Diffstat (limited to 'pki/base/common/src/com/netscape/cms/evaluators')
4 files changed, 90 insertions, 71 deletions
diff --git a/pki/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java b/pki/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java index d026cdbaf..d945d7082 100644 --- a/pki/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java +++ b/pki/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.evaluators; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.EBaseException; @@ -28,7 +27,6 @@ import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cmsutil.util.Utils; - /** * A class represents a group acls evaluator. * <P> @@ -54,7 +52,7 @@ public class GroupAccessEvaluator implements IAccessEvaluator { } /** - * initialization. nothing for now. + * initialization. nothing for now. */ public void init() { CMS.debug("GroupAccessEvaluator: init"); @@ -62,6 +60,7 @@ public class GroupAccessEvaluator implements IAccessEvaluator { /** * gets the type name for this acl evaluator + * * @return type for this acl evaluator: "group" or "at_group" */ public String getType() { @@ -70,6 +69,7 @@ public class GroupAccessEvaluator implements IAccessEvaluator { /** * gets the description for this acl evaluator + * * @return description for this acl evaluator */ public String getDescription() { 
@@ -85,16 +85,16 @@ public class GroupAccessEvaluator implements IAccessEvaluator { } /** - * evaluates uid in AuthToken to see if it has membership in - * group value + * evaluates uid in AuthToken to see if it has membership in group value + * * @param authToken authentication token * @param type must be "at_group" * @param op must be "=" * @param value the group name - * @return true if AuthToken uid belongs to the group value, - * false otherwise + * @return true if AuthToken uid belongs to the group value, false otherwise */ - public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + public boolean evaluate(IAuthToken authToken, String type, String op, + String value) { if (type.equals(mType)) { // should define "uid" at a common place @@ -104,17 +104,20 @@ public class GroupAccessEvaluator implements IAccessEvaluator { if (uid == null) { uid = authToken.getInString("uid"); if (uid == null) { - CMS.debug("GroupAccessEvaluator: evaluate: uid null"); - log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); - return false; + CMS.debug("GroupAccessEvaluator: evaluate: uid null"); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("EVALUTOR_UID_NULL")); + return false; } } - CMS.debug("GroupAccessEvaluator: evaluate: uid="+uid +" value="+value); + CMS.debug("GroupAccessEvaluator: evaluate: uid=" + uid + " value=" + + value); String groupname = authToken.getInString("gid"); if (groupname != null) { - CMS.debug("GroupAccessEvaluator: evaluate: authToken gid="+groupname); + CMS.debug("GroupAccessEvaluator: evaluate: authToken gid=" + + groupname); if (op.equals("=")) { return groupname.equals(Utils.stripQuotes(value)); } else if (op.equals("!=")) { 
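Review bot: The Javadoc on `evaluate(IAuthToken, String, String, String)` in the @@ -85,16 hunk still says `@param op must be "="`, but the body also branches on `"!="` (visible at the end of the @@ -104,17 hunk). For an access-control evaluator the operator contract should be stated exactly; I would change the tag to `@param op "=" or "!="`. The same wording sits on the token-based `evaluate` in UserAccessEvaluator and UserOrigReqAccessEvaluator, both of which also handle `"!="`. The method body continues past this hunk.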
@@ -123,12 +126,12 @@ public class GroupAccessEvaluator implements IAccessEvaluator { } else { CMS.debug("GroupAccessEvaluator: evaluate: no gid in authToken"); IUser id = null; - try { - id = mUG.getUser(uid); - } catch (EBaseException e) { + try { + id = mUG.getUser(uid); + } catch (EBaseException e) { CMS.debug("GroupAccessEvaluator: " + e.toString()); return false; - } + } if (op.equals("=")) { return mUG.isMemberOf(id, Utils.stripQuotes(value)); @@ -142,13 +145,14 @@ public class GroupAccessEvaluator implements IAccessEvaluator { } /** - * evaluates uid in SessionContext to see if it has membership in - * group value + * evaluates uid in SessionContext to see if it has membership in group + * value + * * @param type must be "group" * @param op must be "=" * @param value the group name - * @return true if SessionContext uid belongs to the group value, - * false otherwise + * @return true if SessionContext uid belongs to the group value, false + * otherwise */ public boolean evaluate(String type, String op, String value) { @@ -161,12 +165,12 @@ public class GroupAccessEvaluator implements IAccessEvaluator { log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); return false; } - if (op.equals("=")) + if (op.equals("=")) return mUG.isMemberOf(id, Utils.stripQuotes(value)); else return !(mUG.isMemberOf(id, Utils.stripQuotes(value))); - - } + + } return false; } @@ -174,8 +178,8 @@ public class GroupAccessEvaluator implements IAccessEvaluator { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, - level, "GroupAccessEvaluator: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, level, + "GroupAccessEvaluator: " + msg); } } diff --git a/pki/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java b/pki/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java index a5c99eeb9..4de8f694f 100644 
--- a/pki/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java +++ b/pki/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.evaluators; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.SessionContext; @@ -25,7 +24,6 @@ import com.netscape.certsrv.evaluators.IAccessEvaluator; import com.netscape.certsrv.logging.ILogger; import com.netscape.cmsutil.util.Utils; - /** * A class represents a IP address acls evaluator. * <P> @@ -44,13 +42,14 @@ public class IPAddressAccessEvaluator implements IAccessEvaluator { } /** - * initialization. nothing for now. + * initialization. nothing for now. */ public void init() { } /** * gets the type name for this acl evaluator + * * @return type for this acl evaluator: ipaddress */ public String getType() { @@ -59,6 +58,7 @@ public class IPAddressAccessEvaluator implements IAccessEvaluator { /** * gets the description for this acl evaluator + * * @return description for this acl evaluator */ public String getDescription() { 
@@ -75,24 +75,27 @@ public class IPAddressAccessEvaluator implements IAccessEvaluator { /** * Gets the IP address from session context + * * @param authToken authentication token * @param type must be "ipaddress" * @param op must be "=" or "!=" * @param value the ipaddress */ - public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + public boolean evaluate(IAuthToken authToken, String type, String op, + String value) { return evaluate(type, op, value); } /** - * evaluates uid in SessionContext to see if it has membership in - * group value + * evaluates uid in SessionContext to see if it has membership in group + * value + * * @param type must be "group" * @param op must be "=" * @param value the group name - * @return true if SessionContext uid belongs to the group value, - * false otherwise + * @return true if SessionContext uid belongs to the group value, false + * otherwise */ public boolean evaluate(String type, String op, String value) { @@ -103,16 +106,17 @@ public class IPAddressAccessEvaluator implements IAccessEvaluator { if (type.equals(mType)) { if (ipaddress == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUATOR_IPADDRESS_NULL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("EVALUATOR_IPADDRESS_NULL")); return false; } - if (op.equals("=")) { + if (op.equals("=")) { return ipaddress.matches(value); } else { return !(ipaddress.matches(value)); } - - } + + } return false; } @@ -120,7 +124,7 @@ public class IPAddressAccessEvaluator implements IAccessEvaluator { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, - level, "GroupAccessEvaluator: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, level, + "GroupAccessEvaluator: " + msg); } } 
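Review bot: In `evaluate(String, String, String)` (hunk @@ -103,16) the bare `else` treats every operator other than `"="` as a negated match, so unless unknown operators are rejected upstream (not visible here) a mistyped operator in an ACL entry evaluates to true for every non-matching address. I would make the negation explicit with `} else if (op.equals("!=")) {` and let anything else reach the final `return false;`. GroupAccessEvaluator's `evaluate(String, String, String)` (hunk @@ -161,12) has the same bare `else`. Separately, `ipaddress.matches(value)` interprets the ACL value as a regular expression, so an unescaped `.` matches any character and a malformed value throws `PatternSyntaxException` out of the access decision; the Javadoc should at least say that `value` is a regex.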
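Review bot: `log()` in IPAddressAccessEvaluator (hunk @@ -120,7) still prefixes its messages with `"GroupAccessEvaluator: "`, so an `EVALUATOR_IPADDRESS_NULL` failure is attributed to the group evaluator in the system log. Since the line is being re-wrapped anyway, it should read `"IPAddressAccessEvaluator: " + msg`. The Javadoc on `evaluate(String, String, String)` in the @@ -75,24 hunk carries the same copy-paste: it still describes uid/group membership and `type must be "group"`, and should instead describe the IP address comparison with type `"ipaddress"`.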
diff --git a/pki/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java b/pki/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java index 4b6b56772..862206a9a 100644 --- a/pki/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java +++ b/pki/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.evaluators; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.SessionContext; @@ -26,7 +25,6 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cmsutil.util.Utils; - /** * A class represents a user acls evaluator. * <P> @@ -48,7 +46,7 @@ public class UserAccessEvaluator implements IAccessEvaluator { } /** - * initialization. nothing for now. + * initialization. nothing for now. */ public void init() { CMS.debug("UserAccessEvaluator: init"); @@ -56,6 +54,7 @@ public class UserAccessEvaluator implements IAccessEvaluator { /** * gets the type name for this acl evaluator + * * @return type for this acl evaluator: "user" or "at_user" */ public String getType() { @@ -64,6 +63,7 @@ public class UserAccessEvaluator implements IAccessEvaluator { /** * gets the description for this acl evaluator + * * @return description for this acl evaluator */ public String getDescription() { 
@@ -80,27 +80,30 @@ public class UserAccessEvaluator implements IAccessEvaluator { /** * Evaluates the user in AuthToken to see if it's equal to value + * * @param authToken AuthToken from authentication * @param type must be "at_user" * @param op must be "=" * @param value the user id * @return true if AuthToken uid is same as value, false otherwise */ - public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + public boolean evaluate(IAuthToken authToken, String type, String op, + String value) { if (type.equals(mType)) { String s = Utils.stripQuotes(value); if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) - return true; - - // should define "uid" at a common place + return true; + + // should define "uid" at a common place String uid = null; uid = authToken.getInString("uid"); if (uid == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_IS_NULL")); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("EVALUTOR_UID_IS_NULL")); return false; } @@ -108,13 +111,14 @@ public class UserAccessEvaluator implements IAccessEvaluator { return s.equalsIgnoreCase(uid); else if (op.equals("!=")) return !(s.equalsIgnoreCase(uid)); - } + } return false; } /** * Evaluates the user in session context to see if it's equal to value + * * @param type must be "user" * @param op must be "=" * @param value the user id @@ -144,8 +148,8 @@ public class UserAccessEvaluator implements IAccessEvaluator { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, - level, "UserAccessEvaluator: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, level, + "UserAccessEvaluator: " + msg); } } diff --git a/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java b/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java index 88358aa58..ffe4a4f8e 100644 
--- a/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java +++ b/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cms.evaluators; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.base.SessionContext; @@ -26,12 +25,11 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.usrgrp.IUser; import com.netscape.cmsutil.util.Utils; - /** - * A class represents a user-origreq uid mapping acls evaluator. - * This is primarily used for renewal. During renewal, the orig_req - * uid is placed in the SessionContext of the renewal session context - * to be evaluated by this evaluator + * A class represents a user-origreq uid mapping acls evaluator. This is + * primarily used for renewal. During renewal, the orig_req uid is placed in the + * SessionContext of the renewal session context to be evaluated by this + * evaluator * <P> * * @author Christina Fu @@ -52,7 +50,7 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { } /** - * initialization. nothing for now. + * initialization. nothing for now. */ public void init() { CMS.debug("UserOrigReqAccessEvaluator: init"); @@ -60,6 +58,7 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { /** * gets the type name for this acl evaluator + * * @return type for this acl evaluator: "user_origreq" or "at_user_origreq" */ public String getType() { @@ -68,6 +67,7 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { /** * gets the description for this acl evaluator + * * @return description for this acl evaluator */ public String getDescription() { 
@@ -84,21 +84,23 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { /** * Evaluates the user in AuthToken to see if it's equal to value + * * @param authToken AuthToken from authentication * @param type must be "at_userreq" * @param op must be "=" * @param value the request param name * @return true if AuthToken uid is same as value, false otherwise */ - public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + public boolean evaluate(IAuthToken authToken, String type, String op, + String value) { CMS.debug("UserOrigReqAccessEvaluator: evaluate() begins"); if (type.equals(mType)) { String s = Utils.stripQuotes(value); if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) - return true; - - // should define "uid" at a common place + return true; + + // should define "uid" at a common place String uid = null; uid = authToken.getInString("uid"); 
@@ -107,30 +109,34 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken null"); return false; } else - CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken ="+ uid); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken =" + + uid); // find value of param in request SessionContext mSC = SessionContext.getContext(); - CMS.debug("UserOrigReqAccessEvaluator: evaluate() getting "+"orig_req."+s+ " in SessionContext"); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() getting " + + "orig_req." + s + " in SessionContext"); // "orig_req.auth_token.uid" - String orig_id = (String) mSC.get("orig_req."+s); + String orig_id = (String) mSC.get("orig_req." + s); if (orig_id == null) { CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id null"); return false; } - CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id ="+ orig_id); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id =" + + orig_id); if (op.equals("=")) return uid.equalsIgnoreCase(orig_id); else if (op.equals("!=")) return !(uid.equalsIgnoreCase(orig_id)); - } + } return false; } /** * Evaluates the user in session context to see if it's equal to value + * * @param type must be "user_origreq" * @param op must be "=" * @param value the user id @@ -141,7 +147,7 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { SessionContext mSC = SessionContext.getContext(); if (type.equals(mType)) { -// what do I do with s here? + // what do I do with s here? String s = Utils.stripQuotes(value); if (s.equals(ANYBODY) && op.equals("=")) @@ -149,7 +155,7 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { IUser id = (IUser) mSC.get(SessionContext.USER); // "orig_req.auth_token.uid" - String orig_id = (String) mSC.get("orig_req"+s); + String orig_id = (String) mSC.get("orig_req" + s); if (op.equals("=")) return id.getName().equalsIgnoreCase(orig_id); 
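Review bot: The session-context `evaluate` (hunk @@ -149,7) looks up `mSC.get("orig_req" + s)` without the dot that the token-based variant uses (`"orig_req." + s` in the @@ -107,30 hunk), while the comment above both lookups says `"orig_req.auth_token.uid"`. If the key is meant to be the same, this lookup presumably returns null and the `=` comparison can never succeed; it should read `mSC.get("orig_req." + s)`. `id` is also dereferenced via `id.getName()` with no null check after the cast from `mSC.get(SessionContext.USER)`, so a session without a user throws instead of denying; adding `if (id == null) return false;` before the comparison keeps the decision fail-closed. The method continues past this hunk.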
@@ -159,11 +165,12 @@ public class UserOrigReqAccessEvaluator implements IAccessEvaluator { return false; } + private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, - level, "UserOrigReqAccessEvaluator: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, level, + "UserOrigReqAccessEvaluator: " + msg); } } |