authorEndi S. Dewata <edewata@redhat.com>2013-11-14 15:32:11 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-11-20 12:17:29 -0500
commitb5d353f13eefeed5a234850d5c95e3fc03340d36 (patch)
tree8037b51b7be65fb010a8bb9f9de7a962804fef2d
parentb1a187e3e731f25a37f7df0a2cd361224125b531 (diff)
downloadpki-b5d353f13eefeed5a234850d5c95e3fc03340d36.tar.gz
pki-b5d353f13eefeed5a234850d5c95e3fc03340d36.tar.xz
pki-b5d353f13eefeed5a234850d5c95e3fc03340d36.zip
Replaced auth.properties with acl.properties.
The ACL mapping files have been renamed from auth.properties to acl.properties to match the actual content and moved into the subsystem conf folder. The authentication method mapping files have been extracted from the interceptor into actual files. The ACLInterceptor and AuthMethodInterceptor have been modified to read the default mapping first, then override it with the custom mapping if one exists in the subsystem folder. The UpdateAuthzProperties upgrade script has been replaced with RemoveAuthProperties, which will remove the old auth.properties.
-rw-r--r--base/ca/shared/conf/acl.properties (renamed from base/ca/shared/webapps/ca/WEB-INF/auth.properties)7
-rw-r--r--base/ca/shared/conf/auth-method.properties18
-rw-r--r--base/common/upgrade/10.0.5/.gitignore4
-rw-r--r--base/common/upgrade/10.0.6/.gitignore4
-rw-r--r--base/kra/shared/conf/acl.properties (renamed from base/kra/shared/webapps/kra/WEB-INF/auth.properties)7
-rw-r--r--base/kra/shared/conf/auth-method.properties15
-rw-r--r--base/ocsp/shared/conf/acl.properties (renamed from base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties)7
-rw-r--r--base/ocsp/shared/conf/auth-method.properties12
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java38
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java58
-rw-r--r--base/server/python/pki/server/__init__.py2
-rw-r--r--base/server/share/conf/tomcat.conf4
-rw-r--r--base/server/upgrade/10.0.6/.gitignore4
-rwxr-xr-xbase/server/upgrade/10.0.99/02-RemoveAuthProperties (renamed from base/server/upgrade/10.0.99/02-UpdateAuthzProperties)13
-rw-r--r--base/tks/shared/conf/acl.properties (renamed from base/tks/shared/webapps/tks/WEB-INF/auth.properties)7
-rw-r--r--base/tks/shared/conf/auth-method.properties14
-rw-r--r--base/tps-tomcat/shared/conf/acl.properties (renamed from base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties)8
-rw-r--r--base/tps-tomcat/shared/conf/auth-method.properties26
18 files changed, 182 insertions, 66 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/conf/acl.properties
index 24ed2d6a5..1c6651e4f 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties
new file mode 100644
index 000000000..a213534ad
--- /dev/null
+++ b/base/ca/shared/conf/auth-method.properties
@@ -0,0 +1,18 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+certs = certUserDBAuthMgr
+certrequests = certUserDBAuthMgr
+groups = certUserDBAuthMgr
+kraconnectors = certUserDBAuthMgr
+profiles = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
+selftests = certUserDBAuthMgr
+users = certUserDBAuthMgr
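Review bot: The header documents the key/value format but not what `*` means on the `default = *` line, nor which resources `default` is consulted for; the interceptor code that interprets it is outside this hunk, but it looks like the fallback for every resource not listed. Since this is the file an admin copies into the instance conf folder to customise, the header should say what `*` means and when `default` applies, e.g. `# default is used for resources not listed below; '*' means <wildcard semantics here>` with the placeholder filled in from AuthMethodInterceptor. The same header is copied into the KRA, OCSP, TKS and TPS auth-method.properties files in this commit, so the wording should be fixed in all five.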
diff --git a/base/common/upgrade/10.0.5/.gitignore b/base/common/upgrade/10.0.5/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/common/upgrade/10.0.5/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/common/upgrade/10.0.6/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/conf/acl.properties
index 77b7df8bd..8f6ff5e7a 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.kra.account,login
account.logout = certServer.kra.account,logout
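Review bot: The new example line `# users = certServer.ca.users,execute` names the CA resource in the KRA file, while the live entries below it use `certServer.kra.*`. The same copied example appears in the OCSP, TKS and TPS acl.properties hunks of this commit. These files are the ACL policy an admin edits, so the example should use the subsystem's own prefix, e.g. `# users = certServer.kra.users,execute` here.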
diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties
new file mode 100644
index 000000000..108448c1f
--- /dev/null
+++ b/base/kra/shared/conf/auth-method.properties
@@ -0,0 +1,15 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+keys = certUserDBAuthMgr
+keyrequests = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/conf/acl.properties
index 9e138cb5a..67c68b37f 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.ocsp.account,login
account.logout = certServer.ocsp.account,logout
diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
new file mode 100644
index 000000000..5718fc6da
--- /dev/null
+++ b/base/ocsp/shared/conf/auth-method.properties
@@ -0,0 +1,12 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
index b43eb3cbe..c4b890e12 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
@@ -17,9 +17,10 @@
//--- END COPYRIGHT BLOCK ---
package com.netscape.cms.authorization;
+import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.Method;
-import java.net.URL;
import java.security.Principal;
import java.util.Properties;
@@ -49,7 +50,7 @@ import com.netscape.cms.realm.PKIPrincipal;
@Provider
public class ACLInterceptor implements ContainerRequestFilter {
- Properties authProperties;
+ Properties properties;
@Context
ServletContext servletContext;
@@ -57,14 +58,33 @@ public class ACLInterceptor implements ContainerRequestFilter {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadProperties() throws IOException {
- if (authProperties != null)
+ if (properties != null)
return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ properties = new Properties();
+
+ String context = servletContext.getContextPath();
+ String subsystem = context.startsWith("/") ? context.substring(1) : context;
+
+ // load default mapping
+ String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/acl.properties";
+ CMS.debug("ACLInterceptor: loading " + defaultMapping);
+ try (FileReader in = new FileReader(defaultMapping)) {
+ properties.load(in);
+ }
+
+ // load custom mapping
+ File customMapping = new File(System.getProperty("catalina.base")
+ + "/" + subsystem + "/conf/acl.properties");
+ CMS.debug("ACLInterceptor: checking " + customMapping);
+ if (customMapping.exists()) {
+ CMS.debug("ACLInterceptor: loading " + customMapping);
+ try (FileReader in = new FileReader(customMapping)) {
+ properties.load(in);
+ }
+ }
}
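Review bot: `properties = new Properties();` is executed before either file is read, so if the default load throws IOException the field is left non-null but empty, and every later request returns early at `if (properties != null) return;` without retrying; in this filter `getProperty(name)` then yields null and the `// If no property defined, allow request.` branch visible in the next hunk admits the request, turning a one-off load failure into a cached allow-all policy. Load into a local and publish it only after both loads have succeeded, so a failed load is retried on the next request instead of being remembered as an empty mapping. AuthMethodInterceptor.loadProperties in this commit has the same shape; there the effect of an empty mapping is decided by code outside its hunk. The `customMapping.exists()` check followed by `new FileReader(customMapping)` could also become a single open that catches FileNotFoundException, but that is a smaller point.
```java
        Properties p = new Properties();
        // … unchanged: subsystem, defaultMapping and customMapping path computation …
        try (FileReader in = new FileReader(defaultMapping)) {
            p.load(in);
        }
        if (customMapping.exists()) {
            CMS.debug("ACLInterceptor: loading " + customMapping);
            try (FileReader in = new FileReader(customMapping)) {
                p.load(in);
            }
        }
        // publish only once both loads succeeded; a failed load is retried on the next request
        properties = p;
```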
@Override
@@ -118,9 +138,9 @@ public class ACLInterceptor implements ContainerRequestFilter {
}
try {
- loadAuthProperties();
+ loadProperties();
- String value = authProperties.getProperty(name);
+ String value = properties.getProperty(name);
// If no property defined, allow request.
if (value == null) {
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 2e6b68955..6d26840b6 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -17,9 +17,10 @@
//--- END COPYRIGHT BLOCK ---
package com.netscape.cms.authorization;
+import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.Method;
-import java.net.URL;
import java.security.Principal;
import java.util.Collection;
import java.util.HashSet;
@@ -48,7 +49,7 @@ import com.netscape.cms.realm.PKIPrincipal;
@Provider
public class AuthMethodInterceptor implements ContainerRequestFilter {
- Properties authMethodProperties;
+ Properties properties;
@Context
ServletContext servletContext;
@@ -56,37 +57,32 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadProperties() throws IOException {
- if (authMethodProperties != null)
+ if (properties != null)
return;
- authMethodProperties = new Properties();
-
- URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
-
- if (url == null) {
- authMethodProperties.put("default", "*");
- authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
- authMethodProperties.put("authenticators", "certUserDBAuthMgr");
- authMethodProperties.put("certs", "certUserDBAuthMgr");
- authMethodProperties.put("certrequests", "certUserDBAuthMgr");
- authMethodProperties.put("config", "certUserDBAuthMgr");
- authMethodProperties.put("connections", "certUserDBAuthMgr");
- authMethodProperties.put("groups", "certUserDBAuthMgr");
- authMethodProperties.put("keys", "certUserDBAuthMgr");
- authMethodProperties.put("keyrequests", "certUserDBAuthMgr");
- authMethodProperties.put("kraconnectors", "certUserDBAuthMgr");
- authMethodProperties.put("profiles", "certUserDBAuthMgr");
- authMethodProperties.put("profile-mappings", "certUserDBAuthMgr");
- authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
- authMethodProperties.put("selftests", "certUserDBAuthMgr");
- authMethodProperties.put("tokens", "certUserDBAuthMgr");
- authMethodProperties.put("tpsconnectors", "certUserDBAuthMgr");
- authMethodProperties.put("users", "certUserDBAuthMgr");
+ properties = new Properties();
- } else {
- authMethodProperties.load(url.openStream());
+ String context = servletContext.getContextPath();
+ String subsystem = context.startsWith("/") ? context.substring(1) : context;
+
+ // load default mapping
+ String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/auth-method.properties";
+ CMS.debug("AuthMethodInterceptor: loading " + defaultMapping);
+ try (FileReader in = new FileReader(defaultMapping)) {
+ properties.load(in);
+ }
+
+ // load custom mapping
+ File customMapping = new File(System.getProperty("catalina.base") +
+ "/" + subsystem + "/conf/auth-method.properties");
+ CMS.debug("AuthMethodInterceptor: checking " + customMapping);
+ if (customMapping.exists()) {
+ CMS.debug("AuthMethodInterceptor: loading " + customMapping);
+ try (FileReader in = new FileReader(customMapping)) {
+ properties.load(in);
+ }
}
}
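Review bot: loadProperties has no comment stating the overlay semantics, which are the security-relevant part of this change: the custom file under `<catalina.base>/<subsystem>/conf/auth-method.properties` is loaded into the same Properties after the packaged default, so it overrides key by key, keeps every default key it does not mention, and cannot remove a mapping. A Javadoc on the method saying exactly that, and noting that the packaged file under /usr/share/pki is now mandatory because the removed built-in `put(...)` fallback is gone and a missing file surfaces as IOException, would stop a site admin assuming a custom file replaces the default wholesale. `System.getProperty("catalina.base")` is also concatenated without a null check; if it can be unset in any launch path the filter looks for `null/<subsystem>/conf/...` and falls back to the default mapping with only the debug line hinting at it, so an explicit failure or warning there seems worth adding.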
@@ -119,9 +115,9 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
CMS.debug("AuthMethodInterceptor: mapping: " + name);
try {
- loadAuthProperties();
+ loadProperties();
- String value = authMethodProperties.getProperty(name);
+ String value = properties.getProperty(name);
Collection<String> authMethods = new HashSet<String>();
if (value != null) {
for (String v : value.split(",")) {
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index eb1e4b81a..e41f1a980 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -26,7 +26,7 @@ import pki
INSTANCE_BASE_DIR = '/var/lib/pki'
REGISTRY_DIR = '/etc/sysconfig/pki'
-SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks']
+SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
class PKISubsystem(object):
diff --git a/base/server/share/conf/tomcat.conf b/base/server/share/conf/tomcat.conf
index ce8453c91..87c0b54d7 100644
--- a/base/server/share/conf/tomcat.conf
+++ b/base/server/share/conf/tomcat.conf
@@ -30,9 +30,9 @@ CATALINA_TMPDIR=[PKI_TMPDIR]
# - parameters to the JVM like
# -Xminf0.1 -Xmaxf0.3
# - parameters to set java.library.path for libtcnative.so
-# -Djava.library.path=/usr/lib"
+# -Djava.library.path=/usr/lib
# - parameters to run a java debugger (e. g. - 'eclipse')
-# -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M"
+# -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M
JAVA_OPTS="-DRESTEASY_LIB=[PKI_RESTEASY_LIB]"
# What user should run tomcat
diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/server/upgrade/10.0.6/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.0.99/02-UpdateAuthzProperties b/base/server/upgrade/10.0.99/02-RemoveAuthProperties
index 992b2d518..83719fc75 100755
--- a/base/server/upgrade/10.0.99/02-UpdateAuthzProperties
+++ b/base/server/upgrade/10.0.99/02-RemoveAuthProperties
@@ -21,25 +21,22 @@
import os
import pki
-import shutil
import pki.server.upgrade
-class UpdateAuthzProperties(pki.server.upgrade.PKIServerUpgradeScriptlet):
+class RemoveAuthProperties(pki.server.upgrade.PKIServerUpgradeScriptlet):
def __init__(self):
- self.message = 'Update auth.properties'
+ self.message = 'Remove auth.properties'
def upgrade_subsystem(self, instance, subsystem):
+
auth_properties = os.path.join(
instance.base_dir,
'webapps', subsystem.name,
'WEB-INF', 'auth.properties')
self.backup(auth_properties)
- default_auth_properties = os.path.join(
- pki.SHARE_DIR, subsystem.name,
- 'webapps', subsystem.name,
- 'WEB-INF', 'auth.properties')
- shutil.copyfile(default_auth_properties, auth_properties)
+ if os.path.exists(auth_properties):
+ os.remove(auth_properties)
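Review bot: `self.backup(auth_properties)` still runs before the new `os.path.exists` check, so on an instance where WEB-INF/auth.properties is already gone the outcome depends on whether backup() tolerates a missing path, which is defined outside this file. Moving the backup under the guard makes the intent explicit: `if os.path.exists(auth_properties):` / `    self.backup(auth_properties)` / `    os.remove(auth_properties)`. The blank line added directly after the `def upgrade_subsystem` line is a style nit, and `import pki` is now only reached through `pki.server.upgrade`, which binds `pki` anyway. Anything else in the class lies outside the hunk.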
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/conf/acl.properties
index cf3d27b74..db13b08a1 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.tks.account,login
account.logout = certServer.tks.account,logout
diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties
new file mode 100644
index 000000000..fe91b9051
--- /dev/null
+++ b/base/tks/shared/conf/auth-method.properties
@@ -0,0 +1,14 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
+tpsconnectors = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/conf/acl.properties
index c5f27f100..3697f0171 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/conf/acl.properties
@@ -1,8 +1,10 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
+
account.login = certServer.tps.account,login
account.logout = certServer.tps.account,logout
diff --git a/base/tps-tomcat/shared/conf/auth-method.properties b/base/tps-tomcat/shared/conf/auth-method.properties
new file mode 100644
index 000000000..af894ba05
--- /dev/null
+++ b/base/tps-tomcat/shared/conf/auth-method.properties
@@ -0,0 +1,26 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+authenticators = certUserDBAuthMgr
+certs = certUserDBAuthMgr
+certrequests = certUserDBAuthMgr
+config = certUserDBAuthMgr
+connections = certUserDBAuthMgr
+groups = certUserDBAuthMgr
+keys = certUserDBAuthMgr
+keyrequests = certUserDBAuthMgr
+kraconnectors = certUserDBAuthMgr
+profiles = certUserDBAuthMgr
+profile-mappings = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
+selftests = certUserDBAuthMgr
+tokens = certUserDBAuthMgr
+tpsconnectors = certUserDBAuthMgr
+users = certUserDBAuthMgr