diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java')
| -rw-r--r-- | base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java | 1513 |
1 files changed, 115 insertions, 1398 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java index 85ef4fa0f..7b0813d71 100644 --- a/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java +++ b/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java @@ -17,58 +17,38 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.servlet.profile; -import java.math.BigInteger; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; -import java.util.Date; import java.util.Enumeration; +import java.util.HashMap; import java.util.Locale; -import java.util.StringTokenizer; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.x509.BasicConstraintsExtension; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509CertInfo; import org.w3c.dom.Node; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.authentication.EAuthException; +import com.netscape.certsrv.authorization.EAuthzException; +import com.netscape.certsrv.base.BadRequestDataException; import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.MetaInfo; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.ca.ICertificateAuthority; -import com.netscape.certsrv.dbs.certdb.ICertRecord; -import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.profile.EDeferException; import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.ERejectException; import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.profile.IProfile; -import com.netscape.certsrv.profile.IProfileAuthenticator; -import com.netscape.certsrv.profile.IProfileContext; -import com.netscape.certsrv.profile.IProfileInput; import com.netscape.certsrv.profile.IProfileOutput; -import com.netscape.certsrv.profile.IProfileSubsystem; import com.netscape.certsrv.property.IDescriptor; -import com.netscape.certsrv.request.INotify; import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.IRequestQueue; -import com.netscape.certsrv.request.RequestId; -import com.netscape.certsrv.request.RequestStatus; import com.netscape.certsrv.template.ArgList; import com.netscape.certsrv.template.ArgSet; -import com.netscape.certsrv.util.IStatsSubsystem; -import com.netscape.cms.servlet.common.AuthCredentials; +import com.netscape.cms.servlet.cert.EnrollmentProcessor; +import com.netscape.cms.servlet.cert.RenewalProcessor; import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.processors.Processor; import com.netscape.cmsutil.util.Cert; -import com.netscape.cmsutil.util.Utils; import com.netscape.cmsutil.xml.XMLObject; /** @@ -83,31 +63,9 @@ public class ProfileSubmitServlet extends ProfileServlet { * */ private static final long serialVersionUID = 7557922703180866442L; - private static final String ARG_AUTH_TOKEN = "auth_token"; - private static final String ARG_REQUEST_OWNER = "requestOwner"; - private static final String PROP_PROFILE_ID = "profileId"; - private static final String PROP_AUTHORITY_ID = "authorityId"; private final static String SUCCESS = "0"; private final static String FAILED = "1"; - private String mProfileId = null; - private String mProfileSubId = null; - private String mAuthorityId = null; - - private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { - - /* 0 */"automated profile cert request rejection: " - + "indeterminate reason for inability to process " - + "cert request due to an EBaseException" - }; - private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; - - private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = - "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; - private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = - "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; - public ProfileSubmitServlet() { } @@ -123,273 +81,122 @@ public class ProfileSubmitServlet extends ProfileServlet { */ public void init(ServletConfig sc) throws ServletException { super.init(sc); - mAuthorityId = sc.getInitParameter(PROP_AUTHORITY_ID); - mProfileId = sc.getInitParameter(PROP_PROFILE_ID); - } - - private void setInputsIntoContext(HttpServletRequest request, IProfile profile, IProfileContext ctx) { - // passing inputs into context - Enumeration<String> inputIds = profile.getProfileInputIds(); - - if (inputIds != null) { - while (inputIds.hasMoreElements()) { - String inputId = inputIds.nextElement(); - IProfileInput profileInput = profile.getProfileInput(inputId); - Enumeration<String> inputNames = profileInput.getValueNames(); - - while (inputNames.hasMoreElements()) { - String inputName = inputNames.nextElement(); - if (request.getParameter(inputName) != null) { - // all subject name parameters start with sn_, no other input parameters do - if (inputName.matches("^sn_.*")) { - ctx.set(inputName, escapeValueRfc1779(request.getParameter(inputName), false).toString()); - } else { - ctx.set(inputName, request.getParameter(inputName)); - } - } - } - } - } - } - /* - * fill input info from "request" to context. - * This is expected to be used by renewal where the request - * is retrieved from request record + /** + * Process the HTTP request + * <P> + * + * (Certificate Request Processed - either an automated "EE" profile based cert acceptance, or an automated "EE" + * profile based cert rejection) + * <P> + * + * <ul> + * <li>http.param profileId ID of profile to use to process request + * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED used when a certificate request has just been + * through the approval process + * </ul> + * + * @param cmsReq the object holding the request and response information + * @exception EBaseException an error has occurred */ - private void setInputsIntoContext(IRequest request, IProfile profile, IProfileContext ctx, Locale locale) { - // passing inputs into context - Enumeration<String> inputIds = profile.getProfileInputIds(); - - if (inputIds != null) { - while (inputIds.hasMoreElements()) { - String inputId = inputIds.nextElement(); - IProfileInput profileInput = profile.getProfileInput(inputId); - Enumeration<String> inputNames = profileInput.getValueNames(); - - while (inputNames.hasMoreElements()) { - String inputName = inputNames.nextElement(); - String inputValue = ""; - CMS.debug("ProfileSubmitServlet: setInputsIntoContext() getting input name= " + inputName); - try { - inputValue = profileInput.getValue(inputName, locale, request); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: setInputsIntoContext() getvalue() failed: " + e.toString()); - } - - if (inputValue != null) { - CMS.debug("ProfileSubmitServlet: setInputsIntoContext() setting value in ctx:" + inputValue); - ctx.set(inputName, inputValue); - } else { - CMS.debug("ProfileSubmitServlet: setInputsIntoContext() value null"); - } - } - } - } - } - - private void setCredentialsIntoContext(HttpServletRequest request, IProfileAuthenticator authenticator, - IProfileContext ctx) { - Enumeration<String> authIds = authenticator.getValueNames(); - - if (authIds != null) { - CMS.debug("ProfileSubmitServlet:setCredentialsIntoContext() authNames not null"); - while (authIds.hasMoreElements()) { - String authName = authIds.nextElement(); + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest request = cmsReq.getHttpReq(); + HttpServletResponse response = cmsReq.getHttpResp(); + boolean xmlOutput = getXMLOutput(request); - CMS.debug("ProfileSubmitServlet:setCredentialsIntoContext() authName:" + - authName); - if (request.getParameter(authName) != null) { - CMS.debug("ProfileSubmitServlet:setCredentialsIntoContext() authName found in request"); - ctx.set(authName, request.getParameter(authName)); - } else { - CMS.debug("ProfileSubmitServlet:setCredentialsIntoContext() authName not found in request"); - } - } - } else { - CMS.debug("ProfileSubmitServlet:setCredentialsIntoContext() authIds` null"); - } - } + Locale locale = getLocale(request); - String getUidFromDN(String userdn) { - StringTokenizer st = new StringTokenizer(userdn, ","); - while (st.hasMoreTokens()) { - String t = st.nextToken(); - int i = t.indexOf("="); + HashMap<String, Object> results = null; + String renewal = request.getParameter("renewal"); - if (i == -1) { - continue; - } - String n = t.substring(0, i); - if (n.equalsIgnoreCase("uid")) { - String v = t.substring(i + 1); - CMS.debug("ProfileSubmitServlet:: getUidFromDN(): uid found:" + v); - return v; + try { + if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) { + CMS.debug("ProfileSubmitServlet: isRenewal true"); + RenewalProcessor processor = new RenewalProcessor("caProfileSubmit", locale); + results = processor.processRenewal(cmsReq); } else { - continue; + CMS.debug("ProfileSubmitServlet: isRenewal false"); + EnrollmentProcessor processor = new EnrollmentProcessor("caProfileSubmit", locale); + results = processor.processEnrollment(cmsReq); } + } catch (BadRequestDataException e) { + CMS.debug("ProfileSubmitServlet: bad data provided in processing request: " + e.toString()); + errorExit(response, xmlOutput, e.getMessage(), null); + return; + } catch (EAuthzException e) { + CMS.debug("ProfileSubmitServlet: authorization error in processing request: " + e.toString()); + errorExit(response, xmlOutput, e.getMessage(), null); + return; + } catch (EAuthException e) { + CMS.debug("ProfileSubmitServlet: authentication error in processing request: " + e.toString()); + errorExit(response, xmlOutput, e.getMessage(), null); + return; + } catch (EBaseException e) { + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: error in processing request: " + e.toString()); + errorExit(response, xmlOutput, e.getMessage(), null); + return; } - return null; - } - /* - * authenticate for renewal - more to add necessary params/values - * to the session context - */ - public IAuthToken authenticate(IProfileAuthenticator authenticator, - HttpServletRequest request, IRequest origReq, SessionContext context) - throws EBaseException { - IAuthToken authToken = authenticate(authenticator, request); - // For renewal, fill in necessary params - if (authToken != null) { - String ouid = origReq.getExtDataInString("auth_token.uid"); - // if the orig cert was manually approved, then there was - // no auth token uid. Try to get the uid from the cert dn - // itself, if possible - if (ouid == null) { - String sdn = (String) context.get("origSubjectDN"); - if (sdn != null) { - ouid = getUidFromDN(sdn); - if (ouid != null) - CMS.debug("ProfileSubmitServlet: renewal: authToken original uid not found"); - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: authToken original uid found in orig request auth_token"); - } - String auid = authToken.getInString("uid"); - if (auid != null) { // not through ssl client auth - CMS.debug("ProfileSubmitServlet: renewal: authToken uid found:" + auid); - // authenticated with uid - // put "orig_req.auth_token.uid" so that authz with - // UserOrigReqAccessEvaluator will work - if (ouid != null) { - context.put("orig_req.auth_token.uid", ouid); - CMS.debug("ProfileSubmitServlet: renewal: authToken original uid found:" + ouid); - } else { - CMS.debug("ProfileSubmitServlet: renewal: authToken original uid not found"); - } - } else { // through ssl client auth? - CMS.debug("ProfileSubmitServlet: renewal: authToken uid not found:"); - // put in orig_req's uid - if (ouid != null) { - CMS.debug("ProfileSubmitServlet: renewal: origReq uid not null:" + ouid + ". Setting authtoken"); - authToken.set("uid", ouid); - context.put(SessionContext.USER_ID, ouid); - } else { - CMS.debug("ProfileSubmitServlet: renewal: origReq uid not found"); - // throw new EBaseException("origReq uid not found"); + IRequest[] reqs = (IRequest []) results.get(Processor.ARG_REQUESTS); + String errorCode = (String) results.get(Processor.ARG_ERROR_CODE); + String errorReason = (String) results.get(Processor.ARG_ERROR_REASON); + IProfile profile = (IProfile) results.get(Processor.ARG_PROFILE); + ArgSet args = new ArgSet(); + + if (errorCode != null) { + if (xmlOutput) { + String requestIds = ""; + for (IRequest req : reqs) { + requestIds += " " + req.getRequestId().toString(); } - } - String userdn = origReq.getExtDataInString("auth_token.userdn"); - if (userdn != null) { - CMS.debug("ProfileSubmitServlet: renewal: origReq userdn not null:" + userdn + ". Setting authtoken"); - authToken.set("userdn", userdn); + outputError(response, errorCode, errorReason, requestIds); } else { - CMS.debug("ProfileSubmitServlet: renewal: origReq userdn not found"); - // throw new EBaseException("origReq userdn not found"); - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: authToken null"); - } - return authToken; - } - - public IAuthToken authenticate(IProfileAuthenticator authenticator, - HttpServletRequest request) throws EBaseException { - AuthCredentials credentials = new AuthCredentials(); - - // build credential - Enumeration<String> authNames = authenticator.getValueNames(); - - if (authNames != null) { - while (authNames.hasMoreElements()) { - String authName = authNames.nextElement(); + ArgList requestlist = new ArgList(); - credentials.set(authName, request.getParameter(authName)); + for (IRequest req : reqs) { + ArgSet requestset = new ArgSet(); + requestset.set(ARG_REQUEST_ID, req.getRequestId().toString()); + requestlist.add(requestset); + } + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, errorCode); + args.set(ARG_ERROR_REASON, errorReason); + outputTemplate(request, response, args); } + return; } - credentials.set("clientHost", request.getRemoteHost()); - IAuthToken authToken = authenticator.authenticate(credentials); + if (xmlOutput) { + xmlOutput(response, profile, locale, reqs); + } else { + ArgList outputlist = new ArgList(); + for (int k = 0; k < reqs.length; k++) { - SessionContext sc = SessionContext.getContext(); - if (sc != null) { - sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName()); - String userid = authToken.getInString(IAuthToken.USER_ID); - if (userid != null) { - sc.put(SessionContext.USER_ID, userid); + setOutputIntoArgs(profile, outputlist, locale, reqs[k]); + args.set(ARG_OUTPUT_LIST, outputlist); } - } - - return authToken; - } - private void setInputsIntoRequest(HttpServletRequest request, IProfile profile, IRequest req) { - Enumeration<String> inputIds = profile.getProfileInputIds(); + CMS.debug("ProfileSubmitServlet: done serving"); - if (inputIds != null) { - while (inputIds.hasMoreElements()) { - String inputId = inputIds.nextElement(); - IProfileInput profileInput = profile.getProfileInput(inputId); - Enumeration<String> inputNames = profileInput.getValueNames(); + ArgList requestlist = new ArgList(); - if (inputNames != null) { - while (inputNames.hasMoreElements()) { - String inputName = inputNames.nextElement(); + for (int k = 0; k < reqs.length; k++) { + ArgSet requestset = new ArgSet(); - if (request.getParameter(inputName) != null) { - // special characters in subject names parameters must be escaped - if (inputName.matches("^sn_.*")) { - req.setExtData(inputName, escapeValueRfc1779(request.getParameter(inputName), false) - .toString()); - } else { - req.setExtData(inputName, request.getParameter(inputName)); - } - } - } - } + requestset.set(ARG_REQUEST_ID, + reqs[k].getRequestId().toString()); + requestlist.add(requestset); } - } - } - - /* - * fill input info from orig request to the renew request. - * This is expected to be used by renewal where the request - * is retrieved from request record - */ - private void setInputsIntoRequest(IRequest request, IProfile profile, IRequest req, Locale locale) { - // passing inputs into request - Enumeration<String> inputIds = profile.getProfileInputIds(); - - if (inputIds != null) { - while (inputIds.hasMoreElements()) { - String inputId = inputIds.nextElement(); - IProfileInput profileInput = profile.getProfileInput(inputId); - Enumeration<String> inputNames = profileInput.getValueNames(); + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, "0"); + args.set(ARG_ERROR_REASON, ""); - while (inputNames.hasMoreElements()) { - String inputName = inputNames.nextElement(); - String inputValue = ""; - CMS.debug("ProfileSubmitServlet: setInputsIntoRequest() getting input name= " + inputName); - try { - inputValue = profileInput.getValue(inputName, locale, request); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: setInputsIntoRequest() getvalue() failed: " + e.toString()); - } - - if (inputValue != null) { - CMS.debug("ProfileSubmitServlet: setInputsIntoRequest() setting value in ctx:" + inputValue); - req.setExtData(inputName, inputValue); - } else { - CMS.debug("ProfileSubmitServlet: setInputsIntoRequest() value null"); - } - } - } + outputTemplate(request, response, args); } - } private void setOutputIntoArgs(IProfile profile, ArgList outputlist, Locale locale, IRequest req) { @@ -418,7 +225,7 @@ public class ProfileSubmitServlet extends ProfileServlet { try { outputValue = profileOutput.getValue(outputName, - locale, req); + locale, req); } catch (EProfileException e) { CMS.debug("ProfileSubmitServlet: " + e.toString()); } @@ -435,26 +242,23 @@ public class ProfileSubmitServlet extends ProfileServlet { } } - /** - * Process the HTTP request - * <P> - * - * (Certificate Request Processed - either an automated "EE" profile based cert acceptance, or an automated "EE" - * profile based cert rejection) - * <P> - * - * <ul> - * <li>http.param profileId ID of profile to use to process request - * <li>signed.audit LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED used when a certificate request has just been - * through the approval process - * </ul> - * - * @param