From a405515d3b2ef8f6e22ef3ecc2d7eed3081bec1d Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Mon, 11 Feb 2013 22:01:56 -0500 Subject: Added user-add/remove-membership CLI. --- .../certsrv/group/GroupMemberCollection.java | 4 +- .../netscape/certsrv/group/GroupMemberData.java | 36 +- .../src/com/netscape/certsrv/user/UserClient.java | 10 + .../certsrv/user/UserMembershipCollection.java | 4 +- .../netscape/certsrv/user/UserMembershipData.java | 37 +- .../certsrv/user/UserMembershipResource.java | 17 + .../cms/servlet/admin/GroupMemberService.java | 315 ++--------------- .../netscape/cms/servlet/admin/GroupProcessor.java | 393 +++++++++++++++++++++ .../cms/servlet/admin/UserCertService.java | 4 +- .../cms/servlet/admin/UserMembershipService.java | 60 +++- .../netscape/cms/servlet/admin/UserService.java | 2 +- .../netscape/cms/servlet/processors/Processor.java | 49 +++ .../src/com/netscape/cmstools/group/GroupCLI.java | 2 +- .../cmstools/user/UserAddMembershipCLI.java | 57 +++ .../src/com/netscape/cmstools/user/UserCLI.java | 4 +- .../cmstools/user/UserRemoveMembershipCLI.java | 54 +++ .../x509/AuthorityKeyIdentifierExtension.java | 2 +- 17 files changed, 724 insertions(+), 326 deletions(-) create mode 100644 base/common/src/com/netscape/cms/servlet/admin/GroupProcessor.java create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java create mode 100644 base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberCollection.java b/base/common/src/com/netscape/certsrv/group/GroupMemberCollection.java index d19d939ad..03474d23d 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberCollection.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberCollection.java @@ -68,11 +68,11 @@ public class GroupMemberCollection { GroupMemberCollection response = new GroupMemberCollection(); GroupMemberData member1 = new GroupMemberData(); - member1.setID("User 1"); + member1.setUserID("User 1"); response.addMember(member1); GroupMemberData member2 = new GroupMemberData(); - member2.setID("User 2"); + member2.setUserID("User 2"); response.addMember(member2); JAXBContext context = JAXBContext.newInstance(GroupMemberCollection.class); diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberData.java b/base/common/src/com/netscape/certsrv/group/GroupMemberData.java index 11f3a2147..4bf9edaba 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberData.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberData.java @@ -33,18 +33,28 @@ import com.netscape.certsrv.common.Constants; @XmlRootElement(name="GroupMember") public class GroupMemberData { - String id; + String groupID; + String userID; Link link; + @XmlAttribute(name="GroupID") + public String getGroupID() { + return groupID; + } + + public void setGroupID(String groupID) { + this.groupID = groupID; + } + @FormParam(Constants.PR_GROUP_USER) - @XmlAttribute(name="id") - public String getID() { - return id; + @XmlAttribute(name="UserID") + public String getUserID() { + return userID; } - public void setID(String id) { - this.id = id; + public void setUserID(String userID) { + this.userID = userID; } @XmlElement(name="Link") @@ -60,7 +70,8 @@ public class GroupMemberData { public int hashCode() { final int prime = 31; int result = 1; - result = prime * result + ((id == null) ? 0 : id.hashCode()); + result = prime * result + ((groupID == null) ? 0 : groupID.hashCode()); + result = prime * result + ((userID == null) ? 0 : userID.hashCode()); return result; } @@ -73,10 +84,15 @@ public class GroupMemberData { if (getClass() != obj.getClass()) return false; GroupMemberData other = (GroupMemberData) obj; - if (id == null) { - if (other.id != null) + if (groupID == null) { + if (other.groupID != null) + return false; + } else if (!groupID.equals(other.groupID)) + return false; + if (userID == null) { + if (other.userID != null) return false; - } else if (!id.equals(other.id)) + } else if (!userID.equals(other.userID)) return false; return true; } diff --git a/base/common/src/com/netscape/certsrv/user/UserClient.java b/base/common/src/com/netscape/certsrv/user/UserClient.java index 87fe391b6..2dd350354 100644 --- a/base/common/src/com/netscape/certsrv/user/UserClient.java +++ b/base/common/src/com/netscape/certsrv/user/UserClient.java @@ -95,4 +95,14 @@ public class UserClient extends PKIClient { public UserMembershipCollection findUserMemberships(String userID, Integer start, Integer size) { return userMembershipClient.findUserMemberships(userID, start, size); } + + public UserMembershipData addUserMembership(String userID, String groupID) { + @SuppressWarnings("unchecked") + ClientResponse response = (ClientResponse)userMembershipClient.addUserMembership(userID, groupID); + return getEntity(response); + } + + public void removeUserMembership(String userD, String groupID) { + userMembershipClient.removeUserMembership(userD, groupID); + } } diff --git a/base/common/src/com/netscape/certsrv/user/UserMembershipCollection.java