Diffstat (limited to 'pki/base/common/src/com/netscape/cms/authorization')
3 files changed, 328 insertions, 308 deletions
diff --git a/pki/base/common/src/com/netscape/cms/authorization/AAclAuthz.java b/pki/base/common/src/com/netscape/cms/authorization/AAclAuthz.java index c3b0a8535..62abf3080 100644 --- a/pki/base/common/src/com/netscape/cms/authorization/AAclAuthz.java +++ b/pki/base/common/src/com/netscape/cms/authorization/AAclAuthz.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authorization; - import java.util.Enumeration; import java.util.Hashtable; import java.util.Locale; 
@@ -37,30 +36,32 @@ import com.netscape.certsrv.evaluators.IAccessEvaluator; import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.util.Utils; - /** - * An abstract class represents an authorization manager that governs the - * access of internal resources such as servlets. - * It parses in the ACLs associated with each protected - * resources, and provides protected method <CODE>checkPermission</CODE> - * for code that needs to verify access before performing - * actions. + * An abstract class represents an authorization manager that governs the access + * of internal resources such as servlets. It parses in the ACLs associated with + * each protected resources, and provides protected method + * <CODE>checkPermission</CODE> for code that needs to verify access before + * performing actions. * <P> * Here is a sample resourceACLS for a resource + * * <PRE> * certServer.UsrGrpAdminServlet: * execute: * deny (execute) user="tempAdmin"; * allow (execute) group="Administrators"; * </PRE> - * To perform permission checking, code call authz mgr authorize() - * method to verify access. See AuthzMgr for calling example. + * + * To perform permission checking, code call authz mgr authorize() method to + * verify access. See AuthzMgr for calling example. * <P> - * default "evaluators" are used to evaluate the "group=.." or "user=.." - * rules. See evaluator for more info + * default "evaluators" are used to evaluate the "group=.." or "user=.." rules. + * See evaluator for more info * * @version $Revision$, $Date$ - * @see <A HREF="http://developer.netscape.com/library/documentation/enterprise/admnunix/aclfiles.htm">ACL Files</A> + * @see <A + * HREF="http://developer.netscape.com/library/documentation/enterprise/admnunix/aclfiles.htm">ACL + * Files</A> */ public abstract class AAclAuthz { 
@@ -92,10 +93,9 @@ public abstract class AAclAuthz { } /** - * Initializes + * Initializes */ - protected void init(IConfigStore config) - throws EBaseException { + protected void init(IConfigStore config) throws EBaseException { mLogger = CMS.getLogger(); CMS.debug("AAclAuthz: init begins"); @@ -119,21 +119,21 @@ public abstract class AAclAuthz { } catch (Exception e) { log(ILogger.LL_MISCONF, "failed to get config class info"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", - type + "." + PROP_CLASS)); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", type + + "." + PROP_CLASS)); } - // instantiate evaluator + // instantiate evaluator try { - evaluator = - (IAccessEvaluator) Class.forName(evalClassPath).newInstance(); + evaluator = (IAccessEvaluator) Class.forName(evalClassPath) + .newInstance(); } catch (Exception e) { - String errMsg = "init(): failed to load class: " + - evalClassPath + ":" + e.toString(); + String errMsg = "init(): failed to load class: " + + evalClassPath + ":" + e.toString(); - throw new - EACLsException(CMS.getUserMessage("CMS_ACL_CLASS_LOAD_FAIL", - evalClassPath)); + throw new EACLsException(CMS.getUserMessage( + "CMS_ACL_CLASS_LOAD_FAIL", evalClassPath)); } if (evaluator != null) { @@ -143,7 +143,8 @@ public abstract class AAclAuthz { } else { String errMsg = "access evaluator " + type + " is null"; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NULL", type)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_NULL", type)); } } 
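Review bot: In the `catch (Exception e)` around `Class.forName(evalClassPath).newInstance()` in init(), `errMsg` is assembled with the underlying exception text but never logged, and the EACLsException is thrown without it, so an operator diagnosing an authorization manager that failed to load its evaluator sees only the generic user message. Log it before the throw, `log(ILogger.LL_FAILURE, errMsg);`, as the preceding catch already does for the config lookup. The same unused `errMsg` appears in the else-branch of `if (evaluator != null)` in the next hunk. init() starts and ends outside these hunks, so whether a missing evaluator leaves the manager in a usable state cannot be judged from here.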
@@ -151,16 +152,18 @@ public abstract class AAclAuthz { } /** - * Parse ACL resource attributes, then update the ACLs memory store - * This is intended to be used if storing ACLs on ldap is not desired, - * and the caller is expected to call this method to add resource - * and acl info into acls memory store. The resACLs format should conform - * to the following: - * <resource ID>:right-1[,right-n]:[allow,deny](right(s))<evaluatorType>=<value>:<comment for this resource acl + * Parse ACL resource attributes, then update the ACLs memory store This is + * intended to be used if storing ACLs on ldap is not desired, and the + * caller is expected to call this method to add resource and acl info into + * acls memory store. The resACLs format should conform to the following: + * <resource + * ID>:right-1[,right-n]:[allow,deny](right(s))<evaluatorType>=<value + * >:<comment for this resource acl * <P> - * Example: - * resTurnKnob:left,right:allow(left) group="lefties":door knobs for lefties - * @param resACLs same format as the resourceACLs attribute + * Example: resTurnKnob:left,right:allow(left) group="lefties":door knobs + * for lefties + * + * @param resACLs same format as the resourceACLs attribute * @throws EBaseException parsing error from <code>parseACL</code> */ public void addACLs(String resACLs) throws EBaseException { @@ -180,7 +183,7 @@ public abstract class AAclAuthz { public IACL getACL(String target) { return (ACL) mACLs.get(target); } - + protected Enumeration getTargetNames() { return mACLs.keys(); } 
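Review bot: The reflowed Javadoc on addACLs() now breaks the resACLs format string across three lines in mid-token (`<resource` / `ID>` and `<value` / `>:<comment`), and the raw angle brackets are read as HTML tags by the Javadoc tool, so the one place that specifies the ACL syntax no longer shows it intact. Put the format line and the `resTurnKnob` example inside `<PRE>` with `{@code …}`, or escape the brackets as `&lt;`/`&gt;`, so the formatter leaves them alone, the way the class-level comment already protects its sample with `<PRE>`. A period is also missing after "update the ACLs memory store", where two sentences were joined.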
@@ -204,10 +207,10 @@ public abstract class AAclAuthz { } /** - * Returns a list of configuration parameter names. - * The list is passed to the configuration console so instances of - * this implementation can be configured through the console. - * + * Returns a list of configuration parameter names. The list is passed to + * the configuration console so instances of this implementation can be + * configured through the console. + * * @return String array of configuration parameter names. */ public String[] getConfigParams() { @@ -220,8 +223,7 @@ public abstract class AAclAuthz { public abstract void shutdown(); /** - * Registers new handler for the given attribute type - * in the expressions. + * Registers new handler for the given attribute type in the expressions. */ public void registerEvaluator(String type, IAccessEvaluator evaluator) { mEvaluators.put(type, evaluator); 
@@ -233,45 +235,42 @@ public abstract class AAclAuthz { *******************************************************/ /** - * Checks if the permission is granted or denied in - * the current execution context. If the code is - * marked as privileged, this methods will simply + * Checks if the permission is granted or denied in the current execution + * context. If the code is marked as privileged, this methods will simply * return. * <P> - * note that if a resource does not exist in the aclResources - * entry, but a higher level node exist, it will still be - * evaluated. The highest level node's acl determines the - * permission. If the higher level node doesn't contain any acl - * information, then it's passed down to the lower node. If - * a node has no aci in its resourceACLs, then it's considered - * passed. + * note that if a resource does not exist in the aclResources entry, but a + * higher level node exist, it will still be evaluated. The highest level + * node's acl determines the permission. If the higher level node doesn't + * contain any acl information, then it's passed down to the lower node. If + * a node has no aci in its resourceACLs, then it's considered passed. * <p> * example: certServer.common.users, if failed permission check for - * "certServer", then it's considered failed, and there is no need to - * continue the check. If passed permission check for "certServer", - * then it's considered passed, and no need to continue the - * check. If certServer contains no aci then "certServer.common" will be - * checked for permission instead. If down to the leaf level, - * the node still contains no aci, then it's considered passed. - * If at the leaf level, no such resource exist, or no acis, it's - * considered passed. + * "certServer", then it's considered failed, and there is no need to + * continue the check. If passed permission check for "certServer", then + * it's considered passed, and no need to continue the check. 
If certServer + * contains no aci then "certServer.common" will be checked for permission + * instead. If down to the leaf level, the node still contains no aci, then + * it's considered passed. If at the leaf level, no such resource exist, or + * no acis, it's considered passed. * <p> - * If there are multiple aci's for a resource, ALL aci's will be - * checked, and only if all passed permission checks, will the - * eventual access be granted. + * If there are multiple aci's for a resource, ALL aci's will be checked, + * and only if all passed permission checks, will the eventual access be + * granted. + * * @param name resource name * @param perm permission requested * @exception EACLsException access permission denied */ - protected synchronized void checkPermission(String name, String perm) - throws EACLsException { + protected synchronized void checkPermission(String name, String perm) + throws EACLsException { String resource = ""; StringTokenizer st = new StringTokenizer(name, "."); while (st.hasMoreTokens()) { String node = st.nextToken(); - if (! "".equals(resource)) { + if (!"".equals(resource)) { resource = resource + "." + node; } else { resource = node; 
@@ -287,19 +286,19 @@ public abstract class AAclAuthz { params[0] = name; params[1] = perm; - String errMsg = "checkPermission(): permission denied for the resource " + - name + " on operation " + perm; + String errMsg = "checkPermission(): permission denied for the resource " + + name + " on operation " + perm; - log(ILogger.LL_SECURITY, CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); + log(ILogger.LL_SECURITY, CMS.getLogMessage( + "AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); - throw new - EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION", - (String[]) params)); + throw new EACLsException(CMS.getUserMessage( + "CMS_ACL_NO_PERMISSION", (String[]) params)); } if (passed) { - String infoMsg = "checkPermission(): permission granted for the resource " + - name + " on operation " + perm; + String infoMsg = "checkPermission(): permission granted for the resource " + + name + " on operation " + perm; log(ILogger.LL_INFO, infoMsg); 
@@ -309,46 +308,44 @@ public abstract class AAclAuthz { } /** - * Checks if the permission is granted or denied in - * the current execution context. + * Checks if the permission is granted or denied in the current execution + * context. * <P> * An <code>ACL</code> may contain one or more <code>ACLEntry</code>. - * However, in case of multiple <code>ACLEntry</code>, a subject must - * pass ALL of the <code>ACLEntry</code> evaluation for permission - * to be granted + * However, in case of multiple <code>ACLEntry</code>, a subject must pass + * ALL of the <code>ACLEntry</code> evaluation for permission to be granted * <P> - * negative ("deny") aclEntries are treated differently than - * positive ("allow") statements. If a negative aclEntries - * fails the acl check, the permission check will return "false" - * right away; while in the case of a positive aclEntry, if the - * the aclEntry fails the acl check, the next aclEntry will be - * evaluated. + * negative ("deny") aclEntries are treated differently than positive + * ("allow") statements. If a negative aclEntries fails the acl check, the + * permission check will return "false" right away; while in the case of a + * positive aclEntry, if the the aclEntry fails the acl check, the next + * aclEntry will be evaluated. 
+ * * @param name resource name * @param perm permission requested - * @return true if access allowed - * false if should be passed down to the next node + * @return true if access allowed false if should be passed down to the next + * node * @exception EACLsException if access disallowed */ - private boolean checkACLs(String name, String perm) - throws EACLsException { + private boolean checkACLs(String name, String perm) throws EACLsException { ACL acl = (ACL) mACLs.get(name); // no such resource, pass it down if (acl == null) { - String infoMsg = "checkACLs(): no acl for" + - name + "...pass down to next node"; + String infoMsg = "checkACLs(): no acl for" + name + + "...pass down to next node"; log(ILogger.LL_INFO, infoMsg); - return false; + return false; } Enumeration e = acl.entries(); if ((e == null) || (e.hasMoreElements() == false)) { // no acis for node, pass down to next node - String infoMsg = " AAclAuthz.checkACLs(): no acis for " + - name + " acl entry...pass down to next node"; + String infoMsg = " AAclAuthz.checkACLs(): no acis for " + name + + " acl entry...pass down to next node"; log(ILogger.LL_INFO, infoMsg); @@ -365,13 +362,16 @@ public abstract class AAclAuthz { if (entry.containPermission(perm) == true) { if (evaluateExpressions(entry.getAttributeExpressions())) { if (entry.checkPermission(perm) == false) { - log(ILogger.LL_SECURITY, " checkACLs(): permission denied"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + log(ILogger.LL_SECURITY, + " checkACLs(): permission denied"); + throw new EACLsException( + CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); } } else if (!entry.isNegative()) { // didn't meet the access expression for "allow", failed log(ILogger.LL_SECURITY, "checkACLs(): permission denied"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + throw new EACLsException( + CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); } } } 
@@ -380,10 +380,8 @@ public abstract class AAclAuthz { } /** - * Resolves the given expressions. - * expression || expression || ... - * example: - * group="Administrators" || group="Operators" + * Resolves the given expressions. expression || expression || ... example: + * group="Administrators" || group="Operators" */ private boolean evaluateExpressions(String s) { // XXX - just handle "||" (or) among multiple expressions for now @@ -449,14 +447,15 @@ public abstract class AAclAuthz { private boolean evaluateExpression(String expression) { // XXX - just recognize "=" for now!! int i = expression.indexOf("="); - String type = expression.substring(0, i); - String value = expression.substring(i + 1); + String type = expression.substring(0, i); + String value = expression.substring(i + 1); IAccessEvaluator evaluator = (IAccessEvaluator) mEvaluators.get(type); if (evaluator == null) { String errMsg = "evaluator for type " + type + "not found"; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); return false; } 
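Review bot: In evaluateExpression(String), the result of `expression.indexOf("=")` is used without a check, so an expression with no `=` reaches `substring(0, i)` with `i == -1` and throws StringIndexOutOfBoundsException instead of the EACLsException that callers are written for. Unless the ACL parser guarantees an `=` in every expression, guard it explicitly, e.g. `if (i < 0) { log(ILogger.LL_FAILURE, "evaluateExpression(): malformed expression"); return false; }`. Note that `return false` here, like the existing `evaluator == null` branch, makes a deny entry simply not match, so it is worth deciding whether a malformed or unknown-type expression on a deny rule should reject the request instead. The local `errMsg` in that branch is never used, and the method continues past the end of the hunk.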
@@ -468,76 +467,72 @@ public abstract class AAclAuthz { *******************************************************/ /** - * Checks if the permission is granted or denied with id from authtoken + * Checks if the permission is granted or denied with id from authtoken * gotten from authentication that precedes authorization. If the code is - * marked as privileged, this methods will simply - * return. + * marked as privileged, this methods will simply return. * <P> - * note that if a resource does not exist in the aclResources - * entry, but a higher level node exist, it will still be - * evaluated. The highest level node's acl determines the - * permission. If the higher level node doesn't contain any acl - * information, then it's passed down to the lower node. If - * a node has no aci in its resourceACLs, then it's considered - * passed. + * note that if a resource does not exist in the aclResources entry, but a + * higher level node exist, it will still be evaluated. The highest level + * node's acl determines the permission. If the higher level node doesn't + * contain any acl information, then it's passed down to the lower node. If + * a node has no aci in its resourceACLs, then it's considered passed. * <p> * example: certServer.common.users, if failed permission check for - * "certServer", then it's considered failed, and there is no need to - * continue the check. If passed permission check for "certServer", - * then it's considered passed, and no need to continue the - * check. If certServer contains no aci then "certServer.common" will be - * checked for permission instead. If down to the leaf level, - * the node still contains no aci, then it's considered passed. - * If at the leaf level, no such resource exist, or no acis, it's - * considered passed. + * "certServer", then it's considered failed, and there is no need to + * continue the check. If passed permission check for "certServer", then + * it's considered passed, and no need to continue the check. 
If certServer + * contains no aci then "certServer.common" will be checked for permission + * instead. If down to the leaf level, the node still contains no aci, then + * it's considered passed. If at the leaf level, no such resource exist, or + * no acis, it's considered passed. * <p> - * If there are multiple aci's for a resource, ALL aci's will be - * checked, and only if all passed permission checks, will the - * eventual access be granted. + * If there are multiple aci's for a resource, ALL aci's will be checked, + * and only if all passed permission checks, will the eventual access be + * granted. + * * @param authToken authentication token gotten from authentication * @param name resource name * @param perm permission requested * @exception EACLsException access permission denied */ - public synchronized void checkPermission(IAuthToken authToken, String name, - String perm) - throws EACLsException { - + public synchronized void checkPermission(IAuthToken authToken, String name, + String perm) throws EACLsException { + Vector nodev = getNodes(name); Enumeration nodes = nodev.elements(); String order = getOrder(); Enumeration entries = null; - if (order.equals("deny")) + if (order.equals("deny")) entries = getDenyEntries(nodes, perm); - else + else entries = getAllowEntries(nodes, perm); - + boolean permitted = false; while (entries.hasMoreElements()) { ACLEntry entry = (ACLEntry) entries.nextElement(); - CMS.debug("checkACLS(): ACLEntry expressions= " + - entry.getAttributeExpressions()); + CMS.debug("checkACLS(): ACLEntry expressions= " + + entry.getAttributeExpressions()); if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { - log(ILogger.LL_SECURITY, - " checkACLs(): permission denied"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); + log(ILogger.LL_SECURITY, " checkACLs(): permission denied"); + throw new EACLsException( + CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); } } nodes = nodev.elements(); - if 
(order.equals("deny")) + if (order.equals("deny")) entries = getAllowEntries(nodes, perm); - else + else entries = getDenyEntries(nodes, perm); - while (entries.hasMoreElements()) { + while (entries.hasMoreElements()) { ACLEntry entry = (ACLEntry) entries.nextElement(); - CMS.debug("checkACLS(): ACLEntry expressions= " + - entry.getAttributeExpressions()); + CMS.debug("checkACLS(): ACLEntry expressions= " + + entry.getAttributeExpressions()); if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { permitted = true; } @@ -545,8 +540,8 @@ public abstract class AAclAuthz { nodev = null; if (permitted) { - String infoMsg = "checkPermission(): permission granted for the resource " + - name + " on operation " + perm; + String infoMsg = "checkPermission(): permission granted for the resource " + + name + " on operation " + perm; log(ILogger.LL_INFO, infoMsg); return; @@ -556,14 +551,14 @@ public abstract class AAclAuthz { params[0] = name; params[1] = perm; - String errMsg = "checkPermission(): permission denied for the resource " + - name + " on operation " + perm; + String errMsg = "checkPermission(): permission denied for the resource " + + name + " on operation " + perm; - log(ILogger.LL_SECURITY, - CMS.getLogMessage("AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); + log(ILogger.LL_SECURITY, CMS.getLogMessage( + "AUTHZ_EVALUATOR_ACCESS_DENIED", name, perm)); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_NO_PERMISSION", - (String[]) params)); + throw new EACLsException(CMS.getUserMessage( + "CMS_ACL_NO_PERMISSION", (String[]) params)); } } @@ -582,13 +577,12 @@ public abstract class AAclAuthz { while (e.hasMoreElements()) { ACLEntry entry = (ACLEntry) e.nextElement(); - if (!entry.isNegative() && - entry.containPermission(operation)) { + if (!entry.isNegative() && entry.containPermission(operation)) { v.addElement(entry); } } } - + return v.elements(); } 
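Review bot: In checkPermission(IAuthToken, String, String) the action taken on a match depends on loop position, not on the kind of entry: the first loop always throws `CMS_ACL_PERMISSION_DENIED` and the second always sets `permitted = true`, so when getOrder() returns anything other than "deny" the first loop walks the allow entries and rejects on a match, while the second grants on a matching deny entry. If that order value is reachable (getOrder()'s body is outside this hunk), take the action from the entry itself in both loops, e.g. `if (entry.isNegative()) { throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); } permitted = true;`, and add a test for each configured order. `order.equals("deny")` would also throw NullPointerException if getOrder() can return null; `"deny".equals(order)` avoids that.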
@@ -607,21 +601,18 @@ public abstract class AAclAuthz { while (e.hasMoreElements()) { ACLEntry entry = (ACLEntry) e.nextElement(); - if (entry.isNegative() && - entry.containPermission(operation)) { + if (entry.isNegative() && entry.containPermission(operation)) { v.addElement(entry); } } } - + return v.elements(); } /** - * Resolves the given expressions. - * expression || expression || ... - * example: - * group="Administrators" || group="Operators" + * Resolves the given expressions. expression || expression || ... example: + * group="Administrators" || group="Operators" */ private boolean evaluateExpressions(IAuthToken authToken, String s) { // XXX - just handle "||" (or) among multiple expressions for now @@ -638,7 +629,8 @@ public abstract class AAclAuthz { if (orIndex == -1 && andIndex == -1) { boolean passed = evaluateExpression(authToken, s.trim()); - CMS.debug("evaluated expression: " + s.trim() + " to be " + passed); + CMS.debug("evaluated expression: " + s.trim() + " to be " + + passed); v.addElement(Boolean.valueOf(passed)); break; @@ -647,7 +639,8 @@ public abstract class AAclAuthz { String s1 = s.substring(0, orIndex); boolean passed = evaluateExpression(authToken, s1.trim()); - CMS.debug("evaluated expression: " + s1.trim() + " to be " + passed); + CMS.debug("evaluated expression: " + s1.trim() + " to be " + + passed); v.addElement(new Boolean(passed)); v.addElement("||"); s = s.substring(orIndex + 2); @@ -656,7 +649,8 @@ public abstract class AAclAuthz { String s1 = s.substring(0, andIndex); boolean passed = evaluateExpression(authToken, s1.trim()); - CMS.debug("evaluated expression: " + s1.trim() + " to be " + passed); + CMS.debug("evaluated expression: " + s1.trim() + " to be " + + passed); v.addElement(new Boolean(passed)); v.addElement("&&"); s = s.substring(andIndex + 2); 
@@ -703,7 +697,7 @@ public abstract class AAclAuthz { while (index != -1) { name = name.substring(0, index); v.addElement(name); - index = name.lastIndexOf("."); + index = name.lastIndexOf("."); } return v; @@ -729,7 +723,8 @@ public abstract class AAclAuthz { if (evaluator == null) { String errMsg = "evaluator for type " + type + "not found"; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_NOT_FOUND", type)); return false; } @@ -745,8 +740,9 @@ public abstract class AAclAuthz { i = exp.indexOf(">"); if (i == -1) { i = exp.indexOf("<"); - if (i == -1) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_OP_NOT_SUPPORTED", exp)); + if (i == -1) { + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "AUTHZ_OP_NOT_SUPPORTED", exp)); } else { return "<"; } @@ -780,25 +776,26 @@ public abstract class AAclAuthz { *******************************************************/ /** - * This one only updates the memory. Classes extend this class should - * also update to a permanent storage + * This one only updates the memory. Classes extend this class should also + * update to a permanent storage */ - public void updateACLs(String id, String rights, String strACLs, - String desc) throws EACLsException { + public void updateACLs(String id, String rights, String strACLs, String desc) + throws EACLsException { ACL acl = (ACL) getACL(id); - + String resourceACLs = id; if (rights != null) resourceACLs = id + ":" + rights + ":" + strACLs + ":" + desc; - // memory update + // memory update ACL ac = null; try { ac = (ACL) CMS.parseACL(resourceACLs); } catch (EBaseException ex) { - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0")); + throw new EACLsException( + CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0")); } mACLs.put(ac.getName(), ac); 
@@ -806,6 +803,7 @@ public abstract class AAclAuthz { /** * gets an enumeration of resources + * * @return an enumeration of resources contained in the ACL table */ public Enumeration aclResElements() { @@ -814,6 +812,7 @@ public abstract class AAclAuthz { /** * gets an enumeration of access evaluators + * * @return an enumeraton of access evaluators */ public Enumeration aclEvaluatorElements() { @@ -822,6 +821,7 @@ public abstract class AAclAuthz { /** * gets the access evaluators + * * @return handle to the access evaluators table */ public Hashtable getAccessEvaluators() { @@ -830,6 +830,7 @@ public abstract class AAclAuthz { /** * is this resource name unique + * * @return true if unique; false otherwise */ public boolean isTypeUnique(String type) { @@ -843,8 +844,8 @@ public abstract class AAclAuthz { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, level, + msg); } /********************************* 
@@ -852,24 +853,24 @@ public abstract class AAclAuthz { **********************************/ /** - * update acls. called after memory upate is done to flush to permanent + * update acls. called after memory upate is done to flush to permanent * storage. * <p> */ protected abstract void flushResourceACLs() throws EACLsException; /** - * an abstract class that enforces implementation of the - * authorize() method that will authorize an operation on a - * particular resource - * + * an abstract class that enforces implementation of the authorize() method + * that will authorize an operation on a particular resource + * * @param authToken the authToken associated with a user * @param resource - the protected resource name * @param operation - the protected resource operation name * @exception EBaseException If an internal error occurred. * @return authzToken */ - public abstract AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EBaseException; + public abstract AuthzToken authorize(IAuthToken authToken, String resource, + String operation) throws EBaseException; public String getOrder() { IConfigStore mainConfig = CMS.getConfigStore(); diff --git a/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java b/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java index 29cb671e6..f9d1864cb 100644 --- a/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java +++ b/pki/base/common/src/com/netscape/cms/authorization/BasicAclAuthz.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authorization; - // cert server imports. import com.netscape.certsrv.acls.EACLsException; import com.netscape.certsrv.apps.CMS; 
@@ -31,14 +30,13 @@ import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.IExtendedPluginInfo; import com.netscape.certsrv.logging.ILogger; - /** * A class for basic acls authorization manager - * + * * @version $Revision$, $Date$ */ -public class BasicAclAuthz extends AAclAuthz - implements IAuthzManager, IExtendedPluginInfo { +public class BasicAclAuthz extends AAclAuthz implements IAuthzManager, + IExtendedPluginInfo { // members @@ -67,22 +65,20 @@ public class BasicAclAuthz extends AAclAuthz */ public BasicAclAuthz() { - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the + /* + * Holds configuration parameters accepted by this implementation. This + * list is passed to the configuration console so configuration for + * instances of this implementation can be configured through the * console. */ - mConfigParams = - new String[] { - "dummy" - }; + mConfigParams = new String[] { "dummy" }; } /** * */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; 
@@ -108,20 +104,23 @@ public class BasicAclAuthz extends AAclAuthz } /** - * check the authorization permission for the user associated with - * authToken on operation + * check the authorization permission for the user associated with authToken + * on operation * <p> * Example: * <p> - * For example, if UsrGrpAdminServlet needs to authorize the caller - * it would do be done in the following fashion: + * For example, if UsrGrpAdminServlet needs to authorize the caller it would + * do be done in the following fashion: + * * <PRE> - * try { - * authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read"); - * } catch (EBaseException e) { - * log(ILogger.LL_FAILURE, "authorize call: "+ e.toString()); - * } - * </PRE> + * try { + * authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, + * "read"); + * } catch (EBaseException e) { + * log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); + * } + * </PRE> + * * @param authToken the authToken associated with a user * @param resource - the protected resource name * @param operation - the protected resource operation name @@ -129,8 +128,8 @@ public class BasicAclAuthz extends AAclAuthz * @exception EAuthzAccessDenied if access denied * @return authzToken if success */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { + public AuthzToken authorize(IAuthToken authToken, String resource, + String operation) throws EAuthzInternalError, EAuthzAccessDenied { AuthzToken authzToken = new AuthzToken(this); try { 
@@ -142,63 +141,70 @@ public class BasicAclAuthz extends AAclAuthz authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, - AuthzToken.AUTHZ_STATUS_SUCCESS); + AuthzToken.AUTHZ_STATUS_SUCCESS); } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = {resource, operation}; + // audit here later + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + throw new EAuthzAccessDenied(CMS.getUserMessage( + "CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); } return authzToken; } public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { + throws EAuthzAccessDenied { if (evaluateACLs(authToken, expression)) { return (new AuthzToken(this)); } else { - String params[] = {expression}; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage( + "CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); } } /** * This currently does not flush to permanent storage + * * @param id is the resource id - * @param strACLs + * @param strACLs */ - public void updateACLs(String id, String rights, String strACLs, - String desc) throws EACLsException { + public void updateACLs(String id, String rights, String strACLs, String desc) + throws EACLsException { try { super.updateACLs(id, rights, strACLs, desc); - // flushResourceACLs(); + // flushResourceACLs(); needsFlush = false; } catch (EACLsException ex) { // flushing failed, set flag needsFlush = true; String errMsg = "updateACLs: failed to flushResourceACLs(): " - + ex.toString(); + + 
ex.toString(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", + ex.toString())); throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); } } /** - * updates resourceACLs to permanent storage. - * currently not implemented for this authzMgr + * updates resourceACLs to permanent storage. currently not implemented for + * this authzMgr */ protected void flushResourceACLs() throws EACLsException { log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); + throw new EACLsException( + CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); } /** - * graceful shutdown + * graceful shutdown */ public void shutdown() { log(ILogger.LL_INFO, "shutting down"); @@ -206,6 +212,7 @@ public class BasicAclAuthz extends AAclAuthz /** * Logs a message for this class in the system log file. + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -213,7 +220,7 @@ public class BasicAclAuthz extends AAclAuthz protected void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, level, + msg); } } diff --git a/pki/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java b/pki/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java index ee22bb592..88ef8af0d 100644 --- a/pki/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java +++ b/pki/base/common/src/com/netscape/cms/authorization/DirAclAuthz.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.authorization; - import java.util.Enumeration; import netscape.ldap.LDAPAttribute; 
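Review bot: In BasicAclAuthz.updateACLs the catch block reports a flush failure although the `flushResourceACLs()` call is commented out, so the only call that can throw in the visible `try` is `super.updateACLs(...)`. The comment `// flushing failed, set flag` and the `AUTHZ_EVALUATOR_FLUSH_RESOURCES` log key (judging by its name) therefore point an operator at the wrong cause when an ACL update fails, and `needsFlush` is set for a flush this class never performs. The local `errMsg` is built and never used in the visible lines, and the rethrown `EACLsException` carries only `CMS_ACL_UPDATE_FAIL`, so the original reason survives only in the log line. I would drop `errMsg` and reword the comment to `// in-memory ACL update failed; this manager does not persist ACLs`. DirAclAuthz.updateACLs (hunk at -276) has the same unused `errMsg` and dropped cause.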
@@ -44,15 +43,14 @@ import com.netscape.certsrv.ldap.ELdapException; import com.netscape.certsrv.ldap.ILdapConnFactory; import com.netscape.certsrv.logging.ILogger; - /** - * A class for ldap acls based authorization manager - * The ldap server used for acls is the cms internal ldap db. - * + * A class for ldap acls based authorization manager The ldap server used for + * acls is the cms internal ldap db. + * * @version $Revision$, $Date$ */ -public class DirAclAuthz extends AAclAuthz - implements IAuthzManager, IExtendedPluginInfo { +public class DirAclAuthz extends AAclAuthz implements IAuthzManager, + IExtendedPluginInfo { // members 
@@ -75,22 +73,23 @@ public class DirAclAuthz extends AAclAuthz private static boolean needsFlush = false; static { - mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + - "LDAP host to connect to"); - mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + - "LDAP port number (use 389, or 636 if SSL)"); - mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + - "Use SSL to connect to directory?"); - mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + - "LDAP protocol version"); - mExtendedPluginInfo.add("ldap.basedn;string,required;Base DN to start sarching " + - "under. If the ACL's DN is 'cn=resourceACL, o=NetscapeCertificateServer' you " + - "might want to use 'o=NetscapeCertificateServer' here"); - mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + - "to keep open to directory server. Default 5."); - mExtendedPluginInfo.add("ldap.maxConns;number;when needed, connection " - + - "pool can grow to this many (multiplexed) connections. Default 1000"); + mExtendedPluginInfo.add("ldap.ldapconn.host;string,required;" + + "LDAP host to connect to"); + mExtendedPluginInfo.add("ldap.ldapconn.port;number,required;" + + "LDAP port number (use 389, or 636 if SSL)"); + mExtendedPluginInfo.add("ldap.ldapconn.secureConn;boolean;" + + "Use SSL to connect to directory?"); + mExtendedPluginInfo.add("ldap.ldapconn.version;choice(3,2);" + + "LDAP protocol version"); + mExtendedPluginInfo + .add("ldap.basedn;string,required;Base DN to start sarching " + + "under. If the ACL's DN is 'cn=resourceACL, o=NetscapeCertificateServer' you " + + "might want to use 'o=NetscapeCertificateServer' here"); + mExtendedPluginInfo.add("ldap.minConns;number;number of connections " + + "to keep open to directory server. Default 5."); + mExtendedPluginInfo + .add("ldap.maxConns;number;when needed, connection " + + "pool can grow to this many (multiplexed) connections. Default 1000"); } /** 
@@ -98,28 +97,23 @@ public class DirAclAuthz extends AAclAuthz */ public DirAclAuthz() { - /* Holds configuration parameters accepted by this implementation. - * This list is passed to the configuration console so configuration - * for instances of this implementation can be configured through the + /* + * Holds configuration parameters accepted by this implementation. This + * list is passed to the configuration console so configuration for + * instances of this implementation can be configured through the * console. */ - mConfigParams = - new String[] { - "ldap.ldapconn.host", - "ldap.ldapconn.port", - "ldap.ldapconn.secureConn", - "ldap.ldapconn.version", - "ldap.basedn", - "ldap.minConns", - "ldap.maxConns", - }; + mConfigParams = new String[] { "ldap.ldapconn.host", + "ldap.ldapconn.port", "ldap.ldapconn.secureConn", + "ldap.ldapconn.version", "ldap.basedn", "ldap.minConns", + "ldap.maxConns", }; } /** * */ public void init(String name, String implName, IConfigStore config) - throws EBaseException { + throws EBaseException { mName = name; mImplName = implName; mConfig = config; @@ -154,7 +148,7 @@ public class DirAclAuthz extends AAclAuthz CMS.debug("DirAclAuthz: about to ldap search aclResources"); try { conn = getConn(); - LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, + LDAPSearchResults res = conn.search(mBaseDN, LDAPv2.SCOPE_SUB, "cn=aclResources", null, false); returnConn(conn); 
@@ -175,10 +169,15 @@ public class DirAclAuthz extends AAclAuthz } catch (LDAPException e) { String errMsg = "init() -" + e.toString(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", e.toString())); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_CONNECT_LDAP_FAIL", mBaseDN)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", + e.toString())); + throw new EACLsException(CMS.getUserMessage( + "CMS_ACL_CONNECT_LDAP_FAIL", mBaseDN)); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_INIT_ERROR", + e.toString())); } log(ILogger.LL_INFO, "initialization done"); 
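Review bot: The `catch (EBaseException e)` branch only logs and then falls through to `log(ILogger.LL_INFO, "initialization done")`, whereas the `LDAPException` branch above it aborts with `EACLsException`. If that exception is raised while the ACL entries are being loaded, the manager would come up with whatever ACLs were read before the failure; how `checkPermission` treats a resource with no ACL is not visible here, so it should be confirmed that this fails closed. Unless best-effort start-up is deliberate, rethrow in that branch too (`throw e;` fits the `throws EBaseException` clause shown on the `init` signature in an earlier hunk), or add a comment stating why continuing is safe. `errMsg` in the first branch is assigned and not used in the visible lines. The enclosing method, apparently `init()`, starts before this hunk and continues after it.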
@@ -199,28 +198,30 @@ public class DirAclAuthz extends AAclAuthz } /** - * check the authorization permission for the user associated with - * authToken on operation + * check the authorization permission for the user associated with authToken + * on operation * <p> * Example: * <p> - * For example, if UsrGrpAdminServlet needs to authorize the caller - * it would do be done in the following fashion: + * For example, if UsrGrpAdminServlet needs to authorize the caller it would + * do be done in the following fashion: + * * <PRE> - * try { - * authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read"); - * } catch (EBaseException e) { - * log(ILogger.LL_FAILURE, "authorize call: "+ e.toString()); - * } - * </PRE> + * try { + * authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read"); + * } catch (EBaseException e) { + * log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); + * } + * </PRE> + * * @param authToken the authToken associated with a user * @param resource - the protected resource name * @param operation - the protected resource operation name * @exception EBaseException If an internal error occurred. * @return authzToken */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { + public AuthzToken authorize(IAuthToken authToken, String resource, + String operation) throws EAuthzInternalError, EAuthzAccessDenied { AuthzToken authzToken = new AuthzToken(this); try { 
@@ -228,45 +229,49 @@ public class DirAclAuthz extends AAclAuthz // compose AuthzToken authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, + AuthzToken.AUTHZ_STATUS_SUCCESS); CMS.debug("DirAclAuthz: authorization passed"); } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = {resource, operation}; + // audit here later + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + throw new EAuthzAccessDenied(CMS.getUserMessage( + "CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); } - + return authzToken; } public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { + throws EAuthzAccessDenied { if (evaluateACLs(authToken, expression)) { return (new AuthzToken(this)); } else { - String params[] = {expression}; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage( + "CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); } } /** - * update acls. when memory update is done, flush to ldap. + * update acls. when memory update is done, flush to ldap. * <p> - * Currently, it is possible that when the memory is updated - * successfully, and the ldap isn't, the memory upates lingers. - * The result is that the changes will only be done on ldap at the - * next update, or when the system shuts down, another flush will be - * attempted. 
+ * Currently, it is possible that when the memory is updated successfully, + * and the ldap isn't, the memory upates lingers. The result is that the + * changes will only be done on ldap at the next update, or when the system + * shuts down, another flush will be attempted. + * * @param id is the resource id * @param rights The allowable rights for this resource - * @param strACLs has the same format as a resourceACLs entry acis - * on the ldap server + * @param strACLs has the same format as a resourceACLs entry acis on the + * ldap server * @param desc The description for this resource */ - public void updateACLs(String id, String rights, String strACLs, - String desc) throws EACLsException { + public void updateACLs(String id, String rights, String strACLs, String desc) + throws EACLsException { try { super.updateACLs(id, rights, strACLs, desc); flushResourceACLs(); @@ -276,9 +281,11 @@ public class DirAclAuthz extends AAclAuthz needsFlush = true; String errMsg = "updateACLs: failed to flushResourceACLs(): " - + ex.toString(); + + ex.toString(); - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", + ex.toString())); throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); } @@ -334,7 +341,7 @@ public class DirAclAuthz extends AAclAuthz } /** - * graceful shutdown + * graceful shutdown */ public void shutdown() { if (needsFlush) { 
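Review bot: The denial path of `authorize(IAuthToken, String, String)` logs only `CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")`, with no resource, operation or exception text, and the `// audit here later` comment indicates no audit record is written at this point. Someone reading the system log cannot tell which resource was refused, which makes repeated denials against one resource hard to spot. If the message template accepts arguments, pass them, e.g. `CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED", resource, operation)`; otherwise append them to the logged string. BasicAclAuthz.authorize (hunk at -142) has the same pattern. The method starts in the preceding hunk (-199).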
@@ -343,20 +350,25 @@ public class DirAclAuthz extends AAclAuthz flushResourceACLs(); } catch (EACLsException e) { // flushing failed again...too bad - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_ERROR", + e.toString())); } } try { mLdapConnFactory.reset(); mLdapConnFactory = null; - } catch (ELdapException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_LDAP_ERROR", e.toString())); + } catch (ELdapException e) { + log(ILogger.LL_FAILURE, + CMS.getLogMessage("AUTHZ_EVALUATOR_LDAP_ERROR", + e.toString())); } } /** * Logs a message for this class in the system log file. + * * @param level The log level. * @param msg The message to log. * @see com.netscape.certsrv.logging.ILogger @@ -364,7 +376,7 @@ public class DirAclAuthz extends AAclAuthz protected void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, level, + msg); } } |
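Review bot: When the last-chance `flushResourceACLs()` in `shutdown()` fails, the pending in-memory ACL changes are dropped with only a log line and the comment `// flushing failed again...too bad`. The init hunks suggest ACLs are read back from LDAP at start-up; if so, a rule that was tightened in memory would revert to the older directory copy after a restart. The comment should say that, e.g. `// unflushed ACL changes are lost; LDAP still holds the previous rules`. Further down, `mLdapConnFactory.reset()` runs without a null check and the field is then set to null, so a second `shutdown()` call would throw a NullPointerException that `catch (ELdapException e)` does not cover; wrapping those two statements in `if (mLdapConnFactory != null) { ... }` avoids it. `shutdown()` begins in the preceding hunk.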