[Pki-devel] [PATCH] 0057-Changes-to-use-standard-dbuser
Ade Lee
alee at redhat.com
Thu Sep 20 02:24:00 UTC 2012
Made changes as suggested on #irc.
Specifically ,
- use escapeFilter() instead of escapeDN()
- log if user is null
- rename addCert to delAttr
- throw exception if cannot get subsystem cert.
Acked by Jack and pushed to master.
On Wed, 2012-09-19 at 13:19 -0400, Ade Lee wrote:
> Changes to use standard dbuser
>
> We create a user that can be used to connect to the database using the
> subsystem cert for client auth. We identified this user, using the seeAlso
> attribute and provided certmap rules to this effect.
>
> For this user, we used to reuse the uid = user CA-hostname-port, which is already
> created for inter-system communication. But this is problematic if more than one
> dbuser exists, as the directory server may bind as the incorrect user. In any
> replication topology, there must be only one dbuser using the subsystem cert.
>
> To simplify things, we create a new user specifically for this purpose
> (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
>
> A script is needed to convert existing dogtag 9 istances to use the new user,
> and set the relevant acls. This will be done in a separate commit.
>
> Please review.
>
> Ade
>
> differences between files attachment
> (pki-vakwetu-0057-Changes-to-use-standard-dbuser.patch)
> >From a57a6e4a68e358fade3e1f217a5f5228004a1c77 Mon Sep 17 00:00:00 2001
> From: Ade Lee <alee at redhat.com>
> Date: Wed, 19 Sep 2012 12:37:41 -0400
> Subject: [PATCH] Changes to use standard dbuser
>
> We create a user that can be used to connect to the database using the
> subsystem cert for client auth. We identified this user, using the seeAlso
> attribute and provided certmap rules to this effect.
>
> For this user, we used to reuse the uid = user CA-hostname-port, which is already
> created for inter-system communication. But this is problematic if more than one
> dbuser exists, as the directory server may bind as the incorrect user. In any
> replication topology, there must be only one dbuser using the subsystem cert.
>
> To simplify things, we create a new user specifically for this purpose
> (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
>
> A script is needed to convert existing dogtag 9 istances to use the new user,
> and set the relevant acls. This will be done in a separate commit.
> ---
> .../com/netscape/certsrv/logging/AuditFormat.java | 2 +
> .../com/netscape/certsrv/usrgrp/IUGSubsystem.java | 8 ++++
> .../cms/servlet/csadmin/ConfigurationUtils.java | 52 +++++++++++++++++++---
> .../netscape/cms/servlet/csadmin/DonePanel.java | 12 +----
> .../cms/servlet/csadmin/SystemConfigService.java | 8 +---
> .../com/netscape/cmscore/logging/AuditFormat.java | 5 +++
> .../com/netscape/cmscore/usrgrp/UGSubsystem.java | 47 +++++++++++++++++++
> 7 files changed, 109 insertions(+), 25 deletions(-)
>
> diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> index 72980aa5ad04e3c92c64a2a055c40924723054fb..005043ada55174e231c9acf823fece15a6527314 100644
> --- a/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> +++ b/base/common/src/com/netscape/certsrv/logging/AuditFormat.java
> @@ -106,6 +106,8 @@ public class AuditFormat {
> "Admin UID: {0} removed User UID: {1} from group: {2}";
> public static final String ADDCERTSUBJECTDNFORMAT =
> "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
> + public static final String REMOVECERTSUBJECTDNFORMAT =
> + "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
>
> // LDAP publishing
> public static final String LDAP_PUBLISHED_FORMAT =
> diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> index eb7f84ebf4c02985c864e1c6855277f4939729bb..543b33c26bdc7863b714ffc57a229c17e766f4d4 100644
> --- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> +++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
> @@ -88,6 +88,14 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
> public void addCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
>
> /**
> + * Remove a certSubjectDN field from the user
> + * @param identity
> + * @throws EUsrGrpException
> + * @throws LDAPException
> + */
> + public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException;
> +
> + /**
> * Removes a user certificate for a user entry
> * given a user certificate DN (actually, a combination of version,
> * serialNumber, issuerDN, and SubjectDN), and it gets removed
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> index 6cd64f654348c0b80aa216c936e2149dc966590d..afeb4c1f6fb7cd922100d78dddfd8c14182aa7ef 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
