path: root/base/common
Commit message | Author | Age | Files | Lines
...
* Fixup for subcas | Ade Lee | 2015-09-30 | 1 | -3/+3
| The attribute used in requests to specify the authority has changed from authority to issuer_id. This updates the python client accordingly.
* Refactored certificate processors. | Endi S. Dewata | 2015-09-30 | 1 | -5/+7
| The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets).
| The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
| https://fedorahosted.org/pki/ticket/1463
* Fixup for python client for subcas | Ade Lee | 2015-09-27 | 1 | -7/+7
|
* Python client for subcas | Ade Lee | 2015-09-27 | 2 | -14/+486
| Includes python code (and unit tests!) to list, get and create subCAs. Also fixed a couple of PEP 8 violations that crept in.
* Added Features REST API resource | Ade Lee | 2015-09-27 | 3 | -0/+365
| This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features.
| The Java client is not included in this commit. Will add in a subsequent commit.
* Lightweight CAs: REST cert request param to specify authority | Fraser Tweedale | 2015-09-26 | 2 | -3/+18
| Add the optional "ca" query parameter for REST cert request submission. Also update the ca-cert-request-submit CLI command with an option to provide an AuthorityID.
| Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: add ca-authority CLI | Fraser Tweedale | 2015-09-26 | 2 | -1/+64
| Add CLI commands for creating, listing and showing lightweight CAs.
| Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: initial support | Fraser Tweedale | 2015-09-26 | 11 | -4/+403
| This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA".
| We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
| Part of: https://fedorahosted.org/pki/ticket/1213
* API: add support for generic entities | Fraser Tweedale | 2015-09-14 | 2 | -3/+21
|
* Silence no-name-in-module error | Christian Heimes | 2015-08-19 | 1 | -1/+1
| Some versions of pylint complain about six's moves magic:
|     No name 'urllib' in module '_MovedItems' (no-name-in-module)
| Disable error E0611.
* Py3 compatibility: __eq__ blocks inheritance of __hash__ | Christian Heimes | 2015-08-17 | 1 | -0/+6
| Some types implement __eq__ but don't provide a __hash__ function. Mark these types as non-hashable with __hash__ = None. This fixes:
|     DeprecationWarning: Overriding __eq__ blocks inheritance of __hash__ in 3.x
* Py3 modernization: misc manual fixes | Christian Heimes | 2015-08-17 | 3 | -5/+6
| Python 3's exception class has no message attribute. e.message can either be replaced with string representation of e or e.args[0].
| Use print(line, end='') instead of sys.stdout.write(). With end='' no new line is appended.
| Use six.reraise() to reraise an exception. Remove sys.exc_clear() as it is no longer available in Python 3.
| Conditionally import shutil.WindowsError.
| Use six.move to import correct modules / function like quote, urlparse and configparser.
| Silence some pylint warnings. pylint doesn't understand six.moves magic and emits an import-error warning.
| Add additional tox envs to check for Python 3 compatibility.
* Py3 modernization: libmodernize.fixes.fix_dict_six | Christian Heimes | 2015-08-17 | 5 | -22/+30
| In Python 3 dict methods like values(), items() and keys() return views rather than lists. The iter equivalents are gone. Use six to use iterators on Python 2 and 3.
| In some places like setup.py a list is required. Use list(somedict.values()) to get a list on all Python versions.
* Py3 modernization: libmodernize.fixes.fix_metaclass | Christian Heimes | 2015-08-17 | 1 | -2/+2
| Python 3 has a different syntax for meta classes. The old __metaclass__ attribute is no longer supported. six.with_metaclass() constructs a suitable metaclass for us.
* Py3 modernization: lib2to3.fixes.fix_execfile | Christian Heimes | 2015-08-17 | 1 | -1/+4
| execfile has been removed from Python 3. The upgrade importer now reads, compiles and executes the upgrade scripts manually.
* Py3 modernization: libmodernize.fixes.fix_input_six | Christian Heimes | 2015-08-17 | 1 | -1/+4
| In Python 3 raw_input() has been renamed to input() and the old, insecure input() builtin is gone. six.moves simplifies the transition. It provides the former raw_input() function under the same import name on Python 2 and 3.
* Py3 modernization: libmodernize.fixes.fix_print | Christian Heimes | 2015-08-17 | 8 | -196/+204
| Replace print statement with Python 3's print() function.
| For Python 2 'from __future__ import print_function' turns the print statement into Python 3 compatible print function.
| See https://www.python.org/dev/peps/pep-3105/
* Py3 modernization: libmodernize.fixes.fix_import | Christian Heimes | 2015-08-17 | 18 | -0/+18
| Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use
|     from . import module
| The future feature 'from __future__ import absolute_import' ensures that pki uses absolute imports on Python 2, too.
