Realms - Address comments from review

Review comments addressed: 1. when archiving or generating keys, realm is checked 2. when no plugin is found for a realm, access is denied. 3. rename mFoo to foo for new variables. 4. add chaining of exceptions 5. remove attributes from KeyArchivalRequest etc. when realm is null 6. Add more detail to denial in BasicGroupAuthz Part of Trac Ticket 2041
author: Ade Lee <alee@redhat.com> 2016-04-19 14:52:40 -0400
committer: Ade Lee <alee@redhat.com> 2016-04-20 17:31:01 -0400
commit: b59d8305130e81d3e00240b5612a327c9dfc7d12 (patch)
tree: 0634fd72c54083da01fa8bf5173c027cb3a55fdb /base/server
parent: 3e4eb72ec8a295784e9283cccf637d4199d96626 (diff)
download: pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.gz
pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.xz
pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.zip
6 files changed, 34 insertions, 26 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
index 1908e3c69..0bf24311f 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
@@ -44,35 +44,35 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
     private static final String GROUP = "group";
 
     /* name of this authorization manager instance */
-    private String name = null;
+    private String name;
 
     /* name of the authorization manager plugin */
-    private String implName = null;
+    private String implName;
 
     /* configuration store */
     private IConfigStore config;
 
     /* group that is allowed to access resources */
-    private String groupName = null;
+    private String groupName;
 
     /* Vector of extendedPluginInfo strings */
-    protected static Vector<String> mExtendedPluginInfo = null;
+    protected static Vector<String> extendedPluginInfo;
 
-    protected static String[] mConfigParams = null;
+    protected static String[] configParams;
 
     static {
-        mExtendedPluginInfo = new Vector<String>();
-        mExtendedPluginInfo.add("group;string,required;" +
+        extendedPluginInfo = new Vector<String>();
+        extendedPluginInfo.add("group;string,required;" +
                 "Group to permit access");
     }
 
     public BasicGroupAuthz() {
-        mConfigParams = new String[] {"group"};
+        configParams = new String[] {"group"};
     }
 
     @Override
     public String[] getExtendedPluginInfo(Locale locale) {
-        String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
+        String[] s = Utils.getStringArrayFromVector(extendedPluginInfo);
         return s;
     }
 
@@ -103,6 +103,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
         IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
         IGroup group = ug.getGroupFromName(groupName);
         if (!group.isMember(user)) {
+            CMS.debug("BasicGroupAuthz: access denied. User: " + user + " is not a member of group: " + groupName);
             throw new EAuthzAccessDenied("Access denied");
         }
 
@@ -139,7 +140,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
 
     @Override
     public String[] getConfigParams() throws EBaseException {
-        return mConfigParams;
+        return configParams;
     }
 
     @Override
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 8aa0d21ee..04bb6f2ec 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -37,6 +37,7 @@ import org.mozilla.jss.crypto.KeyPairAlgorithm;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.PKIException;
@@ -259,13 +260,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
         try {
             rec = repo.readKeyRecord(keyId.toBigInteger());
         } catch (EDBRecordNotFoundException e) {
-            throw new KeyNotFoundException(keyId);
+            throw new KeyNotFoundException(keyId, "key not found to recover", e);
         }
 
         try {
             authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+        } catch (EAuthzUnknownRealm e) {
+            throw new UnauthorizedException("Invalid realm", e);
         } catch (EBaseException e) {
-            throw new UnauthorizedException("Agent not authorized by realm");
+            throw new UnauthorizedException("Agent not authorized by realm", e);
         }
 
         Hashtable<String, Object> requestParams;
@@ -315,13 +318,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
         try {
             rec = repo.readKeyRecord(keyId.toBigInteger());
         } catch (EDBRecordNotFoundException e) {
-            throw new KeyNotFoundException(keyId);
+            throw new KeyNotFoundException(keyId, "key not found to recover", e);
         }
 
         try {
             authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+        } catch (EAuthzUnknownRealm e) {
+            throw new UnauthorizedException("Invalid realm", e);
         } catch (EBaseException e) {
-            throw new UnauthorizedException("Agent not authorized by realm");
+            throw new UnauthorizedException("Agent not authorized by realm", e);
         }
 
