Enabled authentication for security domain REST interface.

The REST interface for security domain has been refactored and
configured such that it requires authentication. A CLI has been
added to get an installation token.

Ticket #309

11 files changed, 248 insertions, 155 deletions

diff --git a/base/common/src/com/netscape/certsrv/system/InstallToken.java b/base/common/src/com/netscape/certsrv/system/InstallToken.java
index aa34893a1..06accc3f2 100644
--- a/base/common/src/com/netscape/certsrv/system/InstallToken.java
+++ b/base/common/src/com/netscape/certsrv/system/InstallToken.java
@@ -14,7 +14,7 @@
 //
 // (C) 2012 Red Hat, Inc.
 // All rights reserved.
-// --- END COPYRIGHT BLOCK --- 
+// --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.system;
 
 import javax.xml.bind.annotation.XmlAccessType;
@@ -26,16 +26,17 @@ import javax.xml.bind.annotation.XmlRootElement;
  * @author alee
  *
  */
-@XmlRootElement(name="CertData")
+@XmlRootElement(name="InstallToken")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class InstallToken {
+
     @XmlElement
     private String token;
 
     public InstallToken(String token) {
         this.token = token;
     }
-    
+
     public InstallToken() {
         // required by jaxb
     }
diff --git a/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java b/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java
deleted file mode 100644
index bc000a96a..000000000
--- a/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java
+++ /dev/null
@@ -1,99 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2012 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK --- 
-package com.netscape.certsrv.system;
-
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlAccessType;
-
-/**
- * @author alee
- *
- */
-@XmlRootElement(name="InstallTokenRequest")
-@XmlAccessorType(XmlAccessType.FIELD)
-public class InstallTokenRequest {
-    @XmlElement
-    private String user;
-    
-    @XmlElement
-    private String password;
-    
-    @XmlElement
-    private String subsystem;
-    
-    @XmlElement
-    private String host;
-    
-    @XmlElement
-    private String port;
-
-    public InstallTokenRequest(String user, String password, String subsystem, String host, String port) {
-        this.user = user;
-        this.password = password;
-        this.subsystem = subsystem;
-        this.host = host;
-        this.port = port;
-    }
-
-    public InstallTokenRequest() {
-        // required for jaxb
-    }
-
-    public String getUser() {
-        return user;
-    }
-
-    public void setUser(String user) {
-        this.user = user;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-
-    public void setPassword(String password) {
-        this.password = password;
-    }
-
-    public String getSubsystem() {
-        return subsystem;
-    }
-
-    public void setSubsystem(String subsystem) {
-        this.subsystem = subsystem;
-    }
-
-    public String getHost() {
-        return host;
-    }
-
-    public void setHost(String host) {
-        this.host = host;
-    }
-
-    public String getPort() {
-        return port;
-    }
-
-    public void setPort(String port) {
-        this.port = port;
-    }
-    
-}
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java
new file mode 100644
index 000000000..fd7eb342b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java
@@ -0,0 +1,42 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.system;
+
+import java.net.URISyntaxException;
+
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
+
+
+/**
+ * @author alee
+ */
+public class SecurityDomainClient extends PKIClient {
+
+    private SecurityDomainResource client;
+
+    public SecurityDomainClient(ClientConfig config) throws URISyntaxException {
+        super(config);
+
+        client = createProxy(SecurityDomainResource.class);
+    }
+
+    public InstallToken getInstallToken(String hostname, String subsystem) {
+        return client.getInstallToken(hostname, subsystem);
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
new file mode 100644
index 000000000..41bbf779e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.system;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+
+/**
+ * @author alee
+ */
+@Path("securityDomain")
+public interface SecurityDomainResource {
+
+    @GET
+    @Path("installToken")
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public InstallToken getInstallToken(
+            @QueryParam("hostname") String hostname,
+            @QueryParam("subsystem") String subsystem);
+}
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
index 876ed9bac..fd14bbe19 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
@@ -40,8 +40,4 @@ public class SystemConfigClient extends PKIClient {
     public ConfigurationResponse configure(ConfigurationRequest data) {
         return configClient.configure(data);
     }
-
-    public InstallToken getInstallToken(InstallTokenRequest data) {
-        return configClient.getInstallToken(data);
-    }
 }
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
index 4ecafc6f7..ca06ededb 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java
@@ -44,12 +44,6 @@ public interface SystemConfigResource {
     @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
     public ConfigurationResponse configure(ConfigurationRequest data);
 
