summaryrefslogtreecommitdiffstats
path: root/base/common/src/com/netscape/cms/servlet/admin
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2012-05-19 11:05:20 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-05-31 12:01:36 -0500
commitae03c6bdf570cb36a1b139aeb0e467081665459e (patch)
treef586fe5e5c3e4e1c4c1eb73f184d7bc4438296a5 /base/common/src/com/netscape/cms/servlet/admin
parent83bca19f80ea0deef4034e80a559ffa88da44a1a (diff)
downloadpki-ae03c6bdf570cb36a1b139aeb0e467081665459e.tar.gz
pki-ae03c6bdf570cb36a1b139aeb0e467081665459e.tar.xz
pki-ae03c6bdf570cb36a1b139aeb0e467081665459e.zip
Added user REST service.
The user REST service is based on UsrGrpAdminServlet. It provides an interface to manage users and user certificates. Ticket #160
Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/admin')
-rw-r--r--base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java484
-rw-r--r--base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java483
2 files changed, 967 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java b/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java
new file mode 100644
index 000000000..ebeb5b134
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java
@@ -0,0 +1,484 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.admin;
+
+import java.net.URI;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import netscape.ldap.LDAPException;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.x509.X509CertImpl;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.InternalCertificate;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.ICertPrettyPrint;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.user.UserCertCollection;
+import com.netscape.certsrv.user.UserCertData;
+import com.netscape.certsrv.user.UserCertResource;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.base.CMSException;
+import com.netscape.cms.servlet.base.CMSResourceService;
+import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class UserCertResourceService extends CMSResourceService implements UserCertResource {
+
+ public final static int DEFAULT_SIZE = 20;
+
+ public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+
+ public UserCertData createUserCertData(String userID, X509Certificate cert) throws Exception {
+
+ UserCertData userCertData = new UserCertData();
+
+ userCertData.setVersion(cert.getVersion());
+ userCertData.setSerialNumber(cert.getSerialNumber());
+ userCertData.setIssuerDN(cert.getIssuerDN().toString());
+ userCertData.setSubjectDN(cert.getSubjectDN().toString());
+
+ userID = URLEncoder.encode(userID, "UTF-8");
+ String certID = URLEncoder.encode(userCertData.getID(), "UTF-8");
+ URI uri = uriInfo.getBaseUriBuilder().path(UserCertResource.class).path("{certID}").build(userID, certID);
+ userCertData.setLink(new Link("self", uri));
+
+ return userCertData;
+ }
+
+ /**
+ * List user certificate(s)
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ @Override
+ public UserCertCollection findUserCerts(String userID, Integer start, Integer size) {
+ try {
+ start = start == null ? 0 : start;
+ size = size == null ? DEFAULT_SIZE : size;
+
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user = null;
+
+ try {
+ user = userGroupManager.getUser(userID);
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+ }
+
+ if (user == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+ }
+
+ UserCertCollection response = new UserCertCollection();
+
+ X509Certificate[] certs = user.getX509Certificates();
+ if (certs != null) {
+ for (int i=start; i<start+size && i<certs.length; i++) {
+ X509Certificate cert = certs[i];
+ response.addCert(createUserCertData(userID, cert));
+ }
+
+ if (start > 0) {
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
+ response.addLink(new Link("prev", uri));
+ }
+
+ if (start+size < certs.length) {
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
+ response.addLink(new Link("next", uri));
+ }
+ }
+
+ return response;
+
+ } catch (CMSException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new CMSException(e.getMessage());
+ }
+ }
+
+ @Override
+ public UserCertData getUserCert(String userID, String certID) {
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user = null;
+
+ try {
+ user = userGroupManager.getUser(userID);
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+ }
+
+ if (user == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+ }
+
+ X509Certificate[] certs = user.getX509Certificates();
+
+ if (certs == null) {
+ throw new CMSException("Certificate not found");
+ }
+
+ try {
+ certID = URLDecoder.decode(certID, "UTF-8");
+ } catch (Exception e) {
+ throw new CMSException(e.getMessage());
+ }
+
+ for (X509Certificate cert : certs) {
+
+ UserCertData userCertData = createUserCertData(userID, cert);
+
