diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2015-09-28 22:37:02 +0200 |
|---|---|---|
| committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-09-30 11:54:04 -0600 |
| commit | 8a7fbb03f8317a881032e098b6360018878ac280 (patch) | |
| tree | fe79157ad6a0c2a9b32eab358a3fb136daf49359 /base | |
| parent | fe956dab8709e7c2bf892b7a87f5c170baedd679 (diff) | |
| download | pki-8a7fbb03f8317a881032e098b6360018878ac280.tar.gz pki-8a7fbb03f8317a881032e098b6360018878ac280.tar.xz pki-8a7fbb03f8317a881032e098b6360018878ac280.zip | |
Refactored certificate processors.
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
Diffstat (limited to 'base')
10 files changed, 115 insertions, 53 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java index 95f1f4c20..3c1e50b7c 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java @@ -138,6 +138,7 @@ public class CertRequestService extends PKIService implements CertRequestResourc CMS.debug("enrollCert: bad request data: " + e); throw new BadRequestException(e.toString()); } catch (EBaseException e) { + CMS.debug(e); throw new PKIException(e); } catch (Exception e) { CMS.debug(e); diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java index d55b5b4e1..2b914e856 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java +++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java @@ -37,6 +37,7 @@ import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; +import com.netscape.certsrv.base.ResourceMessage; import com.netscape.certsrv.profile.ProfileAttribute; import com.netscape.certsrv.profile.ProfileInput; import com.netscape.certsrv.profile.ProfileOutput; @@ -48,7 +49,7 @@ import com.netscape.certsrv.profile.ProfileOutput; @XmlRootElement(name = "CertEnrollmentRequest") @XmlAccessorType(XmlAccessType.FIELD) -public class CertEnrollmentRequest { +public class CertEnrollmentRequest extends ResourceMessage { private static final String PROFILE_ID = "profileId"; private static final String RENEWAL = "renewal"; @@ -286,7 +287,7 @@ public class CertEnrollmentRequest { @Override public int hashCode() { final int prime = 31; - int result = 1; + int result = super.hashCode(); result = prime * result + ((inputs == null) ? 0 : inputs.hashCode()); result = prime * result + ((outputs == null) ? 0 : outputs.hashCode()); result = prime * result + ((profileId == null) ? 0 : profileId.hashCode()); @@ -301,7 +302,7 @@ public class CertEnrollmentRequest { public boolean equals(Object obj) { if (this == obj) return true; - if (obj == null) + if (!super.equals(obj)) return false; if (getClass() != obj.getClass()) return false; @@ -346,8 +347,6 @@ public class CertEnrollmentRequest { before.setProfileId("caUserCert"); before.setRenewal(false); - //Simulate a "caUserCert" Profile enrollment - ProfileInput certReq = before.createInput("KeyGenInput"); certReq.addAttribute(new ProfileAttribute("cert_request_type", "crmf", null)); certReq.addAttribute(new ProfileAttribute( @@ -371,6 +370,9 @@ public class CertEnrollmentRequest { submitter.addAttribute(new ProfileAttribute("requestor_email", "admin@redhat.com", null)); submitter.addAttribute(new ProfileAttribute("requestor_phone", "650-555-5555", null)); + before.setAttribute("uid", "testuser"); + before.setAttribute("pwd", "password"); + String xml = before.toXML(); System.out.println(xml); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java index f1a147eb4..e5daf78fd 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java @@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.ProfileInput; import com.netscape.certsrv.request.INotify; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestStatus; +import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.processors.CAProcessor; import com.netscape.cmsutil.ldap.LDAPUtil; @@ -51,26 +52,31 @@ public class CertProcessor extends CAProcessor { super(id, locale); } - protected void setCredentialsIntoContext(HttpServletRequest request, IProfileAuthenticator authenticator, + protected void setCredentialsIntoContext( + HttpServletRequest request, + AuthCredentials creds, + IProfileAuthenticator authenticator, IProfileContext ctx) { - Enumeration<String> authIds = authenticator.getValueNames(); - - if (authIds != null) { - CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authNames not null"); - while (authIds.hasMoreElements()) { - String authName = authIds.nextElement(); - - CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName:" + - authName); - if (request.getParameter(authName) != null) { - CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName found in request"); - ctx.set(authName, request.getParameter(authName)); - } else { - CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authName not found in request"); - } + + Enumeration<String> names = authenticator.getValueNames(); + if (names == null) { + CMS.debug("CertProcessor: No authenticator credentials required"); + return; + } + + CMS.debug("CertProcessor: Authentication credentials:"); + while (names.hasMoreElements()) { + String name = names.nextElement(); + + Object value; + if (creds == null) { + value = request.getParameter(name); + } else { + value = creds.get(name); } - } else { - CMS.debug("CertRequestSubmitter:setCredentialsIntoContext() authIds` null"); + + if (value == null) continue; + ctx.set(name, value.toString()); } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java index c94ee1496..be6d22c57 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java @@ -43,6 +43,7 