s1651 - Added check that searches can only be done by same person

629d4227 · Brian Major · 4ada8fb9 · 629d4227 · 629d4227 · 629d4227
Commit 629d4227 authored 10 years ago by Brian Major
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
@@ -68,11 +68,14 @@
 */
 package ca.nrc.cadc.ac.server.web;

+import java.security.AccessControlContext;
 import java.security.AccessControlException;
+import java.security.AccessController;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Date;

+import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.log4j.Logger;
@@ -84,7 +87,6 @@ import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.ac.server.PluginFactory;
 import ca.nrc.cadc.ac.server.RequestValidator;
-import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.uws.ExecutionPhase;
 import ca.nrc.cadc.uws.Job;
@@ -154,6 +156,8 @@ public class ACSearchRunner
        
        try
        {
+
+            
            ExecutionPhase ep = 
                jobUpdater.setPhase(job.getID(), ExecutionPhase.QUEUED, 
                                    ExecutionPhase.EXECUTING, new Date());
@@ -166,6 +170,23 @@ public class ACSearchRunner
            RequestValidator rv = new RequestValidator();
            rv.validate(job.getParameterList());
            
+            // only allow users to search themselves...
+            Principal userBeingSearched = rv.getPrincipal();
+            if (userBeingSearched != null)
+            {
+                AccessControlContext acContext = AccessController.getContext();
+                Subject subject = Subject.getSubject(acContext);
+                boolean idMatch = false;
+                for (Principal p : subject.getPrincipals())
+                {
+                    if (p.equals(userBeingSearched))
+                        idMatch = true;
+                }
+                if (!idMatch)
+                    throw new AccessControlException("Can only search oneself.");
+            }
+
+            
            PluginFactory factory = new PluginFactory();
            GroupPersistence dao = factory.getGroupPersistence();
            Collection<Group> groups = 
@@ -246,7 +267,7 @@ public class ACSearchRunner
            logInfo.setMessage(t.getMessage());
            log.debug("FAIL", t);
            
-            syncOut.setResponseCode(401);
+            syncOut.setResponseCode(403);
            
 //            ErrorSummary errorSummary =
 //                new ErrorSummary(t.getMessage(), ErrorType.FATAL);
@@ -284,36 +305,4 @@ public class ACSearchRunner
        }
    }
    
-//    private Principal getUserPrincipal(String userID, IdentityType type)
-//    {
-//        if (type == IdentityType.OPENID)
-//        {
-//            return new OpenIdPrincipal(userID);
-//        }
-//        if (type == IdentityType.UID)
-//        {
-//            try
-//            {
-//                Long numericId = Long.valueOf(userID);
-//                return new NumericPrincipal(numericId);
-//            }
-//            catch (NumberFormatException e)
-//            {
-//                throw new IllegalArgumentException("Illegal UID userID " +
-//                                                   userID + " because " +
-//                                                   e.getMessage());
-//            }
-//        }
-//        if (type == IdentityType.USERNAME)
-//        {
-//            return new HttpPrincipal(userID);
-//        }
-//        if (type == IdentityType.X500)
-//        {
-//            return new X500Principal(userID);
-//        }
-//        throw new IllegalArgumentException("Unknown user type " + 
-//                                           type.getValue());
-//    }
-    
 }
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java
@@ -68,26 +68,28 @@
 */
 package ca.nrc.cadc.ac.server.web;

-import ca.nrc.cadc.ac.GroupAlreadyExistsException;
-import ca.nrc.cadc.ac.GroupNotFoundException;
-import ca.nrc.cadc.ac.MemberAlreadyExistsException;
-import ca.nrc.cadc.ac.MemberNotFoundException;
-import ca.nrc.cadc.ac.UserNotFoundException;
-import ca.nrc.cadc.ac.server.GroupPersistence;
-import ca.nrc.cadc.ac.server.PluginFactory;
-import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.net.TransientException;
 import java.io.IOException;
-import java.io.PrintWriter;
 import java.security.AccessControlException;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
+
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
+
 import org.apache.log4j.Logger;

+import ca.nrc.cadc.ac.GroupAlreadyExistsException;
+import ca.nrc.cadc.ac.GroupNotFoundException;
+import ca.nrc.cadc.ac.MemberAlreadyExistsException;
+import ca.nrc.cadc.ac.MemberNotFoundException;
+import ca.nrc.cadc.ac.UserNotFoundException;
+import ca.nrc.cadc.ac.server.GroupPersistence;
+import ca.nrc.cadc.ac.server.PluginFactory;
+import ca.nrc.cadc.ac.server.UserPersistence;
+import ca.nrc.cadc.net.TransientException;
+
 public abstract class GroupsAction
    implements PrivilegedExceptionAction<Object>
 {
@@ -131,9 +133,9 @@ public abstract class GroupsAction
        catch (AccessControlException e)
        {
            log.debug(e);
-            String message = "Unauthorized";
+            String message = "Permission Denied";
            this.logInfo.setMessage(message);
-            sendError(401, message);
+            sendError(403, message);
        }
        catch (IllegalArgumentException e)
        {

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java
@@ -94,16 +94,6 @@ public class GroupsServlet extends HttpServlet
        try
        {
            log.info(logInfo.start());
-
-            // Note: For this servlet, one does not want the subject to be
-            // augmented with all user principals, only the one in which
-            // they used to connect to the service.  This is accomplished
-            // by ensuring that there is no authenticator implementation
-            // available in the classpath with the name:
-            //   ca.nrc.cadc.auth.AuthenticatorImpl.class
-            // See cadcUtil method ca.nrc.cadc.auth.AuthenticationUtil#getAuthenticator()
-            // for more information.
-            
            Subject subject = AuthenticationUtil.getSubject(request);
            logInfo.setSubject(subject);
            GroupsAction action = GroupsActionFactory.getGroupsAction(request, logInfo);