Re: [Pki-devel] Using Dogtag REST API

2020-07-08 Thread Dinesh Prasanth Moluguwan Krishnamoorthy
Pascal,

You are sending the parameters via the request's body (which usually is
done in POST). Taking a quick look at the source code [1], seems to me that
you need to pass as GET params.

Example:
   $ curl -k --cert-type P12 --cert ~/ca_admin_cert.p12:Secret.123 https://
:8443/ca/rest/agent/certrequests?requestState=pending=15

HTH!

Thanks,
--Dinesh


[1]
https://github.com/dogtagpki/pki/blob/master/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java#L57

On Wed, Jul 8, 2020 at 9:09 AM Pascal Jakobi 
wrote:

> Hi there
>
>
> I created a small python script that just does a "certreqs".
>
> Here is the result :
>
> python3 ./test.py
>
> {"requestState": "pending", "requestType": "any", "start": 5, "pageSize": 0, 
> "maxTime": 100}
>
> Status 200
>
> {'total': 10, 'entries': [
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/1', 'realm': None, 'certId': 
> '0x1', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/1', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/2', 'realm': None, 'certId': 
> '0x2', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/2', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/3', 'realm': None, 'certId': 
> '0x3', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/3', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/4', 'realm': None, 'certId': 
> '0x4', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/4', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/5', 'realm': None, 'certId': 
> '0x5', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/5', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/6', 'realm': None, 'certId': 
> '0x6', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/6', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/7', 'realm': None, 'certId': 
> None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 
> 'success', 'errorMessage': None},
> {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/8', 'realm': None, 'certId': 
> None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 
> 'success', 'errorMessage': None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/9', 'realm': None, 'certId': 
> '0x7', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/7', 
> 'certRequestType': 'keygen', 'operationResult': 'success', 'errorMessage': 
> None},
> {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
> 'https://auth.iamts.fr:8443/ca/rest/certrequests/10', 'realm': None, 
> 'certId': '0x8', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/8', 
> 'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
> None}],
> 'Link': []}
>
> [pascal@dell pki_ui]$
>
>
> This raises 2 questions.
> 1/ I requested "pending" cert reqs. But I get also "complete" reqs. Any
> idea why ?
> 2/ I set the start field to 5, but I receive all requests. Again why is
> that ?
>
> Thxs again for your help
>
>
> --
> *Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
> pascal.jak...@gmail.com - +33 6 87 47 58 19
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
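A stdlib-only version of what Dinesh describes, added here as an example (it is not code from the thread or from the Dogtag project): the search filters go into the query string of the GET, and the response is then checked against the filter that was asked for, because the output above shows what comes back when the server never sees the filter. The parameter names other than requestState are assumed to be the same as the JSON field names in Pascal's script.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint from the thread. The parameter names are the ones Pascal's
# script put in the JSON body; they are assumed here to be the names the
# GET handler reads as query parameters (the thread's curl confirms
# requestState, the rest is an assumption).
CERTREQUESTS_URL = "https://auth.iamts.fr:8443/ca/rest/agent/certrequests"


def build_url(request_state="pending", request_type="any",
              start=0, page_size=30, max_time=100, base=CERTREQUESTS_URL):
    """Put the search filters in the query string, not the request body.
    A body on a GET is not read by the resource, so filters sent that way
    are silently dropped and the CA answers as if none were given."""
    params = {"requestState": request_state, "requestType": request_type,
              "start": start, "pageSize": page_size, "maxTime": max_time}
    return base + "?" + urlencode(params)


def query_of(url):
    """Return the query parameters of a URL as a flat dict, for checks."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def unexpected_entries(body, request_state):
    """Return the requestURLs whose status differs from the one requested.
    A non-empty result means the server did not apply the filter, which is
    what the output in the thread shows ('complete' rows in a 'pending'
    query); a script that acts on every entry would then touch requests
    it never meant to."""
    return [e["requestURL"] for e in body["entries"]
            if e["requestStatus"] != request_state]


# Constructed sample, abbreviated from the response quoted in the thread.
SAMPLE_BODY = json.loads("""{"total": 10, "entries": [
 {"requestStatus": "complete", "requestURL": ".../certrequests/1"},
 {"requestStatus": "pending",  "requestURL": ".../certrequests/7"},
 {"requestStatus": "complete", "requestURL": ".../certrequests/9"}]}""")


if __name__ == "__main__":
    print(build_url(start=5, page_size=15))
    print(unexpected_entries(SAMPLE_BODY, "pending"))
```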

[Pki-devel] [CRON] Errored: dogtagpki/pki-nightly-test#770 (master - 2a95153)

2020-07-08 Thread Travis CI
Build Update for dogtagpki/pki-nightly-test
-

Build: #770
Status: Errored

Duration: 16 mins and 41 secs
Commit: 2a95153 (master)
Author: Dinesh Prasanth M K
Message: Remove EOL F29 from matrix and add support for v10.8 branch

Signed-off-by: Dinesh Prasanth M K 

View the changeset: 
https://github.com/dogtagpki/pki-nightly-test/compare/1cec22733aad03cad1e589a08281f4a2db79ec90...2a95153102234446e6beb5d4074ae6eebd760fb3

View the full build log and details: 
https://travis-ci.org/github/dogtagpki/pki-nightly-test/builds/706166478?utm_medium=notification_source=email




[Pki-devel] Using Dogtag REST API

2020-07-08 Thread Pascal Jakobi

Hi there


I created a small python script that just does a "certreqs".

Here is the result :

python3 ./test.py

   {"requestState": "pending", "requestType": "any", "start": 5, "pageSize": 0, 
"maxTime": 100}

   Status 200

   {'total': 10, 'entries': [
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/1', 'realm': None, 'certId': 
'0x1', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/1', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/2', 'realm': None, 'certId': 
'0x2', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/2', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/3', 'realm': None, 'certId': 
'0x3', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/3', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/4', 'realm': None, 'certId': 
'0x4', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/4', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/5', 'realm': None, 'certId': 
'0x5', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/5', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/6', 'realm': None, 'certId': 
'0x6', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/6', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/7', 'realm': None, 'certId': 
None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 
'success', 'errorMessage': None},
   {'requestType': 'enrollment', 'requestStatus': 'pending', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/8', 'realm': None, 'certId': 
None, 'certURL': None, 'certRequestType': 'keygen', 'operationResult': 
'success', 'errorMessage': None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/9', 'realm': None, 'certId': 
'0x7', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/7', 
'certRequestType': 'keygen', 'operationResult': 'success', 'errorMessage': 
None},
   {'requestType': 'enrollment', 'requestStatus': 'complete', 'requestURL': 
'https://auth.iamts.fr:8443/ca/rest/certrequests/10', 'realm': None, 'certId': 
'0x8', 'certURL': 'https://auth.iamts.fr:8443/ca/rest/certs/8', 
'certRequestType': 'pkcs10', 'operationResult': 'success', 'errorMessage': 
None}],
   'Link': []}

   [pascal@dell pki_ui]$

   This raises 2 questions.
   1/ I requested "pending" cert reqs. But I get also "complete" reqs.
   Any idea why ?
   2/ I set the start field to 5, but I receive all requests. Again why
   is that ?

   Thxs again for your help


--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19
import requests
import json

#reqData = '{"requestState": "pending", "requestType": "any", "start": 0, "pageSize": 30, "maxTime": 100}'
reqData = '{"requestState": "pending", "requestType": "any", "start": 5, "pageSize": 0, "maxTime": 100}'

url = "https://auth.iamts.fr:8443/ca/rest/agent/certrequests"
headers = {'Accept': 'application/json', 'Content-Type':'application/json'}
cacertfile='/etc/pki/tls/certs/ca_cert.crt.pem'
certfile='/etc/pki/tls/certs/ca_admin_cert.crt.pem'
keyfile='/etc/pki/tls/private/ca_admin_cert.key.pem'
print(reqData)
resp = requests.request("GET", url, headers=headers, verify=cacertfile, cert=(certfile,keyfile),data=reqData)
print('Status {}'.format(resp.status_code))
if resp.status_code == 200: print(resp.json())

Re: [Pki-devel] SSO

2020-07-08 Thread Pascal Jakobi

I would be interested into trying this.

1/ Is there a list of the "environment variables" (I guess these are 
HTML headers) that dogtag needs ? Did not find it


2/ If I set an Apache reverse proxy, do I still need to insert an admin 
certificate in the browser's wallet ?


Thanks !

P

Le 03/07/2020 à 05:05, Fraser Tweedale a écrit :

On Thu, Jul 02, 2020 at 11:35:22AM -0400, Alex Scheel wrote:

There's a proposal for GSS-API auth:

https://www.dogtagpki.org/wiki/GSS-API_authentication
https://www.freeipa.org/page/V4/Dogtag_GSS-API_Authentication

However, it isn't implemented yet. This would probably suffice for
SSO though.


Although the design doc is called GSS-API Authentication, the
feature is actually more general than that. If you put Dogtag
behind a web frontend (e.g. Apache), you can authenticate users via
SAML or OIDC and convey the appropriate environment variables, and
it will work.  Dogtag just sees an external principal and their
groups conveyed via AJP request attributes.

Cheers,
Fraser



My 2c,

- Alex

- Original Message -

From: "Dinesh Prasanth Moluguwan Krishnamoorthy" 
To: "Pascal Jakobi" 
Cc: pki-devel@redhat.com
Sent: Thursday, July 2, 2020 11:18:53 AM
Subject: Re: [Pki-devel] SSO

Pascal,

I don't think Dogtag Web UI supports it. The feature you are suggesting
(sounds to me like it) requires a full fledged IDM deployment. You can look
at FreeIPA, if you are looking for MFA.

FreeIPA uses Dogtag CA as its backend
to issue certs and also combines several other components to offer a
full-fledged IDM deployment.

Nonetheless, I'm CC'ing pki-devel to see if other developers have any
thoughts.

Regards,
--Dinesh

On Mon, Jun 29, 2020 at 4:47 PM Pascal Jakobi 
wrote:


Dinesh

In fact all I am doing here is in order to offer a GUI that may be used
with OpenId Connect (ie Keycloak or so...). The value of this is that it is
much more flexible than certificate based authentication. You can have MFA,
etc

So my question : is there a way to remove the certificate based access
control in Dogtag's UI ? I would replace it with a tomcat valve that
provides OIDC support.

Best
--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19




--
*Pascal Jakobi* 116 rue de Stalingrad 93100 Montreuil, France
pascal.jak...@gmail.com - +33 6 87 47 58 19