summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
...
* Py3 compatibility: encode output of subprocess callChristian Heimes2015-08-176-16/+22
| | | | | | | | | In Python 3 subprocess.Popen() and check_out() return bytes. The rest of PKI expects text, so the output has to be decoded. - ascii for dnsdomainname - sys.getfilesystemencoding() for paths - utf-8 for the rest
* Py3 compatibility: write XML as encoded bytesChristian Heimes2015-08-1710-27/+32
| | | | | Python 3 treats serialized XML as encoded bytes. etree must encode XML to UTF-8 and write it to a file opened in binary mode.
* Py3 modernization: misc manual fixesChristian Heimes2015-08-176-33/+41
| | | | | | | | | | | | | | | | | | | | | | Python 3's exception class has no message attribute. e.message can either be replaced with string representation of e or e.args[0]. Use print(line, end='') instead of sys.stdout.write(). With end='' no new line is appended. Use six.reraise() to reraise an exception. Remove sys.exc_clear() as it is no longer available in Python 3. Conditionally import shutil.WindowsError. Use six.move to import correct modules / function like quote, urlparse and configparser. Silence some pylint warnings. pylint doesn't understand six.moves magic and emits a import-error warning. Add additional tox envs to check for Python 3 compatibility.
* policycoreutils-python3 lacks sepolgen on Fedora 22Christian Heimes2015-08-172-4/+21
| | | | | | | | | Fedora 22's Python bindings for SELinux lacks sepolgen. The seobject package is available for Python 3 but can't be imported because it depends on sepolgen. The workaround makes it possible to test the Python 3 port on Fedora 22. It can be removed later once Fedora 23 is out.
* Py3 modernization: libmodernize.fixes.fix_dict_sixChristian Heimes2015-08-171-1/+1
| | | | | | | | | In Python 3 dict methods like values(), items() and keys() return views rather than lists. The iter equivalents are gone. Use six to use iterators on Python 2 and 3. In some places like setup.py a list is required. Use list(somedict.values()) to get a list on all Python versions.
* Py3 modernization: libmodernize.fixes.fix_metaclassChristian Heimes2015-08-171-4/+2
| | | | | | Python 3 has a different syntax for meta classes. The old __metaclass__ attribute is no longer supported. six.with_metaclass() constructs a suitable metaclass for us.
* Py3 modernization: libmodernize.fixes.fix_xrange_sixChristian Heimes2015-08-171-1/+1
| | | | | In Python 3 range() returns an iterator and xrange() is gone. Use six.moves to use an iterable range() on Python 2.
* Py3 modernization: libmodernize.fixes.fix_input_sixChristian Heimes2015-08-172-5/+10
| | | | | | | In Python 3 raw_input() has been renamed to input() and the old, insecure input() builtin is gone. six.moves simplifies the transition. It provides the former raw_input() function under the same import name on Python 2 and 3.
* Py3 modernization: libmodernize.fixes.fix_printChristian Heimes2015-08-1714-327/+341
| | | | | | | | | Replace print statement with Python 3's print() function. For Python 2 'from __future__ import print_function' turns the print statement into Python 3 compatible print function. See https://www.python.org/dev/peps/pep-3105/
* Py3 modernization: libmodernize.fixes.fix_importChristian Heimes2015-08-1750-0/+56
| | | | | | | | | | | | | | Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use from . import module The future feature 'from __future__ import absolute_import' ensures that pki uses absolute imports on Python 2, too. See https://www.python.org/dev/peps/pep-0328/
* Ticket #1556 Weak HTTPS TLS ciphersChristina Fu2015-08-174-34/+110
| | | | | | | | | | | | This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization) (cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
* Make pki PEP 8 compatibleChristian Heimes2015-08-1433-304/+401
| | | | | | | | | | | | | | | | | | | Large portions of the patch was automatically created with autopep8: find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \ --aggressive find base/common/upgrade base/server/upgrade -type f -and \ -not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive autopep8 --in-place --ignore E309 --aggressive \ base/common/sbin/pki-upgrade \ base/server/sbin/pkispawn \ base/server/sbin/pkidestroy \ base/server/sbin/pki-server \ base/server/sbin/pki-server-upgrade About two dozent violations were fixed manually. https://fedorahosted.org/pki/ticket/708
* setpin utility doesn't set the pin for users.Jack Magne2015-08-131-0/+5
| | | | | | | | | | | | | | | | | | There were some things wrong with the setpin utility. 1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased. 2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning '-' 3. We also need to prepend the dn in front of the pin so the back end can verify the set pin. Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment. 4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
* One-liner fix to conditional for new SerialNumberUpdateTaskAde Lee2015-08-121-2/+2
|
* Fixed missing query parameters in ListCerts page.Endi S. Dewata2015-08-121-31/+29
| | | | | | | | | The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1538
* Separate range and cert status threadsAde Lee2015-08-121-4/+76
| | | | | | | | | | | | | | We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too. To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled. Bugzilla # 1251606
* Replace Exception.message with str(exc)Christian Heimes2015-08-101-5/+4
| | | | | | | | | | | | | | | Python 3 has deprecated and remove Exception.message. Instead we should simply use string formatting to print the message of an Exception. >>> import pki >>> pki.PKIException('msg') PKIException('msg',) >>> pki.PKIException('msg').message 'msg' >>> str(pki.PKIException('msg')) 'msg' >>> '%s' % pki.PKIException('msg') 'msg'
* Simplify exception handling in pkihelperChristian Heimes2015-08-101-32/+24
| | | | | | | | | Several methods except OSError before they except shutil.Error. In Python 3 the second except clause will be ignored because in Python 3 shutil.Error is a subclass of OSError. The body of the except clauses only differs in the logging message. A single except clause with an isinstance() check has the same effect.
