summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
* Removed unused code for existing CA installation.Endi S. Dewata2016-04-301-16/+1
| | | | | | | | The print_existing_ca_step_one_information() has been removed from pkispawn since existing CA installation no longer requires two-step operation. https://fedorahosted.org/pki/ticket/1736
* Fixed problem uninstalling standalone KRA.Endi S. Dewata2016-04-291-0/+1
| | | | | | | | When installing a standalone KRA the admin certificate is base-64 encoded and stored in the kra.admin.cert property in the CS.cfg. Previously the encoded certificate contains EOL characters which may cause uninstall to fail due to parsing error. The install code has been fixed to normalize the encoded certificate properly.
* Fixed incorrect clone installation summaryMatthew Harmsen2016-04-281-0/+6
| | | | - PKI TRAC Ticket #856 - Incorrect clone installation summary
* Fixed build issue with apache-commons-codec 1.8.Endi S. Dewata2016-04-281-3/+1
| | | | | | The StringUtils.equals() invocation in AuthzSubsystem has been replaced with regular String.equals() since it's unavailable in apache-commons-codec 1.8.
* Removed unused variables in deployment scriptlets.Endi S. Dewata2016-04-2812-78/+76
| | | | | | | | The unused rv instance variables in all deployment scriptlets have been removed. The spawn() and destroy() are now returning None instead of error code. If an error happens during execution the scriptlet will throw an exception which will be caught by pkispawn or pkidestroy and then displayed to the user.
* Removed pkidaemon support of apache instancesMatthew Harmsen2016-04-275-255/+59
| | | | - PKI TRAC Ticket #2248 - support only tomcat instances
* fix bashismsMatthew Harmsen2016-04-263-7/+7
| | | | | | - PKI TRAC Ticket #2249 - fix bashisms - changes 'source' to '.' - changes 'bash' to 'sh'
* Fix problem in creating certificate requestsAde Lee2016-04-221-2/+2
| | | | | | | | | | | | | | | Some incorrect code was added to request processing in the realm patches. In the request LDAP modification code, if the realm was not present, we added a modification to remove the realm attribute. Unfortunately, if the realm was not present to begin with, this resulted in LDAP returning a "No Such Attribute (16)" error, causing all kinds of requests - including certificate requests to fail to be submitted. At this point, we do not permit users to change the realm of a request. Therefore, there is no reason to remove the realm. If we ever need to do this in future, we'll have to be smarter about it.
* Realm: allow auth instances to support multiple realmsAde Lee2016-04-202-11/+28
| | | | | | | | | | | | | | | | In practice, most folks will use something like DirAclAuthz to manage their realm. Rather than requiring a new authz plugin for each realm, we allow the authz plugin to support multiple realms (as a comma separated list). For the Acl plugins in particular, we expand the authorize call to allow the caller to pass in the realm as well as the resource and operation. The resource queried would then be constructed on the fly as realm.resource Examples will be provided in the wiki page. Trac Ticket 2041
* Realms - Address comments from reviewAde Lee2016-04-206-26/+34
| | | | | | | | | | | | Review comments addressed: 1. when archiving or generating keys, realm is checked 2. when no plugin is found for a realm, access is denied. 3. rename mFoo to foo for new variables. 4. add chaining of exceptions 5. remove attributes from KeyArchivalRequest etc. when realm is null 6. Add more detail to denial in BasicGroupAuthz Part of Trac Ticket 2041
* Add authz checks for all operationsAde Lee2016-04-202-11/+52
| | | | | | | We add authz realm checks as appropriate for each operation. Part of Trac Ticket #2041
* Make recovery methods more consistentAde Lee2016-04-201-4/+43
| | | | | | | | | | | The async recovery request mechanism was implemented differently from other requests. This makes it difficult to add tings like authorization consisitently. We move the required methods to the KeyRequestDAO to be more consistent. Part of Ticket #2041
* Added realm to methods for listing requests and keysAde Lee2016-04-201-0/+6
| | | | | | | | | | | 1. Added query parameters for the realm. If a realm is specified, then only the key requests and keys associated with the realm are returned. If no realm is specified, then only those requests and keys without a realm are returned. 2. Added parameters to keyClient and the CLI Part of Trac Ticket #2041
* Added realm for archival and key generation through RESTAde Lee2016-04-201-1/+25
| | | | | | | | This will allow users to specify the realm when generating or archiving a request. No interface change is needed (yet) because the extra parameter is passed through the request. Part of Ticket #2041
* Added new authz methods to check realmAde Lee2016-04-202-1/+225
| | | | | | | | | | | | * Added method to check realm. This method will look for an authz instance for a specified realm and invoke it to determine access. * Added a basic group based authz plugin mostly for testing. This plugin simply checks if the requestor is in the correct group. In practice, customers will probably want something more complex maybe subclassing BasicAclAuthz. Part of Trac Ticket #2041
* Add realm to the key recordAde Lee2016-04-203-6/+19
| | | | Part of Trac Ticket# 2041
* Add realm to the request recordAde Lee2016-04-205-17/+54
| | | | Part of Trac Ticket #2041
* Add realm schema changesAde Lee2016-04-201-2/+7
| | | | | Added realm attribute and index. Added to request and keyRecord. Part of Trac Ticket 2041
* Fixed PKCS #12 export options.Endi S. Dewata2016-04-202-2/+40
| | | | | | | | The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
* Add script to enable USN pluginAde Lee2016-04-153-0/+22
| | | | | | | | | | | | | | New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception whch prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Moved self-signed SSL server certificate creation.Endi S. Dewata2016-04-152-41/+55
| | | | | | | | | To avoid possible conflicts imported external certificates, the self-signed SSL server certificate creation has been moved after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
