author | Endi S. Dewata <edewata@redhat.com> | 2013-11-18 20:18:20 -0500 |
committer | Endi S. Dewata <edewata@redhat.com> | 2013-11-19 14:18:18 -0500 |
commit | f2235017d6749576188cfaa8c0d1d5bf426c3012 (patch) | |
tree | c8e804aa7593d98871d71ecc8a72e9b8d47b5914 /base | |
parent | 23c1fa50ea823dff082898872596752150a99837 (diff) | |
Added ACL for TPS profile mapping.
A new ACL has been added that allows only administrators to access
TPS profile mappings.
Ticket #652
Diffstat (limited to 'base')
6 files changed, 29 insertions, 2 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java b/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
index 20e360310..04e606b8a 100644
--- a/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
 import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
 /**
 * @author Endi S. Dewata
 */
 @Path("profile-mappings")
+@AuthMethodMapping("profile-mappings")
+@ACLMapping("profile-mappings.read")
 public interface ProfileMappingResource {
 @GET
@@ -53,6 +58,7 @@ public interface ProfileMappingResource {
 @ClientResponseType(entityType=ProfileMappingData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.add")
 public Response addProfileMapping(ProfileMappingData profileMappingData);
 @PUT
@@ -60,6 +66,7 @@ public interface ProfileMappingResource {
 @ClientResponseType(entityType=ProfileMappingData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.modify")
 public Response updateProfileMapping(
 @PathParam("profileMappingID") String profileMappingID,
 ProfileMappingData profileMappingData);
@@ -67,5 +74,6 @@ public interface ProfileMappingResource {
 @DELETE
 @Path("{profileMappingID}")
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.remove")
 public void removeProfileMapping(@PathParam("profileMappingID") String profileMappingID);
 }
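Review bot: The class-level `@ACLMapping("profile-mappings.read")` is the only authorization mapping for any method that carries none of its own, which in this hunk is presumably the `@GET` operation that follows it; nothing in the interface records that the class-level value is a read-only fallback. A short Javadoc line above the annotation, e.g. `Default ACL for methods without a method-level @ACLMapping (the read operations); every mutating method must declare its own`, would make an accidental omission visible to whoever adds the next method. The method-level `@ACLMapping` values in the add, update and remove hunks match the `profile-mappings.*` keys added to auth.properties in this commit. Whether the interceptor that consumes the annotation actually falls back to the class-level value is not visible in this change.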
diff --git a/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
index 277fc4efe..bc0cb92f2 100644
--- a/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
@@ -43,7 +43,7 @@ public class ProfileMappingAddCLI extends CLI {
 }
 public void printHelp() {
- formatter.printHelp(getFullName() + " <ProfileMapping ID> [OPTIONS...]", options);
+ formatter.printHelp(getFullName() + " [OPTIONS...]", options);
 }
 public void execute(String[] args) throws Exception {
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 75159f375..2e6b68955 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -78,6 +78,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 authMethodProperties.put("keyrequests", "certUserDBAuthMgr");
 authMethodProperties.put("kraconnectors", "certUserDBAuthMgr");
 authMethodProperties.put("profiles", "certUserDBAuthMgr");
+ authMethodProperties.put("profile-mappings", "certUserDBAuthMgr");
 authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
 authMethodProperties.put("selftests", "certUserDBAuthMgr");
 authMethodProperties.put("tokens", "certUserDBAuthMgr");
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index 95f137688..5b0e4cf3b 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -26,6 +26,7 @@ resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS A
 resourceACLS: certServer.tps.connections:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access configuration.
 resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
 resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
-resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
+resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,modify,remove) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
+resourceACLS: certServer.tps.profile-mappings:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators" :Only admins can access profile mappings.
 resourceACLS: certServer.tps.selftests:read,execute:allow (read,execute) group="TUS Administrators":Only admins can access selftests.
 resourceACLS: certServer.tps.tokens:read,add,modify,remove:allow (read) group="TUS Administrators" || group="TUS Agents" || group="TUS Operators"; allow (add,remove) group="TUS Administrators" ; allow (modify) group="TUS Agents":Admins, agents, operators can read tokens, but only admins can add and remove tokens, and only agents can modify tokens.
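Review bot: The rewritten `certServer.tps.profiles` line keeps a description saying that admins, agents, and operators can read profiles, while its ACI grants read only to `group="TUS Administrators" || group="TUS Agents"`; the `tokens` line below does list `"TUS Operators"`, so either the description or the ACI for profiles is out of step and the intended policy should be confirmed before this line is re-committed. The new `certServer.tps.profile-mappings` entry has a space before the description colon, `group="TUS Administrators" :Only admins`, unlike every sibling line; unless the ACL parser is known to strip it, write `group="TUS Administrators":Only admins can access profile mappings.` so the entry is parsed the same way as its neighbours. The reordering of `(add,remove,modify)` to `(add,modify,remove)` in the profiles line is cosmetic.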
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index e986b87a3..c5f27f100 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -22,6 +22,10 @@ profiles.add = certServer.tps.profiles,add
 profiles.modify = certServer.tps.profiles,modify
 profiles.approve = certServer.tps.profiles,approve
 profiles.remove = certServer.tps.profiles,remove
+profile-mappings.read = certServer.tps.profile-mappings,read
+profile-mappings.add = certServer.tps.profile-mappings,add
+profile-mappings.modify = certServer.tps.profile-mappings,modify
+profile-mappings.remove = certServer.tps.profile-mappings,remove
 selftests.read = certServer.tps.selftests,read
 selftests.execute = certServer.tps.selftests,execute
 tokens.read = certServer.tps.tokens,read
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 9f171f0c2..6f83271cc 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -253,6 +253,19 @@
 <security-constraint>
 <web-resource-collection>
+ <web-resource-name>Profile Mappings</web-resource-name>
+ <url-pattern>/rest/profile-mappings/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
 <web-resource-name>Self Tests</web-resource-name>
 <url-pattern>/rest/selftests/*</url-pattern>
 </web-resource-collection> |
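Review bot: The new constraint uses `<role-name>*</role-name>`, so the container only requires that a caller be authenticated; restricting `/rest/profile-mappings/*` to TUS Administrators, as the commit message states, rests entirely on the `@ACLMapping` interceptor and the `certServer.tps.profile-mappings` ACL, not on this file. That split matches the existing Self Tests constraint, but an XML comment inside the new block, e.g. `<!-- Any authenticated user reaches this path; per-operation access is enforced by the profile-mappings.* ACL mappings. -->`, would stop a later reader from taking web.xml for the access control. The `CONFIDENTIAL` transport guarantee is consistent with the neighbouring constraints. The auth.properties hunk on this line is a straightforward key addition that mirrors the existing `profiles.*` entries.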