[Pki-devel] [PATCH] 643 Fixed pkidbuser group memberships.

Endi Sukma Dewata edewata at redhat.com
Tue Sep 15 15:22:32 UTC 2015


On 9/11/2015 7:16 PM, Endi Sukma Dewata wrote:
> Due to a certificate mapping issue the subsystem certificate can
> be mapped into either the subsystem user or pkidbuser, which may
> cause problems since the users don't belong to the same groups.
> As a temporary solution the pkidbuser is now added into the same
> groups. This way the client subsystem can always access the
> services regardless of which user the certificate is actually
> mapped to.
>
> https://fedorahosted.org/pki/ticket/1595

Rebased for RHEL 7.2.

-- 
Endi S. Dewata
-------------- next part --------------
>From c267b17b97a3ac03f51f0074e8c0b1cf4388c68b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 11 Sep 2015 22:59:55 +0200
Subject: [PATCH] Fixed pkidbuser group memberships.

Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.

https://fedorahosted.org/pki/ticket/1595
---
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 88 +++++++++++++++-------
 1 file changed, 60 insertions(+), 28 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 708240b53baf6bd04e4f4651edaee3c695b9a896..d99929f20996f1aa7ddbf21d29dfe7b54905354d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -50,6 +50,7 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.StringTokenizer;
@@ -62,32 +63,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.xml.parsers.ParserConfigurationException;
 
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPDN;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv3;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS10;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.util.DerOutputStream;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.Extension;
-import netscape.security.x509.Extensions;
-import netscape.security.x509.KeyUsageExtension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509Key;
-
+import org.apache.commons.lang.StringUtils;
 import org.apache.velocity.context.Context;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NicknameConflictException;
@@ -180,6 +156,32 @@ import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 import com.netscape.cmsutil.xml.XMLObject;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv3;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.Extension;
+import netscape.security.x509.Extensions;
+import netscape.security.x509.KeyUsageExtension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509Key;
+
 /**
  * Utility class for functions to be used both by the RESTful installer
  * and the UI Panels.
@@ -3892,7 +3894,7 @@ public class ConfigurationUtils {
         String groupName = "Trusted Managers";
         IGroup group = system.getGroupFromName(groupName);
         if (!group.isMember(id)) {
-            CMS.debug("setupClientAuthUser: adding user to the trusted managers group.");
+            CMS.debug("setupClientAuthUser: adding user to the " + groupName + " group.");
             group.addMemberName(id);
             system.modifyGroup(group);
         }
@@ -4119,7 +4121,7 @@ public class ConfigurationUtils {
         user.setX509Certificates(certs);
 
         system.addUser(user);
-        CMS.debug("setupDBUser(): successfully added the user");
+        CMS.debug("setupDBUser(): successfully added " + DBUSER);
 
         system.addUserCert(user);
         CMS.debug("setupDBUser(): successfully add the user certificate");
@@ -4130,6 +4132,36 @@ public class ConfigurationUtils {
         // remove old db users
         CMS.debug("setupDBUser(): removing seeAlso from old dbusers");
         removeOldDBUsers(certs[0].getSubjectDN().toString());
+
+        // workaround for ticket #1595
+        IConfigStore cs = CMS.getConfigStore();
+        String csType = cs.getString("cs.type").toUpperCase();
+
+        Collection<String> groupNames = new ArrayList<String>();
+
+        if ("CA".equals(csType)) {
+            groupNames.add("Subsystem Group");
+            groupNames.add("Certificate Manager Agents");
+
+        } else if ("KRA".equals(csType)) {
+            groupNames.add("Data Recovery Manager Agents");
+            groupNames.add("Trusted Managers");
+
+        } else if ("OCSP".equals(csType)) {
+            groupNames.add("Trusted Managers");
+
+        } else if ("TKS".equals(csType)) {
+            groupNames.add("Token Key Service Manager Agents");
+        }
+
+        for (String groupName : groupNames) {
+            IGroup group = system.getGroupFromName(groupName);
+            if (!group.isMember(DBUSER)) {
+                CMS.debug("setupDBUser(): adding " + DBUSER + " to the " + groupName + " group.");
+                group.addMemberName(DBUSER);
+                system.modifyGroup(group);
+            }
+        }
     }
 
     public static void addProfilesToTPSUser(String adminID) throws EUsrGrpException, LDAPException {
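Review bot: The loop starting at `IGroup group = system.getGroupFromName(groupName);` dereferences the lookup result without a null check, so if any of the hard-coded group names does not exist on this instance (an upgraded or customised deployment, for example) setupDBUser would presumably fail with a NullPointerException after the user and its certificate have already been added; whether getGroupFromName can return null is not visible here, but the earlier setupClientAuthUser hunk has the same pattern, so a shared guard such as `if (group == null) { CMS.debug("setupDBUser(): group " + groupName + " not found, skipping"); continue; }` would keep the workaround best-effort. Since this block deliberately widens the privileges of DBUSER into agent-level groups, the one-line comment should say so and give the removal condition, e.g. `// workaround for ticket #1595: the subsystem cert may map to either the subsystem user or pkidbuser, so pkidbuser temporarily receives the same group memberships; remove once the certificate mapping is fixed`. As a minor point of style, `cs.getString("cs.type").toUpperCase()` should pass `Locale.ROOT` so the comparison does not depend on the default locale. The body of setupDBUser begins outside this hunk.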
-- 
2.4.3


