summaryrefslogtreecommitdiffstats
path: root/base
Commit message (Collapse)AuthorAgeFilesLines
...
* Py3 modernization: libmodernize.fixes.fix_dict_sixChristian Heimes2015-08-177-24/+32
| | | | | | | | | In Python 3 dict methods like values(), items() and keys() return views rather than lists. The iter equivalents are gone. Use six to use iterators on Python 2 and 3. In some places like setup.py a list is required. Use list(somedict.values()) to get a list on all Python versions.
* Py3 modernization: libmodernize.fixes.fix_unicode_typeChristian Heimes2015-08-171-17/+18
| | | | | The unicode type has been renamed to str. six.text_type is unicode in Python 2 and str in Python 3.
* Py3 modernization: libmodernize.fixes.fix_metaclassChristian Heimes2015-08-172-6/+4
| | | | | | Python 3 has a different syntax for meta classes. The old __metaclass__ attribute is no longer supported. six.with_metaclass() constructs a suitable metaclass for us.
* Py3 modernization: lib2to3.fixes.fix_execfileChristian Heimes2015-08-171-1/+4
| | | | | execfile has been removed from Python 3. The upgrade importer now reads, compiles and executed the upgrade scripts manually.
* Py3 modernization: libmodernize.fixes.fix_xrange_sixChristian Heimes2015-08-172-1/+3
| | | | | In Python 3 range() returns an iterator and xrange() is gone. Use six.moves to use an iterable range() on Python 2.
* Py3 modernization: libmodernize.fixes.fix_input_sixChristian Heimes2015-08-173-6/+14
| | | | | | | In Python 3 raw_input() has been renamed to input() and the old, insecure input() builtin is gone. six.moves simplifies the transition. It provides the former raw_input() function under the same import name on Python 2 and 3.
* Py3 modernization: libmodernize.fixes.fix_printChristian Heimes2015-08-1724-612/+636
| | | | | | | | | Replace print statement with Python 3's print() function. For Python 2 'from __future__ import print_function' turns the print statement into Python 3 compatible print function. See https://www.python.org/dev/peps/pep-3105/
* Py3 modernization: libmodernize.fixes.fix_importChristian Heimes2015-08-1771-0/+77
| | | | | | | | | | | | | | Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use from . import module The future feature 'from __future__ import absolute_import' ensures that pki uses absolute imports on Python 2, too. See https://www.python.org/dev/peps/pep-0328/
* Ticket #1556 Weak HTTPS TLS ciphersChristina Fu2015-08-174-34/+110
| | | | | | | | | | | | This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization) (cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
* Make pki PEP 8 compatibleChristian Heimes2015-08-1448-536/+752
| | | | | | | | | | | | | | | | | | | Large portions of the patch was automatically created with autopep8: find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \ --aggressive find base/common/upgrade base/server/upgrade -type f -and \ -not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive autopep8 --in-place --ignore E309 --aggressive \ base/common/sbin/pki-upgrade \ base/server/sbin/pkispawn \ base/server/sbin/pkidestroy \ base/server/sbin/pki-server \ base/server/sbin/pki-server-upgrade About two dozent violations were fixed manually. https://fedorahosted.org/pki/ticket/708
* setpin utility doesn't set the pin for users.Jack Magne2015-08-133-34/+35
| | | | | | | | | | | | | | | | | | There were some things wrong with the setpin utility. 1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased. 2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning '-' 3. We also need to prepend the dn in front of the pin so the back end can verify the set pin. Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment. 4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
* Ticket 1543 portalEnroll authentication does not load during creation from ↵Christina Fu2015-08-121-2/+0
| | | | | | | | | | | | | | Console It appears that the PortalEnroll plugin was never converted to work in the Profile Framework. This patch takes out the following line from CS.cfg: auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll so that it cannot be instantiated from the console, nor manually in CS.cfg, unless explicitly put back in. While in CS.cfg.in, I found the NSSAuth auths.impl line having no real implementation, so I remove that too.
* One-liner fix to conditional for new SerialNumberUpdateTaskAde Lee2015-08-121-2/+2
|
* Fixed missing query parameters in ListCerts page.Endi S. Dewata2015-08-123-31/+37
| | | | | | | | | The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1538
* Ticket 1539 Unable to create ECC KRA Instance when kra admin key type is ECCChristina Fu2015-08-122-4/+4
| | | | | | This patch changes the relevant CA enrollment admin profiles so that they accept requests for EC certs. The issue actually not just affected KRA, it also affected other non-CA subsystems.
