diff options
Diffstat (limited to 'base/kra')
-rw-r--r-- | base/kra/functional/drmclient.py | 18 | ||||
-rw-r--r-- | base/kra/shared/conf/acl.ldif | 14 | ||||
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/auth.properties | 14 | ||||
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/web.xml | 117 |
4 files changed, 56 insertions, 107 deletions
diff --git a/base/kra/functional/drmclient.py b/base/kra/functional/drmclient.py index 62940fdf2..3c7c12e30 100644 --- a/base/kra/functional/drmclient.py +++ b/base/kra/functional/drmclient.py @@ -612,7 +612,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests/archive', + self._request('/kra/rest/agent/keyrequests/archive', self.kra_agent_port, self.POST, etree.tostring(request.getroot(), encoding='UTF-8')) @@ -637,7 +637,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/config/cert/transport', + self._request('/kra/rest/config/cert/transport', self.kra_agent_port, self.GET, None) @@ -675,7 +675,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keys', + self._request('/kra/rest/agent/keys', self.kra_agent_port, self.GET, get_args) @@ -717,7 +717,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests', + self._request('/kra/rest/agent/keyrequests', self.kra_agent_port, self.GET, get_args) @@ -750,7 +750,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests/recover', + self._request('/kra/rest/agent/keyrequests/recover', self.kra_agent_port, self.POST, etree.tostring(request.getroot(), encoding='UTF-8')) @@ -798,7 +798,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests/approve/'+ request_id, + self._request('/kra/rest/agent/keyrequests/'+request_id+'/approve', self.kra_agent_port, self.POST, None) @@ -820,7 +820,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests/reject/'+ request_id, + self._request('/kra/rest/agent/keyrequests/'+request_id+'/reject', self.kra_agent_port, self.POST, None) @@ -842,7 +842,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keyrequests/cancel/'+ request_id, + self._request('/kra/rest/agent/keyrequests/'+request_id+'/cancel', self.kra_agent_port, self.POST, None) @@ -898,7 +898,7 @@ class kra: #Call CMS http_status, http_reason_phrase, http_headers, http_body = \ - self._request('/kra/pki/keys/retrieve', + self._request('/kra/rest/agent/keys/retrieve', self.kra_agent_port, self.POST, etree.tostring(request.getroot(), encoding='UTF-8')) diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif index 38a9a088c..ea70ffd21 100644 --- a/base/kra/shared/conf/acl.ldif +++ b/base/kra/shared/conf/acl.ldif @@ -30,13 +30,7 @@ resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent resourceACLS: certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. -resourceACLS: certServer.kra.pki.key.retrieve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may retrieve archived key -resourceACLS: certServer.kra.pki.keyrequests:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequests data -resourceACLS: certServer.kra.pki.keyrequest:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequest data -resourceACLS: certServer.kra.pki.keyrequest.archive:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue archival request -resourceACLS: certServer.kra.pki.keyrequest.recover:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue recovery request -resourceACLS: certServer.kra.pki.keyrequest.approve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may approve security data request -resourceACLS: certServer.kra.pki.keyrequest.reject:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may reject key security data request -resourceACLS: certServer.kra.pki.keyrequest.cancel:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may cancel security data request -resourceACLS: certServer.kra.pki.keys:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read security data -resourceACLS: certServer.kra.pki.config.cert.transport:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read transport cert data +resourceACLS: certServer.kra.groups:execute:allow (execute) group="Administrators":Admins may execute group operations +resourceACLS: certServer.kra.keys:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key operations +resourceACLS: certServer.kra.keyrequests:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key request operations +resourceACLS: certServer.kra.users:execute:allow (execute) group="Administrators":Admins may execute user operations diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties index a206aa9e4..d2ba3075e 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties @@ -4,13 +4,7 @@ # <Rest API URL> = <ACL Resource ID>,<ACL