+ if (!userCertData.getID().equals(certID)) continue;
+
+ ICertPrettyPrint print = CMS.getCertPrettyPrint(cert);
+ userCertData.setPrettyPrint(print.toString(getLocale()));
+
+ // add base64 encoding
+ String base64 = CMS.getEncodedCert(cert);
+ userCertData.setEncoded(base64);
+
+ return userCertData;
+ }
+
+ throw new CMSException("Certificate not found");
+
+ } catch (CMSException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new CMSException(e.getMessage());
+ }
+ }
+
+ /**
+ * Adds a certificate to a user
+ * <P>
+ *
+ * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+ * users/groups)
+ * </ul>
+ */
+ @Override
+ public Response addUserCert(String userID, UserCertData userCertData) {
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user = userGroupManager.createUser(userID);
+
+ String encoded = userCertData.getEncoded();
+ encoded = Cert.normalizeCertStrAndReq(encoded);
+ encoded = Cert.stripBrackets(encoded);
+
+ // no cert is a success
+ if (encoded == null) {
+ auditAddUserCert(userID, userCertData, ILogger.SUCCESS);
+ return Response.ok().build();
+ }
+
+ // only one cert added per operation
+ X509Certificate cert = null;
+
+ // Base64 decode cert
+ byte binaryCert[] = Utils.base64decode(encoded);
+
+ try {
+ cert = new X509CertImpl(binaryCert);
+
+ } catch (CertificateException e) {
+ // ignore
+ }
+
+ if (cert == null) {
+ // cert chain direction
+ boolean assending = true;
+
+ // could it be a pkcs7 blob?
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_IS_PK_BLOB"));
+
+ try {
+ CryptoManager manager = CryptoManager.getInstance();
+
+ PKCS7 pkcs7 = new PKCS7(binaryCert);
+
+ X509Certificate p7certs[] = pkcs7.getCertificates();
+
+ if (p7certs.length == 0) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+ }
+
+ // fix for 370099 - cert ordering can not be assumed
+ // find out the ordering ...
+
+ // self-signed and alone? take it. otherwise test
+ // the ordering
+ if (p7certs[0].getSubjectDN().toString().equals(
+ p7certs[0].getIssuerDN().toString()) &&
+ (p7certs.length == 1)) {
+ cert = p7certs[0];
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_SINGLE_CERT_IMPORT"));
+
+ } else if (p7certs[0].getIssuerDN().toString().equals(p7certs[1].getSubjectDN().toString())) {
+ cert = p7certs[0];
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD"));
+
+ } else if (p7certs[1].getIssuerDN().toString().equals(p7certs[0].getSubjectDN().toString())) {
+ assending = false;
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_DESC_ORD"));
+ cert = p7certs[p7certs.length - 1];
+
+ } else {
+ // not a chain, or in random order
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN"));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+ }
+
+ CMS.debug("UserCertResourceService: "
+ + CMS.getLogMessage("ADMIN_SRVLT_CHAIN_STORED_DB", String.valueOf(p7certs.length)));
+
+ int j = 0;
+ int jBegin = 0;
+ int jEnd = 0;
+
+ if (assending == true) {
+ jBegin = 1;
+ jEnd = p7certs.length;
+ } else {
+ jBegin = 0;
+ jEnd = p7certs.length - 1;
+ }
+
+ // store the chain into cert db, except for the user cert
+ for (j = jBegin; j < jEnd; j++) {
+ CMS.debug("UserCertResourceService: "
+ + CMS.getLogMessage("ADMIN_SRVLT_CERT_IN_CHAIN", String.valueOf(j),
+ String.valueOf(p7certs[j].getSubjectDN())));
+ org.mozilla.jss.crypto.X509Certificate leafCert =
+ manager.importCACertPackage(p7certs[j].getEncoded());
+
+ if (leafCert == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NULL"));
+ } else {
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NON_NULL"));
+ }
+
+ if (leafCert instanceof InternalCertificate) {
+ ((InternalCertificate) leafCert).setSSLTrust(
+ InternalCertificate.VALID_CA |
+ InternalCertificate.TRUSTED_CA |
+ InternalCertificate.TRUSTED_CLIENT_CA);
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NOT_INTERNAL_CERT",
+ String.valueOf(p7certs[j].getSubjectDN())));
+ }
+ }
+
+ /*
+ } catch (CryptoManager.UserCertConflictException e) {
+ // got a "user cert" in the chain, most likely the CA
+ // cert of this instance, which has a private key. Ignore
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_PKS7_IGNORED", e.toString()));
+ */
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", e.toString()));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+ }
+ }
+
+ try {
+ CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_BEFORE_VALIDITY"));
+ cert.checkValidity(); // throw exception if fails
+
+ user.setX509Certificates(new X509Certificate[] { cert });
+ userGroupManager.addUserCert(user);
+
+ auditAddUserCert(userID, userCertData, ILogger.SUCCESS);
+
+ // read the data back
+
+ userCertData.setVersion(cert.getVersion());
+ userCertData.setSerialNumber(cert.getSerialNumber());
+ userCertData.setIssuerDN(cert.getIssuerDN().toString());