* Separate range and cert status threadsAde Lee2015-08-122-4/+81
| | | | | | | | | | | | | | We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too. To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled. Bugzilla # 1251606
* Replace Exception.message with str(exc)Christian Heimes2015-08-102-10/+9
| | | | | | | | | | | | | | | Python 3 has deprecated and remove Exception.message. Instead we should simply use string formatting to print the message of an Exception. >>> import pki >>> pki.PKIException('msg') PKIException('msg',) >>> pki.PKIException('msg').message 'msg' >>> str(pki.PKIException('msg')) 'msg' >>> '%s' % pki.PKIException('msg') 'msg'
* Simplify exception handling in pkihelperChristian Heimes2015-08-101-32/+24
| | | | | | | | | Several methods except OSError before they except shutil.Error. In Python 3 the second except clause will be ignored because in Python 3 shutil.Error is a subclass of OSError. The body of the except clauses only differs in the logging message. A single except clause with an isinstance() check has the same effect.
* Remove import of exceptions moduleChristian Heimes2015-08-101-2/+1
| | | | | The exceptions module is obsolete. All builtin exception classes are globals.
* Don't use the types module for builtin typesChristian Heimes2015-08-103-25/+22
| | | | | Since Python 2.2 most types in the types module refer to builtin type objects, e.g. types.ListType is list.
* Use dict.iteritems() instead of dict.items()Christian Heimes2015-08-104-34/+32
| | | | | | iteritems() is the preferred way to iterate over key, value pairs. Python-modernize can convert iteritems() to efficient code on Python 2 and 3.
* Temporary silence InsecureRequestWarningChristian Heimes2015-08-081-0/+24
| | | | https://fedorahosted.org/pki/ticket/1253
* remove more inaccessible URLs from server.xmlMatthew Harmsen2015-08-074-16/+12
| | | | | | | - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI subsystems which are not accessible - PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat shows an error page
* Ticket 1531 Directory auth plugin requires LDAP anonymous bindsChristina Fu2015-08-076-12/+131
| | | | | | | | | | | | | | | | | | | | - This patch adds a feature to allow a directory based authentication plugin to use bound ldap conneciton instead of anonymous. Two files need to be edited 1. <instance>/conf/password.conf add a "tag" and the password of the binding user dn to the file e.g. externalLDAP=password123 2. <instance>/ca/CS.cfg add the tag to cms.passwordlist: e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP add the authPrefix of the auths entry for the authentication instance e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment add relevant entries to the authentication instance e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
* Fixed missing cert request hostname and address.Endi S. Dewata2015-08-057-47/+46
| | | | | | | | | | | | The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well. https://fedorahosted.org/pki/ticket/1535
* remove extra space from Base 64 encoded cert displaysMatthew Harmsen2015-07-316-18/+18
| | | | | - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded certificate display
* Add code to reindex data during cloning without replicationAde Lee2015-07-3116-32/+243
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Firefox warningJack Magne2015-07-313-15/+7
| | | | | | | | Ticket #1523 Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Add certutil options for ECCMatthew Harmsen2015-07-285-5/+38
| | | | | - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg.Jack Magne2015-07-281-0/+1
| | | | | | | | | It is true that his setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature , even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* Ticket 1307 issue: FilterMappingResolver always returns targetChristina Fu2015-07-282-7/+12
|
* TPS UI: After successful key upgrade during pin reset operation the token db ↵Jack Magne2015-07-281-0/+15
| | | | | | | still shows old key Simple matter of not updating the token record at the end of the pin reset operation. Also, make sure the activity log is correct.
