diff options
| author | Ade Lee <alee@redhat.com> | 2012-05-13 23:04:36 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2012-06-08 10:48:25 -0400 |
| commit | c310d4a1716c3f7db005e55dbc9a69086512b221 (patch) | |
| tree | 797ab1eff5aa4c4c9e7d7cffd40b8e13bb8aed74 | |
| parent | 084a8cd360c7508febde06415d727d7d247b16ad (diff) | |
| download | pki-c310d4a1716c3f7db005e55dbc9a69086512b221.tar.gz pki-c310d4a1716c3f7db005e55dbc9a69086512b221.tar.xz pki-c310d4a1716c3f7db005e55dbc9a69086512b221.zip | |
initial checkin for profile submit changes
Refactored ProfileSubmitServlet to make the flow clearer.
3 files changed, 813 insertions, 837 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java index 1c610996..f035285e 100644 --- a/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java +++ b/base/common/src/com/netscape/cms/servlet/base/CMSServlet.java @@ -117,6 +117,7 @@ public abstract class CMSServlet extends HttpServlet { public final static String PROP_ID = "ID"; public final static String PROP_AUTHORITY = "authority"; + public final static String PROP_AUTHORITYID = "authorityId"; public final static String PROP_AUTHMGR = "AuthMgr"; public final static String PROP_CLIENTAUTH = "GetClientCert"; public final static String PROP_RESOURCEID = "resourceID"; @@ -291,6 +292,9 @@ public abstract class CMSServlet extends HttpServlet { mOutputTemplatePath = sc.getInitParameter("templatePath"); String authority = sc.getInitParameter(PROP_AUTHORITY); + if (authority == null) { + authority = sc.getInitParameter(PROP_AUTHORITYID); + } if (authority != null) mAuthority = (IAuthority) diff --git a/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java b/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java index e975161d..0295eb6a 100644 --- a/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java +++ b/base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java @@ -24,6 +24,7 @@ import java.io.IOException; import java.io.PrintStream; import java.io.PrintWriter; import java.util.Enumeration; +import java.util.LinkedHashSet; import java.util.Locale; import javax.servlet.ServletConfig; @@ -158,6 +159,9 @@ public class ProfileServlet extends CMSServlet { protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + // stats + protected LinkedHashSet<String> statEvents = null; + public ProfileServlet() { super(); } @@ -291,6 +295,55 @@ public class ProfileServlet extends CMSServlet { } } + public void outputTemplate(boolean isXML, HttpServletResponse response, ArgSet args) + throws EBaseException { + if (isXML) { + response.setContentType("text/xml"); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + outputThisAsXML(bos, args); + try { + response.setContentLength(bos.size()); + bos.writeTo(response.getOutputStream()); + } catch (Exception e) { + CMS.debug("outputTemplate error " + e); + } + return; + } + startTiming("output_template"); + + BufferedReader reader = null; + try { + reader = new BufferedReader(new FileReader(mTemplate)); + + response.setContentType("text/html; charset=UTF-8"); + + PrintWriter writer = response.getWriter(); + + // output template + String line = null; + + do { + line = reader.readLine(); + if (line != null) { + if (line.indexOf("<CMS_TEMPLATE>") == -1) { + writer.println(line); + } else { + // output javascript parameters + writer.println("<script type=\"text/javascript\">"); + outputData(writer, args); + writer.println("</script>"); + } + } + } while (line != null); + reader.close(); + } catch (IOException e) { + CMS.debug(e); + throw new EBaseException(e.toString()); + } finally { + endTiming("output_template"); + } + } + protected void outputArgList(PrintWriter writer, String name, ArgList list) throws IOException { @@ -321,6 +374,27 @@ public class ProfileServlet extends CMSServlet { } } + public void startTiming(String event) { + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.startTiming(event, true); + } + if (statEvents == null) { + statEvents = new LinkedHashSet<String>(); + } + statEvents.add(event); + } + + public void endTiming(String event) { + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + if (statsSub != null) { + statsSub.endTiming(event); + } + if (statEvents != null) { + statEvents.remove(event); + } + } + protected String escapeJavaScriptString(String v) { int l = v.length(); char in[] = new char[l]; diff --git a/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java index 85ef4fa0..81064d05 100644 --- a/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java +++ b/base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java @@ -42,9 +42,7 @@ import com.netscape.certsrv.authority.IAuthority; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.dbs.certdb.ICertRecord; -import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.profile.EDeferException; import com.netscape.certsrv.profile.EProfileException; @@ -64,7 +62,6 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestStatus; import com.netscape.certsrv.template.ArgList; import com.netscape.certsrv.template.ArgSet; -import com.netscape.certsrv.util.IStatsSubsystem; import com.netscape.cms.servlet.common.AuthCredentials; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cmsutil.util.Cert; @@ -94,12 +91,6 @@ public class ProfileSubmitServlet extends ProfileServlet { private String mProfileSubId = null; private String mAuthorityId = null; - private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] { - - /* 0 */"automated profile cert request rejection: " - + "indeterminate reason for inability to process " - + "cert request due to an EBaseException" - }; private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5"; @@ -418,7 +409,7 @@ public class ProfileSubmitServlet extends ProfileServlet { try { outputValue = profileOutput.getValue(outputName, - locale, req); + locale, req); } catch (EProfileException e) { CMS.debug("ProfileSubmitServlet: " + e.toString()); } @@ -435,6 +426,22 @@ public class ProfileSubmitServlet extends ProfileServlet { } } + private void errorExit(HttpServletResponse response, boolean xmlOutput, String message, String requestId) + throws EBaseException { + if (xmlOutput) { + outputError(response, FAILED, message, requestId); + } else { + ArgSet args = new ArgSet(); + args.set(ARG_ERROR_CODE, "1"); + args.set(ARG_ERROR_REASON, message); + outputTemplate(xmlOutput, response, args); + } + + for (String event : statEvents) { + endTiming(event); + } + } + /** * Process the HTTP request * <P> @@ -455,703 +462,619 @@ public class ProfileSubmitServlet extends ProfileServlet { public void process(CMSRequest cmsReq) throws EBaseException { HttpServletRequest request = cmsReq.getHttpReq(); HttpServletResponse response = cmsReq.getHttpResp(); - boolean xmlOutput = false; + boolean xmlOutput = getXMLOutput(request); - String v = request.getParameter("xml"); - if ((v != null) && (v.equalsIgnoreCase("true"))) { - xmlOutput = true; - } - v = request.getParameter("xmlOutput"); - if ((v != null) && (v.equalsIgnoreCase("true"))) { - xmlOutput = true; + if (CMS.debugOn()) { + printParameterValues(request); } - if (xmlOutput) { - CMS.debug("xmlOutput true"); + + String renewal = request.getParameter("renewal"); + if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) { + CMS.debug("ProfileSubmitServlet: isRenewal true"); + processRenewal(cmsReq); + return; } else { - CMS.debug("xmlOutput false"); + CMS.debug("ProfileSubmitServlet: isRenewal false"); } - IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); - if (statsSub != null) { - statsSub.startTiming("enrollment", true /* main action */); - } + startTiming("enrollment"); Locale locale = getLocale(request); - ArgSet args = new ArgSet(); - if (CMS.debugOn()) { - CMS.debug("Start of ProfileSubmitServlet Input Parameters"); - @SuppressWarnings("unchecked") - Enumeration<String> paramNames = request.getParameterNames(); - - while (paramNames.hasMoreElements()) { - String paramName = paramNames.nextElement(); - // added this facility so that password can be hidden, - // all sensitive parameters should be prefixed with - // __ (double underscores); however, in the event that - // a security parameter slips through, we perform multiple - // additional checks to insure that it is NOT displayed - if (paramName.startsWith("__") || - paramName.endsWith("password") || - paramName.endsWith("passwd") || - paramName.endsWith("pwd") || - paramName.equalsIgnoreCase("admin_password_again") || - paramName.equalsIgnoreCase("directoryManagerPwd") || - paramName.equalsIgnoreCase("bindpassword") || - paramName.equalsIgnoreCase("bindpwd") || - paramName.equalsIgnoreCase("passwd") || - paramName.equalsIgnoreCase("password") || - paramName.equalsIgnoreCase("pin") || - paramName.equalsIgnoreCase("pwd") || - paramName.equalsIgnoreCase("pwdagain") || - paramName.equalsIgnoreCase("uPasswd")) { - CMS.debug("ProfileSubmitServlet Input Parameter " + - paramName + "='(sensitive)'"); - } else { - CMS.debug("ProfileSubmitServlet Input Parameter " + - paramName + "='" + - request.getParameter(paramName) + "'"); - } + // if we did not configure profileId in xml file, + // then accept the user-provided one + String profileId = (mProfileId == null) ? request.getParameter("profileId") : mProfileId; + CMS.debug("ProfileSubmitServlet: profileId " + profileId); + + IProfile profile = getProfile(profileId); + if (profile == null) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId), null); + return; + } + + IProfileContext ctx = profile.createContext(); + IProfileAuthenticator authenticator = null; + try { + authenticator = profile.getAuthenticator(); + if (authenticator != null) { + CMS.debug("ProfileSubmitServlet: authenticator " + authenticator.getName() + " found"); + setCredentialsIntoContext(request, authenticator, ctx); } - CMS.debug("End of ProfileSubmitServlet Input Parameters"); + } catch (EProfileException e) { + // authenticator not installed correctly + CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); + return; } - CMS.debug("ProfileSubmitServlet: start serving"); + CMS.debug("ProfileSubmitServlet: set Inputs into profile Context"); + setInputsIntoContext(request, profile, ctx); - if (mProfileSubId == null || mProfileSubId.equals("")) { - mProfileSubId = IProfileSubsystem.ID; + // for ssl authentication; pass in servlet for retrieving + // ssl client certificates + // insert profile context so that input parameter can be retrieved + SessionContext context = SessionContext.getContext(); + context.put("profileContext", ctx); + context.put("sslClientCertProvider", new SSLClientCertProvider(request)); + CMS.debug("ProfileSubmitServlet: set sslClientCertProvider"); + + // before creating the request, authenticate the request + IAuthToken authToken = null; + try { + authToken = authenticate(request, null, authenticator, context, false); + } catch (EBaseException e) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_ERROR"), null); + return; } - CMS.debug("ProfileSubmitServlet: SubId=" + mProfileSubId); - IProfileSubsystem ps = (IProfileSubsystem) - CMS.getSubsystem(mProfileSubId); - if (ps == null) { - CMS.debug("ProfileSubmitServlet: ProfileSubsystem not found"); + // authentication success, now authorize + try { + authorize(profileId, profile, authToken); + } catch (EBaseException e) { + e.printStackTrace(); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_AUTHORIZATION_ERROR"), null); + return; + } + + /////////////////////////////////////////////// + // create and populate request + /////////////////////////////////////////////// + startTiming("request_population"); + IRequest reqs[] = null; + try { + reqs = profile.createRequests(ctx, locale); + } catch (Exception e) { + CMS.debug(e); + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); + errorExit(response, xmlOutput, e.toString(), null); + return; + } + + try { + populateRequests(request, false, locale, null, null, null, profileId, profile, + ctx, authenticator, authToken, reqs); + } catch (EBaseException e) { + CMS.debug("Error in populating request: " + e); + errorExit(response, xmlOutput, e.toString(), null); + return; + } + endTiming("request_population"); + + /////////////////////////////////////////////// + // submit request + /////////////////////////////////////////////// + ArgSet args = new ArgSet(); + String errorCode = submitRequests(locale, profile, authToken, reqs); + String errorReason = codeToReason(locale, errorCode); + + if (errorCode != null) { if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); + String requestIds = ""; + for (IRequest req : reqs) { + requestIds += " " + req.getRequestId().toString(); + } + + outputError(response, errorCode, errorReason, requestIds); } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); + ArgList requestlist = new ArgList(); + + for (IRequest req : reqs) { + ArgSet requestset = new ArgSet(); + requestset.set(ARG_REQUEST_ID, req.getRequestId().toString()); + requestlist.add(requestset); + } + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, errorCode); + args.set(ARG_ERROR_REASON, errorReason); outputTemplate(request, response, args); } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } + + endTiming("enrollment"); return; } - /* - * Renewal - Renewal is retrofitted into the Profile Enrollment - * Framework. The authentication and authorization are taken from - * the renewal profile, while the input (with requests) and grace - * period constraint are taken from the original cert's request record. - * - * Things to note: - * * the renew request will contain the original profile instead - * of the new - * * there is no request for system and admin certs generated at - * time of installation configuration. - */ - String renewal = request.getParameter("renewal"); - boolean isRenewal = false; - if ((renewal != null) && (renewal.equalsIgnoreCase("true"))) { - CMS.debug("ProfileSubmitServlet: isRenewal true"); - isRenewal = true; - request.setAttribute("reqType", "renewal"); + /////////////////////////////////////////////// + // output output list + /////////////////////////////////////////////// + + if (xmlOutput) { + xmlOutput(response, profile, locale, reqs); } else { - CMS.debug("ProfileSubmitServlet: isRenewal false"); - } + ArgList outputlist = new ArgList(); + for (int k = 0; k < reqs.length; k++) { - String renewProfileId = null; - IRequest origReq = null; - Integer origSeqNum = 0; + setOutputIntoArgs(profile, outputlist, locale, reqs[k]); + args.set(ARG_OUTPUT_LIST, outputlist); + } - // if we did not configure profileId in xml file, - // then accept the user-provided one - String profileId = null; + CMS.debug("ProfileSubmitServlet: done serving"); - if (mProfileId == null) { - profileId = request.getParameter("profileId"); - } else { - profileId = mProfileId; - } + ArgList requestlist = new ArgList(); - CMS.debug("ProfileSubmitServlet: profileId " + profileId); - // This is the expiration date of the orig. cert that will - // be used in the RenewGracePeriodConstraint - Date origNotAfter = null; - String