[Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.

John Magne jmagne at redhat.com
Thu Nov 10 23:40:02 UTC 2016



Looked over all these and it looks good. Post checkin ACK :)

Just a couple of questions:

1. Code like this:

if (!synchronous) {
+                    // Has to be in this state or it won't go anywhere.
+                    request.setRequestStatus(RequestStatus.BEGIN);
+                    queue.processRequest(request);
+                } else {
+                    kra.processSynchronousRequest(request);
+                }
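Review bot: the synchronous branch calls `kra.processSynchronousRequest(request)` without setting any request status, while the asynchronous branch must first move the request to `RequestStatus.BEGIN` because, per the comment, `queue.processRequest(request)` will not act on it otherwise. If the synchronous processor (or the audit logging behind it) reads or records the request status, it should set BEGIN and the terminal state itself; if it ignores status entirely, say so in a comment so the asymmetry is clearly deliberate. The comment `// Has to be in this state or it won't go anywhere.` would also be more useful naming the consumer, e.g. `// queue.processRequest only picks up requests in BEGIN`.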

I know we are handling the synchronous request with a processor and such, but the standard async request is being
handled with the same queue method. Would it look nicer to have a layer for the standard case, like processAsynchRequest?
No big deal.


2. Did we do a sanity sweep of the various scenarios to make sure that the refactor is good with respect to legacy code paths?
I'm sure we have but was just asking.


3. Also I realize that the "realm" param is not yet supported but is a hook for future code. If we have to touch anything again, it might help to give a comment
in the key methods as to why it is not yet being used.

thanks,
jack

----- Original Message -----
> From: "Ade Lee" <alee at redhat.com>
> To: pki-devel at redhat.com
> Sent: Friday, November 4, 2016 1:11:03 PM
> Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
> 
> Hi all,
> 
> This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
> 
> This is a preliminary set of patches - just so you can see what I'm doing
> in case I need to change anything.
> 
> Note: With the changes, you can archive a secret like this:
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_1"
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_2" --express
> 
> The first invocation will archive a secret and create an archival
> request in LDAP.  The second will create one only in memory - and will
> not store it in LDAP.
> 
> You can, of course, see the requests created using:
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-request-find
> 
> For retrieving the secret, you can do either:
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID  0x5
> 
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID  0x5 --express
> 
> The first will retrieve the secret while creating a retrieval request.
> The second will create a retrieval request only in memory, and will not
> write it to LDAP.
> 
> In both cases, there should be audit logs both for retrieval and
> archival.
>  
> Thanks,
> Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
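The two request paths Ade describes above, a queued archival or retrieval request that is moved to BEGIN and written to LDAP versus an `--express` request that is processed synchronously and exists only in memory, modelled as an added Go example. This is not Dogtag's code: the `Request` and `KRA` types, the map standing in for the LDAP request store, the AES-GCM storage key and the `0x1`-style key IDs are all assumptions chosen to show the dispatch logic and what each path leaves behind.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// RequestStatus mirrors the BEGIN state the quoted hunk sets before queueing.
type RequestStatus string

const (
	StatusBegin    RequestStatus = "BEGIN"
	StatusComplete RequestStatus = "COMPLETE"
)

// Request is a key archival or retrieval request (hypothetical shape, not Dogtag's).
type Request struct {
	ID, Type, ClientKeyID, KeyID string
	Status                       RequestStatus
	Secret                       []byte // plaintext only while the request is being processed
}

// KRA is a toy key recovery authority: an AES-GCM storage key, an archived-key
// table, a map standing in for the LDAP request store, and an audit log.
type KRA struct {
	storage              cipher.AEAD
	keys                 map[string][]byte // keyID -> nonce || ciphertext
	persisted            map[string]*Request
	audit                []string
	nextKey, nextRequest int
}

func NewKRA() (*KRA, error) {
	k := make([]byte, 32) // constructed storage key; a real KRA keeps this in an HSM or NSS DB
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KRA{storage: aead, keys: map[string][]byte{}, persisted: map[string]*Request{}}, nil
}

// process does the real work for either path: wrap the secret under the
// storage key on archival, unwrap it on retrieval, then mark COMPLETE.
func (k *KRA) process(r *Request) error {
	switch r.Type {
	case "archival":
		nonce := make([]byte, k.storage.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return err
		}
		k.nextKey++
		r.KeyID = fmt.Sprintf("0x%x", k.nextKey)
		k.keys[r.KeyID] = k.storage.Seal(nonce, nonce, r.Secret, []byte(r.KeyID))
		r.Secret = nil // the request record never retains the plaintext
	case "retrieval":
		blob, ok := k.keys[r.KeyID]
		if !ok {
			return errors.New("unknown keyID")
		}
		n := k.storage.NonceSize()
		pt, err := k.storage.Open(nil, blob[:n], blob[n:], []byte(r.KeyID))
		if err != nil {
			return err
		}
		r.Secret = pt
	default:
		return errors.New("unknown request type")
	}
	r.Status = StatusComplete
	return nil
}

// dispatch is the branch from the quoted hunk. The queue path moves the request
// to BEGIN and persists it; the synchronous (--express) path processes it in
// memory only. Both paths emit an audit event, including on failure, so for an
// express request the audit trail is the only record that the operation happened.
func (k *KRA) dispatch(r *Request, synchronous bool) error {
	if !synchronous {
		r.Status = StatusBegin
		k.persisted[r.ID] = r // stands in for the queue's LDAP write
	}
	err := k.process(r)
	k.audit = append(k.audit, fmt.Sprintf("%s %s keyID=%s ok=%v", r.Type, r.ID, r.KeyID, err == nil))
	return err
}

func (k *KRA) newRequest(typ, clientKeyID, keyID string, secret []byte) *Request {
	k.nextRequest++
	return &Request{ID: fmt.Sprintf("req-%d", k.nextRequest), Type: typ, ClientKeyID: clientKeyID, KeyID: keyID, Secret: secret}
}

// Archive returns the keyID assigned to the archived secret.
func (k *KRA) Archive(clientKeyID string, secret []byte, express bool) (string, error) {
	r := k.newRequest("archival", clientKeyID, "", secret)
	if err := k.dispatch(r, express); err != nil {
		return "", err
	}
	return r.KeyID, nil
}

// Retrieve returns the recovered secret and clears it from the request record.
func (k *KRA) Retrieve(keyID string, express bool) ([]byte, error) {
	r := k.newRequest("retrieval", "", keyID, nil)
	if err := k.dispatch(r, express); err != nil {
		return nil, err
	}
	pt := r.Secret
	r.Secret = nil
	return pt, nil
}

func (k *KRA) PersistedRequests() int { return len(k.persisted) }
func (k *KRA) AuditEvents() int      { return len(k.audit) }
```

Running two archivals, one queued and one express, leaves one persisted request but two audit events, which is the property to verify when reviewing a change like this: anything `key-request-find` cannot show must still be reconstructible from the audit log, and a failed express retrieval of an unknown key ID must be audited even though no request object survives it.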
