From 9c8a4d2543e215f388e95e30f727a35eb9a7f778 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 5 Jun 2017 21:50:00 +0200
Subject: [PATCH 1/4] Fixed access banner normalization.
The PKIService has been modified to trim whitespaces in access
banner before returning the value to the client. The clients
have been modified to no longer trim the banner.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
(cherry picked from commit 5e0dcb69a734c9f52cca673a7a5189d31fb15774)
---
base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 2 +-
base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +-
base/server/share/webapps/pki/js/pki-banner.js | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
92a605 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
92a605 |
index 51861b5..8f91f32 100644
|
|
|
92a605 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
92a605 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
92a605 |
@@ -571,7 +571,7 @@ public class MainCLI extends CLI {
|
|
|
92a605 |
|
|
|
92a605 |
if (banner != null) {
|
|
|
92a605 |
|
|
|
92a605 |
- System.out.println(banner.trim());
|
|
|
92a605 |
+ System.out.println(banner);
|
|
|
92a605 |
System.out.println();
|
|
|
92a605 |
System.out.print("Do you want to proceed (y/N)? ");
|
|
|
92a605 |
System.out.flush();
|
|
|
92a605 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
index e023aa6..3273477 100644
|
|
|
92a605 |
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
@@ -98,7 +98,7 @@ public class PKIService {
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
public static String getBanner() throws IOException {
|
|
|
92a605 |
- return new String(Files.readAllBytes(bannerFile));
|
|
|
92a605 |
+ return new String(Files.readAllBytes(bannerFile)).trim();
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
public static MediaType resolveFormat(MediaType format) {
|
|
|
92a605 |
diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
index e88220e..ff64092 100644
|
|
|
92a605 |
--- a/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
+++ b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
@@ -37,7 +37,7 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) {
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
// display the banner and ask for confirmation
|
|
|
92a605 |
- var message = $.trim(data.Banner) + "\n\nDo you want to proceed?";
|
|
|
92a605 |
+ var message = banner + "\n\nDo you want to proceed?";
|
|
|
92a605 |
|
|
|
92a605 |
// if banner accepted
|
|
|
92a605 |
if (confirm(message)) {
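Review bot: The new `var message = banner + ...` line reads a variable `banner` that nothing in this hunk declares; the removed line read `data.Banner`, and the only declaration of `banner` on this page arrives in patch 2/4. Unless `banner` is assigned above the hunk (the enclosing block starts outside it), applying this patch on its own leaves the script throwing a ReferenceError before `confirm()` runs, so the access banner would never be displayed. To keep each patch in the series working on its own, the line should stay on the response field: `var message = data.Banner + "\n\nDo you want to proceed?";`.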
--
1.8.3.1
From 00b439b9056baef2b40a16cba2b3e46d1365ce62 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 13 Jun 2017 21:09:52 +0200
Subject: [PATCH 2/4] Fixed access banner encoding.
The Info service and client have been modified to transmit access
banner in Base64-encoded form. The PKI UI has been modified to
decode the access banner properly.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50
(cherry picked from commit e5f6ed7be301a3531b871ef3b0ce64bea0fe1973)
---
.../src/org/dogtagpki/common/Base64Adapter.java | 34 ++++++++++++++++++++++
base/common/src/org/dogtagpki/common/Info.java | 2 ++
base/server/share/webapps/pki/js/pki-banner.js | 3 ++
3 files changed, 39 insertions(+)
create mode 100644 base/common/src/org/dogtagpki/common/Base64Adapter.java
|
|
|
92a605 |
diff --git a/base/common/src/org/dogtagpki/common/Base64Adapter.java b/base/common/src/org/dogtagpki/common/Base64Adapter.java
|
|
|
92a605 |
new file mode 100644
|
|
|
92a605 |
index 0000000..f777745
|
|
|
92a605 |
--- /dev/null
|
|
|
92a605 |
+++ b/base/common/src/org/dogtagpki/common/Base64Adapter.java
|
|
|
92a605 |
@@ -0,0 +1,34 @@
|
|
|
92a605 |
+// --- BEGIN COPYRIGHT BLOCK ---
|
|
|
92a605 |
+// This program is free software; you can redistribute it and/or modify
|
|
|
92a605 |
+// it under the terms of the GNU General Public License as published by
|
|
|
92a605 |
+// the Free Software Foundation; version 2 of the License.
|
|
|
92a605 |
+//
|
|
|
92a605 |
+// This program is distributed in the hope that it will be useful,
|
|
|
92a605 |
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
92a605 |
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
92a605 |
+// GNU General Public License for more details.
|
|
|
92a605 |
+//
|
|
|
92a605 |
+// You should have received a copy of the GNU General Public License along
|
|
|
92a605 |
+// with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
92a605 |
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
92a605 |
+//
|
|
|
92a605 |
+// (C) 2017 Red Hat, Inc.
|
|
|
92a605 |
+// All rights reserved.
|
|
|
92a605 |
+// --- END COPYRIGHT BLOCK ---
|
|
|
92a605 |
+
|
|
|
92a605 |
+package org.dogtagpki.common;
|
|
|
92a605 |
+
|
|
|
92a605 |
+import javax.xml.bind.annotation.adapters.XmlAdapter;
|
|
|
92a605 |
+
|
|
|
92a605 |
+public class Base64Adapter extends XmlAdapter<byte[], String> {
|
|
|
92a605 |
+
|
|
|
92a605 |
+ @Override
|
|
|
92a605 |
+ public String unmarshal(byte[] bytes) throws Exception {
|
|
|
92a605 |
+ return new String(bytes);
|
|
|
92a605 |
+ }
|
|
|
92a605 |
+
|
|
|
92a605 |
+ @Override
|
|
|
92a605 |
+ public byte[] marshal(String string) throws Exception {
|
|
|
92a605 |
+ return string.getBytes();
|
|
|
92a605 |
+ }
|
|
|
92a605 |
+}
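Review bot: Both adapter methods convert with the platform default charset (`new String(bytes)` and `string.getBytes()`), while the browser code added in this same patch decodes the payload as UTF-8, so a server or CLI running under a non-UTF-8 locale would corrupt any non-ASCII banner. Pass the charset explicitly: `return new String(bytes, StandardCharsets.UTF_8);` and `return string.getBytes(StandardCharsets.UTF_8);`, with `import java.nio.charset.StandardCharsets;`. Neither method guards against a null argument, which presumably occurs when an Info object carries no banner; returning `null` for `null` would avoid a NullPointerException there. A one-line class Javadoc stating that the adapter carries the string as a `byte[]` element, which JAXB writes as Base64, would also make the wire format explicit.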
|
|
|
92a605 |
diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
index 0a216f4..7ea3fd7 100644
|
|
|
92a605 |
--- a/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
+++ b/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
@@ -26,6 +26,7 @@ import javax.xml.bind.Marshaller;
|
|
|
92a605 |
import javax.xml.bind.Unmarshaller;
|
|
|
92a605 |
import javax.xml.bind.annotation.XmlElement;
|
|
|
92a605 |
import javax.xml.bind.annotation.XmlRootElement;
|
|
|
92a605 |
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
|
|
|
92a605 |
|
|
|
92a605 |
import org.slf4j.Logger;
|
|
|
92a605 |
import org.slf4j.LoggerFactory;
|
|
|
92a605 |
@@ -66,6 +67,7 @@ public class Info extends ResourceMessage {
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
@XmlElement(name="Banner")
|
|
|
92a605 |
+ @XmlJavaTypeAdapter(Base64Adapter.class)
|
|
|
92a605 |
public String getBanner() {
|
|
|
92a605 |
return banner;
|
|
|
92a605 |
}
|
|
|
92a605 |
diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
index ff64092..05b5f01 100644
|
|
|
92a605 |
--- a/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
+++ b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
@@ -36,6 +36,9 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) {
|
|
|
92a605 |
return;
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
+ // decode Base64-encoded UTF-8 banner
|
|
|
92a605 |
+ var banner = decodeURIComponent(escape(atob(data.Banner)));
|
|
|
92a605 |
+
|
|
|
92a605 |
// display the banner and ask for confirmation
|
|
|
92a605 |
var message = banner + "\n\nDo you want to proceed?";
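Review bot: The added decode line has no error handling: `atob()` throws on input that is not valid Base64 (for example a response from a server that still sends the banner as plain text) and `decodeURIComponent()` throws a URIError on bytes that are not valid UTF-8. Whether an exception here blocks the user or lets the page continue without the banner ever being shown depends on code outside the hunk, so the decode is worth wrapping in `try { ... } catch (e) { ... }` and a failure treated the same as a rejected banner. `escape()` is also deprecated; a short comment explaining the `decodeURIComponent(escape(...))` idiom would help the next reader.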
|
|
|
92a605 |
--
1.8.3.1
From b5085492242307d669fb331dead66f331a07c09e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 14 Jun 2017 03:40:43 +0200
Subject: [PATCH 3/4] Fixed access banner encoding (part 2).
The code that reads the access banner from file has been modified
to explicitly use UTF-8 encoding.
The Info class and the PKI UI have been modified not to encode the
access banner in Base64 since it is not necessary.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
(cherry picked from commit 4a8e1703603ab348b24d4f010e3587c340e1a032)
---
base/common/src/org/dogtagpki/common/Info.java | 2 --
base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java | 2 +-
base/server/share/webapps/pki/js/pki-banner.js | 5 +----
3 files changed, 2 insertions(+), 7 deletions(-)
|
|
|
92a605 |
diff --git a/base/common/src/org/dogtagpki/common/Info.java b/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
index 7ea3fd7..0a216f4 100644
|
|
|
92a605 |
--- a/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
+++ b/base/common/src/org/dogtagpki/common/Info.java
|
|
|
92a605 |
@@ -26,7 +26,6 @@ import javax.xml.bind.Marshaller;
|
|
|
92a605 |
import javax.xml.bind.Unmarshaller;
|
|
|
92a605 |
import javax.xml.bind.annotation.XmlElement;
|
|
|
92a605 |
import javax.xml.bind.annotation.XmlRootElement;
|
|
|
92a605 |
-import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
|
|
|
92a605 |
|
|
|
92a605 |
import org.slf4j.Logger;
|
|
|
92a605 |
import org.slf4j.LoggerFactory;
|
|
|
92a605 |
@@ -67,7 +66,6 @@ public class Info extends ResourceMessage {
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
@XmlElement(name="Banner")
|
|
|
92a605 |
- @XmlJavaTypeAdapter(Base64Adapter.class)
|
|
|
92a605 |
public String getBanner() {
|
|
|
92a605 |
return banner;
|
|
|
92a605 |
}
|
|
|
92a605 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
index 3273477..7a4727b 100644
|
|
|
92a605 |
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
|
|
|
92a605 |
@@ -98,7 +98,7 @@ public class PKIService {
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
public static String getBanner() throws IOException {
|
|
|
92a605 |
- return new String(Files.readAllBytes(bannerFile)).trim();
|
|
|
92a605 |
+ return new String(Files.readAllBytes(bannerFile), "UTF-8").trim();
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
public static MediaType resolveFormat(MediaType format) {
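Review bot: `new String(bytes, "UTF-8")` in `getBanner()` looks the charset up by name and silently replaces malformed byte sequences with U+FFFD, so a banner file that is not valid UTF-8 is served with replacement characters rather than rejected. Using the constant avoids the name lookup and the checked UnsupportedEncodingException: `return new String(Files.readAllBytes(bannerFile), StandardCharsets.UTF_8).trim();` (needs `import java.nio.charset.StandardCharsets;`). If malformed input should fail instead, a `CharsetDecoder` configured with `CodingErrorAction.REPORT` is the strict alternative. Note also that `trim()` strips only characters up to U+0020, so Unicode whitespace such as U+00A0 at the ends of the banner is kept.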
|
|
|
92a605 |
diff --git a/base/server/share/webapps/pki/js/pki-banner.js b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
index 05b5f01..2bb2792 100644
|
|
|
92a605 |
--- a/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
+++ b/base/server/share/webapps/pki/js/pki-banner.js
|
|
|
92a605 |
@@ -36,11 +36,8 @@ if (location.protocol == "https:" && !sessionStorage.bannerLock) {
|
|
|
92a605 |
return;
|
|
|
92a605 |
}
|
|
|
92a605 |
|
|
|
92a605 |
- // decode Base64-encoded UTF-8 banner
|
|
|
92a605 |
- var banner = decodeURIComponent(escape(atob(data.Banner)));
|
|
|
92a605 |
-
|
|
|
92a605 |
// display the banner and ask for confirmation
|
|
|
92a605 |
- var message = banner + "\n\nDo you want to proceed?";
|
|
|
92a605 |
+ var message = data.Banner + "\n\nDo you want to proceed?";
|
|
|
92a605 |
|
|
|
92a605 |
// if banner accepted
|
|
|
92a605 |
if (confirm(message)) {
--
1.8.3.1
From 6449371ab6cb95a10ce0ad37d4a303709e356973 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 14 Jun 2017 23:08:29 +0200
Subject: [PATCH 4/4] Added banner validation during server startup.
Some pki-server CLIs have been added to inspect and validate the
content of the banner file.
The PKI server startup script has been modified to validate the
content of the banner file using the new CLI.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4
(cherry picked from commit d2e247798a36225880ef6050716cc7576fe2ad7f)
---
base/server/python/pki/server/__init__.py | 8 ++
base/server/python/pki/server/cli/banner.py | 186 ++++++++++++++++++++++++++++
base/server/sbin/pki-server | 2 +
base/server/scripts/operations | 6 +
4 files changed, 202 insertions(+)
create mode 100644 base/server/python/pki/server/cli/banner.py
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
|
|
|
92a605 |
index 46c6711..0852b12 100644
|
|
|
92a605 |
--- a/base/server/python/pki/server/__init__.py
|
|
|
92a605 |
+++ b/base/server/python/pki/server/__init__.py
|
|
|
92a605 |
@@ -19,6 +19,7 @@
|
|
|
92a605 |
#
|
|
|
92a605 |
|
|
|
92a605 |
from __future__ import absolute_import
|
|
|
92a605 |
+import codecs
|
|
|
92a605 |
from lxml import etree
|
|
|
92a605 |
import functools
|
|
|
92a605 |
import getpass
|
|
|
92a605 |
@@ -501,6 +502,7 @@ class PKIInstance(object):
|
|
|
92a605 |
self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)
|
|
|
92a605 |
self.log_dir = os.path.join(LOG_BASE_DIR, name)
|
|
|
92a605 |
|
|
|
92a605 |
+ self.banner_file = os.path.join(self.conf_dir, 'banner.txt')
|
|
|
92a605 |
self.password_conf = os.path.join(self.conf_dir, 'password.conf')
|
|
|
92a605 |
self.external_certs_conf = os.path.join(
|
|
|
92a605 |
self.conf_dir, 'external_certs.conf')
|
|
|
92a605 |
@@ -792,6 +794,12 @@ class PKIInstance(object):
|
|
|
92a605 |
self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml')
|
|
|
92a605 |
os.remove(context_xml)
|
|
|
92a605 |
|
|
|
92a605 |
+ def banner_installed(self):
|
|
|
92a605 |
+ return os.path.exists(self.banner_file)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def get_banner(self):
|
|
|
92a605 |
+ return codecs.open(self.banner_file, "UTF-8").read().strip()
|
|
|
92a605 |
+
|
|
|
92a605 |
def __repr__(self):
|
|
|
92a605 |
if self.type == 9:
|
|
|
92a605 |
return "Dogtag 9 " + self.name
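Review bot: In `get_banner()` the string "UTF-8" is passed as the second positional argument of `codecs.open()`, which is `mode`, not `encoding` (the signature is `codecs.open(filename, mode='r', encoding=None, ...)`). No decoding is requested, so on Python 3 the call fails with an invalid-mode ValueError, and on Python 2 it appears to be accepted as a universal-newline mode and returns undecoded bytes; either way the UTF-8 handling the commit intends is not applied. The file object is also never closed. Suggested: `with codecs.open(self.banner_file, encoding='UTF-8') as f:` followed by `return f.read().strip()`. The same call shape appears in the `--file` branch of `BannerValidateCLI.execute()` in banner.py.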
|
|
|
92a605 |
diff --git a/base/server/python/pki/server/cli/banner.py b/base/server/python/pki/server/cli/banner.py
|
|
|
92a605 |
new file mode 100644
|
|
|
92a605 |
index 0000000..98f8f16
|
|
|
92a605 |
--- /dev/null
|
|
|
92a605 |
+++ b/base/server/python/pki/server/cli/banner.py
|
|
|
92a605 |
@@ -0,0 +1,186 @@
|
|
|
92a605 |
+# Authors:
|
|
|
92a605 |
+# Endi S. Dewata <edewata@redhat.com>
|
|
|
92a605 |
+#
|
|
|
92a605 |
+# This program is free software; you can redistribute it and/or modify
|
|
|
92a605 |
+# it under the terms of the GNU General Public License as published by
|
|
|
92a605 |
+# the Free Software Foundation; version 2 of the License.
|
|
|
92a605 |
+#
|
|
|
92a605 |
+# This program is distributed in the hope that it will be useful,
|
|
|
92a605 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
92a605 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
92a605 |
+# GNU General Public License for more details.
|
|
|
92a605 |
+#
|
|
|
92a605 |
+# You should have received a copy of the GNU General Public License along
|
|
|
92a605 |
+# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
92a605 |
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
92a605 |
+#
|
|
|
92a605 |
+# Copyright (C) 2017 Red Hat, Inc.
|
|
|
92a605 |
+# All rights reserved.
|
|
|
92a605 |
+#
|
|
|
92a605 |
+
|
|
|
92a605 |
+from __future__ import absolute_import
|
|
|
92a605 |
+from __future__ import print_function
|
|
|
92a605 |
+import codecs
|
|
|
92a605 |
+import getopt
|
|
|
92a605 |
+from lxml import etree
|
|
|
92a605 |
+import sys
|
|
|
92a605 |
+import traceback
|
|
|
92a605 |
+
|
|
|
92a605 |
+import pki.cli
|
|
|
92a605 |
+
|
|
|
92a605 |
+
|
|
|
92a605 |
+class BannerCLI(pki.cli.CLI):
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def __init__(self):
|
|
|
92a605 |
+ super(BannerCLI, self).__init__('banner',
|
|
|
92a605 |
+ 'Banner management commands')
|
|
|
92a605 |
+
|
|
|
92a605 |
+ self.add_module(BannerShowCLI())
|
|
|
92a605 |
+ self.add_module(BannerValidateCLI())
|
|
|
92a605 |
+
|
|
|
92a605 |
+
|
|
|
92a605 |
+class BannerShowCLI(pki.cli.CLI):
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def __init__(self):
|
|
|
92a605 |
+ super(BannerShowCLI, self).__init__('show', 'Show banner')
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def usage(self):
|
|
|
92a605 |
+ print('Usage: pki-server banner-show [OPTIONS]')
|
|
|
92a605 |
+ print()
|
|
|
92a605 |
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
|
|
|
92a605 |
+ print(' -v, --verbose Run in verbose mode.')
|
|
|
92a605 |
+ print(' --help Show help message.')
|
|
|
92a605 |
+ print()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def execute(self, argv):
|
|
|
92a605 |
+
|
|
|
92a605 |
+ try:
|
|
|
92a605 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
92a605 |
+ 'instance=',
|
|
|
92a605 |
+ 'verbose', 'help'])
|
|
|
92a605 |
+
|
|
|
92a605 |
+ except getopt.GetoptError as e:
|
|
|
92a605 |
+ print('ERROR: ' + str(e))
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ instance_name = 'pki-tomcat'
|
|
|
92a605 |
+
|
|
|
92a605 |
+ for o, a in opts:
|
|
|
92a605 |
+ if o in ('-i', '--instance'):
|
|
|
92a605 |
+ instance_name = a
|
|
|
92a605 |
+
|
|
|
92a605 |
+ elif o in ('-v', '--verbose'):
|
|
|
92a605 |
+ self.set_verbose(True)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ elif o == '--help':
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ else:
|
|
|
92a605 |
+ print('ERROR: unknown option ' + o)
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ instance = pki.server.PKIInstance(instance_name)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not instance.is_valid():
|
|
|
92a605 |
+ print('ERROR: Invalid instance %s.' % instance_name)
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ instance.load()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not instance.banner_installed():
|
|
|
92a605 |
+ print('ERROR: Banner is not installed')
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ print(instance.get_banner())
|
|
|
92a605 |
+
|
|
|
92a605 |
+
|
|
|
92a605 |
+class BannerValidateCLI(pki.cli.CLI):
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def __init__(self):
|
|
|
92a605 |
+ super(BannerValidateCLI, self).__init__('validate', 'Validate banner')
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def usage(self):
|
|
|
92a605 |
+ print('Usage: pki-server banner-validate [OPTIONS]')
|
|
|
92a605 |
+ print()
|
|
|
92a605 |
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
|
|
|
92a605 |
+ print(' --file <path> Validate specified banner file.')
|
|
|
92a605 |
+ print(' -v, --verbose Run in verbose mode.')
|
|
|
92a605 |
+ print(' --help Show help message.')
|
|
|
92a605 |
+ print()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ def execute(self, argv):
|
|
|
92a605 |
+
|
|
|
92a605 |
+ try:
|
|
|
92a605 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
92a605 |
+ 'instance=', 'file=',
|
|
|
92a605 |
+ 'verbose', 'help'])
|
|
|
92a605 |
+
|
|
|
92a605 |
+ except getopt.GetoptError as e:
|
|
|
92a605 |
+ print('ERROR: ' + str(e))
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ instance_name = 'pki-tomcat'
|
|
|
92a605 |
+ banner_file = None
|
|
|
92a605 |
+
|
|
|
92a605 |
+ for o, a in opts:
|
|
|
92a605 |
+ if o in ('-i', '--instance'):
|
|
|
92a605 |
+ instance_name = a
|
|
|
92a605 |
+
|
|
|
92a605 |
+ elif o == '--file':
|
|
|
92a605 |
+ banner_file = a
|
|
|
92a605 |
+
|
|
|
92a605 |
+ elif o in ('-v', '--verbose'):
|
|
|
92a605 |
+ self.set_verbose(True)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ elif o == '--help':
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ else:
|
|
|
92a605 |
+ print('ERROR: unknown option ' + o)
|
|
|
92a605 |
+ self.usage()
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if banner_file:
|
|
|
92a605 |
+
|
|
|
92a605 |
+ # load banner from file
|
|
|
92a605 |
+ banner = codecs.open(banner_file, "UTF-8").read().strip()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ else:
|
|
|
92a605 |
+
|
|
|
92a605 |
+ # load banner from instance
|
|
|
92a605 |
+ instance = pki.server.PKIInstance(instance_name)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not instance.is_valid():
|
|
|
92a605 |
+ print('ERROR: Invalid instance %s.' % instance_name)
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ instance.load()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not instance.banner_installed():
|
|
|
92a605 |
+ self.print_message('Banner is not installed')
|
|
|
92a605 |
+ return
|
|
|
92a605 |
+
|
|
|
92a605 |
+ banner = instance.get_banner()
|
|
|
92a605 |
+
|
|
|
92a605 |
+ if not banner:
|
|
|
92a605 |
+ print('ERROR: Banner is empty')
|
|
|
92a605 |
+ sys.exit(1)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ xml_banner = "<banner>" + banner + "</banner>"
|
|
|
92a605 |
+
|
|
|
92a605 |
+ try:
|
|
|
92a605 |
+ parser = etree.XMLParser()
|
|
|
92a605 |
+ etree.fromstring(xml_banner, parser)
|
|
|
92a605 |
+
|
|
|
92a605 |
+ self.print_message('Banner is valid')
|
|
|
92a605 |
+
|
|
|
92a605 |
+ except etree.XMLSyntaxError as e:
|
|
|
92a605 |
+ if self.verbose:
|
|
|
92a605 |
+ traceback.print_exc()
|
|
|
92a605 |
+ print('ERROR: Banner contains invalid character(s)')
|
|
|
92a605 |
+ sys.exit(1)
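Review bot: The check in `BannerValidateCLI.execute()` parses the raw banner as XML content (`"<banner>" + banner + "</banner>"`), so it tests whether the text is well-formed markup rather than whether it can be carried in an XML element: a banner with a bare `&` or `<` is reported as "invalid character(s)", while one containing well-formed tags passes. If the intent is to catch characters XML cannot represent, escape the text first with `xml.sax.saxutils.escape(banner)` before wrapping it, and build the parser as `etree.XMLParser(resolve_entities=False, no_network=True)` since it is fed file content. The module also calls `pki.server.PKIInstance` while importing only `pki.cli`; it seems to rely on another module having imported `pki.server`, so an explicit `import pki.server` would be safer. The classes and `execute()` methods have no docstrings; one line on each stating the exit behaviour (success when no banner is installed, exit status 1 when it is empty or invalid) would document the contract the startup script depends on.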
|
|
|
92a605 |
diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server
|
|
|
92a605 |
index 6df70dc..ce06e28 100644
|
|
|
92a605 |
--- a/base/server/sbin/pki-server
|
|
|
92a605 |
+++ b/base/server/sbin/pki-server
|
|
|
92a605 |
@@ -32,6 +32,7 @@ import pki.server.cli.kra
|
|
|
92a605 |
import pki.server.cli.ocsp
|
|
|
92a605 |
import pki.server.cli.tks
|
|
|
92a605 |
import pki.server.cli.tps
|
|
|
92a605 |
+import pki.server.cli.banner
|
|
|
92a605 |
import pki.server.cli.db
|
|
|
92a605 |
import pki.server.cli.instance
|
|
|
92a605 |
import pki.server.cli.subsystem
|
|
|
92a605 |
@@ -52,6 +53,7 @@ class PKIServerCLI(pki.cli.CLI):
|
|
|
92a605 |
self.add_module(pki.server.cli.tks.TKSCLI())
|
|
|
92a605 |
self.add_module(pki.server.cli.tps.TPSCLI())
|
|
|
92a605 |
|
|
|
92a605 |
+ self.add_module(pki.server.cli.banner.BannerCLI())
|
|
|
92a605 |
self.add_module(pki.server.cli.db.DBCLI())
|
|
|
92a605 |
self.add_module(pki.server.cli.instance.InstanceCLI())
|
|
|
92a605 |
self.add_module(pki.server.cli.subsystem.SubsystemCLI())
|
|
|
92a605 |
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
|
|
|
92a605 |
index 907dd0e..908c952 100644
|
|
|
92a605 |
--- a/base/server/scripts/operations
|
|
|
92a605 |
+++ b/base/server/scripts/operations
|
|
|
92a605 |
@@ -1297,6 +1297,12 @@ EOF
|
|
|
92a605 |
/var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
|
|
|
92a605 |
/var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
|
|
|
92a605 |
|
|
|
92a605 |
+ pki-server banner-validate -i "$PKI_INSTANCE_NAME"
|
|
|
92a605 |
+ rv=$?
|
|
|
92a605 |
+ if [ $rv -ne 0 ]; then
|
|
|
92a605 |
+ return $rv
|
|
|
92a605 |
+ fi
|
|
|
92a605 |
+
|
|
|
92a605 |
if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then
|
|
|
92a605 |
# enable all subsystems
|
|
|
92a605 |
pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all
--
1.8.3.1