Re: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
Looked over all these and it looks good. Post checkin ACK :)
Just a couple of questions:
1. Code like this:
if (!synchronous) {
+ // Has to be in this state or it won't go anywhere.
+ request.setRequestStatus(RequestStatus.BEGIN);
+ queue.processRequest(request);
+ } else {
+ kra.processSynchronousRequest(request);
+ }
I know we are handling the synchronous request with a processor and such, but the standard
async request is being
handled with the same queue method. Would it look nicer to have a layer for the standard
case, like processAsynchRequest?
No big deal.
2. Did we do a sanity sweep of the various scenarios to make sure that they refactor is
good with respect to legacy code paths?
I"m sure we have but was just asking.
3. Also I realize that the "realm" param is not yet supported but is a hook for
future code, if we have to touch anything again, might help to give a comment
in the key methods as to why it is not yet being used.
thanks,
jack
----- Original Message -----
From: "Ade Lee" <alee(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Friday, November 4, 2016 1:11:03 PM
Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and
recovery requests.
Hi all,
This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
This is preliminary set of patches - just so you can see what I'm doing
in case I need to change anything.
Note: With the changes, you can archive a secret like this:
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
`hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
"test_1"
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
`hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
"test_2" --express
The first invocation will archive a secret and create an archival
request in LDAP. The second will create one only in memory - and will
not store it in LDAP.
You can of course, see the requests created using -
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
`hostname` -p 8443 key-request-find
For retrieving the secret, you can do either:
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
The first will retrieve the secret while creating a retrieval request.
The second will create a retrieval request only in memory, and will not
write it to LDAP.
In both cases, there should be audit logs both for retrieval and
archival.
Thanks,
Ade
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel