s1728: add check in UserServlet for a special user used to augment a user's identites.

ab5fa4a8 · Jeff Burke · 9e647a79 · ab5fa4a8 · ab5fa4a8 · ab5fa4a8
Commit ab5fa4a8 authored 9 years ago by Jeff Burke
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java
@@ -108,7 +108,7 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob
    static final String DEFAULT_CONTENT_TYPE = "text/xml";
    static final String JSON_CONTENT_TYPE = "application/json";

-    protected String augmentUserDN;
+    protected boolean isAugmentUser;
    protected UserLogInfo logInfo;
    protected SyncOutput syncOut;

@@ -116,18 +116,19 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob

    AbstractUserAction()
    {
+        this.isAugmentUser = false;
    }

    public abstract void doAction() throws Exception;

-    public void setAugmentUserDN(final String dn)
+    public void setAugmentUser(final boolean isAugmentUser)
    {
-    	this.augmentUserDN = dn;
+    	this.isAugmentUser = isAugmentUser;
    }
    
-    public String getAugmentUserDN()
+    public boolean isAugmentUser()
    {
-    	return this.augmentUserDN;
+    	return this.isAugmentUser;
    }
    
    public void setLogInfo(UserLogInfo logInfo)

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
@@ -98,74 +98,58 @@ public class GetUserAction extends AbstractUserAction

 	public void doAction() throws Exception
    {
-        User<Principal> user;
- 
-        if (isServops())
-        {
-        	Subject subject = new Subject();
-        	subject.getPrincipals().add(this.userID);
-        	user = (User<Principal>) Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
-        	{
-				@Override
-				public Object run() throws Exception 
-				{
-					return getUser(userID);
-				}
-        		
-        	});
-        }
-        else
-        {
-        	user = getUser(this.userID);
-        }
-
+        User<Principal> user = getUser(this.userID);
        writeUser(user);
    }

    protected User<Principal> getUser(Principal principal) throws Exception
    {
        User<Principal> user;
+        final UserPersistence<Principal> userPersistence = getUserPersistence();

-        // For detail=identity, if the calling user is the same as the requested user,
-        // the calling user already has all principals for that user.
-        if (detail != null && detail.equalsIgnoreCase("identity") &&
-            isSubjectUser(principal.getName()))
+        /**
+         * Special case 1
+         * If detail=identity, AND if the calling Subject user is the same as
+         * the requested User, then return the User with the principals from the
+         * Subject which has already been augmented.
+         */
+        if (detail != null &&
+            detail.equalsIgnoreCase("identity") &&
+            isSubjectUser(principal))
        {
            Subject subject = Subject.getSubject(AccessController.getContext());
            user = new User<Principal>(principal);
            user.getIdentities().addAll(subject.getPrincipals());
        }
+
+        /**
+         * Special case 2
+         * If the calling Subject user is the notAugmentedX500User, AND it is
+         * a GET, call the userDAO to get the User with all identities.
+         */
+        else if (this.isAugmentUser)
+        {
+            user = userPersistence.getAugmentedUser(principal);
+        }
        else
        {
-            final UserPersistence<Principal> userPersistence = getUserPersistence();
            try
            {
                user = userPersistence.getUser(principal);
-                if (detail != null)
+
+                // Only return user profile info, first and last name.
+                if (detail != null && detail.equalsIgnoreCase("display"))
                {
-                    // Only return user principals
-                    if (detail.equalsIgnoreCase("identity"))
-                    {
-                        user.details.clear();
-                    }
-                    // Only return user profile info, first and last name.
-                    else if (detail.equalsIgnoreCase("display"))
+                    user.getIdentities().clear();
+                    Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
+                    if (details.isEmpty())
                    {
-                        user.getIdentities().clear();
-                        Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
-                        if (details.isEmpty())
-                        {
-                            String error = principal.getName() + " missing required PersonalDetails";
-                            throw new IllegalStateException(error);
-                        }
-                        PersonalDetails pd = details.iterator().next();
-                        user.details.clear();
-                        user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
-                    }
-                    else
-                    {
-                        throw new IllegalArgumentException("Illegal detail parameter " + detail);
+                        String error = principal.getName() + " missing required PersonalDetails";
+                        throw new IllegalStateException(error);
                    }
+                    PersonalDetails pd = details.iterator().next();
+                    user.details.clear();
+                    user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
                }
            }
            catch (UserNotFoundException e)
@@ -176,24 +160,22 @@ public class GetUserAction extends AbstractUserAction
    	
