author | Fraser Tweedale <ftweedal@redhat.com> | 2016-01-14 16:13:26 +1100 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-02-15 14:38:06 +1000 |
commit | ae975289fcd669e122589cfd1a7c82e0b28f733e (patch) | |
tree | 97a15170931f2e21216c3f053604e1f882cdc55d /base/ca/src/org/dogtagpki/server | |
parent | f6177fede9d1b688f0519953ec14839d513a6e2c (diff) | |
Weaken PKIPrincipal to superclass in several places
In several places we are casting a `Principal' to `PKIPrincipal',
when `GenericPrincipal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
Diffstat (limited to 'base/ca/src/org/dogtagpki/server')
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/CertService.java | 8 | ||||
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 28 |
2 files changed, 22 insertions, 14 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 440f756de..f219db63e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -50,6 +50,7 @@ import netscape.security.x509.RevocationReason;
 import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509Key;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 import com.netscape.certsrv.apps.CMS;
@@ -75,7 +76,6 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.cert.CertRequestDAO;
 import com.netscape.cms.servlet.cert.FilterBuilder;
@@ -242,8 +242,10 @@ public class CertService extends PKIService implements CertResource {
 processor.createCRLExtension();
- PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal();
- // TODO: do not hard-code role name
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ GenericPrincipal principal =
+ (GenericPrincipal) servletRequest.getUserPrincipal();
 String subjectDN = principal.hasRole("Certificate Manager Agents") ? null : clientSubjectDN;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 08496f309..7029ea7fe 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java 
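Review bot: In the `@@ -242` hunk of CertService.java the result of `servletRequest.getUserPrincipal()` is still cast unconditionally, so a null principal fails with a NullPointerException at `principal.hasRole(...)` and a principal that is not a `GenericPrincipal` fails with a ClassCastException, which is exactly the externally authenticated case the commit message prepares for. The ProfileService hunks in this commit guard the cast with `instanceof`; the same shape here would be `Principal principal = servletRequest.getUserPrincipal();`, then `boolean isAgent = principal instanceof GenericPrincipal && ((GenericPrincipal) principal).hasRole("Certificate Manager Agents");` and `String subjectDN = isAgent ? null : clientSubjectDN;`. That keeps unknown principal types on the `clientSubjectDN` branch, which looks like the more restrictive one, but the enclosing method starts and ends outside the hunk, so this should be confirmed against the full method. `java.security.Principal` would have to be imported if the file does not already do so.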
@@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -77,7 +78,6 @@ import com.netscape.certsrv.profile.ProfileResource;
 import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.registry.IPluginInfo;
 import com.netscape.certsrv.registry.IPluginRegistry;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.profile.PolicyConstraintFactory;
 import com.netscape.cms.servlet.profile.PolicyDefaultFactory;
@@ -125,11 +125,14 @@ public class ProfileService extends PKIService implements ProfileResource {
 throw new PKIException("Error listing profiles. Profile Service not available");
 }
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
 }
 Enumeration<String> e = ps.getProfileIds(); 
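Review bot: In the `@@ -125` hunk (and identically in `@@ -182`) a principal that is authenticated but not a `GenericPrincipal` silently leaves `visibleOnly` at whatever it was set to above the hunk, so an externally authenticated agent or administrator would presumably get the restricted profile view with nothing recorded to explain why. Failing closed is the right default, but a debug log line on that branch, or a comment such as `// non-GenericPrincipal: roles unknown, keep visibleOnly`, would make the decision explicit until the authzmgr TODO is resolved. Two smaller points: `principal != null &&` is redundant because `instanceof` is already false for null, so `if (principal instanceof GenericPrincipal) {` suffices, and the inner `if` that sets `visibleOnly = false;` should carry braces. The block is duplicated verbatim in both hunks, so a private helper taking the `Principal` would keep the hard-coded role names in one place; both enclosing methods extend outside the hunks.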
@@ -182,11 +185,14 @@ public class ProfileService extends PKIService implements ProfileResource {
 throw new PKIException("Error retrieving profile. Profile Service not available");
 }
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
 }
 IProfile profile; |