summaryrefslogtreecommitdiffstats
path: root/base/server/python
Commit message (Collapse)AuthorAgeFilesLines
* Fix escaping of password fields to prevent interpolationChristian Heimes2016-01-131-2/+6
| | | | | | | | | | Some password and pin fields are missing from the no_interpolation list. One entry is misspelled. A '%' in password field such as pki_clone_pkcs12_password causes an installation error. https://fedorahosted.org/pki/ticket/1703 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* Fixed external CA case for IPA compatibility.Endi S. Dewata2016-01-082-5/+12
| | | | | | | | | | | | | The installation code for external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information. https://fedorahosted.org/pki/ticket/456
* Added mechanism to import existing CA certificate.Endi S. Dewata2015-11-254-32/+183
| | | | | | | | | | | The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA. https://fedorahosted.org/pki/ticket/456
* Added pki-server subsystem-cert-export command.Endi S. Dewata2015-11-142-0/+132
| | | | | | | | A new command has been added to export a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance. https://fedorahosted.org/pki/ticket/456
* Added automatic Tomcat migration.Endi S. Dewata2015-10-305-27/+53
| | | | | | | | | | | | | | | | | | | The pki-core.spec has been modified to execute pki-server migrate when the package is installed. This way when upgrading from F22 to F23 all PKI instances will be migrated automatically to Tomcat 8. The pki-server migrate command has been modified such that if there is no specific Tomcat version specified it will use the current Tomcat version. The top attribute in the CLI class was not functioning properly, so it has been replaced with get_top_module() method. The getopt() invocations in pki-server subcommands have been replaced with gnu_getopt() to allow intermixing options and arguments. https://fedorahosted.org/pki/ticket/1310
* Python client for subcasAde Lee2015-09-272-14/+33
| | | | | | Includes python code (and unit tests!) to list, get and create subCAs. Also fixed a couple of PEP 8 violations that crept in.
* Added support for secure database connection in CLI.Endi S. Dewata2015-09-222-11/+96
| | | | | | | | | | The pki-server subsystem-cert-update has been modified to support secure database connection with client certificate authentication. The pki client-cert-show has been modified to provide an option to export client certificate's private key. https://fedorahosted.org/pki/ticket/1551
* Added CLI to update cert data and request in CS.cfg.Endi S. Dewata2015-09-045-47/+682
| | | | | | | | | A set of new pki-server commands have been added to simplify updating the cert data and cert request stored in the CS.cfg with the cert data and cert request stored in the NSS and LDAP database, respectively. https://fedorahosted.org/pki/ticket/1551
* Ticket 1566 on HSM, non-CA subystem installations failing while trying to ↵Christina Fu2015-08-191-10/+10
| | | | join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
* Silence no-name-in-module errorChristian Heimes2015-08-191-1/+1
| | | | | | | | Some versions of pylint complain about six's moves magic: No name 'urllib' in module '_MovedItems' (no-name-in-module) Disable error E0611.
* Py3 compatibility: set default for verbosity to 0Christian Heimes2015-08-171-1/+1
| | | | | | | The default value for argparser's verbosity was None, but None can't be compared to 2 in Python 3. TypeError: unorderable types: NoneType() >= int()
* Py3 compatibility: encode output of subprocess callChristian Heimes2015-08-172-5/+10
| | | | | | | | | In Python 3 subprocess.Popen() and check_out() return bytes. The rest of PKI expects text, so the output has to be decoded. - ascii for dnsdomainname - sys.getfilesystemencoding() for paths - utf-8 for the rest
* Py3 compatibility: write XML as encoded bytesChristian Heimes2015-08-174-11/+16
| | | | | Python 3 treats serialized XML as encoded bytes. etree must encode XML to UTF-8 and write it to a file opened in binary mode.
* Py3 modernization: misc manual fixesChristian Heimes2015-08-174-25/+33
| | | | | | | | | | | | | | | | | | | | | | Python 3's exception class has no message attribute. e.message can either be replaced with string representation of e or e.args[0]. Use print(line, end='') instead of sys.stdout.write(). With end='' no new line is appended. Use six.reraise() to reraise an exception. Remove sys.exc_clear() as it is no longer available in Python 3. Conditionally import shutil.WindowsError. Use six.move to import correct modules / function like quote, urlparse and configparser. Silence some pylint warnings. pylint doesn't understand six.moves magic and emits a import-error warning. Add additional tox envs to check for Python 3 compatibility.
