From a4682ceae6774956461edd03b2485bbacea445f4 Mon Sep 17 00:00:00 2001 From: mharmsen Date: Tue, 4 Oct 2011 01:17:41 +0000 Subject: Bugzilla Bug #688225 - (dogtagIPAv2.1) TRACKER: of the Dogtag fixes for freeIPA 2.1 git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/tags/IPA_v2_RHEL_6_2_20111003@2252 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../authentication/CertUserDBAuthentication.java | 266 +++++++++++++++++++++ 1 file changed, 266 insertions(+) create mode 100644 pki/base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java (limited to 'pki/base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java') diff --git a/pki/base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/pki/base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java new file mode 100644 index 000000000..b9e0ede9d --- /dev/null +++ b/pki/base/common/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java @@ -0,0 +1,266 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cmscore.authentication; + + +import netscape.ldap.*; +import java.util.*; +import java.lang.Class; +import java.security.cert.*; +import netscape.security.x509.*; +import com.netscape.certsrv.base.*; +import com.netscape.cmscore.base.*; +import com.netscape.certsrv.common.*; +import com.netscape.certsrv.ldap.*; +import com.netscape.certsrv.usrgrp.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.dbs.certdb.*; +import com.netscape.certsrv.request.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.policy.*; + +import com.netscape.cmscore.ldapconn.*; +import com.netscape.cmscore.util.*; +import com.netscape.certsrv.ca.*; +import com.netscape.cmscore.dbs.*; +import com.netscape.certsrv.ra.*; +import com.netscape.cmscore.request.*; +import com.netscape.certsrv.kra.*; +import com.netscape.cmscore.usrgrp.*; + +import com.netscape.cmscore.util.*; + + +/** + * Certificate server agent authentication. + * Maps a SSL client authenticate certificate to a user (agent) entry in the + * internal database. + *

+ * + * @author lhsiao + * @author cfu + * @version $Revision$, $Date$ + */ +public class CertUserDBAuthentication implements IAuthManager { + + /* result auth token attributes */ + public static final String TOKEN_USERDN = "user"; + public static final String TOKEN_USER_DN = "userdn"; + public static final String TOKEN_USERID = "userid"; + public static final String TOKEN_UID = "uid"; + + /* required credentials */ + public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT; + protected String[] mRequiredCreds = { CRED_CERT }; + + /* config parameters to pass to console (none) */ + protected static String[] mConfigParams = null; + + private String mName = null; + private String mImplName = null; + private IConfigStore mConfig = null; + + private ICertUserLocator mCULocator = null; + private ILogger mLogger = CMS.getLogger(); + + private boolean mRevocationCheckingEnabled = false; + private IConfigStore mRevocationChecking = null; + private String mRequestor = null; + + public CertUserDBAuthentication() { + } + + /** + * initializes the CertUserDBAuthentication auth manager + *

+ * called by AuthSubsystem init() method, when initializing + * all available authentication managers. + * @param owner - The authentication subsystem that hosts this + * auth manager + * @param config - The configuration store used by the + * authentication subsystem + */ + public void init(String name, String implName, IConfigStore config) + throws EBaseException { + mName = name; + mImplName = implName; + mConfig = config; + + if (mConfig != null) { + mRevocationChecking = mConfig.getSubStore("revocationChecking"); + } + if (mRevocationChecking != null) { + mRevocationCheckingEnabled = mRevocationChecking.getBoolean("enabled", false); + if (mRevocationCheckingEnabled) { + int size = mRevocationChecking.getInteger("bufferSize", 0); + long interval = (long) mRevocationChecking.getInteger("validityInterval", 28800); + long unknownStateInterval = (long) mRevocationChecking.getInteger("unknownStateInterval", 1800); + + if (size > 0) + CMS.setListOfVerifiedCerts(size, interval, unknownStateInterval); + } + } + + mCULocator = new ExactMatchCertUserLocator(); + log(ILogger.LL_INFO, CMS.getLogMessage("INIT_DONE", name)); + } + + /** + * Gets the name of this authentication manager. + */ + public String getName() { + return mName; + } + + /** + * Gets the plugin name of authentication manager. + */ + public String getImplName() { + return mImplName; + } + + /** + * authenticates user(agent) by certificate + *

