authorAde Lee <alee@redhat.com>2013-04-12 12:25:01 -0400
committerAde Lee <alee@redhat.com>2013-04-16 12:11:33 -0400
commit898f5330dd38266ca378e16e5fd44f8ddc87d507 (patch)
treebe4bb879cdab6f3ed686f56db95eeebe8df9a49b /base
parent2fcbc293f6020f22aff0052cce5993d43c6ca2ed (diff)
Added tokenAuthenticate to admin interface
Modified code to use this interface by default. Added required migration script code. Ticket 546
Diffstat (limited to 'base')
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml18
-rw-r--r--base/common/src/com/netscape/cms/authentication/TokenAuthentication.java70
-rwxr-xr-xbase/server/upgrade/10.0.1/02-CloningInterfaceChanges69
3 files changed, 131 insertions, 26 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 7528c310d..2150a1dba 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -1786,6 +1786,19 @@
</servlet>
<servlet>
+ <servlet-name> caTokenAuthenticate-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class>
+ <init-param><param-name> GetClientCert </param-name>
+ <param-value> false </param-value> </init-param>
+ <init-param><param-name> authority </param-name>
+ <param-value> ca </param-value> </init-param>
+ <init-param><param-name> ID </param-name>
+ <param-value> caTokenAuthenticate </param-value> </init-param>
+ <init-param><param-name> interface </param-name>
+ <param-value> admin </param-value> </init-param>
+ </servlet>
+
+ <servlet>
<servlet-name> caProxyProfileSubmit </servlet-name>
<servlet-class> com.netscape.cms.servlet.base.ProxyServlet </servlet-class>
<init-param><param-name> destServlet </param-name>
@@ -2352,6 +2365,11 @@
</servlet-mapping>
<servlet-mapping>
+ <servlet-name> caTokenAuthenticate-admin </servlet-name>
+ <url-pattern> /admin/ca/tokenAuthenticate </url-pattern>
+ </servlet-mapping>
+
+ <servlet-mapping>
<servlet-name> caUpdateOCSPConfig </servlet-name>
<url-pattern> /ee/ca/updateOCSPConfig </url-pattern>
</servlet-mapping>
diff --git a/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
index 923b05019..99abad7eb 100644
--- a/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
+++ b/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java
@@ -18,6 +18,7 @@
package com.netscape.cms.authentication;
import java.io.ByteArrayInputStream;
+import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
@@ -136,30 +137,36 @@ public class TokenAuthentication implements IAuthManager,
String sessionId = (String) authCred.get(CRED_SESSION_ID);
String givenHost = (String) authCred.get("clientHost");
- String auth_host = sconfig.getString("securitydomain.host");
- int auth_port = sconfig.getInteger("securitydomain.httpseeport");
+ String authHost = sconfig.getString("securitydomain.host");
+ int authAdminPort = sconfig.getInteger("securitydomain.httpsadminport");
+ int authEEPort = sconfig.getInteger("securitydomain.httpseeport");
+ String authURL = "/ca/admin/ca/tokenAuthenticate";
+
+ String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost;
+ CMS.debug("TokenAuthentication: content=" + content);
- HttpClient httpclient = new HttpClient();
String c = null;
try {
- JssSSLSocketFactory factory = new JssSSLSocketFactory();
- httpclient = new HttpClient(factory);
- String content = CRED_SESSION_ID + "=" + sessionId + "&hostname=" + givenHost;
- CMS.debug("TokenAuthentication: content=" + content);
- httpclient.connect(auth_host, auth_port);
- HttpRequest httprequest = new HttpRequest();
- httprequest.setMethod(HttpRequest.POST);
- httprequest.setURI("/ca/ee/ca/tokenAuthenticate");
- httprequest.setHeader("user-agent", "HTTPTool/1.0");
- httprequest.setHeader("content-length", "" + content.length());
- httprequest.setHeader("content-type",
- "application/x-www-form-urlencoded");
- httprequest.setContent(content);
- HttpResponse httpresponse = httpclient.send(httprequest);
-
- c = httpresponse.getContent();
+ c = sendAuthRequest(authHost, authAdminPort, authURL, content);
+ // in case where the new interface does not exist, EE will return a badly
+ // formatted response which will throw an exception during parsing
+ if (c != null) {
+ @SuppressWarnings("unused")
+ XMLObject parser = new XMLObject(new ByteArrayInputStream(c.getBytes()));
+ }
} catch (Exception e) {
- CMS.debug("TokenAuthentication authenticate Exception=" + e.toString());
+
+ CMS.debug("TokenAuthenticate: failed to contact admin host:port "
+ + authHost + ":" + authAdminPort + " " + e);
+ CMS.debug("TokenAuthenticate: attempting ee port " + authEEPort);
+ authURL = "/ca/ee/ca/tokenAuthenticate";
+ try {
+ c = sendAuthRequest(authHost, authEEPort, authURL, content);
+ } catch (IOException e1) {
+ CMS.debug("TokenAuthenticate: failed to contact EE host:port "
+ + authHost + ":" + authAdminPort + " " + e1);
+ throw new EBaseException(e1.getMessage());
+ }
}
if (c != null) {
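Review bot: The EE-fallback log at `failed to contact EE host:port` prints `authAdminPort`, although that attempt was made to `authEEPort`, so the message names the wrong port; change it to `+ authHost + ":" + authEEPort + " " + e1);`. The body assembled into `content` concatenates `sessionId` and `givenHost` straight into an `application/x-www-form-urlencoded` string without URL-encoding, so a value containing `&` or `=` would be read by the receiving servlet as extra parameters; `URLEncoder.encode(sessionId, "UTF-8")` and the same for `givenHost` keep the body well-formed (java.net.URLEncoder would join the import added in the hunk above). The validating parse uses `c.getBytes()`, which depends on the platform charset, so `c.getBytes("UTF-8")` is the safer spelling. The rethrow `new EBaseException(e1.getMessage())` drops the original exception; if EBaseException offers a cause-taking constructor it should be used here. authenticate() starts and ends outside this hunk.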
@@ -204,6 +211,29 @@ public class TokenAuthentication implements IAuthManager,
return authToken;
}
+ private String sendAuthRequest(String authHost, int authPort, String authUrl, String content)
+ throws IOException {
+ HttpClient httpclient = new HttpClient();
+ String c = null;
+
+ JssSSLSocketFactory factory = new JssSSLSocketFactory();
+ httpclient = new HttpClient(factory);
+ httpclient.connect(authHost, authPort);
+ HttpRequest httprequest = new HttpRequest();
+ httprequest.setMethod(HttpRequest.POST);
+ httprequest.setURI(authUrl);
+ httprequest.setHeader("user-agent", "HTTPTool/1.0");
+ httprequest.setHeader("content-length", "" + content.length());
+ httprequest.setHeader("content-type",
+ "application/x-www-form-urlencoded");
+ httprequest.setContent(content);
+
+ HttpResponse httpresponse = httpclient.send(httprequest);
+ c = httpresponse.getContent();
+
+ return c;
+ }
+
/**
* get the list of authentication credential attribute names
* required by this authentication manager. Generally used by
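Review bot: `sendAuthRequest` creates `new HttpClient()` on its first line only to overwrite it two lines later with `new HttpClient(factory)`, and declares `c = null` before unconditionally assigning it; `HttpClient httpclient = new HttpClient(new JssSSLSocketFactory());` and `return httpresponse.getContent();` express the same thing without the dead stores. The `content-length` header is derived from `content.length()`, which counts chars rather than bytes, so it is only correct while the body is pure ASCII; computing it from `content.getBytes("UTF-8").length` (and sending those bytes, if `setContent` accepts them) keeps header and body consistent. Nothing releases the connection after `send`; if HttpClient exposes a disconnect or close, it belongs in a `finally` in this method. A short Javadoc would also help: `/** POSTs content to authHost:authPort at authUrl over a JSS SSL socket and returns the raw response body; throws IOException on connect/send failure. */`.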
diff --git a/base/server/upgrade/10.0.1/02-CloningInterfaceChanges b/base/server/upgrade/10.0.1/02-CloningInterfaceChanges
index 524978d4d..6b3f6b6f5 100755
--- a/base/server/upgrade/10.0.1/02-CloningInterfaceChanges
+++ b/base/server/upgrade/10.0.1/02-CloningInterfaceChanges
@@ -21,7 +21,7 @@
import os
import sys
-import xml.etree.ElementTree as ET
+from lxml import etree as ET
import pki.upgrade
class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
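Review bot: Switching from the standard-library `xml.etree` to `from lxml import etree as ET` adds a third-party runtime dependency to this upgrade scriptlet that is not declared anywhere in this commit; unless the packaging spec is updated in a companion change, the scriptlet fails at import time on hosts without python-lxml. If the motivation is that ElementTree drops comments and original layout when rewriting web.xml, a one-line comment next to the import saying so (`# lxml keeps comments/formatting of web.xml; stdlib ElementTree does not`) would stop the next maintainer from reverting it.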
@@ -32,7 +32,7 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
<servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class>
<init-param>
<param-name> GetClientCert </param-name>
- <param-value> true </param-value>
+ <param-value> false </param-value>
</init-param>
<init-param>
<param-name> authority </param-name>
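Review bot: Changing the values inside `updateDomainServletData` (`GetClientCert` true→false here, and `interface`/`AuthMgr` in the hunk at `@@ -44,11 +44,11 @@`) only takes effect where the `caUpdateDomainXML-admin` servlet is absent: `modify_update_domain_xml` below sets `found = True` when that name already exists and then skips the insert, so a system already upgraded by the earlier revision of this script keeps the old `true`/`agent`/`certUserDBAuthMgr` settings. Whether pki.upgrade re-runs a scriptlet whose version folder (`10.0.1`) is unchanged is not visible here, but even if it does, the found branch leaves the stale servlet untouched. Consider, when the servlet is found, rewriting its `GetClientCert`, `interface` and `AuthMgr` init-params to the new values instead of leaving it as is.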
@@ -44,11 +44,11 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
</init-param>
<init-param>
<param-name> interface </param-name>
- <param-value> agent </param-value>
+ <param-value> admin </param-value>
</init-param>
<init-param>
<param-name> AuthMgr </param-name>
- <param-value> certUserDBAuthMgr </param-value>
+ <param-value> TokenAuth </param-value>
</init-param>
<init-param>
<param-name> AuthzMgr </param-name>
@@ -66,6 +66,33 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
<url-pattern> /admin/ca/updateDomainXML </url-pattern>
</servlet-mapping> """
+ tokenAuthenticateServletData = """
+ <servlet>
+ <servlet-name> caTokenAuthenticate-admin </servlet-name>
+ <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class>
+ <init-param>
+ <param-name> GetClientCert </param-name>
+ <param-value> false </param-value>
+ </init-param>
+ <init-param>
+ <param-name> authority </param-name>
+ <param-value> ca </param-value>
+ </init-param>
+ <init-param>
+ <param-name> ID </param-name>
+ <param-value> caTokenAuthenticate </param-value>
+ </init-param>
+ <init-param>
+ <param-name> interface </param-name>
+ <param-value> admin </param-value>
+ </init-param>
+ </servlet>"""
+
+ tokenAuthenticateMappingData = """
+ <servlet-mapping>
+ <servlet-name> caTokenAuthenticate-admin </servlet-name>
+ <url-pattern> /admin/ca/tokenAuthenticate </url-pattern>
+ </servlet-mapping>"""
def __init__(self):
@@ -83,6 +110,7 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
if subsystem == "ca":
self.modify_update_number_range(subsystem)
self.modify_update_domain_xml()
+ self.modify_token_authenticate()
if subsystem == "kra":
self.modify_update_number_range(subsystem)
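Review bot: `self.modify_token_authenticate()` added here calls the method defined in the last hunk (which runs past the visible end of the diff), where `index` is assigned only when a servlet named `caTokenAuthenticate` is encountered; on a web.xml without that EE servlet the `self.root.insert(index, servlet)` raises UnboundLocalError and the upgrade aborts. The same shape is introduced for `caUpdateDomainXML` in `modify_update_domain_xml`. Initialising `index = len(self.root)` before each loop makes the insert degrade to an append, and the mapping loop should do the same rather than silently reuse the servlet loop's `index` when no matching mapping is found.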
@@ -124,15 +152,44 @@ class CloningInterfaceChanges(pki.upgrade.PKIUpgradeScriptlet):
name = servlet.find('servlet-name').text.strip()
if name == 'caUpdateDomainXML-admin':
found = True
+ if name == 'caUpdateDomainXML':
+ index = list(self.root).index(servlet) + 1
if not found:
servlet = ET.fromstring(self.updateDomainServletData)
- self.root.append(servlet)
+ self.root.insert(index, servlet)
found = False
for mapping in self.doc.findall('.//servlet-mapping'):
name = mapping.find('servlet-name').text.strip()
if name == 'caUpdateDomainXML-admin':
found = True
+ if name == 'caUpdateDomainXML':
+ index = list(self.root).index(mapping) + 1
if not found:
mapping = ET.fromstring(self.updateDomainMappingData)
- self.root.append(mapping)
+ self.root.insert(index, mapping)
+
+
+ def modify_token_authenticate(self):
+ #add caTokenAuthenticate-admin servlet and mapping
+ found = False
+ for servlet in self.doc.findall('.//servlet'):
+ name = servlet.find('servlet-name').text.strip()
+ if name == 'caTokenAuthenticate-admin':
+ found = True
+ if name == 'caTokenAuthenticate':
+ index = list(self.root).index(servlet) + 1
+ if not found:
+ servlet = ET.fromstring(self.tokenAuthenticateServletData)
+ self.root.insert(index, servlet)
+
+ found = False
+ for mapping in self.doc.findall('.//servlet-mapping'):
+ name = mapping.find('servlet-name').text.strip()
+ if name == 'caTokenAuthenticate-admin':
+ found = True
+ if name == 'caTokenAuthenticate':
+ index = list(self.root).index(mapping) + 1
+ if not found:
+ mapping = ET.fromstring(self.tokenAuthenticateMappingData)
+ self.root.insert(index, mapping)