summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-09-19 12:37:41 -0400
committerAde Lee <alee@redhat.com>2012-09-19 22:20:34 -0400
commite1666df57fb49b4c2c20563559cd2a7450a6f9f4 (patch)
tree8b372320ca55260d777c815dae104ef05ad7f240
parent9173b431751486018957428e67392a4a94a86baf (diff)
downloadpki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.zip
pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.gz
pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.xz
Changes to use standard dbuser
We create a user that can be used to connect to the database using the subsystem cert for client auth. We identified this user, using the seeAlso attribute and provided certmap rules to this effect. For this user, we used to reuse the uid = user CA-hostname-port, which is already created for inter-system communication. But this is problematic if more than one dbuser exists, as the directory server may bind as the incorrect user. In any replication topology, there must be only one dbuser using the subsystem cert. To simplify things, we create a new user specifically for this purpose (pkidbuser), and we remove the seeAlso attribute from the older dbusers. A script is needed to convert existing dogtag 9 istances to use the new user, and set the relevant acls. This will be done in a separate commit.
-rw-r--r--base/common/src/com/netscape/certsrv/logging/AuditFormat.java2
-rw-r--r--base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java8
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java54
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java12
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java8
-rw-r--r--base/common/src/com/netscape/cmscore/logging/AuditFormat.java5
-rw-r--r--base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java48
7 files changed, 111 insertions, 26 deletions
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
index 72980aa..005043a 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
@@ -106,6 +106,8 @@ public class AuditFormat {
"Admin UID: {0} removed User UID: {1} from group: {2}";
public static final String ADDCERTSUBJECTDNFORMAT =
"Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
// LDAP publishing
public static final String LDAP_PUBLISHED_FORMAT =
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index eb7f84e..543b33c 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
/**
+ * Remove a certSubjectDN field from the user
+ * @param identity
+ * @throws EUsrGrpException
+ * @throws LDAPException
+ */
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+
+ /**
* Removes a user certificate for a user entry
* given a user certificate DN (actually, a combination of version,
* serialNumber, issuerDN, and SubjectDN), and it gets removed
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 6cd64f6..bcfe364 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -144,6 +144,7 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority;
import com.netscape.certsrv.system.InstallToken;
import com.netscape.certsrv.system.InstallTokenRequest;
import com.netscape.certsrv.system.SystemConfigClient;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
import com.netscape.certsrv.usrgrp.IGroup;
import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.certsrv.usrgrp.IUser;
@@ -170,6 +171,7 @@ public class ConfigurationUtils {
public static String AUTH_FAILURE = "2";
public static final BigInteger BIG_ZERO = new BigInteger("0");
public static final Long MINUS_ONE = Long.valueOf(-1);
+ public static final String DBUSER = "pkidbuser";
public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
IncorrectPasswordException {
@@ -717,8 +719,6 @@ public class ConfigurationUtils {
BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
NoSuchItemOnTokenException, InvalidBERException, IOException {
byte b[] = new byte[1000000];
- IConfigStore cs = CMS.getConfigStore();
- String instanceRoot = cs.getString("instanceRoot");
FileInputStream fis = new FileInputStream(p12File);
while (fis.available() > 0)
@@ -1204,8 +1204,7 @@ public class ConfigurationUtils {
String instanceId = cs.getString("instanceId");
String cstype = cs.getString("cs.type");
- String dbuser = "uid=" + LDAPUtil.escapeDN(cstype + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort")) + ",ou=people," + baseDN;
+ String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN;
String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf";
@@ -3389,19 +3388,28 @@ public class ConfigurationUtils {
}
}
- public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException,
+ public static void setupDBUser() throws CertificateException, LDAPException, EBaseException,
NotInitializedException, ObjectNotFoundException, TokenException, IOException {
IUGSubsystem system =
(IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ try {
+ @SuppressWarnings("unused")
+ Enumeration<IUser> dbusers = system.findUsers(DBUSER);
+ CMS.debug("DB User already exists: " + DBUSER);
+ return;
+ } catch (EUsrGrpException e) {
+ CMS.debug("Creating DB User: " + DBUSER);
+ }
+
String b64 = getSubsystemCert();
if (b64 == null) {
CMS.debug("setupDBUser(): failed to fetch subsystem cert");
- return;
+ throw new EBaseException("setupDBUser(): failed to fetch subsystem cert");
