diff --git a/cadc-access-control-admin/build.gradle b/cadc-access-control-admin/build.gradle
index 44037a6ab5e60e117a735a2fb2e59c7163ead46f..4c61862d44ffa9804e53d0194f9265697dfc8b91 100644
--- a/cadc-access-control-admin/build.gradle
+++ b/cadc-access-control-admin/build.gradle
@@ -15,7 +15,7 @@ sourceCompatibility = 1.7
 
 group = 'org.opencadc'
 
-version = '1.0.1'
+version = '1.0.2'
 
 mainClassName = 'ca.nrc.cadc.ac.admin.Main'
 
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
index a5a32ed8aad8a4ff57f75352ee99b9f22e23bfa5..f521b5d9e9023bc4016426d212d10a4cdca85fda 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
@@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
 
     private UserPersistence userPersistence;
 
-
     protected abstract void doRun()
             throws AccessControlException, TransientException;
 
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
index 40185149c2bafc61c4fe92adc08d84e945067e7b..c2690950f379826a596c50b4768c026fcc819481 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
@@ -72,9 +72,12 @@
 import java.io.PrintStream;
 import java.security.cert.CertificateException;
 
+import javax.security.auth.Subject;
+
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 
+import ca.nrc.cadc.auth.CertCmdArgUtil;
 import ca.nrc.cadc.util.ArgumentMap;
 import ca.nrc.cadc.util.Log4jInit;
 import ca.nrc.cadc.util.StringUtil;
@@ -95,6 +98,7 @@ public class CmdLineParser
     private Level logLevel = Level.OFF;
     private AbstractCommand command;
     private boolean isHelpCommand = false;
+    private ArgumentMap am;
 
     /**
      * Constructor.
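Review bot: The new field `am` is assigned exactly once, in the constructor shown in the next hunk, so it can be declared `private final ArgumentMap am;` to guarantee that `getSubjectFromCert()` never sees a replaced or unset map. This assumes the class has no other constructor outside the diff. A one-line comment such as `// parsed command-line arguments, kept for certificate lookup` would explain why the map now outlives parsing.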
@@ -105,7 +109,7 @@ public class CmdLineParser
     public CmdLineParser(final String[] args, final PrintStream outStream,
         final PrintStream errStream) throws UsageException, CertificateException
     {
-        ArgumentMap am = new ArgumentMap( args );
+        am = new ArgumentMap( args );
     	this.setLogLevel(am);
     	this.parse(am, outStream, errStream);
     }
@@ -127,6 +131,11 @@ public class CmdLineParser
     	return this.logLevel;
     }
 
+    public Subject getSubjectFromCert()
+    {
+        return CertCmdArgUtil.initSubject(am);
+    }
+
     /*
      * Set the log level.
      * @param am Input arguments
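Review bot: `getSubjectFromCert()` is a new public method on the authentication path and has no Javadoc, so its contract for a missing or unusable certificate is undocumented. The caller in CommandRunner tests the result for null and for an empty `X500Principal` set, which suggests both outcomes are possible, but what `CertCmdArgUtil.initSubject` actually does is not visible in this diff. I would add something like `/** Builds the operator's Subject from the certificate options on the command line; callers must check for null and for a missing X500Principal. */`, stating also whether the certificate's validity is checked at this point.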
@@ -294,6 +303,8 @@ public class CmdLineParser
     	StringBuilder sb = new StringBuilder();
     	sb.append("\n");
     	sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n");
+    	sb.append(CertCmdArgUtil.getCertArgUsage());
+    	sb.append("\n");
     	sb.append("Where command is\n");
     	sb.append("--list                       : List users in the Users tree\n");
     	sb.append("--list-pending               : List users in the UserRequests tree\n");
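Review bot: The usage text now prints the certificate options but does not say which commands need them, while CommandRunner in this same commit throws "Certificate required" for every command that is not an `AbstractUserCommand`. A line after `getCertArgUsage()` such as `sb.append("A certificate is required for --list and --list-pending\n");` would tell the operator this up front. The exact list of commands should be checked against the parser, since only part of it is visible. The synopsis line `Usage: ... <command> [-v|--verbose|-d|--debug] [-h|--help]` could also mention the certificate options. The enclosing method starts and ends outside the hunk.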
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
index 6c8943814e7fb68da0f5945fcf9ce4ef8887841d..97f130684f1b7203e135eaba4b6e608a8d581e31 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
@@ -69,22 +69,17 @@
 package ca.nrc.cadc.ac.admin;
 
 import java.security.Principal;
-import java.util.HashSet;
 import java.util.Set;
 
 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.ac.server.ldap.LdapConfig;
-import ca.nrc.cadc.auth.AuthenticationUtil;
-import ca.nrc.cadc.auth.DelegationToken;
+import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.HttpPrincipal;
-import ca.nrc.cadc.auth.PrincipalExtractor;
-import ca.nrc.cadc.auth.SSOCookieCredential;
-import ca.nrc.cadc.auth.X509CertificateChain;
 import ca.nrc.cadc.net.TransientException;
 
 
@@ -112,59 +107,33 @@ public class CommandRunner
         AbstractCommand command = commandLineParser.getCommand();
         command.setUserPersistence(userPersistence);
 
-        Principal userIDPrincipal = null;
+        Subject operatorSubject = new Subject();
+
         if (command instanceof AbstractUserCommand)
         {
-            userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            operatorSubject.getPrincipals().add(userIDPrincipal);
+            operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD);
         }
-
-        if (userIDPrincipal == null)
+        else
         {
-            // run as the operator
-            LdapConfig config = LdapConfig.getLdapConfig();
-            String proxyDN = config.getProxyUserDN();
-            if (proxyDN == null)
-                throw new IllegalArgumentException("No ldap account in .dbrc");
-
-            String userIDLabel = "uid=";
-            int uidIndex = proxyDN.indexOf("uid=");
-            int commaIndex = proxyDN.indexOf(",", userIDLabel.length());
-            String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex);
-            userIDPrincipal = new HttpPrincipal(userID);
-        }
+            // run as the operator using their cert
+            Subject subjectFromCert = commandLineParser.getSubjectFromCert();
 
-        // run as the user
-        LOGGER.debug("running as " + userIDPrincipal.getName());
-        Set<Principal> userPrincipals = new HashSet<Principal>(1);
-        userPrincipals.add(userIDPrincipal);
-        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals);
-        Subject subject = AuthenticationUtil.getSubject(principalExtractor);
-        Subject.doAs(subject, command);
-    }
+            if (subjectFromCert == null)
+                throw new IllegalArgumentException("Certificate required");
 
-    class AnonPrincipalExtractor implements PrincipalExtractor
-    {
-        Set<Principal> principals;
+            Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class);
+            if (pSet.isEmpty())
+                throw new IllegalArgumentException("Certificate required");
 
-        AnonPrincipalExtractor(Set<Principal> principals)
-        {
-            this.principals = principals;
-        }
-        public Set<Principal> getPrincipals()
-        {
-            return principals;
-        }
-        public X509CertificateChain getCertificateChain()
-        {
-            return null;
-        }
-        public DelegationToken getDelegationToken()
-        {
-            return null;
-        }
-        public SSOCookieCredential getSSOCookieCredential()
-        {
-            return null;
+            operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
+            operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser"));
+            operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
+            operatorSubject.getPublicCredentials().add(AuthMethod.CERT);
         }
+
+        LOGGER.debug("running as: " + operatorSubject);
+        Subject.doAs(operatorSubject, command);
     }
 }
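Review bot: In the `AbstractUserCommand` branch the subject is built from the target user's principal and stamped with `AuthMethod.PASSWORD`, although nothing visible here checks a password, and the operator certificate is only demanded in the `else` branch, so user-affecting commands appear to run without any operator identity. If that is intended, say so with a comment such as `// runs as the target user; the operator's certificate is not consulted for user commands`; otherwise call `commandLineParser.getSubjectFromCert()` before the `if` and fail in both branches. The `else` branch also adds a fixed `new HttpPrincipal("authorizedUser")` to the subject of whoever presents a certificate, so any downstream check keyed on that name would accept every certificate holder; the name deserves a named constant and a comment saying what it is matched against. `LOGGER.debug("running as: " + operatorSubject)` prints the whole subject, public credentials included, where `operatorSubject.getPrincipals()` would be enough for the log. The enclosing method starts above the hunk.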
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
index 66f48174b29e87d54990a65fdc22c1509c024bd5..8a92a058e235abcb0a8bec759fa357f4c0d8d6b8 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
@@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers
     {
     	return this.getUserPersistence().getUserRequests();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
index 1256ad9af5a0a8f8e3d63356bddd808e06d7b790..bcb5d34bee217fba54a4a10949eb90dce956f0be 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
@@ -92,4 +92,5 @@ public class ListUsers extends AbstractListUsers
     {
     	return this.getUserPersistence().getUsers();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
index 4050de7b22186cc4fd0c06a7a70205a840d26d21..e21718a93cf2c124abd6b1b34591a18d7f0da203 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
@@ -81,10 +81,10 @@ import ca.nrc.cadc.net.TransientException;
  * @author yeunga
  *
  */
-public class RejectUser extends AbstractUserCommand 
+public class RejectUser extends AbstractUserCommand
 {
     private static final Logger log = Logger.getLogger(RejectUser.class);
-	
+
     /**
      * Constructor
      * @param userID Id of the pending user to be deleted
@@ -93,9 +93,9 @@ public class RejectUser extends AbstractUserCommand
     {
     	super(userID);
     }
-    
-    protected void execute() 
-        throws AccessControlException, UserNotFoundException, TransientException 
+
+    protected void execute()
+        throws AccessControlException, UserNotFoundException, TransientException
     {
         // delete user from the pending tree
         this.getUserPersistence().deleteUserRequest(this.getPrincipal());
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
index 6201ca876d905d73bd634ea381eedcdc93305052..e3e705ca79e27baad75b8b35d3f5a48df326eaaf 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
@@ -106,7 +106,7 @@ public class ViewUser extends AbstractUserCommand
             User user = this.getUserPersistence().getUser(this.getPrincipal());
             this.printUser(user);
         }
-        catch (UserNotFoundException e)
+        catch (AccessControlException | UserNotFoundException e)
         {
             // Not in the main tree, try the pending tree
             User user = this.getUserPersistence().getUserRequest(this.getPrincipal());
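Review bot: Catching `AccessControlException` together with `UserNotFoundException` turns a denied lookup on the main tree into a silent fallback to the pending tree, so an authorization failure is never reported and the existing comment `// Not in the main tree, try the pending tree` no longer describes both cases. I would keep the fallback but make the denial visible, either with a separate `catch (AccessControlException e)` that logs before retrying, or at least by changing the comment to `// Not in the main tree, or access to it was denied: try the pending tree`. If the pending-tree call is denied as well, the original exception is lost, which makes a permissions problem hard to diagnose. The `try` block starts outside the hunk.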