authorFraser Tweedale <ftweedal@redhat.com>2015-01-28 02:41:10 -0500
committerFraser Tweedale <ftweedal@redhat.com>2015-09-26 14:11:51 +1000
commit2a9f56d02b4a284cda6f8b61b250e1494f19a83e (patch)
tree9b12125932ed41a5dbe06f8dafb66656e78c7ad8 /base/common/src/com/netscape/certsrv/authority
parenta5a50e95a691587e22335018538b4f578dfee6d1 (diff)
Lightweight CAs: initial support
This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented. Part of: https://fedorahosted.org/pki/ticket/1213
Diffstat (limited to 'base/common/src/com/netscape/certsrv/authority')
-rw-r--r--base/common/src/com/netscape/certsrv/authority/AuthorityData.java123
-rw-r--r--base/common/src/com/netscape/certsrv/authority/AuthorityResource.java96
2 files changed, 219 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/authority/AuthorityData.java b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
new file mode 100644
index 000000000..2312c3989
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authority/AuthorityData.java
@@ -0,0 +1,123 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+/**
+ * @author ftweedal
+ */
+package com.netscape.certsrv.authority;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlRootElement;
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+@XmlRootElement(name = "authority")
+@XmlAccessorType(XmlAccessType.FIELD)
+public class AuthorityData {
+
+ public static Marshaller marshaller;
+ public static Unmarshaller unmarshaller;
+
+ static {
+ try {
+ marshaller = JAXBContext.newInstance(AuthorityData.class).createMarshaller();
+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+ unmarshaller = JAXBContext.newInstance(AuthorityData.class).createUnmarshaller();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @XmlAttribute
+ protected Boolean isHostAuthority;
+
+ public Boolean getIsHostAuthority() {
+ return isHostAuthority;
+ }
+
+
+ @XmlAttribute
+ protected String id;
+
+ public String getID() {
+ return id;
+ }
+
+
+ @XmlAttribute
+ protected String parentID;
+
+ public String getParentID() {
+ return parentID;
+ }
+
+
+ @XmlAttribute
+ protected String dn;
+
+ public String getDN() {
+ return dn;
+ }
+
+
+ @XmlAttribute
+ protected Boolean enabled;
+
+ public Boolean getEnabled() {
+ return enabled;
+ }
+
+
+ @XmlAttribute
+ protected String description;
+
+ public String getDescription() {
+ return description;
+ }
+
+
+ protected Link link;
+
+ public Link getLink() {
+ return link;
+ }
+
+ public void setLink(Link link) {
+ this.link = link;
+ }
+
+ protected AuthorityData() {
+ }
+
+ public AuthorityData(
+ Boolean isHostAuthority,
+ String dn, String id, String parentID,
+ Boolean enabled, String description) {
+ this.isHostAuthority = isHostAuthority;
+ this.dn = dn;
+ this.id = id;
+ this.parentID = parentID;
+ this.enabled = enabled;
+ this.description = description;
+ }
+
+}
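Review bot: The static initializer at the top of AuthorityData catches every exception, prints it, and leaves `marshaller` and `unmarshaller` as null, so a JAXB setup failure surfaces later as a NullPointerException far from its cause; prefer `throw new ExceptionInInitializerError(e);` in place of `e.printStackTrace();` so the class fails to load with the real cause attached. The two objects are also exposed as public, non-final static fields and, per the JAXB API contract, a `Marshaller`/`Unmarshaller` instance is not thread-safe, so sharing one instance across concurrent request threads is a data race; keeping only the (thread-safe) `JAXBContext` as a `private static final` and creating a marshaller/unmarshaller per call would avoid both problems. Whether the unmarshaller is ever fed data from an unauthenticated caller is not visible in this hunk; if it is, the parser's external-entity handling should be confirmed where the input is read.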
diff --git a/base/common/src/com/netscape/certsrv/authority/AuthorityResource.java b/base/common/src/com/netscape/certsrv/authority/AuthorityResource.java
new file mode 100644
index 000000000..eaef903db
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authority/AuthorityResource.java
@@ -0,0 +1,96 @@
+package com.netscape.certsrv.authority;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import org.jboss.resteasy.annotations.ClientResponseType;
+
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
+@Path("authorities")
+public interface AuthorityResource {
+
+ public static final String HOST_AUTHORITY = "host-authority";
+
+ @GET
+ public Response listCAs();
+ /*
+ @QueryParam("start") Integer start,
+ @QueryParam("size") Integer size);
+ */
+
+ @GET
+ @Path("{id}")
+ @ClientResponseType(entityType=AuthorityData.class)
+ public Response getCA(@PathParam("id") String caIDString);
+
+ @GET
+ @Path("{id}/cert")
+ @Produces("application/pkix-cert")
+ @ClientResponseType(entityType=byte[].class)
+ public Response getCert(@PathParam("id") String caIDString);
+
+ @GET
+ @Path("{id}/cert")
+ @Produces("application/x-pem-file")
+ @ClientResponseType(entityType=String.class)
+ public Response getCertPEM(@PathParam("id") String caIDString);
+
+ @GET
+ @Path("{id}/chain")
+ @Produces("application/pkcs7-mime")
+ @ClientResponseType(entityType=byte[].class)
+ public Response getChain(@PathParam("id") String caIDString);
+
+ @GET
+ @Path("{id}/chain")
+ @Produces("application/x-pem-file")
+ @ClientResponseType(entityType=String.class)
+ public Response getChainPEM(@PathParam("id") String caIDString);
+
+ @POST
+ @ClientResponseType(entityType=AuthorityData.class)
+ @AuthMethodMapping("authorities")
+ @ACLMapping("authorities.create")
+ public Response createCA(AuthorityData data);
+
+ /**
+ * Modify a CA (supports partial updates).
+ *
+ * isHostEnabled, authorityID, authorityParentID and DN are
+ * immutable; differences in these values are ignored.
+ *
+ * Other values, if null, are ignored, otherwise they are
+ * set to the new value. To remove the description, use an
+ * empty string.
+ */
+ @PUT
+ @Path("{id}")
+ @ClientResponseType(entityType=AuthorityData.class)
+ @AuthMethodMapping("authorities")
+ @ACLMapping("authorities.modify")
+ public Response modifyCA(
+ @PathParam("id") String caIDString,
+ AuthorityData data);
+
+ @POST
+ @Path("{id}/enable")
+ @ClientResponseType(entityType=AuthorityData.class)
+ @AuthMethodMapping("authorities")
+ @ACLMapping("authorities.modify")
+ public Response enableCA(@PathParam("id") String caIDString);
+
+ @POST
+ @Path("{id}/disable")
+ @ClientResponseType(entityType=AuthorityData.class)
+ @AuthMethodMapping("authorities")
+ @ACLMapping("authorities.modify")
+ public Response disableCA(@PathParam("id") String caIDString);
+
+}
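Review bot: The Javadoc on modifyCA refers to `isHostEnabled`, `authorityID` and `authorityParentID`, but the AuthorityData class introduced in this same commit names those attributes `isHostAuthority`, `id` and `parentID`; the comment should read `isHostAuthority, id, parentID and dn are immutable; differences in these values are ignored.` so readers of the API contract are not sent looking for fields that do not exist. Separately, the read endpoints (listCAs, getCA, getCert, getCertPEM, getChain, getChainPEM) carry no `@AuthMethodMapping`/`@ACLMapping` while every mutating endpoint does; serving CA certificates and chains anonymously is presumably intended, but listCAs/getCA also return `dn`, `description` and `enabled`, so a one-line comment stating that unauthenticated read access is deliberate (or an `@ACLMapping("authorities.read")` if it is not) would make the intent explicit. The commented-out `@QueryParam` block under listCAs should either be restored as real paging parameters or dropped rather than left as dead code.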