Skip to content
Snippets Groups Projects
Commit c5c8fdb2 authored by Adrian Damian's avatar Adrian Damian
Browse files

Merge branch 'ac2' of /srv/cadc/git/wopencadc into s1832

parents 4f5d5366 d4990244
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 109 additions and 208 deletions
projects/cadcAccessControl-Server/build.xml
+ 2
1
View file @ c5c8fdb2
......@@ -93,6 +93,7 @@
<property name="cadcUtil" value="${lib}/cadcUtil.jar"/>
<property name="cadcUWS" value="${lib}/cadcUWS.jar"/>
<property name="wsUtil" value="${lib}/wsUtil.jar"/>
<property name="wsUtil-augment" value="${lib}/wsUtil-augment.jar"/>
<property name="javacsv" value="${ext.lib}/javacsv.jar"/>
<property name="jdom2" value="${ext.lib}/jdom2.jar"/>
......@@ -102,7 +103,7 @@
<property name="xerces" value="${ext.lib}/xerces.jar"/>
<property name="jars"
value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}"/>
value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}:${wsUtil-augment}"/>
<target name="build" depends="compile">
<jar jarfile="${build}/lib/${project}.jar"
......
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/GetUserAction.java
+ 41
38
View file @ c5c8fdb2
......@@ -71,6 +71,8 @@ import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import java.security.AccessControlContext;
import java.security.AccessController;
......@@ -79,10 +81,12 @@ import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
public class GetUserAction extends AbstractUserAction
{
private static final Logger log = Logger.getLogger(GetUserAction.class);
......@@ -100,14 +104,14 @@ public class GetUserAction extends AbstractUserAction
{
User<Principal> user;
if (isServops())
if (isAugmentUser())
{
Subject subject = new Subject();
Subject subject = new Subject();
subject.getPrincipals().add(this.userID);
user = (User<Principal>) Subject.doAs(subject, new PrivilegedExceptionAction<Object>()
user = Subject.doAs(subject, new PrivilegedExceptionAction<User<Principal>>()
{
@Override
public Object run() throws Exception
public User<Principal> run() throws Exception
{
return getUser(userID);
}
......@@ -130,58 +134,57 @@ public class GetUserAction extends AbstractUserAction
try
{
user = userPersistence.getUser(principal);
if (detail != null)
{
// Only return user principals
if (detail.equals("identity"))
{
user.details.clear();
}
// Only return user profile info, first and last name.
else if (detail.equals("display"))
{
user.getIdentities().clear();
Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
if (details.isEmpty())
{
String error = principal.getName() + " missing required PersonalDetails";
throw new IllegalStateException(error);
}
PersonalDetails pd = details.iterator().next();
user.details.clear();
user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
}
else
{
throw new IllegalArgumentException("Illegal detail parameter " + detail);
}
}
}
catch (UserNotFoundException e)
{
user = userPersistence.getPendingUser(principal);
}
return user;
if (detail != null)
{
// Only return user principals
if (detail.equals("identity"))
{
user.details.clear();
}
// Only return user profile info, first and last name.
else if (detail.equals("display"))
{
user.getIdentities().clear();
Set<PersonalDetails> details = user.getDetails(PersonalDetails.class);
if (details.isEmpty())
{
String error = principal.getName() + " missing required PersonalDetails";
throw new IllegalStateException(error);
}
PersonalDetails pd = details.iterator().next();
user.details.clear();
user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
}
else
{
throw new IllegalArgumentException("Illegal detail parameter " + detail);
}
}
return user;
}
protected boolean isServops()
protected boolean isAugmentUser()
{
boolean isServops = false;
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);
if (subject != null)
{
for (Principal principal : subject.getPrincipals())
for (Principal principal : subject.getPrincipals(HttpPrincipal.class))
{
if (principal.getName().equals(this.getAugmentUserDN()))
if (principal.getName().equals(this.getAugmentUserDN()))
{
isServops = true;
break;
return true;
}
}
}
return isServops;
return false;
}
}
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserActionFactory.java
+ 2
1
View file @ c5c8fdb2
......@@ -68,17 +68,18 @@
*/
package ca.nrc.cadc.ac.server.web.users;
import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.web.WebUtil;
import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal;
import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
......
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java
+ 4
4
View file @ c5c8fdb2
......@@ -90,7 +90,7 @@ public class UserServlet extends HttpServlet
private static final long serialVersionUID = 5289130885807305288L;
private static final Logger log = Logger.getLogger(UserServlet.class);
private String augmentUserDN;
private String augmentUser;
@Override
public void init(final ServletConfig config) throws ServletException
......@@ -99,8 +99,8 @@ public class UserServlet extends HttpServlet
try
{
this.augmentUserDN = config.getInitParameter(UserServlet.class.getName() + ".augmentUserDN");
log.info("augmentUserDN: " + augmentUserDN);
this.augmentUser = config.getInitParameter(UserServlet.class.getName() + ".augmentUser");
log.info("augmentUser: " + augmentUser);
}
catch(Exception ex)
{
......@@ -126,7 +126,7 @@ public class UserServlet extends HttpServlet
AbstractUserAction action = factory.createAction(request);
SyncOutput syncOut = new SyncOutput(response);
action.setAugmentUserDN(this.augmentUserDN);
action.setAugmentUserDN(this.augmentUser);
action.setLogInfo(logInfo);
action.setSyncOut(syncOut);
action.setAcceptedContentType(getAcceptedContentType(request));
......
projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/RequestValidatorTest.java
+ 6
3
View file @ c5c8fdb2
......@@ -71,15 +71,18 @@ package ca.nrc.cadc.ac.server;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.server.web.groups.AddUserMemberActionTest;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.uws.Parameter;
import java.util.ArrayList;
import java.util.List;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.junit.BeforeClass;
import org.junit.Test;
import static org.junit.Assert.*;
/**
......@@ -152,7 +155,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo"));
try
{
......@@ -163,7 +166,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", "foo"));
paramList.add(new Parameter("GROUPID", ""));
try
......@@ -175,7 +178,7 @@ public class RequestValidatorTest
paramList.clear();
paramList.add(new Parameter("ID", "foo"));
paramList.add(new Parameter("IDTYPE", AuthenticationUtil.AUTH_TYPE_HTTP));
paramList.add(new Parameter("IDTYPE", IdentityType.USERNAME.getValue()));
paramList.add(new Parameter("ROLE", Role.MEMBER.getValue()));
rv.validate(paramList);
......
projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/AddUserMemberActionTest.java
+ 4
2
View file @ c5c8fdb2
......@@ -74,7 +74,9 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
import java.security.Principal;
import org.apache.log4j.Level;
......@@ -107,7 +109,7 @@ public class AddUserMemberActionTest
try
{
String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
......@@ -159,7 +161,7 @@ public class AddUserMemberActionTest
try
{
String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
......
projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/groups/RemoveUserMemberActionTest.java
+ 5
2
View file @ c5c8fdb2
......@@ -74,8 +74,11 @@ import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.util.Log4jInit;
import java.security.Principal;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.easymock.EasyMock;
......@@ -106,7 +109,7 @@ public class RemoveUserMemberActionTest
try
{
String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
......@@ -156,7 +159,7 @@ public class RemoveUserMemberActionTest
try
{
String userID = "foo";
String userIDType = AuthenticationUtil.AUTH_TYPE_HTTP;
String userIDType = IdentityType.USERNAME.getValue();
Principal userPrincipal = AuthenticationUtil.createPrincipal(userID, userIDType);
User<Principal> user = new User<Principal>(userPrincipal);
......
projects/cadcAccessControl/src/ca/nrc/cadc/ac/client/UserClient.java
+ 42
156
View file @ c5c8fdb2
......@@ -71,25 +71,18 @@ package ca.nrc.cadc.ac.client;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import ca.nrc.cadc.ac.*;
import ca.nrc.cadc.auth.HttpPrincipal;
import org.apache.log4j.Logger;
import ca.nrc.cadc.ac.xml.UserReader;
import ca.nrc.cadc.auth.CookiePrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.SSLUtil;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.net.HttpDownload;
......@@ -102,8 +95,6 @@ public class UserClient
private static final Logger log = Logger.getLogger(UserClient.class);
// socket factory to use when connecting
private SSLSocketFactory sslSocketFactory;
private SSLSocketFactory mySocketFactory;
private String baseURL;
/**
......@@ -148,52 +139,40 @@ public class UserClient
*/
public void augmentSubject(Subject subject)
{
URL url = this.getURL(subject);
log.debug("augmentSubject request to " + url.toString());
ByteArrayOutputStream out = new ByteArrayOutputStream();
HttpDownload download = new HttpDownload(url, out);
download.setSSLSocketFactory(getSSLSocketFactory());
download.run();
this.handleThrowable(download);
this.augmentSubject(subject, this.getPrincipals(out));
Principal principal = this.getPrincipal(subject);
if (principal != null)
{
URL url = this.getURL(principal);
log.debug("augmentSubject request to " + url.toString());
ByteArrayOutputStream out = new ByteArrayOutputStream();
HttpDownload download = new HttpDownload(url, out);
download.run();
this.handleThrowable(download);
subject.getPrincipals().clear();
subject.getPrincipals().addAll(this.getPrincipals(out));
}
}
protected void augmentSubject(Subject subject, Set<Principal> principals)
protected Principal getPrincipal(final Subject subject)
{
if (principals.isEmpty())
{
String name = subject.getPrincipals().iterator().next().getName();
String msg = "No UserIdentity in LDAP server for principal: " + name;
throw new IllegalStateException(msg);
}
for (Principal principal : principals)
Set<Principal> principals = subject.getPrincipals();
Iterator<Principal> iterator = principals.iterator();
if (iterator.hasNext())
{
if (principal instanceof HttpPrincipal)
Principal principal = iterator.next();
if (iterator.hasNext())
{
subject.getPrincipals().add((HttpPrincipal)principal);
}
else if (principal instanceof X500Principal)
{
