Commit
472beb17
authored
Dec 12, 2016
by
Patrick Dowler
Committed by
GitHub
Dec 12, 2016
Merge pull request #23 from brianmajor/master
Fixed gathering of operator credentials
parents
cf9becf1
87db79f4
Changes
8
cadc-access-control-admin/build.gradle
...
...
@@ -15,7 +15,7 @@ sourceCompatibility = 1.7
group
=
'org.opencadc'
version
=
'1.0.
1
'
version
=
'1.0.
2
'
mainClassName
=
'ca.nrc.cadc.ac.admin.Main'
...
...
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
...
...
@@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
private
UserPersistence
userPersistence
;
protected
abstract
void
doRun
()
throws
AccessControlException
,
TransientException
;
...
...
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java
...
...
@@ -72,9 +72,12 @@
import
java.io.PrintStream
;
import
java.security.cert.CertificateException
;
import
javax.security.auth.Subject
;
import
org.apache.log4j.Level
;
import
org.apache.log4j.Logger
;
import
ca.nrc.cadc.auth.CertCmdArgUtil
;
import
ca.nrc.cadc.util.ArgumentMap
;
import
ca.nrc.cadc.util.Log4jInit
;
import
ca.nrc.cadc.util.StringUtil
;
...
...
@@ -95,6 +98,7 @@ public class CmdLineParser
private
Level
logLevel
=
Level
.
OFF
;
private
AbstractCommand
command
;
private
boolean
isHelpCommand
=
false
;
private
ArgumentMap
am
;
/**
* Constructor.
...
...
@@ -105,7 +109,7 @@ public class CmdLineParser
public
CmdLineParser
(
final
String
[]
args
,
final
PrintStream
outStream
,
final
PrintStream
errStream
)
throws
UsageException
,
CertificateException
{
ArgumentMap
am
=
new
ArgumentMap
(
args
);
am
=
new
ArgumentMap
(
args
);
this
.
setLogLevel
(
am
);
this
.
parse
(
am
,
outStream
,
errStream
);
}
...
...
@@ -127,6 +131,11 @@ public class CmdLineParser
return
this
.
logLevel
;
}
public
Subject
getSubjectFromCert
()
{
return
CertCmdArgUtil
.
initSubject
(
am
);
}
/*
* Set the log level.
* @param am Input arguments
...
...
@@ -294,6 +303,8 @@ public class CmdLineParser
StringBuilder
sb
=
new
StringBuilder
();
sb
.
append
(
"\n"
);
sb
.
append
(
"Usage: "
+
APP_NAME
+
" <command> [-v|--verbose|-d|--debug] [-h|--help]\n"
);
sb
.
append
(
CertCmdArgUtil
.
getCertArgUsage
());
sb
.
append
(
"\n"
);
sb
.
append
(
"Where command is\n"
);
sb
.
append
(
"--list : List users in the Users tree\n"
);
sb
.
append
(
"--list-pending : List users in the UserRequests tree\n"
);
...
...
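Review bot: `am` is now an instance field assigned exactly once in the constructor and read later by the new `getSubjectFromCert()`, so it should be declared `private final ArgumentMap am;` to make that single assignment explicit and to stop any later method from swapping the parsed arguments after `parse()` has consumed them. `getSubjectFromCert()` also carries no Javadoc: whether `CertCmdArgUtil.initSubject(am)` returns null or an empty Subject when no certificate argument was supplied is not visible here, and the caller in CommandRunner checks both cases, so state the contract, e.g. `/** Builds a Subject from the certificate command-line arguments; returns whatever CertCmdArgUtil.initSubject yields when none are given (null or an empty Subject — callers must handle both). */`. The constructor's body and the usage builder continue outside the hunks shown.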
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
...
...
@@ -69,22 +69,17 @@
package
ca.nrc.cadc.ac.admin
;
import
java.security.Principal
;
import
java.util.HashSet
;
import
java.util.Set
;
import
javax.security.auth.Subject
;
import
javax.security.auth.x500.X500Principal
;
import
org.apache.log4j.Logger
;
import
ca.nrc.cadc.ac.UserNotFoundException
;
import
ca.nrc.cadc.ac.server.UserPersistence
;
import
ca.nrc.cadc.ac.server.ldap.LdapConfig
;
import
ca.nrc.cadc.auth.AuthenticationUtil
;
import
ca.nrc.cadc.auth.DelegationToken
;
import
ca.nrc.cadc.auth.AuthMethod
;
import
ca.nrc.cadc.auth.HttpPrincipal
;
import
ca.nrc.cadc.auth.PrincipalExtractor
;
import
ca.nrc.cadc.auth.SSOCookieCredential
;
import
ca.nrc.cadc.auth.X509CertificateChain
;
import
ca.nrc.cadc.net.TransientException
;
...
...
@@ -112,59 +107,33 @@ public class CommandRunner
AbstractCommand
command
=
commandLineParser
.
getCommand
();
command
.
setUserPersistence
(
userPersistence
);
Principal
userIDPrincipal
=
null
;
Subject
operatorSubject
=
new
Subject
();
if
(
command
instanceof
AbstractUserCommand
)
{
userIDPrincipal
=
((
AbstractUserCommand
)
command
).
getPrincipal
();
Principal
userIDPrincipal
=
((
AbstractUserCommand
)
command
).
getPrincipal
();
operatorSubject
.
getPrincipals
().
add
(
userIDPrincipal
);
operatorSubject
.
getPublicCredentials
().
add
(
AuthMethod
.
PASSWORD
);
}
if
(
userIDPrincipal
==
null
)
else
{
// run as the operator
LdapConfig
config
=
LdapConfig
.
getLdapConfig
();
String
proxyDN
=
config
.
getProxyUserDN
();
if
(
proxyDN
==
null
)
throw
new
IllegalArgumentException
(
"No ldap account in .dbrc"
);
String
userIDLabel
=
"uid="
;
int
uidIndex
=
proxyDN
.
indexOf
(
"uid="
);
int
commaIndex
=
proxyDN
.
indexOf
(
","
,
userIDLabel
.
length
());
String
userID
=
proxyDN
.
substring
(
uidIndex
+
userIDLabel
.
length
(),
commaIndex
);
userIDPrincipal
=
new
HttpPrincipal
(
userID
);
}
// run as the operator using their cert
Subject
subjectFromCert
=
commandLineParser
.
getSubjectFromCert
();
// run as the user
LOGGER
.
debug
(
"running as "
+
userIDPrincipal
.
getName
());
Set
<
Principal
>
userPrincipals
=
new
HashSet
<
Principal
>(
1
);
userPrincipals
.
add
(
userIDPrincipal
);
AnonPrincipalExtractor
principalExtractor
=
new
AnonPrincipalExtractor
(
userPrincipals
);
Subject
subject
=
AuthenticationUtil
.
getSubject
(
principalExtractor
);
Subject
.
doAs
(
subject
,
command
);
}
if
(
subjectFromCert
==
null
)
throw
new
IllegalArgumentException
(
"Certificate required"
);
class
AnonPrincipalExtractor
implements
PrincipalExtractor
{
Set
<
Principal
>
principals
;
Set
<
X500Principal
>
pSet
=
subjectFromCert
.
getPrincipals
(
X500Principal
.
class
);
if
(
pSet
.
isEmpty
())
throw
new
IllegalArgumentException
(
"Certificate required"
)
;
AnonPrincipalExtractor
(
Set
<
Principal
>
principals
)
{
this
.
principals
=
principals
;
}
public
Set
<
Principal
>
getPrincipals
()
{
return
principals
;
}
public
X509CertificateChain
getCertificateChain
()
{
return
null
;
}
public
DelegationToken
getDelegationToken
()
{
return
null
;
}
public
SSOCookieCredential
getSSOCookieCredential
()
{
return
null
;
operatorSubject
.
getPrincipals
().
addAll
(
subjectFromCert
.
getPrincipals
());
operatorSubject
.
getPrincipals
().
add
(
new
HttpPrincipal
(
"authorizedUser"
));
operatorSubject
.
getPublicCredentials
().
addAll
(
subjectFromCert
.
getPublicCredentials
());
operatorSubject
.
getPublicCredentials
().
add
(
AuthMethod
.
CERT
);
}
LOGGER
.
debug
(
"running as: "
+
operatorSubject
);
Subject
.
doAs
(
operatorSubject
,
command
);
}
}
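Review bot: In the `AbstractUserCommand` branch the Subject is built from the target user's principal plus `AuthMethod.PASSWORD` without any credential having been checked, so the command runs as that user purely by assertion; that is presumably the intent of a local admin tool, but it needs a comment saying so and noting that whatever `UserPersistence` does with `AuthMethod.PASSWORD` must not treat it as proof of a password login, e.g. `// admin tool: impersonates the target user; PASSWORD is asserted here, never verified`. In the `else` branch the hard-coded `new HttpPrincipal("authorizedUser")` is unexplained and should become a named constant with a comment on which server-side check expects that exact name. `LOGGER.debug("running as: " + operatorSubject)` renders every principal and public credential of the Subject (and, with no SecurityManager installed, private credentials as well); since the certificate branch copies `subjectFromCert.getPublicCredentials()` into it, log `operatorSubject.getPrincipals()` instead so certificate or key material cannot land in the debug log. The certificate branch confirms an X500Principal is present, but nothing visible here checks the certificate's validity period; if `CertCmdArgUtil.initSubject` does not, that check belongs before `Subject.doAs`.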
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
...
...
@@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers
{
return
this
.
getUserPersistence
().
getUserRequests
();
}
}
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
...
...
@@ -92,4 +92,5 @@ public class ListUsers extends AbstractListUsers
{
return
this
.
getUserPersistence
().
getUsers
();
}
}
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
...
...
@@ -81,10 +81,10 @@ import ca.nrc.cadc.net.TransientException;
* @author yeunga
*
*/
public
class
RejectUser
extends
AbstractUserCommand
public
class
RejectUser
extends
AbstractUserCommand
{
private
static
final
Logger
log
=
Logger
.
getLogger
(
RejectUser
.
class
);
/**
* Constructor
* @param userID Id of the pending user to be deleted
...
...
@@ -93,9 +93,9 @@ public class RejectUser extends AbstractUserCommand
{
super
(
userID
);
}
protected
void
execute
()
throws
AccessControlException
,
UserNotFoundException
,
TransientException
protected
void
execute
()
throws
AccessControlException
,
UserNotFoundException
,
TransientException
{
// delete user from the pending tree
this
.
getUserPersistence
().
deleteUserRequest
(
this
.
getPrincipal
());
...
...
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
...
...
@@ -106,7 +106,7 @@ public class ViewUser extends AbstractUserCommand
User
user
=
this
.
getUserPersistence
().
getUser
(
this
.
getPrincipal
());
this
.
printUser
(
user
);
}
catch
(
UserNotFoundException
e
)
catch
(
AccessControlException
|
UserNotFoundException
e
)
{
// Not in the main tree, try the pending tree
User
user
=
this
.
getUserPersistence
().
getUserRequest
(
this
.
getPrincipal
());
...
...
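Review bot: Widening the catch to `AccessControlException | UserNotFoundException` makes an authorization failure on the main Users tree indistinguishable from a missing user: the denial is swallowed and the lookup silently retries the pending tree, and if that second lookup also fails the operator sees only the pending-tree error with no trace of the original denial. Before the fallback, record the reason with the class's logger (not visible in this hunk), e.g. `log.debug("getUser failed on main tree, trying pending tree", e);`, and if an AccessControlException on the main tree is expected for a user that does exist there, say so in a comment rather than leaving it to read as a not-found case. The catch block continues past the end of the hunk.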