authorEndi S. Dewata <edewata@redhat.com>2013-11-05 11:10:15 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-11-07 11:49:38 -0500
commit66eabd97adafa95f97215202a825d73f5fca7692 (patch)
treed5759739e4bd0042e0d02124ad351d8b3cfb0040
parent89eebe6729b8a7ed53441649d0baa98c98fdfa7f (diff)
Fixed return code for user and group services.
The user and group services have been modified to return consistent HTTP return codes in various situations. The UGSubsystem has been modified to capture any LDAP exceptions and throw the proper PKIException subclass that represents the appropriate HTTP error code for the situation. Ticket #669, #749
-rw-r--r--base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java6
-rw-r--r--base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java16
-rw-r--r--base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java6
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java16
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java4
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/admin/GroupService.java50
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/admin/UserService.java115
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java28
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java11
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java24
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java21
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java11
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java82
13 files changed, 165 insertions, 225 deletions
diff --git a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
index dd68795d1..88b126351 100644
--- a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
+++ b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
@@ -17,13 +17,13 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.certsrv.ldap;
+import netscape.ldap.LDAPException;
+
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceNotFoundException;
-import netscape.ldap.LDAPException;
-
/**
* @author Endi S. Dewata
*/
@@ -35,6 +35,8 @@ public class LDAPExceptionConverter {
return new ConflictingOperationException("Attribute or value exists.", e);
case LDAPException.NO_SUCH_OBJECT:
return new ResourceNotFoundException("No such object.", e);
+ case LDAPException.NO_SUCH_ATTRIBUTE:
+ return new ResourceNotFoundException("No such attribute.", e);
case LDAPException.INVALID_DN_SYNTAX:
return new BadRequestException("Invalid DN syntax.", e);
case LDAPException.ENTRY_ALREADY_EXISTS:
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index 543b33c26..66914feec 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -65,19 +65,16 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
*
* @param identity the given user
* @exception EUsrGrpException thrown when failed to add user to the group
- * @exception LDAPException thrown when the LDAP internal database is not available
*/
- public void addUser(IUser identity) throws EUsrGrpException, LDAPException;
+ public void addUser(IUser identity) throws EUsrGrpException;
/**
* Adds a user certificate to user
*
* @param identity user interface
* @exception EUsrGrpException thrown when failed to add the user certificate to the given user
- * @exception LDAPException thrown when the LDAP internal database is not available
*/
- public void addUserCert(IUser identity) throws EUsrGrpException,
- LDAPException;
+ public void addUserCert(IUser identity) throws EUsrGrpException;
/**
* Add a certSubjectDN field to the user
@@ -85,15 +82,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
* @throws EUsrGrpException
* @throws LDAPException
*/
- public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+ public void addCertSubjectDN(IUser identity) throws EUsrGrpException;
/**
* Remove a certSubjectDN field from the user
* @param identity
* @throws EUsrGrpException
- * @throws LDAPException
*/
- public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException;
/**
* Removes a user certificate for a user entry
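Review bot: The Javadoc for addCertSubjectDN still carries `@throws LDAPException` at L83 although the throws clause on L86 no longer declares it; the sibling removeCertSubjectDN comment in the same hunk (L91) was cleaned up. Drop the stale tag so the interface documentation matches the signature, since the whole point of the commit is that LDAP failures now surface as PKIException subclasses rather than LDAPException.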
@@ -281,10 +277,8 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
* @param filter search filter
* @return an user
* @exception EUsrGrpException thrown when failed to find user
- * @exception LDAPException thrown when the internal database is not available
*/
- public IUser findUsersByCert(String filter) throws
- EUsrGrpException, LDAPException;
+ public IUser findUsersByCert(String filter) throws EUsrGrpException;
/**
* Get user locator which does the mapping between the user and the certificate.
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java b/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java
index db9c1539f..84bda3d08 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUsrGrp.java
@@ -19,8 +19,6 @@ package com.netscape.certsrv.usrgrp;
import java.io.Serializable;
-import netscape.ldap.LDAPException;
-
/**
* This interface defines the basic capabilities of
* a usr/group manager. (get/add/modify/remove users or groups)
@@ -62,10 +60,8 @@ public interface IUsrGrp extends IIdEvaluator , Serializable {
* @param user an user interface
* @exception EUsrGrpException thrown when some of the user attribute values
* are null
- * @exception LDAPException thrown when the LDAP internal database is not
- * available, or the add operation failed
*/
- public void addUser(IUser user) throws EUsrGrpException, LDAPException;
+ public void addUser(IUser user) throws EUsrGrpException;
/**
* Removes a user.
diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
index b703f5b47..b1da18892 100644
--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
@@ -21,10 +21,10 @@ import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
-import netscape.ldap.LDAPException;
import netscape.security.x509.X509CertImpl;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.SessionContext;
@@ -201,17 +201,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
ILogger.SUCCESS,
auditParams);
audit(auditMessage);
- } catch (LDAPException e) {
+
+ } catch (ConflictingOperationException e) {
CMS.debug("UpdateSubsystemGroup: update " + e.toString());
- if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams);
- audit(auditMessage);
- throw new EProfileException(e.toString());
- }
+ // ignore
+
} catch (Exception e) {
CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString());
auditMessage = CMS.getLogMessage(
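Review bot: The `// ignore` at L161 silences a wider condition than the removed `ENTRY_ALREADY_EXISTS` test: LDAPExceptionConverter maps ATTRIBUTE_OR_VALUE_EXISTS to the same ConflictingOperationException (L49), so a duplicate-attribute error during the group update is now also treated as success and produces no FAILURE audit record. If that is intended, the comment should say so, e.g. `// entry or attribute already present (ConflictingOperationException); treat as already applied`. The enclosing method continues outside the hunk.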
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
index 399b97d0c..9f976d401 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
@@ -254,7 +254,7 @@ public class GroupMemberProcessor extends Processor {
} catch (Exception e) {
log(ILogger.LL_FAILURE, e.toString());
auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE);
- throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+ throw new PKIException(getUserMessage("CMS_USRGRP_GROUP_MODIFY_FAILED"));
}
}
@@ -372,7 +372,7 @@ public class GroupMemberProcessor extends Processor {
} catch (Exception e) {
log(ILogger.LL_FAILURE, e.toString());
auditDeleteGroupMember(groupID, groupMemberData, ILogger.FAILURE);
- throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+ throw new PKIException(getUserMessage("CMS_USRGRP_GROUP_MODIFY_FAILED"));
}
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupService.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupService.java
index 3fd84da6c..3f250517a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupService.java
@@ -38,6 +38,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.base.ResourceNotFoundException;
import com.netscape.certsrv.common.OpDef;
import com.netscape.certsrv.common.ScopeDef;
import com.netscape.certsrv.group.GroupCollection;
@@ -207,23 +208,18 @@ public class GroupService extends PKIService implements GroupResource {
}
// allow adding a group with no members
- try {
- userGroupManager.addGroup(group);
+ userGroupManager.addGroup(group);
- auditAddGroup(groupID, groupData, ILogger.SUCCESS);
+ auditAddGroup(groupID, groupData, ILogger.SUCCESS);
- // read the data back
- groupData = getGroup(groupID);
+ // read the data back
+ groupData = getGroup(groupID);
- return Response
- .created(groupData.getLink().getHref())
- .entity(groupData)
- .type(MediaType.APPLICATION_XML)
- .build();
-
- } catch (Exception e) {
- throw new PKIException(getUserMessage("CMS_USRGRP_GROUP_ADD_FAILED", headers));
- }
+ return Response
+ .created(groupData.getLink().getHref())
+ .entity(groupData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
} catch (PKIException e) {
auditAddGroup(groupID, groupData, ILogger.FAILURE);
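Review bot: With the inner `catch (Exception e)` removed, a checked EUsrGrpException thrown by `userGroupManager.addGroup(group)` at L203 is not a PKIException, so it bypasses the `catch (PKIException e)` at L224 and `auditAddGroup(..., ILogger.FAILURE)` is skipped on that path unless an EBaseException handler follows outside the hunk. The deleteUser hunk in UserService (L439-L441) adds exactly such a handler; modifyGroup (L257), UserService addUser (L359) and modifyUser (L401) have the same shape and need the same check. If no handler exists, add `} catch (EBaseException e) { auditAddGroup(groupID, groupData, ILogger.FAILURE); throw new PKIException(getUserMessage("CMS_USRGRP_GROUP_ADD_FAILED", headers), e); }` after the PKIException branch. The enclosing method continues outside the hunk.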
@@ -263,27 +259,25 @@ public class GroupService extends PKIService implements GroupResource {
IGroup group = userGroupManager.getGroupFromName(groupID);
+ if (group == null) {
+ throw new ResourceNotFoundException("Group " + groupID + " not found.");
+ }
+
group.set("description", groupData.getDescription());
// allow adding a group with no members, except "Certificate
// Server Administrators"
- try {
- userGroupManager.modifyGroup(group);
-
- auditModifyGroup(groupID, groupData, ILogger.SUCCESS);
+ userGroupManager.modifyGroup(group);
- // read the data back
- groupData = getGroup(groupID);
+ auditModifyGroup(groupID, groupData, ILogger.SUCCESS);
- return Response
- .ok(groupData)
- .type(MediaType.APPLICATION_XML)
- .build();
+ // read the data back
+ groupData = getGroup(groupID);
- } catch (Exception e) {
- log(ILogger.LL_FAILURE, e.toString());
- throw new PKIException(getUserMessage("CMS_USRGRP_GROUP_MODIFY_FAILED", headers));
- }
+ return Response
+ .ok(groupData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
} catch (PKIException e) {
auditModifyGroup(groupID, groupData, ILogger.FAILURE);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UserService.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UserService.java
index 827541e2f..3f172abeb 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UserService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UserService.java
@@ -39,7 +39,6 @@ import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
-import netscape.ldap.LDAPException;
import netscape.security.pkcs.PKCS7;
import netscape.security.x509.X509CertImpl;
@@ -49,7 +48,6 @@ import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.InternalCertificate;
import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.base.BadRequestDataException;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ForbiddenException;
@@ -62,7 +60,6 @@ import com.netscape.certsrv.common.OpDef;
import com.netscape.certsrv.common.ScopeDef;
import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.certsrv.group.GroupMemberData;
-import com.netscape.certsrv.ldap.LDAPExceptionConverter;
import com.netscape.certsrv.logging.IAuditor;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.password.IPasswordCheck;
@@ -187,7 +184,7 @@ public class UserService extends PKIService implements UserResource {
if (userID == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
- throw new BadRequestDataException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
+ throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
}
IUser user;
@@ -266,13 +263,13 @@ public class UserService extends PKIService implements UserResource {
try {
if (userID == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
- throw new BadRequestDataException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
+ throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
}
if (userID.indexOf(BACK_SLASH) != -1) {
// backslashes (BS) are not allowed
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS"));
- throw new BadRequestDataException(getUserMessage("CMS_ADMIN_SRVLT_RS_ID_BS", headers));
+ throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_RS_ID_BS", headers));
}
if (userID.equals(SYSTEM_USER)) {
@@ -288,7 +285,7 @@ public class UserService extends PKIService implements UserResource {
String msg = getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", headers, "full name");
log(ILogger.LL_FAILURE, msg);
- throw new BadRequestDataException(msg);
+ throw new BadRequestException(msg);
} else {
user.setFullName(fname);
@@ -337,43 +334,24 @@ public class UserService extends PKIService implements UserResource {
String csType = cs.getString("cs.type");
if (tpsProfiles != null) {
if (!csType.equals("TPS")) {
- throw new BadRequestDataException("Cannot set tpsProfiles on a non-TPS subsystem");
+ throw new BadRequestException("Cannot set tpsProfiles on a non-TPS subsystem");
}
String[] profiles = tpsProfiles.split(",");
user.setTpsProfiles(Arrays.asList(profiles));
}
- try {
- userGroupManager.addUser(user);
-
- auditAddUser(userID, userData, ILogger.SUCCESS);
-
- // read the data back
- userData = getUser(userID);
-
- return Response
- .created(userData.getLink().getHref())
- .entity(userData)
- .type(MediaType.APPLICATION_XML)
- .build();
-
- } catch (EUsrGrpException e) {
- log(ILogger.LL_FAILURE, e.toString());
+ userGroupManager.addUser(user);
- if (user.getUserID() == null) {
- throw new BadRequestDataException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", headers, "uid"));
- } else {
- throw new PKIException(e.getMessage(), e);
- }
+ auditAddUser(userID, userData, ILogger.SUCCESS);
- } catch (LDAPException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString()));
- throw LDAPExceptionConverter.toPKIException(e);
+ // read the data back
+ userData = getUser(userID);
- } catch (Exception e) {
- log(ILogger.LL_FAILURE, e.toString());
- throw new PKIException(e.getMessage(), e);
- }
+ return Response
+ .created(userData.getLink().getHref())
+ .entity(userData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
} catch (PKIException e) {
auditAddUser(userID, userData, ILogger.FAILURE);
@@ -407,7 +385,7 @@ public class UserService extends PKIService implements UserResource {
try {
if (userID == null) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
- throw new BadRequestDataException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
+ throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
}
IUser user = userGroupManager.createUser(userID);
@@ -447,29 +425,23 @@ public class UserService extends PKIService implements UserResource {
String csType = cs.getString("cs.type");
if (tpsProfiles != null) {
if (!csType.equals("TPS")) {
- throw new BadRequestDataException("Cannot set tpsProfiles on a non-TPS subsystem");
+ throw new BadRequestException("Cannot set tpsProfiles on a non-TPS subsystem");
}
String[] profiles = tpsProfiles.split(",");
user.setTpsProfiles(Arrays.asList(profiles));
}
- try {
- userGroupManager.modifyUser(user);
-
- auditModifyUser(userID, userData, ILogger.SUCCESS);
+ userGroupManager.modifyUser(user);
- // read the data back
- userData = getUser(userID);
+ auditModifyUser(userID, userData, ILogger.SUCCESS);
- return Response
- .ok(userData)
- .type(MediaType.APPLICATION_XML)
- .build();
+ // read the data back
+ userData = getUser(userID);
- } catch (Exception e) {
- log(ILogger.LL_FAILURE, e.toString());
- throw new PKIException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED", headers));
- }
+ return Response
+ .ok(userData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
} catch (PKIException e) {
auditModifyUser(userID, userData, ILogger.FAILURE);
@@ -509,35 +481,27 @@ public class UserService extends PKIService implements UserResource {
}
// get list of groups, and see if uid belongs to any
- Enumeration<IGroup> groups;
+ Enumeration<IGroup> groups = userGroupManager.findGroups("*");
- try {
- groups = userGroupManager.findGroups("*");
+ while (groups.hasMoreElements()) {
+ IGroup group = groups.nextElement();
+ if (!group.isMember(userID)) continue;
- } catch (Exception e) {
- throw new PKIException(getUserMessage("CMS_INTERNAL_ERROR", headers));
+ userGroupManager.removeUserFromGroup(group, userID);
}
- try {
- while (groups.hasMoreElements()) {
- IGroup group = groups.nextElement();
- if (!group.isMember(userID)) continue;
+ // comes out clean of group membership...now remove user
+ userGroupManager.removeUser(userID);
- userGroupManager.removeUserFromGroup(group, userID);
- }
-
- // comes out clean of group membership...now remove user
- userGroupManager.removeUser(userID);
-
- auditDeleteUser(userID, ILogger.SUCCESS);
-
- } catch (Exception e) {
- throw new PKIException(getUserMessage("CMS_USRGRP_SRVLT_FAIL_USER_RMV", headers));
- }
+ auditDeleteUser(userID, ILogger.SUCCESS);
} catch (PKIException e) {
auditDeleteUser(userID, ILogger.FAILURE);
throw e;
+
+ } catch (EBaseException e) {
+ auditDeleteUser(userID, ILogger.FAILURE);
+ throw new PKIException(e.getMessage());
}
}
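Review bot: `throw new PKIException(e.getMessage());` at L441 drops the cause and forwards the raw EBaseException text to the client in place of the localized CMS_USRGRP_SRVLT_FAIL_USER_RMV message the removed code (L432) used. The two-argument constructor is already used in this file (removed L342), so `throw new PKIException(getUserMessage("CMS_USRGRP_SRVLT_FAIL_USER_RMV", headers), e);` keeps the stack trace for the server log and the user-facing text for the response. A `log(ILogger.LL_FAILURE, e.toString())` before the rethrow would match how the other handlers in this class record failures.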
@@ -864,13 +828,6 @@ public class UserService extends PKIService implements UserResource {
log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID",
String.valueOf(cert.getSubjectDN())));
throw new BadRequestException(getUserMessage("CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID", headers));
-
- } catch (LDAPException e) {
- if (e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
- throw new PKIException(getUserMessage("CMS_USRGRP_SRVLT_USER_CERT_EXISTS", headers));
- } else {
- throw new PKIException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED", headers));
- }
}
} catch (PKIException e) {
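Review bot: With the LDAPException branch removed, a duplicate certificate now reaches the client as the converter's generic 409 "Attribute or value exists." (L49) instead of the localized CMS_USRGRP_SRVLT_USER_CERT_EXISTS message the removed L451 produced. The UsrGrpAdminServlet hunk at L498-L512 keeps that message by catching ConflictingOperationException; this method can do the same with `} catch (ConflictingOperationException e) { throw new ConflictingOperationException(getUserMessage("CMS_USRGRP_SRVLT_USER_CERT_EXISTS", headers), e); }` placed before the `catch (PKIException e)` so the FAILURE audit still fires. The enclosing method continues outside the hunk.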
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
index 2cd337123..c4eed9068 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
@@ -31,7 +31,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPException;
import netscape.security.pkcs.PKCS7;
import netscape.security.x509.X509CertImpl;
@@ -40,6 +39,7 @@ import org.mozilla.jss.crypto.InternalCertificate;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ICertPrettyPrint;
import com.netscape.certsrv.base.ISubsystem;
@@ -900,21 +900,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
}
return;
- } catch (LDAPException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString()));
- // store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
- auditSubjectID,
- ILogger.FAILURE,
- auditParams(req));
-
- audit(auditMessage);
-
- sendResponse(ERROR,
- CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
- return;
} catch (Exception e) {
log(ILogger.LL_FAILURE, e.toString());
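Review bot: The removed branch (L478-L491) wrote a LOGGING_SIGNED_AUDIT_CONFIG_ROLE FAILURE record when the user add failed in LDAP; those failures now arrive as an unchecked PKIException in the `catch (Exception e)` at L492, whose body is outside the hunk. Confirm that branch emits the same audit record and the CMS_USRGRP_USER_ADD_FAILED response, otherwise a directory error during role configuration leaves no signed-audit trace. If it does not, add an explicit `} catch (PKIException e) {` ahead of the generic handler that audits FAILURE and sends the same message.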
@@ -1251,7 +1237,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp);
return;
- } catch (LDAPException e) {
+ } catch (ConflictingOperationException e) {
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
@@ -1261,14 +1247,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
audit(auditMessage);
- if (e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
- sendResponse(ERROR,
- CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp);
- } else {
- sendResponse(ERROR,
- CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
- }
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp);
return;
+
} catch (Exception e) {
log(ILogger.LL_FAILURE, e.toString());
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
index 16e2ab840..a0b975007 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
@@ -1555,15 +1555,8 @@ public class EnrollServlet extends CMSServlet {
IUser adminuser = ug.createUser(userid);
adminuser.setX509Certificates(issuedCerts);
- try {
- ug.addUserCert(adminuser);
- } catch (netscape.ldap.LDAPException e) {
- CMS.debug(
- "EnrollServlet: Cannot add admin's certificate to its entry in the " +
- "user group database. Error " + e);
- throw new ECMSGWException(
- CMS.getUserMessage("CMS_GW_ADDING_ADMIN_CERT_ERROR", e.toString()));
- }
+ ug.addUserCert(adminuser);
+
IGroup agentGroup =
ug.getGroupFromName(CA_AGENT_GROUP);
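Review bot: `ug.addUserCert(adminuser)` at L533 now fails with an unchecked PKIException instead of the checked LDAPException, and the removed wrapper (L526-L531) that logged the failure and raised ECMSGWException with CMS_GW_ADDING_ADMIN_CERT_ERROR has no replacement, so the error propagates out of the enrollment path unless a handler outside the hunk catches it. If callers rely on ECMSGWException, restore the wrapper as a `catch (PKIException e)` with the same debug line and `throw new ECMSGWException(CMS.getUserMessage("CMS_GW_ADDING_ADMIN_CERT_ERROR", e.toString()));`. The enclosing method continues outside the hunk.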
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 1936b2c5a..ede632ee5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -29,7 +29,6 @@ import java.util.Set;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPException;
import netscape.security.pkcs.PKCS10;
import netscape.security.x509.CertificateExtensions;
import netscape.security.x509.X500Name;
@@ -45,6 +44,7 @@ import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.X509Certificate;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.MetaInfo;
@@ -281,7 +281,7 @@ public class CertUtil {
* If that entry does not exist, uses basic default
*
* 2. Gets default.params.signingAlg from profile.
- * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list
+ * If entry does not exist or equals "-", selects first algorithm in allowed algorithm list
* that matches CA signing key type
* Otherwise returns entry if it matches signing CA key type.
*
@@ -584,27 +584,25 @@ public class CertUtil {
user.setUserType("agentType");
user.setState("1");
user.setPhone("");
- certs[0] = cert;
- user.setX509Certificates(certs);
system.addUser(user);
CMS.debug("CertUtil addUserCertificate: successfully add the user");
- } catch (LDAPException e) {
+
+ } catch (ConflictingOperationException e) {
CMS.debug("CertUtil addUserCertificate" + e.toString());
- if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
- try {
- user = system.getUser(id);
- user.setX509Certificates(certs);
- } catch (Exception ee) {
- CMS.debug("CertUtil addUserCertificate: successfully find the user");
- }
- }
+ // ignore
+
} catch (Exception e) {
CMS.debug("CertUtil addUserCertificate addUser " + e.toString());
}
try {
+ user = system.getUser(id);
+ certs[0] = cert;
+ user.setX509Certificates(certs);
+
system.addUserCert(user);
CMS.debug("CertUtil addUserCertificate: successfully add the user certificate");
+
} catch (Exception e) {
CMS.debug("CertUtil addUserCertificate exception=" + e.toString());
}
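Review bot: `user = system.getUser(id)` at L589 can return null when the preceding addUser failed for a reason other than a conflict, because the `catch (Exception e)` at L585 only logs; the resulting NullPointerException at L591 is then swallowed by the generic handler at L596 and logged as "exception=", which hides the real cause. Add a null check before `user.setX509Certificates(certs)` that logs the missing user explicitly and skips the certificate update. The `// ignore` at L583 should also state what is being accepted, e.g. `// user entry already exists; proceed to attach the certificate below`.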
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index bbfb17374..b2634f6c2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -137,6 +137,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.EAuthException;
import com.netscape.certsrv.authentication.IAuthSubsystem;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
@@ -3121,7 +3122,7 @@ public class ConfigurationUtils {
}
public static void createAdmin(String uid, String email, String name, String pwd) throws IOException,
- EBaseException {
+ EBaseException, LDAPException {
IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
IConfigStore config = CMS.getConfigStore();
String groupNames = config.getString("preop.admin.group", "Certificate Manager Agents,Administrators");
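Review bot: createAdmin gains `throws LDAPException` at L615, but `system.addUser(user)` at L622 no longer declares it (L733) and nothing else in the visible lines throws it; unless a call later in the method still does, the clause is dead and forces every caller to handle a checked exception that cannot occur. The same applies to addProfilesToTPSUser at L653. If nothing throws it, drop the clause; if something does, a short comment naming that call would help the next reader.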
@@ -3137,14 +3138,10 @@ public class ConfigurationUtils {
user.setState("1");
user.setPhone("");
system.addUser(user);
- } catch (LDAPException e) {
- CMS.debug("AdminPanel createAdmin: addUser " + e.toString());
- if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
- throw new IOException(e.toString());
- }
- } catch (Exception e) {
+
+ } catch (ConflictingOperationException e) {
CMS.debug("AdminPanel createAdmin: addUser " + e.toString());
- throw new IOException(e.toString());
+ // ignore
}
IGroup group = null;
@@ -3529,10 +3526,8 @@ public class ConfigurationUtils {
user.setX509Certificates(certs);
try {
system.addUser(user);
- } catch (LDAPException e) {
- if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
- throw e;
- }
+ } catch (ConflictingOperationException e) {
+ // ignore if
}
CMS.debug("DonePanel display: successfully add the user");
system.addUserCert(user);
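Review bot: The comment `// ignore if` at L645 is truncated. Complete it so the reader knows which condition is being accepted, e.g. `// ignore: user entry already exists`. Note that ConflictingOperationException also covers ATTRIBUTE_OR_VALUE_EXISTS (L49), slightly wider than the removed ENTRY_ALREADY_EXISTS test at L641.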
@@ -3777,7 +3772,7 @@ public class ConfigurationUtils {
removeOldDBUsers(certs[0].getSubjectDN().toString());
}
- public static void addProfilesToTPSUser(String adminID) throws EUsrGrpException {
+ public static void addProfilesToTPSUser(String adminID) throws EUsrGrpException, LDAPException {
CMS.debug("Adding all profiles to TPS admin user");
IUGSubsystem system = (IUGSubsystem) CMS.getSubsystem(IUGSubsystem.ID);
IUser user = system.getUser(adminID);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
index 7019d1492..98614ac61 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java
@@ -27,12 +27,12 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.ldap.LDAPException;
import netscape.security.x509.X509CertImpl;
import org.apache.velocity.context.Context;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.ConflictingOperationException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
@@ -291,13 +291,12 @@ public class ImportAdminCertPanel extends WizardPanelBase {
IUser user = ug.getUser(uid);
user.setX509Certificates(certs);
ug.addUserCert(user);
- } catch (LDAPException e) {
+
+ } catch (ConflictingOperationException e) {
CMS.debug("ImportAdminCertPanel update: failed to add certificate to the internal database. Exception: "
+ e.toString());
- if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
- context.put("updateStatus", "failure");
- throw new IOException(e.toString());
- }
+ // ignore
+
} catch (Exception e) {
CMS.debug(
"ImportAdminCertPanel update: failed to add certificate. Exception: "
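Review bot: The removed branch (L681-L684) set `context.put("updateStatus", "failure")` and failed the update for LDAP errors other than a duplicate value; those errors now arrive as PKIException in the `catch (Exception e)` at L687, whose body is outside the hunk. Confirm that handler sets updateStatus, otherwise the wizard reports success after a failed certificate import. The debug text at L679 ("failed to add certificate to the internal database") is also misleading for a case the code then ignores; something like `CMS.debug("ImportAdminCertPanel update: certificate already present in user entry, ignoring: " + e);` describes what actually happens.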
diff --git a/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 3833c2937..4eaaa4758 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -42,8 +42,10 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.base.ResourceNotFoundException;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.certsrv.ldap.LDAPExceptionConverter;
import com.netscape.certsrv.logging.AuditFormat;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.usrgrp.EUsrGrpException;
@@ -264,8 +266,7 @@ public final class UGSubsystem implements IUGSubsystem {
* Searchs for identities that matches the certificate locater
* generated filter.
*/
- public IUser findUsersByCert(String filter) throws
- EUsrGrpException, LDAPException {
+ public IUser findUsersByCert(String filter) throws EUsrGrpException {
if (filter == null) {
return null;
}
@@ -299,10 +300,13 @@ public final class UGSubsystem implements IUGSubsystem {
Enumeration<IUser> e = buildUsers(res);
return e.nextElement();
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_FIND_USER_BY_CERT", e.toString()));
+
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_FIND_USER_BY_CERT", e.toString()));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
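Review bot: findUsersByCert still logs and swallows LDAPException at L719-L720 while addUser (L741-L743) now converts it with LDAPExceptionConverter, so a directory failure during a certificate lookup is indistinguishable to the caller from "no matching user" (the code after the finally block is outside the hunk; presumably it returns null). Since the new signature permits unchecked PKIException, `throw LDAPExceptionConverter.toPKIException(e);` after the log line would make this path consistent with the commit's intent; the ELdapException branch could likewise rethrow as EUsrGrpException the way addUser does at L747.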
@@ -646,7 +650,7 @@ public final class UGSubsystem implements IUGSubsystem {
* Adds identity. Certificates handled by a separate call to
* addUserCert()
*/
- public void addUser(IUser identity) throws EUsrGrpException, LDAPException {
+ public void addUser(IUser identity) throws EUsrGrpException {
User id = (User) identity;
if (id == null) {
@@ -731,8 +735,15 @@ public final class UGSubsystem implements IUGSubsystem {
try {
ldapconn = getConn();
ldapconn.add(entry);
+
+ } catch (LDAPException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
+
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_USER_FAIL"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
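Review bot: The new LDAPException branch hands the raw exception to LDAPExceptionConverter.toPKIException(e), and the same call is introduced in the remaining hunks of this file, so what reaches the client depends entirely on that converter, which is outside this view. If its fallback case copies e.getMessage() into the PKIException, the directory server's error text (result-code detail, possibly DNs) is returned to REST clients, even though the full text is already captured server-side by the preceding log call. Suggest keeping the detailed text in the log only and having the returned exception carry a generic user message, such as the existing `CMS_USRGRP_ADD_USER_FAIL`, for result codes the converter does not map explicitly.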
@@ -742,8 +753,7 @@ public final class UGSubsystem implements IUGSubsystem {
/**
* adds a user certificate to user
*/
- public void addUserCert(IUser identity) throws EUsrGrpException,
- LDAPException {
+ public void addUserCert(IUser identity) throws EUsrGrpException {
User user = (User) identity;
if (user == null) {
@@ -790,9 +800,12 @@ public final class UGSubsystem implements IUGSubsystem {
e.printStackTrace();
}
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
- throw e;
+ throw LDAPExceptionConverter.toPKIException(e);
+
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -802,7 +815,7 @@ public final class UGSubsystem implements IUGSubsystem {
return;
}
- public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+ public void addCertSubjectDN(IUser identity) throws EUsrGrpException {
User user = (User) identity;
if (user == null) {
@@ -838,9 +851,12 @@ public final class UGSubsystem implements IUGSubsystem {
e.printStackTrace();
}
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
- throw e;
+ throw LDAPExceptionConverter.toPKIException(e);
+
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -850,7 +866,7 @@ public final class UGSubsystem implements IUGSubsystem {
return;
}
- public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException {
User user = (User) identity;
if (user == null) {
@@ -887,9 +903,12 @@ public final class UGSubsystem implements IUGSubsystem {
e.printStackTrace();
}
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
- throw e;
+ throw LDAPExceptionConverter.toPKIException(e);
+
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
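Review bot: The LDAPException branch of removeCertSubjectDN logs the failure under CMSCORE_USRGRP_ADD_USER, so a removal failure shows up as an add failure to anyone reading the subsystem log; the addCertSubjectDN hunk above uses the same key, which fits there but is misleading here. A removal-specific key, such as the CMSCORE_USRGRP_REMOVE_USER that the later removeUserCert hunk appears to use, would keep the log accurate: `log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString()));`. The e.printStackTrace() call in the same branch also writes to stderr rather than the subsystem log. The method's header and the start of its body lie before this hunk.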
@@ -916,19 +935,19 @@ public final class UGSubsystem implements IUGSubsystem {
ldapUser = (User) getUser(user.getUserID());
if (ldapUser == null) {
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USER_NOT_FOUND"));
+ throw new ResourceNotFoundException(CMS.getUserMessage("CMS_USRGRP_USER_NOT_FOUND"));
}
X509Certificate[] certs = ldapUser.getX509Certificates();
if (certs == null) {
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND"));
+ throw new ResourceNotFoundException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND"));
}
String delCertdn = user.getCertDN();
if (delCertdn == null) {
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND"));
+ throw new ResourceNotFoundException(CMS.getUserMessage("CMS_USRGRP_CERT_NOT_FOUND"));
}
int certCount = 0;
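Review bot: The third check treats a null user.getCertDN() as ResourceNotFoundException, but that value is caller-supplied input: the request simply did not name a certificate, which is a malformed request rather than a missing resource, and mapping it to the same not-found response as an unknown user or certificate hides the client error. The first two checks are correct as not-found. If `BadRequestException` in com.netscape.certsrv.base is available at this revision, the third check should throw that instead, leaving CMS_USRGRP_CERT_NOT_FOUND for the genuinely-missing case only. The enclosing removeUserCert body continues outside the hunk.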
@@ -963,7 +982,7 @@ public final class UGSubsystem implements IUGSubsystem {
if (e.getLDAPResultCode() == 16) { // ignore missing seeAlso attribute
CMS.debug("removeUserCert: No attribute "+LDAP_ATTR_CERTDN+" in entry "+dn);
} else {
- throw e;
+ throw LDAPExceptionConverter.toPKIException(e);
}
}
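Review bot: The comparison `e.getLDAPResultCode() == 16` relies on a magic number that the trailing comment has to explain; the netscape LDAP SDK defines the same value as `LDAPException.NO_SUCH_ATTRIBUTE`, so `if (e.getLDAPResultCode() == LDAPException.NO_SUCH_ATTRIBUTE) {` states the intent without the comment and cannot drift from it. The surrounding try/catch starts and ends outside the hunk.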
@@ -1000,10 +1019,11 @@ public final class UGSubsystem implements IUGSubsystem {
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString()));
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_USER_FAIL"));
+ throw LDAPExceptionConverter.toPKIException(e);
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_USR_CERT_ERROR"));
} finally {
if (ldapconn != null)
@@ -1031,12 +1051,14 @@ public final class UGSubsystem implements IUGSubsystem {
LDAPModification.ADD, memberAttr);
ldapconn.modify(groupDN, singleChange);
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER_TO_GROUP", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_USER_FAIL"));
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER_TO_GROUP", e.toString()));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
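Review bot: The ELdapException branch at the end of this hunk still only logs, so when the group modification cannot be carried out (presumably a getConn() failure) addUserToGroup returns normally and the caller, and the REST client behind it, is told the membership change succeeded. The same silent return remains in the next two hunks (removeUserFromGroup and the removal hunk that follows it), where it matters more: an administrator revoking group membership or removing a user gets a success while the directory entry is unchanged. This commit already adds the missing throw for the same branch in addUser; the group hunks should match, e.g. `throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_USER_FAIL"));` here and `throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_REMOVE_USER_FAIL"));` in the two removal hunks, reusing the messages the replaced LDAPException lines carried.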
@@ -1058,12 +1080,14 @@ public final class UGSubsystem implements IUGSubsystem {
LDAPModification.DELETE, memberAttr);
ldapconn.modify(groupDN, singleChange);
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER_FROM_GROUP", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_REMOVE_USER_FAIL"));
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER_FROM_GROUP", e.toString()));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -1094,10 +1118,11 @@ public final class UGSubsystem implements IUGSubsystem {
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_REMOVE_USER_FAIL"));
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_USER", e.toString()));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -1259,9 +1284,13 @@ public final class UGSubsystem implements IUGSubsystem {
new Object[] { adminId, user.getUserID() }
);
- } catch (Exception e) {
+ } catch (LDAPException e) {
+ throw LDAPExceptionConverter.toPKIException(e);
+
+ } catch (ELdapException e) {
//e.printStackTrace();
throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_USER_FAIL"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
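Review bot: The new LDAPException branch throws the converted exception without the `log(ILogger.LL_FAILURE, ...)` call that every other converted branch in this file makes first, so a failed user modification, which can include attribute changes affecting what the user may do, leaves no trace in the subsystem log. Suggest logging before the conversion, `log(ILogger.LL_FAILURE, CMS.getLogMessage("<modify-user log key>", e.toString()));`, with the message key this subsystem uses for user modification; no such key is visible in this diff, so the name above is a placeholder. Narrowing the former `catch (Exception e)` to the two LDAP types also means any other runtime exception from the try body now propagates unwrapped; the try body begins outside the hunk, so that deserves a quick check. The ELdapException branch keeps a commented-out printStackTrace line that could be dropped.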
@@ -1664,13 +1693,15 @@ public final class UGSubsystem implements IUGSubsystem {
ldapconn = getConn();
ldapconn.add(entry);
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_GROUP", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_GROUP_FAIL"));
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_GROUP", e.toString()));
throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_GROUP_FAIL"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -1693,12 +1724,15 @@ public final class UGSubsystem implements IUGSubsystem {
try {
ldapconn = getConn();
ldapconn.delete("cn=" + LDAPUtil.escapeRDNValue(name) + "," + getGroupBaseDN());
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_GROUP", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_REMOVE_GROUP_FAIL"));
} catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_REMOVE_GROUP", e.toString()));
+ throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_REMOVE_GROUP_FAIL"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);
@@ -1748,13 +1782,15 @@ public final class UGSubsystem implements IUGSubsystem {
ldapconn = getConn();
ldapconn.modify("cn=" + LDAPUtil.escapeRDNValue(grp.getGroupID()) +
"," + getGroupBaseDN(), mod);
+
} catch (LDAPException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_MODIFY_GROUP", e.toString()));
+ throw LDAPExceptionConverter.toPKIException(e);
- throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_GROUP_FAIL"));
- } catch (Exception e) {
+ } catch (ELdapException e) {
log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_MODIFY_GROUP", e.toString()));
throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_MOD_GROUP_FAIL"));
+
} finally {
if (ldapconn != null)
returnConn(ldapconn);