|
|
08c5c1 |
From dcf1135e8d55ba8bcfc6df07883aa3704b20a81f Mon Sep 17 00:00:00 2001
|
|
|
08c5c1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
08c5c1 |
Date: Thu, 1 Jul 2021 14:58:31 -0700
|
|
|
08c5c1 |
Subject: [PATCH 1/5] Bug1958277 PKCS10Client Attribute Encoding
|
|
|
08c5c1 |
|
|
|
08c5c1 |
PKCS10Client has an option "-k" which allows for individual DN
|
|
|
08c5c1 |
attributes to be encoded differently and separately.
|
|
|
08c5c1 |
For example:
|
|
|
08c5c1 |
PKCS10Client -p <passwd> -d . -k true -o req.txt -n 'cn=UTF8String:aa,ou=BMPString:bb,o=cc'
|
|
|
08c5c1 |
|
|
|
08c5c1 |
This option might have been accidentally disabled. In this patch, the
|
|
|
08c5c1 |
attribute encoding code is moved to CryptoUtil.java with some
|
|
|
08c5c1 |
refactoring, and calls to getJssName() are re-enabled for subjectName
|
|
|
08c5c1 |
in PKCS10Client;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1958277
|
|
|
08c5c1 |
|
|
|
08c5c1 |
(cherry picked from commit 22008c96bf943e575c254cbd0e8414a478481263)
|
|
|
08c5c1 |
---
|
|
|
08c5c1 |
.../src/com/netscape/cmstools/PKCS10Client.java | 151 +---------------
|
|
|
08c5c1 |
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 196 ++++++++++++++++++++-
|
|
|
08c5c1 |
2 files changed, 196 insertions(+), 151 deletions(-)
|
|
|
08c5c1 |
|
|
|
08c5c1 |
diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
|
|
|
08c5c1 |
index 137049e..4c002c2 100644
|
|
|
08c5c1 |
--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
|
|
|
08c5c1 |
+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
|
|
|
08c5c1 |
@@ -24,18 +24,11 @@ import java.io.PrintStream;
|
|
|
08c5c1 |
import java.security.KeyPair;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
import org.mozilla.jss.CryptoManager;
|
|
|
08c5c1 |
-import org.mozilla.jss.asn1.BMPString;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
|
|
|
08c5c1 |
-import org.mozilla.jss.asn1.PrintableString;
|
|
|
08c5c1 |
-import org.mozilla.jss.asn1.TeletexString;
|
|
|
08c5c1 |
-import org.mozilla.jss.asn1.UTF8String;
|
|
|
08c5c1 |
-import org.mozilla.jss.asn1.UniversalString;
|
|
|
08c5c1 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
08c5c1 |
import org.mozilla.jss.crypto.KeyPairAlgorithm;
|
|
|
08c5c1 |
import org.mozilla.jss.crypto.KeyPairGenerator;
|
|
|
08c5c1 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
08c5c1 |
-import org.mozilla.jss.pkix.primitive.AVA;
|
|
|
08c5c1 |
-import org.mozilla.jss.pkix.primitive.Name;
|
|
|
08c5c1 |
import org.mozilla.jss.util.Password;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
import com.netscape.cmsutil.crypto.CryptoUtil;
|
|
|
08c5c1 |
@@ -138,6 +131,7 @@ public class PKCS10Client {
|
|
|
08c5c1 |
enable_encoding = true;
|
|
|
08c5c1 |
else
|
|
|
08c5c1 |
enable_encoding = false;
|
|
|
08c5c1 |
+ System.out.println("PKCS10Client: enable_encoding =" + enable_encoding);
|
|
|
08c5c1 |
} else if (name.equals("-s")) {
|
|
|
08c5c1 |
String ec_sensitive_s = args[i+1];
|
|
|
08c5c1 |
ec_sensitive = Integer.parseInt(ec_sensitive_s);
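Review bot: The added `System.out.println("PKCS10Client: enable_encoding =" + enable_encoding);` prints `enable_encoding =true` with no space after `=`, and it goes to stdout unconditionally while the rest of this option parsing is silent, so it looks like a debugging trace that was left in. If it is meant to stay, `System.out.println("PKCS10Client: enable_encoding = " + enable_encoding);` reads correctly; otherwise drop it now that the `-k` path is verified. The enclosing option-parsing loop starts and ends outside the hunk.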
|
|
|
08c5c1 |
@@ -289,7 +283,7 @@ public class PKCS10Client {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
|
|
|
08c5c1 |
PKCS10 certReq = CryptoUtil.createCertificationRequest(
|
|
|
08c5c1 |
- subjectName, pair, extns);
|
|
|
08c5c1 |
+ subjectName, enable_encoding, pair, extns);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (certReq == null) {
|
|
|
08c5c1 |
System.out.println("PKCS10Client: cert request null");
|
|
|
08c5c1 |
@@ -333,145 +327,4 @@ public class PKCS10Client {
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- static boolean isEncoded (String elementValue) {
|
|
|
08c5c1 |
- boolean encoded = false;
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (elementValue != null && ((elementValue.startsWith("UTF8String:")) ||
|
|
|
08c5c1 |
- (elementValue.startsWith("PrintableString:")) ||
|
|
|
08c5c1 |
- (elementValue.startsWith("BMPString:")) ||
|
|
|
08c5c1 |
- (elementValue.startsWith("TeletexString:")) ||
|
|
|
08c5c1 |
- (elementValue.startsWith("UniversalString:")))) {
|
|
|
08c5c1 |
- encoded = true;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- return encoded;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- static Name addNameElement (Name name, OBJECT_IDENTIFIER oid, int n, String elementValue) {
|
|
|
08c5c1 |
- try {
|
|
|
08c5c1 |
- String encodingType = (n > 0)? elementValue.substring(0, n): null;
|
|
|
08c5c1 |
- String nameValue = (n > 0)? elementValue.substring(n+1): null;
|
|
|
08c5c1 |
- if (encodingType != null && encodingType.length() > 0 &&
|
|
|
08c5c1 |
- nameValue != null && nameValue.length() > 0) {
|
|
|
08c5c1 |
- if (encodingType.equals("UTF8String")) {
|
|
|
08c5c1 |
- name.addElement( new AVA(oid, new UTF8String(nameValue)));
|
|
|
08c5c1 |
- } else if (encodingType.equals("PrintableString")) {
|
|
|
08c5c1 |
- name.addElement( new AVA(oid, new PrintableString(nameValue)));
|
|
|
08c5c1 |
- } else if (encodingType.equals("BMPString")) {
|
|
|
08c5c1 |
- name.addElement( new AVA(oid, new BMPString(nameValue)));
|
|
|
08c5c1 |
- } else if (encodingType.equals("TeletexString")) {
|
|
|
08c5c1 |
- name.addElement( new AVA(oid, new TeletexString(nameValue)));
|
|
|
08c5c1 |
- } else if (encodingType.equals("UniversalString")) {
|
|
|
08c5c1 |
- name.addElement( new AVA(oid, new UniversalString(nameValue)));
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- } catch (Exception e) {
|
|
|
08c5c1 |
- System.out.println("PKCS10Client: Error adding name element: " + elementValue + " Error: " + e.toString());
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- return name;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- static Name getJssName(boolean enable_encoding, String dn) {
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- X500Name x5Name = null;
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- try {
|
|
|
08c5c1 |
- x5Name = new X500Name(dn);
|
|
|
08c5c1 |
- } catch (IOException e) {
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- System.out.println("PKCS10Client: Illegal Subject Name: " + dn + " Error: " + e.toString());
|
|
|
08c5c1 |
- System.out.println("PKCS10Client: Filling in default Subject Name......");
|
|
|
08c5c1 |
- return null;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- Name ret = new Name();
|
|
|
08c5c1 |
- netscape.security.x509.RDN[] names = null;
|
|
|
08c5c1 |
- names = x5Name.getNames();
|
|
|
08c5c1 |
- int nameLen = x5Name.getNamesLength();
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- netscape.security.x509.RDN cur = null;
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- for (int i = 0; i < nameLen; i++) {
|
|
|
08c5c1 |
- cur = names[i];
|
|
|
08c5c1 |
- String rdnStr = cur.toString();
|
|
|
08c5c1 |
- String[] split = rdnStr.split("=");
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split.length != 2)
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- int n = split[1].indexOf(':');
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- try {
|
|
|
08c5c1 |
- if (split[0].equals("UID")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement(ret, new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"),
|
|
|
08c5c1 |
- n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addElement(new AVA(new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"),
|
|
|
08c5c1 |
- new PrintableString(split[1])));
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("UID found : " + split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("C")) {
|
|
|
08c5c1 |
- ret.addCountryName(split[1]);
|
|
|
08c5c1 |
- // System.out.println("C found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("CN")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement (ret, Name.commonName, n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addCommonName(split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("CN found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("L")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement (ret, Name.localityName, n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addLocalityName(split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("L found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("O")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement (ret, Name.organizationName, n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addOrganizationName(split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("O found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("ST")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement (ret, Name.stateOrProvinceName, n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addStateOrProvinceName(split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("ST found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (split[0].equals("OU")) {
|
|
|
08c5c1 |
- if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
- ret = addNameElement (ret, Name.organizationalUnitName, n, split[1]);
|
|
|
08c5c1 |
- } else {
|
|
|
08c5c1 |
- ret.addOrganizationalUnitName(split[1]);
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- // System.out.println("OU found : " + split[1]);
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- } catch (Exception e) {
|
|
|
08c5c1 |
- System.out.println("PKCS10Client: Error constructing RDN: " + rdnStr + " Error: " + e.toString());
|
|
|
08c5c1 |
- continue;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- return ret;
|
|
|
08c5c1 |
- }
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
08c5c1 |
index 2fe4757..befceed 100644
|
|
|
08c5c1 |
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
08c5c1 |
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
08c5c1 |
@@ -65,6 +65,11 @@ import org.mozilla.jss.asn1.ANY;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.ASN1Value;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.BIT_STRING;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.INTEGER;
|
|
|
08c5c1 |
+import org.mozilla.jss.asn1.BMPString;
|
|
|
08c5c1 |
+import org.mozilla.jss.asn1.PrintableString;
|
|
|
08c5c1 |
+import org.mozilla.jss.asn1.TeletexString;
|
|
|
08c5c1 |
+import org.mozilla.jss.asn1.UTF8String;
|
|
|
08c5c1 |
+import org.mozilla.jss.asn1.UniversalString;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.InvalidBERException;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.NULL;
|
|
|
08c5c1 |
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
|
|
|
08c5c1 |
@@ -114,6 +119,7 @@ import org.mozilla.jss.pkix.crmf.EncryptedKey;
|
|
|
08c5c1 |
import org.mozilla.jss.pkix.crmf.EncryptedValue;
|
|
|
08c5c1 |
import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
|
|
|
08c5c1 |
import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
|
|
|
08c5c1 |
+import org.mozilla.jss.pkix.primitive.AVA;
|
|
|
08c5c1 |
import org.mozilla.jss.pkix.primitive.Name;
|
|
|
08c5c1 |
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
|
|
|
08c5c1 |
import org.mozilla.jss.ssl.SSLSocket;
|
|
|
08c5c1 |
@@ -1691,6 +1697,14 @@ public class CryptoUtil {
|
|
|
08c5c1 |
throws NoSuchAlgorithmException, NoSuchProviderException,
|
|
|
08c5c1 |
InvalidKeyException, IOException, CertificateException,
|
|
|
08c5c1 |
SignatureException {
|
|
|
08c5c1 |
+ return createCertificationRequest(subjectName, false, keyPair, exts);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // encodeSubj works with PKCS10Client "-k" option
|
|
|
08c5c1 |
+ public static PKCS10 createCertificationRequest(String subjectName,
|
|
|
08c5c1 |
+ boolean encodeSubj, KeyPair keyPair, Extensions exts)
|
|
|
08c5c1 |
+ throws NoSuchAlgorithmException, NoSuchProviderException,
|
|
|
08c5c1 |
+ InvalidKeyException, IOException, CertificateException,
|
|
|
08c5c1 |
+ SignatureException {
|
|
|
08c5c1 |
String method = "CryptoUtil: createCertificationRequest: ";
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String alg = "SHA256withRSA";
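Review bot: The new public overload `createCertificationRequest(String subjectName, boolean encodeSubj, KeyPair keyPair, Extensions exts)` is documented only by `// encodeSubj works with PKCS10Client "-k" option`, which names a caller rather than the contract. A Javadoc on the method should state what the flag does: when `encodeSubj` is true, an attribute value written as `UTF8String:`, `PrintableString:`, `BMPString:`, `TeletexString:` or `UniversalString:` followed by the text is encoded with that ASN.1 string type, otherwise the value is taken literally; it should also list the attribute types the subject parser accepts (UID, C, CN, L, O, ST, OU in the `getJssName` added later in this file), since the subject is no longer parsed by `X500Name` alone. The pre-existing four-argument overload that now delegates with `false` begins above the hunk.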
|
|
|
08c5c1 |
@@ -1705,7 +1719,7 @@ public class CryptoUtil {
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
return createCertificationRequest(
|
|
|
08c5c1 |
- subjectName, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
|
|
|
08c5c1 |
+ subjectName, encodeSubj, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
|
|
|
08c5c1 |
alg, exts);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -1714,6 +1728,14 @@ public class CryptoUtil {
|
|
|
08c5c1 |
throws NoSuchAlgorithmException, NoSuchProviderException,
|
|
|
08c5c1 |
InvalidKeyException, IOException, CertificateException,
|
|
|
08c5c1 |
SignatureException {
|
|
|
08c5c1 |
+ return createCertificationRequest(subjectName, false, pubk, prik, alg, null);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ public static PKCS10 createCertificationRequest(String subjectName,
|
|
|
08c5c1 |
+ boolean encodeSubj,
|
|
|
08c5c1 |
+ X509Key pubk, PrivateKey prik, String alg, Extensions exts)
|
|
|
08c5c1 |
+ throws NoSuchAlgorithmException, NoSuchProviderException,
|
|
|
08c5c1 |
+ InvalidKeyException, IOException, CertificateException,
|
|
|
08c5c1 |
+ SignatureException {
|
|
|
08c5c1 |
X509Key key = pubk;
|
|
|
08c5c1 |
java.security.Signature sig = java.security.Signature.getInstance(alg,
|
|
|
08c5c1 |
"Mozilla-JSS");
|
|
|
08c5c1 |
@@ -1734,13 +1756,182 @@ public class CryptoUtil {
|
|
|
08c5c1 |
} else {
|
|
|
08c5c1 |
pkcs10 = new PKCS10(key);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
- X500Name name = new X500Name(subjectName);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ Name n = getJssName(encodeSubj, subjectName);
|
|
|
08c5c1 |
+ ByteArrayOutputStream subjectEncStream = new ByteArrayOutputStream();
|
|
|
08c5c1 |
+ n.encode(subjectEncStream);
|
|
|
08c5c1 |
+ byte[] b = subjectEncStream.toByteArray();
|
|
|
08c5c1 |
+ X500Name name = new X500Name(b);
|
|
|
08c5c1 |
X500Signer signer = new X500Signer(sig, name);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
pkcs10.encodeAndSign(signer);
|
|
|
08c5c1 |
return pkcs10;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ static boolean isEncoded (String elementValue) {
|
|
|
08c5c1 |
+ boolean encoded = false;
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //System.out.println("CryptoUtil: isEncoded: elementValue =" +
|
|
|
08c5c1 |
+ // elementValue);
|
|
|
08c5c1 |
+ if (elementValue != null && ((elementValue.startsWith("UTF8String:")) ||
|
|
|
08c5c1 |
+ (elementValue.startsWith("PrintableString:")) ||
|
|
|
08c5c1 |
+ (elementValue.startsWith("BMPString:")) ||
|
|
|
08c5c1 |
+ (elementValue.startsWith("TeletexString:")) ||
|
|
|
08c5c1 |
+ (elementValue.startsWith("UniversalString:")))) {
|
|
|
08c5c1 |
+ encoded = true;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ return encoded;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ static Name addNameElement (Name name, OBJECT_IDENTIFIER oid, int n, String elementValue) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: elementValue =" +
|
|
|
08c5c1 |
+ // elementValue);
|
|
|
08c5c1 |
+ try {
|
|
|
08c5c1 |
+ String encodingType = (n > 0)? elementValue.substring(0, n): null;
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: encodingType =" +
|
|
|
08c5c1 |
+ // encodingType);
|
|
|
08c5c1 |
+ String nameValue = (n > 0)? elementValue.substring(n+1): null;
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: nameValue =" +
|
|
|
08c5c1 |
+ // nameValue);
|
|
|
08c5c1 |
+ if (encodingType != null && encodingType.length() > 0 &&
|
|
|
08c5c1 |
+ nameValue != null && nameValue.length() > 0) {
|
|
|
08c5c1 |
+ if (encodingType.equals("UTF8String")) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: UTF8String");
|
|
|
08c5c1 |
+ name.addElement( new AVA(oid, new UTF8String(nameValue)));
|
|
|
08c5c1 |
+ } else if (encodingType.equals("PrintableString")) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: PrintableString");
|
|
|
08c5c1 |
+ name.addElement( new AVA(oid, new PrintableString(nameValue)));
|
|
|
08c5c1 |
+ } else if (encodingType.equals("BMPString")) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: BMPString");
|
|
|
08c5c1 |
+ name.addElement( new AVA(oid, new BMPString(nameValue)));
|
|
|
08c5c1 |
+ } else if (encodingType.equals("TeletexString")) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: TeletexString");
|
|
|
08c5c1 |
+ name.addElement( new AVA(oid, new TeletexString(nameValue)));
|
|
|
08c5c1 |
+ } else if (encodingType.equals("UniversalString")) {
|
|
|
08c5c1 |
+ // System.out.println("CryptoUtil: addNameElement: UniversalString");
|
|
|
08c5c1 |
+ name.addElement( new AVA(oid, new UniversalString(nameValue)));
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } catch (Exception e) {
|
|
|
08c5c1 |
+ System.out.println("CryptoUtil: Error adding name element: " + elementValue + " Error: " + e.toString());
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ return name;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ static Name getJssName(boolean enable_encoding, String dn) {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ X500Name x5Name = null;
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //System.out.println("CryptoUtil: getJssName: dn= " + dn);
|
|
|
08c5c1 |
+ try {
|
|
|
08c5c1 |
+ x5Name = new X500Name(dn);
|
|
|
08c5c1 |
+ } catch (IOException e) {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ System.out.println("CryptoUtil: Illegal Subject Name: " + dn + " Error: " + e.toString());
|
|
|
08c5c1 |
+ System.out.println("CryptoUtil: Filling in default Subject Name......");
|
|
|
08c5c1 |
+ return null;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ Name ret = new Name();
|
|
|
08c5c1 |
+ netscape.security.x509.RDN[] names = x5Name.getNames();
|
|
|
08c5c1 |
+ int nameLen = x5Name.getNamesLength();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ netscape.security.x509.RDN cur = null;
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ for (int i = 0; i < nameLen; i++) {
|
|
|
08c5c1 |
+ cur = names[i];
|
|
|
08c5c1 |
+ String rdnStr = cur.toString();
|
|
|
08c5c1 |
+ String[] split = rdnStr.split("=");
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split.length != 2)
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: split[0] =" + split[0]);
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: split[1] =" + split[1]);
|
|
|
08c5c1 |
+ int n = split[1].indexOf(':');
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ try {
|
|
|
08c5c1 |
+ if (split[0].equals("UID")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: encoded UID");
|
|
|
08c5c1 |
+ ret = addNameElement(ret, new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"),
|
|
|
08c5c1 |
+ n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: not encoded UID");
|
|
|
08c5c1 |
+ ret.addElement(new AVA(new OBJECT_IDENTIFIER("0.9.2342.19200300.100.1.1"),
|
|
|
08c5c1 |
+ new PrintableString(split[1])));
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("UID found : " + split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("C")) {
|
|
|
08c5c1 |
+ ret.addCountryName(split[1]);
|
|
|
08c5c1 |
+ // System.out.println("C found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("CN")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: encoded CN");
|
|
|
08c5c1 |
+ ret = addNameElement (ret, Name.commonName, n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: not encoded CN");
|
|
|
08c5c1 |
+ ret.addCommonName(split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("CN found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("L")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ ret = addNameElement (ret, Name.localityName, n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ ret.addLocalityName(split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("L found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("O")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: encoded O");
|
|
|
08c5c1 |
+ ret = addNameElement (ret, Name.organizationName, n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: not encoded O");
|
|
|
08c5c1 |
+ ret.addOrganizationName(split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("O found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("ST")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ ret = addNameElement (ret, Name.stateOrProvinceName, n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ ret.addStateOrProvinceName(split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("ST found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (split[0].equals("OU")) {
|
|
|
08c5c1 |
+ if (enable_encoding && isEncoded(split[1])) {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: encoded OU");
|
|
|
08c5c1 |
+ ret = addNameElement (ret, Name.organizationalUnitName, n, split[1]);
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ // System.out.println(" getJssName: not encoded OU");
|
|
|
08c5c1 |
+ ret.addOrganizationalUnitName(split[1]);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ // System.out.println("OU found : " + split[1]);
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } catch (Exception e) {
|
|
|
08c5c1 |
+ System.out.println("CryptoUtil: Error constructing RDN: " + rdnStr + " Error: " + e.toString());
|
|
|
08c5c1 |
+ continue;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ return ret;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
public static KeyIdentifier createKeyIdentifier(KeyPair keypair)
|
|
|
08c5c1 |
throws NoSuchAlgorithmException, InvalidKeyException {
|
|
|
08c5c1 |
String method = "CryptoUtil: createKeyIdentifier: ";
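Review bot: `Name n = getJssName(encodeSubj, subjectName);` is followed directly by `n.encode(subjectEncStream)`, yet `getJssName` returns `null` when `new X500Name(dn)` throws, so a malformed subject now fails with a NullPointerException instead of the `IOException` the method declares. Beyond that, every pre-existing overload now delegates with `encodeSubj=false`, so all callers go through `getJssName`, whose loop handles only UID, C, CN, L, O, ST and OU, `continue`s past any RDN whose `toString()` does not split into exactly two parts on `=`, and `continue`s from `catch (Exception e)` after a failed add — any other attribute type, or a value containing `=`, is dropped from the signed request silently where `new X500Name(subjectName)` preserved it, and a CSR that quietly lost subject components is worse than one that is rejected. Unless the round trip through JSS `Name` is wanted for the plain path too, keep `new X500Name(subjectName)` when `encodeSubj` is false, and make `getJssName` throw rather than return `null` or skip (rethrow the parse error, fail on an unparseable or unhandled RDN, give the UID branch its own `continue` so it does not fall into that check, and split with `split("=", 2)`) as sketched below; the `cur.toString()` round trip also deserves a test with escaped commas, since `addCommonName(split[1])` takes the string form as-is. `createCertificationRequest` begins above the hunk and `createKeyIdentifier` continues below it.
```java
        X500Name name;
        if (encodeSubj) {
            Name n = getJssName(true, subjectName);
            ByteArrayOutputStream subjectEncStream = new ByteArrayOutputStream();
            n.encode(subjectEncStream);
            name = new X500Name(subjectEncStream.toByteArray());
        } else {
            name = new X500Name(subjectName);  // plain path unchanged from before the patch
        }
        // … unchanged: X500Signer, encodeAndSign, return …

    static Name getJssName(boolean enable_encoding, String dn) throws IOException {
        X500Name x5Name;
        try {
            x5Name = new X500Name(dn);
        } catch (IOException e) {
            System.out.println("CryptoUtil: Illegal Subject Name: " + dn + " Error: " + e.toString());
            throw e;  // was: return null, which the caller then dereferenced
        }
        // … unchanged: ret, names, nameLen, cur …
        for (int i = 0; i < nameLen; i++) {
            cur = names[i];
            String rdnStr = cur.toString();
            String[] split = rdnStr.split("=", 2);  // limit 2: keep any '=' inside the value
            if (split.length != 2) {
                throw new IOException("Cannot parse RDN: " + rdnStr);
            }
            int n = split[1].indexOf(':');
            try {
                if (split[0].equals("UID")) {
                    // … unchanged: encoded / plain UID handling …
                    continue;
                }
                // … unchanged: C, CN, L, O, ST, OU branches, each ending in continue …
            } catch (Exception e) {
                System.out.println("CryptoUtil: Error constructing RDN: " + rdnStr + " Error: " + e.toString());
                throw new IOException("Error constructing RDN: " + rdnStr, e);
            }
            // only reached when no branch above claimed the attribute type
            throw new IOException("Unsupported subject attribute type: " + split[0] + " in " + dn);
        }
        return ret;
    }
```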
|
|
|
08c5c1 |
@@ -1848,6 +2039,7 @@ public class CryptoUtil {
|
|
|
08c5c1 |
PKCS10 pkcs10 = new PKCS10(key);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
X500Name name = new X500Name(subjectName);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
X500Signer signer = new X500Signer(sig, name);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
pkcs10.encodeAndSign(signer);
|
|
|
08c5c1 |
--
|
|
|
08c5c1 |
1.8.3.1
|
|
|
08c5c1 |
|
|
|
08c5c1 |
|
|
|
08c5c1 |
From b974f1d9daf393efc19308bac42b955c601090b7 Mon Sep 17 00:00:00 2001
|
|
|
08c5c1 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
08c5c1 |
Date: Thu, 15 Jul 2021 13:24:26 -0500
|
|
|
08c5c1 |
Subject: [PATCH 2/5] Add GitLab synchronization job
|
|
|
08c5c1 |
|
|
|
08c5c1 |
The .gitlab-ci.yml has been added to define a job to
|
|
|
08c5c1 |
synchronize a branch from an upstream repository to a
|
|
|
08c5c1 |
GitLab repository.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
(cherry picked from commit 27912b9e4311d4f12499f9f1b59e0b4bf4c5bac5)
|
|
|
08c5c1 |
---
|
|
|
08c5c1 |
.gitlab-ci.yml | 22 +++++++++++
|
|
|
08c5c1 |
docs/development/Synchronizing-GitLab-Branch.adoc | 48 +++++++++++++++++++++++
|
|
|
08c5c1 |
2 files changed, 70 insertions(+)
|
|
|
08c5c1 |
create mode 100644 .gitlab-ci.yml
|
|
|
08c5c1 |
create mode 100644 docs/development/Synchronizing-GitLab-Branch.adoc
|
|
|
08c5c1 |
|
|
|
08c5c1 |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
|
|
|
08c5c1 |
new file mode 100644
|
|
|
08c5c1 |
index 0000000..249e240
|
|
|
08c5c1 |
--- /dev/null
|
|
|
08c5c1 |
+++ b/.gitlab-ci.yml
|
|
|
08c5c1 |
@@ -0,0 +1,22 @@
|
|
|
08c5c1 |
+image: fedora
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+sync:
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ script:
|
|
|
08c5c1 |
+ - echo "Synchronizing $CI_COMMIT_BRANCH branch from $UPSTREAM_URL to $CI_PROJECT_URL"
|
|
|
08c5c1 |
+ - dnf install -y git
|
|
|
08c5c1 |
+ - git remote set-url origin https://sync:$ACCESS_TOKEN@$CI_SERVER_HOST/$CI_PROJECT_PATH.git
|
|
|
08c5c1 |
+ - git remote remove upstream || true
|
|
|
08c5c1 |
+ - git remote add upstream $UPSTREAM_URL
|
|
|
08c5c1 |
+ - git remote -v
|
|
|
08c5c1 |
+ - git fetch upstream $CI_COMMIT_BRANCH
|
|
|
08c5c1 |
+ - git checkout upstream/$CI_COMMIT_BRANCH
|
|
|
08c5c1 |
+ - git log origin/$CI_COMMIT_BRANCH..upstream/$CI_COMMIT_BRANCH --oneline
|
|
|
08c5c1 |
+ - GIT_SSL_NO_VERIFY=true git push origin HEAD:$CI_COMMIT_BRANCH
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ rules:
|
|
|
08c5c1 |
+ - if: $SYNC == "true"
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ tags:
|
|
|
08c5c1 |
+ # Use shared runners.
|
|
|
08c5c1 |
+ - shared
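Review bot: `GIT_SSL_NO_VERIFY=true git push origin HEAD:$CI_COMMIT_BRANCH` turns off certificate verification on the very connection that carries the `write_repository` token embedded in the origin URL by `git remote set-url origin https://sync:$ACCESS_TOKEN@$CI_SERVER_HOST/$CI_PROJECT_PATH.git`, so anyone able to interpose on the path to `$CI_SERVER_HOST` can read a token that grants push access to the repository. Make the runner trust the server instead (install its CA certificate into the job image, or set `git config http.sslCAInfo` to it) and drop the variable rather than bypass verification. The later `git remote -v` also prints the origin URL, token included, into the job log, which is only safe while `ACCESS_TOKEN` is masked as the accompanying document instructs; `git remote` without `-v`, or listing only `upstream`, keeps the diagnostic without depending on masking.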
|
|
|
08c5c1 |
diff --git a/docs/development/Synchronizing-GitLab-Branch.adoc b/docs/development/Synchronizing-GitLab-Branch.adoc
|
|
|
08c5c1 |
new file mode 100644
|
|
|
08c5c1 |
index 0000000..b0937f2
|
|
|
08c5c1 |
--- /dev/null
|
|
|
08c5c1 |
+++ b/docs/development/Synchronizing-GitLab-Branch.adoc
|
|
|
08c5c1 |
@@ -0,0 +1,48 @@
|
|
|
08c5c1 |
+= Synchronizing GitLab Branch =
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+== Overview ==
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+This page describes the procedure to synchronize a branch from an upstream repository
|
|
|
08c5c1 |
+to a GitLab repository.
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+== Creating Access Token ==
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+In the GitLab repository create a project access token with a **write_repository** permission.
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+See link:https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#creating-a-project-access-token[Creating a project access token].
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+== Configuring Synchronization ==
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+In the GitLab repository create the following variables:
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+* `UPSTREAM_URL`: The URL of the upstream repository.
|
|
|
08c5c1 |
+** Unselect **Protect variable** to synchronize unprotected branches.
|
|
|
08c5c1 |
+* `ACCESS_TOKEN`: The value of the access token.
|
|
|
08c5c1 |
+** Unselect **Protect variable** to synchronize unprotected branches.
|
|
|
08c5c1 |
+** Select **Mask variable** to keep the access token hidden.
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+See link:https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project[Add a CI/CD variable to a project].
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+== Running Synchronization Manually ==
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+In the GitLab repository run a pipeline with the following parameters:
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+* **Run for branch name or tag**: The branch to be synchronized.
|
|
|
08c5c1 |
+* **Variables**:
|
|
|
08c5c1 |
+** `SYNC`: `true`
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+See link:https://docs.gitlab.com/ee/ci/pipelines/#run-a-pipeline-manually[Run a pipeline manually].
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+== Scheduling Automatic Synchronization ==
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+In the GitLab repository create a schedule with the following parameters:
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+* **Interval Pattern**: The frequency of synchronization.
|
|
|
08c5c1 |
+** To synchronize every hour, enter: `0 * * * *`
|
|
|
08c5c1 |
+* **Target Branch**: The branch to be synchronized.
|
|
|
08c5c1 |
+* **Variables**:
|
|
|
08c5c1 |
+** `SYNC`: `true`
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+Additional schedules can be created for synchronizing other branches.
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+See link:https://docs.gitlab.com/ee/ci/pipelines/schedules.html#configuring-pipeline-schedules[Configuring pipeline schedules].
|
|
|
08c5c1 |
--
|
|
|
08c5c1 |
1.8.3.1
|
|
|
08c5c1 |
|
|
|
08c5c1 |
|
|
|
08c5c1 |
From 32fcaab4585e893742018855c142d01716430cdb Mon Sep 17 00:00:00 2001
|
|
|
08c5c1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
08c5c1 |
Date: Wed, 28 Jul 2021 16:21:27 -0700
|
|
|
08c5c1 |
Subject: [PATCH 3/5] Bug1959937 - TPS Allowing Token Transactions while the CA
|
|
|
08c5c1 |
is Down
|
|
|
08c5c1 |
|
|
|
08c5c1 |
This patch propagates the exception thrown when revocation/unrevocation
|
|
|
08c5c1 |
fails so that the token record is not updated on TPS; This allows
|
|
|
08c5c1 |
the TPS token to be consistent with the certs on the CA.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1959937
|
|
|
08c5c1 |
|
|
|
08c5c1 |
(cherry picked from commit 2f7ed836ab20988386e651c1000f4e12eff6c0af)
|
|
|
08c5c1 |
---
|
|
|
08c5c1 |
base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 14 ++++++++++----
|
|
|
08c5c1 |
1 file changed, 10 insertions(+), 4 deletions(-)
|
|
|
08c5c1 |
|
|
|
08c5c1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
|
|
|
08c5c1 |
index b58c24f..147f346 100644
|
|
|
08c5c1 |
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
|
|
|
08c5c1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
|
|
|
08c5c1 |
@@ -616,7 +616,7 @@ public class TPSTokendb {
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
private void revokeCert(TokenRecord tokenRecord, TPSCertRecord cert, String tokenReason,
|
|
|
08c5c1 |
- String ipAddress, String remoteUser) {
|
|
|
08c5c1 |
+ String ipAddress, String remoteUser) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String method = "TPSTokendb.revokeCert";
|
|
|
08c5c1 |
String logMsg;
|
|
|
08c5c1 |
@@ -678,12 +678,15 @@ public class TPSTokendb {
|
|
|
08c5c1 |
tdbActivity(ActivityDatabase.OP_CERT_REVOCATION, tokenRecord,
|
|
|
08c5c1 |
ipAddress, e.getMessage(), "failure", remoteUser);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // continue revoking the next certificate
|
|
|
08c5c1 |
+ // bail out if revocation failed; This will allow the token
|
|
|
08c5c1 |
+ // status info to be consistent with that of the certs on the
|
|
|
08c5c1 |
+ // CA
|
|
|
08c5c1 |
+ throw e;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
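Review bot: `throw e;` after `tdbActivity(..., "failure", remoteUser)` stops at the first certificate whose revocation fails; the replaced comment `// continue revoking the next certificate` implies a loop over the token's certificates, so certificates handled before the failure are already revoked on the CA while later ones are not attempted and, per the description, the token record is left unchanged. The new comment should say so rather than only "bail out", e.g. `// stop at the first failure: earlier certs stay revoked on the CA, later ones are not attempted, and the token record is not updated, so the operation must be retried`; whether the caller surfaces that partial state is outside the hunk. The signature hunk above widens `revokeCert` to `throws Exception`; if the catch here is `catch (Exception e)` around calls that throw specific checked types, Java 7 precise rethrow lets the clause name those types instead. `revokeCert` begins in the preceding hunk and its `try`/`catch` opens above this one.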
|
|
|
08c5c1 |
|
|
|
08c5c1 |
private void unrevokeCert(TokenRecord tokenRecord, TPSCertRecord cert, String tokenReason,
|
|
|
08c5c1 |
- String ipAddress, String remoteUser) {
|
|
|
08c5c1 |
+ String ipAddress, String remoteUser) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String method = "TPSTokendb.unrevokeCert";
|
|
|
08c5c1 |
String logMsg;
|
|
|
08c5c1 |
@@ -733,7 +736,10 @@ public class TPSTokendb {
|
|
|
08c5c1 |
tdbActivity(ActivityDatabase.OP_CERT_RESTORATION, tokenRecord,
|
|
|
08c5c1 |
ipAddress, e.getMessage(), "failure", remoteUser);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // continue unrevoking the next certificate
|
|
|
08c5c1 |
+ // bail out if revocation failed; This will allow the token
|
|
|
08c5c1 |
+ // status info to be consistent with that of the certs on the
|
|
|
08c5c1 |
+ // CA
|
|
|
08c5c1 |
+ throw e;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
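Review bot: The comment added at the `throw e;` in `unrevokeCert` reads `// bail out if revocation failed`, copied from `revokeCert`; this branch handles a failed restoration (the activity logged just above is `OP_CERT_RESTORATION`), so it should read `// bail out if unrevocation failed; ...`. The same partial-state caveat as in `revokeCert` applies here: certificates restored before the failing one stay restored on the CA while the token record is not updated. `unrevokeCert` begins in the preceding hunk and its `try`/`catch` opens above this one.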
|
|
|
08c5c1 |
|
|
|
08c5c1 |
--
|
|
|
08c5c1 |
1.8.3.1
|
|
|
08c5c1 |
|
|
|
08c5c1 |
|
|
|
08c5c1 |
From d413394b2673e94e21dd645e588e934cc05c932b Mon Sep 17 00:00:00 2001
|
|
|
08c5c1 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
08c5c1 |
Date: Thu, 30 May 2019 19:42:42 +1000
|
|
|
08c5c1 |
Subject: [PATCH 4/5] AuthorityService.getCert/Chain: avoid NPE if CA is not
|
|
|
08c5c1 |
ready
|
|
|
08c5c1 |
|
|
|
08c5c1 |
If a LWCA is not ready (i.e. key replication and signing unit
|
|
|
08c5c1 |
initialisation has not completed), asking for its certificate (or
|
|
|
08c5c1 |
chain) results in a NullPointerException. Update
|
|
|
08c5c1 |
AuthorityService.getCert() and .getChain() to raise
|
|
|
08c5c1 |
ResourceNotFoundException instead.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
Part of: https://pagure.io/dogtagpki/issue/3102
|
|
|
08c5c1 |
|
|
|
08c5c1 |
(cherry picked from commit a491bb99f273a3bd2f8c9540c8c18b2604adc035)
|
|
|
08c5c1 |
---
|
|
|
08c5c1 |
.../src/org/dogtagpki/server/ca/rest/AuthorityService.java | 14 ++++++++++++--
|
|
|
08c5c1 |
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
|
08c5c1 |
|
|
|
08c5c1 |
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
08c5c1 |
index 36ddc6f..12388c9 100644
|
|
|
08c5c1 |
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
08c5c1 |
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
|
|
|
08c5c1 |
@@ -140,8 +140,13 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
|
|
|
08c5c1 |
if (ca == null)
|
|
|
08c5c1 |
throw new ResourceNotFoundException("CA \"" + aidString + "\" not found");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ org.mozilla.jss.crypto.X509Certificate cert = ca.getCaX509Cert();
|
|
|
08c5c1 |
+ if (cert == null)
|
|
|
08c5c1 |
+ throw new ResourceNotFoundException(
|
|
|
08c5c1 |
+ "Certificate for CA \"" + aidString + "\" not available");
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
- return Response.ok(ca.getCaX509Cert().getEncoded()).build();
|
|
|
08c5c1 |
+ return Response.ok(cert.getEncoded()).build();
|
|
|
08c5c1 |
} catch (CertificateEncodingException e) {
|
|
|
08c5c1 |
// this really is a 500 Internal Server Error
|
|
|
08c5c1 |
throw new PKIException("Error encoding certificate: " + e);
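Review bot: `org.mozilla.jss.crypto.X509Certificate cert = ca.getCaX509Cert();` spells the type fully qualified inline, and the second hunk does the same with `netscape.security.x509.CertificateChain chain = ca.getCACertChain();`; if the qualification is there to avoid a clash with another imported X509Certificate, a short comment saying so would help, and CertificateChain can presumably simply be imported. Reporting a not-yet-ready LWCA as ResourceNotFoundException makes it indistinguishable by status from a CA that does not exist, so a client waiting for key replication to finish cannot tell "retry later" from "wrong id" except by parsing the message; if the project has an exception mapped to 503 it would express this condition better, otherwise the distinct "not available" wording used here is the minimum. Both enclosing methods start before their hunks.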
|
|
|
08c5c1 |
@@ -167,9 +172,14 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
|
|
|
08c5c1 |
if (ca == null)
|
|
|
08c5c1 |
throw new ResourceNotFoundException("CA \"" + aidString + "\" not found");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ netscape.security.x509.CertificateChain chain = ca.getCACertChain();
|
|
|
08c5c1 |
+ if (chain == null)
|
|
|
08c5c1 |
+ throw new ResourceNotFoundException(
|
|
|
08c5c1 |
+ "Certificate chain for CA \"" + aidString + "\" not available");
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
- ca.getCACertChain().encode(out);
|
|
|
08c5c1 |
+ chain.encode(out);
|
|
|
08c5c1 |
} catch (IOException e) {
|
|
|
08c5c1 |
throw new PKIException("Error encoding certificate chain: " + e);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
--
|
|
|
08c5c1 |
1.8.3.1
|
|
|
08c5c1 |
|
|
|
08c5c1 |
|
|
|
08c5c1 |
From dae038b021e8623b920df8abf3abd5d48ab0636c Mon Sep 17 00:00:00 2001
|
|
|
08c5c1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
08c5c1 |
Date: Wed, 14 Jul 2021 17:24:59 -0700
|
|
|
08c5c1 |
Subject: [PATCH 5/5] Bug1979710-TPS: separate config actions by profile
|
|
|
08c5c1 |
permission list
|
|
|
08c5c1 |
|
|
|
08c5c1 |
This patch addresses the issue that TPS agent operations on tokens,
|
|
|
08c5c1 |
activities, and profiles are not limited by the types (profiles)
|
|
|
08c5c1 |
permmtted to the agent (as described in the documentation).
|
|
|
08c5c1 |
This is a regression from 8.x.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
The affected operations are:
|
|
|
08c5c1 |
- findProfiles
|
|
|
08c5c1 |
- getProfiles
|
|
|
08c5c1 |
- updateProfile
|
|
|
08c5c1 |
- changeStatus (of a profile)
|
|
|
08c5c1 |
- retrieveTokens
|
|
|
08c5c1 |
- getToken
|
|
|
08c5c1 |
- modifyToken
|
|
|
08c5c1 |
- changeTokenStatus
|
|
|
08c5c1 |
- retrieveActivities
|
|
|
08c5c1 |
- getActivity
|
|
|
08c5c1 |
|
|
|
08c5c1 |
Note that some operations that seem like should be affected are not
|
|
|
08c5c1 |
due to the fact that they are TPS admin operations and are shielded
|
|
|
08c5c1 |
from entering the TPS service at the activity level. For example,
|
|
|
08c5c1 |
deleting a token would be such a case.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
The authorization enforcement added in this patch should affect both
|
|
|
08c5c1 |
access from the web UI as well as access from PKI CLI.
|
|
|
08c5c1 |
Reference: https://github.com/dogtagpki/pki/wiki/PKI-TPS-CLI
|
|
|
08c5c1 |
|
|
|
08c5c1 |
Another note: the VLV complicates the resulting page. If the returned
|
|
|
08c5c1 |
entries on the page are all restricted then nothing would be shown. To
|
|
|
08c5c1 |
add a bit more clarity, an <restricted> entry is added to reflect such
|
|
|
08c5c1 |
effect so that it would be less confusing to the role user.
|
|
|
08c5c1 |
The <restricted> entries are left with the epoch date.
|
|
|
08c5c1 |
This would affect both WEB UI and PKI CLI.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
Also, a last-minute addition to address an issue with 1911472 in
|
|
|
08c5c1 |
CertService.java where the subject DN of the CA signing cert should
|
|
|
08c5c1 |
be used instead of the issuer.
|
|
|
08c5c1 |
|
|
|
08c5c1 |
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1979710
|
|
|
08c5c1 |
|
|
|
08c5c1 |
(cherry picked from commit eea6184452505f1755b7e5b9d12b0fb765742fec)
|
|
|
08c5c1 |
---
|
|
|
08c5c1 |
.../org/dogtagpki/server/ca/rest/CertService.java | 2 +-
|
|
|
08c5c1 |
base/tps/shared/conf/CS.cfg | 2 +-
|
|
|
08c5c1 |
.../dogtagpki/server/tps/rest/ActivityService.java | 188 ++++++++++++++--
|
|
|
08c5c1 |
.../dogtagpki/server/tps/rest/ProfileService.java | 125 ++++++++---
|
|
|
08c5c1 |
.../dogtagpki/server/tps/rest/TokenService.java | 249 ++++++++++++++++-----
|
|
|
08c5c1 |
5 files changed, 463 insertions(+), 103 deletions(-)
|
|
|
08c5c1 |
|
|
|
08c5c1 |
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
|
|
|
08c5c1 |
index 74d3a5d..f577992 100644
|
|
|
08c5c1 |
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
|
|
|
08c5c1 |
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
|
|
|
08c5c1 |
@@ -193,7 +193,7 @@ public class CertService extends PKIService implements CertResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
processor.setAuthority(authority);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- caX500DN = (X500Name) authority.getCACert().getIssuerDN();
|
|
|
08c5c1 |
+ caX500DN = (X500Name) authority.getCACert().getSubjectDN();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (EBaseException e) {
|
|
|
08c5c1 |
throw new PKIException(e.getMessage());
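Review bot: The switch to `authority.getCACert().getSubjectDN()` is correct for the CA's own name but reads like an accidental edit, since for a self-signed root subject and issuer are identical and only a subordinate CA shows the difference; add `// the CA's own name is its subject DN; the issuer DN differs for a subordinate CA` above the line so the issuer variant is not reintroduced. The `(X500Name)` cast and the `catch (EBaseException e)` that rethrows only `e.getMessage()` without the cause are untouched by this commit; the enclosing method starts before the hunk.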
|
|
|
08c5c1 |
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
|
|
|
08c5c1 |
index 4bd4bb7..2e5d499 100644
|
|
|
08c5c1 |
--- a/base/tps/shared/conf/CS.cfg
|
|
|
08c5c1 |
+++ b/base/tps/shared/conf/CS.cfg
|
|
|
08c5c1 |
@@ -2361,7 +2361,7 @@ target.Profile_Mappings.displayname=Token Profile Mapping Resolvers
|
|
|
08c5c1 |
target.Profile_Mappings.list=enrollProfileMappingResolver,formatProfileMappingResolver,pinResetProfileMappingResolver
|
|
|
08c5c1 |
target.Profile_Mappings.pattern=mappingResolver\.$name\.mapping\..*
|
|
|
08c5c1 |
target.Profiles.displayname=Token Profile
|
|
|
08c5c1 |
-target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey
|
|
|
08c5c1 |
+target.Profiles.list=userKey,soKey,soCleanUserToken,soUserKey,cleanToken,soCleanSoToken,tokenKey,externalRegISEtoken,externalRegAddToToken,delegateISEtoken,delegateIEtoken
|
|
|
08c5c1 |
target.Profiles.pattern=op\..*\.$name\..*
|
|
|
08c5c1 |
target.Subsystem_Connections.displayname=Subsystem Connection
|
|
|
08c5c1 |
target.Subsystem_Connections.list=
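Review bot: The four names appended to `target.Profiles.list` only surface with content if matching `op.<operation>.<name>.*` entries exist elsewhere in this file, because `target.Profiles.pattern=op\..*\.$name\..*` derives each profile's keys from the name; none of the new names appear in the hunk, so please confirm each has a corresponding `op.` section or it will render as an empty profile. If this list also feeds the profile choices offered when an agent's permissions are assigned, a name here that matches no configured token type would let an administrator grant a permission that never applies.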
|
|
|
08c5c1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
|
|
|
08c5c1 |
index 37a3083..4f07be7 100644
|
|
|
08c5c1 |
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
|
|
|
08c5c1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
|
|
|
08c5c1 |
@@ -21,15 +21,20 @@ package org.dogtagpki.server.tps.rest;
|
|
|
08c5c1 |
import java.io.UnsupportedEncodingException;
|
|
|
08c5c1 |
import java.net.URI;
|
|
|
08c5c1 |
import java.net.URLEncoder;
|
|
|
08c5c1 |
+import java.util.Date;
|
|
|
08c5c1 |
import java.util.Iterator;
|
|
|
08c5c1 |
+import java.util.List;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
import javax.ws.rs.core.Response;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
import org.dogtagpki.server.tps.TPSSubsystem;
|
|
|
08c5c1 |
import org.dogtagpki.server.tps.dbs.ActivityDatabase;
|
|
|
08c5c1 |
import org.dogtagpki.server.tps.dbs.ActivityRecord;
|
|
|
08c5c1 |
+import org.dogtagpki.server.tps.dbs.TokenDatabase;
|
|
|
08c5c1 |
+import org.dogtagpki.server.tps.dbs.TokenRecord;
|
|
|
08c5c1 |
import org.jboss.resteasy.plugins.providers.atom.Link;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+import com.netscape.cms.realm.PKIPrincipal;
|
|
|
08c5c1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.BadRequestException;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.PKIException;
|
|
|
08c5c1 |
@@ -38,6 +43,9 @@ import com.netscape.certsrv.logging.ActivityCollection;
|
|
|
08c5c1 |
import com.netscape.certsrv.logging.ActivityData;
|
|
|
08c5c1 |
import com.netscape.certsrv.logging.ActivityResource;
|
|
|
08c5c1 |
import com.netscape.cms.servlet.base.PKIService;
|
|
|
08c5c1 |
+import com.netscape.certsrv.user.UserResource;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUser;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
/**
|
|
|
08c5c1 |
* @author Endi S. Dewata
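Review bot: `import com.netscape.certsrv.usrgrp.IUGSubsystem;` is referenced only inside the commented-out block in getAuthorizedProfiles at the end of this file, so as committed it is an unused import; drop it together with that block, or remove the comment markers if the user-group lookup is actually wanted. In the previous hunk `import com.netscape.cms.realm.PKIPrincipal;` is placed ahead of the `com.netscape.certsrv` group and here `UserResource` lands after `cms.servlet.base.PKIService`, breaking the alphabetical order the surrounding imports follow; the same placement of PKIPrincipal recurs in ProfileService.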
|
|
|
08c5c1 |
@@ -74,6 +82,21 @@ public class ActivityService extends PKIService implements ActivityResource {
|
|
|
08c5c1 |
return activityData;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ public ActivityData createRestrictedActivityData() {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ ActivityData activityData = new ActivityData();
|
|
|
08c5c1 |
+ activityData.setID("<restricted>");
|
|
|
08c5c1 |
+ activityData.setTokenID("<restricted>");
|
|
|
08c5c1 |
+ activityData.setUserID("<restricted>");
|
|
|
08c5c1 |
+ activityData.setIP("<restricted>");
|
|
|
08c5c1 |
+ activityData.setOperation("<restricted>");
|
|
|
08c5c1 |
+ activityData.setResult("<restricted>");
|
|
|
08c5c1 |
+ activityData.setMessage("<restricted>");
|
|
|
08c5c1 |
+ activityData.setDate(new Date(0L));
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ return activityData;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
public ActivityRecord createActivityRecord(ActivityData activityData) {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
ActivityRecord activityRecord = new ActivityRecord();
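Review bot: The literal `"<restricted>"` is repeated seven times in createRestrictedActivityData; declare it once, e.g. `private static final String RESTRICTED = "<restricted>";`, and use it in each setter so the marker clients look for cannot drift between fields. Every placeholder carries the same ID and the epoch date, so one page can hold several entries with identical IDs; a Javadoc on the method should state that these entries are markers for activities the caller may not see rather than activities, and that their ID is not unique, since a client keying on ID would otherwise collapse or mis-link them. The method is public although nothing outside this class is shown using it; `private` would do unless a UI layer needs it.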
|
|
|
08c5c1 |
@@ -91,8 +114,8 @@ public class ActivityService extends PKIService implements ActivityResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response findActivities(String filter, Integer start, Integer size) {
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- CMS.debug("ActivityService.findActivities()");
|
|
|
08c5c1 |
+ String method = "ActivityService.findActivities: ";
|
|
|
08c5c1 |
+ CMS.debug(method);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (filter != null && filter.length() < MIN_FILTER_LENGTH) {
|
|
|
08c5c1 |
throw new BadRequestException("Filter is too short.");
|
|
|
08c5c1 |
@@ -136,24 +159,65 @@ public class ActivityService extends PKIService implements ActivityResource {
|
|
|
08c5c1 |
Integer size,
|
|
|
08c5c1 |
ActivityCollection response) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ String method = "ActivityService.retrieveActivitiesWithVLV: ";
|
|
|
08c5c1 |
+ CMS.debug(method);
|
|
|
08c5c1 |
// search with VLV sorted by date in reverse order
|
|
|
08c5c1 |
IDBVirtualList<ActivityRecord> list = database.findRecords(
|
|
|
08c5c1 |
null, null, new String[] { "-date" }, size);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
int total = list.getSize();
|
|
|
08c5c1 |
+ CMS.debug(method + "total: " + total);
|
|
|
08c5c1 |
+ int retTotal = 0; // debugging only
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// return entries in the requested page
|
|
|
08c5c1 |
- for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
- ActivityRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- if (record == null) {
|
|
|
08c5c1 |
- CMS.debug("ActivityService: Activity record not found");
|
|
|
08c5c1 |
- throw new PKIException("Activity record not found");
|
|
|
08c5c1 |
+ if (authorizedProfiles != null) {
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
|
|
|
08c5c1 |
+ for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ ActivityRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { // not authorized for all profiles
|
|
|
08c5c1 |
+ for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ ActivityRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.Id="+ record.getId());
|
|
|
08c5c1 |
+ // On some rare occasions, some activities don't have
|
|
|
08c5c1 |
+ // their token type filled in. It is therefore necessary
|
|
|
08c5c1 |
+ // to get it from the token record directly.
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ type);
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty()) {
|
|
|
08c5c1 |
+ CMS.debug(method + "record.tokenType null...getting from token record");
|
|
|
08c5c1 |
+ String tokenID = record.getTokenID();
|
|
|
08c5c1 |
+ if ((tokenID != null) && !tokenID.isEmpty()) {
|
|
|
08c5c1 |
+ TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
+ TokenDatabase t_database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
+ TokenRecord t_record = t_database.getRecord(tokenID);
|
|
|
08c5c1 |
+ if (t_record != null)
|
|
|
08c5c1 |
+ type = t_record.getType();
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //CMS.debug(method + "type="+ type);
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty() || authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type allowed");
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ CMS.debug(method + "token type restricted; adding 'restricted' record");
|
|
|
08c5c1 |
+ response.addEntry(createRestrictedActivityData());
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } //for
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ } else { //authorizedProfiles null; no permission
|
|
|
08c5c1 |
+ CMS.debug(method + "authorized profiles is null");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ CMS.debug(method + "retTotal = " + retTotal);
|
|
|
08c5c1 |
response.setTotal(total);
|
|
|
08c5c1 |
}
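Review bot: The visibility test `if ((type == null) || type.isEmpty() || authorizedProfiles.contains(type))` fails open: an activity whose token type cannot be resolved from the record or the token database is shown to every agent, including one restricted to a few profiles, which is the case this patch exists to close. For an authorization filter the safer default is to emit the restricted placeholder for unknown types (drop the two null/empty disjuncts) or to document why type-less activities are treated as unrestricted; the same condition appears in retrieveActivitiesWithoutVLV and, inverted, in getActivity. The removed `if (record == null)` guard is not carried over, so `list.getElementAt(i)` returning null now ends in a NullPointerException inside `createActivityData(record)` or at `record.getType()` instead of the previous `PKIException("Activity record not found")`; re-add `if (record == null) throw new PKIException("Activity record not found");` after each `getElementAt` call. When `authorizedProfiles` is null the method only logs and returns an empty page with `total` set to the full count, whereas getActivity throws for the same condition; the two should agree on how a user without any profile permission is answered.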
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -164,44 +228,120 @@ public class ActivityService extends PKIService implements ActivityResource {
|
|
|
08c5c1 |
Integer size,
|
|
|
08c5c1 |
ActivityCollection response) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ String method = "ActivityService.retrieveActivitiesWithoutVLV: ";
|
|
|
08c5c1 |
// search without VLV
|
|
|
08c5c1 |
- Iterator<ActivityRecord> activities = database.findRecords(filter).iterator();
|
|
|
08c5c1 |
+ List<ActivityRecord> activities = (List<ActivityRecord>) database.findRecords(filter);
|
|
|
08c5c1 |
+ int total = activities.size();
|
|
|
08c5c1 |
+ CMS.debug(method + "total: " + total);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // TODO: sort results by date in reverse order
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ int retTotal = 0; // debugging only
|
|
|
08c5c1 |
int i = 0;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // skip to the start of the page
|
|
|
08c5c1 |
- for (; i < start && activities.hasNext(); i++)
|
|
|
08c5c1 |
- activities.next();
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
// return entries in the requested page
|
|
|
08c5c1 |
- for (; i < start + size && activities.hasNext(); i++) {
|
|
|
08c5c1 |
- ActivityRecord record = activities.next();
|
|
|
08c5c1 |
- response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ if (authorizedProfiles != null) {
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
|
|
|
08c5c1 |
+ for (i= start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ ActivityRecord record = activities.get(i);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ record.getType());
|
|
|
08c5c1 |
+ response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { // not authorized for all profiles
|
|
|
08c5c1 |
+ for (i= start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ ActivityRecord record = activities.get(i);
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.ID="+ record.getId());
|
|
|
08c5c1 |
+ // On some rare occasions, some activities don't have
|
|
|
08c5c1 |
+ // their token type filled in. It is therefore necessary
|
|
|
08c5c1 |
+ // to get it from the token record directly.
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ type);
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty()) {
|
|
|
08c5c1 |
+ CMS.debug(method + "record.tokenType null...getting from token record");
|
|
|
08c5c1 |
+ String tokenID = record.getTokenID();
|
|
|
08c5c1 |
+ if ((tokenID != null) && !tokenID.isEmpty()) {
|
|
|
08c5c1 |
+ TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
+ TokenDatabase t_database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
+ TokenRecord t_record = t_database.getRecord(tokenID);
|
|
|
08c5c1 |
+ if (t_record != null)
|
|
|
08c5c1 |
+ type = t_record.getType();
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ //CMS.debug(method + "type="+ type);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty() || authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ response.addEntry(createActivityData(record));
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type not allowed: " + type +
|
|
|
08c5c1 |
+ // "; adding 'restricted' record");
|
|
|
08c5c1 |
+ response.addEntry(createRestrictedActivityData());
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { //authorizedProfiles null; no permission
|
|
|
08c5c1 |
+ CMS.debug(method + "authorized profiles is null");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // count the total entries
|
|
|
08c5c1 |
- for (; activities.hasNext(); i++) activities.next();
|
|
|
08c5c1 |
- response.setTotal(i);
|
|
|
08c5c1 |
+ CMS.debug(method + "retTotal = " + retTotal);
|
|
|
08c5c1 |
+ response.setTotal(total);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response getActivity(String activityID) {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ String method = "ActivityService.getActivity: ";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
if (activityID == null) throw new BadRequestException("Activity ID is null.");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("ActivityService.getActivity(\"" + activityID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + activityID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if (authorizedProfiles == null) {
|
|
|
08c5c1 |
+ msg = "authorizedProfiles null";
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(method + msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem)CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ActivityDatabase database = subsystem.getActivityDatabase();
|
|
|
08c5c1 |
+ ActivityRecord record = database.getRecord(activityID);
|
|
|
08c5c1 |
+ if (record == null) {
|
|
|
08c5c1 |
+ CMS.debug(method + "record not found");
|
|
|
08c5c1 |
+ throw new PKIException(method + "record not found");
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- return createOKResponse(createActivityData(database.getRecord(activityID)));
|
|
|
08c5c1 |
+ if ((type != null) && !type.isEmpty() && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ msg = "token type restricted: " + type;
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ return createOKResponse(createActivityData(record));
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
CMS.debug(e);
|
|
|
08c5c1 |
throw new PKIException(e.getMessage());
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ /*
|
|
|
08c5c1 |
+ * returns a list of TPS profiles allowed for the current user
|
|
|
08c5c1 |
+ */
|
|
|
08c5c1 |
+ List<String> getAuthorizedProfiles()
|
|
|
08c5c1 |
+ throws Exception {
|
|
|
08c5c1 |
+ String method = "ActivityService.getAuthorizedProfiles: ";
|
|
|
08c5c1 |
+ /*
|
|
|
08c5c1 |
+ String userID = servletRequest.getUserPrincipal().getName();
|
|
|
08c5c1 |
+ CMS.debug(method + "principal name: " + userID);
|
|
|
08c5c1 |
+ IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
|
|
|
08c5c1 |
+ IUser user = userGroupManager.getUser(userID);
|
|
|
08c5c1 |
+ */
|
|
|
08c5c1 |
+ PKIPrincipal pkiPrincipal = (PKIPrincipal) servletRequest.getUserPrincipal();
|
|
|
08c5c1 |
+ IUser user = pkiPrincipal.getUser();
|
|
|
08c5c1 |
+ return user.getTpsProfiles();
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
}
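Review bot: The denial in getActivity, `throw new PKIException(msg);` with `msg = "token type restricted: " + type`, reports an authorization failure as a generic server error and tells the restricted agent the very token type it may not see; `throw new ForbiddenException("activity restricted for this user");` keeps the 403 semantics and leaves the type in the debug log only (ForbiddenException is already imported by ProfileService in this patch). The `record == null` case just above it is likewise a PKIException where ResourceNotFoundException, as used in the AuthorityService patch of this series, fits. In getAuthorizedProfiles the `(PKIPrincipal)` cast and `pkiPrincipal.getUser()` are unguarded, so an unauthenticated or non-PKIPrincipal request fails with a NullPointerException or ClassCastException that every caller wraps as a 500 instead of a deliberate denial; guard with `if (!(servletRequest.getUserPrincipal() instanceof PKIPrincipal)) return null;` and delete the commented-out lookup block above it rather than keep it in the source. The `(List<ActivityRecord>) database.findRecords(filter)` cast in retrieveActivitiesWithoutVLV relies on findRecords returning a List, which the hunk does not show; `new ArrayList<>(database.findRecords(filter))` would remove the assumption (ArrayList is not imported in this file yet).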
|
|
|
08c5c1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
|
|
|
08c5c1 |
index 71bf9ad..de2691c 100644
|
|
|
08c5c1 |
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
|
|
|
08c5c1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
|
|
|
08c5c1 |
@@ -22,8 +22,11 @@ import java.io.UnsupportedEncodingException;
|
|
|
08c5c1 |
import java.net.URI;
|
|
|
08c5c1 |
import java.net.URLEncoder;
|
|
|
08c5c1 |
import java.security.Principal;
|
|
|
08c5c1 |
+import java.util.ArrayList;
|
|
|
08c5c1 |
+import java.util.Collection;
|
|
|
08c5c1 |
import java.util.HashMap;
|
|
|
08c5c1 |
import java.util.Iterator;
|
|
|
08c5c1 |
+import java.util.List;
|
|
|
08c5c1 |
import java.util.Map;
|
|
|
08c5c1 |
import java.util.regex.Pattern;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -35,16 +38,21 @@ import org.dogtagpki.server.tps.config.ProfileDatabase;
|
|
|
08c5c1 |
import org.dogtagpki.server.tps.config.ProfileRecord;
|
|
|
08c5c1 |
import org.jboss.resteasy.plugins.providers.atom.Link;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+import com.netscape.cms.realm.PKIPrincipal;
|
|
|
08c5c1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.BadRequestException;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.ForbiddenException;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.PKIException;
|
|
|
08c5c1 |
+import com.netscape.certsrv.base.UserNotFoundException;
|
|
|
08c5c1 |
import com.netscape.certsrv.common.Constants;
|
|
|
08c5c1 |
import com.netscape.certsrv.logging.AuditEvent;
|
|
|
08c5c1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.profile.ProfileCollection;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.profile.ProfileData;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.profile.ProfileResource;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUser;
|
|
|
08c5c1 |
+import com.netscape.certsrv.user.UserResource;
|
|
|
08c5c1 |
import com.netscape.cms.servlet.base.SubsystemService;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
/**
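Review bot: `UserNotFoundException`, `IUGSubsystem` and `IUser` are imported here but none of this file's hunks reference them; if ProfileService.getAuthorizedProfiles (not among the shown hunks) mirrors the ActivityService version, where IUGSubsystem survives only inside a commented-out block, at least that import is unused and should go. `import com.netscape.cms.realm.PKIPrincipal;` again precedes the `com.netscape.certsrv` group and `UserResource` follows the `usrgrp` imports, so the alphabetical order of this import block is broken in two places.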
|
|
|
08c5c1 |
@@ -94,30 +102,51 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
throw new BadRequestException("Filter is too short.");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- start = start == null ? 0 : start;
|
|
|
08c5c1 |
- size = size == null ? DEFAULT_SIZE : size;
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
+ CMS.debug("ProfileService.j.findProfiles filter: " + filter);
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ start = start == null ? 0 : start;
|
|
|
08c5c1 |
+ size = size == null ? DEFAULT_SIZE : size;
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ProfileDatabase database = subsystem.getProfileDatabase();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- Iterator<ProfileRecord> profiles = database.findRecords(filter).iterator();
|
|
|
08c5c1 |
+ Collection<ProfileRecord> profiles = new ArrayList<>();
|
|
|
08c5c1 |
+ if (authorizedProfiles != null) {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ Collection<ProfileRecord> filteredProfiles = database.findRecords(filter);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
|
|
|
08c5c1 |
+ CMS.debug("ProfileService: User allowed to access all profiles");
|
|
|
08c5c1 |
+ profiles.addAll(filteredProfiles);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ for (ProfileRecord profile : filteredProfiles) {
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(profile.getID())) {
|
|
|
08c5c1 |
+ CMS.debug("ProfileService: User allowed to access profile " + profile.getID());
|
|
|
08c5c1 |
+ profiles.add(profile);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ Iterator<ProfileRecord> profileIterator = profiles.iterator();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
ProfileCollection response = new ProfileCollection();
|
|
|
08c5c1 |
int i = 0;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// skip to the start of the page
|
|
|
08c5c1 |
- for (; i < start && profiles.hasNext(); i++)
|
|
|
08c5c1 |
- profiles.next();
|
|
|
08c5c1 |
+ for (; i < start && profileIterator.hasNext(); i++)
|
|
|
08c5c1 |
+ profileIterator.next();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// return entries up to the page size
|
|
|
08c5c1 |
- for (; i < start + size && profiles.hasNext(); i++) {
|
|
|
08c5c1 |
- response.addEntry(createProfileData(profiles.next()));
|
|
|
08c5c1 |
+ for (; i < start + size && profileIterator.hasNext(); i++) {
|
|
|
08c5c1 |
+ response.addEntry(createProfileData(profileIterator.next()));
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// count the total entries
|
|
|
08c5c1 |
- for (; profiles.hasNext(); i++)
|
|
|
08c5c1 |
- profiles.next();
|
|
|
08c5c1 |
+ for (; profileIterator.hasNext(); i++)
|
|
|
08c5c1 |
+ profileIterator.next();
|
|
|
08c5c1 |
response.setTotal(i);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (start > 0) {
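Review bot: The new debug line `CMS.debug("ProfileService.j.findProfiles filter: " + filter);` has a stray `.j.` in the method name; use the prefix convention the other methods in this patch adopt, `String method = "ProfileService.findProfiles: ";` followed by `CMS.debug(method + "filter: " + filter);`. When `getAuthorizedProfiles()` returns null the method silently answers with an empty collection and total 0, while getProfile, updateProfile and changeStatus treat the same condition as a denial and throw; at minimum a debug line in that branch, and preferably the same denial, would make the behaviour consistent and diagnosable. The enclosing method begins before the hunk.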
|
|
|
08c5c1 |
@@ -145,23 +174,33 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response getProfile(String profileID) {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ String method = "ProfileService.getProfile: ";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
if (profileID == null)
|
|
|
08c5c1 |
throw new BadRequestException("Profile ID is null.");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("ProfileService.getProfile(\"" + profileID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + profileID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ ProfileRecord profileRecord = null;
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if ((authorizedProfiles== null) || ((authorizedProfiles != null) && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(profileID))) {
|
|
|
08c5c1 |
+ msg = "profile record restricted for profileID:" + profileID;
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ throw new PKIException(msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ProfileDatabase database = subsystem.getProfileDatabase();
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- return createOKResponse(createProfileData(database.getRecord(profileID)));
|
|
|
08c5c1 |
+ profileRecord = database.getRecord(profileID);
|
|
|
08c5c1 |
+ return createOKResponse(createProfileData(profileRecord));
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (PKIException e) {
|
|
|
08c5c1 |
- CMS.debug("ProfileService: " + e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
throw e;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
throw new PKIException(e);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
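Review bot: In `if ((authorizedProfiles== null) || ((authorizedProfiles != null) && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(profileID)))` the inner `authorizedProfiles != null` is already implied by the short-circuit and only obscures the rule; `if (authorizedProfiles == null || (!authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(profileID)))` says the same. The denial is thrown as a plain `PKIException`, which surfaces as a server error rather than the 403 that `ForbiddenException`, already imported in this file, conveys; if ForbiddenException is a PKIException subclass, as the other certsrv.base exceptions appear to be, it still reaches the existing `catch (PKIException e)` and the audit calls in the sibling methods. The identical condition and throw are repeated in updateProfile and changeStatus, so a small private helper taking `profileID` and the list would keep the three checks from diverging.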
|
|
|
08c5c1 |
@@ -231,6 +270,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response updateProfile(String profileID, ProfileData profileData) {
|
|
|
08c5c1 |
String method = "ProfileService.updateProfile";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (profileID == null) {
|
|
|
08c5c1 |
auditConfigTokenGeneral(ILogger.FAILURE, method, null,
|
|
|
08c5c1 |
@@ -244,7 +284,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
throw new BadRequestException("Profile data is null.");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("ProfileService.updateProfile(\"" + profileID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + profileID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
Map<String, String> properties = profileData.getProperties();
|
|
|
08c5c1 |
for (String name : properties.keySet()) {
|
|
|
08c5c1 |
@@ -254,6 +294,14 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if ((authorizedProfiles== null) || ((authorizedProfiles != null) && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(profileID))) {
|
|
|
08c5c1 |
+ msg = "profile record restricted for profileID:" + profileID;
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ throw new PKIException(msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ProfileDatabase database = subsystem.getProfileDatabase();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -306,12 +354,12 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
return createOKResponse(profileData);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (PKIException e) {
|
|
|
08c5c1 |
- CMS.debug("ProfileService: " + e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditTPSProfileChange(ILogger.FAILURE, method, profileID, profileData.getProperties(), e.toString());
|
|
|
08c5c1 |
throw e;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditTPSProfileChange(ILogger.FAILURE, method, profileID, profileData.getProperties(), e.toString());
|
|
|
08c5c1 |
throw new PKIException(e);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
@@ -319,7 +367,8 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response changeStatus(String profileID, String action) {
|
|
|
08c5c1 |
- String method = "ProfileService.changeStatus";
|
|
|
08c5c1 |
+ String method = "ProfileService.changeStatus: ";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (profileID == null) {
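Review bot: `String method = "ProfileService.changeStatus: ";` appends a separator to a value this method later hands to `auditConfigTokenGeneral(ILogger.FAILURE, method, ...)`, so the audit record's method field now carries a trailing colon and space and no longer matches the bare `"ProfileService.updateProfile"` kept unchanged two hunks earlier; keep `method` as the bare name and prefix debug output with `method + ": "` instead. removeProfile receives the same edit in the hunk at `-439,7`, and if it passes `method` to the audit helpers as well, its records change format too.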
|
|
|
08c5c1 |
@@ -336,9 +385,17 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
auditModParams.put("Action", action);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("ProfileService.changeStatus(\"" + profileID + "\", \"" + action + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + profileID + "\", \"" + action + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if ((authorizedProfiles== null) || ((authorizedProfiles!= null) && (!authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(profileID)))) {
|
|
|
08c5c1 |
+ msg = "profile record restricted for profileID:" + profileID;
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ throw new PKIException(msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ProfileDatabase database = subsystem.getProfileDatabase();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -424,13 +481,13 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
return createOKResponse(profileData);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (PKIException e) {
|
|
|
08c5c1 |
- CMS.debug("ProfileService: " + e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditConfigTokenGeneral(ILogger.FAILURE, method,
|
|
|
08c5c1 |
auditModParams, e.toString());
|
|
|
08c5c1 |
throw e;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditConfigTokenGeneral(ILogger.FAILURE, method,
|
|
|
08c5c1 |
auditModParams, e.toString());
|
|
|
08c5c1 |
throw new PKIException(e);
|
|
|
08c5c1 |
@@ -439,7 +496,8 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response removeProfile(String profileID) {
|
|
|
08c5c1 |
- String method = "ProfileService.removeProfile";
|
|
|
08c5c1 |
+ String method = "ProfileService.removeProfile: ";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (profileID == null) {
|
|
|
08c5c1 |
@@ -449,9 +507,10 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
auditModParams.put("profileID", profileID);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("ProfileService.removeProfile(\"" + profileID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + profileID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
ProfileDatabase database = subsystem.getProfileDatabase();
|
|
|
08c5c1 |
|
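Review bot: removeProfile does not receive the `getAuthorizedProfiles()` check this commit adds to changeStatus, although the hunk adds `String msg = "";` and an empty line at the top of the `try` as if one were intended; unless profile deletion is restricted elsewhere, a user limited to specific TPS profiles can still delete any profile by ID. The same guard — `List<String> authorizedProfiles = getAuthorizedProfiles();` followed by the ALL_PROFILES/profileID containment test and a `throw new PKIException(msg)` — fits on the empty line added inside the `try`. If the omission is deliberate, `msg` is unused and should go. The method body continues outside the hunk.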
|
|
08c5c1 |
@@ -471,13 +530,13 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
return createNoContentResponse();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (PKIException e) {
|
|
|
08c5c1 |
- CMS.debug("ProfileService: " + e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditTPSProfileChange(ILogger.FAILURE, method, profileID,
|
|
|
08c5c1 |
auditModParams, e.toString());
|
|
|
08c5c1 |
throw e;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
auditTPSProfileChange(ILogger.FAILURE, method, profileID,
|
|
|
08c5c1 |
auditModParams, e.toString());
|
|
|
08c5c1 |
throw new PKIException(e);
|
|
|
08c5c1 |
@@ -485,6 +544,19 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
/*
|
|
|
08c5c1 |
+ * returns a list of TPS profiles allowed for the current user
|
|
|
08c5c1 |
+ */
|
|
|
08c5c1 |
+ List<String> getAuthorizedProfiles()
|
|
|
08c5c1 |
+ throws Exception {
|
|
|
08c5c1 |
+ String method = "ProfileService.getAuthorizedProfiles: ";
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ PKIPrincipal pkiPrincipal = (PKIPrincipal) servletRequest.getUserPrincipal();
|
|
|
08c5c1 |
+ IUser user = pkiPrincipal.getUser();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ return user.getTpsProfiles();
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ /*
|
|
|
08c5c1 |
* Service can be any of the methods offered
|
|
|
08c5c1 |
*/
|
|
|
08c5c1 |
public void auditTPSProfileChange(String status, String service, String profileID, Map<String, String> params,
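Review bot: getAuthorizedProfiles casts `servletRequest.getUserPrincipal()` to `PKIPrincipal` with no null or type check, so an unauthenticated request or a principal of another class surfaces as a NullPointerException or ClassCastException inside the caller's `try`, where it is wrapped as a generic PKIException; a check such as `if (!(principal instanceof PKIPrincipal)) throw new PKIException(method + "no PKI principal in request");` makes the denial diagnosable. The `method` local is declared but never used. Every caller treats a null return as "no permission", so the comment should state that contract: `* returns the TPS profiles the current user may act on, or null when the user record grants none`. The same method is added verbatim to TokenService in the hunk at +967; if SubsystemService is under this project's control it belongs there once rather than in each subclass.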
|
|
|
08c5c1 |
@@ -498,6 +570,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
|
|
|
08c5c1 |
profileID,
|
|
|
08c5c1 |
auditor.getParamString(params),
|
|
|
08c5c1 |
info);
|
|
|
08c5c1 |
+ // CMS.debug("auditTPSProfileChange: " + msg);
|
|
|
08c5c1 |
signedAuditLogger.log(msg);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
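Review bot: The only line this hunk adds is commented-out code, `// CMS.debug("auditTPSProfileChange: " + msg);`, and the TokenService hunks at +967, +994 and +1004 add four more of the same; they will drift from the code they mirror and should be dropped. If the signed-audit record needs to be visible at debug level, log it for real behind a debug check rather than leaving it as a comment. Note that `msg` is the complete signed-audit record, so echoing it to the debug log would copy audit content into a non-audit sink with different retention and access controls.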
|
|
08c5c1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
|
|
|
08c5c1 |
index 9dd3ce1..a7a6022 100644
|
|
|
08c5c1 |
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
|
|
|
08c5c1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
|
|
|
08c5c1 |
@@ -23,8 +23,10 @@ import java.net.URI;
|
|
|
08c5c1 |
import java.net.URLEncoder;
|
|
|
08c5c1 |
import java.util.ArrayList;
|
|
|
08c5c1 |
import java.util.Collection;
|
|
|
08c5c1 |
+import java.util.Date;
|
|
|
08c5c1 |
import java.util.HashMap;
|
|
|
08c5c1 |
import java.util.Iterator;
|
|
|
08c5c1 |
+import java.util.List;
|
|
|
08c5c1 |
import java.util.Map;
|
|
|
08c5c1 |
import java.util.MissingResourceException;
|
|
|
08c5c1 |
import java.util.ResourceBundle;
|
|
|
08c5c1 |
@@ -39,6 +41,7 @@ import org.dogtagpki.server.tps.dbs.TokenRecord;
|
|
|
08c5c1 |
import org.dogtagpki.server.tps.engine.TPSEngine;
|
|
|
08c5c1 |
import org.jboss.resteasy.plugins.providers.atom.Link;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+import com.netscape.cms.realm.PKIPrincipal;
|
|
|
08c5c1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.BadRequestException;
|
|
|
08c5c1 |
import com.netscape.certsrv.base.IConfigStore;
|
|
|
08c5c1 |
@@ -53,6 +56,9 @@ import com.netscape.certsrv.tps.token.TokenData;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.token.TokenData.TokenStatusData;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.token.TokenResource;
|
|
|
08c5c1 |
import com.netscape.certsrv.tps.token.TokenStatus;
|
|
|
08c5c1 |
+import com.netscape.certsrv.user.UserResource;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
|
|
|
08c5c1 |
+import com.netscape.certsrv.usrgrp.IUser;
|
|
|
08c5c1 |
import com.netscape.cms.servlet.base.SubsystemService;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
import netscape.ldap.LDAPException;
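Review bot: `com.netscape.certsrv.usrgrp.IUGSubsystem` is imported but not referenced in any hunk of this patch; if nothing outside the visible hunks uses it, the import is unused and should be removed. `com.netscape.cms.realm.PKIPrincipal` at +41 is inserted ahead of the `com.netscape.certsrv` group, which breaks the alphabetical grouping the surrounding imports keep.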
|
|
|
08c5c1 |
@@ -229,6 +235,28 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return tokenData;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ public TokenData createRestrictedTokenData() throws Exception {
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ TokenData tokenData = new TokenData();
|
|
|
08c5c1 |
+ tokenData.setID("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setTokenID("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setUserID("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setType("<restricted>");
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ TokenStatusData statusData = new TokenStatusData();
|
|
|
08c5c1 |
+ statusData.name = TokenStatus.valueOf(null);
|
|
|
08c5c1 |
+ statusData.label = "<restricted>";
|
|
|
08c5c1 |
+ tokenData.setStatus(statusData);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ tokenData.setAppletID("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setKeyInfo("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setPolicy("<restricted>");
|
|
|
08c5c1 |
+ tokenData.setCreateTimestamp(new Date(0L));
|
|
|
08c5c1 |
+ tokenData.setModifyTimestamp(new Date(0L));
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ return tokenData;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response findTokens(
|
|
|
08c5c1 |
String filter,
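Review bot: `statusData.name = TokenStatus.valueOf(null)` in createRestrictedTokenData depends on `valueOf` tolerating a null name — a map-backed lookup yields null, an enum-style lookup throws — and either way the intent is clearer as `statusData.name = null;`. The method is declared `throws Exception` although nothing in its body throws, which forces every caller into a `try`. The `"<restricted>"` placeholder is repeated eight times; a `private static final String RESTRICTED = "<restricted>";` keeps the redaction marker in one place so clients that recognise it stay in sync. A placeholder entry still occupies a slot in the returned page, so a caller learns that a token exists even when its fields are hidden; if that disclosure level is intended, a one-line comment above the method should say so.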
|
|
|
08c5c1 |
@@ -311,24 +339,48 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
Integer size,
|
|
|
08c5c1 |
TokenCollection response) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ String method = "TokenService.retrieveTokensWithVLV: ";
|
|
|
08c5c1 |
// search with VLV sorted by date in reverse order
|
|
|
08c5c1 |
IDBVirtualList<TokenRecord> list = database.findRecords(
|
|
|
08c5c1 |
null, null, new String[] { "-modifyTimestamp", "-createTimestamp" }, size);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
int total = list.getSize();
|
|
|
08c5c1 |
+ int retTotal = 0; //debugging only
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// return entries in the requested page
|
|
|
08c5c1 |
- for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
- TokenRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
+ if (authorizedProfiles != null) {
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
|
|
|
08c5c1 |
+ for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ TokenRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- if (record == null) {
|
|
|
08c5c1 |
- CMS.debug("TokenService: Token record not found");
|
|
|
08c5c1 |
- throw new PKIException("Token record not found");
|
|
|
08c5c1 |
+ response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { // not authorized for all profiles
|
|
|
08c5c1 |
+ for (int i = start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ TokenRecord record = list.getElementAt(i);
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.ID="+ record.getId());
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ type;
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty() || authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type allowed");
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type restricted: " + type +
|
|
|
08c5c1 |
+ // "; adding 'restricted' record");
|
|
|
08c5c1 |
+ response.addEntry(createRestrictedTokenData());
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } //for
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ } else { //authorizedProfiles null; no permission
|
|
|
08c5c1 |
+ CMS.debug(method + "authorized profiles is null");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ CMS.debug(method + "retTotal = " + retTotal);
|
|
|
08c5c1 |
response.setTotal(total);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
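Review bot: The former `if (record == null)` guard after `list.getElementAt(i)` is removed, yet both new loops dereference `record` (`createTokenData(record)` and `record.getType()`), so a null element now fails the whole page with a NullPointerException instead of the previous explicit PKIException; restore the check at the top of each loop body. Records whose `type` is null or empty are served to every caller through `(type == null) || type.isEmpty() || authorizedProfiles.contains(type)`, which is fail-open for untyped tokens; the same predicate appears in retrieveTokensWithoutVLV, getToken, modifyToken and changeTokenStatus, so if it is intentional (tokens not yet assigned a profile, presumably) a single comment at this first site should say why. When `authorizedProfiles` is null the method returns an empty page but still calls `response.setTotal(total)`, revealing the total token count to a caller that getToken refuses with a PKIException; the two paths should agree. The two loop bodies differ only in the type test and could be one loop with the ALL_PROFILES case folded into the predicate.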
|
|
08c5c1 |
@@ -340,44 +392,84 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
Integer size,
|
|
|
08c5c1 |
TokenCollection response) throws Exception {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // search without VLV
|
|
|
08c5c1 |
- Iterator<TokenRecord> tokens = database.findRecords(filter, attributes).iterator();
|
|
|
08c5c1 |
+ String method = "TokenService.retrieveTokensWithoutVLV: ";
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // TODO: sort results by date in reverse order
|
|
|
08c5c1 |
+ List<TokenRecord> tokens = (List<TokenRecord>) database.findRecords(filter);
|
|
|
08c5c1 |
+ int total = tokens.size();
|
|
|
08c5c1 |
+ CMS.debug(method + "total: " + total);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- int i = 0;
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // skip to the start of the page
|
|
|
08c5c1 |
- for (; i < start && tokens.hasNext(); i++)
|
|
|
08c5c1 |
- tokens.next();
|
|
|
08c5c1 |
+ int retTotal = 0; //debugging only
|
|
|
08c5c1 |
+ int i = 0;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// return entries in the requested page
|
|
|
08c5c1 |
- for (; i < start + size && tokens.hasNext(); i++) {
|
|
|
08c5c1 |
- TokenRecord record = tokens.next();
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
- response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ if (authorizedProfiles != null) {
|
|
|
08c5c1 |
+ if (authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
|
|
|
08c5c1 |
+ for (i=start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ TokenRecord record = tokens.get(i);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ record.getType());
|
|
|
08c5c1 |
+ response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { // not authorized for all profiles
|
|
|
08c5c1 |
+ for (i=start; i < start + size && i < total; i++) {
|
|
|
08c5c1 |
+ TokenRecord record = tokens.get(i);
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.ID="+ record.getId());
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
+ //CMS.debug(method + "record.tokenType="+ type;
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty() || authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type allowed");
|
|
|
08c5c1 |
+ retTotal++;
|
|
|
08c5c1 |
+ response.addEntry(createTokenData(record));
|
|
|
08c5c1 |
+ } else {
|
|
|
08c5c1 |
+ //CMS.debug(method + "token type not allowed: " + type +
|
|
|
08c5c1 |
+ // "; adding 'restricted' record");
|
|
|
08c5c1 |
+ response.addEntry(createRestrictedTokenData());
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ } else { //authorizedProfiles null; no permission
|
|
|
08c5c1 |
+ CMS.debug(method + "authorized profiles is null");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- // count the total entries
|
|
|
08c5c1 |
- for (; tokens.hasNext(); i++)
|
|
|
08c5c1 |
- tokens.next();
|
|
|
08c5c1 |
+ CMS.debug(method + "retTotal = " + retTotal);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- response.setTotal(i);
|
|
|
08c5c1 |
+ response.setTotal(total);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response getToken(String tokenID) {
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
+ String method = "TokenService.getToken: ";
|
|
|
08c5c1 |
+ String msg = "";
|
|
|
08c5c1 |
if (tokenID == null)
|
|
|
08c5c1 |
throw new BadRequestException("Token ID is null.");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.getToken(\"" + tokenID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + tokenID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if (authorizedProfiles == null) {
|
|
|
08c5c1 |
+ msg = "authorizedProfiles null";
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(method + msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
TokenDatabase database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
+ TokenRecord record = database.getRecord(tokenID);
|
|
|
08c5c1 |
+ if (record == null) {
|
|
|
08c5c1 |
+ msg = "Token record not found";
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(method + msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ String type = record.getType();
|
|
|
08c5c1 |
+ if ((type == null) || type.isEmpty() || authorizedProfiles.contains(UserResource.ALL_PROFILES) || authorizedProfiles.contains(type))
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- return createOKResponse(createTokenData(database.getRecord(tokenID)));
|
|
|
08c5c1 |
+ return createOKResponse(createTokenData(record));
|
|
|
08c5c1 |
+ else
|
|
|
08c5c1 |
+ throw new PKIException(method + "Token record restricted");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (EDBException e) {
|
|
|
08c5c1 |
Throwable t = e.getCause();
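Review bot: retrieveTokensWithoutVLV now calls `database.findRecords(filter)` where the removed code passed `findRecords(filter, attributes)`, so the `attributes` argument — still in the signature, which starts above the hunk — no longer narrows the search; unless the two-argument overload was removed, attribute-filtered queries silently return broader results. The `(List<TokenRecord>)` cast is unchecked; if `findRecords` is declared to return a `Collection`, `new ArrayList<>(database.findRecords(filter))` avoids both the warning and a ClassCastException. Paging by index over the full result set is what makes `tokens.size()` available as the total, but it means the whole set is held in memory per request where the old iterator streamed it, which deserves a comment. In getToken the denial `throw new PKIException(method + "Token record restricted")` and the not-found path use the same generic type as internal errors; braces on the `if`/`else` and a forbidden/not-found exception, if the base package provides them, would make the HTTP mapping intentional.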
|
|
|
08c5c1 |
@@ -397,7 +489,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response addToken(TokenData tokenData) {
|
|
|
08c5c1 |
- String method = "TokenService.addToken";
|
|
|
08c5c1 |
+ String method = "TokenService.addToken: ";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (tokenData == null) {
|
|
|
08c5c1 |
@@ -410,7 +502,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
String tokenID = tokenData.getTokenID();
|
|
|
08c5c1 |
auditModParams.put("tokenID", tokenID);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.addToken(\"" + tokenID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + tokenID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String remoteUser = servletRequest.getRemoteUser();
|
|
|
08c5c1 |
String ipAddress = servletRequest.getRemoteAddr();
|
|
|
08c5c1 |
@@ -451,7 +543,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return createCreatedResponse(tokenData, tokenData.getLink().getHref());
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + ": " + e.getMessage();
|
|
|
08c5c1 |
subsystem.tdb.tdbActivity(ActivityDatabase.OP_ADD, tokenRecord,
|
|
|
08c5c1 |
@@ -481,7 +573,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response replaceToken(String tokenID, TokenData tokenData) {
|
|
|
08c5c1 |
- String method = "TokenService.replaceToken";
|
|
|
08c5c1 |
+ String method = "TokenService.replaceToken: ";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (tokenID == null) {
|
|
|
08c5c1 |
@@ -495,7 +587,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
throw new BadRequestException("Token data is null.");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.replaceToken(\"" + tokenID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method +"(\"" + tokenID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String remoteUser = servletRequest.getRemoteUser();
|
|
|
08c5c1 |
String ipAddress = servletRequest.getRemoteAddr();
|
|
|
08c5c1 |
@@ -528,7 +620,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return createOKResponse(tokenData);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + ": " + e.getMessage();
|
|
|
08c5c1 |
subsystem.tdb.tdbActivity(ActivityDatabase.OP_TOKEN_MODIFY, tokenRecord,
|
|
|
08c5c1 |
@@ -559,7 +651,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response modifyToken(String tokenID, TokenData tokenData) {
|
|
|
08c5c1 |
- String method = "TokenService.modifyToken";
|
|
|
08c5c1 |
+ String method = "TokenService.modifyToken: ";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (tokenID == null) {
|
|
|
08c5c1 |
@@ -575,7 +667,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
throw e;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.modifyToken(\"" + tokenID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + tokenID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String remoteUser = servletRequest.getRemoteUser();
|
|
|
08c5c1 |
String ipAddress = servletRequest.getRemoteAddr();
|
|
|
08c5c1 |
@@ -584,11 +676,29 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
TokenRecord tokenRecord = null;
|
|
|
08c5c1 |
String msg = "modify token";
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if (authorizedProfiles == null) {
|
|
|
08c5c1 |
+ msg = "authorizedProfiles null";
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(method + msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
TokenDatabase database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// get existing record
|
|
|
08c5c1 |
tokenRecord = database.getRecord(tokenID);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ if (tokenRecord == null) {
|
|
|
08c5c1 |
+ CMS.debug(method + "Token record not found");
|
|
|
08c5c1 |
+ throw new PKIException(method + "Token record not found");
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ String type = tokenRecord.getType();
|
|
|
08c5c1 |
+ if ((type != null) && !type.isEmpty() && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ CMS.debug(method + "token record restricted");
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ throw new PKIException("token record restricted");
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
// update user ID if specified
|
|
|
08c5c1 |
String userID = tokenData.getUserID();
|
|
|
08c5c1 |
if (userID != null) {
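Review bot: The authorization block in modifyToken throws `new PKIException("token record restricted")` without the `method` prefix every other message in the method carries, and the same block is repeated in changeTokenStatus at +785; extract it once, e.g. `private void requireAuthorizedForToken(TokenRecord tokenRecord, List<String> authorizedProfiles, String method)`, so the two cannot diverge. Setting `msg = "authorizedProfiles null"` before throwing means the activity record written by the `catch` below reads `authorizedProfiles null: TokenService.modifyToken: authorizedProfiles null`; keep `msg` as the operation name and carry the detail only in the exception. The method body continues outside the hunk.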
|
|
|
08c5c1 |
@@ -622,7 +732,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return createOKResponse(tokenData);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + ": " + e.getMessage();
|
|
|
08c5c1 |
subsystem.tdb.tdbActivity(ActivityDatabase.OP_TOKEN_MODIFY, tokenRecord,
|
|
|
08c5c1 |
@@ -653,7 +763,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response changeTokenStatus(String tokenID, TokenStatus tokenStatus) {
|
|
|
08c5c1 |
- String method = "TokenService.changeTokenStatus";
|
|
|
08c5c1 |
+ String method = "TokenService.changeTokenStatus: ";
|
|
|
08c5c1 |
CMS.debug(method + "begins: with tokenStatus=" + tokenStatus.getName());
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -662,8 +772,12 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
"Token ID is null.");
|
|
|
08c5c1 |
throw new BadRequestException("Token ID is null.");
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
-
|
|
|
08c5c1 |
auditModParams.put("tokenID", tokenID);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
+ TokenDatabase database = null;
|
|
|
08c5c1 |
+ TokenRecord tokenRecord = null;
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
if (tokenStatus == null) {
|
|
|
08c5c1 |
auditConfigTokenGeneral(ILogger.FAILURE, method, null,
|
|
|
08c5c1 |
"Token state is null.");
|
|
|
08c5c1 |
@@ -671,39 +785,55 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
auditModParams.put("tokenStatus", tokenStatus.toString());
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.changeTokenStatus(\"" + tokenID + "\", \"" + tokenStatus + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + tokenID + "\", \"" + tokenStatus + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String remoteUser = servletRequest.getRemoteUser();
|
|
|
08c5c1 |
String ipAddress = servletRequest.getRemoteAddr();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- TPSSubsystem subsystem = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
|
|
|
08c5c1 |
// for auditing
|
|
|
08c5c1 |
TokenStatus oldStatus = null;
|
|
|
08c5c1 |
String oldReason = null;
|
|
|
08c5c1 |
TokenStatus newStatus = null;
|
|
|
08c5c1 |
String newReason = null;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- TokenRecord tokenRecord = null;
|
|
|
08c5c1 |
String msg = "change token status";
|
|
|
08c5c1 |
try {
|
|
|
08c5c1 |
- TokenDatabase database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
+ List<String> authorizedProfiles = getAuthorizedProfiles();
|
|
|
08c5c1 |
+ if (authorizedProfiles == null) {
|
|
|
08c5c1 |
+ msg = "authorizedProfiles null";
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
+ throw new PKIException(method + msg);
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ database = subsystem.getTokenDatabase();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
tokenRecord = database.getRecord(tokenID);
|
|
|
08c5c1 |
+ if (tokenRecord == null) {
|
|
|
08c5c1 |
+ CMS.debug(method + "Token record not found");
|
|
|
08c5c1 |
+ throw new PKIException(method + "Token record not found");
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+ String type = tokenRecord.getType();
|
|
|
08c5c1 |
+ if ((type != null) && !type.isEmpty() && !authorizedProfiles.contains(UserResource.ALL_PROFILES) && !authorizedProfiles.contains(type)) {
|
|
|
08c5c1 |
+ CMS.debug(method + "token record restricted: " + type);
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ throw new PKIException("token record restricted");
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
TokenStatus currentTokenStatus = tokenRecord.getTokenStatus();
|
|
|
08c5c1 |
- CMS.debug("TokenService.changeTokenStatus(): current status: " + currentTokenStatus);
|
|
|
08c5c1 |
+ CMS.debug(method + " current status: " + currentTokenStatus);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
oldStatus = tokenRecord.getTokenStatus();
|
|
|
08c5c1 |
oldReason = tokenRecord.getReason();
|
|
|
08c5c1 |
newStatus = tokenStatus;
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (currentTokenStatus == tokenStatus) {
|
|
|
08c5c1 |
- CMS.debug("TokenService.changeTokenStatus(): no status change, no activity log generated");
|
|
|
08c5c1 |
+ CMS.debug(method + " no status change, no activity log generated");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
TokenData tokenData = createTokenData(tokenRecord);
|
|
|
08c5c1 |
return createOKResponse(tokenData);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + " from " + currentTokenStatus + " to " + tokenStatus;
|
|
|
08c5c1 |
+ CMS.debug(method + msg);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// Check for invalid current status
|
|
|
08c5c1 |
if(!oldStatus.isValid()) {
|
|
|
08c5c1 |
@@ -717,7 +847,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
// make sure transition is allowed
|
|
|
08c5c1 |
if (!subsystem.isUITransitionAllowed(tokenRecord, tokenStatus)) {
|
|
|
08c5c1 |
- CMS.debug("TokenService.changeTokenStatus(): next status not allowed: " + tokenStatus);
|
|
|
08c5c1 |
+ CMS.debug(method + " next status not allowed: " + tokenStatus);
|
|
|
08c5c1 |
Exception ex = new BadRequestException("Invalid token status transition");
|
|
|
08c5c1 |
auditTokenStateChange(ILogger.FAILURE, oldStatus,
|
|
|
08c5c1 |
newStatus, oldReason, newReason,
|
|
|
08c5c1 |
@@ -725,7 +855,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
throw ex;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.changeTokenStatus(): next status allowed: " + tokenStatus);
|
|
|
08c5c1 |
+ CMS.debug(method + " next status allowed: " + tokenStatus);
|
|
|
08c5c1 |
// audit in setTokenStatus()
|
|
|
08c5c1 |
setTokenStatus(tokenRecord, tokenStatus, ipAddress, remoteUser, auditModParams);
|
|
|
08c5c1 |
database.updateRecord(tokenID, tokenRecord);
|
|
|
08c5c1 |
@@ -738,7 +868,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return createOKResponse(tokenData);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + ": " + e.getMessage();
|
|
|
08c5c1 |
subsystem.tdb.tdbActivity(ActivityDatabase.OP_TOKEN_STATUS_CHANGE, tokenRecord,
|
|
|
08c5c1 |
@@ -772,7 +902,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@Override
|
|
|
08c5c1 |
public Response removeToken(String tokenID) {
|
|
|
08c5c1 |
- String method = "TokenService.removeToken";
|
|
|
08c5c1 |
+ String method = "TokenService.removeToken: ";
|
|
|
08c5c1 |
Map<String, String> auditModParams = new HashMap<String, String>();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
if (tokenID == null) {
|
|
|
08c5c1 |
@@ -782,7 +912,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
throw ex;
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
- CMS.debug("TokenService.removeToken(\"" + tokenID + "\")");
|
|
|
08c5c1 |
+ CMS.debug(method + "(\"" + tokenID + "\")");
|
|
|
08c5c1 |
|
|
|
08c5c1 |
String remoteUser = servletRequest.getRemoteUser();
|
|
|
08c5c1 |
String ipAddress = servletRequest.getRemoteAddr();
|
|
|
08c5c1 |
@@ -795,7 +925,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
tokenRecord = database.getRecord(tokenID);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
//delete all certs associated with this token
|
|
|
08c5c1 |
- CMS.debug("TokenService.removeToken: about to remove all certificates associated with the token first");
|
|
|
08c5c1 |
+ CMS.debug(method + "about to remove all certificates associated with the token first");
|
|
|
08c5c1 |
subsystem.tdb.tdbRemoveCertificatesByCUID(tokenRecord.getId());
|
|
|
08c5c1 |
|
|
|
08c5c1 |
database.removeRecord(tokenID);
|
|
|
08c5c1 |
@@ -807,7 +937,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
return createNoContentResponse();
|
|
|
08c5c1 |
|
|
|
08c5c1 |
} catch (Exception e) {
|
|
|
08c5c1 |
- CMS.debug(e);
|
|
|
08c5c1 |
+ CMS.debug(method + e);
|
|
|
08c5c1 |
|
|
|
08c5c1 |
msg = msg + ": " + e.getMessage();
|
|
|
08c5c1 |
subsystem.tdb.tdbActivity(ActivityDatabase.OP_DELETE, tokenRecord,
|
|
|
08c5c1 |
@@ -837,11 +967,25 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
/*
|
|
|
08c5c1 |
+ * returns a list of TPS profiles allowed for the current user
|
|
|
08c5c1 |
+ */
|
|
|
08c5c1 |
+ List<String> getAuthorizedProfiles()
|
|
|
08c5c1 |
+ throws Exception {
|
|
|
08c5c1 |
+ String method = "TokenService.getAuthorizedProfiles: ";
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ PKIPrincipal pkiPrincipal = (PKIPrincipal) servletRequest.getUserPrincipal();
|
|
|
08c5c1 |
+ IUser user = pkiPrincipal.getUser();
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ return user.getTpsProfiles();
|
|
|
08c5c1 |
+ }
|
|
|
08c5c1 |
+
|
|
|
08c5c1 |
+ /*
|
|
|
08c5c1 |
* Service can be any of the methods offered
|
|
|
08c5c1 |
*/
|
|
|
08c5c1 |
public void auditConfigTokenRecord(String status, String service, String tokenID, Map<String, String> params,
|
|
|
08c5c1 |
String info) {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ //CMS.debug("auditTokenStateChange1: ");
|
|
|
08c5c1 |
String msg = CMS.getLogMessage(
|
|
|
08c5c1 |
AuditEvent.CONFIG_TOKEN_RECORD,
|
|
|
08c5c1 |
servletRequest.getUserPrincipal().getName(),
|
|
|
08c5c1 |
@@ -850,6 +994,7 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
tokenID,
|
|
|
08c5c1 |
auditor.getParamString(params),
|
|
|
08c5c1 |
info);
|
|
|
08c5c1 |
+ //CMS.debug("auditConfigTokenRecord: " + msg);
|
|
|
08c5c1 |
signedAuditLogger.log(msg);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
|
|
|
08c5c1 |
@@ -859,16 +1004,18 @@ public class TokenService extends SubsystemService implements TokenResource {
|
|
|
08c5c1 |
public void auditTokenStateChange(String status, TokenStatus oldState, TokenStatus newState, String oldReason,
|
|
|
08c5c1 |
String newReason, Map<String, String> params, String info) {
|
|
|
08c5c1 |
|
|
|
08c5c1 |
+ //CMS.debug("auditTokenStateChange2: ");
|
|
|
08c5c1 |
String msg = CMS.getLogMessage(
|
|
|
08c5c1 |
AuditEvent.TOKEN_STATE_CHANGE,
|
|
|
08c5c1 |
servletRequest.getUserPrincipal().getName(),
|
|
|
08c5c1 |
status,
|
|
|
08c5c1 |
- oldState.toString(),
|
|
|
08c5c1 |
+ (oldState==null)? "":oldState.toString(),
|
|
|
08c5c1 |
oldReason,
|
|
|
08c5c1 |
- newState.toString(),
|
|
|
08c5c1 |
+ (newState==null)? "":newState.toString(),
|
|
|
08c5c1 |
newReason,
|
|
|
08c5c1 |
auditor.getParamString(params),
|
|
|
08c5c1 |
info);
|
|
|
08c5c1 |
+ //CMS.debug("auditTokenStateChange: " + msg);
|
|
|
08c5c1 |
signedAuditLogger.log(msg);
|
|
|
08c5c1 |
}
|
|
|
08c5c1 |
}
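Review bot: Replacing `oldState.toString()` with `(oldState==null)? "":oldState.toString()` keeps the audit call from failing when the lookup never produced a state, but it writes an empty field, so the signed audit trail can no longer distinguish "no prior state" from a blank value; `String.valueOf(oldState)` (which records `null`) or an explicit marker preserves that information. The spacing also departs from the file's style: `(oldState == null) ? "" : oldState.toString()`.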
|
|
|
08c5c1 |
--
|
|
|
08c5c1 |
1.8.3.1
|
|
|
08c5c1 |
|