Re: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0

Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote:
> The attached patch moves some string constants from AuthToken to
> IAuthToken.  External authentication support will bring a new
> implementation of IAuthToken so moving these to the interface
> simplifies things.
> 
> Thanks,
> Fraser

> From 8118f83cc7691e48c63111a050540c9180fd29e5 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Tue, 29 Nov 2016 16:10:58 +1000
> Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../netscape/certsrv/authentication/AuthToken.java | 34 
> --
>  .../certsrv/authentication/IAuthToken.java | 34 
> ++
>  2 files changed, 34 insertions(+), 34 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java 
> b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> index 
> 0febf87727d2ebde9dbcacbd5059f9b9afa13701..53959b131f2d9a99e6b9b65640f8546e84468c66
>  100644
> --- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> +++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
> @@ -51,40 +51,6 @@ import com.netscape.certsrv.usrgrp.Certificates;
>  public class AuthToken implements IAuthToken {
>  protected Hashtable mAttrs = null;
>  
> -/* Subject name of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
> -
> -/* NotBefore value of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
> -
> -/* NotAfter value of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
> -
> -/* Cert Extentions value of the certificate in the authenticating entry 
> */
> -public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
> -
> -/* Serial number of the certificate in the authenticating entry */
> -public static final String TOKEN_CERT_SERIALNUM = "certSerial";
> -
> -/**
> - * Certificate to be renewed
> - */
> -public static final String TOKEN_CERT = "tokenCert";
> -
> -/* Certificate to be revoked */
> -public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
> -
> -/**
> - * Name of the authentication manager that created the AuthToken
> - * as a string.
> - */
> -public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
> -
> -/**
> - * Time of authentication as a java.util.Date
> - */
> -public static final String TOKEN_AUTHTIME = "authTime";
> -
>  /**
>   * Constructs an instance of a authentication token.
>   * The token by default contains the following attributes: 
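Review bot: the relocated comment `/* Cert Extentions value of the certificate in the authenticating entry */` carries a typo (Extentions); since the block is being moved anyway, spell it Extensions in the IAuthToken copy. The removal itself is source-compatible: AuthToken implements IAuthToken, and a class inherits the interface's static fields, so existing references such as `AuthToken.TOKEN_CERT_SUBJECT` keep compiling.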
> diff --git 
> a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java 
> b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> index 
> a71432446edcf6b5d838f1115df16b26acd01dce..a3f240e9c35987462eb2f176de650a769df1005c
>  100644
> --- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> +++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
> @@ -41,6 +41,40 @@ public interface IAuthToken {
>  public static final String UID = "uid";
>  public static final String GROUPS = "groups";
>  
> +/* Subject name of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
> +
> +/* NotBefore value of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
> +
> +/* NotAfter value of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter";
> +
> +/* Cert Extentions value of the certificate in the authenticating entry 
> */
> +public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts";
> +
> +/* Serial number of the certificate in the authenticating entry */
> +public static final String TOKEN_CERT_SERIALNUM = "certSerial";
> +
> +/**
> + * Certificate to be renewed
> + */
> +public static final String TOKEN_CERT = "tokenCert";
> +
> +/* Certificate to be revoked */
> +public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
> +
> +/**
> + * Name of the authentication manager that created the AuthToken
> + * as a string.
> + */
> +public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName";
> +
> +/**
> + * Time of authentication as a java.util.Date
> + */
> +public static final String TOKEN_AUTHTIME = "authTime";
> +
>
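Review bot: fields declared in an interface are implicitly `public static final`, so the modifiers on the relocated constants are redundant; they do match the existing `UID` and `GROUPS` declarations directly above, so either keep them for consistency or drop them across the whole interface in one pass rather than only on the new lines. Also note that `TOKEN_CERT_SERIALNUM = "certSerial"` is the one key that does not follow the `tokenCert*` naming of its neighbours; a one-line comment saying the value is kept as-is would save the next reader from "fixing" it.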

Re: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41

Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76)

On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote:
> The attached patch merges some duplicate authz manager code into the
> existing AAclAuthz superclass.
> 
> It simplifies things if we end up adding a new authz manager as part
> of external authentication / GSS-API support.  But it's a nice
> refactor to do anyway :)
> 
> Thanks,
> Fraser

> From afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Fri, 25 Nov 2016 14:29:40 +1000
> Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass
> 
> DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
> still a lot of duplicate code.  Push the duplicated bits up into the
> AAclAuthz.
> 
> Also remove abstract method flushResourceACLs() from AAclAuthz, and
> its implementation from BasicAclAuthz, because it is only
> implemented (meaningfully) by DirAclAuthz.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../com/netscape/cms/authorization/AAclAuthz.java  |  93 ++---
>  .../netscape/cms/authorization/BasicAclAuthz.java  | 144 
> +
>  .../netscape/cms/authorization/DirAclAuthz.java| 105 +--
>  3 files changed, 78 insertions(+), 264 deletions(-)
> 
> diff --git 
> a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
> b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> index 
> b3e447cfca49951fe78f6b4896652921ffc43406..f95c98174a06dba9ebf3e43238e566be2e6b5594
>  100644
> --- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> +++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> @@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL;
>  import com.netscape.certsrv.apps.CMS;
>  import com.netscape.certsrv.authentication.IAuthToken;
>  import com.netscape.certsrv.authorization.AuthzToken;
> +import com.netscape.certsrv.authorization.EAuthzAccessDenied;
> +import com.netscape.certsrv.authorization.EAuthzInternalError;
> +import com.netscape.certsrv.authorization.IAuthzManager;
>  import com.netscape.certsrv.base.EBaseException;
>  import com.netscape.certsrv.base.IConfigStore;
>  import com.netscape.certsrv.evaluators.IAccessEvaluator;
> @@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils;
>   * @version $Revision$, $Date$
>   * @see  HREF="http://developer.netscape.com/library/documentation/enterprise/admnunix/aclfiles.htm";>ACL
>  Files
>   */
> -public abstract class AAclAuthz {
> +public abstract class AAclAuthz implements IAuthzManager {
>  
>  protected static final String PROP_CLASS = "class";
>  protected static final String PROP_IMPL = "impl";
> @@ -69,6 +72,12 @@ public abstract class AAclAuthz {
>  
>  protected static final String ACLS_ATTR = "aclResources";
>  
> +/* name of this authorization manager instance */
> +private String mName = null;
> +
> +/* name of the authorization manager plugin */
> +private String mImplName = null;
> +
>  private IConfigStore mConfig = null;
>  
>  private Hashtable mACLs = new Hashtable();
> @@ -93,14 +102,14 @@ public abstract class AAclAuthz {
>  /**
>   * Initializes
>   */
> -protected void init(IConfigStore config)
> +public void init(String name, String implName, IConfigStore config)
>  throws EBaseException {
> -
> +mName = name;
> +mImplName = implName;
> +mConfig = config;
>  mLogger = CMS.getLogger();
>  CMS.debug("AAclAuthz: init begins");
>  
> -mConfig = config;
> -
>  // load access evaluators specified in the config file
>  IConfigStore mainConfig = CMS.getConfigStore();
>  IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL);
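Review bot: the signature changes from `protected void init(IConfigStore)` to `public void init(String name, String implName, IConfigStore config)`. A subclass that still declares `init(IConfigStore config)` would now compile as an unrelated overload rather than an override, so confirm that DirAclAuthz and BasicAclAuthz (both touched per the diffstat) call `super.init(name, implName, config)` and mark their methods `@Override`, which turns a stale signature into a compile error instead of a silent no-op.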
> @@ -144,6 +153,20 @@ public abstract class AAclAuthz {
>  }
>  
>  /**
> + * gets the name of this authorization manager instance
> + */
> +public String getName() {
> +return mName;
> +}
> +
> +/**
> + * gets the plugin name of this authorization manager.
> + */
> +public String getImplName() {
> +return mImplName;
> +}
> +
> +/**
>   * Parse ACL resource attributes, then update the ACLs memory store
>   * This is intended to be used if storing ACLs on ldap is not desired,
>   * and the caller is expected to call this method to add resource
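Review bot: `getName()` and `getImplName()` implement IAuthzManager methods, so annotate them `@Override`; and capitalise the Javadoc ("Gets the name ...") to match the `Initializes` comment style already used on `init` in this file.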
> @@ -818,7 +841,7 @@ public abstract class AAclAuthz {
>  }
>  }
>  
> -private void log(int level, String msg) {
> +protected void log(int level, String msg) {
>  if (mLogger == null)
>  return;
>  mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION,
> @@ -830,24 +853,58 @@ public abstract class AAclAuthz {
>   **/
>  
>  /**
> - * update

Re: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec

Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote:
> With current ACL parsing, if you have a ':' in a group name (as
> occurs with FreeIPA permissions, which matter for upcoming external
> principal support) you are stuffed.  This commit fixes that.
> 
> It is really a band aid - the existing parsing code is poor and
> should be replaced with a nice combinatorial parser... but who has
> the time for that right now? ¯\_(ツ)_/¯
> 
> Note that if there is a ':' in any of the ACL descriptions/comments
> (the final field) this change breaks it.  We don't have any
> occurrences of that in our codebase.
> 
> Thanks,
> Fraser

> From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Fri, 25 Nov 2016 18:04:22 +1000
> Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions
> 
> Currently if ':' appears in an ACL expression (e.g. a group name, as
> occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
> 
> Look backwards from end of string for the final ':', so that the ACL
> parses correctly.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
> b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> index 
> e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9
>  100644
> --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> @@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
>  
>  acl = new ACL(resource, rights, resACLs);
>  
> +// search *backwards* for final instance of ':', to handle case
> +// where acl expressions contain colon, e.g. in a group name.
>  String stx = st.substring(idx2 + 1);
> -int idx3 = stx.indexOf(":");
> +int idx3 = stx.lastIndexOf(":");
>  String aclStr = stx.substring(0, idx3);
>  
>  // getting list of acl entries
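Review bot: `lastIndexOf(":")` trades one failure mode for another: an ACL whose description (the final field) itself contains ':' now has part of the description parsed into `aclStr`, as the cover note acknowledges. Separately, if `stx` contains no ':' at all, `idx3` is -1 and `stx.substring(0, idx3)` throws StringIndexOutOfBoundsException without naming the offending ACL; that predates this patch, but a `if (idx3 < 0)` guard that logs `st` would make a malformed ACL diagnosable. Since the motivating colons sit inside a quoted group name, scanning for the first ':' outside double quotes would handle both the group-name and the description case.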
> -- 
> 2.7.4
> 

> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

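The parsing step from the hunk above, re-implemented in Python as an added example; this is not code from the Dogtag PKI project, whose Java in CMSEngine is only what the hunk shows. The four-field layout `resource:rights:expressions:description` is inferred from the three index lookups in the hunk, and all ACL strings below are constructed, including the FreeIPA-style group name containing ':'. Beyond the before (first ':') and after (last ':') behaviours, it adds a quote-aware split, which the patch does not do, to show how both the group-name case and the description case could be handled together.

```python
"""Splitting a Dogtag-style ACL resource string into its four fields.

Added example: shows why indexOf(":") (before the patch) mis-parses a quoted
group name containing ':', why lastIndexOf(":") (after the patch) mis-parses a
description containing ':', and how a quote-aware scan handles both.
"""
from typing import List, NamedTuple


class AclRecord(NamedTuple):
    resource: str
    rights: List[str]
    expressions: str    # the raw allow/deny expression text
    description: str    # free-text comment, the final field


def _separator_index(rest: str, strategy: str) -> int:
    """Index of the ':' that ends the expression field, or -1 if absent.

    rest is everything after the second ':' of the ACL line.
    """
    if strategy == "first":        # pre-patch CMSEngine: stx.indexOf(":")
        return rest.find(":")
    if strategy == "last":         # patched CMSEngine: stx.lastIndexOf(":")
        return rest.rfind(":")
    if strategy == "quote_aware":  # not in the patch: first ':' outside "..."
        in_quotes = False
        for i, ch in enumerate(rest):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch == ":" and not in_quotes:
                return i
        return -1
    raise ValueError(f"unknown strategy: {strategy!r}")


def parse_acl(line: str, strategy: str = "last") -> AclRecord:
    """Parse 'resource:rights:expressions:description' (layout assumed from the hunk)."""
    idx1 = line.find(":")
    idx2 = line.find(":", idx1 + 1) if idx1 >= 0 else -1
    if idx2 < 0:
        raise ValueError(f"malformed ACL, expected resource:rights:...: {line!r}")
    resource = line[:idx1]
    rights = line[idx1 + 1:idx2].split(",")
    rest = line[idx2 + 1:]
    idx3 = _separator_index(rest, strategy)
    if idx3 < 0:
        # The Java code would reach substring(0, -1) here and throw
        # StringIndexOutOfBoundsException without naming the bad ACL.
        raise ValueError(f"malformed ACL, no expression/description separator: {line!r}")
    return AclRecord(resource, rights, rest[:idx3], rest[idx3 + 1:])


# Constructed sample ACL strings; not taken from any real CS.cfg.
PLAIN_ACL = (
    'certServer.ca.certificate:import,read:'
    'allow (import,read) group="Certificate Manager Agents":'
    'Certificate Manager Agents may import and read certificates'
)
# FreeIPA-style group name with a colon (the case the patch fixes).
COLON_IN_GROUP_ACL = (
    'certServer.ca.certrequests:list:'
    'allow (list) group="System: Manage CA Requests":'
    'Holders of the IPA permission may list requests'
)
# Colon in the description (the case the cover note says the patch breaks).
COLON_IN_DESCRIPTION_ACL = (
    'certServer.ca.profiles:read:'
    'allow (read) group="Certificate Manager Agents":'
    'Note: agents get read-only access to profiles'
)


if __name__ == "__main__":
    for name, acl in [("plain", PLAIN_ACL),
                      ("colon in group", COLON_IN_GROUP_ACL),
                      ("colon in description", COLON_IN_DESCRIPTION_ACL)]:
        for strategy in ("first", "last", "quote_aware"):
            rec = parse_acl(acl, strategy)
            print(f"{name:22} {strategy:12} expr={rec.expressions!r}")
```

Running the module prints the expression field each strategy produces for the three inputs; only the quote-aware scan yields the intended expression for both colon cases, and it still depends on the colon in the group name being inside the quotes, which is how `group="..."` expressions are written.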

Re: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277

Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4).

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote:
> This patch renames (a better name) and moves to the IAuthzSubsystem
> interface a method in AuthzSubsystem that may be useful for doing
> authorisation checks for external principals.
> 
> Thanks,
> Fraser

> From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Fri, 25 Nov 2016 21:08:56 +1000
> Subject: [PATCH 141/141] Add getAuthzManagerNameByRealm to IAuthzSubsystem
> 
> The getAuthzManagerByRealm public method is defined in
> AuthzSubsystem but to support external principals we want to make
> this part of the IAuthzSubsystem interface, so other classes (e.g.
> ACLInterceptor) can use it.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  .../netscape/certsrv/authorization/IAuthzSubsystem.java  |  9 +
>  .../netscape/cmscore/authorization/AuthzSubsystem.java   | 16 
> +---
>  2 files changed, 18 insertions(+), 7 deletions(-)
> 
> diff --git 
> a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java 
> b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> index 
> c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8..6fcf8e7b03eb596bb7914912474eeb3c298b6da1
>  100644
> --- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> +++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> @@ -21,6 +21,7 @@ import java.util.Enumeration;
>  import java.util.Hashtable;
>  
>  import com.netscape.certsrv.authentication.IAuthToken;
> +import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
>  import com.netscape.certsrv.base.EBaseException;
>  import com.netscape.certsrv.base.ISubsystem;
>  
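Review bot: the added `import com.netscape.certsrv.authorization.EAuthzUnknownRealm;` is redundant; IAuthzSubsystem lives in `com.netscape.certsrv.authorization` (see the file path), so the class is already visible without an import. Drop it to avoid a same-package import warning.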
> @@ -181,4 +182,12 @@ public interface IAuthzSubsystem extends ISubsystem {
>   * @return an authorization manager interface
>   */
>  public IAuthzManager get(String name);
> +
> +/**
> + * Given a realm name, return the name of an authz manager for that 
> realm.
> + *
> + * @throws EAuthzUnknownRealm if no authz manager is found.
> + */
> +public String getAuthzManagerNameByRealm(String realm)
> +throws EAuthzUnknownRealm;
>  }
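Review bot: the Javadoc on `getAuthzManagerNameByRealm` documents `@throws` but has no `@param realm` or `@return`. Since this is now the interface other classes (ACLInterceptor, per the commit message) will code against, state that `realm` is matched against each manager's comma-separated realm config and what is returned when more than one manager declares the same realm, because the implementation iterates a Map with no defined order.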
> diff --git 
> a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
>  
> b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> index 
> 31d5e71b4bdd672fa3eae3108824480d87eafdf3..67d12bdff2e716bcea4034726d189a23c6f50796
>  100644
> --- 
> a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> +++ 
> b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
> @@ -495,10 +495,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  // if record owner == requester, SUCCESS
>  if ((owner != null) && 
> owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
>  
> -String mgrName = getAuthzManagerByRealm(realm);
> -if (mgrName == null) {
> -throw new EAuthzUnknownRealm("Realm not found");
> -}
> +String mgrName = getAuthzManagerNameByRealm(realm);
>  
>  AuthzToken authzToken = authorize(mgrName, authToken, resource, 
> operation, realm);
>  if (authzToken == null) {
> @@ -506,12 +503,17 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  }
>  }
>  
> -public String getAuthzManagerByRealm(String realm) throws EBaseException 
> {
> +public String getAuthzManagerNameByRealm(String realm) throws 
> EAuthzUnknownRealm {
>  for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
>  IAuthzManager mgr = proxy.getAuthzManager();
>  if (mgr != null) {
>  IConfigStore cfg = mgr.getConfigStore();
> -String mgrRealmString = cfg.getString(PROP_REALM, null);
> +String mgrRealmString = null;
> +try {
> +mgrRealmString = cfg.getString(PROP_REALM, null);
> +} catch (EBaseException e) {
> +// never mind
> +}
>  if (mgrRealmString == null) continue;
>  
>  List mgrRealms = 
> Arrays.asList(mgrRealmString.split(","));
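Review bot: `catch (EBaseException e) { // never mind }` silently swallows a failure to read `PROP_REALM` from a manager's config store, so a misconfigured manager simply drops out of realm resolution and the caller sees only "Realm not found". Log it, at least via `CMS.debug(...)` including the manager's name, before the `continue`, so the root cause can be found from the debug log.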
> @@ -521,7 +523,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
>  }
>  }
>  }
> -return null;
> +throw new EAuthzUnknownRealm("Realm not found");
>  }
>  
>  }
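Review bot: include the requested realm in the message, e.g. `throw new EAuthzUnknownRealm("Realm not found: " + realm);`. The same generic string was thrown from the removed call site in `checkRealm`, and without the realm an operator cannot tell which lookup failed. Since the method previously returned null, also confirm no other caller still null-checks the result.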
> -- 
> 2.7.4
> 



Re: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants

2016-12-11 Thread Fraser Tweedale
Acked by alee:

- https://github.com/frasertweedale/pki/commit/9826013dfcab72481f3ad6462e1d2c4692367a02
- https://github.com/frasertweedale/pki/commit/59071b422637e6e99dd956eed12c5c26e19c3ffc
- https://github.com/frasertweedale/pki/commit/7f1f4a2504280a5b8504b4db5df40eac122c280f

Pushed to master:

- 9c23b02b00b13a834b636e9266ee1ae80506f228 Define "req_authority_id" IRequest extdata key in IRequest
- a1b56be53d37561c6e80c2aa7daf1e7ab07518c5 Define "profileId" IRequest extdata key in one place
- d699d27c7d7a59cf613380ec2214333ecc96ec23 Define "auth_token" IRequest extdata key prefix in one place

Thanks,
Fraser

On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote:
> The attached patches relocate / redefine some constants that are
> used as keys when setting or getting IRequest extdata attributes.
> 
> In some cases this removes duplicate constants or string literals.
> In other cases it actually defines a new constant.
> In all cases the key now uses a constant defined in IRequest, which
> is the appropriate place.
> 
> This is refactoring work undertaken as part of GSSAPI support.
> 
> Thanks,
> Fraser

> From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Wed, 7 Dec 2016 12:25:01 +1000
> Subject: [PATCH 144/146] Define "auth_token" IRequest extdata key prefix in
>  one place
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  base/common/src/com/netscape/certsrv/request/IRequest.java   |  4 
>  .../cms/src/com/netscape/cms/servlet/cert/CertProcessor.java |  9 +++--
>  .../src/com/netscape/cms/servlet/processors/CAProcessor.java |  1 -
>  .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 12 
> +++-
>  4 files changed, 18 insertions(+), 8 deletions(-)
> 
> diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java 
> b/base/common/src/com/netscape/certsrv/request/IRequest.java
> index 
> c892dbb1dc5d75d4b44e4e26b584f94717b2457c..f17f560de75e54cb7650ee06d870f3d1491e52ac
>  100644
> --- a/base/common/src/com/netscape/certsrv/request/IRequest.java
> +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
> @@ -85,6 +85,10 @@ public interface IRequest extends Serializable {
>  // server attributes: attributes generated by server modules.
>  public static final String SERVER_ATTRS = "SERVER_ATTRS";
>  
> +// Sometimes individual IAuthToken fields get set in request
> +// extdata, with key ("auth_token." + field_name).
> +public static final String AUTH_TOKEN_PREFIX = "auth_token";
> +
>  public static final String RESULT = "Result"; // service result.
>  public static final Integer RES_SUCCESS = Integer.valueOf(1); // result 
> value
>  public static final Integer RES_ERROR = Integer.valueOf(2); // result 
> value
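Review bot: the comment describes the key as `"auth_token." + field_name`, but `AUTH_TOKEN_PREFIX` is `"auth_token"` without the dot, so every caller has to remember to append `"."` itself (as CertProcessor does below). Either say so explicitly in the comment or add a small helper such as `authTokenKey(String field)` returning `AUTH_TOKEN_PREFIX + "." + field`, so the concatenation lives in one place, which is the stated aim of the patch.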
> diff --git 
> a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
> b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> index 
> 17b453ab5d82bd7c18612263f01e297a4e9df3da..cb5efa0b0e14274e0c4a9393522ab18071f60fd8
>  100644
> --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
> @@ -310,12 +310,17 @@ public class CertProcessor extends CAProcessor {
>  String[] tokenVals = 
> authToken.getInStringArray(tokenName);
>  if (tokenVals != null) {
>  for (int i = 0; i < tokenVals.length; i++) {
> -req.setExtData(ARG_AUTH_TOKEN + "." + tokenName 
> + "[" + i + "]", tokenVals[i]);
> +req.setExtData(
> +IRequest.AUTH_TOKEN_PREFIX
> ++ "." + tokenName + "[" + i + "]"
> +, tokenVals[i]);
>  }
>  } else {
>  String tokenVal = authToken.getInString(tokenName);
>  if (tokenVal != null) {
> -req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, 
> tokenVal);
> +req.setExtData(
> +IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,
> +tokenVal);
>  // if RA agent, auto assign the request
>  if (tokenName.equals("uid"))
>  uid = tokenVal;
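Review bot: formatting nit in the array branch: the leading-comma continuation `, tokenVals[i]);` differs from the trailing-comma style used in the scalar branch a few lines later (`IRequest.AUTH_TOKEN_PREFIX + "." + tokenName,`); pick one. Also `tokenName.equals("uid")` could use `IAuthToken.UID` (defined as "uid" in IAuthToken), in keeping with this series' goal of replacing string literals with constants.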
> diff --git 
> a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
> b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
> index 
> bb3cfa84a423fe452ef55fb20e23c03911831690..ae91f649541db5ce77679844ad7a4fec680e99e9
>  100644
> --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
> +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
> @@ -72,7 +72,6 @@ import netscape.security.x509.X509Ce

[Pki-devel] [PATCH] 0148 Remove principal type assumption from AuthorityService

2016-12-11 Thread Fraser Tweedale
Reviewed by alee:
https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d

Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99).

Thanks,
Fraser
From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 30 Nov 2016 10:06:15 +1000
Subject: [PATCH] Remove principal type assumption from AuthorityService

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../src/org/dogtagpki/server/ca/rest/AuthorityService.java   | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 
584ab6e59638beada6c89a1882a176b4743a861d..18542d3794f2f1ba3975c634ee726f6d94ebba5b
 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -36,6 +36,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authority.AuthorityData;
 import com.netscape.certsrv.authority.AuthorityResource;
 import com.netscape.certsrv.base.BadRequestDataException;
@@ -46,6 +47,7 @@ import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.base.ServiceUnavailableException;
+import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CADisabledException;
 import com.netscape.certsrv.ca.CAEnabledException;
@@ -59,7 +61,6 @@ import com.netscape.certsrv.ca.IssuerUnavailableException;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.logging.ILogger;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.util.Utils;
 
@@ -191,9 +192,6 @@ public class AuthorityService extends PKIService implements 
AuthorityResource {
 }
 }
 
-PKIPrincipal principal =
-(PKIPrincipal) servletRequest.getUserPrincipal();
-
 Map auditParams = new LinkedHashMap<>();
 auditParams.put("dn", data.getDN());
 if (parentAID != null)
@@ -201,10 +199,12 @@ public class AuthorityService extends PKIService 
implements AuthorityResource {
 if (data.getDescription() != null)
 auditParams.put("description", data.getDescription());
 
+IAuthToken authToken = (IAuthToken)
+SessionContext.getContext().get(SessionContext.AUTH_TOKEN);
+
 try {
 ICertificateAuthority subCA = hostCA.createCA(
-principal.getAuthToken(),
-data.getDN(), parentAID, data.getDescription());
+authToken, data.getDN(), parentAID, data.getDescription());
 audit(ILogger.SUCCESS, OpDef.OP_ADD,
 subCA.getAuthorityID().toString(), auditParams);
 return createOKResponse(readAuthorityData(subCA));
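Review bot: `SessionContext.getContext().get(SessionContext.AUTH_TOKEN)` returns null when no auth token was stored for the session, and the cast passes that null straight into `hostCA.createCA(...)`; the removed `(PKIPrincipal) servletRequest.getUserPrincipal()` path failed earlier and more visibly. Add a null check before the `try` and throw `ForbiddenException` (already imported in this file) or another suitable PKIException, so an unauthenticated call never reaches `createCA`.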
-- 
2.7.4
