authorAde Lee <alee@redhat.com>2014-06-11 23:50:00 +0800
committerAde Lee <alee@redhat.com>2014-06-13 03:04:06 +0800
commite399ad4a78a8a9b931c643f94190e441e767f22b (patch)
treed69d8519067b0c8f119cbad04d93869423644db4 /base/kra/src
parent68f401a044c4d1065681a5c988513ef8f590feb8 (diff)
Fix identities for security data storage, retrieval and generation
For the new security data storage and retrieval, and for symmetric key generation, we need to store the identity of the agent that is requesting and approving each operation, both in the LDAP record and in the audit logs. (Tickets 806 and 807) This patch also adds the required logic to check that the owner of the recovery request is the same agent that retrieves the key. It also adds missing audit log constants for symmetric key generation so that they will show up in the audit log.
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java30
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java3
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java36
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataService.java44
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java43
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java32
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java18
7 files changed, 81 insertions, 125 deletions
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 54cf2a0c6..8ee8cb2d0 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -575,6 +575,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
+ public int getNoOfRequiredSecurityDataRecoveryAgents() throws EBaseException {
+ int ret = -1;
+ ret = mConfig.getInteger("noOfRequiredSecurityDataRecoveryAgents", 1);
+ if (ret <= 0) {
+ throw new EBaseException("Invalid parameter noOfRequiredSecurityDataRecoveryAgents");
+ }
+ return ret;
+ }
+
/**
* Sets number of required agents for
* recovery operation
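Review bot: The new `getNoOfRequiredSecurityDataRecoveryAgents()` has no Javadoc, while the sibling setter immediately below it is documented; since this value now decides how many agents must approve a security-data recovery, its contract should be spelled out. Suggest adding `/** Returns the number of agent approvals required for a security-data recovery request, read from the config parameter noOfRequiredSecurityDataRecoveryAgents (default 1). @throws EBaseException if the configured value is not positive. */` above the method. The `int ret = -1;` initializer is dead since `ret` is assigned on the next line; `int ret = mConfig.getInteger(...)` reads cleaner.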
@@ -850,7 +859,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
r.setExtData(RecoveryService.ATTR_SERIALNO, kid);
r.setExtData(RecoveryService.ATTR_USER_CERT, cert);
// first one in the "approvingAgents" list is the initiating agent
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, agent);
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
r.setRequestStatus(RequestStatus.PENDING);
queue.updateRequest(r);
auditRecoveryID = r.getRequestId().toString();
@@ -911,7 +920,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ String agents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
if (agents != null) {
int i = agents.indexOf(",");
if (i == -1) {
@@ -946,7 +955,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ String agents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
if (agents != null) {
int count = 0;
StringTokenizer st = new StringTokenizer(agents, ",");
@@ -959,11 +968,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
count++;
}
+ int agentsRequired =
+ (r.getRequestType().equals(IRequest.SECURITY_DATA_RECOVERY_REQUEST)) ?
+ getNoOfRequiredSecurityDataRecoveryAgents() :
+ getNoOfRequiredAgents();
// note: if count==1 and required agents is 1, it's good to add
- // and it'd look like "agent1,agent1" - that's the only dup allowed
- if (count <= getNoOfRequiredAgents()) { //all good, add it
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS,
+ // and it'd look like "agent1,agent1" - that's the only duplicate allowed
+ if (count <= agentsRequired) { //all good, add it
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS,
agents + "," + agentID);
if (count == getNoOfRequiredAgents()) {
r.setRequestStatus(RequestStatus.APPROVED);
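Review bot: The two thresholds in this hunk disagree: the add-guard `if (count <= agentsRequired)` uses the request-type-specific count, but the status flip two lines below still compares against `getNoOfRequiredAgents()`. When `noOfRequiredSecurityDataRecoveryAgents` is configured differently from `noOfRequiredAgents`, a security-data recovery request is either moved to APPROVED before the configured number of agents has signed off (if the generic count is lower) or can never reach APPROVED at all (if it is higher), since later approvals are rejected by the add-guard. Change the second check to `if (count == agentsRequired) {`. The enclosing method continues outside the hunk.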
@@ -1039,7 +1052,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
// for both sync and async recovery
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, agent);
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
@@ -1151,8 +1164,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- auditAgents =
- r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
// set transient parameters
params = createVolatileRequest(r.getRequestId());
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 1b5781ca0..7b1685b4d 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -103,9 +103,6 @@ public class RecoveryService implements IService {
public static final String ATTR_USER_CERT = "cert";
public static final String ATTR_DELIVERY = "delivery";
- // for Async Key Recovery
- public static final String ATTR_APPROVE_AGENTS = "approvingAgents";
-
private IKeyRecoveryAuthority mKRA = null;
private IKeyRepository mStorage = null;
private IStorageKeyUnit mStorageUnit = null;
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index 269fa8df4..a2d587318 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -53,7 +53,6 @@ import org.mozilla.jss.util.Password;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -119,7 +118,8 @@ public class SecurityDataRecoveryService implements IService {
byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
byte iv_in[] = null;
- String subjectID = auditSubjectID();
+ String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = requestor;
Hashtable<String, Object> params = mKRA.getVolatileRequest(
request.getRequestId());
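Review bot: `auditSubjectID` is now taken directly from `ATTR_REQUEST_OWNER` and will be null for a request that was created without that attribute (for example a request persisted before this change), whereas the removed `auditSubjectID()` helper always fell back to `ILogger.UNIDENTIFIED`; every `auditRecoveryRequestProcessed` call below would then write a null subject into the signed audit log. Suggest `String auditSubjectID = (requestor != null) ? requestor : ILogger.UNIDENTIFIED;`. The enclosing serviceRequest body starts and ends outside this hunk.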
@@ -130,7 +130,7 @@ public class SecurityDataRecoveryService implements IService {
if (params == null) {
CMS.debug("Can't get volatile params.");
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"cannot get volatile params");
throw new EBaseException("Can't obtain volatile params!");
}
@@ -213,7 +213,7 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
} catch (Exception e) {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot unwrap passphrase");
throw new EBaseException("Can't unwrap pass phase! " + e.toString());
} finally {
@@ -235,7 +235,7 @@ public class SecurityDataRecoveryService implements IService {
wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
key_data = wrapper.wrap(symKey);
} catch (Exception e) {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot wrap symmetric key");
throw new EBaseException("Can't wrap symmetric key! " + e.toString());
}
@@ -248,13 +248,13 @@ public class SecurityDataRecoveryService implements IService {
encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
key_data = encryptor.doFinal(unwrappedSecData);
} else {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
serialno.toString(), "Failed to create cipher");
throw new IOException("Failed to create cipher");
}
} catch (Exception e) {
e.printStackTrace();
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
serialno.toString(), "Cannot wrap pass phrase");
throw new EBaseException("Can't wrap pass phrase!");
}
@@ -265,7 +265,7 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
}
- auditRecoveryRequestProcessed(subjectID, ILogger.SUCCESS, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(),
"None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
mKRA.getRequestQueue().updateRequest(request);
@@ -421,26 +421,6 @@ public class SecurityDataRecoveryService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java
index 8201414db..4a2ebef34 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataService.java
@@ -24,7 +24,6 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -47,7 +46,6 @@ import com.netscape.cmsutil.util.Utils;
*/
public class SecurityDataService implements IService {
- private final static String DEFAULT_OWNER = "IPA Agent";
public final static String ATTR_KEY_RECORD = "keyRecord";
private final static String STATUS_ACTIVE = "active";
@@ -94,7 +92,7 @@ public class SecurityDataService implements IService {
String algParams = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_PARAMS);
String algStr = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_OID);
- // prameters if the secret is a symkey
+ // parameters if the secret is a symmetric key
String dataType = request.getExtDataInString(IRequest.SECURITY_DATA_TYPE);
String algorithm = request.getExtDataInString(IRequest.SECURITY_DATA_ALGORITHM);
int strength = request.getExtDataInInteger(IRequest.SECURITY_DATA_STRENGTH);
@@ -102,12 +100,12 @@ public class SecurityDataService implements IService {
CMS.debug("SecurityDataService.serviceRequest. Request id: " + id);
CMS.debug("SecurityDataService.serviceRequest wrappedSecurityData: " + wrappedSecurityData);
- String owner = getOwnerName(request);
- String subjectID = auditSubjectID();
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
//Check here even though restful layer checks for this.
if (clientKeyId == null || dataType == null) {
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Bad data in request");
throw new EBaseException("Bad data in SecurityDataService.serviceRequest");
}
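Review bot: `owner` read from `ATTR_REQUEST_OWNER` is used unchecked as the audit subject here and, later in the same method, as both the owner and the approving agent stored in the new `KeyRecord`, so a request lacking the attribute would produce a key record and an audit entry with a null identity. Since the commit's purpose is to record who performed the archival, a missing owner should be a hard failure rather than silently stored: `if (owner == null) { auditArchivalRequestProcessed(ILogger.UNIDENTIFIED, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Missing request owner"); throw new EBaseException("Missing request owner"); }` next to the existing "Bad data in request" check. The serviceRequest method starts and ends outside this hunk.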
@@ -177,11 +175,13 @@ public class SecurityDataService implements IService {
} else if (securityData != null) {
privateSecurityData = mStorageUnit.encryptInternalPrivate(securityData);
} else { // We have no data.
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
// create key record
+ // Note that in this case the owner is the same as the approving agent
+ // because the archival request is made by the agent.
KeyRecord rec = new KeyRecord(null, publicKey,
privateSecurityData, owner,
algStr, owner);
@@ -191,7 +191,7 @@ public class SecurityDataService implements IService {
//Now we need a serial number for our new key.
if (rec.getSerialNumber() != null) {
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -202,7 +202,7 @@ public class SecurityDataService implements IService {
if (serialNo == null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to get next Key ID");
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -222,7 +222,7 @@ public class SecurityDataService implements IService {
storage.addKeyRecord(rec);
- auditArchivalRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
clientKeyId, serialNo.toString(), "None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
mKRA.getRequestQueue().updateRequest(request);
@@ -230,10 +230,6 @@ public class SecurityDataService implements IService {
return true;
}
- //ToDo: return real owner with auth
- private String getOwnerName(IRequest request) {
- return DEFAULT_OWNER;
- }
private void audit(String msg) {
if (signedAuditLogger == null)
@@ -246,26 +242,6 @@ public class SecurityDataService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 774bbcda9..46c8265f0 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -34,7 +34,6 @@ import org.mozilla.jss.crypto.TokenException;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -56,7 +55,6 @@ import com.netscape.cmscore.dbs.KeyRecord;
*/
public class SymKeyGenService implements IService {
- private final static String DEFAULT_OWNER = "IPA Agent";
public final static String ATTR_KEY_RECORD = "keyRecord";
private final static String STATUS_ACTIVE = "active";
@@ -102,12 +100,12 @@ public class SymKeyGenService implements IService {
CMS.debug("SymKeyGenService.serviceRequest. Request id: " + id);
CMS.debug("SymKeyGenService.serviceRequest algorithm: " + algorithm);
- String owner = getOwnerName(request);
- String subjectID = auditSubjectID();
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
//Check here even though restful layer checks for this.
if (algorithm == null || clientKeyId == null || keySize <= 0) {
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Bad data in request");
throw new EBaseException("Bad data in SymKeyGenService.serviceRequest");
}
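Review bot: As in SecurityDataService, `owner` from `ATTR_REQUEST_OWNER` is not validated before it becomes the audit subject and (further down, outside the hunk) the identity stored with the generated key record, so a request without that attribute yields a null owner in both places. Suggest failing early alongside the existing parameter check: `if (owner == null) { auditSymKeyGenRequestProcessed(ILogger.UNIDENTIFIED, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Missing request owner"); throw new EBaseException("Missing request owner"); }`. The serviceRequest method starts and ends outside this hunk.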
@@ -167,7 +165,7 @@ public class SymKeyGenService implements IService {
} catch (TokenException | IllegalStateException | CharConversionException | NoSuchAlgorithmException
| InvalidAlgorithmParameterException e) {
CMS.debugStackTrace();
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to generate symmetric key");
throw new EBaseException("Errors in generating symmetric key: " + e);
}
@@ -178,7 +176,7 @@ public class SymKeyGenService implements IService {
if (sk != null) {
privateSecurityData = mStorageUnit.wrap(sk);
} else { // We have no data.
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
@@ -192,7 +190,7 @@ public class SymKeyGenService implements IService {
//Now we need a serial number for our new key.
if (rec.getSerialNumber() != null) {
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -203,7 +201,7 @@ public class SymKeyGenService implements IService {
if (serialNo == null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to get next Key ID");
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -218,7 +216,7 @@ public class SymKeyGenService implements IService {
CMS.debug("KRA adding Security Data key record " + serialNo);
storage.addKeyRecord(rec);
- auditSymKeyGenRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
clientKeyId, serialNo.toString(), "None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
@@ -227,11 +225,6 @@ public class SymKeyGenService implements IService {
return true;
}
- //ToDo: return real owner with auth
- private String getOwnerName(IRequest request) {
- return DEFAULT_OWNER;
- }
-
private void audit(String msg) {
if (signedAuditLogger == null)
return;
@@ -243,26 +236,6 @@ public class SymKeyGenService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 4f3ef57af..c538e016b 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceMessage;
+import com.netscape.certsrv.base.UnauthorizedException;
import com.netscape.certsrv.dbs.keydb.KeyId;
import com.netscape.certsrv.key.KeyArchivalRequest;
import com.netscape.certsrv.key.KeyRecoveryRequest;
@@ -176,7 +177,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Archival must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
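Review bot: The null check on `owner` guards the wrong value: `servletRequest.getUserPrincipal()` itself returns null for an unauthenticated request, so `.getName()` throws a NullPointerException before the new `UnauthorizedException` is ever reached, and the caller gets a 500 rather than the intended 401. Fetch the principal first and test it: `Principal principal = servletRequest.getUserPrincipal(); String owner = (principal != null) ? principal.getName() : null;` (needs `java.security.Principal`), keeping the existing `if (owner == null)` check after it. The enclosing method starts and ends outside the hunk.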
@@ -207,8 +212,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
+ String requestor = servletRequest.getUserPrincipal().getName();
+ if (requestor == null) {
+ throw new UnauthorizedException("Recovery must be initiated by an agent");
+ }
response = (data.getCertificate() != null)?
- requestKeyRecovery(data): dao.submitRequest(data, uriInfo);
+ requestKeyRecovery(data): dao.submitRequest(data, uriInfo, requestor);
auditRecoveryRequestMade(response.getRequestInfo().getRequestId(),
ILogger.SUCCESS, data.getKeyId());
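Review bot: The new `requestor` is only passed on the `dao.submitRequest(data, uriInfo, requestor)` branch; the `requestKeyRecovery(data)` branch taken when a certificate is supplied receives nothing, so unless that method records the principal itself (its body is not visible here) those requests will carry no `ATTR_REQUEST_OWNER`, which the owner-equals-retriever check added to KeyService in this same commit depends on. Consider `requestKeyRecovery(data, requestor)` or documenting why the cert-based path is exempt. The same `servletRequest.getUserPrincipal().getName()` chain also NPEs when the principal is null, so the `if (requestor == null)` guard cannot fire for an unauthenticated caller. The enclosing method starts and ends outside the hunk.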
@@ -253,18 +262,9 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (id == null) {
throw new BadRequestException("Invalid request id.");
}
- // auth and authz
- KeyRequestDAO dao = new KeyRequestDAO();
try {
- IRequest request = queue.findRequest(id);
- String type = request.getRequestType();
- if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
- service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- }
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
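Review bot: This approve endpoint is the one place in the commit that still dereferences `servletRequest.getUserPrincipal().getName()` with no null handling at all, so an unauthenticated call produces a NullPointerException instead of the 401 the other endpoints now return. The removed request-type switch also means `addAgentAsyncKeyRecovery` is invoked for any request id regardless of type; whether it rejects non-recovery requests is not visible here, so a short comment stating that it handles both KEYRECOVERY_REQUEST and SECURITY_DATA_RECOVERY_REQUEST (and what happens for other types) would make the intent clear. Suggest the same `Principal principal = servletRequest.getUserPrincipal();` plus null check pattern used for archival above. The enclosing method starts and ends outside the hunk.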
@@ -448,7 +448,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Key generation must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
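Review bot: Same issue as the archival endpoint: `servletRequest.getUserPrincipal().getName()` throws a NullPointerException when no principal is present, so the `if (owner == null)` branch and its `UnauthorizedException` are unreachable for the case they are meant to cover. Use `Principal principal = servletRequest.getUserPrincipal(); String owner = (principal != null) ? principal.getName() : null;` before the check. The enclosing method starts and ends outside the hunk.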
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index cfb84a5bf..9f33b1ba7 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -314,8 +314,22 @@ public class KeyService extends PKIService implements KeyResource {
throw new BadRequestException("Invalid request type");
}
- //confirm that agent is originator of request, else throw 401
- // TO-DO
+ //confirm that retriever is originator of request, else throw 401
+ String retriever = servletRequest.getUserPrincipal().getName();
+ IRequest request;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "unable to retrieve recovery request");
+ throw new PKIException(e.getMessage());
+ }
+ String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ if (! originator.equals(retriever)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "recovery request not approved. originator does not match retriever");
+ throw new UnauthorizedException(
+ "Data for recovery requests can only be retrieved by the originators of the request");
+ }
// confirm request is in approved state
RequestStatus status = reqInfo.getRequestStatus();
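Review bot: `originator.equals(retriever)` throws a NullPointerException when the request has no `ATTR_REQUEST_OWNER` — a request persisted before this change, or one created through a path that does not record the owner — which turns an authorization failure into a 500 and skips the audit entry. Invert the comparison so a missing owner is treated as a mismatch: `if (originator == null || !originator.equals(retriever)) {`. `retriever` can likewise be null if `getUserPrincipal()` is null; fetching the principal and checking it before `.getName()` keeps this an UnauthorizedException too. The enclosing method continues past the hunk.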