-rw-r--r--base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java19
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java186
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java40
3 files changed, 244 insertions, 1 deletions
diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
index b96499a77..156643897 100644
--- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
@@ -58,6 +58,11 @@ public interface IAuthzSubsystem extends ISubsystem {
public static final String PROP_INSTANCE = "instance";
/**
+ * Constant for realm
+ */
+ public static final String PROP_REALM = "realm";
+
+ /**
* authorize the user associated with the given authToken for a given
* operation with the given authorization manager name
*
@@ -76,6 +81,20 @@ public interface IAuthzSubsystem extends ISubsystem {
String exp) throws EBaseException;
/**
+ * Authorize the user against the specified realm. Looks for authz manager
+ * associated with the plugin and authenticates if present.
+ *
+ * @param realm
+ * @param authToken
+ * @param owner TODO
+ * @param resource
+ * @param operation
+ * @throws EBaseException if any error occurs during authentication.
+ */
+ public void checkRealm(String realm, IAuthToken authToken,
+ String owner, String resource, String operation) throws EBaseException;
+
+ /**
* Adds (registers) the given authorization manager.
*
* @param name The authorization manager name
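Review bot: The Javadoc for the new checkRealm declaration still carries the generated placeholder `@param owner TODO`, and the other four `@param` tags have no description, so the interface documents none of the contract that the implementation relies on (null realm and null manager both mean "allowed", owner match short-circuits the check). The first sentence also says it "authenticates if present" although the method authorizes. Suggested replacements: `@param realm the realm the resource belongs to; {@code null} means no realm restriction`, `@param owner the user id of the record owner, compared against the token's user id; a match bypasses the realm check`, and `@throws EBaseException if the realm's authorization manager denies access or fails`.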
diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
new file mode 100644
index 000000000..1908e3c69
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
@@ -0,0 +1,186 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authorization;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Locale;
+import java.util.Vector;
+
+import com.netscape.certsrv.acls.ACL;
+import com.netscape.certsrv.acls.EACLsException;
+import com.netscape.certsrv.acls.IACL;
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzInternalError;
+import com.netscape.certsrv.authorization.IAuthzManager;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.evaluators.IAccessEvaluator;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.cmsutil.util.Utils;
+
+public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
+
+ private static final String GROUP = "group";
+
+ /* name of this authorization manager instance */
+ private String name = null;
+
+ /* name of the authorization manager plugin */
+ private String implName = null;
+
+ /* configuration store */
+ private IConfigStore config;
+
+ /* group that is allowed to access resources */
+ private String groupName = null;
+
+ /* Vector of extendedPluginInfo strings */
+ protected static Vector<String> mExtendedPluginInfo = null;
+
+ protected static String[] mConfigParams = null;
+
+ static {
+ mExtendedPluginInfo = new Vector<String>();
+ mExtendedPluginInfo.add("group;string,required;" +
+ "Group to permit access");
+ }
+
+ public BasicGroupAuthz() {
+ mConfigParams = new String[] {"group"};
+ }
+
+ @Override
+ public String[] getExtendedPluginInfo(Locale locale) {
+ String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
+ return s;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+ @Override
+ public String getImplName() {
+ return implName;
+ }
+
+ @Override
+ public void accessInit(String accessInfo) throws EBaseException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public AuthzToken authorize(IAuthToken authToken, String resource, String operation)
+ throws EAuthzInternalError, EAuthzAccessDenied {
+ String user = authToken.getInString(IAuthToken.USER_ID);
+ if (user == null) {
+ throw new EAuthzAccessDenied("No userid provided");
+ }
+
+ IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ IGroup group = ug.getGroupFromName(groupName);
+ if (!group.isMember(user)) {
+ throw new EAuthzAccessDenied("Access denied");
+ }
+
+ CMS.debug("BasicGroupAuthz: authorization passed");
+
+ // compose AuthzToken
+ AuthzToken authzToken = new AuthzToken(this);
+ authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource);
+ authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation);
+ authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS);
+
+ return authzToken;
+ }
+
+ @Override
+ public AuthzToken authorize(IAuthToken authToken, String expression)
+ throws EAuthzInternalError, EAuthzAccessDenied {
+ return authorize(authToken, null, null);
+ }
+
+ @Override
+ public void init(String name, String implName, IConfigStore config) throws EBaseException {
+ this.name = name;
+ this.implName = implName;
+ this.config = config;
+
+ groupName = config.getString(GROUP);
+ }
+
+ @Override
+ public void shutdown() {
+ // TODO Auto-generated method stub
+ }
+
+ @Override
+ public String[] getConfigParams() throws EBaseException {
+ return mConfigParams;
+ }
+
+ @Override
+ public IConfigStore getConfigStore() {
+ return config;
+ }
+
+ @Override
+ public Enumeration<ACL> getACLs() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public IACL getACL(String target) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void updateACLs(String id, String rights, String strACLs, String desc) throws EACLsException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public Enumeration<IAccessEvaluator> aclEvaluatorElements() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void registerEvaluator(String type, IAccessEvaluator evaluator) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public Hashtable<String, IAccessEvaluator> getAccessEvaluators() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+}
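Review bot: In authorize(IAuthToken, String, String) the result of `ug.getGroupFromName(groupName)` is dereferenced without a null check, so if the configured group does not exist (the lookup's contract is not visible here, but a null return is the usual way such lookups signal "not found") the manager fails with a NullPointerException rather than a clean denial, which surfaces as an internal error instead of an access-denied result; `if (group == null || !group.isMember(user)) { throw new EAuthzAccessDenied("Access denied"); }` keeps the check fail-closed and reportable. The expression overload passes `null` for both resource and operation, so the returned AuthzToken has null resource/operation attributes; if callers read those, document that in the override's Javadoc. Several stubbed accessors (getACLs, getACL, aclEvaluatorElements, getAccessEvaluators) return null where callers of the IAuthzManager interface may iterate or index the result; returning `Collections.emptyEnumeration()` / an empty Hashtable would be safer if the TODOs are to stay. Finally, `mConfigParams` is a static field reassigned in every constructor, which reads as an accident; making it a `static final` initialised once would say what is meant.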
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index a6019730a..8b126d2da 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -21,11 +21,14 @@ import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
+import org.apache.commons.codec.binary.StringUtils;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzManagerProxy;
import com.netscape.certsrv.authorization.AuthzMgrPlugin;
import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
@@ -156,6 +159,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
// it is mis-configurated. This give
// administrator another chance to
// fix the problem via console
+ CMS.debug(e);
} catch (Throwable e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_AUTHZ_PLUGIN_INIT_FAILED", insName, e.toString()));
@@ -163,6 +167,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
// it is mis-configurated. This give
// administrator another chance to
// fix the problem via console
+ CMS.debug(e);
}
// add manager instance to list.
mAuthzMgrInsts.put(insName, new
@@ -212,7 +217,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
* Authorization to the named authorization manager instance
*
* @param authzMgrName The authorization manager name
- * @param authToken the authenticaton token associated with a user
+ * @param authToken the authentication token associated with a user
* @param resource the resource protected by the authorization system
* @param operation the operation for resource protected by the authoriz
* n system
@@ -465,4 +470,37 @@ public class AuthzSubsystem implements IAuthzSubsystem {
level, msg);
}
+ @Override
+ public void checkRealm(String realm, IAuthToken authToken, String owner, String resource, String operation)
+ throws EBaseException {
+ // if no realm entry, SUCCESS by default
+ if (realm == null) return;
+
+ // if record owner == requester, SUCCESS
+ if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
+
+ String mgrName = getAuthzManagerByRealm(realm);
+ // if no authz manager for this realm, SUCCESS by default
+ if (mgrName == null) return;
+
+ AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+ if (authzToken == null) {
+ throw new EAuthzAccessDenied("Not authorized by ACL realm");
+ }
+ }
+
+ public String getAuthzManagerByRealm(String realm) throws EBaseException {
+ for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
+ IAuthzManager mgr = proxy.getAuthzManager();
+ if (mgr != null) {
+ IConfigStore cfg = mgr.getConfigStore();
+ String mgrRealm = cfg.getString(PROP_REALM, null);
+ if (StringUtils.equals(mgrRealm, realm)) {
+ return mgr.getName();
+ }
+ }
+ }
+ return null;
+ }
+
}
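Review bot: checkRealm returns silently when a non-null realm has no matching authorization manager, so a misspelled `realm` value in a manager's configuration quietly turns the realm check into allow-all with nothing in the log to show it happened; before that `return` I would add `CMS.debug("AuthzSubsystem: no authz manager for realm " + realm + ", allowing by default");` so the fail-open path is at least visible, and the same applies to the `realm == null` return if callers can pass an unset realm by mistake. In getAuthzManagerByRealm, `mgr.getConfigStore()` is dereferenced without a null check; BasicGroupAuthz returns the store given at init, but whether every registered manager does so is not visible here, so `if (cfg == null) continue;` would be a cheap guard. If two managers are configured with the same realm, whichever comes first in the Hashtable's iteration order wins, which is presumably not intended and worth either documenting or rejecting at init.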