* remove more inaccessible URLs from server.xmlMatthew Harmsen2015-08-074-16/+12
| | | | | | | - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible - PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat shows an error page
* Ticket 1531 Directory auth plugin requires LDAP anonymous bindsChristina Fu2015-08-076-12/+131
| | | | | | | | | | | | | | | | | | | | - This patch adds a feature to allow a directory based authentication plugin to use bound ldap conneciton instead of anonymous. Two files need to be edited 1. <instance>/conf/password.conf add a "tag" and the password of the binding user dn to the file e.g. externalLDAP=password123 2. <instance>/ca/CS.cfg add the tag to cms.passwordlist: e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP add the authPrefix of the auths entry for the authentication instance e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment add relevant entries to the authentication instance e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
* Fixed missing cert request hostname and address.Endi S. Dewata2015-08-054-27/+33
| | | | | | | | | | | | The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well. https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replicationAde Lee2015-07-315-30/+78
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Firefox warningJack Magne2015-07-311-9/+0
| | | | | | | | Ticket #1523 Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Add certutil options for ECCMatthew Harmsen2015-07-285-5/+38
| | | | | - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
* Remove noise file generation codeAde Lee2015-07-282-64/+19
| | | | | | | | Noise file does not actually need to have random data because NSS does not actually use this data. Certutil still needs the file though, so we will put dummy data in there. This solves potential problems with the random() method used and also issues like BZ 1244382
* Fix code to add replicationdb password unless already presentAde Lee2015-07-241-1/+1
| | | | | | | | | The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independantly of whether replication is being set up in case it is needed to set up replication (as a master) later. Related to Ticket 1414
* Updated man pages with TPS info.Endi S. Dewata2015-07-183-30/+178
| | | | | | | The man pages for pkispawn and pki_default.cfg have been updated to include TPS deployment parameters. https://fedorahosted.org/pki/ticket/1277
* Updated man page for configuring secure LDAP connection.Endi S. Dewata2015-07-181-36/+77
| | | | | | | | | | | | The instruction to setup secure LDAP connection in the pkispawn man page has been updated. The sample deployment configuration file has been made more generic. The setup-ds.pl has been removed from the instruction since generating a self-signed certificate requires a DS admin server. The URL to download setupssl2.sh has been changed with a more direct link. The sample LDAP password has been changed to match the current deployment configuration examples. Some paragraphs have been line wrapped to simplify man page development.
* Added 'pkidaemon' man page.Matthew Harmsen2015-07-171-0/+304
|
* Document workaround for 1454 in 'pkispawn' man page.Jack Magne2015-07-171-1/+18
| | | | Ticket #1486.
* Removed hard-coded /root in pkispawn man page.Endi S. Dewata2015-07-171-5/+6
| | | | | | | | | The /root in pkispawn man page has been replaced with a more generic $HOME. An incorrect /root in the following example has been removed: semanage -a -t pki_tomcat_cert_t /root/backup_keys.p12
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-164-0/+120
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Updated pkispawn man page.Endi S. Dewata2015-07-161-103/+302
| | | | | | | | | The pkispawn man page has been updated to clarify the section headers of various deployment scenarios. Some paragraphs have been line wrapped to simplify man page development. The existing sample password has been replaced with another password that does not match a parameter name to simplify search and replace for customization.
