summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2016-04-19 14:52:40 -0400
committerAde Lee <alee@redhat.com>2016-04-20 17:31:01 -0400
commitb59d8305130e81d3e00240b5612a327c9dfc7d12 (patch)
tree0634fd72c54083da01fa8bf5173c027cb3a55fdb
parent3e4eb72ec8a295784e9283cccf637d4199d96626 (diff)
downloadpki-b59d8305130e81d3e00240b5612a327c9dfc7d12.zip
pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.gz
pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.xz
Realms - Address comments from review
Review comments addressed: 1. when archiving or generating keys, realm is checked 2. when no plugin is found for a realm, access is denied. 3. rename mFoo to foo for new variables. 4. add chaining of exceptions 5. remove attributes from KeyArchivalRequest etc. when realm is null 6. Add more detail to denial in BasicGroupAuthz Part of Trac Ticket 2041
-rw-r--r--base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java28
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java6
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyClient.java19
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java6
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java67
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java32
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java21
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java15
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java6
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java8
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java2
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java8
12 files changed, 143 insertions, 75 deletions
diff --git a/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java
new file mode 100644
index 0000000..1be1577
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java
@@ -0,0 +1,28 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authorization;
+
+public class EAuthzUnknownRealm extends EAuthzException {
+
+ private static final long serialVersionUID = 2288587364467614277L;
+
+ public EAuthzUnknownRealm(String errorString) {
+ super(errorString);
+ }
+
+}
diff --git a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
index d2a7749..67810a0 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
@@ -214,7 +214,11 @@ public class KeyArchivalRequest extends ResourceMessage {
* @param realm - the authentication realm
*/
public void setRealm(String realm) {
- attributes.put(REALM, realm);
+ if (realm != null) {
+ attributes.put(REALM, realm);
+ } else {
+ attributes.remove(REALM);
+ }
}
public String toString() {
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index 1c8a76b..cb35922 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -653,10 +653,7 @@ public class KeyClient extends Client {
String req1 = Utils.base64encode(encryptedData);
data.setWrappedPrivateData(req1);
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -708,10 +705,7 @@ public class KeyClient extends Client {
String options = Utils.base64encode(pkiArchiveOptions);
data.setPKIArchiveOptions(options);
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -757,9 +751,7 @@ public class KeyClient extends Client {
data.setUsages(usages);
data.setTransWrappedSessionKey(transWrappedSessionKey);
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -829,10 +821,7 @@ public class KeyClient extends Client {
data.setKeySize(keySize);
data.setUsages(usages);
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
diff --git a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
index 37fc1c2..50946bb 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
@@ -134,6 +134,10 @@ public class KeyGenerationRequest extends ResourceMessage{
* @param realm - authorization realm to set
*/
public void setRealm(String realm) {
- attributes.put(REALM, realm);
+ if (realm != null) {
+ attributes.put(REALM, realm);
+ } else {
+ attributes.remove(REALM);
+ }
}
}
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 8504f0e..41d78af 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
@@ -171,15 +172,25 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Archival must be performed by an agent");
}
+
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "archive");
+ }
response = dao.submitRequest(data, uriInfo, getRequestor());
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -216,7 +227,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditRecoveryRequestMade(null, ILogger.FAILURE, data.getKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -233,11 +244,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.approveRequest(id, getRequestor(), getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to approve request");
+ throw new UnauthorizedException("Not authorized to approve request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -254,11 +265,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.rejectRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "reject");
}catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to reject request");
+ throw new UnauthorizedException("Not authorized to reject request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "reject");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -275,11 +286,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.cancelRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "cancel");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to cancel request");
