Diffstat (limited to 'pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java')
-rw-r--r--pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java217
1 files changed, 118 insertions, 99 deletions
diff --git a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java
index 6438dc4ae..4b9291481 100644
--- a/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java
+++ b/pki/base/common/src/com/netscape/cms/policy/constraints/AttributePresentConstraints.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cms.policy.constraints;
-
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Locale;
@@ -44,20 +43,20 @@ import com.netscape.certsrv.request.PolicyResult;
import com.netscape.certsrv.request.RequestId;
import com.netscape.cms.policy.APolicyRule;
-
/**
* This checks if attribute present.
* <P>
+ *
* <PRE>
* NOTE: The Policy Framework has been replaced by the Profile Framework.
* </PRE>
* <P>
- *
+ *
* @deprecated
* @version $Revision$, $Date$
*/
-public class AttributePresentConstraints extends APolicyRule
- implements IEnrollmentPolicy, IExtendedPluginInfo {
+public class AttributePresentConstraints extends APolicyRule implements
+ IEnrollmentPolicy, IExtendedPluginInfo {
protected static final String PROP_ENABLED = "enabled";
protected static final String PROP_LDAP = "ldap";
@@ -76,50 +75,59 @@ public class AttributePresentConstraints extends APolicyRule
private LDAPConnection mCheckAttrLdapConnection = null;
public AttributePresentConstraints() {
- DESC = "Rejects request if ldap attribute is not present in the " +
- "directory.";
+ DESC = "Rejects request if ldap attribute is not present in the "
+ + "directory.";
}
public String[] getExtendedPluginInfo(Locale locale) {
String params[] = {
- PROP_ATTR + ";string,required;Ldap attribute to check presence of (default " +
- DEF_ATTR + ")",
- PROP_VALUE + ";string;if this parameter is non-empty, the attribute must " +
- "match this value for the request to proceed ",
- PROP_LDAP_BASE + ";string,required;Base DN to start searching " +
- "under. If your user's DN is 'uid=jsmith, o=company', you " +
- "might want to use 'o=company' here",
- PROP_LDAP_HOST + ";string,required;" +
- "LDAP host to connect to",
- PROP_LDAP_PORT + ";number,required;" +
- "LDAP port number (use 389, or 636 if SSL)",
- PROP_LDAP_SSL + ";boolean;" +
- "Use SSL to connect to directory?",
- PROP_LDAP_VER + ";choice(3,2),required;" +
- "LDAP protocol version",
- PROP_LDAP_BIND + ";string;DN to bind as for attribute checking. " +
- "For example 'CN=Pincheck User'",
- PROP_LDAP_PW + ";password;Enter password used to bind as " +
- "the above user",
- PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;" +
- "How to bind to the directory",
- PROP_LDAP_CERT + ";string;If you want to use " +
- "SSL client auth to the directory, set the client " +
- "cert nickname here",
- PROP_LDAP_BASE + ";string,required;Base DN to start searching " +
- "under. If your user's DN is 'uid=jsmith, o=company', you " +
- "might want to use 'o=company' here",
- PROP_LDAP_MINC + ";number;number of connections " +
- "to keep open to directory server. Default " + DEF_LDAP_MINC,
- PROP_LDAP_MAXC + ";number;when needed, connection " +
- "pool can grow to this many (multiplexed) connections. Default " + DEF_LDAP_MAXC,
- IExtendedPluginInfo.HELP_TOKEN +
- ";configuration-policyrules-pinpresent",
- IExtendedPluginInfo.HELP_TEXT +
- ";" + DESC + " This plugin can be used to " +
- "check the presence (and, optionally, the value) of any LDAP " +
- "attribute for the user. "
- };
+ PROP_ATTR
+ + ";string,required;Ldap attribute to check presence of (default "
+ + DEF_ATTR + ")",
+ PROP_VALUE
+ + ";string;if this parameter is non-empty, the attribute must "
+ + "match this value for the request to proceed ",
+ PROP_LDAP_BASE
+ + ";string,required;Base DN to start searching "
+ + "under. If your user's DN is 'uid=jsmith, o=company', you "
+ + "might want to use 'o=company' here",
+ PROP_LDAP_HOST + ";string,required;"
+ + "LDAP host to connect to",
+ PROP_LDAP_PORT + ";number,required;"
+ + "LDAP port number (use 389, or 636 if SSL)",
+ PROP_LDAP_SSL + ";boolean;"
+ + "Use SSL to connect to directory?",
+ PROP_LDAP_VER + ";choice(3,2),required;"
+ + "LDAP protocol version",
+ PROP_LDAP_BIND
+ + ";string;DN to bind as for attribute checking. "
+ + "For example 'CN=Pincheck User'",
+ PROP_LDAP_PW + ";password;Enter password used to bind as "
+ + "the above user",
+ PROP_LDAP_AUTH + ";choice(BasicAuth,SslClientAuth),required;"
+ + "How to bind to the directory",
+ PROP_LDAP_CERT + ";string;If you want to use "
+ + "SSL client auth to the directory, set the client "
+ + "cert nickname here",
+ PROP_LDAP_BASE
+ + ";string,required;Base DN to start searching "
+ + "under. If your user's DN is 'uid=jsmith, o=company', you "
+ + "might want to use 'o=company' here",
+ PROP_LDAP_MINC + ";number;number of connections "
+ + "to keep open to directory server. Default "
+ + DEF_LDAP_MINC,
+ PROP_LDAP_MAXC
+ + ";number;when needed, connection "
+ + "pool can grow to this many (multiplexed) connections. Default "
+ + DEF_LDAP_MAXC,
+ IExtendedPluginInfo.HELP_TOKEN
+ + ";configuration-policyrules-pinpresent",
+ IExtendedPluginInfo.HELP_TEXT
+ + ";"
+ + DESC
+ + " This plugin can be used to "
+ + "check the presence (and, optionally, the value) of any LDAP "
+ + "attribute for the user. " };
return params;
}
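Review bot: The rebuilt `params` array on the new side still lists `PROP_LDAP_BASE` twice (the entries starting at `PROP_LDAP_BASE + ";string,required;Base DN to start searching "` appear once after `PROP_VALUE` and again after `PROP_LDAP_CERT`), so the plugin-info consumer sees a duplicate, identically worded parameter; the reformatting commit reflows both copies instead of dropping one. Remove the second copy so the descriptor matches the single `ldap.basedn` parameter the class actually reads. The help token `";configuration-policyrules-pinpresent"` also looks like it was carried over from a sibling pin-present plugin rather than naming this rule — worth confirming against the documentation index before relying on it.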
@@ -180,9 +188,9 @@ public class AttributePresentConstraints extends APolicyRule
protected static final String PROP_VALUE = "value";
protected static final String DEF_VALUE = "";
- protected static Vector mParamNames;
+ protected static Vector mParamNames;
protected static Hashtable mParamDefault;
- protected Hashtable mParamValue = null;
+ protected Hashtable mParamValue = null;
static {
mParamNames = new Vector();
@@ -201,7 +209,7 @@ public class AttributePresentConstraints extends APolicyRule
addParam(PROP_ATTR, DEF_ATTR);
addParam(PROP_VALUE, DEF_VALUE);
};
-
+
protected static void addParam(String name, Object value) {
mParamNames.addElement(name);
mParamDefault.put(name, value);
@@ -210,40 +218,33 @@ public class AttributePresentConstraints extends APolicyRule
protected void getStringConfigParam(IConfigStore config, String paramName) {
try {
mParamValue.put(
- paramName, config.getString(paramName, (String) mParamDefault.get(paramName))
- );
+ paramName,
+ config.getString(paramName,
+ (String) mParamDefault.get(paramName)));
} catch (Exception e) {
}
}
protected void getIntConfigParam(IConfigStore config, String paramName) {
try {
- mParamValue.put(
- paramName, Integer.valueOf(
- config.getInteger(paramName,
- ((Integer) mParamDefault.get(paramName)).intValue()
- )
- )
- );
+ mParamValue.put(paramName, Integer.valueOf(config.getInteger(
+ paramName,
+ ((Integer) mParamDefault.get(paramName)).intValue())));
} catch (Exception e) {
}
}
protected void getBooleanConfigParam(IConfigStore config, String paramName) {
try {
- mParamValue.put(
- paramName, Boolean.valueOf(
- config.getBoolean(paramName,
- ((Boolean) mParamDefault.get(paramName)).booleanValue()
- )
- )
- );
+ mParamValue.put(paramName, Boolean.valueOf(config.getBoolean(
+ paramName,
+ ((Boolean) mParamDefault.get(paramName)).booleanValue())));
} catch (Exception e) {
}
}
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mConfig = config;
mParamValue = new Hashtable();
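Review bot: The three reformatted helpers `getStringConfigParam`, `getIntConfigParam` and `getBooleanConfigParam` keep an empty `catch (Exception e) { }`, so a malformed value (for example a non-numeric port or a bad boolean) silently leaves `paramName` absent from `mParamValue`, and the later `(String) mParamValue.get(...)` / `(Integer) ...` lookups then operate on `null` far from the cause. At minimum record the failure through the class's own logger: `} catch (Exception e) { log(ILogger.LL_FAILURE, "unable to read config parameter " + paramName + ": " + e); }`. Since `init` is declared `throws EBaseException`, it would be cleaner still to let a required parameter's parse error propagate rather than fall back to an unset value; `init`'s body continues outside this hunk.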
@@ -277,14 +278,16 @@ public class AttributePresentConstraints extends APolicyRule
String requestType = r.getRequestType();
- if (requestType.equals(IRequest.ENROLLMENT_REQUEST) ||
- requestType.equals(IRequest.RENEWAL_REQUEST)) {
+ if (requestType.equals(IRequest.ENROLLMENT_REQUEST)
+ || requestType.equals(IRequest.RENEWAL_REQUEST)) {
String uid = r.getExtDataInString(IRequest.HTTP_PARAMS, "uid");
if (uid == null) {
- log(ILogger.LL_INFO, "did not find UID parameter in request " + r.getRequestId());
- setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), "");
+ log(ILogger.LL_INFO, "did not find UID parameter in request "
+ + r.getRequestId());
+ setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"),
+ "");
return PolicyResult.REJECTED;
}
@@ -292,26 +295,34 @@ public class AttributePresentConstraints extends APolicyRule
try {
String[] attrs = { (String) mParamValue.get(PROP_ATTR) };
- LDAPSearchResults searchResult =
- mCheckAttrLdapConnection.search((String) mParamValue.get(PROP_LDAP_BASE),
- LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs, false);
-
+ LDAPSearchResults searchResult = mCheckAttrLdapConnection
+ .search((String) mParamValue.get(PROP_LDAP_BASE),
+ LDAPv2.SCOPE_SUB, "(uid=" + uid + ")", attrs,
+ false);
+
if (!searchResult.hasMoreElements()) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
- setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), "");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", uid));
+ setError(r,
+ CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"),
+ "");
return PolicyResult.REJECTED;
}
LDAPEntry entry = (LDAPEntry) searchResult.nextElement();
userdn = entry.getDN();
-
- LDAPAttribute attr = entry.getAttribute((String) mParamValue.get(PROP_ATTR));
+
+ LDAPAttribute attr = entry.getAttribute((String) mParamValue
+ .get(PROP_ATTR));
/* if attribute not present, reject the request */
if (attr == null) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn));
- setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), "");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn));
+ setError(r,
+ CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"),
+ "");
return PolicyResult.REJECTED;
}
String acceptedValue = ((String) mParamValue.get(PROP_VALUE));
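Review bot: The search filter on the new side, `"(uid=" + uid + ")"`, embeds the `uid` value taken from the request's HTTP parameters (the `getExtDataInString(IRequest.HTTP_PARAMS, "uid")` call in the preceding hunk) without escaping, so a value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) changes the meaning of the filter instead of being matched literally, and the reformatting commit does not address this. The preceding hunk only rejects a `null` uid, so an empty string also reaches the directory as `(uid=)`, and with `LDAPv2.SCOPE_SUB` only the first of possibly several matching entries is consulted via `searchResult.nextElement()`. Escape the value per RFC 4515 before concatenation and reject blank values alongside the existing null check; the escape helper below belongs at class level. The enclosing `apply` method starts and ends outside this hunk.
```java
/** Escapes LDAP filter metacharacters (RFC 4515) so the value is matched literally. */
private static String escapeFilterValue(String value) {
    StringBuffer sb = new StringBuffer(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*':  sb.append("\\2a"); break;
        case '(':  sb.append("\\28"); break;
        case ')':  sb.append("\\29"); break;
        case '\0': sb.append("\\00"); break;
        default:   sb.append(c);
        }
    }
    return sb.toString();
}

// … unchanged: attrs array …
LDAPSearchResults searchResult = mCheckAttrLdapConnection
        .search((String) mParamValue.get(PROP_LDAP_BASE),
                LDAPv2.SCOPE_SUB, "(uid=" + escapeFilterValue(uid) + ")", attrs,
                false);
```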
@@ -327,17 +338,24 @@ public class AttributePresentConstraints extends APolicyRule
}
}
if (matches == 0) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMS_AUTH_NO_PIN_FOUND", userdn));
- setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), "");
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMS_AUTH_NO_PIN_FOUND", userdn));
+ setError(
+ r,
+ CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"),
+ "");
return PolicyResult.REJECTED;
}
}
-
- CMS.debug("AttributePresentConstraints: Attribute is present for user: \"" + userdn + "\"");
+
+ CMS.debug("AttributePresentConstraints: Attribute is present for user: \""
+ + userdn + "\"");
} catch (LDAPException e) {
- log(ILogger.LL_FAILURE, CMS.getLogMessage("POLICY_PIN_UNAUTHORIZED"));
- setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"), "");
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("POLICY_PIN_UNAUTHORIZED"));
+ setError(r, CMS.getUserMessage("CMS_POLICY_PIN_UNAUTHORIZED"),
+ "");
return PolicyResult.REJECTED;
}
@@ -383,25 +401,26 @@ public class AttributePresentConstraints extends APolicyRule
return params;
/*
- params.addElement("ldap.ldapconn.host=localhost");
- params.addElement("ldap.ldapconn.port=389");
- params.addElement("ldap.ldapconn.secureConn=false");
- params.addElement("ldap.ldapconn.version=3");
- params.addElement("ldap.ldapauth.bindDN=CN=Directory Manager");
- params.addElement("ldap.ldapauth.bindPWPrompt=");
- params.addElement("ldap.ldapauth.clientCertNickname=");
- params.addElement("ldap.ldapauth.authtype=BasicAuth");
- params.addElement("ldap.basedn=");
- params.addElement("ldap.minConns=1");
- params.addElement("ldap.maxConns=5");
+ * params.addElement("ldap.ldapconn.host=localhost");
+ * params.addElement("ldap.ldapconn.port=389");
+ * params.addElement("ldap.ldapconn.secureConn=false");
+ * params.addElement("ldap.ldapconn.version=3");
+ * params.addElement("ldap.ldapauth.bindDN=CN=Directory Manager");
+ * params.addElement("ldap.ldapauth.bindPWPrompt=");
+ * params.addElement("ldap.ldapauth.clientCertNickname=");
+ * params.addElement("ldap.ldapauth.authtype=BasicAuth");
+ * params.addElement("ldap.basedn=");
+ * params.addElement("ldap.minConns=1");
+ * params.addElement("ldap.maxConns=5");
*/
}
protected void log(int level, String msg) {
- if (mLogger == null) return;
+ if (mLogger == null)
+ return;
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER,
- level, "AttributePresentConstraints: " + msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, level,
+ "AttributePresentConstraints: " + msg);
}
}