1 files changed, 226 insertions, 0 deletions

diff --git a/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java b/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java
new file mode 100644
index 000000000..c929f80ec
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java
@@ -0,0 +1,226 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.authorization;
+
+
+// cert server imports.
+import com.netscape.certsrv.acls.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.authorization.*;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.base.EPropertyNotFound;
+import com.netscape.cmsutil.util.*;
+import com.netscape.certsrv.authentication.*;
+
+// java sdk imports.
+import java.util.Hashtable;
+import java.util.Vector;
+import java.util.Enumeration;
+import java.util.StringTokenizer;
+import java.io.IOException;
+
+
+/**
+ * A class for basic acls authorization manager
+ *
+ * @version $Revision$, $Date$
+ */
+public class BasicAclAuthz extends AAclAuthz
+    implements IAuthzManager, IExtendedPluginInfo {
+
+    // members
+
+    /* name of this authorization manager instance */
+    private String mName = null;
+
+    /* name of the authorization manager plugin */
+    private String mImplName = null;
+
+    /* configuration store */
+    private IConfigStore mConfig;
+
+    /* the system logger */
+    private ILogger mLogger = null;
+
+    protected static final String PROP_BASEDN = "basedn";
+
+    private static boolean needsFlush = false;
+
+    static {
+        mExtendedPluginInfo.add("nothing for now");
+    }
+
+    /**
+     * Default constructor
+     */
+    public BasicAclAuthz() {
+
+        /* Holds configuration parameters accepted by this implementation.
+         * This list is passed to the configuration console so configuration
+         * for instances of this implementation can be configured through the
+         * console.
+         */
+        mConfigParams =
+                new String[] { 
+                    "dummy"
+                };
+    }
+
+    /**
+     *
+     */
+    public void init(String name, String implName, IConfigStore config)
+        throws EBaseException {
+        mName = name;
+        mImplName = implName;
+        mConfig = config;
+        mLogger = CMS.getLogger();
+
+        super.init(config);
+
+        log(ILogger.LL_INFO, "initialization done");
+    }
+
+    /**
+     * gets the name of this authorization manager instance
+     */
+    public String getName() {
+        return mName;
+    }
+
+    /**
+     * gets the plugin name of this authorization manager.
+     */
+    public String getImplName() {
+        return mImplName;
+    }
+
+    /**
+     * check the authorization permission for the user associated with
+     * authToken on operation
+     * <p>
+     * Example:
+     * <p>
+     * For example, if UsrGrpAdminServlet needs to authorize the caller
+     * it would do be done in the following fashion:
+     * <PRE>
+     *   try {
+     *     authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read");
+     *   } catch (EBaseException e) {
+     *      log(ILogger.LL_FAILURE, "authorize call: "+ e.toString());
+     *   }
+     * </PRE> 
+     * @param authToken the authToken associated with a user
+     * @param resource - the protected resource name
+     * @param operation - the protected resource operation name
+     * @exception EAuthzInternalError if an internal error occurred.
+     * @exception EAuthzAccessDenied if access denied
+     * @return authzToken if success
+     */
+    public AuthzToken authorize(IAuthToken authToken, String resource, String operation)
+        throws EAuthzInternalError, EAuthzAccessDenied {
+        AuthzToken authzToken = new AuthzToken(this);
+
+        try {
+            checkPermission(authToken, resource, operation);
+
+            CMS.debug("BasicAclAuthz: authorization passed");
+
+            // compose AuthzToken
+            authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource);
+            authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation);
+            authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS,
+                AuthzToken.AUTHZ_STATUS_SUCCESS);
+        } catch (EACLsException e) {
+            // audit here later 
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED"));
+            String params[] = {resource, operation};
+
+            throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params));
+        }
+
+        return authzToken;
+    }
+
+    public AuthzToken authorize(IAuthToken authToken, String expression)
+      throws EAuthzAccessDenied {
+        if (evaluateACLs(authToken, expression)) {
+            return (new AuthzToken(this));
+        } else {
+            String params[] = {expression};
+            throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params));
+        }
+    }
+
+    /**
+     * This currently does not flush to permanent storage
+     * @param id is the resource id
+     * @param strACLs 
+     */
+    public void updateACLs(String id, String rights, String strACLs,
+        String desc) throws EACLsException {
+        try {
+            super.updateACLs(id, rights, strACLs, desc);
+            //            flushResourceACLs();
+            needsFlush = false;
+        } catch (EACLsException ex) {
+            // flushing failed, set flag
+            needsFlush = true;
+
+            String errMsg = "updateACLs: failed to flushResourceACLs(): "
+                + ex.toString();
+
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString()));
+
+            throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL"));
+        }
+    }
+
+    /**
+     * updates resourceACLs to permanent storage.
+     * currently not implemented for this authzMgr
+     */
+    protected void flushResourceACLs() throws EACLsException {
+        log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented");
+        throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED"));
+    }
+
+    /**
+     * graceful shutdown 
+     */
+    public void shutdown() {
+        log(ILogger.LL_INFO, "shutting down");
+    }
+
+    /**
+     * Logs a message for this class in the system log file.
+     * @param level The log level.
+     * @param msg The message to log.
+     * @see com.netscape.certsrv.logging.ILogger
+     */
+    protected void log(int level, String msg) {
+        if (mLogger == null)
+            return;
+        mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION,
+            level, msg);
+    }
+}