Пример #1
0
  /**
   * Process the HTTP request.
   *
   * <ul>
   *   <li>http.param op 'downloadBIN' - return the binary certificate chain
   *   <li>http.param op 'displayIND' - display pretty-print of certificate chain components
   * </ul>
   *
   * @param cmsReq the object holding the request and response information
   */
  protected void process(CMSRequest cmsReq) throws EBaseException {
    CMS.debug("UpdateDomainXML: processing...");
    String status = SUCCESS;
    String status2 = SUCCESS;

    HttpServletRequest httpReq = cmsReq.getHttpReq();
    HttpServletResponse httpResp = cmsReq.getHttpResp();

    CMS.debug("UpdateDomainXML process: authentication starts");
    IAuthToken authToken = null;
    try {
      authToken = authenticate(cmsReq);
    } catch (Exception e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_BAD_SERV_OUT_STREAM", "", e.toString()));
      outputError(httpResp, AUTH_FAILURE, "Error: Not authenticated", null);
      return;
    }
    if (authToken == null) {
      CMS.debug("UpdateDomainXML process: authToken is null");
      outputError(httpResp, AUTH_FAILURE, "Error: not authenticated", null);
      return;
    }
    CMS.debug("UpdateDomainXML process: authentication done");

    AuthzToken authzToken = null;

    try {
      authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "modify");
    } catch (EAuthzAccessDenied e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
      outputError(httpResp, "Error: Not authorized");
      return;
    } catch (Exception e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
      outputError(httpResp, "Error: Encountered problem during authorization.");
      return;
    }
    if (authzToken == null) {
      CMS.debug("UpdateDomainXML process: authorization error");
      outputError(httpResp, "Error: Not authorized");
      return;
    }

    String list = httpReq.getParameter("list");
    String type = httpReq.getParameter("type");
    String host = httpReq.getParameter("host");
    String name = httpReq.getParameter("name");
    String sport = httpReq.getParameter("sport");
    String agentsport = httpReq.getParameter("agentsport");
    String adminsport = httpReq.getParameter("adminsport");
    String eecaport = httpReq.getParameter("eeclientauthsport");
    String httpport = httpReq.getParameter("httpport");
    String domainmgr = httpReq.getParameter("dm");
    String clone = httpReq.getParameter("clone");
    String operation = httpReq.getParameter("operation");

    // ensure required parameters are present
    // especially important for DS syntax checking
    String missing = "";
    if ((host == null) || host.equals("")) {
      missing += " host ";
    }
    if ((name == null) || name.equals("")) {
      missing += " name ";
    }
    if ((sport == null) || sport.equals("")) {
      missing += " sport ";
    }
    if ((type == null) || type.equals("")) {
      missing += " type ";
    }
    if ((clone == null) || clone.equals("")) {
      clone = "false";
    }

    if (!missing.equals("")) {
      CMS.debug(
          "UpdateDomainXML process: required parameters:" + missing + "not provided in request");
      outputError(httpResp, "Error: required parameters: " + missing + "not provided in request");
      return;
    }

    String auditMessage = null;
    String auditSubjectID = auditSubjectID();
    String auditParams =
        "host;;"
            + host
            + "+name;;"
            + name
            + "+sport;;"
            + sport
            + "+clone;;"
            + clone
            + "+type;;"
            + type;
    if (operation != null) {
      auditParams += "+operation;;" + operation;
    } else {
      auditParams += "+operation;;add";
    }

    String basedn = null;
    String secstore = null;

    IConfigStore cs = CMS.getConfigStore();

    try {
      basedn = cs.getString("internaldb.basedn");
      secstore = cs.getString("securitydomain.store");
    } catch (Exception e) {
      CMS.debug(
          "Unable to determine security domain name or basedn. Please run the domaininfo migration script");
    }

    if ((basedn != null) && (secstore != null) && (secstore.equals("ldap"))) {
      // update in ldap

      LDAPEntry entry = null;
      String listName = type + "List";
      String cn = host + ":";

      if ((adminsport != null) && (adminsport != "")) {
        cn += adminsport;
      } else {
        cn += sport;
      }

