From 1ecd0c5389c0e48ceaaa90dcd9f8fcbeb2635c36 Mon Sep 17 00:00:00 2001
From: Alinga Yeung <Alinga.Yeung@nrc-cnrc.gc.ca>
Date: Wed, 19 Aug 2015 09:29:31 -0700
Subject: [PATCH] Story ac2. Added super user support to UserAction.

---
 .../server/web/users/AbstractUserAction.java | 11 ++++
 .../ac/server/web/users/GetUserAction.java | 66 ++++++++++++++++---
 .../cadc/ac/server/web/users/UserServlet.java | 21 ++++++
 3 files changed, 90 insertions(+), 8 deletions(-)

diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
index 1c7f0e12..cba19dfd 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
@@ -103,6 +103,7 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob
     static final String DEFAULT_CONTENT_TYPE = "text/xml";
     static final String JSON_CONTENT_TYPE = "application/json";
 
+    protected String augmentUserDN;
     protected UserLogInfo logInfo;
     protected HttpServletResponse response;
     protected String acceptedContentType = DEFAULT_CONTENT_TYPE;
@@ -113,6 +114,16 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob
 
     public abstract void doAction() throws Exception;
 
+    public void setAugmentUserDN(final String dn)
+    {
+        this.augmentUserDN = dn;
+    }
+
+    public String getAugmentUserDN()
+    {
+        return this.augmentUserDN;
+    }
+
     public void setLogInfo(UserLogInfo logInfo)
     {
         this.logInfo = logInfo;
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
index 8d95d946..4793c719 100644
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
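Review bot: The new `augmentUserDN` field and its accessors in the second AbstractUserAction hunk carry no documentation, although the value is what `GetUserAction.isServops()` later compares principal names against to decide whether an action may run on behalf of another user. A reader of this class cannot tell what the string must contain, where it is set from, or what a null means. A one-line Javadoc on the field would cover it, e.g. `/** DN of the service principal permitted to act on behalf of any user; set by UserServlet from its init-param, null disables that path. */`. The setter accepts any string unvalidated, which is fine as long as the field comment states that the caller is trusted configuration, not request input.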
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java @@ -71,11 +71,19 @@ import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; +import java.security.AccessControlContext; +import java.security.AccessController; import java.security.Principal; +import java.security.PrivilegedExceptionAction; + +import javax.security.auth.Subject; + +import org.apache.log4j.Logger; public class GetUserAction extends AbstractUserAction { + private static final Logger log = Logger.getLogger(GetUserAction.class); private final Principal userID; GetUserAction(Principal userID) 
@@ -84,22 +92,64 @@ public class GetUserAction extends AbstractUserAction this.userID = userID; } - public void doAction() throws Exception + public void doAction() throws Exception { - final UserPersistence<Principal> userPersistence = getUserPersistence(); - User<Principal> user; - - try + + if (isServops()) { - user = userPersistence.getUser(userID); + Subject subject = new Subject(); + subject.getPrincipals().add(this.userID); + user = (User<Principal>) Subject.doAs(subject, new PrivilegedExceptionAction<Object>() + { + @Override + public Object run() throws Exception + { + return getUser(userID); + } + + }); } - catch (UserNotFoundException e) + else { - user = userPersistence.getPendingUser(userID); + user = getUser(this.userID); } writeUser(user); } + protected User<Principal> getUser(Principal principal) throws Exception + { + final UserPersistence<Principal> userPersistence = getUserPersistence(); + User<Principal> user; + + try + { + user = userPersistence.getUser(principal); + } + catch (UserNotFoundException e) + { + user = userPersistence.getPendingUser(principal); + } + + return user; + } + + protected boolean isServops() + { + log.debug("alinga-- isServops(): augmentUserDN = " + this.augmentUserDN); + boolean isServops = false; + AccessControlContext acc = AccessController.getContext(); + Subject subject = Subject.getSubject(acc); + for (Principal principal : subject.getPrincipals()) + { + if (principal.getName().equals(this.getAugmentUserDN())) + { + isServops = true; + break; + } + } + + return isServops; + } } diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java index 2f2ee879..5feba14c 100644 --- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java +++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java 
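Review bot: `isServops()` dereferences the result of `Subject.getSubject(acc)` without a null check, and `Subject.getSubject` returns null when no Subject is bound to the current access-control context, so a call that reaches `doAction()` without an authenticated Subject fails with a NullPointerException instead of a clean `false`. The match itself compares the `getName()` string of every principal in the Subject against the configured DN, so any principal type whose name happens to equal that string takes the super-user path; if the service identity is carried as an `X500Principal` (the `javax.security.auth` usage suggests so — confirm against AuthenticationUtil), restricting the loop to `subject.getPrincipals(X500Principal.class)` and comparing `X500Principal` objects gives canonical DN matching instead of raw string equality. The `log.debug("alinga-- isServops(): ...")` line reads as a developer leftover and should be removed or reworded before merge. In the visible `doAction()` the `User<Principal> user;` declaration is removed and not re-added on the new side, so `user` looks undeclared — that may be an artifact of this listing, but it is worth checking. The rewrite below needs `javax.security.auth.x500.X500Principal` imported.
```java
    protected boolean isServops()
    {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null || this.getAugmentUserDN() == null)
        {
            return false;
        }
        // X500Principal.equals() compares canonical DN forms rather than raw strings;
        // the constructor throws IllegalArgumentException on a malformed configured DN
        X500Principal servops = new X500Principal(this.getAugmentUserDN());
        for (X500Principal principal : subject.getPrincipals(X500Principal.class))
        {
            if (servops.equals(principal))
            {
                return true;
            }
        }
        return false;
    }
```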
@@ -72,11 +72,14 @@ import java.io.IOException; import java.security.PrivilegedActionException; import javax.security.auth.Subject; +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import ca.nrc.cadc.util.StringUtil; + import org.apache.log4j.Logger; import ca.nrc.cadc.auth.AuthenticationUtil; @@ -86,6 +89,23 @@ public class UserServlet extends HttpServlet private static final long serialVersionUID = 5289130885807305288L; private static final Logger log = Logger.getLogger(UserServlet.class); + private String augmentUserDN; + + @Override + public void init(final ServletConfig config) throws ServletException + { + super.init(config); + + try + { + this.augmentUserDN = config.getInitParameter(UserServlet.class.getName() + ".augmentUserDN"); + log.info("augmentUserDN: " + augmentUserDN); + } + catch(Exception ex) + { + log.error("failed to init: " + ex); + } + } /** * Create a UserAction and run the action safely. @@ -104,6 +124,7 @@ public class UserServlet extends HttpServlet AbstractUserAction action = factory.createAction(request); + action.setAugmentUserDN(this.augmentUserDN); action.setLogInfo(logInfo); action.setResponse(response); action.setAcceptedContentType(getAcceptedContentType(request)); -- GitLab
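Review bot: In the `init()` hunk the catch of `Exception` around `getInitParameter` discards the stack trace (`log.error("failed to init: " + ex)` only prints the message) and lets the servlet finish initialising with `augmentUserDN` left null, so a broken deployment descriptor shows up only as a missing info line. `ServletConfig.getInitParameter` throws no checked exception, so the try/catch can simply be dropped; if a failure path is kept, log it with the throwable as the second argument, `log.error("failed to init", ex);`, or rethrow as `ServletException` so the deployment fails visibly instead of silently running without the super-user DN. A short comment on the new field would also help the next reader, e.g. `// DN handed to each action via setAugmentUserDN(); null when the init-param is absent`. The third hunk's `action.setAugmentUserDN(this.augmentUserDN);` sits inside a method whose start and end are outside the hunk.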