1e2f5dea
Commit
1e2f5dea
authored
Dec 02, 2016
by
Brian Major
Fixed gathering of operator credentials
parent
7cbc62a8
Changes
2
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
...
...
@@ -72,9 +72,12 @@
import
java.io.PrintStream
;
import
java.security.cert.CertificateException
;
import
javax.security.auth.Subject
;
import
org.apache.log4j.Level
;
import
org.apache.log4j.Logger
;
import
ca.nrc.cadc.auth.CertCmdArgUtil
;
import
ca.nrc.cadc.util.ArgumentMap
;
import
ca.nrc.cadc.util.Log4jInit
;
import
ca.nrc.cadc.util.StringUtil
;
...
...
@@ -95,6 +98,7 @@ public class CmdLineParser
private
Level
logLevel
=
Level
.
OFF
;
private
AbstractCommand
command
;
private
boolean
isHelpCommand
=
false
;
private
ArgumentMap
am
;
/**
* Constructor.
...
...
@@ -105,7 +109,7 @@ public class CmdLineParser
public
CmdLineParser
(
final
String
[]
args
,
final
PrintStream
outStream
,
final
PrintStream
errStream
)
throws
UsageException
,
CertificateException
{
ArgumentMap
am
=
new
ArgumentMap
(
args
);
am
=
new
ArgumentMap
(
args
);
this
.
setLogLevel
(
am
);
this
.
parse
(
am
,
outStream
,
errStream
);
}
...
...
@@ -127,6 +131,11 @@ public class CmdLineParser
return
this
.
logLevel
;
}
public
Subject
getSubjectFromCert
()
{
return
CertCmdArgUtil
.
initSubject
(
am
);
}
/*
* Set the log level.
* @param am Input arguments
...
...
@@ -294,6 +303,8 @@ public class CmdLineParser
StringBuilder
sb
=
new
StringBuilder
();
sb
.
append
(
"\n"
);
sb
.
append
(
"Usage: "
+
APP_NAME
+
" <command> [-v|--verbose|-d|--debug] [-h|--help]\n"
);
sb
.
append
(
CertCmdArgUtil
.
getCertArgUsage
());
sb
.
append
(
"\n"
);
sb
.
append
(
"Where command is\n"
);
sb
.
append
(
"--list : List users in the Users tree\n"
);
sb
.
append
(
"--list-pending : List users in the UserRequests tree\n"
);
...
...
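Review bot: The new public method `getSubjectFromCert()` has no Javadoc, and the new field `am` is assigned only in the constructor, so it can be declared `private final ArgumentMap am;` to make that invariant explicit. For the method I would add a comment along the lines of "Builds a Subject from the certificate command-line arguments parsed by this instance; appears to return null when none were given, since CommandRunner null-checks the result — confirm against CertCmdArgUtil.initSubject". Whether `initSubject` throws or returns null on a malformed certificate argument is not visible here and is worth stating in that Javadoc, because the caller only handles the null case.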
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
...
...
@@ -69,19 +69,17 @@
package
ca.nrc.cadc.ac.admin
;
import
java.security.Principal
;
import
java.util.HashSet
;
import
java.util.Set
;
import
javax.security.auth.Subject
;
import
javax.security.auth.x500.X500Principal
;
import
org.apache.log4j.Logger
;
import
ca.nrc.cadc.ac.UserNotFoundException
;
import
ca.nrc.cadc.ac.server.UserPersistence
;
import
ca.nrc.cadc.ac.server.ldap.LdapConfig
;
import
ca.nrc.cadc.auth.AuthenticationUtil
;
import
ca.nrc.cadc.auth.DelegationToken
;
import
ca.nrc.cadc.auth.HttpPrincipal
;
import
ca.nrc.cadc.auth.PrincipalExtractor
;
import
ca.nrc.cadc.auth.SSOCookieCredential
;
import
ca.nrc.cadc.auth.X509CertificateChain
;
...
...
@@ -112,50 +110,59 @@ public class CommandRunner
AbstractCommand
command
=
commandLineParser
.
getCommand
();
command
.
setUserPersistence
(
userPersistence
);
Principal
userIDPrincipal
=
null
;
Subject
operatorSubject
=
new
Subject
();
if
(
command
instanceof
AbstractUserCommand
)
{
userIDPrincipal
=
((
AbstractUserCommand
)
command
).
getPrincipal
();
Principal
userIDPrincipal
=
((
AbstractUserCommand
)
command
).
getPrincipal
();
operatorSubject
.
getPrincipals
().
add
(
userIDPrincipal
);
}
if
(
userIDPrincipal
==
null
)
else
{
// run as the operator
LdapConfig
config
=
LdapConfig
.
getLdapConfig
();
String
proxyDN
=
config
.
getProxyUserDN
();
if
(
proxyDN
==
null
)
throw
new
IllegalArgumentException
(
"No ldap account in .dbrc"
);
String
userIDLabel
=
"uid="
;
int
uidIndex
=
proxyDN
.
indexOf
(
"uid="
);
int
commaIndex
=
proxyDN
.
indexOf
(
","
,
userIDLabel
.
length
());
String
userID
=
proxyDN
.
substring
(
uidIndex
+
userIDLabel
.
length
(),
commaIndex
);
userIDPrincipal
=
new
HttpPrincipal
(
userID
);
// run as the operator using their cert
Subject
subjectFromCert
=
commandLineParser
.
getSubjectFromCert
();
if
(
subjectFromCert
==
null
)
throw
new
IllegalArgumentException
(
"Certificate required"
);
Set
<
X500Principal
>
pSet
=
subjectFromCert
.
getPrincipals
(
X500Principal
.
class
);
if
(
pSet
.
isEmpty
())
throw
new
IllegalArgumentException
(
"Certificate required"
);
operatorSubject
.
getPrincipals
().
addAll
(
subjectFromCert
.
getPrincipals
());
operatorSubject
.
getPublicCredentials
().
addAll
(
subjectFromCert
.
getPublicCredentials
());
}
// run as the user
LOGGER
.
debug
(
"running as "
+
userIDPrincipal
.
getName
());
Set
<
Principal
>
userPrincipals
=
new
HashSet
<
Principal
>(
1
);
userPrincipals
.
add
(
userIDPrincipal
);
AnonPrincipalExtractor
principalExtractor
=
new
AnonPrincipalExtractor
(
userPrincipals
);
AnonPrincipalExtractor
principalExtractor
=
new
AnonPrincipalExtractor
(
operatorSubject
);
Subject
subject
=
AuthenticationUtil
.
getSubject
(
principalExtractor
);
LOGGER
.
debug
(
"running as: "
+
subject
);
Subject
.
doAs
(
subject
,
command
);
}
class
AnonPrincipalExtractor
implements
PrincipalExtractor
{
S
et
<
Principal
>
principal
s
;
S
ubject
s
;
AnonPrincipalExtractor
(
S
et
<
Principal
>
principal
s
)
AnonPrincipalExtractor
(
S
ubject
s
)
{
this
.
principals
=
principal
s
;
this
.
s
=
s
;
}
public
Set
<
Principal
>
getPrincipals
()
{
return
p
rincipals
;
return
s
.
getP
rincipals
()
;
}
public
X509CertificateChain
getCertificateChain
()
{
LOGGER
.
debug
(
"getCerfiticateChain called"
);
for
(
Object
o
:
s
.
getPublicCredentials
())
{
if
(
o
instanceof
X509CertificateChain
)
{
LOGGER
.
debug
(
"returning certificate chain."
);
return
(
X509CertificateChain
)
o
;
}
}
return
null
;
}
public
DelegationToken
getDelegationToken
()
...
...
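Review bot: In the `AbstractUserCommand` branch the principal returned by `getPrincipal()` is added to `operatorSubject` without a null check, whereas the removed code treated a null principal as "run as the operator"; `Subject.getPrincipals().add(null)` fails with a `SecurityException` about a non-Principal object rather than a clear message, if `getPrincipal()` can return null, which this hunk does not show. A guard such as `if (userIDPrincipal == null) throw new IllegalArgumentException("User principal required");` before the `add` keeps that failure explicit. The debug line `LOGGER.debug("running as: " + subject)` now renders the whole Subject, which after this change carries the operator's public credentials including the certificate chain; logging `subject.getPrincipals()` instead keeps credential material out of the log. Note also that the "Certificate required" checks apply only to the `else` branch, so a user-targeted command still runs as whatever principal the command carries with no operator certificate presented; if that is intended it deserves a one-line comment on the `if`.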