diff options
author | Fraser Tweedale <ftweedal@redhat.com> | 2015-07-04 11:00:29 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-07-06 18:46:38 -0400 |
commit | c48c52703c374c8e7e65c11fdeee9eeda464290f (patch) | |
tree | 69074a1ae11108ae7d4827a546f466daab009450 /base/ca | |
parent | 02c50813a2f5054ad1b6b0a42e919e3ae1472fe0 (diff) | |
download | pki-c48c52703c374c8e7e65c11fdeee9eeda464290f.tar.gz pki-c48c52703c374c8e7e65c11fdeee9eeda464290f.tar.xz pki-c48c52703c374c8e7e65c11fdeee9eeda464290f.zip |
Verify raw profile config before accepting it
Creating or modifying a profile with bad profile data in the "raw"
format succeeds and saves the bad data. After restart, the profile
cannot be loaded and attempting to use, modify or delete or recreate
the profile will fail.
Verify raw profile data by instantiating a temporary profile and
attempting to initialise it with the received configuration.
Fixes: https://fedorahosted.org/pki/ticket/1462
Diffstat (limited to 'base/ca')
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java index f7d82b05f..a1dba8064 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java @@ -81,6 +81,7 @@ import com.netscape.cms.servlet.base.PKIService; import com.netscape.cms.servlet.profile.PolicyConstraintFactory; import com.netscape.cms.servlet.profile.PolicyDefaultFactory; import com.netscape.cmscore.base.SimpleProperties; +import com.netscape.cmscore.base.PropConfigStore; /** * @author alee @@ -583,8 +584,27 @@ public class ProfileService extends PKIService implements ProfileResource { auditParams.put("class_id", classId); IPluginInfo info = registry.getPluginInfo("profile", classId); + String className = info.getClassName(); - profile = ps.createProfile(profileId, classId, info.getClassName()); + // create temporary profile to verify profile configuration + IProfile tempProfile; + try { + tempProfile = (IProfile) Class.forName(className).newInstance(); + } catch (Exception e) { + throw new PKIException( + "Error instantiating profile class: " + className); + } + tempProfile.setId(profileId); + try { + PropConfigStore tempConfig = new PropConfigStore(null); + tempConfig.load(new ByteArrayInputStream(data)); + tempProfile.init(ps, tempConfig); + } catch (Exception e) { + throw new BadRequestException("Invalid profile data", e); + } + + // no error thrown, proceed with profile creation + profile = ps.createProfile(profileId, classId, className); profile.getConfigStore().commit(false); profile.getConfigStore().load(new ByteArrayInputStream(data)); ps.disableProfile(profileId); @@ -698,6 +718,27 @@ public class ProfileService extends PKIService implements ProfileResource { simpleProperties.store(out, null); data = out.toByteArray(); // original data sans profileId, classId + // create temporary profile to verify profile configuration + String classId = ps.getProfileClassId(profileId); + String className = + registry.getPluginInfo("profile", classId).getClassName(); + IProfile tempProfile; + try { + tempProfile = (IProfile) Class.forName(className).newInstance(); + } catch (Exception e) { + throw new PKIException( + "Error instantiating profile class: " + className); + } + tempProfile.setId(profileId); + try { + PropConfigStore tempConfig = new PropConfigStore(null); + tempConfig.load(new ByteArrayInputStream(data)); + tempProfile.init(ps, tempConfig); + } catch (Exception e) { + throw new BadRequestException("Invalid profile data", e); + } + + // no error thrown, so commit updated profile config profile.getConfigStore().load(new ByteArrayInputStream(data)); ps.disableProfile(profileId); profile.getConfigStore().commit(false); |