From d9d35c92eccb20fbd3c6aa33ef2df6958df60e5c Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Wed, 7 Aug 2024 12:12:18 +0200
Subject: [PATCH] Revert the ACL check for profile APIs to v1 code. ACL groups does not match with the embedded checks in v1 code so the code has been reverted to the embedded check leaving the ACL update to future commits.
---
 .../server/ca/rest/base/ProfileBase.java | 82 ++++++-------------
 1 file changed, 26 insertions(+), 56 deletions(-)
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/rest/base/ProfileBase.java b/base/ca/src/main/java/org/dogtagpki/server/ca/rest/base/ProfileBase.java
index afd2a268eee..3d5e9fecba6 100644
--- a/base/ca/src/main/java/org/dogtagpki/server/ca/rest/base/ProfileBase.java
+++ b/base/ca/src/main/java/org/dogtagpki/server/ca/rest/base/ProfileBase.java
@@ -23,15 +23,11 @@
 import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang3.StringUtils;
-import org.dogtagpki.server.authentication.AuthToken;
-import org.dogtagpki.server.authorization.AuthzToken;
 import org.dogtagpki.server.ca.CAEngine;
 import org.dogtagpki.server.ca.CAEngineConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import com.netscape.certsrv.authentication.ExternalAuthToken;
-import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
@@ -70,11 +66,9 @@
 import com.netscape.cms.profile.common.ProfilePolicyConfig;
 import com.netscape.cms.profile.common.ProfilePolicySetConfig;
 import com.netscape.cms.profile.common.ProfilePolicySetsConfig;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.profile.PolicyConstraintFactory;
 import com.netscape.cms.servlet.profile.PolicyDefaultFactory;
 import com.netscape.cmscore.apps.CMS;
-import com.netscape.cmscore.authorization.AuthzSubsystem;
 import com.netscape.cmscore.base.SimpleProperties;
 import com.netscape.cmscore.logging.Auditor;
 import com.netscape.cmscore.profile.ProfileSubsystem;
@@ -102,12 +96,21 @@ public ProfileBase(CAEngine engine) {
 public ProfileDataInfos listProfiles(HttpServletRequest servletRequest, int start, int size, Boolean visible, Boolean enable, String enableBy) {
 ProfileDataInfos infos = new ProfileDataInfos();
- boolean visibleOnly = isProfileAccessLimited(servletRequest.getUserPrincipal());
+ boolean visibleOnly = true;
 if (ps == null) {
 logger.error("ProfileBase.listProfiles: ps is null");
 throw new PKIException("Error listing profiles. Profile subsystem not available");
 }
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
+ }
 if (visibleOnly && visible != null && !visible.booleanValue()) {
 return infos;
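Review bot: The hard-coded role test added to listProfiles (`hasRole("Certificate Manager Agents") || hasRole("Certificate Manager Administrators")`) is repeated verbatim in the getProfile hunk at `@@ -697,6 +699,15 @@`, so the decision that exposes non-visible profiles now lives in two copies that can drift apart. One private helper would keep the role names and the restrictive default (`visibleOnly = true` for a null or non-GenericPrincipal caller) in a single place until the authzmgr TODO is resolved. The `principal != null` test is redundant before `instanceof`, and the unbraced inner `if` spanning two lines is easy to misread. listProfiles continues outside the hunk.

```java
// … unchanged: ps null check …
boolean visibleOnly = !hasUnrestrictedProfileAccess(servletRequest.getUserPrincipal());

// … shared with getProfile …
private static boolean hasUnrestrictedProfileAccess(Principal principal) {
    // TODO remove hardcoded role names and consult authzmgr
    // (so that we can handle externally-authenticated principals)
    if (!(principal instanceof GenericPrincipal)) {
        return false; // null or other principal type: visible profiles only
    }
    GenericPrincipal genPrincipal = (GenericPrincipal) principal;
    return genPrincipal.hasRole("Certificate Manager Agents")
            || genPrincipal.hasRole("Certificate Manager Administrators");
}
```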
@@ -152,17 +155,15 @@ public ProfileDataInfos listProfiles(HttpServletRequest servletRequest, int star
 }
 public ProfileData retrieveProfile(HttpServletRequest servletRequest, String profileId) {
- boolean visibleOnly = isProfileAccessLimited(servletRequest.getUserPrincipal());
 try {
- return createProfileData(profileId, visibleOnly, servletRequest.getLocale());
+ return createProfileData(profileId, servletRequest.getUserPrincipal(), servletRequest.getLocale());
 } catch (EBaseException e) {
 throw new ResourceNotFoundException("Profile not found: " + profileId);
 }
 }
 public byte[] retrieveRawProfile(HttpServletRequest servletRequest, String profileId) {
- boolean visibleOnly = isProfileAccessLimited(servletRequest.getUserPrincipal());
- Profile profile = getProfile(profileId, visibleOnly);
+ Profile profile = getProfile(profileId, servletRequest.getUserPrincipal());
 ByteArrayOutputStream data = new ByteArrayOutputStream();
 // add profileId and classId "virtual" properties
 profile.getConfigStore().put("profileId", profileId);
@@ -463,7 +464,7 @@ public ProfileData modifyProfile(HttpServletRequest servletRequest, String profi
 changeProfileData(data, profile, servletRequest.getLocale());
- return createProfileData(profileId, false, servletRequest.getLocale());
+ return createProfileData(profileId, servletRequest.getUserPrincipal(), servletRequest.getLocale());
 } catch (EBaseException e) {
 logger.error("modifyProfile: error obtaining profile `" + profileId + "`: " + e.getMessage(), e);
@@ -627,8 +628,8 @@ private ProfileDataInfo createProfileDataInfo(String profileId, String uri,
 return ret;
 }
- private ProfileData createProfileData(String profileId, boolean visibleOnly, Locale loc) throws EBaseException {
- Profile profile = getProfile(profileId, visibleOnly);
+ private ProfileData createProfileData(String profileId, Principal principal, Locale loc) throws EBaseException {
+ Profile profile = getProfile(profileId, principal);
 ProfileData data = new ProfileData();
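Review bot: retrieveProfile and retrieveRawProfile (hunk `@@ -152,17 +155,15 @@`) no longer show that their result depends on the caller, because the visibility decision moved into getProfile and only the principal is passed down. A comment at each call, for example `// getProfile restricts callers without an agent/admin role to visible profiles`, would keep the access rule readable at the REST entry points. That matters most for retrieveRawProfile, which appears to serialise the profile's config store and whose body continues outside the hunk.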
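Review bot: In the modifyProfile hunk (`@@ -463,7 +464,7 @@`) a caller who is allowed to modify a profile but holds neither hard-coded role may now get an error after the change has already been made, because the response is built with the caller's principal instead of the previous unconditional `false`. The commit message itself says the ACL groups do not match the embedded checks, so presumably such a caller can exist; for a non-visible profile the lookup after `changeProfileData(...)` would then fall into the `error obtaining profile` path. If this is the intended v1 behaviour, a comment such as `// response is subject to the role-based visibility filter in getProfile` would record it; otherwise the response should not depend on that filter. modifyProfile starts and ends outside the hunk.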
@@ -686,7 +687,8 @@ private ProfileData createProfileData(String profileId, boolean visibleOnly, Loc
 }
- private Profile getProfile(String profileId, boolean visibleOnly) throws ProfileNotFoundException {
+ private Profile getProfile(String profileId, Principal principal) throws ProfileNotFoundException {
+ boolean visibleOnly = true;
 if (profileId == null) {
 logger.error("retrieveProfile: profileID is null");
 throw new BadRequestException("Unable to retrieve profile: invalid profile ID");
@@ -697,6 +699,15 @@ private Profile getProfile(String profileId, boolean visibleOnly) throws Profile
 throw new PKIException("Error retrieving profile. Profile Service not available");
 }
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
+ }
+
 Profile profile;
 try {
 profile = ps.getProfile(profileId);
@@ -1186,47 +1197,6 @@ private void populateProfileInputs(ProfileData data, Profile profile, Locale loc
 }
 }
- private boolean isProfileAccessLimited(Principal principal) {
- AuthzSubsystem authzSubsystem = engine.getAuthzSubsystem();
- if (principal == null)
- return true;
- AuthToken authToken = null;
- String authzMgrName = null;
- if (principal instanceof PKIPrincipal pkiPrincipal) {
- authzMgrName = "DirAclAuthz";
- authToken = pkiPrincipal.getAuthToken();
- if (authToken == null)
- return true;
- } else {
- String realm = null;
- String[] parts = principal.getName().split("@", 2);
- if (parts.length == 2) {
- realm = parts[1];
- }
- try {
- authzMgrName = authzSubsystem.getAuthzManagerNameByRealm(realm);
- } catch (EAuthzUnknownRealm e) {
- logger.error("Cannot find AuthzManager for external principal {}", principal.getName());
- return true;
- }
- authToken = new ExternalAuthToken((GenericPrincipal) principal);
- }
- try {
- AuthzToken authzToken = authzSubsystem.authorize(
- authzMgrName,
- authToken,
- "certServer.profile.configuration",
- "read");
-
- if (authzToken != null)
- return false;
- } catch (EBaseException e) {
- logger.error("Cannot check authorization for principal {}", principal.getName());
- return true;
- }
- return true;
- }
-
 private void auditProfileChangeState(String profileId, String op, String status) {
 Auditor auditor = engine.getAuditor();