subject.getPrincipals().add((X500Principal)principal);
}
else if (principal instanceof NumericPrincipal)
{
subject.getPrincipals().add((NumericPrincipal)principal);
}
else if (principal instanceof CookiePrincipal)
{
subject.getPrincipals().add((CookiePrincipal)principal);
}
else
{
final String msg = "Subject has unsupported principal " +
principal.getName() +
", not one of (X500, Cookie, HTTP or Cadc).";
throw new IllegalStateException(msg);
// Should only have one principal
final String msg = "Subject has more than one principal.";
throw new IllegalArgumentException(msg);
}
return principal;
}
else
{
return null;
}
}
......@@ -224,127 +203,34 @@ public class UserClient
}
}
protected URL getURL(Subject subject)
protected URL getURL(Principal principal)
{
try
{
String userID = subject.getPrincipals().iterator().next().getName();
String encodedUserID = URLEncoder.encode(userID, "UTF-8");
URL url = new URL(this.baseURL + "/users/" + encodedUserID +
"?idType=" + this.getIdType(subject) + "&detail=identity");
String userID = principal.getName();
URL url = new URL(this.baseURL + "/users/" + userID +
"?idType=" + this.getIdType(principal) + "&detail=identity");
log.debug("getURL(): returned url ="
+ ""
+ " " + url.toString());
return url;
}
catch (UnsupportedEncodingException e)
{
throw new RuntimeException(e);
}
catch (MalformedURLException e)
{
throw new RuntimeException(e);
}
}
protected String getIdType(Subject subject)
{
Set<Principal> principals = subject.getPrincipals();
if (principals.size() > 0)
{
String idTypeStr = null;
Principal principal = principals.iterator().next();
if (principal instanceof HttpPrincipal)
{
idTypeStr = IdentityType.USERNAME.getValue();
}
else if (principal instanceof X500Principal)
{
idTypeStr = IdentityType.X500.getValue();
}
else if (principal instanceof NumericPrincipal)
{
idTypeStr = IdentityType.CADC.getValue();
}
else if (principal instanceof CookiePrincipal)
{
idTypeStr = IdentityType.COOKIE.getValue();
}
else
{
final String msg = "Subject has unsupported principal " +
principal.getName() +
", not one of (X500, Cookie, HTTP or Cadc).";
throw new IllegalArgumentException(msg);
}
return idTypeStr;
}
else
{
final String msg = "Subject has no principal.";
throw new IllegalArgumentException(msg);
}
}
/**
* @param sslSocketFactory the sslSocketFactory to set
*/
public void setSSLSocketFactory(SSLSocketFactory sslSocketFactory)
{
if (mySocketFactory != null)
{
throw new IllegalStateException(
"Illegal use of GMSClient: cannot set SSLSocketFactory " +
"after using one created from Subject");
}
this.sslSocketFactory = sslSocketFactory;
clearCache();
}
private int subjectHashCode = 0;
private SSLSocketFactory getSSLSocketFactory()
{
AccessControlContext ac = AccessController.getContext();
Subject s = Subject.getSubject(ac);
// no real Subject: can only use the one from setSSLSocketFactory
if (s == null || s.getPrincipals().isEmpty())
{
return sslSocketFactory;
}
// lazy init
if (this.mySocketFactory == null)
{
log.debug("getSSLSocketFactory: " + s);
this.mySocketFactory = SSLUtil.getSocketFactory(s);
this.subjectHashCode = s.hashCode();
}
else
{
int c = s.hashCode();
if (c != subjectHashCode)
{
throw new IllegalStateException(
"Illegal use of " + this.getClass().getSimpleName() +
": subject change not supported for internal " +
"SSLSocketFactory");
}
}
return this.mySocketFactory;
}
protected void clearCache()
protected String getIdType(Principal principal)
{
AccessControlContext acContext = AccessController.getContext();
Subject subject = Subject.getSubject(acContext);
if (subject != null)
String idTypeStr = AuthenticationUtil.getPrincipalType(principal);
if (idTypeStr == null)
{
log.debug("Clearing cache");
subject.getPrivateCredentials().clear();
final String msg = "Subject has unsupported principal " +
principal.getName();
throw new IllegalArgumentException(msg);
}
return idTypeStr;
}
}
projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java
+ 3
1
View file @ c5c8fdb2
......@@ -72,7 +72,6 @@ package ca.nrc.cadc.ac.xml;
import ca.nrc.cadc.ac.AC;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupProperty;
import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.PosixDetails;
import ca.nrc.cadc.ac.ReaderException;
......@@ -81,9 +80,11 @@ import ca.nrc.cadc.ac.UserDetails;
import ca.nrc.cadc.ac.UserRequest;
import ca.nrc.cadc.ac.WriterException;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.IdentityType;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal;
import ca.nrc.cadc.date.DateUtil;
import org.jdom2.Attribute;
import org.jdom2.Document;
import org.jdom2.Element;
......@@ -91,6 +92,7 @@ import org.jdom2.output.Format;
import org.jdom2.output.XMLOutputter;
import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.Writer;
import java.security.Principal;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment