Move CAEngine.readAuthority() to AuthorityMonitor
edewata committed Oct 5, 2023
1 parent 3e62f42 commit 1020049
Showing 2 changed files with 93 additions and 89 deletions.
97 changes: 93 additions & 4 deletions base/ca/src/main/java/com/netscape/ca/AuthorityMonitor.java
Expand Up @@ -24,7 +24,9 @@
import java.util.TreeMap;
import java.util.TreeSet;

import org.dogtagpki.server.ca.AuthorityRecord;
import org.dogtagpki.server.ca.CAEngine;
import org.mozilla.jss.netscape.security.x509.X500Name;

import com.netscape.certsrv.ca.AuthorityID;
import com.netscape.certsrv.ca.ECAException;
Expand Down Expand Up @@ -161,7 +163,7 @@ public void run() {
switch (changeType) {
case LDAPPersistSearchControl.ADD:
logger.debug("AuthorityMonitor: ADD");
engine.readAuthority(entry);
readAuthority(entry);
break;
case LDAPPersistSearchControl.DELETE:
logger.debug("AuthorityMonitor: DELETE");
Expand All @@ -170,7 +172,7 @@ public void run() {
case LDAPPersistSearchControl.MODIFY:
logger.debug("AuthorityMonitor: MODIFY");
// TODO how do we handle authorityID change?
engine.readAuthority(entry);
readAuthority(entry);
break;
case LDAPPersistSearchControl.MODDN:
logger.debug("AuthorityMonitor: MODDN");
Expand All @@ -183,7 +185,7 @@ public void run() {

} else {
logger.debug("AuthorityMonitor: immediate result");
engine.readAuthority(entry);
readAuthority(entry);
loader.increment();
}
}
Expand Down Expand Up @@ -238,7 +240,7 @@ private synchronized void handleMODDN(DN oldDN, LDAPEntry entry) throws Exceptio
}

} else if (!wasMonitored && isMonitored) {
engine.readAuthority(entry);
readAuthority(entry);
}
}

Expand Down Expand Up @@ -279,6 +281,93 @@ private synchronized void handleDELETE(LDAPEntry entry) {
}
}

public synchronized void readAuthority(LDAPEntry entry) throws Exception {

logger.info("AuthorityMonitor: Loading authority record " + entry.getDN());

CAEngine engine = CAEngine.getInstance();
AuthorityRecord record;
try {
record = engine.getAuthorityRecord(entry);
} catch (Exception e) {
logger.warn("Unable to load authority record: " + e.getMessage(), e);
return;
}

String nsUniqueID = record.getNSUniqueID();
if (deletedNsUniqueIds.contains(nsUniqueID)) {
logger.warn("AuthorityMonitor: ignoring entry with nsUniqueId '"
+ nsUniqueID + "' due to deletion");
return;
}

AuthorityID authorityID = record.getAuthorityID();
X500Name authorityDN = record.getAuthorityDN();
String description = record.getDescription();

// Determine if it is the host authority's entry, by
// comparing DNs. DNs must be serialized in case different
// encodings are used for AVA values, e.g. PrintableString
// from LDAP vs UTF8String in certificate.

CertificateAuthority hostCA = engine.getCA();

if (authorityDN.toString().equals(hostCA.getX500Name().toString())) {
logger.info("AuthorityMonitor: Updating host CA");
foundHostCA = true;

logger.info("AuthorityMonitor: - ID: " + authorityID);
hostCA.setAuthorityID(authorityID);

logger.info("AuthorityMonitor: - description: " + description);
hostCA.setAuthorityDescription(description);

addCA(authorityID, hostCA);

return;
}

BigInteger newEntryUSN = record.getEntryUSN();
logger.debug("AuthorityMonitor: new entryUSN: " + newEntryUSN);

if (newEntryUSN == null) {
logger.debug("AuthorityMonitor: no entryUSN");
if (!engine.entryUSNPluginEnabled()) {
logger.warn("AuthorityMonitor: dirsrv USN plugin is not enabled; skipping entry");
logger.warn("Lightweight authority entry has no"
+ " entryUSN attribute and USN plugin not enabled;"
+ " skipping. Enable dirsrv USN plugin.");
return;

}

logger.debug("AuthorityMonitor: dirsrv USN plugin is enabled; continuing");
// entryUSN plugin is enabled, but no entryUSN attribute. We
// can proceed because future modifications will result in the
// entryUSN attribute being added.
}

BigInteger knownEntryUSN = entryUSNs.get(authorityID);
if (newEntryUSN != null && knownEntryUSN != null) {
logger.debug("AuthorityMonitor: known entryUSN: " + knownEntryUSN);
if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
logger.debug("AuthorityMonitor: data is current");
return;
}
}

try {
CertificateAuthority ca = engine.createCA(record);

addCA(authorityID, ca);
entryUSNs.put(authorityID, newEntryUSN);
nsUniqueIds.put(authorityID, nsUniqueID);

} catch (Exception e) {
logger.warn("AuthorityMonitor: Error initializing lightweight CA: " + e.getMessage(), e);
}
}

public void addCA(AuthorityID aid, CertificateAuthority ca) {
authorities.put(aid, ca);
}
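Review bot: The moved readAuthority() is now `synchronized` on the AuthorityMonitor instance rather than on the CAEngine, yet it still calls back into the engine under that lock (`engine.getCA()`, `engine.entryUSNPluginEnabled()`, `engine.createCA(record)`), which silently changes the locking discipline rather than just the code's location. The deleted side shows `CAEngine.deleteAuthorityEntry` is `synchronized` on the engine and calls `authorityMonitor.removeCA(aid)`; if removeCA is synchronized on the monitor (handleMODDN/handleDELETE visibly are) and createCA or getCA take the engine lock, the two paths acquire monitor and engine locks in opposite orders and can deadlock under a concurrent LDAP change and an admin delete. I cannot see removeCA or createCA from this hunk, so this is a risk to confirm, but at minimum the lock discipline should be stated above the method, e.g. `// Holds the AuthorityMonitor lock while calling into CAEngine; callers must not invoke this while holding the engine lock (cf. deleteAuthorityEntry -> removeCA).` If the engine methods do lock, consider resolving the record and creating the CA outside the monitor lock and only synchronizing the map updates (`addCA`, `entryUSNs.put`, `nsUniqueIds.put`).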
85 changes: 0 additions & 85 deletions base/ca/src/main/java/org/dogtagpki/server/ca/CAEngine.java
Expand Up @@ -1406,91 +1406,6 @@ public synchronized void deleteAuthorityEntry(AuthorityID aid) throws EBaseExcep
authorityMonitor.removeCA(aid);
}

public synchronized void readAuthority(LDAPEntry entry) throws Exception {

logger.info("CAEngine: Loading authority record " + entry.getDN());

AuthorityRecord record;
try {
record = getAuthorityRecord(entry);
} catch (Exception e) {
logger.warn("Unable to load authority record: " + e.getMessage(), e);
return;
}

String nsUniqueId = record.getNSUniqueID();
if (authorityMonitor.deletedNsUniqueIds.contains(nsUniqueId)) {
logger.warn("CAEngine: ignoring entry with nsUniqueId '"
+ nsUniqueId + "' due to deletion");
return;
}

AuthorityID aid = record.getAuthorityID();
X500Name dn = record.getAuthorityDN();
String desc = record.getDescription();

// Determine if it is the host authority's entry, by
// comparing DNs. DNs must be serialized in case different
// encodings are used for AVA values, e.g. PrintableString
// from LDAP vs UTF8String in certificate.

CertificateAuthority hostCA = getCA();

if (dn.toString().equals(hostCA.getX500Name().toString())) {
logger.info("CAEngine: Updating host CA");
authorityMonitor.foundHostCA = true;

logger.info("CAEngine: - ID: " + aid);
hostCA.setAuthorityID(aid);

logger.info("CAEngine: - description: " + desc);
hostCA.setAuthorityDescription(desc);

authorityMonitor.addCA(aid, hostCA);

return;
}

BigInteger newEntryUSN = record.getEntryUSN();
logger.debug("CAEngine: new entryUSN: " + newEntryUSN);

if (newEntryUSN == null) {
logger.debug("CAEngine: no entryUSN");
if (!entryUSNPluginEnabled()) {
logger.warn("CAEngine: dirsrv USN plugin is not enabled; skipping entry");
logger.warn("Lightweight authority entry has no"
+ " entryUSN attribute and USN plugin not enabled;"
+ " skipping. Enable dirsrv USN plugin.");
return;
}

logger.debug("CAEngine: dirsrv USN plugin is enabled; continuing");
// entryUSN plugin is enabled, but no entryUSN attribute. We
// can proceed because future modifications will result in the
// entryUSN attribute being added.
}

BigInteger knownEntryUSN = authorityMonitor.entryUSNs.get(aid);
if (newEntryUSN != null && knownEntryUSN != null) {
logger.debug("CAEngine: known entryUSN: " + knownEntryUSN);
if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
logger.debug("CAEngine: data is current");
return;
}
}

try {
CertificateAuthority ca = createCA(record);

authorityMonitor.addCA(aid, ca);
authorityMonitor.entryUSNs.put(aid, newEntryUSN);
authorityMonitor.nsUniqueIds.put(aid, nsUniqueId);

} catch (Exception e) {
logger.warn("CAEngine: Error initializing lightweight CA: " + e.getMessage(), e);
}
}

/**
* Add an LDAP entry for the host authority.
*
