From ba75a144f4c57c0e804fdd6e86eaae40e5822b14 Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata Date: Fri, 1 Feb 2013 13:05:38 -0500 Subject: Added configuration file for authentication method validation. The auth.properties have been converted into a configuration file to store the list of allowed authentication methods for each REST method. The old auth.properties have been renamed to acl.properties since it's used to store ACL mappings. Ticket #510 --- base/ca/shared/webapps/ca/WEB-INF/acl.properties | 14 ++++++++++++++ base/ca/shared/webapps/ca/WEB-INF/auth-method.properties | 11 +++++++++++ base/ca/shared/webapps/ca/WEB-INF/auth.properties | 14 -------------- .../src/com/netscape/certsrv/acls/ACLInterceptor.java | 16 ++++++++-------- base/kra/shared/webapps/kra/WEB-INF/acl.properties | 12 ++++++++++++ .../shared/webapps/kra/WEB-INF/auth-method.properties | 10 ++++++++++ base/kra/shared/webapps/kra/WEB-INF/auth.properties | 12 ------------ base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties | 10 ++++++++++ .../shared/webapps/ocsp/WEB-INF/auth-method.properties | 9 +++++++++ base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties | 10 ---------- base/tks/shared/webapps/tks/WEB-INF/acl.properties | 10 ++++++++++ .../shared/webapps/tks/WEB-INF/auth-method.properties | 9 +++++++++ base/tks/shared/webapps/tks/WEB-INF/auth.properties | 10 ---------- 13 files changed, 93 insertions(+), 54 deletions(-) create mode 100644 base/ca/shared/webapps/ca/WEB-INF/acl.properties create mode 100644 base/ca/shared/webapps/ca/WEB-INF/auth-method.properties delete mode 100644 base/ca/shared/webapps/ca/WEB-INF/auth.properties create mode 100644 base/kra/shared/webapps/kra/WEB-INF/acl.properties create mode 100644 base/kra/shared/webapps/kra/WEB-INF/auth-method.properties delete mode 100644 base/kra/shared/webapps/kra/WEB-INF/auth.properties create mode 100644 base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties create mode 100644 base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties delete mode 100644 
base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties create mode 100644 base/tks/shared/webapps/tks/WEB-INF/acl.properties create mode 100644 base/tks/shared/webapps/tks/WEB-INF/auth-method.properties delete mode 100644 base/tks/shared/webapps/tks/WEB-INF/auth.properties
diff --git a/base/ca/shared/webapps/ca/WEB-INF/acl.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
new file mode 100644
index 000000000..20f3dd864
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
@@ -0,0 +1,14 @@
+# Restful API authorization mapping info
+#
+# Format:
+# = ,
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ca.account,login
+account.logout = certServer.ca.account,logout
+admin.users = certServer.ca.users,execute
+admin.groups = certServer.ca.groups,execute
+admin.kraconnector = certServer.ca.connectorInfo,modify
+agent.certrequests = certServer.ca.certrequests,execute
+agent.certs = certServer.ca.certs,execute
+securityDomain.installToken = certServer.securitydomain.domainxml,read
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..3a6658765
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties
@@ -0,0 +1,11 @@
+# Restful API auth mapping info
+#
+# Format:
+# =
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
deleted file mode 100644
index 20f3dd864..000000000
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ /dev/null
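Review bot: `default = *` in the new auth-method.properties makes every REST method prefix that is not listed accept any authentication method, so an endpoint added later without a matching entry silently gets the weakest configured authenticator instead of failing closed; an explicit default such as `default = certUserDBAuthMgr`, with the wildcard written only on the entries that are meant to accept password or other methods, would be the safer shape. The `# Format:` example (`admin.users = ...`) uses a two-segment key while the entries are one-segment prefixes (`admin`, `agent`) plus one full key (`securityDomain.installToken`), so the lookup rule (exact match, prefix match, or both, then `default`) is not stated anywhere; a one-line comment spelling out that order would remove the ambiguity. Nothing in this commit reads auth-method.properties (ACLInterceptor only loads acl.properties), so these entries appear unenforced until a consumer lands; the same comments apply to the kra, ocsp and tks copies.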
@@ -1,14 +0,0 @@
-# Restful API authorization mapping info
-#
-# Format:
-# = ,
-# ex: admin.users = certServer.ca.users,read
-
-account.login = certServer.ca.account,login
-account.logout = certServer.ca.account,logout
-admin.users = certServer.ca.users,execute
-admin.groups = certServer.ca.groups,execute
-admin.kraconnector = certServer.ca.connectorInfo,modify
-agent.certrequests = certServer.ca.certrequests,execute
-agent.certs = certServer.ca.certs,execute
-securityDomain.installToken = certServer.securitydomain.domainxml,read
diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
index c30740260..dd4985eab 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
@@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal;
 @Precedence("SECURITY")
 public class ACLInterceptor implements PreProcessInterceptor {
- Properties authProperties;
+ Properties aclProperties;
 @Context
 ServletContext servletContext;
@@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor {
 @Context
 SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadACLProperties() throws IOException {
- if (authProperties != null) return;
+ if (aclProperties != null) return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ URL url = servletContext.getResource("/WEB-INF/acl.properties");
+ aclProperties = new Properties();
+ aclProperties.load(url.openStream());
 }
 @Override
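Review bot: loadACLProperties() assigns `aclProperties = new Properties()` before `aclProperties.load(url.openStream())`, so if the load throws, every later call returns early on `if (aclProperties != null) return;` with an empty table, and together with the null-means-allow lookup in the next hunk every `@ACLMapping` name then resolves to no ACL at all. The stream from `url.openStream()` is also never closed, and `servletContext.getResource` returns null when the (now renamed) file is missing, which surfaces as a NullPointerException rather than a clear error naming the file. Load into a local, close the stream, and publish the field only after success; the try-with-resources form assumes a Java 7+ target, otherwise use try/finally. The `@Override` method that follows starts outside the hunk.
```java
public synchronized void loadACLProperties() throws IOException {
    if (aclProperties != null) return;
    URL url = servletContext.getResource("/WEB-INF/acl.properties");
    if (url == null) throw new IOException("Missing /WEB-INF/acl.properties");
    Properties props = new Properties();
    try (InputStream in = url.openStream()) {
        props.load(in);
    }
    aclProperties = props; // publish only after a successful load
}
```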
@@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor {
 }
 try {
- loadAuthProperties();
+ loadACLProperties();
 String name = aclMapping.value();
- String value = authProperties.getProperty(name);
+ String value = aclProperties.getProperty(name);
 // If no property defined, allow request.
 if (value == null) return null;
diff --git a/base/kra/shared/webapps/kra/WEB-INF/acl.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
new file mode 100644
index 000000000..952bdad33
--- /dev/null
+++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
@@ -0,0 +1,12 @@
+# Restful API authorization mapping info
+#
+# Format:
+# = ,
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.kra.account,login
+account.logout = certServer.kra.account,logout
+admin.users = certServer.kra.users,execute
+admin.groups = certServer.kra.groups,execute
+agent.keys = certServer.kra.keys,execute
+agent.keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..29a2f2381
--- /dev/null
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties
@@ -0,0 +1,10 @@
+# Restful API auth mapping info
+#
+# Format:
+# =
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
deleted file mode 100644
index 952bdad33..000000000
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ /dev/null
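Review bot: `if (value == null) return null;` fails open — any resource whose `@ACLMapping` name is absent from acl.properties (a typo in a key, or a new endpoint added without an entry) is let through with no ACL evaluation at all, and since the file was just renamed this is also the path taken for every request if an empty table ever gets cached by loadACLProperties(). A default-deny is the safer contract for a SECURITY-precedence interceptor: treat a missing mapping as forbidden and log the unmapped name, returning whatever response the surrounding method already produces for an ACL denial (that code is outside the hunk), and keep explicit allow-list entries for the few endpoints meant to be open. At minimum the comment should say why open-by-default is intended, e.g. `// No ACL mapping configured for this resource: intentionally open (see acl.properties).` The enclosing method starts and ends outside the hunk.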
@@ -1,12 +0,0 @@
-# Restful API authorization mapping info
-#
-# Format:
-# = ,
-# ex: admin.users = certServer.ca.users,read
-
-account.login = certServer.kra.account,login
-account.logout = certServer.kra.account,logout
-admin.users = certServer.kra.users,execute
-admin.groups = certServer.kra.groups,execute
-agent.keys = certServer.kra.keys,execute
-agent.keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
new file mode 100644
index 000000000..95fabba72
--- /dev/null
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
@@ -0,0 +1,10 @@
+# Restful API authorization mapping info
+#
+# Format:
+# = ,
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ocsp.account,login
+account.logout = certServer.ocsp.account,logout
+admin.users = certServer.ocsp.users,execute
+admin.groups = certServer.ocsp.groups,execute
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..81e24403f
--- /dev/null
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties
@@ -0,0 +1,9 @@
+# Restful API auth mapping info
+#
+# Format:
+# =
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
deleted file mode 100644
index 95fabba72..000000000
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ /dev/null
@@ -1,10 +0,0 @@
-# Restful API authorization mapping info
-#
-# Format:
-# = ,
-# ex: admin.users = certServer.ca.users,read
-
-account.login = certServer.ocsp.account,login
-account.logout = certServer.ocsp.account,logout
-admin.users = certServer.ocsp.users,execute
-admin.groups = certServer.ocsp.groups,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/acl.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
new file mode 100644
index 000000000..62367135e
--- /dev/null
+++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
@@ -0,0 +1,10 @@
+# Restful API authorization mapping info
+#
+# Format:
+# = ,
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.tks.account,login
+account.logout = certServer.tks.account,logout
+admin.users = certServer.tks.users,execute
+admin.groups = certServer.tks.groups,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..81e24403f
--- /dev/null
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
@@ -0,0 +1,9 @@
+# Restful API auth mapping info
+#
+# Format:
+# =
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
deleted file mode 100644
index 62367135e..000000000
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ /dev/null
@@ -1,10 +0,0 @@
-# Restful API authorization mapping info
-#
-# Format:
-# = ,
-# ex: admin.users = certServer.ca.users,read
-
-account.login = certServer.tks.account,login
-account.logout = certServer.tks.account,logout
-admin.users = certServer.tks.users,execute
-admin.groups = certServer.tks.groups,execute
-- cgit