Commit 9fcb2c8e authored by Alinga Yeung's avatar Alinga Yeung

Merge branch 'ac2' of /srv/cadc/git/wopencadc into ac2

parents 0c2b3533 1c53e20e
+17 −21
@@ -312,7 +312,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
            catch (UserNotFoundException e)
            {
                throw new RuntimeException("BUG: new user " + userDN.toNormalizedString() +
                    " not found because " + e.getMessage());
                    " not found");
            }
        }
        catch (LDAPException e)
@@ -551,8 +551,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
    }

    public User<T> getAugmentedUser(final T userID)
        throws UserNotFoundException, TransientException,
        AccessControlException
        throws UserNotFoundException, TransientException
    {
        String searchField = userLdapAttrib.get(userID.getClass());
        if (searchField == null)
@@ -563,19 +562,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO

        try
        {
            Filter filter =
                Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock"));
            filter =
                Filter.createANDFilter(filter,
                    Filter.createEqualityFilter(searchField, userID.getName()));

            searchField = "(" + searchField + "=" + userID.getName() + ")";

            logger.debug("search field: " + searchField);

            // TODO: Search must take into account deleted users (nsaccountlock attr)

            SearchRequest searchRequest =
                    new SearchRequest(config.getUsersDN(), SearchScope.ONE,
                    filter, identityAttribs);

            searchRequest.addControl(
                new ProxiedAuthorizationV2RequestControl(
                    "dn:" + getSubjectDN().toNormalizedString()));
                        searchField, identityAttribs);

            SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest);

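Review bot: The new filter on the `searchField = "(" + searchField + "=" + userID.getName() + ")";` line is built by string concatenation, so a principal name containing `*`, `(`, `)` or `\` is interpreted as LDAP filter syntax, whereas the removed side escaped the value through `Filter.createEqualityFilter`. Keep the typed filter: `Filter filter = Filter.createEqualityFilter(searchField, userID.getName());` and pass `filter` rather than `searchField` to the `SearchRequest`. The commit also drops the `nsaccountlock` exclusion and leaves only a TODO, so locked or deleted accounts resolve again until `Filter.createANDFilter(Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock")), ...)` is restored. With the `ProxiedAuthorizationV2RequestControl` gone the search now runs under the bound connection's own identity instead of the caller's; if that is the intent it deserves a one-line comment here. getAugmentedUser continues outside the hunk.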
+15 −16
@@ -214,8 +214,7 @@ public class LdapUserPersistence<T extends Principal>
     * @throws AccessControlException If the operation is not permitted.
     */
    public User<T> getAugmentedUser(T userID)
        throws UserNotFoundException, TransientException,
        AccessControlException
        throws UserNotFoundException, TransientException
    {
        LdapUserDAO<T> userDAO = null;
        try
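Review bot: The Javadoc `@throws AccessControlException If the operation is not permitted.` kept as context at the top of the hunk no longer matches the new single-line `throws UserNotFoundException, TransientException` clause; either drop that tag or, if the DAO can still raise the unchecked exception, reword it to say under which condition. The method body continues past the hunk.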
+17 −16
@@ -136,6 +136,11 @@ public class GetUserAction extends AbstractUserAction
            try
            {
                user = userPersistence.getUser(principal);
            }
            catch (UserNotFoundException e)
            {
                user = userPersistence.getPendingUser(principal);
            }

            // Only return user profile info, first and last name.
            if (detail != null && detail.equalsIgnoreCase("display"))
@@ -151,11 +156,7 @@ public class GetUserAction extends AbstractUserAction
                user.details.clear();
                user.details.add(new PersonalDetails(pd.getFirstName(), pd.getLastName()));
            }
            }
            catch (UserNotFoundException e)
            {
                user = userPersistence.getPendingUser(principal);
            }

        }

    	return user;
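Review bot: The relocated fallback `user = userPersistence.getPendingUser(principal);` now leaves the display-detail trimming outside the catch, but nothing states why a miss on approved users is answered with a pending-approval record, nor that a second `UserNotFoundException` from `getPendingUser` propagates unchanged; a comment above the try such as `// Not yet approved? fall back to the pending record; a miss there propagates.` would make the intent visible. Whether pending records should be visible to every caller that can reach this action cannot be judged from the hunk and is worth confirming. The enclosing method starts before the first hunk and the try block's opening is outside view.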
+19 −16
@@ -70,6 +70,9 @@ package ca.nrc.cadc.ac.server.web.users;

import ca.nrc.cadc.ac.server.web.SyncOutput;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.ServletPrincipalExtractor;
import ca.nrc.cadc.auth.X509CertificateChain;
import ca.nrc.cadc.util.ArrayUtil;
import ca.nrc.cadc.util.StringUtil;
import org.apache.log4j.Logger;

@@ -84,6 +87,9 @@ import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;

public class UserServlet extends HttpServlet
{
@@ -126,7 +132,7 @@ public class UserServlet extends HttpServlet
            // Special case: if the calling subject has a servops X500Principal,
            // AND it is a GET request, do not augment the subject.
            Subject subject;
            if (action instanceof GetUserAction && isNotAugmentedSubject())
            if (action instanceof GetUserAction && isNotAugmentedSubject(request))
            {
                subject = Subject.getSubject(AccessController.getContext());
                log.debug("subject not augmented: " + subject);
@@ -250,27 +256,24 @@ public class UserServlet extends HttpServlet
        }
    }

    protected boolean isNotAugmentedSubject()
    protected boolean isNotAugmentedSubject(HttpServletRequest request)
    {
        boolean notAugmented = false;
        Subject subject = Subject.getSubject(AccessController.getContext());
        log.debug("subject: " + subject);
        if (subject != null)
        {
            log.debug("notAugmentedX500User" + notAugmentedX500User);
            for (Principal principal : subject.getPrincipals())
        ServletPrincipalExtractor extractor = new ServletPrincipalExtractor(request);
        Set<Principal> principals = extractor.getPrincipals();
        log.debug("Principals: " + principals);

        for (Principal principal : principals)
        {
            if (principal instanceof X500Principal)
            {
                    log.debug("principal: " + principal.getName());
                if (principal.getName().equalsIgnoreCase(notAugmentedX500User))
                {
                        notAugmented = true;
                        break;
                    }
                    return true;
                }
            }
        }
        return notAugmented;

        return false;

    }
}
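Review bot: `principal.getName().equalsIgnoreCase(notAugmentedX500User)` in the new `isNotAugmentedSubject(HttpServletRequest)` compares two distinguished names as raw strings, so a servops certificate whose DN is rendered with different RDN spacing or attribute-type aliases quietly loses the bypass, and the outcome hinges on exact string form; compare canonically instead, `if (new X500Principal(notAugmentedX500User).equals(principal)) { return true; }`, since `X500Principal.equals` canonicalises the DN. The check now trusts whatever `ServletPrincipalExtractor` derives from the request rather than the already-authenticated Subject; that is fine if its X500Principal comes only from the container-verified client certificate chain, but if the extractor can also source it from a header the GET-without-augmentation path becomes spoofable — worth confirming. Several imports added in the first two hunks (`X509CertificateChain`, `X509Certificate`, `Arrays`) appear unused in the visible code.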
+23 −23
@@ -72,10 +72,13 @@ package ca.nrc.cadc.auth;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import org.apache.log4j.Logger;

import javax.security.auth.Subject;

import java.security.AccessControlException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
@@ -123,34 +126,31 @@ public class AuthenticatorImpl implements Authenticator

    protected void augmentSubject(final Subject subject)
    {
        try
        {
            PrivilegedExceptionAction<Object> action =
                new PrivilegedExceptionAction<Object>()
                {
                    public Object run() throws Exception
                    {

        try
        {
            LdapUserPersistence<Principal> dao = new LdapUserPersistence<Principal>();
            User<Principal> user = dao.getAugmentedUser(subject.getPrincipals().iterator().next());
            if (user.getIdentities() != null)
            {
                log.debug("Found " + user.getIdentities().size() + " principals after agument");
            }
            else
            {
                log.debug("Null identities after augment");
            }
            subject.getPrincipals().addAll(user.getIdentities());
        }
        catch (UserNotFoundException e)
        {
            // ignore, could be an anonymous user
            log.debug("could not find user for augmenting", e);
        }
                        return null;
                    }
                };

            Subject.doAs(subject, action);
        }
        catch (PrivilegedActionException e)
        catch (TransientException e)
        {
            String msg = "Error augmenting subject " + subject;
            throw new RuntimeException(msg, e);
            throw new IllegalStateException("Internal error", e);
        }

    }

}
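Review bot: `dao.getAugmentedUser(subject.getPrincipals().iterator().next())` in the unwrapped body throws `NoSuchElementException` for a Subject with no principals, which is exactly the anonymous case the `UserNotFoundException` handler says it wants to ignore, and `subject.getPrincipals().addAll(user.getIdentities())` still executes after the `Null identities after augment` branch, so a null identity set is an NPE rather than a no-op. Guard both: `if (subject.getPrincipals().isEmpty()) { return; }` before the lookup, and move the `addAll` inside the `!= null` branch. Using `iterator().next()` also augments from whichever principal the set yields first, which is not deterministic for a Subject carrying more than one identity — a comment stating which principal is expected here would help. Dropping `Subject.doAs` means the LDAP lookup now runs with the service's own bound identity rather than the caller's, consistent with the proxied-authorization removal elsewhere in this merge; a short comment on the method saying so would save the next reader the archaeology.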