[PATCH] 0109-Ticket-1375-Provide-cert-key-retention-for-externalR.patch
by Christina Fu
Ticket #1375 Provide cert/key retention for externalReg
Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg. If the
certsToAdd field contains (serial,ca#) instead of the full (serial, ca#,
keyId, kra#), then it is expecting the cert/key to be retained from token
without having to do a full retrieval (recovery). This patch also fixes the
issues reported in #1514 and #1587 as testing of #1375 is easier with those
two issues addressed. An issue was found during development where Coolkey
puts limits on the cert/key ids on the token and makes it impossible to inject
cert ID higher than 4, as it would then result in key ids into two digits.
This issue will be filed as a separate ticket and addressed separately. Most
testing will then be conducted.
thanks,
Christina
8 years, 3 months
[PATCH] [WIP] Add external authentication support
by Fraser Tweedale
Hi all,
GSS-API authentication support is in progress. The approach is
detailed in the design proposal[1], which is not complete.
The attached patch is provided for early review of the approach and
implementation. It should not break existing behaviour for existing
authentication methods, but is not yet fully usable for externally
authenticated principals.
Some brief implementation notes:
- `ExternalAuthToken' class wraps an externally authenticated
  principal in order to provide reasonable values for common
  AuthToken attributes. Many attributes are not yet implemented,
  and some never will be (i.e. some call sites may need to weaken
  their assumptions).
- There are ~9 explicit casts of principal from abstract `Principal'
  to `PKIPrincipal'; these sites need to be checked and probably
  updated in most cases, because (principal instanceof PKIPrincipal)
  is no longer a valid assumption. Some are definitely broken.
- `AuthMethodInterceptor' currently treats all external
  authentication methods the same, allowing access. If
  needed, different external authn methods can be distinguished,
  allowing different access rules for different external authn
  methods.
- This patch does not configure the second tomcat AJP `Connector'
  required. Also, the `Connector' needs to be "locked down" to
  only allow traffic from the Apache frontend. I need to confirm
  how to do this and clearly document it.
Regarding the design document, there is a lot more to come re:
authorization, especially for user-created objects such as secrets
in KRA.
8 years, 3 months