On 10/28/2014 10:51 PM, Endi Sukma Dewata wrote:
Thanks for the review. New patch attached.
On 10/23/2014 3:59 AM, Petr Viktorin wrote:
In IPA we usually include the full ticket URL, not just the number.
Fixed.
The build fails with a lint message:
************* Module ipaserver.plugins.dogtag
ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
kra.get_client] Unexpected keyword argument 'password_file' in
constructor call)
ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
kra.get_client] No value for argument 'certdb_password' in constructor
call)
I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
takes password and not password_file. If a newer version is required you
should put it in the spec.
Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my
COPR repo:
dnf copr enable edewata/pki
OK. We should get that to an IPA COPR before merging this.
ipaserver.install.certs.CertDB.install_pem_from_p12:
If p12_passwd is missing and pwd_fname is None, this will crash.
Please document how the method should be called. And assert that exactly
one of p12_passwd and pwd_fname is given.
I reverted this change because the KRA backend actually no longer uses
install_pem_from_p12(). The KRA backend is now using the CLI from the
new Dogtag which generates the proper PEM format for client
authentication, so I'll leave install_pem_from_p12() unmodified because
it's still used by KrbInstance.
ipaserver.plugins.dogtag.kra.get_client:
Should every caller check if this returns None?
If not, raise an exception instead.
If yes, at least mention it in a docstring.
Fixed. It's now raising a generic exception.
Is there an existing exception that is more appropriate for backend
issues like this?
I'd go for RuntimeError.
Don't use translatable strings (the _ function) if you're not using
ipalib.PublicError subclasses.
Typo in commit message: "modified to use Dogtag's CLI *go* create"
Fixed.
How can I do some basic smoke check on this? Is there something I still
need to to besides ipa-kra-istall? Any other patches?
I tried:
from ipalib import api
from pki.key import KeyClient
api.bootstrap(context='server')
api.finalize()
keyclient = api.Backend.kra.get_client()
keyclient.keys.archive_key('test3', KeyClient.PASS_PHRASE_TYPE, 'tkey')
which gives me:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 295, in
handler
return fn_call(inst, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/pki/key.py", line 687, in
archive_key
nonce_iv = self.crypto.generate_nonce_iv()
File "/usr/lib/python2.7/site-packages/pki/crypto.py", line 176, in
generate_nonce_iv
iv_data = nss.generate_random(iv_length)
nss.error.NSPRError: (SEC_ERROR_NO_TOKEN) The security card or token
does not exist, needs to be initialized, or has been removed.
--
PetrĀ³
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel