Bug 676421

Summary: CC: Remove unused TPS interface calls and add audit logging
Product: [Retired] Dogtag Certificate System
Reporter: Ade Lee <alee>
Component: TPS
Assignee: Ade Lee <alee>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: high
Version: 9.0
CC: aakkiang, alee, benl, jmagne
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-04 20:27:12 UTC
Bug Blocks: 445047
Attachments: patch to fix (flags: cfu: review+)

Description Ade Lee 2011-02-09 19:43:06 UTC
Description of problem:
In documenting the TPS TUS interfaces, it was determined that there are interfaces that are no longer used, and that should be removed.
Specifically, op=revoke, op=load, op=edit_admin.

Also, more audit logging is required for op=addUser


Comment 1 Ade Lee 2011-02-09 19:45:43 UTC
Created attachment 477892
patch to fix

Comment 2 Ade Lee 2011-02-09 20:06:04 UTC
8.1:

[vakwetu@goofy-vm4 redhat]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" tps-ui
Authentication realm: <https://svn.devel.redhat.com:443> Red Hat only: Kerberos Login
Password for 'alee': 
Sending        tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 15838.

[vakwetu@goofy-vm4 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1834.

tip:

[vakwetu@dhcp231-121 tps-ui]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 1835.

[vakwetu@dhcp231-121 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1836.

Comment 3 Asha Akkiangady 2011-05-10 16:37:13 UTC
Tested TPS TUS interfaces op=revoke, op=load, op=edit_admin:
- op=revoke and op=load are removed. 
- op=edit_admin throws message "too many tokens to edit".

Tested audit logging for the op=addUser by adding a user in the TPS UI:

- Signed audit log contains first name and last name used
[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=givenName;;test_agent+sn;;user1] tokendb user added

- Signed audit log has audit messages indicating the roles added
[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;operator] user deleted from role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;agent] user added to role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;admin] user deleted from role


Ade will be looking into the "op=edit_admin" issue later today.

Comment 4 Ade Lee 2011-05-12 20:37:54 UTC
What's happening is that the tps is looking for a string that starts op=edit ...
You could try op=edit_foo and get the same result.  This is sloppy programming but not a bug per se, because the operation op=edit has its own authorization code etc.

We should fix it to be more specific, and will likely do that in future - but it works for now.
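
The prefix-matching behaviour described in comment 4, next to an exact-match dispatch, as an added example that is not part of the original comments and is not the mod_tokendb.cpp source. The function names, the `tid` parameter and the two-entry allow-list (taken from the operations this thread says remain in use) are assumptions made for illustration.

```cpp
#include <cstring>
#include <iostream>
#include <set>
#include <string>

// Model of the loose check described in comment 4: any query that starts
// with "op=edit" is treated as op=edit. Not the mod_tokendb.cpp source.
bool loose_is_edit(const std::string &query) {
    return std::strncmp(query.c_str(), "op=edit", 7) == 0;
}

// Return the exact value of the "op" parameter, or "" when it is absent.
// Splitting on '&' and '=' means "op=edit_admin" yields "edit_admin" and
// "xop=edit" yields nothing, so neither can pass as "edit".
std::string get_op(const std::string &query) {
    size_t pos = 0;
    while (pos <= query.size()) {
        size_t end = query.find('&', pos);
        if (end == std::string::npos) end = query.size();
        const std::string pair = query.substr(pos, end - pos);
        const size_t eq = pair.find('=');
        if (eq != std::string::npos && pair.compare(0, eq, "op") == 0)
            return pair.substr(eq + 1);
        pos = end + 1;
    }
    return "";
}

bool strict_is_edit(const std::string &query) { return get_op(query) == "edit"; }

// Allow-list built only from operations this thread says remain in use;
// it is an assumption for the example, not the full TPS operation set.
bool strict_is_allowed(const std::string &query) {
    static const std::set<std::string> allowed = {"edit", "addUser"};
    return allowed.count(get_op(query)) > 0;
}

int main() {
    // Constructed sample queries; "tid" is a made-up parameter name.
    const char *samples[] = {"op=edit&tid=1", "op=edit_admin&tid=1",
                             "op=edit_foo", "tid=1&op=edit", "op=revoke"};
    for (const char *q : samples)
        std::cout << q << "  loose_edit=" << loose_is_edit(q)
                  << "  strict_edit=" << strict_is_edit(q)
                  << "  allowed=" << strict_is_allowed(q) << "\n";
    return 0;
}
```

With exact matching, a removed or unknown operation name is rejected before any handler runs, so it cannot reach the op=edit code path by sharing its prefix.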

Comment 5 Asha Akkiangady 2011-05-25 17:48:09 UTC
Filed a separate bug https://bugzilla.redhat.com/show_bug.cgi?id=707695 for the string parsing issue when op=edit.

Marking this bug verified.