| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/1674
|
|
|
|
|
|
|
|
|
|
| |
In several places we are casting a `Principal' to `PKIPrincpal',
when `GenericPrincpal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
|
|
| |
Due to database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
|
|
|
|
|
| |
Ticket # 1466 .
Also remove some needless copies of server.xml from the code.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|
| |
|
| |
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy all subsystems
directly from the /usr/share/pki. This will simplify updating
the templates in the web applications.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First cut of gp211 and scp protocol 02 for tokens.
Allow token operations using a GP211 token over secure channel protocol 02.
This patch supports the following:
1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
2. Token still supports GP201 cards with SCP01.
3. SCP02 tested with SC650 gp211/scp02 card.
Things still to do:
1. Right now the SCP02 support has been tested with the current gp201 applet and
enrollment and formatting works just fine. We need to modify and compile the applet
against the GP211 spec and retest to see if any further changes are needed.
2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some
of the routines are self contained vs similar SCP01 ones. We have another ticket to
complete the nistSP800 support from end to end. This work will be done for that ticket.
3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism.
As of now this work is done by simple encryption, this can be done later.
4. The security APDU level of "RMAC" is not supported because the card does not support it.
It could have been done to the spec, but it having the card to test is more convenient and there
were more crucial issues to this point.
|
|
|
|
|
| |
- this patch does not include TPS side of changes:
(#865 needs to be rewritten in Java)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
|
|
|
|
|
|
| |
This reverts commit 223d15539b7bcc0df025025036af2935726e52e3.
The patch does not work for subsystems installed on separate
instance since it will require additional OCSP setup.
|
|
|
|
|
|
|
|
| |
The CS.cfg templates for all subsystems have been modified to enable
certificate revocation checking during authentication. This will
affect new installations only.
Ticket #1117, #1134
|
|
|
|
| |
- PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
|
|
|
|
| |
- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
|
|
|
|
| |
* PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
|
|
|
|
|
| |
* PKI TRAC Ticket #946 - Installation of IPA hangs up
when LANG is set to tr_TR.UTF8
|
|
|
|
|
|
|
|
|
|
| |
Some REST services that accept search keywords have been modified to
require a minimum length of 3 characters.
The DEFAULT_SIZE constant has been moved into the base PKIService
class to reduce multiple declarations.
Ticket #920
|
|
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
|
|
|
|
|
|
|
|
| |
New subclasses of SystemConfigService have been added for each
subsystem to replace the base installer. Initially these classes
are blank, so they are identical to the base class. Later they will
store subsystem-specific installation code.
Ticket #890
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the CMSStartServlet always requires a cfgPath parameter
pointing to the CS.cfg location. By default the parameter points to
<instance>/conf/<subsystem>/CS.cfg unless it's manually changed by
the admin after installation.
Recently the servlet has been modified such that if the parameter
is not specified it will generate the default path automatically.
So it is no longer necessary to keep the cfgPath parameter in the
web.xml templates because it will point to the same location.
This patch removes the cfgPath parameters from all web.xml templates.
This way newly created subsystems will not have this parameter, which
will help direct deployment in the future. An upgrade script has been
added to remove the parameter from existing instances if it points to
the default location. If the parameter points to a different location
that means the subsystem has been customized so it will not be changed.
Ticket #748, #499
|
|
|
|
|
|
|
|
|
|
|
| |
A new CLI parameter has been added to allow the user select the
REST message format. This is done by setting the default consumes
and produces when creating the client proxy. For this to work the
hard-coded @Consumes and @Produces annotations need to be removed
from the interface definition. A new interceptor has been added
to validate the message format before executing the operation.
Ticket #554
|
|
|
|
|
|
|
|
| |
The REST service classes have been moved into org.dogtagpki.server
namespace. A new upgrade script has been added to update existing
instances.
Ticket #114
|
|
|
|
|
|
|
|
| |
This patch provides authentication plugin avoiding anonymous access.
Steps to use the plugin:
https://wiki.idm.lab.bos.redhat.com/export/idmwiki/New_Directory_Authentication_Plugin
BZ 861467/ Trac #348.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The location of web application context file has been changed from
<instance>/webapps/<name>/META-INF/context.xml
into
<instance>/conf/Catalina/localhost/<name>.xml.
This will eventually allow deploying the web application directly
from the shared folder.
A new upgrade script has been added to move the context files in
the existing instances.
Ticket #499
|
|
|
|
|
|
|
| |
New ACL has been added to allow only the administrators in each subsystem
to access the selftests.
Ticket #652
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ACL mapping files have been renamed from auth.properties to
acl.properties to match the actual content and moved into the
subsystem conf folder. The authentication method mapping files
have been extracted from the interceptor into actual files.
The ACLInterceptor and AuthMethodInterceptors have been modified to read
the default mapping first, then overwrite it with custom mapping if it
exists in the subsystem folder.
The UpdateAuthzProperties upgrade script has been replaced with
RemoveAuthProperties that will remove the old auth.properties.
|
|
|
|
|
| |
The ACL and auth method mapping names in some resources have been
modified to be more consistent with those in other resources.
|
|
|
|
|
|
|
|
|
|
| |
New ACL has been added to allow only the administrators to access
TPS authenticators.
The set of interceptors in each application has been modified to
preserve the order.
Ticket #652
|
|
|
|
|
|
|
| |
Due to a regression RESTEasy is unable to find some sub-resources properly.
As a workaround some resources need to be merged into the parent resource.
The UserCertResource and UserMembershipResource have been merged into
UserResource. The GroupMemberResource has been merged into GroupResource.
|
|
|
|
| |
* TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
|
|
|
|
|
|
|
| |
A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652
|
|
|
|
|
|
|
| |
New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652
|
|
|
|
|
|
|
|
| |
The self tests and TokenServlet are modified to use the new shared secret
names. A parameter has been added to allow legacy systems to continue running
as-is. With a new system, the TKS self test will not fail on startup if
no shared secret keys are configured. It will fail, however, if the keys are
configured, but the ComputeSessionKey operation fails.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operations requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.
|
|
|
|
| |
Ticket 719
|
| |
|
|
|
|
|
|
| |
The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.
|
|
|
|
|
| |
This code allows pkispawn to configure a tps in tomcat.
It does not include any config using the web UI panels.
|
|
|
|
|
|
|
|
|
| |
The authenticator configuration has been modified to store the authentication
info in the session so it can be used by the servlets. An upgrade script has
been added to update the configuration in existing instances.
The SSLAuthenticatorWithFalback was modified to propagate the configuration
to the actual authenticator handling the request.
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the server certificate name was partially hard-coded as
"Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems
it can be fully configured using pki_ssl_server_nickname parameter.
In Apache-based subsystems it's left unchanged.
Unused serverCertNick.conf files have been removed.
Ticket #631
|