origSubjectDN = null; - - if (isRenewal) { - // dig up the original request to "clone" - renewProfileId = profileId; - CMS.debug("ProfileSubmitServlet: renewProfileId =" + renewProfileId); - IAuthority authority = (IAuthority) CMS.getSubsystem(mAuthorityId); - if (authority == null) { - CMS.debug("ProfileSubmitServlet: renewal: Authority " + mAuthorityId + - " not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - IRequestQueue queue = authority.getRequestQueue(); - - if (queue == null) { - CMS.debug("ProfileSubmitServlet: renewal: Request Queue of " + - mAuthorityId + " not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; + for (int k = 0; k < reqs.length; k++) { + ArgSet requestset = new ArgSet(); + + requestset.set(ARG_REQUEST_ID, + reqs[k].getRequestId().toString()); + requestlist.add(requestset); } + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, "0"); + args.set(ARG_ERROR_REASON, ""); - String serial = request.getParameter("serial_num"); - BigInteger certSerial = null; - // if serial number is sent with request, then the authentication - // method is not ssl client auth. In this case, an alternative - // authentication method is used (default: ldap based) - if (serial != null) { - CMS.debug("ProfileSubmitServlet: renewal: found serial_num"); - certSerial = new BigInteger(serial); - // usr_origreq evaluator should be used to authorize ownership - // of the cert - } else { - CMS.debug("ProfileSubmitServlet: renewal: serial_num not found, must do ssl client auth"); - // ssl client auth is to be used - // this is not authentication. Just use the cert to search - // for orig request and find the right profile - SSLClientCertProvider sslCCP = new SSLClientCertProvider(request); - X509Certificate[] certs = sslCCP.getClientCertificateChain(); - certSerial = null; - if (certs == null || certs.length == 0) { - CMS.debug("ProfileSubmitServlet: renewal: no ssl client cert chain"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } else { // has ssl client cert - CMS.debug("ProfileSubmitServlet: renewal: has ssl client cert chain"); - // shouldn't expect leaf cert to be always at the - // same location - X509Certificate clientCert = null; - for (int i = 0; i < certs.length; i++) { - clientCert = certs[i]; - byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); - // try to see if this is a leaf cert - // look for BasicConstraint extension - if (extBytes == null) { - // found leaf cert - CMS.debug("ProfileSubmitServlet: renewal: found leaf cert"); - break; - } else { - CMS.debug("ProfileSubmitServlet: renewal: found cert having BasicConstraints ext"); - // it's got BasicConstraints extension - // so it's not likely to be a leaf cert, - // however, check the isCA field regardless - try { - BasicConstraintsExtension bce = - new BasicConstraintsExtension(true, extBytes); - if (bce != null) { - if (!(Boolean) bce.get("is_ca")) { - CMS.debug("ProfileSubmitServlet: renewal: found CA cert in chain"); - break; - } // else found a ca cert, continue - } - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + - e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } - } - if (clientCert == null) { - CMS.debug("ProfileSubmitServlet: renewal: no client cert in chain"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - // convert to java X509 cert interface - try { - byte[] certEncoded = clientCert.getEncoded(); + outputTemplate(request, response, args); + } - clientCert = new X509CertImpl(certEncoded); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } + SessionContext.releaseContext(); + endTiming("enrollment"); + } - certSerial = clientCert.getSerialNumber(); - } - } + /* + * Renewal - Renewal is retrofitted into the Profile Enrollment + * Framework. The authentication and authorization are taken from + * the renewal profile, while the input (with requests) and grace + * period constraint are taken from the original cert's request record. + * + * Things to note: + * * the renew request will contain the original profile instead of the new + */ + public void processRenewal(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest request = cmsReq.getHttpReq(); + HttpServletResponse response = cmsReq.getHttpResp(); + boolean xmlOutput = getXMLOutput(request); - CMS.debug("ProfileSubmitServlet: renewal: serial number of cert to renew:" + certSerial.toString()); + startTiming("enrollment"); - try { - ICertificateRepository certDB = null; - if (authority instanceof ICertificateAuthority) { - certDB = ((ICertificateAuthority) authority).getCertificateRepository(); - } - if (certDB == null) { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - ICertRecord rec = certDB.readCertificateRecord(certSerial); - if (rec == null) { - CMS.debug("ProfileSubmitServlet: renewal cert record not found for serial number " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } else { - CMS.debug("ProfileSubmitServlet: renewal cert record found for serial number:" - + certSerial.toString()); - // check to see if the cert is revoked or revoked_expired - if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) - || (rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED))) { - CMS.debug("ProfileSubmitServlet: renewal cert found to be revoked. Serial number = " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_CA_CANNOT_RENEW_REVOKED_CERT", certSerial.toString())); - outputTemplate(request, response, args); - return; - } - MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); - // note: CA's internal certs don't have request ids - // so some other way needs to be done - if (metaInfo != null) { - String rid = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); - - if (rid != null) { - origReq = queue.findRequest(new RequestId(rid)); - if (origReq != null) { - CMS.debug("ProfileSubmitServlet: renewal: found original enrollment request id:" + rid); - // debug: print the extData keys - /* - Enumeration<String> en = origReq.getExtDataKeys(); - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key print BEGINS"); - while (en.hasMoreElements()) { - String next = (String) en.nextElement(); - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key:"+ next); - } - CMS.debug("ProfileSubmitServlet: renewal: origRequest extdata key print ENDS"); - */ - String requestorE = origReq.getExtDataInString("requestor_email"); - CMS.debug("ProfileSubmitServlet: renewal original requestor email=" + requestorE); - profileId = origReq.getExtDataInString("profileId"); - if (profileId != null) - CMS.debug("ProfileSubmitServlet: renewal original profileId=" + profileId); - else { - CMS.debug("ProfileSubmitServlet: renewal original profileId not found"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM); - - } else { //if origReq - CMS.debug("ProfileSubmitServlet: renewal original request not found for request id " - + rid); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: cert record locating request id in MetaInfo failed for serial number " - + certSerial.toString()); - CMS.debug("ProfileSubmitServlet: renewal: cert may be bootstrapped system cert during installation/configuration - no request record exists"); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR" + ": original request not found")); - outputTemplate(request, response, args); - return; - } - } else { - CMS.debug("ProfileSubmitServlet: renewal: cert record locating MetaInfo failed for serial number " - + certSerial.