From 87db79f4bc75823965725f4f3379bcbaa2165a94 Mon Sep 17 00:00:00 2001
From: Brian Major <major.brian@gmail.com>
Date: Mon, 12 Dec 2016 13:34:32 -0800
Subject: [PATCH] Modifications to credentials provided when running the ac
 admin tool.

---
 .../ca/nrc/cadc/ac/admin/AbstractCommand.java |  1 -
 .../ca/nrc/cadc/ac/admin/CommandRunner.java   | 52 +++----------------
 .../nrc/cadc/ac/admin/ListUserRequests.java   |  1 +
 .../java/ca/nrc/cadc/ac/admin/ListUsers.java  |  1 +
 .../java/ca/nrc/cadc/ac/admin/RejectUser.java | 10 ++--
 .../java/ca/nrc/cadc/ac/admin/ViewUser.java   |  2 +-
 6 files changed, 15 insertions(+), 52 deletions(-)

diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
index a5a32ed8..f521b5d9 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
@@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
 
     private UserPersistence userPersistence;
 
-
     protected abstract void doRun()
             throws AccessControlException, TransientException;
 
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
index 5da814fa..97f13068 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
@@ -78,11 +78,8 @@ import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.auth.AuthenticationUtil;
-import ca.nrc.cadc.auth.DelegationToken;
-import ca.nrc.cadc.auth.PrincipalExtractor;
-import ca.nrc.cadc.auth.SSOCookieCredential;
-import ca.nrc.cadc.auth.X509CertificateChain;
+import ca.nrc.cadc.auth.AuthMethod;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 
 
@@ -116,6 +113,7 @@ public class CommandRunner
         {
             Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
             operatorSubject.getPrincipals().add(userIDPrincipal);
+            operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD);
         }
         else
         {
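Review bot: The added `operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD)` tags the subject with a password authentication method although nothing in this branch checks a password; the subject is assembled from the command's target principal, so the credential is asserted rather than established. If downstream code keys on the AuthMethod (as the CERT branch below suggests), that should be stated at the line, e.g. `// No password is verified here: the admin tool asserts PASSWORD so that downstream checks (presumably keyed on AuthMethod) treat the locally built subject as authenticated`. Anything that grants access based on this marker is trusting the tool's invocation rather than an authentication event, which is worth a sentence in the class Javadoc. The enclosing method and the if-condition this branch belongs to start above this hunk.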
@@ -130,48 +128,12 @@ public class CommandRunner
                 throw new IllegalArgumentException("Certificate required");
 
             operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
+            operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser"));
             operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
+            operatorSubject.getPublicCredentials().add(AuthMethod.CERT);
         }
 
-        // run as the user
-        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(operatorSubject);
-        Subject subject = AuthenticationUtil.getSubject(principalExtractor);
-        LOGGER.debug("running as: " + subject);
-        Subject.doAs(subject, command);
-    }
-
-    class AnonPrincipalExtractor implements PrincipalExtractor
-    {
-        Subject s;
-
-        AnonPrincipalExtractor(Subject s)
-        {
-            this.s = s;
-        }
-        public Set<Principal> getPrincipals()
-        {
-            return s.getPrincipals();
-        }
-        public X509CertificateChain getCertificateChain()
-        {
-            LOGGER.debug("getCerfiticateChain called");
-            for (Object o : s.getPublicCredentials())
-            {
-                if (o instanceof X509CertificateChain)
-                {
-                    LOGGER.debug("returning certificate chain.");
-                    return (X509CertificateChain) o;
-                }
-            }
-            return null;
-        }
-        public DelegationToken getDelegationToken()
-        {
-            return null;
-        }
-        public SSOCookieCredential getSSOCookieCredential()
-        {
-            return null;
-        }
+        LOGGER.debug("running as: " + operatorSubject);
+        Subject.doAs(operatorSubject, command);
     }
 }
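Review bot: `new HttpPrincipal("authorizedUser")`, added after `addAll(subjectFromCert.getPrincipals())`, hard-codes a principal name that no authentication produced, and nothing explains what that name unlocks downstream; hoist it to a documented constant, `private static final String ADMIN_HTTP_PRINCIPAL = "authorizedUser"; // synthetic principal for local admin runs; TODO document which authorization rule keys on this name`, and use it here. Replacing `AuthenticationUtil.getSubject(principalExtractor)` with the locally built operatorSubject also drops whatever augmentation that call performed (identity lookup, presumably), so the subject passed to `Subject.doAs` is now exactly what this method constructs; that deserves a sentence in the method Javadoc. With AnonPrincipalExtractor gone, a `java.util.Set` import above this hunk is likely unused now. The method begins above this hunk.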
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
index 66f48174..8a92a058 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
@@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers
     {
     	return this.getUserPersistence().getUserRequests();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
index 1256ad9a..bcb5d34b 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
@@ -92,4 +92,5 @@ public class ListUsers extends AbstractListUsers
     {
     	return this.getUserPersistence().getUsers();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
index 4050de7b..e21718a9 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
@@ -81,10 +81,10 @@ import ca.nrc.cadc.net.TransientException;
  * @author yeunga
  *
  */
-public class RejectUser extends AbstractUserCommand 
+public class RejectUser extends AbstractUserCommand
 {
     private static final Logger log = Logger.getLogger(RejectUser.class);
-	
+
     /**
      * Constructor
      * @param userID Id of the pending user to be deleted
@@ -93,9 +93,9 @@ public class RejectUser extends AbstractUserCommand
     {
     	super(userID);
     }
-    
-    protected void execute() 
-        throws AccessControlException, UserNotFoundException, TransientException 
+
+    protected void execute()
+        throws AccessControlException, UserNotFoundException, TransientException
     {
         // delete user from the pending tree
         this.getUserPersistence().deleteUserRequest(this.getPrincipal());
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
index 6201ca87..e3e705ca 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
@@ -106,7 +106,7 @@ public class ViewUser extends AbstractUserCommand
             User user = this.getUserPersistence().getUser(this.getPrincipal());
             this.printUser(user);
         }
-        catch (UserNotFoundException e)
+        catch (AccessControlException | UserNotFoundException e)
         {
             // Not in the main tree, try the pending tree
             User user = this.getUserPersistence().getUserRequest(this.getPrincipal());
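Review bot: Widening the catch to `AccessControlException | UserNotFoundException` makes the comment `// Not in the main tree, try the pending tree` inaccurate and silently converts a permission failure on the main-tree lookup into a fall-through to the pending tree with `e` discarded. Change the comment to `// Not found in, or not permitted to read, the main tree: try the pending tree` and record the cause before retrying, e.g. `log.debug("main tree lookup failed, trying pending tree", e);` if ViewUser has a logger as RejectUser does. If the pending lookup throws AccessControlException as well, the caller only sees the second failure, which is probably acceptable for an admin tool but the first exception should not be lost entirely. The try/catch and the enclosing method continue outside this hunk.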
-- 
GitLab