authorFraser Tweedale <ftweedal@redhat.com>2016-01-14 16:13:26 +1100
committerFraser Tweedale <ftweedal@redhat.com>2016-02-15 14:38:06 +1000
commitae975289fcd669e122589cfd1a7c82e0b28f733e (patch)
tree97a15170931f2e21216c3f053604e1f882cdc55d
parentf6177fede9d1b688f0519953ec14839d513a6e2c (diff)
Weaken PKIPrincipal to superclass in several places
In several places we are casting a `Principal' to `PKIPrincipal', when `GenericPrincipal' or even no cast will suffice. In upcoming external authentication support, externally authenticated principals will not be instances of `PKIPrincipal', so weaken assumptions about the type of the principal where possible. Part of: https://fedorahosted.org/pki/ticket/1359
-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/CertService.java8
-rw-r--r--base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java28
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/AccountService.java5
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java9
-rw-r--r--base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java4
5 files changed, 33 insertions, 21 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 440f756de..f219db63e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -50,6 +50,7 @@ import netscape.security.x509.RevocationReason;
import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509Key;
+import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.resteasy.plugins.providers.atom.Link;
import com.netscape.certsrv.apps.CMS;
@@ -75,7 +76,6 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
import com.netscape.certsrv.logging.AuditFormat;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.realm.PKIPrincipal;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cms.servlet.cert.CertRequestDAO;
import com.netscape.cms.servlet.cert.FilterBuilder;
@@ -242,8 +242,10 @@ public class CertService extends PKIService implements CertResource {
processor.createCRLExtension();
- PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal();
- // TODO: do not hard-code role name
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ GenericPrincipal principal =
+ (GenericPrincipal) servletRequest.getUserPrincipal();
String subjectDN = principal.hasRole("Certificate Manager Agents") ?
null : clientSubjectDN;
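Review bot: The new cast `(GenericPrincipal) servletRequest.getUserPrincipal()` is still unchecked, so a null principal or one that is not a GenericPrincipal (the externally-authenticated case the commit description is preparing for) ends in a NullPointerException or ClassCastException rather than a controlled decision; the ProfileService hunks in this same commit already use the safer `instanceof` form, and this site should match. Replacing the declaration with `Principal principal = servletRequest.getUserPrincipal();` and the role test with `boolean isAgent = principal instanceof GenericPrincipal && ((GenericPrincipal) principal).hasRole("Certificate Manager Agents");` followed by `String subjectDN = isAgent ? null : clientSubjectDN;` fails closed, i.e. a non-realm principal keeps the client subject-DN restriction. Whether `java.security.Principal` is already imported in CertService is not visible in this diff. The enclosing method starts and ends outside the hunk.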
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 08496f309..7029ea7fe 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
+import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.lang.StringUtils;
import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -77,7 +78,6 @@ import com.netscape.certsrv.profile.ProfileResource;
import com.netscape.certsrv.property.EPropertyException;
import com.netscape.certsrv.registry.IPluginInfo;
import com.netscape.certsrv.registry.IPluginRegistry;
-import com.netscape.cms.realm.PKIPrincipal;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cms.servlet.profile.PolicyConstraintFactory;
import com.netscape.cms.servlet.profile.PolicyDefaultFactory;
@@ -125,11 +125,14 @@ public class ProfileService extends PKIService implements ProfileResource {
throw new PKIException("Error listing profiles. Profile Service not available");
}
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
}
Enumeration<String> e = ps.getProfileIds();
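Review bot: The guard `principal != null && principal instanceof GenericPrincipal` carries a redundant null test, since `instanceof` is already false for null, and the inner `if` body `visibleOnly = false;` is left unbraced, which the rest of the file's brace style does not appear to do; the same two points apply to the identical block in the second ProfileService hunk (the `@@ -182,11 +185,14 @@` one). Simplify to `if (principal instanceof GenericPrincipal) {` and brace the inner `if`. Because the block is now duplicated verbatim in two methods, consider extracting a private helper such as `isProfileAgentOrAdmin(Principal principal)` so the role names the TODO refers to live in one place. The enclosing methods start and end outside the hunks.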
@@ -182,11 +185,14 @@ public class ProfileService extends PKIService implements ProfileResource {
throw new PKIException("Error retrieving profile. Profile Service not available");
}
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
}
IProfile profile;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
index 4e8e6e6f8..827e99e07 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
@@ -29,6 +29,7 @@ import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
+import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.lang.StringUtils;
import com.netscape.certsrv.account.AccountInfo;
@@ -75,8 +76,10 @@ public class AccountService extends PKIService implements AccountResource {
String email = user.getEmail();
if (!StringUtils.isEmpty(email)) response.setEmail(email);
+ }
- String[] roles = pkiPrincipal.getRoles();
+ if (principal instanceof GenericPrincipal) {
+ String[] roles = ((GenericPrincipal) principal).getRoles();
response.setRoles(Arrays.asList(roles));
}
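Review bot: The new `if (principal instanceof GenericPrincipal)` block silently leaves the roles field of the response unset for any other principal type, and nothing in the hunk says that this is intended; a one-line comment before the `if`, `// Roles come from the realm principal only; other principal types get no roles in the response`, would make that contract explicit for the client-facing API. The `+ }` added just above closes a block whose opening is outside the hunk, so whether that block previously guarded the roles code with a null or type check cannot be confirmed from here; the `instanceof` test covers both cases for the new block. Depending on the Tomcat version, `GenericPrincipal.getRoles()` may hand back the realm's internal array, in which case `Arrays.asList(roles)` aliases it; `List.copyOf`-style copying would avoid that if the response object can be mutated downstream.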
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
index 38f542ffb..38b174859 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
@@ -21,13 +21,13 @@ package com.netscape.cmscore.dbs;
import java.security.Principal;
import java.util.Arrays;
+import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.lang.StringUtils;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.common.Constants;
-import com.netscape.cms.realm.PKIPrincipal;
/**
@@ -51,12 +51,13 @@ public class CSCfgDatabase<E extends CSCfgRecord> extends Database<E> {
}
public boolean canApprove(Principal principal) {
- if (!(principal instanceof PKIPrincipal)) {
+ if (!(principal instanceof GenericPrincipal)) {
return false;
}
- PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
- return pkiPrincipal.hasRole("TPS Agents");
+ // TODO remove hardcoded role name and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ return ((GenericPrincipal) principal).hasRole("TPS Agents");
}
public String getRecordStatus(String recordID) throws EBaseException {
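Review bot: `canApprove` is a public authorization decision point and now accepts any `GenericPrincipal`, yet it has no Javadoc stating the fail-closed behaviour the new code implements; add `/** Returns true only for realm principals ({@link GenericPrincipal}) holding the "TPS Agents" role; null or any other principal type is denied. */` above the signature. The early `return false` for non-GenericPrincipal input is the right default, and the TODO comment would read better placed on the `instanceof` check, since that is the line that will change once an authz manager is consulted.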
diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
index 93cd411cb..bc655d6d0 100644
--- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
@@ -5,6 +5,7 @@ import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
@@ -37,7 +38,6 @@ import com.netscape.certsrv.system.TPSConnectorResource;
import com.netscape.certsrv.tps.cert.TPSCertResource;
import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.certsrv.usrgrp.IUser;
-import com.netscape.cms.realm.PKIPrincipal;
import com.netscape.cms.servlet.base.PKIService;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
@@ -326,7 +326,7 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
throw new PKIException("Bad TPS connection configuration: userid not defined");
}
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
+ Principal principal = servletRequest.getUserPrincipal();
if (principal == null) {
throw new UnauthorizedException("User credentials not provided");
}
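Review bot: The `principal == null` check that now guards the weakened `Principal principal` declaration still runs after the configuration check two lines above it, so an unauthenticated caller receives `PKIException("Bad TPS connection configuration: userid not defined")` instead of `UnauthorizedException`; moving the `getUserPrincipal()` lookup and the null check ahead of the userid check keeps authentication failures from revealing configuration state. This is pre-existing ordering rather than something the commit introduces, and it is moot if the container's security constraints already reject unauthenticated requests to this resource, which the diff does not show. The remaining uses of `principal` below the hunk must now rely only on `java.security.Principal` methods; the 4-line diffstat for this file suggests they already do. The enclosing method starts and ends outside the hunk.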