And now with the patches ..
On Thu, 2016-06-02 at 09:50 -0400, Ade Lee wrote:
> Patch descriptions (in reverse order).
>
> The final patch will need some discussion. Please review,
>
> Ade
>
> ***********************************************
> commit 4a1fb1e678d0024d9ee51fcda0d83f74f1715f4b
> Author: Ade Lee <[email protected]>
> Date: Thu Jun 2 09:41:35 2016 -0400
>
> Modify pki-server db-upgrade to do realm related upgrades
>
> Tickets 2320, 2319
>
> commit ed3e2da4c598bf4cec89bec8e20a23ab6d82013c
> Author: Ade Lee <[email protected]>
> Date: Fri May 27 14:01:59 2016 -0400
>
> New VLV indexes for KRA including realm
>
> commit 1a2947fed2f7cd2cc32fa810ab77d64bf3acb821
> Author: Ade Lee <[email protected]>
> Date: Thu May 26 00:48:39 2016 -0400
>
> Fix legacy servlets to check realm when requesting recovery
>
> commit 483f9b2066110c3b8d4598e3afe1a9508bddbbb7
> Author: Ade Lee <[email protected]>
> Date: Wed May 25 18:53:22 2016 -0400
>
> Change legacy requests servlet to check realm
>
> The legacy KRA servlet has been modified to check the realm
> if present in the request, or only return non-realm requests
> if not present.
>
> No attempt is made to fix the error reporting of the servlet.
> As such, an authz failure due to the realm check is handled
> in the same way that other authz failures are handled.
>
> commit 6c52845955315ca8842290d41c826c26aa037eb3
> Author: Ade Lee <[email protected]>
> Date: Wed May 25 18:10:59 2016 -0400
>
> Fix old KRA servlets to check realm
>
> The old KRA servlets to list and display keys do not go through
> the same code paths as the REST API. Therefore, they do not
> check the authz realm.
>
> This patch adds the relevant code. No attempt is made to fix the
> error handling of the old servlets. the long term solution for
> this
> is to deprecate the old servlets and make the UI use the REST API
> instead. Therefore, authz failures due to realm checks are
> handled
> in the same way as other authz changes.
>
> _______________________________________________
> Pki-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/pki-devel
From 6c52845955315ca8842290d41c826c26aa037eb3 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Wed, 25 May 2016 18:10:59 -0400
Subject: [PATCH 315/319] Fix old KRA servlets to check realm
The old KRA servlets to list and display keys do not go through
the same code paths as the REST API. Therefore, they do not
check the authz realm.
This patch adds the relevant code. No attempt is made to fix the
error handling of the old servlets. The long-term solution for this
is to deprecate the old servlets and make the UI use the REST API
instead. Therefore, authz failures due to realm checks are handled
in the same way as other authz changes.
---
.../netscape/cms/servlet/key/DisplayBySerial.java | 16 +++++++--
.../servlet/key/DisplayBySerialForRecovery.java | 16 +++++++--
.../src/com/netscape/cms/servlet/key/SrchKey.java | 40 +++++++++++++++++++---
.../cms/servlet/key/SrchKeyForRecovery.java | 38 +++++++++++++++++---
4 files changed, 96 insertions(+), 14 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
index 03af65c1f6df3a49408c42c8df6a009337d96f2f..7d3a5e9ff1c1886abde5e3cfe98b6338c9008db2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerial.java
@@ -31,6 +31,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.common.ICMSRequest;
@@ -154,7 +155,12 @@ public class DisplayBySerial extends CMSServlet {
if (req.getParameter(IN_SERIALNO) != null) {
seqNum = new BigInteger(req.getParameter(IN_SERIALNO));
}
- process(argSet, header, seqNum, req, resp, locale[0]);
+ process(argSet, header, seqNum, req, resp, locale[0], authToken);
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
} catch (NumberFormatException e) {
header.addStringValue(OUT_ERROR,
CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString()));
@@ -175,19 +181,23 @@ public class DisplayBySerial extends CMSServlet {
/**
* Display information about a particular key.
+ * @throws EAuthzException
*/
private void process(CMSTemplateParams argSet,
IArgBlock header, BigInteger seq,
HttpServletRequest req, HttpServletResponse resp,
- Locale locale) {
+ Locale locale, IAuthToken authToken) throws EAuthzException {
try {
header.addStringValue(OUT_OP,
req.getParameter(OUT_OP));
header.addStringValue(OUT_SERVICE_URL,
req.getRequestURI());
IKeyRecord rec = mKeyDB.readKeyRecord(seq);
-
+ mAuthz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(),
+ mAuthzResourceName, "read");
KeyRecordParser.fillRecordIntoArg(rec, header);
+ } catch (EAuthzException e) {
+ throw e;
} catch (EBaseException e) {
header.addStringValue(OUT_ERROR, e.toString(locale));
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java
index 48cac3785fd3868b14296c9f44b53e00e8493f87..fdba138a24fefd1e9042b3b29789cd134899b8ff 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/DisplayBySerialForRecovery.java
@@ -31,6 +31,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.common.ICMSRequest;
@@ -159,7 +160,12 @@ public class DisplayBySerialForRecovery extends CMSServlet {
}
process(argSet, header,
req.getParameter("publicKeyData"),
- seqNum, req, resp, locale[0]);
+ seqNum, req, resp, locale[0], authToken);
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
} catch (NumberFormatException e) {
header.addStringValue(OUT_ERROR,
CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString()));
@@ -183,11 +189,12 @@ public class DisplayBySerialForRecovery extends CMSServlet {
/**
* Display information about a particular key.
+ * @throws EAuthzException
*/
private synchronized void process(CMSTemplateParams argSet,
IArgBlock header, String publicKeyData, BigInteger seq,
HttpServletRequest req, HttpServletResponse resp,
- Locale locale) {
+ Locale locale, IAuthToken authToken) throws EAuthzException {
try {
header.addIntegerValue("noOfRequiredAgents",
mService.getNoOfRequiredAgents());
@@ -202,11 +209,14 @@ public class DisplayBySerialForRecovery extends CMSServlet {
publicKeyData);
}
IKeyRecord rec = mKeyDB.readKeyRecord(seq);
-
+ mAuthz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(),
+ mAuthzResourceName, "read");
KeyRecordParser.fillRecordIntoArg(rec, header);
// recovery identifier
header.addStringValue("recoveryID", mService.getRecoveryID());
+ } catch (EAuthzException e) {
+ throw e;
} catch (EBaseException e) {
header.addStringValue(OUT_ERROR, e.toString(locale));
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java
index 5bedf1f588186ded0d3070eec1285961a26b0dde..73a8051adc002dee5e3edc5a2fa15d16b6412658 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKey.java
@@ -27,12 +27,11 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.X500Name;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.common.ICMSRequest;
@@ -45,6 +44,9 @@ import com.netscape.cms.servlet.common.CMSRequest;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
+import netscape.security.x509.X500Name;
/**
* Retrieve archived keys matching search criteria
@@ -65,6 +67,7 @@ public class SrchKey extends CMSServlet {
private final static String IN_MAXCOUNT = "maxCount";
private final static String IN_FILTER = "queryFilter";
private final static String IN_SENTINEL = "querySentinel";
+ private final static String REALM = "realm";
// output parameters
private final static String OUT_FILTER = IN_FILTER;
@@ -144,6 +147,7 @@ public class SrchKey extends CMSServlet {
* <li>http.param queryFilter ldap-style filter to search with
* <li>http.param querySentinel ID of first request to show
* <li>http.param timeLimit number of seconds to limit ldap search to
+ * <li>http.param realm authorization realm to search
* </ul>
*
* @param cmsReq the object holding the request and response information
@@ -173,6 +177,22 @@ public class SrchKey extends CMSServlet {
return;
}
+ String realm = req.getParameter(REALM);
+ try {
+ mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list");
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.EXCEPTION);
+ return;
+ }
+
+
CMSTemplate form = null;
Locale[] locale = new Locale[1];
@@ -212,9 +232,10 @@ public class SrchKey extends CMSServlet {
if (timeLimitStr != null && timeLimitStr.length() > 0)
timeLimit = Integer.parseInt(timeLimitStr);
+
process(argSet, header, ctx, maxCount, maxResults,
timeLimit, sentinel,
- req.getParameter(IN_FILTER), req, resp, locale[0]);
+ req.getParameter(IN_FILTER), req, resp, locale[0], realm);
} catch (NumberFormatException e) {
header.addStringValue(OUT_ERROR,
CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString()));
@@ -240,9 +261,19 @@ public class SrchKey extends CMSServlet {
private void process(CMSTemplateParams argSet,
IArgBlock header, IArgBlock ctx,
int maxCount, int maxResults, int timeLimit, int sentinel, String filter,
- HttpServletRequest req, HttpServletResponse resp, Locale locale) {
+ HttpServletRequest req, HttpServletResponse resp, Locale locale, String realm) {
try {
+ if (filter.contains("(realm=)")) {
+ throw new EBaseException("Query filter cannot contain realm");
+ }
+
+ if (realm != null) {
+ filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))";
+ } else {
+ filter = "(&" + filter + "(!(realm=*)))";
+ }
+
// Fill header
header.addStringValue(OUT_OP,
req.getParameter(OUT_OP));
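Review bot: `filter.contains("(realm=)")` on the first new line of the try rejects only the literal empty-valued clause, and it is not what keeps the caller-supplied filter inside the realm — the `(&` + filter + `(realm=…))` wrapping below it is, since anything inside an outer conjunction can only narrow the result. The check also dereferences `filter` before any null check, and the caller passes `req.getParameter(IN_FILTER)` straight through, so an absent parameter would surface as a NullPointerException rather than an OUT_ERROR (whether an earlier guard exists is outside the hunk). Suggest replacing the substring check with `if (filter == null) throw new EBaseException("Query filter is required");` plus a comment `// the enclosing (&…) conjunction confines the caller's filter to the realm; do not append clauses outside it`. The same three lines appear in SrchKeyForRecovery's process() (the hunk at `@@ -255,10 +275,20 @@`). process() continues past the hunk.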
@@ -263,6 +294,7 @@ public class SrchKey extends CMSServlet {
CMS.debug("Resetting timelimit from " + timeLimit + " to " + mTimeLimits);
timeLimit = mTimeLimits;
}
+
CMS.debug("Start searching ... timelimit=" + timeLimit);
Enumeration<IKeyRecord> e = mKeyDB.searchKeys(filter,
maxResults, timeLimit);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java
index 897acfc764f5d72fad6710708b2cc40063578129..6ecf2b0561218c409d689bbf5a69638cd479524f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/SrchKeyForRecovery.java
@@ -27,12 +27,11 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.X500Name;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.common.ICMSRequest;
@@ -45,6 +44,9 @@ import com.netscape.cms.servlet.common.CMSRequest;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
+import netscape.security.x509.X500Name;
/**
* Retrieve archived keys matching given public key material
@@ -66,6 +68,7 @@ public class SrchKeyForRecovery extends CMSServlet {
private final static String IN_MAXCOUNT = "maxCount";
private final static String IN_FILTER = "queryFilter";
private final static String IN_SENTINEL = "querySentinel";
+ private final static String REALM = "realm";
// output parameters
private final static String OUT_FILTER = IN_FILTER;
@@ -142,6 +145,7 @@ public class SrchKeyForRecovery extends CMSServlet {
* <li>http.param publicKeyData public key data to search on
* <li>http.param querySentinel ID of first request to show
* <li>http.param timeLimit number of seconds to limit ldap search to
+ * <li>http.param realm authorization realm to search
* </ul>
*
* @param cmsReq the object holding the request and response information
@@ -171,6 +175,21 @@ public class SrchKeyForRecovery extends CMSServlet {
return;
}
+ String realm = req.getParameter(REALM);
+ try {
+ mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list");
+ } catch (EAuthzAccessDenied | EAuthzUnknownRealm e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ } catch (EBaseException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.EXCEPTION);
+ return;
+ }
+
CMSTemplate form = null;
Locale[] locale = new Locale[1];
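Review bot: The multi-catch `EAuthzAccessDenied | EAuthzUnknownRealm` differs from the sibling SrchKey hunk (`@@ -173,6 +177,22 @@`), which catches `EAuthzException`; any other EAuthzException subtype that checkRealm may throw falls through to the `EBaseException` arm here and is reported as ICMSRequest.EXCEPTION instead of UNAUTHORIZED. Suggest `} catch (EAuthzException e) {` as in SrchKey, importing EAuthzException instead of EAuthzUnknownRealm. Both arms also log the same ADMIN_SRVLT_AUTH_FAILURE message, so in the log only the status code distinguishes an authorization failure from an internal error; a different message in the EBaseException arm would make incident triage easier. The enclosing method continues outside the hunk.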
@@ -212,7 +231,8 @@ public class SrchKeyForRecovery extends CMSServlet {
if (timeLimitStr != null && timeLimitStr.length() > 0)
timeLimit = Integer.parseInt(timeLimitStr);
process(argSet, header, ctx, maxCount, maxResults, timeLimit, sentinel,
- req.getParameter("publicKeyData"), req.getParameter(IN_FILTER), req, resp, locale[0]);
+ req.getParameter("publicKeyData"), req.getParameter(IN_FILTER),
+ req, resp, locale[0], realm);
} catch (NumberFormatException e) {
log(ILogger.LL_FAILURE,
CMS.getLogMessage("BASE_INVALID_NUMBER_FORMAT"));
@@ -255,10 +275,20 @@ public class SrchKeyForRecovery extends CMSServlet {
IArgBlock header, IArgBlock ctx,
int maxCount, int maxResults, int timeLimit, int sentinel, String publicKeyData,
String filter,
- HttpServletRequest req, HttpServletResponse resp, Locale locale)
+ HttpServletRequest req, HttpServletResponse resp, Locale locale, String realm)
throws EBaseException {
try {
+ if (filter.contains("(realm=)")) {
+ throw new EBaseException("Query filter cannot contain realm");
+ }
+
+ if (realm != null) {
+ filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))";
+ } else {
+ filter = "(&" + filter + "(!(realm=*)))";
+ }
+
// Fill header
header.addStringValue(OUT_OP,
req.getParameter(OUT_OP));
--
2.4.3
From 483f9b2066110c3b8d4598e3afe1a9508bddbbb7 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Wed, 25 May 2016 18:53:22 -0400
Subject: [PATCH 316/319] Change legacy requests servlet to check realm
The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.
No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.
---
.../com/netscape/cms/servlet/request/QueryReq.java | 26 ++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
index 09bf3a0b8d5fd3e79474434722730164578b6164..146db7b3b8cd55d15e75e4012934ba72321f3b73 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.common.ICMSRequest;
@@ -45,6 +46,7 @@ import com.netscape.cms.servlet.common.CMSRequest;
import com.netscape.cms.servlet.common.CMSTemplate;
import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
/**
* Show paged list of requests matching search criteria
@@ -67,6 +69,7 @@ public class QueryReq extends CMSServlet {
private final static String IN_MAXCOUNT = "maxCount";
private final static String IN_TOTALCOUNT = "totalRecordCount";
private final static String PROP_PARSER = "parser";
+ private final static String REALM = "realm";
private final static String TPL_FILE = "queryReq.template";
@@ -232,6 +235,20 @@ public class QueryReq extends CMSServlet {
return;
}
+ String realm = null;
+ if (mAuthority.getId().equals("kra")) {
+ // for the KRA, check the realm (if present)
+ realm = req.getParameter(REALM);
+ try {
+ mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list");
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ }
+ }
+
CMSTemplate form = null;
Locale[] locale = new Locale[1];
@@ -269,6 +286,15 @@ public class QueryReq extends CMSServlet {
getRequestType(reqType) + ")";
}
+ if (mAuthority.getId().equals("kra")) {
+ // add realm to filter for KRA requests
+ if (realm != null) {
+ filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))";
+ } else {
+ filter = "(&" + filter + "(!(realm=*)))";
+ }
+ }
+
String direction = "begin";
if (req.getParameter("direction") != null) {
direction = req.getParameter("direction").trim();
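Review bot: `mAuthority.getId().equals("kra")` is evaluated twice in this method with the literal duplicated (here and in the hunk at `@@ -232,6 +235,20 @@`), and the two branches must stay in step or a realm could be checked but not applied to the filter, or vice versa. Suggest computing it once near the first use, `boolean isKra = "kra".equals(mAuthority.getId());`, and testing `isKra` in both places. For a non-KRA authority a supplied realm parameter is silently ignored, which looks intended; a one-line comment at the first hunk saying so would help the next reader. The method continues outside the hunk.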
--
2.4.3
From 1a2947fed2f7cd2cc32fa810ab77d64bf3acb821 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Thu, 26 May 2016 00:48:39 -0400
Subject: [PATCH 317/319] Fix legacy servlets to check realm when requesting
recovery
---
.../src/com/netscape/certsrv/kra/IKeyService.java | 8 +++--
.../src/com/netscape/kra/KeyRecoveryAuthority.java | 13 +++----
.../netscape/cms/servlet/key/KeyRequestDAO.java | 7 ++--
.../netscape/cms/servlet/key/RecoverBySerial.java | 42 ++++++++++++++++++----
4 files changed, 51 insertions(+), 19 deletions(-)
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyService.java b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
index 9118bc935620039eb1f04c90f4581802ca2e03ab..d3d5ff61e7e510e2555d2d32d7d1d2c692ea2035 100644
--- a/base/common/src/com/netscape/certsrv/kra/IKeyService.java
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
@@ -20,11 +20,11 @@ package com.netscape.certsrv.kra;
import java.math.BigInteger;
import java.util.Hashtable;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.security.Credential;
+import netscape.security.x509.X509CertImpl;
+
/**
* An interface representing a recovery service.
* <P>
@@ -66,10 +66,12 @@ public interface IKeyService {
*
* @param kid key identifier
* @param cert certificate embedded in PKCS12
+ * @param agent agent requesting recovery
+ * @param realm authorization realm
* @return requestId
* @exception EBaseException failed to initiate async recovery
*/
- public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent, String realm)
throws EBaseException;
/**
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 8ee8cb2d0a725bf116ef51804a5122008edd21d8..cda3ba659b935139f23f5bae2ac6b1a41c060a8f 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -28,11 +28,6 @@ import java.util.Hashtable;
import java.util.StringTokenizer;
import java.util.Vector;
-import netscape.security.util.DerOutputStream;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.crypto.CryptoToken;
@@ -73,6 +68,11 @@ import com.netscape.cmscore.dbs.KeyRepository;
import com.netscape.cmscore.dbs.ReplicaIDRepository;
import com.netscape.cmscore.request.RequestSubsystem;
+import netscape.security.util.DerOutputStream;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+
/**
* A class represents an key recovery authority (KRA). A KRA
* is responsible to maintain key pairs that have been
@@ -841,7 +841,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* async key recovery initiation
*/
- public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent, String realm)
throws EBaseException {
String auditPublicKey = auditPublicKey(cert);
@@ -861,6 +861,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// first one in the "approvingAgents" list is the initiating agent
r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
r.setRequestStatus(RequestStatus.PENDING);
+ r.setRealm(realm);
queue.updateRequest(r);
auditRecoveryID = r.getRequestId().toString();
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 00e313a80da008ed84f5990cb29680192c3c6cba..8238c10f13a5a4eaceeb10d97f520c1cd1727e88 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -321,8 +321,9 @@ public class KeyRequestDAO extends CMSRequestDAO {
throw new KeyNotFoundException(keyId, "key not found to recover", e);
}
+ String realm = rec.getRealm();
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
+ authz.checkRealm(realm, authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -333,8 +334,8 @@ public class KeyRequestDAO extends CMSRequestDAO {
byte[] certData = Utils.base64decode(b64Certificate);
String requestId = null;
try {
- requestId = service.initAsyncKeyRecovery(new BigInteger(keyId.toString()), new X509CertImpl(certData), requestor);
- // TODO - update request with realm
+ requestId = service.initAsyncKeyRecovery(new BigInteger(keyId.toString()),
+ new X509CertImpl(certData), requestor, realm);
} catch (EBaseException | CertificateException e) {
e.printStackTrace();
throw new PKIException(e.toString(), e);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/RecoverBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/key/RecoverBySerial.java
index 7b961c0b2c8329eba9ae386cd2ef79b7bb16036d..baf1f287d41e7d6550ac174f70636370c4b4352f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/RecoverBySerial.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/RecoverBySerial.java
@@ -29,16 +29,19 @@ import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import netscape.security.x509.X509CertImpl;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.common.ICMSRequest;
+import com.netscape.certsrv.dbs.EDBRecordNotFoundException;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.dbs.keydb.KeyId;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.Credential;
@@ -49,6 +52,8 @@ import com.netscape.cms.servlet.common.CMSTemplateParams;
import com.netscape.cms.servlet.common.ECMSGWException;
import com.netscape.cmsutil.util.Cert;
+import netscape.security.x509.X509CertImpl;
+
/**
* A class representing a recoverBySerial servlet.
*
@@ -83,6 +88,7 @@ public class RecoverBySerial extends CMSServlet {
private final static String PORT = "port";
private com.netscape.certsrv.kra.IKeyService mService = null;
+ private IKeyRepository repo;
private String mFormPath = null;
/**
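Review bot: `private IKeyRepository repo;` departs from the field naming used on the adjacent lines (`mService`, `mFormPath`, `mAuthority`); suggest `private IKeyRepository mRepo;` with the corresponding updates in init() and doProcess(). A short comment such as `// key repository, used to read the record's realm and owner for the authz check` would also explain why a servlet that delegates to mService now holds a repository reference.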
@@ -99,6 +105,7 @@ public class RecoverBySerial extends CMSServlet {
super.init(sc);
mFormPath = "/" + mAuthority.getId() + "/" + TPL_FILE;
mService = (com.netscape.certsrv.kra.IKeyService) mAuthority;
+ repo = ((IKeyRecoveryAuthority) mAuthority).getKeyRepository();
mTemplates.remove(ICMSRequest.SUCCESS);
if (mOutputTemplatePath != null)
@@ -181,6 +188,27 @@ public class RecoverBySerial extends CMSServlet {
try {
String initAsyncRecovery = req.getParameter("initAsyncRecovery");
+ // First confirm that the requester has access to the authz realm (if present)
+ KeyId keyId = new KeyId(req.getParameter(IN_SERIALNO));
+ IKeyRecord rec = null;
+ try {
+ rec = repo.readKeyRecord(keyId.toBigInteger());
+ } catch (EDBRecordNotFoundException e) {
+ header.addStringValue(OUT_ERROR, "serialNumber not found");
+ return;
+ }
+
+ String realm = rec.getRealm();
+ try {
+ mAuthz.checkRealm(realm, authToken, rec.getOwnerName(),
+ mAuthzResourceName, "recover");
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ }
+
// this information is needed within the server for
// various signed audit log messages to report
ctx = SessionContext.getContext();
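Review bot: `new KeyId(req.getParameter(IN_SERIALNO))` now runs before the `seq == null` guard that process() still performs (hunk `@@ -260,7 +288,7 @@`), so a request without a serialNumber reaches the KeyId constructor with null; how that fails depends on KeyId, which is outside the hunk, but it will no longer produce the existing "sequence number not found" message. Suggest reading the parameter once, `String serial = req.getParameter(IN_SERIALNO);`, returning with that OUT_ERROR message when it is null, and passing `serial` to both the KeyId and the process() calls. Only EDBRecordNotFoundException is handled locally; any other EBaseException from readKeyRecord propagates to the enclosing try, which starts outside the hunk, so confirm that path still renders an error. Taking the realm from the stored record rather than from a request parameter is the right source for the authorization decision.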
@@ -198,7 +226,7 @@ public class RecoverBySerial extends CMSServlet {
process(form, argSet, header,
req.getParameter(IN_SERIALNO),
req.getParameter(IN_CERT),
- req, resp, locale[0]);
+ req, resp, locale[0], realm);
int requiredNumber = mService.getNoOfRequiredAgents();
header.addIntegerValue("noOfRequiredAgents", requiredNumber);
@@ -217,7 +245,7 @@ public class RecoverBySerial extends CMSServlet {
req.getParameter(IN_CERT),
req.getParameter(IN_DELIVERY),
req.getParameter(IN_NICKNAME),
- req, resp, locale[0]);
+ req, resp, locale[0], realm);
if (pkcs12 != null) {
//resp.setStatus(HttpServletResponse.SC_OK);
@@ -260,7 +288,7 @@ public class RecoverBySerial extends CMSServlet {
private void process(CMSTemplate form, CMSTemplateParams argSet,
IArgBlock header, String seq, String cert,
HttpServletRequest req, HttpServletResponse resp,
- Locale locale) {
+ Locale locale, String realm) {
// seq is the key id
if (seq == null) {
@@ -289,7 +317,7 @@ public class RecoverBySerial extends CMSServlet {
try {
String reqID = mService.initAsyncKeyRecovery(
new BigInteger(seq), x509cert,
- (String) sContext.get(SessionContext.USER_ID));
+ (String) sContext.get(SessionContext.USER_ID), realm);
header.addStringValue(OUT_SERIALNO, req.getParameter(IN_SERIALNO));
header.addStringValue(OUT_SERIALNO_IN_HEX,
new BigInteger(req.getParameter(IN_SERIALNO)).toString(16));
@@ -320,7 +348,7 @@ public class RecoverBySerial extends CMSServlet {
String password, String passwordAgain,
String cert, String delivery, String nickname,
HttpServletRequest req, HttpServletResponse resp,
- Locale locale) {
+ Locale locale, String realm) {
if (seq == null) {
header.addStringValue(OUT_ERROR, "sequence number not found");
return null;
--
2.4.3
From ed3e2da4c598bf4cec89bec8e20a23ab6d82013c Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Fri, 27 May 2016 14:01:59 -0400
Subject: [PATCH 318/319] New VLV indexes for KRA including realm
---
base/kra/shared/conf/vlv.ldif | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/base/kra/shared/conf/vlv.ldif b/base/kra/shared/conf/vlv.ldif
index b619e8657c7b1b0e8d5485f0c00409f94c8dd219..ddb8b4e29c8a71670179dd85ca52e77e8f955c83 100644
--- a/base/kra/shared/conf/vlv.ldif
+++ b/base/kra/shared/conf/vlv.ldif
@@ -4,7 +4,7 @@ objectClass: vlvSearch
cn: allKeys-{instanceId}
vlvBase: ou=keyRepository,ou=kra,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(&(objectClass=top)(objectClass=keyRecord))(serialno=*))
+vlvFilter: (&(serialno=*)(!(realm=*)))
dn: cn=kraAll-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
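Review bot: The new allKeys filter drops the `(objectClass=top)(objectClass=keyRecord)` conjuncts the old one carried, which the commit message does not mention. That is harmless if the key repository search now issues exactly `(&(serialno=*)(!(realm=*)))` — a VLV index is only consulted when the search filter matches vlvFilter exactly — but if the objectClass clauses are still emitted by the search code the index is simply skipped and the search degrades to an unindexed scan. Worth confirming against the filter built for mKeyDB.searchKeys, and a comment in the ldif noting which code path each vlvFilter is meant to match would make later drift visible.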
@@ -12,7 +12,7 @@ objectClass: vlvSearch
cn: kraAll-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requeststate=*)
+vlvFilter: (&(requeststate=*)(!(realm=*)))
dn: cn=kraArchival-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -20,7 +20,7 @@ objectClass: vlvSearch
cn: kraArchival-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requesttype=enrollment)
+vlvFilter: (&(requesttype=enrollment)(!(realm=*)))
dn: cn=kraRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -28,7 +28,7 @@ objectClass: vlvSearch
cn: kraRecovery-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requesttype=recovery)
+vlvFilter: (&(requesttype=recovery)(!(realm=*)))
dn: cn=kraCanceled-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -36,7 +36,7 @@ objectClass: vlvSearch
cn: kraCanceled-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requeststate=canceled)
+vlvFilter: (&(requeststate=canceled)(!(realm=*)))
dn: cn=kraCanceledEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -44,7 +44,7 @@ objectClass: vlvSearch
cn: kraCanceledEnrollment-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=canceled)(requesttype=enrollment))
+vlvFilter: (&(&(requeststate=canceled)(requesttype=enrollment))(!(realm=*)))
dn: cn=kraCanceledRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -52,7 +52,7 @@ objectClass: vlvSearch
cn: kraCanceledRecovery-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=canceled)(requesttype=recovery))
+vlvFilter: (&(&(requeststate=canceled)(requesttype=recovery))(!(realm=*)))
dn: cn=kraRejected-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -60,7 +60,7 @@ objectClass: vlvSearch
cn: kraRejected-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requeststate=rejected)
+vlvFilter: (&(requeststate=rejected)(!(realm=*))))
dn: cn=kraRejectedEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
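Review bot: The replacement filter for kraRejected has one closing parenthesis too many: `vlvFilter: (&(requeststate=rejected)(!(realm=*))))` closes four groups but opens only three, so this vlvSearch entry is malformed when the LDIF is loaded, and the db-upgrade step that re-adds these entries from the same file would trip on it. It should read `vlvFilter: (&(requeststate=rejected)(!(realm=*)))`, matching the sibling entries such as kraCanceled and kraComplete.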
@@ -68,7 +68,7 @@ objectClass: vlvSearch
cn: kraRejectedEnrollment-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=rejected)(requesttype=enrollment))
+vlvFilter: (&(&(requeststate=rejected)(requesttype=enrollment))(!(realm=*)))
dn: cn=kraRejectedRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -76,7 +76,7 @@ objectClass: vlvSearch
cn: kraRejectedRecovery-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=rejected)(requesttype=recovery))
+vlvFilter: (&(&(requeststate=rejected)(requesttype=recovery))(!(realm=*)))
dn: cn=kraComplete-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -84,7 +84,7 @@ objectClass: vlvSearch
cn: kraComplete-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (requeststate=complete)
+vlvFilter: (&(requeststate=complete)(!(realm=*)))
dn: cn=kraCompleteEnrollment-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -92,7 +92,7 @@ objectClass: vlvSearch
cn: kraCompleteEnrollment-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=complete)(requesttype=enrollment))
+vlvFilter: (&(&(requeststate=complete)(requesttype=enrollment))(!(realm=*)))
dn: cn=kraCompleteRecovery-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
@@ -100,7 +100,7 @@ objectClass: vlvSearch
cn: kraCompleteRecovery-{instanceId}
vlvBase: ou=kra,ou=requests,{rootSuffix}
vlvScope: 1
-vlvFilter: (&(requeststate=complete)(requesttype=recovery))
+vlvFilter: (&(&(requeststate=complete)(requesttype=recovery))(!(realm=*)))
dn: cn=allKeys-{instanceId}Index, cn=allKeys-{instanceId}, cn={database}, cn=ldbm database, cn=plugins, cn=config
objectClass: top
--
2.4.3
From 4a1fb1e678d0024d9ee51fcda0d83f74f1715f4b Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Thu, 2 Jun 2016 09:41:35 -0400
Subject: [PATCH 319/319] Modify pki-srever db-upgrade to do realm related
upgrades
Tickets 2320, 2319
---
base/server/python/pki/server/__init__.py | 10 +-
base/server/python/pki/server/cli/db.py | 211 +++++++++++++++++++++++++++++-
2 files changed, 213 insertions(+), 8 deletions(-)
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 47f6aa5b46af6cf38b231d94a88e6bb02c7d99b1..8fe2d29b8d7dabdd50cc43f26aa9f1345481e385 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -318,7 +318,7 @@ class PKISubsystem(object):
def disable(self):
self.instance.undeploy(self.name)
- def open_database(self, name='internaldb'):
+ def open_database(self, name='internaldb', user=None, password=None):
# TODO: add LDAPI support
hostname = self.config['%s.ldapconn.host' % name]
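Review bot: The new `user`/`password` parameters on `open_database` are undocumented, and nothing states that they take precedence over the `ldapauth.authtype` configuration. A short docstring under the signature would help: describe `name` as the `<name>.ldapconn.*`/`<name>.ldapauth.*` config prefix, and `user`/`password` as an explicit bind DN and password that, when both are given, replace the configured bind credentials. The method's body continues past this hunk.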
@@ -341,7 +341,13 @@ class PKISubsystem(object):
connection.set_security_database(self.instance.nssdb_dir)
auth_type = self.config['%s.ldapauth.authtype' % name]
- if auth_type == 'BasicAuth':
+ if (user is not None and password is not None):
+ # connect using the provided credentials
+ connection.set_credentials(
+ bind_dn=user,
+ bind_password=password
+ )
+ elif auth_type == 'BasicAuth':
connection.set_credentials(
bind_dn=self.config['%s.ldapauth.bindDN' % name],
bind_password=self.instance.get_password(name)
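Review bot: Supplying only one of `user`/`password` is silently ignored: the condition at the top of the new branch requires both, so a caller passing a bind DN without a password falls through to the `BasicAuth` path and binds as the configured `bindDN` with the instance password, which is probably not what was asked for. Either reject the partial case, e.g. `elif user is not None or password is not None:` / `raise ValueError('user and password must be given together')`, or document the fallback. The enclosing method starts in the previous hunk and continues past this one.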
diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
index 6cfd6b410eb75394f4b88b087b43a0538d3db6c6..d011a97d6967e0b5cf1e63a7c54f522f94733ba2 100644
--- a/base/server/python/pki/server/cli/db.py
+++ b/base/server/python/pki/server/cli/db.py
@@ -22,8 +22,13 @@ from __future__ import absolute_import
from __future__ import print_function
import getopt
import ldap
+import ldap.modlist
+import ldif
import nss.nss as nss
+import os
+import subprocess
import sys
+from tempfile import NamedTemporaryFile
import pki.cli
@@ -38,6 +43,17 @@ class DBCLI(pki.cli.CLI):
class DBUpgrade(pki.cli.CLI):
+
+ KRA_VLV_PATH = '/usr/share/pki/kra/conf/vlv.ldif'
+
+ KRA_VLVS = ['allKeys', 'kraAll',
+ 'kraArchival', 'kraRecovery',
+ 'kraCanceled', 'kraCanceledEnrollment', 'kraCanceledRecovery',
+ 'kraRejected', 'kraRejectedEnrollment', 'kraRejectedRecovery',
+ 'kraComplete', 'kraCompleteEnrollment', 'kraCompleteRecovery']
+
+ SCHEMA_PATH = '/usr/share/pki/server/conf/schema.ldif'
+
def __init__(self):
super(DBUpgrade, self).__init__(
'upgrade', 'Upgrade PKI server database')
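Review bot: `KRA_VLVS` is a hand-maintained mirror of the `cn` values in `KRA_VLV_PATH`, and the upgrade deletes exactly these entries before re-adding whatever the LDIF contains, so the two drifting apart would leave stale or duplicate VLV entries behind. A comment making the coupling explicit is worth adding above the list: `# cn prefixes of the vlvSearch entries in KRA_VLV_PATH; keep in sync with that file, since these (and their *Index children) are removed before the LDIF is re-applied.`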
@@ -46,6 +62,9 @@ class DBUpgrade(pki.cli.CLI):
print('Usage: pki-server db-upgrade [OPTIONS]')
print()
print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -u, --user <User ID> User to connect to DB.')
+ print(' -w, --password <password> Password to connect to DB.')
+ print(' -x --server-id <ds ID> Server ID for the DB')
print(' -v, --verbose Run in verbose mode.')
print(' --help Show help message.')
print()
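Review bot: The long option for the server ID is spelled inconsistently: the help text here says `--server-id`, the getopt spec in the next hunk registers `'server_id='`, and the option handler in the hunk after that matches `'--server-id'`; as written `--server-id` raises GetoptError and `--server_id` is accepted but never assigned to `server_id`. Use `'server-id='` in the getopt list so all three agree. The help line is also missing the comma its neighbours have: `print('  -x, --server-id <ds ID>  Server ID for the DB.')`.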
@@ -53,7 +72,11 @@ class DBUpgrade(pki.cli.CLI):
def execute(self, args):
try:
opts, _ = getopt.gnu_getopt(
- args, 'i:v', ['instance=', 'verbose', 'help'])
+ args,
+ 'i:u:w:x:v',
+ ['instance=', 'user=', 'password=', 'server_id=',
+ 'verbose', 'help']
+ )
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
@@ -66,6 +89,15 @@ class DBUpgrade(pki.cli.CLI):
if o in ('-i', '--instance'):
instance_name = a
+ elif o in ('-u', '--user'):
+ user = a
+
+ elif o in ('-w', '--password'):
+ password = a
+
+ elif o in ('-x', '--server-id'):
+ server_id = a
+
elif o in ('-v', '--verbose'):
self.set_verbose(True)
@@ -83,10 +115,22 @@ class DBUpgrade(pki.cli.CLI):
instance = pki.server.PKIInstance(instance_name)
instance.load()
+ self.add_issuer_name_to_ca(instance)
+
+ # realm changes
+ self.modify_schema(instance, user, password)
+ self.create_realm_index(instance, user, password, server_id)
+ self.modify_kra_vlv(instance, user, password, server_id)
+
+ self.print_message('Upgrade complete')
+
+ def add_issuer_name_to_ca(self, instance):
subsystem = instance.get_subsystem('ca')
if not subsystem:
- print('ERROR: missing subsystem ca')
- sys.exit(1)
+ if self.verbose:
+ print('add_issuer_name: No CA subsystem available. '
+ 'Skipping ...')
+ return
base_dn = subsystem.config['internaldb.basedn']
conn = subsystem.open_database()
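Review bot: The realm steps now run unconditionally, but nothing checks that `-u`/`-w`/`-x` were actually supplied; if those locals default to None (their initialisation is outside this hunk) the helpers go on to build `ldapmodify`/`db2index.pl` argument lists containing None, which `subprocess` rejects with a TypeError after the schema call has already been attempted. Fail early with a clear message before `modify_schema`, e.g. `if user is None or password is None or server_id is None:` / `print('ERROR: --user, --password and --server-id are required')` / `sys.exit(1)`. Note also that `'Upgrade complete'` is printed even when a helper reported a failed subprocess, since those only print and return.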
@@ -94,7 +138,8 @@ class DBUpgrade(pki.cli.CLI):
try:
repo_dn = 'ou=certificateRepository,ou=ca,%s' % base_dn
if self.verbose:
- print('Searching certificates records with missing issuerName in %s' % repo_dn)
+ print('Searching for certificate records with missing '
+ 'issuerName in %s' % repo_dn)
entries = conn.ldap.search_s(
repo_dn,
@@ -108,8 +153,6 @@ class DBUpgrade(pki.cli.CLI):
finally:
conn.close()
- self.print_message('Upgrade complete')
-
def add_issuer_name(self, conn, entry):
dn, attrs = entry
@@ -129,3 +172,159 @@ class DBUpgrade(pki.cli.CLI):
print(
'Failed to add issuerName to certificate {}: {}'
.format(attrs.get('cn', ['<unknown>'])[0], e))
+
+ def modify_kra_vlv(self, instance, user, password, server_id=None):
+ subsystem = instance.get_subsystem('kra')
+ if not subsystem:
+ if self.verbose:
+ print('modify_kra_vlv: No KRA subsystem available. '
+ 'Skipping ...')
+ return
+
+ if self.verbose:
+ print("Modifying KRA VLVs for realm")
+
+ conn = subsystem.open_database(user=user, password=password)
+
+ ldif_file = self.create_ldif(instance, subsystem, self.KRA_VLV_PATH)
+ database = subsystem.config['internaldb.database']
+
+ try:
+ # remove old entries
+ for vlv in self.KRA_VLVS:
+ dn = ("cn=" + vlv + '-' + instance.name + ',cn=' + database +
+ ',cn=ldbm database, cn=plugins, cn=config')
+ index_dn = "cn=" + vlv + '-' + instance.name + "Index," + dn
+
+ try:
+ conn.ldap.delete_s(index_dn)
+ except ldap.NO_SUCH_OBJECT:
+ pass
+
+ try:
+ conn.ldap.delete_s(dn)
+ except ldap.NO_SUCH_OBJECT:
+ pass
+
+ # add new entries
+ parser = ldif.LDIFRecordList(open(ldif_file, "rb"))
+ parser.parse()
+ for dn, entry in parser.all_records:
+ add_modlist = ldap.modlist.addModlist(entry)
+ conn.ldap.add_s(dn, add_modlist)
+ finally:
+ conn.close()
+
+ os.unlink(ldif_file)
+ self.reindex_kra_vlv(instance, subsystem, user, password, server_id)
+
+ def create_ldif(self, instance, subsystem, ldif_path):
+ subs = {'{instanceId}': instance.name,
+ '{database}': subsystem.config['internaldb.database'],
+ '{rootSuffix}': subsystem.config['internaldb.basedn']}
+
+ out_file = NamedTemporaryFile(delete=False)
+
+ with open(ldif_path) as infile, open(out_file.name, 'w') as outfile:
+ for line in infile:
+ for src, target in subs.items():
+ line = line.replace(src, target)
+ outfile.write(line)
+
+ return out_file.name
+
+ def modify_schema(self, instance, user, password):
+ if self.verbose:
+ print("Modifying schema to latest")
+
+ subsystem = instance.subsystems[0]
+ host = subsystem.config['internaldb.ldapconn.host']
+ port = subsystem.config['internaldb.ldapconn.port']
+ cmd = ['ldapmodify',
+ '-c',
+ '-D', user,
+ '-w', password,
+ '-h', host,
+ '-p', port,
+ '-f', self.SCHEMA_PATH
+ ]
+
+ try:
+ subprocess.check_output(cmd)
+ except subprocess.CalledProcessError as e:
+ print('ldapmodify returns {}: {}'.format(e.returncode, e.output))
+
+ def create_realm_index(self, instance, user, password, server_id=None):
+ if self.verbose:
+ print("Adding realm index")
+
+ subsystem = instance.subsystems[0]
+ conn = subsystem.open_database(user=user, password=password)
+ database = subsystem.config['internaldb.database']
+
+ try:
+ dn = ("cn=realm,cn=index,cn=" + database +
+ ",cn=ldbm database, cn=plugins, cn=config")
+
+ attrs = {'objectclass': ['top', 'nsIndex'],
+ 'cn': 'realm',
+ 'nsIndexType': ['eq', 'pres'],
+ 'nsSystemIndex': 'false'}
+
+ mods = ldap.modlist.addModlist(attrs)
+
+ conn.ldap.add_s(dn, mods)
+
+ self.index_for_realm(instance, user, password, server_id)
+ except ldap.ALREADY_EXISTS:
+ if self.verbose:
+ print("realm index already exists. Skipping ..")
+ finally:
+ conn.close()
+
+ def index_for_realm(self, instance, user, password, server_id=None):
+ subsystem = instance.get_subsystem('kra')
+ if not subsystem:
+ if self.verbose:
+ print('index_for_realm: No KRA subsystem available. '
+ 'Skipping ...')
+ return
+
+ if self.verbose:
+ print('Indexing for new realm attribute')
+
+ database = subsystem.config['internaldb.database']
+ cmd = ['db2index.pl',
+ '-Z', server_id,
+ '-n', database,
+ '-D', user,
+ '-w', password,
+ '-t', 'realm:eq,pres'
+ ]
+
+ try:
+ subprocess.check_output(cmd)
+ except subprocess.CalledProcessError as e:
+ print('db2index.pl returns {}: {}'.format(e.returncode, e.output))
+
+ def reindex_kra_vlv(self, instance, subsystem, user,
+ password, server_id=None):
+ if self.verbose:
+ print('Re-indexing KRA VLV indexes')
+
+ database = subsystem.config['internaldb.database']
+ cmd = ['db2index.pl',
+ '-Z', server_id,
+ '-n', database,
+ '-D', user,
+ '-w', password
+ ]
+
+ for key in self.KRA_VLVS:
+ cmd.append("-T")
+ cmd.append(key + '-' + instance.name + "Index")
+
+ try:
+ subprocess.check_output(cmd)
+ except subprocess.CalledProcessError as e:
+ print('db2index.pl returns {}: {}'.format(e.returncode, e.output))
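Review bot: The bind password is passed on the command line of the child processes (`'-w', password` in `modify_schema`, `index_for_realm` and `reindex_kra_vlv`), which typically exposes it to other local users through the process list for as long as `ldapmodify`/`db2index.pl` run; the same applies to the caller's own `-w` option. Prefer handing the secret over without argv, e.g. prompting with `getpass.getpass()` when `-w` is omitted and, where the installed `ldapmodify` supports it, a password file such as OpenLDAP's `-y <file>` created with mode 0600. Separately, `modify_kra_vlv` deletes all existing VLV entries before any new one is added, so a failure in the `add_s` loop leaves the KRA without VLV indexes and also skips `os.unlink(ldif_file)`, leaving the rendered LDIF on disk; moving the unlink into the `finally` and parsing the rendered LDIF before the delete loop would make the step safer. The `open(ldif_file, "rb")` handle given to `LDIFRecordList` is never closed either.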
--
2.4.3