Fixed gathering of operator credentials

cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java

@@ -72,9 +72,12 @@
 import java.io.PrintStream;
 import java.security.cert.CertificateException;
 
+import javax.security.auth.Subject;
+
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 
+import ca.nrc.cadc.auth.CertCmdArgUtil;
 import ca.nrc.cadc.util.ArgumentMap;
 import ca.nrc.cadc.util.Log4jInit;
 import ca.nrc.cadc.util.StringUtil;
@@ -95,6 +98,7 @@ public class CmdLineParser
     private Level logLevel = Level.OFF;
     private AbstractCommand command;
     private boolean isHelpCommand = false;
+    private ArgumentMap am;
 
     /**
      * Constructor.
@@ -105,7 +109,7 @@ public class CmdLineParser
     public CmdLineParser(final String[] args, final PrintStream outStream,
         final PrintStream errStream) throws UsageException, CertificateException
     {
-        ArgumentMap am = new ArgumentMap( args );
+        am = new ArgumentMap( args );
     	this.setLogLevel(am);
     	this.parse(am, outStream, errStream);
     }
@@ -127,6 +131,11 @@ public class CmdLineParser
     	return this.logLevel;
     }
 
+    public Subject getSubjectFromCert()
+    {
+        return CertCmdArgUtil.initSubject(am);
+    }
+
     /*
      * Set the log level.
      * @param am Input arguments
@@ -294,6 +303,8 @@ public class CmdLineParser
     	StringBuilder sb = new StringBuilder();
     	sb.append("\n");
     	sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n");
+    	sb.append(CertCmdArgUtil.getCertArgUsage());
+    	sb.append("\n");
     	sb.append("Where command is\n");
     	sb.append("--list                       : List users in the Users tree\n");
     	sb.append("--list-pending               : List users in the UserRequests tree\n");

cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java

@@ -69,19 +69,17 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.Principal;
-import java.util.HashSet;
 import java.util.Set;
 
 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.ac.server.ldap.LdapConfig;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.DelegationToken;
-import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.PrincipalExtractor;
 import ca.nrc.cadc.auth.SSOCookieCredential;
 import ca.nrc.cadc.auth.X509CertificateChain;
@@ -112,50 +110,59 @@ public class CommandRunner
         AbstractCommand command = commandLineParser.getCommand();
         command.setUserPersistence(userPersistence);
 
-        Principal userIDPrincipal = null;
+        Subject operatorSubject = new Subject();
+
         if (command instanceof AbstractUserCommand)
         {
-            userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            operatorSubject.getPrincipals().add(userIDPrincipal);
         }
-
-        if (userIDPrincipal == null)
+        else
         {
-            // run as the operator
-            LdapConfig config = LdapConfig.getLdapConfig();
-            String proxyDN = config.getProxyUserDN();
-            if (proxyDN == null)
-                throw new IllegalArgumentException("No ldap account in .dbrc");
-
-            String userIDLabel = "uid=";
-            int uidIndex = proxyDN.indexOf("uid=");
-            int commaIndex = proxyDN.indexOf(",", userIDLabel.length());
-            String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex);
-            userIDPrincipal = new HttpPrincipal(userID);
+            // run as the operator using their cert
+            Subject subjectFromCert = commandLineParser.getSubjectFromCert();
+
+            if (subjectFromCert == null)
+                throw new IllegalArgumentException("Certificate required");
+
+            Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class);
+            if (pSet.isEmpty())
+                throw new IllegalArgumentException("Certificate required");
+
+            operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
+            operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
         }
 
         // run as the user
-        LOGGER.debug("running as " + userIDPrincipal.getName());
-        Set<Principal> userPrincipals = new HashSet<Principal>(1);
-        userPrincipals.add(userIDPrincipal);
-        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals);
+        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(operatorSubject);
         Subject subject = AuthenticationUtil.getSubject(principalExtractor);
+        LOGGER.debug("running as: " + subject);
         Subject.doAs(subject, command);
     }
 
     class AnonPrincipalExtractor implements PrincipalExtractor
     {
-        Set<Principal> principals;
+        Subject s;
 
-        AnonPrincipalExtractor(Set<Principal> principals)
+        AnonPrincipalExtractor(Subject s)
         {
-            this.principals = principals;
+            this.s = s;
         }
         public Set<Principal> getPrincipals()
         {
-            return principals;
+            return s.getPrincipals();
         }
         public X509CertificateChain getCertificateChain()
         {
+            LOGGER.debug("getCerfiticateChain called");
+            for (Object o : s.getPublicCredentials())
+            {
+                if (o instanceof X509CertificateChain)
+                {
+                    LOGGER.debug("returning certificate chain.");
+                    return (X509CertificateChain) o;
+                }
+            }
             return null;
         }
         public DelegationToken getDelegationToken()