Description of problem:
In documenting the TPS TUS interfaces, it was determined that there are interfaces that are no longer used and that should be removed, specifically op=revoke, op=load, and op=edit_admin.
Also, more audit logging is required for op=addUser.
Created attachment 477892: patch to fix
8.1:

[vakwetu@goofy-vm4 redhat]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging" tps-ui
Authentication realm: <https://svn.devel.redhat.com:443> Red Hat only: Kerberos Login
Password for 'alee':
Sending tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 15838.

[vakwetu@goofy-vm4 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging"
Sending tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1834.

tip:

[vakwetu@dhcp231-121 tps-ui]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging"
Sending tps-ui/shared/docroot/tokendb/doToken.template
Transmitting file data .
Committed revision 1835.

[vakwetu@dhcp231-121 tps]$ svn ci -m "Bugzilla Bug 676421 - CC: Remove unused TPS interface calls and add audit logging"
Sending tps/src/modules/tokendb/mod_tokendb.cpp
Transmitting file data .
Committed revision 1836.
Tested TPS TUS interfaces op=revoke, op=load, op=edit_admin:
- op=revoke and op=load are removed.
- op=edit_admin throws message "too many tokens to edit".

Tested audit logging for the op=addUser by adding a user in the TPS UI:

- Signed audit log contains first name and last name used

[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=givenName;;test_agent+sn;;user1] tokendb user added

- Signed audit log has audit messages indicating the roles added

[2011-05-10 12:41:35] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;operator] user deleted from role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;agent] user added to role
[2011-05-10 12:41:36] a4879d0 [AuditEvent=CONFIG_ROLE][SubjectID=admin][Role=Admin][Outcome=success][Object=uid;;test_agent_user1][ParamNameValPairs=role;;admin] user deleted from role

Ade will be looking into the "op=edit_admin" issue later today.
What's happening is that the TPS is looking for a string that starts with op=edit ... You could try op=edit_foo and get the same result. This is sloppy programming but not a bug per se, because the operation op=edit has its own authorization code etc. We should fix it to be more specific, and will likely do that in future - but it works for now.
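The prefix matching described in the comment above, next to an exact match on the op parameter, as an added example that is not part of the bug report and is not code from mod_tokendb.cpp. The function names, the tid parameter and the sample query strings are hypothetical; the query is assumed to be already URL-decoded.

```cpp
// Added illustration: hypothetical helpers, not taken from mod_tokendb.cpp.
#include <iostream>
#include <string>

// Prefix test of the kind the comment describes: any query string that
// begins with "op=edit" is routed to the edit operation.
bool is_edit_prefix(const std::string &query) {
    return query.compare(0, 7, "op=edit") == 0;
}

// Extract the value of one parameter from an '&'-separated query string.
// Returns false when the parameter is absent. Assumes a decoded query.
bool get_param(const std::string &query, const std::string &name,
               std::string &out) {
    std::string::size_type pos = 0;
    while (pos <= query.size()) {
        std::string::size_type end = query.find('&', pos);
        if (end == std::string::npos) end = query.size();
        const std::string pair = query.substr(pos, end - pos);
        const std::string::size_type eq = pair.find('=');
        if (eq != std::string::npos && pair.substr(0, eq) == name) {
            out = pair.substr(eq + 1);
            return true;
        }
        pos = end + 1;
    }
    return false;
}

// Stricter test: the op parameter must be exactly "edit", so op=edit_admin
// and op=edit_foo fall through to the unknown-operation path.
bool is_edit_exact(const std::string &query) {
    std::string op;
    return get_param(query, "op", op) && op == "edit";
}

int main() {
    // Constructed sample queries.
    const char *samples[] = {"op=edit&tid=0001", "op=edit_admin&tid=0001",
                             "op=edit_foo", "tid=0001&op=edit"};
    for (const char *q : samples) {
        std::cout << q << " prefix=" << is_edit_prefix(q)
                  << " exact=" << is_edit_exact(q) << "\n";
    }
    return 0;
}
```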
Filed a separate bug https://bugzilla.redhat.com/show_bug.cgi?id=707695 for the string parsing issue when op=edit. Marking this bug verified.