| See https://www.python.org/dev/peps/pep-0328/
* Make pki PEP 8 compatible | Christian Heimes | 2015-08-14 | 12 | -96/+126
| Large portions of the patch were automatically created with autopep8:
|     find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
|         --aggressive
|     find base/common/upgrade base/server/upgrade -type f -and \
|         -not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
|     autopep8 --in-place --ignore E309 --aggressive \
|         base/common/sbin/pki-upgrade \
|         base/server/sbin/pkispawn \
|         base/server/sbin/pkidestroy \
|         base/server/sbin/pki-server \
|         base/server/sbin/pki-server-upgrade
| About two dozen violations were fixed manually.
| https://fedorahosted.org/pki/ticket/708
* Replace Exception.message with str(exc) | Christian Heimes | 2015-08-10 | 1 | -5/+5
| Python 3 has deprecated and removed Exception.message. Instead we should simply use string formatting to print the message of an Exception.
|     >>> import pki
|     >>> pki.PKIException('msg')
|     PKIException('msg',)
|     >>> pki.PKIException('msg').message
|     'msg'
|     >>> str(pki.PKIException('msg'))
|     'msg'
|     >>> '%s' % pki.PKIException('msg')
|     'msg'
* Remove import of exceptions module | Christian Heimes | 2015-08-10 | 1 | -2/+1
| The exceptions module is obsolete. All builtin exception classes are globals.
* Don't use the types module for builtin types | Christian Heimes | 2015-08-10 | 3 | -25/+22
| Since Python 2.2 most types in the types module refer to builtin type objects, e.g. types.ListType is list.
* Use dict.iteritems() instead of dict.items() | Christian Heimes | 2015-08-10 | 4 | -34/+32
| iteritems() is the preferred way to iterate over key, value pairs. Python-modernize can convert iteritems() to efficient code on Python 2 and 3.
* Temporarily silence InsecureRequestWarning | Christian Heimes | 2015-08-08 | 1 | -0/+24
| https://fedorahosted.org/pki/ticket/1253
* Fixed missing cert request hostname and address. | Endi S. Dewata | 2015-08-05 | 2 | -10/+8
| The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI.
| An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.
| https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replication | Ade Lee | 2015-07-31 | 1 | -2/+17
| When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
| When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
| Related to ticket 1414
* Removed audit CLI from non-TPS subsystems. | Endi S. Dewata | 2015-07-17 | 4 | -8/+0
| Due to database upgrade issue the pki <subsystem>-audit CLI has been removed from all subsystems except TPS.
| The AuditModifyCLI has been modified to clarify that the --action and the --input parameters are mutually exclusive.
| https://fedorahosted.org/pki/ticket/1437
* Handle JSON decode error in handle_exceptions() | Christian Heimes | 2015-07-15 | 1 | -11/+24
| pki.handle_exceptions() raises a JSON decode exception when the body of the HTTPException is not a valid JSON string. The JSON exception hides the true error message.
| The patch also fixes a bug in PKIException.from_json(). The code and ClassName attribute are now correctly set. Finally we have our first unit test.
| https://fedorahosted.org/pki/ticket/1488
| https://fedorahosted.org/freeipa/ticket/5129
* Ticket 1459 Dogtag clients cannot connect when CS is configured with ECC | Christina Fu | 2015-07-13 | 1 | -0/+4
| clients are: cli, HttpClient, and java console
* remove inaccessible URLs from server.xml | Matthew Harmsen | 2015-07-13 | 1 | -0/+4
| - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible
* In-tree tests and linting with tox | Christian Heimes | 2015-07-10 | 2 | -20/+23
| Before the patch it wasn't possible to run pylint outside a RPM build. The Python sources were split into common and server files in two separate trees. With setup.py and tox the pki package can now be installed and tested in a virtual env.
| Tox enables developers to automate installation and testing in Python virtual environment. The new tox.ini performs several tasks with one command:
| * It creates and installs a source distribution of pki packages and its command line scripts
| * It verifies that all CLI scripts can be executed (using its --help argument).
| * It runs pylint on all Python files and CLI scripts.
| * It can run flake8 on all Python and CLI files (disabled for now).
| * Finally it builds Sphinx autodocs.
| I had to delay the root check in pkispawn and pkidestroy and modify two files to get rid of Sphinx warnings.
| https://fedorahosted.org/pki/ticket/696
| http://tox.readthedocs.org
* Fixed user-cert-add --serial with remote CA. | Endi S. Dewata | 2015-07-09 | 5 | -217/+344
| The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally.
| A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance.
| The SubsystemCLI has been modified to call logout() only if the operation is executed successfully.
| The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient.
| https://fedorahosted.org/pki/ticket/1448
* Cleaned up SystemConfigService.validateRequest(). | Endi S. Dewata | 2015-07-01 | 3 | -3/+3
| The configure() in SystemConfigService method has been modified to log only the error message in normal responses but log the full stack trace when unexpected issues occur.
| The validateData() in SystemConfigService has been renamed to validateRequest() for clarity. The log messages have been modified to include the invalid values entered in the request.
