| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
|
|
|
|
|
|
|
|
|
|
|
|
| |
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
|
|
|
|
|
|
|
| |
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
| |
The async recovery request mechanism was implemented differently
from other requests. This makes it difficult to add tings like
authorization consisitently.
We move the required methods to the KeyRequestDAO to be more
consistent.
Part of Ticket #2041
|
|
|
|
|
|
|
|
|
|
|
| |
1. Added query parameters for the realm. If a realm is
specified, then only the key requests and keys associated
with the realm are returned. If no realm is specified,
then only those requests and keys without a realm are returned.
2. Added parameters to keyClient and the CLI
Part of Trac Ticket #2041
|
|
|
|
|
|
|
|
| |
This will allow users to specify the realm when generating
or archiving a request. No interface change is needed (yet)
because the extra parameter is passed through the request.
Part of Ticket #2041
|
|
|
|
|
|
|
|
|
| |
This patch does the following:
* it adds in the kra request an extra field called "delayLDAPCommit"
* when the request comes in to be processed, it sets this field to "false"
* by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write
* once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap
* In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket # 1597
Currently, KRA allows sites to opt for doing encryption/decryption instead of
wrapping/unwrapping for key archival and recovery.
The new cli code was later added without such support. We should honor the
same flags when cli is called to do key archival and recovery.
This feature was due to a specific customer request.
Here is what is now supported:
1. When the pki cli tool is used to recover a asymmetric private key,
support is there to do so with encrypt / decrypt.
2. The passphrase and generic data facility already uses
encrypt / decrypt so nothing here was needed. Calling it out since
this will possibly be a customer issue.
3. While under the hood, it made sense to add this functionality to the
Symmetric key archival and recovery operations.
4. All tests in DRMTest.java worked successfully when the kra was
configured to support this feature and configured to not observe this feature.
What is missing:
We have since added a method to do a server side key generation of an
asymmetric key pair in the kra and also archive it there at the same time.
In order to do encrypt / decrypt in this case we need to extract the key
contents out of a key object that is used to generate this key. It proved
problematic to extract said key. This should be ok since the customer only
needs to recover an asymmetric key in their test cases. We could look into
doing this later if a pressing need arises.
|
|
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys archived through the KRA connector in CA have null data type
attribute which causes a NPE during retrieval using the key-retrieve
CLI. The SecurityDataRecoveryService has been modified to consider
null data type attribute as asymmetric key type.
The KeyRetrieveCLI and KeyService have been modified to generate
better debugging messages to help troubleshooting.
https://fedorahosted.org/pki/ticket/1481
|
|
|
|
| |
REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is the 2nd phase of the externalReg feature, it makes the
following improvements:
* added feature: recovery by keyid (v.s. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handle of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default tps profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
|
|
|
|
|
|
| |
All the secrets/keys retrieved using the client API's using Java/python
clients will be of the type - byte array. This applies to output of the
retrieveKey method and the public key attribute of the KeyInfo object.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds methods to key client to generate asymmetric keys using
algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096.
The generated keys are archived in the database.
Using the CLI, the public key(base64 encoded) can be retrieved by using
the key-show command.
The private key(base64 encoded) can be retrieved using the key-retrieve
command.
Ticket #1023
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to setup the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the new security data storage and retrieval, and for symmetric
key generation, we need to store the identity of the agent that is
requesting and approving each operation, both in the ldap record
and in the audit logs. (Tickets 806 and 807)
This patch also adds required logic to check that the owner of the
recovery request is the same agent that retrieves the key. It also
adds missing audit log constants for symmmetric key generation so that
they will show up in the audit log.
|
|
|
|
|
|
|
|
|
|
| |
Some REST services that accept search keywords have been modified to
require a minimum length of 3 characters.
The DEFAULT_SIZE constant has been moved into the base PKIService
class to reduce multiple declarations.
Ticket #920
|
|
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
|
|
|
|
|
|
| |
Subsystem-specific configuration codes have been moved from the
SystemConfigService into the subsystem-specific installer.
