Commit d3462891 authored by Jeff Burke's avatar Jeff Burke

S1651: merge

parents be95ee51 b6119cdf
......@@ -68,16 +68,16 @@
*/
package ca.nrc.cadc.ac.server;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.Collection;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.IdentityType;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.net.TransientException;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.Collection;
public abstract interface GroupPersistence<T extends Principal>
{
......
......@@ -125,8 +125,8 @@ public class PluginFactory
{
try
{
Class c = Class.forName(cname);
ret = (GroupPersistence) c.newInstance();
Class<?> c = Class.forName(cname);
ret = (GroupPersistence<T>) c.newInstance();
}
catch (Exception ex)
{
......@@ -149,8 +149,8 @@ public class PluginFactory
{
try
{
Class c = Class.forName(cname);
ret = (UserPersistence) c.newInstance();
Class<?> c = Class.forName(cname);
ret = (UserPersistence<T>) c.newInstance();
}
catch (Exception ex)
{
......
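Review bot: The new `ret = (GroupPersistence<T>) c.newInstance();` in the first PluginFactory hunk is still an unchecked cast that only fails after an arbitrary configured class has already been constructed; narrowing the loaded class first with `Class<? extends GroupPersistence> c = Class.forName(cname).asSubclass(GroupPersistence.class);` rejects a misconfigured or wrong-typed class name before instantiation with a ClassCastException that names the offending class, and `c.getDeclaredConstructor().newInstance()` avoids `Class.newInstance`, which silently propagates any checked exception the constructor throws and was later deprecated. The UserPersistence hunk has the same shape and should get the same treatment. Both enclosing methods start and end outside the hunks, so what the `catch (Exception ex)` block does with the failure cannot be reviewed here.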
......@@ -68,22 +68,26 @@
*/
package ca.nrc.cadc.ac.server.ldap;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.OpenIdPrincipal;
import ca.nrc.cadc.net.TransientException;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
public abstract class LdapDAO
{
......@@ -116,7 +120,15 @@ public abstract class LdapDAO
{
conn = new LDAPConnection(config.getServer(), config.getPort());
conn.bind(config.getAdminUserDN(), config.getAdminPasswd());
}
return conn;
}
protected DN getSubjectDN() throws LDAPException
{
if (subjDN == null)
{
Subject callerSubject =
Subject.getSubject(AccessController.getContext());
if (callerSubject == null)
......@@ -161,7 +173,7 @@ public abstract class LdapDAO
}
SearchResult searchResult =
conn.search(config.getUsersDN(), SearchScope.ONE,
getConnection().search(config.getUsersDN(), SearchScope.ONE,
ldapField, new String[] {"entrydn"});
if (searchResult.getEntryCount() < 1)
......@@ -173,17 +185,50 @@ public abstract class LdapDAO
subjDN = ((SearchResultEntry) searchResult.getSearchEntries()
.get(0)).getAttributeValueAsDN("entrydn");
}
return conn;
return subjDN;
}
protected DN getSubjectDN() throws LDAPException
/**
* Checks the Ldap result code, and if the result is not SUCCESS,
* throws an appropriate exception. This is the place to decide on
* mapping between ldap errors and exception types
* @param code
* @param errorMsg
* @throws TransientException
*/
protected static void checkLdapResult(ResultCode code, String errorMsg)
throws TransientException
{
if (subjDN == null)
String msg = "";
if (errorMsg != null)
{
getConnection();
msg = "(" + errorMsg + ")";
}
if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS)
{
throw new AccessControlException("Not authorized " + msg);
}
else if (code == ResultCode.INVALID_CREDENTIALS)
{
throw new AccessControlException("Invalid credentials " + msg);
}
else if (code == ResultCode.SUCCESS)
{
// all good. nothing to do
}
else if (code == ResultCode.PARAM_ERROR)
{
throw new IllegalArgumentException("Error in Ldap parameters " + msg);
}
else if (code == ResultCode.BUSY ||
code == ResultCode.CONNECT_ERROR )
{
throw new TransientException("Connection problems " + msg );
}
else
{
throw new RuntimeException("Ldap error" + msg);
}
return subjDN;
}
}
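Review bot: checkLdapResult has no branch for `ResultCode.AUTHORIZATION_DENIED`, which is the code a rejected ProxiedAuthorizationV2RequestControl is expected to produce, so a proxied-authorization failure reaches the final `throw new RuntimeException("Ldap error" + msg);` rather than an AccessControlException; LdapGroupDAO.getGroup in this same commit special-cases that code in its own catch, which suggests the mapping belongs here instead. Adding `else if (code == ResultCode.AUTHORIZATION_DENIED) { throw new AccessControlException("Not authorized " + msg); }` beside the INSUFFICIENT_ACCESS_RIGHTS branch keeps every caller that routes through checkLdapResult consistent. The fallback message also lacks a separator, so it renders as `Ldap error(…)`; `"Ldap error " + msg` matches the other branches. Note that `msg` embeds the server's diagnostic message into exception text that may propagate to callers, which is worth confirming against where these exceptions surface.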
......@@ -94,9 +94,11 @@ import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ModifyRequest;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
......@@ -122,7 +124,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
/**
* Creates the group.
* Persists a group.
*
* @param group The group to create
*
......@@ -142,6 +144,12 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throw new IllegalArgumentException("Group owner must be specified");
}
if (!group.getProperties().isEmpty())
{
throw new UnsupportedOperationException(
"Support for groups properties not available");
}
if (!isCreatorOwner(group.getOwner()))
{
throw new AccessControlException("Group owner must be creator");
......@@ -149,28 +157,13 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
try
{
getGroup(group.getID());
throw new GroupAlreadyExistsException(group.getID());
}
catch (GroupNotFoundException ex)
{
try
{
if (!group.getProperties().isEmpty())
{
throw new UnsupportedOperationException(
"Support for groups properties not available");
}
try
{
getInactiveGroup(group);
return reactivateGroup(group);
}
catch (GroupNotFoundException e)
{
// ignore
}
Group newGroup = reactivateGroup(group);
if ( newGroup != null)
{
return newGroup;
}
else
{
DN ownerDN = userPersist.getUserDN(group.getOwner());
......@@ -180,13 +173,15 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
group.description,
group.getUserMembers(),
group.getGroupMembers());
LdapDAO.checkLdapResult(result.getResultCode(), null);
// add group to admin groups tree
result = addGroup(getAdminGroupDN(group.getID()),
group.getID(), ownerDN,
group.description,
group.getUserMembers(),
group.getGroupMembers());
group.getUserAdmins(),
group.getGroupAdmins());
LdapDAO.checkLdapResult(result.getResultCode(), null);
try
{
......@@ -197,19 +192,20 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throw new RuntimeException("BUG: new group not found");
}
}
catch (LDAPException e)
{
e.printStackTrace();
throw new RuntimeException(e);
}
}
catch (LDAPException e)
{
LdapDAO.checkLdapResult(e.getResultCode(),
e.getDiagnosticMessage());
throw new RuntimeException("Unexpected LDAP exception", e);
}
}
private LDAPResult addGroup(final DN groupDN, final String groupID,
final DN ownerDN, final String description,
final Set<User<? extends Principal>> users,
final Set<Group> groups)
throws UserNotFoundException, LDAPException
throws UserNotFoundException, LDAPException, TransientException
{
// add new group
List<Attribute> attributes = new ArrayList<Attribute>();
......@@ -242,7 +238,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
AddRequest addRequest = new AddRequest(groupDN, attributes);
addRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
......@@ -250,89 +245,66 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
return getConnection().add(addRequest);
}
private Group getInactiveGroup(final Group group)
/**
* Checks whether group name available for the user or already in use.
* @param group
* @return activated group or null if group does not exists
* @throws AccessControlException
* @throws UserNotFoundException
* @throws GroupNotFoundException
* @throws TransientException
* @throws GroupAlreadyExistsException
*/
private Group reactivateGroup(final Group group)
throws AccessControlException, UserNotFoundException,
GroupNotFoundException
TransientException, GroupAlreadyExistsException
{
Group inactiveGroup;
try
{
inactiveGroup = getInactiveGroup(
getGroupDN(group.getID()), group.getID());
// check group name exists
Filter filter = Filter.createEqualityFilter("cn", group.getID());
SearchRequest searchRequest =
new SearchRequest(
getGroupDN(group.getID())
.toNormalizedString(), SearchScope.SUB, filter,
new String[] {"nsaccountlock"});
searchRequest.addControl(
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
if (inactiveGroup == null)
SearchResultEntry searchResult =
getConnection().searchForEntry(searchRequest);
if (searchResult == null)
{
return null;
}
if (!group.getOwner().equals(inactiveGroup.getOwner()))
if (searchResult.getAttributeValue("nsaccountlock") == null)
{
throw new AccessControlException(
"Inactive group not owned be requestor");
throw new
GroupAlreadyExistsException("Group already exists " + group.getID());
}
Group inactiveAdminGroup = getInactiveGroup(
getAdminGroupDN(group.getID()), group.getID());
if (inactiveAdminGroup == null)
// activate group
try
{
throw new RuntimeException(
"BUG: adminGroup not found for group " + group.getID());
}
if (!group.getOwner().equals(inactiveAdminGroup.getOwner()))
return modifyGroup(group, true);
}
catch (GroupNotFoundException e)
{
throw new RuntimeException(
"Bug: adminGroup owner doesn't match "
+ "group owner for group " + group.getID());
}
return inactiveGroup;
"BUG: group to modify does not exist" + group.getID());
}
}
catch (LDAPException e)
{
// TODO Auto-generated catch block
throw new RuntimeException("BUG: LDAP Exception: ", e);
}
}
private Group getInactiveGroup(final DN groupDN, final String groupID)
throws UserNotFoundException, LDAPException, GroupNotFoundException
{
Filter filter = Filter.createANDFilter(
Filter.createEqualityFilter("cn", groupID),
Filter.createEqualityFilter("nsaccountlock", "true"));
SearchRequest searchRequest =
new SearchRequest(groupDN.toNormalizedString(), SearchScope.SUB,
filter, new String[] {"cn", "owner"});
searchRequest.addControl(
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
SearchResultEntry searchResult =
getConnection().searchForEntry(searchRequest);
if (searchResult == null)
{
String msg = "Inactive Group not found " + groupID;
logger.debug(msg);
throw new GroupNotFoundException(msg);
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
throw new RuntimeException("Unexpected LDAP exception", e);
}
String groupCN = searchResult.getAttributeValue("cn");
DN groupOwner = searchResult.getAttributeValueAsDN("owner");
User<X500Principal> owner = userPersist.getMember(groupOwner);
return new Group(groupCN, owner);
}
private Group reactivateGroup(final Group group)
throws UserNotFoundException, LDAPException, TransientException,
AccessControlException, GroupNotFoundException
{
return modifyGroup(group, true);
}
/**
......@@ -407,18 +379,44 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
SearchResultEntry searchResult =
getConnection().searchForEntry(searchRequest);
SearchResult searchResult = null;
try
{
searchResult = getConnection().search(searchRequest);
}
catch (LDAPSearchException e)
{
if (e.getResultCode() == ResultCode.AUTHORIZATION_DENIED)
{
throw new AccessControlException("Unauthorized to access group " + groupID);
}
else if (e.getResultCode() == ResultCode.NO_SUCH_OBJECT)
{
String msg = "Group not found " + groupID;
logger.debug(msg);
throw new GroupNotFoundException(groupID);
}
else
{
throw new RuntimeException("Unknown LDAP exception: " + e.getResultCode());
}
}
if (searchResult == null)
if (searchResult.getEntryCount() == 0)
{
// deleted groups?
String msg = "Group not found " + groupID;
logger.debug(msg);
throw new GroupNotFoundException(groupID);
}
String groupCN = searchResult.getAttributeValue("cn");
DN groupOwner = searchResult.getAttributeValueAsDN("owner");
if (searchResult.getEntryCount() >1)
{
throw new RuntimeException("BUG: multiple results when retrieving group " + groupID);
}
SearchResultEntry searchEntry = searchResult.getSearchEntries().get(0);
String groupCN = searchEntry.getAttributeValue("cn");
DN groupOwner = searchEntry.getAttributeValueAsDN("owner");
User<X500Principal> owner;
try
......@@ -431,22 +429,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
Group ldapGroup = new Group(groupCN, owner);
if (searchResult.hasAttribute("description"))
if (searchEntry.hasAttribute("description"))
{
ldapGroup.description =
searchResult.getAttributeValue("description");
searchEntry.getAttributeValue("description");
}
if (searchResult.hasAttribute("modifytimestamp"))
if (searchEntry.hasAttribute("modifytimestamp"))
{
ldapGroup.lastModified =
searchResult.getAttributeValueAsDate("modifytimestamp");
searchEntry.getAttributeValueAsDate("modifytimestamp");
}
if (withMembers)
{
if (searchResult.getAttributeValues("uniquemember") != null)
if (searchEntry.getAttributeValues("uniquemember") != null)
{
for (String member : searchResult
for (String member : searchEntry
.getAttributeValues("uniquemember"))
{
DN memberDN = new DN(member);
......@@ -483,10 +481,8 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e1)
{
// TODO check which LDAP exceptions are transient and which
// ones are
// access control
throw new TransientException("Error getting the group", e1);
LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage());
throw new GroupNotFoundException("Not found " + groupID);
}
}
......@@ -506,6 +502,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throws GroupNotFoundException, TransientException,
AccessControlException, UserNotFoundException
{
getGroup(group.getID()); //group must exists first
return modifyGroup(group, false);
}
......@@ -518,16 +515,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throw new UnsupportedOperationException(
"Support for groups properties not available");
}
// check if group exists
if (withActivate)
{
getInactiveGroup(group);
}
else
{
getGroup(group.getID());
}
List<Modification> mods = new ArrayList<Modification>();
List<Modification> adminMods = new ArrayList<Modification>();
......@@ -549,16 +536,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
List<String> newMembers = new ArrayList<String>();
for (User<?> member : group.getUserMembers())
{
DN memberDN;
try
{
memberDN = userPersist.getUserDN(member);
}
catch (LDAPException e)
{
throw new UserNotFoundException("User not found "
+ member.getUserID());
}
DN memberDN = userPersist.getUserDN(member);
newMembers.add(memberDN.toNormalizedString());
}
for (Group gr : group.getGroupMembers())
......@@ -569,16 +547,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
List<String> newAdmins = new ArrayList<String>();
for (User<?> member : group.getUserAdmins())
{
DN memberDN;
try
{
memberDN = userPersist.getUserDN(member);
}
catch (LDAPException e)
{
throw new UserNotFoundException(
"User not found " + member.getUserID());
}
DN memberDN = userPersist.getUserDN(member);
newAdmins.add(memberDN.toNormalizedString());
}
for (Group gr : group.getGroupAdmins())
......@@ -599,24 +568,21 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LDAPResult result = getConnection().modify(modifyRequest);
}
catch (LDAPException e1)
{
throw new RuntimeException("LDAP problem", e1);
}
// modify the group itself now
modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods);
try
{
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode(), null);
// modify the group itself now
modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods);
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LDAPResult result = getConnection().modify(modifyRequest);
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode(), null);
}
catch (LDAPException e1)
{
throw new RuntimeException("LDAP problem", e1);
LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage());
}
try
{
......@@ -685,10 +651,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LDAPResult result = getConnection().modify(modifyRequest);
LdapDAO.checkLdapResult(result.getResultCode(), null);
}
catch (LDAPException e1)
{
throw new RuntimeException("LDAP problem", e1);
LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage());
}
try
......@@ -721,18 +688,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
GroupNotFoundException, UserNotFoundException
{
User<T> user = new User<T>(userID);
DN userDN;
try
{
userDN = userPersist.getUserDN(user);
}
catch (LDAPException e)
{
// TODO check which LDAP exceptions are transient and which
// ones are
// access control
throw new TransientException("Error getting user", e);
}
DN userDN = userPersist.getUserDN(user);
Collection<DN> groupDNs = new HashSet<DN>();
if (role == Role.OWNER)
......@@ -769,6 +725,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throws TransientException, AccessControlException,
GroupNotFoundException, UserNotFoundException
{
Collection<DN> groupDNs = new HashSet<DN>();
try
{
Filter filter = Filter.createEqualityFilter("owner",
......@@ -787,22 +744,18 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
Collection<DN> groupDNs = new HashSet<DN>();
SearchResult results = getConnection().search(searchRequest);
for (SearchResultEntry result : results.getSearchEntries())
{
String entryDN = result.getAttributeValue("entrydn");
groupDNs.add(new DN(entryDN));
}
return groupDNs;
}
catch (LDAPException e1)
{
// TODO check which LDAP exceptions are transient and which
// ones are
// access control
throw new TransientException("Error getting groups", e1);
LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage());
}
return groupDNs;
}
protected Collection<DN> getMemberGroups(final User<T> user,
......@@ -812,7 +765,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
throws TransientException, AccessControlException,
GroupNotFoundException, UserNotFoundException
{
Collection<DN> groups = new HashSet<DN>();
Collection<DN> groupDNs = new HashSet<DN>();
if (groupID != null)
{
DN groupDN;
......@@ -827,17 +780,16 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
if (userPersist.isMember(user.getUserID(),
groupDN.toNormalizedString()))
{
groups.add(groupDN);
groupDNs.add(groupDN);
}
}
else
{
Collection<DN> memberGroupDNs =
userPersist.getUserGroups(user.getUserID(), isAdmin);
groups.addAll(memberGroupDNs);
logger.debug("# groups found: " + memberGroupDNs.size());
groupDNs.addAll(memberGroupDNs);
}
return groups;
return groupDNs;
}
/**
......@@ -873,7 +825,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
* @param groupID
* @return
*/
protected DN getGroupDN(final String groupID)
protected DN getGroupDN(final String groupID) throws TransientException
{
try
{
......@@ -881,6 +833,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e)
{
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
throw new IllegalArgumentException(groupID + " not a valid group ID");
}
......@@ -890,7 +843,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
* @param groupID
* @return
*/
protected DN getAdminGroupDN(final String groupID)
protected DN getAdminGroupDN(final String groupID) throws TransientException
{
try
{
......@@ -898,6 +851,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e)
{
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
throw new IllegalArgumentException(groupID + " not a valid group ID");
}
......
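Review bot: The rewritten reactivateGroup drops the ownership check that the removed getInactiveGroup path performed (`if (!group.getOwner().equals(inactiveGroup.getOwner())) throw new AccessControlException("Inactive group not owned be requestor")`): the new search requests only `nsaccountlock`, and a locked entry goes straight to `modifyGroup(group, true)`. The isCreatorOwner test earlier in addGroup only verifies that the submitted Group object names the caller as owner, not what the directory records for the existing entry, so unless the LDAP ACIs applied under the proxied-authorization control reject the modify, a caller can revive and take ownership of another user's deactivated group name. Requesting `owner` alongside `nsaccountlock` and comparing it with `userPersist.getUserDN(group.getOwner())` (which reactivateGroup's throws clause already covers) restores the check at the application level.
```java
                                new String[] {"nsaccountlock", "owner"});
        // … unchanged: proxied-authorization control, searchForEntry, null and nsaccountlock checks …
        DN storedOwner = searchResult.getAttributeValueAsDN("owner");
        if (storedOwner == null
            || !storedOwner.equals(userPersist.getUserDN(group.getOwner())))
        {
            throw new AccessControlException(
                "Inactive group not owned by requestor");
        }
        // activate group
```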
......@@ -84,7 +84,6 @@ import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.net.TransientException;
import com.unboundid.ldap.sdk.CompareRequest;
......@@ -167,7 +166,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e)
{
e.printStackTrace();
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
if (searchResult == null)
......@@ -203,6 +202,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
public Collection<DN> getUserGroups(final T userID, final boolean isAdmin)
throws UserNotFoundException, TransientException, AccessControlException
{
Collection<DN> groupDNs = new HashSet<DN>();
try
{
String searchField = (String) userLdapAttrib.get(userID.getClass());
......@@ -239,7 +239,6 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
parentDN = new DN(config.getGroupsDN());
}
Collection<DN> groupDNs = new HashSet<DN>();
if (searchResult != null)
{
String[] members = searchResult.getAttributeValues("memberOf");
......@@ -254,17 +253,13 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
}
}
}
}
return groupDNs;
}
}
catch (LDAPException e)
{
e.printStackTrace();
// TODO check which LDAP exceptions are transient and which
// ones are
// access control
throw new TransientException("Error getting user groups", e);
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
return groupDNs;
}
/**
......@@ -315,15 +310,48 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
}
return true;
}
catch (LDAPException e1)
catch (LDAPException e)
{
// TODO check which LDAP exceptions are transient and which
// ones are
// access control
throw new TransientException("Error getting the user", e1);
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
return false;
}
// public boolean isMember(T userID, String groupID)
// throws UserNotFoundException, TransientException,
// AccessControlException
// {
// try
// {
// String searchField = (String) userLdapAttrib.get(userID.getClass());
// if (searchField == null)
// {
// throw new IllegalArgumentException(
// "Unsupported principal type " + userID.getClass());
// }
//
// User<T> user = getUser(userID);
// DN userDN = getUserDN(user);
//
// CompareRequest compareRequest =
// new CompareRequest(userDN.toNormalizedString(),
// "memberOf", groupID);
//
// compareRequest.addControl(
// new ProxiedAuthorizationV2RequestControl("dn:" +
// getSubjectDN().toNormalizedString()));
//
// CompareResult compareResult =
// getConnection().compare(compareRequest);
// return compareResult.compareMatched();
// }
// catch (LDAPException e)
// {
// LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
// throw new RuntimeException("Unexpected LDAP exception", e);
// }
// }
/**
* Returns a member user identified by the X500Principal only. The
* returned object has the fields required by the GMS.
......@@ -371,7 +399,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
DN getUserDN(User<? extends Principal> user)
throws LDAPException, UserNotFoundException
throws UserNotFoundException, TransientException
{
String searchField = (String) userLdapAttrib.get(user.getUserID().getClass());
if (searchField == null)
......@@ -383,17 +411,22 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
searchField = "(" + searchField + "=" +
user.getUserID().getName() + ")";
SearchRequest searchRequest =
new SearchRequest(this.config.getUsersDN(), SearchScope.SUB,
searchField, new String[] {"entrydn"});
SearchResultEntry searchResult = null;
try
{
SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB,
searchField, new String[] {"entrydn"});
// searchRequest.addControl(
// new ProxiedAuthorizationV2RequestControl("dn:" +
// getSubjectDN().toNormalizedString()));
SearchResultEntry searchResult =
searchResult =
getConnection().searchForEntry(searchRequest);
} catch (LDAPException e)
{
LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage());
}
if (searchResult == null)
{
String msg = "User not found " + user.getUserID().toString();
......
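Review bot: getUserDN still builds its search filter by string concatenation, `searchField = "(" + searchField + "=" + user.getUserID().getName() + ")"`, and the reworked try block hands that string to `new SearchRequest(...)` unescaped, so a principal name containing filter syntax characters alters the query instead of being matched literally. The rest of this commit already uses the SDK's Filter factories (getGroup, getOwnerGroups), so `new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, Filter.createEqualityFilter(searchField, user.getUserID().getName()), "entrydn")` with `searchField` still holding the attribute name performs the same lookup with escaping done by the SDK. Whether a Principal name can carry such characters depends on the authentication layer that produces it, which is not visible here. Style point: `} catch (LDAPException e)` puts the catch on the closing-brace line, whereas every other catch in these files sits on its own line.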
......@@ -719,6 +719,32 @@ public class LdapGroupDAOTest
return null;
}
});
// change the user
Subject.doAs(daoTestUser2Subject, new PrivilegedExceptionAction<Object>()
{
public Object run() throws Exception
{
try
{
Group group = getGroupDAO().getGroup(groupID);
assertTrue(group == null);
fail("searchGroups with unknown user should throw " +
"GroupNotFoundException");
}
catch (GroupNotFoundException ignore)
{
}
return null;
}
});
}
private void assertGroupsEqual(Group gr1, Group gr2)
......
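Review bot: In the new daoTestUser2Subject block, `assertTrue(group == null);` ahead of `fail(...)` is dead code: if getGroup returns at all the test must fail, and when the group is non-null the AssertionError from assertTrue carries no message and is not caught by the GroupNotFoundException handler, so the explanatory text in `fail` is never shown; keep only the `fail(...)` call. The message also names searchGroups while the call under test is getGroup, e.g. `fail("getGroup as daoTestUser2 should throw GroupNotFoundException");`. The enclosing test method starts outside the hunk.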