gigi.git
INOPIAE [Wed, 8 Feb 2017 15:18:54 +0000 (16:18 +0100)]
Highlight expired nucleus bonus verifications in points overview

fixes issue #123

Change-Id: I796e0e2f81897c35307fcdc64255127f058696a2

Benny Baumann [Wed, 8 Feb 2017 09:20:17 +0000 (10:20 +0100)]
Merge "Temporarily disable SystemCallFilter"

Felix Dörre [Wed, 8 Feb 2017 08:02:48 +0000 (09:02 +0100)]
fix: empty-variable "version" in development runs.

Change-Id: Ia0cdebab2e2b8f7733c59280086db8a72ab73941

Lucas Werkmeister [Tue, 7 Feb 2017 23:36:51 +0000 (00:36 +0100)]
Temporarily disable SystemCallFilter

systemd applies drop-ins in lexicographical order (to be documented by
systemd/systemd#5262), hence the Z- prefix.

Change-Id: I589b9a4fae5cd5dd107f58f734558bfa31517f4b

Felix Dörre [Tue, 7 Feb 2017 09:17:38 +0000 (10:17 +0100)]
upd: enhance "CSRF-missing" test case exception for better debugging

Change-Id: I3dce9fb7da31987044b23dcf8310af44f64855fb

Felix Dörre [Mon, 6 Feb 2017 22:46:29 +0000 (23:46 +0100)]
upd: move external keywords to own class

Change-Id: Iad887cf134103ed6d26aa32d1358c23de0eeebae

Felix Dörre [Mon, 6 Feb 2017 22:45:13 +0000 (23:45 +0100)]
fix: display verify information only when verification token is known.

Change-Id: I12ea06f13fddc3ad931751e9751f7d87fefd6c60

Felix Dörre [Thu, 19 Jan 2017 11:30:34 +0000 (12:30 +0100)]
fix: make the pinger daemon keep cool when missing database connection

Change-Id: Ic207edc3ab008ac765787146e9752bcd0f867f9b

Lucas Werkmeister [Fri, 27 Jan 2017 11:35:10 +0000 (12:35 +0100)]
fix: add ioctl to SystemCallFilter

Apparently Java needs this to read data from a socket, but only in some
circumstances (Felix says only HTTP domain check was broken, HTTPS check
worked fine).

Change-Id: Ia1b54ef364b282631b44a8313570dafae6b8c5d4

Lucas Werkmeister [Wed, 18 Jan 2017 13:06:39 +0000 (14:06 +0100)]
upd: add more sandboxing directives to gigi-proxy.service

Most notably, the set of permitted syscalls excludes fork and many file
system commands like unlink or rmdir.

Change-Id: I87827f6ed0025570288611cf257c6e3a01769593

Felix Dörre [Tue, 10 Jan 2017 21:44:36 +0000 (22:44 +0100)]
add: fix own host name on certificate issue page

Change-Id: I7fa0e2df8afbe78017067ef8e80c9ecf3a07ca68

Felix Dörre [Tue, 3 Jan 2017 10:35:19 +0000 (11:35 +0100)]
add: detect a quiz-admin directly in gigi

Change-Id: I21854cbafae2a676db624b46975624f31a49d549

Felix Dörre [Fri, 30 Dec 2016 12:01:43 +0000 (13:01 +0100)]
fix: restrict access to CATS-API even more

Change-Id: Idb32bf7e12e0f2704541108afb9a5fcc3e0762a7

Felix Dörre [Fri, 23 Dec 2016 10:45:21 +0000 (11:45 +0100)]
fix: greatly improve performance of often-executed ping-fetch-query

Change-Id: Ic574b193f65f1fd362bf7451fe343e0caa788910

Felix Dörre [Fri, 30 Dec 2016 10:13:37 +0000 (11:13 +0100)]
add: yet another nucleus test

Change-Id: I83cb4a944f8d9e26447535b0672f87a4344458e5

Felix Dörre [Fri, 30 Dec 2016 09:44:06 +0000 (10:44 +0100)]
fix: counting of nucleus verifications

Change-Id: I4a76e579049d822d3280ffc4570f5f2248cac9a4

Felix Dörre [Thu, 29 Dec 2016 16:50:51 +0000 (17:50 +0100)]
fix: send password reset emails to the correct user

Change-Id: I6e88d9fd742255a30a9572f446a3d2b35fb0fcf0

Felix Dörre [Fri, 23 Dec 2016 10:46:53 +0000 (11:46 +0100)]
add: Implement use of Cisco Umbrella 1 Million domain list

as source for high-financial-value-domains
Information about the list is available here:
http://s3-us-west-1.amazonaws.com/umbrella-static/index.html

Blogpost about it:
https://blog.opendns.com/2016/12/14/cisco-umbrella-1-million/

Change-Id: I5d8183f5dd09e3b033301cec59b3fa1e820f236c

Felix Dörre [Thu, 15 Dec 2016 09:20:39 +0000 (10:20 +0100)]
fix: Exception when using TestManager functionality

a constant date gets older than two years at some point in time

Change-Id: I804b06258d27f535a7e9af2dd75223f099170fd0

Felix Dörre [Thu, 8 Dec 2016 15:53:28 +0000 (16:53 +0100)]
fix: generate correct urls to static resources

Change-Id: Ibd337a102b6362fa601fc38aed68031677d3ad5d

Felix Dörre [Sun, 27 Nov 2016 15:10:34 +0000 (16:10 +0100)]
upd: enforce serverAuth EKU for SSL-pings

Change-Id: Ia98447b476eb1e6b60c7471208c7cf965e482aea

Felix Dörre [Sun, 27 Nov 2016 15:14:38 +0000 (16:14 +0100)]
upd: in SSLPinger move serverAuth EKU OID to a constant

Change-Id: Ic4714e6af8a00cc58e69de2def7e9dc1bbbaff05

Felix Dörre [Sun, 27 Nov 2016 00:06:41 +0000 (01:06 +0100)]
fix: allow SSLPinger to process certs without EKU

Change-Id: Ic4c8de9e4cf5ce617dcd5613296c473678596392

Felix Dörre [Tue, 22 Nov 2016 08:30:21 +0000 (09:30 +0100)]
fix: send unsigned mail correctly

Change-Id: I12c008ceab2e0bb7b97eb329141ef2ec82dc71f4

Felix Dörre [Mon, 31 Oct 2016 09:52:52 +0000 (10:52 +0100)]
upd: use try-with-resources to protect JDBC-Statement

Change-Id: I5084448dc134d47da6aaa0dd6ed53b4aacb1c994

Felix Dörre [Tue, 25 Oct 2016 10:26:12 +0000 (12:26 +0200)]
fix: correct SQL query for issuing repings.

Change-Id: Ibabc4851514b1ebe353c6feb1e369353728f6bae

Felix Dörre [Thu, 10 Nov 2016 11:36:36 +0000 (12:36 +0100)]
upd: use "PartOf" relation in gigi-proxy.service

This enables puppet to simply manage gigi-proxy.socket
by ensuring that a restart of gigi-proxy.socket will
also restart gigi-proxy.service.

Change-Id: I96a51f38cfb4c0f5d6b5efd7a8425d90a17534b6

Felix Dörre [Thu, 10 Nov 2016 17:59:15 +0000 (18:59 +0100)]
fix: fixed date in testcases

Change-Id: I29fbf97a27309a54ed4d36463799b92ccf8a6edd

Lucas Werkmeister [Sun, 16 Oct 2016 16:22:30 +0000 (18:22 +0200)]
Merge "fix: resource leak in template fast-debug code"

Benny Baumann [Sun, 16 Oct 2016 16:22:28 +0000 (18:22 +0200)]
Merge "add: email-management-api"

Lucas Werkmeister [Sun, 16 Oct 2016 16:20:53 +0000 (18:20 +0200)]
Merge "upd: more realistic content-type for cert-downloads from API"

Felix Dörre [Fri, 7 Oct 2016 22:19:04 +0000 (00:19 +0200)]
fix: resource leak in template fast-debug code

Change-Id: I570f997bb3e61d916ccc2dfd0ad23c8225ee9020

Felix Dörre [Mon, 3 Oct 2016 12:03:38 +0000 (14:03 +0200)]
add: email-management-api

Change-Id: I4f7ca7b68e9222520738fb329ba390b07fd74b10

Felix Dörre [Mon, 3 Oct 2016 12:03:27 +0000 (14:03 +0200)]
upd: more realistic content-type for cert-downloads from API

Change-Id: I4ad6ee5c27d680cbf4750fe9d8c3a754c9a58590

Benny Baumann [Sun, 9 Oct 2016 16:20:16 +0000 (18:20 +0200)]
Merge "upd: improve digest explanation and make SHA512 default"

Lucas Werkmeister [Mon, 3 Oct 2016 16:15:22 +0000 (18:15 +0200)]
upd: improve digest explanation and make SHA512 default

See #119.

Change-Id: Ia481947c3dff9b6a9770462185c5a12f0f1d996b

Felix Dörre [Mon, 3 Oct 2016 12:02:01 +0000 (14:02 +0200)]
upd: use same-protocol-prefixes for static-links

Change-Id: I0e556b4dde914e0c8eeaccb9c6e5c703225a46ff

Felix Dörre [Thu, 29 Sep 2016 21:05:51 +0000 (23:05 +0200)]
upd: change mail footer so it is recognized by at least thunderbird.

note: significant whitespace at the end of line 5. This whitespace is
required for thunderbird to recognize the footer.

Change-Id: I3eff5903146a5b11ef522f0cb4dba1696dca2c9e

Felix Dörre [Tue, 4 Oct 2016 08:07:55 +0000 (10:07 +0200)]
Merge "fix: #112 use term “country”, not “state”"

Lucas Werkmeister [Tue, 27 Sep 2016 10:09:28 +0000 (12:09 +0200)]
fix: #112 use term “country”, not “state”

Continuation of a1618d1.

CertificateOwner.getById() has to be updated because users.country and
organisations.country now clash.

The User constructor is updated for consistency with the Organisation
constructor.

Change-Id: I0aeaf47fa8627ba5c4a5b35f15804e283e4a55b3

Lucas Werkmeister [Mon, 3 Oct 2016 12:35:15 +0000 (14:35 +0200)]
upd: add Also= directive to gigi-proxy.service

When the service is installed/deinstalled, install/deinstall the
accompanying socket as well. (But not the other way around: you can
install the socket alone, so that the service will only be started
on-demand.)

See systemd.unit(5).

Change-Id: I3fd4af0617e1191c96af82ae1c6491feb9dfc654

Felix Dörre [Fri, 23 Sep 2016 16:57:16 +0000 (18:57 +0200)]
upd: make output of Find-Agent-info JSON-formatted

Change-Id: I773aaff596314e83b63e8555ff8e85fce1c2cf55

Felix Dörre [Tue, 27 Sep 2016 23:21:32 +0000 (01:21 +0200)]
Merge branch 'libs/json/local'

Change-Id: Ie68cd2871a8abba4386d089f25da628ba69335cc

Felix Dörre [Tue, 27 Sep 2016 23:15:10 +0000 (01:15 +0200)]
upd: remove json-pointer feature

Change-Id: I7c19cbfbf4de25ca7545ae93f574d597b7d723dd

Felix Dörre [Tue, 27 Sep 2016 14:12:24 +0000 (16:12 +0200)]
add: import org.json

Change-Id: Ia39786f4396e70551aac44ce99ebc664366b4b0a

Felix Dörre [Tue, 27 Sep 2016 14:08:26 +0000 (16:08 +0200)]
add: import script for json.org

Change-Id: I2d67e7ce167e2ddc5a4a5d439835a0bc33861a30

Benny Baumann [Tue, 27 Sep 2016 18:21:21 +0000 (20:21 +0200)]
Merge "Fix error message"

Lucas Werkmeister [Tue, 27 Sep 2016 14:27:53 +0000 (16:27 +0200)]
Fix error message

Change-Id: Ice3d62d7f75165df86c6dce60dbc6d3e9c769918

Felix Dörre [Thu, 22 Sep 2016 21:49:48 +0000 (23:49 +0200)]
upd: make verification processes more consistent on failure

Change-Id: I0a1dfd77fea5f9b365cc166196d0068607cc2b5d

Felix Dörre [Thu, 22 Sep 2016 21:47:58 +0000 (23:47 +0200)]
fix: content of mail footer

Change-Id: I866901be3862c3646ff7911ee698c1ad23f934a6

Felix Dörre [Wed, 21 Sep 2016 11:22:21 +0000 (13:22 +0200)]
fix: S/MIME signature

See https://tools.ietf.org/html/rfc5751#section-3.1.1 for reference.

Change-Id: I9fcd558182395ec83cadb42c0d2bc5c785d49864

Benny Baumann [Tue, 20 Sep 2016 19:23:41 +0000 (21:23 +0200)]
Merge "add: support configuring SetUID behavior"

Lucas Werkmeister [Wed, 7 Sep 2016 13:03:47 +0000 (15:03 +0200)]
add: support configuring SetUID behavior

- It is now possible to skip the setuid step altogether by setting both
  UID and GID to the special value -1.
- The Java code now verifies that the values are in range for an
  unsigned 16-bit ID.
- The C code now verifies that the cast from jint to uid_t/gid_t does
  not overflow.
- The C code now skips setuid() or setgid() if the real and effective ID
  are already the desired ID.

The 16-bit limit is somewhat arbitrary. Some old UNIX systems, such as
PWB/UNIX, supported only 8-bit IDs (see for example
/usr/man/man2/getuid.2 in Henry Spencer’s tarball); Wikipedia claims
that some other UNIX systems used 15-bit values, but does not specify
which systems; Linux originally supported 16-bit IDs but then added
support for 32-bit IDs with new syscalls in Linux 2.4. On Debian
systems, the nobody user (default setuid target) is 65534, so we need to
allow at least 16-bit IDs, otherwise the default value is invalid.

Change-Id: I66600572016b18d5ff550560048cdf691dec85e8
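
An added example, not gigi's own native code: one way to implement the checks listed in the commit message above in C. The names `checked_uid`, `checked_gid` and `drop_privileges` are hypothetical, and rejecting a -1 given for only one of the two IDs, as well as changing the group before the user, are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example with hypothetical names; not gigi's native code. */
#define ID_SKIP (-1)   /* special value from the commit message: skip the step */
#define ID_MAX 65535   /* largest unsigned 16-bit ID; Debian's nobody is 65534 */

enum id_status { ID_OK, ID_SKIPPED, ID_OUT_OF_RANGE, ID_CAST_OVERFLOW };

/* Validate a jint-sized (signed 32-bit) value, then convert it to uid_t and
 * confirm the cast round-trips, in case uid_t is narrower than expected. */
enum id_status checked_uid(int32_t value, uid_t *out) {
    if (value == ID_SKIP) return ID_SKIPPED;
    if (value < 0 || value > ID_MAX) return ID_OUT_OF_RANGE;
    uid_t converted = (uid_t)value;
    if ((int64_t)converted != (int64_t)value) return ID_CAST_OVERFLOW;
    *out = converted;
    return ID_OK;
}

/* Same check for gid_t, which need not have the same width as uid_t. */
enum id_status checked_gid(int32_t value, gid_t *out) {
    if (value == ID_SKIP) return ID_SKIPPED;
    if (value < 0 || value > ID_MAX) return ID_OUT_OF_RANGE;
    gid_t converted = (gid_t)value;
    if ((int64_t)converted != (int64_t)value) return ID_CAST_OVERFLOW;
    *out = converted;
    return ID_OK;
}

/* Returns 0 on success (including the deliberate skip), -1 on any failure.
 * Supplementary groups are not covered by the commit message and are not
 * handled here. */
int drop_privileges(int32_t uid_in, int32_t gid_in) {
    uid_t uid = 0;
    gid_t gid = 0;
    enum id_status us = checked_uid(uid_in, &uid);
    enum id_status gs = checked_gid(gid_in, &gid);

    /* Skipping is only accepted when BOTH values are -1. */
    if (us == ID_SKIPPED && gs == ID_SKIPPED) return 0;
    /* Assumption: -1 for only one of the two IDs is treated as an error. */
    if (us != ID_OK || gs != ID_OK) return -1;

    /* Group first: once the user ID is dropped, setgid() would no longer be
     * permitted. Each call is skipped when real and effective ID already
     * match the target, so an unprivileged start does not fail needlessly. */
    if (!(getgid() == gid && getegid() == gid) && setgid(gid) != 0) return -1;
    if (!(getuid() == uid && geteuid() == uid) && setuid(uid) != 0) return -1;

    /* Verify the result instead of trusting the return codes alone. */
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

int main(void) {
    /* -1/-1 leaves the process IDs untouched. */
    printf("skip: %d\n", drop_privileges(ID_SKIP, ID_SKIP));
    /* 70000 does not fit the 16-bit limit and is rejected before any syscall. */
    printf("out of range: %d\n", drop_privileges(70000, 70000));
    return 0;
}
```
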

Felix Dörre [Sat, 17 Sep 2016 20:49:13 +0000 (22:49 +0200)]
add: javadoc to "Certificate"'s constructor

Change-Id: I7f35343fde31b7eb3edf41a133d3600dd56338d9

Felix Dörre [Fri, 16 Sep 2016 12:58:05 +0000 (14:58 +0200)]
upd: factor out default client certificate profile

Change-Id: Ief1459b17cd820d0d635e89230904d2c46cd69b2

Felix Dörre [Fri, 16 Sep 2016 11:05:18 +0000 (13:05 +0200)]
add: constant for "secure." server name

Change-Id: I7cfac77e65cf965d9d7f04622e6c6322880b506e

Felix Dörre [Thu, 15 Sep 2016 18:34:49 +0000 (20:34 +0200)]
add: test redirect after login

Change-Id: I3caf0a1641a1673e13d68a5c8b9ec4885729811b

Felix Dörre [Thu, 15 Sep 2016 18:34:36 +0000 (20:34 +0200)]
fix: redirect-back after login

Change-Id: Ib416aed3f5c64909593172dcaa378fbcbd59c183

Felix Dörre [Thu, 15 Sep 2016 09:36:16 +0000 (11:36 +0200)]
add: testcase for successful certificate login

Change-Id: Ie6efe2d2a5ab6e14ca3eee95db9c5e99e498b2ce

Felix Dörre [Thu, 15 Sep 2016 07:50:53 +0000 (09:50 +0200)]
fix: deadlock possibility in "DatabaseConnection"

Change-Id: I987cd3d9a0940f1fe3cf9289ec7512b785eca5df

Felix Dörre [Thu, 15 Sep 2016 07:50:37 +0000 (09:50 +0200)]
fix: certlogin. There was a "toLower" needed instead of a "toUpper"

Change-Id: Ie233b6e920ec486a7e59d100681e86856bc7485c

INOPIAE [Thu, 15 Sep 2016 05:53:19 +0000 (07:53 +0200)]
fix: broken hyperlink formatting

Change-Id: I8209324d6fc9dbb8d5e1f0098155a3b3f3e60591

Felix Dörre [Wed, 14 Sep 2016 19:45:01 +0000 (21:45 +0200)]
Merge "upd: native Makefile improvements"

Felix Dörre [Wed, 14 Sep 2016 19:44:56 +0000 (21:44 +0200)]
Merge "upd: modified text displayed during certificate creation process"

Felix Dörre [Sat, 10 Sep 2016 14:18:48 +0000 (16:18 +0200)]
add: js-managed default values for certificate-issue-form

Change-Id: I73713d708f5fdbd505f408b6b19a7a0f7fab813b

INOPIAE [Sat, 10 Sep 2016 11:11:15 +0000 (13:11 +0200)]
upd: modified text displayed during certificate creation process

Change-Id: Ic3038b764e213e6d904ff25c115818d9b4496f7a

Felix Dörre [Sun, 11 Sep 2016 18:44:25 +0000 (20:44 +0200)]
fix: translation strings in "VerificationAgentEntered.templ"

no need to start a translation string when there is nothing
to translate

Change-Id: I2922810f617f1d9e3ec451574134dbb947c474a3

Felix Dörre [Sun, 11 Sep 2016 08:46:54 +0000 (10:46 +0200)]
upd: use serials lowercase-only

Change-Id: Ia30c803c25f6b593086df614ce1d711c1be84ebf

Felix Dörre [Sat, 10 Sep 2016 14:22:37 +0000 (16:22 +0200)]
fix: postgres conditional expression in SimpleSigner error query.

Change-Id: Ia55d3c3c5baf251c7f748153dc727a131502fe87

Felix Dörre [Sat, 10 Sep 2016 14:02:10 +0000 (16:02 +0200)]
fix: simple signer correctly parse profile-EKUs

Change-Id: Iec644be800d86fe687acccf779383e90a68bd780

Felix Dörre [Fri, 9 Sep 2016 23:37:33 +0000 (01:37 +0200)]
upd: enforce a more strict Form call pattern.

form management is now split into:
- initial generation (typically in doGet)
- actual submitting (typically in beforePost) resulting in
 - an error (permanent or non-permanent)
 - a submission result
   - redirect
   - success message
   - custom
- re-emitting if needed (typically in doPost)

Change-Id: Ic226bb886a513b6dfbd844294d2092b653c5df5b

Lucas Werkmeister [Fri, 9 Sep 2016 20:19:31 +0000 (22:19 +0200)]
upd: native Makefile improvements

- Remove optimization. We don't need it, and -O3 in particular can
  introduce bugs.
- Move -I directives to preprocessor flags.
- Add a separate goal for the header file instead of using shell &&.
- Use the special variable $(RM) to remove files, and ignore failures if
  some files don't exist.

Change-Id: Icb7bd684bae6bdb860712a4e24d880b265db292a

Felix Dörre [Mon, 5 Sep 2016 17:05:17 +0000 (19:05 +0200)]
upd: use a more strict pattern for handling forms

Change-Id: I55e1087868820e652fccc7454c9ae290b6947119

Felix Dörre [Fri, 9 Sep 2016 12:07:05 +0000 (14:07 +0200)]
fix: make simple signer select CA certificate better.

Change-Id: I51d3a7849c1d5899a80c93c7222a2e97a3ff5dba

Lucas Werkmeister [Fri, 9 Sep 2016 12:47:57 +0000 (14:47 +0200)]
fix: add CAP_SETGID to gigi-standalone bounding set

I thought CAP_SETUID included CAP_SETGID, but that’s not the case, and
we need both.

Change-Id: I83adef1bec4baea2a4bd28aafe8c1686f2932014

INOPIAE [Mon, 22 Aug 2016 08:24:15 +0000 (10:24 +0200)]
add: test case for user opt-in notification for RA Agents

Change-Id: I896cb3d9f6c6f894001cb8d26f6a84f8b3fc8e6c

INOPIAE [Fri, 19 Aug 2016 13:22:27 +0000 (15:22 +0200)]
add: implement opt-in for notification of RA Agent

Sets the opt-in value for an RA Agent to receive a notification for
every Verification he enters and sends notification if value is given.

fixes issue #95

Change-Id: I4a544712831aa45b9b5ec252c79834c1f10fb179

Felix Dörre [Wed, 7 Sep 2016 20:58:55 +0000 (22:58 +0200)]
Merge changes Ia0c9d6da,I9e50cc2d

* changes:
  add: tests for EditDistance
  add: improvement of template parsing

Johannes Bechberger [Mon, 5 Sep 2016 20:38:18 +0000 (22:38 +0200)]
add: tests for EditDistance

Change-Id: Ia0c9d6da088cc4060ebd6b24d1d8a34eb99c4e6d

Johannes Bechberger [Mon, 5 Sep 2016 18:01:39 +0000 (20:01 +0200)]
add: improvement of template parsing

Change-Id: I9e50cc2d8d30b7b795dedb9dee02ade4d090d891

INOPIAE [Fri, 2 Sep 2016 03:52:39 +0000 (05:52 +0200)]
chg: replace CAcert Wot User by SomeCA User when creating certificates

Change-Id: I71bfb43f10ec7e4d39a4ccbb27305afb708df4e3

Felix Dörre [Sun, 4 Sep 2016 11:53:10 +0000 (13:53 +0200)]
fix: print error messages for translation extraction to stderr

Change-Id: I26c6294d93463575ce02a5a0752a37814eb47a0d

Felix Dörre [Sat, 3 Sep 2016 13:05:30 +0000 (15:05 +0200)]
add: fail build when translation extraction has a problem.

Change-Id: Ibeeb1f674ce09a131cac21fa6a5df3516b586e60

Felix Dörre [Sat, 3 Sep 2016 15:07:57 +0000 (17:07 +0200)]
upd: cleanup SQL statements to make them statically verifiable.

Change-Id: I4e7b773bf13a1c5a9b979a995bf72fe5ba45f9d0

Benny Baumann [Tue, 6 Sep 2016 06:55:10 +0000 (08:55 +0200)]
Merge "fix: language detection pattern for Group description"

Felix Dörre [Sun, 4 Sep 2016 11:47:56 +0000 (13:47 +0200)]
fix: language detection pattern for Group description

Change-Id: I15ead19d4a218b527eb25430659355d5e47029ad

Felix Dörre [Sat, 3 Sep 2016 14:12:57 +0000 (16:12 +0200)]
fix: SQL query was wrong

Change-Id: I3637c59944fdd5fc2e61a991b51781b3b9d746db

Felix Dörre [Sat, 3 Sep 2016 15:24:24 +0000 (17:24 +0200)]
Merge "Replace init scripts with systemd unit files"

Lucas Werkmeister [Tue, 30 Aug 2016 12:35:05 +0000 (14:35 +0200)]
Replace init scripts with systemd unit files

The package installs four unit files. gigi-standalone.service works just
like the old cacert-gigi service: gigi will start as root, manage its
own ports, then drop privileges. gigi-proxy.service and .socket let
systemd manage the port and start gigi as its dedicated user. These
services need different configuration for gigi: for the proxy version,
the configuration must contain proxy=true and http.bindPort=stdin, while
for the standalone version the configuration must have proxy=false and
specify real ports. For this reason, we also disable Debian's policy to
automatically start services upon package installation.

(gigi-simple-signer.service is a direct conversion of
cacert-gigi-signer.init.)

Very simple init scripts for gigi-standalone and gigi-simple-signer are
provided, so that running /etc/init.d/gigi-standalone start will still
work. The scripts simply redirect to systemctl; the LSB header is not
included, since the scripts are useless on their own.

Change-Id: I53f0c825880d1b8c082496106a018957d6128392

Lucas Werkmeister [Tue, 30 Aug 2016 17:43:05 +0000 (19:43 +0200)]
Merge changes I343e1e25,I8bf03317

* changes:
  Support socket activation
  Support reading configuration from file

Lucas Werkmeister [Mon, 29 Aug 2016 12:10:09 +0000 (14:10 +0200)]
Support socket activation

There are now separate properties for the port that is "displayed" (e.g.
when issuing redirects) and the port that is actually bound. The bind
ports may also be set to "stdin", in which case System.inheritedChannel
is used (expects a socket as file descriptor 0). This allows gigi to
inherit a socket from the system manager ((x)inetd, systemd), which in
turn allows one to run gigi as any user on root ports (e.g. port 80).

Change-Id: I343e1e25daae94aae67db1dd6f25fcfb6241d0fc

Lucas Werkmeister [Mon, 29 Aug 2016 14:00:47 +0000 (16:00 +0200)]
Support reading configuration from file

This is necessary to support socket activation (Java only supports a
single "inherited channel", which must be file descriptor 0), and also
makes it simpler to run gigi when the configuration is just a regular
file.

It also simplifies the DevelLauncher a bit.

Change-Id: I8bf03317ea549bd17f5b61e50808f48314a06803

Felix Dörre [Fri, 26 Aug 2016 08:08:24 +0000 (10:08 +0200)]
add: prevent supporters from modifying their own accounts via support

Change-Id: Ie759b769074e5f7c25787cee7f5661fd8b1471a5

Felix Dörre [Mon, 29 Aug 2016 11:32:35 +0000 (13:32 +0200)]
Merge "fix: only run fetch-locales in postinst configure"

INOPIAE [Sun, 28 Aug 2016 06:05:10 +0000 (08:05 +0200)]
add: notify board if a support role is granted or removed

The board mailing address needs to be defined in the future to the email
address for the recipient defined.

Change-Id: Id19ac9023aa199981f91cdcb25a63d26f5af5173

Lucas Werkmeister [Sat, 27 Aug 2016 11:56:51 +0000 (13:56 +0200)]
fix: only run fetch-locales in postinst configure

I believe we’re not supposed to run that in other postinst phases.

Change-Id: I180aa9fe1b58a33e61b6e6e8b18e944a41d81c22

Felix Dörre [Fri, 26 Aug 2016 15:18:05 +0000 (17:18 +0200)]
fix: stop checking CAA on public suffix (and report error better)

Change-Id: Ifb7000db540e6e89c5b8e7c2bdccb6656c5ebe50

Felix Dörre [Fri, 26 Aug 2016 19:31:31 +0000 (21:31 +0200)]
add: make inclusion of leaf certificate optional

Change-Id: Ie7c9b18bcb698fb4b9fd688e68f16d8ffb2157cb

Felix Dörre [Thu, 25 Aug 2016 23:08:49 +0000 (01:08 +0200)]
fix: message to user on single-certificate-revoke

Change-Id: I0e49c575e7e421922ed3120572480ad263506893

Felix Dörre [Thu, 25 Aug 2016 22:01:15 +0000 (00:01 +0200)]
fix: turn NPE into better error message.

Change-Id: I2a45b7dd043d4a4d9c73a19ea4bcf1c4433b391d