author | Ade Lee <alee@redhat.com> | 2016-04-16 16:43:28 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2016-04-20 17:30:35 -0400 |
commit | 002052717ad3b02a82630ba9c799a38146989b02 (patch) | |
tree | ba16c908494ed759bd84982d2aaac5f092508b13 /base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java | |
parent | c198f02b53b4a702e5ca8e3477f89f2b72a7b467 (diff) | |
Add authz checks for all operations
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
Diffstat (limited to 'base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java')
-rw-r--r-- | base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java | 40 |
1 files changed, 38 insertions, 2 deletions
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 43a5f540a..52df7696f 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -21,6 +21,7 @@ package org.dogtagpki.server.kra.rest;
 import java.math.BigInteger;
 import java.net.URI;
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Enumeration;
@@ -41,6 +42,8 @@ import javax.ws.rs.core.UriInfo;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.HTTPGoneException;
@@ -67,6 +70,7 @@ import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IRequestQueue;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.key.KeyRequestDAO;
 import com.netscape.cmsutil.ldap.LDAPUtil;
@@ -337,7 +341,7 @@ public class KeyService extends PKIService implements KeyResource {
 KeyRequestDAO reqDAO = new KeyRequestDAO();
 KeyRequestInfo reqInfo;
 try {
- reqInfo = reqDAO.getRequest(reqId, uriInfo);
+ reqInfo = reqDAO.getRequest(reqId, uriInfo, getAuthToken());
 } catch (EBaseException e1) {
 // failed to get request
 logMessage = "failed to get request";
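Review bot: If the realm check now runs inside `reqDAO.getRequest(reqId, uriInfo, getAuthToken())`, a denial raised there would land in the existing `catch (EBaseException e1)` and be reported as "failed to get request" rather than as an authorization failure. This assumes EAuthzAccessDenied is an EBaseException, which the catch order in the later hunks suggests but this page does not show. Consider catching it first, as the other hunks do, with `} catch (EAuthzAccessDenied e) {` followed by a failure audit and `throw new UnauthorizedException("Not authorized to access this request");`. The enclosing method starts and ends outside the hunk, so an outer handler may already cover this.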
@@ -415,6 +419,17 @@ public class KeyService extends PKIService implements KeyResource { start = start == null ? 0 : start; size = size == null ? DEFAULT_SIZE : size; + if (realm != null) { + try { + authz.checkRealm(realm, getAuthToken(), null, "keys", "list"); + } catch (EAuthzAccessDenied e) { + throw new UnauthorizedException("Not authorized to list these keys"); + } catch (EBaseException e) { + CMS.debug("listRequests: unable to authorize realm" + e); + throw new PKIException(e.toString()); + } + } + // get ldap filter String filter = createSearchFilter(status, clientKeyID, realm); CMS.debug("listKeys: filter is " + filter); @@ -489,7 +504,16 @@ public class KeyService extends PKIService implements KeyResource { while (iter.hasNext()) { KeyInfo info = iter.next(); if (info != null) { - // return the first one + // return the first one, but first confirm that the requester has access to this key + try { + authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read"); + } catch (EAuthzAccessDenied e) { + throw new UnauthorizedException("Not authorized to read this key"); + } catch (EBaseException e) { + CMS.debug("listRequests: unable to authorize realm" + e); + throw new PKIException(e.toString()); + } + auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo); return createOKResponse(info); 
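Review bot: The realm check added to the list operation is skipped entirely when `realm` is null, so a request without a realm is bounded only by what `createSearchFilter(status, clientKeyID, realm)` produces. That method is outside the hunk; confirm that a null realm restricts the filter to records that have no realm rather than matching every record, and say so in a comment above `if (realm != null)`. The debug line is also labelled `listRequests:` while the next log line says `listKeys:`, and `throw new PKIException(e.toString())` drops the cause and may put internal error text into the response. `CMS.debug("listKeys: unable to authorize realm: " + e);` with a fixed client message would be cleaner.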
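Review bot: The denial branch added ahead of `auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo)` throws `UnauthorizedException` without recording a failure, whereas the key-id lookup later in this commit calls `auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo)` before throwing. Refused key reads are the events an auditor most needs, so add `auditRetrieveKey(ILogger.FAILURE, null, clientKeyID, auditInfo);` before the `throw` in both new catch blocks, unless a handler outside this hunk already does it. The `listRequests:` prefix in the debug message looks like a copy-paste label and should name this method. The loop and its enclosing method start and end outside the hunk.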
@@ -654,10 +678,15 @@ public class KeyService extends PKIService implements KeyResource { IKeyRecord rec = null; try { rec = repo.readKeyRecord(keyId.toBigInteger()); + authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "key", "read"); KeyInfo info = createKeyDataInfo(rec, true); auditRetrieveKey(ILogger.SUCCESS, null, keyId, auditInfo); return createOKResponse(info); + } catch (EAuthzAccessDenied e) { + auditInfo = method + "Unauthorized access for key record"; + auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo); + throw new UnauthorizedException(auditInfo); } catch (EDBRecordNotFoundException e) { auditInfo = method + e.getMessage(); auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo); @@ -672,6 +701,13 @@ public class KeyService extends PKIService implements KeyResource { } } + private IAuthToken getAuthToken() { + Principal principal = servletRequest.getUserPrincipal(); + PKIPrincipal pkiprincipal = (PKIPrincipal) principal; + IAuthToken authToken = pkiprincipal.getAuthToken(); + return authToken; + } + @Override public Response modifyKeyStatus(KeyId keyId, String status) { String method = "KeyService.modifyKeyStatus: "; |
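Review bot: The new `EAuthzAccessDenied` branch appears to answer differently from the `EDBRecordNotFoundException` branch that follows (its throw is outside the hunk), so a caller with no access to a realm may still learn which key ids exist in it. If that matters here, return the same response in both cases and keep the distinction in the audit record only. The branch also passes `auditInfo`, which carries the internal `method` prefix, to `UnauthorizedException` as the client-facing message; the fixed `"Not authorized to read this key"` used elsewhere in this commit would be consistent.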
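Review bot: `getAuthToken()` casts and dereferences the result of `servletRequest.getUserPrincipal()` without a check. A request with no authenticated principal, or one authenticated through a realm that does not produce a `PKIPrincipal`, therefore fails with a NullPointerException or ClassCastException instead of a clean denial. Every realm check added in this commit depends on this helper, so it should fail closed explicitly and carry a short Javadoc saying it never yields a token for an unauthenticated request. The call in the key-id lookup sits inside a `try` whose later catch clauses are outside this page, so check that none of them swallows the new exception.

```java
private IAuthToken getAuthToken() {
    Principal principal = servletRequest.getUserPrincipal();
    if (!(principal instanceof PKIPrincipal)) {
        // no authenticated user, or a principal that did not come from the PKI realm
        throw new UnauthorizedException("No authenticated PKI principal on this request");
    }
    return ((PKIPrincipal) principal).getAuthToken();
}
```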