* Updated pki pkcs12-export CLI.Endi S. Dewata2016-04-153-10/+30
| | | | | | | | | | | | For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
* Simplified deployment properties for existing CA case.Endi S. Dewata2016-04-153-13/+45
| | | | | | | | | | | | | | | A new pki_existing deployment property has been added to install CA with existing CA certificate and key in a single step. New certificate deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_ca_signing_csr_path -> pki_external_csr_path - pki_ca_signing_cert_path -> pki_external_ca_cert_path - pki_cert_chain_path -> pki_external_ca_cert_chain_path - pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname https://fedorahosted.org/pki/ticket/1736
* Added PKCS #12 deployment properties.Endi S. Dewata2016-04-152-5/+8
| | | | | | | | | | New PKCS #12 deployment properties have been added as aliases for some external CA properties to allow them to be used in more general cases: - pki_pkcs12_path -> pki_external_pkcs12_path - pki_pkcs12_password -> pki_external_pkcs12_password https://fedorahosted.org/pki/ticket/1736
* Lightweight CAs: indicate when CA does not yet have keysFraser Tweedale2016-04-141-4/+1
| | | | | | | | | | When a lightweight CA is created, clones will initialise a local object when the LDAP replication takes place, however, the signing keys will not yet have been replicated. Therefore, indicate CA readiness in authority data and respond appropriately (HTTP 503) when signing operations are attempted. Part of: https://fedorahosted.org/pki/ticket/1625
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-132-4/+22
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Fixed exception handling in CertUtil.Endi S. Dewata2016-04-122-14/+18
| | | | | | | The CertUtil.createLocalCert() has been modified to re-throw the exception instead of ignoring it. https://fedorahosted.org/pki/ticket/1654
* Fixed exception handling in CertificateAuthority.Endi S. Dewata2016-04-129-56/+71
| | | | | | | | The CertificateAuthority.getCACert() has been modified to re-throw the exception instead of ignoring it. All callers have been modified to bubble up the exception. https://fedorahosted.org/pki/ticket/1654
* Fixed pki pkcs12-import backward compatibility.Endi S. Dewata2016-04-082-8/+23
| | | | | | | | | | | | | For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Fixed missing trust flags in certificate backup.Endi S. Dewata2016-04-041-22/+18
| | | | | | | | | | | | | | | | | | | | The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
* comment typosChristina Fu2016-03-311-9/+9
|
* Fixed KRA install problem.Endi S. Dewata2016-03-302-28/+44
| | | | | | | | | | | | | Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists. The PKIInstance class has been modified to allow loading partially created instance to help the installation. https://fedorahosted.org/pki/ticket/2247
* Install tools clean-up.Endi S. Dewata2016-03-305-16/+13
| | | | | | | | | | | | Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg. https://fedorahosted.org/pki/ticket/2247
* Fixed certificate chain import problem.Endi S. Dewata2016-03-291-11/+13
| | | | | | | | | | | | In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-284-22/+184
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Fixed exception handling in EnrollProfile.Endi S. Dewata2016-03-241-70/+87
| | | | | | | To help troubleshooting the EnrollProfile has been modified to log the stack trace and chain the exception. https://fedorahosted.org/pki/ticket/1654
* Allow multiple ACLs of same name (union of rules)Fraser Tweedale2016-03-221-1/+13
| | | | | | | | | | | Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when loading ACLs each load overwrites the previous. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL. Part of: https://fedorahosted.org/pki/ticket/1625
* Remove unused 'toMIME64' methodsFraser Tweedale2016-03-221-10/+0
|
* Remove commented-out codeFraser Tweedale2016-03-222-18/+0
|
* Remove unused class 'RAEnrollProfile'Fraser Tweedale2016-03-221-128/+0
|
* Remove unused variables from profile classesFraser Tweedale2016-03-221-1/+0
| | | | | Also drive-by refactor 'createProfileData' to use 'getProfile', reducing code size.
* Removed unnecessary URL encoding for admin cert request.Endi S. Dewata2016-03-212-2/+8
| | | | | | | | | Due to changes in aaacd71a2f125501645885d3da1de18459782572, when pki_import_admin_cert is set to False the installation code performs an unnecessary URL encoding for the admin certificate request. The extra URL encoding has now been removed. https://fedorahosted.org/pki/ticket/1803
* Added support for cloning 3rd-party CA certificates.Endi S. Dewata2016-03-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
* Additional clean-ups for PKCS #12 utilities.Endi S. Dewata2016-03-185-22/+23
| | | | | | | | | | | | | | | | The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742
* Renamed PKCS #12 options for consistency.Endi S. Dewata2016-03-186-41/+41
| | | | | | | The pki CLI's --pkcs12 options has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742
* Added TPS token filter dialog.Endi S. Dewata2016-03-171-6/+22
| | | | | | | | | | | The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes. https://fedorahosted.org/pki/ticket/1482
* Replaced confirmation dialog with HTML dialog.Endi S. Dewata2016-03-171-6/+52
| | | | | | | | | The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685
* Make PKIInstance and PKISubsystem hashableChristian Heimes2016-03-041-2/+4
| | | | The upgrade uses instance and subsystem as keys for dicts.
* Package pki client library for Python 3Christian Heimes2016-03-041-2/+2
| | | | | | | | | | Dogtag's Python code has been compatible with Python 3 for a while. A new package pki-base-python3 provides the pki package for clients. As of now pki.server is not packages for Python 3. The pki-base package also provides pki-base-python2. https://fedorahosted.org/pki/ticket/1739
* Correct installation path for pki.serverChristian Heimes2016-03-031-1/+1
| | | | | 0e35b64c1f751cc8a7a8a0fac25828a8eab24714 introduced an additional and unwanted directory.
generated by cgit (git 2.34.1) at 2024-06-07 03:13:40 +0000