b/base/common/src/com/netscape/certsrv/user/UserMembershipCollection.java index f7646d2ef..624891918 100644 --- a/base/common/src/com/netscape/certsrv/user/UserMembershipCollection.java +++ b/base/common/src/com/netscape/certsrv/user/UserMembershipCollection.java @@ -68,11 +68,11 @@ public class UserMembershipCollection { UserMembershipCollection response = new UserMembershipCollection(); UserMembershipData membership1 = new UserMembershipData(); - membership1.setID("Group 1"); + membership1.setGroupID("Group 1"); response.addMembership(membership1); UserMembershipData membership2 = new UserMembershipData(); - membership2.setID("Group 2"); + membership2.setGroupID("Group 2"); response.addMembership(membership2); JAXBContext context = JAXBContext.newInstance(UserMembershipCollection.class); diff --git a/base/common/src/com/netscape/certsrv/user/UserMembershipData.java b/base/common/src/com/netscape/certsrv/user/UserMembershipData.java index 6d5a51ebe..c7d75719c 100644 --- a/base/common/src/com/netscape/certsrv/user/UserMembershipData.java +++ b/base/common/src/com/netscape/certsrv/user/UserMembershipData.java @@ -19,7 +19,6 @@ package com.netscape.certsrv.user; import javax.ws.rs.FormParam; -import javax.xml.bind.annotation.XmlAttribute; import javax.xml.bind.annotation.XmlElement; import javax.xml.bind.annotation.XmlRootElement; @@ -33,18 +32,28 @@ import com.netscape.certsrv.common.Constants; @XmlRootElement(name="UserMembership") public class UserMembershipData { - String id; + String userID; + String groupID; Link link; + @XmlElement(name="UserID") + public String getUserID() { + return userID; + } + + public void setUserID(String userID) { + this.userID = userID; + } + + @XmlElement(name="GroupID") @FormParam(Constants.PR_GROUP_USER) - @XmlAttribute(name="id") - public String getID() { - return id; + public String getGroupID() { + return groupID; } - public void setID(String id) { - this.id = id; + public void setGroupID(String groupID) { + this.groupID = groupID; } @XmlElement(name="Link") @@ -60,7 +69,8 @@ public class UserMembershipData { public int hashCode() { final int prime = 31; int result = 1; - result = prime * result + ((id == null) ? 0 : id.hashCode()); + result = prime * result + ((groupID == null) ? 0 : groupID.hashCode()); + result = prime * result + ((userID == null) ? 0 : userID.hashCode()); return result; } @@ -73,10 +83,15 @@ public class UserMembershipData { if (getClass() != obj.getClass()) return false; UserMembershipData other = (UserMembershipData) obj; - if (id == null) { - if (other.id != null) + if (groupID == null) { + if (other.groupID != null) + return false; + } else if (!groupID.equals(other.groupID)) + return false; + if (userID == null) { + if (other.userID != null) return false; - } else if (!id.equals(other.id)) + } else if (!userID.equals(other.userID)) return false; return true; } diff --git a/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java b/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java index 193af5126..eedc2c961 100644 --- a/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java @@ -18,12 +18,18 @@ package com.netscape.certsrv.user; +import javax.ws.rs.Consumes; +import javax.ws.rs.DELETE; import javax.ws.rs.GET; +import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; + +import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; @@ -40,4 +46,15 @@ public interface UserMembershipResource { @PathParam("userID") String userID, @QueryParam("start") Integer start, @QueryParam("size") Integer size); + + @POST + @ClientResponseType(entityType=UserMembershipData.class) + @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public Response addUserMembership(@PathParam("userID") String userID, String groupID); + + @DELETE + @Path("{groupID}") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public void removeUserMembership(@PathParam("userID") String userID, @PathParam("groupID") String groupID); } diff --git a/base/common/src/com/netscape/cms/servlet/admin/GroupMemberService.java b/base/common/src/com/netscape/cms/servlet/admin/GroupMemberService.java index cd17f5b6c..a6dd58aba 100644 --- a/base/common/src/com/netscape/cms/servlet/admin/GroupMemberService.java +++ b/base/common/src/com/netscape/cms/servlet/admin/GroupMemberService.java @@ -18,35 +18,20 @@ package com.netscape.cms.servlet.admin; -import java.net.URI; -import java.net.URLEncoder; -import java.util.Enumeration; import java.util.Map; -import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; -import org.jboss.resteasy.plugins.providers.atom.Link; - import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.base.BadRequestException; -import com.netscape.certsrv.base.ConflictingOperationException; -import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.PKIException; -import com.netscape.certsrv.base.ResourceNotFoundException; -import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.common.OpDef; import