
commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Tue Sep 15 12:29:08 2015 -0600
    Fixed pkidbuser group memberships.
    
    Due to a certificate mapping issue the subsystem certificate can
    be mapped into either the subsystem user or pkidbuser, which may
    cause problems since the users don't belong to the same groups.
    As a temporary solution the pkidbuser is now added into the same
    groups. This way the client subsystem can always access the
    services regardless of which user the certificate is actually
    mapped to.
    
    Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival
    
    https://fedorahosted.org/pki/ticket/1595
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 708240b..d99929f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -50,6 +50,7 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.StringTokenizer;
@@ -62,32 +63,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.xml.parsers.ParserConfigurationException;
 
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPDN;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv3;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.Extension;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
+import org.apache.commons.lang.StringUtils;
 import org.apache.velocity.context.Context;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NicknameConflictException;
@@ -180,6 +156,32 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 import com.netscape.cmsutil.xml.XMLObject;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv3;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
 /**
  * Utility class for functions to be used both by the RESTful installer
  * and the UI Panels.
@@ -3892,7 +3894,7 @@ public class ConfigurationUtils {
         String groupName = "Trusted Managers";
         IGroup group = system.getGroupFromName(groupName);
         if (!group.isMember(id)) {
-            CMS.debug("setupClientAuthUser: adding user to the trusted managers group.");
+            CMS.debug("setupClientAuthUser: adding user to the " + groupName + " group.");
             group.addMemberName(id);
             system.modifyGroup(group);
         }
@@ -4119,7 +4121,7 @@ public class ConfigurationUtils {
         user.setX509Certificates(certs);
 
         system.addUser(user);
-        CMS.debug("setupDBUser(): successfully added the user");
+        CMS.debug("setupDBUser(): successfully added " + DBUSER);
 
         system.addUserCert(user);
         CMS.debug("setupDBUser(): successfully add the user certificate");
@@ -4130,6 +4132,36 @@ public class ConfigurationUtils {
         // remove old db users
         CMS.debug("setupDBUser(): removing seeAlso from old dbusers");
         removeOldDBUsers(certs[0].getSubjectDN().toString());
+
+        // workaround for ticket #1595
+        IConfigStore cs = CMS.getConfigStore();
+        String csType = cs.getString("cs.type").toUpperCase();
+
+        Collection<String> groupNames = new ArrayList<String>();
+
+        if ("CA".equals(csType)) {
+            groupNames.add("Subsystem Group");
+            groupNames.add("Certificate Manager Agents");
+
+        } else if ("KRA".equals(csType)) {
+            groupNames.add("Data Recovery Manager Agents");
+            groupNames.add("Trusted Managers");
+
+        } else if ("OCSP".equals(csType)) {
+            groupNames.add("Trusted Managers");
+
+        } else if ("TKS".equals(csType)) {
+            groupNames.add("Token Key Service Manager Agents");
+        }
+
+        for (String groupName : groupNames) {
+            IGroup group = system.getGroupFromName(groupName);
+            if (!group.isMember(DBUSER)) {
+                CMS.debug("setupDBUser(): adding " + DBUSER + " to the " + groupName + " group.");
+                group.addMemberName(DBUSER);
+                system.modifyGroup(group);
+            }
+        }
     }
 
     public static void addProfilesToTPSUser(String adminID) throws EUsrGrpException, LDAPException {
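Review bot: The group returned by `system.getGroupFromName(groupName)` in the new loop is dereferenced on the next line without a null check, so a subsystem whose directory is missing one of the listed groups would fail with a NullPointerException instead of an error naming the group; if that method can return null (the existing Trusted Managers code in the earlier hunk has the same pattern), add `if (group == null) { CMS.debug("setupDBUser(): group " + groupName + " not found"); continue; }` before the `isMember` call, or throw, since a missing agent group leaves the inter-subsystem authentication broken. The comment `// workaround for ticket #1595` should also record what the block changes in the security model, e.g. `// workaround for ticket #1595: give pkidbuser the same agent/subsystem group memberships as the subsystem user, because the subsystem certificate may map to either account; temporary - remove once the certificate mapping is fixed`, because adding a database service account to agent groups widens its privileges and the commit message is currently the only place that records why. `cs.getString("cs.type").toUpperCase()` uses the default locale; `toUpperCase(Locale.ROOT)` keeps the comparison against the literal subsystem names locale-independent. setupDBUser begins before this hunk; its closing brace is the first context line after the added block.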