+ * called by other subsystems or their servlets to authenticate + * users (agents) + * @param authCred - authentication credential that contains + * an usrgrp.Certificates of the user (agent) + * @return the authentication token that contains the following + * + * @exception com.netscape.certsrv.base.EAuthsException any + * authentication failure or insufficient credentials + * @see com.netscape.certsrv.authentication.AuthToken + * @see com.netscape.certsrv.usrgrp.Certificates + */ + public IAuthToken authenticate(IAuthCredentials authCred) + throws EMissingCredential, EInvalidCredentials, EBaseException { + CMS.debug("CertUserDBAuth: started"); + AuthToken authToken = new AuthToken(this); + CMS.debug("CertUserDBAuth: Retrieving client certificate"); + X509Certificate[] x509Certs = + (X509Certificate[]) authCred.get(CRED_CERT); + + if (x509Certs == null) { + CMS.debug("CertUserDBAuth: no client certificate found"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_MISSING_CERT")); + throw new EMissingCredential(CMS.getUserMessage("CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CERT)); + } + CMS.debug("CertUserDBAuth: Got client certificate"); + + if (mRevocationCheckingEnabled) { + X509CertImpl cert0 = (X509CertImpl) x509Certs[0]; + if (cert0 == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_NO_CERT")); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); + } + if (CMS.isRevoked(x509Certs)) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_REVOKED_CERT")); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + } + + CMS.debug("Authentication: client certificate found"); + + // map cert to user + User user = null; + Certificates certs = new Certificates(x509Certs); + + try { + user = (User) mCULocator.locateUser(certs); + } catch (EUsrGrpException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber().toString(16), x509Certs[0].getSubjectDN().toString(), e.toString())); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } catch (netscape.ldap.LDAPException e) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_CANNOT_AGENT_AUTH", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + } + + // any unexpected error occurs like internal db down, + // UGSubsystem only returns null for user. + if (user == null) { + CMS.debug("Authentication: cannot map certificate to user"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_USER_NOT_FOUND")); + throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } + + CMS.debug("Authentication: mapped certificate to user"); + + authToken.set(TOKEN_USERDN, user.getUserDN()); + authToken.set(TOKEN_USER_DN, user.getUserDN()); + authToken.set(TOKEN_USERID, user.getUserID()); + authToken.set(TOKEN_UID, user.getUserID()); + authToken.set(CRED_CERT, certs); + + log(ILogger.LL_INFO, CMS.getLogMessage("CMS_AUTH_AUTHENTICATED", user.getUserID())); + CMS.debug("authenticated " + user.getUserDN()); + + return authToken; + } + + /** + * get the list of authentication credential attribute names + * required by this authentication manager. Generally used by + * the servlets that handle agent operations to authenticate its + * users. It calls this method to know which are the + * required credentials from the user (e.g. Javascript form data) + * @return attribute names in Vector + */ + public String[] getRequiredCreds() { + return (mRequiredCreds); + } + + /** + * get the list of configuration parameter names + * required by this authentication manager. Generally used by + * the Certificate Server Console to display the table for + * configuration purposes. CertUserDBAuthentication is currently not + * exposed in this case, so this method is not to be used. + * @return configuration parameter names in Hashtable of Vectors + * where each hashtable entry's key is the substore name, value is a + * Vector of parameter names. If no substore, the parameter name + * is the Hashtable key itself, with value same as key. + */ + public String[] getConfigParams() { + return (mConfigParams); + } + + /** + * prepare this authentication manager for shutdown. + */ + public void shutdown() { + } + + /** + * gets the configuretion substore used by this authentication + * manager + * @return configuration store + */ + public IConfigStore getConfigStore() { + return mConfig; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION, + level, msg); + } + +} -- cgit