summaryrefslogtreecommitdiffstats
path: root/base/kra/src/org/dogtagpki/server/kra/rest
diff options
context:
space:
mode:
Diffstat (limited to 'base/kra/src/org/dogtagpki/server/kra/rest')
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java67
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java32
2 files changed, 67 insertions, 32 deletions
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 8504f0ea2..41d78af53 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
@@ -171,15 +172,25 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Archival must be performed by an agent");
}
+
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "archive");
+ }
response = dao.submitRequest(data, uriInfo, getRequestor());
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -216,7 +227,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditRecoveryRequestMade(null, ILogger.FAILURE, data.getKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -233,11 +244,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.approveRequest(id, getRequestor(), getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to approve request");
+ throw new UnauthorizedException("Not authorized to approve request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -254,11 +265,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.rejectRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "reject");
}catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to reject request");
+ throw new UnauthorizedException("Not authorized to reject request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "reject");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -275,11 +286,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.cancelRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "cancel");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to cancel request");
+ throw new UnauthorizedException("Not authorized to cancel request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "cancel");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -295,10 +306,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
try {
authz.checkRealm(realm, getAuthToken(), null, "keyRequests", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these requests");
+ throw new UnauthorizedException("Not authorized to list these requests", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
// get ldap filter
@@ -317,7 +330,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException e) {
CMS.debug("listRequests: error in obtaining request results" + e);
e.printStackTrace();
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createOKResponse(requests);
}
@@ -426,7 +439,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
request = requestClazz.getDeclaredConstructor(ResourceMessage.class).newInstance(data);
} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException
| IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
- throw new BadRequestException("Invalid request class." + e);
+ throw new BadRequestException("Invalid request class." + e, e);
}
if (request instanceof KeyArchivalRequest) {
@@ -453,16 +466,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateSymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -477,16 +500,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateAsymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditAsymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 52df7696f..255d8d614 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -44,6 +44,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.HTTPGoneException;
@@ -150,7 +151,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EBaseException e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, null, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
String type = request.getRequestType();
@@ -170,7 +171,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (Exception e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
if (keyData == null) {
@@ -348,7 +349,7 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(logMessage);
e1.printStackTrace();
- throw new PKIException(logMessage + e1.getMessage());
+ throw new PKIException(logMessage + e1.getMessage(), e1);
}
if (reqInfo == null) {
// request not found
@@ -377,7 +378,7 @@ public class KeyService extends PKIService implements KeyResource {
logMessage = e.getMessage();
CMS.debug(logMessage);
- throw new PKIException(logMessage);
+ throw new PKIException(logMessage, e);
}
String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
if (! originator.equals(retriever)) {
@@ -423,10 +424,12 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these keys");
+ throw new UnauthorizedException("Not authorized to list these keys", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -475,7 +478,7 @@ public class KeyService extends PKIService implements KeyResource {
auditRetrieveKey(ILogger.FAILURE, null, clientKeyID, e.getMessage() + auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
@@ -508,10 +511,10 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to read this key");
+ throw new UnauthorizedException("Not authorized to read this key", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
@@ -686,18 +689,17 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EAuthzAccessDenied e) {
auditInfo = method + "Unauthorized access for key record";
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
- throw new UnauthorizedException(auditInfo);
+ throw new UnauthorizedException(auditInfo, e);
} catch (EDBRecordNotFoundException e) {
auditInfo = method + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
-
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found", e);
} catch (Exception e) {
auditInfo = method + "Unable to retrieve key record: " + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
CMS.debug(auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
@@ -735,14 +737,14 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to modify", e);
} catch (Exception e) {
auditInfo = auditInfo + ":" + e.getMessage();
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
generated by cgit (git 2.34.1) at 2024-05-06 12:29:50 +0000