diff options
| author | Ade Lee <alee@redhat.com> | 2016-05-25 18:10:59 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2016-06-02 19:44:24 -0400 |
| commit | f51278ca75c028b7658caa2052d435c488eebe92 (patch) | |
| tree | 8fd4c6f9ccbd8a7b5cdd825f037e060e762f827d /base | |
| parent | 1470f72574464e5d45926bce9b56c610ab84fec2 (diff) | |
| download | pki-f51278ca75c028b7658caa2052d435c488eebe92.tar.gz pki-f51278ca75c028b7658caa2052d435c488eebe92.tar.xz pki-f51278ca75c028b7658caa2052d435c488eebe92.zip | |
Fix old KRA servlets to check realm
The old KRA servlets to list and display keys do not go through
the same code paths as the REST API. Therefore, they do not
check the authz realm.
This patch adds the relevant code. No attempt is made to fix the
error handling of the old servlets. the long term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead. Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.
Diffstat (limited to 'base')
4 files changed, 96 insertions, 14 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java index 03af65c1f..7d3a5e9ff 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java @@ -31,6 +31,7 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.common.ICMSRequest; @@ -154,7 +155,12 @@ public class DisplayBySerial extends CMSServlet { if (req.getParameter(IN_SERIALNO) != null) { seqNum = new BigInteger(req.getParameter(IN_SERIALNO)); } - process(argSet, header, seqNum, req, resp, locale[0]); + process(argSet, header, seqNum, req, resp, locale[0], authToken); + } catch (EAuthzException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.UNAUTHORIZED); + return; } catch (NumberFormatException e) { header.addStringValue(OUT_ERROR, CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString())); @@ -175,19 +181,23 @@ public class DisplayBySerial extends CMSServlet { /** * Display information about a particular key. + * @throws EAuthzException */ private void process(CMSTemplateParams argSet, IArgBlock header, BigInteger seq, HttpServletRequest req, HttpServletResponse resp, - Locale locale) { + Locale locale, IAuthToken authToken) throws EAuthzException { try { header.addStringValue(OUT_OP, req.getParameter(OUT_OP)); header.addStringValue(OUT_SERVICE_URL, req.getRequestURI()); IKeyRecord rec = mKeyDB.readKeyRecord(seq); - + mAuthz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), + mAuthzResourceName, "read"); KeyRecordParser.fillRecordIntoArg(rec, header); + } catch (EAuthzException e) { + throw e; } catch (EBaseException e) { header.addStringValue(OUT_ERROR, e.toString(locale)); } diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java index 48cac3785..fdba138a2 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java @@ -31,6 +31,7 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.common.ICMSRequest; @@ -159,7 +160,12 @@ public class DisplayBySerialForRecovery extends CMSServlet { } process(argSet, header, req.getParameter("publicKeyData"), - seqNum, req, resp, locale[0]); + seqNum, req, resp, locale[0], authToken); + } catch (EAuthzException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.UNAUTHORIZED); + return; } catch (NumberFormatException e) { header.addStringValue(OUT_ERROR, CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString())); @@ -183,11 +189,12 @@ public class DisplayBySerialForRecovery extends CMSServlet { /** * Display information about a particular key. + * @throws EAuthzException */ private synchronized void process(CMSTemplateParams argSet, IArgBlock header, String publicKeyData, BigInteger seq, HttpServletRequest req, HttpServletResponse resp, - Locale locale) { + Locale locale, IAuthToken authToken) throws EAuthzException { try { header.addIntegerValue("noOfRequiredAgents", mService.getNoOfRequiredAgents()); @@ -202,11 +209,14 @@ public class DisplayBySerialForRecovery extends CMSServlet { publicKeyData); } IKeyRecord rec = mKeyDB.readKeyRecord(seq); - + mAuthz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), + mAuthzResourceName, "read"); KeyRecordParser.fillRecordIntoArg(rec, header); // recovery identifier header.addStringValue("recoveryID", mService.getRecoveryID()); + } catch (EAuthzException e) { + throw e; } catch (EBaseException e) { header.addStringValue(OUT_ERROR, e.toString(locale)); } diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java index 5bedf1f58..0d9ae507c 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java @@ -27,12 +27,11 @@ import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.x509.X500Name; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.common.ICMSRequest; @@ -45,6 +44,9 @@ import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.ldap.LDAPUtil; + +import netscape.security.x509.X500Name; /** * Retrieve archived keys matching search criteria @@ -65,6 +67,7 @@ public class SrchKey extends CMSServlet { private final static String IN_MAXCOUNT = "maxCount"; private final static String IN_FILTER = "queryFilter"; private final static String IN_SENTINEL = "querySentinel"; + private final static String REALM = "realm"; // output parameters private final static String OUT_FILTER = IN_FILTER; @@ -144,6 +147,7 @@ public class SrchKey extends CMSServlet { * <li>http.param queryFilter ldap-style filter to search with * <li>http.param