[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates

2017-01-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/359
Author: HonzaCholasta
 Title: #359: dogtag: search past the first 100 certificates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH 1/2] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
 
 url = 'http://%s/ca/rest/certs/search?size=%d' % (
 ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
 
 opener = urllib.request.build_opener()
 opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
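Review bot: The new default in `options.get('sizelimit', 0x7fff))` is a bare magic number, and a search matching more than 0x7fff certificates is still cut off without anything telling the caller. Give the value a named constant with a comment that it is the largest size Dogtag accepts (as the commit message states), and consider flagging the result as possibly truncated when exactly that many entries come back, since a caller building a certificate inventory or checking revocation state would otherwise act on a partial list.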

From 66ade174732375f5fcf9f3786939285810cb7eba Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 17 Jan 2017 14:34:33 +0100
Subject: [PATCH 2/2] cert: fix search limit handling in cert-find

If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/cert.py | 21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d8bfc1c..c5ed9bf 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 elif isinstance(value, DN):
 value = unicode(value)
 ra_options[name] = value
-if sizelimit:
-ra_options['sizelimit'] = sizelimit
+if sizelimit > 0:
+# Dogtag doesn't tell that the size limit was exceeded
+# search for one more entry so that we can tell ourselves
+ra_options['sizelimit'] = sizelimit + 1
 if exactly:
 ra_options['exactly'] = True
 
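Review bot: In `ra_options['sizelimit'] = sizelimit + 1`, a caller-supplied limit at or above 0x7fff yields a value past what patch 1/2 describes as the maximum Dogtag accepts. Clamp the value sent to the CA, or state in the comment how Dogtag treats a larger size, because the one-extra-entry check only detects truncation if the CA honours the larger request. Separately, `if sizelimit > 0:` now assumes an integer where the old `if sizelimit:` tolerated None, so it is worth confirming that every caller of `_ca_search` passes a number.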
@@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 raise
 return result, False, complete
 
-ca_objs = self.api.Command.ca_find()['result']
+ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result']
 ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs}
 
 ra = self.api.Backend.ra
 for ra_obj in ra.find(ra_options):
+if sizelimit > 0 and len(result) >= sizelimit:
+self.add_message(messages.SearchResultTruncated(
+reason=errors.SizeLimitExceeded()))
+break
+
 issuer = DN(ra_obj['issuer'])
 serial_number = ra_obj['serial_number']
 
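Review bot: The early `break` under `if sizelimit > 0 and len(result) >= sizelimit:` adds a SearchResultTruncated message, but nothing in this hunk sets the truncated value that `_ca_search` returns (the error path above returns `result, False, complete`). Please make sure the returned flag is set on this path too, so that the `truncated` field of the cert-find result agrees with the message.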
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 if criteria is not None:
 return dict(result=[], count=0, truncated=False)
 
+# respect the configured search limits
+if timelimit is None:
+timelimit = self.api.Backend.ldap2.time_limit
+if sizelimit is None:
+sizelimit = self.api.Backend.ldap2.size_limit
+
 result = collections.OrderedDict()
 truncated = False
 complete = False
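Review bot: The fallback block under `# respect the configured search limits` relies on None meaning "not specified" and 0 meaning "no limit" (see `sizelimit = 0` in the last hunk), but the comment does not say so. Spell out the two sentinels here, and add a test that runs cert-find without explicit limits against more certificates than the configured size limit, checking that the result is cut at the limit and reported as truncated.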
@@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 **options)
 
 if sub_complete:
-sizelimit = None
+sizelimit = 0
 
 for key in tuple(result):
 if key not in sub_result:
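Review bot: `sizelimit = 0` under `if sub_complete:` has no comment explaining that 0 lifts the limit for the remaining sub-searches, or that it must be an integer now that `_ca_search` compares with `sizelimit > 0`. A one-line comment would keep a later cleanup from changing it back to None.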
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates

2017-01-17 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/359
Author: HonzaCholasta
 Title: #359: dogtag: search past the first 100 certificates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH 1/2] dogtag: search past the first 100 certificates

Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
 
 url = 'http://%s/ca/rest/certs/search?size=%d' % (
 ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
 
 opener = urllib.request.build_opener()
 opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),

From f7f2d04e550f997108f7a2177c50a8816d769b86 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 17 Jan 2017 14:34:33 +0100
Subject: [PATCH 2/2] cert: fix search limit handling in cert-find

If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564
---
 ipaserver/plugins/cert.py | 21 +
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index d8bfc1c..f4ba630 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 elif isinstance(value, DN):
 value = unicode(value)
 ra_options[name] = value
-if sizelimit:
-ra_options['sizelimit'] = sizelimit
+if sizelimit > 0:
+# Dogtag doesn't tell that the size limit was exceeded
+# search for one more entry so that we can tell ourselves
+ra_options['sizelimit'] = sizelimit + 1
 if exactly:
 ra_options['exactly'] = True
 
@@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
 raise
 return result, False, complete
 
-ca_objs = self.api.Command.ca_find()['result']
+ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result']
 ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs}
 
 ra = self.api.Backend.ra
 for ra_obj in ra.find(ra_options):
+if sizelimit > 0 and len(result) >= sizelimit:
+self.add_message(messages.SearchResultTruncated(
+reason=errors.SizeLimitExceeded()))
+break
+
 issuer = DN(ra_obj['issuer'])
 serial_number = ra_obj['serial_number']
 
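Review bot: `ca_find(timelimit=0, sizelimit=0)` needs a short comment at the call site. The commit message says limits are not applied to the internal ca-find call, but the code does not say why; presumably a truncated CA list would leave some issuers out of `ca_objs`, and stating that next to the call would save the next reader from guessing.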
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 if criteria is not None:
 return dict(result=[], count=0, truncated=False)
 
+# respect the configured search limits
+if timelimit is None:
+timelimit = self.api.Backend.ldap2.timelimit
+if sizelimit is None:
+sizelimit = self.api.Backend.ldap2.sizelimit
+
 result = collections.OrderedDict()
 truncated = False
 complete = False
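Review bot: The attribute names in `timelimit = self.api.Backend.ldap2.timelimit` and the matching `sizelimit` line differ from the previous push of this patch, which read `time_limit` and `size_limit`; a wrong name here fails only at run time, when cert-find is called without explicit limits. Please add a test covering that path so the correct spelling is pinned down.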
@@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 **options)
 
 if sub_complete:
-sizelimit = None
+sizelimit = 0
 
 for key in tuple(result):
 if key not in sub_result:
-- 