Commit 1e2f5dea authored by Brian Major

Fixed gathering of operator credentials

parent 7cbc62a8
...@@ -72,9 +72,12 @@ ...@@ -72,9 +72,12 @@
import java.io.PrintStream; import java.io.PrintStream;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import javax.security.auth.Subject;
import org.apache.log4j.Level; import org.apache.log4j.Level;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import ca.nrc.cadc.auth.CertCmdArgUtil;
import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.ArgumentMap;
import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit;
import ca.nrc.cadc.util.StringUtil; import ca.nrc.cadc.util.StringUtil;
...@@ -95,6 +98,7 @@ public class CmdLineParser ...@@ -95,6 +98,7 @@ public class CmdLineParser
private Level logLevel = Level.OFF; private Level logLevel = Level.OFF;
private AbstractCommand command; private AbstractCommand command;
private boolean isHelpCommand = false; private boolean isHelpCommand = false;
private ArgumentMap am;
/** /**
* Constructor. * Constructor.
...@@ -105,7 +109,7 @@ public class CmdLineParser ...@@ -105,7 +109,7 @@ public class CmdLineParser
public CmdLineParser(final String[] args, final PrintStream outStream, public CmdLineParser(final String[] args, final PrintStream outStream,
final PrintStream errStream) throws UsageException, CertificateException final PrintStream errStream) throws UsageException, CertificateException
{ {
ArgumentMap am = new ArgumentMap( args ); am = new ArgumentMap( args );
this.setLogLevel(am); this.setLogLevel(am);
this.parse(am, outStream, errStream); this.parse(am, outStream, errStream);
} }
...@@ -127,6 +131,11 @@ public class CmdLineParser ...@@ -127,6 +131,11 @@ public class CmdLineParser
return this.logLevel; return this.logLevel;
} }
public Subject getSubjectFromCert()
{
return CertCmdArgUtil.initSubject(am);
}
/* /*
* Set the log level. * Set the log level.
* @param am Input arguments * @param am Input arguments
...@@ -294,6 +303,8 @@ public class CmdLineParser ...@@ -294,6 +303,8 @@ public class CmdLineParser
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
sb.append("\n"); sb.append("\n");
sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n");
sb.append(CertCmdArgUtil.getCertArgUsage());
sb.append("\n");
sb.append("Where command is\n"); sb.append("Where command is\n");
sb.append("--list : List users in the Users tree\n"); sb.append("--list : List users in the Users tree\n");
sb.append("--list-pending : List users in the UserRequests tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n");
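Review bot: The new `getSubjectFromCert()` (after `getLogLevel`) has no Javadoc, and its contract on a missing or unreadable certificate — null return versus exception — is not visible here because it delegates entirely to `CertCmdArgUtil.initSubject(am)`; the caller in CommandRunner appears to rely on a null return, so state which it is, e.g. `/** Builds the operator Subject from the certificate arguments described by CertCmdArgUtil.getCertArgUsage(); returns null when none were given (behaviour delegated to CertCmdArgUtil.initSubject — confirm it does not throw instead). */`. The new field `am` is assigned once in the constructor and only read afterwards, so declare it `private final ArgumentMap am;` to make that explicit. The remainder of CmdLineParser (`parse`, `setLogLevel`) lies outside these hunks.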
...@@ -69,19 +69,17 @@ ...@@ -69,19 +69,17 @@
package ca.nrc.cadc.ac.admin; package ca.nrc.cadc.ac.admin;
import java.security.Principal; import java.security.Principal;
import java.util.HashSet;
import java.util.Set; import java.util.Set;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.ac.server.ldap.LdapConfig;
import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.DelegationToken;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.PrincipalExtractor;
import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.SSOCookieCredential;
import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.auth.X509CertificateChain;
...@@ -112,50 +110,59 @@ public class CommandRunner ...@@ -112,50 +110,59 @@ public class CommandRunner
AbstractCommand command = commandLineParser.getCommand(); AbstractCommand command = commandLineParser.getCommand();
command.setUserPersistence(userPersistence); command.setUserPersistence(userPersistence);
Principal userIDPrincipal = null; Subject operatorSubject = new Subject();
if (command instanceof AbstractUserCommand) if (command instanceof AbstractUserCommand)
{ {
userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
operatorSubject.getPrincipals().add(userIDPrincipal);
} }
else
if (userIDPrincipal == null)
{ {
// run as the operator // run as the operator using their cert
LdapConfig config = LdapConfig.getLdapConfig(); Subject subjectFromCert = commandLineParser.getSubjectFromCert();
String proxyDN = config.getProxyUserDN();
if (proxyDN == null) if (subjectFromCert == null)
throw new IllegalArgumentException("No ldap account in .dbrc"); throw new IllegalArgumentException("Certificate required");
String userIDLabel = "uid="; Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class);
int uidIndex = proxyDN.indexOf("uid="); if (pSet.isEmpty())
int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); throw new IllegalArgumentException("Certificate required");
String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex);
userIDPrincipal = new HttpPrincipal(userID); operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
} }
// run as the user // run as the user
LOGGER.debug("running as " + userIDPrincipal.getName()); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(operatorSubject);
Set<Principal> userPrincipals = new HashSet<Principal>(1);
userPrincipals.add(userIDPrincipal);
AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals);
Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject subject = AuthenticationUtil.getSubject(principalExtractor);
LOGGER.debug("running as: " + subject);
Subject.doAs(subject, command); Subject.doAs(subject, command);
} }
class AnonPrincipalExtractor implements PrincipalExtractor class AnonPrincipalExtractor implements PrincipalExtractor
{ {
Set<Principal> principals; Subject s;
AnonPrincipalExtractor(Set<Principal> principals) AnonPrincipalExtractor(Subject s)
{ {
this.principals = principals; this.s = s;
} }
public Set<Principal> getPrincipals() public Set<Principal> getPrincipals()
{ {
return principals; return s.getPrincipals();
} }
public X509CertificateChain getCertificateChain() public X509CertificateChain getCertificateChain()
{ {
LOGGER.debug("getCerfiticateChain called");
for (Object o : s.getPublicCredentials())
{
if (o instanceof X509CertificateChain)
{
LOGGER.debug("returning certificate chain.");
return (X509CertificateChain) o;
}
}
return null; return null;
} }
public DelegationToken getDelegationToken() public DelegationToken getDelegationToken()
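Review bot: In the `AbstractUserCommand` branch, `operatorSubject.getPrincipals().add(userIDPrincipal)` throws a NullPointerException if `getPrincipal()` returns null, because a Subject's principal set rejects null elements, whereas the removed code explicitly handled that case (`if (userIDPrincipal == null)`); fail with a clear message instead: `if (userIDPrincipal == null) throw new IllegalArgumentException("User principal required");` before the `add`. The added `LOGGER.debug("running as: " + subject)` renders the whole Subject via `Subject.toString()`, which prints its principals and public credentials — presumably including the `X509CertificateChain` copied from the operator's certificate — into the log; log `subject.getPrincipals()` only, unless you have confirmed that the chain's `toString()` exposes nothing sensitive. Note also that on the user-command path the operator's certificate is never requested, so the command runs purely as the named user with no operator identity attached — if that is intended, a short comment saying so would help the next reader. The debug message `"getCerfiticateChain called"` is misspelled. The enclosing method starts before this hunk.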