[Pki-devel] [PATCH] 757 Added TPS token state transition validation.

2016-05-25 Thread Endi Sukma Dewata

The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.

https://fedorahosted.org/pki/ticket/2334

--
Endi S. Dewata
From d4348403cbe9dcc8984f580da325a14a680076fb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 25 May 2016 06:27:46 +0200
Subject: [PATCH] Added TPS token state transition validation.

The TPSSubsystem has been modified to load and validate the token
state transition lists during initialization. If any of the lists
is empty or any of the transitions is invalid, the initialization
will fail and the subsystem will not start.

https://fedorahosted.org/pki/ticket/2334
---
 .../src/org/dogtagpki/server/tps/TPSSubsystem.java | 124 +
 .../src/org/dogtagpki/server/tps/TPSTokendb.java   |   2 +-
 .../org/dogtagpki/server/tps/engine/TPSEngine.java |  51 -
 .../server/tps/processor/TPSEnrollProcessor.java   |   3 +-
 .../server/tps/processor/TPSProcessor.java |   7 +-
 .../dogtagpki/server/tps/rest/TokenService.java|  17 ++-
 6 files changed, 122 insertions(+), 82 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
index 2d415c16c7da0b4ad19ecc7d4b2ac3e2d329aa70..7146eb4cfe0b3a1f48743c807db9f03b3c4b63a9 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
@@ -22,6 +22,7 @@ import java.util.HashMap;
 import java.util.LinkedHashSet;
 import java.util.Map;
 
+import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.authentication.AuthenticationManager;
 import org.dogtagpki.server.tps.cms.ConnectionManager;
 import org.dogtagpki.server.tps.config.AuthenticatorDatabase;
@@ -36,6 +37,7 @@ import org.dogtagpki.server.tps.dbs.TokenDatabase;
 import org.dogtagpki.server.tps.dbs.TokenRecord;
 import org.dogtagpki.server.tps.engine.TPSEngine;
 import org.dogtagpki.server.tps.mapping.MappingResolverManager;
+import org.dogtagpki.tps.main.TPSException;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.crypto.ObjectNotFoundException;
@@ -51,6 +53,7 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequestListener;
 import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.tps.token.TokenStatus;
+import com.netscape.cmscore.base.FileConfigStore;
 import com.netscape.cmscore.dbs.DBSubsystem;
 
 /**
@@ -81,7 +84,9 @@ public class TPSSubsystem implements IAuthority, ISubsystem {
 
 public TPSEngine engine;
 public TPSTokendb tdb;
-public Map allowedTransitions = new HashMap();
+
+public Map uiTransitions;
+public Map operationTransitions;
 
 @Override
 public String getId() {
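Review bot: `uiTransitions` and `operationTransitions` are declared as public, non-final fields, so after initialization has validated them any caller can still reassign or mutate the maps and bypass that validation. Consider making them private and exposing them through getters that return unmodifiable views.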
@@ -116,45 +121,109 @@ public class TPSSubsystem implements IAuthority, ISubsystem {
 profileDatabase = new ProfileDatabase();
 profileMappingDatabase = new ProfileMappingDatabase();
 
-CMS.debug("TokenSubsystem: allowed transitions:");
+FileConfigStore defaultConfig = new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg");
 
-// initialize allowed token state transitions with empty containers
-for (TokenStatus state : TokenStatus.values()) {
-allowedTransitions.put(state, new LinkedHashSet());
-}
+uiTransitions = loadAndValidateTokenStateTransitions(
+defaultConfig, cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS);
 
-// load allowed token state transitions from TPS configuration
-for (String transition : cs.getString(TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS).split(",")) {
-String states[] = transition.split(":");
-
-TokenStatus fromState = TokenStatus.fromInt(Integer.valueOf(states[0]));
-TokenStatus toState = TokenStatus.fromInt(Integer.valueOf(states[1]));
-CMS.debug("TokenSubsystem:  - " + fromState + " to " + toState);
-
-Collection nextStates = allowedTransitions.get(fromState);
-nextStates.add(toState);
-}
+operationTransitions = loadAndValidateTokenStateTransitions(
+defaultConfig, cs, TPSEngine.CFG_OPERATIONS_ALLOWED_TRANSITIONS);
 
 tdb = new TPSTokendb(this);
 
 engine = new TPSEngine();
 engine.init();
+}
+
+public Map loadTokenStateTransitions(IConfigStore cs, String property) throws EBaseException {
+
+String value = cs.getString(property);
+
+if (StringUtils.isEmpty(value)) {
+CMS.debug("Missing token state transitions in " + property);
+   
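
Review bot: The argument to `new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg")` in the initialization code is a hard-coded absolute path, so validation against the defaults depends on that file being present and readable at exactly this location. Consider moving it to a named constant or a configurable property, and including the path in the error reported when it cannot be loaded, so that a failed startup is easy to diagnose.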

[Pki-devel] [PATCH] 758 Fixed error handling in ProxyRealm.

2016-05-25 Thread Endi Sukma Dewata

The ProxyRealms for Tomcat 7 and 8 have been modified to return an
error if the subsystem is not available instead of falling back to
username/password authentication.

https://fedorahosted.org/pki/ticket/2326

--
Endi S. Dewata
From cc10c05d122df43bb5b09cfc09c42099c1fd08bd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 26 May 2016 05:10:17 +0200
Subject: [PATCH] Fixed error handling in ProxyRealm.

The ProxyRealms for Tomcat 7 and 8 have been modified to return an
error if the subsystem is not available instead of falling back to
username/password authentication.

https://fedorahosted.org/pki/ticket/2326
---
 base/server/tomcat7/src/CMakeLists.txt |  3 +-
 .../src/com/netscape/cms/tomcat/ProxyRealm.java| 46 ++
 base/server/tomcat8/src/CMakeLists.txt |  3 +-
 .../src/com/netscape/cms/tomcat/ProxyRealm.java| 44 +
 4 files changed, 94 insertions(+), 2 deletions(-)

diff --git a/base/server/tomcat7/src/CMakeLists.txt b/base/server/tomcat7/src/CMakeLists.txt
index bb42bfe0a4a840f0b271a83600f79686f76cc353..f84369ccc33d47c11f32bc3e956431f501c121e4 100644
--- a/base/server/tomcat7/src/CMakeLists.txt
+++ b/base/server/tomcat7/src/CMakeLists.txt
@@ -124,7 +124,8 @@ javac(pki-tomcat7-classes
 com/netscape/cms/tomcat/*.java
 CLASSPATH
 ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
-${CMAKE_BINARY_DIR}/../../tomcat
+${JAXRS_API_JAR}
+${CMAKE_BINARY_DIR}/../../tomcat
 OUTPUT_DIR
 ${CMAKE_BINARY_DIR}/../../tomcat
 DEPENDS
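Review bot: Adding `${JAXRS_API_JAR}` to the `CLASSPATH` of `pki-tomcat7-classes` only covers compilation. Please confirm the JAX-RS API jar is also visible at run time to the class loader that loads these Tomcat-level classes, otherwise the new exception class could fail to load exactly when the subsystem is unavailable.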
diff --git a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
index 094c0561f49f4e79d910b1d9a30c13b10d04a297..13b61e47a5531785760a338db1658c6bd1619555 100644
--- a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java
@@ -7,6 +7,8 @@ import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.ws.rs.ServiceUnavailableException;
+
 import org.apache.catalina.Container;
 import org.apache.catalina.Context;
 import org.apache.catalina.Realm;
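Review bot: The added import `javax.ws.rs.ServiceUnavailableException` is a JAX-RS exception type, but a `Realm` is invoked by the container rather than from a JAX-RS resource. Please confirm how it is turned into a response in that context, i.e. that clients receive a 503 rather than a generic server error, or consider an exception type the container handles itself.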
@@ -60,12 +62,26 @@ public class ProxyRealm implements Realm {
 }
 
 @Override
+public Principal authenticate(String username) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
+return realm.authenticate(username);
+}
+
+@Override
 public Principal authenticate(String username, String password) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.authenticate(username, password);
 }
 
 @Override
 public Principal authenticate(X509Certificate certs[]) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.authenticate(certs);
 }
 
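Review bot: The three-line `if (realm == null) { throw ... }` guard is pasted into each `authenticate` overload here, and the field is then read a second time for the delegating call. A single private helper that returns the non-null realm or throws would remove the duplication and make it harder for a future method to miss the check. The new `authenticate(String username)` overload is added rather than modified, so it also deserves a mention in the commit message.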
@@ -80,11 +96,17 @@ public class ProxyRealm implements Realm {
 String realmName,
 String md5a2
 ) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2);
 }
 
 @Override
 public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.authenticate(gssContext, storeCreds);
 }
 
@@ -95,26 +117,41 @@ public class ProxyRealm implements Realm {
 SecurityConstraint[] constraints,
 Context context
 ) throws IOException {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.hasResourcePermission(request, response, constraints, context);
 }
 
 @Override
 public String getInfo() {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.getInfo();
 }
 
 @Override
 public void backgroundProcess() {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 realm.backgroundProcess();
 }
 
 @Override
 public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
+if (realm == null) {
+throw new ServiceUnavailableException("Subsystem unavailable");
+}
 return realm.findSecurityConstraints(request, context);
 }
 
 @Override
 public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+if (realm == null) {
+throw new 
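
Review bot: In `getInfo()` and `backgroundProcess()` the guard throws `ServiceUnavailableException`, but these are not request-handling methods, so there is no client to receive the error; for `backgroundProcess()` the exception would be raised from the container's periodic background processing for as long as the subsystem is down. Returning quietly from `backgroundProcess()` and returning a fixed string from `getInfo()` when `realm` is null would be safer, while keeping the throw in the authentication and permission methods.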

Re: [Pki-devel] [PATCH] 303-306 Various issues

2016-05-25 Thread Endi Sukma Dewata

On 5/24/2016 10:32 PM, Ade Lee wrote:

> Patches 303, 305 and 306 have been modified as discussed and checked
> in.
>
> Patch 304 has been revised as discussed on IRC.  Please review.
>
> Ade


Just one thing, the maxAge unit is still hours. I'm not sure anybody 
wants to purge CRLs less than a day old. Considering in the future we're 
going to provide a default maxAge of 1 year, it might be better to 
specify it in days instead.


Other than that it's ACKed.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch

2016-05-25 Thread John Magne

Looks good:

Just a minor suggestion:

The boolean to markAsRevoked, you might want to rename as
"isAlreadyRevoked" to tell the reader more clearly what is going on.
We know we want to revoke a cert, but this boolean covers the case when the
cert to be revoked is already in the unique (on hold) status.

ACK then if tested to work, especially that routine that calculates if a cert
is currently on hold. If that has any issues, could be an issue.




- Original Message -
> From: "Christina Fu" 
> To: "pki-devel" 
> Sent: Tuesday, May 24, 2016 6:18:25 PM
> Subject: [Pki-devel] [PATCH] 
> pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch
> 
> https://fedorahosted.org/pki/ticket/1665 Certificate Revocation Reasons
> not being updated in some cases
>
> Ticket 1665 - Cert Revocation Reasons not being updated when on-hold
> This patch fixes the following areas:
>  * In the CA, when revokeCert is called, make it possible to move from
>    on_hold to revoke.
>  * In the servlet that handles TPS revoke (DoRevokeTPS), make sure it
>    allows the on_hold cert to be put in the bucket to be revoked.
>  * There are a few minor fixes such as typos, and one has to do with the
>    populate method in SubjectDNInput.java, which needs better handling of
>    subject in case it's null.
> Note: This patch does not make an attempt to allow agents to revoke certs
> that are on_hold from agent interface.  The search filter needs to be
> modified to allow that.
> 
> thanks,
> Christina