com.netscape.certsrv.common.ScopeDef; import com.netscape.certsrv.group.GroupMemberCollection; import com.netscape.certsrv.group.GroupMemberData; import com.netscape.certsrv.group.GroupMemberResource; -import com.netscape.certsrv.group.GroupNotFoundException; -import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.IAuditor; import com.netscape.certsrv.logging.ILogger; -import com.netscape.certsrv.user.UserResource; -import com.netscape.certsrv.usrgrp.IGroup; -import com.netscape.certsrv.usrgrp.IUGSubsystem; import com.netscape.cms.servlet.base.PKIService; /** @@ -54,311 +39,67 @@ import com.netscape.cms.servlet.base.PKIService; */ public class GroupMemberService extends PKIService implements GroupMemberResource { - public final static int DEFAULT_SIZE = 20; - - public final static String MULTI_ROLE_ENABLE = "multiroles.enable"; - public final static String MULTI_ROLE_ENFORCE_GROUP_LIST = "multiroles.false.groupEnforceList"; - - public static String[] multiRoleGroupEnforceList; - - public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - - public GroupMemberData createGroupMemberData(String memberID) throws Exception { - - GroupMemberData groupMemberData = new GroupMemberData(); - - groupMemberData.setID(memberID); - - String userID = URLEncoder.encode(memberID, "UTF-8"); - URI uri = uriInfo.getBaseUriBuilder().path(UserResource.class).path("{userID}").build(userID); - groupMemberData.setLink(new Link("self", uri)); - - return groupMemberData; - } - @Override public GroupMemberCollection findGroupMembers(String groupID, Integer start, Integer size) { try { - start = start == null ? 0 : start; - size = size == null ? DEFAULT_SIZE : size; - - if (groupID == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); - } + GroupProcessor processor = new GroupProcessor(getLocale()); + processor.setUriInfo(uriInfo); + return processor.findGroupMembers(groupID, start, size); - IGroup group = userGroupManager.getGroupFromName(groupID); - if (group == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); - throw new GroupNotFoundException(groupID); - } - - GroupMemberCollection response = new GroupMemberCollection(); - - Enumeration members = group.getMemberNames(); - - int i = 0; - - // skip to the start of the page - for ( ; i 0) { - URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build(); - response.addLink(new Link("prev", uri)); - } - - if (start+size < i) { - URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build(); - response.addLink(new Link("next", uri)); - } - - return response; - - } catch (PKIException e) { - throw e; - - } catch (Exception e) { + } catch (EBaseException e) { CMS.debug(e); throw new PKIException(getUserMessage("CMS_INTERNAL_ERROR")); } } @Override - public Response addGroupMember(String groupID, String memberID) { - GroupMemberData groupMemberData = new GroupMemberData(); - groupMemberData.setID(memberID); - return addGroupMember(groupID, groupMemberData); - } - - public Response addGroupMember(String groupID, GroupMemberData groupMemberData) { - + public GroupMemberData getGroupMember(String groupID, String memberID) { try { - if (groupID == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); - } - - IGroup group = userGroupManager.getGroupFromName(groupID); - if (group == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); - throw new GroupNotFoundException(groupID); - } - - String memberID = groupMemberData.getID(); - boolean multiRole = true; - - try { - IConfigStore config = CMS.getConfigStore(); - multiRole = config.getBoolean(MULTI_ROLE_ENABLE); - } catch (Exception e) { - // ignore - } - - if (multiRole) { - // a user can be a member of multiple groups - userGroupManager.addUserToGroup(group, memberID); - - } else { - // a user can be a member of at most one group in the enforce list - if (isGroupInMultiRoleEnforceList(groupID)) { - // make sure the user is not already a member in another group in the list - if (!isDuplicate(groupID, memberID)) { - userGroupManager.addUserToGroup(group, memberID); - } else { - throw new ConflictingOperationException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberID)); - } - - } else { - // the user can be a member of multiple groups outside the list - userGroupManager.addUserToGroup(group, memberID); - } - } - - // for audit log - SessionContext sContext = SessionContext.getContext(); - String adminId = (String) sContext.get(SessionContext.USER_ID); - - logger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, - AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT, - new Object[] { adminId, memberID, groupID }); - - auditAddGroupMember(groupID, groupMemberData, ILogger.SUCCESS); - - // read the data back - groupMemberData = getGroupMember(groupID, memberID); - - return Response - .created(groupMemberData.getLink().getHref()) - .entity(groupMemberData) - .type(MediaType.APPLICATION_XML) - .build(); - - } catch (PKIException e) { - auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE); - throw e; + GroupProcessor processor = new GroupProcessor(getLocale()); + processor.setUriInfo(uriInfo); + return processor.getGroupMember(groupID, memberID); } catch (Exception e) { log(ILogger.LL_FAILURE, e.toString()); - auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE); - throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED")); - } - } - - public boolean isGroupInMultiRoleEnforceList(String groupID) { - - if (groupID == null || groupID.equals("")) { - return true; - } - - String groupList = null; - if (multiRoleGroupEnforceList == null) { - try { - IConfigStore config = CMS.getConfigStore(); - groupList = config.getString(MULTI_ROLE_ENFORCE_GROUP_LIST); - } catch (Exception e) { - // ignore - } - - if (groupList != null && !groupList.equals("")) { - multiRoleGroupEnforceList = groupList.split(","); - for (int j = 0; j < multiRoleGroupEnforceList.length; j++) { - multiRoleGroupEnforceList[j] = multiRoleGroupEnforceList[j].trim(); - } - } - } - - if (multiRoleGroupEnforceList == null) - return true; - - for (int i = 0; i < multiRoleGroupEnforceList.length; i++) { - if (groupID.equals(multiRoleGroupEnforceList[i])) { - return true; - } - } - - return false; - } - - public boolean isDuplicate(String groupID, String memberID) { - - // Let's not mess with users that are already a member of this group - try { - boolean isMember = userGroupManager.isMemberOf(memberID, groupID); - if (isMember == true) return false; - - } catch (Exception e) { - // ignore - } - - try { - Enumeration groups = userGroupManager.listGroups("*"); - while (groups.hasMoreElements()) { - IGroup group = groups.nextElement(); - String name = group.getName(); - - Enumeration g = userGroupManager.findGroups(name); - IGroup g1 = g.nextElement(); - - if (!name.equals(groupID)) { - if (isGroupInMultiRoleEnforceList(name)) { - Enumeration members = g1.getMemberNames(); - while (members.hasMoreElements()) { - String m1 = members.nextElement(); - if (m1.equals(memberID)) - return true; - } - } - } - } - } catch (Exception e) { - // ignore + throw new PKIException(e.getMessage()); } - - return false; } @Override - public GroupMemberData getGroupMember(String groupID, String memberID) { + public Response addGroupMember(String groupID, String memberID) { + GroupMemberData groupMemberData = new GroupMemberData(); + groupMemberData.setGroupID(groupID); + groupMemberData.setUserID(memberID); + return addGroupMember(groupID, groupMemberData); + } + public Response addGroupMember(String groupID, GroupMemberData groupMemberData) { try { - if (groupID == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); - } - - IGroup group = userGroupManager.getGroupFromName(groupID); - if (group == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); - throw new GroupNotFoundException(groupID); - } - - Enumeration e = group.getMemberNames(); - while (e.hasMoreElements()) { - String memberName = e.nextElement(); - if (!memberName.equals(memberID)) continue; - - GroupMemberData groupMemberData = createGroupMemberData(memberID); - return groupMemberData; - } - - throw new ResourceNotFoundException("Group member " + memberID + " not found"); - - } catch (PKIException e) { - throw e; + GroupProcessor processor = new GroupProcessor(getLocale()); + processor.setUriInfo(uriInfo); + return processor.addGroupMember(groupID, groupMemberData); - } catch (Exception e) { + } catch (EBaseException e) { log(ILogger.LL_FAILURE, e.toString()); - throw new PKIException(e.getMessage()); + auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE); + throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED")); } } @Override public void removeGroupMember(String groupID, String memberID) { GroupMemberData groupMemberData = new GroupMemberData(); - groupMemberData.setID(memberID); + groupMemberData.setUserID(memberID); removeGroupMember(groupID, groupMemberData); } public void removeGroupMember(String groupID, GroupMemberData groupMemberData) { try { - if (groupID == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); - throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); - } - - IGroup group = userGroupManager.getGroupFromName(groupID); - if (group == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); - throw new GroupNotFoundException(groupID); - } - - String member = groupMemberData.getID(); - userGroupManager.removeUserFromGroup(group, member); + GroupProcessor processor = new GroupProcessor(getLocale()); + processor.setUriInfo(uriInfo); + processor.removeGroupMember(groupID, groupMemberData.getUserID()); - // for audit log - SessionContext sContext = SessionContext.getContext(); - String adminId = (String) sContext.get(SessionContext.USER_ID); - - logger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, - AuditFormat.LEVEL, AuditFormat.REMOVEUSERGROUPFORMAT, - new Object[] { adminId, member, groupID }); - - auditDeleteGroupMember(groupID, groupMemberData, ILogger.SUCCESS); - - } catch (PKIException e) { - auditDeleteGroupMember(groupID, groupMemberData, ILogger.FAILURE); - throw e; - - } catch (Exception e) { + } catch (EBaseException e) { log(ILogger.LL_FAILURE, e.toString()); auditDeleteGroupMember(groupID, groupMemberData, ILogger.FAILURE); throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED")); diff --git a/base/common/src/com/netscape/cms/servlet/admin/GroupProcessor.java b/base/common/src/com/netscape/cms/servlet/admin/GroupProcessor.java new file mode 100644 index 000000000..8f92074db --- /dev/null +++ b/base/common/src/com/netscape/cms/servlet/admin/GroupProcessor.java @@ -0,0 +1,393 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + +import java.net.URI; +import java.net.URLEncoder; +import java.util.Enumeration; +import java.util.Locale; +import java.util.Map; + +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriInfo; + +import org.jboss.resteasy.plugins.providers.atom.Link; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.BadRequestException; +import com.netscape.certsrv.base.ConflictingOperationException; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.PKIException; +import com.netscape.certsrv.base.ResourceNotFoundException; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.common.OpDef; +import com.netscape.certsrv.common.ScopeDef; +import com.netscape.certsrv.group.GroupMemberCollection; +import com.netscape.certsrv.group.GroupMemberData; +import com.netscape.certsrv.group.GroupMemberResource; +import com.netscape.certsrv.group.GroupNotFoundException; +import com.netscape.certsrv.logging.AuditFormat; +import com.netscape.certsrv.logging.IAuditor; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IGroup; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.cms.servlet.processors.Processor; + +/** + * @author Endi S. Dewata + */ +public class GroupProcessor extends Processor { + + public final static int DEFAULT_SIZE = 20; + + public final static String MULTI_ROLE_ENABLE = "multiroles.enable"; + public final static String MULTI_ROLE_ENFORCE_GROUP_LIST = "multiroles.false.groupEnforceList"; + + public static String[] multiRoleGroupEnforceList; + + public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + protected UriInfo uriInfo; + + public GroupProcessor(Locale locale) throws EBaseException { + super("group", locale); + } + + public UriInfo getUriInfo() { + return uriInfo; + } + + public void setUriInfo(UriInfo uriInfo) { + this.uriInfo = uriInfo; + } + + public GroupMemberData createGroupMemberData(String groupID, String memberID) throws Exception { + + GroupMemberData groupMemberData = new GroupMemberData(); + groupMemberData.setGroupID(groupID); + groupMemberData.setUserID(memberID); + + URI uri = uriInfo.getBaseUriBuilder() + .path(GroupMemberResource.class) + .path("{userID}") + .build( + URLEncoder.encode(groupID, "UTF-8"), + URLEncoder.encode(memberID, "UTF-8")); + + groupMemberData.setLink(new Link("self", uri)); + + return groupMemberData; + } + + public GroupMemberCollection findGroupMembers(String groupID, Integer start, Integer size) { + try { + start = start == null ? 0 : start; + size = size == null ? DEFAULT_SIZE : size; + + if (groupID == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); + } + + IGroup group = userGroupManager.getGroupFromName(groupID); + if (group == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); + throw new GroupNotFoundException(groupID); + } + + GroupMemberCollection response = new GroupMemberCollection(); + + Enumeration members = group.getMemberNames(); + + int i = 0; + + // skip to the start of the page + for ( ; i 0) { + URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build(); + response.addLink(new Link("prev", uri)); + } + + if (start+size < i) { + URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build(); + response.addLink(new Link("next", uri)); + } + + return response; + + } catch (PKIException e) { + throw e; + + } catch (Exception e) { + CMS.debug(e); + throw new PKIException(getUserMessage("CMS_INTERNAL_ERROR")); + } + } + + public GroupMemberData getGroupMember(String groupID, String memberID) { + try { + if (groupID == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); + } + + IGroup group = userGroupManager.getGroupFromName(groupID); + if (group == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); + throw new GroupNotFoundException(groupID); + } + + Enumeration e = group.getMemberNames(); + while (e.hasMoreElements()) { + String memberName = e.nextElement(); + if (!memberName.equals(memberID)) continue; + + GroupMemberData groupMemberData = createGroupMemberData(groupID, memberID); + return groupMemberData; + } + + throw new ResourceNotFoundException("Group member " + memberID + " not found"); + + } catch (PKIException e) { + throw e; + + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + throw new PKIException(e.getMessage()); + } + } + + public