diff --git a/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
new file mode 100644
index 0000000..d340f51
--- /dev/null
+++ b/SOURCES/pki-core-rhel-7-9-rhcs-9-7-bu-21.patch
@@ -0,0 +1,48 @@
+From 428c189fa0560bf656b8ded272295d705f602093 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Thu, 19 Jan 2023 10:10:33 +0000
+Subject: [PATCH] Add authorization to limit setTokenStatus to allowed admins
+
+This patch adds authorization to limit setTokenStatus to admins
+allowed for the token type in question.
+If a token is not associated with a keyType/profile, then the admin
+must have the ALL_PROFILES prvilege.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153
+
+(cherry picked from commit d74ac7e6e8a2efbb7abe3b5c21637afdd084d245)
+---
+ .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+index d2a3444..5256a66 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+@@ -75,6 +75,23 @@ public class TokenService extends SubsystemService implements TokenResource {
+ public void setTokenStatus(TokenRecord tokenRecord, TokenStatus tokenState, String ipAddress, String remoteUser,
+ Map auditModParams)
+ throws Exception {
++ String method = "TPSService:setTokenStatus: ";
++ String msg = "";
++
++ List authorizedProfiles = getAuthorizedProfiles();
++ if (authorizedProfiles == null) {
++ msg = "authorizedProfiles null";
++ CMS.debug(method + msg);
++ throw new PKIException(method + msg);
++ }
++ String type = tokenRecord.getType();
++ // if token not associated with any keyType/profile, disallow access,
++ // unless the user has the "ALL_PROFILES" privilege
++ if (!authorizedProfiles.contains(UserResource.ALL_PROFILES)) {
++ if (((type == null) || type.isEmpty()) || !authorizedProfiles.contains(type))
++ throw new PKIException(method + "Token record restricted");
++ }
++
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+ 
IConfigStore config = CMS.getConfigStore(); + +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index a1cb8c2..d1f47c3 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -65,13 +65,13 @@ Name: pki-core %if 0%{?rhel} Version: 10.5.18 -%define redhat_release 24 +%define redhat_release 25 %define redhat_stage 0 #%define default_release %{redhat_release}.%{redhat_stage} %define default_release %{redhat_release} %else Version: 10.5.18 -%define fedora_release 24 +%define fedora_release 25 %define fedora_stage 0 #%define default_release %{fedora_release}.%{fedora_stage} %define default_release %{fedora_release} @@ -228,6 +228,7 @@ Patch19: pki-core-rhel-7-9-rhcs-9-7-bu-15.patch #Patch20: pki-core-rhel-7-9-rhcs-9-7-bu-17.patch Patch21: pki-core-rhel-7-9-rhcs-9-7-bu-18.patch Patch22: pki-core-rhel-7-9-rhcs-9-7-bu-19.patch +Patch23: pki-core-rhel-7-9-rhcs-9-7-bu-21.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -850,6 +851,7 @@ This package is a part of the PKI Core used by the Certificate System. #%patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 %clean %{__rm} -rf %{buildroot} 
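Review bot: In the embedded TokenService.java patch, the `Token record restricted` branch of setTokenStatus refuses the caller without writing any log line, whereas the `authorizedProfiles == null` branch at least calls `CMS.debug`; a refused token-status change is the event an operator reviewing access most needs to see. I would brace the inner `if` and log before the throw, for example `CMS.debug(method + "Token record restricted: user=" + remoteUser + " type=" + type);`. Since the method already receives `auditModParams`, `ipAddress` and `remoteUser`, a failure audit event presumably belongs here as well, unless the caller audits the exception (not visible in this hunk). Both refusals are raised as a plain `PKIException`, so a client probably cannot tell an authorization denial from a server fault; an exception type that maps to HTTP 403 would be clearer if the code base provides one. The body of setTokenStatus continues past the end of the hunk.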
@@ -1386,6 +1388,18 @@ fi %endif # %{with server} %changelog +* Fri Feb 10 2023 Dogtag Team 10.5.18-25 +- ########################################################################## +- # RHEL 7.9 (Batch Update 21): +- ########################################################################## +- Bugzilla Bug #2160355 - RA Separation by KeyType - Set Token Status + [RHCS 9.7 bu 21] (cfu, ckelley) +- ########################################################################## +- # RHCS 9.7 (Batch Update 21): +- ########################################################################## +- Bugzilla Bug #1774177 - Rebase redhat-pki, redhat-pki-theme, pki-core, and + pki-console to 10.5.18 in RHCS 9.7 (Batch Update 7) + * Wed Oct 26 2022 Dogtag Team 10.5.18-24 - ########################################################################## - # RHEL 7.9 (Batch Update 19):