summaryrefslogtreecommitdiffstats
path: root/base/server/python/pki
Commit message (Collapse)AuthorAgeFilesLines
...
* ticket #1110 pkispawn (configuration) does not provide CA extensions in ↵Christina Fu2014-09-252-0/+28
| | | | subordinate certificate signing requests (CSR)
* Remove Apache info from pkispawn and pkidestroyMatthew Harmsen2014-09-0211-208/+20
| | | | - PKI TRAC Ticket #1077 - Consider removing [Apache] section from 'default.cfg'
* Fix kra-connector-removeAde Lee2014-09-023-20/+69
| | | | | | | | | | | | | | | | | | | | The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the secutrity domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113
* Disable PKI GUI ConfigurationMatthew Harmsen2014-08-284-47/+0
| | | | - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* Fix issues found by pycharmAde Lee2014-08-061-12/+15
| | | | Some formatting, uninitialized variables.
* Fix pkidestroy for proxy portsAde Lee2014-08-061-0/+8
| | | | | | | | Current pkidestroy fails to remove a system that has been configured to use proxy ports because the wrong ports are passed into the updateDomainXML servlet. This small patch fixes this problem. Ticket #1095
* Fix independent pkispawn installation and configurationMatthew Harmsen2014-08-044-21/+22
| | | | | * PKI TRAC Ticket #905 - 2 Step Configuration of CA instance using pkispawn fails
* Add ability to create database as subtree of existing treeAde Lee2014-07-171-1/+2
| | | | | | | | | | | | | | | | This patch adds the ability to create a subsystem that uses an existing subtree to create the internal basedn. This is useful for instance, for IPA which will use the original o=ipaca as the top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca. The patch also allows such a system to be cloned, but not to setup the replication agreements, on the assumption that the data is already being replicated at the top-level DN or some higher level. The patch also contains some minor cleanups - removing unused imports and removal of an invalid reference in the python code. Ticket 1051
* Remove legacy 'systemctl' filesMatthew Harmsen2014-07-031-1/+1
| | | | - PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
* More formatting changesAde Lee2014-06-103-185/+199
| | | | | Improve the layout of strings in pkimessages and fix a couple more PEP 8 issues.
* Fix pycharm warnings for server python classesAde Lee2014-06-109-659/+847
| | | | | Mostly reformatting due to PEP8. Not all pycharm warnings are addressed, but the vast majority are.
* Reformat scriptlets to be in line with PEP8Ade Lee2014-06-109-248/+400
| | | | Mostly handle pycharm warnings about code formatting.
* Modify master_dict to mdict to improve readabilityAde Lee2014-06-1012-1199/+1204
| | | | | | Most of the install python scripts do not meet PEP8 including being less than 80 chars. Changing master_dict to mdict helps fix this and improves or at least does not degrade readability.
* TPS Token Profile Resolver Framework - part2Christina Fu2014-06-042-0/+7
|
* fix issues identified by pycharm for system.pyAde Lee2014-05-292-4/+4
|
* Correct debug message in 'pkiconfig.py'Fraser Tweedale2014-05-211-3/+5
| | | | | | | The instructions for enabling external debugging shown during installation is incorrect. Fix the message. Ticket #937
* PhoneHome feature:Jack Magne2014-04-152-0/+10
| | | | | | 1. Provides an xml file served by TPS to allow the client(esc) to configure itself to contact TPS. 2. Edewata review fixes. Return application/xml instead of text/xml, and fix how the phone home file path is calculated.
* Share subsystem cert in shared tomcat instancesAde Lee2014-03-311-0/+32
| | | | | | | | | | In shared tomcat instances, we need to share the subsystem cert and not create a new one for each additional subsystem added to the instance. In addition, if the instances share the same database, then only one pkidbuser should be created with the relevant subsystem cert and seeAlso attribute. Ticket 893
* Added 'daemon-reload' methodMatthew Harmsen2014-03-181-4/+130
| | | | | | | | | | | | * PKI TRAC Ticket #869 - f19 ipa-server-install fails at step 6/22 of cert sys install - systemctl start pki-tomcatd.target fails * Cleaned up Pylint errors on Python Systemd class - Changed Systemd from old-style class to new-style class - Added Docstrings to all Systemd methods and functions - R:3078, 4: Method could be a function (no-self-use): NOTE: Although pylint reports that daemon_reload() could be declared as a function rather than a method, removal of the 'self' argument resulted in a compilation error.
