[Pki-devel] [PATCH] 736 Fixed token status search filter.

2016-05-05 Thread Endi Sukma Dewata

The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way searching tokens with
specific status can be done correctly with simple LDAP filter such
as (tokenStatus=ACTIVE).

https://fedorahosted.org/pki/ticket/2296

--
Endi S. Dewata
From 0b56804d0c4a1c63e6aba639bec1c4ecc147b849 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Mon, 2 May 2016 18:00:05 +0200
Subject: [PATCH] Fixed token status search filter.

The LDAP attribute for token status has been modified to store the
same values displayed on the CLI. This way searching tokens with
specific status can be done correctly with simple LDAP filter such
as (tokenStatus=ACTIVE).

https://fedorahosted.org/pki/ticket/2296
---
 .../src/org/dogtagpki/server/tps/TPSTokendb.java   | 10 +--
 .../org/dogtagpki/server/tps/dbs/TokenRecord.java  | 29 ++---
 .../server/tps/processor/TPSEnrollProcessor.java   | 76 +++---
 .../server/tps/processor/TPSProcessor.java |  2 +-
 .../dogtagpki/server/tps/rest/TokenService.java| 49 ++
 5 files changed, 67 insertions(+), 99 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index 4a4aa89d3d61637b948599d481d1091db2c05ab6..523ac2f56888402511e7893dd5cf3c788bc300ee 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -161,7 +161,7 @@ public class TPSTokendb {
 tdbFindTokenRecordsByUID(userid);
 boolean foundActive = false;
 for (TokenRecord tokenRecord:tokens) {
-if (tokenRecord.getStatus().equals("active")) {
+if (tokenRecord.getTokenStatus().equals(TokenStatus.ACTIVE)) {
 foundActive = true;
 }
 }
@@ -170,9 +170,9 @@ public class TPSTokendb {
 }
 }
 
-public void tdbAddTokenEntry(TokenRecord tokenRecord, String status)
+public void tdbAddTokenEntry(TokenRecord tokenRecord, TokenStatus status)
 throws Exception {
-tokenRecord.setStatus(status);
+tokenRecord.setTokenStatus(status);
 
 tps.tokenDatabase.addRecord(tokenRecord.getId(), tokenRecord);
 }
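Review bot: tdbAddTokenEntry now takes a TokenStatus and passes it straight to setTokenStatus, which (per the TokenRecord change in this same patch) calls status.toString(), so a null status surfaces as a bare NullPointerException from inside the record instead of a message naming the bad argument. Add `Objects.requireNonNull(status, "status");` before the set (import java.util.Objects if the file lacks it). The method also has no Javadoc; a one-liner such as `/** Adds a new token record with the given initial status (callers use READY for newly seen tokens). */` would help, since the READY default is only visible in tdbUpdateTokenEntry.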
@@ -186,11 +186,11 @@ public class TPSTokendb {
 } catch (Exception e) {
 CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry not found; Adding");
 // add and exit
-tdbAddTokenEntry(tokenRecord, "ready");
+tdbAddTokenEntry(tokenRecord, TokenStatus.READY);
 return;
 }
 // token found; modify
-CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry found; Modifying with status: "+ tokenRecord.getStatus());
+CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry found; Modifying with status: " + tokenRecord.getTokenStatus());
 // don't change the create time of an existing token record; put it back
 tokenRecord.setCreateTimestamp(existingTokenRecord.getCreateTimestamp());
 tps.tokenDatabase.updateRecord(id, tokenRecord);
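Review bot: The rewritten debug line `CMS.debug("...Modifying with status: " + tokenRecord.getTokenStatus())` now parses the stored string through TokenStatus.valueOf merely to log it, so a record whose status attribute is unrecognized aborts the update before updateRecord runs, whereas the previous line only printed the raw string. Log the raw value instead, `"... Modifying with status: " + tokenRecord.getStatus()`, and let the update path itself decide whether the value is acceptable. The surrounding `catch (Exception e)` that treats any lookup failure as "not found" predates this patch, but it converts real directory errors into an add; worth narrowing while this method is being touched. The enclosing method starts outside the hunk.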
diff --git a/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java b/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
index e8b0c5d9f949be11cf4d62086930af2bda4e3930..05761e1db553895d956f7c630200d6bfa042c609 100644
--- a/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
+++ b/base/tps/src/org/dogtagpki/server/tps/dbs/TokenRecord.java
@@ -241,31 +241,10 @@ public class TokenRecord extends DBRecord {
 
 public TokenStatus getTokenStatus() {
 String status = getStatus();
-
-if ("ready".equals(status)) {
-return TokenStatus.READY;
-
-} else if ("active".equals(status)) {
-return TokenStatus.ACTIVE;
-
-} else if ("lost".equals(status)) {
-String reason = getReason();
-
-if ("keyCompromise".equals(reason)) {
-return TokenStatus.PERM_LOST;
-
-} else if ("destroyed".equals(reason)) {
-return TokenStatus.DAMAGED;
-
-} else if ("onHold".equals(reason)) {
-return TokenStatus.SUSPENDED;
-}
-
-} else if ("terminated".equals(status)) {
-return TokenStatus.TERMINATED;
-}
-
-return TokenStatus.PERM_LOST;
+return TokenStatus.valueOf(status);
 }
 
+public void setTokenStatus(TokenStatus status) {
+setStatus(status.toString());
+}
 }
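Review bot: The new getTokenStatus() at the `return TokenStatus.valueOf(status);` line drops the tolerant mapping the removed code had — lowercase "ready"/"active"/"terminated", "lost" plus a reason, and a PERM_LOST fallback — so any token entry persisted in the old format, or carrying an unexpected value, will now fail in every caller if TokenStatus.valueOf follows the usual enum contract of throwing on unknown or null input. Unless an upgrade step rewrites existing tokenStatus attributes, the commit message should say how legacy entries are migrated, or the method should keep a compatibility path for them. At minimum the failure should identify the record rather than surfacing as a bare IllegalArgumentException, and setTokenStatus should reject null instead of failing on status.toString().
```java
    public TokenStatus getTokenStatus() {
        String status = getStatus();
        if (status == null) {
            throw new IllegalStateException("Token " + getId() + " has no status");
        }
        try {
            return TokenStatus.valueOf(status);
        } catch (IllegalArgumentException e) {
            // Entries written before the status format change are not mapped here; migrate them.
            throw new IllegalStateException("Unrecognized status '" + status + "' for token " + getId(), e);
        }
    }

    public void setTokenStatus(TokenStatus status) {
        setStatus(Objects.requireNonNull(status, "status").toString());
    }
```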
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 4e8c8abfb95af5344a9a8303e8b5f34625286007..25e016b6400f3667cfc6eb22b04666a4f5af05c6 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -319,7 +319,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
  

Re: [Pki-devel] [PATCH] 734 Removed unsupported token states from TPS CS.cfg.

2016-05-05 Thread Endi Sukma Dewata

On 4/29/2016 5:15 PM, Endi Sukma Dewata wrote:

The in-line documentation in CS.cfg for TPS has been updated to
remove unsupported token states in the corresponding properties:
* tokendb.allowedTransitions
* tps.operations.allowedTransitions


New patch attached. Added default transition for 
tps.operations.allowedTransitions.


--
Endi S. Dewata
From 331a73f2fc925e0d2b05c813ba2720106f78a8dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 29 Apr 2016 23:56:50 +0200
Subject: [PATCH] Updated default TPS token state transitions.

The tps.operations.allowedTransitions property has been updated
to include 4:4 transition by default.

The inline documentation for tokendb.allowedTransitions and
tps.operations.allowedTransitions has been updated to remove
unsupported states and to add a note about adding/removing
transitions.

https://fedorahosted.org/pki/ticket/1290
---
 base/tps-client/doc/CS.cfg.in  | 23 ++-
 base/tps/shared/conf/CS.cfg.in | 23 ++-
 2 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/base/tps-client/doc/CS.cfg.in b/base/tps-client/doc/CS.cfg.in
index e15fc533258048f3802768acec65c3f38ece1b9f..f4bed51cb548f4d2db980c1325160a8ffaca7ede 100644
--- a/base/tps-client/doc/CS.cfg.in
+++ b/base/tps-client/doc/CS.cfg.in
@@ -1487,9 +1487,10 @@ tokendb._069=# DAMAGED = 1,
 tokendb._070=# PERM_LOST = 2,
 tokendb._071=# SUSPENDED = 3,
 tokendb._072=# ACTIVE = 4,
-tokendb._073=# TEMP_LOST_PERM_LOST = 5,
-tokendb._074=# TERMINATED = 6
-tokendb._075=#
+tokendb._073=# TERMINATED = 6
+tokendb._074=# Note: Default transitions can be removed from the list if necessary.
+tokendb._075=# Do not add other transitions since they may not be supported.
+tokendb._076=#
 tokendb.auditLog=[PKI_INSTANCE_PATH]/logs/tokendb-audit.log
 tokendb.hostport=[TOKENDB_HOST]:[TOKENDB_PORT]
 tokendb.ssl=false
@@ -1590,18 +1591,14 @@ tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
 tps._003=# tps.cert.sslserver.nickname=xxx
 tps._005=# tps.cert.subsystem.nickname=xxx
 tps._007=# tps.cert.audit_signing.nickname=xxx
-tps._008=# operations.allowedTransitions:
+tps._008=# tps.operations.allowedTransitions:
 tps._009=#   - token operations, like formatting and enrollment have transitions between the following states
 tps._010=# READY = 0,
-tps._011=# DAMAGED = 1,
-tps._012=# PERM_LOST = 2,
-tps._013=# SUSPENDED = 3,
-tps._014=# ACTIVE = 4,
-tps._015=# TEMP_LOST_PERM_LOST = 5,
-tps._016=# TERMINATED = 6
-tps._017=# Sample: tps.operations.allowedTransitions=0:0,0:4,4:4,4:6,6:0
-tps._018=
-tps.operations.allowedTransitions=0:0,0:4,4:0
+tps._011=# ACTIVE = 4
+tps._012=# Note: Default transitions can be removed from the list if necessary.
+tps._013=# Do not add other transitions since they may not be supported.
+tps._014=
+tps.operations.allowedTransitions=0:0,0:4,4:4,4:0
 tps.cert.list=sslserver,subsystem,audit_signing
 tps.cert.sslserver.nickname=[HSM_LABEL][NICKNAME]
 tps.cert.subsystem.nickname=[HSM_LABEL][NICKNAME]
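Review bot: The new default `tps.operations.allowedTransitions=0:0,0:4,4:4,4:0` admits 4:4, which per the tps._009 description means a format or enrollment operation may start and finish with the token ACTIVE — something the previous default `0:0,0:4,4:0` did not allow — yet the inline documentation lists only the two state codes and never says what each enabled pair permits, so an administrator reading CS.cfg cannot see that operations on an already-active token are now enabled out of the box. Add a line after tps._011 along the lines of `tps._012=# Each a:b pair allows an operation on a token in state a that leaves it in state b, e.g. 4:4 = operation on an ACTIVE token that stays ACTIVE` and renumber the following keys; the exact operation each pair covers should be confirmed against the enforcing code, which is outside this hunk. The sentence "Do not add other transitions since they may not be supported" would be more actionable if it named which component rejects unsupported pairs.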
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index 2b451defc4f0e43bc01729f4177ff757e60008a8..c2b5265047ce225e23f9090706b1725dd2902f2b 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -1959,9 +1959,10 @@ tokendb._069=# DAMAGED = 1,
 tokendb._070=# PERM_LOST = 2,
 tokendb._071=# SUSPENDED = 3,
 tokendb._072=# ACTIVE = 4,
-tokendb._073=# TEMP_LOST_PERM_LOST = 5,
-tokendb._074=# TERMINATED = 6
-tokendb._075=#
+tokendb._073=# TERMINATED = 6
+tokendb._074=# Note: Default transitions can be removed from the list if necessary.
+tokendb._075=# Do not add other transitions since they may not be supported.
+tokendb._076=#
 tokendb.activityBaseDN=ou=Activities,[TOKENDB_ROOT]
 tokendb.addConfigTemplate=addConfig.template
 tokendb.addResultTemplate=addResults.template
@@ -2021,23 +2022,19 @@ tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
 tps._003=# tps.cert.sslserver.nickname=xxx
 tps._005=# tps.cert.subsystem.nickname=xxx
 tps._007=# tps.cert.audit_signing.nickname=xxx
-tps._008=# operations.allowedTransitions:
+tps._008=# tps.operations.allowedTransitions:
 tps._009=#   - token operations, like formatting and enrollment have transitions between the following states
 tps._010=# READY = 0,
-tps._011=# DAMAGED = 1,
-tps._012=# PERM_LOST = 2,
-tps._013=# SUSPENDED = 3,
-tps._014=# ACTIVE = 4,
-tps._015=# TEMP_LOST_PERM_LOST = 5,
-tps._016=# TERMINATED = 6
-tps._017=# Sample: tps.operations.allowedTransitions=0:0,0:4,4:4,4:6,6:0
-tps._018=
+tps._011=# ACTIVE = 4
+tps._012=# Note: Default transitions can 

Re: [Pki-devel] [PATCH] 734 Removed unsupported token states from TPS CS.cfg.

2016-05-05 Thread Endi Sukma Dewata

On 5/5/2016 6:15 PM, Endi Sukma Dewata wrote:

On 4/29/2016 5:15 PM, Endi Sukma Dewata wrote:

The in-line documentation in CS.cfg for TPS has been updated to
remove unsupported token states in the corresponding properties:
* tokendb.allowedTransitions
* tps.operations.allowedTransitions


New patch attached. Added default transition for
tps.operations.allowedTransitions.


ACKed by jmagne (thanks!). Pushed to master.

--
Endi S. Dewata



[Pki-devel] [DESIGN] Lightweight CA renewal

2016-05-05 Thread Fraser Tweedale
Hullo all,

FreeIPA Lightweight CAs implementation is progressing well.  The
remaining big unknown in the design is how to do renewal.  I have
put my ideas into the design page[1] and would appreciate any and
all feedback!

[1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal

Some brief commentary on the options:

I intend to implement approach (1) as a baseline.  Apart from
implementing machinery in Dogtag to actually perform the renewal -
which is required for all the approaches - it's not much work and
gets us over the "lightweight CAs can be renewed easily" line, even
if it is a manual process.

For automatic renewal, I am leaning towards approach (2).  Dogtag
owns the lightweight CAs so I think it makes sense to give Dogtag
the ability to renew them automatically (if configured to do so),
without relying on external tools i.e. Certmonger.  But as you will
see from the outlines, each approach has its upside and downside.

Cheers,
Fraser



[Pki-devel] [PATCH] 0102 Lightweight CAs: allow specifying authority via ProfileSubmitServlet

2016-05-05 Thread Fraser Tweedale
Attached patch does what it says on the tin ;)

Cheers, and have a good weekend y'all.
Fraser
From cabae0a050fb752b290ece28d5dac927f01b3c01 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 6 May 2016 16:03:57 +1000
Subject: [PATCH] Lightweight CAs: allow specifying authority via
 ProfileSubmitServlet

Lightweight CAs were supported in REST-based request submission, but
not via ProfileSubmitServlet, however, FreeIPA currently uses
ProfileSubmitServlet, so make it possible to use lightweight CAs.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../cms/servlet/profile/ProfileSubmitServlet.java| 20 +++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
 
b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
index 
f7b08ece99e11f1e1633e0d67fb4646a27417d80..4096d0aecfc1eb71481d446a5809631516bc5d27
 100644
--- 
a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
+++ 
b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
@@ -33,6 +33,9 @@ import com.netscape.certsrv.authentication.EAuthException;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.BadRequestDataException;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.CANotFoundException;
+import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IEnrollProfile;
@@ -220,8 +223,23 @@ public class ProfileSubmitServlet extends ProfileServlet {
 CMSTemplate.escapeJavaScriptStringHTML(profileId)));
 }
 
+String aidString = request.getParameter("authorityId");
+AuthorityID aid = null;
+if (aidString != null && !aidString.isEmpty()) {
+try {
+aid = new AuthorityID(aidString);
+} catch (IllegalArgumentException e) {
+throw new BadRequestDataException("invalid AuthorityID: " + 
aidString);
+}
+ICertificateAuthority ca = (ICertificateAuthority)
+CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ca = ca.getCA(aid);
+if (ca == null)
+throw new CANotFoundException("CA not found: " + aidString);
+}
+
 CertEnrollmentRequest data = 
CertEnrollmentRequestFactory.create(cmsReq, profile, locale);
-return processor.processEnrollment(data, request, null, null);
+return processor.processEnrollment(data, request, aid, null);
 }
 
 public HashMap processRenewal(CMSRequest cmsReq) throws 
EBaseException {
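Review bot: The two new error paths embed the raw `authorityId` request parameter in exception messages (`"invalid AuthorityID: " + aidString` and `"CA not found: " + aidString`), while the profileId message at the `CMSTemplate.escapeJavaScriptStringHTML(profileId)` context line just above is escaped first; if these messages reach the same HTML/JavaScript templates, that is a reflected injection of a client-supplied value. Escape it the same way: `throw new BadRequestDataException("invalid AuthorityID: " + CMSTemplate.escapeJavaScriptStringHTML(aidString));` and `throw new CANotFoundException("CA not found: " + CMSTemplate.escapeJavaScriptStringHTML(aidString));`. The hunk resolves the lightweight CA but does not check that it is enabled or that the caller is permitted to use it; whether processEnrollment(data, request, aid, null) enforces that is outside the hunk and worth confirming, since any ProfileSubmitServlet client can now choose the signing authority. The enclosing method begins before the hunk.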
-- 
2.5.5