* policycoreutils-python3 lacks sepolgen on Fedora 22Christian Heimes2015-08-172-4/+21
| | | | | | | | | Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject package is available for Python 3 but can't be imported because it depends on sepolgen. The workaround makes it possible to test the Python 3 port on Fedora 22. It can be removed later once Fedora 23 is out.
* Py3 modernization: libmodernize.fixes.fix_dict_sixChristian Heimes2015-08-171-1/+1
| | | | | | | | | In Python 3 dict methods like values(), items() and keys() return views rather than lists. The iter equivalents are gone. Use six to use iterators on Python 2 and 3. In some places like setup.py a list is required. Use list(somedict.values()) to get a list on all Python versions.
* Py3 modernization: libmodernize.fixes.fix_metaclassChristian Heimes2015-08-171-4/+2
| | | | | | Python 3 has a different syntax for meta classes. The old __metaclass__ attribute is no longer supported. six.with_metaclass() constructs a suitable metaclass for us.
* Py3 modernization: libmodernize.fixes.fix_xrange_sixChristian Heimes2015-08-171-1/+1
| | | | | In Python 3 range() returns an iterator and xrange() is gone. Use six.moves to use an iterable range() on Python 2.
* Py3 modernization: libmodernize.fixes.fix_input_sixChristian Heimes2015-08-172-5/+10
| | | | | | | In Python 3 raw_input() has been renamed to input() and the old, insecure input() builtin is gone. six.moves simplifies the transition. It provides the former raw_input() function under the same import name on Python 2 and 3.
* Py3 modernization: libmodernize.fixes.fix_printChristian Heimes2015-08-1710-202/+212
| | | | | | | | | Replace print statement with Python 3's print() function. For Python 2 'from __future__ import print_function' turns the print statement into Python 3 compatible print function. See https://www.python.org/dev/peps/pep-3105/
* Py3 modernization: libmodernize.fixes.fix_importChristian Heimes2015-08-1721-0/+27
| | | | | | | | | | | | | | Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use from . import module The future feature 'from __future__ import absolute_import' ensures that pki uses absolute imports on Python 2, too. See https://www.python.org/dev/peps/pep-0328/
* Ticket #1556 Weak HTTPS TLS ciphersChristina Fu2015-08-171-34/+38
| | | | | | | | | | | | This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization) (cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
* Make pki PEP 8 compatibleChristian Heimes2015-08-1413-181/+202
| | | | | | | | | | | | | | | | | | | Large portions of the patch was automatically created with autopep8: find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \ --aggressive find base/common/upgrade base/server/upgrade -type f -and \ -not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive autopep8 --in-place --ignore E309 --aggressive \ base/common/sbin/pki-upgrade \ base/server/sbin/pkispawn \ base/server/sbin/pkidestroy \ base/server/sbin/pki-server \ base/server/sbin/pki-server-upgrade About two dozent violations were fixed manually. https://fedorahosted.org/pki/ticket/708
* Replace Exception.message with str(exc)Christian Heimes2015-08-101-5/+4
| | | | | | | | | | | | | | | Python 3 has deprecated and remove Exception.message. Instead we should simply use string formatting to print the message of an Exception. >>> import pki >>> pki.PKIException('msg') PKIException('msg',) >>> pki.PKIException('msg').message 'msg' >>> str(pki.PKIException('msg')) 'msg' >>> '%s' % pki.PKIException('msg') 'msg'
* Simplify exception handling in pkihelperChristian Heimes2015-08-101-32/+24
| | | | | | | | | Several methods except OSError before they except shutil.Error. In Python 3 the second except clause will be ignored because in Python 3 shutil.Error is a subclass of OSError. The body of the except clauses only differs in the logging message. A single except clause with an isinstance() check has the same effect.
