authorAde Lee <alee@redhat.com>2016-04-16 11:29:37 -0400
committerAde Lee <alee@redhat.com>2016-04-20 17:29:43 -0400
commit9a1eabe3ed5332cb5fbd27deecd4193f38e9fbcb (patch)
tree898e3d9137e9946f396eec1f6554597bf547fd7d /base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
parentbb6fd9e1a73e2ee224fc9332681fb59113f94d8f (diff)
Added new authz methods to check realm
* Added method to check realm. This method will look for an authz instance for a specified realm and invoke it to determine access.
* Added a basic group-based authz plugin, mostly for testing. This plugin simply checks if the requestor is in the correct group. In practice, customers will probably want something more complex, perhaps by subclassing BasicAclAuthz.
Part of Trac Ticket #2041
Diffstat (limited to 'base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java')
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java40
1 files changed, 39 insertions, 1 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index a6019730a..8b126d2da 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -21,11 +21,14 @@ import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
+import org.apache.commons.codec.binary.StringUtils;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzManagerProxy;
import com.netscape.certsrv.authorization.AuthzMgrPlugin;
import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
@@ -156,6 +159,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
// it is mis-configurated. This give
// administrator another chance to
// fix the problem via console
+ CMS.debug(e);
} catch (Throwable e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_AUTHZ_PLUGIN_INIT_FAILED", insName, e.toString()));
@@ -163,6 +167,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
// it is mis-configurated. This give
// administrator another chance to
// fix the problem via console
+ CMS.debug(e);
}
// add manager instance to list.
mAuthzMgrInsts.put(insName, new
@@ -212,7 +217,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
* Authorization to the named authorization manager instance
*
* @param authzMgrName The authorization manager name
- * @param authToken the authenticaton token associated with a user
+ * @param authToken the authentication token associated with a user
* @param resource the resource protected by the authorization system
* @param operation the operation for resource protected by the authoriz
* n system
@@ -465,4 +470,37 @@ public class AuthzSubsystem implements IAuthzSubsystem {
level, msg);
}
+ @Override
+ public void checkRealm(String realm, IAuthToken authToken, String owner, String resource, String operation)
+ throws EBaseException {
+ // if no realm entry, SUCCESS by default
+ if (realm == null) return;
+
+ // if record owner == requester, SUCCESS
+ if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
+
+ String mgrName = getAuthzManagerByRealm(realm);
+ // if no authz manager for this realm, SUCCESS by default
+ if (mgrName == null) return;
+
+ AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+ if (authzToken == null) {
+ throw new EAuthzAccessDenied("Not authorized by ACL realm");
+ }
+ }
+
+ public String getAuthzManagerByRealm(String realm) throws EBaseException {
+ for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
+ IAuthzManager mgr = proxy.getAuthzManager();
+ if (mgr != null) {
+ IConfigStore cfg = mgr.getConfigStore();
+ String mgrRealm = cfg.getString(PROP_REALM, null);
+ if (StringUtils.equals(mgrRealm, realm)) {
+ return mgr.getName();
+ }
+ }
+ }
+ return null;
+ }
+
}
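Review bot: The `if (mgrName == null) return;` branch in checkRealm fails open silently: a record that carries a realm for which no authz manager is configured (for example a mistyped realm property on the manager instance) is granted access with nothing in the log to show that the realm check was skipped, so a misconfiguration is indistinguishable from a genuine pass. Logging before the return, `CMS.debug("AuthzSubsystem.checkRealm: no authz manager configured for realm " + realm + ", allowing access");`, at least makes it visible, and whether a named realm with no manager should instead be denied is a policy decision worth stating explicitly in the method's Javadoc. Neither checkRealm nor getAuthzManagerByRealm has Javadoc although the file documents its other public methods (see the authorize comment in the hunk above); checkRealm should spell out the three short-circuit rules (null realm, owner equal to the token's USER_ID, and no manager for the realm all allow) and that EAuthzAccessDenied is thrown otherwise, and getAuthzManagerByRealm should state that it returns null when no manager matches. Since mAuthzMgrInsts appears to be a Hashtable, two managers declaring the same realm would make the returned manager depend on hash order; if duplicates are not intended the lookup should detect them rather than return the first hit. The owner check dereferences authToken without a null check, so a missing token surfaces as a NullPointerException rather than an explicit denial; `Objects.requireNonNull(authToken, "authToken");` at the top of checkRealm would make that failure explicit (the enclosing class header is outside the hunk).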