[Pki-devel] [PATCH] 757 Added TPS token state transition validation.
The TPSSubsystem has been modified to load and validate the token state transition lists during initialization. If any of the lists is empty or any of the transitions is invalid, the initialization will fail and the subsystem will not start. https://fedorahosted.org/pki/ticket/2334 -- Endi S. Dewata >From d4348403cbe9dcc8984f580da325a14a680076fb Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata"Date: Wed, 25 May 2016 06:27:46 +0200 Subject: [PATCH] Added TPS token state transition validation. The TPSSubsystem has been modified to load and validate the token state transition lists during initialization. If any of the lists is empty or any of the transitions is invalid, the initialization will fail and the subsystem will not start. https://fedorahosted.org/pki/ticket/2334 --- .../src/org/dogtagpki/server/tps/TPSSubsystem.java | 124 + .../src/org/dogtagpki/server/tps/TPSTokendb.java | 2 +- .../org/dogtagpki/server/tps/engine/TPSEngine.java | 51 - .../server/tps/processor/TPSEnrollProcessor.java | 3 +- .../server/tps/processor/TPSProcessor.java | 7 +- .../dogtagpki/server/tps/rest/TokenService.java| 17 ++- 6 files changed, 122 insertions(+), 82 deletions(-) diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java index 2d415c16c7da0b4ad19ecc7d4b2ac3e2d329aa70..7146eb4cfe0b3a1f48743c807db9f03b3c4b63a9 100644 --- a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java +++ b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java @@ -22,6 +22,7 @@ import java.util.HashMap; import java.util.LinkedHashSet; import java.util.Map; +import org.apache.commons.lang.StringUtils; import org.dogtagpki.server.tps.authentication.AuthenticationManager; import org.dogtagpki.server.tps.cms.ConnectionManager; import org.dogtagpki.server.tps.config.AuthenticatorDatabase; 
@@ -36,6 +37,7 @@ import org.dogtagpki.server.tps.dbs.TokenDatabase; import org.dogtagpki.server.tps.dbs.TokenRecord; import org.dogtagpki.server.tps.engine.TPSEngine; import org.dogtagpki.server.tps.mapping.MappingResolverManager; +import org.dogtagpki.tps.main.TPSException; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NotInitializedException; import org.mozilla.jss.crypto.ObjectNotFoundException; @@ -51,6 +53,7 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.request.IRequestListener; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.tps.token.TokenStatus; +import com.netscape.cmscore.base.FileConfigStore; import com.netscape.cmscore.dbs.DBSubsystem; /** @@ -81,7 +84,9 @@ public class TPSSubsystem implements IAuthority, ISubsystem { public TPSEngine engine; public TPSTokendb tdb; -public Map allowedTransitions = new HashMap (); + +public Map uiTransitions; +public Map operationTransitions; @Override public String getId() { 
@@ -116,45 +121,109 @@ public class TPSSubsystem implements IAuthority, ISubsystem { profileDatabase = new ProfileDatabase(); profileMappingDatabase = new ProfileMappingDatabase(); -CMS.debug("TokenSubsystem: allowed transitions:"); +FileConfigStore defaultConfig = new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg"); -// initialize allowed token state transitions with empty containers -for (TokenStatus state : TokenStatus.values()) { -allowedTransitions.put(state, new LinkedHashSet()); -} +uiTransitions = loadAndValidateTokenStateTransitions( +defaultConfig, cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS); -// load allowed token state transitions from TPS configuration -for (String transition : cs.getString(TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS).split(",")) { -String states[] = transition.split(":"); - -TokenStatus fromState = TokenStatus.fromInt(Integer.valueOf(states[0])); -TokenStatus toState = TokenStatus.fromInt(Integer.valueOf(states[1])); -CMS.debug("TokenSubsystem: - " + fromState + " to " + toState); - -Collection nextStates = allowedTransitions.get(fromState); -nextStates.add(toState); -} +operationTransitions = loadAndValidateTokenStateTransitions( +defaultConfig, cs, TPSEngine.CFG_OPERATIONS_ALLOWED_TRANSITIONS); tdb = new TPSTokendb(this); engine = new TPSEngine(); engine.init(); +} + +public Map loadTokenStateTransitions(IConfigStore cs, String property) throws EBaseException { + +String value = cs.getString(property); + +if (StringUtils.isEmpty(value)) { +CMS.debug("Missing token state transitions in " + property); +
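Review bot: the new `uiTransitions` and `operationTransitions` fields in the @@ -81,7 +84,9 @@ hunk are public, non-final, and no longer initialized at declaration (the removed `allowedTransitions` had `= new HashMap ()`). Any caller can replace or mutate the validated tables after init(), and any access before init() completes sees null. Suggest private fields with getters that return unmodifiable views, assigned once after validation succeeds, so the tables that pass the startup check are the ones enforced at runtime.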
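Review bot: the absolute path in `new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg")` in the @@ -116,45 +121,109 @@ hunk is hard-coded inside init(). Because a failed validation now stops the subsystem, a missing or unreadable default file at that location becomes a startup failure. Suggest a named constant or a path derived from the installation settings, and an error that names the file. In the visible part of `loadTokenStateTransitions` the empty-value case is reported only through `CMS.debug("Missing token state transitions in " + property)`; the patch is cut off after that line, so please make sure the exception that follows also carries the property name, otherwise an administrator sees a failed start with no cause outside the debug log.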
[Pki-devel] [PATCH] 758 Fixed error handling in ProxyRealm.
The ProxyRealms for Tomcat 7 and 8 have been modified to return an error if the subsystem is not available instead of falling back to username/password authentication. https://fedorahosted.org/pki/ticket/2326 -- Endi S. Dewata >From cc10c05d122df43bb5b09cfc09c42099c1fd08bd Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata"Date: Thu, 26 May 2016 05:10:17 +0200 Subject: [PATCH] Fixed error handling in ProxyRealm. The ProxyRealms for Tomcat 7 and 8 have been modified to return an error if the subsystem is not available instead of falling back to username/password authentication. https://fedorahosted.org/pki/ticket/2326 --- base/server/tomcat7/src/CMakeLists.txt | 3 +- .../src/com/netscape/cms/tomcat/ProxyRealm.java| 46 ++ base/server/tomcat8/src/CMakeLists.txt | 3 +- .../src/com/netscape/cms/tomcat/ProxyRealm.java| 44 + 4 files changed, 94 insertions(+), 2 deletions(-) diff --git a/base/server/tomcat7/src/CMakeLists.txt b/base/server/tomcat7/src/CMakeLists.txt index bb42bfe0a4a840f0b271a83600f79686f76cc353..f84369ccc33d47c11f32bc3e956431f501c121e4 100644 --- a/base/server/tomcat7/src/CMakeLists.txt +++ b/base/server/tomcat7/src/CMakeLists.txt @@ -124,7 +124,8 @@ javac(pki-tomcat7-classes com/netscape/cms/tomcat/*.java CLASSPATH ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} -${CMAKE_BINARY_DIR}/../../tomcat +${JAXRS_API_JAR} +${CMAKE_BINARY_DIR}/../../tomcat OUTPUT_DIR ${CMAKE_BINARY_DIR}/../../tomcat DEPENDS diff --git a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java index 094c0561f49f4e79d910b1d9a30c13b10d04a297..13b61e47a5531785760a338db1658c6bd1619555 100644 --- a/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java +++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/ProxyRealm.java 
@@ -7,6 +7,8 @@ import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Map; +import javax.ws.rs.ServiceUnavailableException; + import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Realm; @@ -60,12 +62,26 @@ public class ProxyRealm implements Realm { } @Override +public Principal authenticate(String username) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} +return realm.authenticate(username); +} + +@Override public Principal authenticate(String username, String password) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.authenticate(username, password); } @Override public Principal authenticate(X509Certificate certs[]) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.authenticate(certs); } @@ -80,11 +96,17 @@ public class ProxyRealm implements Realm { String realmName, String md5a2 ) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2); } @Override public Principal authenticate(GSSContext gssContext, boolean storeCreds) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.authenticate(gssContext, storeCreds); } 
@@ -95,26 +117,41 @@ public class ProxyRealm implements Realm { SecurityConstraint[] constraints, Context context ) throws IOException { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.hasResourcePermission(request, response, constraints, context); } @Override public String getInfo() { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.getInfo(); } @Override public void backgroundProcess() { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} realm.backgroundProcess(); } @Override public SecurityConstraint[] findSecurityConstraints(Request request, Context context) { +if (realm == null) { +throw new ServiceUnavailableException("Subsystem unavailable"); +} return realm.findSecurityConstraints(request, context); } @Override public boolean hasRole(Wrapper wrapper, Principal principal, String role) { +if (realm == null) { +throw new
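Review bot: the guard `if (realm == null) { throw new ServiceUnavailableException("Subsystem unavailable"); }` is pasted into every delegating method from the @@ -60,12 +62,26 @@ hunk onward. A single private helper that returns the realm or throws would keep the fail-closed behaviour in one place, so a method added later cannot miss the check. It is also worth confirming in testing how the client sees this exception. `javax.ws.rs.ServiceUnavailableException` is thrown here from a Catalina `Realm` method, which the container calls during authentication rather than under a JAX-RS exception mapper, so the response may be a generic 500 instead of the intended 503.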
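Review bot: in the @@ -95,26 +117,41 @@ hunk the same guard is added to `getInfo()` and `backgroundProcess()`, neither of which makes an authentication or authorization decision. `backgroundProcess()` is invoked periodically by the container, so while the subsystem is down it will now throw on every cycle and fill the log. Suggest returning quietly from `backgroundProcess()` and returning a fixed string from `getInfo()` when `realm` is null, keeping the exception for the authenticate, `hasResourcePermission`, `findSecurityConstraints` and `hasRole` paths where failing closed matters.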
Re: [Pki-devel] [PATCH] 303-306 Various issues
On 5/24/2016 10:32 PM, Ade Lee wrote:
> Patches 303, 305 and 306 have been modified as discussed and checked in.
> Patch 304 has been revised as discussed on IRC. Please review.
>
> Ade

Just one thing, the maxAge unit is still hours. I'm not sure anybody wants to purge CRLs less than a day old. Considering in the future we're going to provide a default maxAge of 1 year, it might be better to specify it in days instead. Other than that it's ACKed.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch
Looks good:

Just a minor suggestion:

The boolean to markAsRevoked, you might want to rename as "isAlreadyRevoked" to tell the reader more clearly what is going on. We know we want to revoke a cert, but this boolean covers the case when the cert to be revoked is already in the unique (on hold) status.

ACK then if tested to work, especially that routine that calculates if a cert is currently on hold. If that has any issues, could be an issue.

- Original Message -
> From: "Christina Fu"
> To: "pki-devel"
> Sent: Tuesday, May 24, 2016 6:18:25 PM
> Subject: [Pki-devel] [PATCH] pki-cfu-0123-Ticket-1665-Cert-Revocation-Reasons-not-being-update.patch
>
> https://fedorahosted.org/pki/ticket/1665 Certificate Revocation Reasons not being updated in some cases
>
> Ticket 1665 - Cert Revocation Reasons not being updated when on-hold
> This patch fixes the following areas:
> * In the CA, when revokeCert is called, make it possible to move from on_hold to revoke.
> * In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows the on_hold cert to be put in the bucket to be revoked.
> * there are a few minor fixes such as typos and one has to do with the populate method in SubjectDNInput.java needs better handling of subject in case it's null.
> Note: This patch does not make an attempt to allow agents to revoke certs that are on_hold from agent interface. The search filter needs to be modified to allow that.
>
> thanks,
> Christina