+ userCertData.setSubjectDN(cert.getSubjectDN().toString());
+ String certID = userCertData.getID();
+
+ userCertData = getUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
+
+ return Response
+ .created(userCertData.getLink().getHref())
+ .entity(userCertData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
+
+ } catch (CertificateExpiredException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED",
+ String.valueOf(cert.getSubjectDN())));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_EXPIRED"));
+
+ } catch (CertificateNotYetValidException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID",
+ String.valueOf(cert.getSubjectDN())));
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"));
+
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_CERT_EXISTS"));
+ } else {
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+ }
+ }
+
+ } catch (CMSException e) {
+ auditAddUserCert(userID, userCertData, ILogger.FAILURE);
+ throw e;
+
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ auditAddUserCert(userID, userCertData, ILogger.FAILURE);
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+ }
+ }
+
+ /**
+ * Removes a certificate for a user
+ * <P>
+ *
+ * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ * <P>
+ *
+ * In this method, "certDN" is actually a combination of version, serialNumber, issuerDN, and SubjectDN.
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+ * users/groups)
+ * </ul>
+ */
+ @Override
+ public void removeUserCert(String userID, String certID) {
+
+ try {
+ certID = URLDecoder.decode(certID, "UTF-8");
+ } catch (Exception e) {
+ throw new CMSException(e.getMessage());
+ }
+
+ UserCertData userCertData = new UserCertData();
+ userCertData.setID(certID);
+ removeUserCert(userID, userCertData);
+ }
+
+ public void removeUserCert(String userID, UserCertData userCertData) {
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user = userGroupManager.createUser(userID);
+ String certID = userCertData.getID();
+
+ // no certDN is a success
+ if (certID == null) {
+ auditDeleteUserCert(userID, userCertData, ILogger.SUCCESS);
+ return;
+ }
+
+ user.setCertDN(certID);
+
+ userGroupManager.removeUserCert(user);
+
+ auditDeleteUserCert(userID, userCertData, ILogger.SUCCESS);
+
+ } catch (CMSException e) {
+ auditDeleteUserCert(userID, userCertData, ILogger.FAILURE);
+ throw e;
+
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ auditDeleteUserCert(userID, userCertData, ILogger.FAILURE);
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+ }
+ }
+
+ public void log(int level, String message) {
+ log(ILogger.S_USRGRP, level, message);
+ }
+
+ public void auditAddUserCert(String id, UserCertData userCertData, String status) {
+ audit(OpDef.OP_ADD, id, getParams(userCertData), status);
+ }
+
+ public void auditDeleteUserCert(String id, UserCertData userCertData, String status) {
+ audit(OpDef.OP_DELETE, id, getParams(userCertData), status);
+ }
+
+ public void audit(String type, String id, Map<String, String> params, String status) {
+ audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java b/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java
new file mode 100644
index 000000000..1639c5912
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java
@@ -0,0 +1,483 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.admin;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.util.Enumeration;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import netscape.ldap.LDAPException;
+
+import org.apache.commons.lang.StringUtils;
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.password.IPasswordCheck;
+import com.netscape.certsrv.user.UserCollection;
+import com.netscape.certsrv.user.UserData;
+import com.netscape.certsrv.user.UserResource;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.base.CMSException;
+import com.netscape.cms.servlet.base.CMSResourceService;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class UserResourceService extends CMSResourceService implements UserResource {
+
+ public final static int DEFAULT_SIZE = 20;
+
+ public final static String BACK_SLASH = "\\";
+ public final static String SYSTEM_USER = "$System$";
+
+ public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+
+ public UserData createUserData(IUser user) throws Exception {
+
+ UserData userData = new UserData();
+
+ String id = user.getUserID();
+ if (!StringUtils.isEmpty(id)) userData.setID(id);
+
+ String fullName = user.getFullName();
+ if (!StringUtils.isEmpty(fullName)) userData.setFullName(fullName);
+
+ String userID = URLEncoder.encode(id, "UTF-8");
+ URI uri = uriInfo.getBaseUriBuilder().path(UserResource.class).path("{userID}").build(userID);
+ userData.setLink(new Link("self", uri));
+
+ return userData;
+ }
+
+ /**
+ * Searches for users in LDAP directory.
