rpms / pki-core

Clone
Source Code
GIT

Blame SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-10.6 c8-stream-10.6 c8s-stream-10.6 c9 c9-beta
  1.   708f38894a3d8ce81f5bf80f379048534ac3339a
  2.   SOURCES
  3.   pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
Blob History Raw
708f38 
From 428c189fa0560bf656b8ded272295d705f602093 Mon Sep 17 00:00:00 2001
708f38 
From: Christina Fu <cfu@redhat.com>
708f38 
Date: Thu, 19 Jan 2023 10:10:33 +0000
708f38 
Subject: [PATCH] Add authorization to limit setTokenStatus to allowed admins
708f38
708f38 
This patch adds authorization to limit setTokenStatus to admins
708f38 
allowed for the token type in question.
708f38 
If a token is not associated with a keyType/profile, then the admin
708f38 
must have the ALL_PROFILES prvilege.
708f38
708f38 
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
708f38
708f38 
(cherry picked from commit d74ac7e6e8a2efbb7abe3b5c21637afdd084d245)
708f38 
---
708f38 
 .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 +++++++++++++++++
708f38 
 1 file changed, 17 insertions(+)
708f38
708f38 
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
708f38 
index d2a3444..5256a66 100644
708f38 
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
708f38 
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
708f38 
@@ -75,6 +75,23 @@ public class TokenService extends SubsystemService implements TokenResource {
708f38 
     public void setTokenStatus(TokenRecord tokenRecord, TokenStatus tokenState, String ipAddress, String remoteUser,
708f38 
             Map<String, String> auditModParams)
708f38 
                     throws Exception {
708f38 
+        String method = "TPSService:setTokenStatus: ";
708f38 
+        String msg = "";
708f38 
+
708f38 
+        List<String> authorizedProfiles = getAuthorizedProfiles();
708f38 
+        if (authorizedProfiles == null) {
708f38 
+            msg = "authorizedProfiles null";
708f38 
+            CMS.debug(method + msg);
708f38 
+            throw new PKIException(method + msg);
708f38 
+        }
708f38 
+        String type = tokenRecord.getType();
708f38 
+        // if token not associated with any keyType/profile, disallow access,
708f38 
+        // unless the user has the "ALL_PROFILES" privilege
708f38 
+        if (!authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
708f38 
+            if (((type == null) || type.isEmpty()) || !authorizedProfiles.contains(type))
708f38 
+               throw new PKIException(method + "Token record restricted");
708f38 
+        }
708f38 
+
708f38 
         TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
708f38 
         IConfigStore config = CMS.getConfigStore();
708f38
708f38 
--
708f38 
1.8.3.1
708f38

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation