Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +16 −20 Original line number Diff line number Diff line Loading @@ -551,8 +551,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } public User<T> getAugmentedUser(final T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException { String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) Loading @@ -563,19 +562,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO try { Filter filter = Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock")); filter = Filter.createANDFilter(filter, Filter.createEqualityFilter(searchField, userID.getName())); searchField = "(" + searchField + "=" + userID.getName() + ")"; logger.debug("search field: " + searchField); // TODO: Search must take into account deleted users (nsaccountlock attr) SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.ONE, filter, identityAttribs); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl( "dn:" + getSubjectDN().toNormalizedString())); searchField, identityAttribs); SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java +15 −16 Original line number Diff line number Diff line Loading @@ -214,8 +214,7 @@ public class LdapUserPersistence<T extends Principal> * @throws AccessControlException If the operation is not permitted. */ public User<T> getAugmentedUser(T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException { LdapUserDAO<T> userDAO = null; try Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java +21 −16 Original line number Diff line number Diff line Loading 
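Review bot: In the second LdapUserDAO hunk the search filter is now built by string concatenation, `searchField = "(" + searchField + "=" + userID.getName() + ")"` (the +16 −20 count and the added TODO suggest this is the new side), so a principal name containing filter metacharacters such as `*`, `(`, `)` or `\` changes the query instead of being matched literally, which the removed `Filter.createEqualityFilter` escaped automatically. Keep the assertion value escaped, e.g. `Filter filter = Filter.createEqualityFilter(searchField, userID.getName());` passed to the `SearchRequest` constructor that takes a `Filter`, or at least wrap the name with `Filter.encodeValue(userID.getName())`. The same hunk drops the `nsaccountlock` exclusion, so locked or deleted entries are augmented until the new TODO is resolved; keeping `Filter.createANDFilter(Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock")), filter)` in place now would avoid that window. Removing the `ProxiedAuthorizationV2RequestControl` means the search runs under the connection's own bind identity rather than the caller's, which is presumably why `AccessControlException` left the throws clause; confirm that identity is meant to read `identityAttribs` for every user. The method body continues outside the hunk.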
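Review bot: The Javadoc above LdapUserPersistence.getAugmentedUser still carries `@throws AccessControlException If the operation is not permitted.` while the signature in the hunk no longer declares that exception. Either drop the tag or, if the DAO can still raise it as an unchecked exception, reword the tag to say so. The method body continues outside the hunk.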
@@ -70,6 +70,9 @@ package ca.nrc.cadc.ac.server.web.users; import ca.nrc.cadc.ac.server.web.SyncOutput; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.ServletPrincipalExtractor; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.util.ArrayUtil; import ca.nrc.cadc.util.StringUtil; import org.apache.log4j.Logger; Loading @@ -84,6 +87,9 @@ import java.io.IOException; import java.security.AccessController; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Set; public class UserServlet extends HttpServlet { Loading Loading @@ -126,7 +132,7 @@ public class UserServlet extends HttpServlet // Special case: if the calling subject has a servops X500Principal, // AND it is a GET request, do not augment the subject. Subject subject; if (action instanceof GetUserAction && isNotAugmentedSubject()) if (action instanceof GetUserAction && isNotAugmentedSubject(request)) { subject = Subject.getSubject(AccessController.getContext()); log.debug("subject not augmented: " + subject); Loading Loading 
@@ -250,27 +256,26 @@ public class UserServlet extends HttpServlet } } protected boolean isNotAugmentedSubject() { boolean notAugmented = false; Subject subject = Subject.getSubject(AccessController.getContext()); log.debug("subject: " + subject); if (subject != null) protected boolean isNotAugmentedSubject(HttpServletRequest request) { ServletPrincipalExtractor extractor = new ServletPrincipalExtractor(request); Set<Principal> principals = extractor.getPrincipals(); log.debug("Principals: " + principals); log.debug("notAugmentedX500User" + notAugmentedX500User); for (Principal principal : subject.getPrincipals()) for (Principal principal : principals) { if (principal instanceof X500Principal) { log.debug("principal: " + principal.getName()); if (principal.getName().equalsIgnoreCase(notAugmentedX500User)) { notAugmented = true; break; } return true; } } } return notAugmented; return false; } } projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java +23 −23 Original line number Diff line number Diff line Loading @@ -72,10 +72,13 @@ package ca.nrc.cadc.auth; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.profiler.Profiler; import org.apache.log4j.Logger; import javax.security.auth.Subject; import java.security.AccessControlException; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; Loading Loading 
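Review bot: isNotAugmentedSubject(HttpServletRequest) in the last UserServlet hunk now takes its principals from `new ServletPrincipalExtractor(request)` instead of the Subject already on the AccessController context, so the shortcut that lets a GET skip augmentation is decided from the raw request; confirm that the extractor only yields X500Principals from the container-verified certificate chain and never from caller-supplied headers. The comparison `principal.getName().equalsIgnoreCase(notAugmentedX500User)` is a plain string compare of a DN and misses equivalent spellings (case and spacing in RDN types and values); if the configured value is a valid DN, `new X500Principal(notAugmentedX500User).equals(principal)` compares the canonical RFC 2253 forms instead. `log.debug("notAugmentedX500User" + notAugmentedX500User)` is missing a separator before the value. The imports `X509CertificateChain`, `X509Certificate`, `Arrays` and `ArrayUtil` added in the first two hunks are not used in any visible hunk; presumably they serve code outside them.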
@@ -123,34 +126,31 @@ public class AuthenticatorImpl implements Authenticator protected void augmentSubject(final Subject subject) { try { PrivilegedExceptionAction<Object> action = new PrivilegedExceptionAction<Object>() { public Object run() throws Exception { try { LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>(); User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next()); if (user.getIdentities() != null) { log.debug("Found " + user.getIdentities().size() + " principals after agument"); } else { log.debug("Null identities after augment"); } subject.getPrincipals().addAll(user.getIdentities()); } catch (UserNotFoundException e) { // ignore, could be an anonymous user log.debug("could not find user for augmenting", e); } return null; } }; Subject.doAs(subject, action); } catch (PrivilegedActionException e) catch (TransientException e) { String msg = "Error augmenting subject " + subject; throw new RuntimeException(msg, e); throw new IllegalStateException("Internal error", e); } } } projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java +9 −0 Original line number Diff line number Diff line Loading @@ -79,6 +79,7 @@ import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserDetails; import ca.nrc.cadc.ac.UserRequest; import ca.nrc.cadc.ac.WriterException; import ca.nrc.cadc.auth.DNPrincipal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.IdentityType; import ca.nrc.cadc.auth.NumericPrincipal; Loading Loading @@ -266,6 +267,10 @@ public abstract class AbstractReaderWriter { principal = new X500Principal(identity); } else if (type.equals(IdentityType.ENTRY_DN.getValue())) { principal = new DNPrincipal(identity); } else { String error = "Unknown type attribute: " + type; Loading Loading 
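Review bot: augmentSubject still calls `subject.getPrincipals().iterator().next()` without checking that the set is non-empty, so an anonymous Subject with no principals raises NoSuchElementException even though the `UserNotFoundException` catch comments that anonymous users are expected; add `if (subject.getPrincipals().isEmpty()) { return; }` before the lookup. The `user.getIdentities() != null` branch only logs, and `subject.getPrincipals().addAll(user.getIdentities())` still runs in the null case and throws NullPointerException; move the `addAll` inside the non-null branch. If the rewrite indeed drops `Subject.doAs` (the new catch is `TransientException` rather than `PrivilegedActionException`), the LDAP lookup no longer runs with the caller's Subject on the access-control context, which matters if LdapUserPersistence or the DAO derive a bind or proxied identity from it; confirm that is intended. The new `IllegalStateException("Internal error", e)` also drops the subject from the message the old `RuntimeException(msg, e)` carried, which makes log correlation harder.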
@@ -729,6 +734,10 @@ public abstract class AbstractReaderWriter { identityElement.setAttribute("type", IdentityType.X500.getValue()); } else if ((identity instanceof DNPrincipal)) { identityElement.setAttribute("type", IdentityType.ENTRY_DN.getValue()); } else { String error = "Unsupported Principal type " + Loading Loading
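Review bot: The reader hunk at @@ -266 now accepts `ENTRY_DN` identities from incoming XML and turns them into `new DNPrincipal(identity)`, so a client document can assert an LDAP entry DN as one of the user's identities. If DNPrincipal is used server-side to address LDAP entries directly, the reader should reject or ignore this type on untrusted input (or the caller should strip it) and only the writer hunk at @@ -729 should emit it; I cannot see how DNPrincipal is consumed, so please confirm. The redundant parentheses in `else if ((identity instanceof DNPrincipal))` can be dropped.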
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +16 −20 Original line number Diff line number Diff line Loading @@ -551,8 +551,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } public User<T> getAugmentedUser(final T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException { String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) Loading @@ -563,19 +562,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO try { Filter filter = Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock")); filter = Filter.createANDFilter(filter, Filter.createEqualityFilter(searchField, userID.getName())); searchField = "(" + searchField + "=" + userID.getName() + ")"; logger.debug("search field: " + searchField); // TODO: Search must take into account deleted users (nsaccountlock attr) SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.ONE, filter, identityAttribs); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl( "dn:" + getSubjectDN().toNormalizedString())); searchField, identityAttribs); SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java +15 −16 Original line number Diff line number Diff line Loading @@ -214,8 +214,7 @@ public class LdapUserPersistence<T extends Principal> * @throws AccessControlException If the operation is not permitted. */ public User<T> getAugmentedUser(T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException { LdapUserDAO<T> userDAO = null; try Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/UserServlet.java +21 −16 Original line number Diff line number Diff line Loading @@ -70,6 +70,9 @@ package ca.nrc.cadc.ac.server.web.users; import ca.nrc.cadc.ac.server.web.SyncOutput; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.ServletPrincipalExtractor; import ca.nrc.cadc.auth.X509CertificateChain; import ca.nrc.cadc.util.ArrayUtil; import ca.nrc.cadc.util.StringUtil; import org.apache.log4j.Logger; Loading @@ -84,6 +87,9 @@ import java.io.IOException; import java.security.AccessController; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Set; public class UserServlet extends HttpServlet { Loading Loading @@ -126,7 +132,7 @@ public class UserServlet extends HttpServlet // Special case: if the calling subject has a servops X500Principal, // AND it is a GET request, do not augment the subject. Subject subject; if (action instanceof GetUserAction && isNotAugmentedSubject()) if (action instanceof GetUserAction && isNotAugmentedSubject(request)) { subject = Subject.getSubject(AccessController.getContext()); log.debug("subject not augmented: " + subject); Loading Loading 
@@ -250,27 +256,26 @@ public class UserServlet extends HttpServlet } } protected boolean isNotAugmentedSubject() { boolean notAugmented = false; Subject subject = Subject.getSubject(AccessController.getContext()); log.debug("subject: " + subject); if (subject != null) protected boolean isNotAugmentedSubject(HttpServletRequest request) { ServletPrincipalExtractor extractor = new ServletPrincipalExtractor(request); Set<Principal> principals = extractor.getPrincipals(); log.debug("Principals: " + principals); log.debug("notAugmentedX500User" + notAugmentedX500User); for (Principal principal : subject.getPrincipals()) for (Principal principal : principals) { if (principal instanceof X500Principal) { log.debug("principal: " + principal.getName()); if (principal.getName().equalsIgnoreCase(notAugmentedX500User)) { notAugmented = true; break; } return true; } } } return notAugmented; return false; } }
projects/cadcAccessControl-Server/src/ca/nrc/cadc/auth/AuthenticatorImpl.java +23 −23 Original line number Diff line number Diff line Loading @@ -72,10 +72,13 @@ package ca.nrc.cadc.auth; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.profiler.Profiler; import org.apache.log4j.Logger; import javax.security.auth.Subject; import java.security.AccessControlException; import java.security.Principal; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; Loading Loading @@ -123,34 +126,31 @@ public class AuthenticatorImpl implements Authenticator protected void augmentSubject(final Subject subject) { try { PrivilegedExceptionAction<Object> action = new PrivilegedExceptionAction<Object>() { public Object run() throws Exception { try { LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>(); User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next()); if (user.getIdentities() != null) { log.debug("Found " + user.getIdentities().size() + " principals after agument"); } else { log.debug("Null identities after augment"); } subject.getPrincipals().addAll(user.getIdentities()); } catch (UserNotFoundException e) { // ignore, could be an anonymous user log.debug("could not find user for augmenting", e); } return null; } }; Subject.doAs(subject, action); } catch (PrivilegedActionException e) catch (TransientException e) { String msg = "Error augmenting subject " + subject; throw new RuntimeException(msg, e); throw new IllegalStateException("Internal error", e); } } }
projects/cadcAccessControl/src/ca/nrc/cadc/ac/xml/AbstractReaderWriter.java +9 −0 Original line number Diff line number Diff line Loading @@ -79,6 +79,7 @@ import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserDetails; import ca.nrc.cadc.ac.UserRequest; import ca.nrc.cadc.ac.WriterException; import ca.nrc.cadc.auth.DNPrincipal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.IdentityType; import ca.nrc.cadc.auth.NumericPrincipal; Loading Loading @@ -266,6 +267,10 @@ public abstract class AbstractReaderWriter { principal = new X500Principal(identity); } else if (type.equals(IdentityType.ENTRY_DN.getValue())) { principal = new DNPrincipal(identity); } else { String error = "Unknown type attribute: " + type; Loading Loading @@ -729,6 +734,10 @@ public abstract class AbstractReaderWriter { identityElement.setAttribute("type", IdentityType.X500.getValue()); } else if ((identity instanceof DNPrincipal)) { identityElement.setAttribute("type", IdentityType.ENTRY_DN.getValue()); } else { String error = "Unsupported Principal type " + Loading