cmsReq the object holding the request and response information - * @exception EBaseException an error has occurred - */ - public void process(CMSRequest cmsReq) throws EBaseException { - HttpServletRequest request = cmsReq.getHttpReq(); - HttpServletResponse response = cmsReq.getHttpResp(); + private void errorExit(HttpServletResponse response, boolean xmlOutput, String message, String requestId) + throws EBaseException { + if (xmlOutput) { + outputError(response, FAILED, message, requestId); + } else { + ArgSet args = new ArgSet(); + args.set(ARG_ERROR_CODE, "1"); + args.set(ARG_ERROR_REASON, message); + outputTemplate(xmlOutput, response, args); + } + + for (String event : statEvents) { + endTiming(event); + } + } + + private boolean getXMLOutput(HttpServletRequest request) { boolean xmlOutput = false; String v = request.getParameter("xml"); @@ -470,1002 +274,7 @@ public class ProfileSubmitServlet extends ProfileServlet { } else { CMS.debug("xmlOutput false"); } - - IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); - if (statsSub != null) { - statsSub.startTiming("enrollment", true /* main action */); - } - - Locale locale = getLocale(request); - ArgSet args = new ArgSet(); - - if (CMS.debugOn()) { - CMS.debug("Start of ProfileSubmitServlet Input Parameters"); - @SuppressWarnings("unchecked") - Enumeration<String> paramNames = request.getParameterNames(); - - while (paramNames.hasMoreElements()) { - String paramName = paramNames.nextElement(); - // added this facility so that password can be hidden, - // all sensitive parameters should be prefixed with - // __ (double underscores); however, in the event that - // a security parameter slips through, we perform multiple - // additional checks to insure that it is NOT displayed - if (paramName.startsWith("__") || - paramName.endsWith("password") || - paramName.endsWith("passwd") || - paramName.endsWith("pwd") || - paramName.equalsIgnoreCase("admin_password_again") || - paramName.equalsIgnoreCase("directoryManagerPwd") || - paramName.equalsIgnoreCase("bindpassword") || - paramName.equalsIgnoreCase("bindpwd") || - paramName.equalsIgnoreCase("passwd") || - paramName.equalsIgnoreCase("password") || - paramName.equalsIgnoreCase("pin") || - paramName.equalsIgnoreCase("pwd") || - paramName.equalsIgnoreCase("pwdagain") || - paramName.equalsIgnoreCase("uPasswd")) { - CMS.debug("ProfileSubmitServlet Input Parameter " + - paramName + "='(sensitive)'"); - } else { - CMS.debug("ProfileSubmitServlet Input Parameter " + - paramName + "='" + - request.getParameter(paramName) + "'"); - } - } - CMS.debug("End of ProfileSubmitServlet Input Parameters"); - } - - CMS.debug("ProfileSubmitServlet: start serving"); - - if (mProfileSubId == null || mProfileSubId.equals("")) { - mProfileSubId = IProfileSubsystem.ID; - } - CMS.debug("ProfileSubmitServlet: SubId=" + mProfileSubId); - IProfileSubsystem ps = (IProfileSubsystem) - CMS.getSubsystem(mProfileSubId); - - if (ps == null) { - CMS.debug("ProfileSubmitServlet: ProfileSubsystem not found"); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - return; - } - - /* - * Renewal - Renewal is retrofitted into the Profile Enrollment - * Framework. The authentication and authorization are taken from - * the renewal profile, while the input (with requests) and grace - * period constraint are taken from the original cert's request record. - * - * Things to note: - * * the renew request will contain the original profile instead - * of the new - * * there is no request for system and admin certs generated at - * time of installation configuration. - */ - String renewal = request.getParameter("renewal"); - boolean isRenewal = false; - if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) { - CMS.debug("ProfileSubmitServlet: isRenewal true"); - isRenewal = true; - request.setAttribute("reqType", "renewal"); - } else { - CMS.debug("ProfileSubmitServlet: isRenewal false"); - } - - String renewProfileId = null; - IRequest origReq = null; - Integer origSeqNum = 0; - - // if we did not configure profileId in xml file, - // then accept the user-provided one - String profileId = null; - - if (mProfileId == null) { - profileId = request.getParameter("profileId"); - } else { - profileId = mProfileId; - } - - CMS.debug("ProfileSubmitServlet: profileId " + profileId); - // This is the expiration date of the orig. cert that will - // be used in the RenewGracePeriodConstraint - Date origNotAfter = null; - String origSubjectDN = null; - - if (isRenewal) { - // dig up the original request to "clone" - renewProfileId = profileId; - CMS.debug("ProfileSubmitServlet: renewProfileId =" + renewProfileId); - IAuthority authority = (IAuthority) CMS.getSubsystem(mAuthorityId); - if (authority == null) { - CMS.debug("ProfileSubmitServlet: renewal: Authority " + mAuthorityId + - " not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - IRequestQueue queue = authority.getRequestQueue(); - - if (queue == null) { - CMS.debug("ProfileSubmitServlet: renewal: Request Queue of " + - mAuthorityId + " not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - - String serial = request.getParameter("serial_num"); - BigInteger certSerial = null; - // if serial number is sent with request, then the authentication - // method is not ssl client auth. In this case, an alternative - // authentication method is used (default: ldap based) - if (serial != null) { - CMS.debug("ProfileSubmitServlet: renewal: found serial_num"); - certSerial = new BigInteger(serial); - // usr_origreq evaluator should be used to authorize ownership - // of the cert - } else { - CMS.debug("ProfileSubmitServlet: renewal: serial_num not found, must do ssl client auth"); - // ssl client auth is to be used - // this is not authentication. Just use the cert to search - // for orig request and find the right profile - SSLClientCertProvider