Ticket #890
|
|
|
|
|
|
|
|
|
| |
New subclasses of SystemConfigService have been added for each
subsystem to replace the base installer. Initially these classes
are blank, so they are identical to the base class. Later they will
store subsystem-specific installation code.
Ticket #890
|
|
|
|
|
|
|
|
|
|
|
| |
A new CLI parameter has been added to allow the user select the
REST message format. This is done by setting the default consumes
and produces when creating the client proxy. For this to work the
hard-coded @Consumes and @Produces annotations need to be removed
from the interface definition. A new interceptor has been added
to validate the message format before executing the operation.
Ticket #554
|
|
|
|
|
|
|
|
| |
The REST service classes have been moved into org.dogtagpki.server
namespace. A new upgrade script has been added to update existing
instances.
Ticket #114
|
| |
|
|
|
|
|
|
| |
With this patch, you can now either send a pkiArchiveOptions object
or the exploded parameters. This reduces the processing required on
the client side.
|
|
|
|
|
|
|
|
|
| |
1) Added error checking in python client calls.
2) Allow symmetric key generation with default params. Fix bug for
when usages is not defined.
3) Fix bug when requesting key recovery - must check if key exists.
4) Extend key gen to allow for providing trans_wrapped_session_key
5) added constants to python client for key status
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In the archival, recovery and generation code for symmetric keys,
we use functions that require knowledge of the symmetric keys algorithm
and key size. These were hardcoded to DES3, and so only DES3 worked.
We added those parameters to the archival request, save them in the
KeyRecord and retrive them when recovering the key.
Tests have been added to DRMTest for the relevant usages.
|
|
|
|
|
|
|
|
|
| |
1. Remove Link attribute from ResourceMessage,
2. Rename KeyDataInfo and KeyDataInfoCollection.
3. Move KEYGEN_ALGORITHMS
4. Fix missing space in PKIException
5. Move properties to attributes in ResourceMessage
6. Add missing code to update the request and set IRequest.RESULT
|
|
|
|
|
|
| |
Refactor ResourceMessage to include classname instead of Request Type.
Also changed PKIException.Data to extend ResourceMessage.
Modifications to the server code to get the tests working.
|
| |
|
| |
|
|
|
|
|
|
| |
TPS-rewrite effort):
http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
|
|
|
|
|
|
|
|
|
|
| |
New ACL has been added to allow only the administrators to access
TPS authenticators.
The set of interceptors in each application has been modified to
preserve the order.
Ticket #652
|
|
|
|
|
|
|
| |
Due to a regression RESTEasy is unable to find some sub-resources properly.
As a workaround some resources need to be merged into the parent resource.
The UserCertResource and UserMembershipResource have been merged into
UserResource. The GroupMemberResource has been merged into GroupResource.
|
|
|
|
| |
* TRAC Ticket #667 - provide option for ca-less drm install
|
|
|
|
|
|
|
| |
A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652
|
|
|
|
|
|
|
| |
New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652
|
|
|
|
| |
Ticket 97
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival
request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected
and validated transport certificate arriving as a part of extended archival request
|
|
|
|
|
|
| |
The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new mechanism has been added to specify the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods. When a
client calls a REST method, the AuthMethodInterceptor will intercept the
call and verify that the client uses an allowed authentication method.
Most REST methods that require authentication have been configured to
require client certificate authentication. Authentication using username
and password will only be used to get the installation token from security
domain.
Ticket #477
|
|
|
|
|
|
|
|
| |
New CLI's have been added to search, add, and remove user membership.
The group member management code has been refactored into a processor
to allow reuse.
Ticket #190
|
| |
|
|
|
|
|
|
|
|
|
| |
The paths to RESTEasy jar files have been modified such that it can
be configured globally at build time using the spec file to support
different distributions, and at deployment time using a system-wide
configuration in /etc/pki/pki.conf.
Ticket #422, #423.
|