diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2016-01-14 16:13:26 +1100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-02-15 14:38:06 +1000 |
commit | ae975289fcd669e122589cfd1a7c82e0b28f733e (patch) | |
tree | 97a15170931f2e21216c3f053604e1f882cdc55d | |
parent | f6177fede9d1b688f0519953ec14839d513a6e2c (diff) | |
download | pki-ae975289fcd669e122589cfd1a7c82e0b28f733e.tar.gz pki-ae975289fcd669e122589cfd1a7c82e0b28f733e.tar.xz pki-ae975289fcd669e122589cfd1a7c82e0b28f733e.zip |
Weaken PKIPrincipal to superclass in several places
In several places we are casting a `Principal' to `PKIPrincpal',
when `GenericPrincpal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
5 files changed, 33 insertions, 21 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java index 440f756de..f219db63e 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java @@ -50,6 +50,7 @@ import netscape.security.x509.RevocationReason; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509Key; +import org.apache.catalina.realm.GenericPrincipal; import org.jboss.resteasy.plugins.providers.atom.Link; import com.netscape.certsrv.apps.CMS; @@ -75,7 +76,6 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.request.IRequest; -import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.base.PKIService; import com.netscape.cms.servlet.cert.CertRequestDAO; import com.netscape.cms.servlet.cert.FilterBuilder; @@ -242,8 +242,10 @@ public class CertService extends PKIService implements CertResource { processor.createCRLExtension(); - PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal(); - // TODO: do not hard-code role name + // TODO remove hardcoded role names and consult authzmgr + // (so that we can handle externally-authenticated principals) + GenericPrincipal principal = + (GenericPrincipal) servletRequest.getUserPrincipal(); String subjectDN = principal.hasRole("Certificate Manager Agents") ? null : clientSubjectDN; diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java index 08496f309..7029ea7fe 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java @@ -41,6 +41,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; +import org.apache.catalina.realm.GenericPrincipal; import org.apache.commons.lang.StringUtils; import org.jboss.resteasy.plugins.providers.atom.Link; @@ -77,7 +78,6 @@ import com.netscape.certsrv.profile.ProfileResource; import com.netscape.certsrv.property.EPropertyException; import com.netscape.certsrv.registry.IPluginInfo; import com.netscape.certsrv.registry.IPluginRegistry; -import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.base.PKIService; import com.netscape.cms.servlet.profile.PolicyConstraintFactory; import com.netscape.cms.servlet.profile.PolicyDefaultFactory; @@ -125,11 +125,14 @@ public class ProfileService extends PKIService implements ProfileResource { throw new PKIException("Error listing profiles. Profile Service not available"); } - PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal(); - if ((principal != null) && - (principal.hasRole("Certificate Manager Agents") || - principal.hasRole("Certificate Manager Administrators"))) { - visibleOnly = false; + // TODO remove hardcoded role names and consult authzmgr + // (so that we can handle externally-authenticated principals) + Principal principal = servletRequest.getUserPrincipal(); + if (principal != null && principal instanceof GenericPrincipal) { + GenericPrincipal genPrincipal = (GenericPrincipal) principal; + if (genPrincipal.hasRole("Certificate Manager Agents") || + genPrincipal.hasRole("Certificate Manager Administrators")) + visibleOnly = false; } Enumeration<String> e = ps.getProfileIds(); @@ -182,11 +185,14 @@ public class ProfileService extends PKIService implements ProfileResource { throw new PKIException("Error retrieving profile. Profile Service not available"); } - PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal(); - if ((principal != null) && - (principal.hasRole("Certificate Manager Agents") || - principal.hasRole("Certificate Manager Administrators"))) { - visibleOnly = false; + // TODO remove hardcoded role names and consult authzmgr + // (so that we can handle externally-authenticated principals) + Principal principal = servletRequest.getUserPrincipal(); + if (principal != null && principal instanceof GenericPrincipal) { + GenericPrincipal genPrincipal = (GenericPrincipal) principal; + if (genPrincipal.hasRole("Certificate Manager Agents") || + genPrincipal.hasRole("Certificate Manager Administrators")) + visibleOnly = false; } IProfile profile; diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java index 4e8e6e6f8..827e99e07 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java @@ -29,6 +29,7 @@ import javax.ws.rs.core.Request; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; +import org.apache.catalina.realm.GenericPrincipal; import org.apache.commons.lang.StringUtils; import com.netscape.certsrv.account.AccountInfo; @@ -75,8 +76,10 @@ public class AccountService extends PKIService implements AccountResource { String email = user.getEmail(); if (!StringUtils.isEmpty(email)) response.setEmail(email); + } - String[] roles = pkiPrincipal.getRoles(); + if (principal instanceof GenericPrincipal) { + String[] roles = ((GenericPrincipal) principal).getRoles(); response.setRoles(Arrays.asList(roles)); } diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java index 38f542ffb..38b174859 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java @@ -21,13 +21,13 @@ package com.netscape.cmscore.dbs; import java.security.Principal; import java.util.Arrays; +import org.apache.catalina.realm.GenericPrincipal; import org.apache.commons.lang.StringUtils; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.common.Constants; -import com.netscape.cms.realm.PKIPrincipal; /** @@ -51,12 +51,13 @@ public class CSCfgDatabase<E extends CSCfgRecord> extends Database<E> { } public boolean canApprove(Principal principal) { - if (!(principal instanceof PKIPrincipal)) { + if (!(principal instanceof GenericPrincipal)) { return false; } - PKIPrincipal pkiPrincipal = (PKIPrincipal)principal; - return pkiPrincipal.hasRole("TPS Agents"); + // TODO remove hardcoded role name and consult authzmgr + // (so that we can handle externally-authenticated principals) + return ((GenericPrincipal) principal).hasRole("TPS Agents"); } public String getRecordStatus(String recordID) throws EBaseException { diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java index 93cd411cb..bc655d6d0 100644 --- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java +++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java @@ -5,6 +5,7 @@ import java.net.URI; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; +import java.security.Principal; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collection; @@ -37,7 +38,6 @@ import com.netscape.certsrv.system.TPSConnectorResource; import com.netscape.certsrv.tps.cert.TPSCertResource; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; -import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.base.PKIService; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; @@ -326,7 +326,7 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou throw new PKIException("Bad TPS connection configuration: userid not defined"); } - PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal(); + Principal principal = servletRequest.getUserPrincipal(); if (principal == null) { throw new UnauthorizedException("User credentials not provided"); } |