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - // get orig cert expiration date - CMS.debug("ProfileSubmitServlet: renewal: before getting origNotAfter"); - X509CertImpl origCert = rec.getCertificate(); - origNotAfter = origCert.getNotAfter(); - CMS.debug("ProfileSubmitServlet: renewal: origNotAfter =" + - origNotAfter.toString()); - origSubjectDN = origCert.getSubjectDN().getName(); - CMS.debug("ProfileSubmitServlet: renewal: orig subj dn =" + - origSubjectDN); - } - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - } // end isRenewal + Locale locale = getLocale(request); + request.setAttribute("reqType", "renewal"); - IProfile profile = null; - IProfile renewProfile = null; + // in case of renew, "profile" is the orig profile + // while "renewProfile" is the current profile used for renewal + String renewProfileId = (mProfileId == null) ? request.getParameter("profileId") : mProfileId; + CMS.debug("processRenewal: renewProfileId " + renewProfileId); - try { - profile = ps.getProfile(profileId); - if (isRenewal) { - // in case of renew, "profile" is the orig profile - // while "renewProfile" is the current profile used for renewal - renewProfile = ps.getProfile(renewProfileId); - } - } catch (EProfileException e) { - if (profile == null) { - CMS.debug("ProfileSubmitServlet: profile not found profileId " + - profileId + " " + e.toString()); - } - if (renewProfile == null) { - CMS.debug("ProfileSubmitServlet: profile not found renewProfileId " + - renewProfileId + " " + e.toString()); - } + IProfile renewProfile = getProfile(renewProfileId); + if (renewProfile == null) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId), null); + return; } - if (profile == null) { - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", profileId)); - outputTemplate(request, response, args); + + String serial = request.getParameter("serial_num"); + BigInteger certSerial = null; + + if (serial != null) { + // if serial number is sent with request, then the authentication + // method is not ssl client auth. In this case, an alternative + // authentication method is used (default: ldap based) + // usr_origreq evaluator should be used to authorize ownership + // of the cert + CMS.debug("ProfileSubmitServlet: renewal: found serial_num"); + certSerial = new BigInteger(serial); + } else { + // ssl client auth is to be used + // this is not authentication. Just use the cert to search + // for orig request and find the right profile + CMS.debug("ProfileSubmitServlet: renewal: serial_num not found, must do ssl client auth"); + certSerial = getSerialNumberFromCert(request); + if (certSerial == null) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); + return; } + } + CMS.debug("processRenewal: serial number of cert to renew:" + certSerial.toString()); + + ICertRecord rec = getCertRecord(certSerial); + if (rec == null) { + CMS.debug("processRenewal: cert record not found for serial number " + certSerial.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); return; } - if (isRenewal && (renewProfile == null)) { - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", renewProfileId)); - outputTemplate(request, response, args); - } + + // check to see if the cert is revoked or revoked_expired + if ((rec.getStatus().equals(ICertRecord.STATUS_REVOKED)) + || (rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED))) { + CMS.debug("processRenewal: cert found to be revoked. Serial number = " + + certSerial.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_CA_CANNOT_RENEW_REVOKED_CERT"), + null); return; } - if (!ps.isProfileEnable(profileId)) { - CMS.debug("ProfileSubmitServlet: Profile " + profileId + - " not enabled"); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", profileId)); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } + X509CertImpl origCert = rec.getCertificate(); + if (origCert == null) { + CMS.debug("processRenewal: original cert not found in cert record for serial number " + + certSerial.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); return; } - if (isRenewal) { - if (!ps.isProfileEnable(renewProfileId)) { - CMS.debug("ProfileSubmitServlet: renewal Profile " + renewProfileId + - " not enabled"); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", renewProfileId)); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_PROFILE_NOT_FOUND", renewProfileId)); - outputTemplate(request, response, args); - } - return; - } + Date origNotAfter = origCert.getNotAfter(); + CMS.debug("processRenewal: origNotAfter =" + origNotAfter.toString()); + + String origSubjectDN = origCert.getSubjectDN().getName(); + CMS.debug("processRenewal: orig subj dn =" + origSubjectDN); + + IRequest origReq = getOriginalRequest(certSerial, rec); + if (origReq == null) { + CMS.debug("processRenewal: original request not foundcert not found"); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); + return; + } + + String profileId = origReq.getExtDataInString("profileId"); + CMS.debug("ProfileSubmitServlet: renewal original profileId=" + profileId); + + Integer origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM); + IProfile profile = getProfile(profileId); + if (profile == null) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", profileId), null); + return; } IProfileContext ctx = profile.createContext(); - // passing auths into context + IProfileAuthenticator authenticator = null; IProfileAuthenticator origAuthenticator = null; - try { - if (isRenewal) { - authenticator = renewProfile.getAuthenticator(); - origAuthenticator = profile.getAuthenticator(); - } else { - authenticator = profile.getAuthenticator(); + authenticator = renewProfile.getAuthenticator(); + origAuthenticator = profile.getAuthenticator(); + + if (authenticator != null) { + CMS.debug("ProfileSubmitServlet: authenticator " + authenticator.getName() + " found"); + setCredentialsIntoContext(request, authenticator, ctx); } - } catch (EProfileException e) { - // authenticator not installed correctly - CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - return; - } - if (authenticator == null) { - CMS.debug("ProfileSubmitServlet: authenticator not found"); - } else { - CMS.debug("ProfileSubmitServlet: authenticator " + - authenticator.getName() + " found"); - setCredentialsIntoContext(request, authenticator, ctx); - } - // for renewal, this will override or add auth info to the profile context - if (isRenewal) { + // for renewal, this will override or add auth info to the profile context if (origAuthenticator != null) { CMS.debug("ProfileSubmitServlet: for renewal, original authenticator " + origAuthenticator.getName() + " found"); setCredentialsIntoContext(request, origAuthenticator, ctx); - } else { - CMS.debug("ProfileSubmitServlet: for renewal, original authenticator not found"); } - } - CMS.debug("ProfileSubmistServlet: set Inputs into profile Context"); - if (isRenewal) { - // for renewal, input needs to be retrieved from the orig req record - CMS.debug("ProfileSubmitServlet: set original Inputs into profile Context"); - setInputsIntoContext(origReq, profile, ctx, locale); - ctx.set(IEnrollProfile.CTX_RENEWAL, "true"); - ctx.set("renewProfileId", renewProfileId); - ctx.set(IEnrollProfile.CTX_RENEWAL_SEQ_NUM, origSeqNum.toString()); - } else { - setInputsIntoContext(request, profile, ctx); + } catch (EProfileException e) { + // authenticator not installed correctly + CMS.debug("processRenewal: exception:" + e.