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ @Override
+ public UserCollection findUsers(String filter, Integer start, Integer size) {
+ try {
+ filter = StringUtils.isEmpty(filter) ? "*" : "*"+LDAPUtil.escapeFilter(filter)+"*";
+ start = start == null ? 0 : start;
+ size = size == null ? DEFAULT_SIZE : size;
+
+ Enumeration<IUser> users = userGroupManager.findUsers(filter);
+
+ UserCollection response = new UserCollection();
+
+ int i = 0;
+
+ // skip to the start of the page
+ for ( ; i<start && users.hasMoreElements(); i++) users.nextElement();
+
+ // return entries up to the page size
+ for ( ; i<start+size && users.hasMoreElements(); i++) {
+ IUser user = users.nextElement();
+ response.addUser(createUserData(user));
+ }
+
+ // count the total entries
+ for ( ; users.hasMoreElements(); i++) users.nextElement();
+
+ if (start > 0) {
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
+ response.addLink(new Link("prev", uri));
+ }
+
+ if (start+size < i) {
+ URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
+ response.addLink(new Link("next", uri));
+ }
+
+ return response;
+
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+ }
+ }
+
+ /**
+ * List user information. Certificates covered in a separate
+ * protocol for findUserCerts(). List of group memberships are
+ * also provided.
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ @Override
+ public UserData getUser(String userID) {
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user;
+
+ try {
+ user = userGroupManager.getUser(userID);
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+ }
+
+ if (user == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+ }
+
+ UserData userData = createUserData(user);
+
+ String email = user.getEmail();
+ if (!StringUtils.isEmpty(email)) userData.setEmail(email);
+
+ String phone = user.getPhone();
+ if (!StringUtils.isEmpty(phone)) userData.setPhone(phone);
+
+ String state = user.getState();
+ if (!StringUtils.isEmpty(state)) userData.setState(state);
+
+ String type = user.getUserType();
+ if (!StringUtils.isEmpty(type)) userData.setType(type);
+
+ return userData;
+
+ } catch (CMSException e) {
+ throw e;
+
+ } catch (Exception e) {
+ throw new CMSException(e.getMessage());
+ }
+ }
+
+ /**
+ * Adds a new user to LDAP server
+ * <P>
+ *
+ * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+ * users/groups)
+ * </ul>
+ */
+
+ @Override
+ public Response addUser(UserData userData) {
+
+ String userID = userData.getID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ if (userID.indexOf(BACK_SLASH) != -1) {
+ // backslashes (BS) are not allowed
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_RS_ID_BS"));
+ }
+
+ if (userID.equals(SYSTEM_USER)) {
+ // backslashes (BS) are not allowed
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", userID));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_SPECIAL_ID", userID));
+ }
+
+ IUser user = userGroupManager.createUser(userID);
+
+ String fname = userData.getFullName();
+ if (fname == null || fname.length() == 0) {
+ String msg = getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", "full name");
+
+ log(ILogger.LL_FAILURE, msg);
+ throw new CMSException(msg);
+
+ } else {
+ user.setFullName(fname);
+ }
+
+ String email = userData.getEmail();
+ if (email != null) {
+ user.setEmail(email);
+ } else {
+ user.setEmail("");
+ }
+
+ String pword = userData.getPassword();
+ if (pword != null && !pword.equals("")) {
+ IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+ if (!passwdCheck.isGoodPassword(pword)) {
+ throw new EUsrGrpException(passwdCheck.getReason(pword));
+ }
+
+ user.setPassword(pword);
+ } else {
+ user.setPassword("");
+ }
+
+ String phone = userData.getPhone();
+ if (phone != null) {
+ user.setPhone(phone);
+ } else {
+ user.setPhone("");
+ }
+
+ String type = userData.getType();
+ if (type != null) {
+ user.setUserType(type);
+ } else {
+ user.setUserType("");
+ }
+
+ String state = userData.getState();
+ if (state != null) {
+ user.setState(state);
+ }
+
+ try {
+ userGroupManager.addUser(user);
+
+ auditAddUser(userID, userData, ILogger.SUCCESS);
+
+ // read the data back
+ userData = getUser(userID);
+
+ return Response
+ .created(userData.getLink().getHref())
+ .entity(userData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
+
+ } catch (EUsrGrpException e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ if (user.getUserID() == null) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", "uid"));
+ } else {
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+ }
+
+ } catch (LDAPException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString()));
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+ }
+
+ } catch (CMSException e) {
+ auditAddUser(userID, userData, ILogger.FAILURE);
+ throw e;
+
+ } catch (EBaseException e) {
+ auditAddUser(userID, userData, ILogger.FAILURE);
+ throw new CMSException(e.getMessage());
+ }
+ }
+
+ /**
+ * Modifies an existing user in local scope.
