author | Ade Lee <alee@redhat.com> | 2014-06-11 23:50:00 +0800 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2014-06-13 03:04:06 +0800 |
commit | e399ad4a78a8a9b931c643f94190e441e767f22b (patch) | |
tree | d69d8519067b0c8f119cbad04d93869423644db4 /base/kra/src/org/dogtagpki/server/kra | |
parent | 68f401a044c4d1065681a5c988513ef8f590feb8 (diff) | |
Fix identities for security data storage, retrieval and generation
For the new security data storage and retrieval, and for symmetric
key generation, we need to store the identity of the agent that is
requesting and approving each operation, both in the ldap record
and in the audit logs. (Tickets 806 and 807)
This patch also adds required logic to check that the owner of the
recovery request is the same agent that retrieves the key. It also
adds missing audit log constants for symmetric key generation so that
they will show up in the audit log.
Diffstat (limited to 'base/kra/src/org/dogtagpki/server/kra')
-rw-r--r-- | base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java | 32 | ||||
-rw-r--r-- | base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java | 18 |
2 files changed, 34 insertions, 16 deletions
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 4f3ef57af..c538e016b 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceMessage;
+import com.netscape.certsrv.base.UnauthorizedException;
 import com.netscape.certsrv.dbs.keydb.KeyId;
 import com.netscape.certsrv.key.KeyArchivalRequest;
 import com.netscape.certsrv.key.KeyRecoveryRequest;
@@ -176,7 +177,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 KeyRequestDAO dao = new KeyRequestDAO();
 KeyRequestResponse response;
 try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Archival must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
 auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
 return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
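Review bot: The `owner == null` check in the archival hunk guards the wrong object: for an unauthenticated caller it is `servletRequest.getUserPrincipal()` that is null, and `.getName()` is already invoked on it on the line above, so the path fails with a NullPointerException (a 500) instead of the intended UnauthorizedException, while `Principal.getName()` itself is not generally expected to return null. Fetch the principal first and test that: `Principal principal = servletRequest.getUserPrincipal(); if (principal == null) throw new UnauthorizedException("Archival must be performed by an agent"); String owner = principal.getName();` (needs `java.security.Principal` imported). The same pattern is repeated in the recovery and key-generation hunks below and in KeyService. Whether a container auth filter already rejects anonymous requests before this method runs cannot be seen from the hunk, but as written the null check is unreachable either way.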
@@ -207,8 +212,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 KeyRequestDAO dao = new KeyRequestDAO();
 KeyRequestResponse response;
 try {
+ String requestor = servletRequest.getUserPrincipal().getName();
+ if (requestor == null) {
+ throw new UnauthorizedException("Recovery must be initiated by an agent");
+ }
 response = (data.getCertificate() != null)?
- requestKeyRecovery(data): dao.submitRequest(data, uriInfo);
+ requestKeyRecovery(data): dao.submitRequest(data, uriInfo, requestor);
 auditRecoveryRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getKeyId());
@@ -253,18 +262,9 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 if (id == null) {
 throw new BadRequestException("Invalid request id.");
 }
- // auth and authz
- KeyRequestDAO dao = new KeyRequestDAO();
 try {
- IRequest request = queue.findRequest(id);
- String type = request.getRequestType();
- if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
- service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- }
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
 } catch (EBaseException e) {
 e.printStackTrace();
 auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
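Review bot: The `requestor` identity is only passed to the `dao.submitRequest(data, uriInfo, requestor)` arm of the ternary; the certificate-based arm `requestKeyRecovery(data)` still receives no requestor, so for those recovery requests the owner this commit sets out to record may never be written. That matters because the retrieval check added to KeyService in this same commit reads `IRequest.ATTR_REQUEST_OWNER` and compares it with the caller, so a request without a recorded owner cannot be retrieved by anyone. If `requestKeyRecovery` (outside this hunk) does not record the owner itself, pass it through, e.g. `requestKeyRecovery(data, requestor)`, or add a comment above the ternary stating where the owner of certificate-based requests is recorded. The `requestor == null` check also has the same ordering problem as the archival hunk: `getUserPrincipal()` is dereferenced before anything is null-checked.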
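Review bot: Dropping the `request.getRequestType()` dispatch in approveRequest means `service.addAgentAsyncKeyRecovery(...)` is now called for every request type, including `SECURITY_DATA_RECOVERY_REQUEST`, which previously went through `dao.approveRequest(id)`, and archival or key-generation requests, which previously fell through without action. Nothing in this diff shows `addAgentAsyncKeyRecovery` being taught to handle security-data requests, so unless that happened in another commit, approval of security-data recovery looks broken by this hunk and approving an unrelated request type will now either fail inside the key-recovery service or be audited as a successful "approve". Restore the type check, keeping the security-data branch, and reject anything else explicitly, e.g. `} else { throw new BadRequestException("Request type does not support approval: " + type); }`, so the success audit is only emitted for a request that was actually approved. The commit message says the approving agent's identity should reach the audit log, yet `auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve")` is not passed the agent name; if the helper does not derive it from the servlet request itself, it should be added here too.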
@@ -448,7 +448,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 KeyRequestDAO dao = new KeyRequestDAO();
 KeyRequestResponse response;
 try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Key generation must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
 auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index cfb84a5bf..9f33b1ba7 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -314,8 +314,22 @@ public class KeyService extends PKIService implements KeyResource {
 throw new BadRequestException("Invalid request type");
 }
- //confirm that agent is originator of request, else throw 401
- // TO-DO
+ //confirm that retriever is originator of request, else throw 401
+ String retriever = servletRequest.getUserPrincipal().getName();
+ IRequest request;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "unable to retrieve recovery request");
+ throw new PKIException(e.getMessage());
+ }
+ String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ if (! originator.equals(retriever)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "recovery request not approved. originator does not match retriever");
+ throw new UnauthorizedException(
+ "Data for recovery requests can only be retrieved by the originators of the request");
+ }
 // confirm request is in approved state
 RequestStatus status = reqInfo.getRequestStatus();
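Review bot: In the KeyService hunk, `originator.equals(retriever)` dereferences the value read from `IRequest.ATTR_REQUEST_OWNER`, which will be absent on any request that predates this commit or was created by a path that does not record an owner (the certificate-based branch in KeyRequestService, for one), so an authorization failure surfaces as a NullPointerException rather than the 401 the comment promises, and no audit record is written for it. Write the comparison so that a missing owner is denied and audited: `if (originator == null || !originator.equals(retriever)) {`, and fix the audit message, which currently reads as an approval-state failure: `"originator of recovery request does not match retriever"`. The `throw new PKIException(e.getMessage())` in the catch block discards the cause; if PKIException has a `(String, Throwable)` constructor (not visible here) use it, otherwise keep the stack trace in the server log rather than only `printStackTrace()`. Whether `queue.findRequest(reqId)` can return null for an unknown id cannot be seen from this hunk; if it can, a null check before `getExtDataInString` is needed too. The enclosing method continues past the end of this hunk.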