}
- IUser user = system.createUser(dbuser);
- user.setFullName(dbuser);
+ IUser user = system.createUser(DBUSER);
+ user.setFullName(DBUSER);
user.setEmail("");
user.setPassword("");
user.setUserType("agentType");
@@ -3414,6 +3422,36 @@ public class ConfigurationUtils {
CMS.debug("setupDBUser(): successfully added the user");
system.addUserCert(user);
CMS.debug("setupDBUser(): successfully add the user certificate");
+
+ // set subject dn
+ system.addCertSubjectDN(user);
+
+ // remove old db users
+ CMS.debug("Removing seeAlso from old dbusers");
+ removeOldDBUsers(certs[0].getSubjectDN().toString());
+ }
+
+ public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
+ IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ IConfigStore cs = CMS.getConfigStore();
+ String userbasedn = "ou=people, " + cs.getString("internaldb.basedn");
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory();
+ dbFactory.init(dbCfg);
+ LDAPConnection conn = dbFactory.getConn();
+
+ String filter = "(&(seeAlso=" + LDAPUtil.escapeFilter(subjectDN) + ")(!(uid=" + DBUSER + ")))";
+ String[] attrs = null;
+ LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
+ attrs, false);
+ if (res != null) {
+ while (res.hasMoreElements()) {
+ String uid = (String) res.next().getAttribute("uid").getStringValues().nextElement();
+ IUser user = system.getUser(uid);
+ CMS.debug("removeOldDUsers: Removing seeAlso from " + uid);
+ system.removeCertSubjectDN(user);
+ }
+ }
}
public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index e81afdd..197c16a 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -31,8 +31,6 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.ocsp.IOCSPAuthority;
import com.netscape.certsrv.property.PropertySet;
-import com.netscape.certsrv.usrgrp.IUGSubsystem;
-import com.netscape.certsrv.usrgrp.IUser;
import com.netscape.cms.servlet.wizard.WizardServlet;
import com.netscape.cmsutil.util.Utils;
@@ -225,16 +223,8 @@ public class DonePanel extends WizardPanelBase {
e.printStackTrace();
}
- String dbuser = null;
try {
- dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
- + cs.getString("service.securePort");
- if (!sdtype.equals("new")) {
- ConfigurationUtils.setupDBUser(dbuser);
- }
- IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- IUser user = system.getUser(dbuser);
- system.addCertSubjectDN(user);
+ ConfigurationUtils.setupDBUser();
} catch (Exception e) {
e.printStackTrace();
CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e);
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 4ae9579..3bbe3ca 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -703,13 +703,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
}
try {
- String dbuser = csType + "-" + CMS.getEEHost() + "-" + cs.getString("service.securePort");
- if (! securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
- ConfigurationUtils.setupDBUser(dbuser);
- }
- IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- IUser user = system.getUser(dbuser);
- system.addCertSubjectDN(user);
+ ConfigurationUtils.setupDBUser();
} catch (Exception e) {
e.printStackTrace();
throw new PKIException("Errors in creating or updating dbuser: " + e);
diff --git a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
index 9ba62ba..42c3b0d 100644
--- a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
@@ -108,4 +108,9 @@ public class AuditFormat {
"Admin UID: {0} added User UID: {1} to group: {2}";
public static final String REMOVEUSERGROUPFORMAT =
"Admin UID: {0} removed User UID: {1} from group: {2}";
+ public static final String ADDCERTSUBJECTDNFORMAT =
+ "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
+
}
diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 9e3dacb..6b61572 100644
--- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -820,6 +820,54 @@ public final class UGSubsystem implements IUGSubsystem {
return;
}
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+ User user = (User) identity;
+
+ if (user == null) {
+ CMS.debug("removeCertSubjectDN: null user passed in");
+ return;
+ }
+
+ X509Certificate cert[] = null;
+ LDAPModificationSet delAttr = new LDAPModificationSet();
+
+ if ((cert = user.getX509Certificates()) != null) {
+ LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
+ attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
+ delAttr.add(LDAPModification.DELETE, attrCertDNStr);
+
+ LDAPConnection ldapconn = null;
+
+ try {
+ ldapconn = getConn();
+ ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) +
+ "," + getUserBaseDN(), delAttr);
+ // for audit log
+ SessionContext sessionContext = SessionContext.getContext();
+ String adminId = (String) sessionContext.get(SessionContext.USER_ID);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT,
+ new Object[] { adminId, user.getUserID(),
+ cert[0].getSubjectDN().toString() }
+ );
+
+ } catch (LDAPException e) {
+ if (Debug.ON) {
+ e.printStackTrace();
+ }
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw e;
+ } catch (ELdapException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ } finally {
+ if (ldapconn != null)
+ returnConn(ldapconn);
+ }
+ }
+ return;
+ }
+
/**
* Removes a user certificate for a user entry
* given a user certificate DN (actually, a combination of version,