Thanks. Fixed as below. Pushed to master.
On Mon, 2016-05-09 at 17:51 -0500, Endi Sukma Dewata wrote:
On 5/9/2016 2:18 PM, Ade Lee wrote:
> Patch descriptions .. in reverse order.
>
> Note that the CA setup for authz is further documented at
> pki.fedoraproject.org/wiki/Kra_authz_realm, where I have added a
> section on 'CA Configuration'.
>
> Thanks,
> Ade
>
> ****************************************************************
> commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7
> Author: Ade Lee <alee(a)redhat.com>
> Date: Mon May 9 15:00:20 2016 -0400
>
> Add authz realm check for cert enrollment
>
> Ticket 2041
>
> commit b5232ce101083409ed9a86e9057620cca7288f62
> Author: Ade Lee <alee(a)redhat.com>
> Date: Sat May 7 00:06:08 2016 -0400
>
> Fix error output when request is rejected
>
> With this fix, error messages are returned to the user when
> a request is rejected - either in the UI or from the pki CLI.
>
> Trac Ticket 1247 (amongst others)
>
> commit 82d18a99103de1fa749b077cfccec5ff65ceb4a5
> Author: Ade Lee <alee(a)redhat.com>
> Date: Wed May 4 18:25:51 2016 -0400
>
> Add realm to requests coming in from CA
>
> Requests to the KRA through the CA-KRA connector use the Enrollment
> Service. This has been modified to read and store any realm passed in.
> The realm can be added to the request by having the admin add
> an AuthzRealmDefault and AuthzRealmConstraint in a profile.
>
> At this point, all the constraint does is verify that the realm is
> one of a specified list of realms. More verification will be added
> in a subsequent patch.
>
> No attempt is made yet to allow users to specify the realm. This
> would need to be added as a ProfileInput.
>
> Part of Ticket 2041
ACK. Just some comments:
1. In AuthzRealmDefault.populate() we should wrap and rethrow the
exception instead of ignoring it.
2. In UserMessages.properties let's use "Authorization" instead of
"Authz" to be more user-friendly. Or just "Realm" instead of "Authz
realm".
3. In HttpPKIMessage.fromRequest() we probably want to copy the realm
without any condition (e.g. to copy the null value).
    reqRealm = r.getRealm();
4. In CertRequestInfoFactory.create() this if condition is redundant:
    if (error != null) {
        info.setErrorMessage(error);
    }