| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.
The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.
https://fedorahosted.org/pki/ticket/342
|
| |
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
|
| |
|
|
|
|
|
|
| |
Lightweight CAs mean that we may wish to filter certificates based
on the issuer. Update X509CertImplMapper to store the issuer DN in
each certificate record, using exiting schema.
Also add indices for the 'issuerName' LDAP attribute.
|
| |
|
|
| |
client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
|
| | |
|
| |
|
|
|
|
|
| |
Implement lightweight authority deletion including CLI command. To
be deleted an authority must be disabled and have no sub-CAs.
Fixes: https://fedorahosted.org/pki/ticket/1324
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb fiile will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new setup.py in base/common/python makes it possible to bundle
the pki client library and upload it on PyPI. The setup.py in the root
directory is only used for tox and testing. It's a cleaner and less
fragile approach than to support two different build flavors with one
setup.py
The 'release' alias from setup.cfg creates and uploads a source
distribution and an universal wheel:
$ sudo yum install python-wheel python-setuptools
$ cd base/common/python
$ python setup.py release
The 'packages' alias just creates the source distribution and wheel:
$ python setup.py packages
The version number is taken from the Version and Release fields of
pki-core.spec.
|
| |
|
|
|
|
|
|
|
| |
Replace deprecated decodestring() and encodestring() with b64decode()
and b64encode().
Provice specialized encode_cert() / decode_cert() functions to handle
base64 encoding and decoding for X.509 certs in JSON strings. In Python
3 the base64 function don't suppor ASCII text, just ASCII bytes.
|
| |
|
|
|
|
| |
The attribute used in requests to specify the authority has changed
from authority to issuer_id. This updates the python client
accordingly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
|
| | |
|
| |
|
|
|
|
| |
Includes python code (and unit tests!) to list, get
and create subCAs. Also fixed a couple of PEP 8 violations that
crept in.
|
| |
|
|
|
|
|
|
|
| |
This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.
|
| |
|
|
|
|
|
|
| |
Add the optional "ca" query parameter for REST cert request
submission. Also update the ca-cert-request-submit CLI command with
an option to provide an AuthorityID.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
| |
Add CLI commands for creating, listing and showing lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| | |
|
| |
|
|
|
|
|
|
| |
Some versions of pylint complain about six's moves magic:
No name 'urllib' in module '_MovedItems' (no-name-in-module)
Disable error E0611.
|
| |
|
|
|
|
|
|
| |
Some types implement __eq__ but don't provide a __hash__ function. Mark
these types as non-hashable with __hash__ = None. This fixes:
DeprecationWarning:
Overriding __eq__ blocks inheritance of __hash__ in 3.x
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
| |
|
|
|
|
|
|
|
| |
In Python 3 dict methods like values(), items() and keys() return views
rather than lists. The iter equivalents are gone. Use six to use
iterators on Python 2 and 3.
In some places like setup.py a list is required. Use
list(somedict.values()) to get a list on all Python versions.
|
| |
|
|
|
|
| |
Python 3 has a different syntax for meta classes. The old __metaclass__
attribute is no longer supported. six.with_metaclass() constructs a
suitable metaclass for us.
|
| |
|
|
|
| |
execfile has been removed from Python 3. The upgrade importer now reads,
compiles and executed the upgrade scripts manually.
|
| |
|
|
|
|
|
| |
In Python 3 raw_input() has been renamed to input() and the old,
insecure input() builtin is gone. six.moves simplifies the transition.
It provides the former raw_input() function under the same import name
on Python 2 and 3.
|
| |
|
|
|
|
|
|
|
| |
Replace print statement with Python 3's print() function.
For Python 2 'from __future__ import print_function' turns the print
statement into Python 3 compatible print function.
See https://www.python.org/dev/peps/pep-3105/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3 has deprecated and remove Exception.message. Instead we should
simply use string formatting to print the message of an Exception.
>>> import pki
>>> pki.PKIException('msg')
PKIException('msg',)
>>> pki.PKIException('msg').message
'msg'
>>> str(pki.PKIException('msg'))
'msg'
>>> '%s' % pki.PKIException('msg')
'msg'
|
| |
|
|
|
| |
The exceptions module is obsolete. All builtin exception classes are
globals.
|
| |
|
|
|
| |
Since Python 2.2 most types in the types module refer to builtin type
objects, e.g. types.ListType is list.
|
| |
|
|
|
|
| |
iteritems() is the preferred way to iterate over key, value pairs.
