Loading cadc-access-control-admin/build.gradle +1 −1 Original line number Original line Diff line number Diff line Loading @@ -15,7 +15,7 @@ sourceCompatibility = 1.7 group = 'org.opencadc' group = 'org.opencadc' version = '1.0.1' version = '1.0.2' mainClassName = 'ca.nrc.cadc.ac.admin.Main' mainClassName = 'ca.nrc.cadc.ac.admin.Main' Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java +0 −1 Original line number Original line Diff line number Diff line Loading @@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object> private UserPersistence userPersistence; private UserPersistence userPersistence; protected abstract void doRun() protected abstract void doRun() throws AccessControlException, TransientException; throws AccessControlException, TransientException; Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java +12 −1 Original line number Original line Diff line number Diff line Loading @@ -72,9 +72,12 @@ import java.io.PrintStream; import java.io.PrintStream; import java.security.cert.CertificateException; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Level; import org.apache.log4j.Logger; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; import ca.nrc.cadc.util.StringUtil; Loading @@ -95,6 +98,7 @@ public class CmdLineParser private Level logLevel = Level.OFF; private Level logLevel = Level.OFF; private AbstractCommand command; private AbstractCommand command; private boolean isHelpCommand = false; private boolean isHelpCommand = false; private ArgumentMap am; /** /** * Constructor. * Constructor. Loading 
@@ -105,7 +109,7 @@ public class CmdLineParser public CmdLineParser(final String[] args, final PrintStream outStream, public CmdLineParser(final String[] args, final PrintStream outStream, final PrintStream errStream) throws UsageException, CertificateException final PrintStream errStream) throws UsageException, CertificateException { { ArgumentMap am = new ArgumentMap( args ); am = new ArgumentMap( args ); this.setLogLevel(am); this.setLogLevel(am); this.parse(am, outStream, errStream); this.parse(am, outStream, errStream); } } Loading @@ -127,6 +131,11 @@ public class CmdLineParser return this.logLevel; return this.logLevel; } } public Subject getSubjectFromCert() { return CertCmdArgUtil.initSubject(am); } /* /* * Set the log level. * Set the log level. * @param am Input arguments * @param am Input arguments Loading Loading @@ -294,6 +303,8 @@ public class CmdLineParser StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append(CertCmdArgUtil.getCertArgUsage()); sb.append("\n"); sb.append("Where command is\n"); sb.append("Where command is\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); Loading cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java +22 −53 Original line number Original line Diff line number Diff line Loading 
@@ -69,22 +69,17 @@ package ca.nrc.cadc.ac.admin; package ca.nrc.cadc.ac.admin; import java.security.Principal; import java.security.Principal; import java.util.HashSet; import java.util.Set; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthMethod; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.net.TransientException; Loading Loading 
@@ -112,59 +107,33 @@ public class CommandRunner AbstractCommand command = commandLineParser.getCommand(); AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); command.setUserPersistence(userPersistence); Principal userIDPrincipal = null; Subject operatorSubject = new Subject(); if (command instanceof AbstractUserCommand) if (command instanceof AbstractUserCommand) { { userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); operatorSubject.getPrincipals().add(userIDPrincipal); operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD); } } else if (userIDPrincipal == null) { { // run as the operator // run as the operator using their cert LdapConfig config = LdapConfig.getLdapConfig(); Subject subjectFromCert = commandLineParser.getSubjectFromCert(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the user if (subjectFromCert == null) LOGGER.debug("running as " + userIDPrincipal.getName()); throw new IllegalArgumentException("Certificate required"); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } class AnonPrincipalExtractor implements PrincipalExtractor Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class); { if (pSet.isEmpty()) Set<Principal> principals; throw new IllegalArgumentException("Certificate required"); 
AnonPrincipalExtractor(Set<Principal> principals) operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals()); { operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser")); this.principals = principals; operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials()); } operatorSubject.getPublicCredentials().add(AuthMethod.CERT); public Set<Principal> getPrincipals() { return principals; } public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } public SSOCookieCredential getSSOCookieCredential() { return null; } } LOGGER.debug("running as: " + operatorSubject); Subject.doAs(operatorSubject, command); } } } } cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java +1 −0 Original line number Original line Diff line number Diff line Loading @@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers { { return this.getUserPersistence().getUserRequests(); return this.getUserPersistence().getUserRequests(); } } } } Loading
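Review bot: `operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser"))` gives every certificate-authenticated operator the same synthetic HTTP principal name; if any persistence or authorization code keys on HttpPrincipal names, this is a shared identity that is not tied to the certificate, and the hunk does not say why it is needed. A comment naming what in the persistence layer requires it, or a constant such as `private static final String OPERATOR_HTTP_PRINCIPAL = "authorizedUser";`, would make the intent reviewable. Separately, `LOGGER.debug("running as: " + operatorSubject)` prints the whole Subject, whose public credentials after `addAll(subjectFromCert.getPublicCredentials())` may include the certificate chain; logging only the identities is safer, e.g. `LOGGER.debug("running as: " + operatorSubject.getPrincipals());`. The enclosing method's signature lies before this hunk.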
cadc-access-control-admin/build.gradle +1 −1 Original line number Original line Diff line number Diff line Loading @@ -15,7 +15,7 @@ sourceCompatibility = 1.7 group = 'org.opencadc' group = 'org.opencadc' version = '1.0.1' version = '1.0.2' mainClassName = 'ca.nrc.cadc.ac.admin.Main' mainClassName = 'ca.nrc.cadc.ac.admin.Main' Loading
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java +0 −1 Original line number Original line Diff line number Diff line Loading @@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object> private UserPersistence userPersistence; private UserPersistence userPersistence; protected abstract void doRun() protected abstract void doRun() throws AccessControlException, TransientException; throws AccessControlException, TransientException; Loading
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CmdLineParser.java +12 −1 Original line number Original line Diff line number Diff line Loading @@ -72,9 +72,12 @@ import java.io.PrintStream; import java.io.PrintStream; import java.security.cert.CertificateException; import java.security.cert.CertificateException; import javax.security.auth.Subject; import org.apache.log4j.Level; import org.apache.log4j.Level; import org.apache.log4j.Logger; import org.apache.log4j.Logger; import ca.nrc.cadc.auth.CertCmdArgUtil; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.ArgumentMap; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.Log4jInit; import ca.nrc.cadc.util.StringUtil; import ca.nrc.cadc.util.StringUtil; Loading @@ -95,6 +98,7 @@ public class CmdLineParser private Level logLevel = Level.OFF; private Level logLevel = Level.OFF; private AbstractCommand command; private AbstractCommand command; private boolean isHelpCommand = false; private boolean isHelpCommand = false; private ArgumentMap am; /** /** * Constructor. * Constructor. Loading @@ -105,7 +109,7 @@ public class CmdLineParser public CmdLineParser(final String[] args, final PrintStream outStream, public CmdLineParser(final String[] args, final PrintStream outStream, final PrintStream errStream) throws UsageException, CertificateException final PrintStream errStream) throws UsageException, CertificateException { { ArgumentMap am = new ArgumentMap( args ); am = new ArgumentMap( args ); this.setLogLevel(am); this.setLogLevel(am); this.parse(am, outStream, errStream); this.parse(am, outStream, errStream); } } Loading @@ -127,6 +131,11 @@ public class CmdLineParser return this.logLevel; return this.logLevel; } } public Subject getSubjectFromCert() { return CertCmdArgUtil.initSubject(am); } /* /* * Set the log level. * Set the log level. * @param am Input arguments * @param am Input arguments Loading Loading 
@@ -294,6 +303,8 @@ public class CmdLineParser StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder(); sb.append("\n"); sb.append("\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append("Usage: " + APP_NAME + " <command> [-v|--verbose|-d|--debug] [-h|--help]\n"); sb.append(CertCmdArgUtil.getCertArgUsage()); sb.append("\n"); sb.append("Where command is\n"); sb.append("Where command is\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list : List users in the Users tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); sb.append("--list-pending : List users in the UserRequests tree\n"); Loading
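Review bot: `getSubjectFromCert()` is undocumented and its contract is ambiguous: the caller in CommandRunner tests its result for null, but nothing here states whether `CertCmdArgUtil.initSubject(am)` returns null when no certificate argument was supplied or throws instead, nor that each call re-reads the certificate from the arguments. I would add a Javadoc such as `/** Builds a Subject from the certificate command-line arguments; presumably returns null when none were given — confirm against CertCmdArgUtil.initSubject. */`. The new field can be declared `private final ArgumentMap am;` if, as the visible constructor suggests, it is assigned only there.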
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java +22 −53 Original line number Original line Diff line number Diff line Loading @@ -69,22 +69,17 @@ package ca.nrc.cadc.ac.admin; package ca.nrc.cadc.ac.admin; import java.security.Principal; import java.security.Principal; import java.util.HashSet; import java.util.Set; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.apache.log4j.Logger; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.UserPersistence; import ca.nrc.cadc.ac.server.ldap.LdapConfig; import ca.nrc.cadc.auth.AuthMethod; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.PrincipalExtractor; import ca.nrc.cadc.auth.SSOCookieCredential; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.net.TransientException; Loading Loading 
@@ -112,59 +107,33 @@ public class CommandRunner AbstractCommand command = commandLineParser.getCommand(); AbstractCommand command = commandLineParser.getCommand(); command.setUserPersistence(userPersistence); command.setUserPersistence(userPersistence); Principal userIDPrincipal = null; Subject operatorSubject = new Subject(); if (command instanceof AbstractUserCommand) if (command instanceof AbstractUserCommand) { { userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal(); operatorSubject.getPrincipals().add(userIDPrincipal); operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD); } } else if (userIDPrincipal == null) { { // run as the operator // run as the operator using their cert LdapConfig config = LdapConfig.getLdapConfig(); Subject subjectFromCert = commandLineParser.getSubjectFromCert(); String proxyDN = config.getProxyUserDN(); if (proxyDN == null) throw new IllegalArgumentException("No ldap account in .dbrc"); String userIDLabel = "uid="; int uidIndex = proxyDN.indexOf("uid="); int commaIndex = proxyDN.indexOf(",", userIDLabel.length()); String userID = proxyDN.substring(uidIndex + userIDLabel.length(), commaIndex); userIDPrincipal = new HttpPrincipal(userID); } // run as the user if (subjectFromCert == null) LOGGER.debug("running as " + userIDPrincipal.getName()); throw new IllegalArgumentException("Certificate required"); Set<Principal> userPrincipals = new HashSet<Principal>(1); userPrincipals.add(userIDPrincipal); AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(userPrincipals); Subject subject = AuthenticationUtil.getSubject(principalExtractor); Subject.doAs(subject, command); } class AnonPrincipalExtractor implements PrincipalExtractor Set<X500Principal> pSet = subjectFromCert.getPrincipals(X500Principal.class); { if (pSet.isEmpty()) Set<Principal> principals; throw new IllegalArgumentException("Certificate required"); 
AnonPrincipalExtractor(Set<Principal> principals) operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals()); { operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser")); this.principals = principals; operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials()); } operatorSubject.getPublicCredentials().add(AuthMethod.CERT); public Set<Principal> getPrincipals() { return principals; } public X509CertificateChain getCertificateChain() { return null; } public DelegationToken getDelegationToken() { return null; } public SSOCookieCredential getSSOCookieCredential() { return null; } } LOGGER.debug("running as: " + operatorSubject); Subject.doAs(operatorSubject, command); } } } }
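Review bot: `operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD)` in the AbstractUserCommand branch marks the Subject as password-authenticated, yet nothing in this method checks a password — the principal is taken straight from the parsed command argument, while the other branch insists on a certificate carrying an X500Principal. If UserPersistence treats AuthMethod.PASSWORD as proof of identity, anyone able to run the tool acts as the named user without the certificate check; if the intent is that the LDAP proxy account behind the persistence layer is what actually authorizes the call, that should be written down. There is also no null guard before `getPrincipals().add(userIDPrincipal)`, unlike the cert branch. I would add `if (userIDPrincipal == null) throw new IllegalArgumentException("User principal required");` and, above the credential add, `// no password is verified here: AuthMethod.PASSWORD only tells the persistence layer how this subject was identified`. The enclosing method's signature lies before this hunk.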
cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java +1 −0 Original line number Original line Diff line number Diff line Loading @@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers { { return this.getUserPersistence().getUserRequests(); return this.getUserPersistence().getUserRequests(); } } } }