> @@ -144,6 +144,7 @@ import com.netscape.certsrv.ocsp.IOCSPAuthority;
> import com.netscape.certsrv.system.InstallToken;
> import com.netscape.certsrv.system.InstallTokenRequest;
> import com.netscape.certsrv.system.SystemConfigClient;
> +import com.netscape.certsrv.usrgrp.EUsrGrpException;
> import com.netscape.certsrv.usrgrp.IGroup;
> import com.netscape.certsrv.usrgrp.IUGSubsystem;
> import com.netscape.certsrv.usrgrp.IUser;
> @@ -170,6 +171,7 @@ public class ConfigurationUtils {
> public static String AUTH_FAILURE = "2";
> public static final BigInteger BIG_ZERO = new BigInteger("0");
> public static final Long MINUS_ONE = Long.valueOf(-1);
> + public static final String DBUSER = "pkidbuser";
>
> public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
> IncorrectPasswordException {
> @@ -717,8 +719,6 @@ public class ConfigurationUtils {
> BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
> NoSuchItemOnTokenException, InvalidBERException, IOException {
> byte b[] = new byte[1000000];
> - IConfigStore cs = CMS.getConfigStore();
> - String instanceRoot = cs.getString("instanceRoot");
>
> FileInputStream fis = new FileInputStream(p12File);
> while (fis.available() > 0)
> @@ -1204,8 +1204,7 @@ public class ConfigurationUtils {
> String instanceId = cs.getString("instanceId");
> String cstype = cs.getString("cs.type");
>
> - String dbuser = "uid=" + LDAPUtil.escapeDN(cstype + "-" + cs.getString("machineName") + "-"
> - + cs.getString("service.securePort")) + ",ou=people," + baseDN;
> + String dbuser = "uid=" + DBUSER + ",ou= people," + baseDN;
>
> String configDir = instancePath + File.separator + cstype.toLowerCase() + File.separator + "conf";
>
> @@ -3389,19 +3388,28 @@ public class ConfigurationUtils {
> }
> }
>
> - public static void setupDBUser(String dbuser) throws CertificateException, LDAPException, EBaseException,
> + public static void setupDBUser() throws CertificateException, LDAPException, EBaseException,
> NotInitializedException, ObjectNotFoundException, TokenException, IOException {
> IUGSubsystem system =
> (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
>
> + try {
> + @SuppressWarnings("unused")
> + Enumeration<IUser> dbusers = system.findUsers(DBUSER);
> + CMS.debug("DB User already exists: " + DBUSER);
> + return;
> + } catch (EUsrGrpException e) {
> + CMS.debug("Creating DB User: " + DBUSER);
> + }
> +
> String b64 = getSubsystemCert();
> if (b64 == null) {
> CMS.debug("setupDBUser(): failed to fetch subsystem cert");
> return;
> }
>
> - IUser user = system.createUser(dbuser);
> - user.setFullName(dbuser);
> + IUser user = system.createUser(DBUSER);
> + user.setFullName(DBUSER);
> user.setEmail("");
> user.setPassword("");
> user.setUserType("agentType");
> @@ -3414,6 +3422,36 @@ public class ConfigurationUtils {
> CMS.debug("setupDBUser(): successfully added the user");
> system.addUserCert(user);
> CMS.debug("setupDBUser(): successfully add the user certificate");
> +
> + // set subject dn
> + system.addCertSubjectDN(user);
> +
> + // remove old db users
> + CMS.debug("Removing seeAlso from old dbusers");
> + removeOldDBUsers(certs[0].getSubjectDN().toString());
> + }
> +
> + public static void removeOldDBUsers(String subjectDN) throws EBaseException, LDAPException {
> + IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> + IConfigStore cs = CMS.getConfigStore();
> + String userbasedn = "ou=people, " + cs.getString("internaldb.basedn");
> + IConfigStore dbCfg = cs.getSubStore("internaldb");
> + ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory();
> + dbFactory.init(dbCfg);
> + LDAPConnection conn = dbFactory.getConn();
> +
> + String filter = "(&(seeAlso=" + LDAPUtil.escapeDN(subjectDN) + ")(!(uid=" + DBUSER + ")))";
> + String[] attrs = null;
> + LDAPSearchResults res = conn.search(userbasedn, LDAPConnection.SCOPE_SUB, filter,
> + attrs, false);
> + if (res != null) {
> + while (res.hasMoreElements()) {
> + String uid = (String) res.next().getAttribute("uid").getStringValues().nextElement();
> + IUser user = system.getUser(uid);
> + CMS.debug("removeOldDUsers: Removing seeAlso from " + uid);
> + system.removeCertSubjectDN(user);
> + }
> + }
> }
>
> public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> index e81afdd2f9068e27dd3c89d462e6c92805b6158e..197c16ad351c15b6bc00ec39dd21499ea293143a 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
> @@ -31,8 +31,6 @@ import com.netscape.certsrv.apps.CMS;
> import com.netscape.certsrv.base.IConfigStore;
