s1886 - New policies for accounts with no http pricipal

2b22b097 · Brian Major · 9c6e670f · 2b22b097 · 2b22b097
Commit 2b22b097 authored Mar 24, 2016 by Brian Major
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupPersistence.java
@@ -92,6 +92,7 @@ import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.DNPrincipal;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.util.ObjectUtil;

@@ -125,8 +126,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
    {
        // current policy: group names visible to all authenticated users
        Subject caller = AuthenticationUtil.getCurrentSubject();
-        if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
-            throw new AccessControlException("Caller is not authenticated");
+        checkAuthenticatedWithAccount(caller);

        LdapGroupDAO groupDAO = null;
        LdapUserDAO userDAO = null;
@@ -175,6 +175,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
               GroupNotFoundException
    {
        Subject caller = AuthenticationUtil.getCurrentSubject();
+        checkAuthenticatedWithAccount(caller);
        Principal userID = getUser(caller);

        LdapConnections conns = new LdapConnections(this);
@@ -395,4 +396,13 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
        GroupMemberships gms = gset.iterator().next();
        return gms.getUserID();
    }
+
+    private void checkAuthenticatedWithAccount(Subject caller)
+    {
+        if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
+            throw new AccessControlException("Caller is not authenticated");
+
+        if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+            throw new AccessControlException("Caller does not have authorized account");
+    }
 }
--- a/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
+++ b/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java
@@ -290,6 +290,10 @@ public class LdapUserPersistence extends LdapPersistence implements UserPersiste
        if (caller == null || AuthMethod.ANON.equals(AuthenticationUtil.getAuthMethod(caller)))
            throw new AccessControlException("Caller is not authenticated");

+        // user must also have an approved account
+        if (caller.getPrincipals(HttpPrincipal.class).isEmpty())
+            throw new AccessControlException("Caller does not have authorized account");
+
        LdapUserDAO userDAO = null;
        LdapConnections conns = new LdapConnections(this);
        try