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); + return; } - // before creating the request, authenticate the request - - IAuthToken authToken = null; + // for renewal, input needs to be retrieved from the orig req record + CMS.debug("processRenewal: set original Inputs into profile Context"); + setInputsIntoContext(origReq, profile, ctx, locale); + ctx.set(IEnrollProfile.CTX_RENEWAL, "true"); + ctx.set("renewProfileId", renewProfileId); + ctx.set(IEnrollProfile.CTX_RENEWAL_SEQ_NUM, origSeqNum.toString()); // for ssl authentication; pass in servlet for retrieving // ssl client certificates SessionContext context = SessionContext.getContext(); - - // insert profile context so that input parameter can be retrieved context.put("profileContext", ctx); - context.put("sslClientCertProvider", - new SSLClientCertProvider(request)); + context.put("sslClientCertProvider", new SSLClientCertProvider(request)); CMS.debug("ProfileSubmitServlet: set sslClientCertProvider"); - if ((isRenewal == true) && (origSubjectDN != null)) + if (origSubjectDN != null) context.put("origSubjectDN", origSubjectDN); - if (statsSub != null) { - statsSub.startTiming("profile_authentication"); + + // before creating the request, authenticate the request + IAuthToken authToken = null; + try { + authToken = authenticate(request, origReq, authenticator, context, true); + } catch (EBaseException e) { + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_ERROR"), null); + return; } - if (authenticator != null) { + // authentication success, now authorize + try { + authorize(profileId, renewProfile, authToken); + } catch (EBaseException e) { + e.printStackTrace(); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_AUTHORIZATION_ERROR"), null); + return; + } - CMS.debug("ProfileSubmitServlet: authentication required."); - String uid_cred = "Unidentified"; - String uid_attempted_cred = "Unidentified"; - Enumeration<String> authIds = authenticator.getValueNames(); - //Attempt to possibly fetch attemped uid, may not always be available. - if (authIds != null) { - while (authIds.hasMoreElements()) { - String authName = authIds.nextElement(); - String value = request.getParameter(authName); - if (value != null) { - if (authName.equals("uid")) { - uid_attempted_cred = value; - } - } - } - } + /////////////////////////////////////////////// + // create and populate requests + /////////////////////////////////////////////// + startTiming("request_population"); + IRequest reqs[] = null; - String authSubjectID = auditSubjectID(); + try { + reqs = profile.createRequests(ctx, locale); + } catch (EProfileException e) { + CMS.debug(e); + CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); + errorExit(response, xmlOutput, e.toString(), null); + return; + } catch (Throwable e) { + CMS.debug(e); + CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); + errorExit(response, xmlOutput, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), null); + return; + } - String authMgrID = authenticator.getName(); - String auditMessage = null; - try { - if (isRenewal) { - CMS.debug("ProfileSubmitServlet: renewal authenticate begins"); - authToken = authenticate(authenticator, request, origReq, context); - CMS.debug("ProfileSubmitServlet: renewal authenticate ends"); - } else { - authToken = authenticate(authenticator, request); - } - } catch (EBaseException e) { - CMS.debug("ProfileSubmitServlet: authentication error " + - e.toString()); - // authentication error - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_AUTHENTICATION_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_AUTHENTICATION_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("authentication"); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } + try { + populateRequests(request, true, locale, origNotAfter, origSubjectDN, origReq, profileId, profile, + ctx, authenticator, authToken, reqs); + } catch (EBaseException e) { + CMS.debug("Error in populating request: " + e); + errorExit(response, xmlOutput, e.toString(), null); + return; + } - //audit log our authentication failure + endTiming("request_population"); - authSubjectID += " : " + uid_cred; - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_AUTH_FAIL, - authSubjectID, - ILogger.FAILURE, - authMgrID, - uid_attempted_cred); - audit(auditMessage); + /////////////////////////////////////////////// + // submit request + /////////////////////////////////////////////// + ArgSet args = new ArgSet(); + String errorCode = submitRequests(locale, profile, authToken, reqs); + String errorReason = codeToReason(locale, errorCode); - return; + if (errorCode != null) { + if (xmlOutput) { + String requestIds = ""; + for (IRequest req : reqs) { + requestIds += " " + req.getRequestId().toString(); + } + + outputError(response, errorCode, errorReason, requestIds); + } else { + ArgList requestlist = new ArgList(); + + for (IRequest req : reqs) { + ArgSet requestset = new ArgSet(); + requestset.set(ARG_REQUEST_ID, req.getRequestId().toString()); + requestlist.add(requestset); + } + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, errorCode); + args.set(ARG_ERROR_REASON, errorReason); + outputTemplate(request, response, args); } - //Log successful authentication + endTiming("enrollment"); + return; + } - //Attempt to get uid from authToken, most tokens respond to the "uid" cred. - uid_cred = authToken.getInString("uid"); + /////////////////////////////////////////////// + // output output list + /////////////////////////////////////////////// + if (xmlOutput) { + xmlOutput(response, profile, locale, reqs); + } else { + ArgList outputlist = new ArgList(); + for (int k = 0; k < reqs.length; k++) { - if (uid_cred == null || uid_cred.length() == 0) { - uid_cred = "Unidentified"; + setOutputIntoArgs(profile, outputlist, locale, reqs[k]); + args.set(ARG_OUTPUT_LIST, outputlist); } - authSubjectID = authSubjectID + " : " + uid_cred; + CMS.debug("ProfileSubmitServlet: done serving"); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, - authSubjectID, - ILogger.SUCCESS, - authMgrID); + ArgList requestlist = new ArgList(); - audit(auditMessage); + for (int k = 0; k < reqs.length; k++) { + ArgSet requestset = new ArgSet(); + requestset.set(ARG_REQUEST_ID, + reqs[k].getRequestId().toString()); + requestlist.add(requestset); + } + args.set(ARG_REQUEST_LIST, requestlist); + args.set(ARG_ERROR_CODE, "0"); + args.set(ARG_ERROR_REASON, ""); + + outputTemplate(request, response, args); } - if (statsSub != null) { - statsSub.endTiming("profile_authentication"); - } - // authentication success + SessionContext.releaseContext(); + endTiming("enrollment"); + } + + private void authorize(String profileId, IProfile profile, IAuthToken authToken) throws EBaseException { if (authToken != null) { CMS.debug("ProfileSubmitServlet authToken not null"); - // do profile authorization - String acl = null; - if (isRenewal) - acl = renewProfile.getAuthzAcl(); - else - acl = profile.getAuthzAcl(); + + String acl = profile.getAuthzAcl(); CMS.debug("ProfileSubmitServlet: authz using acl: " + acl); if (acl != null && acl.length() > 0) { - try { - String resource = profileId + ".authz.acl"; - authorize(mAclMethod, resource, authToken, acl); - } catch (Exception e) { - CMS.debug("ProfileSubmitServlet authorize: " + e.toString()); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, - "CMS_AUTHORIZATION_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_AUTHORIZATION_ERROR")); - outputTemplate(request, response, args); - } - - return; - } + String resource = profileId + ".authz.acl"; + authorize(mAclMethod, resource, authToken, acl); } } + } - IRequest reqs[] = null; + private