From ca08d7d3a7562588b09b78b7079b2c15e572a484 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 6 Jan 2016 14:50:42 +1100
Subject: [PATCH] Do not decode HTTP reason phrase from Dogtag
The HTTP reason phrase sent by Dogtag is assumed to be encoded in
UTF-8, but the encoding used by Tomcat is dependent on system
locale, causing decode errors in some locales.
The reason phrase is optional and will not be sent in a future
version of Tomcat[1], so do not bother decoding and returning it.
[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
Fixes: https://fedorahosted.org/freeipa/ticket/5578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipapython/dogtag.py | 23 +++++++++++------------
ipaserver/install/certs.py | 7 +++----
ipaserver/plugins/dogtag.py | 44 ++++++++++++++++++++++----------------------
3 files changed, 36 insertions(+), 38 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8996902ba92f0fdd6106e2650c2decde375c593b..652bc3d13f2b47b35f6da30579f2df5f083dbff2 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -230,14 +230,14 @@ def ca_status(ca_host=None, use_proxy=True):
ca_port = 443
else:
ca_port = 8443
- status, reason, headers, body = unauthenticated_https_request(
+ status, headers, body = unauthenticated_https_request(
ca_host, ca_port, '/ca/admin/ca/getStatus')
if status == 503:
# Service temporarily unavailable
- return reason
+ return status
elif status != 200:
raise errors.RemoteRetrieveError(
- reason=_("Retrieving CA status failed: %s") % reason)
+ reason=_("Retrieving CA status failed with status %d") % status)
return _parse_ca_status(body)
@@ -248,8 +248,8 @@ def https_request(host, port, url, secdir, password, nickname,
:param url: The path (not complete URL!) to post to.
:param body: The request body (encodes kw if None)
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform a client authenticated HTTPS request
"""
@@ -277,8 +277,8 @@ def http_request(host, port, url, **kw):
"""
:param url: The path (not complete URL!) to post to.
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform an HTTP request.
"""
@@ -291,8 +291,8 @@ def unauthenticated_https_request(host, port, url, **kw):
"""
:param url: The path (not complete URL!) to post to.
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform an unauthenticated HTTPS request.
"""
@@ -331,15 +331,14 @@ def _httplib_request(
res = conn.getresponse()
http_status = res.status
- http_reason_phrase = unicode(res.reason, 'utf-8')
http_headers = res.msg.dict
http_body = res.read()
conn.close()
except Exception, e:
raise NetworkError(uri=uri, error=str(e))
- root_logger.debug('response status %d %s', http_status, http_reason_phrase)
+ root_logger.debug('response status %d', http_status)
root_logger.debug('response headers %s', http_headers)
root_logger.debug('response body %r', http_body)
- return http_status, http_reason_phrase, http_headers, http_body
+ return http_status, http_headers, http_body
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 564332e6fde0698a23884922c5018fab59da7e4d..f8a9c9ecfd2fa1accb792c4748bc69f30701af6a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -402,12 +402,11 @@ class CertDB(object):
dogtag.configured_constants().EE_SECURE_PORT,
"/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
- http_status, http_reason_phrase, http_headers, http_body = result
+ http_status, http_headers, http_body = result
if http_status != 200:
raise CertificateOperationError(
- error=_('Unable to communicate with CMS (%s)') %
- http_reason_phrase)
+ error=_('Unable to communicate with CMS (status %d)') % http_status)
# The result is an XML blob. Pull the certificate out of that
doc = xml.dom.minidom.parseString(http_body)
@@ -459,7 +458,7 @@ class CertDB(object):
dogtag.configured_constants().EE_SECURE_PORT,
"/ca/ee/ca/profileSubmitSSLClient",
self.secdir, password, "ipaCert", **params)
- http_status, http_reason_phrase, http_headers, http_body = result
+ http_status, http_headers, http_body = result
if http_status != 200:
raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index f5f8eb67067c87f07c06e556fb9fc73792fbbc64..3029a9144d80a9b081853b95259fcd37e35d8c2b 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1350,8 +1350,8 @@ class ra(rabase.rabase):
"""
:param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform an HTTP request.
