authorjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 03:19:27 +0000
committerjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 03:19:27 +0000
commit15c626298e94d5974986a75e464fb4515dceed8b (patch)
treee2dd362f24f647203099408562cff629b5761433 /pki
parent02adcfeb70319062e34c099519764f876b252299 (diff)
Fix Bugzilla Bug 649910 - Console: an auditor or agent can be added to an administrator group.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1526 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg1
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java65
-rw-r--r--pki/base/kra/shared/conf/CS.cfg1
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg1
-rw-r--r--pki/base/tks/shared/conf/CS.cfg1
5 files changed, 51 insertions, 18 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index 94b168289..c82818cbc 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -136,6 +136,7 @@ subsystem.count=0
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
multiroles=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
CrossCertPair._000=##
CrossCertPair._001=## CrossCertPair Import
CrossCertPair._002=##
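Review bot: The entry `Enterprise KRA Adminstrators` in the added multiroles.false.groupEnforceList line looks misspelled (missing an "i"); isGroupInMultiRoleEnforceList compares group names with exact equals(), so if the real group is `Enterprise KRA Administrators` it will never match and its members would be added to other enforced groups without the duplicate-membership check. Please confirm the canonical group name where that group is created and correct the entry if so. The identical line is added to the KRA, OCSP and TKS CS.cfg files in this commit, so the same fix applies to all four.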
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
index 096f158a2..79b67fcc1 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
@@ -76,6 +76,9 @@ public class UsrGrpAdminServlet extends AdminServlet {
private IAuthzSubsystem mAuthz = null;
+ private static String [] mMultiRoleGroupEnforceList = null;
+ private final static String MULTI_ROLE_ENFORCE_GROUP_LIST = "multiroles.false.groupEnforceList";
+
/**
* Constructs User/Group manager servlet.
*/
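Review bot: `mMultiRoleGroupEnforceList` is a static mutable cache shared by every servlet instance and request thread, yet it is neither volatile nor documented; a reader has to find the later hunk to learn that it is lazily parsed from `multiroles.false.groupEnforceList` and, once non-null, never re-read, so a config change only takes effect after a restart. Suggest `private static volatile String[] mMultiRoleGroupEnforceList = null; // lazily parsed from MULTI_ROLE_ENFORCE_GROUP_LIST; null until first lookup, then fixed for the JVM lifetime` and a one-line Javadoc on the constant naming the CS.cfg key it reads. The initialization itself lives in isGroupInMultiRoleEnforceList, outside this hunk.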
@@ -1971,17 +1974,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
}
while (st.hasMoreTokens()) {
String memberName = st.nextToken();
-
if (multiRole) {
group.addMemberName(memberName);
} else {
- if (groupName.equals("Administrators") ||
- groupName.equals("Auditors") ||
- groupName.equals("Trusted Managers") ||
- groupName.equals("Certificate Manager Agents") ||
- groupName.equals("Registration Manager Agents") ||
- groupName.equals("Data Recovery Manager Agents") ||
- groupName.equals("Online Certificate Status Manager Agents")) {
+ if( isGroupInMultiRoleEnforceList(groupName)) {
if (!isDuplicate(groupName, memberName)) {
group.addMemberName(memberName);
} else {
@@ -2075,9 +2071,51 @@ public class UsrGrpAdminServlet extends AdminServlet {
}
}
+ private boolean isGroupInMultiRoleEnforceList(String groupName)
+ {
+ String groupList = null;
+
+ if (groupName == null || groupName.equals("")) {
+ return true;
+ }
+ if (mMultiRoleGroupEnforceList == null) {
+ try {
+ groupList = mConfig.getString(MULTI_ROLE_ENFORCE_GROUP_LIST);
+ } catch (Exception e) {
+ }
+
+ if (groupList != null && !groupList.equals("")) {
+ mMultiRoleGroupEnforceList = groupList.split(",");
+ for (int j = 0 ; j < mMultiRoleGroupEnforceList.length; j++) {
+ mMultiRoleGroupEnforceList[j] = mMultiRoleGroupEnforceList[j].trim();
+ }
+ }
+ }
+
+ if (mMultiRoleGroupEnforceList == null)
+ return true;
+
+ for (int i = 0; i < mMultiRoleGroupEnforceList.length; i++) {
+ if (groupName.equals(mMultiRoleGroupEnforceList[i])) {
+ return true;
+ }
+ }
+ return false;
+ }
+
private boolean isDuplicate(String groupName, String memberName) {
Enumeration groups = null;
+ // Let's not mess with users that are already a member of this group
+ boolean isMember = false;
+ try {
+ isMember = mMgr.isMemberOf(memberName,groupName);
+ } catch (Exception e) {
+ }
+
+ if (isMember == true) {
+ return false;
+ }
try {
groups = mMgr.listGroups("*");
while (groups.hasMoreElements()) {
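Review bot: In isGroupInMultiRoleEnforceList the array returned by `groupList.split(",")` is stored into the static field before the trimming loop runs, so a concurrent request can observe untrimmed entries such as " Auditors", fail the equals() comparison and get false, which skips the duplicate-membership check for that request. Build and trim a local array and publish it with a single assignment (ideally to a volatile field) so other threads only ever see the finished list. The two empty `catch (Exception e) {}` blocks, here and in the new isMemberOf pre-check in isDuplicate, also hide configuration and directory errors; in isDuplicate a failed isMemberOf falls through to the full scan, which is the conservative direction, but both should at least log the exception through the servlet's existing logging helper. A missing or empty config value makes every group enforced (the `return true` after the null check), which is the safe outcome but deserves a comment such as `// no configured list: enforce exclusivity for every group`.
```java
if (groupList != null && !groupList.equals("")) {
    String[] parsed = groupList.split(",");
    for (int j = 0; j < parsed.length; j++) {
        parsed[j] = parsed[j].trim();
    }
    // publish only after trimming so other threads never see partial entries
    mMultiRoleGroupEnforceList = parsed;
}
// … unchanged: null-list fallback and the equals() scan …
```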
@@ -2085,20 +2123,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
String name = group.getName();
Enumeration g = mMgr.findGroups(name);
IGroup g1 = (IGroup) g.nextElement();
-
if (!name.equals(groupName)) {
- if (name.equals("Administrators") ||
- name.equals("Auditors") ||
- name.equals("Trusted Managers") ||
- name.equals("Certificate Manager Agents") ||
- name.equals("Registration Manager Agents") ||
- name.equals("Data Recovery Manager Agents") ||
- name.equals("Online Certificate Status Manager Agents")) {
+ if (isGroupInMultiRoleEnforceList(name)) {
Enumeration members = g1.getMemberNames();
-
while (members.hasMoreElements()) {
String m1 = (String) members.nextElement();
-
if (m1.equals(memberName))
return true;
}
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
index 7f0ab3c38..39ef0638a 100644
--- a/pki/base/kra/shared/conf/CS.cfg
+++ b/pki/base/kra/shared/conf/CS.cfg
@@ -111,6 +111,7 @@ preop.module.token=Internal Key Storage Token
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
multiroles=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
CrossCertPair._000=##
CrossCertPair._001=## CrossCertPair Import
CrossCertPair._002=##
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
index e1586a2ed..e633fadd0 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg
@@ -103,6 +103,7 @@ preop.pin=[PKI_RANDOM_NUMBER]
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
multiroles=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
CrossCertPair._000=##
CrossCertPair._001=## CrossCertPair Import
CrossCertPair._002=##
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 93bda8ad1..3f1f8d15e 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -99,6 +99,7 @@ service.instanceID=[PKI_INSTANCE_ID]
passwordFile=[PKI_INSTANCE_PATH]/conf/password.conf
passwordClass=com.netscape.cmsutil.password.PlainPasswordFile
multiroles=true
+multiroles.false.groupEnforceList=Administrators,Auditors,Trusted Managers,Certificate Manager Agents,Registration Manager Agents,Data Recovery Manager Agents,Online Certificate Status Manager Agents,Token Key Service Manager Agents,Enterprise CA Administrators,Enterprise KRA Adminstrators,Enterprise OCSP Administrators,Enterprise RA Administrators,Enterprise TKS Administrators,Enterprise TPS Administrators,Security Domain Administrators,Subsystem Group
CrossCertPair._000=##
CrossCertPair._001=## CrossCertPair Import
CrossCertPair._002=##