IProfile getProfile(String profileId) { + if (mProfileSubId == null || mProfileSubId.equals("")) { + mProfileSubId = IProfileSubsystem.ID; + } + CMS.debug("ProfileSubmitServlet: SubId=" + mProfileSubId); - if (statsSub != null) { - statsSub.startTiming("request_population"); + IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(mProfileSubId); + if (ps == null) { + CMS.debug("getProfile: Profile Subsystem not found"); + return null; } - /////////////////////////////////////////////// - // create request - /////////////////////////////////////////////// + + IProfile profile = null; + try { - reqs = profile.createRequests(ctx, locale); + profile = ps.getProfile(profileId); } catch (EProfileException e) { - CMS.debug(e); - CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); - if (xmlOutput) { - outputError(response, e.toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, e.toString()); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; - } catch (Throwable e) { - CMS.debug(e); - CMS.debug("ProfileSubmitServlet: createRequests " + e.toString()); - if (xmlOutput) { - outputError(response, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR")); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); + if (profile == null) { + CMS.debug("ProfileSubmitServlet: profile not found profileId " + profileId + " " + e.toString()); } - return; } + if (profile == null) { + CMS.debug("getProfile: Profile not found: " + profileId); + return null; + } + + if (!ps.isProfileEnable(profileId)) { + CMS.debug("ProfileSubmitServlet: Profile " + profileId + " not enabled"); + return null; + } + return profile; + } + + private String codeToReason(Locale locale, String errorCode) { + if (errorCode.equals("1")) { + return CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"); + } else if (errorCode.equals("2")) { + return CMS.getUserMessage(locale, "CMS_PROFILE_DEFERRED"); + } else if (errorCode.equals("3")) { + return CMS.getUserMessage(locale, "CMS_PROFILE_REJECTED"); + } + return null; + } + private String submitRequests(Locale locale, IProfile profile, IAuthToken authToken, IRequest[] reqs) { + String auditMessage = null; + String auditSubjectID = auditSubjectID(); + String auditRequesterID = ILogger.UNIDENTIFIED; + String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; String errorCode = null; String errorReason = null; - /////////////////////////////////////////////// - // populate request - /////////////////////////////////////////////// - for (int k = 0; k < reqs.length; k++) { + for (IRequest req : reqs) { + try { + // reset the "auditRequesterID" + auditRequesterID = auditRequesterID(req); + + // print request debug + if (req != null) { + Enumeration<String> reqKeys = req.getExtDataKeys(); + while (reqKeys.hasMoreElements()) { + String reqKey = reqKeys.nextElement(); + String reqVal = req.getExtDataInString(reqKey); + if (reqVal != null) { + CMS.debug("ProfileSubmitServlet: key=$request." + reqKey + "$ value=" + reqVal); + } + } + } + + profile.submit(authToken, req); + req.setRequestStatus(RequestStatus.COMPLETE); + + // reset the "auditInfoCertValue" + auditInfoCertValue = auditInfoCertValue(req); + + if (auditInfoCertValue != null) { + if (!(auditInfoCertValue.equals( + ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRequesterID, + ILogger.SIGNED_AUDIT_ACCEPTANCE, + auditInfoCertValue); + + audit(auditMessage); + } + } + } catch (EDeferException e) { + // return defer message to the user + req.setRequestStatus(RequestStatus.PENDING); + // need to notify + INotify notify = profile.getRequestQueue().getPendingNotify(); + if (notify != null) { + notify.notify(req); + } + + CMS.debug("ProfileSubmitServlet: submit " + e.toString()); + errorCode = "2"; + errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_DEFERRED", e.toString()); + + // do NOT store a message in the signed audit log file + // as this errorCode indicates that a process has been + // deferred for manual acceptance/cancellation/rejection + } catch (ERejectException e) { + // return error to the user + req.setRequestStatus(RequestStatus.REJECTED); + CMS.debug("ProfileSubmitServlet: submit " + e.toString()); + errorCode = "3"; + errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_REJECTED", e.toString()); + + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + errorReason); + + audit(auditMessage); + } catch (Throwable e) { + // return error to the user + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: submit " + e.toString()); + errorCode = "1"; + errorReason = CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + ILogger.SIGNED_AUDIT_REJECTION, + errorReason); + + audit(auditMessage); + } + + try { + if (errorCode == null) { + profile.getRequestQueue().markAsServiced(req); + } else { + profile.getRequestQueue().updateRequest(req); + } + } catch (EBaseException e) { + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: updateRequest " + e.toString()); + } + } + return errorCode; + } + + private void populateRequests(HttpServletRequest request, boolean isRenewal, Locale locale, Date origNotAfter, + String origSubjectDN, IRequest origReq, String profileId, IProfile profile, IProfileContext ctx, + IProfileAuthenticator authenticator, IAuthToken authToken, IRequest[] reqs) throws EBaseException { + for (IRequest req : reqs) { boolean fromRA = false; String uid = ""; // adding parameters to request if (isRenewal) { - setInputsIntoRequest(origReq, profile, reqs[k], locale); - // set orig expiration date to be used in Validity constraint - reqs[k].setExtData("origNotAfter", - BigInteger.valueOf(origNotAfter.getTime())); - // set subjectDN to be used in subject name default - reqs[k].setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, origSubjectDN); - // set request type - reqs[k].setRequestType("renewal"); - } else - setInputsIntoRequest(request, profile, reqs[k]); + setInputsIntoRequest(origReq, profile, req, locale); + req.setExtData("origNotAfter", BigInteger.valueOf(origNotAfter.getTime())); + req.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, origSubjectDN); + req.setRequestType("renewal"); + } else { + setInputsIntoRequest(request, profile, req); + } // serial auth token into request if (authToken != null) { @@ -1161,19 +1084,16 @@ public class ProfileSubmitServlet extends ProfileServlet { String[] tokenVals = authToken.getInStringArray(tokenName); if (tokenVals != null) { for (int i = 0; i < tokenVals.length; i++) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + - tokenName + "[" + i + "]", tokenVals[i]); + req.setExtData(ARG_AUTH_TOKEN + "." + tokenName + "[" + i + "]", tokenVals[i]); } } else { String tokenVal = authToken.getInString(tokenName); if (tokenVal != null) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + tokenName, - tokenVal); + req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, tokenVal); // if RA agent, auto assign the request if (tokenName.equals("uid")) uid = tokenVal; - if (tokenName.equals("group") && - tokenVal.equals("Registration Manager Agents")) { + if (tokenName.equals("group") && tokenVal.equals("Registration Manager Agents")) { fromRA = true; } } @@ -1183,289 +1103,267 @@ public class ProfileSubmitServlet extends ProfileServlet { if (fromRA) { CMS.debug("ProfileSubmitServlet: request from RA: " + uid); - reqs[k].setExtData(ARG_REQUEST_OWNER, uid); + req.setExtData(ARG_REQUEST_OWNER, uid); } // put profile framework parameters into the request - reqs[k].setExtData(ARG_PROFILE, "true"); - reqs[k].setExtData(ARG_PROFILE_ID, profileId); + req.setExtData(ARG_PROFILE, "true"); + req.setExtData(ARG_PROFILE_ID, profileId); if (isRenewal) - reqs[k].setExtData(ARG_RENEWAL_PROFILE_ID, request.getParameter("profileId")); - reqs[k].setExtData(ARG_PROFILE_APPROVED_BY, profile.getApprovedBy()); - String setId = profile.getPolicySetId(reqs[k]); + req.setExtData(ARG_RENEWAL_PROFILE_ID, request.getParameter("profileId")); + req.setExtData(ARG_PROFILE_APPROVED_BY, profile.getApprovedBy()); + String setId = profile.getPolicySetId(req); if (setId == null) { // no profile set found CMS.debug("ProfileSubmitServlet: no profile policy set found"); - if (xmlOutput) { - outputError(response, FAILED, CMS.getUserMessage("CMS_PROFILE_NO_POLICY_SET_FOUND"), - reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, - CMS.getUserMessage("CMS_PROFILE_NO_POLICY_SET_FOUND")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; + throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NO_POLICY_SET_FOUND")); } CMS.debug("ProfileSubmitServlet profileSetid=" + setId); - reqs[k].setExtData(ARG_PROFILE_SET_ID, setId); - reqs[k].setExtData(ARG_PROFILE_REMOTE_HOST, request.getRemoteHost()); - reqs[k].setExtData(ARG_PROFILE_REMOTE_ADDR, request.getRemoteAddr()); + req.setExtData(ARG_PROFILE_SET_ID, setId); + req.setExtData(ARG_PROFILE_REMOTE_HOST, request.getRemoteHost()); + req.setExtData(ARG_PROFILE_REMOTE_ADDR, request.getRemoteAddr()); - CMS.debug("ProfileSubmitServlet: request " + - reqs[k].getRequestId().toString()); + CMS.debug("ProfileSubmitServlet: request " + req.getRequestId().toString()); try { CMS.debug("ProfileSubmitServlet: populating request inputs"); // give authenticator a chance to populate the request if (authenticator != null) { - authenticator.populate(authToken, reqs[k]); + authenticator.populate(authToken, req); } - profile.populateInput(ctx, reqs[k]); - profile.populate(reqs[k]); + profile.populateInput(ctx, req); + profile.populate(req); } catch (EProfileException e) { - CMS.debug("ProfileSubmitServlet: populate " + e.toString()); - if (xmlOutput) { - outputError(response, FAILED, e.toString(), reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, e.toString()); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: EProfileException for " + req.getRequestId().toString() + + ": " + e.toString()); + throw new EBaseException(e.toString()); } catch (Throwable e) { CMS.debug("ProfileSubmitServlet: populate " + e.toString()); - // throw new IOException("Profile " + profileId + - // " cannot populate"); - if (xmlOutput) { - outputError(response, FAILED, CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR"), - reqs[k].getRequestId().toString()); - } else { - args.set(ARG_ERROR_CODE, "1"); - args.set(ARG_ERROR_REASON, CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR")); - outputTemplate(request, response, args); - } - if (statsSub != null) { - statsSub.endTiming("request_population"); - statsSub.endTiming("enrollment"); - } - return; + throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR")); } } - if (statsSub != null) { - statsSub.endTiming("request_population"); - } - - String auditMessage = null; - String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; - String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } - try { - /////////////////////////////////////////////// - // submit request - /////////////////////////////////////////////// - String requestIds = ""; // deliminated with double space - for (int k = 0; k < reqs.length; k++) { - try { - // reset the "auditRequesterID" - auditRequesterID = auditRequesterID(reqs[k]); - - // print request debug - if (reqs[k] != null) { - requestIds += " " + reqs[k].getRequestId().toString(); - Enumeration<String> reqKeys = reqs[k].getExtDataKeys(); - while (reqKeys.hasMoreElements()) { - String reqKey = reqKeys.nextElement(); - String reqVal = reqs[k].getExtDataInString(reqKey); - if (reqVal != null) { - CMS.debug("ProfileSubmitServlet: key=$request." + reqKey + "$ value=" + reqVal); - } - } - } + private IAuthToken authenticate(HttpServletRequest request, IRequest origReq, IProfileAuthenticator authenticator, + SessionContext context, boolean isRenewal) throws EBaseException { + startTiming("profile_authentication"); - profile.submit(authToken, reqs[k]); - reqs[k].setRequestStatus(RequestStatus.COMPLETE); - - // reset the "auditInfoCertValue" - auditInfoCertValue = auditInfoCertValue(reqs[k]); - - if (auditInfoCertValue != null) { - if (!(auditInfoCertValue.equals( - ILogger.SIGNED_AUDIT_EMPTY_VALUE))) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - ILogger.SIGNED_AUDIT_ACCEPTANCE, - auditInfoCertValue); - - audit(auditMessage); + IAuthToken authToken = null; + if (authenticator != null) { + CMS.debug("authenticate: authentication required."); + String uid_cred = "Unidentified"; + String uid_attempted_cred = "Unidentified"; + Enumeration<String> authIds = authenticator.getValueNames(); + //Attempt to possibly fetch attempted uid, may not always be available. + if (authIds != null) { + while (authIds.hasMoreElements()) { + String authName = authIds.nextElement(); + String value = request.getParameter(authName); + if (value != null) { + if (authName.equals("uid")) { + uid_attempted_cred = value; } } - } catch (EDeferException e) { - // return defer message to the user - reqs[k].setRequestStatus(RequestStatus.PENDING); - // need to notify - INotify notify = profile.getRequestQueue().getPendingNotify(); - if (notify != null) { - notify.notify(reqs[k]); - } - - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "2"; - errorReason = CMS.getUserMessage(locale, - "CMS_PROFILE_DEFERRED", - e.toString()); - } catch (ERejectException e) { - // return error to the user - reqs[k].setRequestStatus(RequestStatus.REJECTED); - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "3"; - errorReason = CMS.getUserMessage(locale, - "CMS_PROFILE_REJECTED", - e.toString()); - } catch (Throwable e) { - // return error to the user - CMS.debug("ProfileSubmitServlet: submit " + e.toString()); - errorCode = "1"; - errorReason = CMS.getUserMessage(locale, - "CMS_INTERNAL_ERROR"); } + } - try { - if (errorCode == null) { - profile.getRequestQueue().markAsServiced(reqs[k]); - } else { - profile.getRequestQueue().updateRequest(reqs[k]); - } - } catch (EBaseException e) { - CMS.debug("ProfileSubmitServlet: updateRequest " + - e.toString()); + String authSubjectID = auditSubjectID(); + String authMgrID = authenticator.getName(); + String auditMessage = null; + try { + if (isRenewal) { + authToken = authenticate(authenticator, request, origReq, context); + } else { + authToken = authenticate(authenticator, request); } + } catch (EBaseException e) { + CMS.debug("ProfileSubmitServlet: authentication error " + e.toString()); - if (errorCode != null) { - if (errorCode.equals("1")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - errorReason); + authSubjectID += " : " + uid_cred; + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_FAIL, + authSubjectID, + ILogger.FAILURE, + authMgrID, + uid_attempted_cred); + audit(auditMessage); - audit(auditMessage); - } else if (errorCode.equals("2")) { - // do NOT store a message in the signed audit log file - // as this errorCode indicates that a process has been - // deferred for manual acceptance/cancellation/rejection - } else if (errorCode.equals("3")) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - errorReason); + throw e; + } - audit(auditMessage); - } - } + //Log successful