authorFraser Tweedale <ftweedal@redhat.com>2017-02-08 12:18:03 +1000
committerFraser Tweedale <ftweedal@redhat.com>2017-04-19 11:30:15 +1000
commitb099b631bb49e17e0aa4cd8c7a818ba1c923ec92 (patch)
tree5e73d35db97c85f2c629f1e42c91d4122f1727f5 /base
parentdcc42ad4ed7fcbc566b7cf7ce1cbfae93b24a9a9 (diff)
Add authn manager that reuses auth token from session
To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used. For external authentication support it is possible that the external authentication is sufficient to authenticate use of a profile, especially when the profile uses components like ExternalProcessConstraint to validate the cert request against external sources of information. To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present. Part of: https://pagure.io/dogtagpki/issue/1359
Diffstat (limited to 'base')
-rw-r--r--base/ca/shared/conf/CS.cfg2
-rw-r--r--base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java167
-rw-r--r--base/server/upgrade/10.4.1/.gitignore4
-rwxr-xr-xbase/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin51
4 files changed, 224 insertions, 0 deletions
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index e8003603b..392331952 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD
auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication
auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication
auths.instance.TokenAuth.pluginName=TokenAuth
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
@@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth
auths.instance.flatFileAuth.pluginName=FlatFileAuth
auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt
auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.instance.SessionAuthentication.pluginName=SessionAuthentication
auths.revocationChecking.bufferSize=50
auths.revocationChecking.ca=ca
auths.revocationChecking.enabled=true
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
new file mode 100644
index 000000000..27f08cd99
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
@@ -0,0 +1,167 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.authentication;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EMissingCredential;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Pull any existing auth token from the session context.
+ *
+ * Use with caution as a profile authenticator; if there is a
+ * session it will unconditionally approve the request
+ * (subject to constraints, etc).
+ */
+public class SessionAuthentication
+ implements IProfileAuthenticator {
+
+ private String instName = null;
+ private String implName = null;
+ private IConfigStore config = null;
+
+ public SessionAuthentication() {
+ }
+
+ public void init(String instName, String implName, IConfigStore config)
+ throws EBaseException {
+ this.instName = instName;
+ this.implName = implName;
+ this.config = config;
+ }
+
+ /**
+ * Gets the name of this authentication manager.
+ */
+ public String getName() {
+ return instName;
+ }
+
+ /**
+ * Gets the plugin name of authentication manager.
+ */
+ public String getImplName() {
+ return implName;
+ }
+
+ public boolean isSSLClientRequired() {
+ return false;
+ }
+
+ /**
+ * Authenticate user.
+ *
+ * @return the auth token from existing session context, if any.
+ * @throws EMissingCredential if no auth token or no session
+ */
+ public IAuthToken authenticate(IAuthCredentials authCred)
+ throws EMissingCredential {
+ SessionContext context = SessionContext.getExistingContext();
+
+ if (context == null)
+ throw new EMissingCredential("SessionAuthentication: no session");
+
+ IAuthToken authToken = (IAuthToken)
+ context.get(SessionContext.AUTH_TOKEN);
+
+ if (authToken == null)
+ throw new EMissingCredential("SessionAuthentication: no auth token");
+
+ return authToken;
+ }
+
+ public String[] getRequiredCreds() {
+ String[] requiredCreds = { };
+ return requiredCreds;
+ }
+
+ public String[] getConfigParams() {
+ return null;
+ }
+
+ /**
+ * prepare this authentication manager for shutdown.
+ */
+ public void shutdown() {
+ }
+
+ /**
+ * gets the configuretion substore used by this authentication
+ * manager
+ *
+ * @return configuration store
+ */
+ public IConfigStore getConfigStore() {
+ return config;
+ }
+
+ // Profile-related methods
+
+ public void init(IProfile profile, IConfigStore config) {
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT");
+ }
+
+ /**
+ * Retrieves a list of names of the value parameter.
+ */
+ public Enumeration<String> getValueNames() {
+ return Collections.emptyEnumeration();
+ }
+
+ public boolean isValueWriteable(String name) {
+ return false;
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void populate(IAuthToken token, IRequest request) {
+ }
+}
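Review bot: `authenticate()` returns whatever object sits under `SessionContext.AUTH_TOKEN` without checking which authentication manager issued it or whether the principal is an agent, so any profile that selects this instance is satisfied by any authenticated session, and the class comment's "use with caution" is the only guard. At minimum the method Javadoc should say so; I would add `* The token is returned unmodified: this class does not verify which authentication manager issued it, the caller's role, or that the token is still current. Profiles relying on it must enforce those conditions through their own constraints.` and, if the token records its issuing manager (the imported but unused `AuthToken` class hints at such metadata — to confirm), an optional config parameter whitelisting accepted manager instance names. `getName(Locale)`/`getText(Locale)` reuse `CMS_AUTHENTICATION_AGENT_NAME`/`_TEXT`, so the profile UI will describe this authenticator as agent authentication; dedicated message keys would avoid misleading an administrator reviewing a profile. Also `getConfigParams()` returns `null` while `getRequiredCreds()` returns an empty array — `return new String[0];` keeps the two consistent and avoids an NPE in any caller that iterates the result, and the unused `AuthToken` import should go.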
diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/server/upgrade/10.4.1/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin
new file mode 100755
index 000000000..62d508ed1
--- /dev/null
+++ b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin
@@ -0,0 +1,51 @@
+#!/usr/bin/python
+# Authors:
+# Fraser Tweedale <ftweedal@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+
+import pki
+from pki.server.upgrade import PKIServerUpgradeScriptlet
+
+
+class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet):
+ def __init__(self):
+ super(AddSessionAuthenticationPlugin, self).__init__()
+ self.message = 'Add SessionAuthentication to CS.cfg'
+
+ def upgrade_subsystem(self, instance, subsystem):
+ if subsystem.name == 'ca':
+ self.add_plugin(instance, subsystem)
+
+ def add_plugin(self, instance, subsystem): # pylint: disable=W0613
+ filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
+ self.backup(filename)
+
+ properties = pki.PropertyFile(filename)
+ properties.read()
+
+ properties.set(
+ 'auths.impl.SessionAuthentication.class',
+ 'com.netscape.cms.authentication.SessionAuthentication')
+ properties.set(
+ 'auths.instance.SessionAuthentication.pluginName',
+ 'SessionAuthentication')
+
+ properties.write()
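Review bot: `add_plugin` writes not just the `auths.impl.*` registration but an enabled `auths.instance.SessionAuthentication` into every existing CA's CS.cfg, so on upgrade every deployment gains a ready-to-reference authenticator that makes any authenticated session sufficient for a profile, without an administrator opting in; registering only the implementation and leaving instance creation to the administrator is the conservative choice. If the instance is to be created regardless, the second `properties.set` silently overwrites whatever an administrator may already have under that instance name; guard it, e.g. `if properties.get('auths.instance.SessionAuthentication.pluginName') is None:` before the set (assuming `pki.PropertyFile` exposes a getter — confirm). A one-line comment above `add_plugin`, `# Registers the plugin and creates a default instance; see SessionAuthentication.java for the trust implications`, would also help the next person touching this scriptlet.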