"""
@@ -1361,8 +1361,8 @@ class ra(rabase.rabase):
"""
:param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform an HTTPS request
"""
@@ -1422,7 +1422,7 @@ class ra(rabase.rabase):
self.debug('%s.check_request_status()', self.fullname)
# Call CMS
- http_status, http_reason_phrase, http_headers, http_body = \
+ http_status, http_headers, http_body = \
self._request('/ca/ee/ca/checkRequest',
self.env.ca_port,
requestId=request_id,
@@ -1431,7 +1431,7 @@ class ra(rabase.rabase):
# Parse and handle errors
if http_status != 200:
self.raise_certificate_operation_error('check_request_status',
- detail=http_reason_phrase)
+ detail=http_status)
parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml)
request_status = parse_result['request_status']
@@ -1507,7 +1507,7 @@ class ra(rabase.rabase):
serial_number = int(serial_number, 0)
# Call CMS
- http_status, http_reason_phrase, http_headers, http_body = \
+ http_status, http_headers, http_body = \
self._sslget('/ca/agent/ca/displayBySerial',
self.env.ca_agent_port,
serialNumber=str(serial_number),
@@ -1517,7 +1517,7 @@ class ra(rabase.rabase):
# Parse and handle errors
if http_status != 200:
self.raise_certificate_operation_error('get_certificate',
- detail=http_reason_phrase)
+ detail=http_status)
parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml)
request_status = parse_result['request_status']
@@ -1575,7 +1575,7 @@ class ra(rabase.rabase):
self.debug('%s.request_certificate()', self.fullname)
# Call CMS
- http_status, http_reason_phrase, http_headers, http_body = \
+ http_status, http_headers, http_body = \
self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
self.env.ca_ee_port,
profileId=profile_id,
@@ -1585,7 +1585,7 @@ class ra(rabase.rabase):
# Parse and handle errors
if http_status != 200:
self.raise_certificate_operation_error('request_certificate',
- detail=http_reason_phrase)
+ detail=http_status)
parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml)
# Note different status return, it's not request_status, it's error_code
@@ -1654,7 +1654,7 @@ class ra(rabase.rabase):
serial_number = int(serial_number, 0)
# Call CMS
- http_status, http_reason_phrase, http_headers, http_body = \
+ http_status, http_headers, http_body = \
self._sslget('/ca/agent/ca/doRevoke',
self.env.ca_agent_port,
op='revoke',
@@ -1666,7 +1666,7 @@ class ra(rabase.rabase):
# Parse and handle errors
if http_status != 200:
self.raise_certificate_operation_error('revoke_certificate',
- detail=http_reason_phrase)
+ detail=http_status)
parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml)
request_status = parse_result['request_status']
@@ -1717,7 +1717,7 @@ class ra(rabase.rabase):
serial_number = int(serial_number, 0)
# Call CMS
- http_status, http_reason_phrase, http_headers, http_body = \
+ http_status, http_headers, http_body = \
self._sslget('/ca/agent/ca/doUnrevoke',
self.env.ca_agent_port,
serialNumber=str(serial_number),
@@ -1726,7 +1726,7 @@ class ra(rabase.rabase):
# Parse and handle errors
if http_status != 200:
self.raise_certificate_operation_error('take_certificate_off_hold',
- detail=http_reason_phrase)
+ detail=http_status)
parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml)
@@ -2027,7 +2027,7 @@ class RestClient(Backend):
"""Log into the REST API"""
if self.cookie is not None:
return
- status, status_text, resp_headers, resp_body = dogtag.https_request(
+ status, resp_headers, resp_body = dogtag.https_request(
self.ca_host, self.override_port or self.env.ca_agent_port,
'/ca/rest/account/login',
self.sec_dir, self.password, self.ipa_certificate_nickname,
@@ -2053,8 +2053,8 @@ class RestClient(Backend):
"""
:param url: The URL to post to.
:param kw: Keyword arguments to encode into POST body.
- :return: (http_status, http_reason_phrase, http_headers, http_body)
- as (integer, unicode, dict, str)
+ :return: (http_status, http_headers, http_body)
+ as (integer, dict, str)
Perform an HTTPS request
"""
@@ -2068,7 +2068,7 @@ class RestClient(Backend):
resource = os.path.join('/ca/rest', self.path, path)
# perform main request
- status, status_text, resp_headers, resp_body = dogtag.https_request(
+ status, resp_headers, resp_body = dogtag.https_request(
self.ca_host, self.override_port or self.env.ca_agent_port,
resource,
self.sec_dir, self.password, self.ipa_certificate_nickname,
@@ -2077,10 +2077,10 @@ class RestClient(Backend):
if status < 200 or status >= 300:
explanation = self._parse_dogtag_error(resp_body) or ''
raise errors.RemoteRetrieveError(
- reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s')
- % {'status': status, 'status_text': status_text, 'explanation': explanation}
+ reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s')
+ % {'status': status, 'explanation': explanation}
)
- return (status, status_text, resp_headers, resp_body)
+ return (status, resp_headers, resp_body)
class ra_certprofile(RestClient):
@@ -2105,7 +2105,7 @@ class ra_certprofile(RestClient):
"""
Read the profile configuration from Dogtag
"""
- status, status_text, resp_headers, resp_body = self._ssldo(
+ status, resp_headers, resp_body = self._ssldo(
'GET', profile_id + '/raw')
return resp_body
--
2.5.0