From 428c189fa0560bf656b8ded272295d705f602093 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Thu, 19 Jan 2023 10:10:33 +0000 Subject: [PATCH] Add authorization to limit setTokenStatus to allowed admins This patch adds authorization to limit setTokenStatus to admins allowed for the token type in question. If a token is not associated with a keyType/profile, then the admin must have the ALL_PROFILES prvilege. fixes https://bugzilla.redhat.com/show_bug.cgi?id=2106153 (cherry picked from commit d74ac7e6e8a2efbb7abe3b5c21637afdd084d245) --- .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java index d2a3444..5256a66 100644 --- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java +++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java @@ -75,6 +75,23 @@ public class TokenService extends SubsystemService implements TokenResource { public void setTokenStatus(TokenRecord tokenRecord, TokenStatus tokenState, String ipAddress, String remoteUser, Map auditModParams) throws Exception { + String method = "TPSService:setTokenStatus: "; + String msg = ""; + + List authorizedProfiles = getAuthorizedProfiles(); + if (authorizedProfiles == null) { + msg = "authorizedProfiles null"; + CMS.debug(method + msg); + throw new PKIException(method + msg); + } + String type = tokenRecord.getType(); + // if token not associated with any keyType/profile, disallow access, + // unless the user has the "ALL_PROFILES" privilege + if (!authorizedProfiles.contains(UserResource.ALL_PROFILES)) { + if (((type == null) || type.isEmpty()) || !authorizedProfiles.contains(type)) + throw new PKIException(method + "Token record restricted"); + } + TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); IConfigStore config = CMS.getConfigStore(); -- 1.8.3.1