From 2b22b097f2e890d78d6e67ba9a0cfad0d951e782 Mon Sep 17 00:00:00 2001
From: Brian Major <major.brian@gmail.com>
Date: Thu, 24 Mar 2016 11:31:11 -0700
Subject: [PATCH] s1886 - New policies for accounts with no http pricipal
---
 .../cadc/ac/server/ldap/LdapGroupPersistence.java | 14 ++++++++++++--
 .../cadc/ac/server/ldap/LdapUserPersistence.java | 4 ++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
index 4b11e3ce..8ce149e9 100755
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
@@ -92,6 +92,7 @@ import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.DNPrincipal;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.util.ObjectUtil;
@@ -125,8 +126,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
 {
 // current policy: group names visible to all authenticated users
 Subject caller = AuthenticationUtil.getCurrentSubject();
- if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
- throw new AccessControlException("Caller is not authenticated");
+ checkAuthenticatedWithAccount(caller);
 LdapGroupDAO groupDAO = null;
 LdapUserDAO userDAO = null;
@@ -175,6 +175,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
 GroupNotFoundException
 {
 Subject caller = AuthenticationUtil.getCurrentSubject();
+ checkAuthenticatedWithAccount(caller);
 Principal userID = getUser(caller);
 LdapConnections conns = new LdapConnections(this);
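Review bot: The context comment `// current policy: group names visible to all authenticated users` two lines above the new `checkAuthenticatedWithAccount(caller);` call no longer describes the policy, because the helper also rejects authenticated callers whose Subject carries no HttpPrincipal. Suggest updating it to `// current policy: group names visible to all authenticated users that have an account` so the comment and the check agree. The enclosing method begins before this hunk.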
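Review bot: The `checkAuthenticatedWithAccount(caller);` inserted before `getUser(caller)` in the hunk at -175 introduces a new reason for an AccessControlException in a method that previously did not reject callers at this point; the method's Javadoc lies outside the hunk, so if it documents its exceptions it presumably needs `@throws AccessControlException if the caller is anonymous or has no HttpPrincipal`. The enclosing method starts before this hunk and its signature is only partly visible.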
@@ -395,4 +396,13 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
 GroupMemberships gms = gset.iterator().next();
 return gms.getUserID();
 }
+
+ private void checkAuthenticatedWithAccount(Subject caller)
+ {
+ if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
+ throw new AccessControlException("Caller is not authenticated");
+
+ if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+ throw new AccessControlException("Caller does not have authorized account");
+ }
 }
diff --git a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
index 1dfa5a60..8711e52e 100755
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
@@ -290,6 +290,10 @@ public class LdapUserPersistence extends LdapPersistence implements UserPersiste
 if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
 throw new AccessControlException("Caller is not authenticated");
+ // user must also have an approved account
+ if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+ throw new AccessControlException("Caller does not have authorized account");
+
 LdapUserDAO userDAO = null;
 LdapConnections conns = new LdapConnections(this);
 try
-- 
GitLab
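Review bot: The new private `checkAuthenticatedWithAccount` duplicates the policy that the LdapUserPersistence hunk in this same commit adds inline (anonymous check followed by `caller.getPrincipals(HttpPrincipal.class).isEmpty()`); both classes extend LdapPersistence per the hunk headers, so a single protected helper on the base class would keep the account policy in one place and stop the two copies from drifting when it changes. The helper also has no doc comment; suggest a Javadoc stating that it rejects a null or anonymous caller and an authenticated caller whose Subject carries no HttpPrincipal, which this commit treats as having no approved account, throwing AccessControlException in both cases. The second message would read better as `throw new AccessControlException("Caller does not have an authorized account");`, though that is cosmetic.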
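Review bot: The added comment `// user must also have an approved account` in the hunk at -290 states the intent, but the check beneath it only tests whether the Subject carries an HttpPrincipal; whether that implies an approved account depends on how the Subject is augmented upstream, which is not visible here. A comment naming the actual mechanism, e.g. `// an approved account is represented by an HttpPrincipal in the caller's Subject`, makes the policy auditable at this line. The enclosing method starts before the hunk.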