+ * <P>
+ *
+ * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+ * users/groups)
+ * </ul>
+ */
+ @Override
+ public Response modifyUser(String userID, UserData userData) {
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ IUser user = userGroupManager.createUser(userID);
+
+ String fullName = userData.getFullName();
+ if (fullName != null) {
+ user.setFullName(fullName);
+ }
+
+ String email = userData.getEmail();
+ if (email != null) {
+ user.setEmail(email);
+ }
+
+ String pword = userData.getPassword();
+ if (pword != null && !pword.equals("")) {
+ IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+ if (!passwdCheck.isGoodPassword(pword)) {
+ throw new EUsrGrpException(passwdCheck.getReason(pword));
+ }
+
+ user.setPassword(pword);
+ }
+
+ String phone = userData.getPhone();
+ if (phone != null) {
+ user.setPhone(phone);
+ }
+
+ String state = userData.getState();
+ if (state != null) {
+ user.setState(state);
+ }
+
+ try {
+ userGroupManager.modifyUser(user);
+
+ auditModifyUser(userID, userData, ILogger.SUCCESS);
+
+ // read the data back
+ userData = getUser(userID);
+
+ return Response
+ .ok(userData)
+ .type(MediaType.APPLICATION_XML)
+ .build();
+
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+ }
+
+ } catch (CMSException e) {
+ auditModifyUser(userID, userData, ILogger.FAILURE);
+ throw e;
+
+ } catch (EBaseException e) {
+ auditModifyUser(userID, userData, ILogger.FAILURE);
+ throw new CMSException(e.getMessage());
+ }
+ }
+
+ /**
+ * removes a user. user not removed if belongs to any group
+ * (Administrators should remove the user from "uniquemember" of
+ * any group he/she belongs to before trying to remove the user
+ * itself.
+ * <P>
+ *
+ * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+ * users/groups)
+ * </ul>
+ */
+ @Override
+ public void removeUser(String userID) {
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ if (userID == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+ }
+
+ // get list of groups, and see if uid belongs to any
+ Enumeration<IGroup> groups;
+
+ try {
+ groups = userGroupManager.findGroups("*");
+
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+ }
+
+ try {
+ while (groups.hasMoreElements()) {
+ IGroup group = groups.nextElement();
+ if (!group.isMember(userID)) continue;
+
+ userGroupManager.removeUserFromGroup(group, userID);
+ }
+
+ // comes out clean of group membership...now remove user
+ userGroupManager.removeUser(userID);
+
+ auditDeleteUser(userID, ILogger.SUCCESS);
+
+ } catch (Exception e) {
+ throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_FAIL_USER_RMV"));
+ }
+
+ } catch (CMSException e) {
+ auditDeleteUser(userID, ILogger.FAILURE);
+ throw e;
+ }
+ }
+
+ public void log(int level, String message) {
+ log(ILogger.S_USRGRP, level, message);
+ }
+
+ public void auditAddUser(String id, UserData userData, String status) {
+ audit(OpDef.OP_ADD, id, getParams(userData), status);
+ }
+
+ public void auditModifyUser(String id, UserData userData, String status) {
+ audit(OpDef.OP_MODIFY, id, getParams(userData), status);
+ }
+
+ public void auditDeleteUser(String id, String status) {
+ audit(OpDef.OP_DELETE, id, null, status);
+ }
+
+ public void audit(String type, String id, Map<String, String> params, String status) {
+ audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
+ }
+}
generated by cgit (git 2.34.1) at 2024-05-20 22:14:28 +0000