+ throw new UnauthorizedException("Not authorized to cancel request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "cancel");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -295,10 +306,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
try {
authz.checkRealm(realm, getAuthToken(), null, "keyRequests", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these requests");
+ throw new UnauthorizedException("Not authorized to list these requests", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
// get ldap filter
@@ -317,7 +330,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException e) {
CMS.debug("listRequests: error in obtaining request results" + e);
e.printStackTrace();
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createOKResponse(requests);
}
@@ -426,7 +439,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
request = requestClazz.getDeclaredConstructor(ResourceMessage.class).newInstance(data);
} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException
| IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
- throw new BadRequestException("Invalid request class." + e);
+ throw new BadRequestException("Invalid request class." + e, e);
}
if (request instanceof KeyArchivalRequest) {
@@ -453,16 +466,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateSymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -477,16 +500,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateAsymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditAsymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 52df769..255d8d6 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -44,6 +44,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.HTTPGoneException;
@@ -150,7 +151,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EBaseException e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, null, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
String type = request.getRequestType();
@@ -170,7 +171,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (Exception e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
if (keyData == null) {
@@ -348,7 +349,7 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(logMessage);
e1.printStackTrace();
- throw new PKIException(logMessage + e1.getMessage());
+ throw new PKIException(logMessage + e1.getMessage(), e1);
}
if (reqInfo == null) {
// request not found
@@ -377,7 +378,7 @@ public class KeyService extends PKIService implements KeyResource {
logMessage = e.getMessage();
CMS.debug(logMessage);
- throw new PKIException(logMessage);
+ throw new PKIException(logMessage, e);
}
String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
if (! originator.equals(retriever)) {
@@ -423,10 +424,12 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these keys");
+ throw new UnauthorizedException("Not authorized to list these keys", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -475,7 +478,7 @@ public class KeyService extends PKIService implements KeyResource {
auditRetrieveKey(ILogger.FAILURE, null, clientKeyID, e.getMessage() + auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
@@ -508,10 +511,10 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to read this key");
+ throw new UnauthorizedException("Not authorized to read this key", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
@@ -686,18 +689,17 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EAuthzAccessDenied e) {
auditInfo = method + "Unauthorized access for key record";
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
- throw new UnauthorizedException(auditInfo);
+ throw new UnauthorizedException(auditInfo, e);
} catch (EDBRecordNotFoundException e) {
auditInfo = method + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
-
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found", e);
} catch (Exception e) {
auditInfo = method + "Unable to retrieve key record: " + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
CMS.debug(auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
@@ -735,14 +737,14 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to modify", e);
} catch (Exception e) {
auditInfo = auditInfo + ":" + e.getMessage();
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
index 1908e3c..0bf2431 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
@@ -44,35 +44,35 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
private static final String GROUP = "group";
/* name of this authorization manager instance */
- private String name = null;
+ private String name;
/* name of the authorization manager plugin */
- private String implName = null;
+ private String implName;
/* configuration store */
private IConfigStore config;
/* group that is allowed to access resources */
- private String groupName = null;
+ private String groupName;
/* Vector of extendedPluginInfo strings */
- protected static Vector<String> mExtendedPluginInfo = null;
+ protected static Vector<String> extendedPluginInfo;
- protected static String[] mConfigParams = null;
+ protected static String[] configParams;
static {
- mExtendedPluginInfo = new Vector<String>();
- mExtendedPluginInfo.add("group;string,required;" +
+ extendedPluginInfo = new Vector<String>();
+ extendedPluginInfo.add("group;string,required;" +
"Group to permit access");
}
public BasicGroupAuthz() {
- mConfigParams = new String[] {"group"};
+ configParams = new String[] {"group"};
}
@Override
public String[] getExtendedPluginInfo(Locale locale) {
- String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
+ String[] s = Utils.getStringArrayFromVector(extendedPluginInfo);
return s;
}
@@ -103,6 +103,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