* Fix exception when talking to dogtag 9 systemsAde Lee2015-07-161-6/+3
| | | | | | | | | | | | | When getting a token from the security domain for a Dogtag 9 system, we first attempt to reach the REST interfaces. When this fails (with 404 exception), we catch the exception and try the old interfaces. The exception being thrown has been changed from the deprecated ClientResponseFailure to being wrapped in a PKIException, so the code catching the exception needs to be modified accordingly. Ticket 1495
* Added man pages for pki-serverAde Lee2015-07-165-0/+429
| | | | Trac ticket 1356
* Fixed PKCS12Export output.Endi S. Dewata2015-07-151-1/+3
| | | | | | | | | | | | The PKCS12Export has been modified such that if an error occurs in normal mode it will display the error message and in debug mode it will display the full stack trace. The code has also been refactored such that it can be reused as a library in addition to command-line tool. The code will now throw exceptions instead of exiting to the system. https://fedorahosted.org/pki/ticket/1224
* Fixed cert-find performance.Endi S. Dewata2015-07-153-49/+112
| | | | | | | | The CertService.searchCerts() has been modified to use the VLV properly to retrieve just the entries in the requested page, thus reducing the response time and memory requirement. Some classes have been modified to clean up the debugging logs.
* Renamed deprecated pylint 'disable-msg' to 'disable'.Matthew Harmsen2015-07-141-1/+1
|
* Man page updates for cloningAde Lee2015-07-141-6/+41
| | | | Ticket 1076
* Disable 'W1401' anomalous-backslash-in-string pylint warning for regexMatthew Harmsen2015-07-131-0/+1
| | | | expressions used by system call to 'sed'.
* remove inaccessible URLs from server.xmlMatthew Harmsen2015-07-133-6/+40
| | | | | - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible
* Add details on exporting and importing system certs when cloning.Ade Lee2015-07-131-1/+16
| | | | Trac ticket 852, 853
* Ticket 1414: Add documentation of pki_clone_setup_replicationAde Lee2015-07-131-1/+5
|
* pkispawn man page ECC exampleMatthew Harmsen2015-07-101-0/+34
| | | | - PKI TRAC Ticket #1460 - Add 'pkispawn' man page example for ECC
* In-tree tests and linting with toxChristian Heimes2015-07-102-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | Before the patch it wasn't possible to run pylint outside a RPM build. The Python sources were split into common and server files in two separate trees. With setup.py and tox the pki package can now be installed and tested in a virtual env. Tox enables developers to automate installation and testing in Python virtual environment. The new tox.ini performs several tasks with one command: * It creates and installs a source distribution of pki packages and its command line scripts * It verifies that all CLI scripts can be execute (using its --help argument). * It runs pylint on all Python files and CLI scripts. * It can run flake8 on all Python and CLI files (disabled for now). * Finally it builds Sphinx autodocs. I had to delay the root check in pkispawn and pkidestroy and modify two files to get rid of Sphinx warnings. https://fedorahosted.org/pki/ticket/696 http://tox.readthedocs.org
* Fixed user-cert-add --serial with remote CA.Endi S. Dewata2015-07-091-6/+4
| | | | | | | | | | | | | | | | | The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally. A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance. The SubsystemCLI has been modified to call logout() only if the operation is executed successfully. The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient. https://fedorahosted.org/pki/ticket/1448
* Fixed default cert-find filter.Endi S. Dewata2015-07-061-120/+128
| | | | | | | | To improve the performance the default LDAP filter generated by cert-find has been changed to (certStatus=*) to match an existing VLV index. https://fedorahosted.org/pki/ticket/1449
* Omit OCSP from clone description.Jack Magne2015-07-061-4/+4
| | | | | Ticket #1358. Also note that OCSP cloning is unsupported as of now.
* Note on overriding pki_client_dir when using an HSMMatthew Harmsen2015-07-061-0/+3
| | | | | | - PKI TRAC Ticket #1425 - pkispawn CA with HSM - if the config file has pki_client related params the dir is not created and the admin cert p12 file is stored nowhere
* Ticket 1447 pkispawn: findCertByNickname fails to find cert in creating ↵Christina Fu2015-07-061-5/+9
| | | | shared tomcat subsystems on HSM
generated by cgit (git 2.34.1) at 2025-09-28 02:27:16 +0000