* Fixed selftests log message. | Endi S. Dewata | 2015-06-23 | 2 | -6/+4
| The SelfTestSubsystem has been modified to display a 'successful' message only if all tests have passed. If a test fails, it will log a failure, subsequent tests will not be executed, and the subsystem will shutdown immediately.
| The runSelfTest() in various tests have been cleaned up to throw the original exception to help troubleshooting. The unused RAPresence test has been removed.
| https://fedorahosted.org/pki/ticket/1249
* Fixed thread leaks during shutdown. | Endi S. Dewata | 2015-06-18 | 3 | -9/+11
| Various codes have been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads.
| https://fedorahosted.org/pki/ticket/1327
* Startup log message improvements. | Endi S. Dewata | 2015-06-16 | 1 | -1/+0
| The PKIListener has been modified to verify that all subsystems are running and to show the command to enable the subsystem if it was disabled due to errors.
| https://fedorahosted.org/pki/ticket/1406
* Run pylint on upgrade scripts | Christian Heimes | 2015-06-16 | 2 | -8/+8
| pylint-build-scan.sh doesn't check the upgrader's Python files yet. This patch adds the common and server upgrade scripts to pylint-build-scan.sh. It also fixes a couple of pylint violations, mostly missing calls to __init__().
* Add new KRA audit events to KRA's CS.cfg | Christian Heimes | 2015-06-16 | 1 | -0/+4
| The patch implements an updater, that adds the new KRA signed audit events (#1160) to KRA's CS.cfg.
| https://fedorahosted.org/pki/ticket/1382
* Cleaned up python docs generation. | Endi S. Dewata | 2015-05-28 | 6 | -65/+65
| The script to generate Python docs has been cleaned up and simplified. The python-sphinx configuration files have been moved into base/common/python. The build artifacts are now created in the build/base/common/python.
* PKI TRAC Ticket #1388 - pylint unidiomatic-typecheck warnings cause koji builds to fail | Matthew Harmsen | 2015-05-26 | 2 | -4/+5
| (cherry picked from commit d2c24aff4e9dc6aa27b337479cfee1fac4940994)
* Ticket 1307 (part1 refactoring) [RFE] Support multiple keySets for different cards for ExternalReg | Christina Fu | 2015-05-21 | 1 | -4/+4
| This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
* Added options for internal token and replication passwords. | Endi S. Dewata | 2015-05-11 | 2 | -145/+11
| The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before.
| https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemd | Ade Lee | 2015-05-10 | 1 | -0/+6
| This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files.
| It also corrects some issues found in additional testing of the nuxwdog change scripts.
| To use nuxwdog to start the instance, a user needs to do the following:
| 1. Create an instance normally.
| 2. Run: pki-server instance-nuxwdog-enable <instance_name>
| 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
| To revert the instance, simply do the following:
| 1. Run: pki-server instance-nuxwdog-disable <instance_name>
| 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Ticket 1295 Upgrade script for - CA: OCSP via GET does not work | Christina Fu | 2015-05-05 | 1 | -0/+0
|
* Fixed authentication data in audit log. | Endi S. Dewata | 2015-05-05 | 1 | -33/+9
| The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable.
| https://fedorahosted.org/pki/ticket/1054
* Fix some javadoc errors that prevent F23 build | Ade Lee | 2015-04-24 | 8 | -18/+2
|
* Fixed build issues. | Endi S. Dewata | 2015-04-22 | 1 | -1/+1
| The code has been modified to fix tomcatjss and python-sphinx issues.
* Add nuxwdog functionality to Dogtag | Ade Lee | 2015-04-22 | 2 | -2/+2
| This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes.
| Code is also added to prompt for and test required passwords on startup.
| All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Ticket 1316 Allow adding SAN to server cert during the install process | Christina Fu | 2015-04-21 | 1 | -0/+13
| Usage:
| * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern
| * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern
| * edit serverCert.profile.exampleWithSANpattern
|   - follow the instruction right above 8.default.
|   - save and quit
| * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
|   - follow the instruction right above policyset.serverCertSet.9
|   - save and quit
| * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert)
|   - add the following lines, e.g.
|     pki_san_inject=True
|     pki_san_server_cert=host1.Example.com
|   - do the same pkispawn cfg changes for kra or any other instances that you plan on creating
| * create your instance(s)
|   check the ssl server cert, it should contain something like the following:
|     Identifier: Subject Alternative Name - 2.5.29.17
|     Critical: no
|     Value:
|         DNSName: host1.Example.com
* Added server migration command. | Endi S. Dewata | 2015-04-21 | 1 | -11/+61
| New pki-server CLI commands have been added to migrate the server configuration from Tomcat 7 to Tomcat 8 and vice versa. These commands can be used later during system upgrade to migrate existing instances from Tomcat 7 in F22 to Tomcat 8 in F23.
| The Python CLI framework has been refactored to provide a way to find other CLI modules by the command names.
| https://fedorahosted.org/pki/ticket/1264