authorEndi S. Dewata <edewata@redhat.com>2015-04-10 12:38:14 -0400
committerEndi S. Dewata <edewata@redhat.com>2015-04-17 13:29:32 -0400
commit7e58da6db8570e8472f5d76d0f50563f3c0e1970 (patch)
tree184cb165c25dfe934d50079d86813d5a682a7419 /base/tps
parent5c50472a1d91390879a24df7fcfa60d741f1c011 (diff)
Fixed TPS REST services.
The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status. https://fedorahosted.org/pki/ticket/1292
Diffstat (limited to 'base/tps')
-rw-r--r--base/tps/shared/conf/acl.ldif8
-rw-r--r--base/tps/shared/conf/acl.properties2
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java73
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java71
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java71
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java41
6 files changed, 196 insertions, 70 deletions
diff --git a/base/tps/shared/conf/acl.ldif b/base/tps/shared/conf/acl.ldif
index 41b38137b..d69c69e29 100644
--- a/base/tps/shared/conf/acl.ldif
+++ b/base/tps/shared/conf/acl.ldif
@@ -21,13 +21,13 @@ resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":
resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
-resourceACLS: certServer.tps.authenticators:read,add,modify,approve,remove:allow (read,add,modify,approve,remove) group="Administrators":Only admins can access authenticators.
+resourceACLS: certServer.tps.authenticators:read,change-status,add,modify,remove:allow (read,change-status,add,modify,remove) group="Administrators":Only admins can access authenticators.
resourceACLS: certServer.tps.audit:read,modify:allow (read,modify) group="Administrators":Only admins can access configuration.
resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="Administrators":Only admins can access configuration.
-resourceACLS: certServer.tps.connectors:read,add,modify,approve,remove:allow (read,add,modify,approve,remove) group="Administrators":Only admins can access connectors.
+resourceACLS: certServer.tps.connectors:read,change-status,add,modify,remove:allow (read,change-status,add,modify,remove) group="Administrators":Only admins can access connectors.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="Administrators":Admins may execute user operations
-resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="Administrators" || group="TPS Agents" ; allow (add,modify,remove) group="Administrators" ; allow (approve) group="TPS Agents":Admins and agents can read, but only admins can add, modify, and remove, and only agents can approve.
-resourceACLS: certServer.tps.profile-mappings:read,add,modify,approve,remove:allow (read,add,modify,approve,remove) group="Administrators" :Only admins can access profile mappings.
+resourceACLS: certServer.tps.profiles:read,change-status,add,modify,remove:allow (read,change-status) group="Administrators" || group="TPS Agents" ; allow (add,modify,remove) group="Administrators" :Admins and agents can read and change status, but only admins can add, modify, and remove.
+resourceACLS: certServer.tps.profile-mappings:read,change-status,add,modify,remove:allow (read,change-status,add,modify,remove) group="Administrators" :Only admins can access profile mappings.
resourceACLS: certServer.tps.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.tps.tokens:read,add,modify,remove:allow (read) group="Administrators" || group="TPS Agents" || group="TPS Operators"; allow (add,remove) group="Administrators" ; allow (modify) group="TPS Agents":Admins, agents, operators can read tokens, but only admins can add and remove tokens, and only agents can modify tokens.
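Review bot: The profiles entry grants `change-status` to `group="Administrators" || group="TPS Agents"`, while the authenticators, connectors and profile-mappings entries grant it to Administrators only. The new service code only reaches the `submit` and `cancel` actions for principals whose `database.canApprove(principal)` is false, so for those three resources the submit/approve workflow is reachable only if some Administrator is not an approver; whether that holds depends on `canApprove`, which is not in this diff, and is worth confirming. If the asymmetry is intentional, the description text of those three entries should say that status changes are admin-only, e.g. `:Only admins can access or change the status of connectors.`, so the intent is visible to whoever audits the ACLs.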
diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
index 840c0610e..2d2dc717a 100644
--- a/base/tps/shared/conf/acl.properties
+++ b/base/tps/shared/conf/acl.properties
@@ -20,7 +20,7 @@ config.modify = certServer.tps.config,modify
connectors.read = certServer.tps.connectors,read
connectors.add = certServer.tps.connectors,add
connectors.modify = certServer.tps.connectors,modify
-connectors.approve = certServer.tps.connectors,approve
+connectors.change-status = certServer.tps.connectors,change-status
connectors.remove = certServer.tps.connectors,remove
groups = certServer.tps.groups,execute
profiles.read = certServer.tps.profiles,read
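Review bot: Only `connectors.approve` is remapped to `connectors.change-status` here, yet acl.ldif in the same commit removes the `approve` operation from authenticators, profiles and profile-mappings as well. If this file also defines `authenticators.approve`, `profiles.approve` or `profile-mappings.approve` keys (not visible in this hunk), they now name an operation the ACL no longer grants, and any request mapped through them would be denied; they would need the same `…change-status = certServer.tps.…,change-status` treatment. The ACL mapping annotations on the resource interfaces that reference these keys are not part of this diff and should be checked against the new key names.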
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
index f02598d62..2ebc1d6ac 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
@@ -141,11 +141,12 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createOKResponse(response);
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -163,11 +164,12 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createOKResponse(createAuthenticatorData(database.getRecord(authenticatorID)));
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -196,11 +198,12 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createCreatedResponse(authenticatorData, authenticatorData.getLink().getHref());
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -253,21 +256,22 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createOKResponse(authenticatorData);
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@Override
- public Response changeAuthenticatorStatus(String authenticatorID, String action) {
+ public Response changeStatus(String authenticatorID, String action) {
if (authenticatorID == null) throw new BadRequestException("Authenticator ID is null.");
if (action == null) throw new BadRequestException("Action is null.");
- CMS.debug("AuthenticatorService.changeAuthenticatorStatus(\"" + authenticatorID + "\")");
+ CMS.debug("AuthenticatorService.changeStatus(\"" + authenticatorID + "\", \"" + action + "\")");
try {
TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
@@ -276,31 +280,58 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
AuthenticatorRecord record = database.getRecord(authenticatorID);
String status = record.getStatus();
+ Principal principal = servletRequest.getUserPrincipal();
+ boolean canApprove = database.canApprove(principal);
+
if (Constants.CFG_DISABLED.equals(status)) {
- if ("enable".equals(action)) {
- status = Constants.CFG_ENABLED;
+
+ if (database.requiresApproval()) {
+
+ if ("submit".equals(action) && !canApprove) {
+ status = Constants.CFG_PENDING_APPROVAL;
+
+ } else if ("enable".equals(action) && canApprove) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
+
} else {
- throw new BadRequestException("Invalid action: " + action);
+ if ("enable".equals(action)) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
}
} else if (Constants.CFG_ENABLED.equals(status)) {
+
if ("disable".equals(action)) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
} else if (Constants.CFG_PENDING_APPROVAL.equals(status)) {
- if ("approve".equals(action)) {
+
+ if ("approve".equals(action) && canApprove) {
status = Constants.CFG_ENABLED;
- } else if ("reject".equals(action)) {
+
+ } else if ("reject".equals(action) && canApprove) {
+ status = Constants.CFG_DISABLED;
+
+ } else if ("cancel".equals(action) && !canApprove) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
} else {
- throw new PKIException("Invalid authenticator status: " + status);
+ throw new PKIException("Invalid status: " + status);
}
record.setStatus(status);
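Review bot: An ACL-authorized caller who is not an approver gets `BadRequestException("Invalid action: " + action)` for `approve`/`reject`, and an approver gets the same for `submit`/`cancel`, so an authorization denial is reported as a malformed request and is indistinguishable in both the response and the debug log from a genuinely unknown action. Validating the action name first and then checking `canApprove` separately, with a forbidden-class response such as `throw new ForbiddenException("Action not permitted for this user: " + action);` if the project provides one, keeps the state machine identical but makes denials visible to operators. The `cancel` branch also lets any non-approver cancel any pending record, not only the principal who submitted it; if that is intended, a comment like `// any non-approver may cancel a pending request; the submitter is not tracked on the record` should say so. changeStatus continues outside this hunk, and the same structure is repeated in the ConnectorService, ProfileMappingService and ProfileService hunks of this commit.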
@@ -311,11 +342,12 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createOKResponse(authenticatorData);
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -342,11 +374,12 @@ public class AuthenticatorService extends PKIService implements AuthenticatorRes
return createNoContentResponse();
} catch (PKIException e) {
+ CMS.debug("AuthenticatorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
index 9e558c7d3..1936b2e2e 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
@@ -141,11 +141,12 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createOKResponse(response);
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -163,11 +164,12 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createOKResponse(createConnectorData(database.getRecord(connectorID)));
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -196,11 +198,12 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createCreatedResponse(connectorData, connectorData.getLink().getHref());
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -253,21 +256,22 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createOKResponse(connectorData);
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@Override
- public Response changeConnectorStatus(String connectorID, String action) {
+ public Response changeStatus(String connectorID, String action) {
if (connectorID == null) throw new BadRequestException("Connector ID is null.");
if (action == null) throw new BadRequestException("Action is null.");
- CMS.debug("ConnectorService.changeConnectorStatus(\"" + connectorID + "\")");
+ CMS.debug("ConnectorService.changeStatus(\"" + connectorID + "\", \"" + action + "\")");
try {
TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
@@ -276,25 +280,52 @@ public class ConnectorService extends PKIService implements ConnectorResource {
ConnectorRecord record = database.getRecord(connectorID);
String status = record.getStatus();
+ Principal principal = servletRequest.getUserPrincipal();
+ boolean canApprove = database.canApprove(principal);
+
if (Constants.CFG_DISABLED.equals(status)) {
- if ("enable".equals(action)) {
- status = Constants.CFG_ENABLED;
+
+ if (database.requiresApproval()) {
+
+ if ("submit".equals(action) && !canApprove) {
+ status = Constants.CFG_PENDING_APPROVAL;
+
+ } else if ("enable".equals(action) && canApprove) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
+
} else {
- throw new BadRequestException("Invalid action: " + action);
+ if ("enable".equals(action)) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
}
} else if (Constants.CFG_ENABLED.equals(status)) {
+
if ("disable".equals(action)) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
} else if (Constants.CFG_PENDING_APPROVAL.equals(status)) {
- if ("approve".equals(action)) {
+
+ if ("approve".equals(action) && canApprove) {
status = Constants.CFG_ENABLED;
- } else if ("reject".equals(action)) {
+
+ } else if ("reject".equals(action) && canApprove) {
+ status = Constants.CFG_DISABLED;
+
+ } else if ("cancel".equals(action) && !canApprove) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
@@ -311,11 +342,12 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createOKResponse(connectorData);
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -342,11 +374,12 @@ public class ConnectorService extends PKIService implements ConnectorResource {
return createNoContentResponse();
} catch (PKIException e) {
+ CMS.debug("ConnectorService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
index 3286043bf..970dfde1d 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
@@ -141,11 +141,12 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createOKResponse(response);
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -161,11 +162,12 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createOKResponse(createProfileMappingData(database.getRecord(profileMappingID)));
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -192,11 +194,12 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createCreatedResponse(profileMappingData, profileMappingData.getLink().getHref());
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -246,21 +249,22 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createOKResponse(profileMappingData);
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@Override
- public Response changeProfileMappingStatus(String profileMappingID, String action) {
+ public Response changeStatus(String profileMappingID, String action) {
if (profileMappingID == null) throw new BadRequestException("Profile mapping ID is null.");
if (action == null) throw new BadRequestException("Action is null.");
- CMS.debug("ProfileMappingService.changeProfileMappingStatus(\"" + profileMappingID + "\")");
+ CMS.debug("ProfileMappingService.changeStatus(\"" + profileMappingID + "\", \"" + action + "\")");
try {
TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
@@ -269,25 +273,52 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
ProfileMappingRecord record = database.getRecord(profileMappingID);
String status = record.getStatus();
+ Principal principal = servletRequest.getUserPrincipal();
+ boolean canApprove = database.canApprove(principal);
+
if (Constants.CFG_DISABLED.equals(status)) {
- if ("enable".equals(action)) {
- status = Constants.CFG_ENABLED;
+
+ if (database.requiresApproval()) {
+
+ if ("submit".equals(action) && !canApprove) {
+ status = Constants.CFG_PENDING_APPROVAL;
+
+ } else if ("enable".equals(action) && canApprove) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
+
} else {
- throw new BadRequestException("Invalid action: " + action);
+ if ("enable".equals(action)) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
}
} else if (Constants.CFG_ENABLED.equals(status)) {
+
if ("disable".equals(action)) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
} else if (Constants.CFG_PENDING_APPROVAL.equals(status)) {
- if ("approve".equals(action)) {
+
+ if ("approve".equals(action) && canApprove) {
status = Constants.CFG_ENABLED;
- } else if ("reject".equals(action)) {
+
+ } else if ("reject".equals(action) && canApprove) {
+ status = Constants.CFG_DISABLED;
+
+ } else if ("cancel".equals(action) && !canApprove) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
@@ -304,11 +335,12 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createOKResponse(profileMappingData);
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
@@ -333,11 +365,12 @@ public class ProfileMappingService extends PKIService implements ProfileMappingR
return createNoContentResponse();
} catch (PKIException e) {
+ CMS.debug("ProfileMappingService: " + e);
throw e;
} catch (Exception e) {
- e.printStackTrace();
- throw new PKIException(e.getMessage());
+ CMS.debug(e);
+ throw new PKIException(e);
}
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
index 4a6b8c68c..5fc243073 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
@@ -267,12 +267,12 @@ public class ProfileService extends PKIService implements ProfileResource {
}
@Override
- public Response changeProfileStatus(String profileID, String action) {
+ public Response changeStatus(String profileID, String action) {
if (profileID == null) throw new BadRequestException("Profile ID is null.");
if (action == null) throw new BadRequestException("Action is null.");
- CMS.debug("ProfileService.changeProfileStatus(\"" + profileID + "\")");
+ CMS.debug("ProfileService.changeStatus(\"" + profileID + "\", \"" + action + "\")");
try {
TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
@@ -281,25 +281,52 @@ public class ProfileService extends PKIService implements ProfileResource {
ProfileRecord record = database.getRecord(profileID);
String status = record.getStatus();
+ Principal principal = servletRequest.getUserPrincipal();
+ boolean canApprove = database.canApprove(principal);
+
if (Constants.CFG_DISABLED.equals(status)) {
- if ("enable".equals(action)) {
- status = Constants.CFG_ENABLED;
+
+ if (database.requiresApproval()) {
+
+ if ("submit".equals(action) && !canApprove) {
+ status = Constants.CFG_PENDING_APPROVAL;
+
+ } else if ("enable".equals(action) && canApprove) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
+
} else {
- throw new BadRequestException("Invalid action: " + action);
+ if ("enable".equals(action)) {
+ status = Constants.CFG_ENABLED;
+
+ } else {
+ throw new BadRequestException("Invalid action: " + action);
+ }
}
} else if (Constants.CFG_ENABLED.equals(status)) {
+
if ("disable".equals(action)) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}
} else if (Constants.CFG_PENDING_APPROVAL.equals(status)) {
- if ("approve".equals(action)) {
+
+ if ("approve".equals(action) && canApprove) {
status = Constants.CFG_ENABLED;
- } else if ("reject".equals(action)) {
+
+ } else if ("reject".equals(action) && canApprove) {
+ status = Constants.CFG_DISABLED;
+
+ } else if ("cancel".equals(action) && !canApprove) {
status = Constants.CFG_DISABLED;
+
} else {
throw new BadRequestException("Invalid action: " + action);
}