[Pki-devel] [PATCH] pki-cfu-0131-Ticket-2335-Missing-activity-logs-when-formatting-en.patch
https://fedorahosted.org/pki/ticket/2335
Ticket #2335 Missing activity logs when formatting/enrolling unknown token

This patch adds activity logs for adding unknown token during format or enrollment

thanks,
Christina

>From 844c5c03d5981f6c881bb82f114c72e335478b44 Mon Sep 17 00:00:00 2001 From: Christina FuDate: Fri, 3 Jun 2016 17:26:47 -0700 Subject: [PATCH] Ticket #2335 Missing activity logs when formatting/enrolling unknown token This patch adds activity logs for adding unknown token during format or enrollment --- base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 11 +-- .../server/tps/processor/TPSEnrollProcessor.java | 18 ++ .../server/tps/processor/TPSPinResetProcessor.java | 7 --- .../dogtagpki/server/tps/processor/TPSProcessor.java | 17 ++--- 4 files changed, 33 insertions(+), 20 deletions(-) diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java index ed7e022faf7d85bee8e53ebe37b35a16b713bde5..e9190d09a6fd48e34a15ce761fa0aec201db9c30 100644 --- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java +++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -180,19 +180,18 @@ public class TPSTokendb { public void tdbUpdateTokenEntry(TokenRecord tokenRecord) throws Exception { +String method = "TPSTokendb.tdbUpdateTokenEntry:"; String id = tokenRecord.getId(); TokenRecord existingTokenRecord; try { existingTokenRecord = tps.tokenDatabase.getRecord(id); } catch (EDBRecordNotFoundException e) { -CMS.debug("TPSTokendb.tdbUpdateTokenEntry: " + e); -CMS.debug("TPSTokendb.tdbUpdateTokenEntry: Adding token " + id); -// add and exit -tdbAddTokenEntry(tokenRecord, TokenStatus.FORMATTED); -return; +String logMsg = method + e; +CMS.debug(logMsg); +throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_CONTACT_ADMIN); } // token found; modify -CMS.debug("TPSTokendb.tdbUpdateTokenEntry: token entry found; Modifying with status: " + tokenRecord.getTokenStatus()); +CMS.debug(method + " token entry found; Modifying with status: " + tokenRecord.getTokenStatus()); // don't change the create time of an existing token record; put it back tokenRecord.setCreateTimestamp(existingTokenRecord.getCreateTimestamp()); tps.tokenDatabase.updateRecord(id, tokenRecord); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index 24b2dbf8200ae32dc4627e1fed6e9c5af64b187f..4182cc1c879f69b8200c90586fdd4a13d23ec6c5 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java 
@@ -366,13 +366,14 @@ public class TPSEnrollProcessor extends TPSProcessor { pkcs11objx.setCUID(appletInfo.getCUID()); +logMsg = "add token during enrollment"; if (!isTokenPresent) { try { -tps.tdb.tdbAddTokenEntry(tokenRecord, TokenStatus.FORMATTED); +tps.tdb.tdbAddTokenEntry(tokenRecord, TokenStatus.UNFORMATTED); +tps.tdb.tdbActivity(ActivityDatabase.OP_ADD, tokenRecord, session.getIpAddress(), logMsg, "success"); } catch (Exception e) { -String failMsg = "add token failure"; -logMsg = failMsg + ":" + e.toString(); -tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg, +logMsg = logMsg + ":" + e.toString(); +tps.tdb.tdbActivity(ActivityDatabase.OP_ADD, tokenRecord, session.getIpAddress(), logMsg, "failure"); throw new TPSException(logMsg); } @@ -397,6 +398,7 @@ public class TPSEnrollProcessor extends TPSProcessor { } //most failed would have thrown an exception +logMsg = " generateCertsAfterRenewalRecoveryPolicy returned status=" + status; String statusString = "Unknown"; // gives some meaningful debug message if (status == TPSStatus.STATUS_NO_ERROR) statusString = "Enrollment to follow"; @@ -409,7 +411,6 @@ public class TPSEnrollProcessor extends TPSProcessor { renewed = true; tps.tdb.tdbActivity(ActivityDatabase.OP_RENEWAL, tokenRecord, session.getIpAddress(), logMsg, "success"); } else { -logMsg = " generateCertsAfterRenewalRecoveryPolicy returned status=" + status; CMS.debug(method + logMsg); tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg, "failure"); @@ -536,13 +537,14 @@ public class
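Review bot: callers of TPSTokendb.tdbUpdateTokenEntry that relied on the removed add-and-return fallback need checking, because an unknown token id now raises TPSException(STATUS_ERROR_CONTACT_ADMIN) instead of creating a FORMATTED entry; the commit message should also say that updating an unknown token is now an error. In the same hunk `String logMsg = method + e;` produces "TPSTokendb.tdbUpdateTokenEntry:" immediately followed by the exception text with no separator, while the later `CMS.debug(method + " token entry found; ...")` adds the space itself; put the trailing space into `method` once so both messages read the same way.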
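Review bot: in the TPSEnrollProcessor hunk at line 366 the change from `TokenStatus.FORMATTED` to `TokenStatus.UNFORMATTED` in `tps.tdb.tdbAddTokenEntry(tokenRecord, ...)` is a behavioural change that the commit message ("adds activity logs") does not mention; state the reason for the new initial status there. Also `logMsg = "add token during enrollment";` is assigned before `if (!isTokenPresent)`, so it overwrites logMsg on the present-token path as well; move the assignment inside the if.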
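Review bot: hoisting `logMsg = " generateCertsAfterRenewalRecoveryPolicy returned status=" + status;` above the status check (hunks at lines 397 and 409) means the renewal branch, which records logMsg with "success" under ActivityDatabase.OP_RENEWAL, now stores that diagnostic string unless something between the two hunks reassigns it; confirm the renewal activity entry still reads as a renewal message. The leading space in the literal also ends up in the activity record; keep the space only in the `CMS.debug(method + logMsg)` concatenation.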
[Pki-devel] [PATCH] 762 Removed selftest interface from TPS UI.
The selftest interface has been removed from TPS UI to avoid confusion due to its limited usefulness.

https://fedorahosted.org/pki/ticket/2344

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata

>From af1d50bae945e14e1edc198d78d774b6ca491a5d Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata"Date: Sat, 4 Jun 2016 01:20:04 +0200 Subject: [PATCH] Removed selftest interface from TPS UI. The selftest interface has been removed from TPS UI to avoid confusion due to its limited usefulness. https://fedorahosted.org/pki/ticket/2344 --- base/tps/shared/webapps/tps/ui/index.html | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/base/tps/shared/webapps/tps/ui/index.html b/base/tps/shared/webapps/tps/ui/index.html index f2a9d758457d98234b5baa1cbe85773a509173bb..63baf3e27bbc5e4267d91fc1c3f5586991b3abb8 100644 --- a/base/tps/shared/webapps/tps/ui/index.html +++ b/base/tps/shared/webapps/tps/ui/index.html @@ -38,7 +38,9 @@ +
Re: [Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch
Pushed to master based on cfu's verbal conditional ACK for this (after I modded it the way she requested). Tested to work.

commit 3cd58a98022141da2af4bf0bad29ab1dbdc86fbe
Author: Jack Magne
Date: Wed Jun 1 15:05:20 2016 -0700

Closing ticket #1512

- Original Message -
> From: "Christina Fu"
> To: pki-devel@redhat.com
> Sent: Friday, June 3, 2016 2:46:28 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch
>
> while the patch works, I think the original code logic is somehow flawed in a way that it uses the "profile" attribute to determine whether the request was non-TMS archival requests, and if null it treats it as TMS. It would make better sense if we add a separate case instead of lumping the handling of recovery requests inside where the TMS handling is at.
>
> thanks,
> Christina
>
> On 06/01/2016 03:13 PM, John Magne wrote:
>
> Show KeyOwner info when viewing recovery requests.
>
> This simple fix will grab the subject info out of the cert associated with either pending or complete recovery requests being viewed in the KRA UI.
>
> For example:
>
> KeyOwner: UID=jmagne, O=Token Key User
>
> Will be displayed.
> Have seen this display for both pending and completed recovery requests.
>
> This simple fix should be good enough for this round, despite the bug asking about agent info and such. Those enhancements for later.
>
> Ticket : Ticket #1512 : Key owner info missing from the Search results of Recovery request

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [pki-devel][PATCH] 0069-Show-KeyOwner-info-when-viewing-recovery-requests.patch
while the patch works, I think the original code logic is somehow flawed in a way that it uses the "profile" attribute to determine whether the request was non-TMS archival requests, and if null it treats it as TMS. It would make better sense if we add a separate case instead of lumping the handling of recovery requests inside where the TMS handling is at.

thanks,
Christina

On 06/01/2016 03:13 PM, John Magne wrote:
> Show KeyOwner info when viewing recovery requests.
>
> This simple fix will grab the subject info out of the cert associated with either pending or complete recovery requests being viewed in the KRA UI.
>
> For example:
>
> KeyOwner: UID=jmagne, O=Token Key User
>
> Will be displayed.
> Have seen this display for both pending and completed recovery requests.
>
> This simple fix should be good enough for this round, despite the bug asking about agent info and such. Those enhancements for later.
>
> Ticket : Ticket #1512 : Key owner info missing from the Search results of Recovery request
[Pki-devel] [PATCH] 761 Fixed truncated token activity message in TPS UI.
The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea.

https://fedorahosted.org/pki/ticket/2299

Pushed to master under one-liner/trivial rule.

--
Endi S. Dewata

>From 9c7c9dc278451fde67c725c2898e9dc92e199060 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata"Date: Fri, 3 Jun 2016 20:58:23 +0200 Subject: [PATCH] Fixed truncated token activity message in TPS UI. The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea. https://fedorahosted.org/pki/ticket/2299 --- base/server/share/webapps/pki/js/pki-ui.js | 6 +++--- base/tps/shared/webapps/tps/ui/activity.html | 4 +++- dogtag/common-ui/shared/css/pki-ui.css | 1 + 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/base/server/share/webapps/pki/js/pki-ui.js b/base/server/share/webapps/pki/js/pki-ui.js index 288461fa20d314581dac5163e7fad8c7e03a76de..c4acdb9965c57c297f7eb748b493a54bdcb6a6da 100644 --- a/base/server/share/webapps/pki/js/pki-ui.js +++ b/base/server/share/webapps/pki/js/pki-ui.js @@ -1080,7 +1080,7 @@ var EntryPage = Page.extend({ if (self.mode == "view") { // All fields are read-only. -self.$(".pki-fields input").each(function(index) { +self.$(".pki-fields input, select, textarea").each(function(index) { var input = $(this); input.attr("readonly", "readonly"); }); @@ -1091,7 +1091,7 @@ var EntryPage = Page.extend({ } else { // Show editable fields. -self.$(".pki-fields input").each(function(index) { +self.$(".pki-fields input, select, textarea").each(function(index) { var input = $(this); var name = input.attr("name"); if (_.contains(self.editable, name)) {
@@ -1105,7 +1105,7 @@ var EntryPage = Page.extend({ self.editMenu.show(); } -self.$(".pki-fields input").each(function(index) { +self.$(".pki-fields input, select, textarea").each(function(index) { var input = $(this); self.loadField(input); }); diff --git a/base/tps/shared/webapps/tps/ui/activity.html b/base/tps/shared/webapps/tps/ui/activity.html index 5ba96a4e19f033c4f85a448a51e13d056d059684..d9a32994feff62efd4ca8e4914b9c3e242859d80 100644 --- a/base/tps/shared/webapps/tps/ui/activity.html +++ b/base/tps/shared/webapps/tps/ui/activity.html @@ -42,6 +42,8 @@ Date Message - + + + diff --git a/dogtag/common-ui/shared/css/pki-ui.css b/dogtag/common-ui/shared/css/pki-ui.css index dcf9595a6f8b6873f1407093cf0af920ff040adc..1728a737eb34919f76545ccb01e8c9d50c06e774 100644 --- a/dogtag/common-ui/shared/css/pki-ui.css +++ b/dogtag/common-ui/shared/css/pki-ui.css @@ -71,6 +71,7 @@ fieldset label { min-width: 150px; display: inline-block; line-height: 30px; + vertical-align: top; } fieldset input { -- 2.5.5 ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
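Review bot: the selector `".pki-fields input, select, textarea"` used in all three pki-ui.js hunks (lines 1080, 1091 and 1105) does not scope `select` and `textarea` to `.pki-fields`; in a comma-separated selector list the descendant combinator belongs only to the first item, so every select and textarea inside the page (search or filter controls included) is marked readonly, treated as editable, or passed to `self.loadField(input)`. Write it as `".pki-fields input, .pki-fields select, .pki-fields textarea"`, or `self.$(".pki-fields").find("input, select, textarea")`, so the previous `.pki-fields` scoping is preserved.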
Re: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch
The original "Show archival requests" and "Show recovery requests" are actually quite misleading, as they do NOT show any archival or recovery requests for TMS. However, for the lack of a better idea, I'll leave them as is.

commit 1c5458150d583481415e2bde4e68d8ab7bbf56d9

thanks,
Christina

On 06/03/2016 10:42 AM, John Magne wrote:
> ACK
>
> Does the job with little fuss.
>
> One thing I would push for is to leave the original labels for standard requests the way they were and NOT call them "Non Token " requests. This way the old behavior remains and the user can explore the new options provided for TMS related requests if they so choose.
>
> - Original Message -
> > From: "Christina Fu"
> > To: "pki-devel"
> > Sent: Friday, June 3, 2016 10:22:07 AM
> > Subject: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch
> >
> > https://fedorahosted.org/pki/ticket/2352
> > Ticket #2352 [TMS] missing netkeyKeyRecovery requests option in KRA agent for "List Request"
> > This patch allows KRA agent to list netkeyKeyRecovery requests
> >
> > thanks,
> > Christina
Re: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch
ACK

Does the job with little fuss.

One thing I would push for is to leave the original labels for standard requests the way they were and NOT call them "Non Token " requests. This way the old behavior remains and the user can explore the new options provided for TMS related requests if they so choose.

- Original Message -
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Friday, June 3, 2016 10:22:07 AM
> Subject: [Pki-devel] [PATCH] pki-cfu-0129-Ticket-2352-TMS-missing-netkeyKeyRecovery-requests-o.patch
>
> https://fedorahosted.org/pki/ticket/2352
> Ticket #2352 [TMS] missing netkeyKeyRecovery requests option in KRA agent for "List Request"
> This patch allows KRA agent to list netkeyKeyRecovery requests
>
> thanks,
> Christina
Re: [Pki-devel] [PATCH] 320 - pki-server db changes
With patch this time:

On Fri, 2016-06-03 at 08:59 -0400, Ade Lee wrote:
> commit 9450b5f7695cc827cced6e86281694daa1e5c2c8
> Author: Ade Lee
> Date: Thu Jun 2 09:41:35 2016 -0400
>
> Add commands to db-server to help with DB related changes
>
> Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
> Added pki-server db-schema-upgrade
>
> If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations.
>
> Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise.
>
> Tickets 2320, 2319
>
> Please review,
> Thanks,
> Ade

From 9450b5f7695cc827cced6e86281694daa1e5c2c8 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 2 Jun 2016 09:41:35 -0400 Subject: [PATCH] Add commands to db-server to help with DB related changes Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex Added pki-server db-schema-upgrade If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations. Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise. Tickets 2320, 2319 --- base/server/python/pki/server/__init__.py | 11 +- base/server/python/pki/server/cli/db.py | 89 +++- base/server/python/pki/server/cli/kra.py | 352 ++ 3 files changed, 449 insertions(+), 3 deletions(-) diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 47f6aa5b46af6cf38b231d94a88e6bb02c7d99b1..8347311cfe1692a500f21d86b0ac0c8261e1d752 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py
@@ -318,7 +318,8 @@ class PKISubsystem(object): def disable(self): self.instance.undeploy(self.name) -def open_database(self, name='internaldb'): +def open_database(self, name='internaldb', bind_dn=None, + bind_password=None): # TODO: add LDAPI support hostname = self.config['%s.ldapconn.host' % name] @@ -341,7 +342,13 @@ class PKISubsystem(object): connection.set_security_database(self.instance.nssdb_dir) auth_type = self.config['%s.ldapauth.authtype' % name] -if auth_type == 'BasicAuth': +if (bind_dn is not None and bind_password is not None): +# connect using the provided credentials +connection.set_credentials( +bind_dn=bind_dn, +bind_password=bind_password +) +elif auth_type == 'BasicAuth': connection.set_credentials( bind_dn=self.config['%s.ldapauth.bindDN' % name], bind_password=self.instance.get_password(name) diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py index 6cfd6b410eb75394f4b88b087b43a0538d3db6c6..709b39e2c576ffe60cfc04e71ebc9c3f3739bef5 100644 --- a/base/server/python/pki/server/cli/db.py +++ b/base/server/python/pki/server/cli/db.py @@ -23,6 +23,7 @@ from __future__ import print_function import getopt import ldap import nss.nss as nss +import subprocess import sys import pki.cli 
@@ -35,6 +36,92 @@ class DBCLI(pki.cli.CLI): 'db', 'DB management commands') self.add_module(DBUpgrade()) +self.add_module(DBSchemaUpgrade()) + + +class DBSchemaUpgrade(pki.cli.CLI): + +SCHEMA_PATH = '/usr/share/pki/server/conf/schema.ldif' + +def __init__(self): +super(DBSchemaUpgrade, self).__init__( +'schema-upgrade', 'Upgrade PKI database schema') + +def usage(self): +print('Usage: pki-server db-schema-upgrade [OPTIONS]') +print() +print(' -i, --instanceInstance ID (default: pki-tomcat).') +print(' -D, --bind-dn DN to connect to DB (default: cn=Directory Manager).') +print(' -w, --bind-password Password to connect to DB.') +print(' -v, --verbose Run in verbose mode.') +print(' --help Show help message.') +print() + +def execute(self, args): +try: +opts, _ = getopt.gnu_getopt( +args, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=', + 'verbose', 'help']) + +except getopt.GetoptError as e: +print('ERROR: ' + str(e)) +self.usage() +sys.exit(1) + +instance_name = 'pki-tomcat' +bind_dn = 'cn=Directory
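Review bot: in the open_database hunk, `if (bind_dn is not None and bind_password is not None):` silently falls through to the configured `auth_type` branch when only one of the two is supplied, so a caller who passes a bind DN with a missing or mistyped password ends up bound as the instance's configured identity with no indication of it; raise a ValueError when exactly one of `bind_dn` and `bind_password` is given. The parentheses around the condition are also unnecessary.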
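Review bot: the `-w, --bind-password` option in DBSchemaUpgrade.usage() takes the Directory Manager password as a command-line argument, where it is visible to other users of the server through the process list and is kept in shell history; prefer prompting with getpass when `--bind-password` is omitted, or accept a password file, and say so in usage(). In the same hunk the `' -i, --instanceInstance ID (default: pki-tomcat).'` line has lost the padding between the option and its description; align it with the other options.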
[Pki-devel] [PATCH] 320 - pki-server db changes
commit 9450b5f7695cc827cced6e86281694daa1e5c2c8
Author: Ade Lee
Date: Thu Jun 2 09:41:35 2016 -0400

Add commands to db-server to help with DB related changes

Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
Added pki-server db-schema-upgrade

If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations.

Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise.

Tickets 2320, 2319

Please review,
Thanks,
Ade
Re: [Pki-devel] [PATCH] 0120..0121 Remove pki-ipa-retrieve-key script
On Thu, Jun 02, 2016 at 11:45:43PM -0500, Endi Sukma Dewata wrote:
> On 5/31/2016 11:45 PM, Fraser Tweedale wrote:
> > G'day comrades,
> >
> > Please review the attached two patches, which...
> >
> > (Patch 0120)
> >
> > - provide for passing of configuration (from CS.cfg) to KeyRetriever implementations
> >
> > - generalise IPACustodiaKeyRetriever to ExternalProcessKeyRetriever, which executes a configured executable rather than a hardcoded one
> >
> > (Patch 0121)
> >
> > - remove pki-ipa-retrieve-key script; it is being moved to FreeIPA repo
> >
> > Cheers,
> > Fraser
>
> ACK.
>
> Separate issue. Instead of returning multiple binary attributes delimited with 0 byte through standard output, it might be better to use JSON file instead. So the command can be defined something like this:
>
> features.authority.keyRetrieverConfig.exec=/usr/libexec/pki-ipa-retrieve-key -o {output}
>
> The ExternalProcessKeyRetriever will replace the {output} with a temporary file, then later parse the result from that file.
>
Thanks Endi; pushed to master:

419ca3000142c60f176aabc68a2c5c3a1a3c1ea9 Lightweight CAs: remove pki-ipa-retrieve-key script
f11e0b372e3a0736050dd9e2858fce3178171ee6 Lightweight CAs: generalise subprocess-based key retrieval

I agree with the JSON enhancement, but not with using a temporary file; we can just send the JSON through stdout. I filed ticket: https://fedorahosted.org/pki/ticket/2351

Cheers,
Fraser
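The output-format question in this thread (NUL-delimited binary attributes on stdout versus a JSON document) can be made concrete with a small added example. The Python below is not code from Dogtag PKI, FreeIPA or the pki-ipa-retrieve-key script; it plays both sides of the exchange, a helper process that writes its result to stdout and a consumer that parses it, for each of the two formats. The attribute names `wrapped_key` and `nonce`, the sample bytes, and the `--emit-json` flag are constructed for the example; the consumer follows Fraser's preference of reading JSON from stdout rather than from a temporary file.

```python
"""Two stdout formats for an external key-retrieval helper (assumed names).

NUL-delimited bytes (the scheme Endi describes) versus base64-in-JSON on
stdout (the enhancement Fraser agrees with).  Attribute names and sample
bytes are constructed for this example.
"""
import base64
import json
import subprocess
import sys

ATTR_NAMES = ["wrapped_key", "nonce"]  # assumed attribute names

# Constructed values.  Both contain a 0x00 byte, which is exactly what makes
# a NUL-delimited stream ambiguous for binary data.
SAMPLE_ATTRS = {
    "wrapped_key": b"\x30\x82\x00\x10" + bytes(range(16)),
    "nonce": b"\x00\x01\x02\x03",
}
# Constructed values with no 0x00 bytes: the NUL scheme happens to work here.
CLEAN_ATTRS = {"wrapped_key": b"\x30\x82\x01\x10", "nonce": b"\x01\x02"}


def encode_nul_delimited(attrs):
    """Join the values in ATTR_NAMES order with a single 0x00 separator."""
    return b"\x00".join(attrs[name] for name in ATTR_NAMES)


def decode_nul_delimited(stream):
    """Split on 0x00.  A 0x00 inside a value is indistinguishable from a
    separator, so the field count is the only check the consumer has."""
    parts = stream.split(b"\x00")
    if len(parts) != len(ATTR_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(ATTR_NAMES), len(parts)))
    return dict(zip(ATTR_NAMES, parts))


def encode_json(attrs):
    """JSON object with base64 values; any byte content survives the trip."""
    return json.dumps({k: base64.b64encode(v).decode("ascii") for k, v in attrs.items()},
                      sort_keys=True)


def decode_json(text):
    """Parse the helper's JSON and require every expected attribute."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("helper output is not a JSON object")
    missing = [n for n in ATTR_NAMES if n not in obj]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    # validate=True rejects stray characters instead of silently skipping them
    # (binascii.Error is a ValueError subclass, so callers catch one type)
    return {n: base64.b64decode(obj[n], validate=True) for n in ATTR_NAMES}


def roundtrip_ok(attrs, encode, decode):
    """True if decode(encode(attrs)) reproduces attrs exactly."""
    try:
        return decode(encode(attrs)) == attrs
    except ValueError:
        return False


def fetch_from_helper(argv, timeout=30):
    """Run the helper and parse JSON from its stdout; no temporary file."""
    proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError("helper exited %d: %s"
                           % (proc.returncode, proc.stderr.decode("utf-8", "replace")))
    return decode_json(proc.stdout.decode("utf-8"))


if __name__ == "__main__":
    if "--emit-json" in sys.argv:
        # Acting as the helper: write the JSON document to stdout and exit.
        sys.stdout.write(encode_json(SAMPLE_ATTRS))
        sys.exit(0)
    print("NUL-delimited, values containing 0x00:",
          roundtrip_ok(SAMPLE_ATTRS, encode_nul_delimited, decode_nul_delimited))
    print("NUL-delimited, values without 0x00:",
          roundtrip_ok(CLEAN_ATTRS, encode_nul_delimited, decode_nul_delimited))
    print("JSON over stdout, values containing 0x00:",
          roundtrip_ok(SAMPLE_ATTRS, encode_json, decode_json))
    # Consumer side: this script re-invoked as the helper process.
    print("fetched via subprocess:",
          fetch_from_helper([sys.executable, __file__, "--emit-json"]) == SAMPLE_ATTRS)
```

Run without arguments the script reports that the NUL-delimited round trip fails as soon as a value contains a 0x00 byte (the consumer sees five fields instead of two) while the JSON round trip succeeds, then re-invokes itself with `--emit-json` to show the consumer reading the document straight from the helper's stdout.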