> import com.netscape.certsrv.ocsp.IOCSPAuthority;
> import com.netscape.certsrv.property.PropertySet;
> -import com.netscape.certsrv.usrgrp.IUGSubsystem;
> -import com.netscape.certsrv.usrgrp.IUser;
> import com.netscape.cms.servlet.wizard.WizardServlet;
> import com.netscape.cmsutil.util.Utils;
>
> @@ -225,16 +223,8 @@ public class DonePanel extends WizardPanelBase {
> e.printStackTrace();
> }
>
> - String dbuser = null;
> try {
> - dbuser = cs.getString("cs.type") + "-" + cs.getString("machineName") + "-"
> - + cs.getString("service.securePort");
> - if (!sdtype.equals("new")) {
> - ConfigurationUtils.setupDBUser(dbuser);
> - }
> - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> - IUser user = system.getUser(dbuser);
> - system.addCertSubjectDN(user);
> + ConfigurationUtils.setupDBUser();
> } catch (Exception e) {
> e.printStackTrace();
> CMS.debug("DonePanel - update(): Unable to create or update dbuser" + e);
> diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> index 4ae9579f29479a2e01e2e14b386f14f8a0b80f7e..3bbe3ca8099f0e722271e9bf7ae21812bffb5404 100644
> --- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigService.java
> @@ -703,13 +703,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
> }
>
> try {
> - String dbuser = csType + "-" + CMS.getEEHost() + "-" + cs.getString("service.securePort");
> - if (! securityDomainType.equals(ConfigurationRequest.NEW_DOMAIN)) {
> - ConfigurationUtils.setupDBUser(dbuser);
> - }
> - IUGSubsystem system = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
> - IUser user = system.getUser(dbuser);
> - system.addCertSubjectDN(user);
> + ConfigurationUtils.setupDBUser();
> } catch (Exception e) {
> e.printStackTrace();
> throw new PKIException("Errors in creating or updating dbuser: " + e);
> diff --git a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> index 9ba62babbd6c401f90b461fccacda275b5e69da8..42c3b0d6f2ac2ea809f78d36b2f856dc3de3c10b 100644
> --- a/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> +++ b/base/common/src/com/netscape/cmscore/logging/AuditFormat.java
> @@ -108,4 +108,9 @@ public class AuditFormat {
> "Admin UID: {0} added User UID: {1} to group: {2}";
> public static final String REMOVEUSERGROUPFORMAT =
> "Admin UID: {0} removed User UID: {1} from group: {2}";
> + public static final String ADDCERTSUBJECTDNFORMAT =
> + "Admin UID: {0} added cert subject DN for User UID: {1}. cert DN: {2}";
> + public static final String REMOVECERTSUBJECTDNFORMAT =
> + "Admin UID: {0} removed cert subject DN for User UID: {1}. cert DN: {2}";
> +
> }
> diff --git a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> index 9e3dacb17a16f0d292476b351b9e2309cb184f1b..76132734d2f6604b8770c05a3473d7b0176d2738 100644
> --- a/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> +++ b/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
> @@ -820,6 +820,53 @@ public final class UGSubsystem implements IUGSubsystem {
> return;
> }
>
> + public void removeCertSubjectDN(IUser identity) throws EUsrGrpException, LDAPException {
> + User user = (User) identity;
> +
> + if (user == null) {
> + return;
> + }
> +
> + X509Certificate cert[] = null;
> + LDAPModificationSet addCert = new LDAPModificationSet();
> +
> + if ((cert = user.getX509Certificates()) != null) {
> + LDAPAttribute attrCertDNStr = new LDAPAttribute(LDAP_ATTR_CERTDN);
> + attrCertDNStr.addValue(cert[0].getSubjectDN().toString());
> + addCert.add(LDAPModification.DELETE, attrCertDNStr);
> +
> + LDAPConnection ldapconn = null;
> +
> + try {
> + ldapconn = getConn();
> + ldapconn.modify("uid=" + LDAPUtil.escapeDN(user.getUserID()) +
> + "," + getUserBaseDN(), addCert);
> + // for audit log
> + SessionContext sessionContext = SessionContext.getContext();
> + String adminId = (String) sessionContext.get(SessionContext.USER_ID);
> +
> + mLogger.log(ILogger.EV_AUDIT, ILogger.S_USRGRP,
> + AuditFormat.LEVEL, AuditFormat.REMOVECERTSUBJECTDNFORMAT,
> + new Object[] { adminId, user.getUserID(),
> + cert[0].getSubjectDN().toString() }
> + );
> +
> + } catch (LDAPException e) {
> + if (Debug.ON) {
> + e.printStackTrace();
> + }
> + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
> + throw e;
> + } catch (ELdapException e) {
> + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
> + } finally {
> + if (ldapconn != null)
> + returnConn(ldapconn);
> + }
> + }
> + return;
> + }
> +
> /**
> * Removes a user certificate for a user entry
> * given a user certificate DN (actually, a combination of version,
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list