* Add code to reindex data during cloning without replicationAde Lee2015-07-311-0/+1
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Add certutil options for ECCMatthew Harmsen2015-07-282-3/+33
| | | | | - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
* Remove noise file generation codeAde Lee2015-07-282-64/+19
| | | | | | | | Noise file does not actually need to have random data because NSS does not actually use this data. Certutil still needs the file though, so we will put dummy data in there. This solves potential problems with the random() method used and also issues like BZ 1244382
* Updated man pages with TPS info.Endi S. Dewata2015-07-181-2/+2
| | | | | | | The man pages for pkispawn and pki_default.cfg have been updated to include TPS deployment parameters. https://fedorahosted.org/pki/ticket/1277
* Limited Interactive Installation SupportMatthew Harmsen2015-07-021-0/+19
| | | | | - PKI TRAC Ticket #1441 - Lack of Interactive Installation Support (Cloning, Subordinates, Externals, HSMs, ECC)
* Ticket 1438 pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both ↵Christina Fu2015-07-011-35/+72
| | | | shared and nonshared tomcat instances
* Fixed Modutil.is_security_module_registered().Endi S. Dewata2015-06-291-45/+45
| | | | | | | | Due to issues with HSM the Modutil.is_security_module_registered() has been modified to the get the list of all registered modules and then use it to check if a module is registered. https://fedorahosted.org/pki/ticket/1444
* Check security module registrationMatthew Harmsen2015-06-182-0/+59
| | | | | | - PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances) - PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances) - PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
* ticket 867 symkey library path link fixChristina Fu2015-06-181-0/+7
|
* fix pylint issueChristina Fu2015-06-171-2/+2
|
* add pkiuser to nfast groupMatthew Harmsen2015-06-164-0/+96
| | | | - PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
* Invoke PKIInstance.load() during upgradeFraser Tweedale2015-06-161-0/+3
| | | | | | Some upgrade servlets use attributes loaded when PKIInstance.load() is invoked, but it may not have been; breakage ensues. Invoke it before executing upgrade scriptlets.
* Cleaned up links in main page.Endi S. Dewata2015-06-111-3/+0
| | | | | | | | | | | | | The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem. The pkispawn output has been modified to show the subsystem URL more consistently: https://<hostname>:<port>/<subsystem> In all subsystems except TPS the page will redirect to: https://<hostname>:<port>/<subsystem>/services
* Ticket 867 Need to support TPS as a separate tomcat instance.Christina Fu2015-06-011-8/+0
| | | | | This patch addressed the issue that TPS on independent Tomcat is missing symlink to symkey.jar and causes all symkey method reference to fail
* Fixed overwritten deployment property.Endi S. Dewata2015-05-291-1/+1
| | | | | | | The pki_pin has been removed from the default.cfg to avoid overwriting the randomly generated default value. https://fedorahosted.org/pki/ticket/1393
* disable backup keys and share master keys when using an HSMMatthew Harmsen2015-05-222-6/+39
| | | | | - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
* Added deployment parameters to construct pki_clone_uri.Endi S. Dewata2015-05-221-1/+0
| | | | | | | | New parameters have been added into the default.cfg to specify the master hostname and port for pki_clone_uri. By default they point to the security domain. The man page has been updated as well. https://fedorahosted.org/pki/ticket/1385
* Fixed pylint warning in pkihelper.py.Endi S. Dewata2015-05-141-1/+1
|
* Fixed problem redeploying subsystem.Endi S. Dewata2015-05-141-3/+13
| | | | | | | | The pki-server subsystem-enable CLI has been modified to deploy the subsystem from a custom location if available, or from the default location otherwise. https://fedorahosted.org/pki/ticket/1381
* modify contents of serverCertNick.confMatthew Harmsen2015-05-133-0/+48
| | | | | - PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA should hold off prepending token name in serverCertNick.conf till phase 2
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-112-6/+18
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemdAde Lee2015-05-103-17/+93
| | | | | | | | | | | | | | | | | | | | | | This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Fixed installation logs.Endi S. Dewata2015-05-081-6/+13
| | | | | | | | | To help troubleshooting installation failures the pkihelper.py has been modified to display the error code returned by the server before parsing the error message. If there is a parsing error, the unparsed message will now be displayed. The redundant 'raise' and 'return' statements have been removed.
* Simple fix for this is not requiring the pki_client_database_password to be ↵Jack Magne2015-05-071-1/+3
| | | | | | set when performing a clone operation. Tested with a cloned CA and a couple of other subysstems, such as OCSP.
* Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user.Jack Magne2015-05-072-70/+10
| | | | | | | | | | The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this as well. Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
generated by cgit (git 2.34.1) at 2026-02-02 00:39:27 +0000