Age | Commit message (Collapse) | Author |
|
After PR #116, it's possible to inject an existing combined_ca_bundle
to the keymanager initialisation. However, it won't work for multiple
users because the file is removed when the keymanager is destroyed.
Considering there's no sensitive data on the file and it's created
as a temp file, we don't need to handle its deletion.
|
|
For the multi-tenancy case, the combined_ca_bundle could be done once
to avoid unnecessary disk IO for each user.
The default case is still valid, and will not cause issues anywhere.
|
|
- refresh random key in random time
- add get key by fingerprint
- refactor nicknym methods to own file
- tests
- note this does not include a check for
revoked keys, since that needs some changes
in gnupg
- Related: #6089
|
|
- Closes: #8165
|
|
- Resolves: #8068
|
|
- Resolves: #8031
|
|
Raise KeyNotFound error, when nicknym throws response 404, as it fails to find a key and add tests.
- Resolves: #7987
|
|
There was a duplicate import for get_versions, that was not at
the top of the file, that caused a pep warning and was fixed
in this commit
|
|
- Resolves: #7974
|
|
During encryption we were updating 'enc_used' in the key without
checking if it was already set.
|
|
- Resolves: #7500
|
|
- Resolves: #7485
|
|
This commit puts those gnupg operations to be run on external threads
limited by the amount of cores present on user machine.
Some gnupg calls spawn processes and communicating to them is a
synchronous operation, so running outside of a reactor should improve
response time by avoiding reactor locking.
|
|
Some methods were missing docstrings and some code was exceeding the 80
column limit. Also some asserts aren't needed anymore.
|
|
This commit adapts code to use HTTPClient instead of requests.
requests library receives a certificate as parameter during requests
while HTTPClient receives a cert only on constructor. In order to have
both types (leap cert and commercial certs) working together we
introduced two clients on constructor.
|
|
Isolate requests lib related code and update docstrings.
|
|
That's a temporary fix for #6506
This commit adapts code to deal with deferreds coming from calling
requests from Twisted. Next step is just to change requests for twisted
http client present in leap.common.
Unfortunately, this last step will be a bit longer and would be better
to have integration tests to ensure current HTTP behaviour.
|
|
The latest refactor missed one line.
|
|
Improve readability of operations on generic keys, by assigning the
class matching the type of key (_wrapper_map[ktype]) at the beginning of
each block.
In the future, we could pass the type of key (only PGP keys being used
at the moment) on initialization of the Keymanager, so we don't have to
pass the ktype on each method call.
|
|
In previous commit 9546348c, the combined bundle ca
was not long enough in scope and was therefore deleted
when it actually was used.
Adopted test to check whether file is deleted.
|
|
During decryption the signing public key was getting repushed with a
different address as part of the verify usage flagging.
- Resolves: https://github.com/pixelated/pixelated-user-agent/issues/466
- Related: #7420
|
|
Fixup for 9546348c36. This problem only occurs in
test setups where '' is passed to ca_cert_path.
|
|
On fetch_key we were not catching the request exceptions, now they are
returned as failure in the deferred as it should.
- Related: #7410
|
|
This is necessary as a fetch by url will talk to remote
sites or, for providers with a commercial cert, with
a cert that had not been signed with the provider CA.
- support lookup of local keys by url for providers
with a commercial cert
- combine ca_bundle with ca_cert_path if specified
- close soledad after each test
|
|
In case of failure of fetch_key it will be useful to have some logging
telling us which key is fetching.
- Related: #7410
|
|
this avoids using a separate thread with tornado ioloop for events
client, since we can use twisted reactor.
- Resolves: #7274
|
|
Fixed pep8 warnings to prepare the keymanager for CI
|
|
latest gnupg version (from pypi) was '2.0.2-py2.7.egg', which is parsed
as a LegacyVersion and therefore breaks the numeric comparison. this is
a workaround to allow the sanity check to continue, by comparing just
the numeric part of the version string.
|
|
* Resolves: #7188
|
|
- Related: #6359
|
|
Nicknym server is authoritative for its own domain, but for others it might
retrieve keys from key servers. On keys from the same domain we set the
validation level to 'Provider Trust'. For other domains in the email
address we set it to 'Weak Chain' as we don't have info about its source.
Resolves: #6815
Related: #6718
Releases: 0.4.0
|
|
Don't throw an exception if verification fails
|