On 5/9/2016 2:18 PM, Ade Lee wrote:
Patch descriptions .. in reverse order.
Note that the CA setup for authz is further documented at
pki.fedoraproject.org/wiki/Kra_authz_realm , where I have added a
section on 'CA Configuration'.
Thanks,
Ade
****************************************************************
commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7
Author: Ade Lee <alee(a)redhat.com>
Date: Mon May 9 15:00:20 2016 -0400
Add authz realm check for cert enrollment
Ticket 2041
commit b5232ce101083409ed9a86e9057620cca7288f62
Author: Ade Lee <alee(a)redhat.com>
Date: Sat May 7 00:06:08 2016 -0400
Fix error output when request is rejected
With this fix, error messages are returned to the user when
a request is rejected - either in the UI or from the pki CLI.
Trac Ticket 1247 (amongst others)
commit 82d18a99103de1fa749b077cfccec5ff65ceb4a5
Author: Ade Lee <alee(a)redhat.com>
Date: Wed May 4 18:25:51 2016 -0400
Add realm to requests coming in from CA
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
ACK. Just some comments:
1. In AuthzRealmDefault.populate() we should wrap and rethrow the
exception instead of ignoring it.
2. In UserMessages.properties let's use "Authorization" instead of
"Authz" to be more user-friendly. Or just "Realm" instead of
"Authz realm".
3. In HttpPKIMessage.fromRequest() we probably want to copy the realm
without any condition (e.g. to copy the null value).
    reqRealm = r.getRealm();
4. In CertRequestInfoFactory.create() this if condition is redundant:
    if (error != null) {
        info.setErrorMessage(error);
    }
--
Endi S. Dewata