From a4682ceae6774956461edd03b2485bbacea445f4 Mon Sep 17 00:00:00 2001 
From: mharmsen Date: Tue, 4 Oct 2011 01:17:41 +0000 Subject: Bugzilla Bug #688225 - (dogtagIPAv2.1) TRACKER: of the Dogtag fixes for freeIPA 2.1 git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/tags/IPA_v2_RHEL_6_2_20111003@2252 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../cms/servlet/admin/ACLAdminServlet.java | 915 +++++ .../netscape/cms/servlet/admin/AdminResources.java | 44 + .../netscape/cms/servlet/admin/AdminServlet.java | 1304 +++++++ .../cms/servlet/admin/AuthAdminServlet.java | 1690 +++++++++ .../cms/servlet/admin/AuthCredentials.java | 100 + .../netscape/cms/servlet/admin/CAAdminServlet.java | 1642 +++++++++ .../cms/servlet/admin/CMSAdminServlet.java | 3677 ++++++++++++++++++++ .../cms/servlet/admin/JobsAdminServlet.java | 1004 ++++++ .../cms/servlet/admin/KRAAdminServlet.java | 887 +++++ .../cms/servlet/admin/LogAdminServlet.java | 2550 ++++++++++++++ .../cms/servlet/admin/OCSPAdminServlet.java | 560 +++ .../cms/servlet/admin/PolicyAdminServlet.java | 1243 +++++++ .../cms/servlet/admin/ProfileAdminServlet.java | 2683 ++++++++++++++ .../cms/servlet/admin/PublisherAdminServlet.java | 3054 ++++++++++++++++ .../netscape/cms/servlet/admin/RAAdminServlet.java | 576 +++ .../cms/servlet/admin/RegistryAdminServlet.java | 362 ++ .../cms/servlet/admin/UsrGrpAdminServlet.java | 2332 +++++++++++++ 17 files changed, 24623 insertions(+) create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java create 
mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java create mode 100644 pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java (limited to 'pki/base/common/src/com/netscape/cms/servlet/admin') diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java new file mode 100644 index 000000000..7bac528e9 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java 
@@ -0,0 +1,915 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + + +import java.io.*; +import java.util.*; +import java.math.*; +import java.text.*; +import java.net.*; +import javax.servlet.*; +import javax.servlet.http.*; +//import com.netscape.certsrv.util.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.usrgrp.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.evaluators.*; +import com.netscape.certsrv.acls.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.authorization.*; +import com.netscape.cmsutil.util.*; + + +/** + * Manage Access Control List configuration + * + * @version $Revision$, $Date$ + */ +public class ACLAdminServlet extends AdminServlet { + + private IUGSubsystem mUG = null; + private static final String PROP_ACLS = "acls"; + private static final String PROP_EVAL = "accessEvaluator"; + private final static String INFO = "ACLAdminServlet"; + private IAuthzManager mAuthzMgr = null; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL = + "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3"; + + /** + * Constructs servlet. 
+ */ + public ACLAdminServlet() { + super(); + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + } + + /** + * initialize the servlet. + * + * + * @param config servlet configuration, read from the web.xml file + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mAuthzMgr = mAuthz.get(mAclMethod); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Process the HTTP request. + * + * @param req the object holding the request information + * @param resp the object holding the response information + */ + + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + String scope = super.getParameter(req, Constants.OP_SCOPE); + String op = super.getParameter(req, Constants.OP_TYPE); + + if (op == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PROTOCOL")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + Locale clientLocale = super.getLocale(req); + + try { + super.authenticate(req); + } catch (IOException e) { + log(ILogger.LL_SECURITY, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS")); + sendResponse(ERROR, CMS.getUserMessage(getLocale(req),"CMS_ADMIN_SRVLT_AUTHS_FAILED"), + null, resp); + return; + } + + IUser user = null; + + try { + SessionContext mSC = SessionContext.getContext(); + + user = (IUser) + mSC.get(SessionContext.USER); + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + try { + AUTHZ_RES_NAME = "certServer.acl.configuration"; + + if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + 
if (scope.equals(ScopeDef.SC_ACL)) { + listResources(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + listACLsEvaluators(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_EVALUATOR_TYPES)) { + listACLsEvaluatorTypes(req, resp); + return; + } + } else if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL)) { + getResourceACL(req, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL)) { + updateResources(req, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + addACLsEvaluator(req, resp, scope); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_ACL_IMPLS)) { + deleteACLsEvaluator(req, resp, scope); + return; + } + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_OP_SCOPE")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, e.toString()); + sendResponse(ERROR, e.toString(getLocale(req)), + null, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + 
log(ILogger.LL_DEBUG, "SRVLT_FAIL_PERFORM 2"); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + log(ILogger.LL_DEBUG, "SRVLT_FAIL_PERFORM 3"); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"), + null, resp); + return; + } + + /** + * list acls resources by name + */ + private void listResources(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + + NameValuePairs params = new NameValuePairs(); + + Enumeration res = mAuthzMgr.getACLs(); + + while (res.hasMoreElements()) { + ACL acl = (ACL) res.nextElement(); + String desc = acl.getDescription(); + + if (desc == null) + params.add(acl.getName(), ""); + else + params.add(acl.getName(), desc); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * get acls information for a resource + */ + private void getResourceACL(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + + NameValuePairs params = new NameValuePairs(); + //get resource id first + String resourceId = super.getParameter(req, Constants.RS_ID); + + if (resourceId == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + IACL acl = mAuthzMgr.getACL(resourceId); + + if (acl != null) { + Enumeration en = acl.rights(); + + StringBuffer rights = new StringBuffer(); + + if (en.hasMoreElements()) { + while (en.hasMoreElements()) { + if (rights.length() != 0) { + rights.append(","); + } + String right = (String) en.nextElement(); + + rights.append(right); + } + } + + params.add(Constants.PR_ACL_OPS, rights.toString()); + + en = acl.entries(); + String acis = ""; + + if (en.hasMoreElements()) { + while (en.hasMoreElements()) { + if (acis != "") { + acis += ";"; + } + 
ACLEntry aclEntry = (ACLEntry) en.nextElement(); + String aci = aclEntry.getACLEntryString(); + + acis += aci; + } + } + + params.add(Constants.PR_ACI, acis); + + sendResponse(SUCCESS, null, params, resp); + return; + + } else { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_RESOURCE_NOT_FOUND")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_RESOURCE_NOT_FOUND"), + null, resp); + return; + } + } + + /** + * modify acls information for a resource + *

+ * + *

+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void updateResources(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // get resource id first + String resourceId = super.getParameter(req, Constants.RS_ID); + + if (resourceId == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // get resource acls + String resourceACLs = super.getParameter(req, Constants.PR_ACI); + String rights = super.getParameter(req, Constants.PR_ACL_RIGHTS); + String desc = super.getParameter(req, Constants.PR_ACL_DESC); + + try { + mAuthzMgr.updateACLs(resourceId, rights, resourceACLs, desc); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + 
sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_UPDATE_FAIL"), + null, resp); + return; + } + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * list access evaluators by types and class paths + */ + private void listACLsEvaluators(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration res = mAuthzMgr.aclEvaluatorElements(); + + while (res.hasMoreElements()) { + IAccessEvaluator evaluator = (IAccessEvaluator) res.nextElement(); + + // params.add(evaluator.getType(), evaluator.getDescription()); + params.add(evaluator.getType(), evaluator.getClass().getName()); + } + + sendResponse(SUCCESS, null, params, resp); + } + + private void listACLsEvaluatorTypes(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration res = 
mAuthzMgr.aclEvaluatorElements(); + + while (res.hasMoreElements()) { + IAccessEvaluator evaluator = (IAccessEvaluator) res.nextElement(); + String[] operators = evaluator.getSupportedOperators(); + StringBuffer str = new StringBuffer(); + + for (int i = 0; i < operators.length; i++) { + if (str.length() > 0) + str.append(","); + str.append(operators[i]); + } + + params.add(evaluator.getType(), str.toString()); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * add access evaluators + *

+ * + *

+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this ACL evaluator's + * substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addACLsEvaluator(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // get evaluator type first + String type = super.getParameter(req, Constants.RS_ID); + + if (type == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the evaluator type unique? + /* + if (!mACLs.isTypeUnique(type)) { + String infoMsg = "replacing existing type: "+ type; + log(ILogger.LL_WARN, infoMsg); + } + */ + + // get class + String classPath = super.getParameter(req, Constants.PR_ACL_CLASS); + + IConfigStore destStore = + mConfig.getSubStore(PROP_EVAL); + IConfigStore mStore = + destStore.getSubStore(ScopeDef.SC_ACL_IMPLS); + + // Does the class exist? 
+ Class newImpl = null; + + try { + newImpl = Class.forName(classPath); + } catch (ClassNotFoundException e) { + String errMsg = "class " + classPath + " not found"; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_CLASS_LOAD_FAIL"), + null, resp); + return; + } + + // is the class an IAccessEvaluator? + try { + if + (Class.forName("com.netscape.certsrv.evaluators.IAccessEvaluator").isAssignableFrom(newImpl) == false) { + String errMsg = "class not com.netscape.certsrv.evaluators.IAccessEvaluator" + + classPath; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_ILL_CLASS"), + null, resp); + return; + } + } catch (Exception e) { + String errMsg = "class not com.netscape.certsrv.evaluators.IAccessEvaluator" + + classPath; + + log(ILogger.LL_FAILURE, errMsg); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = mStore.makeSubStore(type); + + substore.put(Constants.PR_ACL_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_FAIL_COMMIT")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_COMMIT_FAIL"), + null, resp); + return; + } + + // Instantiate an object for this implementation + IAccessEvaluator evaluator = null; + + try { + evaluator = (IAccessEvaluator) Class.forName(classPath).newInstance(); + } catch (Exception e) { + log(ILogger.LL_FAILURE, e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_INST_CLASS_FAIL"), + null, resp); + return; + } + + // initialize the access evaluator + if (evaluator != null) { + evaluator.init(); + // add evaluator to list + mAuthzMgr.registerEvaluator(type, evaluator); + } + + //... + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file 
+ // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * remove access evaluators + *

+ * + *

+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this ACL evaluator's + * substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void deleteACLsEvaluator(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does the evaluator exist? 
+ Hashtable mEvaluators = mAuthzMgr.getAccessEvaluators(); + + if (mEvaluators.containsKey(id) == false) { + log(ILogger.LL_FAILURE, "evaluator attempted to be removed not found"); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_EVAL_NOT_FOUND"), + null, resp); + return; + } + + // it's possibl that it's being used...we have to assume that + // the administrator knows what she is doing, for now + mEvaluators.remove((Object) id); + + try { + IConfigStore destStore = + mConfig.getSubStore(PROP_EVAL); + IConfigStore mStore = + destStore.getSubStore(ScopeDef.SC_ACL_IMPLS); + + mStore.removeSubStore(id); + } catch (Exception eeee) { + //CMS.debugStackTrace(eeee); + } + // commiting + try { + mConfig.commit(true); + } catch (Exception e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ACLS_SRVLT_FAIL_COMMIT")); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_ACL_COMMIT_FAIL"), + null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch 
(IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ACL, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ACL, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Searchs for certificate requests. + */ + + /* + private void getACLs(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException, + EBaseException { + NameValuePairs params = new NameValuePairs(); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(bos); + String names = getParameter(req, Constants.PT_NAMES); + StringTokenizer st = new StringTokenizer(names, ","); + while (st.hasMoreTokens()) { + String target = st.nextToken(); + ACL acl = AccessManager.getInstance().getACL(target); + oos.writeObject(acl); + } + // BASE64Encoder encoder = new BASE64Encoder(); + // params.add(Constants.PT_ACLS, encoder.encodeBuffer(bos.toByteArray())); + params.add(Constants.PT_ACLS, CMS.BtoA(bos.toByteArray())); + sendResponse(SUCCESS, null, params, resp); + } + */ + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "ACLAdminServlet: " + msg); + } +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java b/pki/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java new file mode 100644 index 000000000..4e97c2d52 --- /dev/null 
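Review bot: `service()` stores the authorization target in shared state on every request — it assigns the static `AUTHZ_RES_NAME` and the instance fields `mOp` and `mToken`, then calls `super.authorize(req)` — while one servlet instance serves concurrent requests and the static is shared by every AdminServlet subclass. `authorize()` is not visible in this hunk, but if it reads those fields, as the one-argument call suggests, a parallel request can change them between the assignment and the check, so a `modify` request could be evaluated as `read` or against another servlet's resource. Keeping the values local and passing them explicitly would close that window, for example `AuthzToken token = authorize(req, "certServer.acl.configuration", "modify");` with a matching overload added to AdminServlet (the overload is a proposal, not existing code). Separately, `addACLsEvaluator` passes the request-supplied `classPath` to `Class.forName(classPath)` without a null check, which initializes the named class before the `IAccessEvaluator` test; `Class.forName(classPath, false, getClass().getClassLoader())` after rejecting a null value would defer initialization until the type check has passed.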
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/AdminResources.java
@@ -0,0 +1,44 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.util.*;
+
+
+/**
+ * A class represents a resource bundle for the remote admin.
+ *
+ * @version $Revision$, $Date$
+ * @see java.util.ListResourceBundle
+ */
+public class AdminResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ /**
+ * Constants. The suffix represents the number of
+ * possible parameters.
+ */
+ static final Object[][] contents = {};
+}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
new file mode 100644
index 000000000..f7f9ce16a
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -0,0 +1,1304 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + + +import java.io.*; +import java.util.*; +import java.net.*; +import java.util.*; +import java.text.*; +import java.math.*; +import javax.servlet.*; +import javax.servlet.http.*; +import java.security.cert.X509Certificate; +import netscape.security.x509.X509CertImpl; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.authorization.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.usrgrp.*; +import com.netscape.certsrv.apps.*; +import com.netscape.cms.servlet.base.*; + + +/** + * A class represents an administration servlet that + * is responsible to serve administrative + * operation such as configuration parameter updates. + * + * Since each administration servlet needs to perform + * authentication information parsing and response + * formulation, it makes sense to encapsulate the + * commonalities into this class. + * + * By extending this serlvet, the subclass does not + * need to re-implement the request parsing code + * (i.e. authentication information parsing). 
+ * + * If a subsystem needs to expose configuration + * parameters management, it should create an + * administration servlet (i.e. CAAdminServlet) + * and register it to RemoteAdmin subsystem. + * + * + * public class CAAdminServlet extends AdminServlet { + * ... + * } + * + * + * @version $Revision$, $Date$ + */ +public class AdminServlet extends HttpServlet { + + private final static String HDR_AUTHORIZATION = "Authorization"; + private final static String HDR_LANG = "accept-language"; + private final static String HDR_CONTENT_LEN = "Content-Length"; + + protected ILogger mLogger = CMS.getLogger(); + protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + private IUGSubsystem mUG = null; + protected IConfigStore mConfig = null; + protected IAuthzSubsystem mAuthz = null; + + // we don't allow to switch authz db mid-way, for now + protected String mAclMethod = null; + protected String mOp = ""; + protected static String AUTHZ_RES_NAME = "certServer"; + protected AuthzToken mToken; + + private String mServletID = null; + public final static String PROP_AUTHZ_MGR = "AuthzMgr"; + public final static String PROP_ACL = "ACLinfo"; + + public final static String AUTHZ_MGR_BASIC = "BasicAclAuthz"; + public final static String AUTHZ_MGR_LDAP = "DirAclAuthz"; + public final static String PROP_ID = "ID"; + public final static String AUTHZ_CONFIG_STORE = "authz"; + public final static String AUTHZ_SRC_TYPE = "sourceType"; + public final static String AUTHZ_SRC_LDAP = "ldap"; + public final static String AUTHZ_SRC_XML = "web.xml"; + public static final String CERT_ATTR = + "javax.servlet.request.X509Certificate"; + + public final static String SIGNED_AUDIT_SCOPE = "Scope"; + public final static String SIGNED_AUDIT_OPERATION = "Operation"; + public final static String SIGNED_AUDIT_RESOURCE = "Resource"; + public final static String SIGNED_AUDIT_RULENAME = "RULENAME"; + public final static String SIGNED_AUDIT_PASSWORD_VALUE = "********"; + public final static 
String SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR = "Unknown"; + public final static String SIGNED_AUDIT_NAME_VALUE_DELIMITER = ";;"; + public final static String SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER = "+"; + + private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL = + "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL = + "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4"; + private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS = + "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME = + "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3"; + private final static String CERTUSERDB = + IAuthSubsystem.CERTUSERDB_AUTHMGR_ID; + private final static String PASSWDUSERDB = + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID; + + /** + * Constructs generic administration servlet. + */ + public AdminServlet() { + } + + /** + * Initializes the servlet. 
+ */ + public void init(ServletConfig sc) throws ServletException { + super.init(sc); + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + mConfig = CMS.getConfigStore(); + + String srcType = AUTHZ_SRC_LDAP; + + try { + IConfigStore authzConfig = mConfig.getSubStore(AUTHZ_CONFIG_STORE); + + srcType = authzConfig.getString(AUTHZ_SRC_TYPE, AUTHZ_SRC_LDAP); + } catch (EBaseException e) { + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_FAIL_SRC_TYPE")); + } + mAuthz = + (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); + + mServletID = getSCparam(sc, PROP_ID, "servlet id unknown"); + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_INITED", mServletID)); + + if (srcType.equalsIgnoreCase(AUTHZ_SRC_XML)) { + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_INITED", "")); + // get authz mgr from xml file; if not specified, use + // ldap by default + mAclMethod = getSCparam(sc, PROP_AUTHZ_MGR, AUTHZ_MGR_LDAP); + + if (mAclMethod.equalsIgnoreCase(AUTHZ_MGR_BASIC)) { + String aclInfo = sc.getInitParameter(PROP_ACL); + + if (aclInfo != null) { + try { + addACLInfo(aclInfo); + //mAuthz.authzMgrAccessInit(mAclMethod, aclInfo); + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_MGR_INIT_FAIL")); + throw new ServletException("failed to init authz info from xml config file"); + } + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTHZ_MGR_INIT_DONE", mServletID)); + } else { // PROP_AUTHZ_MGR not specified, use default authzmgr + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_PROP_ACL_NOT_SPEC", PROP_ACL, mServletID, AUTHZ_MGR_LDAP)); + } + } else { // PROP_AUTHZ_MGR not specified, use default authzmgr + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_PROP_ACL_NOT_SPEC", PROP_AUTHZ_MGR, mServletID, AUTHZ_MGR_LDAP)); + } + + } else { + mAclMethod = AUTHZ_MGR_LDAP; + CMS.debug("AdminServlet: " + 
CMS.getLogMessage("ADMIN_SRVLT_AUTH_LDAP_NOT_XML", mServletID)); + } + } + + public void outputHttpParameters(HttpServletRequest httpReq) + { + CMS.debug("AdminServlet:service() uri = " + httpReq.getRequestURI()); + Enumeration paramNames = httpReq.getParameterNames(); + while (paramNames.hasMoreElements()) { + String pn = (String)paramNames.nextElement(); + // added this facility so that password can be hidden, + // all sensitive parameters should be prefixed with + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed + if( pn.startsWith("__") || + pn.endsWith("password") || + pn.endsWith("passwd") || + pn.endsWith("pwd") || + pn.equalsIgnoreCase("admin_password_again") || + pn.equalsIgnoreCase("directoryManagerPwd") || + pn.equalsIgnoreCase("bindpassword") || + pn.equalsIgnoreCase("bindpwd") || + pn.equalsIgnoreCase("passwd") || + pn.equalsIgnoreCase("password") || + pn.equalsIgnoreCase("pin") || + pn.equalsIgnoreCase("pwd") || + pn.equalsIgnoreCase("pwdagain") || + pn.equalsIgnoreCase("uPasswd") ) { + CMS.debug("AdminServlet::service() param name='" + pn + + "' value='(sensitive)'" ); + } else { + CMS.debug("AdminServlet::service() param name='" + pn + + "' value='" + httpReq.getParameter(pn) + "'" ); + } + } + } + + /** + * Serves HTTP admin request. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + boolean running_state = CMS.isInRunningState(); + + if (!running_state) + throw new IOException( + "CMS server is not ready to serve."); + + if (CMS.debugOn()) { + outputHttpParameters(req); + } + } + + private void addACLInfo(String info) throws EBaseException { + StringTokenizer tokenizer = new StringTokenizer(info, "#"); + + while (tokenizer.hasMoreTokens()) { + String acl = (String) tokenizer.nextToken(); + + mAuthz.authzMgrAccessInit(mAclMethod, acl); + } + } + + private String getSCparam(ServletConfig sc, String param, String defVal) { + String val = sc.getInitParameter(param); + + if (val == null) + return defVal; + else + return val; + } + + /** + * Authenticates to the identity scope with the given + * userid and password via identity manager. + *

+ * + *

+ * @exception IOException an input/output error has occurred + */ + protected void authenticate(HttpServletRequest req) throws + IOException { + + String auditMessage = null; + String auditSubjectID = ILogger.UNIDENTIFIED; + String auditUID = ILogger.UNIDENTIFIED; + String authType = ""; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + try { + IConfigStore configStore = CMS.getConfigStore(); + + authType = configStore.getString("authType"); + } catch (EBaseException e) { + // do nothing for now. + } + IAuthSubsystem auth = (IAuthSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); + X509Certificate cert = null; + + if (authType.equals("sslclientauth")) { + X509Certificate[] allCerts = + (X509Certificate[]) req.getAttribute(CERT_ATTR); + + if (allCerts == null || allCerts.length == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + + throw new IOException("No certificate"); + } + + cert = allCerts[0]; + try { + byte[] certEncoded = cert.getEncoded(); + + cert = new X509CertImpl(certEncoded); + + // save the "Subject DN" of this certificate in case it + // must be audited as an authentication failure + String certUID = cert.getSubjectDN().getName(); + + if (certUID != null) { + certUID = certUID.trim(); + + if (!(certUID.equals(""))) { + auditUID = certUID; + } + } + } catch (Exception e) { + } + } + + // create session (if we don't, identity will reject + // the authentication). 
+ SessionContext sc = SessionContext.getContext(); + IAuthToken token = null; + + // a kludge for the desperately pinging console + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + log(ILogger.LL_DEBUG, CMS.getLogMessage("ADMIN_SRVLT_ABOUT_AUTH", + mServletID)); + try { + if (authType.equals("sslclientauth")) { + IAuthManager + authMgr = auth.get(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID); + IAuthCredentials authCreds = + getAuthCreds(authMgr, cert); + + token = (AuthToken) authMgr.authenticate(authCreds); + } else { + String authToken = req.getHeader(HDR_AUTHORIZATION); + String b64s = authToken.substring( + authToken.lastIndexOf(' ') + 1); + String authCode = new String(com.netscape.osutil.OSUtil.AtoB(b64s)); + String userid = authCode.substring(0, + authCode.lastIndexOf(':')); + String password = authCode.substring( + authCode.lastIndexOf(':') + 1); + AuthCredentials cred = new AuthCredentials(); + + // save the "userid" of this certificate in case it + // must be audited as an authentication failure + String pwdUID = userid; + + if (pwdUID != null) { + pwdUID = pwdUID.trim(); + + if (!(pwdUID.equals(""))) { + auditUID = pwdUID; + } + } + + cred.set("uid", userid); + cred.set("pwd", password); + + token = auth.authenticate(cred, + IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID); + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FOR_SRVLT", + mServletID)); + } + } catch (EBaseException e) { + //will fix it later for authorization + /* + String errMsg = "authenticate(): " + + AdminResources.SRVLT_FAIL_AUTHS +": "+userid +":"+ + e.getMessage(); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAIL", + CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS"), + userid,e.getMessage())); + */ + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + 
CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + try { + String tuserid = token.getInString("userid"); + + if (tuserid == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_NO_AUTH_TOKEN", + tuserid)); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // get user. 
+ // this either returns null or + // throws exception when user not found + IUser user = mUG.getUser(tuserid); + + if (user == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_FOUND", + tuserid)); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // set session context to work with some agent servlets. + // XXX should see if this can be used for more things. + SessionContext sessionContext = SessionContext.getContext(); + + sessionContext.put(SessionContext.AUTH_TOKEN, token); + sessionContext.put(SessionContext.USER_ID, tuserid); + sessionContext.put(SessionContext.USER, user); + } catch (EUsrGrpException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } catch (EBaseException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + 
CMS.getLogMessage("ADMIN_SRVLT_ERROR", + e.toString())); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + throw new IOException("authentication failed"); + } + + // build locale based on the client language + Locale locale = getLocale(req); + + sc.put(SessionContext.LOCALE, locale); + + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + CERTUSERDB); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + auditSubjectID(), + ILogger.SUCCESS, + PASSWDUSERDB); + + audit(auditMessage); + } + } catch (IOException eAudit1) { + if (authType.equals("sslclientauth")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + CERTUSERDB, + auditUID); + + audit(auditMessage); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + ILogger.UNIDENTIFIED, + ILogger.FAILURE, + PASSWDUSERDB, + auditUID); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit1; + } + } + + public static AuthCredentials getAuthCreds( + IAuthManager authMgr, X509Certificate clientCert) + throws EBaseException { + // get credentials from http parameters. 
+ String[] reqCreds = authMgr.getRequiredCreds(); + AuthCredentials creds = new AuthCredentials(); + + for (int i = 0; i < reqCreds.length; i++) { + String reqCred = reqCreds[i]; + + if (reqCred.equals(IAuthManager.CRED_SSL_CLIENT_CERT)) { + // cert could be null; + creds.set(reqCred, new X509Certificate[] { clientCert} + ); + } + } + return creds; + } + + /** + * Authorize must occur after Authenticate + *

+ * + *

+ * @param req HTTP servlet request + * @return the authorization token + */ + protected AuthzToken authorize(HttpServletRequest req) { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + String resource = null; + String operation = null; + + // use session context to get auth token for now + SessionContext sc = SessionContext.getContext(); + IAuthToken authToken = (IAuthToken) sc.get(SessionContext.AUTH_TOKEN); + + AuthzToken authzTok = null; + + CMS.debug("AdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CHECK_AUTHZ_AUTH", mServletID)); + // hardcoded for now .. just testing + try { + // we check both "read" and "write" for now. later within + // each servlet, they can break it down + authzTok = mAuthz.authorize(mAclMethod, authToken, AUTHZ_RES_NAME, mOp); + // initialize the ACL resource, overwriting "auditACLResource" + // if it is not null + resource = (String) + authzTok.get(AuthzToken.TOKEN_AUTHZ_RESOURCE); + if (resource != null) { + auditACLResource = resource.trim(); + } + + // initialize the operation, overwriting "auditOperation" + // if it is not null + operation = (String) + authzTok.get(AuthzToken.TOKEN_AUTHZ_OPERATION); + if (operation != null) { + auditOperation = operation.trim(); + } + + CMS.debug(CMS.getLogMessage("ADMIN_SRVLT_AUTH_SUCCEED", mServletID)); + } catch (EAuthzAccessDenied e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + 
audit(auditMessage); + + return null; + } catch (EBaseException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString())); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_FAIL, + auditSubjectID, + ILogger.FAILURE, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.FAILURE, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return null; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS, + auditSubjectID, + ILogger.SUCCESS, + auditACLResource, + auditOperation); + + audit(auditMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_ROLE_ASSUME, + auditSubjectID, + ILogger.SUCCESS, + auditGroups(auditSubjectID)); + + audit(auditMessage); + + return authzTok; + } + + /** + * Retrieves locale based on the request. 
+ */ + protected Locale getLocale(HttpServletRequest req) { + Locale locale = null; + String lang = req.getHeader(HDR_LANG); + + if (lang == null) { + // use server locale + locale = Locale.getDefault(); + } else { + locale = new Locale(UserInfo.getUserLanguage(lang), + UserInfo.getUserCountry(lang)); + } + return locale; + } + + public static int SUCCESS = 0; + public static int ERROR = 1; + public static int RESTART = -1; + + /** + * Sends response. + * + * @param returnCode return code + * @param errorMsg localized error message + * @param params result parameters + * @param resp HTTP servlet response + */ + protected void sendResponse(int returnCode, String errorMsg, + NameValuePairs params, HttpServletResponse resp) + throws IOException { + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + DataOutputStream dos = new DataOutputStream(bos); + + dos.writeInt(returnCode); + if (errorMsg != null) { + dos.writeUTF(errorMsg); + } + StringBuffer buf = new StringBuffer(); + + if (params != null) { + Enumeration e = params.getNames(); + + if (e.hasMoreElements()) { + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + String value = java.net.URLEncoder.encode((String) + params.getValue(name)); + + buf.append(java.net.URLEncoder.encode(name) + + "=" + value); + if (e.hasMoreElements()) + buf.append("&"); + } + byte content[] = buf.toString().getBytes(); + + dos.write(content, 0, content.length); + } + } + byte msg[] = bos.toByteArray(); + + resp.setContentLength(msg.length); + resp.getOutputStream().write(msg); + resp.getOutputStream().flush(); + } + + /** + * URL decodes the given string. 
+ */ + protected String URLdecode(String s) { + if (s == null) + return null; + ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); + + for (int i = 0; i < s.length(); i++) { + int c = (int) s.charAt(i); + + if (c == '+') { + out.write(' '); + } else if (c == '%') { + int c1 = Character.digit(s.charAt(++i), 16); + int c2 = Character.digit(s.charAt(++i), 16); + + out.write((char) (c1 * 16 + c2)); + } else { + out.write(c); + } + } // end for + return out.toString(); + } + + protected String getParameter(HttpServletRequest req, String name) { + // Servlet framework already apply URLdecode + // return URLdecode(req.getParameter(name)); + return req.getParameter(name); + } + + /** + * Generic configuration store get operation. + */ + protected synchronized void getConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + //if (name.equals(Constants.PT_OP)) + // continue; + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + + //System.out.println(name); + //System.out.println(name+","+config.getString(name)); + params.add(name, config.getString(name)); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Generic configuration store set operation. + * The caller is responsible to do validiation before + * calling this, and commit changes after this call. 
+ */ + protected synchronized void setConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + //if (name.equals(Constants.PT_OP)) + // continue; + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + // XXX Need validation... + // XXX what if update failed + config.putString(name, req.getParameter(name)); + } + commit(true); + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Lists configuration store. + */ + protected synchronized void listConfig( + IConfigStore config, HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + Enumeration e = config.getPropertyNames(); + NameValuePairs params = new NameValuePairs(); + + while (e.hasMoreElements()) { + String s = (String) e.nextElement(); + + params.add(s, config.getString(s)); + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * authorize a user based on its authentication credentials. + */ + public boolean authorize(IAuthToken token) throws EBaseException { + String mGroupNames[] = { "Administrators" }; + boolean mAnd = true; + + try { + String userid = token.getInString("userid"); + + if (userid == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_GRP_AUTHZ_FAIL", userid)); + return false; + } + + // get user. 
+ // this either returns null or throws exception when user not found + IUser user = mUG.getUser(userid); + + if (user == null) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_IN_DB", userid)); + return false; + } + + // set session context to work with some agent servlets. + // XXX should see if this can be used for more things. + SessionContext sessionContext = SessionContext.getContext(); + + sessionContext.put(SessionContext.AUTH_TOKEN, token); + sessionContext.put(SessionContext.USER_ID, userid); + sessionContext.put(SessionContext.USER, user); + + // check group membership of user. + if (mAnd) { + for (int i = 0; i < mGroupNames.length; i++) { + if (!mUG.isMemberOf(user, mGroupNames[i])) { + mLogger.log( + ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_IN_GRP", userid, + mGroupNames[i])); + return false; + } + } + return true; + } else { + for (int i = 0; i < mGroupNames.length; i++) { + if (mUG.isMemberOf(user, mGroupNames[i])) { + mLogger.log(ILogger.EV_SYSTEM, + ILogger.S_OTHER, ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_GRP_AUTH_SUCC_USER", userid, + mGroupNames[i])); + return true; + } + } + StringBuffer groups = new StringBuffer(); + groups.append(mGroupNames[0]); + + for (int j = 1; j < mGroupNames.length; j++) { + groups.append(","); + groups.append(mGroupNames[j]); + } + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, + ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USER_NOT_ANY_GRP", userid, groups.toString())); + return false; + } + } catch (EUsrGrpException e) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString())); + return false; + } + } + + /** + * FileConfigStore functionality + * + * The original config file is moved to .. + * Commits the current properties to the configuration file. + *

+ * + * @param createBackup true if a backup file should be created + */ + protected void commit(boolean createBackup) throws EBaseException { + mConfig.commit(createBackup); + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ADMIN, + level, "AdminServlet: " + msg); + } + + /** + * Signed Audit Log + * + * This method is inherited by all extended admin servlets + * and is called to store messages to the signed audit log. + *

+ * + * @param msg signed audit log message + */ + protected void audit(String msg) { + // in this case, do NOT strip preceding/trailing whitespace + // from passed-in String parameters + + if (mSignedAuditLogger == null) { + return; + } + + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + /** + * Signed Audit Log Subject ID + * + * This method is inherited by all extended "CMSServlet"s, + * and is called to obtain the "SubjectID" for + * a signed audit log message. + *

+ * + * @return id string containing the signed audit log message SubjectID + */ + protected String auditSubjectID() { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) + auditContext.get(SessionContext.USER_ID); + + if (subjectID != null) { + subjectID = subjectID.trim(); + } else { + subjectID = ILogger.NONROLEUSER; + } + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + /** + * Signed Audit Parameters + * + * This method is inherited by all extended admin servlets and + * is called to extract parameters from the HttpServletRequest + * and return a string of name;;value pairs separated by a '+' + * if more than one name;;value pair exists. + *

+ * + * @param req HTTP servlet request + * @return a delimited string of one or more delimited name/value pairs + */ + protected String auditParams(HttpServletRequest req) { + // if no signed audit object exists, bail + if (mSignedAuditLogger == null) { + return null; + } + + String parameters = SIGNED_AUDIT_EMPTY_NAME_VALUE_PAIR; + String value = null; + + // always identify the scope of the request + if (req.getParameter(Constants.OP_SCOPE) != null) { + parameters = SIGNED_AUDIT_SCOPE + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.OP_SCOPE); + } + + // identify the operation type of the request + if (req.getParameter(Constants.OP_TYPE) != null) { + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + parameters += SIGNED_AUDIT_OPERATION + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.OP_TYPE); + } + + // identify the resource type of the request + if (req.getParameter(Constants.RS_ID) != null) { + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + parameters += SIGNED_AUDIT_RESOURCE + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + req.getParameter(Constants.RS_ID); + } + + // identify any remaining request parameters + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + // skip previously extracted parameters + if (name.equals(Constants.OP_SCOPE)) { + continue; + } + if (name.equals(Constants.OP_TYPE)) { + continue; + } + if (name.equals(Constants.RS_ID)) { + continue; + } + + // skip "RULENAME" parameter + if (name.equals(SIGNED_AUDIT_RULENAME)) { + continue; + } + + parameters += SIGNED_AUDIT_NAME_VALUE_PAIRS_DELIMITER; + + value = req.getParameter(name); + if (value != null) { + value = value.trim(); + + if (value.equals("")) { + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } else { + // + // To fix Blackflag Bug # 613800: + // + // Check "com.netscape.certsrv.common.Constants" for + // 
case-insensitive "password", "pwd", and "passwd" + // name fields, and hide any password values: + // + /* "password" */ if( name.equals( Constants.PASSWORDTYPE ) || + name.equals( Constants.TYPE_PASSWORD ) || + name.equals( Constants.PR_USER_PASSWORD ) || + name.equals( Constants.PT_OLD_PASSWORD ) || + name.equals( Constants.PT_NEW_PASSWORD ) || + name.equals( Constants.PT_DIST_STORE ) || + name.equals( Constants.PT_DIST_EMAIL ) || + /* "pwd" */ name.equals( Constants.PR_AUTH_ADMIN_PWD ) || + // ignore this one name.equals( Constants.PR_BINDPWD_PROMPT ) || + name.equals( Constants.PR_DIRECTORY_MANAGER_PWD ) || + name.equals( Constants.PR_OLD_AGENT_PWD ) || + name.equals( Constants.PR_AGENT_PWD ) || + name.equals( Constants.PT_PUBLISH_PWD ) || + /* "passwd" */ name.equals( Constants.PR_BIND_PASSWD ) || + name.equals( Constants.PR_BIND_PASSWD_AGAIN ) || + name.equals( Constants.PR_TOKEN_PASSWD ) ) { + + // hide password value + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + SIGNED_AUDIT_PASSWORD_VALUE; + } else { + // process normally + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + value; + } + } + } else { + parameters += name + + SIGNED_AUDIT_NAME_VALUE_DELIMITER + + ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } + } + + return parameters; + } + + /** + * Signed Audit Groups + * + * This method is called to extract all "groups" associated + * with the "auditSubjectID()". + *

+ *
+ * @param SubjectID string containing the signed audit log message SubjectID
+ * @return a delimited string of groups associated
+ * with the "auditSubjectID()"
+ */
+ private String auditGroups(String SubjectID) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if ((SubjectID == null) ||
+ (SubjectID.equals(ILogger.UNIDENTIFIED))) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ Enumeration groups = null;
+
+ try {
+ groups = mUG.findGroups("*");
+ } catch (Exception e) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ StringBuffer membersString = new StringBuffer();
+
+ while (groups.hasMoreElements()) {
+ IGroup group = (IGroup) groups.nextElement();
+
+ if (group.isMember(SubjectID) == true) {
+ if (membersString.length()!=0) {
+ membersString.append(", ");
+ }
+
+ membersString.append(group.getGroupID());
+ }
+ }
+
+ if (membersString.length()!= 0) {
+ return membersString.toString();
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+
+ protected NameValuePairs convertStringArrayToNVPairs(String[] s) {
+ if (s == null) return null;
+ NameValuePairs nvps = new NameValuePairs();
+ int i;
+
+ for (i = 0; i < s.length; i++) {
+ int j = s[i].indexOf(";");
+ String paramName = s[i].substring(0, j);
+ String args = s[i].substring(j + 1);
+
+ nvps.add(paramName, args);
+ }
+ return nvps;
+
+ }
+
+ protected static IExtendedPluginInfo getClassByNameAsExtendedPluginInfo(String className) {
+
+ IExtendedPluginInfo epi = null;
+
+ try {
+ // here is the new dummy obj created
+ Object o = Class.forName(className).newInstance();
+
+ epi = (IExtendedPluginInfo) o;
+ } catch (Exception e) {
+ }
+
+ return epi;
+ }
+}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
new file mode 100644
index 000000000..fd7edfabd
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java 
@@ -0,0 +1,1690 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import java.security.cert.X509Certificate;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.util.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.ldap.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.usrgrp.*;
+
+
+/**
+ * A class representing an administration servlet for the
+ * Authentication Management subsystem. This servlet is responsible
+ * to serve configuration requests for the Auths Management subsystem.
+ *
+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthAdminServlet extends AdminServlet {
+
+ private final static String INFO = "AuthAdminServlet";
+ private IAuthSubsystem mAuths = null;
+
+ private final static String PW_PASSWORD_CACHE_ADD =
+ "PASSWORD_CACHE_ADD";
+ private final static String VIEW = ";" + Constants.VIEW;
+ private final static String EDIT = ";" + Constants.EDIT;
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH =
+ "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
+
+ public AuthAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mAuths = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ AUTHZ_RES_NAME = "certServer.auth.configuration";
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * retrieve extended plugin info such as brief description, type info
+ * from policy, authentication,
+ * need to add: listener, mapper and publishing plugins
+ * --- same as policy, should we move this into extendedpluginhelper?
+ */
+ private void getExtendedPluginInfo(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ int colon = id.indexOf(':');
+
+ String implType = id.substring(0, colon);
+ String implName = id.substring(colon + 1);
+
+ NameValuePairs params =
+ getExtendedPluginInfo(getLocale(req), implType, implName);
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) {
+ IExtendedPluginInfo ext_info = null;
+ Object impl = null;
+
+ impl = mAuths.getAuthManagerPlugin(implName);
+ if (impl != null) {
+ if (impl instanceof IExtendedPluginInfo) {
+ ext_info = (IExtendedPluginInfo) impl;
+ }
+ }
+
+ NameValuePairs nvps = null;
+
+ if (ext_info == null) {
+ nvps = new NameValuePairs();
+ } else {
+ nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale));
+ }
+
+ return nvps;
+
+ }
+
+ /**
+ * Serves HTTP admin request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ String scope = req.getParameter(Constants.OP_SCOPE);
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op == null) {
+ //System.out.println("SRVLT_INVALID_PROTOCOL");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ return;
+ }
+
+ // if it is not authentication, that means it is for CSC admin ping.
+ // the best way to do is to define another protocol for ping and move
+ // it to the generic servlet which is admin servlet.
+ if (!op.equals(OpDef.OP_AUTH)) {
+ if (scope.equals(ScopeDef.SC_AUTH)) {
+ String id = req.getParameter(Constants.RS_ID);
+
+ // for CSC admin ping only
+ if (op.equals(OpDef.OP_READ) &&
+ id.equals(Constants.RS_ID_CONFIG)) {
+
+ // no need to authenticate this. if we're alive, return true.
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_PING, Constants.TRUE);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } else {
+ //System.out.println("SRVLT_INVALID_OP_TYPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+ }
+ }
+
+ try {
+ if (op.equals(OpDef.OP_AUTH)) {
+ if (scope.equals(ScopeDef.SC_AUTHTYPE)) {
+ IConfigStore configStore = CMS.getConfigStore();
+ String val = configStore.getString("authType", "pwd");
+ NameValuePairs params = new NameValuePairs();
+
+ params.add("authType", val);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+ }
+ } catch (Exception e) {
+ sendResponse(ERROR,CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+ // for the rest
+ try {
+ super.authenticate(req);
+ if (op.equals(OpDef.OP_AUTH)) { // for admin authentication only
+ sendResponse(SUCCESS, null, null, resp);
+ return;
+ }
+ } catch (IOException e) {
+ //System.out.println("SRVLT_FAIL_AUTHS");
+ sendResponse(ERROR,CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+
+ try {
+ // perform operation based on scope
+ if (scope != null) {
+ AUTHZ_RES_NAME = "certServer.auth.configuration";
+ if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) {
+ try {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ getExtendedPluginInfo(req, resp);
+ return;
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ }
+ if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) {
+ listAuthMgrPlugins(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) {
+ listAuthMgrInsts(req, resp);
+ return;
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) {
+ getConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) {
+ getInstConfig(req, resp);
+ return;
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_ADD)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) {
+ addAuthMgrPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) {
+ addAuthMgrInst(req, resp, scope);
+ return;
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_AUTH_IMPLS)) {
+ delAuthMgrPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) {
+ delAuthMgrInst(req, resp, scope);
+ return;
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_AUTH_MGR_INSTANCE)) {
+ modAuthMgrInst(req, resp, scope);
+ return;
+ }
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ }
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"),
+ null, resp);
+ return;
+ }
+
+ private void putUserPWPair(String combo) {
+ int semicolon;
+
+ semicolon = combo.indexOf(";");
+ String user = combo.substring(0, semicolon);
+ String pw = combo.substring(semicolon + 1);
+
+ CMS.putPasswordCache(user, pw);
+ }
+
+ /**
+ * Add authentication manager plug-in
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring + * authentication + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of this authentication
+ * manager's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void addAuthMgrPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ // is the manager id unique?
+ if (mAuths.getPlugins().containsKey((Object) id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_DUP_MGR_PLUGIN_ID", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_AUTH_CLASS);
+
+ if (classPath == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_NULL_AUTHMGR_CLASSNAME"),
+ null, resp);
+ return;
+ }
+
+ if (classPath.equals("com.netscape.cmscore.authentication.PasswdUserDBAuthentication") ||
+ classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp);
+ return;
+ }
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_PLUGIN_NOT_FOUND"),
+ null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_PLUGIN_NOT_FOUND"),
+ null, resp);
+ return;
+ }
+
+ // is the class an IAuthManager?
+ try {
+ if (IAuthManager.class.isAssignableFrom(newImpl) == false) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_ILL_CLASS"),
+ null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_ILL_CLASS"),
+ null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_AUTH_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add manager to registry.
+ AuthMgrPlugin plugin = new AuthMgrPlugin(id, classPath);
+
+ mAuths.getPlugins().put(id, plugin);
+ mAuths.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PLUGIN_ADD", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Add authentication manager instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring + * authentication + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of this authentication
+ * manager's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void addAuthMgrInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the manager instance id unique?
+ if (mAuths.getInstances().containsKey((Object) id)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_ILL_MGR_INST_ID"),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ // SC_AUTH_IMPL_NAME is absolutely required, the rest depend on
+ // on each authenticaton manager
+ String implname = req.getParameter(Constants.PR_AUTH_IMPL_NAME);
+
+ if (implname == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_MISSING_PARAMS"),
+ null, resp);
+ return;
+ }
+
+ // prevent agent & admin creation.
+ if (implname.equals(IAuthSubsystem.PASSWDUSERDB_PLUGIN_ID) ||
+ implname.equals(IAuthSubsystem.CERTUSERDB_PLUGIN_ID)) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp);
+ }
+
+ // check if implementation exists.
+ AuthMgrPlugin plugin =
+ (AuthMgrPlugin) mAuths.getPlugins().get(implname);
+
+ if (plugin == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ // now the rest of config parameters
+ // note that we only check to see if the required parameters
+ // are there, but not checking the values are valid
+ String[] configParams = mAuths.getConfigParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.length; i++) {
+ String key = configParams[i];
+ String val = req.getParameter(key);
+
+ if (val != null) {
+ substore.put(key, val);
+ }
+ }
+ }
+ substore.put(IAuthSubsystem.PROP_PLUGIN, implname);
+
+ String pwadd = req.getParameter(PW_PASSWORD_CACHE_ADD);
+
+ if (pwadd != null) {
+ putUserPWPair(pwadd);
+ }
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ IAuthManager authMgrInst = null;
+
+ try {
+ authMgrInst = (IAuthManager) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the authentication manager
+ try {
+ authMgrInst.init(id, implname, substore);
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // inited and commited ok. now add manager instance to list.
+ mAuths.add(id, authMgrInst);
+
+ mAuths.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_MGR_ADD", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_AUTH_IMPL_NAME, implname);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private synchronized void listAuthMgrPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mAuths.getPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ AuthMgrPlugin value = (AuthMgrPlugin)
+ mAuths.getPlugins().get(name);
+
+ if (value.isVisible()) {
+ params.add(name, value.getClassPath() + EDIT);
+ }
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listAuthMgrInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ for (Enumeration e = mAuths.getInstances().keys();
+ e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ AuthManagerProxy proxy = (AuthManagerProxy) mAuths.getInstances().get(name);
+ IAuthManager value = proxy.getAuthManager();
+ String enableStr = "enabled";
+
+ if (!proxy.isEnable()) {
+ enableStr = "disabled";
+ }
+
+ AuthMgrPlugin amgrplugin = (AuthMgrPlugin)
+ mAuths.getPlugins().get(value.getImplName());
+
+ if (!amgrplugin.isVisible()) {
+ params.add(name, value.getImplName() + ";invisible;" + enableStr);
+ } else {
+ params.add(name, value.getImplName() + ";visible;" + enableStr);
+ }
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Delete authentication manager plug-in
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring + * authentication + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of this authentication
+ * manager's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void delAuthMgrPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // prevent deletion of admin and agent.
+ if (id.equals(IAuthSubsystem.PASSWDUSERDB_PLUGIN_ID) ||
+ id.equals(IAuthSubsystem.CERTUSERDB_PLUGIN_ID)) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp);
+ }
+
+ // does auth manager exist?
+ if (mAuths.getPlugins().containsKey(id) == false) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_AUTHENTICATION_DUP_MGR_PLUGIN_ID", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this auth manager
+ // DON'T remove auth manager if any instance
+ for (Enumeration e = mAuths.getInstances().keys();
+ e.hasMoreElements();) {
+ IAuthManager authMgr = (IAuthManager) mAuths.get((String) e.nextElement());
+
+ if (authMgr.getImplName() == id) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_MGR_IN_USE"),
+ null, resp);
+ return;
+ }
+ }
+
+ // then delete this auth manager
+ mAuths.getPlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ }
+ }
+
+ /**
+ * Delete authentication manager instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring + * authentication + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void delAuthMgrInst(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // prevent deletion of admin and agent. + if (id.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID) || + id.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // does auth manager instance exist? 
+ if (mAuths.getInstances().containsKey(id) == false) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + new EAuthMgrNotFound(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + // only remove from memory + // cannot shutdown because we don't keep track of whether it's + // being used. + IAuthManager mgrInst = (IAuthManager) mAuths.get(id); + + mAuths.getInstances().remove((Object) id); + + // remove the configuration. + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + //This only works in the fact that we only support one instance per + //auth plugin. 
+ ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + + authInfo.removePassword("Rule " + id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * used for getting the required configuration parameters (with + * possible default values) for a particular auth manager plugin + * implementation name specified in the RS_ID. Actually, there is + * no logic in here to set any default value here...there's no + * default value for any parameter in this authentication subsystem + * at this point. Later, if we do have one (or some), it can be + * added. The interface remains the same. 
+ */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + String[] configParams = mAuths.getConfigParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.add(Constants.PR_AUTH_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + params.add(configParams[i], ""); + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does auth manager instance exist? + if (mAuths.getInstances().containsKey(id) == false) { + sendResponse(ERROR, + new EAuthMgrNotFound(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", id)).toString(), + null, resp); + return; + } + + IAuthManager mgrInst = (IAuthManager) mAuths.get(id); + IConfigStore config = mgrInst.getConfigStore(); + String[] configParams = mgrInst.getConfigParams(); + NameValuePairs params = new NameValuePairs(); + + params.add(Constants.PR_AUTH_IMPL_NAME, mgrInst.getImplName()); + // implName is always required so always send it. 
+ if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = (String) config.get(key); + + if (val != null) { + params.add(key, val); + } else { + params.add(key, ""); + } + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * Modify authentication manager instance + * This will actually create a new instance with new configuration + * parameters and replace the old instance if the new instance is + * created and initialized successfully. + * The old instance is left running, so this is very expensive. + * Restart of server recommended. + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_AUTH used when configuring + * authentication + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of this authentication + * manager's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void modAuthMgrInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + + // expensive operation. + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // prevent modification of admin and agent. + if (id.equals(IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID) || + id.equals(IAuthSubsystem.CERTUSERDB_AUTHMGR_ID)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_BASE_PERMISSION_DENIED"), null, resp); + } + + // Does the manager instance exist? + if (!mAuths.getInstances().containsKey((Object) id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage("CMS_AUTHENTICATION_MGR_IMPL_NOT_FOUND"), + null, resp); + return; + } + + // get new implementation (same or different.) 
+ String implname = req.getParameter(Constants.PR_AUTH_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage("CMS_AUTHENTICATION_MISSING_PARAMS"), + null, resp); + return; + } + + // get plugin for implementation + AuthMgrPlugin plugin = + (AuthMgrPlugin) mAuths.getPlugins().get(implname); + + if (plugin == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + new EAuthMgrPluginNotFound(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_AUTHMGR_NOT_FOUND", implname)).toString(), + null, resp); + return; + } + + // save old instance substore params in case new one fails. + + IAuthManager oldinst = + (IAuthManager) mAuths.get(id); + IConfigStore oldConfig = oldinst.getConfigStore(); + + String[] oldConfigParms = oldinst.getConfigParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. + saveParams.add(IAuthSubsystem.PROP_PLUGIN, + (String) oldConfig.get(IAuthSubsystem.PROP_PLUGIN)); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.length; i++) { + String key = oldConfigParms[i]; + Object val = oldConfig.get(key); + + if (val != null) { + saveParams.add(key, (String) val); + } + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_AUTH_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + + // create new substore. 
+ + String[] configParams = mAuths.getConfigParams(implname); + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(IAuthSubsystem.PROP_PLUGIN, implname); + if (configParams != null) { + for (int i = 0; i < configParams.length; i++) { + String key = configParams[i]; + String val = req.getParameter(key); + + if (val != null) { + substore.put(key, val); + } + } + } + + // Instantiate an object for new implementation + + String className = plugin.getClassPath(); + IAuthManager newMgrInst = null; + + try { + newMgrInst = (IAuthManager) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // cleanup + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } catch (InstantiationException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, + new EAuthException(CMS.getUserMessage(getLocale(req),"CMS_AUTHENTICATION_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } + + // initialize 
the authentication manager + + try { + newMgrInst.init(id, implname, substore); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // don't commit in this case and cleanup the new substore. + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + + // initialized ok. commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // clean up. + restore(instancesConfig, id, saveParams); + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // commited ok. replace instance. 
+ + mAuths.add(id, newMgrInst); + + mAuths.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_AUTH_MGR_REPL", id)); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + return; + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_AUTH, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + Enumeration keys = saveParams.getNames(); + + while (keys.hasMoreElements()) { + String key = (String) keys.nextElement(); + String value = saveParams.getValue(key); + + if (value != null) + rstore.put(key, value); + } + } +} 
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java b/pki/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java
new file mode 100644
index 000000000..354015e13
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/AuthCredentials.java
@@ -0,0 +1,100 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.authentication.*;
+
+
+/**
+ * Authentication Credentials as input to the authMgr
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class AuthCredentials implements IAuthCredentials {
+ private Hashtable authCreds = null;
+ // Inserted by bskim
+ private IArgBlock argblk = null;
+ // Insert end
+
+ public AuthCredentials() {
+ authCreds = new Hashtable();
+ }
+
+ /**
+ * sets a credential with credential name and the credential
+ * @param name credential name
+ * @param cred credential
+ * @exception com.netscape.certsrv.base.EBaseException NullPointerException
+ */
+ public void set(String name, Object cred)throws EBaseException {
+ if (cred == null) {
+ throw new EBaseException("AuthCredentials.set()");
+ }
+
+ authCreds.put(name, cred);
+ }
+
+ /**
+ * returns the credential to which the specified name is mapped in this
+ * credential set
+ * @param name credential name
+ * @return the named authentication credential
+ */
+ public Object get(String name) {
+ return ((Object) authCreds.get(name));
+ }
+
+ /**
+ * removes the name and its corresponding credential from this
+ * credential set. This method does nothing if the named
+ * credential is not in the credential set.
+ * @param name credential name
+ */
+ public void delete(String name) {
+ authCreds.remove(name);
+ }
+
+ /**
+ * returns an enumeration of the credentials in this credential
+ * set. Use the Enumeration methods on the returned object to
+ * fetch the elements sequentially.
+ * @return an enumeration of the values in this credential set
+ * @see java.util.Enumeration
+ */
+ public Enumeration getElements() {
+ return (authCreds.elements());
+ }
+
+ // Inserted by bskim
+ public void setArgBlock(IArgBlock blk) {
+ argblk = blk;
+ return;
+ }
+
+ // Insert end
+
+ public IArgBlock getArgBlock() {
+ return argblk;
+ }
+ // Insert end
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
new file mode 100644
index 000000000..5f2bf07c9
--- /dev/null
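Review bot: In `AuthCredentials.set()` only `cred` is null-checked, so a null `name` reaches `authCreds.put(name, cred)` and `Hashtable` throws an unchecked NullPointerException instead of the declared `EBaseException`; the guard could read `if (name == null || cred == null) {`, and the exception text could say which argument was missing rather than the bare `"AuthCredentials.set()"`. `get()` and `delete()` hand `name` to the same `Hashtable` and fail the same way on null. Because this object carries authentication credentials, a class-level comment such as `// values may be secrets (e.g. passwords): never log them; call delete() once authentication completes` would help callers, since nothing visible here ever clears the table. The raw `Hashtable`/`Enumeration` types, the redundant `(Object)` cast in `get()` and the stray `// Insert end` markers are style points worth tidying in the same pass.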
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java 
@@ -0,0 +1,1642 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.cert.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.util.*;
+import netscape.security.x509.*;
+
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.dbs.certdb.*;
+import com.netscape.certsrv.dbs.crldb.*;
+import com.netscape.certsrv.ldap.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.cmsutil.util.*;
+import com.netscape.certsrv.request.IRequestListener;
+
+
+/**
+ * A class representings an administration servlet for Certificate
+ * Authority. This servlet is responsible to serve CA
+ * administrative operations such as configuration parameter
+ * updates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class CAAdminServlet extends AdminServlet {
+
+ public final static String PROP_EMAIL_TEMPLATE = "emailTemplate";
+
+ private final static String INFO = "CAAdminServlet";
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
+
+ private ICertificateAuthority mCA = null;
+ protected static final String PROP_ENABLED = "enabled";
+
+ /**
+ * Constructs CA servlet.
+ */
+ public CAAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mCA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP request. Each request is authenticated to
+ * the authenticate manager.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ //get all operational flags
+ String op = req.getParameter(Constants.OP_TYPE);
+ String scope = req.getParameter(Constants.OP_SCOPE);
+
+ //check operational flags
+ if ((op == null) || (scope == null)) {
+ sendResponse(1, "Invalid Protocol", null, resp);
+ return;
+ }
+
+ super.authenticate(req);
+
+ try {
+ AUTHZ_RES_NAME = "certServer.ca.configuration";
+ if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) {
+ try {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ getExtendedPluginInfo(req, resp);
+ return;
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ }
+ }
+
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GENERAL))
+ getGeneralConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CONNECTOR))
+ getConnectorConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRLIPS))
+ getCRLIPsConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRL))
+ getCRLConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP))
+ getNotificationReqCompConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP))
+ getNotificationRevCompConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ))
+ getNotificationRIQConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRLEXTS_RULES))
+ getCRLExtsConfig(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GENERAL))
+ setGeneralConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CONNECTOR))
+ setConnectorConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRLIPS))
+ setCRLIPsConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRL))
+ setCRLConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP))
+ setNotificationReqCompConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP))
+ setNotificationRevCompConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ))
+ setNotificationRIQConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRLEXTS_RULES))
+ setCRLExtsConfig(req, resp);
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_CRLEXTS_RULES))
+ listCRLExtsConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_CRLIPS))
+ listCRLIPsConfig(req, resp);
+ } else if (op.equals(OpDef.OP_ADD)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_CRLIPS))
+ addCRLIPsConfig(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_CRLIPS))
+ deleteCRLIPsConfig(req, resp);
+ } else {
+ sendResponse(1, "Unknown operation", null, resp);
+ }
+ } catch (Exception e) {
+ sendResponse(1, e.toString(), null, resp);
+ return;
+ }
+ }
+
+ /*==========================================================
+ * private methods
+ *==========================================================*/
+
+ /*
+ * handle request completion (cert issued) notification config requests
+ */
+ private void getNotificationCompConfig(HttpServletRequest req,
+ HttpServletResponse resp, IConfigStore rc) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ params.add(name, rc.getString(name, ""));
+ }
+
+ params.add(Constants.PR_ENABLE,
+ rc.getString(PROP_ENABLED, Constants.FALSE));
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void getNotificationRevCompConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE);
+ IConfigStore rc = nc.getSubStore(mCA.PROP_CERT_REVOKED_SUBSTORE);
+
+ getNotificationCompConfig(req, resp, rc);
+ }
+
+ private void getNotificationReqCompConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE);
+ IConfigStore rc = nc.getSubStore(mCA.PROP_CERT_ISSUED_SUBSTORE);
+
+ getNotificationCompConfig(req, resp, rc);
+ }
+
+ /*
+ * handle getting request in queue notification config info
+ */
+ private void getNotificationRIQConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE);
+
+ IConfigStore riq = nc.getSubStore(mCA.PROP_REQ_IN_Q_SUBSTORE);
+
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ params.add(name, riq.getString(name, ""));
+ }
+
+ params.add(Constants.PR_ENABLE,
+ riq.getString(PROP_ENABLED, Constants.FALSE));
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /*
+ * handle setting request in queue notification config info
+ */
+ private void setNotificationRIQConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ IConfigStore config = mCA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE);
+
+ IConfigStore riq = nc.getSubStore(mCA.PROP_REQ_IN_Q_SUBSTORE);
+
+ //set rest of the parameters
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + // if it's emailTemplate, check to see if the path exists + if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + File template = new File(val); + + if ((!template.exists()) || (!template.canRead()) + || (template.isDirectory())) { + String error = + "Template: " + val + " does not exist or invalid"; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PATH")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PATH"), + null, resp); + return; + } + } + riq.putString(name, val); + mCA.getRequestInQListener().set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + riq.putString(PROP_ENABLED, enabledString); + mCA.getRequestInQListener().set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + /* + * handle setting request complete notification config info + */ + private void setNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc, IRequestListener thisListener) throws ServletException, + IOException, EBaseException { + + //set rest of the parameters + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + // if it's emailTemplate, check to see if the path exists + if (name.equalsIgnoreCase(PROP_EMAIL_TEMPLATE)) { + File template = new File(val); + + if 
((!template.exists()) || (!template.canRead()) + || (template.isDirectory())) { + String error = + "Template: " + val + " does not exist or invalid"; + + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PATH")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PATH"), + null, resp); + return; + } + } + rc.putString(name, val); + thisListener.set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + rc.putString(PROP_ENABLED, enabledString); + thisListener.set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + private void setNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mCA.PROP_CERT_REVOKED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mCA.getCertRevokedListener()); + } + + private void setNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mCA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mCA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mCA.PROP_CERT_ISSUED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mCA.getCertIssuedListener()); + + } + + private void listCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + Enumeration ips = mCA.getCRLIssuingPoints(); + + while (ips.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) ips.nextElement(); + + if (ip != null) { + String ipId = ip.getId(); + + if (ipId != null && ipId.length() > 0) + params.add(ipId, ip.getDescription()); + params.add(ipId + "." 
+ Constants.PR_ENABLED, + (Boolean.valueOf(ip.isCRLIssuingPointEnabled())).toString()); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + private void getCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null && id.length() > 0) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(id); + + if (ip != null) { + + Enumeration e = req.getParameterNames(); + String value = ""; + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.PR_ENABLED)) { + if (ip.isCRLIssuingPointEnabled()) { + value = Constants.TRUE; + } else { + value = Constants.FALSE; + } + } + if (name.equals(Constants.PR_ID)) + value = id; + if (name.equals(Constants.PR_DESCRIPTION)) + value = ip.getDescription(); + if (name.equals(Constants.PR_CLASS)) + value = ip.getClass().getName(); + + params.add(name, value); + } + } + } + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Add CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when + * configuring CRL profile (extensions, frequency, CRL format) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void addCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP name", null, resp); + return; + } + params.add(Constants.PR_ID, ipId); + + String desc = req.getParameter(Constants.PR_DESCRIPTION); + + if (desc == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP description", null, resp); + return; + } + params.add(Constants.PR_DESCRIPTION, desc); + + String sEnable = req.getParameter(Constants.PR_ENABLED); + boolean enable = true; + + if (sEnable != null && sEnable.length() > 0 && + sEnable.equalsIgnoreCase(Constants.FALSE)) { + enable = false; + params.add(Constants.PR_ENABLED, Constants.FALSE); + } else { + params.add(Constants.PR_ENABLED, Constants.TRUE); + } + + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(mCA.PROP_CRL_SUBSTORE); + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + while (crlNames.hasMoreElements()) { + String 
name = (String) crlNames.nextElement(); + + if (ipId.equals(name)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, ipId + " CRL IP already exists", null, resp); + return; + } + } + if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Cannot add or edit CRL IP", null, resp); + return; + } + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + 
// throw eAudit3; + } + } + + /** + * Set CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when + * configuring CRL profile (extensions, frequency, CRL format) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() == 0) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP name", null, resp); + return; + } + params.add(Constants.PR_ID, ipId); + + String desc = req.getParameter(Constants.PR_DESCRIPTION); + + if (desc == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP description", null, resp); + return; + } + params.add(Constants.PR_DESCRIPTION, desc); + + String sEnable = req.getParameter(Constants.PR_ENABLED); + boolean enable = true; + + if (sEnable != null && sEnable.length() > 0 && + sEnable.equalsIgnoreCase(Constants.FALSE)) { + enable = false; + params.add(Constants.PR_ENABLED, Constants.FALSE); + } else { + params.add(Constants.PR_ENABLED, Constants.TRUE); + } + + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(mCA.PROP_CRL_SUBSTORE); + boolean done = false; + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + while 
(crlNames.hasMoreElements()) { + String name = (String) crlNames.nextElement(); + + if (ipId.equals(name)) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + + if (ip != null) { + ip.setDescription(desc); + ip.enableCRLIssuingPoint(enable); + } + IConfigStore c = crlSubStore.getSubStore(ipId); + + if (c != null) { + c.putString(Constants.PR_DESCRIPTION, desc); + c.putString(Constants.PR_ENABLED, + (enable) ? Constants.TRUE : Constants.FALSE); + } + done = true; + break; + } + } + if (!done) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP " + ipId, null, resp); + return; + } + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); 
+ // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * Delete CRL issuing points configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when + * configuring CRL profile (extensions, frequency, CRL format) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void deleteCRLIPsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null && id.length() > 0) { + IConfigStore crlSubStore = + mCA.getConfigStore().getSubStore(mCA.PROP_CRL_SUBSTORE); + boolean done = false; + Enumeration crlNames = crlSubStore.getSubStoreNames(); + + while (crlNames.hasMoreElements()) { + String name = (String) crlNames.nextElement(); + + if (id.equals(name)) { + mCA.deleteCRLIssuingPoint(crlSubStore, id); + done = true; + break; + } + } + if (!done) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, "Missing CRL IP " + id, null, resp); + return; + } + commit(true); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; 
+ } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void getCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String ipId = null; + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + ipId = name; + } + if (ipId == null || ipId.length() <= 0) { + ipId = ICertificateAuthority.PROP_MASTER_CRL; + } + + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + String id = req.getParameter(Constants.RS_ID); + + if (id != null) { + params = crlExts.getConfigParams(id); + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Delete CRL extensions configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when + * configuring CRL profile (extensions, frequency, CRL format) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String ipId = req.getParameter(Constants.PR_ID); + + if (ipId == null || ipId.length() <= 0) { + ipId = ICertificateAuthority.PROP_MASTER_CRL; + } + + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + + IConfigStore config = mCA.getConfigStore(); + IConfigStore crlsSubStore = + config.getSubStore(mCA.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(ipId); + IConfigStore crlExtsSubStore = + crlSubStore.getSubStore(mCA.PROP_CRLEXT_SUBSTORE); + + String id = req.getParameter(Constants.RS_ID); + + if (id != null) { + IConfigStore crlExtSubStore = crlExtsSubStore.getSubStore(id); + + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_CRLEXT_IMPL_NAME)) + continue; + if (name.equals("RULENAME")) + continue; + String value = req.getParameter(name); + + params.add(name, value); + } + crlExts.setConfigParams(id, params, crlExtSubStore); + commit(true); + ip.clearCRLCache(); + ip.updateCRLCacheRepository(); + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void listCRLExtsConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.PR_ID); + + if (id == null || id.length() <= 0) { + id = mCA.PROP_MASTER_CRL; + } + + IConfigStore config = mCA.getConfigStore(); + IConfigStore crlsSubStore = config.getSubStore(mCA.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(id); + IConfigStore crlExtsSubStore = crlSubStore.getSubStore(mCA.PROP_CRLEXT_SUBSTORE); + + if (crlExtsSubStore != null) { + Enumeration enumExts = crlExtsSubStore.getSubStoreNames(); + + while (enumExts.hasMoreElements()) { + String extName = (String) enumExts.nextElement(); + boolean crlExtEnabled = false; + 
IConfigStore crlExtSubStore = crlExtsSubStore.getSubStore(extName); + Enumeration properties = crlExtSubStore.getPropertyNames(); + + while (properties.hasMoreElements()) { + String name = (String) properties.nextElement(); + + if (name.equals(Constants.PR_ENABLE)) { + crlExtEnabled = crlExtSubStore.getBoolean(name, false); + } + } + params.add(extName, extName + ";visible;" + ((crlExtEnabled) ? "enabled" : "disabled")); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * retrieve extended plugin info such as brief description, + * type info from CRL extensions + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + String ipId = null; + String name = null; + + Enumeration ips = mCA.getCRLIssuingPoints(); + if (ips.hasMoreElements()) { + ICRLIssuingPoint ip = (ICRLIssuingPoint) ips.nextElement(); + if (ip != null) { + ipId = ip.getId(); + } + } + if (ipId != null) { + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(ipId); + ICMSCRLExtensions crlExts = ip.getCRLExtensions(); + name = crlExts.getClassPath(implName); + } + if (name != null) { + impl = getClassByNameAsExtendedPluginInfo(name); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + 
+ return nvps; + } + + /** + * Set CRL configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE used when + * configuring CRL profile (extensions, frequency, CRL format) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setCRLConfig(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id == null || id.length() <= 0 || + id.equals(Constants.RS_ID_CONFIG)) { + id = mCA.PROP_MASTER_CRL; + } + ICRLIssuingPoint ip = mCA.getCRLIssuingPoint(id); + + //Save New Settings to the config file + IConfigStore config = mCA.getConfigStore(); + IConfigStore crlsSubStore = config.getSubStore(mCA.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(id); + + //set reset of the parameters + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String value = req.getParameter(name); + + params.add(name, value); + crlSubStore.putString(name, value); + } + boolean noRestart = ip.updateConfig(params); + + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + if (noRestart) + sendResponse(SUCCESS, null, null, resp); + else + sendResponse(RESTART, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed 
audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void getCRLConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + if (id == null || id.length() <= 0 || + id.equals(Constants.RS_ID_CONFIG)) { + id = mCA.PROP_MASTER_CRL; + } + IConfigStore crlsSubStore = + mCA.getConfigStore().getSubStore(mCA.PROP_CRL_SUBSTORE); + IConfigStore crlSubStore = crlsSubStore.getSubStore(id); + + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.add(name, crlSubStore.getString(name, "")); + } + + getSigningAlgConfig(params); + sendResponse(SUCCESS, null, params, resp); + } + + private void getConnectorConfig(HttpServletRequest req, + HttpServletResponse 
resp) throws ServletException, + IOException, EBaseException { + IConfigStore caConfig = mCA.getConfigStore(); + IConfigStore connectorConfig = caConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + + if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } else if (isCLAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("CLA"); + } + + Enumeration enum1 = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.OP_TYPE)) + continue; + + params.add(name, caConnectorConfig.getString(name, "")); + } + } + sendResponse(SUCCESS, null, params, resp); + } + + private void setConnectorConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore caConfig = mCA.getConfigStore(); + IConfigStore connectorConfig = caConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + +// String nickname = CMS.getServerCertNickname(); + + if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } else if (isCLAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("CLA"); + } + + Enumeration enum1 = req.getParameterNames(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; +/* + if (name.equals("nickName")) { + caConnectorConfig.putString(name, nickname); + continue; + } +*/ + if (name.equals("host")) { + try { + Utils.checkHost(req.getParameter("host")); + } catch (UnknownHostException e) { + sendResponse(ERROR, 
"Unknown Host " + req.getParameter("host"), null, resp); + return; + } + } + caConnectorConfig.putString(name, req.getParameter(name)); + } + } + + commit(true); + sendResponse(RESTART, null, null, resp); + } + + private boolean isKRAConnector(HttpServletRequest req) { + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Data Recovery Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private boolean isCLAConnector(HttpServletRequest req) { + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Clone Master Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private void getGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String value = "false"; + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + if (eeGateway != null) { + IConfigStore eeConfig = eeGateway.getConfigStore(); + if (eeConfig != null) + value = eeConfig.getString("enabled", "true"); + String ocspValue = "true"; + ocspValue = eeConfig.getString("enableOCSP", "true"); + params.add(Constants.PR_OCSP_ENABLED, ocspValue); + } + params.add(Constants.PR_EE_ENABLED, value); + */ + + + IConfigStore caConfig = mCA.getConfigStore(); + + value = caConfig.getString(mCA.PROP_ENABLE_PAST_CATIME, "false"); + params.add(Constants.PR_VALIDITY, value); + + getSigningAlgConfig(params); + getSerialConfig(params); + getMaxSerialConfig(params); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getSigningAlgConfig(NameValuePairs params) { + 
params.add(Constants.PR_DEFAULT_ALGORITHM, + mCA.getDefaultAlgorithm()); + String[] algorithms = mCA.getCASigningAlgorithms(); + StringBuffer algorStr = new StringBuffer(); + + for (int i = 0; i < algorithms.length; i++) { + if (i == 0) + algorStr.append(algorithms[i]); + else { + algorStr.append(":"); + algorStr.append(algorithms[i]); + } + } + params.add(Constants.PR_ALL_ALGORITHMS, algorStr.toString()); + } + + private void getSerialConfig(NameValuePairs params) { + params.add(Constants.PR_SERIAL, + mCA.getStartSerial()); + } + + private void getMaxSerialConfig(NameValuePairs params) { + params.add(Constants.PR_MAXSERIAL, + mCA.getMaxSerial()); + } + + private void setGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + ISubsystem eeGateway = null; + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + */ + IConfigStore eeConfig = null; + + if (eeGateway != null) + eeConfig = eeGateway.getConfigStore(); + IConfigStore caConfig = mCA.getConfigStore(); + + Enumeration enum1 = req.getParameterNames(); + boolean restart = false; + + //mCA.setMaxSerial(""); + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_EE_ENABLED)) { + + /* + if (eeConfig != null) { + if (((EEGateway)eeGateway).isEnabled() && + value.equals("false") || + !((EEGateway)eeGateway).isEnabled() && + value.equals("true")) { + restart=true;; + } + eeConfig.putString("enabled", value); + } + */ + } else if (key.equals(Constants.PR_VALIDITY)) { + mCA.setValidity(value); + } else if (key.equals(Constants.PR_DEFAULT_ALGORITHM)) { + mCA.setDefaultAlgorithm(value); + } else if (key.equals(Constants.PR_SERIAL)) { + mCA.setStartSerial(value); + } else if (key.equals(Constants.PR_MAXSERIAL)) { + mCA.setMaxSerial(value); + } + } + + commit(true); + if (restart) + sendResponse(RESTART, null, null, resp); + 
else + sendResponse(SUCCESS, null, null, resp); + } + + /** + * Retrieves configuration parameters of certificate + * authority. + */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + // validate + super.getConfig(mCA.getConfigStore(), req, resp); + } + + /** + * Sets configuration parameters of certificate + * authority. + */ + private synchronized void setConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + super.setConfig(mCA.getConfigStore(), req, resp); + // XXX - commit changes + } + + /** + * Lists configuration store parameters. + */ + private synchronized void listConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + super.listConfig(mCA.getConfigStore(), req, resp); + } + + /** + * Locks a request so that no one can modify it except + * owner. + */ + private synchronized void lockRequest(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + // XXX + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Locks certificate record so that no one can + * modify it except owner. + */ + private synchronized void lockCertRecord(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Modifies a cert record. 
+ */ + private synchronized void modifyCertRecord(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + // XXX + sendResponse(SUCCESS, null, params, resp); + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "CAAdminServlet: " + msg); + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java new file mode 100644 index 000000000..b735f0f10 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java 
@@ -0,0 +1,3677 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import java.security.cert.CertificateEncodingException;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import org.mozilla.jss.CryptoManager.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.selftests.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.ra.*;
+import com.netscape.certsrv.ocsp.*;
+import com.netscape.certsrv.tks.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.dbs.certdb.*;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.ldap.*;
+import com.netscape.certsrv.cert.ICrossCertPairSubsystem;
+import com.netscape.cmsutil.util.*;
+import com.netscape.cms.servlet.common.CMSGateway;
+import org.mozilla.jss.util.Password;
+import org.mozilla.jss.util.PasswordCallback;
+import org.mozilla.jss.util.ConsolePasswordCallback;
+import org.mozilla.jss.util.IncorrectPasswordException;
+import com.netscape.symkey.*;
+
+/**
+ * A class representings an administration servlet. This
+ * servlet is responsible to serve Certificate Server
+ * level administrative operations such as configuration
+ * parameter updates.
+ *
+ * @version $Revision$, $Date$
+ */
+public final class CMSAdminServlet extends AdminServlet {
+
+ private final static String INFO = "CMSAdminServlet";
+ private final static String BEGIN_HEADER = "-----BEGIN CERTIFICATE-----";
+ private final static String END_HEADER = "-----END CERTIFICATE-----";
+
+ private final static String PROP_DB = "dbs";
+ private final static String PROP_SMTP = "smtp";
+ private final static String PROP_RADM = "radm";
+ private final static String PROP_GATEWAY = "cmsgateway";
+ private final static String PROP_INTERNAL_DB = "internaldb";
+
+ private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
+ "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC =
+ "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
+ private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+ "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+ private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+ "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+
+ // CMS must be instantiated before this admin servlet.
+
+ /**
+ * Constructs CA servlet.
+ */
+ public CMSAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+ try {
+ super.authenticate(req);
+ } catch (IOException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+
+ String scope = req.getParameter(Constants.OP_SCOPE);
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ try {
+ AUTHZ_RES_NAME = "certServer.general.configuration";
+ if (scope.equals(ScopeDef.SC_PLATFORM)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ getEnv(req, resp);
+ return;
+ }
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP))
+ getDBConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_SMTP))
+ readSMTPConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_STAT))
+ readStat(req, resp);
+ else if (scope.equals(ScopeDef.SC_ENCRYPTION))
+ readEncryption(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN))
+ getAllTokenNames(req, resp);
+ else if (scope.equals(ScopeDef.SC_SUBJECT_NAME))
+ getSubjectName(req, resp);
+ else if (scope.equals(ScopeDef.SC_GET_NICKNAMES))
+ getAllNicknames(req, resp);
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP))
+ setDBConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_SMTP))
+ modifySMTPConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_TASKS))
+ performTasks(req, resp);
+ else if (scope.equals(ScopeDef.SC_ENCRYPTION))
+ modifyEncryption(req, resp);
+ else if (scope.equals(ScopeDef.SC_ISSUE_IMPORT_CERT))
+ issueImportCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_INSTALL_CERT))
+ installCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_IMPORT_CROSS_CERT))
+ importXCert(req, resp);
+ else if (scope.equals(ScopeDef.SC_DELETE_CERTS))
+ deleteCerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_TRUST))
+ trustCACert(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN_LOGON))
+ loggedInToken(req, resp);
+ else if (scope.equals(ScopeDef.SC_ROOTCERT_TRUSTBIT))
+ setRootCertTrust(req, resp);
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_SUBSYSTEM))
+ readSubsystem(req, resp);
+ else if (scope.equals(ScopeDef.SC_CA_CERTLIST))
+ getCACerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_ALL_CERTLIST))
+ getAllCertsManage(req, resp);
+ else if (scope.equals(ScopeDef.SC_USERCERTSLIST))
+ getUserCerts(req, resp);
+ else if (scope.equals(ScopeDef.SC_TKSKEYSLIST))
+ getTKSKeys(req, resp);
+ else if (scope.equals(ScopeDef.SC_TOKEN))
+ getAllTokenNames(req, resp);
+ else if (scope.equals(ScopeDef.SC_ROOTCERTSLIST))
+ getRootCerts(req, resp);
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "delete";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_ROOTCERTSLIST)) {
+ deleteRootCert(req, resp);
+ } else if (scope.equals(ScopeDef.SC_USERCERTSLIST)) {
+ deleteUserCert(req,resp);
+ } + } else if (op.equals(OpDef.OP_PROCESS)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_CERT_REQUEST)) + getCertRequest(req, resp); + else if (scope.equals(ScopeDef.SC_SUBJECT_NAME)) + processSubjectName(req, resp); + else if (scope.equals(ScopeDef.SC_CERTINFO)) + getCertInfo(req, resp); + else if (scope.equals(ScopeDef.SC_CERT_PRETTY_PRINT)) + getCertPrettyPrint(req, resp); + else if (scope.equals(ScopeDef.SC_ROOTCERT_TRUSTBIT)) + getRootCertTrustBit(req, resp); + else if (scope.equals(ScopeDef.SC_TOKEN_STATUS)) + checkTokenStatus(req, resp); + else if (scope.equals(ScopeDef.SC_SELFTESTS)) + runSelfTestsOnDemand(req, resp); + else if (scope.equals(ScopeDef.SC_TKSKEYSLIST)) + createMasterKey(req, resp); + } else if (op.equals(OpDef.OP_VALIDATE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_SUBJECT_NAME)) + validateSubjectName(req, resp); + else if (scope.equals(ScopeDef.SC_KEY_LENGTH)) + validateKeyLength(req, resp); + else if (scope.equals(ScopeDef.SC_CERTIFICATE_EXTENSION)) + validateCertExtension(req, resp); + else if (scope.equals(ScopeDef.SC_KEY_CURVENAME)) + validateCurveName(req, resp); + } + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), + null, resp); + return; + } catch (Exception e) { + StringWriter sw = new StringWriter(); + + e.printStackTrace(new PrintWriter(sw)); + + sendResponse(1, "operation failure", null, resp); + return; + } + } + + private void getEnv(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + if (File.separator.equals("\\")) + 
params.add(Constants.PR_NT, Constants.TRUE); + else + params.add(Constants.PR_NT, Constants.FALSE); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getAllTokenNames(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + NameValuePairs params = new NameValuePairs(); + + params.add(Constants.PR_TOKEN_LIST, jssSubSystem.getTokenList()); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getAllNicknames(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + params.add(Constants.PR_ALL_NICKNAMES, jssSubSystem.getAllCerts()); + + sendResponse(SUCCESS, null, params, resp); + } + + private boolean isSubsystemInstalled(String subsystem) { + Enumeration e = CMS.getSubsystems(); + + while (e.hasMoreElements()) { + String type = ""; + ISubsystem sys = (ISubsystem) e.nextElement(); + + //get subsystem type + if ((sys instanceof IKeyRecoveryAuthority) && + subsystem.equals("kra")) + return true; + else if ((sys instanceof IRegistrationAuthority) && + subsystem.equals("ra")) + return true; + else if ((sys instanceof ICertificateAuthority) && + subsystem.equals("ca")) + return true; + else if ((sys instanceof IOCSPAuthority) && + subsystem.equals("ocsp")) + return true; + } + + return false; + } + + private void readEncryption(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + Enumeration e = CMS.getSubsystems(); + boolean isCAInstalled = false; + boolean isRAInstalled = false; + boolean isKRAInstalled = false; + boolean isOCSPInstalled = false; + boolean isTKSInstalled = false; + + while (e.hasMoreElements()) { + String type = ""; + 
ISubsystem sys = (ISubsystem) e.nextElement(); + + //get subsystem type + if (sys instanceof IKeyRecoveryAuthority) + isKRAInstalled = true; + else if (sys instanceof IRegistrationAuthority) + isRAInstalled = true; + else if (sys instanceof ICertificateAuthority) + isCAInstalled = true; + else if (sys instanceof IOCSPAuthority) + isOCSPInstalled = true; + else if (sys instanceof ITKSAuthority) + isTKSInstalled = true; + + } + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + String caTokenName = ""; + + NameValuePairs params = new NameValuePairs(); + + params.add(Constants.PR_CIPHER_VERSION, + jssSubSystem.getCipherVersion()); + params.add(Constants.PR_CIPHER_FORTEZZA, jssSubSystem.isCipherFortezza()); + params.add(Constants.PR_CIPHER_PREF, jssSubSystem.getCipherPreferences()); + + String tokenList = jssSubSystem.getTokenList(); + + String tokenNewList = ""; + StringTokenizer tokenizer = new StringTokenizer(tokenList, ","); + + while (tokenizer.hasMoreElements()) { + String tokenName = (String) tokenizer.nextElement(); + String certs = jssSubSystem.getCertListWithoutTokenName(tokenName); + + if (certs.equals("")) + continue; + if (tokenNewList.equals("")) + tokenNewList = tokenNewList + tokenName; + else + tokenNewList = tokenNewList + "," + tokenName; + tokenName = escapeString(tokenName); + params.add(Constants.PR_TOKEN_PREFIX + tokenName, certs); + } + + params.add(Constants.PR_TOKEN_LIST, tokenNewList); + + if (isCAInstalled) { + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + + caTokenName = signingUnit.getTokenName(); + + if (caTokenName.equals(jssSubSystem.getInternalTokenName())) + caTokenName = Constants.PR_INTERNAL_TOKEN; + + String caNickName = signingUnit.getNickname(); + + //params.add(Constants.PR_CERT_CA, caTokenName+","+caNickName); + params.add(Constants.PR_CERT_CA, getCertNickname(caNickName)); + } + + if 
(isRAInstalled) { + IRegistrationAuthority ra = (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + String raNickname = ra.getNickname(); + + params.add(Constants.PR_CERT_RA, getCertNickname(raNickname)); + } + + if (isKRAInstalled) { + IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + String kraNickname = kra.getNickname(); + + params.add(Constants.PR_CERT_TRANS, getCertNickname(kraNickname)); + } + if (isTKSInstalled) { + ITKSAuthority tks = (ITKSAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_TKS); + } + String nickName = CMS.getServerCertNickname(); + + params.add(Constants.PR_CERT_SERVER, getCertNickname(nickName)); + + sendResponse(SUCCESS, null, params, resp); + } + + private String escapeString(String name) { + StringTokenizer tokenizer = new StringTokenizer(name, " "); + StringBuffer tokenname = new StringBuffer(); + + if (tokenizer.countTokens() == 1) + return name; + while (tokenizer.hasMoreElements()) { + if (tokenizer.countTokens() == 1) + tokenname.append((String) tokenizer.nextElement()); + else { + tokenname.append((String) tokenizer.nextElement()); + tokenname.append("%20"); + } + } + + return tokenname.toString(); + } + + private String getCertNickname(String nickName) { + if (!nickName.equals("")) { + StringTokenizer tokenizer = new StringTokenizer(nickName, ":"); + String tokenName = ""; + + if (tokenizer.countTokens() > 1) { + tokenName = (String) tokenizer.nextElement(); + } else { + tokenName = Constants.PR_INTERNAL_TOKEN; + } + return tokenName + "," + ((String) tokenizer.nextElement()); + } + return ""; + } + + /** + * Modify encryption configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION used when + * configuring encryption (cert settings and SSL cipher preferences) + *
+ * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to modify encryption configuration + */ + private void modifyEncryption(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + Enumeration enum1 = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + jssSubSystem.getInternalTokenName(); + Enumeration e = CMS.getSubsystems(); + boolean isCAInstalled = false; + boolean isRAInstalled = false; + boolean isKRAInstalled = false; + boolean isOCSPInstalled = false; + boolean isTKSInstalled = false; + + while (e.hasMoreElements()) { + String type = ""; + ISubsystem sys = (ISubsystem) e.nextElement(); + + //get subsystem type + if (sys instanceof IKeyRecoveryAuthority) + isKRAInstalled = true; + else if (sys instanceof IRegistrationAuthority) + isRAInstalled = true; + else if (sys instanceof ICertificateAuthority) + isCAInstalled = true; + else if (sys instanceof IOCSPAuthority) + isOCSPInstalled = true; + else if (sys instanceof ITKSAuthority) + isTKSInstalled = true; + } + + ICertificateAuthority ca = null; + IRegistrationAuthority ra = null; + IKeyRecoveryAuthority kra = null; + ITKSAuthority tks = null; + + if (isCAInstalled) + ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + if (isRAInstalled) + ra = (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA); + if (isKRAInstalled) + kra = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + if (isTKSInstalled) + tks = (ITKSAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_TKS); + + boolean isCACert = true; + + while 
(enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + String val = req.getParameter(name); + + if (name.equals(Constants.PR_CIPHER_PREF)) { + jssSubSystem.setCipherPreferences(val); + } else if (name.equals(Constants.PR_CERT_CA)) { + ISigningUnit signingUnit = ca.getSigningUnit(); + + if ((val != null) && (!val.equals(""))) { + StringTokenizer tokenizer = new StringTokenizer(val, ","); + + if (tokenizer.countTokens() != 2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getLogMessage("BASE_INVALID_UI_INFO")); + } + + String tokenName = (String) tokenizer.nextElement(); + String nickName = (String) tokenizer.nextElement(); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN)) { + tokenName = jssSubSystem.getInternalTokenName(); + } else { + nickName = tokenName + ":" + nickName; + } + + isCACert = jssSubSystem.isCACert(nickName); + if (isCACert) { + signingUnit.updateConfig(nickName, tokenName); + } else + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException(CMS.getLogMessage("BASE_NOT_CA_CERT")); + } + } else if (name.equals(Constants.PR_CERT_RA)) { + if ((val != null) && (!val.equals(""))) { + String nickName = getCertConfigNickname(val); + + ra.setNickname(nickName); + } + } else if (name.equals(Constants.PR_CERT_TRANS)) { + if ((val != null) && (!val.equals(""))) { + String nickName = getCertConfigNickname(val); + + kra.setNickname(nickName); + } + } else if (name.equals(Constants.PR_CERT_SERVER)) { + if ((val != null) && (!val.equals(""))) { + String nickName = getCertConfigNickname(val); + + modifyRADMCert(nickName); + modifyAgentGatewayCert(nickName); + if 
(isRAInstalled) + modifyEEGatewayCert(ra, nickName); + if (isCAInstalled) + modifyCAGatewayCert(ca, nickName); + } + } + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(RESTART, null, params, resp); + mConfig.commit(true); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private String getCertConfigNickname(String val) throws EBaseException { + StringTokenizer tokenizer = new StringTokenizer(val, ","); + + if (tokenizer.countTokens() != 2) { + throw new EBaseException(CMS.getLogMessage("BASE_INVALID_UI_INFO")); + } + String tokenName = (String) tokenizer.nextElement(); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN)) + tokenName = ""; + else + tokenName = tokenName + ":"; + return (tokenName + (String) tokenizer.nextElement()); + } + + private void modifyRADMCert(String nickName) { + CMS.setServerCertNickname(nickName); + + 
/*
+ RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance();
+ HTTPService httpsService = raAdmin.getHttpsService();
+ httpsService.setNickName(nickName);
+ */
+ }
+
+ private void modifyAgentGatewayCert(String nickName) {
+ CMS.setServerCertNickname(nickName);
+
+ /*
+ AgentGateway gateway = (AgentGateway)mReg.get(AgentGateway.ID);
+ HTTPService httpsService = gateway.getHttpsService();
+ httpsService.setNickName(nickName);
+ */
+ }
+
+ private void modifyEEGatewayCert(IRegistrationAuthority ra, String nickName) {
+ CMS.setServerCertNickname(nickName);
+
+ /*
+ HTTPSubsystem eeGateway = ra.getHTTPSubsystem();
+ HTTPService httpsService = eeGateway.getHttpsService();
+ httpsService.setNickName(nickName);
+ */
+ }
+
+ private void modifyCAGatewayCert(ICertificateAuthority ca, String nickName) {
+ CMS.setServerCertNickname(nickName);
+
+ /*
+ HTTPSubsystem caGateway = ca.getHTTPSubsystem();
+ HTTPService httpsService = caGateway.getHttpsService();
+ httpsService.setNickName(nickName);
+ */
+ }
+
+ /**
+ * Performs Server Tasks: RESTART/STOP operation
+ */
+ private void performTasks(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String restart = req.getParameter(Constants.PR_SERVER_RESTART);
+ String stop = req.getParameter(Constants.PR_SERVER_STOP);
+ NameValuePairs params = new NameValuePairs();
+
+ if (restart != null) {
+ //XXX Uncommented afetr watchdog is implemented
+ sendResponse(SUCCESS, null, params, resp);
+ //mServer.restart();
+ return;
+ }
+
+ if (stop != null) {
+ //XXX Send response first then shutdown
+ sendResponse(SUCCESS, null, params, resp);
+ CMS.shutdown();
+ return;
+ }
+
+ sendResponse(ERROR, "Unknown operation", null, resp);
+
+ }
+
+ /**
+ * Reads subsystems that server has loaded with.
+ */
+ private void readSubsystem(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = CMS.getSubsystems();
+ StringBuffer buff = new StringBuffer();
+
+ while (e.hasMoreElements()) {
+ String type = "";
+ ISubsystem sys = (ISubsystem) e.nextElement();
+
+ //get subsystem type
+ if (sys instanceof IKeyRecoveryAuthority)
+ type = Constants.PR_KRA_INSTANCE;
+ if (sys instanceof IRegistrationAuthority)
+ type = Constants.PR_RA_INSTANCE;
+ if (sys instanceof ICertificateAuthority)
+ type = Constants.PR_CA_INSTANCE;
+ if (sys instanceof IOCSPAuthority)
+ type = Constants.PR_OCSP_INSTANCE;
+ if (sys instanceof ITKSAuthority)
+ type = Constants.PR_TKS_INSTANCE;
+ if (!type.trim().equals(""))
+ params.add(sys.getId(), type);
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * Reads server statistics.
+ */
+ private void readStat(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ IConfigStore cs = CMS.getConfigStore();
+ try {
+ String installdate = cs.getString(Constants.PR_STAT_INSTALLDATE, "");
+ params.add(Constants.PR_STAT_INSTALLDATE, installdate);
+ } catch (Exception e) {
+ }
+
+ try {
+ String version = cs.getString(Constants.PR_STAT_VERSION, "");
+ params.add(Constants.PR_STAT_VERSION, version);
+ } catch (Exception e) {
+ }
+
+ try {
+ String instanceId = cs.getString(Constants.PR_STAT_INSTANCEID, "");
+ params.add(Constants.PR_STAT_INSTANCEID, instanceId);
+ } catch (Exception e) {
+ }
+
+ params.add(Constants.PR_STAT_STARTUP,
+ (new Date(CMS.getStartupTime())).toString());
+ params.add(Constants.PR_STAT_TIME,
+ (new Date(System.currentTimeMillis())).toString());
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * Modifies network information.
+ */ + private void modifyNetworkConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + /* + HTTPSubsystem eeGateway = (HTTPSubsystem) + SubsystemRegistry.getInstance().get("eeGateway"); + RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance(); + AgentGateway agent = (AgentGateway)mReg.get(AgentGateway.ID); + + Enumeration enum1 = req.getParameterNames(); + + String eeHTTPportString = null; + String eeHTTPSportString = null; + String agentHTTPSportString = null; + String radminHTTPSportString = null; + + String gatewayBacklog = "15"; + + // eeHTTPEnabled corresponds to the checkbox which enables the + // HTTP EE port + String eeHTTPEnabled = Constants.FALSE; + + while (enum1.hasMoreElements()) { + String key = (String)enum1.nextElement(); + String value = (String)req.getParameter(key); + + if (key.equals(Constants.PR_AGENT_S_BACKLOG)) { + agent.setHTTPSBacklog(value); + } else if (key.equals(Constants.PR_GATEWAY_S_BACKLOG)) { + eeGateway.setHTTPSBacklog(value); + } else if (key.equals(Constants.PR_ADMIN_S_BACKLOG)) { + raAdmin.setHTTPSBacklog(value); + } else if (key.equals(Constants.PR_GATEWAY_BACKLOG)) { + gatewayBacklog = value; + } else if (key.equals(Constants.PR_GATEWAY_PORT_ENABLED)) { + eeHTTPEnabled = value; + } + } + + + eeHTTPportString = req.getParameter(Constants.PR_GATEWAY_PORT); + eeHTTPSportString = req.getParameter(Constants.PR_GATEWAY_S_PORT); + agentHTTPSportString= req.getParameter(Constants.PR_AGENT_S_PORT); + radminHTTPSportString= req.getParameter(Constants.PR_ADMIN_S_PORT); + + + int eeHTTPport=0; + int eeHTTPSport=0; + int agentHTTPSport=0; + int radminHTTPSport=0; + if (eeHTTPportString != null) eeHTTPport = Integer.parseInt(eeHTTPportString); + if (eeHTTPSportString != null) eeHTTPSport = Integer.parseInt(eeHTTPSportString); + if (agentHTTPSportString != null) agentHTTPSport = Integer.parseInt(agentHTTPSportString); + if (radminHTTPSportString != null) radminHTTPSport 
= Integer.parseInt(radminHTTPSportString); + + + String portName=""; + int portnum; + try { + + // EE HTTP is special, since it has it's own checkbox for enabling/disabling + if (eeHTTPEnabled.equals(Constants.TRUE) && + eeHTTPport != 0 && + eeHTTPport != eeGateway.getHTTPPort()) + { + portName = "End-entity"; + checkPortAvailable(eeHTTPport); + } + + if (eeHTTPSport != 0 && eeHTTPSport != eeGateway.getHTTPSPort()) { + portName = "SSL End-entity"; + checkPortAvailable(eeHTTPSport); + } + if (agentHTTPSport != 0 && agentHTTPSport != agent.getHTTPSPort()) { + portName = "Agent"; + checkPortAvailable(agentHTTPSport); + } + if (radminHTTPSport != 0 && radminHTTPSport != raAdmin.getHTTPSPort()) { + portName = "Remote Admin"; + checkPortAvailable(radminHTTPSport); + } + + // If any of the above ports are not available, an exception + // will be thrown and these methods below will not be called + + if (eeHTTPEnabled.equals(Constants.TRUE)) { + eeGateway.setHTTPPort(eeHTTPport); + } + eeGateway.setHTTPSPort(eeHTTPSport); + agent.setHTTPSPort(agentHTTPSport); + raAdmin.setHTTPSPort(radminHTTPSport); + + } catch (IOException e) { + // send 'port in use' error + sendResponse(ERROR, portName+" "+e.getMessage(), null, resp); + // we do not want to save the config in this case + return; + } + + eeGateway.setHTTPBacklog(gatewayBacklog); + eeGateway.setHTTPPortEnable(eeHTTPEnabled); + + mConfig.commit(true); + sendResponse(RESTART, null, null, resp); + */ + } + + /** + * Check if the port is available for binding. + * @throws IOException if not available + */ + + private void checkPortAvailable(int port) + throws IOException { + try { + // see if the port is being used by somebody else + ServerSocket ss = new ServerSocket(port); + + ss.close(); + } catch (Exception e) { + throw new IOException("port " + port + " is in use. Please select another port"); + } + } + + /** + * Reads network information. 
+ */
+ private void readNetworkConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ getEENetworkConfig(params);
+ getAdminConfig(params);
+ getAgentConfig(params);
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void getEENetworkConfig(NameValuePairs params)
+ throws EBaseException {
+
+ /*
+ HTTPSubsystem eeGateway =
+ (HTTPSubsystem)mReg.get("eeGateway");
+ if (eeGateway == null) {
+ // i.e. standalone DRM
+ params.add(Constants.PR_GATEWAY_S_PORT, "-1");
+ params.add(Constants.PR_GATEWAY_PORT, "-1");
+ params.add(Constants.PR_GATEWAY_S_BACKLOG, "-1");
+ params.add(Constants.PR_GATEWAY_BACKLOG,"-1");
+ params.add(Constants.PR_GATEWAY_PORT_ENABLED,"false");
+ } else {
+ params.add(Constants.PR_GATEWAY_S_PORT,
+ ""+eeGateway.getHTTPSPort());
+ params.add(Constants.PR_GATEWAY_PORT,
+ ""+eeGateway.getHTTPPort());
+ params.add(Constants.PR_GATEWAY_S_BACKLOG,
+ ""+eeGateway.getHTTPBacklog());
+ params.add(Constants.PR_GATEWAY_BACKLOG,
+ ""+eeGateway.getHTTPSBacklog());
+ params.add(Constants.PR_GATEWAY_PORT_ENABLED,
+ eeGateway.getHTTPPortEnable());
+ }
+ */
+ }
+
+ private void getAdminConfig(NameValuePairs params) throws EBaseException {
+
+ /*
+ RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance();
+ params.add(Constants.PR_ADMIN_S_PORT, ""+raAdmin.getHTTPSPort());
+ params.add(Constants.PR_ADMIN_S_BACKLOG,""+raAdmin.getHTTPSBacklog());
+ */
+ }
+
+ private void getAgentConfig(NameValuePairs params) throws EBaseException {
+
+ /*
+ AgentGateway agent = (AgentGateway)mReg.get(AgentGateway.ID);
+ params.add(Constants.PR_AGENT_S_PORT, ""+agent.getHTTPSPort());
+ params.add(Constants.PR_AGENT_S_BACKLOG,""+agent.getHTTPSBacklog());
+ */
+ }
+
+ /**
+ * Modifies database information.
+ */
+ private void setDBConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ IConfigStore dbConfig = mConfig.getSubStore(PROP_INTERNAL_DB);
+ Enumeration enum1 = req.getParameterNames();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+
+ if (key.equals(Constants.OP_TYPE))
+ continue;
+ if (key.equals(Constants.RS_ID))
+ continue;
+ if (key.equals(Constants.OP_SCOPE))
+ continue;
+
+ dbConfig.putString(key, req.getParameter(key));
+ }
+
+ sendResponse(RESTART, null, null, resp);
+ mConfig.commit(true);
+ }
+ /**
+ * Create Master Key
+ */
+private void createMasterKey(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = req.getParameterNames();
+ String newKeyName = null, selectedToken = null;
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.PR_KEY_LIST))
+ {
+ newKeyName = req.getParameter(name);
+ }
+ if (name.equals(Constants.PR_TOKEN_LIST))
+ {
+ selectedToken = req.getParameter(name);
+ }
+
+
+ }
+ if(selectedToken!=null && newKeyName!=null)
+ {
+ String symKeys = SessionKey.GenMasterKey(selectedToken,newKeyName);
+ CMS.getConfigStore().putString("tks.defaultSlot", selectedToken);
+ String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null);
+
+ SessionKey.SetDefaultPrefix(masterKeyPrefix);
+ params.add(Constants.PR_KEY_LIST, newKeyName);
+ params.add(Constants.PR_TOKEN_LIST, selectedToken);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+}
+
+ /**
+ * Reads secmod.db
+ */
+ private void getTKSKeys(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) 
e.nextElement();
+
+ if (name.equals(Constants.PR_TOKEN_LIST))
+ {
+ String selectedToken = req.getParameter(name);
+
+ int count = 0;
+ int keys_found = 0;
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+
+ CryptoToken token = null;
+ CryptoManager mCryptoManager = null;
+ try {
+ mCryptoManager = CryptoManager.getInstance();
+ } catch (Exception e2) {
+ }
+
+ if(!jssSubSystem.isTokenLoggedIn(selectedToken))
+ {
+ PasswordCallback cpcb = new ConsolePasswordCallback();
+ while (true) {
+ try {
+ token = mCryptoManager.getTokenByName(selectedToken);
+ token.login(cpcb);
+ break;
+ } catch (Exception e3) {
+ //log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_INCORRECT_PWD"));
+ continue;
+ }
+ }
+ }
+ // String symKeys = new String("key1,key2");
+ String symKeys = SessionKey.ListSymmetricKeys(selectedToken);
+ params.add(Constants.PR_TOKEN_LIST, symKeys);
+
+ }
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+
+ /**
+ * Reads database information.
+ */
+ private void getDBConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ IConfigStore dbConfig = mConfig.getSubStore(PROP_DB);
+ IConfigStore ldapConfig = dbConfig.getSubStore("ldap");
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_SECURE_PORT_ENABLED))
+ params.add(name, ldapConfig.getString(name, "Constants.FALSE"));
+ else
+ params.add(name, ldapConfig.getString(name, ""));
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * Modifies SMTP configuration.
+ */
+ private void modifySMTPConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ // XXX
+ IConfigStore sConfig = mConfig.getSubStore(PROP_SMTP);
+
+ String host = req.getParameter(Constants.PR_SERVER_NAME);
+
+ if (host != null)
+ sConfig.putString("host", host);
+
+ String port = req.getParameter(Constants.PR_PORT);
+
+ if (port != null)
+ sConfig.putString("port", port);
+
+ commit(true);
+
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ /**
+ * Reads SMTP configuration.
+ */
+ private void readSMTPConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ IConfigStore dbConfig = mConfig.getSubStore(PROP_SMTP);
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_SERVER_NAME,
+ dbConfig.getString("host"));
+ params.add(Constants.PR_PORT,
+ dbConfig.getString("port"));
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void loggedInToken(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ String tokenName = "";
+ String pwd = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_TOKEN_NAME)) {
+ tokenName = value;
+ } else if (key.equals(Constants.PR_TOKEN_PASSWD)) {
+ pwd = value;
+ }
+ }
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+
+ jssSubSystem.loggedInToken(tokenName, pwd);
+
+ /* Do a "PUT" of the new pw to the watchdog" */
+ CMS.putPasswordCache(tokenName, pwd);
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ private void checkTokenStatus(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ String key = "";
+ String value = "";
+
+ 
while (enum1.hasMoreElements()) { + key = (String) enum1.nextElement(); + value = req.getParameter(key); + if (key.equals(Constants.PR_TOKEN_NAME)) { + break; + } + } + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + boolean status = jssSubSystem.isTokenLoggedIn(value); + + NameValuePairs params = new NameValuePairs(); + + params.add(Constants.PR_LOGGED_IN, "" + status); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Retrieve a certificate request + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC used when + * asymmetric keys are generated + *
+ * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to retrieve certificate request + */ + private void getCertRequest(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditPublicKey = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + Enumeration enum1 = req.getParameterNames(); + String tokenName = Constants.PR_INTERNAL_TOKEN_NAME; + String keyType = ""; + int keyLength = 512; + String subjectName = ""; + String certType = Constants.PR_CA_SIGNING_CERT; + String dir = ""; + String pathname = ""; + String serverID = ""; + String otherNickname = ""; + String certSubType = ""; + String keyCurveName = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_TOKEN_NAME)) { + if (!value.equals(Constants.PR_INTERNAL_TOKEN)) + tokenName = value; + } else if (key.equals(Constants.PR_KEY_LENGTH)) { + keyLength = Integer.parseInt(value); + } else if (key.equals(Constants.PR_KEY_TYPE)) { + keyType = value; + } else if (key.equals(Constants.RS_ID)) { + certType = value; + } else if (key.equals(Constants.PR_SUBJECT_NAME)) { + subjectName = value; + } else if (key.equals(Constants.PR_SERVER_ID)) { + serverID = value; + } else if (key.equals(Constants.PR_NICKNAME)) { + otherNickname = value; + } else if (key.equals(Constants.PR_CERTIFICATE_SUBTYPE)) { + certSubType = value; + } else if (key.equals(Constants.PR_KEY_CURVENAME)) { + keyCurveName = value; + } + } + + pathname = mConfig.getString("instanceRoot", "") + + File.separator + "conf" + File.separator; + dir = pathname; + 
ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + KeyPair keypair = null; + PQGParams pqgParams = null; + String nickname = ""; + + // other cert and has the existing key + if (certType.equals(Constants.PR_OTHER_CERT) && keyType.equals("")) + nickname = otherNickname; + else if (!certType.equals(Constants.PR_OTHER_CERT)) + nickname = getNickname(certType); + + String nicknameWithoutTokenName = ""; + + if (nickname != null && !nickname.equals("")) { + int index = nickname.indexOf(":"); + + nicknameWithoutTokenName = nickname; + if (index >= 0) + nicknameWithoutTokenName = nickname.substring(index + 1); + } + + if (keyType.equals("")) { + if (nickname.equals("")) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + keypair = jssSubSystem.getKeyPair(nickname); + } else { + if (keyType.equals("ECC")) { + // get ECC keypair + keypair = jssSubSystem.getECCKeyPair(tokenName, keyCurveName, certType); + } else { //DSA or RSA + if (keyType.equals("DSA")) + pqgParams = jssSubSystem.getPQG(keyLength); + keypair = jssSubSystem.getKeyPair(tokenName, keyType, keyLength, pqgParams); + } + } + + // reset the "auditPublicKey" + auditPublicKey = auditPublicKey(keypair); + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + pathname = pathname + File.separator + "cacsr.txt"; + if (!keyType.equals("")) + setCANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) { + pathname = pathname + File.separator + "racsr.txt"; + if (!keyType.equals("")) + setRANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + pathname = pathname + File.separator + "ocspcsr.txt"; + if (!keyType.equals("")) 
+ setOCSPNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) { + pathname = pathname + File.separator + "kracsr.txt"; + if (!keyType.equals("")) + setKRANewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + pathname = pathname + File.separator + "sslcsr.txt"; + if (!keyType.equals("")) + setAgentNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + pathname = pathname + File.separator + "sslcsrradm.txt"; + if (!keyType.equals("")) + setRADMNewnickname(tokenName, nicknameWithoutTokenName); + } else if (certType.equals(Constants.PR_OTHER_CERT)) { + pathname = pathname + File.separator + "othercsr.txt"; + } + String certReq = jssSubSystem.getCertRequest(subjectName, keypair); + + params.add(Constants.PR_CSR, certReq); + params.add(Constants.PR_CERT_REQUEST_DIR, dir); + PrintStream ps = new PrintStream(new FileOutputStream(pathname)); + + ps.println(certReq); + ps.close(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.SUCCESS, + auditPublicKey); + + audit(auditMessage); + + mConfig.commit(true); + sendResponse(SUCCESS, null, params, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + auditSubjectID, + ILogger.FAILURE, + auditPublicKey); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( 
ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC, + // auditSubjectID, + // ILogger.FAILURE, + // auditPublicKey ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void setCANewnickname(String tokenName, String nickname) + throws EBaseException { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + signingUnit.setNewNickName(nickname); + else { + if (tokenName.equals("") && nickname.equals("")) + signingUnit.setNewNickName(""); + else + signingUnit.setNewNickName(tokenName + ":" + nickname); + } + } + + private String getCANewnickname() throws EBaseException { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + + return signingUnit.getNewNickName(); + } + + private void setRANewnickname(String tokenName, String nickname) + throws EBaseException { + IRegistrationAuthority ra = (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + ra.setNewNickName(nickname); + else { + if (tokenName.equals("") && nickname.equals("")) + ra.setNewNickName(""); + else + ra.setNewNickName(tokenName + ":" + nickname); + } + } + + private String getRANewnickname() throws EBaseException { + IRegistrationAuthority ra = (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + return ra.getNewNickName(); + } + + private void setOCSPNewnickname(String tokenName, String nickname) + throws EBaseException { + IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + + if (ocsp != null) { + ISigningUnit signingUnit = ocsp.getSigningUnit(); + + if 
(tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + signingUnit.setNewNickName(nickname); + else { + if (tokenName.equals("") && nickname.equals("")) + signingUnit.setNewNickName(""); + else + signingUnit.setNewNickName(tokenName + ":" + nickname); + } + } else { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getOCSPSigningUnit(); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + signingUnit.setNewNickName(nickname); + else { + if (tokenName.equals("") && nickname.equals("")) + signingUnit.setNewNickName(""); + else + signingUnit.setNewNickName(tokenName + ":" + nickname); + } + } + } + + private String getOCSPNewnickname() throws EBaseException { + IOCSPAuthority ocsp = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + + if (ocsp != null) { + ISigningUnit signingUnit = ocsp.getSigningUnit(); + + return signingUnit.getNewNickName(); + } else { + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getOCSPSigningUnit(); + + return signingUnit.getNewNickName(); + } + } + + private void setKRANewnickname(String tokenName, String nickname) + throws EBaseException { + IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + kra.setNewNickName(nickname); + else { + if (tokenName.equals("") && nickname.equals("")) + kra.setNewNickName(""); + else + kra.setNewNickName(tokenName + ":" + nickname); + } + } + + private String getKRANewnickname() throws EBaseException { + IKeyRecoveryAuthority kra = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA); + + return kra.getNewNickName(); + } + + private void setRADMNewnickname(String tokenName, String nickName) + throws EBaseException { + CMS.setServerCertNickname(tokenName, nickName); + + /* + RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance(); + 
HTTPService httpsService = raAdmin.getHttpsService(); + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + httpsService.setNewNickName(nickName); + else { + if (tokenName.equals("") && nickName.equals("")) + httpsService.setNewNickName(""); + else + httpsService.setNewNickName(tokenName+":"+nickName); + } + */ + } + + private String getRADMNewnickname() + throws EBaseException { + // assuming the nickname does not change. + return CMS.getServerCertNickname(); + + /* + RemoteAdmin raAdmin = (RemoteAdmin)RemoteAdmin.getInstance(); + HTTPService httpsService = raAdmin.getHttpsService(); + return httpsService.getNewNickName(); + */ + } + + private void setAgentNewnickname(String tokenName, String nickName) + throws EBaseException { + CMS.setServerCertNickname(tokenName, nickName); + + /* + AgentGateway gateway = (AgentGateway)mReg.get(AgentGateway.ID); + HTTPService httpsService = gateway.getHttpsService(); + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) + httpsService.setNewNickName(nickName); + else { + if (tokenName.equals("") && nickName.equals("")) + httpsService.setNewNickName(""); + else + httpsService.setNewNickName(tokenName+":"+nickName); + } + */ + } + + private String getAgentNewnickname() + throws EBaseException { + // assuming the nickname does not change. + return CMS.getServerCertNickname(); + + /* + AgentGateway gateway = (AgentGateway)mReg.get(AgentGateway.ID); + HTTPService httpsService = gateway.getHttpsService(); + return httpsService.getNewNickName(); + */ + } + + /** + * Issue import certificate + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when + * "Certificate Setup Wizard" is used to import CA certs into the + * certificate database + *
+ * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException failed to issue an import certificate + */ + private void issueImportCert(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + Enumeration enum1 = req.getParameterNames(); + String pkcs = ""; + String type = ""; + String tokenName = Constants.PR_INTERNAL_TOKEN_NAME; + String keyType = "RSA"; + int keyLength = 512; + String subjectName = ""; + KeyCertData properties = new KeyCertData(); + String pathname = ""; + + String configPath = ""; + String newtokenname = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals("pathname")) { + configPath = mConfig.getString("instanceRoot", "") + + File.separator + "conf" + File.separator; + pathname = configPath + value; + } else { + if (key.equals(Constants.PR_TOKEN_NAME)) + newtokenname = value; + properties.put(key, value); + } + } + + String certType = (String) properties.get(Constants.RS_ID); + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + IDBSubsystem dbs = (IDBSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_DBS); + ICertificateAuthority ca = (ICertificateAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ICertificateRepository repository = + (ICertificateRepository) ca.getCertificateRepository(); + ISigningUnit signingUnit = ca.getSigningUnit(); + String oldtokenname = null; + //this is the old nick name + String nickname = getNickname(certType); + String nicknameWithoutTokenName = ""; + String oldcatokenname = signingUnit.getTokenName(); + String canickname = 
getNickname(Constants.PR_CA_SIGNING_CERT);
+ String canicknameWithoutTokenName = "";
+
+ int index = nickname.indexOf(":");
+
+ if (index == -1) {
+ nicknameWithoutTokenName = nickname;
+ oldtokenname = Constants.PR_INTERNAL_TOKEN_NAME;
+ } else if (index > 0 && (index < (nickname.length() - 1))) {
+ nicknameWithoutTokenName = nickname.substring(index + 1);
+ oldtokenname = nickname.substring(0, index);
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new
+ EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+ }
+
+ if (newtokenname == null)
+ newtokenname = oldtokenname;
+ index = canickname.indexOf(":");
+ if (index == -1) {
+ canicknameWithoutTokenName = canickname;
+ } else if (index > 0 && (index < (canickname.length() - 1))) {
+ canicknameWithoutTokenName = canickname.substring(index + 1);
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new
+ EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+ }
+
+ //xxx renew ca ,use old issuer?
+ properties.setIssuerName(
+ jssSubSystem.getCertSubjectName(oldcatokenname,
+ canicknameWithoutTokenName));
+
+ KeyPair pair = null;
+
+ if (nickname.equals("")) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new
+ EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+ }
+
+ //xxx set to old nickname?
+ properties.setCertNickname(nickname);
+ if (!certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ CertificateExtensions exts = jssSubSystem.getExtensions(
+ oldcatokenname, canicknameWithoutTokenName);
+
+ properties.setCAExtensions(exts);
+ }
+
+ KeyPair caKeyPair = null;
+ String defaultSigningAlg = null;
+ String defaultOCSPSigningAlg = null;
+
+ if (properties.getHashType() != null) {
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ defaultSigningAlg = properties.getHashType();
+ }
+ if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) {
+ defaultOCSPSigningAlg = properties.getHashType();
+ }
+ }
+
+ // create a new CA certificate or ssl server cert
+ if (properties.getKeyCurveName() != null) { //new ECC
+ CMS.debug("CMSAdminServlet: issueImportCert: generating ECC keys");
+ pair = jssSubSystem.getECCKeyPair(properties);
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT))
+ caKeyPair = pair;
+ } else if (properties.getKeyLength() != null) { //new RSA or DSA
+ keyType = properties.getKeyType();
+ String keyLen = properties.getKeyLength();
+ PQGParams pqgParams = null;
+
+ if (keyType.equals("DSA")) {
+ pqgParams = jssSubSystem.getCAPQG(Integer.parseInt(keyLen),
+ mConfig);
+ //properties.put(Constants.PR_PQGPARAMS, pqgParams);
+ }
+ pair = jssSubSystem.getKeyPair(properties);
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT))
+ caKeyPair = pair;
+ // renew the CA certificate or ssl server cert
+ } else {
+ pair = jssSubSystem.getKeyPair(nickname);
+ // should get it from the CA signing certificate
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ updateCASignature(nickname, properties, jssSubSystem);
+ caKeyPair = pair;
+ defaultSigningAlg = signingUnit.getDefaultAlgorithm();
+ }
+
+ /*
+ String alg = jssSubSystem.getSignatureAlgorithm(nickname);
+ SignatureAlgorithm sigAlg = SigningUnit.mapAlgorithmToJss(alg);
+ properties.setSignatureAlgorithm(sigAlg);
+ properties.setAlgorithmId(
+ jssSubSystem.getAlgorithmId(alg, mConfig));
+ */
+ }
+
+ String alg = properties.getSignedBy();
+ if (!certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ caKeyPair = jssSubSystem.getKeyPair(canickname);
+ updateCASignature(canickname, properties, jssSubSystem);
+ } else if (alg != null) {
+ // self signed CA signing cert, new keys
+ // value provided for signedBy
+ SignatureAlgorithm sigAlg = Cert.mapAlgorithmToJss(alg);
+ properties.setSignatureAlgorithm(sigAlg);
+ properties.setAlgorithmId(jssSubSystem.getAlgorithmId(alg, mConfig));
+ }
+
+ if (pair == null)
+ CMS.debug("CMSAdminServlet: issueImportCert: key pair is null");
+
+ BigInteger nextSerialNo = repository.getNextSerialNumber();
+
+ properties.setSerialNumber(nextSerialNo);
+ properties.setKeyPair(pair);
+ properties.setConfigFile(mConfig);
+ // properties.put(Constants.PR_CA_KEYPAIR, pair);
+ properties.put(Constants.PR_CA_KEYPAIR, caKeyPair);
+
+ X509CertImpl signedCert =
+ jssSubSystem.getSignedCert(properties, certType,
+ caKeyPair.getPrivate());
+
+ if (signedCert == null)
+ CMS.debug("CMSAdminServlet: issueImportCert: signedCert is null");
+
+ /* bug 600124
+ try {
+ jssSubSystem.deleteTokenCertificate(nickname, pathname);
+ } catch (Throwable e) {
+ //skip it
+ }
+ */
+
+ boolean nicknameChanged = false;
+
+ //xxx import cert with nickname without token name?
+ //jss adds the token prefix!!!
+ //log(ILogger.LL_DEBUG,"import as alias"+ nicknameWithoutTokenName); + try { + CMS.debug("CMSAdminServlet: issueImportCert: Importing cert: " + nicknameWithoutTokenName); + jssSubSystem.importCert(signedCert, nicknameWithoutTokenName, + certType); + } catch (EBaseException e) { + // if it fails, let use a different nickname to try + Date now = new Date(); + String newNickname = nicknameWithoutTokenName + + "-" + now.getTime(); + + CMS.debug("CMSAdminServlet: issueImportCert: Importing cert with nickname: " + newNickname); + jssSubSystem.importCert(signedCert, newNickname, + certType); + nicknameWithoutTokenName = newNickname; + nicknameChanged = true; + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = newNickname; + } else { + nickname = tokenName + ":" + newNickname; + } + } + + ICertRecord certRecord = repository.createCertRecord( + signedCert.getSerialNumber(), + signedCert, null); + + repository.addCertificateRecord(certRecord); + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + try { + X509CertInfo certInfo = (X509CertInfo) signedCert.get( + X509CertImpl.NAME + "." 
+ X509CertImpl.INFO); + CertificateExtensions extensions = (CertificateExtensions) + certInfo.get(X509CertInfo.EXTENSIONS); + + if (extensions != null) { + BasicConstraintsExtension basic = + (BasicConstraintsExtension) + extensions.get(BasicConstraintsExtension.NAME); + + if (basic == null) + log(CMS.getLogMessage("ADMIN_SRVLT_BASIC_CONSTRAIN_NULL")); + else { + Integer pathlen = (Integer) + basic.get(BasicConstraintsExtension.PATH_LEN); + int num = pathlen.intValue(); + + if (num == 0) + ca.setBasicConstraintMaxLen(num); + else if (num > 0) { + num = num - 1; + ca.setBasicConstraintMaxLen(num); + } + } + } else + log(CMS.getLogMessage("ADMIN_SRVLT_CERT_NO_EXT")); + } catch (Exception eee) { + log("CMSAdminServlet: Exception caught: " + eee.toString()); + } + } + + CMS.debug("CMSAdminServlet: oldtoken:" + oldtokenname + + " newtoken:" + newtokenname + " nickname:" + nickname); + if ((newtokenname != null && + !newtokenname.equals(oldtokenname)) || nicknameChanged) { + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + signingUnit.updateConfig(nicknameWithoutTokenName, + newtokenname); + } else { + signingUnit.updateConfig(newtokenname + ":" + + nicknameWithoutTokenName, + newtokenname); + } + } else if (certType.equals(Constants.PR_SERVER_CERT)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = nicknameWithoutTokenName; + } else { + nickname = newtokenname + ":" + + nicknameWithoutTokenName; + } + + //setRADMNewnickname("",""); + //modifyRADMCert(nickname); + modifyAgentGatewayCert(nickname); + if (isSubsystemInstalled("ra")) { + IRegistrationAuthority ra = + (IRegistrationAuthority) + CMS.getSubsystem(CMS.SUBSYSTEM_RA); + + modifyEEGatewayCert(ra, nickname); + } + if (isSubsystemInstalled("ca")) { + modifyCAGatewayCert(ca, nickname); + } + } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) { + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + 
nickname = nicknameWithoutTokenName; + } else { + nickname = newtokenname + ":" + + nicknameWithoutTokenName; + } + + modifyRADMCert(nickname); + } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) { + if (ca != null) { + ISigningUnit ocspSigningUnit = ca.getOCSPSigningUnit(); + + if (newtokenname.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + ocspSigningUnit.updateConfig( + nicknameWithoutTokenName, newtokenname); + } else { + ocspSigningUnit.updateConfig(newtokenname + ":" + + nicknameWithoutTokenName, + newtokenname); + } + } + } + } + + // set signing algorithms if needed + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) + signingUnit.setDefaultAlgorithm(defaultSigningAlg); + + if (defaultOCSPSigningAlg != null) { + ISigningUnit ocspSigningUnit = ca.getOCSPSigningUnit(); + ocspSigningUnit.setDefaultAlgorithm(defaultOCSPSigningAlg); + } + + properties.clear(); + properties = null; + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + mConfig.commit(true); + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString()); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific 
exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private String getDefaultSigningAlg(String keyType, String messageDigest) {
+ if (keyType.equals("RSA")) {
+ if (messageDigest.equals("MD2")) {
+ return "MD2withRSA";
+ } else if (messageDigest.equals("MD5")) {
+ return "MD5withRSA";
+ } else if (messageDigest.equals("SHA1")) {
+ return "SHA1withRSA";
+ } else if (messageDigest.equals("SHA256")) {
+ return "SHA256withRSA";
+ } else if (messageDigest.equals("SHA512")) {
+ return "SHA512withRSA";
+ }
+ } else if (keyType.equals("DSA")) {
+ if (messageDigest.equals("SHA1")) {
+ return "SHA1withDSA";
+ }
+ } else /* EC */ {
+ if (messageDigest.equals("SHA1")) {
+ return "SHA1withEC";
+ } else if (messageDigest.equals("SHA256")) {
+ return "SHA256withEC";
+ } else if (messageDigest.equals("SHA384")) {
+ return "SHA384withEC";
+ } else if (messageDigest.equals("SHA512")) {
+ return "SHA512withEC";
+ }
+ }
+ return null;
+ }
+
+ private void updateCASignature(String nickname, KeyCertData properties,
+ ICryptoSubsystem jssSubSystem) throws EBaseException {
+ String alg = jssSubSystem.getSignatureAlgorithm(nickname);
+ SignatureAlgorithm sigAlg = Cert.mapAlgorithmToJss(alg);
+
+ properties.setSignatureAlgorithm(sigAlg);
+ properties.setAlgorithmId(
+ jssSubSystem.getAlgorithmId(alg, mConfig));
+ }
+
+ /**
+ * Install certificates
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when + * "Certificate Setup Wizard" is used to import CA certs into the + * certificate database + *
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException failed to install a certificate
+ */
+ private void installCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String tokenName = Constants.PR_INTERNAL_TOKEN_NAME;
+ String pkcs = "";
+ String certType = "";
+ String nickname = "";
+ String pathname = "";
+ String serverRoot = "";
+ String serverID = "";
+ String certpath = "";
+ Enumeration enum1 = req.getParameterNames();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_PKCS10))
+ pkcs = value;
+ else if (key.equals(Constants.RS_ID))
+ certType = value;
+ else if (key.equals(Constants.PR_NICKNAME))
+ nickname = value;
+ else if (key.equals("pathname"))
+ pathname = value;
+ else if (key.equals(Constants.PR_SERVER_ROOT))
+ serverRoot = value;
+ else if (key.equals(Constants.PR_SERVER_ID))
+ serverID = value;
+ else if (key.equals(Constants.PR_CERT_FILEPATH))
+ certpath = value;
+ }
+
+ try {
+ if (pkcs == null || pkcs.equals("")) {
+ if (certpath == null || certpath.equals("")) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ EBaseException ex = new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_FILE_PATH"));
+
+ throw ex;
+ } else {
+ FileInputStream in = new FileInputStream(certpath);
+ BufferedReader d =
+ new BufferedReader(new InputStreamReader(in));
+ String content = "";
+
+ pkcs = "";
+ StringBuffer sb = new StringBuffer();
+
while ((content = d.readLine()) != null) { + sb.append(content); + sb.append("\n"); + } + + pkcs = sb.toString(); + if (d != null) { + d.close(); + } + pkcs = pkcs.substring(0, pkcs.length() - 1); + } + } + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); + } + + pkcs = pkcs.trim(); + pathname = serverRoot + File.separator + serverID + + File.separator + "config" + File.separator + pathname; + + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + //String nickname = getNickname(certType); + String nicknameWithoutTokenName = ""; + + int index = nickname.indexOf(":"); + + if (index == -1) + nicknameWithoutTokenName = nickname; + else if (index > 0 && (index < (nickname.length() - 1))) { + tokenName = nickname.substring(0, index); + nicknameWithoutTokenName = nickname.substring(index + 1); + } else { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_CERT_NOT_FOUND")); + } + + /* + if (certType.equals(Constants.PR_CA_SIGNING_CERT) || + certType.equals(Constants.PR_RA_SIGNING_CERT) || + certType.equals(Constants.PR_OCSP_SIGNING_CERT) || + certType.equals(Constants.PR_KRA_TRANSPORT_CERT) || + certType.equals(Constants.PR_SERVER_CERT) || + certType.equals(Constants.PR_SERVER_CERT_RADM)) { + String oldnickname = getNickname(certType); + try { + jssSubsystem.deleteTokenCertificate(oldnickname, + pathname); + //jssSubsystem.deleteTokenCertificate(nickname, + pathname); + } catch (EBaseException e) { + // skip it + } + } else { + try { + 
jssSubsystem.deleteTokenCertificate(nickname, pathname); + } catch (EBaseException e) { + // skip it + } + } + */ + + // 600124 - renewal of SSL crash the server + // we now do not delete previously installed certificates. + + // Same Subject | Same Nickname | Same Key | Legal + // ----------------------------------------------------------- + // 1. Yes Yes No Yes + // 2. Yes Yes Yes Yes + // 3. No No Yes Yes + // 4. No No No Yes + // 5. No Yes Yes No + // 6. No Yes No No + // 7. Yes No Yes No + // 8. Yes No No No + + // Based on above table, the following cases are permitted: + // Existing Key: + // (a) Same Subject & Same Nickname --- (2) + // (b) Different Subject & Different Nickname --- (3) + // (In order to support Case b., we need to use a different + // nickname). + // New Key: + // (c) Same Subject & Same Nickname --- (1) + // (d) Different Subject & Different Nickname --- (4) + // (In order to support Case b., we need to use a different + // nickname). + // + + try { + jssSubSystem.importCert(pkcs, nicknameWithoutTokenName, + certType); + } catch (EBaseException e) { + // if it fails, let use a different nickname to try + Date now = new Date(); + String newNickname = nicknameWithoutTokenName + "-" + + now.getTime(); + + jssSubSystem.importCert(pkcs, newNickname, certType); + nicknameWithoutTokenName = newNickname; + if (tokenName.equals(Constants.PR_INTERNAL_TOKEN_NAME)) { + nickname = newNickname; + } else { + nickname = tokenName + ":" + newNickname; + } + CMS.debug("CMSAdminServlet: installCert(): nickname="+nickname); + } + + if (certType.equals(Constants.PR_CA_SIGNING_CERT)) { + ICertificateAuthority ca = + (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); + ISigningUnit signingUnit = ca.getSigningUnit(); + String signatureAlg = + jssSubSystem.getSignatureAlgorithm(nickname); + + signingUnit.setDefaultAlgorithm(signatureAlg); + setCANewnickname("", ""); + try { + CertificateExtensions extensions = null; + + if 
(nickname.equals(nicknameWithoutTokenName)) {
+ signingUnit.updateConfig(nickname,
+ Constants.PR_INTERNAL_TOKEN_NAME);
+ extensions = jssSubSystem.getExtensions(
+ Constants.PR_INTERNAL_TOKEN_NAME, nickname);
+ } else {
+ String tokenname1 = nickname.substring(0, index);
+
+ signingUnit.updateConfig(nickname, tokenname1);
+ extensions = jssSubSystem.getExtensions(tokenname1,
+ nicknameWithoutTokenName);
+ }
+ if (extensions != null) {
+ BasicConstraintsExtension basic =
+ (BasicConstraintsExtension)
+ extensions.get(BasicConstraintsExtension.NAME);
+
+ if (basic == null)
+ log(CMS.getLogMessage("ADMIN_SRVLT_BASIC_CONSTRAIN_NULL"));
+ else {
+ Integer pathlen = (Integer)
+ basic.get(BasicConstraintsExtension.PATH_LEN);
+ int num = pathlen.intValue();
+
+ if (num == 0)
+ ca.setBasicConstraintMaxLen(num);
+ else if (num > 0) {
+ num = num - 1;
+ ca.setBasicConstraintMaxLen(num);
+ }
+ }
+ } else {
+ log(CMS.getLogMessage("ADMIN_SRVLT_CERT_NO_EXT"));
+ }
+ } catch (Exception eee) {
+ log("CMSAdminServlet: Exception: " + eee.toString());
+ }
+ } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) {
+ setRANewnickname("", "");
+ IRegistrationAuthority ra =
+ (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ ra.setNickname(nickname);
+ } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) {
+ setOCSPNewnickname("", "");
+ IOCSPAuthority ocsp =
+ (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP);
+
+ if (ocsp != null) {
+ ISigningUnit signingUnit = ocsp.getSigningUnit();
+
+ if (nickname.equals(nicknameWithoutTokenName)) {
+ signingUnit.updateConfig(nickname,
+ Constants.PR_INTERNAL_TOKEN_NAME);
+ } else {
+ String tokenname1 = nickname.substring(0, index);
+
+ signingUnit.updateConfig(nickname, tokenname1);
+ }
+ } else {
+ ICertificateAuthority ca =
+ (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getOCSPSigningUnit();
+
+ if (nickname.equals(nicknameWithoutTokenName)) {
+ signingUnit.updateConfig(nickname,
+ Constants.PR_INTERNAL_TOKEN_NAME);
+ } else {
+ String tokenname1 = nickname.substring(0, index);
+
+ signingUnit.updateConfig(nickname, tokenname1);
+ }
+ }
+ } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) {
+ setKRANewnickname("", "");
+ IKeyRecoveryAuthority kra =
+ (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+
+ kra.setNickname(nickname);
+ } else if (certType.equals(Constants.PR_SERVER_CERT)) {
+ setAgentNewnickname("", "");
+ //modifyRADMCert(nickname);
+ modifyAgentGatewayCert(nickname);
+ if (isSubsystemInstalled("ra")) {
+ IRegistrationAuthority ra =
+ (IRegistrationAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ modifyEEGatewayCert(ra, nickname);
+ }
+ if (isSubsystemInstalled("ca")) {
+ ICertificateAuthority ca =
+ (ICertificateAuthority)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+
+ modifyCAGatewayCert(ca, nickname);
+ }
+ } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) {
+ setRADMNewnickname("", "");
+ modifyRADMCert(nickname);
+ }
+
+ boolean verified = CMS.verifySystemCertByNickname(nickname, null);
+ if (verified == true) {
+ CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() succeeded:"+ nickname);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ nickname);
+
+ audit(auditMessage);
+ } else {
+ CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() failed:"+ nickname);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ nickname);
+
+ audit(auditMessage);
+ }
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ mConfig.commit(true);
+ sendResponse(SUCCESS, null, null, resp);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * For "importing" cross-signed cert into internal db for further
+ * cross pair matching and publishing
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when + * "Certificate Setup Wizard" is used to import a CA cross-signed + * certificate into the database + *
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException failed to import a cross-certificate pair
+ */
+ private void importXCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String b64Cert = "";
+ String certType = "";
+ String pathname = "";
+ String serverRoot = "";
+ String serverID = "";
+ String certpath = "";
+ Enumeration enum1 = req.getParameterNames();
+ NameValuePairs results = new NameValuePairs();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ // really should be PR_CERT_CONTENT
+ if (key.equals(Constants.PR_PKCS10))
+ b64Cert = value;
+ else if (key.equals(Constants.RS_ID))
+ certType = value;
+ else if (key.equals("pathname"))
+ pathname = value;
+ else if (key.equals(Constants.PR_SERVER_ROOT))
+ serverRoot = value;
+ else if (key.equals(Constants.PR_SERVER_ID))
+ serverID = value;
+ else if (key.equals(Constants.PR_CERT_FILEPATH))
+ certpath = value;
+ }
+
+ try {
+ if (b64Cert == null || b64Cert.equals("")) {
+ if (certpath == null || certpath.equals("")) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ EBaseException ex = new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_FILE_PATH"));
+
+ throw ex;
+ } else {
+ FileInputStream in = new FileInputStream(certpath);
+ BufferedReader d =
+ new BufferedReader(new InputStreamReader(in));
+ String content = "";
+
+ b64Cert = "";
+ StringBuffer sb = new StringBuffer();
+ while ((content = d.readLine()) 
!= null) { + sb.append(content); + sb.append("\n"); + } + b64Cert = sb.toString(); + if (d != null) { + d.close(); + } + b64Cert = b64Cert.substring(0, b64Cert.length() - 1); + } + } + } catch (IOException ee) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + throw new EBaseException( + CMS.getLogMessage("BASE_OPEN_FILE_FAILED")); + } + CMS.debug("CMSAdminServlet: got b64Cert"); + b64Cert = Cert.stripBrackets(b64Cert.trim()); + + // Base64 decode cert + byte[] bCert = null; + + try { + bCert = (byte[]) (com.netscape.osutil.OSUtil.AtoB(b64Cert)); + } catch (Exception e) { + CMS.debug("CMSAdminServlet: exception: " + e.toString()); + } + + pathname = serverRoot + File.separator + serverID + + File.separator + "config" + File.separator + pathname; + + ICrossCertPairSubsystem ccps = + (ICrossCertPairSubsystem) CMS.getSubsystem("CrossCertPair"); + + try { + //this will import into internal ldap crossCerts entry + ccps.importCert(bCert); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(1, "xcert importing failure:" + e.toString(), + null, resp); + return; + } + + try { + // this will publish all of the cross cert pairs from internal + // db to publishing directory, if turned on + ccps.publishCertPairs(); + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(1, "xcerts publishing failure:" + e.toString(), null, resp); + return; + } + + ICryptoSubsystem jssSubSystem = 
(ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String content = jssSubSystem.getCertPrettyPrint(b64Cert,
+ super.getLocale(req));
+
+ results.add(Constants.PR_NICKNAME, "FBCA cross-signed cert");
+ results.add(Constants.PR_CERT_CONTENT, content);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, results, resp);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private String getNickname(String certType) throws EBaseException {
+ String nickname = "";
+
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ ICertificateAuthority ca =
+ (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getSigningUnit();
+
+ nickname = signingUnit.getNickname();
+ } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) {
+ IOCSPAuthority ocsp =
+ (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP);
+
+ if (ocsp == null) {
+ // this is a local CA service
+ ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+ ISigningUnit signingUnit = ca.getOCSPSigningUnit();
+
+ nickname = signingUnit.getNickname();
+ } else {
+ ISigningUnit signingUnit = ocsp.getSigningUnit();
+
+ nickname = signingUnit.getNickname();
+ }
+ } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) {
+ IRegistrationAuthority ra =
+ (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA);
+
+ nickname = ra.getNickname();
+ } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) {
+ IKeyRecoveryAuthority kra =
+ (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+
+ nickname = kra.getNickname();
+ } else if (certType.equals(Constants.PR_SERVER_CERT)) {
+ nickname = CMS.getServerCertNickname();
+ } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) {
+ nickname = CMS.getServerCertNickname();
+ }
+
+ return nickname;
+ }
+
+ private void getCertInfo(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ NameValuePairs results = new NameValuePairs();
+ String pkcs = "";
+ String path = "";
+ String certType = "";
+ String otherNickname = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_PKCS10)) {
+ pkcs = value;
+ } else if (key.equals(Constants.RS_ID)) {
+ certType = value;
+ } else if (key.equals(Constants.PR_CERT_FILEPATH)) {
+ path = value;
+ } else if (key.equals(Constants.PR_NICKNAME)) {
+ otherNickname = value;
+ }
+ }
+
+ try {
+ if (pkcs == null || pkcs.equals("")) {
+
+ if (path == null || path.equals("")) {
+ EBaseException ex = new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_FILE_PATH"));
+
+ throw ex;
+ } else {
+ FileInputStream in = new FileInputStream(path);
+ BufferedReader d =
+ new BufferedReader(new InputStreamReader(in));
+ String content = "";
+
+ pkcs = "";
+ StringBuffer sb = new StringBuffer();
+ while ((content = d.readLine()) != null) {
+ sb.append(content);
+ sb.append("\n");
+ }
+ pkcs = sb.toString();
+ if (d != null) {
+ d.close();
+ }
+ pkcs = pkcs.substring(0, pkcs.length() - 1);
+ }
+ }
+ } catch (IOException ee) {
+ throw new EBaseException(CMS.getLogMessage("BASE_OPEN_FILE_FAILED"));
+ }
+
+ pkcs = pkcs.trim();
+ int totalLen = pkcs.length();
+
+ if (pkcs.indexOf(BEGIN_HEADER) != 0 ||
+ pkcs.indexOf(END_HEADER) != (totalLen - 25)) {
+ throw (new EBaseException(CMS.getLogMessage("BASE_INVALID_CERT_FORMAT")));
+ }
+
+ String nickname = "";
+
+ if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
+ nickname = getCANewnickname();
+ } else if (certType.equals(Constants.PR_RA_SIGNING_CERT)) {
+ nickname = getRANewnickname();
+ } else if (certType.equals(Constants.PR_KRA_TRANSPORT_CERT)) {
+ nickname = getKRANewnickname();
+ } else if (certType.equals(Constants.PR_SERVER_CERT)) {
+ nickname = getAgentNewnickname();
+ } else if (certType.equals(Constants.PR_SERVER_CERT_RADM)) {
+ nickname = getRADMNewnickname();
+ } else if (certType.equals(Constants.PR_OTHER_CERT)) {
+ nickname = otherNickname;
+ } else if (certType.equals(Constants.PR_OCSP_SIGNING_CERT)) {
+ nickname = getOCSPNewnickname();
+ }
+ if (nickname.equals(""))
+ nickname = getNickname(certType);
+
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String content = jssSubSystem.getCertPrettyPrint(pkcs,
+ super.getLocale(req));
+
+ if (nickname != null && !nickname.equals(""))
+ results.add(Constants.PR_NICKNAME, nickname);
+ results.add(Constants.PR_CERT_CONTENT, content);
+ //results = jssSubSystem.getCertInfo(value);
+
+ sendResponse(SUCCESS, null, results, resp);
+ }
+
+ private void getCertPrettyPrint(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String nickname = "";
+ String serialno = "";
+ String issuername = "";
+ Locale locale = super.getLocale(req);
+ NameValuePairs pairs = new NameValuePairs();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.OP_TYPE))
+ continue;
+ if (key.equals(Constants.RS_ID))
+ continue;
+ if (key.equals(Constants.OP_SCOPE))
+ continue;
+ if (key.equals(Constants.PR_NICK_NAME)) {
+ nickname = value;
+ continue;
+ }
+ if (key.equals(Constants.PR_SERIAL_NUMBER)) {
+ serialno = value;
+ continue;
+ }
+ if (key.equals(Constants.PR_ISSUER_NAME)) {
+ issuername = value;
+ continue;
+ }
+ }
+
+ String print = jssSubSystem.getCertPrettyPrintAndFingerPrint(nickname,
+ serialno, issuername, locale);
+ pairs.add(nickname, print);
+
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void getRootCertTrustBit(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String nickname = "";
+ String serialno = "";
+ String issuername = "";
+ Locale locale = super.getLocale(req);
+ NameValuePairs pairs = new NameValuePairs();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.OP_TYPE))
+ continue;
+ if (key.equals(Constants.RS_ID))
+ continue;
+ if (key.equals(Constants.OP_SCOPE))
+ continue;
+ if (key.equals(Constants.PR_NICK_NAME)) {
+ nickname = value;
+ continue;
+ }
+ if (key.equals(Constants.PR_SERIAL_NUMBER)) {
+ serialno = value;
+ continue;
+ }
+ if (key.equals(Constants.PR_ISSUER_NAME)) {
+ issuername = value;
+ continue;
+ }
+ }
+
+ String trustbit = jssSubSystem.getRootCertTrustBit(nickname,
+ serialno, issuername);
+ pairs.add(nickname, trustbit);
+
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void getCACerts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ NameValuePairs pairs = jssSubSystem.getCACerts();
+
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void deleteRootCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ int mindex = id.indexOf(":SERIAL#<");
+ String nickname = id.substring(0, mindex);
+ String sstr1 = id.substring(mindex);
+ int lindex = sstr1.indexOf(">");
+ String serialno = sstr1.substring(9, lindex);
+ String issuername = sstr1.substring(lindex+1);
+ jssSubSystem.deleteRootCert(nickname, serialno, issuername);
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ private void deleteUserCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ int mindex = id.indexOf(":SERIAL#<");
+ String nickname = id.substring(0, mindex);
+ String sstr1 = id.substring(mindex);
+ int lindex = sstr1.indexOf(">");
+ String serialno = sstr1.substring(9, lindex);
+ String issuername = sstr1.substring(lindex+1);
+ jssSubSystem.deleteUserCert(nickname, serialno, issuername);
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ private void getRootCerts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ NameValuePairs pairs = jssSubSystem.getRootCerts();
+
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void getAllCertsManage(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ NameValuePairs pairs = jssSubSystem.getAllCertsManage();
+
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void getUserCerts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ NameValuePairs pairs = jssSubSystem.getUserCerts();
+ sendResponse(SUCCESS, null, pairs, resp);
+ }
+
+ private void deleteCerts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String nickname = "";
+ String date = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.OP_TYPE))
+ continue;
+ if (key.equals(Constants.RS_ID))
+ continue;
+ if (key.equals(Constants.OP_SCOPE))
+ continue;
+ int index = value.indexOf(";");
+
+ nickname = value.substring(0, index);
+ date = value.substring(index + 1);
+ // cant use this one now since jss doesnt have the interface to
+ // do it.
+ jssSubSystem.deleteCert(nickname, date); + // jssSubsystem.deleteCACert(nickname, date); + } + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateSubjectName(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_SUBJECT_NAME)) { + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + jssSubSystem.isX500DN(value); + } + } + + sendResponse(SUCCESS, null, null, resp); + } + + private void validateKeyLength(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + Enumeration enum1 = req.getParameterNames(); + String keyType = "RSA"; + String keyLen = "512"; + String certType = ""; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_CERTIFICATE_TYPE)) { + certType = value; + } else if (key.equals(Constants.PR_KEY_TYPE)) { + keyType = value; + } else if (key.equals(Constants.PR_KEY_LENGTH)) { + keyLen = value; + } + } + int keyLength = Integer.parseInt(keyLen); + int minKey = mConfig.getInteger( + ConfigConstants.PR_RSA_MIN_KEYLENGTH, 512); + ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + // jssSubSystem.checkKeyLength(keyType, keyLength, certType, minKey); + sendResponse(SUCCESS, null, null, resp); + } + + private void validateCurveName(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + Enumeration enum1 = req.getParameterNames(); + String curveName = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if 
(key.equals(Constants.PR_KEY_CURVENAME)) { + curveName = value; + } + } + // check that the curvename is in the list of supported curves + String curveList = mConfig.getString("keys.ecc.curve.list", "nistp521"); + String[] curves = curveList.split(","); + boolean match = false; + for (int i=0; i + * + *
    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY used when + * "Manage Certificate" is used to edit the trustness of certs and + * deletion of certs + *
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException failed to establish CA certificate trust
+ */
+ private void trustCACert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ CMS.debug("CMSAdminServlet: trustCACert()");
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ Enumeration enum1 = req.getParameterNames();
+ ICryptoSubsystem jssSubSystem = (ICryptoSubsystem)
+ CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
+ String trust = "";
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.RS_ID)) {
+ trust = value;
+ } else if (key.equals("certName0")) {
+ int index = value.indexOf(";");
+ String nickname = value.substring(0, index);
+ String date = value.substring(index + 1);
+
+ jssSubSystem.trustCert(nickname, date, trust);
+ }
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ //sendResponse(SUCCESS, null, null, resp);
+ sendResponse(RESTART, null, null, resp);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Execute all self tests specified to be run on demand.
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION used when self + * tests are run on demand + *
+ * @exception EMissingSelfTestException a self test plugin instance + * property name was missing + * @exception ESelfTestException a self test is missing a required + * configuration parameter + * @exception IOException an input/output error has occurred + */ + private synchronized void + runSelfTestsOnDemand(HttpServletRequest req, + HttpServletResponse resp) + throws EMissingSelfTestException, + ESelfTestException, + IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " ENTERING . . ."); + } + + Enumeration enum1 = req.getParameterNames(); + String request = ""; + NameValuePairs results = new NameValuePairs(); + String content = ""; + String instanceName = null; + String instanceFullName = null; + String logMessage = null; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_RUN_SELFTESTS_ON_DEMAND)) { + request = value; + } + } + + ISelfTestSubsystem mSelfTestSubsystem = (ISelfTestSubsystem) + CMS.getSubsystem(CMS.SUBSYSTEM_SELFTESTS); + + if ((request == null) || + (request.equals(""))) { + // self test plugin run on demand request parameter was missing + // log the error + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND_REQUEST", + getServletInfo(), + Constants.PR_RUN_SELFTESTS_ON_DEMAND + ); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise an exception + throw new 
ESelfTestException(logMessage); + } + + // run all self test plugin instances (designated on-demand) + String[] selftests = mSelfTestSubsystem.listSelfTestsEnabledOnDemand(); + + if (selftests != null && selftests.length > 0) { + // log that execution of on-demand self tests has begun + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND", + getServletInfo()); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + + for (int i = 0; i < selftests.length; i++) { + if (selftests[i] != null) { + instanceName = selftests[i].trim(); + instanceFullName = ISelfTestSubsystem.ID + + "." + + ISelfTestSubsystem.PROP_CONTAINER + + "." + + ISelfTestSubsystem.PROP_INSTANCE + + "." + + instanceName; + } else { + // self test plugin instance property name was missing + // log the error + logMessage = CMS.getLogMessage( + "SELFTESTS_PARAMETER_WAS_NULL", + getServletInfo()); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise an exception + throw new EMissingSelfTestException(); + } + + ISelfTest test = (ISelfTest) + mSelfTestSubsystem.getSelfTest(instanceName); + + if (test == null) { + // self test plugin instance property name is not present + // log the error + logMessage = CMS.getLogMessage("SELFTESTS_MISSING_NAME", + getServletInfo(), + instanceFullName); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + 
audit(auditMessage); + + // notify console of FAILURE + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // raise an exception + throw new EMissingSelfTestException(instanceFullName); + } + + try { + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " running \"" + + test.getSelfTestName() + + "\""); + } + + // store this information for console notification + content += "CMSAdminServlet::runSelfTestsOnDemand():" + + " running \"" + + test.getSelfTestName() + + "\" . . .\n"; + + test.runSelfTest(mSelfTestSubsystem.getSelfTestLogger()); + + // store this information for console notification + content += "COMPLETED SUCCESSFULLY\n"; + } catch (ESelfTestException e) { + // Check to see if the self test was critical: + if (mSelfTestSubsystem.isSelfTestCriticalOnDemand( + instanceName)) { + // log the error + logMessage = CMS.getLogMessage( + "SELFTESTS_RUN_ON_DEMAND_FAILED", + getServletInfo(), + instanceFullName); + + mSelfTestSubsystem.log( + mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // notify console of FAILURE + content += "FAILED WITH CRITICAL ERROR\n"; + content += logMessage + + "\n"; + sendResponse(ERROR, content, null, resp); + + // shutdown the system gracefully + CMS.shutdown(); + + return; + } else { + // store this information for console notification + content += "FAILED WITH NON-CRITICAL ERROR\n"; + } + } + } + + // log that execution of all "critical" on-demand self tests + // has completed "successfully" + logMessage = CMS.getLogMessage("SELFTESTS_RUN_ON_DEMAND_SUCCEEDED", + getServletInfo()); + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + } else { + // log this 
fact + logMessage = CMS.getLogMessage("SELFTESTS_NOT_RUN_ON_DEMAND", + getServletInfo()); + + mSelfTestSubsystem.log(mSelfTestSubsystem.getSelfTestLogger(), + logMessage); + + // store this information for console notification + content += logMessage + + "\n"; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.SUCCESS); + + audit(auditMessage); + + // notify console of SUCCESS + results.add(Constants.PR_RUN_SELFTESTS_ON_DEMAND_CLASS, + CMSAdminServlet.class.getName()); + results.add(Constants.PR_RUN_SELFTESTS_ON_DEMAND_CONTENT, + content); + sendResponse(SUCCESS, null, results, resp); + + if (CMS.debugOn()) { + CMS.debug("CMSAdminServlet::runSelfTestsOnDemand():" + + " EXITING."); + } + } catch (EMissingSelfTestException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (ESelfTestException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + } catch (IOException eAudit3) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION, + auditSubjectID, + ILogger.FAILURE); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit3; + } + } + + public void log(int level, String msg) { + mLogger.log(ILogger.EV_SYSTEM, ILogger.S_OTHER, level, "CMSAdminServlet: " + msg); + } + + /** + * Signed Audit Log Public Key + * + * This method is called to obtain the public key from the passed in + * 
"KeyPair" object for a signed audit log message. + *

+ *
+ * @param object a Key Pair Object
+ * @return key string containing the public key
+ */
+ private String auditPublicKey(KeyPair object) {
+ // if no signed audit object exists, bail
+ if (mSignedAuditLogger == null) {
+ return null;
+ }
+
+ if (object == null) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+
+ byte rawData[] = null;
+
+ rawData = object.getPublic().getEncoded();
+
+ String key = null;
+ StringBuffer sb = new StringBuffer();
+
+ // convert "rawData" into "base64Data"
+ if (rawData != null) {
+ String base64Data = null;
+
+ base64Data = com.netscape.osutil.OSUtil.BtoA(rawData).trim();
+
+ // extract all line separators from the "base64Data"
+ for (int i = 0; i < base64Data.length(); i++) {
+ if (base64Data.substring(i, i).getBytes() != EOL) {
+ sb.append(base64Data.substring(i, i));
+ }
+ }
+ }
+ key = sb.toString();
+
+ if (key != null) {
+ key = key.trim();
+
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
+ } else {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ }
+ }
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java
new file mode 100644
index 000000000..af506433d
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/JobsAdminServlet.java
@@ -0,0 +1,1004 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.util.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.jobs.*;
+import com.netscape.certsrv.apps.*;
+
+
+/**
+ * A class representing an administration servlet for the
+ * Jobs Scheduler and it's scheduled jobs.
+ *
+ * @version $Revision$, $Date$
+ */
+public class JobsAdminServlet extends AdminServlet {
+ // ... remove later
+ private final static String EDIT = ";edit";
+ private final static String VISIBLE = ";visible";
+ private final static String ENABLED = ";enabled";
+ private final static String DISABLED = ";disabled";
+
+ private final static String INFO = "JobsAdminServlet";
+ private IJobsScheduler mJobsSched = null;
+
+ /**
+ * Constructs JobsAdminServlet.
+ */
+ public JobsAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mJobsSched = (IJobsScheduler)
+ CMS.getSubsystem(CMS.SUBSYSTEM_JOBS);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * retrieve extended plugin info such as brief description, type info
+ * from jobs
+ */
+ private void getExtendedPluginInfo(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ int colon = id.indexOf(':');
+
+ String implType = id.substring(0, colon);
+ String implName = id.substring(colon + 1);
+
+ NameValuePairs params =
+ getExtendedPluginInfo(getLocale(req), implType, implName);
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) {
+ IExtendedPluginInfo ext_info = null;
+ Object impl = null;
+
+ JobPlugin jp =
+ (JobPlugin) mJobsSched.getPlugins().get(implName);
+
+ if (jp != null)
+ impl = getClassByNameAsExtendedPluginInfo(jp.getClassPath());
+ if (impl != null) {
+ if (impl instanceof IExtendedPluginInfo) {
+ ext_info = (IExtendedPluginInfo) impl;
+ }
+ }
+
+ NameValuePairs nvps = null;
+
+ if (ext_info == null) {
+ nvps = new NameValuePairs();
+ } else {
+ nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale));
+ }
+
+ return nvps;
+
+ }
+
+ /**
+ * Serves HTTP admin request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ String scope = req.getParameter(Constants.OP_SCOPE);
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op == null) {
+ //System.out.println("SRVLT_INVALID_PROTOCOL");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ return;
+ }
+
+ try {
+ super.authenticate(req);
+ } catch (IOException e) {
+ sendResponse(ERROR,CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+
+ try {
+ AUTHZ_RES_NAME = "certServer.job.configuration";
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_JOBS))
+ getSettings(req, resp);
+ else if (scope.equals(ScopeDef.SC_JOBS_IMPLS))
+ getConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE))
+ getInstConfig(req, resp);
+ else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) {
+ try {
+ getExtendedPluginInfo(req, resp);
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ } else {
+ //System.out.println("SRVLT_INVALID_OP_SCOPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_JOBS)) {
+ setSettings(req, resp);
+ } else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE)) {
+ modJobsInst(req, resp, scope);
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_JOBS_IMPLS))
+ listJobPlugins(req, resp);
+ else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE))
+ listJobsInsts(req, resp);
+ else {
+ //System.out.println("SRVLT_INVALID_OP_SCOPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_ADD)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_JOBS_IMPLS))
+ addJobPlugin(req, resp, scope);
+ else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE))
+ addJobsInst(req, resp, scope);
+ else {
+ //System.out.println("SRVLT_INVALID_OP_SCOPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_JOBS_IMPLS))
+ delJobPlugin(req, resp, scope);
+ else if (scope.equals(ScopeDef.SC_JOBS_INSTANCE))
+ delJobsInst(req, resp, scope);
+ else {
+ //System.out.println("SRVLT_INVALID_OP_SCOPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ }
+
+ private synchronized void addJobPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ // is the job plugin id unique?
+ if (mJobsSched.getPlugins().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ new EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ILL_JOB_PLUGIN_ID", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_JOBS_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_NULL_CLASS"),
+ null, resp);
+ return;
+ }
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_NO_CLASS"),
+ null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_NO_CLASS"),
+ null, resp);
+ return;
+ }
+
+ // is the class an IJob?
+ try {
+ if (IJob.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ILL_CLASS"),
+ null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ILL_CLASS"),
+ null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_JOBS_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add manager to registry.
+ JobPlugin plugin = new JobPlugin(id, classPath);
+
+ mJobsSched.getPlugins().put(id, plugin);
+ mJobsSched.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_JS_PLUGIN_ADD", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addJobsInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the job instance id unique?
+ if (mJobsSched.getInstances().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ILL_JOB_INST_ID"),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ // SC_JOBS_IMPL_NAME is absolutely required, the rest depend on
+ // on each job plugin
+ String implname = req.getParameter(Constants.PR_JOBS_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ADD_MISSING_PARAMS"),
+ null, resp);
+ return;
+ }
+
+ // check if implementation exists.
+ JobPlugin plugin =
+ (JobPlugin) mJobsSched.getPlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new
+ EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND",
+ id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // now the rest of config parameters
+ // note that we only check to see if the required parameters
+ // are there, but not checking the values are valid
+ String[] configParams = mJobsSched.getConfigParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.length; i++) {
+ String key = configParams[i];
+ String val = req.getParameter(key);
+
+ if (val != null && !val.equals("")) {
+ substore.put(key, val);
+ } else if (!key.equals("profileId")) {
+ sendResponse(ERROR,
+ new
+ EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_MISSING_INST_PARAM_VAL",
+ key)).toString(),
+ null, resp);
+ return;
+ }
+ }
+ }
+
+ substore.put(IJobsScheduler.PROP_PLUGIN, implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ IJob jobsInst = null;
+
+ try {
+ jobsInst = (IJob) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ IJobsScheduler scheduler = (IJobsScheduler)
+ CMS.getSubsystem(CMS.SUBSYSTEM_JOBS);
+
+ // initialize the job plugin
+ try {
+ jobsInst.init(scheduler, id, implname, substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // inited and commited ok. now add manager instance to list.
+ mJobsSched.getInstances().put(id, jobsInst);
+
+ mJobsSched.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_JOB_INST_ADD", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_JOBS_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listJobPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mJobsSched.getPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ JobPlugin value = (JobPlugin)
+ mJobsSched.getPlugins().get(name);
+
+ params.add(name, value.getClassPath());
+ // params.add(name, value.getClassPath()+EDIT);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listJobsInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ for (Enumeration e = mJobsSched.getInstances().keys();
+ e.hasMoreElements();) {
+ String name = (String)
e.nextElement(); + IJob value = (IJob) + mJobsSched.getInstances().get((Object) name); + + // params.add(name, value.getImplName()); + params.add(name, value.getImplName() + VISIBLE + + (value.isEnabled() ? ENABLED : DISABLED) + ); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delJobPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does this job plugin exist? + if (mJobsSched.getPlugins().containsKey(id) == false) { + sendResponse(ERROR, + new + EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND", + id)).toString(), + null, resp); + return; + } + + // first check if any instances from this job plugin + // DON'T remove job plugin if any instance + for (Enumeration e = mJobsSched.getInstances().elements(); + e.hasMoreElements();) { + IJob jobs = (IJob) e.nextElement(); + + if ((jobs.getImplName()).equals(id)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_IN_USE"), + null, resp); + return; + } + } + + // then delete this job plugin + mJobsSched.getPlugins().remove((Object) id); + + IConfigStore destStore = + mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN); + IConfigStore instancesConfig = + destStore.getSubStore(scope); + + instancesConfig.removeSubStore(id); + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + private synchronized void delJobsInst(HttpServletRequest req, + 
HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does job plugin instance exist?
+ if (mJobsSched.getInstances().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_NOT_FOUND",
+ id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ IJob jobInst = (IJob) mJobsSched.getInstances().get(id);
+
+ mJobsSched.getInstances().remove((Object) id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * used for getting the required configuration parameters (with
+ * possible default values) for a particular job plugin
+ * implementation name specified in the RS_ID. Actually, there is
+ * no logic in here to set any default value here...there's no
+ * default value for any parameter in this job scheduler subsystem
+ * at this point. Later, if we do have one (or some), it can be
+ * added. The interface remains the same.
+ */
+ private synchronized void getConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ String[] configParams = mJobsSched.getConfigParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.add(Constants.PR_JOBS_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.length; i++) {
+ params.add(configParams[i], "");
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does job plugin instance exist?
+ if (mJobsSched.getInstances().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_NOT_FOUND",
+ id)).toString(),
+ null, resp);
+ return;
+ }
+
+ IJob jobInst = (IJob) mJobsSched.getInstances().get(id);
+ IConfigStore config = jobInst.getConfigStore();
+ String[] configParams = jobInst.getConfigParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_JOBS_IMPL_NAME, jobInst.getImplName());
+
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.length; i++) {
+ String key = configParams[i];
+
+ String val = (String) config.get(key);
+
+ if (val != null && !val.equals("")) {
+ params.add(key, val);
+ } else {
+ params.add(key, "");
+ }
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Modify job plugin instance.
+ * This will actually create a new instance with new configuration
+ * parameters and replace the old instance, if the new instance
+ * created and initialized successfully.
+ * The old instance is left running. so this is very expensive.
+ * Restart of server recommended.
+ */
+ private synchronized void modJobsInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ // expensive operation.
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the job instance exist?
+ if (!mJobsSched.getInstances().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ILL_JOB_INST_ID"),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_JOBS_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_ADD_MISSING_PARAMS"),
+ null, resp);
+ return;
+ }
+
+ // get plugin for implementation
+ JobPlugin plugin =
+ (JobPlugin) mJobsSched.getPlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_JOB_PLUGIN_NOT_FOUND",
+ id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ IJob oldinst =
+ (IJob) mJobsSched.getInstances().get((Object) id);
+ IConfigStore oldConfig = oldinst.getConfigStore();
+
+ String[] oldConfigParms = oldinst.getConfigParams();
+ NameValuePairs saveParams = new NameValuePairs();
+
+ // implName is always required so always include it it.
+ saveParams.add(IJobsScheduler.PROP_PLUGIN,
+ (String) oldConfig.get(IJobsScheduler.PROP_PLUGIN));
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.length; i++) {
+ String key = oldConfigParms[i];
+ Object val = oldConfig.get(key);
+
+ if (val != null) {
+ saveParams.add(key, (String) val);
+ }
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+ IConfigStore instancesConfig =
+ destStore.getSubStore(scope);
+
+ instancesConfig.removeSubStore(id);
+
+ // create new substore.
+
+ String[] configParams = mJobsSched.getConfigParams(implname);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(IJobsScheduler.PROP_PLUGIN, implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.length; i++) {
+ String key = configParams[i];
+ String val = req.getParameter(key);
+
+ if (val != null && !val.equals("")) {
+ substore.put(key, val);
+ } else if (!key.equals("profileId")) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new
+ EJobsException(CMS.getUserMessage(getLocale(req),"CMS_JOB_SRVLT_MISSING_INST_PARAM_VAL",
+ key)).toString(),
+ null, resp);
+ return;
+ }
+ }
+ }
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ IJob newJobInst = null;
+
+ try {
+ newJobInst = (IJob) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new EJobsException(
+ CMS.getUserMessage(getLocale(req),"CMS_JOB_LOAD_CLASS_FAILED", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the job plugin
+
+ IJobsScheduler scheduler = (IJobsScheduler)
+ CMS.getSubsystem(CMS.SUBSYSTEM_JOBS);
+
+ try {
+ newJobInst.init(scheduler, id, implname, substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Exception e) {
+ CMS.debug("JobsAdminServlet: modJobsInst: " + e);
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, "unidentified error" + e, null, resp);
+ return;
+ }
+
+ // initialized ok. commiting
+ try {
+ mConfig.commit(true);
+
+ } catch (EBaseException e) {
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mJobsSched.getInstances().put(id, newJobInst);
+
+ mJobsSched.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_JOB_INST_REP", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private void getSettings(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ IConfigStore config = mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+
+ params.add(Constants.PR_ENABLE,
+ config.getString(IJobsScheduler.PROP_ENABLED,
+ Constants.FALSE));
+ // default 1 minute
+ params.add(Constants.PR_JOBS_FREQUENCY,
+ config.getString(IJobsScheduler.PROP_INTERVAL, "1"));
+
+ //System.out.println("Send: "+params.toString());
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void setSettings(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+ //Save New Settings to the config file
+ IConfigStore config = mConfig.getSubStore(DestDef.DEST_JOBS_ADMIN);
+
+ String enabled = config.getString(IJobsScheduler.PROP_ENABLED);
+ String enabledSetTo = req.getParameter(Constants.PR_ENABLE);
+ boolean enabledChanged = false;
+
+ if (!enabled.equalsIgnoreCase(enabledSetTo)) {
+ enabledChanged = true;
+ // set enable flag
+ config.putString(IJobsScheduler.PROP_ENABLED, enabledSetTo);
+ }
+
+ //set frequency
+ String interval =
+ req.getParameter(Constants.PR_JOBS_FREQUENCY);
+
+ if (interval != null) {
+ config.putString(IJobsScheduler.PROP_INTERVAL, interval);
+ mJobsSched.setInterval(
+ config.getInteger(IJobsScheduler.PROP_INTERVAL));
+ }
+
+ if (enabledChanged == true) {
+ if (enabled.equalsIgnoreCase("false")) { // turned on
+ mJobsSched.startDaemon();
+ }
+ }
+ mConfig.commit(true);
+
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ // convenience routine.
+ private static void restore(IConfigStore store,
+ String id, NameValuePairs saveParams) {
+ store.removeSubStore(id);
+ IConfigStore rstore = store.makeSubStore(id);
+
+ Enumeration keys = saveParams.getNames();
+
+ while (keys.hasMoreElements()) {
+ String key = (String) keys.nextElement();
+ String value = saveParams.getValue(key);
+
+ if (!value.equals(""))
+ rstore.put(key, value);
+ }
+ }
+}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
new file mode 100644
index 000000000..423095d51
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
@@ -0,0 +1,887 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.password.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.kra.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.usrgrp.*;
+
+
+/**
+ * A class representings an administration servlet for Key
+ * Recovery Authority. This servlet is responsible to serve
+ * KRA administrative operation such as configuration
+ * parameter updates.
+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAAdminServlet extends AdminServlet {
+ protected static final String PROP_ENABLED = "enabled";
+
+ private final static String INFO = "KRAAdminServlet";
+
+ private IKeyRecoveryAuthority mKRA = null;
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM =
+ "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
+
+ /**
+ * Constructs KRA servlet.
+ */
+ public KRAAdminServlet() {
+ super();
+ }
+
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mKRA = (IKeyRecoveryAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_KRA);
+ }
+
+ /**
+ * Returns serlvet information.
+ *
+ * @return name of this servlet
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP admin request.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ super.authenticate(req);
+ String scope = req.getParameter(Constants.OP_SCOPE);
+
+ if (scope == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+
+ try {
+ AUTHZ_RES_NAME = "certServer.kra.configuration";
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ /* Functions not implemented in console
+ if (scope.equals(ScopeDef.SC_AUTO_RECOVERY)) {
+ readAutoRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RECOVERY)) {
+ readRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) {
+ getNotificationRIQConfig(req, resp);
+ return;
+ } else
+ */
+ if (scope.equals(ScopeDef.SC_GENERAL)) {
+ getGeneralConfig(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ /* Functions not implemented in console
+ if (scope.equals(ScopeDef.SC_AUTO_RECOVERY)) {
+ modifyAutoRecoveryConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_AGENT_PWD)) {
+ changeAgentPwd(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MNSCHEME)) {
+ changeMNScheme(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) {
+ setNotificationRIQConfig(req, resp);
+ return;
+ } else
+ */
+ if (scope.equals(ScopeDef.SC_GENERAL)) {
+ setGeneralConfig(req,resp);
+ }
+ }
+ } catch (EBaseException e) {
+ // convert exception into locale-specific message
+ sendResponse(ERROR, e.toString(getLocale(req)),
+ null, resp);
+ return;
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ }
+
+ private void getGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ int value = 1;
+
+ value = mKRA.getNoOfRequiredAgents();
+ params.add(Constants.PR_NO_OF_REQUIRED_RECOVERY_AGENTS, Integer.toString(value));
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ private void setGeneralConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ Enumeration enum1 = req.getParameterNames();
+ boolean restart = false;
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ while (enum1.hasMoreElements()) {
+ String key = (String) enum1.nextElement();
+ String value = req.getParameter(key);
+
+ if (key.equals(Constants.PR_NO_OF_REQUIRED_RECOVERY_AGENTS)) {
+ try {
+ int number = Integer.parseInt(value);
+ mKRA.setNoOfRequiredAgents(number);
+ } catch (NumberFormatException e) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ throw new EBaseException("Number of agents must be an integer");
+ }
+ }
+ }
+
+ commit(true);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ if (restart)
+ sendResponse(RESTART, null, null, resp);
+ else
+ sendResponse(SUCCESS, null, null, resp);
+ }
+
+ /**
+ * Changes M-N scheme.
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_DRM used when configuring + * DRM (Key recovery scheme, change of any secret component) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void changeMNScheme(HttpServletRequest req,
+ HttpServletResponse resp) throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ try {
+ NameValuePairs params = new NameValuePairs();
+ String recN = getParameter(req,
+ Constants.PR_RECOVERY_N);
+ String recM = getParameter(req,
+ Constants.PR_RECOVERY_M);
+ String oldAgents = getParameter(req,
+ Constants.PR_OLD_RECOVERY_AGENT);
+ String agents = getParameter(req,
+ Constants.PR_RECOVERY_AGENT);
+
+ if (recN == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EKRAException(
+ CMS.getLogMessage("KRA_INVALID_N"));
+ }
+
+ if (recM == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EKRAException(
+ CMS.getLogMessage("KRA_INVALID_M"));
+ }
+
+ if (recN != null && recM != null && oldAgents != null
+ && agents != null) {
+ int nVal = Integer.parseInt(recN);
+
+ int mVal = Integer.parseInt(recM);
+
+ Credential oldcreds[] =
+ parseCredentialStr(oldAgents);
+
+ if (oldcreds == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EKRAException(
+ CMS.getLogMessage("KRA_INVALID_PASSWORD"));
+ }
+
+ Credential creds[] =
+ parseCredentialStr(agents);
+
+ if (creds == null) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EKRAException(
+ CMS.getLogMessage("KRA_INVALID_PASSWORD"));
+ } else {
+ for (int i = 0; i < creds.length; i++) {
+ Credential credential = creds[i];
+ String pass = credential.getPassword();
+ IPasswordCheck checker = CMS.getPasswordChecker();
+
+ if (!checker.isGoodPassword(pass)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(checker.getReason(pass));
+ }
+ }
+ }
+ if (mKRA.getStorageKeyUnit().changeAgentMN(
+ nVal, mVal, oldcreds, creds)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // successful operation
+ sendResponse(SUCCESS, null, params,
+ resp);
+ return;
+ }
+ }
+ } catch (IOException e) {
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ }
+ }
+
+ /**
+ * Changes recovery agent password.
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_DRM used when configuring + * DRM (Key recovery scheme, change of any secret component) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void changeAgentPwd(HttpServletRequest req,
+ HttpServletResponse resp) throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ try {
+ String id = getParameter(req, Constants.RS_ID);
+ String oldpwd = getParameter(req,
+ Constants.PR_OLD_AGENT_PWD);
+ String newpwd = getParameter(req,
+ Constants.PR_AGENT_PWD);
+ IPasswordCheck checker = CMS.getPasswordChecker();
+
+ if (!checker.isGoodPassword(newpwd)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(checker.getReason(newpwd));
+ }
+
+ if (mKRA.getStorageKeyUnit().changeAgentPassword(id,
+ oldpwd, newpwd)) {
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EKRAException(
+ CMS.getLogMessage("KRA_INVALID_PASSWORD"));
+ }
+ } catch (IOException e) {
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ }
+ }
+
+ /**
+ * Modifies auto recovery configuration.
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_DRM used when configuring + * DRM (Key recovery scheme, change of any secret component) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void modifyAutoRecoveryConfig(
+ HttpServletRequest req, HttpServletResponse resp)
+ throws EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ try {
+ NameValuePairs params = new NameValuePairs();
+ String autoOn = getParameter(req,
+ Constants.PR_AUTO_RECOVERY_ON);
+ String agents = getParameter(req,
+ Constants.PR_RECOVERY_AGENT);
+
+ if (autoOn.equals(Constants.TRUE)) {
+ Credential creds[] = parseCredentialStr(
+ agents);
+
+ if (mKRA.setAutoRecoveryState(creds, true)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params,
+ resp);
+ return;
+ }
+ } else if (autoOn.equals(Constants.FALSE)) {
+ if (mKRA.setAutoRecoveryState(null, false)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params,
+ resp);
+ return;
+ }
+ }
+ } catch (IOException e) {
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ }
+ }
+
+ /**
+ * Reads auto recovery status.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ private synchronized void readAutoRecoveryConfig(
+ HttpServletRequest req, HttpServletResponse resp)
+ throws EBaseException {
+ try {
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_AUTO_RECOVERY_ON,
+ mKRA.getAutoRecoveryState() ?
+ Constants.TRUE : Constants.FALSE);
+ sendResponse(SUCCESS, null, params, resp);
+ } catch (IOException e) {
+ throw new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ }
+ }
+
+ /**
+ * Reads recovery configuration.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ private synchronized void readRecoveryConfig(
+ HttpServletRequest req, HttpServletResponse resp)
+ throws EBaseException {
+ try {
+ IStorageKeyUnit sku = mKRA.getStorageKeyUnit();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_RECOVERY_N,
+ Integer.toString(sku.getNoOfAgents()));
+ params.add(Constants.PR_RECOVERY_M,
+ Integer.toString(sku.getNoOfRequiredAgents()));
+ Enumeration e = sku.getAgentIdentifiers();
+ StringBuffer as = new StringBuffer();
+
+ while (e.hasMoreElements()) {
+ as.append((String)e.nextElement());
+ if (e.hasMoreElements()) {
+ as.append(",");
+ }
+ }
+ params.add(Constants.PR_RECOVERY_AGENT, as.toString());
+ sendResponse(SUCCESS, null, params, resp);
+ } catch (IOException e) {
+ throw new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ }
+ }
+
+ /**
+ * Reads information about auto recovery agents.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ private synchronized void readAutoRecoveryAgents(
+ HttpServletRequest req, HttpServletResponse resp)
+ throws EBaseException {
+ try {
+ // send the entire list anyway
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mKRA.getAutoRecoveryIDs();
+ StringBuffer users = new StringBuffer();
+
+ while (e.hasMoreElements()) {
+ users.append((String) e.nextElement());
+ if (e.hasMoreElements()) {
+ users.append(",");
+ }
+ }
+ params.add(Constants.PR_GROUP_USER, users.toString());
+ params.add(Constants.PR_GROUP_DESC,
+ "Auto Recovery Agents"); // XXX - localized
+ sendResponse(SUCCESS, null, params, resp);
+ } catch (IOException e) {
+ throw new EBaseException(
+ CMS.getLogMessage("BASE_INVALID_OPERATION"));
+ }
+ }
+
+ /**
+ * Modifies information about auto recovery agents.
+ *
+ * @param req HTTP request
+ * @param resp HTTP response
+ */
+ private synchronized void modifyAutoRecoveryAgents(
+ HttpServletRequest req, HttpServletResponse resp)
+ throws EBaseException {
+ Vector v = new Vector();
+ String users = getParameter(req,
+ Constants.PR_GROUP_USER);
+ StringTokenizer st = new StringTokenizer(users, ",");
+
+ while (st.hasMoreTokens()) {
+ v.addElement(st.nextToken());
+ }
+ String desc = getParameter(req,
+ Constants.PR_GROUP_DESC);
+ String agents = getParameter(req,
+ Constants.PR_RECOVERY_AGENT);
+ Credential creds[] = parseCredentialStr(
+ agents);
+ // XXX - check if the given password matched
+ // put ids into hashtable so that we can
+ // figure out what should be saved and deleted
+ Enumeration e = mKRA.getAutoRecoveryIDs();
+ Hashtable h = new Hashtable();
+
+ while (e.hasMoreElements()) {
+ h.put(e.nextElement(), "");
+ }
+
+ // go through each of the user in the new list
+ for (int i = 0; i < v.size(); i++) {
+ String key = (String) v.elementAt(i);
+
+ if (h.containsKey(key)) {
+ h.remove(key);
+ } else {
+ mKRA.addAutoRecovery(key, creds);
+ }
+ }
+
+ // delete all the unreferenced
+ Enumeration dels = h.keys();
+
+ while (dels.hasMoreElements()) {
+ mKRA.removeAutoRecovery((String)
+ dels.nextElement());
+ }
+ }
+
+ /**
+ * Parses uid0=pwd0,uid1=pwd1,... into AgentCredential.
+ *
+ * @param s credential string
+ * @return a list of credentials
+ */
+ private Credential[] parseCredentialStr(String s) {
+ StringTokenizer st = new StringTokenizer(s, ",");
+ Vector v = new Vector();
+
+ while (st.hasMoreTokens()) {
+ String a = st.nextToken();
+ StringTokenizer st0 = new StringTokenizer(a, "=");
+
+ v.addElement(new Credential(st0.nextToken(),
+ st0.nextToken()));
+ }
+ Credential ac[] = new Credential[v.size()];
+
+ v.copyInto(ac);
+ return ac;
+ }
+
+ /*
+ * handle getting request in queue notification config info
+ */
+ private void getNotificationRIQConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ IConfigStore config = mKRA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mKRA.PROP_NOTIFY_SUBSTORE);
+
+ IConfigStore riq = nc.getSubStore(mKRA.PROP_REQ_IN_Q_SUBSTORE);
+
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ params.add(name, riq.getString(name, ""));
+ }
+
+ params.add(Constants.PR_ENABLE,
+ riq.getString(PROP_ENABLED, Constants.FALSE));
+ //System.out.println("Send: "+params.toString());
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * Handle setting request in queue notification config info
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_DRM used when configuring + * DRM (Key recovery scheme, change of any secret component) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private void setNotificationRIQConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ IConfigStore config = mKRA.getConfigStore();
+ IConfigStore nc =
+ config.getSubStore(mKRA.PROP_NOTIFY_SUBSTORE);
+
+ IConfigStore riq = nc.getSubStore(mKRA.PROP_REQ_IN_Q_SUBSTORE);
+
+ //set rest of the parameters
+ Enumeration e = req.getParameterNames();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+
+ if (name.equals(Constants.OP_TYPE))
+ continue;
+ if (name.equals(Constants.RS_ID))
+ continue;
+ if (name.equals(Constants.OP_SCOPE))
+ continue;
+ if (name.equals(Constants.PR_ENABLE))
+ continue;
+ String val = req.getParameter(name);
+
+ riq.putString(name, val);
+ mKRA.getRequestInQListener().set(name, val);
+ }
+
+ // set enable flag
+ String enabledString = req.getParameter(Constants.PR_ENABLE);
+
+ riq.putString(PROP_ENABLED, enabledString);
+ mKRA.getRequestInQListener().set(PROP_ENABLED, enabledString);
+
+ commit(true);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, null, resp);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific
exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+}
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
new file mode 100644
index 000000000..f8350da9d
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
@@ -0,0 +1,2550 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.apps.*;
+
+
+/**
+ * A class representings an administration servlet for logging
+ * subsystem. This servlet is responsible to serve
+ * logging administrative operation such as configuration
+ * parameter updates and log retriever.
+ * + * @version $Revision$, $Date$ + */ +public class LogAdminServlet extends AdminServlet { + + private final static String INFO = "LogAdminServlet"; + + private ILogSubsystem mSys = null; + + private final static String VIEW = ";" + Constants.VIEW; + private final static String EDIT = ";" + Constants.EDIT; + + private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit"; + private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT = + "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3"; + private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; + private final static String LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE = + "LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4"; + + /** + * Constructs Log servlet. + */ + public LogAdminServlet() { + super(); + } + + public static Hashtable toHashtable(HttpServletRequest req) { + Hashtable httpReqHash = new Hashtable(); + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + httpReqHash.put(name, req.getParameter(name)); + } + return httpReqHash; + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mSys = (ILogSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_LOG); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP admin request. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + String op = req.getParameter(Constants.OP_TYPE); + + if (op == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + return; + } + + super.authenticate(req); + + try { + // perform operation based on scope + String scope = req.getParameter(Constants.OP_SCOPE); + + if (scope != null) { + AUTHZ_RES_NAME = "certServer.log.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + try { + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + getConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + getInstConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_GENERAL)) { + getGeneralConfig(req, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_DELETE)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + delLogPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + delLogInst(req, resp, scope); + return; + } else { 
+ sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_ADD)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + addLogPlugin(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + addLogInst(req, resp, scope); + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + AUTHZ_RES_NAME = "certServer.log.configuration"; + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + if (scope.equals(ScopeDef.SC_LOG_RULES)) { + modLogInst(req, resp, scope); + return; + } else if (scope.equals(ScopeDef.SC_GENERAL)) { + setGeneralConfig(req, resp); + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_LOG_IMPLS)) { + listLogPlugins(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_LOG_RULES)) { + listLogInsts(req, resp, true); + return; + } else if (scope.equals(ScopeDef.SC_LOG_INSTANCES)) { + listLogInsts(req, resp, false); + return; + } else if (scope.equals(ScopeDef.SC_LOG_CONTENT)) { + String instName = req.getParameter(Constants.PR_LOG_INSTANCE); + + if (instName.equals("System")) { + AUTHZ_RES_NAME = "certServer.log.content.system"; + } else if 
(instName.equals("Transactions")) { + AUTHZ_RES_NAME = "certServer.log.content.transactions"; + } else if (instName.equals(Constants.PR_LOG_SIGNED_AUDIT)) { + AUTHZ_RES_NAME = "certServer.log.content.signedAudit"; + } + + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + + ILogEventListener loginst = + mSys.getLogInstance(instName); + + if (loginst != null) { + NameValuePairs nvps = loginst.retrieveLogContent(toHashtable(req)); + + sendResponse(SUCCESS, null, nvps, resp); + } + return; + } else if (scope.equals(ScopeDef.SC_LOG_ARCH)) { + String instName = req.getParameter(Constants.PR_LOG_INSTANCE); + + if (instName.equals("System")) { + AUTHZ_RES_NAME = "certServer.log.content.system"; + } else if (instName.equals("Transactions")) { + AUTHZ_RES_NAME = "certServer.log.content.transactions"; + } else if (instName.equals(Constants.PR_LOG_SIGNED_AUDIT)) { + AUTHZ_RES_NAME = "certServer.log.content.signedAudit"; + } + + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + ILogEventListener loginst = + mSys.getLogInstance(instName); + + if (loginst != null) { + NameValuePairs nvps = loginst.retrieveLogList(toHashtable(req)); + + sendResponse(SUCCESS, null, nvps, resp); + } + return; + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"), + null, resp); + return; + } + } else { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op), + null, resp); + return; + } + } + } catch (EBaseException e) { + // if it is EBaseException, we can output better + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + } catch (Exception e) { + System.out.println("XXX >>>" + e.toString() + "<<<"); + sendResponse(ERROR, + 
CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"), + null, resp); + } + + return; + } + + private synchronized void listLogInsts(HttpServletRequest req, + HttpServletResponse resp, boolean all) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String insts = null; + Enumeration e = mSys.getLogInsts().keys(); + + for (; e.hasMoreElements();) { + String name = (String) e.nextElement(); + ILogEventListener value = ((ILogSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_LOG)).getLogInstance(name); + + if (value == null) + continue; + String pName = mSys.getLogPluginName(value); + LogPlugin pClass = (LogPlugin) + mSys.getLogPlugins().get(pName); + String c = pClass.getClassPath(); + + // not show ntEventlog here + if (all || (!all && !c.endsWith("NTEventLog"))) + params.add(name, pName + ";visible"); + } + sendResponse(SUCCESS, null, params, resp); + return; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from logging + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + NameValuePairs params = getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + LogPlugin lp = (LogPlugin) mSys.getLogPlugins().get(implName); + + if (lp != null) { + impl = getClassByNameAsExtendedPluginInfo(lp.getClassPath()); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = 
new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Add log plug-in + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when + * configuring signedAudit + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addLogPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the log id unique? 
+ if (mSys.getLogPlugins().containsKey((Object) id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ILL_PLUGIN_ID", id)).toString(), + null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_LOG_CLASS); + + if (classPath == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_NULL_CLASS"), + null, resp); + return; + } + + IConfigStore destStore = null; + + destStore = mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("impl"); + + // Does the class exist? 
+ Class newImpl = null; + + try { + newImpl = Class.forName(classPath); + } catch (ClassNotFoundException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_NO_CLASS"), + null, resp); + return; + } catch (IllegalArgumentException e) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_NO_CLASS"), + null, resp); + return; + } + + // is the class an ILogEventListner? + try { + if (ILogEventListener.class.isAssignableFrom(newImpl) == false) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ILL_CLASS"), + null, resp); + return; + } + } catch (NullPointerException e) { // unlikely, only if newImpl null. 
+ // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ILL_CLASS"), + null, resp); + return; + } + + IConfigStore substore = instancesConfig.makeSubStore(id); + + substore.put(Constants.PR_LOG_CLASS, classPath); + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + //System.out.println("SRVLT_FAIL_COMMIT"); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // add log to registry. 
+ LogPlugin plugin = new LogPlugin(id, classPath); + + mSys.getLogPlugins().put(id, plugin); + + NameValuePairs params = new NameValuePairs(); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(SUCCESS, null, params, resp); + return; + // } catch( EBaseException eAudit1 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private boolean isValidID(String id) { + if (id == null) + return false; + for (int i = 0; i < id.length(); i++) { + if (!Character.isLetterOrDigit(id.charAt(i))) + return false; + } + return true; + } + + /** + * Add log instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when + * configuring signedAudit + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @param scope string used to obtain the contents of the log's substore + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private synchronized void addLogInst(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String logType = null; + String id = req.getParameter(Constants.RS_ID); + + // if this "required" parameter is not present, + // always log messages to the signed audit log + logType = id; + if (logType == null) { + logType = SIGNED_AUDIT_LOG_TYPE; + } + + if (id == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + if (!isValidID(id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, "Invalid ID '" + id + "'", + null, resp); + return; + } + + if (mSys.getLogInsts().containsKey((Object) id)) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + 
auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ILL_INST_ID"), + null, resp); + return; + } + + // get required parameters + String implname = req.getParameter( + Constants.PR_LOG_IMPL_NAME); + + if (implname == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ADD_MISSING_PARAMS"), + null, resp); + return; + } + + // check if implementation exists. + LogPlugin plugin = + (LogPlugin) mSys.getLogPlugins().get( + implname); + + if (plugin == null) { + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_PLUGIN_NOT_FOUND",implname)).toString(), + null, resp); + return; + } + + Vector configParams = mSys.getLogDefaultParams(implname); + + IConfigStore destStore = + mConfig.getSubStore("log"); + IConfigStore instancesConfig = + destStore.getSubStore("instance"); + IConfigStore substore = instancesConfig.makeSubStore(id); + + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + String val = req.getParameter(kv.substring(0, index)); + + if (val == null) { + substore.put(kv.substring(0, index), + kv.substring(index + 1)); + } else { + substore.put(kv.substring(0, index), + val); + } + } + } + substore.put("pluginName", implname); + + // Fix Blackflag Bug #615603: Currently, although expiring log + // files 
is no longer supported, it is still a required parameter + // that must be present during the creation and modification of + // custom log plugins. + substore.put("expirationTime", "0"); + + // Instantiate an object for this implementation + String className = plugin.getClassPath(); + ILogEventListener logInst = null; + + try { + logInst = (ILogEventListener) Class.forName(className).newInstance(); + } catch (ClassNotFoundException e) { + // cleanup + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } catch (InstantiationException e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } catch (IllegalAccessException e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(), + null, resp); + return; + } + + // initialize the log + try { + logInst.init(mSys, substore); + } catch 
(EBaseException e) { + // don't commit in this case and cleanup the new substore. + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } catch (Throwable e) { + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, e.toString(), null, resp); + return; + } + + // commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. + instancesConfig.removeSubStore(id); + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // inited and commited ok. now add log instance to list. 
+ mSys.getLogInsts().put(id, logInst);
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_LOG_IMPL_NAME, implname);
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private synchronized void listLogPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mSys.getLogPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ LogPlugin value = (LogPlugin)
+ mSys.getLogPlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc =
"unknown";
+
+ try {
+ ILogEventListener lp = (ILogEventListener)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ sendResponse(ERROR, exp.toString(), null,
+ resp);
+ return;
+ }
+ params.add(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getLogPluginName(ILogEventListener log) {
+ IConfigStore cs = log.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ /**
+ * Delete log instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when + * configuring signedAudit + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of the log's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void delLogInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String logType = null;
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ // if this "required" parameter is not present,
+ // always log messages to the signed audit log
+ logType = id;
+ if (logType == null) {
+ logType = SIGNED_AUDIT_LOG_TYPE;
+ }
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the log instance exist?
+ if (mSys.getLogInsts().containsKey(id) == false) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogNotFound(CMS.getUserMessage(getLocale(req), "CMS_LOG_INSTANCE_NOT_FOUND",id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ ILogEventListener logInst = (ILogEventListener)
+ mSys.getLogInstance(id);
+
+ mSys.getLogInsts().remove((Object) id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore("log");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ //
audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Delete log plug-in
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when + * configuring signedAudit + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of the log's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void delLogPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String logType = null;
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ // if this "required" parameter is not present,
+ // always log messages to the signed audit log
+ logType = id;
+ if (logType == null) {
+ logType = SIGNED_AUDIT_LOG_TYPE;
+ }
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (mSys.getLogPlugins().containsKey(id) == false) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogPluginNotFound(CMS.getUserMessage(getLocale(req),"CMS_LOG_PLUGIN_NOT_FOUND",id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this log
+ // DON'T remove log if any
instance
+ for (Enumeration e = mSys.getLogInsts().keys();
+ e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILogEventListener log = mSys.getLogInstance(name);
+
+ if (getLogPluginName(log) == id) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_IN_USE"),
+ null, resp);
+ return;
+ }
+ }
+
+ // then delete this log
+ mSys.getLogPlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore("log");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ }
catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private synchronized void getLogConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mSys.getLogDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.add(Constants.PR_LOG_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getLogInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does log instance exist?
+ if (mSys.getLogInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ELogNotFound(CMS.getUserMessage(getLocale(req),"CMS_LOG_INSTANCE_NOT_FOUND",id)).toString(),
+ null, resp);
+ return;
+ }
+
+ ILogEventListener logInst = (ILogEventListener)
+ mSys.getLogInstance(id);
+ Vector configParams = logInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_LOG_IMPL_NAME,
+ getLogPluginName(logInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Modify log instance
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT used when + * configuring signedAudit + *
  • signed.audit LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE used when log file + * name (including any path changes) for any of audit, system, transaction, + * or other customized log file change is attempted (authorization should + * not allow, but make sure it's written after the attempt) + *
  • signed.audit LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE used when log + * expiration time change is attempted (authorization should not allow, but + * make sure it's written after the attempt) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @param scope string used to obtain the contents of the log's substore
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void modLogInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+ String logType = null;
+ String origLogPath = req.getParameter(Constants.PR_LOG_FILENAME);
+ String newLogPath = origLogPath;
+ String origExpirationTime = req.getParameter(
+ Constants.PR_LOG_EXPIRED_TIME);
+ String newExpirationTime = origExpirationTime;
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+ String type = "";
+
+ // if this "required" parameter is not present,
+ // always log messages to the signed audit log
+ logType = id;
+ if (logType == null) {
+ logType = SIGNED_AUDIT_LOG_TYPE;
+ }
+
+ if (origLogPath != null) {
+ origLogPath = origLogPath.trim();
+ newLogPath = newLogPath.trim();
+ } else {
+ origLogPath = "";
+ newLogPath = "";
+ }
+
+ if (origExpirationTime != null) {
+ origExpirationTime = origExpirationTime.trim();
+ newExpirationTime = newExpirationTime.trim();
+ } else {
+ origExpirationTime = "";
+ newExpirationTime = "";
+ }
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mSys.getLogInsts().containsKey((Object) id)) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ILL_INST_ID"),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_LOG_IMPL_NAME);
+
+ if (implname == null) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),"CMS_LOG_SRVLT_ADD_MISSING_PARAMS"),
+
+ null, resp);
+ return;
+ }
+ // get plugin for implementation
+ LogPlugin plugin =
+ (LogPlugin) mSys.getLogPlugins().get(implname);
+
+ if (plugin == null) {
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogPluginNotFound(CMS.getUserMessage(getLocale(req),"CMS_LOG_PLUGIN_NOT_FOUND",implname)).toString(), null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ ILogEventListener oldinst =
+ (ILogEventListener) mSys.getLogInstance(id);
+ Vector oldConfigParms = oldinst.getInstanceParams();
+ NameValuePairs saveParams = new NameValuePairs();
+
+ // implName is always required so always include it it.
+ saveParams.add("pluginName", implname);
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.size(); i++) {
+ String kv = (String) oldConfigParms.elementAt(i);
+ int index = kv.indexOf('=');
+
+ saveParams.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore("log");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("instance");
+
+ // create new substore.
+
+ Vector configParams = mSys.getLogInstanceParams(id);
+
+ //instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+
+ // Fix Blackflag Bug #615603: Currently, although expiring log
+ // files is no longer supported, it is still a required parameter
+ // that must be present during the creation and modification of
+ // custom log plugins.
+ substore.put("expirationTime", "0");
+
+ // IMPORTANT: save a copy of the original log file path
+ origLogPath = substore.getString(Constants.PR_LOG_FILENAME);
+ newLogPath = origLogPath;
+
+ if (origLogPath != null) {
+ origLogPath = origLogPath.trim();
+ newLogPath = newLogPath.trim();
+ } else {
+ origLogPath = "";
+ newLogPath = "";
+ }
+
+ // IMPORTANT: save a copy of the original log expiration time
+ origExpirationTime = substore.getString(
+ Constants.PR_LOG_EXPIRED_TIME);
+ newExpirationTime = origExpirationTime;
+
+ if (origExpirationTime != null) {
+ origExpirationTime = origExpirationTime.trim();
+ newExpirationTime = newExpirationTime.trim();
+ } else {
+ origExpirationTime = "";
+ newExpirationTime = "";
+ }
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ AUTHZ_RES_NAME =
+ "certServer.log.configuration";
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if
+ (key.equals("level")) {
+ if
(val.equals(ILogger.LL_DEBUG_STRING))
+ val = "0";
+ else if (val.equals(ILogger.LL_INFO_STRING))
+ val = "1";
+ else if (val.equals(ILogger.LL_WARN_STRING))
+ val = "2";
+ else if (val.equals(ILogger.LL_FAILURE_STRING))
+ val = "3";
+ else if (val.equals(ILogger.LL_MISCONF_STRING))
+ val = "4";
+ else if (val.equals(ILogger.LL_CATASTRPHE_STRING))
+ val = "5";
+ else if (val.equals(ILogger.LL_SECURITY_STRING))
+ val = "6";
+
+ }
+
+ if
+ (key.equals("rolloverInterval")) {
+ if (val.equals("Hourly"))
+ val = Integer.toString(60 * 60);
+ else if (val.equals("Daily"))
+ val = Integer.toString(60 * 60 * 24);
+ else if (val.equals("Weekly"))
+ val = Integer.toString(60 * 60 * 24 * 7);
+ else if (val.equals("Monthly"))
+ val = Integer.toString(60 * 60 * 24 * 30);
+ else if (val.equals("Yearly"))
+ val = Integer.toString(60 * 60 * 24 * 365);
+ }
+
+ if
+ (key.equals(Constants.PR_LOG_TYPE)) {
+ type = val;
+ }
+
+ if (val != null) {
+ if (key.equals("fileName")) {
+ String origVal = substore.getString(key);
+
+ val = val.trim();
+ newLogPath = val;
+ if (!val.equals(origVal.trim())) {
+ AUTHZ_RES_NAME =
+ "certServer.log.configuration.fileName";
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ // store a message in the signed audit log
+ // file (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log
+ // file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ }
+ }
+/*
+ if (key.equals("expirationTime")) {
+ String origVal =
substore.getString(key);
+
+ val = val.trim();
+ newExpirationTime = val;
+ if (!val.equals(origVal.trim())) {
+ if (id.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ AUTHZ_RES_NAME =
+ "certServer.log.configuration.signedAudit.expirationTime";
+ }
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ // store a message in the signed audit log
+ // file (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log
+ // file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ }
+ }
+*/
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILogEventListener newMgrInst = null;
+
+ try {
+ newMgrInst = (ILogEventListener)
+ Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if
(!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ restore(instancesConfig, id, saveParams);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ }
catch (IllegalAccessException e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ restore(instancesConfig, id, saveParams);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ new ELogException(CMS.getUserMessage(getLocale(req),"CMS_LOG_LOAD_CLASS_FAIL", className)).toString(),
+ null, resp);
+ return;
+ }
+ // initialize the log
+
+ try {
+ if (false) {
+ newMgrInst.init(mSys, substore);
+ }
+ } catch (EBaseException e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR, e.toString(getLocale(req)), null,
+ resp);
+ return;
+ } catch (Throwable e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ restore(instancesConfig, id, saveParams);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if
(logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR, e.toString(), null,
+ resp);
+ return;
+ }
+
+ // initialized ok. commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ // REMOVED - we didn't do anything to shut off the old instance
+ // so, it will still be running at this point. You'd have two
+ // log isntances writing to the same file - this would be a big PROBLEM!!!
+
+ //mSys.getLogInsts().put(id, newMgrInst);
+
+ NameValuePairs params = new NameValuePairs();
+
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ logType,
+ newExpirationTime);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+ }
+
+ sendResponse(RESTART, null, params, resp);
+ return;
+ } catch (EBaseException eAudit1) {
+ // check to see if the log file path parameter was changed
+ newLogPath = auditCheckLogPath(req);
+
+ // check to see if the log expiration time parameter was changed
+ newExpirationTime = auditCheckLogExpirationTime(req);
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newLogPath.equals(origLogPath))) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ logType,
+ newLogPath);
+
+ audit(auditMessage);
+ }
+
+ // store a message in the signed audit log file
+ // (regardless of logType)
+ if (!(newExpirationTime.equals(origExpirationTime))) {
+ auditMessage = CMS.getLogMessage(
+
LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + } + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // check to see if the log file path parameter was changed + newLogPath = auditCheckLogPath(req); + + // check to see if the log expiration time parameter was changed + newExpirationTime = auditCheckLogExpirationTime(req); + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newLogPath.equals(origLogPath))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newLogPath); + + audit(auditMessage); + } + + // store a message in the signed audit log file + // (regardless of logType) + if (!(newExpirationTime.equals(origExpirationTime))) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + auditSubjectID, + ILogger.FAILURE, + logType, + newExpirationTime); + + audit(auditMessage); + } + + // store a message in the signed audit log file + if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + } + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // check to see if the log file path parameter was changed + // newLogPath = auditCheckLogPath( req ); + // + // // check to see if the log expiration time parameter was changed + // newExpirationTime = auditCheckLogExpirationTime( req ); + // + // // 
store a message in the signed audit log file + // // (regardless of logType) + // if( !( newLogPath.equals( origLogPath ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE, + // auditSubjectID, + // ILogger.FAILURE, + // logType, + // newLogPath ); + // + // audit( auditMessage ); + // } + // + // // store a message in the signed audit log file + // // (regardless of logType) + // if( !( newExpirationTime.equals( origExpirationTime ) ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE, + // auditSubjectID, + // ILogger.FAILURE, + // logType, + // newExpirationTime ); + // + // audit( auditMessage ); + // } + // + // // store a message in the signed audit log file + // if( logType.equals( SIGNED_AUDIT_LOG_TYPE ) ) { + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // } + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + /** + * used for getting the required configuration parameters (with + * possible default values) for a particular plugin + * implementation name specified in the RS_ID. Actually, there is + * no logic in here to set any default value here...there's no + * default value for any parameter in this log subsystem + * at this point. Later, if we do have one (or some), it can be + * added. The interface remains the same. 
+ */ + private synchronized void getConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + + String implname = req.getParameter(Constants.RS_ID); + + if (implname == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + Vector configParams = mSys.getLogDefaultParams(implname); + NameValuePairs params = new NameValuePairs(); + + // implName is always required so always send it. + params.add(Constants.PR_LOG_IMPL_NAME, ""); + if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + + if (index == -1) { + params.add(kv, ""); + } else { + params.add(kv.substring(0, index), + kv.substring(index + 1)); + } + } + } + sendResponse(0, null, params, resp); + return; + } + + private synchronized void getInstConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // does log instance exist? + if (mSys.getLogInsts().containsKey(id) == false) { + sendResponse(ERROR, + new ELogNotFound(CMS.getUserMessage(getLocale(req),"CMS_LOG_INSTANCE_NOT_FOUND",id)).toString(), + null, resp); + return; + } + + ILogEventListener logInst = (ILogEventListener) + mSys.getLogInstance(id); + Vector configParams = logInst.getInstanceParams(); + NameValuePairs params = new NameValuePairs(); + + params.add(Constants.PR_LOG_IMPL_NAME, + getLogPluginName(logInst)); + // implName is always required so always send it. 
+ if (configParams != null) { + for (int i = 0; i < configParams.size(); i++) { + String kv = (String) configParams.elementAt(i); + int index = kv.indexOf('='); + + params.add(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + sendResponse(SUCCESS, null, params, resp); + return; + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + Enumeration keys = saveParams.getNames(); + + while (keys.hasMoreElements()) { + String key = (String) keys.nextElement(); + String value = saveParams.getValue(key); + + if (value != null) + rstore.put(key, value); + } + } + + /** + * Signed Audit Check Log Path + * + * This method is called to extract the log file path. + *

+ * + * @param req http servlet request + * @return a string containing the log file path + */ + private String auditCheckLogPath(HttpServletRequest req) { + // check to see if the log file path parameter was changed + String logPath = req.getParameter(Constants.PR_LOG_FILENAME); + + if (logPath == null) { + logPath = ""; + } + + logPath = logPath.trim(); + + return logPath; + } + + /** + * Signed Audit Check Log Expiration Time + * + * This method is called to extract the log expiration time. + *

+ * + * @param req http servlet request + * @return a string containing the log expiration time + */ + private String auditCheckLogExpirationTime(HttpServletRequest req) { + // check to see if the log expiration time parameter was changed + String expirationTime = req.getParameter( + Constants.PR_LOG_EXPIRED_TIME); + + if (expirationTime == null) { + expirationTime = ""; + } + + expirationTime = expirationTime.trim(); + + return expirationTime; + } + + private void getGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + String value = "false"; + + value = mConfig.getString(Constants.PR_DEBUG_LOG_ENABLE, "false"); + params.add(Constants.PR_DEBUG_LOG_ENABLE, value); + + value = mConfig.getString(Constants.PR_DEBUG_LOG_LEVEL, "0"); + params.add(Constants.PR_DEBUG_LOG_LEVEL, value); + + sendResponse(SUCCESS, null, params, resp); + } + + private void setGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + Enumeration enum1 = req.getParameterNames(); + boolean restart = false; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_DEBUG_LOG_ENABLE)) { + if (value.equals("true") || value.equals("false")) { + mConfig.putString(Constants.PR_DEBUG_LOG_ENABLE, value); + } else { + CMS.debug("setGeneralConfig: Invalid value for " + Constants.PR_DEBUG_LOG_ENABLE + ": " + value); + throw new EBaseException("Invalid value for " + Constants.PR_DEBUG_LOG_ENABLE); + } + } else if (key.equals(Constants.PR_DEBUG_LOG_LEVEL)) { + try { + int number = Integer.parseInt(value); + mConfig.putString(Constants.PR_DEBUG_LOG_LEVEL, value); + } catch (NumberFormatException e) { + CMS.debug("setGeneralConfig: Invalid value for " + Constants.PR_DEBUG_LOG_LEVEL + ": " + value); + throw new 
EBaseException("Invalid value for " + Constants.PR_DEBUG_LOG_LEVEL); + } + } + } + + mConfig.commit(true); + + if (restart) + sendResponse(RESTART, null, null, resp); + else + sendResponse(SUCCESS, null, null, resp); + } + +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java new file mode 100644 index 000000000..aafe4f4bc --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java 
@@ -0,0 +1,560 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.cert.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.util.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.ocsp.*;
+import com.netscape.certsrv.dbs.certdb.*;
+import com.netscape.certsrv.dbs.crldb.*;
+import com.netscape.certsrv.ldap.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.apps.*;
+
+
+/**
+ * A class representings an administration servlet for Certificate
+ * Authority. This servlet is responsible to serve OCSP
+ * administrative operations such as configuration parameter
+ * updates.
+ * + * @version $Revision$, $Date$ + */ +public class OCSPAdminServlet extends AdminServlet { + + protected static final String PROP_ENABLED = "enabled"; + + private final static String INFO = "OCSPAdminServlet"; + + private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE = + "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3"; + + private IOCSPAuthority mOCSP = null; + + public OCSPAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mOCSP = (IOCSPAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_OCSP); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP request. Each request is authenticated to + * the authenticate manager. + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + //get all operational flags + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + //check operational flags + if ((op == null) || (scope == null)) { + sendResponse(1, "Invalid Protocol", null, resp); + return; + } + + super.authenticate(req); + + try { + AUTHZ_RES_NAME = "certServer.ocsp.configuration"; + if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + try { + getExtendedPluginInfo(req, resp); + return; + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + } + } + + if (scope.equals(ScopeDef.SC_OCSPSTORE_DEFAULT)) { + if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + 
return; + } + setDefaultStore(req, resp); + return; + } + } + + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + getGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + getOCSPStoresConfig(req, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + setGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + setOCSPStoresConfig(req, resp); + return; + } + } else if (op.equals(OpDef.OP_SEARCH)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_OCSPSTORES_RULES)) { + listOCSPStoresConfig(req, resp); + return; + } + } + } catch (Exception e) { + sendResponse(1, e.toString(), null, resp); + return; + } + } + + /** + * retrieve extended plugin info such as brief description, + * type info from CRL extensions + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + 
IExtendedPluginInfo ext_info = null; + Object impl = null; + + impl = getClassByNameAsExtendedPluginInfo(implName); + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * Set default OCSP store + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when + * configuring OCSP profile (everything under Online Certificate Status + * Manager) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setDefaultStore(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + mOCSP.getConfigStore().putString(IOCSPAuthority.PROP_DEF_STORE_ID, + id); + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw 
eAudit3; + } + } + + private void getOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + IOCSPStore store = mOCSP.getOCSPStore(id); + NameValuePairs params = store.getConfigParameters(); + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * Set OCSP store configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when + * configuring OCSP profile (everything under Online Certificate Status + * Manager) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + NameValuePairs params = new NameValuePairs(); + + String id = req.getParameter(Constants.RS_ID); + + IOCSPStore store = mOCSP.getOCSPStore(id); + + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_CRLEXT_IMPL_NAME)) + continue; + if (name.equals("RULENAME")) + continue; + String value = req.getParameter(name); + + params.add(name, value); + } + store.setConfigParameters(params); + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + 
auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void listOCSPStoresConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore config = mOCSP.getConfigStore(); + String defStore = config.getString(mOCSP.PROP_DEF_STORE_ID); + IConfigStore SubStore = config.getSubStore(mOCSP.PROP_STORE); + Enumeration enumStores = SubStore.getSubStoreNames(); + + while (enumStores.hasMoreElements()) { + String storeName = (String) enumStores.nextElement(); + boolean storeEnabled = false; + + if (storeName.equals(defStore)) { + storeEnabled = true; + } + params.add(storeName, storeName + ";visible;" + ((storeEnabled) ? 
"enabled" : "disabled")); + } + sendResponse(SUCCESS, null, params, resp); + } + + private void getGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + getSigningAlgConfig(params); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getSigningAlgConfig(NameValuePairs params) { + params.add(Constants.PR_DEFAULT_ALGORITHM, + mOCSP.getDefaultAlgorithm()); + String[] algorithms = mOCSP.getOCSPSigningAlgorithms(); + StringBuffer algorStr = new StringBuffer(); + + for (int i = 0; i < algorithms.length; i++) { + if (i == 0) + algorStr.append(algorithms[i]); + else + algorStr.append(":"); + algorStr.append(algorithms[i]); + } + params.add(Constants.PR_ALL_ALGORITHMS, algorStr.toString()); + } + + /** + * Set general OCSP configuration + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE used when + * configuring OCSP profile (everything under Online Certificate Status + * Manager) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + * @exception EBaseException an error has occurred + */ + private void setGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + Enumeration enum1 = req.getParameterNames(); + boolean restart = false; + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + String value = req.getParameter(key); + + if (key.equals(Constants.PR_DEFAULT_ALGORITHM)) { + mOCSP.setDefaultAlgorithm(value); + } + } + + commit(true); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (EBaseException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + } catch (IOException eAudit2) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit2; + // } catch( ServletException eAudit3 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE, + // 
auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit3; + } + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_OTHER, + level, "CAAdminServlet: " + msg); + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java new file mode 100644 index 000000000..91309e08c --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java 
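Review bot: In `setOCSPStoresConfig` the store returned by `mOCSP.getOCSPStore(id)` is dereferenced at `store.setConfigParameters(params)` with no check on `id` or on the result, and the surrounding `try` catches only `EBaseException` and `IOException`, so a runtime exception raised there skips the `ILogger.FAILURE` record in the signed audit log. Whether `getOCSPStore` returns null for a missing or unknown `RS_ID` is not visible in this hunk, but a guard such as `if (id == null || store == null) throw new EBaseException("Invalid OCSP store id");` before the parameter loop would route that case through the audited failure path. `getExtendedPluginInfo(req, resp)` has the same unchecked `RS_ID`: `id.indexOf(':')` fails on a missing parameter and `id.substring(0, colon)` on an id without a colon, and `setDefaultStore` writes the id to `PROP_DEF_STORE_ID` without confirming that such a store exists. Separately, `getSigningAlgConfig` appends `algorithms[0]` twice because the unbraced `else` covers only the `":"` append; `if (i > 0) algorStr.append(":");` followed by the single append gives the intended colon-separated list.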
@@ -0,0 +1,1243 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+
+
+/**
+ * This class is an administration servlet for policy management.
+ *
+ * Each service (CA, KRA, RA) should be responsible
+ * for registering an instance of this with the remote
+ * administration subsystem.
+ *
+ * @version $Revision$, $Date$
+ */
+public class PolicyAdminServlet extends AdminServlet {
+ public final static String PROP_AUTHORITY = "authority";
+
+ private final static String INFO = "PolicyAdminServlet";
+ private final static String PW_PASSWORD_CACHE_ADD =
+ "PASSWORD_CACHE_ADD";
+
+ public final static String PROP_PREDICATE = "predicate";
+ private IPolicyProcessor mProcessor = null;
+ private IAuthority mAuthority = null;
+
+ // These will be moved to PolicyResources
+ public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope";
+ public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management";
+ public static String NYI = "Not Yet Implemented";
+ public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration";
+ public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration";
+ public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request";
+ public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request";
+ public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request";
+ public static String MISSING_POLICY_INST_ID = "Missing policy impl id in request";
+ public static String INVALID_POLICY_INST_ID = "Invalid policy impl id in request";
+ public static String COMMA = ",";
+ public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY =
+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
+
+ /**
+ * Constructs administration servlet.
+ */
+ public PolicyAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ String authority = config.getInitParameter(PROP_AUTHORITY);
+ String policyStatus = null;
+
+ CMS.debug( "PolicyAdminServlet: In Policy Admin Servlet init!" 
); + + // CMS 6.1 began utilizing the "Certificate Profiles" framework + // instead of the legacy "Certificate Policies" framework. + // + // Beginning with CS 8.1, to meet the Common Criteria evaluation + // performed on this version of the product, it was determined + // that this legacy "Certificate Policies" framework would be + // deprecated and disabled by default (see Bugzilla Bug #472597). + // + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // + // Further, the "PolicyAdminServlet.java" servlet is ONLY used + // by the CA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // capolicy ca/capolicy + // + // Finally, the "PolicyAdminServlet.java" servlet is ONLY used + // by the KRA Console for the following: + // + // SERVLET-NAME URL-PATTERN + // ==================================================== + // krapolicy kra/krapolicy + // + if (authority != null) + mAuthority = (IAuthority) CMS.getSubsystem(authority); + if (mAuthority != null) + if (mAuthority instanceof ICertificateAuthority) { + mProcessor = ((ICertificateAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = ICertificateAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if( mConfig.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "ca.Policy.enable=" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. 
+ CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: ca.Policy.enable=false + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } catch( EBaseException e ) { + throw new ServletException( authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'" ); + } + } else if (mAuthority instanceof IRegistrationAuthority) { + // this refers to the legacy RA (pre-CMS 7.0) + mProcessor = ((IRegistrationAuthority) mAuthority).getPolicyProcessor(); + } else if (mAuthority instanceof IKeyRecoveryAuthority) { + mProcessor = ((IKeyRecoveryAuthority) mAuthority).getPolicyProcessor(); + try { + policyStatus = IKeyRecoveryAuthority.ID + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + if( mConfig.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "kra.Policy.enable=" is missing, + // then the referenced instance existed prior + // to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is ENABLED" ); + } else { + // CS 8.1 Default: kra.Policy.enable=false + CMS.debug( "PolicyAdminServlet::init " + + "Certificate Policy Framework (deprecated) " + + "is DISABLED" ); + return; + } + } catch( EBaseException e ) { + throw new ServletException( authority + + " does not have a " + + "master policy switch called '" + + policyStatus + "'" ); + } + } else + throw new ServletException(authority + " does not have policy processor!"); + } + + /** + * Returns serlvet information. 
+ */ + public String getServletInfo() { + return INFO; + } + + /** + * retrieve extended plugin info such as brief description, type info + * from policy, authentication, + * need to add: listener, mapper and publishing plugins + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + if (!readAuthorize(req, resp)) + return; + String id = req.getParameter(Constants.RS_ID); + NameValuePairs params = null; + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName1 = id.substring(colon + 1); + String implName = implName1; + String instName = null; + + colon = implName1.indexOf(':'); + if (colon > -1) { + implName = implName1.substring(0, colon); + instName = implName1.substring(colon + 1); + params = getExtendedPluginInfo(getLocale(req), implType, implName, instName); + } else { + params = getExtendedPluginInfo(getLocale(req), implType, implName); + } + sendResponse(SUCCESS, null, params, resp); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + IPolicyRule policy = mProcessor.getPolicyImpl(implName); + + impl = policy; + + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + } + + public NameValuePairs getExtendedPluginInfo(Locale locale, String pluginType, + String implName, + String instName) { + IExtendedPluginInfo ext_info = null; + + Object impl = null; + + IPolicyRule policy = mProcessor.getPolicyInstance(instName); + + impl = policy; + if (impl == null) { + impl = mProcessor.getPolicyImpl(implName); + } + if (impl != null) { + if (impl instanceof 
IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + + } + + if (nvps != null) { + addDefaultParams(impl, nvps); + } + + return nvps; + } + + private void addDefaultParams(Object ext_info, NameValuePairs nvps) { + + /* make sure policy rules have 'enable' and 'predicate' */ + + if (ext_info instanceof IPolicyRule) { + if (nvps.getPair(IPolicyRule.PROP_ENABLE) == null) { + nvps.add(IPolicyRule.PROP_ENABLE, "boolean;Enable this policy rule"); + } + if (nvps.getPair(PROP_PREDICATE) == null) { + nvps.add(PROP_PREDICATE, "string;Rules describing when this policy should run."); + } + } + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + super.authenticate(req); + + AUTHZ_RES_NAME = "certServer.policy.configuration"; + String scope = req.getParameter(Constants.OP_SCOPE); + + if (scope.equals(ScopeDef.SC_POLICY_RULES)) + processPolicyRuleMgmt(req, resp); + else if (scope.equals(ScopeDef.SC_POLICY_IMPLS)) + processPolicyImplMgmt(req, resp); + else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) { + try { + getExtendedPluginInfo(req, resp); + } catch (EBaseException e) { + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } + } else + sendResponse(ERROR, INVALID_POLICY_SCOPE, null, resp); + } + + private boolean readAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + private boolean modifyAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { 
+ mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + /** + * Process Policy Implementation Management. + */ + public void processPolicyImplMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listPolicyImpls(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deletePolicyImpl(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyImplConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyImpl(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void processPolicyRuleMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listPolicyInstances(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deletePolicyInstance(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyInstanceConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyInstance(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + String id = req.getParameter(Constants.RS_ID); + + if (id.equalsIgnoreCase(Constants.RS_ID_ORDER)) + changePolicyInstanceOrdering(req, resp); + else + modifyPolicyInstance(req, resp); + } else + sendResponse(ERROR, 
INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void listPolicyImpls(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + Enumeration policyImplNames = mProcessor.getPolicyImplsInfo(); + Enumeration policyImpls = mProcessor.getPolicyImpls(); + + if (policyImplNames == null || + policyImpls == null) { + sendResponse(ERROR, INVALID_POLICY_IMPL_CONFIG, null, resp); + return; + } + + // Assemble a name value pair; + NameValuePairs nvp = new NameValuePairs(); + + while (policyImplNames.hasMoreElements() && + policyImpls.hasMoreElements()) { + String id = (String) policyImplNames.nextElement(); + IPolicyRule impl = (IPolicyRule) + policyImpls.nextElement(); + String className = + impl.getClass().getName(); + String desc = impl.getDescription(); + + nvp.add(id, className + "," + desc); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void listPolicyInstances(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + Enumeration instancesInfo = mProcessor.getPolicyInstancesInfo(); + + if (instancesInfo == null) { + sendResponse(ERROR, INVALID_POLICY_INSTANCE_CONFIG, null, resp); + return; + } + + // Assemble name value pairs + NameValuePairs nvp = new NameValuePairs(); + String instName, rest; + + while (instancesInfo.hasMoreElements()) { + String info = (String) instancesInfo.nextElement(); + int i = info.indexOf(";"); + + nvp.add(info.substring(0, i), info.substring(i + 1)); + + } + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Delete policy implementation + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deletePolicyImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + try { + mProcessor.deletePolicyImpl(id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + //e.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void getPolicyImplConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + Vector v = mProcessor.getPolicyImplConfig(id); + + if (v == null) { + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = (String) e.nextElement(); + int index = nv.indexOf("="); + + nvp.add(nv.substring(0, index), nv.substring(index + 1)); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Add policy implementation + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_POLICY_CLASS); + + if (classPath == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_CLASS, null, resp); + return; + } + try { + mProcessor.addPolicyImpl(id, classPath); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + 
auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deletePolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + try { + mProcessor.deletePolicyInstance(id); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + //e.printStackTrace(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( 
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void getPolicyInstanceConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get the policy rule id. + String id = req.getParameter(Constants.RS_ID).trim(); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + Vector v = mProcessor.getPolicyInstanceConfig(id); + + if (v == null) { + sendResponse(ERROR, INVALID_POLICY_INST_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = (String) e.nextElement(); + int index = nv.indexOf("="); + String name = nv.substring(0, index); + String value = nv.substring(index + 1); + + if (value == null) { + value = ""; + } + + nvp.add(name, value); + + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void + putUserPWPair(String combo) { + int semicolon; + + semicolon = combo.indexOf(";"); + String user = combo.substring(0, semicolon); + String pw = combo.substring(semicolon + 1); + + CMS.putPasswordCache(user, pw); + } + + /** + * Add policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addPolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // Get the default config params for the implementation. + String implName = req.getParameter(IPolicyRule.PROP_IMPLNAME); + + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + // We need to fetch parameters: enable, predicate and implname + // always, and any additional parameters as required by the + // implementation. 
+ Hashtable ht = new Hashtable(); + String val = req.getParameter(IPolicyRule.PROP_ENABLE).trim(); + + if (val == null) + val = "true"; + ht.put(IPolicyRule.PROP_ENABLE, val); + + val = req.getParameter(IPolicyRule.PROP_PREDICATE); + if (val != null) + ht.put(IPolicyRule.PROP_PREDICATE, val); + ht.put(IPolicyRule.PROP_IMPLNAME, implName); + + Vector v = mProcessor.getPolicyImplConfig(implName); + + if (v == null) { + // Invalid impl id + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + for (Enumeration e = v.elements(); e.hasMoreElements();) { + String nv = (String) e.nextElement(); + int index = nv.indexOf("="); + String key = nv.substring(0, index); + + val = req.getParameter(key).trim(); + if (val != null) + ht.put(key, val); + } + + String pwadd = req.getParameter(PW_PASSWORD_CACHE_ADD); + + if (pwadd != null) { + putUserPWPair(pwadd); + } + + try { + mProcessor.addPolicyInstance(id, ht); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled 
later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Change ordering of policy instances + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void changePolicyInstanceOrdering(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String policyOrder = + req.getParameter(Constants.PR_POLICY_ORDER); + + if (policyOrder == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_ORDERING, null, resp); + return; + } + try { + mProcessor.changePolicyInstanceOrdering(policyOrder); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify policy instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY used when + * configuring cert policy constraints and extensions + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void modifyPolicyInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // Get the default config params for the implementation. + String implName = req.getParameter(IPolicyRule.PROP_IMPLNAME).trim(); + + if (implName == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + // We need to fetch parameters: enable, predicate and implname + // always, and any additional parameters as required by the + // implementation. 
+ Hashtable ht = new Hashtable(); + String val = req.getParameter(IPolicyRule.PROP_ENABLE).trim(); + + if (val == null) + val = "true"; + ht.put(IPolicyRule.PROP_ENABLE, val); + + val = req.getParameter(IPolicyRule.PROP_PREDICATE); + if (val != null) + ht.put(IPolicyRule.PROP_PREDICATE, val); + ht.put(IPolicyRule.PROP_IMPLNAME, implName); + Vector v = mProcessor.getPolicyImplConfig(implName); + + if (v == null) { + // Invalid impl id + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, INVALID_POLICY_IMPL_ID, null, resp); + return; + } + // XXX + for (Enumeration n = req.getParameterNames(); n.hasMoreElements();) { + String p = (String) n.nextElement(); + String l = (String) req.getParameter(p); + + if (l != null) + ht.put(p, l); + } + + /* + for(Enumeration e = v.elements(); e.hasMoreElements(); ) + { + String nv = (String)e.nextElement(); + int index = nv.indexOf("="); + String key = nv.substring(0, index); + val = req.getParameter(key); + if (val != null) + ht.put(key, val); + } + */ + + try { + mProcessor.modifyPolicyInstance(id, ht); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (Exception e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, e.toString(), null, resp); + } + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + auditSubjectID, + ILogger.FAILURE, + 
auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } +} + diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java new file mode 100644 index 000000000..8306bc77e --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java 
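Review bot: In deletePolicyImpl, deletePolicyInstance and getPolicyInstanceConfig the id is read as `req.getParameter(Constants.RS_ID).trim()`, so the following `if (id == null)` branch can never run: a request without that parameter throws NullPointerException at the `.trim()` call instead. In the two delete methods that dead branch is the one that writes the FAILURE audit record, and the surrounding try catches only IOException, so the failure leaves the method with no signed-audit entry, contrary to the comment that low-level exceptions are reported to the signed audit log. The same pattern appears for PROP_ENABLE in addPolicyInstance and modifyPolicyInstance, for PROP_IMPLNAME in modifyPolicyInstance, and for `req.getParameter(key).trim()` in the loop of addPolicyInstance. Read the value first and trim only when it is present, for example `String id = req.getParameter(Constants.RS_ID);` followed by `if (id != null) id = id.trim();`, and do the same for the other parameters.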
@@ -0,0 +1,2683 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.registry.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.authority.IAuthority;
+import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.ra.IRegistrationAuthority;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+
+
+/**
+ * This class is an administration servlet for policy management.
+ *
+ * Each service (CA, KRA, RA) should be responsible
+ * for registering an instance of this with the remote
+ * administration subsystem.
+ *
+ * @version $Revision$, $Date$
+ */
+public class ProfileAdminServlet extends AdminServlet {
+ public final static String PROP_AUTHORITY = "authority";
+
+ private final static String INFO = "ProfileAdminServlet";
+ private final static String PW_PASSWORD_CACHE_ADD =
+ "PASSWORD_CACHE_ADD";
+
+ public final static String PROP_PREDICATE = "predicate";
+ private IAuthority mAuthority = null;
+ private IPluginRegistry mRegistry = null;
+ private IProfileSubsystem mProfileSub = null;
+
+ // These will be moved to PolicyResources
+ public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope";
+ public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management";
+ public static String NYI = "Not Yet Implemented";
+ public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration";
+ public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration";
+ public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request";
+ public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request";
+ public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request";
+ public static String MISSING_POLICY_INST_ID = "Missing policy id in request";
+ public static String POLICY_INST_ID_ALREADY_USED = "policy id already used";
+ public static String INVALID_POLICY_INST_ID = "Invalid policy id in request";
+ public static String COMMA = ",";
+ public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+ public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+
+ /**
+ * Constructs administration servlet.
+ */
+ public ProfileAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + String authority = config.getInitParameter(PROP_AUTHORITY); + + if (authority != null) + mAuthority = (IAuthority) CMS.getSubsystem(authority); + mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + mProfileSub = (IProfileSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_PROFILE); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + private void addDefaultParams(Object ext_info, NameValuePairs nvps) { + + /* make sure policy rules have 'enable' and 'predicate' */ + + if (ext_info instanceof IPolicyRule) { + if (nvps.getPair(IPolicyRule.PROP_ENABLE) == null) { + nvps.add(IPolicyRule.PROP_ENABLE, "boolean;Enable this policy rule"); + } + if (nvps.getPair(PROP_PREDICATE) == null) { + nvps.add(PROP_PREDICATE, "string;Rules describing when this policy should run."); + } + } + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + super.authenticate(req); + + AUTHZ_RES_NAME = "certServer.profile.configuration"; + String scope = req.getParameter(Constants.OP_SCOPE); + + CMS.debug("ProfileAdminServlet: service scope: " + scope); + if (scope.equals(ScopeDef.SC_PROFILE_RULES)) { + processProfileRuleMgmt(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_POLICIES)) { + processProfilePolicy(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_DEFAULT_POLICY)) { + processPolicyDefaultConfig(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_CONSTRAINT_POLICY)) { + processPolicyConstraintConfig(req, resp); + } else if (scope.equals(ScopeDef.SC_POLICY_IMPLS)) { + processPolicyImplMgmt(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_INPUT)) { + processProfileInput(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_OUTPUT)) { + 
processProfileOutput(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_INPUT_CONFIG)) { + processProfileInputConfig(req, resp); + } else if (scope.equals(ScopeDef.SC_PROFILE_OUTPUT_CONFIG)) { + processProfileOutputConfig(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_SCOPE, null, resp); + } + + private boolean readAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + private boolean modifyAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + public void processProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfilePolicy(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addProfilePolicy(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteProfilePolicy(req, resp); + } + } + + public void processProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + String scope = super.getParameter(req, Constants.OP_SCOPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfileInput(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addProfileInput(req, 
resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteProfileInput(req, resp); + } + } + + public void processProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + String scope = super.getParameter(req, Constants.OP_SCOPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfileOutput(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addProfileOutput(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteProfileOutput(req, resp); + } + } + + public void processProfileInputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getInputConfig(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + modifyInputConfig(req, resp); + } + } + + public void processProfileOutputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getOutputConfig(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + modifyOutputConfig(req, resp); + } + } + + public void processPolicyDefaultConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyDefaultConfig(req, resp); + } else if 
(op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyDefaultConfig(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + modifyPolicyDefaultConfig(req, resp); + } + } + + public void processPolicyConstraintConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + CMS.debug("ProfileAdminServlet: processPolicyConstraintConfig op " + op); + if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getPolicyConstraintConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addPolicyConstraintConfig(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + modifyPolicyConstraintConfig(req, resp); + } + } + + /** + * Process Policy Implementation Management. + */ + public void processPolicyImplMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listProfileImpls(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void processProfileRuleMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listProfileInstances(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteProfileInstance(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfileInstanceConfig(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if 
(!modifyAuthorize(req, resp)) + return; + addProfileInstance(req, resp); + } else if (op.equals(OpDef.OP_MODIFY)) { + if (!modifyAuthorize(req, resp)) + return; + modifyProfileInstance(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + /** + * Lists all registered profile impementations + */ + public void listProfileImpls(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + Enumeration impls = mRegistry.getIds("profile"); + NameValuePairs nvp = new NameValuePairs(); + + while (impls.hasMoreElements()) { + String id = (String) impls.nextElement(); + IPluginInfo info = mRegistry.getPluginInfo("profile", id); + + nvp.add(id, info.getClassName() + "," + + info.getDescription(getLocale(req))); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Add policy profile + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + CMS.debug("ProfileAdminServlet: in addProfilePolicy"); + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + String defImpl = st.nextToken(); + String conImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + if (mProfileSub.isProfileEnable(profileId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Profile is currently enabled"), + null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + IProfilePolicy policy = null; + + try { + if (!isValidId(setId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Invalid set id " + setId), + null, resp); + return; + } + if (!isValidId(pId)) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), + "CMS_PROFILE_CREATE_POLICY_FAILED", + "Invalid policy id " + pId), + null, resp); + return; + } + policy = 
profile.createProfilePolicy(setId, pId, + defImpl, conImpl); + } catch (EBaseException e1) { + // error + CMS.debug("ProfileAdminServlet: addProfilePolicy " + + e1.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_POLICY_FAILED", + e1.toString()), + null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add profile input + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String inputId = st.nextToken(); + String inputImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IProfileInput input = null; + Enumeration names = req.getParameterNames(); + NameValuePairs nvps = new NameValuePairs(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + nvps.add(name, req.getParameter(name)); + } + + try { + input = profile.createProfileInput(inputId, inputImpl, nvps); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_INPUT_FAILED", + e1.toString()), + null, resp); + + return; + } + + 
NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Add profile output + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String id = req.getParameter(Constants.RS_ID); + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String outputId = st.nextToken(); + String outputImpl = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IProfileOutput output = null; + Enumeration names = req.getParameterNames(); + NameValuePairs nvps = new NameValuePairs(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + continue; + nvps.add(name, req.getParameter(name)); + } + + try { + output = profile.createProfileOutput(outputId, outputImpl, + nvps); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_PROFILE_CREATE_OUTPUT_FAILED", + e1.toString()), + null, resp); + + return; + } 
+ + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete policy profile + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String profileId = ""; + String policyId = ""; + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + profileId = req.getParameter(name); + if (name.equals("POLICYID")) + policyId = req.getParameter(name); + } + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + try { + profile.deleteProfilePolicy(setId, pId); + } catch (EBaseException e1) { + CMS.debug("ProfileAdminServlet: " + e1.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete profile input + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + String profileId = ""; + String inputId = ""; + Enumeration names = req.getParameterNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + + if (name.equals("OP_SCOPE")) + continue; + if (name.equals("OP_TYPE")) + continue; + if (name.equals("RS_ID")) + profileId = req.getParameter(name); + if (name.equals("INPUTID")) + inputId = req.getParameter(name); + } + CMS.debug("ProfileAdminServlet: deleteProfileInput profileId -> " + profileId); + CMS.debug("ProfileAdminServlet: deleteProfileInput inputId -> " + inputId); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + CMS.debug("deleteProfileInput profile -> " + profile); + try { + profile.deleteProfileInput(inputId); + } catch (EBaseException e1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + // store a message in the signed audit log file + 
auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, nvp, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Delete profile output + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void deleteProfileOutput(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String profileId = "";
+ String outputId = "";
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ profileId = req.getParameter(name);
+ if (name.equals("OUTPUTID"))
+ outputId = req.getParameter(name);
+ }
+ CMS.debug("ProfileAdminServlet: deleteProfileOutput profileId -> " + profileId);
+ CMS.debug("ProfileAdminServlet: deleteProfileOutput outputId -> " + outputId);
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ CMS.debug("ProfileAdminServlet: deleteProfileOutput profile -> " + profile);
+ try {
+ profile.deleteProfileOutput(outputId);
+ } catch (EBaseException e1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Add default policy profile configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void addPolicyDefaultConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String policyId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ StringTokenizer ss = new StringTokenizer(policyId, ":");
+ String setId = ss.nextToken();
+ String pId = ss.nextToken();
+
+ IProfilePolicy policy = profile.getProfilePolicy(setId, pId);
+ IPolicyDefault def = policy.getDefault();
+ IConfigStore defConfig = def.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+ try {
+ def.setConfig(name,req.getParameter(name));
+
+ } catch (EPropertyException e) {
+
+ CMS.debug("ProfileAdminServlet: modifyPolicyDefConfig setConfig exception.");
+ try {
+ profile.deleteProfilePolicy(setId, pId);
+ } catch (Exception e11) {}
+ sendResponse(ERROR,BAD_CONFIGURATION_VAL,null,resp);
+ return;
+ }
+ // defConfig.putString("params." + name, req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Add policy constraints profile configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void addPolicyConstraintConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String policyId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ StringTokenizer ss = new StringTokenizer(policyId, ":");
+ String setId = ss.nextToken();
+ String pId = ss.nextToken();
+
+ IProfilePolicy policy = profile.getProfilePolicy(setId, pId);
+ IPolicyConstraint con = policy.getConstraint();
+ IConfigStore conConfig = con.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+
+ try {
+ con.setConfig(name,req.getParameter(name));
+
+ } catch (EPropertyException e) {
+
+ CMS.debug("ProfileAdminServlet: addPolicyConstraintsConfig setConfig exception.");
+ try {
+ profile.deleteProfilePolicy(setId, pId);
+ } catch (Exception e11) {}
+ sendResponse(ERROR,BAD_CONFIGURATION_VAL,null,resp);
+ return;
+ }
+ // conConfig.putString("params." + name, req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Modify default policy profile configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void modifyPolicyDefaultConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String policyId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ StringTokenizer ss = new StringTokenizer(policyId, ":");
+ String setId = ss.nextToken();
+ String pId = ss.nextToken();
+ IProfilePolicy policy = profile.getProfilePolicy(setId, pId);
+ IPolicyDefault def = policy.getDefault();
+ IConfigStore defConfig = def.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+ try {
+ def.setConfig(name,req.getParameter(name));
+
+ } catch (EPropertyException e) {
+
+ CMS.debug("ProfileAdminServlet: modifyPolicyDefConfig setConfig exception.");
+ sendResponse(ERROR,BAD_CONFIGURATION_VAL,null,resp);
+ return;
+ }
+ // defConfig.putString("params." + name, req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Modify profile input configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void modifyInputConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String inputId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ IProfileInput input = profile.getProfileInput(inputId);
+ IConfigStore inputConfig = input.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+ inputConfig.putString("params." + name, req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Modify profile output configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void modifyOutputConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String outputId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ IProfileOutput output = profile.getProfileOutput(outputId);
+ IConfigStore outputConfig = output.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+ outputConfig.putString("params." + name,
+ req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ /**
+ * Modify policy constraints profile configuration
+ *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void modifyPolicyConstraintConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String policyId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ StringTokenizer ss = new StringTokenizer(policyId, ":");
+ String setId = ss.nextToken();
+ String pId = ss.nextToken();
+ IProfilePolicy policy = profile.getProfilePolicy(setId, pId);
+ IPolicyConstraint con = policy.getConstraint();
+ IConfigStore conConfig = con.getConfigStore();
+
+ Enumeration names = req.getParameterNames();
+
+ CMS.debug("ProfileAdminServlet: modifyPolicyConstraintConfig policy " + policy + " con " + con);
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+
+ if (name.equals("OP_SCOPE"))
+ continue;
+ if (name.equals("OP_TYPE"))
+ continue;
+ if (name.equals("RS_ID"))
+ continue;
+
+ // CMS.debug("ProfileAdminServlet: modifyPolicyConstraintConfig name" + name + " val " + req.getParameter(name));
+ try {
+ con.setConfig(name,req.getParameter(name));
+
+ } catch (EPropertyException e) {
+
+ CMS.debug("ProfileAdminServlet: modifyPolicyConstraintsConfig setConfig exception.");
+ sendResponse(ERROR,BAD_CONFIGURATION_VAL,null,resp);
+ return;
+ }
+ //conConfig.putString("params." + name, req.getParameter(name));
+ }
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+
+ NameValuePairs nvp = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, nvp, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ public void getPolicyDefaultConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ StringTokenizer st = new StringTokenizer(id, ";");
+ String profileId = st.nextToken();
+ String policyId = st.nextToken();
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(profileId);
+ } catch (EBaseException e1) {
+ CMS.debug(
"ProfileAdminServlet::getPolicyDefaultConfig() - " + + "profile is null!" ); + throw new ServletException( e1.toString() ); + } + + IProfilePolicy policy = null; + IPolicyDefault rule = null; + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + + policy = profile.getProfilePolicy(setId, pId); + rule = policy.getDefault(); + + NameValuePairs nvp = new NameValuePairs(); + Enumeration names = rule.getConfigNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + IDescriptor desc = rule.getConfigDescriptor(getLocale(req), name); + + if (desc == null) { + nvp.add(name, ";" + ";" + rule.getConfig(name)); + } else { + nvp.add(name, desc.getSyntax() + ";" + ";" + getNonNull(desc.getConstraint()) + ";" + desc.getDescription(getLocale(req)) + ";" + rule.getConfig(name)); + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getPolicyConstraintConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + String constraintsList = req.getParameter(Constants.PR_CONSTRAINTS_LIST); + + // this one gets called when one of the elements in the default list get + // selected, then it returns the list of supported constraintsPolicy + if (constraintsList != null) { + + } + + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String policyId = st.nextToken(); + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getPolicyConstraintConfig() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + StringTokenizer ss = new StringTokenizer(policyId, ":"); + String setId = ss.nextToken(); + String pId = ss.nextToken(); + IProfilePolicy policy = profile.getProfilePolicy(setId, pId); + IPolicyConstraint rule = policy.getConstraint(); + + NameValuePairs nvp = new NameValuePairs(); + Enumeration names = rule.getConfigNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + IDescriptor desc = rule.getConfigDescriptor(getLocale(req), name); + + if (desc == null) { + nvp.add(name, ";" + rule.getConfig(name)); + } else { + nvp.add(name, desc.getSyntax() + ";" + getNonNull(desc.getConstraint()) + ";" + desc.getDescription(getLocale(req)) + ";" + rule.getConfig(name)); + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfilePolicy(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + + // only allow profile retrival if it is disabled + + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getProfilePolicy() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration setIds = profile.getProfilePolicySetIds(); + + if (!setIds.hasMoreElements()) { + // no set id; this is a brand new profile + sendResponse(SUCCESS, null, nvp, resp); + return; + } + while (setIds.hasMoreElements()) { + String setId = (String) setIds.nextElement(); + Enumeration policies = profile.getProfilePolicies(setId); + + while (policies.hasMoreElements()) { + IProfilePolicy policy = (IProfilePolicy) policies.nextElement(); + IPolicyDefault def = policy.getDefault(); + IConfigStore defConfig = def.getConfigStore(); + IPolicyConstraint con = policy.getConstraint(); + IConfigStore conConfig = con.getConfigStore(); + + nvp.add(setId + ":" + policy.getId(), + def.getName(getLocale(req)) + ";" + + con.getName(getLocale(req))); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileOutput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getProfileOutput() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration outputs = profile.getProfileOutputIds(); + + while (outputs.hasMoreElements()) { + String outputId = (String) outputs.nextElement(); + IProfileOutput output = profile.getProfileOutput(outputId); + + nvp.add(outputId, output.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileInput(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getProfileInput() - " + + "profile is null!" ); + throw new ServletException( e1.toString() ); + } + + NameValuePairs nvp = new NameValuePairs(); + Enumeration inputs = profile.getProfileInputIds(); + + while (inputs.hasMoreElements()) { + String inputId = (String) inputs.nextElement(); + IProfileInput input = profile.getProfileInput(inputId); + + nvp.add(inputId, input.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getInputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String inputId = st.nextToken(); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getInputConfig() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + IProfileInput profileInput = null; + NameValuePairs nvp = new NameValuePairs(); + + profileInput = profile.getProfileInput(inputId); + Enumeration names = profileInput.getConfigNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + IDescriptor desc = profileInput.getConfigDescriptor( + getLocale(req), name); + if (desc == null) { + nvp.add(name, ";" + ";" + profileInput.getConfig(name)); + } else { + nvp.add(name, desc.getSyntax() + ";" + + getNonNull(desc.getConstraint()) + ";" + + desc.getDescription(getLocale(req)) + ";" + + profileInput.getConfig(name)); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getOutputConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + StringTokenizer st = new StringTokenizer(id, ";"); + String profileId = st.nextToken(); + String outputId = st.nextToken(); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getOutputConfig() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + IProfileOutput profileOutput = null; + NameValuePairs nvp = new NameValuePairs(); + + profileOutput = profile.getProfileOutput(outputId); + Enumeration names = profileOutput.getConfigNames(); + + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + IDescriptor desc = profileOutput.getConfigDescriptor( + getLocale(req), name); + if (desc == null) { + nvp.add(name, ";" + ";" + profileOutput.getConfig(name)); + } else { + nvp.add(name, desc.getSyntax() + ";" + + getNonNull(desc.getConstraint()) + ";" + + desc.getDescription(getLocale(req)) + ";" + + profileOutput.getConfig(name)); + } + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void listProfileInstances(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + NameValuePairs nvp = new NameValuePairs(); + Enumeration e = mProfileSub.getProfileIds(); + + while (e.hasMoreElements()) { + String profileId = (String) e.nextElement(); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(profileId); + } catch (EBaseException e1) { + // error + } + + String status = null; + + if (mProfileSub.isProfileEnable(profileId)) { + status = "enabled"; + } else { + status = "disabled"; + } + + // mInstanceId + ";visible;" + enabled + nvp.add(profileId, profileId + ";visible;" + status); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileInstanceConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String id = req.getParameter(Constants.RS_ID); + IProfile profile = null; + + try { + profile = mProfileSub.getProfile(id); + } catch (EBaseException e1) { + CMS.debug( "ProfileAdminServlet::getProfileInstanceConfig() - " + + "profile is null!" 
); + throw new ServletException( e1.toString() ); + } + + NameValuePairs nvp = new NameValuePairs(); + + nvp.add("name", profile.getName(getLocale(req))); + nvp.add("desc", profile.getDescription(getLocale(req))); + nvp.add("visible", Boolean.toString(profile.isVisible())); + nvp.add("enable", Boolean.toString( + mProfileSub.isProfileEnable(id))); + + String authid = profile.getAuthenticatorId(); + + if (authid == null) { + nvp.add("auth", ""); + } else { + nvp.add("auth", authid); + } + CMS.debug("ProfileAdminServlet: authid=" + authid); + nvp.add("plugin", mProfileSub.getProfileClassId(id)); + + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Delete profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void deleteProfileInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + String config = null; + + ISubsystem subsystem = CMS.getSubsystem("ca"); + String subname = "ca"; + + if (subsystem == null) + subname = "ra"; + + try { + config = CMS.getConfigStore().getString("instanceRoot") + + "/profiles/" + subname + "/" + id + ".cfg"; + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + try { + mProfileSub.deleteProfile(id, config); + } catch (EProfileException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), e.toString(), id), null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + 
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + public void + putUserPWPair(String combo) { + int semicolon; + + semicolon = combo.indexOf(";"); + String user = combo.substring(0, semicolon); + String pw = combo.substring(semicolon + 1); + + CMS.putPasswordCache(user, pw); + } + + public boolean isValidId(String id) + { + for (int i = 0; i < id.length(); i++) { + char c = id.charAt(i); + if (!Character.isLetterOrDigit(c)) + return false; + } + return true; + } + + /** + * Add profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request + * @param resp HTTP servlet response + * @exception ServletException a servlet error has occurred + * @exception IOException an input/output error has occurred + */ + public void addProfileInstance(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + + // ensure that any low-level exceptions are reported + // to the signed audit log and stored as failures + try { + // Get the policy impl id and class path. + String id = req.getParameter(Constants.RS_ID); + + if (id == null || id.trim().equals("") || !isValidId(id)) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, MISSING_POLICY_INST_ID, null, resp); + return; + } + + // see if profile id already used + IProfile p = null; + + try { + p = mProfileSub.getProfile(id); + } catch (EProfileException e1) { + } + if (p != null) { + sendResponse(ERROR, POLICY_INST_ID_ALREADY_USED, null, resp); + return; + } + + String impl = req.getParameter("impl"); + String name = req.getParameter("name"); + String desc = req.getParameter("desc"); + String visible = req.getParameter("visible"); + String auth = req.getParameter("auth"); + String config = null; + + ISubsystem subsystem = CMS.getSubsystem("ca"); + String subname = "ca"; + + if (subsystem == null) + subname = "ra"; + + try { + config = CMS.getConfigStore().getString("instanceRoot") + "/profiles/" + subname + "/" + id + ".cfg"; + } catch (EBaseException e) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + IPluginInfo 
info = mRegistry.getPluginInfo("profile", impl); + + IProfile profile = null; + + // create configuration file + File configFile = new File(config); + + configFile.createNewFile(); + + // create profile + try { + profile = mProfileSub.createProfile(id, impl, + info.getClassName(), + config); + profile.setName(getLocale(req), name); + profile.setDescription(getLocale(req), name); + if (visible != null && visible.equals("true")) { + profile.setVisible(true); + } else { + profile.setVisible(false); + } + profile.setAuthenticatorId(auth); + profile.getConfigStore().commit(false); + + mProfileSub.createProfileConfig(id, impl, config); + if (profile instanceof IProfileEx) { + // populates profile specific plugins such as + // policies, inputs and outputs + ((IProfileEx)profile).populate(); + } + } catch (Exception e) { + CMS.debug("ProfileAdminServlet: " + e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + sendResponse(ERROR, null, null, resp); + return; + } + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.SUCCESS, + auditParams(req)); + + audit(auditMessage); + + sendResponse(SUCCESS, null, null, resp); + } catch (IOException eAudit1) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + auditSubjectID, + ILogger.FAILURE, + auditParams(req)); + + audit(auditMessage); + + // rethrow the specific exception to be handled later + throw eAudit1; + // } catch( ServletException eAudit2 ) { + // // store a message in the signed audit log file + // auditMessage = CMS.getLogMessage( + // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE, + // auditSubjectID, + // ILogger.FAILURE, + // auditParams( req ) ); + // + // 
audit( auditMessage ); + // + // // rethrow the specific exception to be handled later + // throw eAudit2; + } + } + + /** + * Modify profile instance + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE used when + * configuring cert profile (general settings and cert profile; obsoletes + * extensions and constraints policies) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ */
+ public void modifyProfileInstance(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException {
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ // Get the policy impl id and class path.
+ String id = req.getParameter(Constants.RS_ID);
+
+ IProfile profile = null;
+
+ try {
+ profile = mProfileSub.getProfile(id);
+ } catch (EBaseException e1) {
+ // error
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, null, null, resp);
+ return;
+ }
+ String name = req.getParameter("name");
+ String desc = req.getParameter("desc");
+ String auth = req.getParameter("auth");
+ String visible = req.getParameter("visible");
+
+ // String config = req.getParameter("config");
+
+ profile.setAuthenticatorId(auth);
+ profile.setName(getLocale(req), name);
+ profile.setDescription(getLocale(req), desc);
+ if (visible != null && visible.equals("true")) {
+ profile.setVisible(true);
+ } else {
+ profile.setVisible(false);
+ }
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ try {
+ profile.getConfigStore().commit(false);
+ } catch (Exception e) {
+ }
+
+ sendResponse(SUCCESS, null, null, resp);
+ } catch (IOException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ // } catch( ServletException eAudit2 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit2;
+ }
+ }
+
+ protected String getNonNull(String s) {
+ if (s == null)
+ return "";
+ return s;
+ }
+
+}
+
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
new file mode 100644
index 000000000..d840f6cda
--- /dev/null
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
@@ -0,0 +1,3054 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.text.*;
+import java.math.*;
+import java.security.*;
+import java.security.cert.X509Certificate;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.security.util.*;
+import netscape.ldap.*;
+import org.mozilla.jss.ssl.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.authority.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.security.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.ca.*;
+import com.netscape.certsrv.ldap.*;
+import com.netscape.certsrv.publish.*;
+import com.netscape.cmsutil.password.*;
+
+
+/**
+ * A class representing an publishing servlet for the
+ * Publishing subsystem. This servlet is responsible
+ * to serve configuration requests for the Publishing subsystem.
+ *
+ * @version $Revision$, $Date$
+ */
+public class PublisherAdminServlet extends AdminServlet {
+ public final static String PROP_AUTHORITY = "authority";
+
+ private final static String INFO = "PublisherAdminServlet";
+ private final static String PW_TAG_CA_LDAP_PUBLISHING =
+ "CA LDAP Publishing";
+ public final static String NOMAPPER = "";
+ private IPublisherProcessor mProcessor = null;
+ private IAuthority mAuth = null;
+
+ private final static String VIEW = ";" + Constants.VIEW;
+ private final static String EDIT = ";" + Constants.EDIT;
+
+ public PublisherAdminServlet() {
+ super();
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ String authority = config.getInitParameter(PROP_AUTHORITY);
+
+ if (authority != null)
+ mAuth = (IAuthority) CMS.getSubsystem(authority);
+ if (mAuth != null)
+ if (mAuth instanceof ICertificateAuthority) {
+ mProcessor = ((ICertificateAuthority) mAuth).getPublisherProcessor();
+ } else
+ throw new ServletException(authority + " does not have publishing processor!");
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves HTTP admin request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ CMS.debug("PublisherAdminServlet: in service");
+ String scope = req.getParameter(Constants.OP_SCOPE);
+ String op = req.getParameter(Constants.OP_TYPE);
+
+ if (op == null) {
+ //System.out.println("SRVLT_INVALID_PROTOCOL");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ return;
+ }
+
+ // for the rest
+ try {
+ super.authenticate(req);
+
+ if (op.equals(OpDef.OP_AUTH)) { // for admin authentication only
+ sendResponse(SUCCESS, null, null, resp);
+ return;
+ }
+ } catch (IOException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req),"CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+ try {
+ AUTHZ_RES_NAME = "certServer.publisher.configuration";
+ if (scope != null) {
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP)) {
+ getLDAPDest(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) {
+ getConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) {
+ getInstConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) {
+ getMapperConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) {
+ getMapperInstConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) {
+ getRuleConfig(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_EXTENDED_PLUGIN_INFO)) {
+ getExtendedPluginInfo(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_RULES)) {
+ getRuleInstConfig(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP)) {
+ setLDAPDest(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) {
+ modPublisherInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) {
+ modMapperInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_RULES)) {
+ modRuleInst(req, resp, scope);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_PROCESS)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_LDAP)) {
+ testSetLDAPDest(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) {
+ listPublisherPlugins(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) {
+ listPublisherInsts(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) {
+ listMapperPlugins(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) {
+ listMapperInsts(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) {
+ listRulePlugins(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_RULES)) {
+ listRuleInsts(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_ADD)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) {
+ addPublisherPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) {
+ addPublisherInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) {
+ addMapperPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) {
+ addMapperInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) {
+ addRulePlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_RULES)) {
+ addRuleInst(req, resp, scope);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_PUBLISHER_IMPLS)) {
+ delPublisherPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_PUBLISHER_RULES)) {
+ delPublisherInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_IMPLS)) {
+ delMapperPlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_MAPPER_RULES)) {
+ delMapperInst(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_IMPLS)) {
+ delRulePlugin(req, resp, scope);
+ return;
+ } else if (scope.equals(ScopeDef.SC_RULE_RULES)) {
+ delRuleInst(req, resp, scope);
+ return;
+ }
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_TYPE", op),
+ null, resp);
+ return;
+ }
+ } else {
+ //System.out.println("SRVLT_INVALID_OP_SCOPE");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ } catch (EBaseException e) {
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ }
+ //System.out.println("SRVLT_FAIL_PERFORM 2");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"),
+ null, resp);
+ return;
+ }
+
+ private IExtendedPluginInfo
getExtendedPluginInfo(IPublisherProcessor + p) { + Enumeration mappers = p.getMapperInsts().keys(); + Enumeration publishers = p.getPublisherInsts().keys(); + + StringBuffer map = new StringBuffer(); + + for (; mappers.hasMoreElements();) { + String name = (String) mappers.nextElement(); + + if (map.length()== 0) { + map.append(name); + } else { + map.append(","); + map.append(name); + } + } + StringBuffer publish = new StringBuffer(); + + for (; publishers.hasMoreElements();) { + String name = (String) publishers.nextElement(); + + publish.append(","); + publish.append(name); + } + + String epi[] = new String[] { + "type;choice(cacert,crl,certs,xcert);The certType of the request", + "mapper;choice(" + map.toString() + ");Use the mapper to find the ldap dn to publish the certificate or crl", + "publisher;choice(" + publish.toString() + ");Use the publisher to publish the certificate or crl a directory etc", + "enable;boolean;", + "predicate;string;" + }; + + return new ExtendedPluginInfo(epi); + } + + private NameValuePairs getExtendedPluginInfo(Locale locale, String implType, String implName) { + IExtendedPluginInfo ext_info = null; + Object impl = null; + + if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_PUBLISHRULE)) { + IPublisherProcessor p_processor = mProcessor; + Plugin plugin = (Plugin) p_processor.getRulePlugins().get(implName); + + // Should get the registered rules from processor + // instead of plugin + // OLD: impl = getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + impl = getExtendedPluginInfo(p_processor); + } else if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_MAPPER)) { + IPublisherProcessor p_processor = mProcessor; + Plugin plugin = (Plugin) p_processor.getMapperPlugins().get(implName + ); + + impl = getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + + } else if (implType.equals(Constants.PR_EXT_PLUGIN_IMPLTYPE_PUBLISHER) + ) { + IPublisherProcessor p_processor = mProcessor; + Plugin plugin = (Plugin) 
p_processor.getPublisherPlugins().get(implName); + + impl = getClassByNameAsExtendedPluginInfo(plugin.getClassPath()); + } + if (impl != null) { + if (impl instanceof IExtendedPluginInfo) { + ext_info = (IExtendedPluginInfo) impl; + } + } + + NameValuePairs nvps = null; + + if (ext_info == null) { + nvps = new NameValuePairs(); + } else { + nvps = convertStringArrayToNVPairs(ext_info.getExtendedPluginInfo(locale)); + } + + return nvps; + + } + + /** + * retrieve extended plugin info such as brief description, type info + * from policy, authentication, + * need to add: listener, mapper and publishing plugins + */ + private void getExtendedPluginInfo(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + int colon = id.indexOf(':'); + + String implType = id.substring(0, colon); + String implName = id.substring(colon + 1); + + NameValuePairs params = + getExtendedPluginInfo(getLocale(req), implType, implName); + + sendResponse(SUCCESS, null, params, resp); + } + + private void getLDAPDest(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + if 
(name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) + continue; + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) + continue; + if (name.equals(Constants.PR_CERT_NAMES)) { + ICryptoSubsystem jss = (ICryptoSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO); + + params.add(name, jss.getAllCerts()); + } else { + String value = ldap.getString(name, ""); + + if (value == null || value.equals("")) { + if (name.equals(ILdapBoundConnFactory.PROP_LDAPCONNINFO + "." + ILdapConnInfo.PROP_HOST)) { + value = mConfig.getString(ConfigConstants.PR_MACHINE_NAME, null); + } else if (name.equals(ILdapBoundConnFactory.PROP_LDAPCONNINFO + "." + ILdapConnInfo.PROP_PORT)) { + value = ILdapConnInfo.PROP_PORT_DEFAULT; + } else if (name.equals(ILdapBoundConnFactory.PROP_LDAPAUTHINFO + "." + ILdapAuthInfo.PROP_BINDDN)) { + value = ILdapAuthInfo.PROP_BINDDN_DEFAULT; + } + } + params.add(name, value); + } + } + params.add(Constants.PR_PUBLISHING_ENABLE, + publishcfg.getString(IPublisherProcessor.PROP_ENABLE, Constants.FALSE)); + params.add(Constants.PR_PUBLISHING_QUEUE_ENABLE, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_ENABLE, Constants.TRUE)); + params.add(Constants.PR_PUBLISHING_QUEUE_THREADS, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_THREADS, "3")); + params.add(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE, "40")); + params.add(Constants.PR_PUBLISHING_QUEUE_PRIORITY, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_PRIORITY, "0")); + params.add(Constants.PR_PUBLISHING_QUEUE_STATUS, + publishcfg.getString(Constants.PR_PUBLISHING_QUEUE_STATUS, "200")); + params.add(Constants.PR_ENABLE, + ldapcfg.getString(IPublisherProcessor.PROP_ENABLE, Constants.FALSE)); + sendResponse(SUCCESS, null, params, 
resp); + } + + private void setLDAPDest(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + //Save New Settings to the config file + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + //set enable flag + publishcfg.putString(IPublisherProcessor.PROP_ENABLE, req.getParameter(Constants.PR_PUBLISHING_ENABLE)); + String enable = req.getParameter(Constants.PR_ENABLE); + + ldapcfg.putString(IPublisherProcessor.PROP_ENABLE, enable); + if (enable.equals("false")) { + // need to disable the ldap module here + mProcessor.setLdapConnModule(null); + } + + //set reset of the parameters + Enumeration e = req.getParameterNames(); + String pwd = null; + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + // don't store password in the config file. + if (name.equals(Constants.PR_BIND_PASSWD)) + continue; // old style password read from config. 
+ if (name.equals(Constants.PR_DIRECTORY_MANAGER_PWD)) { + pwd = req.getParameter(name); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + + /* Don't enter the publishing pw into the config store */ + ldap.putString(name, req.getParameter(name)); + } + + commit(true); + + /* Do a "PUT" of the new pw to the watchdog" + ** do not remove - cfu + if (pwd != null) + CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd); + */ + + // support publishing dirsrv with different pwd than internaldb + // update passwordFile + String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT); + IPasswordStore pwdStore = CMS.getPasswordStore(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): saving password for "+ prompt + " to password file"); + pwdStore.putPassword(prompt, pwd); + pwdStore.commit(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): password saved"); + +/* we'll shut down and restart the PublisherProcessor instead + // what a hack to do this without require restart server +// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + ILdapConnModule connModule = mProcessor.getLdapConnModule(); + ILdapAuthInfo authInfo = null; + if (connModule != null) { + authInfo = connModule.getLdapAuthInfo(); + } + +// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd); + if (authInfo != null) { + CMS.debug("PublisherAdminServlet: setLDAPDest(): adding password to memory 
cache"); + authInfo.addPassword(prompt, pwd); + } else + CMS.debug("PublisherAdminServlet: setLDAPDest(): authInfo null"); +*/ + + try { + CMS.debug("PublisherAdminServlet: setLDAPDest(): restarting publishing processor"); + mProcessor.shutdown(); + mProcessor.startup(); + CMS.debug("PublisherAdminServlet: setLDAPDest(): publishing processor restarted"); + } catch (Exception ex) { + // force to save the config even there is error + // ignore any exception + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_RES_LDAP", ex.toString())); + } + + //XXX See if we can dynamically in B2 + sendResponse(SUCCESS, null, null, resp); + } + + private void testSetLDAPDest(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + CMS.debug("PublisherAdmineServlet: in testSetLDAPDest"); + //Save New Settings to the config file + IConfigStore config = mAuth.getConfigStore(); + IConfigStore publishcfg = config.getSubStore(IPublisherProcessor.PROP_PUBLISH_SUBSTORE); + IConfigStore ldapcfg = publishcfg.getSubStore(IPublisherProcessor.PROP_LDAP_PUBLISH_SUBSTORE); + IConfigStore ldap = ldapcfg.getSubStore(IPublisherProcessor.PROP_LDAP); + + //set enable flag + publishcfg.putString(IPublisherProcessor.PROP_ENABLE, + req.getParameter(Constants.PR_PUBLISHING_ENABLE)); + String ldapPublish = req.getParameter(Constants.PR_ENABLE); + + ldapcfg.putString(IPublisherProcessor.PROP_ENABLE, ldapPublish); + if (ldapPublish.equals("false")) { + // need to disable the ldap module here + mProcessor.setLdapConnModule(null); + } + + //set reset of the parameters + Enumeration e = req.getParameterNames(); + String pwd = null; + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + 
continue; + if (name.equals(Constants.PR_PUBLISHING_ENABLE)) + continue; + // don't store password in the config file. + if (name.equals(Constants.PR_BIND_PASSWD)) + continue; // old style password read from config. + if (name.equals(Constants.PR_DIRECTORY_MANAGER_PWD)) { + pwd = req.getParameter(name); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_ENABLE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_THREADS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PAGE_SIZE)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_PRIORITY)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + if (name.equals(Constants.PR_PUBLISHING_QUEUE_STATUS)) { + publishcfg.putString(name, req.getParameter(name)); + continue; + } + + /* Don't enter the publishing pw into the config store */ + ldap.putString(name, req.getParameter(name)); + } + + // test before commit + if (publishcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) && + ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + params.add("title", + "You've attempted to configure CMS to connect" + + " to a LDAP directory. 
The connection status is" + + " as follows:\n \n"); + LDAPConnection conn = null; + ILdapConnInfo connInfo = + CMS.getLdapConnInfo(ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPCONNINFO)); + //LdapAuthInfo authInfo = + //new LdapAuthInfo(ldap.getSubStore( + // ILdapBoundConnFactory.PROP_LDAPAUTHINFO)); + String host = connInfo.getHost(); + int port = connInfo.getPort(); + boolean secure = connInfo.getSecure(); + //int authType = authInfo.getAuthType(); + String authType = ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString(ILdapAuthInfo.PROP_LDAPAUTHTYPE); + int version = connInfo.getVersion(); + String bindAs = null; + String certNickName = null; + + if (authType.equals(ILdapAuthInfo.LDAP_SSLCLIENTAUTH_STR)) { + try { + //certNickName = authInfo.getParms()[0]; + certNickName = ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString(ILdapAuthInfo.PROP_CLIENTCERTNICKNAME); + conn = new LDAPConnection(CMS.getLdapJssSSLSocketFactory( + certNickName)); + CMS.debug("Publishing Test certNickName=" + certNickName); + params.add(Constants.PR_CONN_INITED, + "Create ssl LDAPConnection with certificate: " + + certNickName + dashes(70 - 44 - certNickName.length()) + " Success"); + } catch (Exception ex) { + params.add(Constants.PR_CONN_INIT_FAIL, + "Create ssl LDAPConnection with certificate: " + + certNickName + dashes(70 - 44 - certNickName.length()) + " failure\n" + " exception: " + ex); + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + conn.connect(host, port); + params.add(Constants.PR_CONN_OK, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + " Success"); + params.add(Constants.PR_AUTH_OK, + "Authentication: SSL client authentication" + + dashes(70 - 41) + " 
Success" + + "\nBind to the directory as: " + certNickName + + dashes(70 - 26 - certNickName.length()) + " Success"); + } catch (LDAPException ex) { + if (ex.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + params.add(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure\n" + + " error: server unavailable"); + } else { + params.add(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + + " Failure"); + } + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } else { + try { + if (secure) { + conn = new LDAPConnection( + CMS.getLdapJssSSLSocketFactory()); + params.add(Constants.PR_CONN_INITED, + "Create ssl LDAPConnection" + + dashes(70 - 25) + " Success"); + } else { + conn = new LDAPConnection(); + params.add(Constants.PR_CONN_INITED, + "Create LDAPConnection" + + dashes(70 - 21) + " Success"); + } + } catch (Exception ex) { + params.add(Constants.PR_CONN_INIT_FAIL, + "Create LDAPConnection" + + dashes(70 - 21) + " Failure\n" + + "exception: " + ex); + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + conn.connect(host, port); + params.add(Constants.PR_CONN_OK, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + " Success"); + } catch (LDAPException ex) { + if 
(ex.getLDAPResultCode() == LDAPException.UNAVAILABLE) { + // need to intercept this because message from LDAP is + // "DSA is unavailable" which confuses with DSA PKI. + params.add(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + " Failure" + + "\nerror: server unavailable"); + } else { + params.add(Constants.PR_CONN_FAIL, + "Connect to directory server " + + host + " at port " + port + + dashes(70 - 37 - host.length() - (Integer.valueOf(port)).toString().length()) + " Failure" + + "\nexception: " + ex); + } + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + try { + //bindAs = authInfo.getParms()[0]; + bindAs = ldap.getSubStore( + ILdapBoundConnFactory.PROP_LDAPAUTHINFO).getString(ILdapAuthInfo.PROP_BINDDN); + conn.authenticate(version, bindAs, pwd); + params.add(Constants.PR_AUTH_OK, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Success" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + " Success"); + } catch (LDAPException ex) { + if (ex.getLDAPResultCode() == + LDAPException.NO_SUCH_OBJECT) { + params.add(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + "Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + "Failure" + "\nThe object doesn't exist. " + + "Please correct the value assigned in the" + + " \"Directory manager DN\" field."); + } else if (ex.getLDAPResultCode() == + LDAPException.INVALID_CREDENTIALS) { + params.add(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + " Failure" + "\nInvalid password. 
" + + "Please correct the value assigned in the" + + " \"Password\" field."); + } else { + params.add(Constants.PR_AUTH_FAIL, + "Authentication: Basic authentication" + + dashes(70 - 36) + " Failure" + + "\nBind to the directory as: " + bindAs + + dashes(70 - 26 - bindAs.length()) + + " Failure"); + } + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "LDAP publishing will fail.\n" + + "Do you want to save the configuration anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } + + } + + //commit(true); + if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE) && + pwd != null) { + + /* Do a "PUT" of the new pw to the watchdog" + ** do not remove - cfu + CMS.putPasswordCache(PW_TAG_CA_LDAP_PUBLISHING, pwd); + */ + + // support publishing dirsrv with different pwd than internaldb + // update passwordFile + String prompt = ldap.getString(Constants.PR_BINDPWD_PROMPT); + IPasswordStore pwdStore = CMS.getPasswordStore(); + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): saving password for "+ + prompt + " to password file"); + pwdStore.putPassword(prompt, pwd); + pwdStore.commit(); + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): password saved"); +/* we'll shut down and restart the PublisherProcessor instead + // what a hack to do this without require restart server +// ILdapAuthInfo authInfo = CMS.getLdapAuthInfo(); + ILdapConnModule connModule = mProcessor.getLdapConnModule(); + ILdapAuthInfo authInfo = null; + if (connModule != null) { + authInfo = connModule.getLdapAuthInfo(); + } else + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): connModule null"); + +// authInfo.addPassword(PW_TAG_CA_LDAP_PUBLISHING, pwd); + if (authInfo != null) { + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): adding password to memory cache"); + authInfo.addPassword(prompt, pwd); + } else + CMS.debug("PublisherAdminServlet: testSetLDAPDest(): authInfo null"); +*/ + } + //params.add(Constants.PR_SAVE_OK, + // "\n 
\nConfiguration changes are now committed."); + + mProcessor.shutdown(); + + if (publishcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + mProcessor.startup(); + //params.add("restarted", "Publishing is restarted."); + + if (ldapcfg.getBoolean(IPublisherProcessor.PROP_ENABLE)) { + ICertAuthority authority = (ICertAuthority) mProcessor.getAuthority(); + + if (!(authority instanceof ICertificateAuthority)) + return; + ICertificateAuthority ca = (ICertificateAuthority) authority; + + // publish ca cert + try { + mProcessor.publishCACert(ca.getCACert()); + CMS.debug("PublisherAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_PUB_CA_CERT")); + params.add("publishCA", + "CA certificate is published."); + } catch (Exception ex) { + // exception not thrown - not seen as a fatal error. + log(ILogger.LL_FAILURE, + CMS.getLogMessage("ADMIN_SRVLT_NO_PUB_CA_CERT", ex.toString())); + params.add("publishCA", + "Failed to publish CA certificate."); + int index = ex.toString().indexOf("Failed to create CA"); + + if (index > -1) { + params.add("createError", + ex.toString().substring(index)); + } + mProcessor.shutdown(); + // Do you want to enable LDAP publishing anyway + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "the CA certificate won't be published.\n" + + "Do you want to enable LDAP publishing anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + + } + // publish crl + try { + CMS.debug("PublisherAdminServlet: about to update CRL"); + ca.publishCRLNow(); + CMS.debug(CMS.getLogMessage("ADMIN_SRVLT_PUB_CRL")); + params.add("publishCRL", + "CRL is published."); + } catch (Exception ex) { + // exception not thrown - not seen as a fatal error. 
+ log(ILogger.LL_FAILURE, + "Could not publish crl " + ex.toString()); + params.add("publishCRL", + "Failed to publish CRL."); + mProcessor.shutdown(); + // Do you want to enable LDAP publishing anyway + params.add(Constants.PR_SAVE_NOT, + "\n \nIf the problem is not fixed then " + + "the CRL won't be published.\n" + + "Do you want to enable LDAP publishing anyway?"); + sendResponse(SUCCESS, null, params, resp); + return; + } + } + commit(true); + params.add(Constants.PR_SAVE_OK, + "\n \nConfiguration changes are now committed."); + params.add("restarted", "Publishing is restarted."); + } else { + commit(true); + params.add(Constants.PR_SAVE_OK, + "\n \nConfiguration changes are now committed."); + params.add("stopped", + "Publishing is stopped."); + } + + //XXX See if we can dynamically in B2 + sendResponse(SUCCESS, null, params, resp); + } + + private synchronized void addMapperPlugin(HttpServletRequest req, + HttpServletResponse resp, String scope) + throws ServletException, IOException, EBaseException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + //System.out.println("SRVLT_NULL_RS_ID"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + // is the manager id unique? + if (mProcessor.getMapperPlugins().containsKey((Object) id)) { + sendResponse(ERROR, + new ELdapException(CMS.getUserMessage(getLocale(req),"CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id)).toString(), + null, resp); + return; + } + + String classPath = req.getParameter(Constants.PR_MAPPER_CLASS); + + if (classPath == null) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req),"CMS_LDAP_SRVLT_NULL_CLASS"), null, resp); + return; + } + + IConfigStore destStore = null; + + destStore = mConfig.getSubStore(mAuth.getId() + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("impl"); + + // Does the class exist? 
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ }
+
+ // is the class an ILdapMapper?
+ try {
+ if (ILdapMapper.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_MAPPER_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add mapper to registry.
+ MapperPlugin plugin = new MapperPlugin(id, classPath);
+
+ mProcessor.getMapperPlugins().put(id, plugin);
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_MAPPER_ADDED", ""));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private boolean isValidID(String id) {
+ if (id == null)
+ return false;
+ for (int i = 0; i < id.length(); i++) {
+ if (!Character.isLetterOrDigit(id.charAt(i)))
+ return false;
+ }
+ return true;
+ }
+
+ private synchronized void addMapperInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (!isValidID(id)) {
+ sendResponse(ERROR, "Invalid ID '" + id + "'",
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getMapperInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ String implname = req.getParameter(
+ Constants.PR_MAPPER_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // check if implementation exists.
+ MapperPlugin plugin =
+ (MapperPlugin) mProcessor.getMapperPlugins().get(
+ implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new EMapperPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getMapperDefaultParams(implname);
+
+ IConfigStore destStore = mConfig.getSubStore(mAuth.getId() + ".publish.mapper");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String val = req.getParameter(kv.substring(0, index));
+
+ if (val == null) {
+ substore.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ } else {
+ substore.put(kv.substring(0, index),
+ val);
+ }
+ }
+ }
+ substore.put("pluginName", implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ ILdapMapper mapperInst = null;
+
+ try {
+ mapperInst = (ILdapMapper) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the mapper
+ try {
+ mapperInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // inited and commited ok. now add mapper instance to list.
+ mProcessor.getMapperInsts().put(id, new MapperProxy(true, mapperInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_MAPPER_INST_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_MAPPER_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listMapperPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getMapperPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ MapperPlugin value = (MapperPlugin)
+ mProcessor.getMapperPlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc = "unknown";
+
+ try {
+ ILdapMapper lp = (ILdapMapper)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ sendResponse(ERROR, exp.toString(), null,
+ resp);
+ return;
+ }
+ params.add(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getMapperPluginName(ILdapMapper mapper) {
+ IConfigStore cs = mapper.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ private synchronized void listMapperInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getMapperInsts().keys();
+
+ for (; e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILdapMapper value = mProcessor.getMapperInstance(name);
+
+ params.add(name, getMapperPluginName(value) + ";visible");
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delMapperInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does a`mapper instance exist?
+ if (mProcessor.getMapperInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EMapperNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ ILdapMapper mapperInst = (ILdapMapper)
+ mProcessor.getMapperInstance(id);
+
+ mProcessor.getMapperInsts().remove((Object) id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.mapper");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delMapperPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getMapperPlugins().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EMapperPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this mapper
+ // DON'T remove mapper if any instance
+ for (Enumeration e = mProcessor.getMapperInsts().keys();
+ e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILdapMapper mapper = mProcessor.getMapperInstance(name);
+
+ if (id.equals(getMapperPluginName(mapper))) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp);
+ return;
+ }
+ }
+
+ // then delete this mapper
+ mProcessor.getMapperPlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.mapper");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void getMapperConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getMapperDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.add(Constants.PR_MAPPER_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getMapperInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does mapper instance exist?
+ if (mProcessor.getMapperInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EMapperNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ ILdapMapper mapperInst = (ILdapMapper)
+ mProcessor.getMapperInstance(id);
+ Vector configParams = mapperInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_MAPPER_IMPL_NAME,
+ getMapperPluginName(mapperInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void modMapperInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mProcessor.getMapperInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_MAPPER_IMPL_NAME); + + if (implname == null) { + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp); + return; + } + // get plugin for implementation + MapperPlugin plugin = + (MapperPlugin) mProcessor.getMapperPlugins().get(implname); + + if (plugin == null) { + sendResponse(ERROR, + new EMapperPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_MAPPER_PLUGIN_NOT_FOUND", implname)).toString(), + null, resp); + return; + } + + // save old instance substore params in case new one fails. + + ILdapMapper oldinst = + (ILdapMapper) mProcessor.getMapperInstance(id); + Vector oldConfigParms = oldinst.getInstanceParams(); + NameValuePairs saveParams = new NameValuePairs(); + + // implName is always required so always include it it. + saveParams.add("pluginName", implname); + if (oldConfigParms != null) { + for (int i = 0; i < oldConfigParms.size(); i++) { + String kv = (String) oldConfigParms.elementAt(i); + int index = kv.indexOf('='); + + saveParams.add(kv.substring(0, index), + kv.substring(index + 1)); + } + } + + // on to the new instance. + + // remove old substore. + + IConfigStore destStore = + mConfig.getSubStore(mAuth.getId() + + ".publish.mapper"); + IConfigStore instancesConfig = destStore.getSubStore("instance"); + + // create new substore. 
+
+ Vector configParams = mProcessor.getMapperInstanceParams(id);
+
+ instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if (val != null) {
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILdapMapper newMgrInst = null;
+
+ try {
+ newMgrInst = (ILdapMapper)
+ Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+ // initialize the mapper
+
+ try {
+ newMgrInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(getLocale(req)), null,
+ resp);
+ return;
+ } catch (Throwable e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(), null,
+ resp);
+ return;
+ }
+
+ // initialized ok. commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mProcessor.getMapperInsts().put(id, new MapperProxy(true, newMgrInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_MAPPER_REPLACED", id));
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addRulePlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the rule id unique?
+ if (mProcessor.getRulePlugins().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage("CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id)).toString(getLocale(req)),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_RULE_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR, CMS.getUserMessage("CMS_LDAP_SRVLT_NULL_CLASS"), null, resp);
+ return;
+ }
+
+ IConfigStore destStore = null;
+
+ destStore = mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ }
+
+ // is the class an ILdapRule?
+ try {
+ if (ILdapRule.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_RULE_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add rule to registry.
+ RulePlugin plugin = new RulePlugin(id, classPath);
+
+ mProcessor.getRulePlugins().put(id, plugin);
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_PLUG_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ if (!isValidID(id)) {
+ sendResponse(ERROR, "Invalid ID '" + id + "'",
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getRuleInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ String implname = req.getParameter(
+ Constants.PR_RULE_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // check if
implementation exists.
+ RulePlugin plugin =
+ (RulePlugin) mProcessor.getRulePlugins().get(
+ implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() +
+ ".publish.rule");
+ IConfigStore instancesConfig =
+ destStore.getSubStore("instance");
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String val = req.getParameter(kv.substring(0, index));
+
+ if (val == null) {
+ substore.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ } else {
+ if (val.equals(NOMAPPER))
+ val = "";
+ substore.put(kv.substring(0, index),
+ val);
+ }
+ }
+ }
+ substore.put("pluginName", implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ ILdapRule ruleInst = null;
+
+ try {
+ ruleInst = (ILdapRule) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the rule
+
try {
+ ruleInst.init(mProcessor, substore);
+ ruleInst.setInstanceName(id);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ // inited and commited ok. now add manager instance to list.
+ mProcessor.getRuleInsts().put(id, ruleInst);
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_INST_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_RULE_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listRulePlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getRulePlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ RulePlugin value = (RulePlugin)
+ mProcessor.getRulePlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc = "unknown";
+
+ try {
+ ILdapRule lp = (ILdapRule)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ }
+ params.add(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listRuleInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String insts = null;
+ Enumeration e = mProcessor.getRuleInsts().keys();
+
+ for (; e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILdapRule value = (ILdapRule)
+ mProcessor.getRuleInsts().get((Object) name);
+ String enabled = value.enabled() ? "enabled" : "disabled";
+
+ params.add(name, value.getInstanceName() + ";visible;" + enabled);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ public String getRulePluginName(ILdapRule rule) {
+ IConfigStore cs = rule.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ private synchronized void delRulePlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does rule exist?
+ if (mProcessor.getRulePlugins().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERulePluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_PLUGIN_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this rule
+ // DON'T remove rule if any instance
+ for (Enumeration e = mProcessor.getRuleInsts().elements();
+ e.hasMoreElements();) {
+ ILdapRule rule = (ILdapRule)
+ e.nextElement();
+
+ if (id.equals(getRulePluginName(rule))) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp);
+ return;
+ }
+ }
+
+ // then delete this rule
+ mProcessor.getRulePlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".rule");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // prevent deletion of admin and agent.
+
+ // does rule instance exist?
+ if (mProcessor.getRuleInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERuleNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ ILdapRule ruleInst = (ILdapRule)
+ mProcessor.getRuleInsts().get(id);
+
+ mProcessor.getRuleInsts().remove((Object) id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void getRuleConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.add(Constants.PR_RULE_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getRuleInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does rule instance exist?
+ if (mProcessor.getRuleInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new ERuleNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_RULE_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ ILdapRule ruleInst = (ILdapRule)
+ mProcessor.getRuleInsts().get(id);
+ Vector configParams = ruleInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_RULE_IMPL_NAME,
+ getRulePluginName(ruleInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void modRuleInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mProcessor.getRuleInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_RULE_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // get plugin for implementation
+ RulePlugin plugin =
+ (RulePlugin) mProcessor.getRulePlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ //new ERulePluginNotFound(implname).toString(getLocale(req)),
+ "",
+ null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ ILdapRule oldinst =
+ (ILdapRule) mProcessor.getRuleInsts().get((Object) id);
+ Vector oldConfigParms = oldinst.getInstanceParams();
+ NameValuePairs saveParams = new NameValuePairs();
+
+ // implName is always required so always include it it.
+ saveParams.add("pluginName", implname);
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.size(); i++) {
+ String kv = (String) oldConfigParms.elementAt(i);
+ int index = kv.indexOf('=');
+
+ saveParams.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore(
+ mAuth.getId() + ".publish.rule");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ // create new substore.
+
+ Vector configParams = mProcessor.getRuleDefaultParams(implname);
+
+ instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if (val == null) {
+ substore.put(key,
+ kv.substring(index + 1));
+ } else {
+ if (val.equals(NOMAPPER))
+ val = "";
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILdapRule newRuleInst = null;
+
+ try {
+ newRuleInst = (ILdapRule) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the rule
+
+ try {
+ newRuleInst.init(mProcessor, substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // initialized ok.
commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ restore(instancesConfig, id, saveParams);
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // commited ok. replace instance.
+
+ mProcessor.getRuleInsts().put(id, newRuleInst);
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_RULE_INST_REP", id));
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addPublisherPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // is the manager id unique?
+ if (mProcessor.getPublisherPlugins().containsKey((Object) id)) {
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_PLUGIN_ID", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ String classPath = req.getParameter(Constants.PR_PUBLISHER_CLASS);
+
+ if (classPath == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req),"CMS_LDAP_SRVLT_NULL_CLASS"), null, resp);
+ return;
+ }
+
+ IConfigStore destStore = null;
+
+ destStore = mConfig.getSubStore(
+ mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ // Does the class exist?
+ Class newImpl = null;
+
+ try {
+ newImpl = Class.forName(classPath);
+ } catch (ClassNotFoundException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ } catch (IllegalArgumentException e) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_NO_CLASS"), null, resp);
+ return;
+ }
+
+ // is the class an ILdapPublisher?
+ try {
+ if (ILdapPublisher.class.isAssignableFrom(newImpl) == false) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+ } catch (NullPointerException e) { // unlikely, only if newImpl null.
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_CLASS", classPath), null, resp);
+ return;
+ }
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put(Constants.PR_PUBLISHER_CLASS, classPath);
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // add publisher to registry.
+ PublisherPlugin plugin = new PublisherPlugin(id, classPath);
+
+ mProcessor.getPublisherPlugins().put(id, plugin);
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PUB_PLUG_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void addPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (!isValidID(id)) {
+ sendResponse(ERROR, "Invalid ID '" + id + "'",
+ null, resp);
+ return;
+ }
+
+ if (mProcessor.getPublisherInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get required parameters
+ String implname = req.getParameter(
+ Constants.PR_PUBLISHER_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // check if implementation exists.
+ PublisherPlugin plugin =
+ (PublisherPlugin) mProcessor.getPublisherPlugins().get(
+ implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getPublisherDefaultParams(implname);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String val = null;
+
+ if (index == -1) {
+ val = req.getParameter(kv);
+ } else {
+ val = req.getParameter(kv.substring(0, index));
+ }
+ if (val == null) {
+ if (index == -1) {
+ substore.put(kv, "");
+ } else {
+ substore.put(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ } else {
+ if (index == -1) {
+ substore.put(kv, val);
+ } else {
+ substore.put(kv.substring(0, index),
+ val);
+ }
+ }
+ }
+ }
+ substore.put("pluginName", implname);
+
+ // Instantiate an object for this implementation
+ String className = plugin.getClassPath();
+ ILdapPublisher publisherInst = null;
+
+ try {
+ publisherInst = (ILdapPublisher) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ instancesConfig.removeSubStore(id);
+
sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the publisher
+ try {
+ publisherInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+ return;
+ } catch (Throwable e) {
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR, e.toString(), null, resp);
+ return;
+ }
+
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ // clean up.
+ instancesConfig.removeSubStore(id);
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // inited and commited ok. now add manager instance to list.
+ mProcessor.getPublisherInsts().put(id, new PublisherProxy(true, publisherInst));
+
+ mProcessor.log(ILogger.LL_INFO,
+ CMS.getLogMessage("ADMIN_SRVLT_PUB_INST_ADDED", id));
+
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_PUBLISHER_IMPL_NAME, implname);
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void listPublisherPlugins(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ Enumeration e = mProcessor.getPublisherPlugins().keys();
+
+ while (e.hasMoreElements()) {
+ String name = (String) e.nextElement();
+ PublisherPlugin value = (PublisherPlugin)
+ mProcessor.getPublisherPlugins().get(name);
+ // get Description
+ String c = value.getClassPath();
+ String desc = "unknown";
+
+ try {
+ ILdapPublisher lp = (ILdapPublisher)
+ Class.forName(c).newInstance();
+
+ desc = lp.getDescription();
+ } catch (Exception exp) {
+ }
+ params.add(name, value.getClassPath() + "," + desc);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+
return;
+ }
+
+ public String getPublisherPluginName(ILdapPublisher pub) {
+ IConfigStore cs = pub.getConfigStore();
+
+ try {
+ return cs.getString("pluginName", "");
+ } catch (EBaseException e) {
+ return "";
+ }
+ }
+
+ private synchronized void listPublisherInsts(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String insts = null;
+ Enumeration e = mProcessor.getPublisherInsts().keys();
+
+ for (; e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILdapPublisher value = mProcessor.getPublisherInstance(name);
+
+ if (value == null)
+ continue;
+ params.add(name, getPublisherPluginName(value) + ";visible");
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delPublisherPlugin(HttpServletRequest req,
+ HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does publisher exist?
+ if (mProcessor.getPublisherPlugins().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // first check if any instances from this publisher
+ // DON'T remove publisher if any instance
+ for (Enumeration e = mProcessor.getPublisherInsts().keys();
+ e.hasMoreElements();) {
+ String name = (String) e.nextElement();
+ ILdapPublisher publisher =
+ mProcessor.getPublisherInstance(name);
+
+ if (id.equals(getPublisherPluginName(publisher))) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_IN_USE"), null, resp);
+ return;
+ }
+ }
+
+ // then delete this publisher
+ mProcessor.getPublisherPlugins().remove((Object) id);
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("impl");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ private synchronized void delPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // prevent deletion of admin and agent.
+
+ // does publisher instance exist?
+ if (mProcessor.getPublisherInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EPublisherNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ // only remove from memory
+ // cannot shutdown because we don't keep track of whether it's
+ // being used.
+ ILdapPublisher publisherInst = mProcessor.getPublisherInstance(id);
+
+ mProcessor.getPublisherInsts().remove((Object) id);
+
+ // remove the configuration.
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ instancesConfig.removeSubStore(id);
+ // commiting
+ try {
+ mConfig.commit(true);
+ } catch (EBaseException e) {
+ //System.out.println("SRVLT_FAIL_COMMIT");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"),
+ null, resp);
+ return;
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * used for getting the required configuration parameters (with
+ * possible default values) for a particular plugin
+ * implementation name specified in the RS_ID. Actually, there is
+ * no logic in here to set any default value here...there's no
+ * default value for any parameter in this publishing subsystem
+ * at this point. Later, if we do have one (or some), it can be
+ * added. The interface remains the same.
+ */
+ private synchronized void getConfig(HttpServletRequest req,
+ HttpServletResponse resp)
+ throws ServletException, IOException, EBaseException {
+
+ String implname = req.getParameter(Constants.RS_ID);
+
+ if (implname == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ Vector configParams = mProcessor.getPublisherDefaultParams(implname);
+ NameValuePairs params = new NameValuePairs();
+
+ // implName is always required so always send it.
+ params.add(Constants.PR_PUBLISHER_IMPL_NAME, "");
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ if (index == -1) {
+ params.add(kv, "");
+ } else {
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ }
+ sendResponse(0, null, params, resp);
+ return;
+ }
+
+ private synchronized void getInstConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // does publisher instance exist?
+ if (mProcessor.getPublisherInsts().containsKey(id) == false) {
+ sendResponse(ERROR,
+ new EPublisherNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_NOT_FOUND", id)).toString(),
+ null, resp);
+ return;
+ }
+
+ ILdapPublisher publisherInst = (ILdapPublisher)
+ mProcessor.getPublisherInstance(id);
+ Vector configParams = publisherInst.getInstanceParams();
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_PUBLISHER_IMPL_NAME,
+ getPublisherPluginName(publisherInst));
+ // implName is always required so always send it.
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+
+ params.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Modify publisher instance.
+ * This will actually create a new instance with new configuration
+ * parameters and replace the old instance, if the new instance
+ * created and initialized successfully.
+ * The old instance is left running. so this is very expensive.
+ * Restart of server recommended.
+ */
+ private synchronized void modPublisherInst(HttpServletRequest req,
+ HttpServletResponse resp, String scope)
+ throws ServletException, IOException, EBaseException {
+
+ // expensive operation.
+
+ String id = req.getParameter(Constants.RS_ID);
+
+ if (id == null) {
+ //System.out.println("SRVLT_NULL_RS_ID");
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // Does the manager instance exist?
+ if (!mProcessor.getPublisherInsts().containsKey((Object) id)) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ILL_INST_ID", id),
+ null, resp);
+ return;
+ }
+
+ // get new implementation (same or different.)
+ String implname = req.getParameter(Constants.PR_PUBLISHER_IMPL_NAME);
+
+ if (implname == null) {
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_LDAP_SRVLT_ADD_MISSING_PARAMS"), null, resp);
+ return;
+ }
+
+ // get plugin for implementation
+ PublisherPlugin plugin =
+ (PublisherPlugin) mProcessor.getPublisherPlugins().get(implname);
+
+ if (plugin == null) {
+ sendResponse(ERROR,
+ new EPublisherPluginNotFound(CMS.getUserMessage(getLocale(req), "CMS_LDAP_PUBLISHER_PLUGIN_NOT_FOUND", implname)).toString(),
+ null, resp);
+ return;
+ }
+
+ // save old instance substore params in case new one fails.
+
+ ILdapPublisher oldinst = mProcessor.getPublisherInstance(id);
+ Vector oldConfigParms = oldinst.getInstanceParams();
+ NameValuePairs saveParams = new NameValuePairs();
+ String pubType = "";
+
+ // implName is always required so always include it it.
+ saveParams.add("pluginName", implname);
+ if (oldConfigParms != null) {
+ for (int i = 0; i < oldConfigParms.size(); i++) {
+ String kv = (String) oldConfigParms.elementAt(i);
+ int index = kv.indexOf('=');
+ if (index > -1) {
+ if (kv.substring(0, index).equalsIgnoreCase("caObjectClass")) {
+ pubType = "cacert";
+ } else if (kv.substring(0, index).equalsIgnoreCase("crlObjectClass")) {
+ pubType = "crl";
+ }
+
+ saveParams.add(kv.substring(0, index),
+ kv.substring(index + 1));
+ }
+ }
+ }
+
+ // on to the new instance.
+
+ // remove old substore.
+
+ IConfigStore destStore =
+ mConfig.getSubStore(mAuth.getId() + ".publish.publisher");
+ IConfigStore instancesConfig = destStore.getSubStore("instance");
+
+ // get objects added and deleted
+ if (pubType.equals("cacert")) {
+ saveParams.add("caObjectClassAdded", instancesConfig.getString(id + ".caObjectClassAdded", ""));
+ saveParams.add("caObjectClassDeleted", instancesConfig.getString(id + ".caObjectClassDeleted", ""));
+ } else if (pubType.equals("crl")) {
+ saveParams.add("crlObjectClassAdded", instancesConfig.getString(id + ".crlObjectClassAdded", ""));
+ saveParams.add("crlObjectClassDeleted", instancesConfig.getString(id + ".crlObjectClassDeleted", ""));
+ }
+
+ // create new substore.
+
+ Vector configParams = mProcessor.getPublisherInstanceParams(id);
+
+ instancesConfig.removeSubStore(id);
+
+ IConfigStore substore = instancesConfig.makeSubStore(id);
+
+ substore.put("pluginName", implname);
+ if (configParams != null) {
+ for (int i = 0; i < configParams.size(); i++) {
+ String kv = (String) configParams.elementAt(i);
+ int index = kv.indexOf('=');
+ String key = kv.substring(0, index);
+ String val = req.getParameter(key);
+
+ if (val != null) {
+ substore.put(key, val);
+ }
+ }
+ }
+
+ // process any changes to the ldap object class definitions
+ if (pubType.equals("cacert")) {
+ processChangedOC(saveParams, substore, "caObjectClass");
+ substore.put("pubtype", "cacert");
+ }
+
+ if (pubType.equals("crl")) {
+ processChangedOC(saveParams, substore, "crlObjectClass");
+ substore.put("pubtype", "crl");
+ }
+
+ // Instantiate an object for new implementation
+
+ String className = plugin.getClassPath();
+ ILdapPublisher newMgrInst = null;
+
+ try {
+ newMgrInst = (ILdapPublisher) Class.forName(className).newInstance();
+ } catch (ClassNotFoundException e) {
+ // cleanup
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (InstantiationException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ } catch (IllegalAccessException e) {
+ restore(instancesConfig, id, saveParams);
+ sendResponse(ERROR,
+ new ELdapException(CMS.getUserMessage(getLocale(req), "CMS_LDAP_FAIL_LOAD_CLASS", className)).toString(),
+ null, resp);
+ return;
+ }
+
+ // initialize the publisher
+
+ try {
+ newMgrInst.init(substore);
+ } catch (EBaseException e) {
+ // don't commit in this case and cleanup the new substore.
+ restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(getLocale(req)), null, resp); + return; + } catch (Throwable e) { + restore(instancesConfig, id, saveParams); + sendResponse(ERROR, e.toString(), null, resp); + return; + } + + // initialized ok. commiting + try { + mConfig.commit(true); + } catch (EBaseException e) { + // clean up. + restore(instancesConfig, id, saveParams); + //System.out.println("SRVLT_FAIL_COMMIT"); + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_COMMIT_FAILED"), + null, resp); + return; + } + + // commited ok. replace instance. + + mProcessor.getPublisherInsts().put(id, new PublisherProxy(true, newMgrInst)); + + mProcessor.log(ILogger.LL_INFO, + CMS.getLogMessage("ADMIN_SRVLT_PUB_INST_REP", id)); + + NameValuePairs params = new NameValuePairs(); + + sendResponse(SUCCESS, null, params, resp); + return; + } + + // convenience function - takes list1, list2. Returns what is in list1 + // but not in list2 + private String[] getExtras(String[] list1, String[] list2) { + Vector extras = new Vector(); + for (int i=0; i< list1.length; i++) { + boolean match=false; + for (int j=0; j < list2.length; j++) { + if ((list1[i].trim()).equalsIgnoreCase(list2[j].trim())) { + match = true; + break; + } + } + if (!match) extras.add(list1[i].trim()); + } + + return (String[])extras.toArray(new String[extras.size()]); + } + + // convenience function - takes list1, list2. Concatenates the two + // lists removing duplicates + private String[] joinLists(String[] list1, String[] list2) { + Vector sum = new Vector(); + for (int i=0; i< list1.length; i++) { + sum.add(list1[i]); + } + + for (int i=0; i < list2.length; i++) { + boolean match=false; + for (int j=0; j < list1.length; j++) { + if ((list2[i].trim()).equalsIgnoreCase(list1[j].trim())) { + match = true; + break; + } + } + if (!match) sum.add(list2[i].trim()); + } + + return (String[])sum.toArray(new String[sum.size()]); + } + + // convenience funtion. 
Takes a string array and delimiter + // and returns a String with the concatenation + private static String join(String[] s, String delimiter) { + if (s.length == 0) return ""; + + StringBuffer buffer = new StringBuffer(s[0]); + if (s.length > 1) { + for (int i=1; i< s.length; i++) { + buffer.append(delimiter).append(s[i].trim()); + } + } + return buffer.toString(); + } + + private void processChangedOC(NameValuePairs saveParams, IConfigStore newstore, String objName) { + String newOC = null, oldOC = null; + String oldAdded = null, oldDeleted = null; + + try { + newOC = newstore.getString(objName); + } catch (Exception e) { + } + + oldOC = saveParams.getValue(objName); + oldAdded = saveParams.getValue(objName + "Added"); + oldDeleted = saveParams.getValue(objName + "Deleted"); + + if ((oldOC == null) || (newOC == null)) return; + if (oldOC.equalsIgnoreCase(newOC)) return; + + String [] oldList = oldOC.split(","); + String [] newList = newOC.split(","); + String [] deletedList = getExtras(oldList, newList); + String [] addedList = getExtras(newList, oldList); + + // CMS.debug("addedList = " + join(addedList, ",")); + // CMS.debug("deletedList = " + join(deletedList, ",")); + + if ((addedList.length ==0) && (deletedList.length == 0)) + return; // no changes + + if (oldAdded != null) { + // CMS.debug("oldAdded is " + oldAdded); + String [] oldAddedList = oldAdded.split(","); + addedList = joinLists(addedList, oldAddedList); + } + + if (oldDeleted != null) { + // CMS.debug("oldDeleted is " + oldDeleted); + String [] oldDeletedList = oldDeleted.split(","); + deletedList = joinLists(deletedList, oldDeletedList); + } + + String[] addedList1 = getExtras(addedList, deletedList); + String[] deletedList1 = getExtras(deletedList, addedList); + + //create the final strings and write to config + String addedListStr = join(addedList1, ","); + String deletedListStr = join(deletedList1, ","); + + CMS.debug("processChangedOC: added list is " + addedListStr); + 
CMS.debug("processChangedOC: deleted list is " + deletedListStr); + + newstore.put(objName + "Added", addedListStr); + newstore.put(objName + "Deleted", deletedListStr); + } + + // convenience routine. + private static void restore(IConfigStore store, + String id, NameValuePairs saveParams) { + store.removeSubStore(id); + IConfigStore rstore = store.makeSubStore(id); + + Enumeration keys = saveParams.getNames(); + + while (keys.hasMoreElements()) { + String key = (String) keys.nextElement(); + String value = saveParams.getValue(key); + + if (value != null) + rstore.put(key, value); + } + } + + private String dashes(int len) { + String dashes = "..................................................."; + + if (len <= 0) + return ""; + String new1 = dashes.substring(0, len); + + return new1; + } + + /** + * logs an entry in the log file. + */ + public void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, + ILogger.S_LDAP, level, "PublishingAdminServlet: " + msg); + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java new file mode 100644 index 000000000..c5ec93f3a --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/RAAdminServlet.java 
@@ -0,0 +1,576 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + + +import java.io.*; +import java.util.*; +import java.net.*; +import java.util.*; +import java.text.*; +import java.math.*; +import java.security.cert.*; +import javax.servlet.*; +import javax.servlet.http.*; +import netscape.security.util.*; +import netscape.security.x509.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.ra.*; +import com.netscape.certsrv.dbs.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.dbs.crldb.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.policy.*; +import com.netscape.certsrv.request.IRequestListener; + + +/** + * A class representings an administration servlet for Registration + * Authority. This servlet is responsible to serve RA + * administrative operations such as configuration parameter + * updates. 
+ * + * @version $Revision$, $Date$ + */ +public class RAAdminServlet extends AdminServlet { + protected static final String PROP_ENABLED = "enabled"; + + /*========================================================== + * variables + *==========================================================*/ + private final static String INFO = "RAAdminServlet"; + private IRegistrationAuthority mRA = null; + + /*========================================================== + * constructors + *==========================================================*/ + + /** + * Constructs RA servlet. + */ + public RAAdminServlet() { + super(); + } + + /*========================================================== + * public methods + *==========================================================*/ + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + mRA = (IRegistrationAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_RA); + } + + /** + * Returns serlvet information. + */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP request. Each request is authenticated to + * the authenticate manager. 
+ */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + //get all operational flags + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + //check operational flags + if ((op == null) || (scope == null)) { + sendResponse(1, "Invalid Protocol", null, resp); + return; + } + + //authenticate the user + super.authenticate(req); + + //perform services + try { + AUTHZ_RES_NAME = "certServer.ra.configuration"; + if (op.equals(OpDef.OP_READ)) { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + readGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_CONNECTOR)) { + getConnectorConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) { + getNotificationReqCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) { + getNotificationRevCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) { + getNotificationRIQConfig(req, resp); + return; + } else { + sendResponse(1, "Unknown operation", null, resp); + return; + } + } else if (op.equals(OpDef.OP_MODIFY)) { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return; + } + if (scope.equals(ScopeDef.SC_GENERAL)) { + modifyGeneralConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_CONNECTOR)) { + setConnectorConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_REQ_COMP)) { + setNotificationReqCompConfig(req, resp); + return; + }else if (scope.equals(ScopeDef.SC_NOTIFICATION_REV_COMP)) { + 
setNotificationRevCompConfig(req, resp); + return; + } else if (scope.equals(ScopeDef.SC_NOTIFICATION_RIQ)) { + setNotificationRIQConfig(req, resp); + return; + } else { + sendResponse(1, "Unknown operation", null, resp); + return; + } + } + } catch (Exception e) { + //System.out.println("XXX >>>" + e.toString() + "<<<"); + sendResponse(1, "Unknown operation", null, resp); + } + + return; + } + + /*========================================================== + * private methods + *==========================================================*/ + + /* + * handle getting completion (cert issued) notification config info + */ + private void getNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.add(name, rc.getString(name, "")); + } + + params.add(Constants.PR_ENABLE, + rc.getString(PROP_ENABLED, Constants.FALSE)); + //System.out.println("Send: "+params.toString()); + sendResponse(SUCCESS, null, params, resp); + } + + private void getNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mRA.PROP_CERT_ISSUED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + + } + + private void getNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore config = mRA.getConfigStore(); + 
IConfigStore nc = + config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mRA.PROP_CERT_REVOKED_SUBSTORE); + + getNotificationCompConfig(req, resp, rc); + + } + + /* + * handle getting request in queue notification config info + */ + private void getNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(mRA.PROP_REQ_IN_Q_SUBSTORE); + + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + params.add(name, riq.getString(name, "")); + } + + params.add(Constants.PR_ENABLE, + riq.getString(PROP_ENABLED, Constants.FALSE)); + //System.out.println("Send: "+params.toString()); + sendResponse(SUCCESS, null, params, resp); + } + + /* + * handle setting request in queue notification config info + */ + private void setNotificationRIQConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore riq = nc.getSubStore(mRA.PROP_REQ_IN_Q_SUBSTORE); + + //set rest of the parameters + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); 
+ + riq.putString(name, val); + mRA.getRequestInQListener().set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + riq.putString(PROP_ENABLED, enabledString); + mRA.getRequestInQListener().set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + /* + * handle setting request complete notification config info + */ + private void setNotificationCompConfig(HttpServletRequest req, + HttpServletResponse resp, IConfigStore rc, IRequestListener thisListener) throws ServletException, + IOException, EBaseException { + //set rest of the parameters + Enumeration e = req.getParameterNames(); + + while (e.hasMoreElements()) { + String name = (String) e.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.PR_ENABLE)) + continue; + String val = req.getParameter(name); + + rc.putString(name, val); + thisListener.set(name, val); + } + + // set enable flag + String enabledString = req.getParameter(Constants.PR_ENABLE); + + rc.putString(PROP_ENABLED, enabledString); + thisListener.set(PROP_ENABLED, enabledString); + + commit(true); + + sendResponse(SUCCESS, null, null, resp); + } + + private void setNotificationReqCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mRA.PROP_CERT_ISSUED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mRA.getCertIssuedListener()); + + } + + private void setNotificationRevCompConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore config = mRA.getConfigStore(); + IConfigStore nc = + 
config.getSubStore(mRA.PROP_NOTIFY_SUBSTORE); + + IConfigStore rc = nc.getSubStore(mRA.PROP_CERT_REVOKED_SUBSTORE); + + setNotificationCompConfig(req, resp, rc, mRA.getCertRevokedListener()); + } + + private void getConnectorConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + IConfigStore raConfig = mRA.getConfigStore(); + IConfigStore connectorConfig = raConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + + if (isCAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("CA"); + } else if (isRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("RA"); + } else if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } + + /* + Enumeration enum = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + while (enum.hasMoreElements()) { + String key = (String)enum.nextElement(); + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + if (val.equals("CA Connector")) + } + } + */ + + Enumeration enum1 = req.getParameterNames(); + NameValuePairs params = new NameValuePairs(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; + if (name.equals(Constants.OP_TYPE)) + continue; + + params.add(name, caConnectorConfig.getString(name, "")); + } + } + sendResponse(SUCCESS, null, params, resp); + } + + private void setConnectorConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + IConfigStore raConfig = mRA.getConfigStore(); + IConfigStore connectorConfig = raConfig.getSubStore("connector"); + IConfigStore caConnectorConfig = null; + // String nickname = raConfig.getString("certNickname", ""); + + if (isCAConnector(req)) { + caConnectorConfig = 
connectorConfig.getSubStore("CA"); + } else if (isRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("RA"); + } else if (isKRAConnector(req)) { + caConnectorConfig = connectorConfig.getSubStore("KRA"); + } + + Enumeration enum1 = req.getParameterNames(); + + if (caConnectorConfig != null) { + while (enum1.hasMoreElements()) { + String name = (String) enum1.nextElement(); + + if (name.equals(Constants.OP_TYPE)) + continue; + if (name.equals(Constants.RS_ID)) + continue; + if (name.equals(Constants.OP_SCOPE)) + continue; +/* + if (name.equals("nickName")) { + caConnectorConfig.putString(name, nickname); + continue; + } +*/ + caConnectorConfig.putString(name, req.getParameter(name)); + } + } + + commit(true); + sendResponse(RESTART, null, null, resp); + } + + private boolean isCAConnector(HttpServletRequest req) { + + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Certificate Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private boolean isRAConnector(HttpServletRequest req) { + + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Registration Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + private boolean isKRAConnector(HttpServletRequest req) { + + Enumeration enum1 = req.getParameterNames(); + + while (enum1.hasMoreElements()) { + String key = (String) enum1.nextElement(); + + if (key.equals("RS_ID")) { + String val = req.getParameter(key); + + if (val.equals("Data Recovery Manager Connector")) + return true; + else + return false; + } + } + return false; + } + + //reading the RA general information + private void 
readGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + NameValuePairs params = new NameValuePairs(); + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + String value = "false"; + if (eeGateway != null) { + IConfigStore eeConfig = eeGateway.getConfigStore(); + if (eeConfig != null) + value = eeConfig.getString("enabled", "true"); + } + params.add(Constants.PR_EE_ENABLED, value); + */ + + sendResponse(SUCCESS, null, params, resp); + } + + //mdify RA General Information + private void modifyGeneralConfig(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + + /* + ISubsystem eeGateway = + SubsystemRegistry.getInstance().get("eeGateway"); + IConfigStore eeConfig = null; + if (eeGateway != null) + eeConfig = eeGateway.getConfigStore(); + + Enumeration enum = req.getParameterNames(); + while (enum.hasMoreElements()) { + String key = (String)enum.nextElement(); + if (key.equals(Constants.PR_EE_ENABLED)) { + if (eeConfig != null) + eeConfig.putString("enabled", + req.getParameter(Constants.PR_EE_ENABLED)); + } + } + + */ + sendResponse(RESTART, null, null, resp); + commit(true); + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java new file mode 100644 index 000000000..78d88c9b3 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/RegistryAdminServlet.java 
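Review bot: `service()` keeps per-request authorization state in fields: `AUTHZ_RES_NAME`, `mOp` and `mToken` are assigned without a local declaration, so they are presumably inherited from `AdminServlet`, and a servlet container normally serves concurrent requests through one servlet instance. If `super.authorize(req)` reads `mOp` and `AUTHZ_RES_NAME` (it is passed neither here, but its body is outside this hunk), a `modify` request could be evaluated against the `read` operation set by a parallel request. The resource name and operation should be passed to the authorization call as arguments and the token held in a local variable; until that is possible, a comment such as `// mOp/AUTHZ_RES_NAME/mToken are shared across request threads; authorize() must not race` should mark the hazard. The same pattern appears in `readAuthorize` and `modifyAuthorize` of RegistryAdminServlet.java in this commit.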
@@ -0,0 +1,362 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.servlet.admin; + + +import java.io.*; +import java.util.*; +import java.net.*; +import java.util.*; +import java.text.*; +import java.math.*; +import java.security.*; +import javax.servlet.*; +import javax.servlet.http.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.policy.*; +import com.netscape.certsrv.property.*; +import com.netscape.certsrv.registry.*; +import com.netscape.certsrv.authority.IAuthority; +import com.netscape.certsrv.ca.ICertificateAuthority; +import com.netscape.certsrv.ra.IRegistrationAuthority; +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.profile.*; + +/** + * This implements the administration servlet for registry subsystem. 
+ * + * @version $Revision$, $Date$ + */ +public class RegistryAdminServlet extends AdminServlet { + public final static String PROP_AUTHORITY = "authority"; + + private final static String INFO = "RegistryAdminServlet"; + private final static String PW_PASSWORD_CACHE_ADD = + "PASSWORD_CACHE_ADD"; + + public final static String PROP_PREDICATE = "predicate"; + private IAuthority mAuthority = null; + private IPluginRegistry mRegistry = null; + + // These will be moved to PolicyResources + public static String INVALID_POLICY_SCOPE = "Invalid policy administration scope"; + public static String INVALID_POLICY_IMPL_OP = "Invalid operation for policy implementation management"; + public static String NYI = "Not Yet Implemented"; + public static String INVALID_POLICY_IMPL_CONFIG = "Invalid policy implementation configuration"; + public static String INVALID_POLICY_INSTANCE_CONFIG = "Invalid policy instance configuration"; + public static String MISSING_POLICY_IMPL_ID = "Missing policy impl id in request"; + public static String MISSING_POLICY_IMPL_CLASS = "Missing policy impl class in request"; + public static String INVALID_POLICY_IMPL_ID = "Invalid policy impl id in request"; + public static String MISSING_POLICY_INST_ID = "Missing policy impl id in request"; + public static String INVALID_POLICY_INST_ID = "Invalid policy impl id in request"; + public static String COMMA = ","; + public static String MISSING_POLICY_ORDERING = "Missing policy ordering"; + + /** + * Constructs administration servlet. + */ + public RegistryAdminServlet() { + super(); + } + + /** + * Initializes this servlet. + */ + public void init(ServletConfig config) throws ServletException { + super.init(config); + String authority = config.getInitParameter(PROP_AUTHORITY); + + if (authority != null) + mAuthority = (IAuthority) CMS.getSubsystem(authority); + mRegistry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY); + } + + /** + * Returns serlvet information. 
+ */ + public String getServletInfo() { + return INFO; + } + + /** + * Serves HTTP admin request. + */ + public void service(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + + super.authenticate(req); + + AUTHZ_RES_NAME = "certServer.registry.configuration"; + String scope = req.getParameter(Constants.OP_SCOPE); + String op = req.getParameter(Constants.OP_TYPE); + + if (scope.equals(ScopeDef.SC_SUPPORTED_CONSTRAINTPOLICIES)) { + if (op.equals(OpDef.OP_READ)) + if (!readAuthorize(req, resp)) + return; + getSupportedConstraintPolicies(req, resp); + } else { + processImplMgmt(req, resp); + } + } + + private boolean readAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "read"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + private boolean modifyAuthorize(HttpServletRequest req, + HttpServletResponse resp) throws IOException { + mOp = "modify"; + if ((mToken = super.authorize(req)) == null) { + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"), + null, resp); + return false; + } + return true; + } + + /** + * Process Policy Implementation Management. 
+ */ + public void processImplMgmt(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + // Get operation type + String op = req.getParameter(Constants.OP_TYPE); + String scope = req.getParameter(Constants.OP_SCOPE); + + if (op.equals(OpDef.OP_SEARCH)) { + if (!readAuthorize(req, resp)) + return; + listImpls(req, resp); + } else if (op.equals(OpDef.OP_READ)) { + if (!readAuthorize(req, resp)) + return; + getProfileImplConfig(req, resp); + } else if (op.equals(OpDef.OP_DELETE)) { + if (!modifyAuthorize(req, resp)) + return; + deleteImpl(req, resp); + } else if (op.equals(OpDef.OP_ADD)) { + if (!modifyAuthorize(req, resp)) + return; + addImpl(req, resp); + } else + sendResponse(ERROR, INVALID_POLICY_IMPL_OP, + null, resp); + } + + public void addImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + String classPath = req.getParameter(Constants.PR_POLICY_CLASS); + String desc = req.getParameter(Constants.PR_POLICY_DESC); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + IPluginInfo info = mRegistry.createPluginInfo(id, desc, classPath); + try { + mRegistry.addPluginInfo(scope, id, info); + } catch (Exception e) { + CMS.debug(e.toString()); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void deleteImpl(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. 
+ String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + if (info == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + try { + mRegistry.removePluginInfo(scope, id); + } catch (Exception e) { + CMS.debug(e.toString()); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + /** + * Lists all registered profile impementations + */ + public void listImpls(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + String scope = req.getParameter(Constants.OP_SCOPE); + Enumeration impls = mRegistry.getIds(scope); + NameValuePairs nvp = new NameValuePairs(); + + while (impls.hasMoreElements()) { + String id = (String) impls.nextElement(); + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + nvp.add(id, info.getClassName() + "," + + info.getDescription(getLocale(req)) + "," + info.getName(getLocale(req))); + } + + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getSupportedConstraintPolicies(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, IOException { + String id = req.getParameter(Constants.RS_ID); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + NameValuePairs nvp = new NameValuePairs(); + + try { + IPluginInfo info = mRegistry.getPluginInfo("defaultPolicy", id); + String className = info.getClassName(); + IPolicyDefault policyDefaultClass = (IPolicyDefault) + Class.forName(className).newInstance(); + + if (policyDefaultClass != null) { + Enumeration impls = mRegistry.getIds("constraintPolicy"); + + while (impls.hasMoreElements()) { + String constraintID = (String) impls.nextElement(); + IPluginInfo constraintInfo = mRegistry.getPluginInfo( + 
"constraintPolicy", constraintID); + IPolicyConstraint policyConstraintClass = (IPolicyConstraint) + Class.forName(constraintInfo.getClassName()).newInstance(); + + CMS.debug("RegistryAdminServlet: getSUpportedConstraint " + constraintInfo.getClassName()); + + if (policyConstraintClass.isApplicable(policyDefaultClass)) { + CMS.debug("RegistryAdminServlet: getSUpportedConstraint isApplicable " + constraintInfo.getClassName()); + nvp.add(constraintID, constraintInfo.getClassName() + "," + + constraintInfo.getDescription(getLocale(req)) + "," + constraintInfo.getName(getLocale(req))); + } + } + } + } catch (Exception ex) { + CMS.debug("RegistyAdminServlet: getSupportConstraintPolicies: " + ex.toString()); + CMS.debug(ex); + } + sendResponse(SUCCESS, null, nvp, resp); + } + + public void getProfileImplConfig(HttpServletRequest req, + HttpServletResponse resp) + throws ServletException, IOException { + + // Get the policy impl id. + String id = req.getParameter(Constants.RS_ID); + String scope = req.getParameter(Constants.OP_SCOPE); + + if (id == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + IPluginInfo info = mRegistry.getPluginInfo(scope, id); + + if (info == null) { + sendResponse(ERROR, MISSING_POLICY_IMPL_ID, null, resp); + return; + } + + NameValuePairs nvp = new NameValuePairs(); + + String className = info.getClassName(); + IConfigTemplate template = null; + + try { + template = (IConfigTemplate) + Class.forName(className).newInstance(); + } catch (Exception e) { + } + if (template != null) { + Enumeration names = template.getConfigNames(); + + if (names != null) { + while (names.hasMoreElements()) { + String name = (String) names.nextElement(); + CMS.debug("RegistryAdminServlet: getProfileImpl descriptor " + name); + IDescriptor desc = template.getConfigDescriptor(getLocale(req), name); + + if (desc != null) { + try { + String value = getNonNull(desc.getSyntax()) + ";" + getNonNull(desc.getConstraint()) + ";" + 
desc.getDescription(getLocale(req)) + ";" + getNonNull(desc.getDefaultValue()); + + CMS.debug("RegistryAdminServlet: getProfileImpl " + value); + nvp.add(name, value); + } catch (Exception e) { + + CMS.debug("RegistryAdminServlet: getProfileImpl skipped descriptor for " + name); + } + } else { + CMS.debug("RegistryAdminServlet: getProfileImpl cannot find descriptor for " + name); + } + } + } + } + sendResponse(SUCCESS, null, nvp, resp); + } + + protected String getNonNull(String s) { + if (s == null) + return ""; + return s; + } +} diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java new file mode 100644 index 000000000..5ac9e0dd1 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java 
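Review bot: In `service()`, the `ScopeDef.SC_SUPPORTED_CONSTRAINTPOLICIES` branch calls `readAuthorize` only when `op` equals `OpDef.OP_READ`, so a request with any other `op` value reaches `getSupportedConstraintPolicies` without an authorization check. The check should be unconditional on that branch: `if (!readAuthorize(req, resp)) return;` directly before `getSupportedConstraintPolicies(req, resp);`. `op` and `scope` are also dereferenced without the null check that `RAAdminServlet.service()` performs, so a request missing either parameter ends in a NullPointerException instead of an error response; `if (op == null || scope == null) { sendResponse(ERROR, INVALID_POLICY_IMPL_OP, null, resp); return; }` would cover it. Separately, `addImpl` registers the class name taken from the `Constants.PR_POLICY_CLASS` request parameter and `getProfileImplConfig` later instantiates a registered class name with `Class.forName(className).newInstance()`, so the registry appears to accept arbitrary class names; restricting registration to an allow-list of plugin packages is worth considering, and `addImpl`/`deleteImpl` should not report SUCCESS when the registry call throws.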
@@ -0,0 +1,2332 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.servlet.admin;
+
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.util.*;
+import java.text.*;
+import java.math.*;
+import java.security.cert.*;
+import javax.servlet.*;
+import javax.servlet.http.*;
+import netscape.ldap.*;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.InternalCertificate;
+import com.netscape.cmsutil.util.*;
+import com.netscape.certsrv.common.*;
+import com.netscape.certsrv.password.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.usrgrp.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.authentication.*;
+import com.netscape.certsrv.authorization.*;
+import com.netscape.cms.servlet.base.*;
+
+
+/**
+ * A class representing an administration servlet for
+ * User/Group Manager. It communicates with client
+ * SDK to allow remote administration of User/Group
+ * manager.
+ *
+ * This servlet will be registered to remote
+ * administration subsystem by usrgrp manager.
+ *
+ * @version $Revision$, $Date$
+ */
+public class UsrGrpAdminServlet extends AdminServlet {
+
+ private final static String INFO = "UsrGrpAdminServlet";
+ private final static String RES_CA_GROUP = "certServer.ca.group";
+ private final static String RES_RA_GROUP = "certServer.ra.group";
+ private final static String RES_KRA_GROUP = "certServer.kra.group";
+ private final static String RES_OCSP_GROUP = "certServer.ocsp.group";
+ private final static String RES_TKS_GROUP = "certServer.tks.group";
+ private final static String SYSTEM_USER = "$System$";
+ // private final static String RES_GROUP = "root.common.goldfish";
+
+ private final static String BACK_SLASH = "\\";
+
+ private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+ "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+
+ private IUGSubsystem mMgr = null;
+
+ private IAuthzSubsystem mAuthz = null;
+
+ private static String [] mMultiRoleGroupEnforceList = null;
+ private final static String MULTI_ROLE_ENABLE= "multiroles.enable";
+ private final static String MULTI_ROLE_ENFORCE_GROUP_LIST = "multiroles.false.groupEnforceList";
+
+
+ /**
+ * Constructs User/Group manager servlet.
+ */
+ public UsrGrpAdminServlet() {
+ super();
+ mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
+ }
+
+ /**
+ * Initializes this servlet.
+ */
+ public void init(ServletConfig config) throws ServletException {
+ super.init(config);
+ mMgr = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ }
+
+ /**
+ * Returns serlvet information.
+ */
+ public String getServletInfo() {
+ return INFO;
+ }
+
+ /**
+ * Serves incoming User/Group management request.
+ */
+ public void service(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ super.service(req, resp);
+
+ String scope = super.getParameter(req, Constants.OP_SCOPE);
+ String op = super.getParameter(req, Constants.OP_TYPE);
+
+ if (op == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_INVALID_PROTOCOL"));
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_PROTOCOL"),
+ null, resp);
+ return;
+ }
+
+ Locale clientLocale = super.getLocale(req);
+
+ try {
+ super.authenticate(req);
+ } catch (IOException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS"));
+
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHS_FAILED"),
+ null, resp);
+ return;
+ }
+
+ // authorization
+ // temporary test before servlets are exposed with authtoken
+ /*
+ SessionContext sc = SessionContext.getContext();
+ AuthToken authToken = (AuthToken) sc.get(SessionContext.AUTH_TOKEN);
+
+ AuthzToken authzTok = null;
+ CMS.debug("UserGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CHECK_AUTHZ_SUB"));
+ // hardcoded for now .. just testing
+ try {
+ authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_CALL_FAIL",e.toString()));
+ }
+ if (AuthzToken.AUTHZ_STATUS_FAIL.equals(authzTok.get(AuthzToken.TOKEN_AUTHZ_STATUS))) {
+ // audit would have been needed here if this weren't just a test...
+
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_FAIL_AUTHS"));
+
+ sendResponse(ERROR,
+ MessageFormatter.getLocalizedString(
+ getLocale(req),
+ AdminResources.class.getName(),
+ AdminResources.SRVLT_FAIL_AUTHS),
+ null, resp);
+ return;
+ }
+ */
+
+
+ try {
+ ISubsystem subsystem = CMS.getSubsystem("ca");
+ if (subsystem != null)
+ AUTHZ_RES_NAME = RES_CA_GROUP;
+ subsystem = CMS.getSubsystem("ra");
+ if (subsystem != null)
+ AUTHZ_RES_NAME = RES_RA_GROUP;
+ subsystem = CMS.getSubsystem("kra");
+ if (subsystem != null)
+ AUTHZ_RES_NAME = RES_KRA_GROUP;
+ subsystem = CMS.getSubsystem("ocsp");
+ if (subsystem != null)
+ AUTHZ_RES_NAME = RES_OCSP_GROUP;
+ subsystem = CMS.getSubsystem("tks");
+ if (subsystem != null)
+ AUTHZ_RES_NAME = RES_TKS_GROUP;
+ if (scope != null) {
+ if (scope.equals(ScopeDef.SC_USER_TYPE)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+
+ getUserType(req, resp);
+ return;
+ }
+
+ if (op.equals(OpDef.OP_READ)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GROUPS)) {
+ findGroup(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USERS)) {
+ findUser(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USER_CERTS)) {
+ findUserCerts(req, resp, clientLocale);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_MODIFY)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GROUPS)) {
+ modifyGroup(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USERS)) {
+ modifyUser(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USER_CERTS)) {
+ modifyUserCert(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_ADD)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GROUPS)) {
+ addGroup(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USERS)) {
+ addUser(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USER_CERTS)) {
+ addUserCert(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_DELETE)) {
+ mOp = "modify";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GROUPS)) {
+ removeGroup(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USERS)) {
+ removeUser(req, resp);
+ return;
+ }
+ } else if (op.equals(OpDef.OP_SEARCH)) {
+ mOp = "read";
+ if ((mToken = super.authorize(req)) == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_AUTHZ_FAILED"),
+ null, resp);
+ return;
+ }
+ if (scope.equals(ScopeDef.SC_GROUPS)) {
+ findGroups(req, resp);
+ return;
+ } else if (scope.equals(ScopeDef.SC_USERS)) {
+ findUsers(req, resp);
+ return;
+ } else {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_INVALID_OP_SCOPE"));
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_INVALID_OP_SCOPE"),
+ null, resp);
+ return;
+ }
+ }
+ } // if
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ sendResponse(ERROR, e.toString(getLocale(req)),
+ null, resp);
+ return;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+ log(ILogger.LL_FAILURE, CMS.getLogMessage(" ADMIN_SRVLT_FAIL_PERFORM"));
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_PERFORM_FAILED"),
+ null, resp);
+ return;
+ }
+ }
+
+ private void getUserType(HttpServletRequest
req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String id = super.getParameter(req, Constants.RS_ID);
+ IUser user = mMgr.getUser(id);
+ String val = user.getUserType();
+
+ if (val == null || val.equals(""))
+ val = "noType";
+ NameValuePairs params = new NameValuePairs();
+
+ params.add(Constants.PR_USER_TYPE, val);
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * Retrieves configuration parameters of
+ * authentication manager.
+ */
+ private synchronized void getConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ super.getConfig(mMgr.getConfigStore(), req, resp);
+ }
+
+ /**
+ * Sets configuration parameters of
+ * User/Group manager.
+ */
+ private synchronized void setConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ super.setConfig(mMgr.getConfigStore(), req, resp);
+ }
+
+ /**
+ * Lists configuration parameters.
+ */
+ private synchronized void listConfig(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+ super.listConfig(mMgr.getConfigStore(), req, resp);
+ }
+
+ /**
+ * Searches for users in LDAP directory.
List uids only
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ private synchronized void findUsers(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ NameValuePairs params = new NameValuePairs();
+
+ Enumeration e = null;
+
+ try {
+ e = mMgr.listUsers("*");
+ } catch (Exception ex) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+ return;
+ }
+
+ StringBuffer sb = new StringBuffer();
+ int i = 0;
+
+ while (e.hasMoreElements()) {
+ IUser user = (IUser) e.nextElement();
+
+ if (i > 0) {
+ sb.append(";");
+ sb.append(user.getUserID());
+ sb.append(":");
+ sb.append(user.getFullName());
+ } else {
+ sb.append(user.getUserID());
+ sb.append(":");
+ sb.append(user.getFullName());
+ }
+ i++;
+ }
+ params.add("userInfo", sb.toString());
+
+ sendResponse(SUCCESS, null, params, resp);
+ }
+
+ /**
+ * List user information. Certificates covered in a separate
+ * protocol for findUserCerts(). List of group memberships are
+ * also provided.
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ private synchronized void findUser(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ NameValuePairs params = new NameValuePairs();
+
+ IUser user = null;
+
+ try {
+ user = mMgr.getUser(id);
+ } catch (Exception e) {
+ e.printStackTrace();
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+ return;
+ }
+
+ if (user != null) {
+ params.add(Constants.PR_USER_FULLNAME, user.getFullName());
+ params.add(Constants.PR_USER_EMAIL, user.getEmail());
+ params.add(Constants.PR_USER_PHONE, user.getPhone());
+ params.add(Constants.PR_USER_STATE, user.getState());
+
+ // get list of groups, and get a list of those that this
+ // uid belongs to
+ Enumeration e = null;
+
+ try {
+ e = mMgr.findGroups("*");
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+ return;
+ }
+
+ StringBuffer grpString = new StringBuffer();
+
+ while (e.hasMoreElements()) {
+ IGroup group = (IGroup) e.nextElement();
+
+ if (group.isMember(id) == true) {
+ if (grpString.length()!=0) {
+ grpString.append(",");
+ }
+ grpString.append(group.getGroupID());
+ }
+ }
+
+ params.add(Constants.PR_USER_GROUP, grpString.toString());
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp);
+
return;
+ }
+
+ /**
+ * List user certificate(s)
+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ */
+ private synchronized void findUserCerts(HttpServletRequest req,
+ HttpServletResponse resp, Locale clientLocale)
+ throws ServletException,
+ IOException, EBaseException {
+
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ NameValuePairs params = new NameValuePairs();
+
+ IUser user = null;
+
+ try {
+ user = mMgr.getUser(id);
+ } catch (Exception e) {
+ e.printStackTrace();
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp);
+ return;
+ }
+
+ if (user == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_NOT_EXIST"), null, resp);
+ return;
+ }
+
+ X509Certificate[] certs =
+ (X509Certificate[]) user.getX509Certificates();
+
+ if (certs != null) {
+ for (int i = 0; i < certs.length; i++) {
+ ICertPrettyPrint print = CMS.getCertPrettyPrint(certs[i]);
+
+ // add base64 encoding
+ String base64 = CMS.getEncodedCert(certs[i]);
+
+ // pretty print certs
+ params.add(getCertificateString(certs[i]),
+ print.toString(clientLocale) + "\n" + base64);
+ }
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ /**
+ * Converts certificate into string format.
+ */ + protected String getCertificateString(X509Certificate cert) { + if (cert == null) { + return null; + } + + // note that it did not represent a certificate fully + return cert.getVersion() + ";" + cert.getSerialNumber().toString() + + ";" + cert.getIssuerDN() + ";" + cert.getSubjectDN(); + } + + /** + * Searchess for groups in LDAP server + * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#group + */ + private synchronized void findGroups(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + Enumeration e = null; + + try { + e = mMgr.listGroups("*"); + } catch (Exception ex) { + ex.printStackTrace(); + sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp); + return; + } + + while (e.hasMoreElements()) { + IGroup group = (IGroup) e.nextElement(); + String desc = group.getDescription(); + + if (desc != null) { + params.add(group.getGroupID(), desc); + } else { + params.add(group.getGroupID(), ""); + } + } + + sendResponse(SUCCESS, null, params, resp); + } + + /** + * finds a group + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + */ + private synchronized void findGroup(HttpServletRequest req, + HttpServletResponse resp) throws ServletException, + IOException, EBaseException { + NameValuePairs params = new NameValuePairs(); + + //get id first + String id = super.getParameter(req, Constants.RS_ID); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID")); + + sendResponse(ERROR, + CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"), + null, resp); + return; + } + + Enumeration e = null; + + try { + e = mMgr.findGroups(id); + } catch (Exception ex) { + ex.printStackTrace(); + sendResponse(ERROR, 
CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+ return;
+ }
+
+ if (e.hasMoreElements()) {
+ IGroup group = (IGroup) e.nextElement();
+
+ params.add(Constants.PR_GROUP_GROUP, group.getGroupID());
+ params.add(Constants.PR_GROUP_DESC,
+ group.getDescription());
+
+ Enumeration members = group.getMemberNames();
+ StringBuffer membersString = new StringBuffer();
+
+ if (members != null) {
+ while (members.hasMoreElements()) {
+ if (membersString.length()!=0) {
+ membersString.append(", ");
+ }
+
+ String mn = (String) members.nextElement();
+
+ membersString.append(mn);
+ }
+ }
+
+ params.add(Constants.PR_GROUP_USER, membersString.toString());
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_GROUP_NOT_EXIST"));
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_GROUP_NOT_EXIST"), null, resp);
+ return;
+
+ }
+ }
+
+ /**
+ * Adds a new user to LDAP server
+ *

+ * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring + * role information (anything under users/groups) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void addUser(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ if (id.indexOf(BACK_SLASH) != -1) {
+ // backslashes (BS) are not allowed
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_RS_ID_BS"),
+ null, resp);
+ return;
+ }
+
+ if (id.equals(SYSTEM_USER)) {
+ // backslashes (BS) are not allowed
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", id));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_SPECIAL_ID", id),
+
null, resp);
+ return;
+ }
+
+ IUser user = mMgr.createUser(id);
+ String fname = super.getParameter(req, Constants.PR_USER_FULLNAME);
+
+ if ((fname == null) || (fname.length() == 0)) {
+ String msg = CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED_1", "full name");
+
+ log(ILogger.LL_FAILURE, msg);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, msg, null, resp);
+ return;
+ } else
+ user.setFullName(fname);
+
+ String email = super.getParameter(req, Constants.PR_USER_EMAIL);
+
+ if (email != null) {
+ user.setEmail(email);
+ } else {
+ user.setEmail("");
+ }
+ String pword = super.getParameter(req, Constants.PR_USER_PASSWORD);
+
+ if (pword != null && !pword.equals("")) {
+ IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+ if (!passwdCheck.isGoodPassword(pword)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EUsrGrpException(passwdCheck.getReason(pword));
+
+ //UsrGrpResources.BAD_PASSWD);
+ }
+
+ user.setPassword(pword);
+ } else {
+ user.setPassword("");
+ }
+ String phone = super.getParameter(req, Constants.PR_USER_PHONE);
+
+ if (phone != null) {
+ user.setPhone(phone);
+ } else {
+ user.setPhone("");
+ }
+ String userType = super.getParameter(req, Constants.PR_USER_TYPE);
+
+ if (userType != null) {
+ user.setUserType(userType);
+ } else {
+ user.setUserType("");
+ }
+ String userState = super.getParameter(req, Constants.PR_USER_STATE);
+
+ if (userState != null) {
+ user.setState(userState);
+ }
+
+ try {
+ mMgr.addUser(user);
+
+ // if group is specified, add user to group
+ String groupName = super.getParameter(req,
+ Constants.PR_USER_GROUP);
+
+ if (groupName != null) {
+
Enumeration e = null;
+
+ try {
+ e = mMgr.findGroups(groupName);
+ } catch (Exception ex) {
+ ex.printStackTrace();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+ return;
+ }
+
+ if (e.hasMoreElements()) {
+ IGroup group = (IGroup) e.nextElement();
+
+ group.addMemberName(id);
+ try {
+ mMgr.modifyGroup(group);
+ } catch (Exception ex) {
+ log(ILogger.LL_FAILURE, ex.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+ return;
+ }
+ }
+ // for audit log
+ SessionContext sContext = SessionContext.getContext();
+ String adminId = (String) sContext.get(SessionContext.USER_ID);
+
+ mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
+ AuditFormat.LEVEL, AuditFormat.ADDUSERGROUPFORMAT,
+ new Object[] {adminId, id, groupName}
+ );
+ }
+
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (EUsrGrpException e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ if (user.getUserID() == null) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED_1",
"uid"), null, resp);
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+ }
+ return;
+ } catch (LDAPException e) {
+ String errMsg = "addUser()" + e.toString();
+
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString()));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+ return;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+ return;
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled
later + // throw eAudit3; + } + } + + /** + * Adds a certificate to a user + *

+ * + * Request/Response Syntax: + * http://warp.mcom.com/server/certificate/columbo/design/ + * ui/admin-protocol-definition.html#user-admin + *

+ * + *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring + * role information (anything under users/groups) + *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void addUserCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ IUser user = mMgr.createUser(id);
+ String certS = super.getParameter(req, Constants.PR_USER_CERT);
+ String certsString = Cert.stripBrackets(certS);
+
+ // no cert is a success
+ if (certsString == null) {
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ // only one cert added per operation
+ X509Certificate certs[] = null;
+
+ // Base64 decode cert
+
+ try {
+ byte bCert[] = (byte[]) (com.netscape.osutil.OSUtil.AtoB(certsString));
+ X509Certificate cert = new X509CertImpl(bCert);
+
+ certs = new X509Certificate[1];
+ certs[0] = cert;
+ } catch (CertificateException e) {
+ // cert chain direction
+ boolean assending = true;
+
+ // could it
be a pkcs7 blob?
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_IS_PK_BLOB"));
+ byte p7Cert[] = (byte[]) (com.netscape.osutil.OSUtil.AtoB(certsString));
+
+ try {
+ CryptoManager manager = CryptoManager.getInstance();
+
+ PKCS7 pkcs7 = new PKCS7(p7Cert);
+
+ X509Certificate p7certs[] = pkcs7.getCertificates();
+
+ if (p7certs.length == 0) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+ return;
+ }
+ // fix for 370099 - cert ordering can not be assumed
+ // find out the ordering ...
+ certs = new X509Certificate[p7Cert.length];
+
+ // self-signed and alone? take it. otherwise test
+ // the ordering
+ if (p7certs[0].getSubjectDN().toString().equals(
+ p7certs[0].getIssuerDN().toString()) &&
+ (p7certs.length == 1)) {
+ certs[0] = p7certs[0];
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_SINGLE_CERT_IMPORT"));
+ } else if (p7certs[0].getIssuerDN().toString().equals(p7certs[1].getSubjectDN().toString())) {
+ certs[0] = p7certs[0];
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD"));
+ } else if (p7certs[1].getIssuerDN().toString().equals(p7certs[0].getSubjectDN().toString())) {
+ assending = false;
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_DESC_ORD"));
+ certs[0] = p7certs[p7certs.length - 1];
+ } else {
+ // not a chain, or in random order
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req),
"CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+ return;
+ }
+
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CHAIN_STORED_DB", String.valueOf(p7certs.length)));
+
+ int j = 0;
+ int jBegin = 0;
+ int jEnd = 0;
+
+ if (assending == true) {
+ jBegin = 1;
+ jEnd = p7certs.length;
+ } else {
+ jBegin = 0;
+ jEnd = p7certs.length - 1;
+ }
+ // store the chain into cert db, except for the user cert
+ for (j = jBegin; j < jEnd; j++) {
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_IN_CHAIN", String.valueOf(j), String.valueOf(p7certs[j].getSubjectDN())));
+ org.mozilla.jss.crypto.X509Certificate leafCert =
+ null;
+
+ leafCert =
+ manager.importCACertPackage(p7certs[j].getEncoded());
+
+ if (leafCert == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NULL"));
+ } else {
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NON_NULL"));
+ }
+
+ if (leafCert instanceof InternalCertificate) {
+ ((InternalCertificate) leafCert).setSSLTrust(
+ InternalCertificate.VALID_CA |
+ InternalCertificate.TRUSTED_CA |
+ InternalCertificate.TRUSTED_CLIENT_CA);
+ } else {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NOT_INTERNAL_CERT",
+ String.valueOf(p7certs[j].getSubjectDN())));
+ }
+ }
+
+ /*
+ } catch (CryptoManager.UserCertConflictException ex) {
+ // got a "user cert" in the chain, most likely the CA
+ // cert of this instance, which has a private key.
Ignore
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_PKS7_IGNORED", ex.toString()));
+ */
+ } catch (Exception ex) {
+ //-----
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", ex.toString()));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+ return;
+ }
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_O_ERROR", e.toString()));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_O_ERROR"), null, resp);
+ return;
+ }
+
+ try {
+ CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_BEFORE_VALIDITY"));
+ certs[0].checkValidity(); // throw exception if fails
+
+ user.setX509Certificates(certs);
+ mMgr.addUserCert(user);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+
+ } catch (CertificateExpiredException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED",
+ String.valueOf(certs[0].getSubjectDN())));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_EXPIRED"),
null, resp);
+ return;
+ } catch (CertificateNotYetValidException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID",
+ String.valueOf(certs[0].getSubjectDN())));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp);
+ return;
+
+ } catch (LDAPException e) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ if (e.getLDAPResultCode() ==
+ LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp);
+ } else {
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+ }
+ return;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+ return;
+ }
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * Removes a certificate for a user
+ *

+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ *

+ *
+ * In this method, "certDN" is actually a combination of version,
+ * serialNumber, issuerDN, and SubjectDN.
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void modifyUserCert(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ IUser user = mMgr.createUser(id);
+ String certDN = super.getParameter(req, Constants.PR_USER_CERT);
+
+ // no certDN is a success
+ if (certDN == null) {
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ }
+
+ user.setCertDN(certDN);
+ try {
+ mMgr.removeUserCert(user);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+
// store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+ return;
+ }
+ // } catch( EBaseException eAudit1 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * removes a user. user not removed if belongs to any group
+ * (Administrators should remove the user from "uniquemember" of
+ * any group he/she belongs to before trying to remove the user
+ * itself.
+ *

+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void removeUser(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+ boolean mustDelete = false;
+ int index = 0;
+
+ if ((index = id.lastIndexOf(":true")) != -1) {
+ id = id.substring(0, index);
+ mustDelete = true;
+ }
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+ // get list of groups, and see if uid belongs to any
+ Enumeration e = null;
+
+ try {
+ e = mMgr.findGroups("*");
+ } catch (Exception ex) {
+ ex.printStackTrace();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+ return;
+ }
+
+ while (e.hasMoreElements()) {
+ IGroup group = (IGroup) e.nextElement();
+
+ if (group.isMember(id) == true) {
+ if (mustDelete) {
+ mMgr.removeUserFromGroup(group, id);
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV_G"),
+ null, resp);
+ return;
+ }
+ }
+ }
+
+ // comes out clean of group membership...now remove user
+ try {
+ mMgr.removeUser(id);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (Exception ex) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV"), null, resp);
+ return;
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw
eAudit3;
+ }
+ }
+
+ /**
+ * Adds a new group in local scope.
+ *

+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#group
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void addGroup(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ IGroup group = mMgr.createGroup(id);
+ String members = super.getParameter(req,
+ Constants.PR_GROUP_USER);
+ String desc = super.getParameter(req,
+ Constants.PR_GROUP_DESC);
+
+ if (desc != null) {
+ group.set("description", (Object) desc);
+ } else {
+ group.set("description", (Object) "");
+ }
+
+ if (members != null) {
+ StringTokenizer st = new StringTokenizer(members, ",");
+
+ while (st.hasMoreTokens()) {
+ group.addMemberName(st.nextToken());
+ }
+ }
+
+ // allow adding a group with no members
+ try {
+ mMgr.addGroup(group);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (Exception e) {
+ // store a message in the
signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_ADD_FAILED"),
+ null, resp);
+ return;
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * removes a group
+ *

+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#group
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void removeGroup(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ // if fails, let the exception fall through
+ mMgr.removeGroup(id);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+
audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ /**
+ * modifies a group
+ *

+ *
+ * last person of the super power group "Certificate
+ * Server Administrators" can never be removed.
+ *

+ *
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#group
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void modifyGroup(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ IGroup group = mMgr.createGroup(id);
+
+ String desc = super.getParameter(req,
+ Constants.PR_GROUP_DESC);
+
+ if (desc != null) {
+ group.set("description", (Object) desc);
+ }
+
+ String members = super.getParameter(req, Constants.PR_GROUP_USER);
+
+ if (members != null) {
+ StringTokenizer st = new StringTokenizer(members, ",");
+
+ String groupName = group.getName();
+ boolean multiRole = true;
+
+ try {
+ multiRole = mConfig.getBoolean(MULTI_ROLE_ENABLE);
+ } catch (Exception eee) {
+ }
+ while (st.hasMoreTokens()) {
+ String memberName = st.nextToken();
+ if (multiRole) {
+ group.addMemberName(memberName);
+ } else {
+ if( isGroupInMultiRoleEnforceList(groupName)) {
+ if (!isDuplicate(groupName, memberName)) {
+ group.addMemberName(memberName);
+ } else {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberName));
+ }
+ } else {
+ group.addMemberName(memberName);
+ }
+ }
+ }
+ }
+
+ // allow adding a group with no members, except "Certificate
+ // Server Administrators"
+ try {
+ mMgr.modifyGroup(group);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_MODIFY_FAILED"),
+ null, resp);
+ return;
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the
specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private boolean isGroupInMultiRoleEnforceList(String groupName)
+ {
+ String groupList = null;
+
+ if (groupName == null || groupName.equals("")) {
+ return true;
+ }
+ if (mMultiRoleGroupEnforceList == null) {
+ try {
+ groupList = mConfig.getString(MULTI_ROLE_ENFORCE_GROUP_LIST);
+ } catch (Exception e) {
+ }
+
+ if (groupList != null && !groupList.equals("")) {
+ mMultiRoleGroupEnforceList = groupList.split(",");
+ for (int j = 0 ; j < mMultiRoleGroupEnforceList.length; j++) {
+ mMultiRoleGroupEnforceList[j] = mMultiRoleGroupEnforceList[j].trim();
+ }
+ }
+ }
+
+ if (mMultiRoleGroupEnforceList == null)
+ return true;
+
+ for (int i = 0; i < mMultiRoleGroupEnforceList.length; i++) {
+ if (groupName.equals(mMultiRoleGroupEnforceList[i])) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private boolean isDuplicate(String groupName, String memberName) {
+ Enumeration groups = null;
+
+ // Let's not mess with users that are already a member of this group
+ boolean isMember = false;
+ try {
+ isMember = mMgr.isMemberOf(memberName,groupName);
+ } catch (Exception e) {
+ }
+
+ if (isMember == true) {
+ return false;
+ }
+ try {
+ groups = mMgr.listGroups("*");
+ while (groups.hasMoreElements()) {
+ IGroup group = (IGroup) groups.nextElement();
+ String name = group.getName();
+ Enumeration g = mMgr.findGroups(name);
+ IGroup g1 = (IGroup) g.nextElement();
+ if (!name.equals(groupName)) {
+ if (isGroupInMultiRoleEnforceList(name)) {
+ Enumeration members = g1.getMemberNames();
+ while (members.hasMoreElements()) {
+ String m1 = (String) members.nextElement();
+ if (m1.equals(memberName))
+ return true;
+ }
+ }
+ }
+ }
+ } catch (Exception e) {
+ }
+
+ return false;
+ }
+
+ /**
+ * Modifies an existing user in local scope.
+ *

+ *
+ * Request/Response Syntax:
+ * http://warp.mcom.com/server/certificate/columbo/design/
+ * ui/admin-protocol-definition.html#user-admin
+ *

+ *
+ *

    + *
  • signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring
+ * role information (anything under users/groups)
+ *
+ * @param req HTTP servlet request
+ * @param resp HTTP servlet response
+ * @exception ServletException a servlet error has occurred
+ * @exception IOException an input/output error has occurred
+ * @exception EBaseException an error has occurred
+ */
+ private synchronized void modifyUser(HttpServletRequest req,
+ HttpServletResponse resp) throws ServletException,
+ IOException, EBaseException {
+
+ String auditMessage = null;
+ String auditSubjectID = auditSubjectID();
+
+ // ensure that any low-level exceptions are reported
+ // to the signed audit log and stored as failures
+ try {
+ //get id first
+ String id = super.getParameter(req, Constants.RS_ID);
+
+ if (id == null) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+ null, resp);
+ return;
+ }
+
+ IUser user = mMgr.createUser(id);
+ String fname = super.getParameter(req, Constants.PR_USER_FULLNAME);
+
+ if ((fname == null) || (fname.length() == 0)) {
+ String msg =
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED", "full name");
+
+ log(ILogger.LL_FAILURE, msg);
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR, msg, null, resp);
+ return;
+ } else
+ user.setFullName(fname);
+
+ String email = super.getParameter(req, Constants.PR_USER_EMAIL);
+
+ if (email != null) {
+ user.setEmail(email);
+ }
+ String pword = super.getParameter(req, Constants.PR_USER_PASSWORD);
+
+ if ((pword != null) && (!pword.equals(""))) {
+ IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+ if
(!passwdCheck.isGoodPassword(pword)) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ throw new EUsrGrpException(passwdCheck.getReason(pword));
+
+ //UsrGrpResources.BAD_PASSWD);
+ }
+
+ user.setPassword(pword);
+ }
+ String phone = super.getParameter(req, Constants.PR_USER_PHONE);
+
+ if (phone != null) {
+ user.setPhone(phone);
+ }
+
+ String userState = super.getParameter(req, Constants.PR_USER_STATE);
+ if (userState != null) {
+ user.setState(userState);
+ }
+
+ try {
+ mMgr.modifyUser(user);
+ NameValuePairs params = new NameValuePairs();
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(SUCCESS, null, params, resp);
+ return;
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE, e.toString());
+
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ sendResponse(ERROR,
+ CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+ return;
+ }
+ } catch (EBaseException eAudit1) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw eAudit1;
+ } catch (IOException eAudit2) {
+ // store a message in the signed audit log file
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditParams(req));
+
+ audit(auditMessage);
+
+ // rethrow the specific exception to be handled later
+ throw
eAudit2;
+ // } catch( ServletException eAudit3 ) {
+ // // store a message in the signed audit log file
+ // auditMessage = CMS.getLogMessage(
+ // LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+ // auditSubjectID,
+ // ILogger.FAILURE,
+ // auditParams( req ) );
+ //
+ // audit( auditMessage );
+ //
+ // // rethrow the specific exception to be handled later
+ // throw eAudit3;
+ }
+ }
+
+ private void log(int level, String msg) {
+ if (mLogger == null)
+ return;
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_USRGRP,
+ level, "UsrGrpAdminServlet: " + msg);
+ }
+}
-- cgit