* Direct deployment for TPS.Endi S. Dewata2014-03-072-22/+47
| | | | | | | | | | | | | | | | | | | The deployment tool has been modified to deploy TPS directly from the share folder. This way the TPS UI can be upgraded automatically with RPM upgrade without having to write upgrade scripts. For this to work, the TPS web application files cannot contain any slot parameters. So, the cfgPath parameter has been removed from web.xml, and the CMSStartServlet has been modified such that if the parameter is missing it would generate a default path matching the original value in web.xml. Also, the velocity.properties has been modified to use a fixed value for the file.resource.loader.path parameter pointing to the share folder. In the future other subsystems may be modified to use the same deployment mechanism. Ticket #748, #752, #499
* Upgraded RESTEasy client library.Endi S. Dewata2014-02-271-0/+4
| | | | | | | | | | The Dogtag client library has been modified to use RESTEasy 3.0 client library. A new upgrade script has been added to update existing servers. The JAXB annotation in ResourceMessage has been modified to require explicit property mapping. Ticket #554
* Added decorator to handle exceptionsAde Lee2014-02-192-5/+5
| | | | | | Decorator catches HttpErrorExceptions from Requests and extracts the relevant PKIException object, and rethrows it.
* Replaced Jettison with Jackson.Endi S. Dewata2014-02-061-12/+72
| | | | | | | | | The Jettison library has been replaced with Jackson library as JSON provider for RESTEasy. All class paths and the deployment tools have been updated accordingly. The Python library and the TPS UI have been updated as well to use the new JSON format. Ticket #817
* Fixed template deployment.Endi S. Dewata2014-02-061-0/+16
| | | | | | The deployment scriptlet has been fixed to copy the templates to the subsystem web application. This functionality was incorrectly removed in a previous revision (5952a82975063c4ec27303091a44e586d1386933).
* Debian: add init script functionalityAde Lee2014-01-082-5/+29
| | | | | | | | | | | | | | | The addtions in this patch will add start/stop/restart/status functionality to operations, so that Debian systems can perform these operations by calling these functions from an init script. We also introduce a parameter in the configuration scripts that can be used to determine if the system is a debian system. This parameter is used to specify a system V init script instead of a systemd script on a debian system, when the configuration scriptlets start and stop a system. Also source apparently does not work by default in debian. Used dot (.) instead.
* Cannot connect to ds when anon. access is offAbhishek Koneru2014-01-081-13/+34
| | | | | | | | | | | | | The connection to ds is checked during installation. But the current method of checking the ds connection before binding with the ds throws an Inappropriate Authentication error when Anonymous access is off. This patch uses the following method to check the connection to a DS server. 1. Initialize the connection 2. Bind with the DS. 3. Perform the ldap search. Ticket #811
* Moved web application context file.Endi S. Dewata2013-12-162-86/+79
| | | | | | | | | | | | | | The location of web application context file has been changed from <instance>/webapps/<name>/META-INF/context.xml into <instance>/conf/Catalina/localhost/<name>.xml. This will eventually allow deploying the web application directly from the shared folder. A new upgrade script has been added to move the context files in the existing instances. Ticket #499
* Replaced auth.properties with acl.properties.Endi S. Dewata2013-11-201-1/+1
| | | | | | | | | | | | | | The ACL mapping files have been renamed from auth.properties to acl.properties to match the actual content and moved into the subsystem conf folder. The authentication method mapping files have been extracted from the interceptor into actual files. The ACLInterceptor and AuthMethodInterceptors have been modified to read the default mapping first, then overwrite it with custom mapping if it exists in the subsystem folder. The UpdateAuthzProperties upgrade script has been replaced with RemoveAuthProperties that will remove the old auth.properties.
* Fix useradd command in pkispawn to not create avcAde Lee2013-11-191-2/+4
| | | | Ticket 803
* Renamed CLI commands.Endi S. Dewata2013-11-051-1/+1
| | | | | | | | | | | | | | | | | | The following commands have been renamed. The old commands will no longer work. * profile -> ca-profile * kraconnector -> ca-kraconnector The following commands have also been renamed, but the old commands will continue to work: * cert -> ca-cert * key -> kra-key The user and group commands have already been renamed to <subsytem>- user and <subsystem>-group. The old commands will continue to work and will use CA subsystem by default. Ticket #701
* Backup upgrade tracker.Endi S. Dewata2013-10-311-0/+1
| | | | | | | | | The upgrade framework has been modified to backup the files used to track the upgrade progress. If the tracker file is also modified by the upgrade scriptlet, it will only keep the initial backup (before any modifications were made). Ticket #763
* Stand-alone DRMMatthew Harmsen2013-10-252-263/+253
| | | | * TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
* Stand-alone DRMMatthew Harmsen2013-10-156-334/+597
| | | | * TRAC Ticket #667 - provide option for ca-less drm install
* Ticket 757 - Allow unescaped '%' characters in deployment file password valuesNathan Kinder2013-10-091-0/+33
| | | | | | | | | | | | | This patch allows password values in pkispawn deployment files to contain unescaped '%' characters. Non password settings support interpolation, so they still require escaping. This patch has been tested with deployment file based installs as well as interactive installs. The way it works is that we escape the password settings internally immediately after reading the deployment config file. The interactive installation code already escapes password values as it receives them from the user. This approach allows the rest of the installation code to remain as-is.