querySentinel ID of first request to show * <li>http.param timeLimit number of seconds to limit ldap search to + * <li>http.param realm authorization realm to search * </ul> * * @param cmsReq the object holding the request and response information @@ -173,6 +177,22 @@ public class SrchKey extends CMSServlet { return; } + String realm = req.getParameter(REALM); + try { + mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list"); + } catch (EAuthzException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.UNAUTHORIZED); + return; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.EXCEPTION); + return; + } + + CMSTemplate form = null; Locale[] locale = new Locale[1]; @@ -212,9 +232,10 @@ public class SrchKey extends CMSServlet { if (timeLimitStr != null && timeLimitStr.length() > 0) timeLimit = Integer.parseInt(timeLimitStr); + process(argSet, header, ctx, maxCount, maxResults, timeLimit, sentinel, - req.getParameter(IN_FILTER), req, resp, locale[0]); + req.getParameter(IN_FILTER), req, resp, locale[0], realm); } catch (NumberFormatException e) { header.addStringValue(OUT_ERROR, CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString())); @@ -240,9 +261,19 @@ public class SrchKey extends CMSServlet { private void process(CMSTemplateParams argSet, IArgBlock header, IArgBlock ctx, int maxCount, int maxResults, int timeLimit, int sentinel, String filter, - HttpServletRequest req, HttpServletResponse resp, Locale locale) { + HttpServletRequest req, HttpServletResponse resp, Locale locale, String realm) { try { + if (filter.contains("(realm=")) { + throw new EBaseException("Query filter cannot contain realm"); + } + + if (realm != null) { + filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))"; + } else { + filter = "(&" + filter + "(!(realm=*)))"; + } + // Fill header header.addStringValue(OUT_OP, req.getParameter(OUT_OP)); @@ -263,6 +294,7 @@ public class SrchKey extends CMSServlet { CMS.debug("Resetting timelimit from " + timeLimit + " to " + mTimeLimits); timeLimit = mTimeLimits; } + CMS.debug("Start searching ... timelimit=" + timeLimit); Enumeration<IKeyRecord> e = mKeyDB.searchKeys(filter, maxResults, timeLimit); diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java index 897acfc76..0c0f58615 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java @@ -27,12 +27,11 @@ import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.x509.X500Name; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzUnknownRealm; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.common.ICMSRequest; @@ -45,6 +44,9 @@ import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; +import com.netscape.cmsutil.ldap.LDAPUtil; + +import netscape.security.x509.X500Name; /** * Retrieve archived keys matching given public key material @@ -66,6 +68,7 @@ public class SrchKeyForRecovery extends CMSServlet { private final static String IN_MAXCOUNT = "maxCount"; private final static String IN_FILTER = "queryFilter"; private final static String IN_SENTINEL = "querySentinel"; + private final static String REALM = "realm"; // output parameters private final static String OUT_FILTER = IN_FILTER; @@ -142,6 +145,7 @@ public class SrchKeyForRecovery extends CMSServlet { * <li>http.param publicKeyData public key data to search on * <li>http.param querySentinel ID of first request to show * <li>http.param timeLimit number of seconds to limit ldap search to + * <li>http.param realm authorization realm to search * </ul> * * @param cmsReq the object holding the request and response information @@ -171,6 +175,21 @@ public class SrchKeyForRecovery extends CMSServlet { return; } + String realm = req.getParameter(REALM); + try { + mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list"); + } catch (EAuthzAccessDenied | EAuthzUnknownRealm e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.UNAUTHORIZED); + return; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + cmsReq.setStatus(ICMSRequest.EXCEPTION); + return; + } + CMSTemplate form = null; Locale[] locale = new Locale[1]; @@ -212,7 +231,8 @@ public class SrchKeyForRecovery extends CMSServlet { if (timeLimitStr != null && timeLimitStr.length() > 0) timeLimit = Integer.parseInt(timeLimitStr); process(argSet, header, ctx, maxCount, maxResults, timeLimit, sentinel, - req.getParameter("publicKeyData"), req.getParameter(IN_FILTER), req, resp, locale[0]); + req.getParameter("publicKeyData"), req.getParameter(IN_FILTER), + req, resp, locale[0], realm); } catch (NumberFormatException e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT")); @@ -255,10 +275,20 @@ public class SrchKeyForRecovery extends CMSServlet { IArgBlock header, IArgBlock ctx, int maxCount, int maxResults, int timeLimit, int sentinel, String publicKeyData, String filter, - HttpServletRequest req, HttpServletResponse resp, Locale locale) + HttpServletRequest req, HttpServletResponse resp, Locale locale, String realm) throws EBaseException { try { + if (filter.contains("(realm=")) { + throw new EBaseException("Query filter cannot contain realm"); + } + + if (realm != null) { + filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))"; + } else { + filter = "(&" + filter + "(!(realm=*)))"; + } + // Fill header header.addStringValue(OUT_OP, req.getParameter(OUT_OP)); |