Diffstat (limited to 'base/common')
11 files changed, 248 insertions, 155 deletions
diff --git a/base/common/src/com/netscape/certsrv/system/InstallToken.java b/base/common/src/com/netscape/certsrv/system/InstallToken.java index aa34893a1..06accc3f2 100644 --- a/base/common/src/com/netscape/certsrv/system/InstallToken.java +++ b/base/common/src/com/netscape/certsrv/system/InstallToken.java @@ -14,7 +14,7 @@ // // (C) 2012 Red Hat, Inc. // All rights reserved. -// --- END COPYRIGHT BLOCK --- +// --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.system; import javax.xml.bind.annotation.XmlAccessType; @@ -26,16 +26,17 @@ import javax.xml.bind.annotation.XmlRootElement; * @author alee * */ -@XmlRootElement(name="CertData") +@XmlRootElement(name="InstallToken") @XmlAccessorType(XmlAccessType.FIELD) public class InstallToken { + @XmlElement private String token; public InstallToken(String token) { this.token = token; } - + public InstallToken() { // required by jaxb } diff --git a/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java b/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java deleted file mode 100644 index bc000a96a..000000000 --- a/base/common/src/com/netscape/certsrv/system/InstallTokenRequest.java +++ /dev/null 
@@ -1,99 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2012 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.certsrv.system;
-
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlAccessType;
-
-/**
- * @author alee
- *
- */
-@XmlRootElement(name="InstallTokenRequest")
-@XmlAccessorType(XmlAccessType.FIELD)
-public class InstallTokenRequest {
- @XmlElement
- private String user;
-
- @XmlElement
- private String password;
-
- @XmlElement
- private String subsystem;
-
- @XmlElement
- private String host;
-
- @XmlElement
- private String port;
-
- public InstallTokenRequest(String user, String password, String subsystem, String host, String port) {
- this.user = user;
- this.password = password;
- this.subsystem = subsystem;
- this.host = host;
- this.port = port;
- }
-
- public InstallTokenRequest() {
- // required for jaxb
- }
-
- public String getUser() {
- return user;
- }
-
- public void setUser(String user) {
- this.user = user;
- }
-
- public String getPassword() {
- return password;
- }
-
- public void setPassword(String password) {
- this.password = password;
- }
-
- public String getSubsystem() {
- return subsystem;
- }
-
- public void setSubsystem(String subsystem) {
- this.subsystem = subsystem;
- }
-
- public String getHost() {
- return host;
- }
-
- public void setHost(String host) {
- this.host = host;
- }
-
- public String getPort() {
- return port;
- }
-
- public void setPort(String port) {
- this.port = port;
- }
-
-}
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java
new file mode 100644
index 000000000..fd7eb342b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainClient.java
@@ -0,0 +1,42 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2012 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.system; + +import java.net.URISyntaxException; + +import com.netscape.certsrv.client.ClientConfig; +import com.netscape.certsrv.client.PKIClient; + + +/** + * @author alee + */ +public class SecurityDomainClient extends PKIClient { + + private SecurityDomainResource client; + + public SecurityDomainClient(ClientConfig config) throws URISyntaxException { + super(config); + + client = createProxy(SecurityDomainResource.class); + } + + public InstallToken getInstallToken(String hostname, String subsystem) { + return client.getInstallToken(hostname, subsystem); + } +} diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java new file mode 100644 index 000000000..41bbf779e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java 
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.system;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+
+/**
+ * @author alee
+ */
+@Path("securityDomain")
+public interface SecurityDomainResource {
+
+ @GET
+ @Path("installToken")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public InstallToken getInstallToken(
+ @QueryParam("hostname") String hostname,
+ @QueryParam("subsystem") String subsystem);
+}
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
index 876ed9bac..fd14bbe19 100644
--- a/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
+++ b/base/common/src/com/netscape/certsrv/system/SystemConfigClient.java
@@ -40,8 +40,4 @@ public class SystemConfigClient extends PKIClient {
 public ConfigurationResponse configure(ConfigurationRequest data) {
 return configClient.configure(data);
 }
-
- public InstallToken getInstallToken(InstallTokenRequest data) {
- return configClient.getInstallToken(data);
- }
 }
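Review bot: `getInstallToken` is declared `@GET` with `hostname` and `subsystem` as query parameters, yet the implementation it is bound to in this commit (`SecurityDomainService` delegating to `SecurityDomainProcessor.getInstallToken`) issues a new token and adds a session-table entry, so this is a state-changing, credential-issuing call on an idempotent verb. The endpoint it replaces in `SystemConfigResource` was `@POST`; with realm authentication a GET is also the shape a browser will replay credentials on for a cross-site image-style request, and GET responses are the ones intermediaries feel free to cache. Unless there is a client-side reason for GET that the diff does not show, change the verb to `@POST` and keep the `@Produces` line as is. A one-line javadoc stating that the call creates a security-domain session for the caller would also make the side effect visible to readers of the interface.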
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java index 4ecafc6f7..ca06ededb 100644 --- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java @@ -44,12 +44,6 @@ public interface SystemConfigResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) public ConfigurationResponse configure(ConfigurationRequest data); - @POST - @Path("installToken") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public InstallToken getInstallToken(InstallTokenRequest data); - @GET @Path("domainInfo") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) diff --git a/base/common/src/com/netscape/cms/authorization/AAclAuthz.java b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java index b47956fb3..089cca9be 100644 --- a/base/common/src/com/netscape/cms/authorization/AAclAuthz.java +++ b/base/common/src/com/netscape/cms/authorization/AAclAuthz.java @@ -521,7 +521,7 @@ public abstract class AAclAuthz { log(ILogger.LL_INFO, infoMsg); return; } else { - Object[] params = new Object[2]; + String[] params = new String[2]; params[0] = name; params[1] = perm; @@ -530,7 +530,7 @@ public abstract class AAclAuthz { CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); throw new EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION", - (String[]) params)); + params)); } } diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 89233bdc2..531fc212f 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java 
@@ -146,8 +146,7 @@ import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.ocsp.IDefStore; import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.system.InstallToken; -import com.netscape.certsrv.system.InstallTokenRequest; -import com.netscape.certsrv.system.SystemConfigClient; +import com.netscape.certsrv.system.SecurityDomainClient; import com.netscape.certsrv.usrgrp.EUsrGrpException; import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; @@ -322,17 +321,17 @@ public class ConfigurationUtils { } String csType = cs.getString("cs.type"); - InstallTokenRequest data = new InstallTokenRequest(user, passwd, csType, CMS.getEEHost(), CMS.getAdminPort()); - ClientConfig config = new ClientConfig(); config.setServerURI("https://" + sdhost + ":" + sdport + "/ca"); + config.setUsername(user); + config.setPassword(passwd); - SystemConfigClient client = new SystemConfigClient(config); + SecurityDomainClient client = new SecurityDomainClient(config); - InstallToken token = null; try { - token = client.getInstallToken(data); + InstallToken token = client.getInstallToken(sdhost, csType); return token.getToken(); + } catch (ClientResponseFailure e) { if (e.getResponse().getResponseStatus() == Response.Status.NOT_FOUND) { // try the old servlet diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java new file mode 100644 index 000000000..f6cb4c638 --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java 
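Review bot: In the second hunk, `client.getInstallToken(sdhost, csType)` passes the security domain's own host as the `hostname` argument, whereas the request it replaces carried `CMS.getEEHost()`, the host of the subsystem asking for the token. On the server side in this same commit, `SecurityDomainProcessor` resolves that argument to an IP and stores it in the session-table entry, so the entry now appears to record the security domain's address rather than the caller's; if the caller's host is what the table is meant to hold, the call should read `InstallToken token = client.getInstallToken(CMS.getEEHost(), csType);`. The enclosing method starts and ends outside the hunk, and the `catch (ClientResponseFailure e)` fallback path is not visible here.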
@@ -0,0 +1,112 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2012 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.csadmin; + +import java.net.InetAddress; +import java.util.Locale; +import java.util.Random; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; +import com.netscape.certsrv.base.ISecurityDomainSessionTable; +import com.netscape.certsrv.base.PKIException; +import com.netscape.certsrv.base.UnauthorizedException; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.system.InstallToken; +import com.netscape.cms.servlet.processors.Processor; + +/** + * @author Endi S. 
Dewata + */ +public class SecurityDomainProcessor extends Processor { + + private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE = + "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1"; + + Random random = new Random(); + + public SecurityDomainProcessor(Locale locale) throws EPropertyNotFound, EBaseException { + super("securitydomain", locale); + } + + public InstallToken getInstallToken( + String user, + String hostname, + String subsystem) throws EBaseException { + + String groupname = ConfigurationUtils.getGroupName(user, subsystem); + + if (groupname == null) { + String message = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + user, + ILogger.FAILURE, + "Enterprise " + subsystem + " Administrators"); + audit(message); + + throw new UnauthorizedException("Access denied."); + } + + String message = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + user, + ILogger.SUCCESS, + groupname); + audit(message); + + String ip = ""; + try { + ip = InetAddress.getByName(hostname).getHostAddress(); + } catch (Exception e) { + CMS.debug("Unable to determine IP address for "+hostname); + } + + // assign cookie + Long num = random.nextLong(); + String cookie = num.toString(); + + String auditParams = "operation;;issue_token+token;;" + cookie + "+ip;;" + ip + + "+uid;;" + user + "+groupname;;" + groupname; + + ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable(); + int status = ctable.addEntry(cookie, ip, user, groupname); + + if (status == ISecurityDomainSessionTable.SUCCESS) { + message = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, + user, + ILogger.SUCCESS, + auditParams); + audit(message); + + } else { + message = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE, + user, + ILogger.FAILURE, + auditParams); + audit(message); + + throw new PKIException("Failed to update security domain."); + } + + + return new InstallToken(cookie); + } +} 
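Review bot: The install token is `random.nextLong()` from a `java.util.Random` instance (`Random random = new Random();`), and that value becomes the security-domain session cookie via `ctable.addEntry(cookie, ip, user, groupname)`; a `java.util.Random` sequence is recoverable from a few observed outputs, so a credential should come from `SecureRandom`, i.e. `SecureRandom random = new SecureRandom();` with the import changed from `java.util.Random` to `java.security.SecureRandom`. Separately, the `ip` written into the session entry is resolved from the caller-supplied `hostname` rather than taken from the request's remote address, and on any failure the `catch (Exception e)` branch silently records `""` while the token is still issued; narrow it to `UnknownHostException` and either reject the request or log the exception with its reason rather than only the hostname. The javadoc should state that `user` must already be authenticated by the caller, since the method trusts it for the group lookup and the role-assume audit record.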
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java
new file mode 100644
index 000000000..3a2bac49c
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SecurityDomainService.java
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.csadmin;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.system.InstallToken;
+import com.netscape.certsrv.system.SecurityDomainResource;
+import com.netscape.cms.servlet.base.PKIService;
+
+/**
+ * @author alee
+ */
+public class SecurityDomainService extends PKIService implements SecurityDomainResource {
+
+ @Override
+ public InstallToken getInstallToken(String hostname, String subsystem) {
+ try {
+ // Get uid from realm authentication.
+ String user = servletRequest.getUserPrincipal().getName();
+
+ SecurityDomainProcessor processor = new SecurityDomainProcessor(getLocale());
+ return processor.getInstallToken(user, hostname, subsystem);
+
+ } catch (EBaseException e) {
+ throw new PKIException(e.getMessage(), e);
+ }
+ }
+}
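Review bot: `servletRequest.getUserPrincipal().getName()` dereferences the principal without a null check, so a request that reaches this method without a realm-authenticated principal fails with a `NullPointerException` (a generic server error) instead of a clean authorization failure, and the `catch (EBaseException e)` below does not cover it. Guard it before use, e.g. `Principal principal = servletRequest.getUserPrincipal(); if (principal == null) throw new UnauthorizedException("Access denied.");` with `java.security.Principal` imported; `UnauthorizedException` is the `com.netscape.certsrv.base` type the processor in this commit already throws. The comment `// Get uid from realm authentication.` would then be better phrased as the precondition it is, e.g. `// The container's realm must have authenticated the caller; refuse anonymous requests.`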
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java index 3bbe3ca80..8bc3c5946 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java @@ -18,10 +18,8 @@ package com.netscape.cms.servlet.csadmin; import java.math.BigInteger; -import java.net.InetAddress; import java.net.MalformedURLException; import java.net.URL; -import java.net.UnknownHostException; import java.security.NoSuchAlgorithmException; import java.util.Collection; import java.util.Enumeration; @@ -46,7 +44,6 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; -import com.netscape.certsrv.base.ISecurityDomainSessionTable; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; @@ -54,8 +51,6 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.system.ConfigurationRequest; import com.netscape.certsrv.system.ConfigurationResponse; import com.netscape.certsrv.system.DomainInfo; -import com.netscape.certsrv.system.InstallToken; -import com.netscape.certsrv.system.InstallTokenRequest; import com.netscape.certsrv.system.SystemCertData; import com.netscape.certsrv.system.SystemConfigResource; import com.netscape.certsrv.usrgrp.IUGSubsystem; 
@@ -909,35 +904,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } @Override - public InstallToken getInstallToken(InstallTokenRequest data) { - // TODO Figure out how to do authentication here based on user/pass - // For now, allow all user/pass to be valid - CMS.debug("getInstallToken(): starting"); - String user = data.getUser(); - String host = data.getHost(); - String subsystem = data.getSubsystem(); - String groupname = ConfigurationUtils.getGroupName(user, subsystem); - - // assign cookie - long num = random.nextLong(); - String cookie = num + ""; - ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable(); - String ip; - try { - ip = InetAddress.getByName(host).toString(); - } catch (UnknownHostException e) { - throw new PKIException(Response.Status.BAD_REQUEST, "Unable to resolve host " + host + - "to an IP address: " + e); - } - int index = ip.indexOf("/"); - if (index > 0) ip = ip.substring(index + 1); - - ctable.addEntry(cookie, ip, user, groupname); - - return new InstallToken(cookie); - } - - @Override public DomainInfo getDomainInfo() { // TODO Auto-generated method stub for a RESTful method that returns the security domain return null; |