Commit 9e647a79 authored by Jeff Burke's avatar Jeff Burke

Merge branch 'ac2' of gimli2:/srv/cadc/git/wopencadc into ac2

Conflicts:
	projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
parents 93ec644a 4953170d
Showing with 80 additions and 139 deletions
...@@ -93,6 +93,7 @@ ...@@ -93,6 +93,7 @@
<property name="cadcUtil" value="${lib}/cadcUtil.jar"/> <property name="cadcUtil" value="${lib}/cadcUtil.jar"/>
<property name="cadcUWS" value="${lib}/cadcUWS.jar"/> <property name="cadcUWS" value="${lib}/cadcUWS.jar"/>
<property name="wsUtil" value="${lib}/wsUtil.jar"/> <property name="wsUtil" value="${lib}/wsUtil.jar"/>
<property name="wsUtil-augment" value="${lib}/wsUtil-augment.jar"/>
<property name="javacsv" value="${ext.lib}/javacsv.jar"/> <property name="javacsv" value="${ext.lib}/javacsv.jar"/>
<property name="jdom2" value="${ext.lib}/jdom2.jar"/> <property name="jdom2" value="${ext.lib}/jdom2.jar"/>
...@@ -102,7 +103,7 @@ ...@@ -102,7 +103,7 @@
<property name="xerces" value="${ext.lib}/xerces.jar"/> <property name="xerces" value="${ext.lib}/xerces.jar"/>
<property name="jars" <property name="jars"
value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}"/> value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}:${wsUtil-augment}"/>
<target name="build" depends="compile"> <target name="build" depends="compile">
<jar jarfile="${build}/lib/${project}.jar" <jar jarfile="${build}/lib/${project}.jar"
......
...@@ -100,7 +100,7 @@ public class GetUserAction extends AbstractUserAction ...@@ -100,7 +100,7 @@ public class GetUserAction extends AbstractUserAction
{ {
User<Principal> user; User<Principal> user;
if (isSubjectUser(this.augmentUserDN)) if (isServops())
{ {
Subject subject = new Subject(); Subject subject = new Subject();
subject.getPrincipals().add(this.userID); subject.getPrincipals().add(this.userID);
...@@ -176,21 +176,22 @@ public class GetUserAction extends AbstractUserAction ...@@ -176,21 +176,22 @@ public class GetUserAction extends AbstractUserAction
return user; return user;
} }
protected boolean isSubjectUser(String username) protected boolean isServops()
{ {
boolean found = false; boolean isServops = false;
Subject subject = Subject.getSubject(AccessController.getContext()); AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
if (subject != null) if (subject != null)
{ {
for (Principal principal : subject.getPrincipals()) for (Principal principal : subject.getPrincipals())
{ {
if (principal.getName().equals(username)) if (principal.getName().equals(this.getAugmentUserDN()))
{ {
found = true; isServops = true;
break; break;
} }
} }
} }
return found; return found;
......
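Review bot: The new side of isServops() still ends with the unchanged line `return found;` at the bottom of the hunk, while the flag it sets was renamed on the new side to `boolean isServops = false;` / `isServops = true;`, so unless `found` is a field declared outside the hunk this does not compile and looks like a leftover of the merge conflict the commit message records for GetUserAction.java; the return should read `return isServops;`. The enclosing class continues outside the hunk. The authorization decision is a plain `equals` between `principal.getName()` and `this.getAugmentUserDN()`; if that value is an X.500 DN, string equality depends on attribute order, spacing and case, so consider comparing `X500Principal` instances (or a canonical form) rather than raw strings, and guard the case where getAugmentUserDN() is unset so a null configuration cannot match anything. A Javadoc such as `/** True when the calling Subject carries the configured augment-user DN, i.e. the request comes from the servops identity. */` would make the intent of the rename explicit.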
...@@ -68,17 +68,18 @@ ...@@ -68,17 +68,18 @@
*/ */
package ca.nrc.cadc.ac.server.web.users; package ca.nrc.cadc.ac.server.web.users;
import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.web.WebUtil; import ca.nrc.cadc.ac.server.web.WebUtil;
import ca.nrc.cadc.auth.CookiePrincipal; import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal;
import java.io.IOException; import java.io.IOException;
import java.net.URL; import java.net.URL;
import java.security.Principal; import java.security.Principal;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
......
...@@ -71,15 +71,18 @@ package ca.nrc.cadc.ac.server; ...@@ -71,15 +71,18 @@ package ca.nrc.cadc.ac.server;
import ca.nrc.cadc.ac.Role; import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.server.web.groups.AddUserMemberActionTest; import ca.nrc.cadc.ac.server.web.groups.AddUserMemberActionTest;
import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.uws.Parameter; import ca.nrc.cadc.uws.Parameter;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.log4j.Level; import org.apache.log4j.Level;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import static org.junit.Assert.*; import static org.junit.Assert.*;
/** /**
...@@ -152,7 +155,7 @@ public class RequestValidatorTest ...@@ -152,7 +155,7 @@ public class RequestValidatorTest
paramList.clear(); paramList.clear();
paramList.add(new Parameter("ID", "foo")); paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP)); paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo")); paramList.add(new Parameter("ROLE", "foo"));
try try
{ {
...@@ -163,7 +166,7 @@ public class RequestValidatorTest ...@@ -163,7 +166,7 @@ public class RequestValidatorTest
paramList.clear(); paramList.clear();
paramList.add(new Parameter("ID", "foo")); paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP)); paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo")); paramList.add(new Parameter("ROLE", "foo"));
paramList.add(new Parameter("GROUPID", "")); paramList.add(new Parameter("GROUPID", ""));
try try
...@@ -175,7 +178,7 @@ public class RequestValidatorTest ...@@ -175,7 +178,7 @@ public class RequestValidatorTest
paramList.clear(); paramList.clear();
paramList.add(new Parameter("ID", "foo")); paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP)); paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", Role.MEMBER.getValue())); paramList.add(new Parameter("ROLE", Role.MEMBER.getValue()));
rv.validate(paramList); rv.validate(paramList);
......
...@@ -74,7 +74,9 @@ import ca.nrc.cadc.ac.User; ...@@ -74,7 +74,9 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence; import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit;
import java.security.Principal; import java.security.Principal;
import org.apache.log4j.Level; import org.apache.log4j.Level;
...@@ -107,7 +109,7 @@ public class AddUserMemberActionTest ...@@ -107,7 +109,7 @@ public class AddUserMemberActionTest
try try
{ {
String userID = "foo"; String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP; String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType); Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal); User<Principal> user = new User<Principal>(userPrincipal);
...@@ -159,7 +161,7 @@ public class AddUserMemberActionTest ...@@ -159,7 +161,7 @@ public class AddUserMemberActionTest
try try
{ {
String userID = "foo"; String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP; String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType); Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal); User<Principal> user = new User<Principal>(userPrincipal);
......
...@@ -74,8 +74,11 @@ import ca.nrc.cadc.ac.User; ...@@ -74,8 +74,11 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence; import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit;
import java.security.Principal; import java.security.Principal;
import org.apache.log4j.Level; import org.apache.log4j.Level;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.easymock.EasyMock; import org.easymock.EasyMock;
...@@ -106,7 +109,7 @@ public class RemoveUserMemberActionTest ...@@ -106,7 +109,7 @@ public class RemoveUserMemberActionTest
try try
{ {
String userID = "foo"; String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP; String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType); Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal); User<Principal> user = new User<Principal>(userPrincipal);
...@@ -156,7 +159,7 @@ public class RemoveUserMemberActionTest ...@@ -156,7 +159,7 @@ public class RemoveUserMemberActionTest
try try
{ {
String userID = "foo"; String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP; String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType); Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal); User<Principal> user = new User<Principal>(userPrincipal);
......
...@@ -71,13 +71,10 @@ package ca.nrc.cadc.ac.client; ...@@ -71,13 +71,10 @@ package ca.nrc.cadc.ac.client;
import java.io.*; import java.io.*;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.net.URLEncoder;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal; import java.security.Principal;
import java.util.Iterator;
import java.util.Set; import java.util.Set;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
...@@ -87,9 +84,9 @@ import ca.nrc.cadc.auth.HttpPrincipal; ...@@ -87,9 +84,9 @@ import ca.nrc.cadc.auth.HttpPrincipal;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import ca.nrc.cadc.ac.xml.UserReader; import ca.nrc.cadc.ac.xml.UserReader;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.CookiePrincipal; import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.net.HttpDownload; import ca.nrc.cadc.net.HttpDownload;
...@@ -102,8 +99,6 @@ public class UserClient ...@@ -102,8 +99,6 @@ public class UserClient
private static final Logger log = Logger.getLogger(UserClient.class); private static final Logger log = Logger.getLogger(UserClient.class);
// socket factory to use when connecting // socket factory to use when connecting
private SSLSocketFactory sslSocketFactory;
private SSLSocketFactory mySocketFactory;
private String baseURL; private String baseURL;
/** /**
...@@ -148,12 +143,11 @@ public class UserClient ...@@ -148,12 +143,11 @@ public class UserClient
*/ */
public void augmentSubject(Subject subject) public void augmentSubject(Subject subject)
{ {
URL url = this.getURL(subject); Principal principal = this.getPrincipal(subject);
URL url = this.getURL(principal);
log.debug("augmentSubject request to " + url.toString()); log.debug("augmentSubject request to " + url.toString());
ByteArrayOutputStream out = new ByteArrayOutputStream(); ByteArrayOutputStream out = new ByteArrayOutputStream();
HttpDownload download = new HttpDownload(url, out); HttpDownload download = new HttpDownload(url, out);
download.setSSLSocketFactory(getSSLSocketFactory());
download.run(); download.run();
this.handleThrowable(download); this.handleThrowable(download);
...@@ -162,7 +156,7 @@ public class UserClient ...@@ -162,7 +156,7 @@ public class UserClient
protected void augmentSubject(Subject subject, Set<Principal> principals) protected void augmentSubject(Subject subject, Set<Principal> principals)
{ {
if (principals.isEmpty()) if (!principals.iterator().hasNext())
{ {
String name = subject.getPrincipals().iterator().next().getName(); String name = subject.getPrincipals().iterator().next().getName();
String msg = "No UserIdentity in LDAP server for principal: " + name; String msg = "No UserIdentity in LDAP server for principal: " + name;
...@@ -197,6 +191,33 @@ public class UserClient ...@@ -197,6 +191,33 @@ public class UserClient
} }
} }
protected Principal getPrincipal(final Subject subject)
{
Set<Principal> principals = subject.getPrincipals();
Iterator<Principal> iterator = principals.iterator();
if (iterator.hasNext())
{
Principal principal = iterator.next();
log.debug("alinga-- UserClient.getPrincipal(): principal = " + principal);
if (iterator.hasNext())
{
Principal principal1 = iterator.next();
log.debug("alinga-- UserClient.getPrincipal(): principal1 = " + principal1);
log.debug("alinga-- UserClient.getPrincipal(): number of principals = " + principals.size());
// Should only have one principal
final String msg = "Subject has more than one principal.";
throw new IllegalArgumentException(msg);
}
return principal;
}
else
{
final String msg = "Subject has no principal.";
throw new IllegalArgumentException(msg);
}
}
protected Set<Principal> getPrincipals(ByteArrayOutputStream out) protected Set<Principal> getPrincipals(ByteArrayOutputStream out)
{ {
try try
...@@ -224,127 +245,34 @@ public class UserClient ...@@ -224,127 +245,34 @@ public class UserClient
} }
} }
protected URL getURL(Subject subject) protected URL getURL(Principal principal)
{ {
try try
{ {
String userID = subject.getPrincipals().iterator().next().getName(); String userID = principal.getName();
String encodedUserID = URLEncoder.encode(userID, "UTF-8"); URL url = new URL(this.baseURL + "/users/" + userID +
URL url = new URL(this.baseURL + "/users/" + encodedUserID + "?idType=" + this.getIdType(principal) + "&detail=identity");
"?idType=" + this.getIdType(subject) + "&detail=identity");
log.debug("getURL(): returned url =" log.debug("getURL(): returned url ="
+ "" + ""
+ " " + url.toString()); + " " + url.toString());
return url; return url;
} }
catch (UnsupportedEncodingException e)
{
throw new RuntimeException(e);
}
catch (MalformedURLException e) catch (MalformedURLException e)
{ {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }
protected String getIdType(Subject subject) protected String getIdType(Principal principal)
{ {
Set<Principal> principals = subject.getPrincipals(); String idTypeStr = AuthenticationUtil.getPrincipalType(principal);
if (principals.size() > 0) if (idTypeStr == null)
{
String idTypeStr = null;
Principal principal = principals.iterator().next();
if (principal instanceof HttpPrincipal)
{
idTypeStr = IdentityType.USERNAME.getValue();
}
else if (principal instanceof X500Principal)
{
idTypeStr = IdentityType.X500.getValue();
}
else if (principal instanceof NumericPrincipal)
{
idTypeStr = IdentityType.CADC.getValue();
}
else if (principal instanceof CookiePrincipal)
{
idTypeStr = IdentityType.COOKIE.getValue();
}
else
{
final String msg = "Subject has unsupported principal " +
principal.getName() +
", not one of (X500, Cookie, HTTP or Cadc).";
throw new IllegalArgumentException(msg);
}
return idTypeStr;
}
else
{
final String msg = "Subject has no principal.";
throw new IllegalArgumentException(msg);
}
}
/**
* @param sslSocketFactory the sslSocketFactory to set
*/
public void setSSLSocketFactory(SSLSocketFactory sslSocketFactory)
{
if (mySocketFactory != null)
{
throw new IllegalStateException(
"Illegal use of GMSClient: cannot set SSLSocketFactory " +
"after using one created from Subject");
}
this.sslSocketFactory = sslSocketFactory;
clearCache();
}
private int subjectHashCode = 0;
private SSLSocketFactory getSSLSocketFactory()
{
AccessControlContext ac = AccessController.getContext();
Subject s = Subject.getSubject(ac);
// no real Subject: can only use the one from setSSLSocketFactory
if (s == null || s.getPrincipals().isEmpty())
{
return sslSocketFactory;
}
// lazy init
if (this.mySocketFactory == null)
{ {
log.debug("getSSLSocketFactory: " + s); final String msg = "Subject has unsupported principal " +
this.mySocketFactory = SSLUtil.getSocketFactory(s); principal.getName();
this.subjectHashCode = s.hashCode(); throw new IllegalArgumentException(msg);
}
else
{
int c = s.hashCode();
if (c != subjectHashCode)
{
throw new IllegalStateException(
"Illegal use of " + this.getClass().getSimpleName() +
": subject change not supported for internal " +
"SSLSocketFactory");
}
}
return this.mySocketFactory;
}
protected void clearCache()
{
AccessControlContext acContext = AccessController.getContext();
Subject subject = Subject.getSubject(acContext);
if (subject != null)
{
log.debug("Clearing cache");
subject.getPrivateCredentials().clear();
} }
return idTypeStr;
} }
} }
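Review bot: getURL(Principal) now concatenates `principal.getName()` straight into the request URL, dropping the `URLEncoder.encode(userID, "UTF-8")` step the old side performed, so a principal name containing reserved characters — an X.500 DN carries commas, `=` and spaces and may contain `?`, `&` or `/` — yields a malformed URL or lets the name spill into the `idType`/`detail` query parameters. Restore the encoding with `String encodedUserID = URLEncoder.encode(userID, "UTF-8");` and use encodedUserID in the URL string, together with the removed `java.net.URLEncoder` import and the `UnsupportedEncodingException` catch (a multi-catch with MalformedURLException keeps it short). Separately, augmentSubject no longer calls `download.setSSLSocketFactory(...)` and the Subject-derived socket factory is gone, so unless HttpDownload derives its TLS client identity from the current Subject on its own, this request is no longer made with the caller's client certificate — worth confirming, since the server side gates the augment path on the calling DN. The `alinga--` debug lines in getPrincipal() read like developer tracing and should be removed or reworded before merge.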
...@@ -72,7 +72,6 @@ package ca.nrc.cadc.ac.xml; ...@@ -72,7 +72,6 @@ package ca.nrc.cadc.ac.xml;
import ca.nrc.cadc.ac.AC; import ca.nrc.cadc.ac.AC;
import ca.nrc.cadc.ac.Group; import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupProperty; import ca.nrc.cadc.ac.GroupProperty;
import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.PosixDetails; import ca.nrc.cadc.ac.PosixDetails;
import ca.nrc.cadc.ac.ReaderException; import ca.nrc.cadc.ac.ReaderException;
...@@ -81,9 +80,11 @@ import ca.nrc.cadc.ac.UserDetails; ...@@ -81,9 +80,11 @@ import ca.nrc.cadc.ac.UserDetails;
import ca.nrc.cadc.ac.UserRequest; import ca.nrc.cadc.ac.UserRequest;
import ca.nrc.cadc.ac.WriterException; import ca.nrc.cadc.ac.WriterException;
import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal;
import ca.nrc.cadc.date.DateUtil; import ca.nrc.cadc.date.DateUtil;
import org.jdom2.Attribute; import org.jdom2.Attribute;
import org.jdom2.Document; import org.jdom2.Document;
import org.jdom2.Element; import org.jdom2.Element;
...@@ -91,6 +92,7 @@ import org.jdom2.output.Format; ...@@ -91,6 +92,7 @@ import org.jdom2.output.Format;
import org.jdom2.output.XMLOutputter; import org.jdom2.output.XMLOutputter;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import java.io.IOException; import java.io.IOException;
import java.io.Writer; import java.io.Writer;
import java.security.Principal; import java.security.Principal;
......