-    @POST
-    @Path("installToken")
-    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
-    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
-    public InstallToken getInstallToken(InstallTokenRequest data);
-
     @GET
     @Path("domainInfo")
     @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
diff --git a/base/common/src/com/netscape/cms/authorization/AAclAuthz.java b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java
index b47956fb3..089cca9be 100644
--- a/base/common/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -521,7 +521,7 @@ public abstract class AAclAuthz {
             log(ILogger.LL_INFO, infoMsg);
             return;
         } else {
-            Object[] params = new Object[2];
+            String[] params = new String[2];
 
             params[0] = name;
             params[1] = perm;
@@ -530,7 +530,7 @@ public abstract class AAclAuthz {
                     CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm));
 
             throw new EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION",
-                        (String[]) params));
+                        params));
         }
     }
 
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 89233bdc2..531fc212f 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -146,8 +146,7 @@ import com.netscape.certsrv.ldap.ILdapConnFactory;
 import com.netscape.certsrv.ocsp.IDefStore;
 import com.netscape.certsrv.ocsp.IOCSPAuthority;
 import com.netscape.certsrv.system.InstallToken;
-import com.netscape.certsrv.system.InstallTokenRequest;
-import com.netscape.certsrv.system.SystemConfigClient;
+import com.netscape.certsrv.system.SecurityDomainClient;
 import com.netscape.certsrv.usrgrp.EUsrGrpException;
 import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
@@ -322,17 +321,17 @@ public class ConfigurationUtils {
         }
         String csType = cs.getString("cs.type");
 
-        InstallTokenRequest data = new InstallTokenRequest(user, passwd, csType, CMS.getEEHost(), CMS.getAdminPort());
-
         ClientConfig config = new ClientConfig();
         config.setServerURI("https://" + sdhost + ":" + sdport + "/ca");
+        config.setUsername(user);
+        config.setPassword(passwd);
 
-        SystemConfigClient client = new SystemConfigClient(config);
+        SecurityDomainClient client = new SecurityDomainClient(config);
 
