[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Author: HonzaCholasta Title: #359: dogtag: search past the first 100 certificates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/359/head:pr359 git checkout pr359 From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 21 Dec 2016 09:55:40 +0100 Subject: [PATCH 1/2] dogtag: search past the first 100 certificates Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 --- ipaserver/plugins/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 73c14ed..f5f9ebe 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1914,7 +1914,7 @@ def convert_time(value): url = 'http://%s/ca/rest/certs/search?size=%d' % ( ipautil.format_netloc(self.ca_host, 8080), -options.get('sizelimit', 100)) +options.get('sizelimit', 0x7fff)) opener = urllib.request.build_opener() opener.addheaders = [('Accept-Encoding', 'gzip, deflate'), From 66ade174732375f5fcf9f3786939285810cb7eba Mon Sep 17 00:00:00 2001 
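Review bot: The new default in `options.get('sizelimit', 0x7fff)` is an unexplained literal and still a hard cap, so an "unlimited" search against a CA holding more certificates than that would come back short, with nothing in this hunk signalling it. I would name and document the value, e.g. `DOGTAG_MAX_SEARCH_SIZE = 0x7fff  # largest size value Dogtag accepts`, and have the caller treat a reply of exactly that many entries as possibly truncated. This matters to anyone using the search to inventory or review issued certificates, where a silently incomplete list is worse than an error. The enclosing method starts and ends outside the hunk, and the same hunk appears again in the resent copy of the patch further down the page.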
From: Jan Cholasta Date: Tue, 17 Jan 2017 14:34:33 +0100 Subject: [PATCH 2/2] cert: fix search limit handling in cert-find If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well. Detect and report if size limit was exceeded in the certificate search in the CA. Do not apply limits to the internal ca-find call. https://fedorahosted.org/freeipa/ticket/6564 --- ipaserver/plugins/cert.py | 21 + 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index d8bfc1c..c5ed9bf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): elif isinstance(value, DN): value = unicode(value) ra_options[name] = value -if sizelimit: -ra_options['sizelimit'] = sizelimit +if sizelimit > 0: +# Dogtag doesn't tell that the size limit was exceeded +# search for one more entry so that we can tell ourselves +ra_options['sizelimit'] = sizelimit + 1 if exactly: ra_options['exactly'] = True @@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): raise return result, False, complete -ca_objs = self.api.Command.ca_find()['result'] +ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result'] ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs} ra = self.api.Backend.ra for ra_obj in ra.find(ra_options): +if sizelimit > 0 and len(result) >= sizelimit: +self.add_message(messages.SearchResultTruncated( +reason=errors.SizeLimitExceeded())) +break + issuer = DN(ra_obj['issuer']) serial_number = ra_obj['serial_number'] 
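Review bot: `ra_options['sizelimit'] = sizelimit + 1` is not bounded by the maximum that patch 1/2 says Dogtag accepts, so a requested or configured limit of 0x7fff or more sends a size above that cap; how Dogtag handles that is not visible here. Consider `ra_options['sizelimit'] = min(sizelimit + 1, 0x7fff)`, ideally through a shared constant, and document that truncation cannot be detected at the cap itself. Separately, `sizelimit > 0` assumes an integer: `execute` now fills in a default, but any other caller still passing `None` would get a TypeError on Python 3 where the old `if sizelimit:` did not. `_ca_search` begins and ends outside the hunk, so its other callers cannot be checked from here.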
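Review bot: The truncation check in the `ra.find` loop compares `len(result)` rather than the number of entries Dogtag actually returned. If the rest of the loop body (outside this hunk) skips any entry, the one extra entry requested as a probe can be used up without `SearchResultTruncated` ever being added. Counting received entries separately, e.g. `for count, ra_obj in enumerate(ra.find(ra_options), 1):` with `if sizelimit > 0 and count > sizelimit:`, would report truncation regardless of later filtering. It is also worth confirming that the truncated flag returned by `_ca_search` is set on this path and not only the message; the return statement is not in the hunk.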
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False, if criteria is not None: return dict(result=[], count=0, truncated=False) +# respect the configured search limits +if timelimit is None: +timelimit = self.api.Backend.ldap2.time_limit +if sizelimit is None: +sizelimit = self.api.Backend.ldap2.size_limit + result = collections.OrderedDict() truncated = False complete = False @@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False, **options) if sub_complete: -sizelimit = None +sizelimit = 0 for key in tuple(result): if key not in sub_result: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
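Review bot: The two copies of this patch on the page disagree on the attribute names read from the LDAP backend: this revision uses `self.api.Backend.ldap2.time_limit` and `.size_limit`, while the resent one uses `.timelimit` and `.sizelimit`. Only one spelling can match the backend class, and the wrong one raises AttributeError on every cert-find call that omits the limits, so this branch needs a test that runs cert-find without `--sizelimit` or `--timelimit`. The comment `# respect the configured search limits` could also say which value the backend uses for "no limit", since the later code only tests `sizelimit > 0`. `execute` continues outside the hunk.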
[Freeipa-devel] [freeipa PR#359][synchronized] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359 Author: HonzaCholasta Title: #359: dogtag: search past the first 100 certificates Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/359/head:pr359 git checkout pr359 From fc2a2834236c3cf55bfa41d1f48d4d7c4044b01f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 21 Dec 2016 09:55:40 +0100 Subject: [PATCH 1/2] dogtag: search past the first 100 certificates Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 --- ipaserver/plugins/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 73c14ed..f5f9ebe 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1914,7 +1914,7 @@ def convert_time(value): url = 'http://%s/ca/rest/certs/search?size=%d' % ( ipautil.format_netloc(self.ca_host, 8080), -options.get('sizelimit', 100)) +options.get('sizelimit', 0x7fff)) opener = urllib.request.build_opener() opener.addheaders = [('Accept-Encoding', 'gzip, deflate'), From f7f2d04e550f997108f7a2177c50a8816d769b86 Mon Sep 17 00:00:00 2001 
From: Jan Cholasta Date: Tue, 17 Jan 2017 14:34:33 +0100 Subject: [PATCH 2/2] cert: fix search limit handling in cert-find If search limits are not specified in cert-find, use the configured limits. This applies to the certificate search in the CA as well. Detect and report if size limit was exceeded in the certificate search in the CA. Do not apply limits to the internal ca-find call. https://fedorahosted.org/freeipa/ticket/6564 --- ipaserver/plugins/cert.py | 21 + 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index d8bfc1c..f4ba630 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -1304,8 +1304,10 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): elif isinstance(value, DN): value = unicode(value) ra_options[name] = value -if sizelimit: -ra_options['sizelimit'] = sizelimit +if sizelimit > 0: +# Dogtag doesn't tell that the size limit was exceeded +# search for one more entry so that we can tell ourselves +ra_options['sizelimit'] = sizelimit + 1 if exactly: ra_options['exactly'] = True @@ -1319,11 +1321,16 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): raise return result, False, complete -ca_objs = self.api.Command.ca_find()['result'] +ca_objs = self.api.Command.ca_find(timelimit=0, sizelimit=0)['result'] ca_objs = {DN(ca['ipacasubjectdn'][0]): ca for ca in ca_objs} ra = self.api.Backend.ra for ra_obj in ra.find(ra_options): +if sizelimit > 0 and len(result) >= sizelimit: +self.add_message(messages.SearchResultTruncated( +reason=errors.SizeLimitExceeded())) +break + issuer = DN(ra_obj['issuer']) serial_number = ra_obj['serial_number'] 
@@ -1453,6 +1460,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False, if criteria is not None: return dict(result=[], count=0, truncated=False) +# respect the configured search limits +if timelimit is None: +timelimit = self.api.Backend.ldap2.timelimit +if sizelimit is None: +sizelimit = self.api.Backend.ldap2.sizelimit + result = collections.OrderedDict() truncated = False complete = False @@ -1470,7 +1483,7 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False, **options) if sub_complete: -sizelimit = None +sizelimit = 0 for key in tuple(result): if key not in sub_result: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code