Commit 1e2f5dea authored by Brian Major's avatar Brian Major

Fixed gathering of operator credentials

parent 7cbc62a8
+12 −1
@@ -72,9 +72,12 @@
import java.io.PrintStream;
import java.security.cert.CertificateException;

import javax.security.auth.Subject;

import org.apache.log4j.Level;
import org.apache.log4j.Logger;

import ca.nrc.cadc.auth.CertCmdArgUtil;
import ca.nrc.cadc.util.ArgumentMap;
import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.util.StringUtil;
@@ -95,6 +98,7 @@ public class CmdLineParser
    private Level logLevel = Level.OFF;
    private AbstractCommand command;
    private boolean isHelpCommand = false;
    private ArgumentMap am;

    /**
     * Constructor.
@@ -105,7 +109,7 @@ public class CmdLineParser
    public CmdLineParser(final String[] args, final PrintStream outStream,
        final PrintStream errStream) throws UsageException, CertificateException
    {
        ArgumentMap am = new ArgumentMap( args );
        am = new ArgumentMap( args );
    	this.setLogLevel(am);
    	this.parse(am, outStream, errStream);
    }
@@ -127,6 +131,11 @@ public class CmdLineParser
    	return this.logLevel;
    }

    public Subject getSubjectFromCert()
    {
        return CertCmdArgUtil.initSubject(am);
    }

    /*
     * Set the log level.
     * @param am Input arguments
@@ -294,6 +303,8 @@ public class CmdLineParser
    	StringBuilder sb = new StringBuilder();
    	sb.append("\n");
    	sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n");
    	sb.append(CertCmdArgUtil.getCertArgUsage());
    	sb.append("\n");
    	sb.append("Where command is\n");
    	sb.append("--list                       : List users in the Users tree\n");
    	sb.append("--list-pending               : List users in the UserRequests tree\n");
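Review bot: `getSubjectFromCert()` in the third hunk (after `getLogLevel()`) has no Javadoc, and because it returns whatever `CertCmdArgUtil.initSubject(am)` produces, a reader of this class cannot tell whether a run without certificate arguments yields null, an empty Subject, or an exception; the `CommandRunner` change on this page guards against both null and an empty `X500Principal` set, so the contract should be stated on the method with a Javadoc that says it builds the operator Subject from the certificate command-line arguments and what it returns when none were supplied (to be confirmed against `CertCmdArgUtil.initSubject`). In the second hunk the new field is assigned only once, in the constructor, so it can be `private final ArgumentMap am;`, which makes the "parsed arguments captured at construction" intent explicit. The new assignment `am = new ArgumentMap( args );` in the constructor is space-indented while the two lines that follow it use tabs; the block should use one indentation style. The enclosing `CmdLineParser` class starts and ends outside these hunks.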
+33 −26
@@ -69,19 +69,17 @@
package ca.nrc.cadc.ac.admin;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

import org.apache.log4j.Logger;

import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.ac.server.ldap.LdapConfig;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.DelegationToken;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.PrincipalExtractor;
import ca.nrc.cadc.auth.SSOCookieCredential;
import ca.nrc.cadc.auth.X509CertificateChain;
@@ -112,50 +110,59 @@ public class CommandRunner
        AbstractCommand command = commandLineParser.getCommand();
        command.setUserPersistence(userPersistence);

        Principal userIDPrincipal = null;
        Subject operatorSubject = new Subject();

        if (command instanceof AbstractUserCommand)
        {
            userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
            Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
            operatorSubject.getPrincipals().add(userIDPrincipal);
        }

        if (userIDPrincipal == null)
        else
        {
            // run as the operator
            LdapConfig config = LdapConfig.getLdapConfig();
            String proxyDN = config.getProxyUserDN();
            if (proxyDN == null)
                throw new IllegalArgumentException("No ldap account in .dbrc");

            String userIDLabel = "uid=";
            int uidIndex = proxyDN.indexOf("uid=");
            int commaIndex = proxyDN.indexOf(",", userIDLabel.length());
            String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex);
            userIDPrincipal = new HttpPrincipal(userID);
            // run as the operator using their cert
            Subject subjectFromCert = commandLineParser.getSubjectFromCert();

            if (subjectFromCert == null)
                throw new IllegalArgumentException("Certificate required");

            Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class);
            if (pSet.isEmpty())
                throw new IllegalArgumentException("Certificate required");

            operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
            operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
        }

        // run as the user
        LOGGER.debug("running as " + userIDPrincipal.getName());
        Set<Principal> userPrincipals = new HashSet<Principal>(1);
        userPrincipals.add(userIDPrincipal);
        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals);
        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(operatorSubject);
        Subject subject = AuthenticationUtil.getSubject(principalExtractor);
        LOGGER.debug("running as: " + subject);
        Subject.doAs(subject, command);
    }

    class AnonPrincipalExtractor implements PrincipalExtractor
    {
        Set<Principal> principals;
        Subject s;

        AnonPrincipalExtractor(Set<Principal> principals)
        AnonPrincipalExtractor(Subject s)
        {
            this.principals = principals;
            this.s = s;
        }
        public Set<Principal> getPrincipals()
        {
            return principals;
            return s.getPrincipals();
        }
        public X509CertificateChain getCertificateChain()
        {
            LOGGER.debug("getCerfiticateChain called");
            for (Object o : s.getPublicCredentials())
            {
                if (o instanceof X509CertificateChain)
                {
                    LOGGER.debug("returning certificate chain.");
                    return (X509CertificateChain) o;
                }
            }
            return null;
        }
        public DelegationToken getDelegationToken()