authorAde Lee <alee@redhat.com>2014-06-11 23:50:00 +0800
committerAde Lee <alee@redhat.com>2014-06-13 03:04:06 +0800
commite399ad4a78a8a9b931c643f94190e441e767f22b (patch)
treed69d8519067b0c8f119cbad04d93869423644db4 /base/kra/src/org/dogtagpki/server/kra
parent68f401a044c4d1065681a5c988513ef8f590feb8 (diff)
Fix identities for security data storage, retrieval and generation
For the new security data storage and retrieval, and for symmetric key generation, we need to store the identity of the agent that is requesting and approving each operation, both in the ldap record and in the audit logs. (Tickets 806 and 807) This patch also adds required logic to check that the owner of the recovery request is the same agent that retrieves the key. It also adds missing audit log constants for symmetric key generation so that they will show up in the audit log.
Diffstat (limited to 'base/kra/src/org/dogtagpki/server/kra')
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java32
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java18
2 files changed, 34 insertions, 16 deletions
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 4f3ef57af..c538e016b 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceMessage;
+import com.netscape.certsrv.base.UnauthorizedException;
import com.netscape.certsrv.dbs.keydb.KeyId;
import com.netscape.certsrv.key.KeyArchivalRequest;
import com.netscape.certsrv.key.KeyRecoveryRequest;
@@ -176,7 +177,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Archival must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
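Review bot: The null check at L39 guards the wrong value: `servletRequest.getUserPrincipal()` is dereferenced at L38 before anything is checked, so an unauthenticated caller gets a NullPointerException (an unhandled 500) instead of the intended UnauthorizedException, and only the rare case of a principal whose name is null reaches the throw. Keep the principal itself and test it: `java.security.Principal principal = servletRequest.getUserPrincipal();` followed by `if (principal == null || principal.getName() == null) {` and then the existing throw. The same pattern is introduced in the recovery hunk (`requestor`, L49), the key-generation hunk (`owner`, L84), the approval hunk (L74, which has no check at all) and the KeyService retrieval hunk (`retriever`, L101), so the guard should be applied uniformly, ideally via one private helper that all five call. The enclosing method begins and ends outside this hunk.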
@@ -207,8 +212,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
+ String requestor = servletRequest.getUserPrincipal().getName();
+ if (requestor == null) {
+ throw new UnauthorizedException("Recovery must be initiated by an agent");
+ }
response = (data.getCertificate() != null)?
- requestKeyRecovery(data): dao.submitRequest(data, uriInfo);
+ requestKeyRecovery(data): dao.submitRequest(data, uriInfo, requestor);
auditRecoveryRequestMade(response.getRequestInfo().getRequestId(),
ILogger.SUCCESS, data.getKeyId());
@@ -253,18 +262,9 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (id == null) {
throw new BadRequestException("Invalid request id.");
}
- // auth and authz
- KeyRequestDAO dao = new KeyRequestDAO();
try {
- IRequest request = queue.findRequest(id);
- String type = request.getRequestType();
- if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
- service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- }
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
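Review bot: The approval path at L74 no longer inspects the request type before calling `service.addAgentAsyncKeyRecovery(...)`; the removed lines acted only on KEYRECOVERY_REQUEST and SECURITY_DATA_RECOVERY_REQUEST and silently ignored everything else, so unless addAgentAsyncKeyRecovery rejects other request types itself (not visible in this diff), an archival or key-generation request id submitted to this endpoint would now be recorded as an approved recovery and audited as `"approve"` with the caller as approving agent. If folding both recovery types into the service call is intentional, say so at the call site: `// addAgentAsyncKeyRecovery records the approving agent for both asymmetric and security-data recovery requests; other types are rejected by the service`, and if the service does not reject them, restore an explicit type check that throws BadRequestException. The enclosing method begins and ends outside this hunk.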
@@ -448,7 +448,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Key generation must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index cfb84a5bf..9f33b1ba7 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -314,8 +314,22 @@ public class KeyService extends PKIService implements KeyResource {
throw new BadRequestException("Invalid request type");
}
- //confirm that agent is originator of request, else throw 401
- // TO-DO
+ //confirm that retriever is originator of request, else throw 401
+ String retriever = servletRequest.getUserPrincipal().getName();
+ IRequest request;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "unable to retrieve recovery request");
+ throw new PKIException(e.getMessage());
+ }
+ String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ if (! originator.equals(retriever)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "recovery request not approved. originator does not match retriever");
+ throw new UnauthorizedException(
+ "Data for recovery requests can only be retrieved by the originators of the request");
+ }
// confirm request is in approved state
RequestStatus status = reqInfo.getRequestStatus();
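Review bot: `originator.equals(retriever)` at L111 throws NullPointerException whenever the request carries no ATTR_REQUEST_OWNER, which applies to recovery requests created before this change and, as far as the diff shows, to the certificate-based path in KeyRequestService (`requestKeyRecovery(data)` at L55 is not given the requestor); an ownership check should fail closed rather than crash, so write `if (originator == null || !originator.equals(retriever)) {`. The audit message at L112, "recovery request not approved. originator does not match retriever", describes an approval-status failure although this check is an ownership mismatch and the status check only follows at L116–117; dropping the first clause makes the audit trail accurate. At L108 `new PKIException(e.getMessage())` discards the original exception; if PKIException offers a cause-taking constructor, pass `e` so the stack is preserved rather than relying on the `printStackTrace()` at L106. The enclosing method begins and ends outside this hunk.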