Commit 823e303d authored by Patrick Dowler's avatar Patrick Dowler

restore search detail selector hack in LdapGroupPersistence, fix deleteGroup...

restore search detail selector hack in LdapGroupPersistence, fix deleteGroup so it properly clears members
parent 220f226a
+2 −0
@@ -115,11 +115,13 @@


    <!-- Why do the tests need this configuration in two places? -->
    <!-- Why do the tests need this configuration in two places? -->
    <!-- jenkinsd 2015.07.20 -->
    <!-- jenkinsd 2015.07.20 -->
    <!--
    <copy overwrite="true" file="test/LdapConfig.test.properties"
    <copy overwrite="true" file="test/LdapConfig.test.properties"
          todir="build/test/class"/>
          todir="build/test/class"/>
    <mkdir dir="${user.home}/config" />
    <mkdir dir="${user.home}/config" />
    <copy overwrite="true" file="test/LdapConfig.test.properties"
    <copy overwrite="true" file="test/LdapConfig.test.properties"
          todir="${user.home}/config/"/>
          todir="${user.home}/config/"/>
    -->
  </target>
  </target>


  <!-- JAR files needed to run the test suite -->
  <!-- JAR files needed to run the test suite -->
+9 −2
@@ -144,8 +144,15 @@ public abstract class LdapDAO
            throws TransientException
            throws TransientException
    {
    {
    	logger.debug("Ldap result: " + code);
    	logger.debug("Ldap result: " + code);
        checkLdapResult(code, false);
    }
    
    
    	if (code == ResultCode.SUCCESS || code == ResultCode.NO_SUCH_OBJECT)
    protected static void checkLdapResult(ResultCode code, boolean ignoreNoSuchAttribute)
            throws TransientException
    {
    	if ( code == ResultCode.SUCCESS 
                || code == ResultCode.NO_SUCH_OBJECT
                || (ignoreNoSuchAttribute && code == ResultCode.NO_SUCH_ATTRIBUTE) )
        {
        {
            return;
            return;
        }
        }
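Review bot: The new `checkLdapResult(ResultCode, boolean)` overload has no Javadoc, and the behaviour it inherits is non-obvious for callers that use it after a modify: `NO_SUCH_OBJECT` is accepted as success unconditionally, so a modify against a DN that does not exist passes this check and the caller cannot tell "modified" from "entry absent". I would document that explicitly above the `protected static` line, e.g. `/** Throws TransientException for any result other than SUCCESS or NO_SUCH_OBJECT; when ignoreNoSuchAttribute is true, NO_SUCH_ATTRIBUTE (deleting an attribute that is not present) is also accepted. Callers that need to know the target entry existed must check that separately. */`. The one-argument method whose body becomes a delegation at the top of the hunk has its signature above the hunk, and the new method's body continues past the hunk's last line.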
+34 −35
@@ -435,16 +435,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
     * @throws GroupNotFoundException If the group was not found.
     * @throws GroupNotFoundException If the group was not found.
     * @throws TransientException     If an temporary, unexpected problem occurred.
     * @throws TransientException     If an temporary, unexpected problem occurred.
     */
     */
    public Group getGroup(final String groupID)
    public Group getGroup(final String groupID, boolean complete)
            throws GroupNotFoundException, TransientException,
            throws GroupNotFoundException, TransientException,
                   AccessControlException
                   AccessControlException
    {
    {
        Group group = getGroup(getGroupDN(groupID), groupID, GROUP_AND_MEMBER_ATTRS);
        String[] attrs = GROUP_ATTRS;
        if (complete)
            attrs = GROUP_AND_MEMBER_ATTRS;
        
        
        Group adminGroup = getGroup(getAdminGroupDN(groupID), null, GROUP_AND_MEMBER_ATTRS);
        Group group = getGroup(getGroupDN(groupID), groupID, attrs);


        if (complete)
        {
            Group adminGroup = getGroup(getAdminGroupDN(groupID), null, GROUP_AND_MEMBER_ATTRS);
            group.getGroupAdmins().addAll(adminGroup.getGroupMembers());
            group.getGroupAdmins().addAll(adminGroup.getGroupMembers());
            group.getUserAdmins().addAll(adminGroup.getUserMembers());
            group.getUserAdmins().addAll(adminGroup.getUserMembers());
        }


        return group;
        return group;
    }
    }
@@ -454,7 +460,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
            throws GroupNotFoundException, TransientException,
                   AccessControlException
                   AccessControlException
    {
    {
        logger.info("getGroup: " + groupDN + " attrs: " + attributes.length);
        logger.debug("getGroup: " + groupDN + " attrs: " + attributes.length);
        String loggableGroupID = xgroupID;
        String loggableGroupID = xgroupID;
        if (loggableGroupID == null)
        if (loggableGroupID == null)
        {
        {
@@ -558,7 +564,8 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
            throws GroupNotFoundException, TransientException,
                   AccessControlException, UserNotFoundException
                   AccessControlException, UserNotFoundException
    {
    {
        getGroup(group.getID()); //group must exists first
        String groupID = group.getID();
        getGroup(getGroupDN(groupID), groupID, PUB_GROUP_ATTRS);//group must exists first
        return modifyGroup(group, false);
        return modifyGroup(group, false);
    }
    }


@@ -665,11 +672,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
        {
        {
            if (withActivate)
            if (withActivate)
            {
            {
                return new ActivatedGroup(getGroup(group.getID()));
                return new ActivatedGroup(getGroup(group.getID(), true));
            }
            }
            else
            else
            {
            {
                return getGroup(group.getID());
                return getGroup(group.getID(), true);
            }
            }
        }
        }
        catch (GroupNotFoundException e)
        catch (GroupNotFoundException e)
@@ -699,47 +706,39 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
            throws GroupNotFoundException, TransientException,
            throws GroupNotFoundException, TransientException,
                   AccessControlException
                   AccessControlException
    {
    {
        Group group = getGroup(groupDN, groupID, GROUP_AND_MEMBER_ATTRS);
        ModifyRequest clearMembers = new ModifyRequest(groupDN, 
        List<Modification> modifs = new ArrayList<Modification>();
                new Modification(ModificationType.DELETE, "uniquemember"));
        modifs.add(new Modification(ModificationType.ADD, "nsaccountlock", "true"));
        try

        if (isAdmin)
        {
            if (!group.getGroupAdmins().isEmpty() ||
                !group.getUserAdmins().isEmpty())
        {
        {
                modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
            logger.debug("clearMembers " + groupDN);
            }
            LDAPResult result = getReadWriteConnection().modify(clearMembers);
            LdapDAO.checkLdapResult(result.getResultCode(), true);
        }
        }
        else
        catch (LDAPException e1)
        {
            if (!group.getGroupMembers().isEmpty() ||
                !group.getUserMembers().isEmpty())
        {
        {
                modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
            logger.debug("clear members fail: " + e1, e1);
            }
            LdapDAO.checkLdapResult(e1.getResultCode(), true);
        }
        }


        ModifyRequest modifyRequest = new ModifyRequest(groupDN, modifs);
        ModifyRequest deleteGroup = new ModifyRequest(groupDN, 
                new Modification(ModificationType.ADD, "nsaccountlock", "true"));
        
        try
        try
        {
        {
            //modifyRequest.addControl(
            logger.debug("deleteGroup " + groupDN);
            //        new ProxiedAuthorizationV2RequestControl(
            LDAPResult result = getReadWriteConnection().modify(deleteGroup);
            //                "dn:" + getSubjectDN().toNormalizedString()));
            LDAPResult result = getReadWriteConnection().modify(modifyRequest);
            LdapDAO.checkLdapResult(result.getResultCode());
            LdapDAO.checkLdapResult(result.getResultCode());
        }
        }
        catch (LDAPException e1)
        catch (LDAPException e1)
        {
        {
            logger.debug("Delete Exception: " + e1, e1);
            logger.debug("delete group fail: " + e1, e1);
            LdapDAO.checkLdapResult(e1.getResultCode());
            LdapDAO.checkLdapResult(e1.getResultCode());
        }
        }


        try
        try
        {
        {
            getGroup(getGroupDN(group.getID()), null, GROUP_ATTRS);
            Group g = getGroup(getGroupDN(groupID), null, GROUP_ATTRS);
            throw new RuntimeException("BUG: group not deleted " + group
            throw new RuntimeException("BUG: group not deleted " + g.getID());
                    .getID());
        }
        }
        catch (GroupNotFoundException ignore)
        catch (GroupNotFoundException ignore)
        {
        {
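Review bot: In the deleteGroup helper (last hunk), removing the up-front `getGroup(groupDN, groupID, GROUP_AND_MEMBER_ATTRS)` means the method no longer establishes that the group exists before mutating it; since `checkLdapResult` accepts `NO_SUCH_OBJECT` as success (see the LdapDAO hunk in this commit), both the `uniquemember` delete and the `nsaccountlock` add against a non-existent DN pass silently, and the closing `getGroup(getGroupDN(groupID), null, GROUP_ATTRS)` then throws `GroupNotFoundException` into the `ignore` catch, so the declared `GroupNotFoundException` is now only produced when the caller does its own lookup (LdapGroupPersistence does, but other callers may not). Either keep a cheap existence check at the top of the method, e.g. `getGroup(groupDN, groupID, GROUP_ATTRS); // fail with GroupNotFoundException before mutating`, or state in the method's Javadoc that callers must have verified existence. The two modify requests are also not atomic: if the `nsaccountlock` add fails after the member clear succeeded, the group is left active with its membership wiped, which deserves a comment on the `deleteGroup` request explaining that the clear is done first so a later re-activation cannot resurrect stale members (if that is the intent). The method's signature, and whether `isAdmin` is still a parameter now that the new body no longer reads it, is above the hunk.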
+19 −24
@@ -156,7 +156,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        {
        {
            userDAO = new LdapUserDAO<T>(conns);
            userDAO = new LdapUserDAO<T>(conns);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            Group ret = groupDAO.getGroup(groupName);
            Group ret = groupDAO.getGroup(groupName, true);
            if (allowed || isOwner(callerSubject, ret))
            if (allowed || isOwner(callerSubject, ret))
                return ret;
                return ret;
            throw new AccessControlException("permission denied");
            throw new AccessControlException("permission denied");
@@ -202,9 +202,8 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        {
        {
            userDAO = new LdapUserDAO<T>(conns);
            userDAO = new LdapUserDAO<T>(conns);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            Group g = groupDAO.getGroup(groupName);
            Group g = groupDAO.getGroup(groupName, false);
            if (isOwner(callerSubject, g)) 
            if (isOwner(callerSubject, g)) 
                // TODO: pass g into the delete so it doesn't have to do another get
                groupDAO.deleteGroup(groupName);
                groupDAO.deleteGroup(groupName);
            else
            else
                throw new AccessControlException("permission denied");
                throw new AccessControlException("permission denied");
@@ -231,7 +230,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            groupDAO = new LdapGroupDAO<T>(conns, userDAO);
            if (!allowed)
            if (!allowed)
            {
            {
                Group g = groupDAO.getGroup(group.getID());
                Group g = groupDAO.getGroup(group.getID(), false);
                if (isOwner(callerSubject, g))
                if (isOwner(callerSubject, g))
                    allowed = true;
                    allowed = true;
            }
            }
@@ -278,7 +277,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            else
            else
            {
            {
                List<Group> groups = getGroupCache(caller, role);
                List<Group> groups = getGroupCache(caller, role);
                log.info("getGroups  " + role + ": " + groups.size());
                log.debug("getGroups  " + role + ": " + groups.size());
                Collection<Group> ret = new ArrayList<Group>(groups.size());
                Collection<Group> ret = new ArrayList<Group>(groups.size());
                Iterator<Group> i = groups.iterator();
                Iterator<Group> i = groups.iterator();
                while ( i.hasNext() )
                while ( i.hasNext() )
@@ -286,21 +285,22 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
                    Group g = i.next();
                    Group g = i.next();
                    if (groupID == null || g.getID().equalsIgnoreCase(groupID))
                    if (groupID == null || g.getID().equalsIgnoreCase(groupID))
                    {
                    {
                        //if (detailSelector != null && detailSelector.isDetailedSearch(g, role))
                        if (detailSelector != null && detailSelector.isDetailedSearch(g, role))
                        //{
                        {
                            try
                            try
                            {
                            {
                            Group g2 = groupDAO.getGroup(g.getID());
                                Group g2 = groupDAO.getGroup(g.getID(), false);
                            log.info("role " + role + " loaded: " + g2);
                                log.debug("role " + role + " loaded: " + g2);
                                ret.add(g2);
                                ret.add(g2);
                            }
                            }
                            catch(GroupNotFoundException contentBug)
                            catch(GroupNotFoundException contentBug)
                            {
                            {
                            log.info("skip: " + g.getID() + ": " + contentBug);
                                log.error("group: " + g.getID() + " in cache but not found", contentBug);
                                // skip and continue so user gets something
                            }
                        }
                        }
                        //}
                        else
                        //else
                            ret.add(g);
                        //    ret.add(g);
                    }
                    }
                }
                }
                return ret;
                return ret;
@@ -311,11 +311,6 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
            log.error("getGroups fail", ex);
            log.error("getGroups fail", ex);
            throw ex;
            throw ex;
        }
        }
        //catch (GroupNotFoundException ex)
        //{
        //    log.error("getGroups fail", ex);
        //    throw ex;
        //}
        finally
        finally
        {
        {
            conns.releaseConnections();
            conns.releaseConnections();
@@ -332,7 +327,7 @@ public class LdapGroupPersistence<T extends Principal> extends LdapPersistence i
        if (gset == null || gset.isEmpty())
        if (gset == null || gset.isEmpty())
            throw new RuntimeException("BUG: no GroupMemberships cache in Subject");
            throw new RuntimeException("BUG: no GroupMemberships cache in Subject");
        GroupMemberships gms = gset.iterator().next();
        GroupMemberships gms = gset.iterator().next();
        return gms.memberships.get(role);
        return gms.getMemberships(role);
    }
    }
    
    
    // true if the current subject is a member: using GroupMemberships cache
    // true if the current subject is a member: using GroupMemberships cache
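Review bot: In the restored detail-selector branch of getGroups, the reload `groupDAO.getGroup(g.getID(), false)` asks for the non-complete form, which per the LdapGroupDAO change in this commit loads `GROUP_ATTRS` only and skips the admin-group lookup, so the "detailed" result `g2` carries no members or admins, whereas the pre-commit `getGroup(g.getID())` loaded `GROUP_AND_MEMBER_ATTRS`. If returning group attributes without membership is the intended cheap variant, say so on that line, e.g. `// complete=false: reload public group attributes only; membership is not exposed by search`; if the detail selector is meant to surface membership, this should be `true`. On the `GroupNotFoundException` path the stale entry is skipped but appears to remain in the Subject's `GroupMemberships` cache, so each subsequent call repeats the failing lookup and the error log until the cache is rebuilt — a short comment acknowledging that would help the next reader. The enclosing getGroups method starts and ends outside this hunk.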
+3 −3
@@ -149,13 +149,13 @@ public class AuthenticatorImpl implements Authenticator
            subject.getPrincipals().addAll(user.getIdentities());
            subject.getPrincipals().addAll(user.getIdentities());
            if (user.appData != null)
            if (user.appData != null)
            {
            {
                log.info("found: " + user.appData.getClass().getName());
                log.debug("found: " + user.appData.getClass().getName());
                try
                try
                {
                {
                    GroupMemberships gms = (GroupMemberships) user.appData;
                    GroupMemberships gms = (GroupMemberships) user.appData;
                    for (Group g : gms.memberships.get(Role.ADMIN))
                    for (Group g : gms.getMemberships(Role.ADMIN))
                        log.debug("GroupMemberships admin: " + g.getID());
                        log.debug("GroupMemberships admin: " + g.getID());
                    for (Group g : gms.memberships.get(Role.MEMBER))
                    for (Group g : gms.getMemberships(Role.MEMBER))
                        log.debug("GroupMemberships member: " + g.getID());
                        log.debug("GroupMemberships member: " + g.getID());
                    subject.getPrivateCredentials().add(gms);
                    subject.getPrivateCredentials().add(gms);
                }
                }