authorEndi S. Dewata <edewata@redhat.com>2013-08-20 22:58:12 -0400
committerEndi S. Dewata <edewata@redhat.com>2013-08-24 01:39:36 -0400
commitd2e98fe9aab32097b2928c3f5787b6ca16c9f7d0 (patch)
treec3b1948bececdbfaa1e4df6d75bdb0404914fe86 /base
parentffb49f1552a9eabb8ec083edd91841253e173ae5 (diff)
Added TPS user CLI.
The TPS client has been modified to include a user client. The TPS CLI has also been modified to provide user commands. New ACL entries have been added to grant access rights to TPS administrators. Ticket #652
Diffstat (limited to 'base')
-rw-r--r--base/common/src/com/netscape/certsrv/tps/TPSClient.java2
-rw-r--r--base/common/src/com/netscape/cms/authorization/ACLInterceptor.java18
-rw-r--r--base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java21
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java2
-rw-r--r--base/tps-tomcat/shared/conf/CS.cfg.in2
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif3
6 files changed, 34 insertions, 14 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
index 38aff46bd..263b92b3a 100644
--- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java
+++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.PKIClient;
import com.netscape.certsrv.client.SubsystemClient;
import com.netscape.certsrv.logging.ActivityClient;
import com.netscape.certsrv.token.TokenClient;
+import com.netscape.certsrv.user.UserClient;
/**
* @author Endi S. Dewata
@@ -37,5 +38,6 @@ public class TPSClient extends SubsystemClient {
public void init() throws URISyntaxException {
addClient(new ActivityClient(client, name));
addClient(new TokenClient(client, name));
+ addClient(new UserClient(client, name));
}
}
diff --git a/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
index 53160bb8c..1e7adf190 100644
--- a/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
+++ b/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
@@ -89,18 +89,23 @@ public class ACLInterceptor implements PreProcessInterceptor {
}
// If still not available, it's unprotected, allow request.
- if (aclMapping == null) return null;
+ if (aclMapping == null) {
+ CMS.debug("ACLInterceptor: No ACL mapping.");
+ return null;
+ }
Principal principal = securityContext.getUserPrincipal();
// If unauthenticated, reject request.
if (principal == null) {
+ CMS.debug("ACLInterceptor: No user principal provided.");
throw new ForbiddenException("No user principal provided.");
}
// If unrecognized principal, reject request.
if (!(principal instanceof PKIPrincipal)) {
- throw new ForbiddenException("Invalid user principal");
+ CMS.debug("ACLInterceptor: Invalid user principal.");
+ throw new ForbiddenException("Invalid user principal.");
}
PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
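Review bot: The debug line added in the `aclMapping == null` branch records that a request is being let through unprotected, but it does not identify which resource method had no ACL mapping, so the log cannot be used to find endpoints that are missing one; the same applies to the `value == null` branch in the hunk at line 124 (`"No ACL configuration."`), where both branches return null and therefore fail open. In that second hunk the property key is in scope, so the message can be made actionable with `CMS.debug("ACLInterceptor: No ACL configuration for " + name + ", allowing request.");`. For this hunk, include the resource class and method name in the same way if they are available in the enclosing method, which starts before the hunk and is not visible here.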
@@ -108,6 +113,7 @@ public class ACLInterceptor implements PreProcessInterceptor {
// If missing auth token, reject request.
if (authToken == null) {
+ CMS.debug("ACLInterceptor: No authorization token present.");
throw new ForbiddenException("No authorization token present.");
}
@@ -118,12 +124,16 @@ public class ACLInterceptor implements PreProcessInterceptor {
String value = authProperties.getProperty(name);
// If no property defined, allow request.
- if (value == null) return null;
+ if (value == null) {
+ CMS.debug("ACLInterceptor: No ACL configuration.");
+ return null;
+ }
String values[] = value.split(",");
// If invalid mapping, reject request.
if (values.length != 2) {
+ CMS.debug("ACLInterceptor: Invalid ACL mapping.");
throw new ForbiddenException("Invalid ACL mapping.");
}
@@ -137,10 +147,12 @@ public class ACLInterceptor implements PreProcessInterceptor {
// If not authorized, reject request.
if (authzToken == null) {
+ CMS.debug("ACLInterceptor: No authorization token present.");
throw new ForbiddenException("No authorization token present.");
}
} catch (EAuthzAccessDenied e) {
+ CMS.debug("ACLInterceptor: " + e.getMessage());
throw new ForbiddenException(e.toString());
} catch (IOException|EBaseException e) {
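Review bot: The debug message added before the `authzToken == null` throw is word for word the same as the one added for the `authToken == null` check in the hunk at line 113, so the debug log cannot distinguish an unauthenticated request from an authorization failure even though the code paths are different. Use distinct wording here, e.g. `CMS.debug("ACLInterceptor: Authorization check returned no token, access denied.");`. The enclosing try/catch continues past the end of the hunk.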
diff --git a/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 8d7bcb3c6..c9e442769 100644
--- a/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -38,6 +38,7 @@ import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.authentication.AuthToken;
import com.netscape.certsrv.authentication.IAuthToken;
@@ -89,7 +90,7 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
Class<?> clazz = resourceMethod.getResourceClass();
Method method = resourceMethod.getMethod();
- System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+ CMS.debug("AuthMethodInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
// Get authentication mapping for the method.
AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class);
@@ -108,7 +109,7 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
name = authMapping.value();
}
- System.out.println("AuthInterceptor: mapping name: "+name);
+ CMS.debug("AuthMethodInterceptor: mapping name: "+name);
try {
loadAuthProperties();
@@ -121,23 +122,23 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
}
}
- System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+ CMS.debug("AuthMethodInterceptor: required auth methods: "+authMethods);
Principal principal = securityContext.getUserPrincipal();
// If unauthenticated, reject request.
if (principal == null) {
if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
- System.out.println("AuthInterceptor: anonymous access allowed");
+ CMS.debug("AuthMethodInterceptor: anonymous access allowed");
return null;
}
- System.out.println("AuthInterceptor: anonymous access not allowed");
+ CMS.debug("AuthMethodInterceptor: anonymous access not allowed");
throw new ForbiddenException("Anonymous access not allowed.");
}
// If unrecognized principal, reject request.
if (!(principal instanceof PKIPrincipal)) {
- System.out.println("AuthInterceptor: unknown principal");
+ CMS.debug("AuthMethodInterceptor: unknown principal");
throw new ForbiddenException("Unknown user principal");
}
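Review bot: The message style of the new `CMS.debug` calls in this file differs from the ones the same commit adds to ACLInterceptor: here they are lowercase fragments (`"unknown principal"`, `"anonymous access not allowed"`) while ACLInterceptor uses full sentences ending in a period, and the client-facing `throw new ForbiddenException("Unknown user principal");` keeps the missing trailing period that the commit fixes for the equivalent `"Invalid user principal."` message in ACLInterceptor. Since both interceptors write to the same debug log, pick one convention; e.g. `throw new ForbiddenException("Unknown user principal.");` and `CMS.debug("AuthMethodInterceptor: Unknown user principal.");`. The enclosing method continues outside this hunk.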
@@ -146,20 +147,20 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
// If missing auth token, reject request.
if (authToken == null) {
- System.out.println("AuthInterceptor: missing authentication token");
+ CMS.debug("AuthMethodInterceptor: missing authentication token");
throw new ForbiddenException("Missing authentication token.");
}
String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
- System.out.println("AuthInterceptor: authentication manager: "+authManager);
+ CMS.debug("AuthMethodInterceptor: authentication manager: "+authManager);
if (authManager == null) {
- System.out.println("AuthInterceptor: missing authentication manager");
+ CMS.debug("AuthMethodInterceptor: missing authentication manager");
throw new ForbiddenException("Missing authentication manager.");
}
if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
- System.out.println("AuthInterceptor: "+authManager+" allowed");
+ CMS.debug("AuthMethodInterceptor: "+authManager+" allowed");
return null;
}
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
index 4c9e501ad..6cd417312 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.Client;
import com.netscape.certsrv.tps.TPSClient;
import com.netscape.cmstools.logging.ActivityCLI;
import com.netscape.cmstools.token.TokenCLI;
+import com.netscape.cmstools.user.UserCLI;
/**
* @author Endi S. Dewata
@@ -35,6 +36,7 @@ public class TPSCLI extends SubsystemCLI {
addModule(new ActivityCLI(this));
addModule(new TokenCLI(this));
+ addModule(new UserCLI(this));
}
public String getFullName() {
diff --git a/base/tps-tomcat/shared/conf/CS.cfg.in b/base/tps-tomcat/shared/conf/CS.cfg.in
index f84b16bf5..087ab483b 100644
--- a/base/tps-tomcat/shared/conf/CS.cfg.in
+++ b/base/tps-tomcat/shared/conf/CS.cfg.in
@@ -1354,7 +1354,7 @@ preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=/pki/images/clearpixel.gif
preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
preop.hierarchy.profile=caCert.profile
-preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif
+preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif,/usr/share/pki/tps/conf/acl.ldif
preop.internaldb.index_ldif=/usr/share/pki/tps/conf/index.ldif
preop.internaldb.ldif=/usr/share/pki/tps/conf/database.ldif
preop.internaldb.manager_ldif=/usr/share/pki/tps/conf/manager.ldif
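Review bot: The value of `preop.internaldb.data_ldif` is now a comma-separated pair of paths, which only has the intended effect if the code that consumes this property splits it on commas; nothing in this diff shows that, so it should be confirmed. If the consumer treats the value as a single path, acl.ldif is silently never imported and the new `certServer.tps.*` ACL entries would not exist in the database, with no error surfaced at configuration time.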
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index fb63122d1..17d3bad64 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -20,3 +20,6 @@ resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="
resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
+resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
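Review bot: The two new `certServer.tps.users` and `certServer.tps.groups` entries expose a single `execute` right that covers every user and group operation alike, so a read-only listing needs the same privilege as a modification; the existing entries in this file (e.g. `certServer.registry.configuration:read,modify` in the hunk header) keep `read` and `modify` separate, which leaves room for a read-only role later without rewriting the ACL. The commit message speaks of TPS administrators, but the group named here is `TUS Administrators`, which is not the `Enterprise TPS Administrators` group used on the clone line above; confirm that a `TUS Administrators` group is actually created by the TPS db.ldif, since otherwise these ACLs can never be satisfied. If the interceptor's per-method ACL mapping allows it, prefer `resourceACLS: certServer.tps.users:read,modify:allow (read,modify) group="TUS Administrators":Admins may read and modify users` and the same shape for groups.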