Response addGroupMember(String groupID, GroupMemberData groupMemberData) { + + try { + if (groupID == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); + } + + IGroup group = userGroupManager.getGroupFromName(groupID); + if (group == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); + throw new GroupNotFoundException(groupID); + } + + String memberID = groupMemberData.getUserID(); + boolean multiRole = true; + + try { + IConfigStore config = CMS.getConfigStore(); + multiRole = config.getBoolean(MULTI_ROLE_ENABLE); + } catch (Exception e) { + // ignore + } + + if (multiRole) { + // a user can be a member of multiple groups + userGroupManager.addUserToGroup(group, memberID); + + } else { + // a user can be a member of at most one group in the enforce list + if (isGroupInMultiRoleEnforceList(groupID)) { + // make sure the user is not already a member in another group in the list + if (!isDuplicate(groupID, memberID)) { + userGroupManager.addUserToGroup(group, memberID); + } else { + throw new ConflictingOperationException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberID)); + } + + } else { + // the user can be a member of multiple groups outside the list + userGroupManager.addUserToGroup(group, memberID); + } + } + + // for audit log + SessionContext sContext = SessionContext.getContext(); + String adminId = (String) sContext.get(SessionContext.USER_ID); + + logger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, + AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT, + new Object[] { adminId, memberID, groupID }); + + auditAddGroupMember(groupID, groupMemberData, ILogger.SUCCESS); + + // read the data back + groupMemberData = getGroupMember(groupID, memberID); + + return Response + .created(groupMemberData.getLink().getHref()) + .entity(groupMemberData) + .type(MediaType.APPLICATION_XML) + .build(); + + } catch (PKIException e) { + auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE); + throw e; + + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + auditAddGroupMember(groupID, groupMemberData, ILogger.FAILURE); + throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED")); + } + } + + + public boolean isGroupInMultiRoleEnforceList(String groupID) { + + if (groupID == null || groupID.equals("")) { + return true; + } + + String groupList = null; + if (multiRoleGroupEnforceList == null) { + try { + IConfigStore config = CMS.getConfigStore(); + groupList = config.getString(MULTI_ROLE_ENFORCE_GROUP_LIST); + } catch (Exception e) { + // ignore + } + + if (groupList != null && !groupList.equals("")) { + multiRoleGroupEnforceList = groupList.split(","); + for (int j = 0; j < multiRoleGroupEnforceList.length; j++) { + multiRoleGroupEnforceList[j] = multiRoleGroupEnforceList[j].trim(); + } + } + } + + if (multiRoleGroupEnforceList == null) + return true; + + for (int i = 0; i < multiRoleGroupEnforceList.length; i++) { + if (groupID.equals(multiRoleGroupEnforceList[i])) { + return true; + } + } + + return false; + } + + public boolean isDuplicate(String groupID, String memberID) { + + // Let's not mess with users that are already a member of this group + try { + boolean isMember = userGroupManager.isMemberOf(memberID, groupID); + if (isMember == true) return false; + + } catch (Exception e) { + // ignore + } + + try { + Enumeration groups = userGroupManager.listGroups("*"); + while (groups.hasMoreElements()) { + IGroup group = groups.nextElement(); + String name = group.getName(); + + Enumeration g = userGroupManager.findGroups(name); + IGroup g1 = g.nextElement(); + + if (!name.equals(groupID)) { + if (isGroupInMultiRoleEnforceList(name)) { + Enumeration members = g1.getMemberNames(); + while (members.hasMoreElements()) { + String m1 = members.nextElement(); + if (m1.equals(memberID)) + return true; + } + } + } + } + } catch (Exception e) { + // ignore + } + + return false; + } + + public void removeGroupMember(String groupID, String memberID) { + GroupMemberData groupMemberData = new GroupMemberData(); + groupMemberData.setUserID(memberID); + removeGroupMember(groupID, groupMemberData); + } + + public void removeGroupMember(String groupID, GroupMemberData groupMemberData) { + try { + if (groupID == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID")); + } + + IGroup group = userGroupManager.getGroupFromName(groupID); + if (group == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST")); + throw new GroupNotFoundException(groupID); + } + + String member = groupMemberData.getUserID(); + userGroupManager.removeUserFromGroup(group, member); + + // for audit log + SessionContext sContext = SessionContext.getContext(); + String adminId = (String) sContext.get(SessionContext.USER_ID); + + logger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP, + AuditFormat.LEVEL, AuditFormat.REMOVEUSERGROUPFORMAT, + new Object[] { adminId, member, groupID }); + + auditDeleteGroupMember(groupID, groupMemberData, ILogger.SUCCESS); + + } catch (PKIException e) { + auditDeleteGroupMember(groupID, groupMemberData, ILogger.FAILURE); + throw e; + + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + auditDeleteGroupMember(groupID, groupMemberData, ILogger.FAILURE); + throw new PKIException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED")); + } + } + + public void log(int level, String message) { + log(ILogger.S_USRGRP, level, message); + } + + public void auditAddGroupMember(String groupID, GroupMemberData groupMemberData, String status) { + audit(OpDef.OP_ADD, groupID, getParams(groupMemberData), status); + } + + public void auditDeleteGroupMember(String groupID, GroupMemberData groupMemberData, String status) { + audit(OpDef.OP_DELETE, groupID, getParams(groupMemberData), status); + } + + public void audit(String type, String id, Map params, String status) { + audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status); + } +} diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserCertService.java b/base/common/src/com/netscape/cms/servlet/admin/UserCertService.java index 5f39b5800..efefcca8c 100644 --- a/base/common/src/com/netscape/cms/servlet/admin/UserCertService.java +++ b/base/common/src/com/netscape/cms/servlet/admin/UserCertService.java @@ -112,7 +112,7 @@ public class UserCertService extends PKIService implements UserCertResource { if (user == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST")); - throw new UserNotFoundException(userID, getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST")); + throw new UserNotFoundException(userID); } UserCertCollection response = new UserCertCollection(); @@ -164,7 +164,7 @@ public class UserCertService extends PKIService implements UserCertResource { if (user == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST")); - throw new UserNotFoundException(userID, getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST")); + throw new UserNotFoundException(userID); } X509Certificate[] certs = user.getX509Certificates(); diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserMembershipService.java b/base/common/src/com/netscape/cms/servlet/admin/UserMembershipService.java index 995551905..29688e469 100644 --- a/base/common/src/com/netscape/cms/servlet/admin/UserMembershipService.java +++ b/base/common/src/com/netscape/cms/servlet/admin/UserMembershipService.java @@ -18,20 +18,25 @@ package com.netscape.cms.servlet.admin; +import java.io.UnsupportedEncodingException; import java.net.URI; import java.net.URLEncoder; import java.util.Enumeration; import java.util.Map; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.Response; + import org.jboss.resteasy.plugins.providers.atom.Link; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.BadRequestException; +import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.UserNotFoundException; import com.netscape.certsrv.common.OpDef; import com.netscape.certsrv.common.ScopeDef; -import com.netscape.certsrv.group.GroupResource; +import com.netscape.certsrv.group.GroupMemberData; import com.netscape.certsrv.logging.IAuditor; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.user.UserMembershipCollection; @@ -51,14 +56,18 @@ public class UserMembershipService extends PKIService implements UserMembershipR public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); - public UserMembershipData createUserMembershipData(IGroup group) throws Exception { + public UserMembershipData createUserMembershipData(String userID, String groupID) throws UnsupportedEncodingException { UserMembershipData userMembershipData = new UserMembershipData(); + userMembershipData.setUserID(userID); + userMembershipData.setGroupID(groupID); - userMembershipData.setID(group.getName()); + URI uri = uriInfo.getBaseUriBuilder().path(UserMembershipResource.class) + .path("{groupID}") + .build( + URLEncoder.encode(userID, "UTF-8"), + URLEncoder.encode(groupID, "UTF-8")); - String userID = URLEncoder.encode(group.getName(), "UTF-8"); - URI uri = uriInfo.getBaseUriBuilder().path(GroupResource.class).path("{groupID}").build(userID); userMembershipData.setLink(new Link("self", uri)); return userMembershipData; @@ -79,8 +88,7 @@ public class UserMembershipService extends PKIService implements UserMembershipR if (user == null) { log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST")); - - throw new UserNotFoundException(userID, getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST")); + throw new UserNotFoundException(userID); } UserMembershipCollection response = new UserMembershipCollection(); @@ -95,7 +103,7 @@ public class UserMembershipService extends PKIService implements UserMembershipR // return entries up to the page size for ( ; i params, String status) { + + if (auditor == null) return; + + String auditMessage = CMS.getLogMessage( + message, + auditor.getSubjectID(), + status, + auditor.getParamString(scope, type, id, params)); + + auditor.log(auditMessage); + } + + /** + * Get