         String b64Certificate = data.getCertificate();
@@ -332,7 +337,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
             // TODO - update request with realm
         } catch (EBaseException | CertificateException e) {
             e.printStackTrace();
-            throw new PKIException(e.toString());
+            throw new PKIException(e.toString(), e);
         }
         IRequest request = null;
         try {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 8b126d2da..354485897 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
 import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.authorization.IAuthzManager;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
 import com.netscape.certsrv.base.EBaseException;
@@ -480,8 +481,9 @@ public class AuthzSubsystem implements IAuthzSubsystem {
         if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
 
         String mgrName = getAuthzManagerByRealm(realm);
-        // if no authz manager for this realm, SUCCESS by default
-        if (mgrName == null) return;
+        if (mgrName == null) {
+            throw new EAuthzUnknownRealm("Realm not found");
+        }
 
         AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
         if (authzToken == null) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
index fbf2ee227..90050132b 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -56,7 +56,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
     private String mClientId = null;
     private String mStatus = null;
     private String mDataType = null;
-    private String mRealm = null;
+    private String realm = null;
 
 
     protected static Vector<String> mNames = new Vector<String>();
@@ -141,7 +141,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
         } else if (name.equalsIgnoreCase(ATTR_STATUS)) {
             mStatus = (String) object;
         } else if (name.equalsIgnoreCase(ATTR_REALM)) {
-            mRealm = (String) object;
+            realm = (String) object;
         } else {
             throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
         }
@@ -183,7 +183,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
         } else if (name.equalsIgnoreCase(ATTR_STATUS)) {
             return mStatus;
         } else if (name.equalsIgnoreCase(ATTR_REALM)) {
-            return mRealm;
+            return realm;
         } else {
             throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
         }
@@ -395,6 +395,6 @@ public class KeyRecord implements IDBObj, IKeyRecord {
 
     @Override
     public String getRealm() throws EBaseException {
-        return mRealm;
+        return realm;
     }
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
index 418422a9b..6592b0148 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
@@ -39,5 +39,5 @@ class ARequestRecord {
     String mOwner;
     String mRequestType;
     Hashtable<String, Object> mExtData;
-    String mRealm;
+    String realm;
 };
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
index 38060c2f2..074bff41c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
@@ -93,7 +93,7 @@ public class RequestRecord
         else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
             return mExtData;
         else if (name.equals(IRequestRecord.ATTR_REALM))
-            return mRealm;
+            return realm;
         else {
             RequestAttr ra = mAttrTable.get(name);
 
@@ -122,7 +122,7 @@ public class RequestRecord
         else if (name.equals(IRequestRecord.ATTR_REQUEST_OWNER))
             mOwner = (String) o;
         else if (name.equals(IRequestRecord.ATTR_REALM))
-            mRealm = (String) o;
+            realm = (String) o;
         else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
             mExtData = (Hashtable<String, Object>) o;
         else {
@@ -159,7 +159,7 @@ public class RequestRecord
         mOwner = r.getRequestOwner();
         mCreateTime = r.getCreationTime();
         mModifyTime = r.getModificationTime();
-        mRealm = r.getRealm();
+        realm = r.getRealm();
         mExtData = loadExtDataFromRequest(r);
 
         for (int i = 0; i < mRequestA.length; i++) {
@@ -173,7 +173,7 @@ public class RequestRecord
         r.setRequestOwner(mOwner);
         a.modModificationTime(r, mModifyTime);
         a.modCreationTime(r, mCreateTime);
-        r.setRealm(mRealm);
+        r.setRealm(realm);
         storeExtDataIntoRequest(r);
 
         for (int i = 0; i < mRequestA.length; i++) {
author	Ade Lee <alee@redhat.com>	2016-04-19 14:52:40 -0400
committer	Ade Lee <alee@redhat.com>	2016-04-20 17:31:01 -0400
commit	b59d8305130e81d3e00240b5612a327c9dfc7d12 (patch)
tree	0634fd72c54083da01fa8bf5173c027cb3a55fdb /base/server
parent	3e4eb72ec8a295784e9283cccf637d4199d96626 (diff)
download	pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.gz pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.tar.xz pki-b59d8305130e81d3e00240b5612a327c9dfc7d12.zip