diff options
| author | Ade Lee <alee@redhat.com> | 2016-04-19 14:52:40 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2016-04-20 17:31:01 -0400 |
| commit | b59d8305130e81d3e00240b5612a327c9dfc7d12 (patch) | |
| tree | 0634fd72c54083da01fa8bf5173c027cb3a55fdb /base/server/cmscore | |
| parent | 3e4eb72ec8a295784e9283cccf637d4199d96626 (diff) | |
| download | pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.gz pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.xz pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.zip | |
Realms - Address comments from review
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
Diffstat (limited to 'base/server/cmscore')
4 files changed, 13 insertions, 11 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java index 8b126d2da..354485897 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java @@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied; import com.netscape.certsrv.authorization.EAuthzException; import com.netscape.certsrv.authorization.EAuthzMgrNotFound; import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound; +import com.netscape.certsrv.authorization.EAuthzUnknownRealm; import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.authorization.IAuthzSubsystem; import com.netscape.certsrv.base.EBaseException; @@ -480,8 +481,9 @@ public class AuthzSubsystem implements IAuthzSubsystem { if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return; String mgrName = getAuthzManagerByRealm(realm); - // if no authz manager for this realm, SUCCESS by default - if (mgrName == null) return; + if (mgrName == null) { + throw new EAuthzUnknownRealm("Realm not found"); + } AuthzToken authzToken = authorize(mgrName, authToken, resource, operation); if (authzToken == null) { diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java index fbf2ee227..90050132b 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -56,7 +56,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { private String mClientId = null; private String mStatus = null; private String mDataType = null; - private String mRealm = null; + private String realm = null; protected static Vector<String> mNames = new Vector<String>(); @@ -141,7 +141,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { } else if (name.equalsIgnoreCase(ATTR_STATUS)) { mStatus = (String) object; } else if (name.equalsIgnoreCase(ATTR_REALM)) { - mRealm = (String) object; + realm = (String) object; } else { throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -183,7 +183,7 @@ public class KeyRecord implements IDBObj, IKeyRecord { } else if (name.equalsIgnoreCase(ATTR_STATUS)) { return mStatus; } else if (name.equalsIgnoreCase(ATTR_REALM)) { - return mRealm; + return realm; } else { throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -395,6 +395,6 @@ public class KeyRecord implements IDBObj, IKeyRecord { @Override public String getRealm() throws EBaseException { - return mRealm; + return realm; } } diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java index 418422a9b..6592b0148 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java @@ -39,5 +39,5 @@ class ARequestRecord { String mOwner; String mRequestType; Hashtable<String, Object> mExtData; - String mRealm; + String realm; }; diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java index 38060c2f2..074bff41c 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java @@ -93,7 +93,7 @@ public class RequestRecord else if (name.equals(IRequestRecord.ATTR_EXT_DATA)) return mExtData; else if (name.equals(IRequestRecord.ATTR_REALM)) - return mRealm; + return realm; else { RequestAttr ra = mAttrTable.get(name); @@ -122,7 +122,7 @@ public class RequestRecord else if (name.equals(IRequestRecord.ATTR_REQUEST_OWNER)) mOwner = (String) o; else if (name.equals(IRequestRecord.ATTR_REALM)) - mRealm = (String) o; + realm = (String) o; else if (name.equals(IRequestRecord.ATTR_EXT_DATA)) mExtData = (Hashtable<String, Object>) o; else { @@ -159,7 +159,7 @@ public class RequestRecord mOwner = r.getRequestOwner(); mCreateTime = r.getCreationTime(); mModifyTime = r.getModificationTime(); - mRealm = r.getRealm(); + realm = r.getRealm(); mExtData = loadExtDataFromRequest(r); for (int i = 0; i < mRequestA.length; i++) { @@ -173,7 +173,7 @@ public class RequestRecord r.setRequestOwner(mOwner); a.modModificationTime(r, mModifyTime); a.modCreationTime(r, mCreateTime); - r.setRealm(mRealm); + r.setRealm(realm); storeExtDataIntoRequest(r); for (int i = 0; i < mRequestA.length; i++) { |