From 9dc5a7829e9521ac29196515e1384f552068a649 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 19 Apr 2016 22:32:33 -0400
Subject: Realm: allow auth instances to support multiple realms

In practice, most folks will use something like DirAclAuthz
to manage their realm.  Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).

For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation.  The resource queried would then be constructed on
the fly as realm.resource

Examples will be provided in the wiki page.

Trac Ticket 2041
---
 base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java | 8 ++++----
 base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java        | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

(limited to 'base/kra/src/org')

diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 41d78af53..103b78923 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -175,7 +175,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
 
             String realm = data.getRealm();
             if (realm != null) {
-                authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "archive");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.archival", "execute");
             }
             response = dao.submitRequest(data, uriInfo, getRequestor());
             auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
@@ -304,7 +304,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
             RequestId start, Integer pageSize, Integer maxResults, Integer maxTime, String realm) {
         if (realm != null) {
             try {
-                authz.checkRealm(realm, getAuthToken(), null, "keyRequests", "list");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests", "list");
             } catch (EAuthzAccessDenied e) {
                 throw new UnauthorizedException("Not authorized to list these requests", e);
             } catch (EAuthzUnknownRealm e) {
@@ -468,7 +468,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
             }
             String realm = data.getRealm();
             if (realm != null) {
-                authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateSymkey");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.symkey", "execute");
             }
 
             response = dao.submitRequest(data, uriInfo, getRequestor());
@@ -502,7 +502,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
             }
             String realm = data.getRealm();
             if (realm != null) {
-                authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateAsymkey");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.asymkey", "execute");
             }
 
             response = dao.submitRequest(data, uriInfo, getRequestor());
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 255d8d614..74b58b8a2 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -422,7 +422,7 @@ public class KeyService extends PKIService implements KeyResource {
 
         if (realm != null) {
             try {
-                authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
+                authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.keys", "list");
             } catch (EAuthzAccessDenied e) {
                 throw new UnauthorizedException("Not authorized to list these keys", e);
             } catch (EAuthzUnknownRealm e) {
@@ -509,7 +509,7 @@ public class KeyService extends PKIService implements KeyResource {
             if (info != null) {
                 // return the first one, but first confirm that the requester has access to this key
                 try {
-                    authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
+                    authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "certServer.kra.key", "read");
                 } catch (EAuthzAccessDenied e) {
                     throw new UnauthorizedException("Not authorized to read this key", e);
                 } catch (EBaseException e) {
@@ -681,7 +681,7 @@ public class KeyService extends PKIService implements KeyResource {
         IKeyRecord rec = null;
         try {
             rec = repo.readKeyRecord(keyId.toBigInteger());
-            authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "key", "read");
+            authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read");
             KeyInfo info = createKeyDataInfo(rec, true);
             auditRetrieveKey(ILogger.SUCCESS, null, keyId, auditInfo);
 
-- 
cgit