[Pki-devel] [PATCH] 649 Refactored SecurityDomainProcessor.
Endi Sukma Dewata
edewata at redhat.com
Tue Oct 6 22:49:17 UTC 2015
The SecurityDomainProcessor.getEnterpriseGroupName() has been
added to simplify ConfigurationUtils.getGroupName().
The SecurityDomainProcessor.getInstallToken() has been modified
to validate the user role and the IP address, and to generate
safer session ID.
https://fedorahosted.org/pki/ticket/1633
--
Endi S. Dewata
-------------- next part --------------
From 12d25aa9ac0d9cf8ae97631f5060ab431580401b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 11 Sep 2015 22:54:56 +0200
Subject: [PATCH] Refactored SecurityDomainProcessor.
The SecurityDomainProcessor.getEnterpriseGroupName() has been
added to simplify ConfigurationUtils.getGroupName().
The SecurityDomainProcessor.getInstallToken() has been modified
to validate the user role and the IP address, and to generate
safer session ID.
https://fedorahosted.org/pki/ticket/1633
---
.../cms/servlet/csadmin/ConfigurationUtils.java | 18 -------
.../servlet/csadmin/SecurityDomainProcessor.java | 61 ++++++++++++----------
.../server/rest/SecurityDomainService.java | 16 ++++--
3 files changed, 46 insertions(+), 49 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 7b5bef567de773c0cd5b86ba6e36a1c16f444012..d3302949fe9145b2e3cab3f456a105537909fc66 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -441,24 +441,6 @@ public class ConfigurationUtils {
return null;
}
- public static String getGroupName(String uid, String subsystemname) {
- IUGSubsystem subsystem = (IUGSubsystem) (CMS.getSubsystem(IUGSubsystem.ID));
- if (subsystem.isMemberOf(uid, "Enterprise CA Administrators") && subsystemname.equals("CA")) {
- return "Enterprise CA Administrators";
- } else if (subsystem.isMemberOf(uid, "Enterprise KRA Administrators") && subsystemname.equals("KRA")) {
- return "Enterprise KRA Administrators";
- } else if (subsystem.isMemberOf(uid, "Enterprise OCSP Administrators") && subsystemname.equals("OCSP")) {
- return "Enterprise OCSP Administrators";
- } else if (subsystem.isMemberOf(uid, "Enterprise TKS Administrators") && subsystemname.equals("TKS")) {
- return "Enterprise TKS Administrators";
- } else if (subsystem.isMemberOf(uid, "Enterprise RA Administrators") && subsystemname.equals("RA")) {
- return "Enterprise RA Administrators";
- } else if (subsystem.isMemberOf(uid, "Enterprise TPS Administrators") && subsystemname.equals("TPS")) {
- return "Enterprise TPS Administrators";
- }
- return null;
- }
-
public static String getDomainXML(String hostname, int https_admin_port, boolean https)
throws IOException, SAXException, ParserConfigurationException {
CMS.debug("getDomainXML start");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index 08b11c605ad3feb2efb30d3b754bf4dacc19a950..b8c4288adbf28975f8ed8f48bbf65372696c3fbd 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -31,13 +31,6 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
@@ -55,9 +48,17 @@ import com.netscape.certsrv.system.DomainInfo;
import com.netscape.certsrv.system.InstallToken;
import com.netscape.certsrv.system.SecurityDomainHost;
import com.netscape.certsrv.system.SecurityDomainSubsystem;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
import com.netscape.cms.servlet.processors.CAProcessor;
import com.netscape.cmsutil.xml.XMLObject;
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+
/**
* @author Endi S. Dewata
*/
@@ -74,47 +75,51 @@ public class SecurityDomainProcessor extends CAProcessor {
super("securitydomain", locale);
}
+ public static String getEnterpriseGroupName(String subsystemname) {
+ return "Enterprise " + subsystemname + " Administrators";
+ }
+
public InstallToken getInstallToken(
String user,
- String hostname,
- String subsystem) throws EBaseException {
+ String host,
+ String subsystemName) throws Exception {
