From 0aedaf10e1e3fe48df5f57ad0f25c80b91c2eb45 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Feb 23 2016 14:45:27 +0000 Subject: Do not decode HTTP reason phrase from Dogtag The HTTP reason phrase sent by Dogtag is assumed to be encoded in UTF-8, but the encoding used by Tomcat is dependent on system locale, causing decode errors in some locales. The reason phrase is optional and will not be sent in a future version of Tomcat[1], so do not bother decoding and returning it. [1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 Fixes: https://fedorahosted.org/freeipa/ticket/5578 Reviewed-By: Jan Cholasta --- diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 8996902..652bc3d 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -230,14 +230,14 @@ def ca_status(ca_host=None, use_proxy=True): ca_port = 443 else: ca_port = 8443 - status, reason, headers, body = unauthenticated_https_request( + status, headers, body = unauthenticated_https_request( ca_host, ca_port, '/ca/admin/ca/getStatus') if status == 503: # Service temporarily unavailable - return reason + return status elif status != 200: raise errors.RemoteRetrieveError( - reason=_("Retrieving CA status failed: %s") % reason) + reason=_("Retrieving CA status failed with status %d") % status) return _parse_ca_status(body) @@ -248,8 +248,8 @@ def https_request(host, port, url, secdir, password, nickname, :param url: The path (not complete URL!) to post to. :param body: The request body (encodes kw if None) :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform a client authenticated HTTPS request """ @@ -277,8 +277,8 @@ def http_request(host, port, url, **kw): """ :param url: The path (not complete URL!) to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTP request. """ @@ -291,8 +291,8 @@ def unauthenticated_https_request(host, port, url, **kw): """ :param url: The path (not complete URL!) to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an unauthenticated HTTPS request. """ @@ -331,15 +331,14 @@ def _httplib_request( res = conn.getresponse() http_status = res.status - http_reason_phrase = unicode(res.reason, 'utf-8') http_headers = res.msg.dict http_body = res.read() conn.close() except Exception, e: raise NetworkError(uri=uri, error=str(e)) - root_logger.debug('response status %d %s', http_status, http_reason_phrase) + root_logger.debug('response status %d', http_status) root_logger.debug('response headers %s', http_headers) root_logger.debug('response body %r', http_body) - return http_status, http_reason_phrase, http_headers, http_body + return http_status, http_headers, http_body diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 564332e..f8a9c9e 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -402,12 +402,11 @@ class CertDB(object): dogtag.configured_constants().EE_SECURE_PORT, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) - http_status, http_reason_phrase, http_headers, http_body = result + http_status, http_headers, http_body = result if http_status != 200: raise CertificateOperationError( - error=_('Unable to communicate with CMS (%s)') % - http_reason_phrase) + error=_('Unable to communicate with CMS (status %d)') % http_status) # The result is an XML blob. Pull the certificate out of that doc = xml.dom.minidom.parseString(http_body) @@ -459,7 +458,7 @@ class CertDB(object): dogtag.configured_constants().EE_SECURE_PORT, "/ca/ee/ca/profileSubmitSSLClient", self.secdir, password, "ipaCert", **params) - http_status, http_reason_phrase, http_headers, http_body = result + http_status, http_headers, http_body = result if http_status != 200: raise RuntimeError("Unable to submit cert request") diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index f5f8eb6..3029a91 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1350,8 +1350,8 @@ class ra(rabase.rabase): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTP request. """ @@ -1361,8 +1361,8 @@ class ra(rabase.rabase): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTPS request """ @@ -1422,7 +1422,7 @@ class ra(rabase.rabase): self.debug('%s.check_request_status()', self.fullname) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._request('/ca/ee/ca/checkRequest', self.env.ca_port, requestId=request_id, @@ -1431,7 +1431,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('check_request_status', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml) request_status = parse_result['request_status'] @@ -1507,7 +1507,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/displayBySerial', self.env.ca_agent_port, serialNumber=str(serial_number), @@ -1517,7 +1517,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('get_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml) request_status = parse_result['request_status'] @@ -1575,7 +1575,7 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', self.fullname) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, profileId=profile_id, @@ -1585,7 +1585,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml) # Note different status return, it's not request_status, it's error_code @@ -1654,7 +1654,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/doRevoke', self.env.ca_agent_port, op='revoke', @@ -1666,7 +1666,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('revoke_certificate', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml) request_status = parse_result['request_status'] @@ -1717,7 +1717,7 @@ class ra(rabase.rabase): serial_number = int(serial_number, 0) # Call CMS - http_status, http_reason_phrase, http_headers, http_body = \ + http_status, http_headers, http_body = \ self._sslget('/ca/agent/ca/doUnrevoke', self.env.ca_agent_port, serialNumber=str(serial_number), @@ -1726,7 +1726,7 @@ class ra(rabase.rabase): # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('take_certificate_off_hold', - detail=http_reason_phrase) + detail=http_status) parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml) @@ -2027,7 +2027,7 @@ class RestClient(Backend): """Log into the REST API""" if self.cookie is not None: return - status, status_text, resp_headers, resp_body = dogtag.https_request( + status, resp_headers, resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, '/ca/rest/account/login', self.sec_dir, self.password, self.ipa_certificate_nickname, @@ -2053,8 +2053,8 @@ class RestClient(Backend): """ :param url: The URL to post to. :param kw: Keyword arguments to encode into POST body. - :return: (http_status, http_reason_phrase, http_headers, http_body) - as (integer, unicode, dict, str) + :return: (http_status, http_headers, http_body) + as (integer, dict, str) Perform an HTTPS request """ @@ -2068,7 +2068,7 @@ class RestClient(Backend): resource = os.path.join('/ca/rest', self.path, path) # perform main request - status, status_text, resp_headers, resp_body = dogtag.https_request( + status, resp_headers, resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, resource, self.sec_dir, self.password, self.ipa_certificate_nickname, @@ -2077,10 +2077,10 @@ class RestClient(Backend): if status < 200 or status >= 300: explanation = self._parse_dogtag_error(resp_body) or '' raise errors.RemoteRetrieveError( - reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') - % {'status': status, 'status_text': status_text, 'explanation': explanation} + reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') + % {'status': status, 'explanation': explanation} ) - return (status, status_text, resp_headers, resp_body) + return (status, resp_headers, resp_body) class ra_certprofile(RestClient): @@ -2105,7 +2105,7 @@ class ra_certprofile(RestClient): """ Read the profile configuration from Dogtag """ - status, status_text, resp_headers, resp_body = self._ssldo( + status, resp_headers, resp_body = self._ssldo( 'GET', profile_id + '/raw') return resp_body