* Remove noise file generation codeAde Lee2015-07-282-64/+19
| | | | | | | | Noise file does not actually need to have random data because NSS does not actually use this data. Certutil still needs the file though, so we will put dummy data in there. This solves potential problems with the random() method used and also issues like BZ 1244382
* Fix code to add replicationdb password unless already presentAde Lee2015-07-241-1/+1
| | | | | | | | | The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independantly of whether replication is being set up in case it is needed to set up replication (as a master) later. Related to Ticket 1414
* Fixed ObjectNotFoundException in PKCS12Export.Endi S. Dewata2015-07-201-6/+6
| | | | | | | The PKCS12Export has been fixed to handle ObjectNotFoundException when exporting certificates without private keys. https://fedorahosted.org/pki/ticket/1506
* Added pki-tps-profile man page.Endi S. Dewata2015-07-185-28/+188
| | | | | | | | | A new man page has been added for the pki tps-profile CLI. The CLI has been modified to refer to the new man page. Some other man pages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1271
* Updated man pages with TPS info.Endi S. Dewata2015-07-183-30/+178
| | | | | | | The man pages for pkispawn and pki_default.cfg have been updated to include TPS deployment parameters. https://fedorahosted.org/pki/ticket/1277
* Updated man page for configuring secure LDAP connection.Endi S. Dewata2015-07-181-36/+77
| | | | | | | | | | | | The instruction to setup secure LDAP connection in the pkispawn man page has been updated. The sample deployment configuration file has been made more generic. The setup-ds.pl has been removed from the instruction since generating a self-signed certificate requires a DS admin server. The URL to download setupssl2.sh has been changed with a more direct link. The sample LDAP password has been changed to match the current deployment configuration examples. Some paragraphs have been line wrapped to simplify man page development.
* Added 'pkidaemon' man page.Matthew Harmsen2015-07-171-0/+304
|
* Added pki-audit man page.Endi S. Dewata2015-07-172-2/+112
| | | | | | | | A new man page has been added for the pki <subsystem>-audit CLI. Due to database upgrade issue the command is currently only available in TPS. https://fedorahosted.org/pki/ticket/1437
* Removed audit CLI from non-TPS subsystems.Endi S. Dewata2015-07-1713-39/+13
| | | | | | | | | | Due to database upgrade issue the pki <subsystem>-audit CLI has been removed from all subsystems except TPS. The AuditModifyCLI has been modified to clarify that the --action and the --input parameters are mutually exclusive. https://fedorahosted.org/pki/ticket/1437
* Remove 'setup' directory containing remaining Perl routinesMatthew Harmsen2015-07-175-4383/+0
| | | | - PKI TRAC Ticket #1492 - remove pki-proxy-setup
* Document workaround for 1454 in 'pkispawn' man page.Jack Magne2015-07-171-1/+18
| | | | Ticket #1486.
* Removed hard-coded /root in pkispawn man page.Endi S. Dewata2015-07-171-5/+6
| | | | | | | | | The /root in pkispawn man page has been replaced with a more generic $HOME. An incorrect /root in the following example has been removed: semanage -a -t pki_tomcat_cert_t /root/backup_keys.p12
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-169-1316/+120
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Updated pkispawn man page.Endi S. Dewata2015-07-161-103/+302
| | | | | | | | | The pkispawn man page has been updated to clarify the section headers of various deployment scenarios. Some paragraphs have been line wrapped to simplify man page development. The existing sample password has been replaced with another password that does not match a parameter name to simplify search and replace for customization.
* Fix exception when talking to dogtag 9 systemsAde Lee2015-07-161-6/+3
| | | | | | | | | | | | | When getting a token from the security domain for a Dogtag 9 system, we first attempt to reach the REST interfaces. When this fails (with 404 exception), we catch the exception and try the old interfaces. The exception being thrown has been changed from the deprecated ClientResponseFailure to being wrapped in a PKIException, so the code catching the exception needs to be modified accordingly. Ticket 1495
* Added man pages for pki-serverAde Lee2015-07-165-0/+429
| | | | Trac ticket 1356
* Handle JSON decode error in handle_exceptions()Christian Heimes2015-07-151-11/+24
| | | | | | | | | | | | | pki.handle_exceptions() raises a JSON decode exception when the body of the HTTPException is not a valid JSON string. The JSON exception hides the true error message. The patch also fixes a bug in PKIException.from_json(). The code and ClassName attribute are now correctly set. Finally we have our first unit test. https://fedorahosted.org/pki/ticket/1488 https://fedorahosted.org/freeipa/ticket/5129
* Fixed PKCS12Export output.Endi S. Dewata2015-07-152-207/+265
| | | | | | | | | | | | The PKCS12Export has been modified such that if an error occurs in normal mode it will display the error message and in debug mode it will display the full stack trace. The code has also been refactored such that it can be reused as a library in addition to command-line tool. The code will now throw exceptions instead of exiting to the system. https://fedorahosted.org/pki/ticket/1224
generated by cgit (git 2.34.1) at 2025-09-30 20:08:05 +0000