-        InstallToken token = null;
         try {
-            token = client.getInstallToken(data);
+            InstallToken token = client.getInstallToken(sdhost, csType);
             return token.getToken();
+
         } catch (ClientResponseFailure e) {
             if (e.getResponse().getResponseStatus() == Response.Status.NOT_FOUND) {
                 // try the old servlet
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
new file mode 100644
index 000000000..f6cb4c638
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -0,0 +1,112 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.csadmin;
+
+import java.net.InetAddress;
+import java.util.Locale;
+import java.util.Random;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.certsrv.base.ISecurityDomainSessionTable;
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.base.UnauthorizedException;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.system.InstallToken;
+import com.netscape.cms.servlet.processors.Processor;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class SecurityDomainProcessor extends Processor {
+
+    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+
+    Random random = new Random();
+
+    public SecurityDomainProcessor(Locale locale) throws EPropertyNotFound, EBaseException {
+        super("securitydomain", locale);
+    }
+
+    public InstallToken getInstallToken(
+            String user,
+            String hostname,
+            String subsystem) throws EBaseException {
+
+        String groupname = ConfigurationUtils.getGroupName(user, subsystem);
+
+        if (groupname == null) {
+            String message = CMS.getLogMessage(
+                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                    user,
+                    ILogger.FAILURE,
+                    "Enterprise " + subsystem + " Administrators");
+            audit(message);
+
+            throw new UnauthorizedException("Access denied.");
+        }
+
+        String message = CMS.getLogMessage(
+                LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                user,
+                ILogger.SUCCESS,
+                groupname);
+        audit(message);
+
+        String ip = "";
+        try {
+            ip = InetAddress.getByName(hostname).getHostAddress();
+        } catch (Exception e) {
+            CMS.debug("Unable to determine IP address for "+hostname);
+        }
+
+        // assign cookie
+        Long num = random.nextLong();
+        String cookie = num.toString();
+
+        String auditParams = "operation;;issue_token+token;;" + cookie + "+ip;;" + ip +
+                      "+uid;;" + user + "+groupname;;" + groupname;
+
+        ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable();
+        int status = ctable.addEntry(cookie, ip, user, groupname);
+
+        if (status == ISecurityDomainSessionTable.SUCCESS) {
+            message = CMS.getLogMessage(
+                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               user,
+                               ILogger.SUCCESS,
+                               auditParams);
+            audit(message);
+
+        } else {
+            message = CMS.getLogMessage(
+                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               user,
+                               ILogger.FAILURE,
+                               auditParams);
+            audit(message);
+
+            throw new PKIException("Failed to update security domain.");
+        }
+
+
+        return new InstallToken(cookie);
+    }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java
new file mode 100644
index 000000000..3a2bac49c
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.csadmin;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.system.InstallToken;
+import com.netscape.certsrv.system.SecurityDomainResource;
+import com.netscape.cms.servlet.base.PKIService;
+
+/**
+ * @author alee
+ */
+public class SecurityDomainService extends PKIService implements SecurityDomainResource {
+
+    @Override
+    public InstallToken getInstallToken(String hostname, String subsystem) {
+        try {
+            // Get uid from realm authentication.
+            String user = servletRequest.getUserPrincipal().getName();
+
+            SecurityDomainProcessor processor = new SecurityDomainProcessor(getLocale());
+            return processor.getInstallToken(user, hostname, subsystem);
+
+        } catch (EBaseException e) {
+            throw new PKIException(e.getMessage(), e);
+        }
+    }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
index 3bbe3ca80..8bc3c5946 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
@@ -18,10 +18,8 @@
 package com.netscape.cms.servlet.csadmin;
 
 import java.math.BigInteger;
-import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.net.UnknownHostException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -46,7 +44,6 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.base.ISecurityDomainSessionTable;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
@@ -54,8 +51,6 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority;
 import com.netscape.certsrv.system.ConfigurationRequest;
 import com.netscape.certsrv.system.ConfigurationResponse;
 import com.netscape.certsrv.system.DomainInfo;
-import com.netscape.certsrv.system.InstallToken;
-import com.netscape.certsrv.system.InstallTokenRequest;
 import com.netscape.certsrv.system.SystemCertData;
 import com.netscape.certsrv.system.SystemConfigResource;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
@@ -909,35 +904,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
     }
 
     @Override
-    public InstallToken getInstallToken(InstallTokenRequest data) {
-        // TODO Figure out how to do authentication here based on user/pass
-        // For now, allow all user/pass to be valid
-        CMS.debug("getInstallToken(): starting");
-        String user = data.getUser();
-        String host = data.getHost();
-        String subsystem = data.getSubsystem();
-        String groupname = ConfigurationUtils.getGroupName(user, subsystem);
-
-        // assign cookie
-        long num = random.nextLong();
-        String cookie = num + "";
-        ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable();
-        String ip;
-        try {
-            ip = InetAddress.getByName(host).toString();
-        } catch (UnknownHostException e) {
-            throw new PKIException(Response.Status.BAD_REQUEST, "Unable to resolve host " + host +
-                    "to an IP address: " + e);
-        }
-        int index = ip.indexOf("/");
-        if (index > 0)  ip = ip.substring(index + 1);
-
-        ctable.addEntry(cookie, ip, user, groupname);
-
-        return new InstallToken(cookie);
-    }
-
-    @Override
     public DomainInfo getDomainInfo() {
         // TODO Auto-generated method stub for a RESTful method that returns the security domain
         return null;