Loading projects/cadcAccessControl-Admin/build.xml +8 −12 Original line number Diff line number Diff line Loading @@ -81,7 +81,7 @@ <property file="local.build.properties"/> <property name="project" value="userAdmin"/> <property name="project" value="cadcAccessControl-Admin"/> <!-- JAR files to be included in classpath and war file --> <property name="cadcAC" value="${lib}/cadcAccessControl.jar"/> Loading @@ -91,15 +91,13 @@ <property name="log4j" value="${ext.lib}/log4j.jar"/> <property name="commons-logging" value="${ext.lib}/commons-logging.jar"/> <property name="unboundid" value="${ext.lib}/unboundid-ldapsdk-se.jar"/> <property name="servlet-api" value="${ext.lib}/servlet-api.jar"/> <property name="jars" value="${cadcAC}:${cadcAC-Server}:${cadcUtil}:${log4j}"/> <property name="cadc" value="${cadcAC}:${cadcAC-Server}:${cadcUtil}"/> <property name="client.cadc.jars" value="${cadcAC}:${cadcAC-Server}:${cadcLog}:${cadcUtil}"/> <property name="client.external.jars" value="${unboundid}:${log4j}:${servlet-api}"/> <property name="client.cadc.jars" value="${cadcAC}:${cadcAC-Server}:${cadcLog}:${cadcUtil}"/> <property name="client.external.jars" value="${unboundid}:${log4j}"/> <property name="jars" value="${cadc}:${external}"/> <property name="jars" value="${cadc}:${client.cadc.jars}:${client.external.jars}"/> <target name="build" depends="compile,manifest"> <jar jarfile="${build}/lib/${project}.jar" Loading Loading @@ -136,8 +134,7 @@ <manifest file="${build}/tmp/${project}.mf" mode="replace"> <attribute name="Main-Class" value="ca.nrc.cadc.ac.admin.Main"/> <attribute name="Class-Path" value="${client.flat.manifest} ${client.non-flat.manifest}"/> <attribute name="Class-Path" value="${client.flat.manifest} ${client.non-flat.manifest}"/> </manifest> </target> Loading 
@@ -149,8 +146,7 @@ <property name="junit" value="${ext.dev}/junit.jar" /> <property name="objenesis" value="${ext.dev}/objenesis.jar" /> <property name="testingJars" value="${junit}:${asm}:${cglib}:${easymock}:${objenesis}:{unboundid}:${cadcLog}"/> <property name="testingJars" value="${junit}:${asm}:${cglib}:${easymock}:${objenesis}:{unboundid}:${cadcLog}"/> <target name="int-test" depends="build,compile-test,setup-test"> <echo message="Running test suite..."/> Loading projects/cadcAccessControl-Admin/scripts/userAdmin +1 −1 Original line number Diff line number Diff line #!/bin/bash java -Xmx128m -jar ${CADC_ROOT}/lib/userAdmin.jar $* java -Xmx128m -jar ${CADC_ROOT}/lib/cadcAccessControl-Admin.jar $* projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CmdLineParser.java +43 −74 Original line number Diff line number Diff line Loading @@ -72,13 +72,9 @@ import java.io.PrintStream; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.auth.SSLUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; Loading @@ -97,9 +93,8 @@ public class CmdLineParser // no need to proceed further if false private Level logLevel = Level.OFF; private boolean proceed = true; private AbstractCommand command; private Subject subject; private boolean isHelpCommand = false; /** * Constructor. Loading @@ -115,16 +110,6 @@ public class CmdLineParser this.parse(am, outStream, errStream); } /** * Return proceed status. * @return true program should proceed with further processing * false program should not proceed further */ public boolean proceed() { return this.proceed; } /** * Get the user admin command to be performed. * @return user admin command Loading 
@@ -134,14 +119,6 @@ public class CmdLineParser return this.command; } /** * Get the subject representing the user executing this user admin tool. */ public Subject getSubject() { return this.subject; } /** * Get the logging level. */ Loading Loading @@ -281,36 +258,22 @@ public class CmdLineParser protected void parse(final ArgumentMap am, final PrintStream out, final PrintStream err) throws UsageException, CertificateException { this.proceed = false; if (!am.isSet("h") && !am.isSet("help") && isValid(am)) { Subject subject = CertCmdArgUtil.initSubject(am, true); try { SSLUtil.validateSubject(subject, null); log.debug("subject: " + subject); this.subject = subject; this.proceed = true; } catch (CertificateException e) { if (am.isSet("list")) { // we can use anonymous subject this.proceed = true; // the following statements are executed only when proceed is true this.command.setSystemOut(out); this.command.setSystemErr(err); } else { throw e; isHelpCommand = true; } } // the following statements are executed only when proceed is true this.command.setSystemOut(out); this.command.setSystemErr(err); } public boolean isHelpCommand() { return isHelpCommand; } /** Loading @@ -320,7 +283,7 @@ public class CmdLineParser { StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("Usage: " + APP_NAME + " [--cert=<path to pem file>] <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Where command is\n"); sb.append("--list :list users in the Users tree\n"); sb.append(" :can be executed as an anonymous user\n"); Loading 
@@ -334,6 +297,12 @@ public class CmdLineParser sb.append("-v|--verbose : Verbose mode print progress and error messages\n"); sb.append("-d|--debug : Debug mode print all the logging messages\n"); sb.append("-h|--help : Print this message and exit\n"); sb.append("\n"); sb.append("Authentication and authorization:\n"); sb.append(" - An LdapConfig.properties file must exist in directory ~/config/\n"); sb.append(" - The corresponding host entry (devLdap or prodLdap) must exist\n"); sb.append(" in your ~/.dbrc file."); return sb.toString(); } } projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CommandRunner.java +68 −37 Original line number Diff line number Diff line Loading @@ -68,14 +68,24 @@ package ca.nrc.cadc.ac.admin; import ca.nrc.cadc.ac.User; import java.security.Principal; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; import org.apache.log4j.Logger; import javax.security.auth.Subject; import java.security.Principal; public class CommandRunner Loading 
@@ -98,42 +108,63 @@ public class CommandRunner * */ public void run() throws UserNotFoundException, TransientException { if (commandLineParser.proceed()) { AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); if (commandLineParser.getSubject() == null) Principal userIDPrincipal = null; if (command instanceof AbstractUserCommand) { // no credential, but command works with an anonymous user LOGGER.debug("running as anon user"); command.run(); userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); } else if (userIDPrincipal == null) { Subject subject = commandLineParser.getSubject(); LOGGER.debug("running as " + subject); // run as the operator LdapConfig config = LdapConfig.getLdapConfig(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the user LOGGER.debug("running as " + userIDPrincipal.getName()); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } // augment the subject if (subject.getPrincipals().isEmpty()) class AnonPrincipalExtractor implements PrincipalExtractor { throw new RuntimeException("BUG: subject with no principals"); Set<Principal> principals; AnonPrincipalExtractor(Set<Principal> principals) { this.principals = principals; } Principal userID = subject.getPrincipals().iterator().next(); User<Principal> subjectUser = userPersistence.getAugmentedUser(userID); for (Principal identity : subjectUser.getIdentities()) public 
Set<Principal> getPrincipals() { subject.getPrincipals().add(identity); return principals; } LOGGER.debug("augmented subject: " + subject); Subject.doAs(subject, command); public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } else public SSOCookieCredential getSSOCookieCredential() { throw new IllegalStateException("Not ready to proceed."); return null; } } } projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/Main.java +21 −15 Original line number Diff line number Diff line Loading @@ -70,14 +70,11 @@ package ca.nrc.cadc.ac.admin; import java.io.PrintStream; import java.security.Principal; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.server.PluginFactory; import org.apache.log4j.Logger; /** * A command line admin tool for LDAP users. Loading Loading @@ -117,14 +114,15 @@ public class Main try { main.execute(args); System.exit(0); } catch(UsageException | CertificateException e) { System.exit(0); System.exit(-1); } catch(Exception t) { System.exit(-1); System.exit(-2); } } Loading @@ -138,9 +136,16 @@ public class Main { try { final CmdLineParser parser = new CmdLineParser(args, systemOut, systemErr); if (parser.isHelpCommand()) { systemOut.println(CmdLineParser.getUsage()); } else { // Set the necessary JNDI system property for lookups. System.setProperty("java.naming.factory.initial", ContextFactoryImpl.class.getName()); Loading @@ -151,6 +156,7 @@ public class Main runner.run(); } } catch(UsageException e) { systemErr.println("ERROR: " + e.getMessage()); Loading Loading
projects/cadcAccessControl-Admin/build.xml +8 −12 Original line number Diff line number Diff line Loading @@ -81,7 +81,7 @@ <property file="local.build.properties"/> <property name="project" value="userAdmin"/> <property name="project" value="cadcAccessControl-Admin"/> <!-- JAR files to be included in classpath and war file --> <property name="cadcAC" value="${lib}/cadcAccessControl.jar"/> Loading @@ -91,15 +91,13 @@ <property name="log4j" value="${ext.lib}/log4j.jar"/> <property name="commons-logging" value="${ext.lib}/commons-logging.jar"/> <property name="unboundid" value="${ext.lib}/unboundid-ldapsdk-se.jar"/> <property name="servlet-api" value="${ext.lib}/servlet-api.jar"/> <property name="jars" value="${cadcAC}:${cadcAC-Server}:${cadcUtil}:${log4j}"/> <property name="cadc" value="${cadcAC}:${cadcAC-Server}:${cadcUtil}"/> <property name="client.cadc.jars" value="${cadcAC}:${cadcAC-Server}:${cadcLog}:${cadcUtil}"/> <property name="client.external.jars" value="${unboundid}:${log4j}:${servlet-api}"/> <property name="client.cadc.jars" value="${cadcAC}:${cadcAC-Server}:${cadcLog}:${cadcUtil}"/> <property name="client.external.jars" value="${unboundid}:${log4j}"/> <property name="jars" value="${cadc}:${external}"/> <property name="jars" value="${cadc}:${client.cadc.jars}:${client.external.jars}"/> <target name="build" depends="compile,manifest"> <jar jarfile="${build}/lib/${project}.jar" Loading Loading @@ -136,8 +134,7 @@ <manifest file="${build}/tmp/${project}.mf" mode="replace"> <attribute name="Main-Class" value="ca.nrc.cadc.ac.admin.Main"/> <attribute name="Class-Path" value="${client.flat.manifest} ${client.non-flat.manifest}"/> <attribute name="Class-Path" value="${client.flat.manifest} ${client.non-flat.manifest}"/> </manifest> </target> Loading 
@@ -149,8 +146,7 @@ <property name="junit" value="${ext.dev}/junit.jar" /> <property name="objenesis" value="${ext.dev}/objenesis.jar" /> <property name="testingJars" value="${junit}:${asm}:${cglib}:${easymock}:${objenesis}:{unboundid}:${cadcLog}"/> <property name="testingJars" value="${junit}:${asm}:${cglib}:${easymock}:${objenesis}:{unboundid}:${cadcLog}"/> <target name="int-test" depends="build,compile-test,setup-test"> <echo message="Running test suite..."/> Loading
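Review bot: The `testingJars` property at the end of this section still reads `{unboundid}` without the `$`, so Ant leaves the literal text `{unboundid}` on the int-test classpath and the UnboundID SDK jar is not actually on it; the line is touched by this change but the typo is carried over. The fix is `<property name="testingJars" value="${junit}:${asm}:${cglib}:${easymock}:${objenesis}:${unboundid}:${cadcLog}"/>`. Separately, `jars` is now `${cadc}:${client.cadc.jars}:${client.external.jars}`, which lists cadcAccessControl, cadcAccessControl-Server and cadcUtil twice; harmless, but it could collapse to `${client.cadc.jars}:${client.external.jars}` and `cadc` could then be dropped.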
projects/cadcAccessControl-Admin/scripts/userAdmin +1 −1 Original line number Diff line number Diff line #!/bin/bash java -Xmx128m -jar ${CADC_ROOT}/lib/userAdmin.jar $* java -Xmx128m -jar ${CADC_ROOT}/lib/cadcAccessControl-Admin.jar $*
projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CmdLineParser.java +43 −74 Original line number Diff line number Diff line Loading @@ -72,13 +72,9 @@ import java.io.PrintStream; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.auth.SSLUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; Loading @@ -97,9 +93,8 @@ public class CmdLineParser // no need to proceed further if false private Level logLevel = Level.OFF; private boolean proceed = true; private AbstractCommand command; private Subject subject; private boolean isHelpCommand = false; /** * Constructor. Loading @@ -115,16 +110,6 @@ public class CmdLineParser this.parse(am, outStream, errStream); } /** * Return proceed status. * @return true program should proceed with further processing * false program should not proceed further */ public boolean proceed() { return this.proceed; } /** * Get the user admin command to be performed. * @return user admin command Loading @@ -134,14 +119,6 @@ public class CmdLineParser return this.command; } /** * Get the subject representing the user executing this user admin tool. */ public Subject getSubject() { return this.subject; } /** * Get the logging level. */ Loading Loading 
@@ -281,36 +258,22 @@ public class CmdLineParser protected void parse(final ArgumentMap am, final PrintStream out, final PrintStream err) throws UsageException, CertificateException { this.proceed = false; if (!am.isSet("h") && !am.isSet("help") && isValid(am)) { Subject subject = CertCmdArgUtil.initSubject(am, true); try { SSLUtil.validateSubject(subject, null); log.debug("subject: " + subject); this.subject = subject; this.proceed = true; } catch (CertificateException e) { if (am.isSet("list")) { // we can use anonymous subject this.proceed = true; // the following statements are executed only when proceed is true this.command.setSystemOut(out); this.command.setSystemErr(err); } else { throw e; isHelpCommand = true; } } // the following statements are executed only when proceed is true this.command.setSystemOut(out); this.command.setSystemErr(err); } public boolean isHelpCommand() { return isHelpCommand; } /** Loading @@ -320,7 +283,7 @@ public class CmdLineParser { StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("Usage: " + APP_NAME + " [--cert=<path to pem file>] <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Where command is\n"); sb.append("--list :list users in the Users tree\n"); sb.append(" :can be executed as an anonymous user\n"); Loading @@ -334,6 +297,12 @@ public class CmdLineParser sb.append("-v|--verbose : Verbose mode print progress and error messages\n"); sb.append("-d|--debug : Debug mode print all the logging messages\n"); sb.append("-h|--help : Print this message and exit\n"); sb.append("\n"); sb.append("Authentication and authorization:\n"); sb.append(" - An LdapConfig.properties file must exist in directory ~/config/\n"); sb.append(" - The corresponding host entry (devLdap or prodLdap) must exist\n"); sb.append(" in your ~/.dbrc file."); return sb.toString(); } }
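Review bot: In `parse`, the `else` branch sets `isHelpCommand = true` for every case where the `if` fails, which includes `isValid(am)` returning false without throwing, so an unrecognised command line would be reported as a help request and, per the new `Main`, exit with status 0; if `isValid` can return false (it is outside the hunk), the branch should distinguish the two, e.g. `if (am.isSet("h") || am.isSet("help")) { isHelpCommand = true; } else { throw new UsageException("invalid command line"); }`. The comment `// the following statements are executed only when proceed is true` refers to the `proceed` flag this commit removes and should be deleted or rewritten as `// command is only initialised when the arguments were valid`. With the certificate path gone, the `throws CertificateException` on `parse` has nothing left to throw it and can be dropped together with the now-unused import. The new usage text should also say what the credentials in `~/.dbrc` now authorise, since they replace the operator certificate, e.g. `sb.append(" - ~/.dbrc holds the LDAP bind credentials used for every command; keep it readable only by you\n");`.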
projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/CommandRunner.java +68 −37 Original line number Diff line number Diff line Loading @@ -68,14 +68,24 @@ package ca.nrc.cadc.ac.admin; import ca.nrc.cadc.ac.User; import java.security.Principal; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; import org.apache.log4j.Logger; import javax.security.auth.Subject; import java.security.Principal; public class CommandRunner Loading 
@@ -98,42 +108,63 @@ public class CommandRunner * */ public void run() throws UserNotFoundException, TransientException { if (commandLineParser.proceed()) { AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); if (commandLineParser.getSubject() == null) Principal userIDPrincipal = null; if (command instanceof AbstractUserCommand) { // no credential, but command works with an anonymous user LOGGER.debug("running as anon user"); command.run(); userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); } else if (userIDPrincipal == null) { Subject subject = commandLineParser.getSubject(); LOGGER.debug("running as " + subject); // run as the operator LdapConfig config = LdapConfig.getLdapConfig(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the user LOGGER.debug("running as " + userIDPrincipal.getName()); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } // augment the subject if (subject.getPrincipals().isEmpty()) class AnonPrincipalExtractor implements PrincipalExtractor { throw new RuntimeException("BUG: subject with no principals"); Set<Principal> principals; AnonPrincipalExtractor(Set<Principal> principals) { this.principals = principals; } Principal userID = subject.getPrincipals().iterator().next(); User<Principal> subjectUser = userPersistence.getAugmentedUser(userID); for (Principal identity : subjectUser.getIdentities()) public 
Set<Principal> getPrincipals() { subject.getPrincipals().add(identity); return principals; } LOGGER.debug("augmented subject: " + subject); Subject.doAs(subject, command); public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } else public SSOCookieCredential getSSOCookieCredential() { throw new IllegalStateException("Not ready to proceed."); return null; } } }
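Review bot: The uid extraction from `proxyDN` in `run` is fragile: `indexOf("uid=")` returns -1 when the attribute is absent or written `UID=`, the comma search starts at offset 4 instead of after `uidIndex`, and a DN with no comma gives `commaIndex == -1`, so `substring` either throws `StringIndexOutOfBoundsException` or yields an unrelated slice that then becomes the operator identity. Parsing the DN with `javax.naming.ldap.LdapName`/`Rdn` handles escaping and attribute-type case and lets the code fail with a clear `IllegalArgumentException`; the rewrite below keeps the surrounding structure and needs imports of `javax.naming.InvalidNameException`, `javax.naming.ldap.LdapName` and `javax.naming.ldap.Rdn`. Note also that with the certificate check removed, the `Subject` handed to `Subject.doAs` is built either from the principal an `AbstractUserCommand` returns (presumably the user being administered) or from the proxy bind account's uid, with no authentication of the person running the tool, so anyone who can read `~/.dbrc` can run any command as any user; that is worth stating at the `// run as the user` line, e.g. `// NOTE: the caller is not authenticated; access is governed solely by read access to ~/.dbrc`. `AnonPrincipalExtractor` is a non-static inner class that carries a real principal and returns its mutable set directly; `private static final class FixedPrincipalExtractor` with a `final` field would avoid the hidden outer reference and the misleading name.
```java
// … unchanged: command setup and AbstractUserCommand principal lookup …
if (userIDPrincipal == null)
{
    // run as the operator: take the uid RDN from the LDAP proxy bind DN
    LdapConfig config = LdapConfig.getLdapConfig();
    String proxyDN = config.getProxyUserDN();
    if (proxyDN == null)
        throw new IllegalArgumentException("No ldap account in .dbrc");
    String userID = null;
    try
    {
        // getRdns() lists root first; the last matching RDN is the leaf uid
        for (Rdn rdn : new LdapName(proxyDN).getRdns())
        {
            if ("uid".equalsIgnoreCase(rdn.getType()))
            {
                userID = String.valueOf(rdn.getValue());
            }
        }
    }
    catch (InvalidNameException e)
    {
        throw new IllegalArgumentException("Malformed proxy DN in .dbrc: " + proxyDN, e);
    }
    if (userID == null || userID.isEmpty())
        throw new IllegalArgumentException("Proxy DN in .dbrc has no uid RDN: " + proxyDN);
    userIDPrincipal = new HttpPrincipal(userID);
}
// … unchanged: subject construction and Subject.doAs …
```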
projects/cadcAccessControl-Admin/src/ca/nrc/cadc/ac/admin/Main.java +21 −15 Original line number Diff line number Diff line Loading @@ -70,14 +70,11 @@ package ca.nrc.cadc.ac.admin; import java.io.PrintStream; import java.security.Principal; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.server.PluginFactory; import org.apache.log4j.Logger; /** * A command line admin tool for LDAP users. Loading Loading @@ -117,14 +114,15 @@ public class Main try { main.execute(args); System.exit(0); } catch(UsageException | CertificateException e) { System.exit(0); System.exit(-1); } catch(Exception t) { System.exit(-1); System.exit(-2); } } Loading @@ -138,9 +136,16 @@ public class Main { try { final CmdLineParser parser = new CmdLineParser(args, systemOut, systemErr); if (parser.isHelpCommand()) { systemOut.println(CmdLineParser.getUsage()); } else { // Set the necessary JNDI system property for lookups. System.setProperty("java.naming.factory.initial", ContextFactoryImpl.class.getName()); Loading @@ -151,6 +156,7 @@ public class Main runner.run(); } } catch(UsageException e) { systemErr.println("ERROR: " + e.getMessage()); Loading
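Review bot: `System.exit(-1)` and `System.exit(-2)` in `main` reach the shell as statuses 255 and 254, because exit codes are truncated to 8 bits, so scripts wrapping `userAdmin` cannot distinguish them from other failures; use small positive values, e.g. `System.exit(1);` for usage errors and `System.exit(2);` for everything else, and record them in the class Javadoc. The `catch(UsageException | CertificateException e)` still names `CertificateException` although this commit removes the certificate handling that produced it; once `CmdLineParser.parse` drops its `throws CertificateException` the catch should narrow to `UsageException`. Since `execute` now treats the help flag and (per `CmdLineParser`) possibly an invalid command line alike and returns normally, `main` exits 0 in both cases, which is only right for an explicit `--help`. The body of `execute` continues outside this section.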