Diffstat (limited to 'base')
7 files changed, 111 insertions, 26 deletions
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
index 72980aa5a..005043ada 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
@@ -106,6 +106,8 @@ public class AuditFormat {
 "Admin UID: {0} removed User UID: {1} from group: {2}";
 public static final String ADDCERTSUBJECTDNFORMAT =
 "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
 
 // LDAP publishing
 public static final String LDAP_PUBLISHED_FORMAT =
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index eb7f84ebf..543b33c26 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
 public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
 
 /**
+ * Remove a certSubjectDN field from the user
+ * @param identity
+ * @throws EUsrGrpException
+ * @throws LDAPException
+ */
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
+
+ /**
 * Removes a user certificate for a user entry
 * given a user certificate DN (actually, a combination of version,
 * serialNumber, issuerDN, and SubjectDN), and it gets removed
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 6cd64f654..bcfe36459 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
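Review bot: The new Javadoc on removeCertSubjectDN in IUGSubsystem does not say what is removed or what happens when the user has no certificate, and the UGSubsystem implementation later in this commit is a silent no-op for a null identity or one without certificates and deletes only the subject DN of the first certificate. Since removeOldDBUsers relies on this call to clear a mapping that lets an entry be matched by the subsystem certificate, the contract should be explicit on the interface; I would write `Removes the certSubjectDN value (seeAlso, going by removeOldDBUsers) that matches the subject DN of the user's first certificate. No-op when identity is null or carries no certificates.` and fill in `@param identity user whose certSubjectDN value is deleted` rather than leaving the tags empty.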
@@ -144,6 +144,7 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.system.InstallToken; import com.netscape.certsrv.system.InstallTokenRequest; import com.netscape.certsrv.system.SystemConfigClient; +import com.netscape.certsrv.usrgrp.EUsrGrpException; import com.netscape.certsrv.usrgrp.IGroup; import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; @@ -170,6 +171,7 @@ public class ConfigurationUtils { public static String AUTH_FAILURE = "2"; public static final BigInteger BIG_ZERO = new BigInteger("0"); public static final Long MINUS_ONE = Long.valueOf(-1); + public static final String DBUSER = "pkidbuser"; public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException, IncorrectPasswordException { @@ -717,8 +719,6 @@ public class ConfigurationUtils { BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException, NoSuchItemOnTokenException, InvalidBERException, IOException { byte b[] = new byte[1000000]; - IConfigStore cs = CMS.getConfigStore(); - String instanceRoot = cs.getString("instanceRoot"); FileInputStream fis = new FileInputStream(p12File); while (fis.available() > 0) @@ -1204,8 +1204,7 @@ public class ConfigurationUtils { String instanceId = cs.getString("instanceId"); String cstype = cs.getString("cs.type"); - String dbuser = "uid=" + LDAPUtil.escapeDN(cstype + "-" + cs.getString("machineName") + "-" - + cs.getString("service.securePort")) + ",ou=people," + baseDN; + String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN; String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf"; 
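Review bot: The rewritten dbuser DN in the `@@ -1204,8 +1204,7 @@` hunk has a stray space in `",ou= people,"`; RFC 4514 parsers tolerate whitespace around `=`, but the old code built `,ou=people,` and removeOldDBUsers in this same commit builds `"ou=people, " + basedn`, so any place that compares this string textually rather than as a parsed DN (an ACI, a config value, or a seeAlso match; I cannot see from this hunk where `dbuser` is consumed) will treat them as different names. Change it to `String dbuser = "uid=" + DBUSER + ",ou=people," + baseDN;`. Dropping LDAPUtil.escapeDN is fine only because DBUSER is now a fixed constant; a comment saying so (`// DBUSER is a literal constant, no DN escaping needed`) would stop someone reintroducing a derived uid without escaping. The enclosing method starts and ends outside the hunk.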
@@ -3389,19 +3388,28 @@ public class ConfigurationUtils { } } - public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException, + public static void setupDBUser() throws CertificateException, LDAPException, EBaseException, NotInitializedException, ObjectNotFoundException, TokenException, IOException { IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); + try { + @SuppressWarnings("unused") + Enumeration<IUser> dbusers = system.findUsers(DBUSER); + CMS.debug("DB User already exists: " + DBUSER); + return; + } catch (EUsrGrpException e) { + CMS.debug("Creating DB User: " + DBUSER); + } + String b64 = getSubsystemCert(); if (b64 == null) { CMS.debug("setupDBUser(): failed to fetch subsystem cert"); - return; + throw new EBaseException("setupDBUser(): failed to fetch subsystem cert"); } - IUser user = system.createUser(dbuser); - user.setFullName(dbuser); + IUser user = system.createUser(DBUSER); + user.setFullName(DBUSER); user.setEmail(""); user.setPassword(""); user.setUserType("agentType"); 
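Review bot: The existence check at the top of setupDBUser treats any EUsrGrpException from findUsers() as "user not found" and any normal return as "user exists" without looking at the result, so if findUsers(DBUSER) returns an empty enumeration for a missing uid the pkidbuser entry is never created, and if it throws on a directory or connection error the code goes on to create a duplicate. I cannot see from this hunk which of those behaviours findUsers has, or whether its argument is a uid or a filter pattern, so check the implementation and inspect the returned enumeration instead of relying on the exception. The early `return` also skips addCertSubjectDN and removeOldDBUsers, so a re-run after the subsystem certificate is renewed refreshes nothing on pkidbuser and leaves the old per-instance users' seeAlso values in place; the method body continues into the next hunk.
```java
    IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));

    boolean exists = false;
    try {
        Enumeration<IUser> dbusers = system.findUsers(DBUSER);
        exists = dbusers != null && dbusers.hasMoreElements();
    } catch (EUsrGrpException e) {
        // TODO confirm: does findUsers() report "no match" by throwing, or by an empty result?
        CMS.debug("setupDBUser(): lookup of " + DBUSER + " failed: " + e);
    }
    if (exists) {
        CMS.debug("DB User already exists: " + DBUSER);
        return;
    }
    // … unchanged: getSubsystemCert(), createUser(DBUSER) and attribute setup …
```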
@@ -3414,6 +3422,36 @@ public class ConfigurationUtils {
 CMS.debug("setupDBUser(): successfully added the user");
 system.addUserCert(user);
 CMS.debug("setupDBUser(): successfully add the user certificate");
+
+ // set subject dn
+ system.addCertSubjectDN(user);
+
+ // remove old db users
+ CMS.debug("Removing seeAlso from old dbusers");
+ removeOldDBUsers(certs[0].getSubjectDN().toString());
+ }
+
+ public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
+ IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
+ IConfigStore cs = CMS.getConfigStore();
+ String userbasedn = "ou=people, " + cs.getString("internaldb.basedn");
+ IConfigStore dbCfg = cs.getSubStore("internaldb");
+ ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory();
+ dbFactory.init(dbCfg);
+ LDAPConnection conn = dbFactory.getConn();
+
+ String filter = "(&(seeAlso=" + LDAPUtil.escapeFilter(subjectDN) + ")(!(uid=" + DBUSER + ")))";
+ String[] attrs = null;
+ LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
+ attrs, false);
+ if (res != null) {
+ while (res.hasMoreElements()) {
+ String uid = (String) res.next().getAttribute("uid").getStringValues().nextElement();
+ IUser user = system.getUser(uid);
+ CMS.debug("removeOldDUsers: Removing seeAlso from " + uid);
+ system.removeCertSubjectDN(user);
+ }
+ }
 }
 
 public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index e81afdd2f..197c16ad3 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
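Review bot: removeOldDBUsers takes a connection from dbFactory with getConn() and never gives it back, and any LDAPException out of conn.search() or removeCertSubjectDN() leaves it checked out; the UGSubsystem hunk in this same commit returns its connection in a finally block, and this method should do the same (through the factory's returnConn, which I assume ILdapConnFactory exposes since UGSubsystem's wrapper calls it). Narrowing `attrs` to `new String[] { "uid" }` avoids pulling every attribute of each matched entry when only the uid is used, and `getAttribute("uid")` is dereferenced with no null check, so an entry under ou=people that carries the seeAlso value but no uid would throw NullPointerException out of the loop (I cannot tell from here whether such entries exist). The debug message also misspells the method as `removeOldDUsers`.
```java
    LDAPConnection conn = null;
    try {
        conn = dbFactory.getConn();
        String filter = "(&(seeAlso=" + LDAPUtil.escapeFilter(subjectDN) + ")(!(uid=" + DBUSER + ")))";
        // only the uid is consumed below; do not fetch certificates and the rest of the entry
        String[] attrs = new String[] { "uid" };
        LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
                attrs, false);
        // … unchanged: loop over res calling system.removeCertSubjectDN(user) …
    } finally {
        if (conn != null)
            dbFactory.returnConn(conn);
    }
```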
@@ -31,8 +31,6 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.ocsp.IOCSPAuthority; import com.netscape.certsrv.property.PropertySet; -import com.netscape.certsrv.usrgrp.IUGSubsystem; -import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cms.servlet.wizard.WizardServlet; import com.netscape.cmsutil.util.Utils; @@ -225,16 +223,8 @@ public class DonePanel extends WizardPanelBase { e.printStackTrace(); } - String dbuser = null; try { - dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-" - + cs.getString("service.securePort"); - if (!sdtype.equals("new")) { - ConfigurationUtils.setupDBUser(dbuser); - } - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - IUser user = system.getUser(dbuser); - system.addCertSubjectDN(user); + ConfigurationUtils.setupDBUser(); } catch (Exception e) { e.printStackTrace(); CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e); diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java index 4ae9579f2..3bbe3ca80 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java @@ -703,13 +703,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } try { - String dbuser = csType + "-" + CMS.getEEHost() + "-" + cs.getString("service.securePort"); - if (! securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) { - ConfigurationUtils.setupDBUser(dbuser); - } - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID)); - IUser user = system.getUser(dbuser); - system.addCertSubjectDN(user); + ConfigurationUtils.setupDBUser(); } catch (Exception e) { e.printStackTrace(); throw new PKIException("Errors in creating or updating dbuser: " + e); 
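Review bot: DonePanel still catches every Exception from setupDBUser(), prints the stack trace and continues, while this commit makes setupDBUser() throw EBaseException when the subsystem certificate cannot be fetched; on the wizard path the installation is therefore reported complete with no pkidbuser entry and no seeAlso mapping, whereas the REST path in SystemConfigService in this same commit rethrows the same failure as a PKIException. Since the DB user is presumably what lets the instance bind to the directory with its subsystem certificate, a silently missing entry is a hard-to-diagnose failure later; consider surfacing it here the same way, or at minimum replacing the `e.printStackTrace()` with a logged failure at a level that is not debug-only. The enclosing update() method starts and ends outside this hunk.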
diff --git a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
index 9ba62babb..42c3b0d6f 100644
--- a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
+++ b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
@@ -108,4 +108,9 @@ public class AuditFormat {
 "Admin UID: {0} added User UID: {1} to group: {2}";
 public static final String REMOVEUSERGROUPFORMAT =
 "Admin UID: {0} removed User UID: {1} from group: {2}";
+ public static final String ADDCERTSUBJECTDNFORMAT =
+ "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
+ public static final String REMOVECERTSUBJECTDNFORMAT =
+ "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
+
 }
diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index 9e3dacb17..6b6157241 100644
--- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
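Review bot: ADDCERTSUBJECTDNFORMAT and REMOVECERTSUBJECTDNFORMAT are now defined twice with identical text, here in com.netscape.cmscore.logging.AuditFormat and in com.netscape.certsrv.logging.AuditFormat earlier in this commit, and audit consumers that match on the message text will diverge silently if only one copy is edited later. If the cmscore class is kept for compatibility, have it delegate, e.g. `public static final String REMOVECERTSUBJECTDNFORMAT = com.netscape.certsrv.logging.AuditFormat.REMOVECERTSUBJECTDNFORMAT;`, or add a comment naming which copy is authoritative; I cannot tell from this diff which AuditFormat UGSubsystem imports.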
@@ -820,6 +820,54 @@ public final class UGSubsystem implements IUGSubsystem {
 return;
 }
 
+ public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
+ User user = (User) identity;
+
+ if (user == null) {
+ CMS.debug("removeCertSubjectDN: null user passed in");
+ return;
+ }
+
+ X509Certificate cert[] = null;
+ LDAPModificationSet delAttr = new LDAPModificationSet();
+
+ if ((cert = user.getX509Certificates()) != null) {
+ LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
+ attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
+ delAttr.add(LDAPModification.DELETE, attrCertDNStr);
+
+ LDAPConnection ldapconn = null;
+
+ try {
+ ldapconn = getConn();
+ ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) +
+ "," + getUserBaseDN(), delAttr);
+ // for audit log
+ SessionContext sessionContext = SessionContext.getContext();
+ String adminId = (String) sessionContext.get(SessionContext.USER_ID);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT,
+ new Object[] { adminId, user.getUserID(),
+ cert[0].getSubjectDN().toString() }
+ );
+
+ } catch (LDAPException e) {
+ if (Debug.ON) {
+ e.printStackTrace();
+ }
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ throw e;
+ } catch (ELdapException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
+ } finally {
+ if (ldapconn != null)
+ returnConn(ldapconn);
+ }
+ }
+ return;
+ }
+
 /**
 * Removes a user certificate for a user entry
 * given a user certificate DN (actually, a combination of version, |
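Review bot: The `catch (ELdapException e)` branch in removeCertSubjectDN logs the failure and falls through to `return`, so when getConn() cannot obtain a directory connection the method returns as if it succeeded, no audit record is written, and removeOldDBUsers in this same commit believes the stale seeAlso mapping was cleared; for a step whose purpose is to stop old entries being matched by the subsystem certificate that should be a hard failure, wrapped in the EUsrGrpException the signature already declares (using whatever constructor or message key the file uses for modify failures). `cert[0]` is also dereferenced after only a null check, so an empty array from getX509Certificates() (I cannot see from here whether that can happen) would throw ArrayIndexOutOfBoundsException; guard with `cert.length > 0`. Less critical: the failure log reuses the CMSCORE_USRGRP_ADD_USER message key for a remove operation, and only the first certificate's subject DN is deleted, which presumably mirrors addCertSubjectDN but deserves a line in the Javadoc.
```java
        if ((cert = user.getX509Certificates()) != null && cert.length > 0) {
            // … unchanged: build delAttr, getConn(), modify(), audit log, LDAPException handling …
            } catch (ELdapException e) {
                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
                // never report success when the mapping could not be removed
                throw new EUsrGrpException(e.toString());
            } finally {
```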