Commit 823e303d authored by Patrick Dowler

restore search detail selector hack in LdapGroupPersistence, fix deleteGroup...

restore search detail selector hack in LdapGroupPersistence, fix deleteGroup so it properly clears members
parent 220f226a
+2 −0
@@ -115,11 +115,13 @@

    <!-- Why do the tests need this configuration in two places? -->
    <!-- jenkinsd 2015.07.20 -->
    <!--
    <copy overwrite="true" file="test/LdapConfig.test.properties"
          todir="build/test/class"/>
    <mkdir dir="${user.home}/config" />
    <copy overwrite="true" file="test/LdapConfig.test.properties"
          todir="${user.home}/config/"/>
    -->
  </target>

  <!-- JAR files needed to run the test suite -->
+9 −2
@@ -144,8 +144,15 @@ public abstract class LdapDAO
            throws TransientException
    {
    	logger.debug("Ldap result: " + code);
        checkLdapResult(code, false);
    }
    
    	if (code == ResultCode.SUCCESS || code == ResultCode.NO_SUCH_OBJECT)
    protected static void checkLdapResult(ResultCode code, boolean ignoreNoSuchAttribute)
            throws TransientException
    {
    	if ( code == ResultCode.SUCCESS 
                || code == ResultCode.NO_SUCH_OBJECT
                || (ignoreNoSuchAttribute && code == ResultCode.NO_SUCH_ATTRIBUTE) )
        {
            return;
        }
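Review bot: The new overload `checkLdapResult(ResultCode code, boolean ignoreNoSuchAttribute)` has no Javadoc, and its contract needs one: NO_SUCH_OBJECT is accepted as success in every case, not only NO_SUCH_ATTRIBUTE under the flag, so a modify against an entry that does not exist passes this check silently. Suggest a Javadoc along the lines of `/** Accepts SUCCESS and NO_SUCH_OBJECT as non-errors; when ignoreNoSuchAttribute is true, NO_SUCH_ATTRIBUTE is also accepted (for deleting an attribute that may already be absent). Any other code is presumably reported as TransientException. */`, adjusting the last sentence to whatever the body outside the hunk actually does. The lines `logger.debug("Ldap result: " + code);` and `if ( code == ResultCode.SUCCESS` are tab-indented while the surrounding code uses spaces. Both methods extend beyond the hunk: the first starts before it, and the closing brace of the new overload is not shown.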
+34 −35
@@ -435,16 +435,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
     * @throws GroupNotFoundException If the group was not found.
     * @throws TransientException     If an temporary, unexpected problem occurred.
     */
    public Group getGroup(final String groupID)
    public Group getGroup(final String groupID, boolean complete)
            throws GroupNotFoundException, TransientException,
                   AccessControlException
    {
        Group group = getGroup(getGroupDN(groupID), groupID, GROUP_AND_MEMBER_ATTRS);
        String[] attrs = GROUP_ATTRS;
        if (complete)
            attrs = GROUP_AND_MEMBER_ATTRS;
        
        Group adminGroup = getGroup(getAdminGroupDN(groupID), null, GROUP_AND_MEMBER_ATTRS);
        Group group = getGroup(getGroupDN(groupID), groupID, attrs);

        if (complete)
        {
            Group adminGroup = getGroup(getAdminGroupDN(groupID), null, GROUP_AND_MEMBER_ATTRS);
            group.getGroupAdmins().addAll(adminGroup.getGroupMembers());
            group.getUserAdmins().addAll(adminGroup.getUserMembers());
        }

        return group;
    }
@@ -454,7 +460,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
                   AccessControlException
    {
        logger.info("getGroup: " + groupDN + " attrs: " + attributes.length);
        logger.debug("getGroup: " + groupDN + " attrs: " + attributes.length);
        String loggableGroupID = xgroupID;
        if (loggableGroupID == null)
        {
@@ -558,7 +564,8 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
                   AccessControlException, UserNotFoundException
    {
        getGroup(group.getID()); //group must exists first
        String groupID = group.getID();
        getGroup(getGroupDN(groupID), groupID, PUB_GROUP_ATTRS);//group must exists first
        return modifyGroup(group, false);
    }

@@ -665,11 +672,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
        {
            if (withActivate)
            {
                return new ActivatedGroup(getGroup(group.getID()));
                return new ActivatedGroup(getGroup(group.getID(), true));
            }
            else
            {
                return getGroup(group.getID());
                return getGroup(group.getID(), true);
            }
        }
        catch (GroupNotFoundException e)
@@ -699,47 +706,39 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
                   AccessControlException
    {
        Group group = getGroup(groupDN, groupID, GROUP_AND_MEMBER_ATTRS);
        List<Modification> modifs = new ArrayList<Modification>();
        modifs.add(new Modification(ModificationType.ADD, "nsaccountlock", "true"));

        if (isAdmin)
        {
            if (!group.getGroupAdmins().isEmpty() ||
                !group.getUserAdmins().isEmpty())
        ModifyRequest clearMembers = new ModifyRequest(groupDN, 
                new Modification(ModificationType.DELETE, "uniquemember"));
        try
        {
                modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
            }
            logger.debug("clearMembers " + groupDN);
            LDAPResult result = getReadWriteConnection().modify(clearMembers);
            LdapDAO.checkLdapResult(result.getResultCode(), true);
        }
        else
        {
            if (!group.getGroupMembers().isEmpty() ||
                !group.getUserMembers().isEmpty())
        catch (LDAPException e1)
        {
                modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
            }
            logger.debug("clear members fail: " + e1, e1);
            LdapDAO.checkLdapResult(e1.getResultCode(), true);
        }

        ModifyRequest modifyRequest = new ModifyRequest(groupDN, modifs);
        ModifyRequest deleteGroup = new ModifyRequest(groupDN, 
                new Modification(ModificationType.ADD, "nsaccountlock", "true"));
        
        try
        {
            //modifyRequest.addControl(
            //        new ProxiedAuthorizationV2RequestControl(
            //                "dn:" + getSubjectDN().toNormalizedString()));
            LDAPResult result = getReadWriteConnection().modify(modifyRequest);
            logger.debug("deleteGroup " + groupDN);
            LDAPResult result = getReadWriteConnection().modify(deleteGroup);
            LdapDAO.checkLdapResult(result.getResultCode());
        }
        catch (LDAPException e1)
        {
            logger.debug("Delete Exception: " + e1, e1);
            logger.debug("delete group fail: " + e1, e1);
            LdapDAO.checkLdapResult(e1.getResultCode());
        }

        try
        {
            getGroup(getGroupDN(group.getID()), null, GROUP_ATTRS);
            throw new RuntimeException("BUG: group not deleted " + group
                    .getID());
            Group g = getGroup(getGroupDN(groupID), null, GROUP_ATTRS);
            throw new RuntimeException("BUG: group not deleted " + g.getID());
        }
        catch (GroupNotFoundException ignore)
        {
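Review bot: In the rewritten deleteGroup (hunk at @@ -699) a group that does not exist now appears to be deleted successfully: the clear-members modify and the nsaccountlock modify both come back NO_SUCH_OBJECT, which checkLdapResult treats as success, and the final verification `getGroup(getGroupDN(groupID), null, GROUP_ATTRS)` throws GroupNotFoundException straight into the `catch (GroupNotFoundException ignore)` block. The old code guarded this with the `Group group = getGroup(groupDN, groupID, GROUP_AND_MEMBER_ATTRS);` read at the top; if that line is indeed gone on the new side (the new code only references `groupID`), the method no longer honours its declared GroupNotFoundException and only the ownership read in LdapGroupPersistence stands between a caller and a silent no-op, so keep an existence read such as `getGroup(groupDN, groupID, PUB_GROUP_ATTRS); // group must exist first` before clearMembers, as modifyGroup does. The two modify requests are also not atomic: if the lock request fails after the member clear succeeded, the group is left active but with its membership removed, which deserves at least a comment. If `isAdmin` is still a parameter of this method, it is unused on the new side; the signature is outside the hunk.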
+19 −24
@@ -156,7 +156,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        {
            userDAO = new LdapUserDAO<T>(conns);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            Group ret = groupDAO.getGroup(groupName);
            Group ret = groupDAO.getGroup(groupName, true);
            if (allowed || isOwner(callerSubject, ret))
                return ret;
            throw new AccessControlException("permission denied");
@@ -202,9 +202,8 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        {
            userDAO = new LdapUserDAO<T>(conns);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            Group g = groupDAO.getGroup(groupName);
            Group g = groupDAO.getGroup(groupName, false);
            if (isOwner(callerSubject, g)) 
                // TODO: pass g into the delete so it doesn't have to do another get
                groupDAO.deleteGroup(groupName);
            else
                throw new AccessControlException("permission denied");
@@ -231,7 +230,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            if (!allowed)
            {
                Group g = groupDAO.getGroup(group.getID());
                Group g = groupDAO.getGroup(group.getID(), false);
                if (isOwner(callerSubject, g))
                    allowed = true;
            }
@@ -278,7 +277,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            else
            {
                List<Group> groups = getGroupCache(caller, role);
                log.info("getGroups  " + role + ": " + groups.size());
                log.debug("getGroups  " + role + ": " + groups.size());
                Collection<Group> ret = new ArrayList<Group>(groups.size());
                Iterator<Group> i = groups.iterator();
                while ( i.hasNext() )
@@ -286,21 +285,22 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
                    Group g = i.next();
                    if (groupID == null || g.getID().equalsIgnoreCase(groupID))
                    {
                        //if (detailSelector != null && detailSelector.isDetailedSearch(g, role))
                        //{
                        if (detailSelector != null && detailSelector.isDetailedSearch(g, role))
                        {
                            try
                            {
                            Group g2 = groupDAO.getGroup(g.getID());
                            log.info("role " + role + " loaded: " + g2);
                                Group g2 = groupDAO.getGroup(g.getID(), false);
                                log.debug("role " + role + " loaded: " + g2);
                                ret.add(g2);
                            }
                            catch(GroupNotFoundException contentBug)
                            {
                            log.info("skip: " + g.getID() + ": " + contentBug);
                                log.error("group: " + g.getID() + " in cache but not found", contentBug);
                                // skip and continue so user gets something
                            }
                        }
                        //}
                        //else
                        //    ret.add(g);
                        else
                            ret.add(g);
                    }
                }
                return ret;
@@ -311,11 +311,6 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            log.error("getGroups fail", ex);
            throw ex;
        }
        //catch (GroupNotFoundException ex)
        //{
        //    log.error("getGroups fail", ex);
        //    throw ex;
        //}
        finally
        {
            conns.releaseConnections();
@@ -332,7 +327,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        if (gset == null || gset.isEmpty())
            throw new RuntimeException("BUG: no GroupMemberships cache in Subject");
        GroupMemberships gms = gset.iterator().next();
        return gms.memberships.get(role);
        return gms.getMemberships(role);
    }
    
    // true if the current subject is a member: using GroupMemberships cache
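Review bot: In the restored detail-selector branch of getGroups (hunk at @@ -286), the detailed load uses `groupDAO.getGroup(g.getID(), false)`, which per the LdapGroupDAO change reads GROUP_ATTRS only, so the "detailed" group carries no member or admin lists; if that is intentional (a search listing needs the group's own attributes, not its membership) say so with `// complete=false: detailed search needs group attributes, not membership`, otherwise the flag should be `true`. In the else branch `ret.add(g)` hands the Group objects held in the Subject's GroupMemberships cache directly to the caller, so any caller that mutates the returned group (LdapGroupDAO.getGroup itself does `addAll` on the admin collections of a group it returns) would alter the per-subject cache; a defensive copy, or a comment stating that the returned groups must be treated as read-only, would make that contract explicit.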
+3 −3
@@ -149,13 +149,13 @@ public class AuthenticatorImpl implements Authenticator
            subject.getPrincipals().addAll(user.getIdentities());
            if (user.appData != null)
            {
                log.info("found: " + user.appData.getClass().getName());
                log.debug("found: " + user.appData.getClass().getName());
                try
                {
                    GroupMemberships gms = (GroupMemberships) user.appData;
                    for (Group g : gms.memberships.get(Role.ADMIN))
                    for (Group g : gms.getMemberships(Role.ADMIN))
                        log.debug("GroupMemberships admin: " + g.getID());
                    for (Group g : gms.memberships.get(Role.MEMBER))
                    for (Group g : gms.getMemberships(Role.MEMBER))
                        log.debug("GroupMemberships member: " + g.getID());
                    subject.getPrivateCredentials().add(gms);
                }
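Review bot: The two for-each loops over `gms.getMemberships(Role.ADMIN)` and `gms.getMemberships(Role.MEMBER)` exist only to emit debug lines, yet they run on every authentication regardless of log level; wrap them in `if (log.isDebugEnabled())` so the membership lists are not walked in production. They will also throw NullPointerException if getMemberships returns null for a role with no groups — whether it guarantees a non-null (possibly empty) list is not visible here, and the catch block that follows is outside the hunk, so confirm that before relying on it.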