[Pki-devel] [PATCH] 0157..0158 authToken-related refactors

Fraser Tweedale ftweedal at redhat.com
Tue Feb 7 02:04:55 UTC 2017


Please review attached patches; a couple of small refactors to ease
upcoming GSS-API work.

Thanks,
Fraser
-------------- next part --------------
From 71a94aba941b395a07a849eacb125b9657f70f59 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 7 Feb 2017 11:38:03 +1000
Subject: [PATCH 157/158] Define AgentCertAuthentication token keys in
 IAuthToken

Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../com/netscape/certsrv/authentication/IAuthToken.java |  3 +++
 .../cms/authentication/AgentCertAuthentication.java     | 17 +++++------------
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
index a3f240e9c35987462eb2f176de650a769df1005c..59c6af20c32e2ae7b94fb80208539c01303a9fcd 100644
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
@@ -37,8 +37,11 @@ public interface IAuthToken {
     /**
      * Constant for userid.
      */
+    public static final String USER = "user";
+    public static final String USER_DN = "userdn";
     public static final String USER_ID = "userid";
     public static final String UID = "uid";
+    public static final String GROUP = "group";
     public static final String GROUPS = "groups";
 
     /* Subject name of the certificate in the authenticating entry */
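Review bot: the new USER and USER_DN constants are inserted between the existing Javadoc "Constant for userid." and USER_ID, so that comment now attaches to USER and the three added keys have no description of their own. Move the additions below USER_ID or give each constant its own comment. With GROUP ("group") sitting directly above GROUPS ("groups"), a line saying which of the two holds the single group name set by AgentCertAuthentication would prevent mix-ups.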
diff --git a/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
index c65dd397148c989fd9aa4d0e1e4ae7faf735342d..b7fafc895781e4bc950fa60b03444a6ad33248c7 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/AgentCertAuthentication.java
@@ -57,13 +57,6 @@ import com.netscape.certsrv.usrgrp.IUser;
 public class AgentCertAuthentication implements IAuthManager,
         IProfileAuthenticator {
 
-    /* result auth token attributes */
-    public static final String TOKEN_USERDN = "user";
-    public static final String TOKEN_USER_DN = "userdn";
-    public static final String TOKEN_USERID = "userid";
-    public static final String TOKEN_UID = "uid";
-    public static final String TOKEN_GROUP = "group";
-
     /* required credentials */
     public static final String CRED_CERT = IAuthManager.CRED_SSL_CLIENT_CERT;
     protected String[] mRequiredCreds = { CRED_CERT };
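Review bot: the five TOKEN_* constants removed at the top of the class were public, so any code outside this class that still references AgentCertAuthentication.TOKEN_USERDN, TOKEN_GROUP and the others will stop compiling. Either confirm that no users remain in the tree, or keep them for a release as @Deprecated aliases of the IAuthToken constants.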
@@ -225,11 +218,11 @@ public class AgentCertAuthentication implements IAuthManager,
                 throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR"));
             }
         }
-        authToken.set(TOKEN_USERDN, user.getUserDN());
-        authToken.set(TOKEN_USER_DN, user.getUserDN());
-        authToken.set(TOKEN_USERID, user.getUserID());
-        authToken.set(TOKEN_UID, user.getUserID());
-        authToken.set(TOKEN_GROUP, groupname);
+        authToken.set(IAuthToken.USER, user.getUserDN());
+        authToken.set(IAuthToken.USER_DN, user.getUserDN());
+        authToken.set(IAuthToken.USER_ID, user.getUserID());
+        authToken.set(IAuthToken.UID, user.getUserID());
+        authToken.set(IAuthToken.GROUP, groupname);
         authToken.set(CRED_CERT, certs);
 
         CMS.debug("AgentCertAuthentication: authenticated " + user.getUserDN());
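Review bot: IAuthToken.USER and IAuthToken.USER_DN are both set to user.getUserDN() in the first two added lines, so the key "user" carries a DN; the old name TOKEN_USERDN hinted at that and the new name USER does not. A short comment at these set() calls, or on the constant itself, stating that "user" holds the DN would keep a consumer from treating it as a user ID.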
-- 
2.9.3

-------------- next part --------------
From 04df8149e4caea2ace84e81b5b166be637f0b00d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 7 Feb 2017 11:47:54 +1000
Subject: [PATCH 158/158] CertProcessor: extract method setAuthTokenIntoRequest

The "set auth token into request" logic is extensive and warrants
extraction.  It also has a separate concern mixed in with it: the
self-assignment of the request if the authenticated user is a
"Registration Manager Agent".

Separate these concerns and extract the setAuthTokenIntoRequest
method.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../netscape/cms/servlet/cert/CertProcessor.java   | 68 +++++++++++-----------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 026f4d4af5c2316ae8a93b2ecc62bc398d3b8b71..47b522208af05486a22abdd6196d8385dd615857 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -116,6 +116,30 @@ public class CertProcessor extends CAProcessor {
         }
     }
 
+    private static void setAuthTokenIntoRequest(
+            IRequest req, IAuthToken authToken) {
+        Enumeration<String> tokenNames = authToken.getElements();
+        while (tokenNames.hasMoreElements()) {
+            String tokenName = tokenNames.nextElement();
+            String[] tokenVals = authToken.getInStringArray(tokenName);
+            if (tokenVals != null) {
+                for (int i = 0; i < tokenVals.length; i++) {
+                    req.setExtData(
+                        IRequest.AUTH_TOKEN_PREFIX
+                            + "." + tokenName + "[" + i + "]"
+                        , tokenVals[i]);
+                }
+            } else {
+                String tokenVal = authToken.getInString(tokenName);
+                if (tokenVal != null) {
+                    req.setExtData(
+                        IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,
+                        tokenVal);
+                }
+            }
+        }
+    }
+
     /*
      * fill input info from orig request to the renew request.
      * This is expected to be used by renewal where the request
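Review bot: setAuthTokenIntoRequest has no doc comment, and the last hunk of this patch drops the only description the logic had ("serial auth token into request"). Add a short Javadoc giving the ext-data key layout, IRequest.AUTH_TOKEN_PREFIX + "." + tokenName with an "[i]" suffix for array values, and noting that every element returned by authToken.getElements() is copied into the request. As a style point, the leading comma before tokenVals[i] could move to the end of the previous line to match the non-array call below it.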
@@ -289,9 +313,6 @@ public class CertProcessor extends CAProcessor {
             IProfile profile, IProfileContext ctx, IProfileAuthenticator authenticator, IAuthToken authToken,
             IRequest[] reqs) throws EBaseException {
         for (IRequest req : reqs) {
-            boolean fromRA = false;
-            String uid = "";
-
             // adding parameters to request
             if (isRenewal) {
                 setInputsIntoRequest(origReq, profile, req, locale);
@@ -302,39 +323,18 @@ public class CertProcessor extends CAProcessor {
                 setInputsIntoRequest(data, profile, req);
             }
 
-            // serial auth token into request
             if (authToken != null) {
-                Enumeration<String> tokenNames = authToken.getElements();
-                while (tokenNames.hasMoreElements()) {
-                    String tokenName = tokenNames.nextElement();
-                    String[] tokenVals = authToken.getInStringArray(tokenName);
-                    if (tokenVals != null) {
-                        for (int i = 0; i < tokenVals.length; i++) {
-                            req.setExtData(
-                                IRequest.AUTH_TOKEN_PREFIX
-                                    + "." + tokenName + "[" + i + "]"
-                                , tokenVals[i]);
-                        }
-                    } else {
-                        String tokenVal = authToken.getInString(tokenName);
-                        if (tokenVal != null) {
-                            req.setExtData(
-                                IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,
-                                tokenVal);
-                            // if RA agent, auto assign the request
-                            if (tokenName.equals("uid"))
-                                uid = tokenVal;
-                            if (tokenName.equals("group") && tokenVal.equals("Registration Manager Agents")) {
-                                fromRA = true;
-                            }
-                        }
-                    }
-                }
-            }
+                setAuthTokenIntoRequest(req, authToken);
 
-            if (fromRA) {
-                CMS.debug("CertProcessor: request from RA: " + uid);
-                req.setExtData(ARG_REQUEST_OWNER, uid);
+                // if RA agent, auto-assign the request
+                String raGroupName = "Registration Manager Agents";
+                if (raGroupName.equals(authToken.getInString(IAuthToken.GROUP))) {
+                    String uid = authToken.getInString(IAuthToken.UID);
+                    if (uid == null)
+                        uid = "";
+                    CMS.debug("CertProcessor: request from RA: " + uid);
+                    req.setExtData(ARG_REQUEST_OWNER, uid);
+                }
             }
 
             // put profile framework parameters into the request
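Review bot: please confirm that the new check, raGroupName.equals(authToken.getInString(IAuthToken.GROUP)), makes the same decision as the removed loop, which only compared the "group" value in the branch where authToken.getInStringArray(tokenName) returned null. Whether getInString and getInStringArray agree for that key is not visible in this patch, and the result decides whether ARG_REQUEST_OWNER is set, so a unit test covering both storage forms would be worthwhile. Two smaller points in the same block: a token in the RA group with no "uid" still sets the request owner to the empty string (as the old code did), which probably deserves at least a debug message, and the "Registration Manager Agents" literal would be better as a named constant than a local variable.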
-- 
2.9.3


