Bug 676421 - CC: Remove unused TPS interface calls and add audit logging
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: TPS
Version: 9.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 445047
Reported: 2011-02-09 19:43 UTC by Ade Lee
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-04 20:27:12 UTC
Embargoed:


Attachments
patch to fix (9.74 KB, patch)
2011-02-09 19:45 UTC, Ade Lee
cfu: review+

Description Ade Lee 2011-02-09 19:43:06 UTC
Description of problem:
In documenting the TPS TUS interfaces, it was determined that there are interfaces that are no longer used, and that should be removed.
Specifically, op=revoke, op=load, op=edit_admin.

Also, more audit logging is required for op=addUser


Comment 1 Ade Lee 2011-02-09 19:45:43 UTC
Created attachment 477892
patch to fix

Comment 2 Ade Lee 2011-02-09 20:06:04 UTC
8.1:

[vakwetu@goofy-vm4 redhat]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" tps-ui
Authentication realm: <https://svn.devel.redhat.com:443> Red Hat only: Kerberos Login
Password for 'alee': 
Sending        tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 15838.

[vakwetu@goofy-vm4 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1834.

tip:

[vakwetu@dhcp231-121 tps-ui]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 1835.

[vakwetu@dhcp231-121 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" 
Sending        tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1836.

Comment 3 Asha Akkiangady 2011-05-10 16:37:13 UTC
Tested TPS TUS interfaces op=revoke, op=load, op=edit_admin:
- op=revoke and op=load are removed. 
- op=edit_admin throws message "too many tokens to edit".

Tested audit logging for the op=addUser by adding a user in the TPS UI:

- Signed audit log contains first name and last name used
[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=givenName;;test_agent+sn;;user1] tokendb user added

- Signed audit log has audit messages indicating the roles added
[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;operator] user deleted from role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;agent] user added to role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;admin] user deleted from role


Ade will be looking into the "op=edit_admin" issue later today.

Comment 4 Ade Lee 2011-05-12 20:37:54 UTC
What's happening is that the TPS is looking for a string that starts with op=edit ...
You could try op=edit_foo and get the same result.  This is sloppy programming but not a bug per se, because the operation op=edit has its own authorization code etc.

We should fix it to be more specific, and will likely do that in future - but it works for now.
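
The difference between the prefix test described in Comment 4 and an exact match on the op value, as an added C++ example (not part of the original comment and not the Dogtag code, which this page does not show). The function names, the two-entry allow-list and the sample query strings are assumptions made for illustration.

```cpp
// Added illustration; all names are hypothetical, not taken from mod_tokendb.cpp.
#include <iostream>
#include <string>

// Prefix test of the kind Comment 4 describes: any query starting "op=edit" matches,
// so op=edit_admin and op=edit_foo both reach the op=edit handler.
static bool is_edit_prefix(const std::string &query) {
    return query.compare(0, 7, "op=edit") == 0;
}

// Return the full value of the "op" parameter from a query string such as
// "tid=1&op=edit_admin", or "" when no op parameter is present.
static std::string op_value(const std::string &query) {
    std::string::size_type pos = 0;
    while (pos <= query.size()) {
        std::string::size_type end = query.find('&', pos);
        if (end == std::string::npos) end = query.size();
        const std::string pair = query.substr(pos, end - pos);
        if (pair.compare(0, 3, "op=") == 0) return pair.substr(3);
        pos = end + 1;
    }
    return "";
}

// Exact dispatch: compare the whole op value against an allow-list and
// reject everything else, including removed or misspelled operations.
enum class Op { Edit, AddUser, Unknown };

static Op dispatch_exact(const std::string &query) {
    const std::string op = op_value(query);
    if (op == "edit") return Op::Edit;
    if (op == "addUser") return Op::AddUser;
    return Op::Unknown;
}

int main() {
    // Constructed sample query strings.
    const char *samples[] = {"op=edit", "op=edit_admin", "op=edit_foo", "op=revoke"};
    for (const char *q : samples) {
        std::cout << q << ": prefix=" << is_edit_prefix(q)
                  << " exact_is_edit=" << (dispatch_exact(q) == Op::Edit) << "\n";
    }
    return 0;
}
```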

Comment 5 Asha Akkiangady 2011-05-25 17:48:09 UTC
Filed a separate bug https://bugzilla.redhat.com/show_bug.cgi?id=707695 for the string parsing issue when op=edit.

Marking this bug verified.

