Loading cadc-access-control-admin/build.gradle +1 −1 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ sourceCompatibility = 1.7 group = 'org.opencadc' version = '1.0.1' version = '1.0.2' mainClassName = 'ca.nrc.cadc.ac.admin.Main' Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java +0 −1 Original line number Diff line number Diff line Loading @@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object> private UserPersistence userPersistence; protected abstract void doRun() throws AccessControlException, TransientException; Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java +12 −1 Original line number Diff line number Diff line Loading @@ -72,9 +72,12 @@ import java.io.PrintStream; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; Loading @@ -95,6 +98,7 @@ public class CmdLineParser private Level logLevel = Level.OFF; private AbstractCommand command; private boolean isHelpCommand = false; private ArgumentMap am; /** * Constructor. Loading @@ -105,7 +109,7 @@ public class CmdLineParser public CmdLineParser(final String[] args, final PrintStream outStream, final PrintStream errStream) throws UsageException, CertificateException { ArgumentMap am = new ArgumentMap( args ); am = new ArgumentMap( args ); this.setLogLevel(am); this.parse(am, outStream, errStream); } Loading @@ -127,6 +131,11 @@ public class CmdLineParser return this.logLevel; } public Subject getSubjectFromCert() { return CertCmdArgUtil.initSubject(am); } /* * Set the log level. * @param am Input arguments Loading Loading @@ -294,6 +303,8 @@ public class CmdLineParser StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append(CertCmdArgUtil.getCertArgUsage()); sb.append("\n"); sb.append("Where command is\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java +22 −53 Original line number Diff line number Diff line Loading @@ -69,22 +69,17 @@ package ca.nrc.cadc.ac.admin; import java.security.Principal; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.AuthMethod; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; Loading Loading @@ -112,59 +107,33 @@ public class CommandRunner AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); Principal userIDPrincipal = null; Subject operatorSubject = new Subject(); if (command instanceof AbstractUserCommand) { userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); operatorSubject.getPrincipals().add(userIDPrincipal); operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD); } if (userIDPrincipal == null) else { // run as the operator LdapConfig config = LdapConfig.getLdapConfig(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the operator using their cert Subject subjectFromCert = commandLineParser.getSubjectFromCert(); // run as the user LOGGER.debug("running as " + userIDPrincipal.getName()); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } if (subjectFromCert == null) throw new IllegalArgumentException("Certificate required"); class AnonPrincipalExtractor implements PrincipalExtractor { Set<Principal> principals; Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class); if (pSet.isEmpty()) throw new IllegalArgumentException("Certificate required"); AnonPrincipalExtractor(Set<Principal> principals) { this.principals = principals; } public Set<Principal> getPrincipals() { return principals; } public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } public SSOCookieCredential getSSOCookieCredential() { return null; operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals()); operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser")); operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials()); operatorSubject.getPublicCredentials().add(AuthMethod.CERT); } LOGGER.debug("running as: " + operatorSubject); Subject.doAs(operatorSubject, command); } } cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java +1 −0 Original line number Diff line number Diff line Loading @@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers { return this.getUserPersistence().getUserRequests(); } } Loading
cadc-access-control-admin/build.gradle +1 −1 Original line number Diff line number Diff line Loading @@ -15,7 +15,7 @@ sourceCompatibility = 1.7 group = 'org.opencadc' version = '1.0.1' version = '1.0.2' mainClassName = 'ca.nrc.cadc.ac.admin.Main' Loading
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java +0 −1 Original line number Diff line number Diff line Loading @@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object> private UserPersistence userPersistence; protected abstract void doRun() throws AccessControlException, TransientException; Loading
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java +12 −1 Original line number Diff line number Diff line Loading @@ -72,9 +72,12 @@ import java.io.PrintStream; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; Loading @@ -95,6 +98,7 @@ public class CmdLineParser private Level logLevel = Level.OFF; private AbstractCommand command; private boolean isHelpCommand = false; private ArgumentMap am; /** * Constructor. Loading @@ -105,7 +109,7 @@ public class CmdLineParser public CmdLineParser(final String[] args, final PrintStream outStream, final PrintStream errStream) throws UsageException, CertificateException { ArgumentMap am = new ArgumentMap( args ); am = new ArgumentMap( args ); this.setLogLevel(am); this.parse(am, outStream, errStream); } Loading @@ -127,6 +131,11 @@ public class CmdLineParser return this.logLevel; } public Subject getSubjectFromCert() { return CertCmdArgUtil.initSubject(am); } /* * Set the log level. * @param am Input arguments Loading Loading @@ -294,6 +303,8 @@ public class CmdLineParser StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append(CertCmdArgUtil.getCertArgUsage()); sb.append("\n"); sb.append("Where command is\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); Loading
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java +22 −53 Original line number Diff line number Diff line Loading @@ -69,22 +69,17 @@ package ca.nrc.cadc.ac.admin; import java.security.Principal; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.AuthMethod; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; Loading Loading @@ -112,59 +107,33 @@ public class CommandRunner AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); Principal userIDPrincipal = null; Subject operatorSubject = new Subject(); if (command instanceof AbstractUserCommand) { userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); operatorSubject.getPrincipals().add(userIDPrincipal); operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD); } if (userIDPrincipal == null) else { // run as the operator LdapConfig config = LdapConfig.getLdapConfig(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the operator using their cert Subject subjectFromCert = commandLineParser.getSubjectFromCert(); // run as the user LOGGER.debug("running as " + userIDPrincipal.getName()); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } if (subjectFromCert == null) throw new IllegalArgumentException("Certificate required"); class AnonPrincipalExtractor implements PrincipalExtractor { Set<Principal> principals; Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class); if (pSet.isEmpty()) throw new IllegalArgumentException("Certificate required"); AnonPrincipalExtractor(Set<Principal> principals) { this.principals = principals; } public Set<Principal> getPrincipals() { return principals; } public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } public SSOCookieCredential getSSOCookieCredential() { return null; operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals()); operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser")); operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials()); operatorSubject.getPublicCredentials().add(AuthMethod.CERT); } LOGGER.debug("running as: " + operatorSubject); Subject.doAs(operatorSubject, command); } }
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java +1 −0 Original line number Diff line number Diff line Loading @@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers { return this.getUserPersistence().getUserRequests(); } }
