From 24a48dbf79c327d57371b91ae6cc4b1997e1fb00 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 8 Feb 2017 11:55:13 +1000
Subject: [PATCH 173/175] CertProcessor: set external principal attributes into request
When processing a certificate request, if the authenticated principal is an ExternalPrincipal, add its whole attribute map to the IRequest. This provides a way for AJP request attributes to be propagated through the profile system to profile components like ExternalProcessConstraint. One such attribute that is needed for GSS-API support is "KRB5CCNAME".
Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../netscape/cms/servlet/cert/CertProcessor.java | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 47b522208af05486a22abdd6196d8385dd615857..be59e4c0a94b603a6f077352ab7b3117cd266b32 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -18,6 +18,7 @@ package com.netscape.cms.servlet.cert;
 import java.math.BigInteger;
+import java.security.Principal;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashMap;
@@ -26,6 +27,7 @@ import java.util.Locale;
 import javax.servlet.http.HttpServletRequest;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -45,6 +47,7 @@ import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.common.AuthCredentials;
 import com.netscape.cms.servlet.processors.CAProcessor;
+import com.netscape.cms.tomcat.ExternalPrincipal;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 public class CertProcessor extends CAProcessor {
@@ -138,6 +141,24 @@ public class CertProcessor extends CAProcessor {
 }
 }
 }
+
+ // special processing of ExternalAuthToken / ExternalPrincipal
+ if (authToken instanceof ExternalAuthToken) {
+ Principal principal =
+ ((ExternalAuthToken) authToken).getPrincipal();
+ if (principal instanceof ExternalPrincipal) {
+ HashMap m =
+ ((ExternalPrincipal) principal).getAttributes();
+ for (String k : m.keySet()) {
+ req.setExtData(
+ IRequest.AUTH_TOKEN_PREFIX
+ + "." + "PRINCIPAL"
+ + "." + k
+ , m.get(k).toString()
+ );
+ }
+ }
+ }
 }
 /*
--
2.9.3
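Review bot: The loop over `m.keySet()` in the added block copies every attribute of the ExternalPrincipal into the request under `IRequest.AUTH_TOKEN_PREFIX + ".PRINCIPAL." + k`, with no restriction on which keys are accepted. The commit description says these values start out as AJP request attributes, so the set of names is decided by whatever sits in front of the servlet container, and all of them land in request data that profile components read next to the authentication token; copying only an explicit allow-list of names (the description names just `KRB5CCNAME`) would bound that. If extended data is stored with the request record, these values also outlive the HTTP request, which is worth confirming for something like a credential cache location. `m.get(k).toString()` also throws NullPointerException for an attribute whose value is null, and `m.keySet()` does if `getAttributes()` returns null, which the hunk does not rule out; iterating `m.entrySet()` and skipping null values with `if (e.getValue() == null) continue;` avoids both the double lookup and the first case. The enclosing method begins outside the hunk.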