From ebfcf597d569e24fe6ec60062e37908c62bcff76 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 25 Nov 2016 14:29:40 +1000 Subject: Merge duplicate authz plugin code into superclass DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is still a lot of duplicate code. Push the duplicated bits up into the AAclAuthz. Also remove abstract method flushResourceACLs() from AAclAuthz, and its implementation from BasicAclAuthz, because it is only implemented (meaningfully) by DirAclAuthz. Part of: https://fedorahosted.org/pki/ticket/1359 --- .../com/netscape/cms/authorization/AAclAuthz.java | 93 ++++++++++--- .../netscape/cms/authorization/BasicAclAuthz.java | 144 +-------------------- .../netscape/cms/authorization/DirAclAuthz.java | 105 +-------------- 3 files changed, 78 insertions(+), 264 deletions(-) (limited to 'base/server/cms/src/com') diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java index b3e447cfc..f95c98174 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java @@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzInternalError; +import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.evaluators.IAccessEvaluator; @@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils; * @version $Revision$, $Date$ * @see ACL Files */ -public abstract class AAclAuthz { +public abstract class AAclAuthz implements IAuthzManager { protected static final String PROP_CLASS = "class"; protected static final String PROP_IMPL = "impl"; @@ -69,6 +72,12 @@ public abstract class AAclAuthz { protected static final String ACLS_ATTR = "aclResources"; + /* name of this authorization manager instance */ + private String mName = null; + + /* name of the authorization manager plugin */ + private String mImplName = null; + private IConfigStore mConfig = null; private Hashtable mACLs = new Hashtable(); @@ -93,14 +102,14 @@ public abstract class AAclAuthz { /** * Initializes */ - protected void init(IConfigStore config) + public void init(String name, String implName, IConfigStore config) throws EBaseException { - + mName = name; + mImplName = implName; + mConfig = config; mLogger = CMS.getLogger(); CMS.debug("AAclAuthz: init begins"); - mConfig = config; - // load access evaluators specified in the config file IConfigStore mainConfig = CMS.getConfigStore(); IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL); @@ -143,6 +152,20 @@ public abstract class AAclAuthz { log(ILogger.LL_INFO, "initialization done"); } + /** + * gets the name of this authorization manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authorization manager. + */ + public String getImplName() { + return mImplName; + } + /** * Parse ACL resource attributes, then update the ACLs memory store * This is intended to be used if storing ACLs on ldap is not desired, @@ -818,7 +841,7 @@ public abstract class AAclAuthz { } } - private void log(int level, String msg) { + protected void log(int level, String msg) { if (mLogger == null) return; mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, @@ -830,24 +853,58 @@ public abstract class AAclAuthz { **********************************/ /** - * update acls. called after memory upate is done to flush to permanent - * storage. - *

- */ - protected abstract void flushResourceACLs() throws EACLsException; - - /** - * an abstract class that enforces implementation of the - * authorize() method that will authorize an operation on a - * particular resource + * check the authorization permission for the user associated with + * authToken on operation + * + * Example: + * + * For example, if UsrGrpAdminServlet needs to authorize the + * caller it would do be done in the following fashion: + * + * try { + * authzTok = mAuthz.authorize( + * "DirAclAuthz", authToken, RES_GROUP, "read"); + * } catch (EBaseException e) { + * log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); + * } * * @param authToken the authToken associated with a user * @param resource - the protected resource name * @param operation - the protected resource operation name - * @exception EBaseException If an internal error occurred. + * @exception EAuthzAccessDenied If access was denied + * @exception EAuthzInternalError If an internal error occurred. * @return authzToken */ - public abstract AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EBaseException; + public AuthzToken authorize(IAuthToken authToken, String resource, String operation) + throws EAuthzInternalError, EAuthzAccessDenied { + try { + checkPermission(authToken, resource, operation); + // compose AuthzToken + AuthzToken authzToken = new AuthzToken(this); + authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); + authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); + CMS.debug(mName + ": authorization passed"); + return authzToken; + } catch (EACLsException e) { + // audit here later + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); + + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); + } + } + + public AuthzToken authorize(IAuthToken authToken, String expression) + throws EAuthzAccessDenied { + if (evaluateACLs(authToken, expression)) { + return (new AuthzToken(this)); + } else { + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + } public String getOrder() { IConfigStore mainConfig = CMS.getConfigStore(); diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java index c883758b3..6b33c2041 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java @@ -18,12 +18,7 @@ package com.netscape.cms.authorization; // cert server imports. -import com.netscape.certsrv.acls.EACLsException; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.EAuthzInternalError; import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; @@ -38,23 +33,6 @@ import com.netscape.certsrv.logging.ILogger; public class BasicAclAuthz extends AAclAuthz implements IAuthzManager, IExtendedPluginInfo { - // members - - /* name of this authorization manager instance */ - private String mName = null; - - /* name of the authorization manager plugin */ - private String mImplName = null; - - /* configuration store */ - @SuppressWarnings("unused") - private IConfigStore mConfig; - - /* the system logger */ - private ILogger mLogger = null; - - protected static final String PROP_BASEDN = "basedn"; - static { mExtendedPluginInfo.add("nothing for now"); } @@ -80,135 +58,15 @@ public class BasicAclAuthz extends AAclAuthz */ public void init(String name, String implName, IConfigStore config) throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - mLogger = CMS.getLogger(); - - super.init(config); + super.init(name, implName, config); log(ILogger.LL_INFO, "initialization done"); } - /** - * gets the name of this authorization manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authorization manager. - */ - public String getImplName() { - return mImplName; - } - - /** - * check the authorization permission for the user associated with - * authToken on operation - *