Python-modernize can convert iteritems() to efficient code on Python 2
and 3.
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/1253
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.
An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.
https://fedorahosted.org/pki/ticket/1535
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
| |
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
pki.handle_exceptions() raises a JSON decode exception when the body of
the HTTPException is not a valid JSON string. The JSON exception hides
the true error message.
The patch also fixes a bug in PKIException.from_json(). The code and
ClassName attribute are now correctly set. Finally we have our first
unit test.
https://fedorahosted.org/pki/ticket/1488
https://fedorahosted.org/freeipa/ticket/5129
|
| |
|
|
| |
clients are: cli, HttpClient, and java console
|
| |
|
|
|
| |
- PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before the patch it wasn't possible to run pylint outside a RPM build.
The Python sources were split into common and server files in two
separate trees. With setup.py and tox the pki package can now be
installed and tested in a virtual env.
Tox enables developers to automate installation and testing in Python
virtual environment. The new tox.ini performs several tasks with one
command:
* It creates and installs a source distribution of pki packages and its
command line scripts
* It verifies that all CLI scripts can be execute (using its --help
argument).
* It runs pylint on all Python files and CLI scripts.
* It can run flake8 on all Python and CLI files (disabled for now).
* Finally it builds Sphinx autodocs.
I had to delay the root check in pkispawn and pkidestroy and modify two
files to get rid of Sphinx warnings.
https://fedorahosted.org/pki/ticket/696
http://tox.readthedocs.org
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The user-cert-add command has been modified to ask the user for
the CA server URI if the CA is not available locally.
A new SubsystemClient.exists() method has been added to check
whether a subsystem is deployed on the target instance.
The SubsystemCLI has been modified to call logout() only if
the operation is executed successfully.
The certificate approval callback class has been refactored out
of PKIConnection into a separate class to clean up circular
dependency with PKIClient.
https://fedorahosted.org/pki/ticket/1448
|
| |
|
|
|
|
|
|
|
|
| |
The configure() in SystemConfigService method has been modified to
log only the error message in normal responses but log the full
stack trace when unexpected issues occur.
The validateData() in SystemConfigService has been renamed to
validateRequest() for clarity. The log messages have been modified
to include the invalid values entered in the request.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The SelfTestSubsystem has been modified to display a 'successful'
message only if all tests have passed. If a test fails, it will
log a failure, subsequent tests will not be executed, and the
subsystem will shutdown immediately.
The runSelfTest() in various tests have been cleaned up to throw
the original exception to help troubleshooting. The unused
RAPresence test has been removed.
https://fedorahosted.org/pki/ticket/1249
|
| |
|
|
|
|
|
|
| |
Various codes have been modified to properly stop threads during
shutdown. A new ID attribute has been added to the LDAP connection
factory classes to help identify leaking threads.
https://fedorahosted.org/pki/ticket/1327
|
| |
|
|
|
|
|
|
| |
The PKIListener has been modified to verify that all subsystems
are running and to show the command to enable the subsystem if it
was disabled due to errors.
https://fedorahosted.org/pki/ticket/1406
|
| |
|
|
|
|
|
| |
pylint-build-scan.sh doesn't checked the upgrader's Python files yet.
This patch adds the common and server upgrade scripts to
pylint-build-scan.sh. It also fixes a couple of pylint violations,
mostly missing calls to __init__().
|
| |
|
|
|
|
|
| |
The patch implements an updater, that adds the new KRA signed audit
events (#1160) to KRA's CS.cfg.
https://fedorahosted.org/pki/ticket/1382
|
| |
|
|
|
|
|
| |
The script to generate Python docs has been cleaned up and
simplified. The python-sphinx configuration files have been
moved into base/common/python. The build artifacts are now
created in the build/base/common/python.
|
| |
|
|
|
|
| |
builds to fail
(cherry picked from commit d2c24aff4e9dc6aa27b337479cfee1fac4940994)
|
