Merge remote-tracking branch 'origin/s1689' into s1689

b9dd71bd · Ed Chapin · 4a0a4bdb · a7369411 · b9dd71bd · b9dd71bd
Commit b9dd71bd authored 10 years ago by Ed Chapin
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/RequestValidator.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/RequestValidator.java
@@ -68,16 +68,16 @@
 */
 package ca.nrc.cadc.ac.server;
-import ca.nrc.cadc.ac.IdentityType;
+import java.security.Principal;
+import java.util.List;
+import org.apache.log4j.Logger;
 import ca.nrc.cadc.ac.Role;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.uws.Parameter;
 import ca.nrc.cadc.uws.ParameterUtil;
-import java.security.Principal;
-import java.util.List;
-import org.apache.log4j.Logger;
 /**
 * Request Validator. This class extracts and validates the ID, TYPE, ROLE
 * and GURI parameters.

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
@@ -79,15 +79,13 @@ import javax.security.auth.x500.X500Principal;
 import org.apache.log4j.Logger;
-import ca.nrc.cadc.ac.Group;
 import ca.nrc.cadc.ac.PersonalDetails;
 import ca.nrc.cadc.ac.User;
 import ca.nrc.cadc.ac.UserNotFoundException;
+import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
-import com.unboundid.ldap.sdk.CompareRequest;
-import com.unboundid.ldap.sdk.CompareResult;
 import com.unboundid.ldap.sdk.DN;
 import com.unboundid.ldap.sdk.Filter;
 import com.unboundid.ldap.sdk.LDAPException;
@@ -128,6 +126,8 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
        System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length);
        memberAttribs = tmp;
    }
    /**
     * Get the user specified by userID.
@@ -409,7 +409,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
        }
        searchField = "(" + searchField + "=" + 
-                      user.getUserID().getName() + ")";
+                user.getUserID().getName() + ")";
        SearchResultEntry searchResult = null;
        try
@@ -425,11 +425,10 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
        {
            LdapDAO.checkLdapResult(e.getResultCode());
        }
        if (searchResult == null)
        {
-            String msg = "User not found " + user.getUserID().toString();
+            String msg = "User not found " + user.getUserID().getName();
            logger.debug(msg);
            throw new UserNotFoundException(msg);
        }

--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
@@ -74,8 +74,11 @@ import java.security.AccessController;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Date;
+import java.util.Iterator;
+import java.util.Set;
 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.log4j.Logger;
@@ -87,6 +90,8 @@ import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.ac.server.PluginFactory;
 import ca.nrc.cadc.ac.server.RequestValidator;
+import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.uws.ExecutionPhase;
 import ca.nrc.cadc.uws.Job;
@@ -125,15 +130,31 @@ public class ACSearchRunner implements JobRunner
    @Override
    public void run()
    {
-        log.debug("RUN ACSearchRunner: " + job.ownerSubject);
+        AccessControlContext acContext = AccessController.getContext();
+        Subject subject = Subject.getSubject(acContext);
+        log.debug("RUN ACSearchRunner: " + subject);
+        if (log.isDebugEnabled())
+        {
+            Set<Principal> principals = subject.getPrincipals();
+            Iterator<Principal> i = principals.iterator();
+            while (i.hasNext())
+            {
+                Principal next = i.next();
+                log.debug("Principal " +
+                        next.getClass().getSimpleName()
+                        + ": " + next.getName());
+            }
+        }
        logInfo = new JobLogInfo(job);
+        logInfo.setSubject(subject);
        String startMessage = logInfo.start();
        log.info(startMessage);
        long t1 = System.currentTimeMillis();
-        search();
+        search(subject);
        long t2 = System.currentTimeMillis();
        logInfo.setElapsedTime(t2 - t1);
@@ -143,7 +164,7 @@ public class ACSearchRunner implements JobRunner
    }
    @SuppressWarnings("unchecked")
-    private void search()
+    private void search(Subject subject)
    {
        // Note: This search runner is customized to run with
@@ -156,8 +177,6 @@ public class ACSearchRunner implements JobRunner
        try
        {
            ExecutionPhase ep = 
                jobUpdater.setPhase(job.getID(), ExecutionPhase.QUEUED, 
                                    ExecutionPhase.EXECUTING, new Date());
@@ -172,21 +191,37 @@ public class ACSearchRunner implements JobRunner
            // only allow users to search themselves...
            Principal userBeingSearched = rv.getPrincipal();
-            if (userBeingSearched != null)
+            boolean idMatch = false;
+            if (userBeingSearched instanceof X500Principal)
            {
-                AccessControlContext acContext = AccessController.getContext();
+                Set<X500Principal> x500Principals = subject.getPrincipals(X500Principal.class);
-                Subject subject = Subject.getSubject(acContext);
+                Iterator<X500Principal> i = x500Principals.iterator();
-                boolean idMatch = false;
+                while (i.hasNext())
-                for (Principal p : subject.getPrincipals())
                {
-                    if (p.equals(userBeingSearched))
+                    X500Principal next = i.next();
+                    log.debug(String.format("Comparing x500: [%s][%s]",
+                            next.getName(), userBeingSearched.getName()));
+                    if (AuthenticationUtil.equals(next, userBeingSearched))
                        idMatch = true;
                }
-                if (!idMatch)
-                    throw new AccessControlException("Can only search oneself.");
            }
+            else if (userBeingSearched instanceof HttpPrincipal)
+            {
+                Set<HttpPrincipal> httpPrincipals = subject.getPrincipals(HttpPrincipal.class);
+                Iterator<HttpPrincipal> i = httpPrincipals.iterator();
+                while (i.hasNext())
+                {
+                    HttpPrincipal next = i.next();
+                    log.debug(String.format("Comparing http: [%s][%s]",
+                            next.getName(), userBeingSearched.getName()));
+                    if (next.equals(userBeingSearched))
+                        idMatch = true;
+                }
+            }
+            if (!idMatch)
+                throw new AccessControlException("Can only search oneself.");
            PluginFactory factory = new PluginFactory();
            GroupPersistence dao = factory.getGroupPersistence();
            Collection<Group> groups =