sslCCP = new SSLClientCertProvider(request); - X509Certificate[] certs = sslCCP.getClientCertificateChain(); - certSerial = null; - if (certs == null || certs.length == 0) { - CMS.debug("ProfileSubmitServlet: renewal: no ssl client cert chain"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } else { // has ssl client cert - CMS.debug("ProfileSubmitServlet: renewal: has ssl client cert chain"); - // shouldn't expect leaf cert to be always at the - // same location - X509Certificate clientCert = null; - for (int i = 0; i < certs.length; i++) { - clientCert = certs[i]; - byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); - // try to see if this is a leaf cert - // look for BasicConstraint extension - if (extBytes == null) { - // found leaf cert - CMS.debug("ProfileSubmitServlet: renewal: found leaf cert"); - break; - } else { - CMS.debug("ProfileSubmitServlet: renewal: found cert having BasicConstraints ext"); - // it's got BasicConstraints extension - // so it's not likely to be a leaf cert, - // however, check the isCA field regardless - try { - BasicConstraintsExtension bce = - new BasicConstraintsExtension(true, extBytes); - if (bce != null) { - if (!(Boolean) bce.get("is_ca")) { - CMS.debug("ProfileSubmitServlet: renewal: found CA cert in chain"); - break; - } // else found a ca cert, continue - } - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + - e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } - } - if (clientCert == null) { - CMS.debug("ProfileSubmitServlet: renewal: no client cert in chain"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - // convert to java X509 cert interface - try { - byte[] certEncoded = clientCert.getEncoded(); - - clientCert = new X509CertImpl(certEncoded); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - - certSerial = clientCert.getSerialNumber(); - } - } - - CMS.debug("ProfileSubmitServlet: renewal: serial number of cert to renew:" + certSerial.toString()); - - try { - ICertificateRepository certDB = null; - if (authority instanceof ICertificateAuthority) { - certDB = ((ICertificateAuthority) authority).getCertificateRepository(); - } - if (certDB == null) { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - ICertRecord rec = certDB.readCertificateRecord(certSerial); - if (rec == null) { - CMS.debug("ProfileSubmitServlet: renewal cert record not found for serial number " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } else { - CMS.debug("ProfileSubmitServlet: renewal cert record found for serial number:" - + certSerial.toString()); - // check to see if the cert is revoked or revoked_expired - if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) - || (rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED))) { - CMS.debug("ProfileSubmitServlet: renewal cert found to be revoked. Serial number = " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_CA_CANNOT_RENEW_REVOKED_CERT", certSerial.toString())); - outputTemplate(request, response, args); - return; - } - MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); - // note: CA's internal certs don't have request ids - // so some other way needs to be done - if (metaInfo != null) { - String rid = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); - - if (rid != null) { - origReq = queue.findRequest(new RequestId(rid)); - if (origReq != null) { - CMS.debug("ProfileSubmitServlet: renewal: found original enrollment request id:" + rid); - // debug: print the extData keys - /* - Enumeration<String> en = origReq.getExtDataKeys(); - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key print BEGINS"); - while (en.hasMoreElements()) { - String next = (String) en.nextElement(); - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key:"+ next); - } - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key print ENDS"); - */ - String requestorE = origReq.getExtDataInString("requestor_email"); - CMS.debug("ProfileSubmitServlet: renewal original requestor email=" + requestorE); - profileId = origReq.getExtDataInString("profileId"); - if (profileId != null) - CMS.debug("ProfileSubmitServlet: renewal original profileId=" + profileId); - else { - CMS.debug("ProfileSubmitServlet: renewal original profileId not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM); - - } else { //if origReq - CMS.debug("ProfileSubmitServlet: renewal original request not found for request id " - + rid); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: cert record locating request id in MetaInfo failed for serial number " - + certSerial.toString()); - CMS.debug("ProfileSubmitServlet: renewal: cert may be bootstrapped system cert during installation/configuration - no request record exists"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR" + ": original request not found")); - outputTemplate(request, response, args); - return; - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: cert record locating MetaInfo failed for serial number " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - // get orig cert expiration date - CMS.debug("ProfileSubmitServlet: renewal: before getting origNotAfter"); - X509CertImpl origCert = rec.getCertificate(); - origNotAfter = origCert.getNotAfter(); - CMS.debug("ProfileSubmitServlet: renewal: origNotAfter =" + - origNotAfter.toString()); - origSubjectDN = origCert.getSubjectDN().getName(); - CMS.debug("ProfileSubmitServlet: renewal: orig subj dn =" + - origSubjectDN); - } - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } // end isRenewal - - IProfile profile = null; - IProfile renewProfile = null; - - try { - profile = ps.getProfile(profileId); - if (isRenewal) { - // in case of renew, "profile" is the orig profile - // while "renewProfile" is the current profile used for renewal - renewProfile = ps.getProfile(renewProfileId); - } - } catch (EProfileException e) { - if (profile == null) { - CMS.debug("ProfileSubmitServlet: profile not found profileId " + - profileId + " " + e.toString()); - } - if (renewProfile == null) { - CMS.debug("ProfileSubmitServlet: profile not found renewProfileId " + - renewProfileId + " " + e.toString()); - } - } - if (profile == null) { - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", profileId)); - outputTemplate(request, response, args); - } - return; - } - if (isRenewal && (renewProfile == null)) { - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", renewProfileId)); - outputTemplate(request, response, args); - } - return; - } - - if (!ps.isProfileEnable(profileId)) { - CMS.debug("ProfileSubmitServlet: Profile " + profileId + - " not enabled"); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", profileId)); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - return; - } - - if (isRenewal) { - if (!ps.isProfileEnable(renewProfileId)) { - CMS.debug("ProfileSubmitServlet: renewal Profile " + renewProfileId + - " not enabled"); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", renewProfileId)); - outputTemplate(request, response, args); - } - return; - } - } - - IProfileContext ctx = profile.createContext(); - // passing auths into context - IProfileAuthenticator authenticator = null; - IProfileAuthenticator origAuthenticator = null; - - try { - if (isRenewal) { - authenticator = renewProfile.getAuthenticator(); - origAuthenticator = profile.getAuthenticator(); - } else { - authenticator = profile.getAuthenticator(); - } - } catch (EProfileException e) { - // authenticator not installed correctly - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - if (authenticator == null) { - CMS.debug("ProfileSubmitServlet: authenticator not found"); - } else { - CMS.debug("ProfileSubmitServlet: authenticator " + - authenticator.getName() + " found"); - setCredentialsIntoContext(request, authenticator, ctx); - } - - // for renewal, this will override or add auth info to the profile context - if (isRenewal) { - if (origAuthenticator != null) { - CMS.debug("ProfileSubmitServlet: for renewal, original authenticator " + - origAuthenticator.getName() + " found"); - setCredentialsIntoContext(request, origAuthenticator, ctx); - } else { - CMS.debug("ProfileSubmitServlet: for renewal, original authenticator not found"); - } - } - - CMS.debug("ProfileSubmistServlet: set Inputs into profile Context"); - if (isRenewal) { - // for renewal, input needs to be retrieved from the orig req record - CMS.debug("ProfileSubmitServlet: set original Inputs into profile Context"); - setInputsIntoContext(origReq, profile, ctx, locale); - ctx.set(IEnrollProfile.CTX_RENEWAL, "true"); - ctx.set("renewProfileId", renewProfileId); - ctx.set(IEnrollProfile.CTX_RENEWAL_SEQ_NUM, origSeqNum.toString()); - } else { - setInputsIntoContext(request, profile, ctx); - } - - // before creating the request, authenticate the request - - IAuthToken authToken = null; - - // for ssl authentication; pass in servlet for retrieving - // ssl client certificates - SessionContext context = SessionContext.getContext(); - - // insert profile context so that input parameter can be retrieved - context.put("profileContext", ctx); - context.put("sslClientCertProvider", - new SSLClientCertProvider(request)); - CMS.debug("ProfileSubmitServlet: set sslClientCertProvider"); - if ((isRenewal == true) && (origSubjectDN != null)) - context.put("origSubjectDN", origSubjectDN); - if (statsSub != null) { - statsSub.startTiming("profile_authentication"); - } - - if (authenticator != null) { - - CMS.debug("ProfileSubmitServlet: authentication required."); - String uid_cred = "Unidentified"; - String uid_attempted_cred = "Unidentified"; - Enumeration<String> authIds = authenticator.getValueNames(); - //Attempt to possibly fetch attemped uid, may not always be available. - if (authIds != null) { - while (authIds.hasMoreElements()) { - String authName = authIds.nextElement(); - String value = request.getParameter(authName); - if (value != null) { - if (authName.equals("uid")) { - uid_attempted_cred = value; - } - } - } - } - - String authSubjectID = auditSubjectID(); - - String authMgrID = authenticator.getName(); - String auditMessage = null; - try { - if (isRenewal) { - CMS.debug("ProfileSubmitServlet: renewal authenticate begins"); - authToken = authenticate(authenticator, request, origReq, context); - CMS.debug("ProfileSubmitServlet: renewal authenticate ends"); - } else { - authToken = authenticate(authenticator, request); - } - } catch (EBaseException e) { - CMS.debug("ProfileSubmitServlet: authentication error " + - e.toString()); - // authentication error - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_AUTHENTICATION_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("authentication"); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - - //audit log our authentication failure - - authSubjectID += " : " + uid_cred; - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_AUTH_FAIL, - authSubjectID, - ILogger.FAILURE, - authMgrID, - uid_attempted_cred); - audit(auditMessage); - - return; - } - - //Log successful authentication - - //Attempt to get uid from authToken, most tokens respond to the "uid" cred. - uid_cred = authToken.getInString("uid"); - - if (uid_cred == null || uid_cred.length() == 0) { - uid_cred = "Unidentified"; - } - - authSubjectID = authSubjectID + " : " + uid_cred; - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, - authSubjectID, - ILogger.SUCCESS, - authMgrID); - - audit(auditMessage); - - } - if (statsSub != null) { - statsSub.endTiming("profile_authentication"); - } - - // authentication success - if (authToken != null) { - CMS.debug("ProfileSubmitServlet authToken not null"); - // do profile authorization - String acl = null; - if (isRenewal) - acl = renewProfile.getAuthzAcl(); - else - acl = profile.getAuthzAcl(); - CMS.debug("ProfileSubmitServlet: authz using acl: " + acl); - if (acl != null && acl.length() > 0) { - try { - String resource = profileId + ".authz.acl"; - authorize(mAclMethod, resource, authToken, acl); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet authorize: " + e.toString()); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, - "CMS_AUTHORIZATION_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_AUTHORIZATION_ERROR")); - outputTemplate(request, response, args); - } - - return; - } - } - } - - IRequest reqs[] = null; - - if (statsSub != null) { - statsSub.startTiming("request_population"); - } - /////////////////////////////////////////////// - // create request - /////////////////////////////////////////////// - try { - reqs = profile.createRequests(ctx, locale); - } catch (EProfileException e) { - CMS.debug(e); - CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); - if (xmlOutput) { - outputError(response, e.toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, e.toString()); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } catch (Throwable e) { - CMS.debug(e); - CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } - - String errorCode = null; - String errorReason = null; - - /////////////////////////////////////////////// - // populate request - /////////////////////////////////////////////// - for (int k = 0; k < reqs.length; k++) { - boolean fromRA = false; - String uid = ""; - - // adding parameters to request - if (isRenewal) { - setInputsIntoRequest(origReq, profile, reqs[k], locale); - // set orig expiration date to be used in Validity constraint - reqs[k].setExtData("origNotAfter", - BigInteger.valueOf(origNotAfter.getTime())); - // set subjectDN to be used in subject name default - reqs[k].setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, origSubjectDN); - // set request type - reqs[k].setRequestType("renewal"); - } else - setInputsIntoRequest(request, profile, reqs[k]); - - // serial auth token into request - if (authToken != null) { - Enumeration<String> tokenNames = authToken.getElements(); - while (tokenNames.hasMoreElements()) { - String tokenName = tokenNames.nextElement(); - String[] tokenVals = authToken.getInStringArray(tokenName); - if (tokenVals != null) { - for (int i = 0; i < tokenVals.length; i++) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + - tokenName + "[" + i + "]", tokenVals[i]); - } - } else { - String tokenVal = authToken.getInString(tokenName); - if (tokenVal != null) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + tokenName, - tokenVal); - // if RA agent, auto assign the request - if (tokenName.equals("uid")) - uid = tokenVal; - if (tokenName.equals("group") && - tokenVal.equals("Registration Manager Agents")) { - fromRA = true; - } - } - } - } - } - - if (fromRA) { - CMS.debug("ProfileSubmitServlet: request from RA: " + uid); - reqs[k].setExtData(ARG_REQUEST_OWNER, uid); - } - - // put profile framework parameters into the request - reqs[k].setExtData(ARG_PROFILE, "true"); - reqs[k].setExtData(ARG_PROFILE_ID, profileId); - if (isRenewal) - reqs[k].setExtData(ARG_RENEWAL_PROFILE_ID, request.getParameter("profileId")); - reqs[k].setExtData(ARG_PROFILE_APPROVED_BY, profile.getApprovedBy()); - String setId = profile.getPolicySetId(reqs[k]); - - if (setId == null) { - // no profile set found - CMS.debug("ProfileSubmitServlet: no profile policy set found"); - if (xmlOutput) { - outputError(response, FAILED, CMS.getUserMessage("CMS_PROFILE_NO_POLICY_SET_FOUND"), - reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, - CMS.getUserMessage("CMS_PROFILE_NO_POLICY_SET_FOUND")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } - - CMS.debug("ProfileSubmitServlet profileSetid=" + setId); - reqs[k].setExtData(ARG_PROFILE_SET_ID, setId); - reqs[k].setExtData(ARG_PROFILE_REMOTE_HOST, request.getRemoteHost()); - reqs[k].setExtData(ARG_PROFILE_REMOTE_ADDR, request.getRemoteAddr()); - - CMS.debug("ProfileSubmitServlet: request " + - reqs[k].getRequestId().toString()); - - try { - CMS.debug("ProfileSubmitServlet: populating request inputs"); - // give authenticator a chance to populate the request - if (authenticator != null) { - authenticator.populate(authToken, reqs[k]); - } - profile.populateInput(ctx, reqs[k]); - profile.populate(reqs[k]); - } catch (EProfileException e) { - CMS.debug("ProfileSubmitServlet: populate " + e.toString()); - if (xmlOutput) { - outputError(response, FAILED, e.toString(), reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, e.toString()); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } catch (Throwable e) { - CMS.debug("ProfileSubmitServlet: populate " + e.toString()); - // throw new IOException("Profile " + profileId + - // " cannot populate"); - if (xmlOutput) { - outputError(response, FAILED, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), - reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - } - - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; - String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - - try { - /////////////////////////////////////////////// - // submit request - /////////////////////////////////////////////// - String requestIds = ""; // deliminated with double space - for (int k = 0; k < reqs.length; k++) { - try { - // reset the "auditRequesterID" - auditRequesterID = auditRequesterID(reqs[k]); - - // print request debug - if (reqs[k] != null) { - requestIds += " " + reqs[k].getRequestId().toString(); - Enumeration<String> reqKeys = reqs[k].getExtDataKeys(); - while (reqKeys.hasMoreElements()) { - String reqKey = reqKeys.nextElement(); - String reqVal = reqs[k].getExtDataInString(reqKey); - if (reqVal != null) { - CMS.debug("ProfileSubmitServlet: key=$request." + reqKey + "$ value=" + reqVal); - } - } - } - - profile.submit(authToken, reqs[k]); - reqs[k].setRequestStatus(RequestStatus.COMPLETE); - - // reset