From 428c189fa0560bf656b8ded272295d705f602093 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 19 Jan 2023 10:10:33 +0000
Subject: [PATCH] Add authorization to limit setTokenStatus to allowed admins
This patch adds authorization to limit setTokenStatus to admins
allowed for the token type in question.
If a token is not associated with a keyType/profile, then the admin
must have the ALL_PROFILES privilege.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
(cherry picked from commit d74ac7e6e8a2efbb7abe3b5c21637afdd084d245)
---
.../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
index d2a3444..5256a66 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
@@ -75,6 +75,23 @@ public class TokenService extends SubsystemService implements TokenResource {
public void setTokenStatus(TokenRecord tokenRecord, TokenStatus tokenState, String ipAddress, String remoteUser,
Map<String, String> auditModParams)
throws Exception {
+ String method = "TPSService:setTokenStatus: ";
+ String msg = "";
+
+ List<String> authorizedProfiles = getAuthorizedProfiles();
+ if (authorizedProfiles == null) {
+ msg = "authorizedProfiles null";
+ CMS.debug(method + msg);
+ throw new PKIException(method + msg);
+ }
+ String type = tokenRecord.getType();
+ // if token not associated with any keyType/profile, disallow access,
+ // unless the user has the "ALL_PROFILES" privilege
+ if (!authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
+ if (((type == null) || type.isEmpty()) || !authorizedProfiles.contains(type))
+ throw new PKIException(method + "Token record restricted");
+ }
+
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
IConfigStore config = CMS.getConfigStore();
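Review bot: The denial branch `throw new PKIException(method + "Token record restricted");` refuses the request without any log line, whereas the null-profile branch above it calls CMS.debug first, so a rejected status change leaves no trace in this method of who asked or for which token type. Before the throw, add something like `CMS.debug(method + "Token record restricted; user=" + remoteUser + " type=" + type);`, and brace the inner `if` so the two statements stay together. A plain PKIException may also reach the client as a generic server error rather than an authorization failure; if this branch has a forbidden-status subclass (e.g. ForbiddenException), it would fit better here. Whether callers emit an audit event for this failure is not visible, since the body of setTokenStatus continues past the hunk.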
--
1.8.3.1