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; +import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.processors.CAProcessor; import com.netscape.cms.servlet.request.CMSRequestDAO; @@ -169,13 +170,23 @@ public class CertRequestDAO extends CMSRequestDAO { CertRequestInfos ret = new CertRequestInfos(); + AuthCredentials credentials = new AuthCredentials(); + String uid = data.getAttribute("uid"); + if (uid != null) { + credentials.set("uid", uid); + } + String password = data.getAttribute("pwd"); + if (password != null) { + credentials.set("pwd", password); + } + HashMap<String, Object> results = null; if (data.isRenewal()) { RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale); - results = processor.processRenewal(data, request); + results = processor.processRenewal(data, request, credentials); } else { EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale); - results = processor.processEnrollment(data, request); + results = processor.processEnrollment(data, request, credentials); } IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java index ce57e1fc3..eac435922 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java @@ -37,6 +37,7 @@ import com.netscape.certsrv.profile.IProfileInput; import com.netscape.certsrv.profile.ProfileAttribute; import com.netscape.certsrv.profile.ProfileInput; import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.profile.SSLClientCertProvider; import com.netscape.cmsutil.ldap.LDAPUtil; @@ -97,8 +98,11 @@ public class EnrollmentProcessor extends CertProcessor { * @param cmsReq the object holding the request and response information * @exception EBaseException an error has occurred */ - public HashMap<String, Object> processEnrollment(CertEnrollmentRequest data, HttpServletRequest request) - throws EBaseException { + public HashMap<String, Object> processEnrollment( + CertEnrollmentRequest data, + HttpServletRequest request, + AuthCredentials credentials) + throws EBaseException { try { if (CMS.debugOn()) { @@ -131,7 +135,7 @@ public class EnrollmentProcessor extends CertProcessor { IProfileAuthenticator authenticator = profile.getAuthenticator(); if (authenticator != null) { CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found"); - setCredentialsIntoContext(request, authenticator, ctx); + setCredentialsIntoContext(request, credentials, authenticator, ctx); } // for ssl authentication; pass in servlet for retrieving ssl client certificates @@ -142,7 +146,7 @@ public class EnrollmentProcessor extends CertProcessor { CMS.debug("EnrollmentProcessor: set sslClientCertProvider"); // before creating the request, authenticate the request - IAuthToken authToken = authenticate(request, null, authenticator, context, false); + IAuthToken authToken = authenticate(request, null, authenticator, context, false, credentials); // authentication success, now authorize authorize(profileId, profile, authToken); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java index 5ebbbff8f..7e34e4d5e 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java @@ -42,6 +42,7 @@ import com.netscape.certsrv.profile.IProfileAuthenticator; import com.netscape.certsrv.profile.IProfileContext; import com.netscape.certsrv.profile.IProfileInput; import com.netscape.certsrv.request.IRequest; +import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.profile.SSLClientCertProvider; @@ -63,7 +64,10 @@ public class RenewalProcessor extends CertProcessor { * Things to note: * * the renew request will contain the original profile instead of the new */ - public HashMap<String, Object> processRenewal(CertEnrollmentRequest data, HttpServletRequest request) + public HashMap<String, Object> processRenewal( + CertEnrollmentRequest data, + HttpServletRequest request, + AuthCredentials credentials) throws EBaseException { try { if (CMS.debugOn()) { @@ -170,14 +174,14 @@ public class RenewalProcessor extends CertProcessor { if (authenticator != null) { CMS.debug("RenewalSubmitter: authenticator " + authenticator.getName() + " found"); - setCredentialsIntoContext(request, authenticator, ctx); + setCredentialsIntoContext(request, credentials, authenticator, ctx); } // for renewal, this will override or add auth info to the profile context if (origAuthenticator != null) { CMS.debug("RenewalSubmitter: for renewal, original authenticator " + origAuthenticator.getName() + " found"); - setCredentialsIntoContext(request, origAuthenticator, ctx); + setCredentialsIntoContext(request, credentials, origAuthenticator, ctx); } // for renewal, input needs to be retrieved from the orig req record @@ -197,7 +201,7 @@ public class RenewalProcessor extends CertProcessor { context.put("origSubjectDN", origSubjectDN); // before creating the request, authenticate the request - IAuthToken authToken = authenticate(request, origReq, authenticator, context, true); + IAuthToken authToken = authenticate(request, origReq, authenticator, context, true, credentials); // authentication success, now authorize authorize(profileId, renewProfile, authToken); diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java index 32ae0fcc8..b4d5fa9c8 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java +++ b/base/server/cms/src/com/netscape/cms/servlet/common/AuthCredentials.java @@ -54,7 +54,7 @@ public class AuthCredentials implements IAuthCredentials { */ public void set(String name, Object cred) throws EAuthException { if (cred == null) { - throw new EAuthException("AuthCredentials.set()"); + throw new EAuthException("Missing credential: " + name); } authCreds.put(name, cred); diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index 5f6f45cb8..e3b3d3497 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java @@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletRequest; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.IAuthzSubsystem; @@ -358,10 +359,14 @@ public class CAProcessor extends Processor { * authenticate for renewal - more to add necessary params/values * to the session context */ - public IAuthToken authenticate(IProfileAuthenticator authenticator, - HttpServletRequest request, IRequest origReq, SessionContext context) throws EBaseException + public IAuthToken authenticate( + IProfileAuthenticator authenticator, + HttpServletRequest request, + IRequest origReq, + SessionContext context, + AuthCredentials credentials) throws EBaseException { - IAuthToken authToken = authenticate(authenticator, request); + IAuthToken authToken = authenticate(authenticator, request, credentials); // For renewal, fill in necessary params if (authToken != null) { String ouid = origReq.getExtDataInString("auth_token.uid"); @@ -417,18 +422,23 @@ public class CAProcessor extends Processor { return authToken; } - public IAuthToken authenticate(IProfileAuthenticator authenticator, - HttpServletRequest request) throws EBaseException { - AuthCredentials credentials = new AuthCredentials(); + public IAuthToken authenticate( + IProfileAuthenticator authenticator, + HttpServletRequest request, + AuthCredentials credentials) throws EBaseException { - // build credential - Enumeration<String> authNames = authenticator.getValueNames(); + if (credentials == null) { + credentials = new AuthCredentials(); - if (authNames != null) { - while (authNames.hasMoreElements()) { - String authName = authNames.nextElement(); + // build credential + Enumeration<String> authNames = authenticator.getValueNames(); - credentials.set(authName, request.getParameter(authName)); + if (authNames != null) { + while (authNames.hasMoreElements()) { + String authName = authNames.nextElement(); + + credentials.set(authName, request.getParameter(authName)); + } } } @@ -447,8 +457,13 @@ public class CAProcessor extends Processor { return authToken; } - public IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator, - SessionContext context, boolean isRenewal) throws EBaseException { + public IAuthToken authenticate( + HttpServletRequest request, + IRequest origReq, + IProfileAuthenticator authenticator, + SessionContext context, + boolean isRenewal, + AuthCredentials credentials) throws EBaseException { startTiming("profile_authentication"); IAuthToken authToken = null; @@ -475,12 +490,27 @@ public class CAProcessor extends Processor { String auditMessage = null; try { if (isRenewal) { - authToken = authenticate(authenticator, request, origReq, context); + authToken = authenticate(authenticator, request, origReq, context, credentials); } else { - authToken = authenticate(authenticator, request); + authToken = authenticate(authenticator, request, credentials); } + + } catch (EAuthException e) { + CMS.debug("CAProcessor: authentication error: " + e); + + authSubjectID += " : " + uid_cred; + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + authSubjectID, + ILogger.FAILURE, + authMgrID, + uid_attempted_cred); + audit(auditMessage); + + throw e; + } catch (EBaseException e) { - CMS.debug("CertProcessor: authentication error " + e.toString()); + CMS.debug(e); authSubjectID += " : " + uid_cred; auditMessage = CMS.getLogMessage( diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java index b64819e4c..69b9d9ccd 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java @@ -221,7 +221,7 @@ public class ProfileSubmitServlet extends ProfileServlet { } CertEnrollmentRequest data = CertEnrollmentRequestFactory.create(cmsReq, profile, locale); - return processor.processEnrollment(data, request); + return processor.processEnrollment(data, request, null); } public HashMap<String, Object> processRenewal(CMSRequest cmsReq) throws EBaseException { @@ -248,7 +248,7 @@ public class ProfileSubmitServlet extends ProfileServlet { //only used in renewal data.setSerialNum(request.getParameter("serial_num")); - return processor.processRenewal(data, request); + return processor.processRenewal(data, request, null); } private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) { diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java index 137edb5c5..8e2c59c26 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/AuthSubsystem.java @@ -195,6 +195,8 @@ public class AuthSubsystem implements IAuthSubsystem { while (instances.hasMoreElements()) { String insName = instances.nextElement(); + CMS.debug("AuthSubsystem: initializing authentication manager " + insName); + String implName = c.getString(insName + "." + PROP_PLUGIN); AuthMgrPlugin plugin = mAuthMgrPlugins.get(implName); @@ -233,6 +235,7 @@ public class AuthSubsystem implements IAuthSubsystem { throw new EAuthException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", className), e); } catch (EBaseException e) { + CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString())); // Skip the authenticaiton instance if // it is mis-configurated. This give @@ -240,6 +243,7 @@ public class AuthSubsystem implements IAuthSubsystem { // fix the problem via console } catch (Throwable e) { + CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AUTH_INIT_ERROR", insName, e.toString())); // Skip the authenticaiton instance if // it is mis-configurated. This give |