[Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection
Ade Lee
alee at redhat.com
Tue May 10 01:48:59 UTC 2016
Thanks. Fixed as below. Pushed to master.
On Mon, 2016-05-09 at 17:51 -0500, Endi Sukma Dewata wrote:
> On 5/9/2016 2:18 PM, Ade Lee wrote:
> > Patch descriptions .. in reverse order.
> >
> > Note that the CA setup for authz is further documented at
> > pki.fedoraproject.org/wiki/Kra_authz_realm , where I have added a
> > section on 'CA Configuration'.
> >
> > Thanks,
> > Ade
> >
> > ****************************************************************
> > commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7
> > Author: Ade Lee <alee at redhat.com>
> > Date: Mon May 9 15:00:20 2016 -0400
> >
> > Add authz realm check for cert enrollment
> >
> > Ticket 2041
> >
> > commit b5232ce101083409ed9a86e9057620cca7288f62
> > Author: Ade Lee <alee at redhat.com>
> > Date: Sat May 7 00:06:08 2016 -0400
> >
> > Fix error output when request is rejected
> >
> > With this fix, error messages are returned to the user when
> > a request is rejected - either in the UI or from the pki CLI.
> >
> > Trac Ticket 1247 (amongst others)
> >
> > commit 82d18a99103de1fa749b077cfccec5ff65ceb4a5
> > Author: Ade Lee <alee at redhat.com>
> > Date: Wed May 4 18:25:51 2016 -0400
> >
> > Add realm to requests coming in from CA
> >
> > Requests to the KRA through the CA-KRA connector use the Enrollment
> > Service. This has been modified to read and store any realm passed in.
> > The realm can be added to the request by having the admin add
> > an AuthzRealmDefault and AuthzRealmConstraint in a profile.
> >
> > At this point, all the constraint does is verify that the realm is
> > one of a specified list of realms. More verification will be added
> > in a subsequent patch.
> >
> > No attempt is made yet to allow users to specify the realm. This
> > would need to be added as a ProfileInput.
> >
> > Part of Ticket 2041
>
> ACK. Just some comments:
>
> 1. In AuthzRealmDefault.populate() we should wrap and rethrow the
> exception instead of ignoring it.
>
> 2. In UserMessages.properties let's use "Authorization" instead of
> "Authz" to be more user-friendly. Or just "Realm" instead of "Authz
> realm".
>
> 3. In HttpPKIMessage.fromRequest() we probably want to copy the realm
> without any condition (e.g. to copy the null value).
>
> reqRealm = r.getRealm();
>
> 4. In CertRequestInfoFactory.create() this if condition is redundant:
>
>     if (error != null) {
>         info.setErrorMessage(error);
>     }
>
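
The realm default and constraint discussed in this thread, as an added example that is not part of the original messages or of the Dogtag code base: a default that wraps and rethrows a failure instead of ignoring it (review comment 1), and a constraint that accepts only realms from a configured list. Every class, method and realm name below is hypothetical, and rejecting a request that carries no realm is an assumption of this sketch.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration only: every type and method here is hypothetical, not Dogtag code.
public class RealmCheckSketch {
    static class ProfileException extends Exception {
        ProfileException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Stand-in for a request object that carries an authz realm.
    static class Request {
        private String realm;
        private final boolean locked;
        Request(boolean locked) { this.locked = locked; }
        void setRealm(String r) {
            if (locked) throw new IllegalStateException("request is locked");
            realm = r;
        }
        String getRealm() { return realm; }
    }

    // Default: stamp the profile's realm on the request. A failure is wrapped and
    // rethrown so the request cannot continue without the realm it should carry.
    static void populate(Request req, String profileRealm) throws ProfileException {
        try {
            req.setRealm(profileRealm);
        } catch (RuntimeException e) {
            throw new ProfileException("Unable to set realm on request", e);
        }
    }

    // Constraint: the realm must be one of the listed realms.
    // Assumption: a request with no realm is rejected rather than waved through.
    static boolean validate(Request req, List<String> allowedRealms) {
        String realm = req.getRealm();
        return realm != null && allowedRealms.contains(realm);
    }

    public static void main(String[] args) throws ProfileException {
        List<String> allowed = Arrays.asList("engineering", "finance"); // constructed values
        for (String realm : Arrays.asList("engineering", "sales")) {
            Request req = new Request(false);
            populate(req, realm);
            System.out.println(realm + " accepted: " + validate(req, allowed));
        }
        System.out.println("no realm accepted: " + validate(new Request(false), allowed));
        try {
            populate(new Request(true), "finance");
        } catch (ProfileException e) {
            System.out.println("populate failed: " + e.getMessage());
        }
    }
}
```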