      String dn = "cn=" + cn + ",cn=" + listName + ",ou=Security Domain," + basedn;
      CMS.debug("UpdateDomainXML: updating LDAP entry: " + dn);

      LDAPAttributeSet attrs = null;
      attrs = new LDAPAttributeSet();
      attrs.add(new LDAPAttribute("objectclass", "top"));
      attrs.add(new LDAPAttribute("objectclass", "pkiSubsystem"));
      attrs.add(new LDAPAttribute("cn", cn));
      attrs.add(new LDAPAttribute("Host", host));
      attrs.add(new LDAPAttribute("SecurePort", sport));

      if ((agentsport != null) && (!agentsport.equals(""))) {
        attrs.add(new LDAPAttribute("SecureAgentPort", agentsport));
      }
      if ((adminsport != null) && (!adminsport.equals(""))) {
        attrs.add(new LDAPAttribute("SecureAdminPort", adminsport));
      }
      if ((httpport != null) && (!httpport.equals(""))) {
        attrs.add(new LDAPAttribute("UnSecurePort", httpport));
      }
      if ((eecaport != null) && (!eecaport.equals(""))) {
        attrs.add(new LDAPAttribute("SecureEEClientAuthPort", eecaport));
      }
      if ((domainmgr != null) && (!domainmgr.equals(""))) {
        attrs.add(new LDAPAttribute("DomainManager", domainmgr.toUpperCase()));
      }
      attrs.add(new LDAPAttribute("clone", clone.toUpperCase()));
      attrs.add(new LDAPAttribute("SubsystemName", name));
      entry = new LDAPEntry(dn, attrs);

      if ((operation != null) && (operation.equals("remove"))) {
        status = remove_from_ldap(dn);
        String adminUserDN;
        if ((agentsport != null) && (!agentsport.equals(""))) {
          adminUserDN = "uid=" + type + "-" + host + "-" + agentsport + ",ou=People," + basedn;
        } else {
          adminUserDN = "uid=" + type + "-" + host + "-" + sport + ",ou=People," + basedn;
        }
        String userAuditParams =
            "Scope;;users+Operation;;OP_DELETE+source;;UpdateDomainXML"
                + "+resource;;"
                + adminUserDN;
        if (status.equals(SUCCESS)) {
          // remove the user for this subsystem's admin
          status2 = remove_from_ldap(adminUserDN);
          if (status2.equals(SUCCESS)) {
            auditMessage =
                CMS.getLogMessage(
                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
                    auditSubjectID,
                    ILogger.SUCCESS,
                    userAuditParams);
            audit(auditMessage);

            // remove this user from the subsystem group
            userAuditParams =
                "Scope;;groups+Operation;;OP_DELETE_USER"
                    + "+source;;UpdateDomainXML"
                    + "+resource;;Subsystem Group+user;;"
                    + adminUserDN;
            dn = "cn=Subsystem Group, ou=groups," + basedn;
            LDAPModification mod =
                new LDAPModification(
                    LDAPModification.DELETE, new LDAPAttribute("uniqueMember", adminUserDN));
            status2 = modify_ldap(dn, mod);
            if (status2.equals(SUCCESS)) {
              auditMessage =
                  CMS.getLogMessage(
                      LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
                      auditSubjectID,
                      ILogger.SUCCESS,
                      userAuditParams);
            } else {
              auditMessage =
                  CMS.getLogMessage(
                      LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
                      auditSubjectID,
                      ILogger.FAILURE,
                      userAuditParams);
            }
            audit(auditMessage);
          } else { // error deleting user
            auditMessage =
                CMS.getLogMessage(
                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
                    auditSubjectID,
                    ILogger.FAILURE,
                    userAuditParams);
            audit(auditMessage);
          }
        }
      } else {
        status = add_to_ldap(entry, dn);
      }
    } else {
      // update the domain.xml file
      String path = CMS.getConfigStore().getString("instanceRoot", "") + "/conf/domain.xml";

