authorEndi S. Dewata <edewata@redhat.com>2013-11-18 20:18:20 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-11-19 14:18:18 -0500
commitf2235017d6749576188cfaa8c0d1d5bf426c3012 (patch)
treec8e804aa7593d98871d71ecc8a72e9b8d47b5914 /base
parent23c1fa50ea823dff082898872596752150a99837 (diff)
Added ACL for TPS profile mapping.
A new ACL has been added so that only administrators can access TPS profile mappings. Ticket #652
Diffstat (limited to 'base')
-rw-r--r--base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java8
-rw-r--r--base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java2
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java1
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif3
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties4
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml13
6 files changed, 29 insertions, 2 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java b/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
index 20e360310..04e606b8a 100644
--- a/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/profile/ProfileMappingResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
/**
* @author Endi S. Dewata
*/
@Path("profile-mappings")
+@AuthMethodMapping("profile-mappings")
+@ACLMapping("profile-mappings.read")
public interface ProfileMappingResource {
@GET
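Review bot: The class-level `@ACLMapping("profile-mappings.read")` appears to act as the default for every method that carries no mapping of its own, since the later hunks add `profile-mappings.add`, `.modify` and `.remove` only on the write operations; a method added to this interface later without its own annotation would then be gated by the read ACL rather than denied. That convention is not recorded anywhere in the type, so I would extend the Javadoc with `* Default ACL: profile-mappings.read. Every write operation must declare its own @ACLMapping.` The interface body continues past the hunk, so methods outside it that rely on the default are not visible here.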
@@ -53,6 +58,7 @@ public interface ProfileMappingResource {
@ClientResponseType(entityType=ProfileMappingData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.add")
public Response addProfileMapping(ProfileMappingData profileMappingData);
@PUT
@@ -60,6 +66,7 @@ public interface ProfileMappingResource {
@ClientResponseType(entityType=ProfileMappingData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.modify")
public Response updateProfileMapping(
@PathParam("profileMappingID") String profileMappingID,
ProfileMappingData profileMappingData);
@@ -67,5 +74,6 @@ public interface ProfileMappingResource {
@DELETE
@Path("{profileMappingID}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("profile-mappings.remove")
public void removeProfileMapping(@PathParam("profileMappingID") String profileMappingID);
}
diff --git a/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
index 277fc4efe..bc0cb92f2 100644
--- a/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/tps/profile/ProfileMappingAddCLI.java
@@ -43,7 +43,7 @@ public class ProfileMappingAddCLI extends CLI {
}
public void printHelp() {
- formatter.printHelp(getFullName() + " <ProfileMapping ID> [OPTIONS...]", options);
+ formatter.printHelp(getFullName() + " [OPTIONS...]", options);
}
public void execute(String[] args) throws Exception {
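Review bot: The usage string no longer mentions the `<ProfileMapping ID>` positional argument, but `execute()` begins on the hunk's last line and its body lies outside the hunk, so it is not visible whether it stopped reading the ID from `args`; if it still does, the help text and the command's behaviour disagree. This edit is also not covered by the commit message, which describes only the ACL addition, so a one-line mention there (or a separate commit) would make the history easier to follow.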
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 75159f375..2e6b68955 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -78,6 +78,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
authMethodProperties.put("keyrequests", "certUserDBAuthMgr");
authMethodProperties.put("kraconnectors", "certUserDBAuthMgr");
authMethodProperties.put("profiles", "certUserDBAuthMgr");
+ authMethodProperties.put("profile-mappings", "certUserDBAuthMgr");
authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
authMethodProperties.put("selftests", "certUserDBAuthMgr");
authMethodProperties.put("tokens", "certUserDBAuthMgr");
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index 95f137688..5b0e4cf3b 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -26,6 +26,7 @@ resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS A
resourceACLS: certServer.tps.connections:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access configuration.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
-resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
+resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,modify,remove) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
+resourceACLS: certServer.tps.profile-mappings:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators" :Only admins can access profile mappings.
resourceACLS: certServer.tps.selftests:read,execute:allow (read,execute) group="TUS Administrators":Only admins can access selftests.
resourceACLS: certServer.tps.tokens:read,add,modify,remove:allow (read) group="TUS Administrators" || group="TUS Agents" || group="TUS Operators"; allow (add,remove) group="TUS Administrators" ; allow (modify) group="TUS Agents":Admins, agents, operators can read tokens, but only admins can add and remove tokens, and only agents can modify tokens.
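Review bot: The new `certServer.tps.profile-mappings` entry has a space before the description separator (`"TUS Administrators" :Only`), while every sibling entry writes `":Only`; whether the ACL parser trims that trailing space from the expression is not visible here, so I would normalise it to `group="TUS Administrators":Only admins can access profile mappings.` to match the surrounding lines rather than rely on parser tolerance. The change to the `certServer.tps.profiles` line only reorders `(add,remove,modify)` to `(add,modify,remove)`, which looks cosmetic.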
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index e986b87a3..c5f27f100 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -22,6 +22,10 @@ profiles.add = certServer.tps.profiles,add
profiles.modify = certServer.tps.profiles,modify
profiles.approve = certServer.tps.profiles,approve
profiles.remove = certServer.tps.profiles,remove
+profile-mappings.read = certServer.tps.profile-mappings,read
+profile-mappings.add = certServer.tps.profile-mappings,add
+profile-mappings.modify = certServer.tps.profile-mappings,modify
+profile-mappings.remove = certServer.tps.profile-mappings,remove
selftests.read = certServer.tps.selftests,read
selftests.execute = certServer.tps.selftests,execute
tokens.read = certServer.tps.tokens,read
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 9f171f0c2..6f83271cc 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -253,6 +253,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Profile Mappings</web-resource-name>
+ <url-pattern>/rest/profile-mappings/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Self Tests</web-resource-name>
<url-pattern>/rest/selftests/*</url-pattern>
</web-resource-collection>
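Review bot: The new constraint for `/rest/profile-mappings/*` uses `<role-name>*</role-name>`, so the container only enforces authentication and TLS (`CONFIDENTIAL`); the admin-only restriction described in the commit rests entirely on the `@ACLMapping` / `acl.ldif` layer. That layering is presumably the same as the neighbouring constraints, but nothing in web.xml says so, so I would add `<!-- Authorization (admins only) is enforced by the ACL layer via certServer.tps.profile-mappings; this constraint only requires an authenticated user over TLS. -->` above the `<security-constraint>`.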