    	return user;
    }
-    
-    protected boolean isServops()
+
+    protected boolean isSubjectUser(Principal userPrincipal)
    {
-    	boolean isServops = false;
-        AccessControlContext acc = AccessController.getContext();
-        Subject subject = Subject.getSubject(acc);
+    	boolean isSubjectUser = false;
+        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject != null)
        {
-        	for (Principal principal : subject.getPrincipals())
+        	for (Principal subjectPrincipal : subject.getPrincipals())
        	{
-        		if (principal.getName().equals(this.getAugmentUserDN()))
+        		if (subjectPrincipal.getName().equals(userPrincipal.getName()))
        		{
-        			isServops = true;
+                    isSubjectUser = true;
        			break;
        		}
        	}
        }
-
-        return found;
+        return isSubjectUser;
    }
 }
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
@@ -75,16 +75,14 @@ import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.IdentityType;
 import ca.nrc.cadc.auth.NumericPrincipal;
 import ca.nrc.cadc.auth.OpenIdPrincipal;
+import org.apache.log4j.Logger;

+import javax.security.auth.x500.X500Principal;
+import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.net.URL;
 import java.security.Principal;

-import javax.security.auth.x500.X500Principal;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.log4j.Logger;
-

 public abstract class UserActionFactory
 {

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
@@ -69,9 +69,13 @@
 package ca.nrc.cadc.ac.server.web.users;

 import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Principal;
 import java.security.PrivilegedActionException;

 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -90,7 +94,7 @@ public class UserServlet extends HttpServlet

    private static final long serialVersionUID = 5289130885807305288L;
    private static final Logger log = Logger.getLogger(UserServlet.class);
-    private String augmentUserDN;
+    private String notAugmentedX500User;
    
    @Override
    public void init(final ServletConfig config) throws ServletException
@@ -99,8 +103,8 @@ public class UserServlet extends HttpServlet

        try
        {
-        	this.augmentUserDN = config.getInitParameter(UserServlet.class.getName() + ".augmentUserDN");
-            log.info("augmentUserDN: " + augmentUserDN);
+        	this.notAugmentedX500User = config.getInitParameter(UserServlet.class.getName() + ".NotAugmentedX500User");
+            log.info("notAugmentedX500User: " + notAugmentedX500User);
        }
        catch(Exception ex)
        {
@@ -120,13 +124,23 @@ public class UserServlet extends HttpServlet
        try
        {
            log.info(logInfo.start());
-            Subject subject = AuthenticationUtil.getSubject(request);
-            logInfo.setSubject(subject);
-
            AbstractUserAction action = factory.createAction(request);
            SyncOutput syncOut = new SyncOutput(response);

-            action.setAugmentUserDN(this.augmentUserDN);
+            // Special case: if the calling subject has a servops X500Principal,
+            // AND it is a GET request, do not augment the subject.
+            Subject subject;
+            if (action instanceof GetUserAction && isNotAugmentedSubject())
+            {
+                subject = Subject.getSubject(AccessController.getContext());
+                action.setAugmentUser(true);
+            }
+            else
+            {
+                subject = AuthenticationUtil.getSubject(request);
+            }
+            logInfo.setSubject(subject);
+
            action.setLogInfo(logInfo);
            action.setSyncOut(syncOut);
            action.setAcceptedContentType(getAcceptedContentType(request));
@@ -236,4 +250,25 @@ public class UserServlet extends HttpServlet
            return AbstractUserAction.DEFAULT_CONTENT_TYPE;
        }
    }
+
+    protected boolean isNotAugmentedSubject()
+    {
+        boolean notAugmented = false;
+        Subject subject = Subject.getSubject(AccessController.getContext());
+        if (subject != null)
+        {
+            for (Principal principal : subject.getPrincipals())
+            {
+                if (principal instanceof X500Principal)
+                {
+                    if (principal.getName().equalsIgnoreCase(this.notAugmentedX500User))
+                    {
+                        notAugmented = true;
+                        break;
+                    }
+                }
+            }
+        }
+        return notAugmented;
+    }
 }