      CMS.debug("UpdateDomainXML: got path=" + path);

      try {
        // using domain.xml file
        CMS.debug("UpdateDomainXML: Inserting new domain info");
        XMLObject parser = new XMLObject(new FileInputStream(path));
        Node n = parser.getContainer(list);
        int count = 0;

        if ((operation != null) && (operation.equals("remove"))) {
          // delete node
          Document doc = parser.getDocument();
          NodeList nodeList = doc.getElementsByTagName(type);
          int len = nodeList.getLength();

          for (int i = 0; i < len; i++) {
            Node nn = nodeList.item(i);
            Vector<String> v_name = parser.getValuesFromContainer(nn, "SubsystemName");
            Vector<String> v_host = parser.getValuesFromContainer(nn, "Host");
            Vector<String> v_adminport = parser.getValuesFromContainer(nn, "SecureAdminPort");
            if ((v_name.elementAt(0).equals(name))
                && (v_host.elementAt(0).equals(host))
                && (v_adminport.elementAt(0).equals(adminsport))) {
              Node parent = nn.getParentNode();
              parent.removeChild(nn);
              count--;
              break;
            }
          }
        } else {
          // add node
          Node parent = parser.createContainer(n, type);
          parser.addItemToContainer(parent, "SubsystemName", name);
          parser.addItemToContainer(parent, "Host", host);
          parser.addItemToContainer(parent, "SecurePort", sport);
          parser.addItemToContainer(parent, "SecureAgentPort", agentsport);
          parser.addItemToContainer(parent, "SecureAdminPort", adminsport);
          parser.addItemToContainer(parent, "SecureEEClientAuthPort", eecaport);
          parser.addItemToContainer(parent, "UnSecurePort", httpport);
          parser.addItemToContainer(parent, "DomainManager", domainmgr.toUpperCase());
          parser.addItemToContainer(parent, "Clone", clone.toUpperCase());
          count++;
        }
        // update count

        String countS = "";
        NodeList nlist = n.getChildNodes();
        Node countnode = null;
        for (int i = 0; i < nlist.getLength(); i++) {
          Element nn = (Element) nlist.item(i);
          String tagname = nn.getTagName();
          if (tagname.equals("SubsystemCount")) {
            countnode = nn;
            NodeList nlist1 = nn.getChildNodes();
            Node nn1 = nlist1.item(0);
            countS = nn1.getNodeValue();
            break;
          }
        }

        CMS.debug("UpdateDomainXML process: SubsystemCount=" + countS);
        try {
          count += Integer.parseInt(countS);
        } catch (Exception ee) {
        }

        n.removeChild(countnode);
        parser.addItemToContainer(n, "SubsystemCount", "" + count);

        // recreate domain.xml
        CMS.debug("UpdateDomainXML: Recreating domain.xml");
        byte[] b = parser.toByteArray();
        FileOutputStream fos = new FileOutputStream(path);
        fos.write(b);
        fos.close();
      } catch (Exception e) {
        CMS.debug("Failed to update domain.xml file" + e.toString());
        status = FAILED;
      }
    }

    if (status.equals(SUCCESS)) {
      auditMessage =
          CMS.getLogMessage(
              LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
              auditSubjectID,
              ILogger.SUCCESS,
              auditParams);
    } else {
      // what if already exists or already deleted
      auditMessage =
          CMS.getLogMessage(
              LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
              auditSubjectID,
              ILogger.FAILURE,
              auditParams);
    }
    audit(auditMessage);

    if (status.equals(SUCCESS) && status2.equals(SUCCESS)) {
      status = SUCCESS;
    } else {
      status = FAILED;
    }

    try {
      // send success status back to the requestor
      CMS.debug("UpdateDomainXML: Sending response");
      XMLObject xmlObj = new XMLObject();
      Node root = xmlObj.createRoot("XMLResponse");

      xmlObj.addItemToContainer(root, "Status", status);
      byte[] cb = xmlObj.toByteArray();

      outputResult(httpResp, "application/xml", cb);
    } catch (Exception e) {
      CMS.debug("UpdateDomainXML: Failed to send the XML output" + e.toString());
    }
  }
Пример #2
0
  /**
   * Process the HTTP request.
   *
   * <ul>
   *   <li>http.param recoveryID ID of request to recover
   * </ul>
   *
   * @param cmsReq the object holding the request and response information
   */
  public void process(CMSRequest cmsReq) throws EBaseException {

