| author | Ade Lee <alee@redhat.com> | 2016-05-04 18:25:51 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2016-05-09 21:47:11 -0400 |
| commit | 5384c8c21ed167e3b08f0d709c43a68fd49ffc38 (patch) | |
| tree | 40e3df2dd35a289906cea538a3c5cd12cb364a23 /base/server/cms/src/com | |
| parent | fe1f36dd601f5d8956cf6e1d9b1855b5ea755596 (diff) | |
Add realm to requests coming in from CA
Requests to the KRA through the CA-KRA connector use the Enrollment
Service. This has been modified to read and store any realm passed in.
The realm can be added to the request by having the admin add
an AuthzRealmDefault and AuthzRealmConstraint in a profile.
At this point, all the constraint does is verify that the realm is
one of a specified list of realms. More verification will be added
in a subsequent patch.
No attempt is made yet to allow users to specify the realm. This
would need to be added as a ProfileInput.
Part of Ticket 2041
Diffstat (limited to 'base/server/cms/src/com')
3 files changed, 221 insertions, 12 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/AuthzRealmConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/AuthzRealmConstraint.java
new file mode 100644
index 000000000..b2932a52f
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/AuthzRealmConstraint.java
@@ -0,0 +1,109 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.constraint;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.ERejectException;
+import com.netscape.certsrv.profile.IPolicyDefault;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.cms.profile.def.AuthzRealmDefault;
+import com.netscape.cms.profile.def.NoDefault;
+
+import netscape.security.x509.X509CertInfo;
+
+/**
+ * This class implements the authz realm constraint.
+ * It checks if the authz realm in the certificate
+ * template satisfies the criteria.
+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthzRealmConstraint extends EnrollConstraint {
+
+ public static final String CONFIG_REALMS_ALLOWED = "realmsAllowed";
+
+ public AuthzRealmConstraint() {
+ super();
+ addConfigName(CONFIG_REALMS_ALLOWED);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public void setConfig(String name, String value)
+ throws EPropertyException {
+
+ if (mConfig.getSubStore("params") == null) {
+ CMS.debug("AuthzRealmConstraint: mConfig.getSubStore is null");
+ return;
+ }
+
+ CMS.debug("AuthzRealmConstraint: setConfig name=" + name
+ + " value=" + value);
+
+ mConfig.getSubStore("params").putString(name, value);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_REALMS_ALLOWED)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_AUTHZ_REALMS_ALLOWED"));
+ }
+ return null;
+ }
+
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_CONSTRAINT_REALM_TEXT",
+ getConfig(CONFIG_REALMS_ALLOWED));
+ }
+
+ public boolean isApplicable(IPolicyDefault def) {
+ if (def instanceof NoDefault)
+ return true;
+ if (def instanceof AuthzRealmDefault)
+ return true;
+ return false;
+ }
+
+ @Override
+ public void validate(IRequest request, X509CertInfo info) throws ERejectException {
+ String realm = request.getRealm();
+ List<String> allowedRealms = Arrays.asList(getConfig(CONFIG_REALMS_ALLOWED).split("\\s*,\\s*"));
+ if (! allowedRealms.contains(realm)) {
+ throw new ERejectException(CMS.getUserMessage(
+ getLocale(request),
+ "CMS_PROFILE_AUTHZ_REALM_NOT_MATCHED", realm));
+ }
+
+ // TODO: code here to check authz based on identity
+
+ }
+
+}
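Review bot: validate() splits the raw `realmsAllowed` value without trimming its ends, so an admin-entered value such as ` realmA, realmB ` becomes " realmA" and "realmB " and every request is rejected, and if getConfig() returns null for an unset parameter (EnrollConstraint.getConfig is not visible here) the call fails with a NullPointerException instead of an ERejectException. Rejecting when nothing is configured is the right fail-closed outcome, but it should be the explicit CMS_PROFILE_AUTHZ_REALM_NOT_MATCHED path: `String allowed = getConfig(CONFIG_REALMS_ALLOWED);` `List<String> allowedRealms = allowed == null ? Arrays.<String>asList() : Arrays.asList(allowed.trim().split("\\s*,\\s*"));`. The class Javadoc says the realm is read from "the certificate template", but validate() reads `request.getRealm()` and never touches `info`; the summary should say the request's realm is checked against the configured list. The other overriding methods (init, setConfig, getConfigDescriptor, getText, isApplicable) lack the `@Override` that validate() carries.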
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthzRealmDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthzRealmDefault.java
new file mode 100644
index 000000000..b9bce4ffd
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthzRealmDefault.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.def;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.profile.EProfileException;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.property.Descriptor;
+import com.netscape.certsrv.property.EPropertyException;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+import netscape.security.x509.X509CertInfo;
+
+public class AuthzRealmDefault extends EnrollDefault {
+
+ public static final String CONFIG_REALM = "realm";
+ public static final String VAL_REALM = "realm";
+
+ public AuthzRealmDefault() {
+ super();
+ addConfigName(CONFIG_REALM);
+ addValueName(VAL_REALM);
+ }
+
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ }
+
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
+ if (name.equals(CONFIG_REALM)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_AUTHZ_REALM"));
+ }
+ return null;
+ }
+
+ @Override
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_REALM)) {
+ return new Descriptor(IDescriptor.STRING, null, null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_AUTHZ_REALM"));
+ }
+ return null;
+ }
+
+ @Override
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_AUTHZ_REALM",
+ getConfig(CONFIG_REALM));
+ }
+
+ @Override
+ public void populate(IRequest request, X509CertInfo info) throws EProfileException {
+ try {
+ request.setRealm(mapPattern(request, getConfig(CONFIG_REALM)));
+ } catch (IOException e) {
+ CMS.debug("authzRealmDefault: failed to populate request" + e);
+ throw new EProfileException(e);
+ }
+ }
+
+ @Override
+ public void setValue(String name, Locale locale, X509CertInfo info, String value)
+ throws EPropertyException {
+ }
+
+ @Override
+ public String getValue(String name, Locale locale, X509CertInfo info)
+ throws EPropertyException {
+ return null;
+ }
+
+}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index 5f1fc4805..eceab03d1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
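Review bot: populate() stores whatever `mapPattern(request, getConfig(CONFIG_REALM))` yields on the request, including an empty string when the profile's `realm` parameter is blank (or null, if getConfig returns null for a missing parameter, which is not visible here), whereas the ConnectorServlet hunk in this same commit only copies a realm when `StringUtils.isNotEmpty` holds. Consider the same guard so an unconfigured default leaves the request's realm unset rather than empty: `String realm = mapPattern(request, getConfig(CONFIG_REALM));` `if (realm != null && !realm.isEmpty()) { request.setRealm(realm); }`. The debug message on the catch line joins text and exception without a separator (`"... request" + e`); `": " + e` reads better in the log. The class also has no Javadoc; a one-line summary such as `/** Sets the request's authz realm from the profile's {@code realm} parameter, after mapPattern substitution. */` would document the default, and since setValue() is a no-op and getValue() returns null, a comment on addValueName(VAL_REALM) explaining why a value name is registered at all would help the next reader.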
@@ -35,18 +35,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.x509.CRLExtensions; -import netscape.security.x509.CRLReasonExtension; -import netscape.security.x509.CertificateAlgorithmId; -import netscape.security.x509.CertificateExtensions; -import netscape.security.x509.CertificateSubjectName; -import netscape.security.x509.CertificateValidity; -import netscape.security.x509.CertificateX509Key; -import netscape.security.x509.Extension; -import netscape.security.x509.RevocationReason; -import netscape.security.x509.RevokedCertImpl; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509CertInfo; +import org.apache.commons.lang.StringUtils; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthToken; @@ -73,6 +62,19 @@ import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cmsutil.util.Utils; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.CertificateAlgorithmId; +import netscape.security.x509.CertificateExtensions; +import netscape.security.x509.CertificateSubjectName; +import netscape.security.x509.CertificateValidity; +import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.Extension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509CertInfo; + /** * Connector servlet * process requests from remote authority - 
@@ -594,6 +596,10 @@ public class ConnectorServlet extends CMSServlet { thisreq.setExtData(IRequest.AUTH_TOKEN, token); + if (StringUtils.isNotEmpty(msg.getReqRealm())) { + thisreq.setRealm(msg.getReqRealm()); + } + // setting requestor type must come after copy contents. because // requestor is a regular attribute. thisreq.setExtData(IRequest.REQUESTOR_TYPE, |
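Review bot: The realm copied at `thisreq.setRealm(msg.getReqRealm())` is stored on the receiving request verbatim, with no normalization and no check against any realm this server considers valid, so whatever later keys authorization off `IRequest.getRealm()` is trusting the connector peer's value outright. That is only sound because the AUTH_TOKEN set on the context line above binds the request to the authenticated remote authority, and the assumption deserves a comment, e.g. `// realm is taken verbatim from the authenticated remote authority; it is not validated here`. Reading getReqRealm() twice is also easy to avoid: `String reqRealm = msg.getReqRealm();` `if (StringUtils.isNotEmpty(reqRealm)) { thisreq.setRealm(reqRealm); }`. The enclosing method starts and ends outside the hunk.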