- String groupname = ConfigurationUtils.getGroupName(user, subsystem);
+ subsystemName = subsystemName.toUpperCase();
+ IUGSubsystem subsystem = (IUGSubsystem) CMS.getSubsystem(IUGSubsystem.ID);
- if (groupname == null) {
+ String groupName = getEnterpriseGroupName(subsystemName);
+ CMS.debug("SecurityDomainProcessor: group: " + groupName);
+
+ if (!subsystem.isMemberOf(user, groupName)) {
String message = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
user,
ILogger.FAILURE,
- "Enterprise " + subsystem + " Administrators");
+ groupName);
audit(message);
- throw new UnauthorizedException("Access denied.");
+ throw new UnauthorizedException("User " + user + " is not a member of " + groupName + " group.");
}
String message = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
user,
ILogger.SUCCESS,
- groupname);
+ groupName);
audit(message);
- String ip = "";
- try {
- ip = InetAddress.getByName(hostname).getHostAddress();
- } catch (Exception e) {
- CMS.debug("Unable to determine IP address for "+hostname);
- }
+ String ip = InetAddress.getByName(host).getHostAddress(); // throws exception on failure
- // assign cookie
- Long num = random.nextLong();
- String cookie = num.toString();
+ // generate random session ID
+ // use positive number to avoid CLI issues
+ Long num = Math.abs(random.nextLong());
+ String sessionID = num.toString();
- String auditParams = "operation;;issue_token+token;;" + cookie + "+ip;;" + ip +
- "+uid;;" + user + "+groupname;;" + groupname;
+ String auditParams = "operation;;issue_token+token;;" + sessionID + "+ip;;" + ip +
+ "+uid;;" + user + "+groupname;;" + groupName;
ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable();
- int status = ctable.addEntry(cookie, ip, user, groupname);
+ int status = ctable.addEntry(sessionID, ip, user, groupName);
if (status == ISecurityDomainSessionTable.SUCCESS) {
message = CMS.getLogMessage(
@@ -132,11 +137,11 @@ public class SecurityDomainProcessor extends CAProcessor {
auditParams);
audit(message);
- throw new PKIException("Failed to update security domain.");
+ throw new PKIException("Failed to create session.");
}
- return new InstallToken(cookie);
+ return new InstallToken(sessionID);
}
public DomainInfo getDomainInfo() throws EBaseException {
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
index 23c439c7e4b58b5582dd67d3581898b4b23daabe..3d708ebb6de32235e9fbaaf8a6e8e87635c131ce 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
@@ -24,7 +24,7 @@ import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
-import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.system.DomainInfo;
import com.netscape.certsrv.system.InstallToken;
@@ -51,6 +51,7 @@ public class SecurityDomainService extends PKIService implements SecurityDomainR
@Override
public Response getInstallToken(String hostname, String subsystem) {
+ CMS.debug("SecurityDomainService.getInstallToken(" + hostname + ", " + subsystem + ")");
try {
// Get uid from realm authentication.
String user = servletRequest.getUserPrincipal().getName();
@@ -59,8 +60,12 @@ public class SecurityDomainService extends PKIService implements SecurityDomainR
InstallToken installToken = processor.getInstallToken(user, hostname, subsystem);
return createOKResponse(installToken);
+ } catch (PKIException e) {
+ CMS.debug("SecurityDomainService: " + e);
+ throw e;
- } catch (EBaseException e) {
+ } catch (Exception e) {
+ CMS.debug(e);
throw new PKIException(e.getMessage(), e);
}
}
@@ -72,7 +77,12 @@ public class SecurityDomainService extends PKIService implements SecurityDomainR
DomainInfo domainInfo = processor.getDomainInfo();
return createOKResponse(domainInfo);
- } catch (EBaseException e) {
+ } catch (PKIException e) {
+ CMS.debug("SecurityDomainService: " + e);
+ throw e;
+
+ } catch (Exception e) {
+ CMS.debug(e);
throw new PKIException(e.getMessage(), e);
}
}
--
2.4.3
More information about the Pki-devel
mailing list