Commit 14f92286 authored by Brian Major's avatar Brian Major

t66402 - Check for changes to admin users and admin groups before modification

parent ee7cd2c3
...@@ -69,18 +69,16 @@ ...@@ -69,18 +69,16 @@
package ca.nrc.cadc.ac.server.ldap; package ca.nrc.cadc.ac.server.ldap;
import javax.net.SocketFactory; import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import java.io.File;
import java.net.MalformedURLException; import org.apache.log4j.Logger;
import java.security.*; import java.security.*;
import java.security.cert.CertificateException;
import java.util.Set; import java.util.Set;
import com.unboundid.ldap.sdk.*; import com.unboundid.ldap.sdk.*;
import com.unboundid.util.ssl.*;
import ca.nrc.cadc.auth.*; import ca.nrc.cadc.auth.*;
import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.net.TransientException;
...@@ -88,6 +86,8 @@ import ca.nrc.cadc.net.TransientException; ...@@ -88,6 +86,8 @@ import ca.nrc.cadc.net.TransientException;
public abstract class LdapDAO public abstract class LdapDAO
{ {
private static final Logger logger = Logger.getLogger(LdapDAO.class);
private LDAPConnection conn; private LDAPConnection conn;
LdapConfig config; LdapConfig config;
...@@ -226,6 +226,8 @@ public abstract class LdapDAO ...@@ -226,6 +226,8 @@ public abstract class LdapDAO
protected static void checkLdapResult(ResultCode code) protected static void checkLdapResult(ResultCode code)
throws TransientException throws TransientException
{ {
logger.debug("Ldap result: " + code);
if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS) if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS)
{ {
throw new AccessControlException("Not authorized "); throw new AccessControlException("Not authorized ");
......
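Review bot: The `logger` added in hunk `@@ -88,6 +86,8 @@` is declared `private static final` on `LdapDAO`, so the `logger.debug(...)` calls this commit adds throughout `LdapGroupDAO` cannot resolve to it; unless `LdapGroupDAO` declares its own logger in a part of the file outside these hunks, that subclass will not compile, and if it does, a short comment on this field, `// subclasses declare their own logger so entries carry the concrete class name`, would make the intent clear. In `checkLdapResult` (hunk `@@ -226,6 +226,8 @@`), `"Ldap result: " + code` is built on every call regardless of log level; with log4j 1.x the usual form is `if (logger.isDebugEnabled()) { logger.debug("Ldap result: " + code); }`, though for a single `ResultCode` this is cheap enough to leave as is. The body of `checkLdapResult` continues past the end of the hunk.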
...@@ -200,6 +200,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -200,6 +200,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("addGroup Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode()); LdapDAO.checkLdapResult(e.getResultCode());
throw new RuntimeException("Unexpected LDAP exception", e); throw new RuntimeException("Unexpected LDAP exception", e);
} }
...@@ -295,14 +296,13 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -295,14 +296,13 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
if (searchResult.getAttributeValue("nsaccountlock") == null) if (searchResult.getAttributeValue("nsaccountlock") == null)
{ {
throw new throw new GroupAlreadyExistsException("Group already exists " + group.getID());
GroupAlreadyExistsException("Group already exists " + group.getID());
} }
// activate group // activate group
try try
{ {
return modifyGroup(group, true); return modifyGroup(null, group, true);
} }
catch (GroupNotFoundException e) catch (GroupNotFoundException e)
{ {
...@@ -312,6 +312,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -312,6 +312,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("reactivateGroup Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode()); LdapDAO.checkLdapResult(e.getResultCode());
throw new RuntimeException("Unexpected LDAP exception", e); throw new RuntimeException("Unexpected LDAP exception", e);
} }
...@@ -365,6 +366,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -365,6 +366,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e1) catch (LDAPException e1)
{ {
logger.debug("getGroupNames Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode()); LdapDAO.checkLdapResult(e1.getResultCode());
throw new IllegalStateException("Unexpected exception: " + e1.getMatchedDN(), e1); throw new IllegalStateException("Unexpected exception: " + e1.getMatchedDN(), e1);
} }
...@@ -561,6 +563,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -561,6 +563,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e1) catch (LDAPException e1)
{ {
logger.debug("getGroup Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode()); LdapDAO.checkLdapResult(e1.getResultCode());
throw new GroupNotFoundException("Not found " + groupID); throw new GroupNotFoundException("Not found " + groupID);
} }
...@@ -582,11 +585,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -582,11 +585,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throws GroupNotFoundException, TransientException, throws GroupNotFoundException, TransientException,
AccessControlException, UserNotFoundException AccessControlException, UserNotFoundException
{ {
getGroup(group.getID()); //group must exists first Group existing = getGroup(group.getID()); //group must exists first
return modifyGroup(group, false); return modifyGroup(existing, group, false);
} }
private Group modifyGroup(final Group group, boolean withActivate) private Group modifyGroup(final Group existing, final Group group, boolean withActivate)
throws UserNotFoundException, TransientException, throws UserNotFoundException, TransientException,
AccessControlException, GroupNotFoundException AccessControlException, GroupNotFoundException
{ {
...@@ -595,6 +598,8 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -595,6 +598,8 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throw new UnsupportedOperationException( throw new UnsupportedOperationException(
"Support for groups properties not available"); "Support for groups properties not available");
} }
boolean adminChanges = false;
List<Modification> mods = new ArrayList<Modification>(); List<Modification> mods = new ArrayList<Modification>();
List<Modification> adminMods = new ArrayList<Modification>(); List<Modification> adminMods = new ArrayList<Modification>();
...@@ -602,6 +607,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -602,6 +607,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
{ {
mods.add(new Modification(ModificationType.DELETE, "nsaccountlock")); mods.add(new Modification(ModificationType.DELETE, "nsaccountlock"));
adminMods.add(new Modification(ModificationType.DELETE, "nsaccountlock")); adminMods.add(new Modification(ModificationType.DELETE, "nsaccountlock"));
adminChanges = true;
} }
if (group.description == null) if (group.description == null)
...@@ -612,7 +618,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -612,7 +618,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
{ {
mods.add(new Modification(ModificationType.REPLACE, "description", group.description)); mods.add(new Modification(ModificationType.REPLACE, "description", group.description));
} }
Set<String> newMembers = new HashSet<String>(); Set<String> newMembers = new HashSet<String>();
for (User<?> member : group.getUserMembers()) for (User<?> member : group.getUserMembers())
...@@ -629,11 +634,27 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -629,11 +634,27 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
DN grDN = getGroupDN(gr.getID()); DN grDN = getGroupDN(gr.getID());
newMembers.add(grDN.toNormalizedString()); newMembers.add(grDN.toNormalizedString());
} }
Set<String> newAdmins = new HashSet<String>(); Set<String> newAdmins = new HashSet<String>();
Set<User<? extends Principal>> existingUserAdmins = new HashSet<User<? extends Principal>>(0);
if (existing != null)
{
existingUserAdmins = existing.getUserAdmins();
}
for (User<?> member : group.getUserAdmins()) for (User<?> member : group.getUserAdmins())
{ {
DN memberDN = userPersist.getUserDN(member); DN memberDN = userPersist.getUserDN(member);
newAdmins.add(memberDN.toNormalizedString()); newAdmins.add(memberDN.toNormalizedString());
if (!existingUserAdmins.contains(member))
{
adminChanges = true;
}
}
Set<Group> existingGroupAdmins = new HashSet<Group>(0);
if (existing != null)
{
existingGroupAdmins = existing.getGroupAdmins();
} }
for (Group gr : group.getGroupAdmins()) for (Group gr : group.getGroupAdmins())
{ {
...@@ -641,8 +662,13 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -641,8 +662,13 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
{ {
throw new GroupNotFoundException(gr.getID()); throw new GroupNotFoundException(gr.getID());
} }
DN grDN = getGroupDN(gr.getID());
newAdmins.add(grDN.toNormalizedString()); DN grDN = getGroupDN(gr.getID());
newAdmins.add(grDN.toNormalizedString());
if (!existingGroupAdmins.contains(gr))
{
adminChanges = true;
}
} }
mods.add(new Modification(ModificationType.REPLACE, "uniquemember", mods.add(new Modification(ModificationType.REPLACE, "uniquemember",
...@@ -650,18 +676,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -650,18 +676,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
adminMods.add(new Modification(ModificationType.REPLACE, "uniquemember", adminMods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newAdmins.toArray(new String[newAdmins.size()]))); (String[]) newAdmins.toArray(new String[newAdmins.size()])));
// modify admin group first
ModifyRequest modifyRequest = new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
try try
{ {
modifyRequest.addControl( // modify admin group first (if necessary)
new ProxiedAuthorizationV2RequestControl( if (adminChanges)
"dn:" + getSubjectDN().toNormalizedString())); {
LdapDAO.checkLdapResult(getConnection(). ModifyRequest modifyRequest = new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
modify(modifyRequest).getResultCode());
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode());
}
// modify the group itself now // modify the group itself now
modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods); ModifyRequest modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods);
modifyRequest.addControl( modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl( new ProxiedAuthorizationV2RequestControl(
...@@ -671,6 +701,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -671,6 +701,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e1) catch (LDAPException e1)
{ {
logger.debug("Modify Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode()); LdapDAO.checkLdapResult(e1.getResultCode());
} }
try try
...@@ -744,6 +775,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -744,6 +775,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e1) catch (LDAPException e1)
{ {
logger.debug("Delete Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode()); LdapDAO.checkLdapResult(e1.getResultCode());
} }
...@@ -835,6 +867,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -835,6 +867,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("getGroups Exception: " + e, e);
throw new TransientException("Error getting group", e); throw new TransientException("Error getting group", e);
} }
return groups; return groups;
...@@ -879,6 +912,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -879,6 +912,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e1) catch (LDAPException e1)
{ {
logger.debug("getOwnerGroups Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode()); LdapDAO.checkLdapResult(e1.getResultCode());
} }
return groupDNs; return groupDNs;
...@@ -1028,6 +1062,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -1028,6 +1062,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("getGroupDN Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode()); LdapDAO.checkLdapResult(e.getResultCode());
} }
throw new IllegalArgumentException(groupID + " not a valid group ID"); throw new IllegalArgumentException(groupID + " not a valid group ID");
...@@ -1046,6 +1081,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -1046,6 +1081,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("getAdminGroupDN Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode()); LdapDAO.checkLdapResult(e.getResultCode());
} }
throw new IllegalArgumentException(groupID + " not a valid group ID"); throw new IllegalArgumentException(groupID + " not a valid group ID");
...@@ -1072,6 +1108,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO ...@@ -1072,6 +1108,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
} }
catch (LDAPException e) catch (LDAPException e)
{ {
logger.debug("isCreatorOwner Exception: " + e, e);
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }
......
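Review bot: The `adminChanges` detection in hunks `@@ -629,11 +634,27 @@` and `@@ -641,8 +662,13 @@` only fires when the incoming group carries an admin that `existing` lacks, so removing a user or group admin leaves `adminChanges` false and the admin-group entry in hunk `@@ -650,18 +676,22 @@` is never rewritten — the removed principal silently keeps its admin rights in LDAP. Replace the two per-element `!contains` checks with a symmetric comparison after each loop, e.g. `if (!existingUserAdmins.equals(group.getUserAdmins())) { adminChanges = true; }` and `if (!existingGroupAdmins.equals(group.getGroupAdmins())) { adminChanges = true; }`, assuming those getters return `Set`s and that `User`/`Group` implement `equals`/`hashCode` consistently, which the existing `contains` calls already rely on. When `existing` is null the empty-set defaults make every admin in the new group count as a change, which is harmless on the reactivate path since `withActivate` already sets the flag. `modifyGroup` spans several hunks here and its body continues past the last one shown.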