From 0a5f725bd3a44b202ab12010381b5469c3118d13 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 8 Feb 2017 12:18:03 +1000
Subject: [PATCH 175/175] Add authn manager that reuses auth token from session
To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used. For external authentication support it is possible that the external authentication is sufficient to authenticate use of a problem; especially when the profile uses componenets like ExternalProcessConstraint to perform validation of the cert request against external sources of information. To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present. Part of: https://pagure.io/dogtagpki/issue/1359
---
 base/ca/shared/conf/CS.cfg | 2 +
 .../cms/authentication/SessionAuthentication.java | 167 +++++++++++++++++++++
 .../10.4.0/05-AddSessionAuthenticationPlugin | 51 +++++++
 3 files changed, 220 insertions(+)
 create mode 100644 base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
 create mode 100755 base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 3beb45c5392427dec411fda0bb12769b9d279f43..e4bbe5f35cf18a4f725713a5a75df591c11bd44f 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD
 auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication
 auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
 auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
+auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication
 auths.instance.TokenAuth.pluginName=TokenAuth
 auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
 auths.instance.AgentCertAuth.pluginName=AgentCertAuth
@@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth
 auths.instance.flatFileAuth.pluginName=FlatFileAuth
 auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt
 auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
+auths.instance.SessionAuthentication.pluginName=SessionAuthentication
 auths.revocationChecking.bufferSize=50
 auths.revocationChecking.ca=ca
 auths.revocationChecking.enabled=true
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
new file mode 100644
index 0000000000000000000000000000000000000000..27f08cd9989361709825ec3a632c123a3f7fc0ad
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
@@ -0,0 +1,167 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.authentication;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Locale;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.EMissingCredential;
+import com.netscape.certsrv.authentication.IAuthCredentials;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.profile.IProfile;
+import com.netscape.certsrv.profile.IProfileAuthenticator;
+import com.netscape.certsrv.property.IDescriptor;
+import com.netscape.certsrv.request.IRequest;
+
+/**
+ * Pull any existing auth token from the session context.
+ *
+ * Use with caution as a profile authenticator; if there is a
+ * session it will unconditionally approve the request
+ * (subject to constraints, etc).
+ */
+public class SessionAuthentication
+ implements IProfileAuthenticator {
+
+ private String instName = null;
+ private String implName = null;
+ private IConfigStore config = null;
+
+ public SessionAuthentication() {
+ }
+
+ public void init(String instName, String implName, IConfigStore config)
+ throws EBaseException {
+ this.instName = instName;
+ this.implName = implName;
+ this.config = config;
+ }
+
+ /**
+ * Gets the name of this authentication manager.
+ */
+ public String getName() {
+ return instName;
+ }
+
+ /**
+ * Gets the plugin name of authentication manager.
+ */
+ public String getImplName() {
+ return implName;
+ }
+
+ public boolean isSSLClientRequired() {
+ return false;
+ }
+
+ /**
+ * Authenticate user.
+ *
+ * @return the auth token from existing session context, if any.
+ * @throws EMissingCredential if no auth token or no session
+ */
+ public IAuthToken authenticate(IAuthCredentials authCred)
+ throws EMissingCredential {
+ SessionContext context = SessionContext.getExistingContext();
+
+ if (context == null)
+ throw new EMissingCredential("SessionAuthentication: no session");
+
+ IAuthToken authToken = (IAuthToken)
+ context.get(SessionContext.AUTH_TOKEN);
+
+ if (authToken == null)
+ throw new EMissingCredential("SessionAuthentication: no auth token");
+
+ return authToken;
+ }
+
+ public String[] getRequiredCreds() {
+ String[] requiredCreds = { };
+ return requiredCreds;
+ }
+
+ public String[] getConfigParams() {
+ return null;
+ }
+
+ /**
+ * prepare this authentication manager for shutdown.
+ */
+ public void shutdown() {
+ }
+
+ /**
+ * gets the configuretion substore used by this authentication
+ * manager
+ *
+ * @return configuration store
+ */
+ public IConfigStore getConfigStore() {
+ return config;
+ }
+
+ // Profile-related methods
+
+ public void init(IProfile profile, IConfigStore config) {
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT");
+ }
+
+ /**
+ * Retrieves a list of names of the value parameter.
+ */
+ public Enumeration getValueNames() {
+ return Collections.emptyEnumeration();
+ }
+
+ public boolean isValueWriteable(String name) {
+ return false;
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ return null;
+ }
+
+ public void populate(IAuthToken token, IRequest request) {
+ }
+}
diff --git a/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin
new file mode 100755
index 0000000000000000000000000000000000000000..62d508ed199f2643bc05bea78c7a80b22188ec4a
--- /dev/null
+++ b/base/server/upgrade/10.4.0/05-AddSessionAuthenticationPlugin
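Review bot: `getName(Locale)` and `getText(Locale)` return the `CMS_AUTHENTICATION_AGENT_NAME` and `CMS_AUTHENTICATION_AGENT_TEXT` messages, so any console or profile listing will present this plugin under the agent-certificate authenticator's name and description; it needs its own pair of keys in the message bundle (a constructed `CMS_AUTHENTICATION_SESSION_NAME`/`CMS_AUTHENTICATION_SESSION_TEXT`, say) whose text repeats the class-level warning that any existing session is accepted. `getConfigParams()` returns `null` while `getRequiredCreds()` returns an empty array; returning `new String[0]` from both spares callers that iterate the result a null check. `authenticate` hands back whatever token is in the session context without checking which authentication manager produced it or when, so its Javadoc should state that trust boundary, e.g. `Does not check which auth manager produced the token; deploy only on profiles whose constraints are sufficient on their own.`. Every method here implements `IProfileAuthenticator`, so each should carry `@Override`, and the two-line unbraced `if` statements in `authenticate` should be braced; the `AuthToken` import appears unused.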
@@ -0,0 +1,51 @@
+#!/usr/bin/python
+# Authors:
+# Fraser Tweedale
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+
+import pki
+from pki.server.upgrade import PKIServerUpgradeScriptlet
+
+
+class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet):
+ def __init__(self):
+ super(AddSessionAuthenticationPlugin, self).__init__()
+ self.message = 'Add SessionAuthentication to CS.cfg'
+
+ def upgrade_subsystem(self, instance, subsystem):
+ if subsystem.name == 'ca':
+ self.add_plugin(instance, subsystem)
+
+ def add_plugin(self, instance, subsystem): # pylint: disable=W0613
+ filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
+ self.backup(filename)
+
+ properties = pki.PropertyFile(filename)
+ properties.read()
+
+ properties.set(
+ 'auths.impl.SessionAuthentication.class',
+ 'com.netscape.cms.authentication.SessionAuthentication')
+ properties.set(
+ 'auths.instance.SessionAuthentication.pluginName',
+ 'SessionAuthentication')
+
+ properties.write()
-- 2.9.3
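Review bot: `add_plugin` waives the unused-`instance` warning with the numeric code `# pylint: disable=W0613`; the symbolic form `# pylint: disable=unused-argument` says what is being waived without a lookup and survives code renumbering. The scriptlet class has no docstring, so its effect is only discoverable from `self.message`; a one-liner such as `"""Register the SessionAuthentication auths plugin in the CA's CS.cfg."""` on `AddSessionAuthenticationPlugin` would cover it. `upgrade_subsystem` gates on `subsystem.name == 'ca'`, which matches the CS.cfg hunk in this commit touching only the CA template; if the plugin is meant to stay CA-only, a short comment on that `if` saying so would keep a later KRA/OCSP change from silently widening it.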