[Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection

Ade Lee alee at redhat.com
Tue May 10 01:48:59 UTC 2016


Thanks.  Fixed as below.  Pushed to master.

On Mon, 2016-05-09 at 17:51 -0500, Endi Sukma Dewata wrote:
> On 5/9/2016 2:18 PM, Ade Lee wrote:
> > Patch descriptions .. in reverse order.
> > 
> > Note that the CA setup for authz is further documented at
> > pki.fedoraproject.org/wiki/Kra_authz_realm , where I have added a
> > section on 'CA Configuration'.
> > 
> > Thanks,
> > Ade
> > 
> > ****************************************************************
> > commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7
> > Author: Ade Lee <alee at redhat.com>
> > Date:   Mon May 9 15:00:20 2016 -0400
> > 
> >      Add authz realm check for cert enrollment
> > 
> >      Ticket 2041
> > 
> > commit b5232ce101083409ed9a86e9057620cca7288f62
> > Author: Ade Lee <alee at redhat.com>
> > Date:   Sat May 7 00:06:08 2016 -0400
> > 
> >      Fix error output when request is rejected
> > 
> >      With this fix, error messages are returned to the user when
> >      a request is rejected - either in the UI or from the pki CLI.
> > 
> >      Trac Ticket 1247 (amongst others)
> > 
> > commit 82d18a99103de1fa749b077cfccec5ff65ceb4a5
> > Author: Ade Lee <alee at redhat.com>
> > Date:   Wed May 4 18:25:51 2016 -0400
> > 
> >      Add realm to requests coming in from CA
> > 
> >      Requests to the KRA through the CA-KRA connector use the Enrollment
> >      Service.  This has been modified to read and store any realm passed in.
> >      The realm can be added to the request by having the admin add
> >      an AuthzRealmDefault and AuthzRealmConstraint in a profile.
> > 
> >      At this point, all the constraint does is verify that the realm is
> >      one of a specified list of realms.  More verification will be added
> >      in a subsequent patch.
> > 
> >      No attempt is made yet to allow users to specify the realm.  This
> >      would need to be added as a ProfileInput.
> > 
> >      Part of Ticket 2041
> 
> ACK. Just some comments:
> 
> 1. In AuthzRealmDefault.populate() we should wrap and rethrow the 
> exception instead of ignoring it.
> 
> 2. In UserMessages.properties let's use "Authorization" instead of 
> "Authz" to be more user-friendly. Or just "Realm" instead of "Authz
> realm".
> 
> 3. In HttpPKIMessage.fromRequest() we probably want to copy the realm
> without any condition (e.g. to copy the null value).
> 
>      reqRealm = r.getRealm();
> 
> 4. In CertRequestInfoFactory.create() this if condition is redundant:
> 
>      if (error != null) {
>          info.setErrorMessage(error);
>      }
> 