the values of the fields annotated with @FormParam. + */ + public Map getParams(Object object) { + + Map map = new HashMap(); + + // for each fields in the object + for (Method method : object.getClass().getMethods()) { + FormParam element = method.getAnnotation(FormParam.class); + if (element == null) continue; + + String name = element.value(); + + try { + // get the value from the object + Object value = method.invoke(object); + + // put the value in the map + map.put(name, value == null ? null : value.toString()); + + } catch (Exception e) { + // ignore inaccessible fields + e.printStackTrace(); + } + } + + return map; + } } diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java index b2c38d808..469347a7b 100644 --- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java @@ -114,7 +114,7 @@ public class GroupCLI extends CLI { } public static void printGroupMember(GroupMemberData groupMemberData) { - System.out.println(" Member: "+groupMemberData.getID()); + System.out.println(" Member: "+groupMemberData.getUserID()); Link link = groupMemberData.getLink(); if (verbose && link != null) { diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java new file mode 100644 index 000000000..e1b523ace --- /dev/null +++ b/base/java-tools/src/com/netscape/cmstools/user/UserAddMembershipCLI.java @@ -0,0 +1,57 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cmstools.user; + +import com.netscape.certsrv.user.UserMembershipData; +import com.netscape.cmstools.cli.CLI; +import com.netscape.cmstools.cli.MainCLI; + +/** + * @author Endi S. Dewata + */ +public class UserAddMembershipCLI extends CLI { + + public UserCLI parent; + + public UserAddMembershipCLI(UserCLI parent) { + super("add-membership", "Add user membership"); + this.parent = parent; + } + + public void printHelp() { + formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); + } + + public void execute(String[] args) throws Exception { + + if (args.length != 2) { + printHelp(); + System.exit(1); + } + + String userID = args[0]; + String groupID = args[1]; + + UserMembershipData userMembershipData = parent.client.addUserMembership(userID, groupID); + + MainCLI.printMessage("Added membership in \""+groupID+"\""); + + UserCLI.printUserMembership(userMembershipData); + } +} diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java index 3e64a9227..f17ba2029 100644 --- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java @@ -54,6 +54,8 @@ public class UserCLI extends CLI { addModule(new UserRemoveCertCLI(this)); addModule(new UserFindMembershipCLI(this)); + addModule(new UserAddMembershipCLI(this)); + addModule(new UserRemoveMembershipCLI(this)); } public void printHelp() { @@ -164,7 +166,7 @@ public class UserCLI extends CLI { } public static void printUserMembership(UserMembershipData userMembershipData) { - System.out.println(" Membership: "+userMembershipData.getID()); + System.out.println(" Membership: "+userMembershipData.getGroupID()); Link link = userMembershipData.getLink(); if (verbose && link != null) { diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java new file mode 100644 index 000000000..cab887a38 --- /dev/null +++ b/base/java-tools/src/com/netscape/cmstools/user/UserRemoveMembershipCLI.java @@ -0,0 +1,54 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cmstools.user; + +import com.netscape.cmstools.cli.CLI; +import com.netscape.cmstools.cli.MainCLI; + +/** + * @author Endi S. Dewata + */ +public class UserRemoveMembershipCLI extends CLI { + + public UserCLI parent; + + public UserRemoveMembershipCLI(UserCLI parent) { + super("remove-membership", "Remove user membership"); + this.parent = parent; + } + + public void printHelp() { + formatter.printHelp(parent.name + "-" + name + " [OPTIONS...]", options); + } + + public void execute(String[] args) throws Exception { + + if (args.length != 2) { + printHelp(); + System.exit(1); + } + + String userID = args[0]; + String groupID = args[1]; + + parent.client.removeUserMembership(userID, groupID); + + MainCLI.printMessage("Deleted membership in group \""+groupID+"\""); + } +} diff --git a/base/util/src/netscape/security/x509/AuthorityKeyIdentifierExtension.java b/base/util/src/netscape/security/x509/AuthorityKeyIdentifierExtension.java index a8df9d132..df42fc6f7 100644 --- a/base/util/src/netscape/security/x509/AuthorityKeyIdentifierExtension.java +++ b/base/util/src/netscape/security/x509/AuthorityKeyIdentifierExtension.java @@ -131,7 +131,7 @@ public class AuthorityKeyIdentifierExtension extends Extension * The default constructor for this extension. Null parameters make * the element optional (not present). * - * @param id the KeyIdentifier associated with this extension. + * @param groupID the KeyIdentifier associated with this extension. * @param names the GeneralNames associated with this extension * @param serialNum the CertificateSerialNumber associated with * this extension. -- cgit