authentication + //Attempt to get uid from authToken, most tokens respond to the "uid" cred. + uid_cred = authToken.getInString("uid"); + + if (uid_cred == null || uid_cred.length() == 0) { + uid_cred = "Unidentified"; } - if (errorCode != null) { - if (xmlOutput) { - // when errorCode is not null, requestIds should have >=1 - outputError(response, errorCode, errorReason, requestIds); - } else { - ArgList requestlist = new ArgList(); + authSubjectID = authSubjectID + " : " + uid_cred; - for (int k = 0; k < reqs.length; k++) { - ArgSet requestset = new ArgSet(); + // store a message in the signed audit log file + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_AUTH_SUCCESS, + authSubjectID, + ILogger.SUCCESS, + authMgrID); + + audit(auditMessage); + } + endTiming("profile_authentication"); + return authToken; + } - requestset.set(ARG_REQUEST_ID, - reqs[k].getRequestId().toString()); - requestlist.add(requestset); + private BigInteger getSerialNumberFromCert(HttpServletRequest request) throws EBaseException { + BigInteger certSerial; + SSLClientCertProvider sslCCP = new SSLClientCertProvider(request); + X509Certificate[] certs = sslCCP.getClientCertificateChain(); + certSerial = null; + if (certs == null || certs.length == 0) { + CMS.debug("ProfileSubmitServlet: renewal: no ssl client cert chain"); + return null; + } else { // has ssl client cert + CMS.debug("ProfileSubmitServlet: renewal: has ssl client cert chain"); + // shouldn't expect leaf cert to be always at the + // same location + X509Certificate clientCert = null; + for (int i = 0; i < certs.length; i++) { + clientCert = certs[i]; + byte[] extBytes = clientCert.getExtensionValue("2.5.29.19"); + // try to see if this is a leaf cert + // look for BasicConstraint extension + if (extBytes == null) { + // found leaf cert + CMS.debug("ProfileSubmitServlet: renewal: found leaf cert"); + break; + } else { + CMS.debug("ProfileSubmitServlet: renewal: found cert having BasicConstraints ext"); + // it's got BasicConstraints extension + // so it's not likely to be a leaf cert, + // however, check the isCA field regardless + try { + BasicConstraintsExtension bce = + new BasicConstraintsExtension(true, extBytes); + if (bce != null) { + if (!(Boolean) bce.get("is_ca")) { + CMS.debug("ProfileSubmitServlet: renewal: found CA cert in chain"); + break; + } // else found a ca cert, continue + } + } catch (Exception e) { + CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); + return null; } - args.set(ARG_REQUEST_LIST, requestlist); - args.set(ARG_ERROR_CODE, errorCode); - args.set(ARG_ERROR_REASON, errorReason); - outputTemplate(request, response, args); } - if (statsSub != null) { - statsSub.endTiming("enrollment"); - } - return; + } + if (clientCert == null) { + CMS.debug("ProfileSubmitServlet: renewal: no client cert in chain"); + return null; + } + // convert to java X509 cert interface + try { + byte[] certEncoded = clientCert.getEncoded(); + clientCert = new X509CertImpl(certEncoded); + } catch (Exception e) { + e.printStackTrace(); + CMS.debug("ProfileSubmitServlet: renewal: exception:" + e.toString()); + return null; } - /////////////////////////////////////////////// - // output output list - /////////////////////////////////////////////// - if (xmlOutput) { - xmlOutput(response, profile, locale, reqs); - } else { - ArgList outputlist = new ArgList(); - for (int k = 0; k < reqs.length; k++) { + certSerial = clientCert.getSerialNumber(); + } + return certSerial; + } - setOutputIntoArgs(profile, outputlist, locale, reqs[k]); - args.set(ARG_OUTPUT_LIST, outputlist); - } + private IRequest getOriginalRequest(BigInteger certSerial, ICertRecord rec) throws EBaseException { + IAuthority authority = (IAuthority) CMS.getSubsystem(mAuthorityId); + if (authority == null) { + CMS.debug("getOriginalRequest: Authority " + mAuthorityId + " not found"); + return null; + } + IRequestQueue queue = authority.getRequestQueue(); - CMS.debug("ProfileSubmitServlet: done serving"); + if (queue == null) { + CMS.debug("getOriginalRequest: Request Queue of " + mAuthorityId + " not found"); + return null; + } - ArgList requestlist = new ArgList(); + MetaInfo metaInfo = (MetaInfo) rec.get(ICertRecord.ATTR_META_INFO); + if (metaInfo == null) { + CMS.debug("getOriginalRequest: cert record locating MetaInfo failed for serial number " + + certSerial.toString()); + return null; + } - for (int k = 0; k < reqs.length; k++) { - ArgSet requestset = new ArgSet(); + String rid = (String) metaInfo.get(ICertRecord.META_REQUEST_ID); + if (rid == null) { + CMS.debug("getOriginalRequest: cert record locating request id in MetaInfo failed " + + "for serial number " + certSerial.toString()); + return null; + } - requestset.set(ARG_REQUEST_ID, - reqs[k].getRequestId().toString()); - requestlist.add(requestset); - } - args.set(ARG_REQUEST_LIST, requestlist); - args.set(ARG_ERROR_CODE, "0"); - args.set(ARG_ERROR_REASON, ""); + CMS.debug("getOriginalRequest: request id is " + rid); + IRequest origReq = queue.findRequest(new RequestId(rid)); + return origReq; + } - outputTemplate(request, response, args); - } - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - // (automated cert request processed - "rejected") - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - ILogger.SIGNED_AUDIT_REJECTION, - SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]); + private boolean getXMLOutput(HttpServletRequest request) { + boolean xmlOutput = false; - audit(auditMessage); + String v = request.getParameter("xml"); + if ((v != null) && (v.equalsIgnoreCase("true"))) { + xmlOutput = true; + } + v = request.getParameter("xmlOutput"); + if ((v != null) && (v.equalsIgnoreCase("true"))) { + xmlOutput = true; + } + if (xmlOutput) { + CMS.debug("xmlOutput true"); + } else { + CMS.debug("xmlOutput false"); + } + return xmlOutput; + } - if (statsSub != null) { - statsSub.endTiming("enrollment"); + private void printParameterValues(HttpServletRequest request) { + CMS.debug("Start of ProfileSubmitServlet Input Parameters"); + // @SuppressWarnings("unchecked") + Enumeration<String> paramNames = request.getParameterNames(); + + while (paramNames.hasMoreElements()) { + String paramName = paramNames.nextElement(); + // added this facility so that password can be hidden, + // all sensitive parameters should be prefixed with + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed + if (paramName.startsWith("__") || + paramName.endsWith("password") || + paramName.endsWith("passwd") || + paramName.endsWith("pwd") || + paramName.equalsIgnoreCase("admin_password_again") || + paramName.equalsIgnoreCase("directoryManagerPwd") || + paramName.equalsIgnoreCase("bindpassword") || + paramName.equalsIgnoreCase("bindpwd") || + paramName.equalsIgnoreCase("passwd") || + paramName.equalsIgnoreCase("password") || + paramName.equalsIgnoreCase("pin") || + paramName.equalsIgnoreCase("pwd") || + paramName.equalsIgnoreCase("pwdagain") || + paramName.equalsIgnoreCase("uPasswd")) { + CMS.debug("ProfileSubmitServlet Input Parameter " + + paramName + "='(sensitive)'"); + } else { + CMS.debug("ProfileSubmitServlet Input Parameter " + + paramName + "='" + + request.getParameter(paramName) + "'"); } - throw eAudit1; - } finally { - SessionContext.releaseContext(); - } - if (statsSub != null) { - statsSub.endTiming("enrollment"); } + CMS.debug("End of ProfileSubmitServlet Input Parameters"); } private void xmlOutput(HttpServletResponse httpResp, IProfile profile, Locale locale, IRequest[] reqs) { |