Commit 83b8eadd authored by Jeff Burke's avatar Jeff Burke

Merge branch 's1651' of ssh://mach16/usr/cadc/dev/git/wopencadc into s1651

parents 1a12ad49 629d4227
+23 −34
@@ -68,11 +68,14 @@
 */
package ca.nrc.cadc.ac.server.web;

import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Principal;
import java.util.Collection;
import java.util.Date;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
@@ -84,7 +87,6 @@ import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.PluginFactory;
import ca.nrc.cadc.ac.server.RequestValidator;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.uws.ExecutionPhase;
import ca.nrc.cadc.uws.Job;
@@ -154,6 +156,8 @@ public class ACSearchRunner implements JobRunner
        
        try
        {

            
            ExecutionPhase ep = 
                jobUpdater.setPhase(job.getID(), ExecutionPhase.QUEUED, 
                                    ExecutionPhase.EXECUTING, new Date());
@@ -166,6 +170,23 @@ public class ACSearchRunner implements JobRunner
            RequestValidator rv = new RequestValidator();
            rv.validate(job.getParameterList());
            
            // only allow users to search themselves...
            Principal userBeingSearched = rv.getPrincipal();
            if (userBeingSearched != null)
            {
                AccessControlContext acContext = AccessController.getContext();
                Subject subject = Subject.getSubject(acContext);
                boolean idMatch = false;
                for (Principal p : subject.getPrincipals())
                {
                    if (p.equals(userBeingSearched))
                        idMatch = true;
                }
                if (!idMatch)
                    throw new AccessControlException("Can only search oneself.");
            }

            
            PluginFactory factory = new PluginFactory();
            GroupPersistence dao = factory.getGroupPersistence();
            Collection<Group> groups = 
@@ -246,7 +267,7 @@ public class ACSearchRunner implements JobRunner
            logInfo.setMessage(t.getMessage());
            log.debug("FAIL", t);
            
            syncOut.setResponseCode(401);
            syncOut.setResponseCode(403);
            
//            ErrorSummary errorSummary =
//                new ErrorSummary(t.getMessage(), ErrorType.FATAL);
@@ -284,36 +305,4 @@ public class ACSearchRunner implements JobRunner
        }
    }
    
//    private Principal getUserPrincipal(String userID, IdentityType type)
//    {
//        if (type == IdentityType.OPENID)
//        {
//            return new OpenIdPrincipal(userID);
//        }
//        if (type == IdentityType.UID)
//        {
//            try
//            {
//                Long numericId = Long.valueOf(userID);
//                return new NumericPrincipal(numericId);
//            }
//            catch (NumberFormatException e)
//            {
//                throw new IllegalArgumentException("Illegal UID userID " +
//                                                   userID + " because " +
//                                                   e.getMessage());
//            }
//        }
//        if (type == IdentityType.USERNAME)
//        {
//            return new HttpPrincipal(userID);
//        }
//        if (type == IdentityType.X500)
//        {
//            return new X500Principal(userID);
//        }
//        throw new IllegalArgumentException("Unknown user type " + 
//                                           type.getValue());
//    }
    
}
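Review bot: `Subject.getSubject(acContext)` returns null when no Subject is bound to the calling context, so `subject.getPrincipals()` in the new self-search check would throw a NullPointerException instead of the intended AccessControlException, and the later catch that sets the message from `t.getMessage()` appears to turn any throwable into a 403, which would mask the NPE. Guard it before the loop: `if (subject == null) throw new AccessControlException("Can only search oneself.");`. The loop itself can then collapse to `boolean idMatch = subject.getPrincipals().contains(userBeingSearched);`, which also stops at the first match rather than scanning every principal. The enclosing method starts and ends outside the hunk.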
+14 −12
@@ -68,26 +68,28 @@
 */
package ca.nrc.cadc.ac.server.web;

import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.MemberAlreadyExistsException;
import ca.nrc.cadc.ac.MemberNotFoundException;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.PluginFactory;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.net.TransientException;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.MemberAlreadyExistsException;
import ca.nrc.cadc.ac.MemberNotFoundException;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.PluginFactory;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.net.TransientException;

public abstract class GroupsAction
    implements PrivilegedExceptionAction<Object>
{
@@ -131,9 +133,9 @@ public abstract class GroupsAction
        catch (AccessControlException e)
        {
            log.debug(e);
            String message = "Unauthorized";
            String message = "Permission Denied";
            this.logInfo.setMessage(message);
            sendError(401, message);
            sendError(403, message);
        }
        catch (IllegalArgumentException e)
        {
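Review bot: `sendError(403, message)` hard-codes the status code although `HttpServletResponse` is already imported in this file; `sendError(HttpServletResponse.SC_FORBIDDEN, message);` states the intent, and the same applies to `syncOut.setResponseCode(403)` in ACSearchRunner. Moving the AccessControlException path from 401 to 403 also drops the distinction between an unauthenticated and an unauthorized caller; if an anonymous request can reach this catch it now receives "Permission Denied" with no indication that credentials are required, so it is worth confirming the servlet rejects anonymous access before this point. The enclosing method starts and ends outside the hunk.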
+0 −10
@@ -94,16 +94,6 @@ public class GroupsServlet extends HttpServlet
        try
        {
            log.info(logInfo.start());

            // Note: For this servlet, one does not want the subject to be
            // augmented with all user principals, only the one in which
            // they used to connect to the service.  This is accomplished
            // by ensuring that there is no authenticator implementation
            // available in the classpath with the name:
            //   ca.nrc.cadc.auth.AuthenticatorImpl.class
            // See cadcUtil method ca.nrc.cadc.auth.AuthenticationUtil#getAuthenticator()
            // for more information.
            
            Subject subject = AuthenticationUtil.getSubject(request);
            logInfo.setSubject(subject);
            GroupsAction action = GroupsActionFactory.getGroupsAction(request, logInfo);