    HttpServletRequest req = cmsReq.getHttpReq();
    HttpServletResponse resp = cmsReq.getHttpResp();
    String auditMessage = null;
    String recoveryID = null;
    String agent = null;

    IAuthToken authToken = authenticate(cmsReq);

    AuthzToken authzToken = null;

    try {
      authzToken = authorize(mAclMethod, authToken, mAuthzResourceName, "download");
    } catch (EAuthzAccessDenied e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
    } catch (Exception e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
    }

    if (authzToken == null) {
      cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
      return;
    }

    CMSTemplate form = null;
    Locale[] locale = new Locale[1];

    try {
      form = getTemplate(mFormPath, req, locale);
    } catch (IOException e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_GET_TEMPLATE", mFormPath, e.toString()));
      throw new ECMSGWException(CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"));
    }

    cmsReq.setStatus(ICMSRequest.SUCCESS);
    IArgBlock header = CMS.createArgBlock();
    IArgBlock fixed = CMS.createArgBlock();
    CMSTemplateParams argSet = new CMSTemplateParams(header, fixed);

    // get status and populate argSet
    try {
      recoveryID = req.getParameter("recoveryID");

      header.addStringValue("recoveryID", recoveryID);

      Hashtable<String, Object> params = mService.getRecoveryParams(recoveryID);

      if (params == null) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_NO_RECOVERY_TOKEN_FOUND_1", recoveryID));
        throw new ECMSGWException(CMS.getUserMessage("CMS_GW_NO_RECOVERY_TOKEN_FOUND", recoveryID));
      }

      // only the init DRM agent can get the pkcs12
      SessionContext sContext = SessionContext.getContext();
      if (sContext != null) {
        agent = (String) sContext.get(SessionContext.USER_ID);
      }

      if (agent == null) {
        CMS.debug("GetPk12::process() - agent is null!");
        throw new EBaseException("agent is null");
      }

      String initAgent = (String) params.get("agent");

      if (!agent.equals(initAgent)) {
        log(ILogger.LL_SECURITY, CMS.getLogMessage("CMSGW_INVALID_AGENT_3", recoveryID, initAgent));

        throw new ECMSGWException(
            CMS.getUserMessage("CMS_GW_INVALID_AGENT", agent, initAgent, recoveryID));
      }

      header.addStringValue("serialNumber", (String) params.get("keyID"));

      // got all approval, return pk12
      byte pkcs12[] = ((IKeyRecoveryAuthority) mService).getPk12(recoveryID);

      if (pkcs12 != null) {
        mService.destroyRecoveryParams(recoveryID);
        try {
          resp.setContentType("application/x-pkcs12");
          resp.getOutputStream().write(pkcs12);
          mRenderResult = false;

          auditMessage =
              CMS.getLogMessage(
                  LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
                  agent,
                  ILogger.SUCCESS,
                  recoveryID,
                  "");

          audit(auditMessage);

          return;
        } catch (IOException e) {
          header.addStringValue(
              OUT_ERROR, CMS.getUserMessage(locale[0], "CMS_BASE_INTERNAL_ERROR", e.toString()));
        }
      } else if (((IKeyRecoveryAuthority) mService).getError(recoveryID) != null) {
        // error in recovery process
        header.addStringValue(OUT_ERROR, ((IKeyRecoveryAuthority) mService).getError(recoveryID));
      } else {
        // pk12 hasn't been created yet. Shouldn't get here
      }
    } catch (EBaseException e) {
      header.addStringValue(OUT_ERROR, e.toString(locale[0]));
    }

    if ((agent != null) && (recoveryID != null)) {
      auditMessage =
          CMS.getLogMessage(
              LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
              agent,
              ILogger.FAILURE,
              recoveryID,
              "");

      audit(auditMessage);
    }

    try {
      ServletOutputStream out = resp.getOutputStream();

      resp.setContentType("text/html");
      form.renderOutput(out, argSet);
    } catch (IOException e) {
      log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_STREAM_TEMPLATE", e.toString()));
      throw new ECMSGWException(CMS.getUserMessage("CMS_GW_DISPLAY_TEMPLATE_ERROR"));
    }

    cmsReq.setStatus(ICMSRequest.SUCCESS);
  }