- * Example: - *

- * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: - * - * 

-     * try {
-     *     authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read");
-     * } catch (EBaseException e) {
-     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
-     * }
-     *
- * - * @param authToken the authToken associated with a user - * @param resource - the protected resource name - * @param operation - the protected resource operation name - * @exception EAuthzInternalError if an internal error occurred. - * @exception EAuthzAccessDenied if access denied - * @return authzToken if success - */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { - AuthzToken authzToken = new AuthzToken(this); - - try { - checkPermission(authToken, resource, operation); - - CMS.debug("BasicAclAuthz: authorization passed"); - - // compose AuthzToken - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, - AuthzToken.AUTHZ_STATUS_SUCCESS); - } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = { resource, operation }; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); - - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); - } - - return authzToken; - } - - public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { - if (evaluateACLs(authToken, expression)) { - return (new AuthzToken(this)); - } else { - String params[] = { expression }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); - } - } - - /** - * This currently does not flush to permanent storage - * - * @param id is the resource id - * @param strACLs - */ - public void updateACLs(String id, String rights, String strACLs, - String desc) throws EACLsException { - try { - super.updateACLs(id, rights, strACLs, desc); - // flushResourceACLs(); - } catch (EACLsException ex) { - - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); - - throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); - } - } - - /** - * updates resourceACLs to permanent storage. - * currently not implemented for this authzMgr - */ - protected void flushResourceACLs() throws EACLsException { - log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); - } - /** * graceful shutdown */ public void shutdown() { log(ILogger.LL_INFO, "shutting down"); } - - /** - * Logs a message for this class in the system log file. - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); - } } diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java index 4f14f4c40..bcb81f3d0 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java @@ -24,8 +24,6 @@ import com.netscape.certsrv.acls.EACLsException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.EAuthzInternalError; import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; @@ -54,18 +52,6 @@ public class DirAclAuthz extends AAclAuthz // members - /* name of this authentication manager instance */ - private String mName = null; - - /* name of the authentication manager plugin */ - private String mImplName = null; - - /* configuration store */ - private IConfigStore mConfig; - - /* the system logger */ - private ILogger mLogger = null; - protected static final String PROP_BASEDN = "basedn"; private ILdapConnFactory mLdapConnFactory = null; @@ -118,15 +104,10 @@ public class DirAclAuthz extends AAclAuthz */ public void init(String name, String implName, IConfigStore config) throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - mLogger = CMS.getLogger(); - - super.init(config); + super.init(name, implName, config); // initialize LDAP connection factory - IConfigStore ldapConfig = mConfig.getSubStore("ldap"); + IConfigStore ldapConfig = config.getSubStore("ldap"); if (ldapConfig == null) { log(ILogger.LL_MISCONF, "failed to get config ldap info"); @@ -185,75 +166,6 @@ public class DirAclAuthz extends AAclAuthz log(ILogger.LL_INFO, "initialization done"); } - /** - * gets the name of this authorization manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authorization manager. - */ - public String getImplName() { - return mImplName; - } - - /** - * check the authorization permission for the user associated with - * authToken on operation - *

- * Example: - *

- * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: - * - * 

-     * try {
-     *     authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
-     * } catch (EBaseException e) {
-     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
-     * }
-     *
- * - * @param authToken the authToken associated with a user - * @param resource - the protected resource name - * @param operation - the protected resource operation name - * @exception EBaseException If an internal error occurred. - * @return authzToken - */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { - AuthzToken authzToken = new AuthzToken(this); - - try { - checkPermission(authToken, resource, operation); - // compose AuthzToken - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); - CMS.debug("DirAclAuthz: authorization passed"); - } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = { resource, operation }; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); - - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); - } - - return authzToken; - } - - public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { - if (evaluateACLs(authToken, expression)) { - return (new AuthzToken(this)); - } else { - String params[] = { expression }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); - } - } - /** * update acls. when memory update is done, flush to ldap. *

@@ -353,17 +265,4 @@ public class DirAclAuthz extends AAclAuthz } } - /** - * Logs a message for this class in the system log file. - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); - } } -- cgit