author | Fraser Tweedale <ftweedal@redhat.com> | 2016-11-29 18:43:48 +1000 |
committer | Fraser Tweedale <ftweedal@redhat.com> | 2017-03-16 17:46:18 +1000 |
commit | 67d51413323e1d55fdc04ca5edf5d9f05afb0ebe (patch) | |
tree | 02f38710ad71837e34538664a12ad0c6b7ca2ab5 /base/server/cms/src/org | |
parent | ef84ef36be06944a7f6338ed022f13e066cd5c32 (diff) | |
Update ACLInterceptor to support external principals
For external principal support, ACLInterceptor must handle
GenericPrincipal instances in addition to PKIPrincipal.
Specifically, if the principal is a GenericPrincipal, the auth token
is set to an ExternalAuthToken, and the authz manager is looked up
by the realm of the principal (it is assumed that the principal name
has the form "id@realm").
Part of: https://pagure.io/dogtagpki/issue/1359
Diffstat (limited to 'base/server/cms/src/org')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java | 41 |
1 files changed, 29 insertions, 12 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 490011681..8e02ec21c 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -31,14 +31,17 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.jboss.resteasy.spi.Failure;
 import com.netscape.certsrv.acls.ACLMapping;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.ForbiddenException;
@@ -140,18 +143,33 @@ public class ACLInterceptor implements ContainerRequestFilter {
 if (principal != null)
 CMS.debug("ACLInterceptor: principal: " + principal.getName());
- // If unrecognized principal, reject request.
- if (principal != null && !(principal instanceof PKIPrincipal)) {
- CMS.debug("ACLInterceptor: Invalid user principal.");
- // audit comment: no Principal, no one to blame here
- throw new ForbiddenException("Invalid user principal.");
- }
+ IAuthzSubsystem authzSubsystem =
+ (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
- PKIPrincipal pkiPrincipal = null;
 IAuthToken authToken = null;
+ String authzMgrName = null;
 if (principal != null) {
- pkiPrincipal = (PKIPrincipal) principal;
- authToken = pkiPrincipal.getAuthToken();
+ if (principal instanceof PKIPrincipal) {
+ authzMgrName = "DirAclAuthz";
+ authToken = ((PKIPrincipal) principal).getAuthToken();
+ }
+ else if (principal instanceof GenericPrincipal) {
+ String realm = null;
+ String[] parts = principal.getName().split("@", 2);
+ if (parts.length == 2) {
+ realm = parts[1];
+ }
+ try {
+ authzMgrName = authzSubsystem.getAuthzManagerNameByRealm(realm);
+ } catch (EAuthzUnknownRealm e) {
+ throw new ForbiddenException(
+ "Cannot find AuthzManager for external principal " + principal.getName(),
+ e
+ );
+ }
+ authToken = new ExternalAuthToken((GenericPrincipal) principal);
+ }
+ CMS.debug("ACLInterceptor: will use authz manager " + authzMgrName);
 }
 // If missing auth token, reject request.
@@ -249,9 +267,8 @@ public class ACLInterceptor implements ContainerRequestFilter {
 try {
 // Check authorization.
- IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
- AuthzToken authzToken = mAuthz.authorize(
- "DirAclAuthz",
+ AuthzToken authzToken = authzSubsystem.authorize(
+ authzMgrName,
 authToken,
 values[0], // resource
 values[1]); // operation
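Review bot: In the GenericPrincipal branch, a principal name with no "@" leaves `realm` null and that null is handed to `getAuthzManagerNameByRealm`, so whether such a principal is rejected depends on how that method treats a null realm, which is not visible here; the rejection belongs explicitly in the interceptor. Replace the `if (parts.length == 2)` assignment with `if (parts.length != 2) throw new ForbiddenException("External principal name has no realm: " + principal.getName());` followed by `String realm = parts[1];`. Note also that `split("@", 2)` makes everything after the first "@" the realm, so a name like "a@b@c" is looked up under realm "b@c"; if external ids may themselves contain "@", splitting on `lastIndexOf('@')` would match the "id@realm" form described in the commit message more reliably. The enclosing filter method starts before and ends after this hunk, so the "If missing auth token, reject request." guard that follows is presumably what now rejects principals of neither type in place of the removed "Invalid user principal" check; that is worth confirming, since the removed branch was the only explicit rejection for unrecognized principal classes.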