* Fixed pylint issue in pkiparser.py.Endi S. Dewata2013-10-071-1/+1
| | | | | | The exception handler in pkiparser.py has been modified to re-raise the exception such that it will be handled by the caller instead of exitting to the system immediately.
* Ticket 755 - Detect unescaped percent characters in deployment filesNathan Kinder2013-10-072-0/+12
| | | | | | | | | | | | The deployment config files used by pkispawn support interpolation as supplied by ConfigParser. Interpolation uses the '%' character, which means values that need to contain a '%' character need to be properly escaped. This patch detects errors with unescaped '%' characters and reports a useful message bac kto the user who is running pkispawn. This patch also adds notes to the pkispawn and pki_default.cfg man pages to explain that escaping of '%' characters is required.
* Changes to TPSConnectorService based on reviewAde Lee2013-09-301-1/+3
|
* Add service to generate and retrieve a shared secretAde Lee2013-09-303-0/+133
| | | | | | | | | | | | | | | | A new REST service has been added to the TKS to manage shared secrets. The shared secret is tied to the TKS-TPS connector, and is created at the end of the TPS configuration. At this point, the TPS contacts the TKS and requests that the shared secret be generated. The secret is returned to the TPS, wrapped using the subsystem certificate of the TPS. The TPS should then decrypt the shared secret and store it in its certificate database. This operations requires JSS changes, though, and so will be deferred to a later patch. For now, though, if the TPS and TKS share the same certdb, then it is sufficient to generate the shared secret. Clients and CLI are also provided. The CLI in particular is used to remove the TPSConnector entries and the shared secret when the TPS is pkidestroyed.
* Added interactive install for tomcat TPSAde Lee2013-09-201-0/+42
| | | | | | Up to now, only pkispawn with a config file worked for tomcat-tps installation. This patch adds the functionality for the interactive installation.
* Added new link for resteasy dependencyAde Lee2013-09-171-0/+2
| | | | | Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor with correct method call and reformatted the interceptors.
* fixing for new tomcat systemd filesAde Lee2013-09-171-1/+1
| | | | | | | | tomcat now uses systemd unit files. We will reuse and customize those files accordingly. As a result, startup is simplified considerably - and pkidaemon has been gutted accordingly. We'll need to add migration scripts for older instances in a subsequent patch.
* TRAC Ticket #707 - Do not "require" the following pkispawn parameters for ↵Matthew Harmsen2013-09-161-19/+23
| | | | GUI-based configuration
* Catch all exceptions when checking for status.Ade Lee2013-09-062-10/+16
| | | | | | | | | | | | python-requests now throws a ProxyError if the server is not yet up. Previously only connect exceptions were seen. To ensure that we are not broken again when python-requests and the underlying libraries are changed, we will catch and log all exceptions. If the connection ultimately fails, we will time out in any case. Also fixed some new warnings from Pylint 1.0 Ticket 717
* Fixed pkispawn blocking during TPS deployment.Endi S. Dewata2013-08-261-2/+2
| | | | | | | Due to a recent change pkispawn would ask for the certificate database password interactively during TPS deployment. To fix the problem, the certutil invocation in pkihelper.py has been restored to the proper indentation.
* converted strings to lists and applied subprocess.check_call():Matthew Harmsen2013-08-221-168/+181
| | | | * TRAC Ticket #561 - Replace subprocess.call() with subprocess.check_call()
* By default, disable SSL3_RSA_WITH_DES_CBC_SHA.Matthew Harmsen2013-08-201-1/+1
| | | | * TRAC Ticket #706 - Disable SSL3_RSA_WITH_DES_CBC_SHA
* Fixed pylint false positive.Endi S. Dewata2013-08-161-4/+8
| | | | | | | Under some circumstances build would fail due to pylint E1103 error saying "Instance of 'list' has no 'strip' member". This is a false positive since the object is actually a string. To avoid the error the code has been changed to explicitly convert the value to string.
* Initial code to configure a TPS in tomcatAde Lee2013-08-132-1/+33
| | | | | This code allows pkispawn to configure a tps in tomcat. It does not include any config using the web UI panels.
* Fixed NullPointerException with external CA.Endi S. Dewata2013-07-231-2/+1
| | | | | | | The deployment tool has been modified to overwrite the pki_issuing_ca when configuring with external CA regardless of the default value. Bugzilla #986901
* Minor issue - redundant import in pkispawnAbhishek Koneru2013-07-221-2/+2
| | | | | | | A redundant import has been added in one ofthe previous patches. Fixed another small issue while using the escape character. Pylint fixes.
generated by cgit (git 2.34.1) at 2025-09-28 01:43:22 +0000