diff options
4 files changed, 224 insertions, 0 deletions
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index e8003603b..392331952 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth +auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication auths.instance.TokenAuth.pluginName=TokenAuth auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents auths.instance.AgentCertAuth.pluginName=AgentCertAuth @@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth auths.instance.flatFileAuth.pluginName=FlatFileAuth auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth +auths.instance.SessionAuthentication.pluginName=SessionAuthentication auths.revocationChecking.bufferSize=50 auths.revocationChecking.ca=ca auths.revocationChecking.enabled=true diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java new file mode 100644 index 000000000..27f08cd99 --- /dev/null +++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java @@ -0,0 +1,167 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cms.authentication; + +import java.util.Collections; +import java.util.Enumeration; +import java.util.Locale; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthToken; +import com.netscape.certsrv.authentication.EMissingCredential; +import com.netscape.certsrv.authentication.IAuthCredentials; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.profile.IProfile; +import com.netscape.certsrv.profile.IProfileAuthenticator; +import com.netscape.certsrv.property.IDescriptor; +import com.netscape.certsrv.request.IRequest; + +/** + * Pull any existing auth token from the session context. + * + * Use with caution as a profile authenticator; if there is a + * session it will unconditionally approve the request + * (subject to constraints, etc). + */ +public class SessionAuthentication + implements IProfileAuthenticator { + + private String instName = null; + private String implName = null; + private IConfigStore config = null; + + public SessionAuthentication() { + } + + public void init(String instName, String implName, IConfigStore config) + throws EBaseException { + this.instName = instName; + this.implName = implName; + this.config = config; + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return instName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return implName; + } + + public boolean isSSLClientRequired() { + return false; + } + + /** + * Authenticate user. + * + * @return the auth token from existing session context, if any. + * @throws EMissingCredential if no auth token or no session + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential { + SessionContext context = SessionContext.getExistingContext(); + + if (context == null) + throw new EMissingCredential("SessionAuthentication: no session"); + + IAuthToken authToken = (IAuthToken) + context.get(SessionContext.AUTH_TOKEN); + + if (authToken == null) + throw new EMissingCredential("SessionAuthentication: no auth token"); + + return authToken; + } + + public String[] getRequiredCreds() { + String[] requiredCreds = { }; + return requiredCreds; + } + + public String[] getConfigParams() { + return null; + } + + /** + * prepare this authentication manager for shutdown. + */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * + * @return configuration store + */ + public IConfigStore getConfigStore() { + return config; + } + + // Profile-related methods + + public void init(IProfile profile, IConfigStore config) { + } + + /** + * Retrieves the localizable name of this policy. + */ + public String getName(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME"); + } + + /** + * Retrieves the localizable description of this policy. + */ + public String getText(Locale locale) { + return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT"); + } + + /** + * Retrieves a list of names of the value parameter. + */ + public Enumeration<String> getValueNames() { + return Collections.emptyEnumeration(); + } + + public boolean isValueWriteable(String name) { + return false; + } + + /** + * Retrieves the descriptor of the given value + * parameter by name. + */ + public IDescriptor getValueDescriptor(Locale locale, String name) { + return null; + } + + public void populate(IAuthToken token, IRequest request) { + } +} diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore new file mode 100644 index 000000000..5e7d2734c --- /dev/null +++ b/base/server/upgrade/10.4.1/.gitignore @@ -0,0 +1,4 @@ +# Ignore everything in this directory +* +# Except this file +!.gitignore diff --git a/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin new file mode 100755 index 000000000..62d508ed1 --- /dev/null +++ b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin @@ -0,0 +1,51 @@ +#!/usr/bin/python +# Authors: +# Fraser Tweedale <ftweedal@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2017 Red Hat, Inc. +# All rights reserved. + +from __future__ import absolute_import +import os.path + +import pki +from pki.server.upgrade import PKIServerUpgradeScriptlet + + +class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet): + def __init__(self): + super(AddSessionAuthenticationPlugin, self).__init__() + self.message = 'Add SessionAuthentication to CS.cfg' + + def upgrade_subsystem(self, instance, subsystem): + if subsystem.name == 'ca': + self.add_plugin(instance, subsystem) + + def add_plugin(self, instance, subsystem): # pylint: disable=W0613 + filename = os.path.join(subsystem.conf_dir, 'CS.cfg') + self.backup(filename) + + properties = pki.PropertyFile(filename) + properties.read() + + properties.set( + 'auths.impl.SessionAuthentication.class', + 'com.netscape.cms.authentication.SessionAuthentication') + properties.set( + 'auths.instance.SessionAuthentication.pluginName', + 'SessionAuthentication') + + properties.write() |