| author | Endi S. Dewata <edewata@redhat.com> | 2013-10-11 14:51:57 -0400 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2013-10-28 12:54:13 -0400 |
| commit | bdcfb92bbc03dd40c1052bf2e6ad372e4daf134a (patch) | |
| tree | 7d28210db852bd91aa9681af4dd604f6194e0e9b /base | |
| parent | 533029c934843c75d1a01561d3200cc41292aeda (diff) | |
| download | pki-bdcfb92bbc03dd40c1052bf2e6ad372e4daf134a.tar.gz pki-bdcfb92bbc03dd40c1052bf2e6ad372e4daf134a.tar.xz pki-bdcfb92bbc03dd40c1052bf2e6ad372e4daf134a.zip | |
Added access control for TPS token.
The TPS token REST interface has been modified to require client certificate
authentication. TPS admins, agents, and operators are allowed to view tokens,
but only admins are allowed to add and remove tokens, and only agents are
allowed to modify tokens.
Diffstat (limited to 'base')
5 files changed, 40 insertions, 11 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/token/TokenResource.java b/base/common/src/com/netscape/certsrv/tps/token/TokenResource.java
index 5f98845e3..000853623 100644
--- a/base/common/src/com/netscape/certsrv/tps/token/TokenResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/token/TokenResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
 import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
 /**
 * @author Endi S. Dewata
 */
 @Path("tokens")
+@AuthMethodMapping("tokens")
+@ACLMapping("tokens.read")
 public interface TokenResource {
 @GET
@@ -53,6 +58,7 @@ public interface TokenResource {
 @ClientResponseType(entityType=TokenData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("tokens.add")
 public Response addToken(TokenData tokenData);
 @PUT
@@ -60,6 +66,7 @@ public interface TokenResource {
 @ClientResponseType(entityType=TokenData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("tokens.modify")
 public Response updateToken(
 @PathParam("tokenID") String tokenID,
 TokenData tokenData);
@@ -69,6 +76,7 @@ public interface TokenResource {
 @ClientResponseType(entityType=TokenData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("tokens.modify")
 public Response modifyToken(
 @PathParam("tokenID") String tokenID,
 TokenModifyRequest request);
@@ -76,5 +84,6 @@ public interface TokenResource {
 @DELETE
 @Path("{tokenID}")
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("tokens.remove")
 public void removeToken(@PathParam("tokenID") String tokenID);
 }
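Review bot: The type-level `@ACLMapping("tokens.read")` on TokenResource is what every method without its own annotation falls back to, so a method added later without an explicit `@ACLMapping` silently runs under read-level access, and nothing in the hunk documents that. I would add above the interface declaration `// tokens.read is the default ACL for un-annotated methods; any new method that creates, changes or deletes tokens must declare its own @ACLMapping.` The GET operations in these hunks rely on that default and carry no mapping, which appears intended since the description grants read to all three TPS groups. The `@AuthMethodMapping("tokens")` key has to match the `tokens` entry that AuthMethodInterceptor resolves, which this file does not show.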
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index c42ba26d0..fa2648bc7 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -48,7 +48,7 @@ import com.netscape.cms.realm.PKIPrincipal;
 @Provider
 public class AuthMethodInterceptor implements ContainerRequestFilter {
- Properties authProperties;
+ Properties authMethodProperties;
 @Context ServletContext servletContext;
@@ -58,22 +58,24 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 public synchronized void loadAuthProperties() throws IOException {
- if (authProperties != null)
+ if (authMethodProperties != null)
 return;
- authProperties = new Properties();
+ authMethodProperties = new Properties();
 URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
 if (url == null) {
- authProperties.put("default", "*");
- authProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
- authProperties.put("admin", "certUserDBAuthMgr");
- authProperties.put("agent", "certUserDBAuthMgr");
- authProperties.put("profiles", "certUserDBAuthMgr");
- authProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
+ authMethodProperties.put("default", "*");
+ authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
+ authMethodProperties.put("admin", "certUserDBAuthMgr");
+ authMethodProperties.put("agent", "certUserDBAuthMgr");
+ authMethodProperties.put("profiles", "certUserDBAuthMgr");
+ authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
+ authMethodProperties.put("tokens", "certUserDBAuthMgr");
+
 } else {
- authProperties.load(url.openStream());
+ authMethodProperties.load(url.openStream());
 }
 }
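Review bot: `authMethodProperties.load(url.openStream())` in loadAuthProperties never closes the stream returned by `openStream()`; the rename rewrites this line but keeps the leak. Replace it with `try (InputStream in = url.openStream()) { authMethodProperties.load(in); }`, adding `import java.io.InputStream;` if the file does not already have it. The new `tokens` entry only lands in the hard-coded fallback, which the `url == null` branch shows is used just when `/WEB-INF/auth-method.properties` is absent; if the TPS webapp ships that file it needs the same `tokens = certUserDBAuthMgr` line, and no such file is among the five in the diffstat. loadAuthProperties is contained entirely in this hunk.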
@@ -108,7 +110,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 try {
 loadAuthProperties();
- String value = authProperties.getProperty(name);
+ String value = authMethodProperties.getProperty(name);
 Collection<String> authMethods = new HashSet<String>();
 if (value != null) {
 for (String v : value.split(",")) {
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index 17d3bad64..4e1e1a6fb 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -23,3 +23,4 @@ resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) gro
 resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
 resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
 resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
+resourceACLS: certServer.tps.tokens:read,add,modify,remove:allow (read) group="TUS Administrators" || group="TUS Agents" || group="TUS Operators"; allow (add,remove) group="TUS Administrators" ; allow (modify) group="TUS Agents":Admins, agents, operators can read tokens, but only admins can add and remove tokens, and only agents can modify tokens.
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index 8ed17dbe0..f3f2fd99f 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
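Review bot: The clause separators in the new `certServer.tps.tokens` rule are written inconsistently: `group="TUS Administrators" ;` has a space before the semicolon while `group="TUS Operators";` does not, and the surrounding rules in acl.ldif use none. I would write the middle clause as `allow (add,remove) group="TUS Administrators"; allow (modify) group="TUS Agents"`. The grants themselves match the commit description (read for admins, agents and operators; add/remove for admins; modify for agents only), and the trailing description on the rule states the same, so the text and the rule agree.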
@@ -8,3 +8,7 @@ account.login = certServer.tps.account,login
 account.logout = certServer.tps.account,logout
 admin.users = certServer.tps.users,execute
 admin.groups = certServer.tps.groups,execute
+tokens.read = certServer.tps.tokens,read
+tokens.add = certServer.tps.tokens,add
+tokens.modify = certServer.tps.tokens,modify
+tokens.remove = certServer.tps.tokens,remove
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 69316fa54..056de68e0 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -199,6 +199,19 @@
 </user-data-constraint>
 </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Token Services</web-resource-name>
+ <url-pattern>/rest/tokens/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
 <login-config>
 <realm-name>Token Processing Service</realm-name>
 </login-config>
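Review bot: The new `Token Services` constraint uses `<role-name>*</role-name>`, which in the Servlet specification matches any role declared with `<security-role>` in this descriptor (the `**` form for any authenticated caller exists only from Servlet 3.1), so this element gates authentication only and the per-operation decision is left entirely to the `@ACLMapping`/acl.ldif layer; confirm that the TUS Administrators, Agents and Operators roles are declared elsewhere in web.xml, outside this hunk. A comment would stop the next reader from reading the `*` as authorization, e.g. `<!-- Any declared TPS role may reach /rest/tokens/*; read/add/modify/remove are authorized per method by ACLMapping against certServer.tps.tokens in acl.ldif. -->`. The `CONFIDENTIAL` transport guarantee is consistent with the client-certificate authentication the description requires, and the `<login-config>` shown here carries only a realm name, so the `<auth-method>` it relies on is not visible in the hunk.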