the "auditInfoCertValue" - auditInfoCertValue = auditInfoCertValue(reqs[k]); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue); - - audit(auditMessage); - } - } - } catch (EDeferException e) { - // return defer message to the user - reqs[k].setRequestStatus(RequestStatus.PENDING); - // need to notify - INotify notify = profile.getRequestQueue().getPendingNotify(); - if (notify != null) { - notify.notify(reqs[k]); - } - - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "2"; - errorReason = CMS.getUserMessage(locale, - "CMS_PROFILE_DEFERRED", - e.toString()); - } catch (ERejectException e) { - // return error to the user - reqs[k].setRequestStatus(RequestStatus.REJECTED); - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "3"; - errorReason = CMS.getUserMessage(locale, - "CMS_PROFILE_REJECTED", - e.toString()); - } catch (Throwable e) { - // return error to the user - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "1"; - errorReason = CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR"); - } - - try { - if (errorCode == null) { - profile.getRequestQueue().markAsServiced(reqs[k]); - } else { - profile.getRequestQueue().updateRequest(reqs[k]); - } - } catch (EBaseException e) { - CMS.debug("ProfileSubmitServlet: updateRequest " + - e.toString()); - } - - if (errorCode != null) { - if (errorCode.equals("1")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - errorReason); - - audit(auditMessage); - } else if (errorCode.equals("2")) { - // do NOT store a message in the signed audit log file - // as this errorCode indicates that a process has been - // deferred for manual acceptance/cancellation/rejection - } else if (errorCode.equals("3")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - errorReason); - - audit(auditMessage); - } - } - } - - if (errorCode != null) { - if (xmlOutput) { - // when errorCode is not null, requestIds should have >=1 - outputError(response, errorCode, errorReason, requestIds); - } else { - ArgList requestlist = new ArgList(); - - for (int k = 0; k < reqs.length; k++) { - ArgSet requestset = new ArgSet(); - - requestset.set(ARG_REQUEST_ID, - reqs[k].getRequestId().toString()); - requestlist.add(requestset); - } - args.set(ARG_REQUEST_LIST, requestlist); - args.set(ARG_ERROR_CODE, errorCode); - args.set(ARG_ERROR_REASON, errorReason); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - return; - } - - /////////////////////////////////////////////// - // output output list - /////////////////////////////////////////////// - if (xmlOutput) { - xmlOutput(response, profile, locale, reqs); - } else { - ArgList outputlist = new ArgList(); - for (int k = 0; k < reqs.length; k++) { - - setOutputIntoArgs(profile, outputlist, locale, reqs[k]); - args.set(ARG_OUTPUT_LIST, outputlist); - } - - CMS.debug("ProfileSubmitServlet: done serving"); - - ArgList requestlist = new ArgList(); - - for (int k = 0; k < reqs.length; k++) { - ArgSet requestset = new ArgSet(); - - requestset.set(ARG_REQUEST_ID, - reqs[k].getRequestId().toString()); - requestlist.add(requestset); - } - args.set(ARG_REQUEST_LIST, requestlist); - args.set(ARG_ERROR_CODE, "0"); - args.set(ARG_ERROR_REASON, ""); - - outputTemplate(request, response, args); - } - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - // (automated cert request processed - "rejected") - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); - - audit(auditMessage); - - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - throw eAudit1; - } finally { - SessionContext.releaseContext(); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } + return xmlOutput; } private void xmlOutput(HttpServletResponse httpResp, IProfile profile, Locale locale, IRequest[] reqs) { @@ -1535,96 +344,4 @@ public class ProfileSubmitServlet extends ProfileServlet { } } - /** - * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for - * a signed audit log message. - * <P> - * - * @param request the actual request - * @return id string containing the signed audit log message RequesterID - */ - private String auditRequesterID(IRequest request) { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - - String requesterID = ILogger.UNIDENTIFIED; - - if (request != null) { - // overwrite "requesterID" if and only if "id" != null - String id = request.getRequestId().toString(); - - if (id != null) { - requesterID = id.trim(); - } - } - - return requesterID; - } - - /** - * Signed Audit Log Info Certificate Value - * - * This method is called to obtain the certificate from the passed in - * "X509CertImpl" for a signed audit log message. - * <P> - * - * @param request request containing an X509CertImpl - * @return cert string containing the certificate - */ - private String auditInfoCertValue(IRequest request) { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - - X509CertImpl x509cert = request.getExtDataInCert( - IEnrollProfile.REQUEST_ISSUED_CERT); - - if (x509cert == null) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - - byte rawData[] = null; - - try { - rawData = x509cert.getEncoded(); - } catch (CertificateEncodingException e) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - - String cert = null; - - // convert "rawData" into "base64Data" - if (rawData != null) { - String base64Data = null; - - base64Data = Utils.base64encode(rawData).trim(); - - // extract all line separators from the "base64Data" - StringBuffer sb = new StringBuffer(); - for (int i = 0; i < base64Data.length(); i++) { - if (!Character.isWhitespace(base64Data.charAt(i))) { - sb.append(base64Data.charAt(i)); - - } - } - cert = sb.toString(); - } - - if (cert != null) { - cert = cert.trim(); - - if (cert.equals("")) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } else { - return cert; - } - } else { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } - } } |