Merge pull request #23 from brianmajor/master

Fixed gathering of operator credentials

Merge pull request #23 from brianmajor/master
Fixed gathering of operator credentials
472beb17 · Patrick Dowler · GitHub · cf9becf1 · 87db79f4 · 472beb17
Commit 472beb17 authored Dec 12, 2016 by Patrick Dowler Committed by GitHub Dec 12, 2016
--- a/cadc-access-control-admin/build.gradle
+++ b/cadc-access-control-admin/build.gradle
@@ -15,7 +15,7 @@ sourceCompatibility = 1.7

 group = 'org.opencadc'

-version = '1.0.1'
+version = '1.0.2'

 mainClassName = 'ca.nrc.cadc.ac.admin.Main'


--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
@@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>

    private UserPersistence userPersistence;

-
    protected abstract void doRun()
            throws AccessControlException, TransientException;


--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
@@ -72,9 +72,12 @@
 import java.io.PrintStream;
 import java.security.cert.CertificateException;

+import javax.security.auth.Subject;
+
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;

+import ca.nrc.cadc.auth.CertCmdArgUtil;
 import ca.nrc.cadc.util.ArgumentMap;
 import ca.nrc.cadc.util.Log4jInit;
 import ca.nrc.cadc.util.StringUtil;
@@ -95,6 +98,7 @@ public class CmdLineParser
    private Level logLevel = Level.OFF;
    private AbstractCommand command;
    private boolean isHelpCommand = false;
+    private ArgumentMap am;

    /**
     * Constructor.
@@ -105,7 +109,7 @@ public class CmdLineParser
    public CmdLineParser(final String[] args, final PrintStream outStream,
        final PrintStream errStream) throws UsageException, CertificateException
    {
-        ArgumentMap am = new ArgumentMap( args );
+        am = new ArgumentMap( args );
    	this.setLogLevel(am);
    	this.parse(am, outStream, errStream);
    }
@@ -127,6 +131,11 @@ public class CmdLineParser
    	return this.logLevel;
    }

+    public Subject getSubjectFromCert()
+    {
+        return CertCmdArgUtil.initSubject(am);
+    }
+
    /*
     * Set the log level.
     * @param am Input arguments
@@ -294,6 +303,8 @@ public class CmdLineParser
    	StringBuilder sb = new StringBuilder();
    	sb.append("\n");
    	sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n");
+    	sb.append(CertCmdArgUtil.getCertArgUsage());
+    	sb.append("\n");
    	sb.append("Where command is\n");
    	sb.append("--list                       : List users in the Users tree\n");
    	sb.append("--list-pending               : List users in the UserRequests tree\n");

--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
@@ -69,22 +69,17 @@
 package ca.nrc.cadc.ac.admin;

 import java.security.Principal;
-import java.util.HashSet;
 import java.util.Set;

 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;

 import org.apache.log4j.Logger;

 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.ac.server.ldap.LdapConfig;
-import ca.nrc.cadc.auth.AuthenticationUtil;
-import ca.nrc.cadc.auth.DelegationToken;
+import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.HttpPrincipal;
-import ca.nrc.cadc.auth.PrincipalExtractor;
-import ca.nrc.cadc.auth.SSOCookieCredential;
-import ca.nrc.cadc.auth.X509CertificateChain;
 import ca.nrc.cadc.net.TransientException;


@@ -112,59 +107,33 @@ public class CommandRunner
        AbstractCommand command = commandLineParser.getCommand();
        command.setUserPersistence(userPersistence);

-        Principal userIDPrincipal = null;
+        Subject operatorSubject = new Subject();
+
        if (command instanceof AbstractUserCommand)
        {
-            userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
+            operatorSubject.getPrincipals().add(userIDPrincipal);
+            operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD);
        }
-
-        if (userIDPrincipal == null)
+        else
        {
-            // run as the operator
-            LdapConfig config = LdapConfig.getLdapConfig();
-            String proxyDN = config.getProxyUserDN();
-            if (proxyDN == null)
-                throw new IllegalArgumentException("No ldap account in .dbrc");
-
-            String userIDLabel = "uid=";
-            int uidIndex = proxyDN.indexOf("uid=");
-            int commaIndex = proxyDN.indexOf(",", userIDLabel.length());
-            String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex);
-            userIDPrincipal = new HttpPrincipal(userID);
-        }
+            // run as the operator using their cert
+            Subject subjectFromCert = commandLineParser.getSubjectFromCert();

-        // run as the user
-        LOGGER.debug("running as " + userIDPrincipal.getName());
-        Set<Principal> userPrincipals = new HashSet<Principal>(1);
-        userPrincipals.add(userIDPrincipal);
-        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals);
-        Subject subject = AuthenticationUtil.getSubject(principalExtractor);
-        Subject.doAs(subject, command);
-    }
+            if (subjectFromCert == null)
+                throw new IllegalArgumentException("Certificate required");

-    class AnonPrincipalExtractor implements PrincipalExtractor
-    {
-        Set<Principal> principals;
+            Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class);
+            if (pSet.isEmpty())
+                throw new IllegalArgumentException("Certificate required");

-        AnonPrincipalExtractor(Set<Principal> principals)
-        {
-            this.principals = principals;
-        }
-        public Set<Principal> getPrincipals()
-        {
-            return principals;
-        }
-        public X509CertificateChain getCertificateChain()
-        {
-            return null;
-        }
-        public DelegationToken getDelegationToken()
-        {
-            return null;
-        }
-        public SSOCookieCredential getSSOCookieCredential()
-        {
-            return null;
+            operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
+            operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser"));
+            operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
+            operatorSubject.getPublicCredentials().add(AuthMethod.CERT);
        }
+
+        LOGGER.debug("running as: " + operatorSubject);
+        Subject.doAs(operatorSubject, command);
    }
 }
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
@@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers
    {
    	return this.getUserPersistence().getUserRequests();
    }
+
 }
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
@@ -92,4 +92,5 @@ public class ListUsers extends AbstractListUsers
    {
    	return this.getUserPersistence().getUsers();
    }
+
 }
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
@@ -81,10 +81,10 @@ import ca.nrc.cadc.net.TransientException;
 * @author yeunga
 *
 */
-public class RejectUser extends AbstractUserCommand 
+public class RejectUser extends AbstractUserCommand
 {
    private static final Logger log = Logger.getLogger(RejectUser.class);
-	
+
    /**
     * Constructor
     * @param userID Id of the pending user to be deleted
@@ -93,9 +93,9 @@ public class RejectUser extends AbstractUserCommand
    {
    	super(userID);
    }
-    
-    protected void execute() 
-        throws AccessControlException, UserNotFoundException, TransientException 
+
+    protected void execute()
+        throws AccessControlException, UserNotFoundException, TransientException
    {
        // delete user from the pending tree
        this.getUserPersistence().deleteUserRequest(this.getPrincipal());

--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
@@ -106,7 +106,7 @@ public class ViewUser extends AbstractUserCommand
            User user = this.getUserPersistence().getUser(this.getPrincipal());
            this.printUser(user);
        }
-        catch (UserNotFoundException e)
+        catch (AccessControlException | UserNotFoundException e)
        {
            // Not in the main tree, try the pending tree
            User user = this.getUserPersistence().getUserRequest(this.getPrincipal());