resource operation> # ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute -/kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute -/kra/pki/keyrequests = certServer.kra.pki.keyrequests,read -/kra/pki/keyrequest = certServer.kra.pki.keyrequest,read -/kra/pki/keyrequest/archive = certServer.kra.pki.keyrequest.archive,execute -/kra/pki/keyrequest/recover = certServer.kra.pki.keyrequest.recover,execute -/kra/pki/keyrequest/approve = certServer.kra.pki.keyrequest.approve,execute -/kra/pki/keyrequest/reject = certServer.kra.pki.keyrequest.reject,execute -/kra/pki/keyrequest/cancel = certServer.kra.pki.keyrequest.cancel,execute -/kra/pki/keys = certServer.kra.pki.keys,read -/kra/pki/config/cert/transport = certServer.kra.pki.config.cert.transport,read +/kra/rest/admin/users = certServer.kra.users,execute +/kra/rest/admin/groups = certServer.kra.groups,execute +/kra/rest/agent/keys = certServer.kra.keys,execute +/kra/rest/agent/keyrequests = certServer.kra.keyrequests,execute diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml index 7b4072085..9208507c3 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/web.xml +++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml @@ -691,13 +691,15 @@ <param-value> ee </param-value> </init-param> </servlet> + <!-- ==================== RESTEasy Configuration =============== --> + <listener> <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class> </listener> <context-param> <param-name>resteasy.servlet.mapping.prefix</param-name> - <param-value>/pki</param-value> + <param-value>/rest</param-value> </context-param> <context-param> @@ -718,7 +720,7 @@ <servlet-mapping> <servlet-name>Resteasy</servlet-name> - <url-pattern>/pki/*</url-pattern> + <url-pattern>/rest/*</url-pattern> </servlet-mapping> <servlet-mapping> @@ -950,81 +952,40 @@ <session-timeout>30</session-timeout> </session-config> -<!-- Default login configuration uses form-based authentication --> -<!-- Security Constraint for agent access to the Security Data Rest Interface --> - -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> -<!-- -<security-constraint> - <display-name>KRA Top Level Constraint</display-name> - <web-resource-collection> - <web-resource-name>KRA Protected Area</web-resource-name> - <url-pattern>/pki/* - </url-pattern> - </web-resource-collection> - <user-data-constraint> - <transport-guarantee>CONFIDENTIAL</transport-guarantee> - </user-data-constraint> - <auth-constraint> - <role-name>*</role-name> - </auth-constraint> -</security-constraint> ---> - -<!-- Security Constraint to deny certain http methods for key/retrieve --> -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> -<!-- -<security-constraint> -<display-name>Key forbidden</display-name> -<web-resource-collection> - <web-resource-name>Key forbidden</web-resource-name> - <url-pattern>/pki/key/retrieve</url-pattern> - <http-method>GET</http-method> - <http-method>PUT</http-method> - <http-method>DELETE</http-method> -</web-resource-collection> -<auth-constraint/> -</security-constraint> ---> - -<!-- Security Constraint to deny certain http methods for keyrequest/* --> -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> - -<!-- -<security-constraint> -<display-name>KeyRequest forbidden</display-name> -<web-resource-collection> - <web-resource-name>KeyRequest forbidden</web-resource-name> - <url-pattern>/pki/keyrequest/archive</url-pattern> - <url-pattern>/pki/keyrequest/recover</url-pattern> - <url-pattern>/pki/keyrequest/approve/*</url-pattern> - <url-pattern>/pki/keyrequest/reject/*</url-pattern> - <url-pattern>/pki/keyrequest/cancel/*</url-pattern> - <http-method>GET</http-method> - <http-method>PUT</http-method> - <http-method>DELETE</http-method> -</web-resource-collection> -<auth-constraint/> -</security-constraint> ---> - - -<!-- Customized SSL Client auth login config - uncomment to activate PKI realm as in conf/server.xml ---> - -<!-- - -<login-config> - <realm-name>PKIRealm</realm-name> - <auth-method>CLIENT-CERT</auth-method> - <realm-name>Client Cert Protected Area</realm-name> -</login-config> - -<security-role> - <role-name>*</role-name> -</security-role> - ---> + <!-- + <security-constraint> + <web-resource-collection> + <web-resource-name>Admin Services</web-resource-name> + <url-pattern>/rest/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Agent Services</web-resource-name> + <url-pattern>/rest/agent/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <login-config> + <realm-name>Key Recovery Authority</realm-name> + </login-config> + + <security-role> + <role-name>*</role-name> + </security-role> + --> </web-app> |