-rw-r--r--base/ca/shared/conf/acl.properties (renamed from base/ca/shared/webapps/ca/WEB-INF/auth.properties)7
-rw-r--r--base/ca/shared/conf/auth-method.properties18
-rw-r--r--base/common/upgrade/10.0.5/.gitignore4
-rw-r--r--base/common/upgrade/10.0.6/.gitignore4
-rw-r--r--base/kra/shared/conf/acl.properties (renamed from base/kra/shared/webapps/kra/WEB-INF/auth.properties)7
-rw-r--r--base/kra/shared/conf/auth-method.properties15
-rw-r--r--base/ocsp/shared/conf/acl.properties (renamed from base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties)7
-rw-r--r--base/ocsp/shared/conf/auth-method.properties12
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java38
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java58
-rw-r--r--base/server/python/pki/server/__init__.py2
-rw-r--r--base/server/share/conf/tomcat.conf4
-rw-r--r--base/server/upgrade/10.0.6/.gitignore4
-rwxr-xr-xbase/server/upgrade/10.0.99/02-RemoveAuthProperties (renamed from base/server/upgrade/10.0.99/02-UpdateAuthzProperties)13
-rw-r--r--base/tks/shared/conf/acl.properties (renamed from base/tks/shared/webapps/tks/WEB-INF/auth.properties)7
-rw-r--r--base/tks/shared/conf/auth-method.properties14
-rw-r--r--base/tps-tomcat/shared/conf/acl.properties (renamed from base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties)8
-rw-r--r--base/tps-tomcat/shared/conf/auth-method.properties26
18 files changed, 182 insertions, 66 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/conf/acl.properties
index 24ed2d6a5..1c6651e4f 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties
new file mode 100644
index 000000000..a213534ad
--- /dev/null
+++ b/base/ca/shared/conf/auth-method.properties
@@ -0,0 +1,18 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+certs = certUserDBAuthMgr
+certrequests = certUserDBAuthMgr
+groups = certUserDBAuthMgr
+kraconnectors = certUserDBAuthMgr
+profiles = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
+selftests = certUserDBAuthMgr
+users = certUserDBAuthMgr
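Review bot: The header says nothing about precedence or about what `default` and `*` mean, which is exactly what an administrator editing this file needs to know before loosening an authentication mapping. AuthMethodInterceptor in this same commit reads this file first and then `<catalina.base>/ca/conf/auth-method.properties`, so a key present in the instance file replaces the one here; what `*` matches and when `default` is consulted are not shown in this diff and should be confirmed against the interceptor before being documented. I would add `# Entries in <instance>/ca/conf/auth-method.properties override these defaults.` after the Format block, followed by a one-line description of `default` and `*` once confirmed.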
diff --git a/base/common/upgrade/10.0.5/.gitignore b/base/common/upgrade/10.0.5/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/common/upgrade/10.0.5/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/common/upgrade/10.0.6/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/conf/acl.properties
index 77b7df8bd..8f6ff5e7a 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.kra.account,login
account.logout = certServer.kra.account,logout
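Review bot: The example `# users = certServer.ca.users,execute` names the CA resource in the KRA file, which can mislead an administrator adding a mapping here since every real entry below uses `certServer.kra.*`. Change it to `# users = certServer.kra.users,execute`. The same CA-specific example line was copied into the ocsp, tks and tps acl.properties files in this commit and should be adjusted there too.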
diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties
new file mode 100644
index 000000000..108448c1f
--- /dev/null
+++ b/base/kra/shared/conf/auth-method.properties
@@ -0,0 +1,15 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+keys = certUserDBAuthMgr
+keyrequests = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/conf/acl.properties
index 9e138cb5a..67c68b37f 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.ocsp.account,login
account.logout = certServer.ocsp.account,logout
diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
new file mode 100644
index 000000000..5718fc6da
--- /dev/null
+++ b/base/ocsp/shared/conf/auth-method.properties
@@ -0,0 +1,12 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
index b43eb3cbe..c4b890e12 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java
@@ -17,9 +17,10 @@
//--- END COPYRIGHT BLOCK ---
package com.netscape.cms.authorization;
+import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.Method;
-import java.net.URL;
import java.security.Principal;
import java.util.Properties;
@@ -49,7 +50,7 @@ import com.netscape.cms.realm.PKIPrincipal;
@Provider
public class ACLInterceptor implements ContainerRequestFilter {
- Properties authProperties;
+ Properties properties;
@Context
ServletContext servletContext;
@@ -57,14 +58,33 @@ public class ACLInterceptor implements ContainerRequestFilter {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadProperties() throws IOException {
- if (authProperties != null)
+ if (properties != null)
return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ properties = new Properties();
+
+ String context = servletContext.getContextPath();
+ String subsystem = context.startsWith("/") ? context.substring(1) : context;
+
+ // load default mapping
+ String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/acl.properties";
+ CMS.debug("ACLInterceptor: loading " + defaultMapping);
+ try (FileReader in = new FileReader(defaultMapping)) {
+ properties.load(in);
+ }
+
+ // load custom mapping
+ File customMapping = new File(System.getProperty("catalina.base")
+ + "/" + subsystem + "/conf/acl.properties");
+ CMS.debug("ACLInterceptor: checking " + customMapping);
+ if (customMapping.exists()) {
+ CMS.debug("ACLInterceptor: loading " + customMapping);
+ try (FileReader in = new FileReader(customMapping)) {
+ properties.load(in);
+ }
+ }
}
@Override
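Review bot: `properties = new Properties();` publishes the empty map before either file is read, so if the default or the instance `acl.properties` fails to load, the field is left non-null and the `if (properties != null) return;` guard treats the empty or partial mapping as loaded on every later request; together with the `// If no property defined, allow request.` branch in the next hunk of this file, that is a fail-open ACL for the life of the instance. How the caller's catch handles the first IOException is outside this hunk, but nothing ever resets the field. Load into a local and assign the field only after both files have been read, as below. The `FileReader` constructors also decode with the platform default charset; `new InputStreamReader(new FileInputStream(path), StandardCharsets.UTF_8)` would pin it.
```java
    public synchronized void loadProperties() throws IOException {

        if (properties != null)
            return;

        // Fill a local first: a failed or partial load must not leave an
        // empty mapping behind, which the null-check above would then treat
        // as loaded and the filter would allow every request.
        Properties loaded = new Properties();

        // … unchanged: context path / subsystem derivation …

        try (FileReader in = new FileReader(defaultMapping)) {
            loaded.load(in);
        }

        // … unchanged: custom mapping lookup and exists() check …
            try (FileReader in = new FileReader(customMapping)) {
                loaded.load(in);
            }
        // … unchanged: closing brace of the exists() block …

        properties = loaded;
    }
```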
@@ -118,9 +138,9 @@ public class ACLInterceptor implements ContainerRequestFilter {
}
try {
- loadAuthProperties();
+ loadProperties();
- String value = authProperties.getProperty(name);
+ String value = properties.getProperty(name);
// If no property defined, allow request.
if (value == null) {
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 2e6b68955..6d26840b6 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -17,9 +17,10 @@
//--- END COPYRIGHT BLOCK ---
package com.netscape.cms.authorization;
+import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.Method;
-import java.net.URL;
import java.security.Principal;
import java.util.Collection;
import java.util.HashSet;
@@ -48,7 +49,7 @@ import com.netscape.cms.realm.PKIPrincipal;
@Provider
public class AuthMethodInterceptor implements ContainerRequestFilter {
- Properties authMethodProperties;
+ Properties properties;
@Context
ServletContext servletContext;
@@ -56,37 +57,32 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadProperties() throws IOException {
- if (authMethodProperties != null)
+ if (properties != null)
return;
- authMethodProperties = new Properties();
-
- URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
-
- if (url == null) {
- authMethodProperties.put("default", "*");
- authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
- authMethodProperties.put("authenticators", "certUserDBAuthMgr");
- authMethodProperties.put("certs", "certUserDBAuthMgr");
- authMethodProperties.put("certrequests", "certUserDBAuthMgr");
- authMethodProperties.put("config", "certUserDBAuthMgr");
- authMethodProperties.put("connections", "certUserDBAuthMgr");
- authMethodProperties.put("groups", "certUserDBAuthMgr");
- authMethodProperties.put("keys", "certUserDBAuthMgr");
- authMethodProperties.put("keyrequests", "certUserDBAuthMgr");
- authMethodProperties.put("kraconnectors", "certUserDBAuthMgr");
- authMethodProperties.put("profiles", "certUserDBAuthMgr");
- authMethodProperties.put("profile-mappings", "certUserDBAuthMgr");
- authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
- authMethodProperties.put("selftests", "certUserDBAuthMgr");
- authMethodProperties.put("tokens", "certUserDBAuthMgr");
- authMethodProperties.put("tpsconnectors", "certUserDBAuthMgr");
- authMethodProperties.put("users", "certUserDBAuthMgr");
+ properties = new Properties();
- } else {
- authMethodProperties.load(url.openStream());
+ String context = servletContext.getContextPath();
+ String subsystem = context.startsWith("/") ? context.substring(1) : context;
+
+ // load default mapping
+ String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/auth-method.properties";
+ CMS.debug("AuthMethodInterceptor: loading " + defaultMapping);
+ try (FileReader in = new FileReader(defaultMapping)) {
+ properties.load(in);
+ }
+
+ // load custom mapping
+ File customMapping = new File(System.getProperty("catalina.base") +
+ "/" + subsystem + "/conf/auth-method.properties");
+ CMS.debug("AuthMethodInterceptor: checking " + customMapping);
+ if (customMapping.exists()) {
+ CMS.debug("AuthMethodInterceptor: loading " + customMapping);
+ try (FileReader in = new FileReader(customMapping)) {
+ properties.load(in);
+ }
}
}
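Review bot: The same publish-before-load ordering as in ACLInterceptor is here: `properties = new Properties();` runs before the two `properties.load(in)` calls, so an IOException from either file leaves a non-null, empty or half-filled mapping that the `if (properties != null) return;` guard then serves for every subsequent request, and the fallback that previously existed when the resource was missing is gone in this version. What the filter does when `value` is null for a mapping is outside this hunk, so I cannot say whether that ends up fail-open or fail-closed, but it is a silent divergence from the packaged configuration either way. Use `Properties loaded = new Properties();`, call `loaded.load(in);` for both files, and finish with `properties = loaded;` so nothing is published until both reads succeed. As in the other interceptor, `FileReader` uses the platform default charset; an `InputStreamReader` with `StandardCharsets.UTF_8` would make the decoding explicit.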
@@ -119,9 +115,9 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
CMS.debug("AuthMethodInterceptor: mapping: " + name);
try {
- loadAuthProperties();
+ loadProperties();
- String value = authMethodProperties.getProperty(name);
+ String value = properties.getProperty(name);
Collection<String> authMethods = new HashSet<String>();
if (value != null) {
for (String v : value.split(",")) {
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index eb1e4b81a..e41f1a980 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -26,7 +26,7 @@ import pki
INSTANCE_BASE_DIR = '/var/lib/pki'
REGISTRY_DIR = '/etc/sysconfig/pki'
-SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks']
+SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
class PKISubsystem(object):
diff --git a/base/server/share/conf/tomcat.conf b/base/server/share/conf/tomcat.conf
index ce8453c91..87c0b54d7 100644
--- a/base/server/share/conf/tomcat.conf
+++ b/base/server/share/conf/tomcat.conf
@@ -30,9 +30,9 @@ CATALINA_TMPDIR=[PKI_TMPDIR]
# - parameters to the JVM like
# -Xminf0.1 -Xmaxf0.3
# - parameters to set java.library.path for libtcnative.so
-# -Djava.library.path=/usr/lib"
+# -Djava.library.path=/usr/lib
# - parameters to run a java debugger (e. g. - 'eclipse')
-# -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M"
+# -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M
JAVA_OPTS="-DRESTEASY_LIB=[PKI_RESTEASY_LIB]"
# What user should run tomcat
diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore
new file mode 100644
index 000000000..5e7d2734c
--- /dev/null
+++ b/base/server/upgrade/10.0.6/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.0.99/02-UpdateAuthzProperties b/base/server/upgrade/10.0.99/02-RemoveAuthProperties
index 992b2d518..83719fc75 100755
--- a/base/server/upgrade/10.0.99/02-UpdateAuthzProperties
+++ b/base/server/upgrade/10.0.99/02-RemoveAuthProperties
@@ -21,25 +21,22 @@
import os
import pki
-import shutil
import pki.server.upgrade
-class UpdateAuthzProperties(pki.server.upgrade.PKIServerUpgradeScriptlet):
+class RemoveAuthProperties(pki.server.upgrade.PKIServerUpgradeScriptlet):
def __init__(self):
- self.message = 'Update auth.properties'
+ self.message = 'Remove auth.properties'
def upgrade_subsystem(self, instance, subsystem):
+
auth_properties = os.path.join(
instance.base_dir,
'webapps', subsystem.name,
'WEB-INF', 'auth.properties')
self.backup(auth_properties)
- default_auth_properties = os.path.join(
- pki.SHARE_DIR, subsystem.name,
- 'webapps', subsystem.name,
- 'WEB-INF', 'auth.properties')
- shutil.copyfile(default_auth_properties, auth_properties)
+ if os.path.exists(auth_properties):
+ os.remove(auth_properties)
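Review bot: `self.backup(auth_properties)` runs before the `os.path.exists` check, so on an instance that never had `WEB-INF/auth.properties` it is handed a missing path; unless `backup()` tolerates that (its definition is outside this diff), move the call under the `if`. Separately, the file is only backed up and deleted: any entries an administrator added to it are not carried into the instance-level `<catalina.base>/<subsystem>/conf/acl.properties` that ACLInterceptor now reads, so those mappings silently revert to the packaged defaults after the upgrade (the previous scriptlet already overwrote the file with the defaults, so this may be accepted behaviour). A docstring on `upgrade_subsystem` stating that local edits must be re-applied in the new location would make that explicit. `upgrade_subsystem` may continue past the end of this hunk.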
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/conf/acl.properties
index cf3d27b74..db13b08a1 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -1,8 +1,9 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
account.login = certServer.tks.account,login
account.logout = certServer.tks.account,logout
diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties
new file mode 100644
index 000000000..fe91b9051
--- /dev/null
+++ b/base/tks/shared/conf/auth-method.properties
@@ -0,0 +1,14 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+groups = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
+tpsconnectors = certUserDBAuthMgr
+users = certUserDBAuthMgr
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/conf/acl.properties
index c5f27f100..3697f0171 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/conf/acl.properties
@@ -1,8 +1,10 @@
-# Restful API authorization mapping info
+# ACL mapping
#
# Format:
-# <mapping name> = <resource ID>,<operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# Example:
+# users = certServer.ca.users,execute
+
account.login = certServer.tps.account,login
account.logout = certServer.tps.account,logout
diff --git a/base/tps-tomcat/shared/conf/auth-method.properties b/base/tps-tomcat/shared/conf/auth-method.properties
new file mode 100644
index 000000000..af894ba05
--- /dev/null
+++ b/base/tps-tomcat/shared/conf/auth-method.properties
@@ -0,0 +1,26 @@
+# Authentication method mapping
+#
+# Format:
+# <mapping name> = <authentication manager>,...
+# Example:
+# default = *
+# account = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+authenticators = certUserDBAuthMgr
+certs = certUserDBAuthMgr
+certrequests = certUserDBAuthMgr
+config = certUserDBAuthMgr
+connections = certUserDBAuthMgr
+groups = certUserDBAuthMgr
+keys = certUserDBAuthMgr
+keyrequests = certUserDBAuthMgr
+kraconnectors = certUserDBAuthMgr
+profiles = certUserDBAuthMgr
+profile-mappings = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
+selftests = certUserDBAuthMgr
+tokens = certUserDBAuthMgr
+tpsconnectors = certUserDBAuthMgr
+users = certUserDBAuthMgr
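Review bot: The TPS list from `authenticators` through `users` appears to be the former built-in fallback from AuthMethodInterceptor copied verbatim, including `certs`, `keyrequests`, `kraconnectors` and `securityDomain.installToken = passwdUserDBAuthMgr`, which the ca and kra files in this same commit treat as subsystem-specific. If TPS does not expose those resources they are dead entries; if it does, the password-based mapping for `securityDomain.installToken` deserves a deliberate decision rather than inheritance. I would trim the file to the resources TPS actually serves, or add a comment marking which entries are placeholders. I cannot confirm the TPS resource set from this diff.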