From 457dbfbec07839167a1afdb209a6d10b436bc856 Mon Sep 17 00:00:00 2001 From: Brian Major <brian.major@nrc-cnrc.gc.ca> Date: Thu, 2 Oct 2014 15:34:33 -0700 Subject: [PATCH] nep110 - Restored missing authentication util methods, canonize dn in ldap dao for search. --- .../nrc/cadc/ac/server/ldap/LdapUserDAO.java | 34 ++++++++-- .../cadc/ac/server/web/ACSearchRunner.java | 63 ++++++++++++++----- 2 files changed, 77 insertions(+), 20 deletions(-) diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java index c6b9221c..1d7cd6f4 100755 --- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java @@ -79,15 +79,13 @@ import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; -import ca.nrc.cadc.ac.Group; import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; +import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; -import com.unboundid.ldap.sdk.CompareRequest; -import com.unboundid.ldap.sdk.CompareResult; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.Filter; import com.unboundid.ldap.sdk.LDAPException; @@ -128,6 +126,8 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length); memberAttribs = tmp; } + + /** * Get the user specified by userID. @@ -407,9 +407,11 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO throw new IllegalArgumentException( "Unsupported principal type " + user.getUserID().getClass()); } + + String name = getUserName(searchField, user); searchField = "(" + searchField + "=" + - user.getUserID().getName() + ")"; + name + ")"; SearchResultEntry searchResult = null; try @@ -425,15 +427,35 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO { LdapDAO.checkLdapResult(e.getResultCode()); } - if (searchResult == null) { - String msg = "User not found " + user.getUserID().toString(); + String msg = "User not found " + name; logger.debug(msg); throw new UserNotFoundException(msg); } return searchResult.getAttributeValueAsDN("entrydn"); } + + /** + * If the principal is of type x500, canonize the name for the + * search. + * + * @param searchField + * @param user + * @return + */ + private String getUserName(String searchField, User<? extends Principal> user) + { + if (searchField != null) + { + if (searchField.equals("distinguishedname")) + { + return AuthenticationUtil.canonizeDistinguishedName(user.getUserID().getName()); + } + return user.getUserID().getName(); + } + return null; + } } diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java index 6ceca043..f654e889 100755 --- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java +++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java @@ -74,8 +74,11 @@ import java.security.AccessController; import java.security.Principal; import java.util.Collection; import java.util.Date; +import java.util.Iterator; +import java.util.Set; import javax.security.auth.Subject; +import javax.security.auth.x500.X500Principal; import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; @@ -87,6 +90,8 @@ import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.GroupPersistence; import ca.nrc.cadc.ac.server.PluginFactory; import ca.nrc.cadc.ac.server.RequestValidator; +import ca.nrc.cadc.auth.AuthenticationUtil; +import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.uws.ExecutionPhase; import ca.nrc.cadc.uws.Job; @@ -125,15 +130,31 @@ public class ACSearchRunner implements JobRunner @Override public void run() { - log.debug("RUN ACSearchRunner: " + job.ownerSubject); + AccessControlContext acContext = AccessController.getContext(); + Subject subject = Subject.getSubject(acContext); + + log.debug("RUN ACSearchRunner: " + subject); + if (log.isDebugEnabled()) + { + Set<Principal> principals = subject.getPrincipals(); + Iterator<Principal> i = principals.iterator(); + while (i.hasNext()) + { + Principal next = i.next(); + log.debug("Principal " + + next.getClass().getSimpleName() + + ": " + next.getName()); + } + } logInfo = new JobLogInfo(job); + logInfo.setSubject(subject); String startMessage = logInfo.start(); log.info(startMessage); long t1 = System.currentTimeMillis(); - search(); + search(subject); long t2 = System.currentTimeMillis(); logInfo.setElapsedTime(t2 - t1); @@ -143,7 +164,7 @@ public class ACSearchRunner implements JobRunner } @SuppressWarnings("unchecked") - private void search() + private void search(Subject subject) { // Note: This search runner is customized to run with @@ -156,8 +177,6 @@ public class ACSearchRunner implements JobRunner try { - - ExecutionPhase ep = jobUpdater.setPhase(job.getID(), ExecutionPhase.QUEUED, ExecutionPhase.EXECUTING, new Date()); @@ -172,21 +191,37 @@ public class ACSearchRunner implements JobRunner // only allow users to search themselves... Principal userBeingSearched = rv.getPrincipal(); - if (userBeingSearched != null) + + boolean idMatch = false; + if (userBeingSearched instanceof X500Principal) { - AccessControlContext acContext = AccessController.getContext(); - Subject subject = Subject.getSubject(acContext); - boolean idMatch = false; - for (Principal p : subject.getPrincipals()) + Set<X500Principal> x500Principals = subject.getPrincipals(X500Principal.class); + Iterator<X500Principal> i = x500Principals.iterator(); + while (i.hasNext()) { - if (p.equals(userBeingSearched)) + X500Principal next = i.next(); + log.debug(String.format("Comparing x500: [%s][%s]", + next.getName(), userBeingSearched.getName())); + if (AuthenticationUtil.equals(next, userBeingSearched)) idMatch = true; } - if (!idMatch) - throw new AccessControlException("Can only search oneself."); } + else if (userBeingSearched instanceof HttpPrincipal) + { + Set<HttpPrincipal> httpPrincipals = subject.getPrincipals(HttpPrincipal.class); + Iterator<HttpPrincipal> i = httpPrincipals.iterator(); + while (i.hasNext()) + { + HttpPrincipal next = i.next(); + log.debug(String.format("Comparing http: [%s][%s]", + next.getName(), userBeingSearched.getName())); + if (next.equals(userBeingSearched)) + idMatch = true; + } + } + if (!idMatch) + throw new AccessControlException("Can only search oneself."); - PluginFactory factory = new PluginFactory(); GroupPersistence dao = factory.getGroupPersistence(); Collection<Group> groups = -- GitLab