IGroup group = ug.getGroupFromName(groupName);
if (!group.isMember(user)) {
+ CMS.debug("BasicGroupAuthz: access denied. User: " + user + " is not a member of group: " + groupName);
throw new EAuthzAccessDenied("Access denied");
}
@@ -139,7 +140,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
@Override
public String[] getConfigParams() throws EBaseException {
- return mConfigParams;
+ return configParams;
}
@Override
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 8aa0d21..04bb6f2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -37,6 +37,7 @@ import org.mozilla.jss.crypto.KeyPairAlgorithm;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
@@ -259,13 +260,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
try {
rec = repo.readKeyRecord(keyId.toBigInteger());
} catch (EDBRecordNotFoundException e) {
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to recover", e);
}
try {
authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ } catch (EAuthzUnknownRealm e) {
+ throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
- throw new UnauthorizedException("Agent not authorized by realm");
+ throw new UnauthorizedException("Agent not authorized by realm", e);
}
Hashtable<String, Object> requestParams;
@@ -315,13 +318,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
try {
rec = repo.readKeyRecord(keyId.toBigInteger());
} catch (EDBRecordNotFoundException e) {
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to recover", e);
}
try {
authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ } catch (EAuthzUnknownRealm e) {
+ throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
- throw new UnauthorizedException("Agent not authorized by realm");
+ throw new UnauthorizedException("Agent not authorized by realm", e);
}
String b64Certificate = data.getCertificate();
@@ -332,7 +337,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
// TODO - update request with realm
} catch (EBaseException | CertificateException e) {
e.printStackTrace();
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
IRequest request = null;
try {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 8b126d2..3544858 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.authorization.IAuthzManager;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
import com.netscape.certsrv.base.EBaseException;
@@ -480,8 +481,9 @@ public class AuthzSubsystem implements IAuthzSubsystem {
if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
String mgrName = getAuthzManagerByRealm(realm);
- // if no authz manager for this realm, SUCCESS by default
- if (mgrName == null) return;
+ if (mgrName == null) {
+ throw new EAuthzUnknownRealm("Realm not found");
+ }
AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
if (authzToken == null) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
index fbf2ee2..9005013 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -56,7 +56,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
private String mClientId = null;
private String mStatus = null;
private String mDataType = null;
- private String mRealm = null;
+ private String realm = null;
protected static Vector<String> mNames = new Vector<String>();
@@ -141,7 +141,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
} else if (name.equalsIgnoreCase(ATTR_STATUS)) {
mStatus = (String) object;
} else if (name.equalsIgnoreCase(ATTR_REALM)) {
- mRealm = (String) object;
+ realm = (String) object;
} else {
throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
}
@@ -183,7 +183,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
} else if (name.equalsIgnoreCase(ATTR_STATUS)) {
return mStatus;
} else if (name.equalsIgnoreCase(ATTR_REALM)) {
- return mRealm;
+ return realm;
} else {
throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
}
@@ -395,6 +395,6 @@ public class KeyRecord implements IDBObj, IKeyRecord {
@Override
public String getRealm() throws EBaseException {
- return mRealm;
+ return realm;
}
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
index 418422a..6592b01 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
@@ -39,5 +39,5 @@ class ARequestRecord {
String mOwner;
String mRequestType;
Hashtable<String, Object> mExtData;
- String mRealm;
+ String realm;
};
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
index 38060c2..074bff4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
@@ -93,7 +93,7 @@ public class RequestRecord
else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
return mExtData;
else if (name.equals(IRequestRecord.ATTR_REALM))
- return mRealm;
+ return realm;
else {
RequestAttr ra = mAttrTable.get(name);
@@ -122,7 +122,7 @@ public class RequestRecord
else if (name.equals(IRequestRecord.ATTR_REQUEST_OWNER))
mOwner = (String) o;
else if (name.equals(IRequestRecord.ATTR_REALM))
- mRealm = (String) o;
+ realm = (String) o;
else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
mExtData = (Hashtable<String, Object>) o;
else {
@@ -159,7 +159,7 @@ public class RequestRecord
mOwner = r.getRequestOwner();
mCreateTime = r.getCreationTime();
mModifyTime = r.getModificationTime();
- mRealm = r.getRealm();
+ realm = r.getRealm();
mExtData = loadExtDataFromRequest(r);
for (int i = 0; i < mRequestA.length; i++) {
@@ -173,7 +173,7 @@ public class RequestRecord
r.setRequestOwner(mOwner);
a.modModificationTime(r, mModifyTime);
a.modCreationTime(r, mCreateTime);
- r.setRealm(mRealm);
+ r.setRealm(realm);
storeExtDataIntoRequest(r);
for (int i = 0; i < mRequestA.length; i++) {