Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/GroupPersistence.java +4 −4 Original line number Diff line number Diff line Loading @@ -68,16 +68,16 @@ */ package ca.nrc.cadc.ac.server; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; import ca.nrc.cadc.ac.Group; import ca.nrc.cadc.ac.GroupAlreadyExistsException; import ca.nrc.cadc.ac.GroupNotFoundException; import ca.nrc.cadc.ac.IdentityType; import ca.nrc.cadc.ac.Role; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.net.TransientException; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; public abstract interface GroupPersistence<T extends Principal> { Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/PluginFactory.java +4 −4 Original line number Diff line number Diff line Loading @@ -125,8 +125,8 @@ public class PluginFactory { try { Class c = Class.forName(cname); ret = (GroupPersistence) c.newInstance(); Class<?> c = Class.forName(cname); ret = (GroupPersistence<T>) c.newInstance(); } catch (Exception ex) { Loading @@ -149,8 +149,8 @@ public class PluginFactory { try { Class c = Class.forName(cname); ret = (UserPersistence) c.newInstance(); Class<?> c = Class.forName(cname); ret = (UserPersistence<T>) c.newInstance(); } catch (Exception ex) { Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java +60 −15 Original line number Diff line number Diff line Loading 
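Review bot: In PluginFactory the new `(GroupPersistence<T>) c.newInstance()` cast (and its twin `(UserPersistence<T>)` in the `@@ -149,8 +149,8 @@` hunk) is an unchecked generic cast, so the compiler now emits a warning that the `Class<?>` change was presumably meant to remove, and `Class.newInstance()` rethrows any checked exception the plugin constructor declares, which is why the surrounding `catch (Exception ex)` is needed. Writing it as `ret = c.asSubclass(GroupPersistence.class).getDeclaredConstructor().newInstance();` keeps the runtime type check explicit and avoids the sneaky-throw behaviour; the remaining unchecked-generic warning can then be narrowed to a `@SuppressWarnings("unchecked")` on that one statement with a comment that the plugin's type argument cannot be verified at runtime. Whether `getDeclaredConstructor()` is acceptable depends on the project's minimum Java version, which is not visible here. The bodies of both catch blocks lie outside the hunks, so what happens to a misconfigured class name cannot be assessed from this page.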
@@ -68,22 +68,26 @@ */ package ca.nrc.cadc.ac.server.ldap; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.List; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; public abstract class LdapDAO { Loading Loading @@ -116,7 +120,15 @@ public abstract class LdapDAO { conn = new LDAPConnection(config.getServer(), config.getPort()); conn.bind(config.getAdminUserDN(), config.getAdminPasswd()); } return conn; } protected DN getSubjectDN() throws LDAPException { if (subjDN == null) { Subject callerSubject = Subject.getSubject(AccessController.getContext()); if (callerSubject == null) Loading Loading @@ -161,7 +173,7 @@ public abstract class LdapDAO } SearchResult searchResult = conn.search(config.getUsersDN(), SearchScope.ONE, getConnection().search(config.getUsersDN(), SearchScope.ONE, ldapField, new String[] {"entrydn"}); if (searchResult.getEntryCount() < 1) Loading 
@@ -173,17 +185,50 @@ public abstract class LdapDAO subjDN = ((SearchResultEntry) searchResult.getSearchEntries() .get(0)).getAttributeValueAsDN("entrydn"); } return conn; return subjDN; } protected DN getSubjectDN() throws LDAPException /** * Checks the Ldap result code, and if the result is not SUCCESS, * throws an appropriate exception. This is the place to decide on * mapping between ldap errors and exception types * @param code * @param errorMsg * @throws TransientException */ protected static void checkLdapResult(ResultCode code, String errorMsg) throws TransientException { if (subjDN == null) String msg = ""; if (errorMsg != null) { getConnection(); msg = "(" + errorMsg + ")"; } if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS) { throw new AccessControlException("Not authorized " + msg); } else if (code == ResultCode.INVALID_CREDENTIALS) { throw new AccessControlException("Invalid credentials " + msg); } else if (code == ResultCode.SUCCESS) { // all good. nothing to do } else if (code == ResultCode.PARAM_ERROR) { throw new IllegalArgumentException("Error in Ldap parameters " + msg); } else if (code == ResultCode.BUSY || code == ResultCode.CONNECT_ERROR ) { throw new TransientException("Connection problems " + msg ); } else { throw new RuntimeException("Ldap error" + msg); } return subjDN; } } projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java +151 −202 File changed.Preview size limit exceeded, changes collapsed. Show changes projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +23 −26 Original line number Diff line number Diff line Loading @@ -84,7 +84,6 @@ import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.CompareRequest; Loading Loading 
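Review bot: The new `checkLdapResult(ResultCode, String)` receives only a code and a message, so every call site in LdapUserDAO (`LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage())`) discards the `LDAPException` and its stack trace, which the replaced `new TransientException("Error getting user groups", e)` used to preserve; the `RuntimeException` in the final branch also concatenates `"Ldap error" + msg` without a separating space. An overload that takes the exception and threads it through as the cause, sketched below, keeps the existing two-argument method for compatibility while making failures diagnosable; `AccessControlException` has no cause constructor, so it needs `initCause`. Since `errorMsg` is the server's diagnostic message, it is worth checking whether these exception texts are ever rendered to callers before embedding them verbatim, but that cannot be determined from this page. The Javadoc `@param code` and `@param errorMsg` tags are empty and should state that a `null` errorMsg is permitted and that `SUCCESS` returns normally.
```java
protected static void checkLdapResult(LDAPException e) throws TransientException
{
    checkLdapResult(e.getResultCode(), e.getDiagnosticMessage(), e);
}

protected static void checkLdapResult(ResultCode code, String errorMsg, Throwable cause)
        throws TransientException
{
    // … unchanged: msg construction from errorMsg …
    if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS)
    {
        AccessControlException ex = new AccessControlException("Not authorized " + msg);
        ex.initCause(cause);
        throw ex;
    }
    // … remaining branches as before, each passing cause, e.g.
    //     new TransientException("Connection problems " + msg, cause)
    //     new RuntimeException("Ldap error " + msg, cause) …
}
```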
@@ -167,7 +166,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e) { e.printStackTrace(); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } if (searchResult == null) Loading Loading @@ -202,6 +201,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO public Collection<Group> getUserGroups(T userID) throws UserNotFoundException, TransientException, AccessControlException { Collection<Group> groups = new HashSet<Group>(); try { String searchField = (String) userLdapAttrib.get(userID.getClass()); Loading @@ -228,7 +228,6 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Collection<Group> groups = new HashSet<Group>(); if (searchResult != null) { String[] members = Loading @@ -249,15 +248,12 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } } } return groups; } catch (LDAPException e) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting user groups", e); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } return groups; } /** Loading Loading @@ -310,11 +306,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e1) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting the user", e1); LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage()); } return false; } public boolean isMember(T userID, String groupID) Loading Loading 
@@ -347,11 +341,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting the user", e); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } return false; } /** Loading Loading @@ -401,7 +393,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO DN getUserDN(User<? extends Principal> user) throws LDAPException, UserNotFoundException throws UserNotFoundException, TransientException { String searchField = (String) userLdapAttrib.get(user.getUserID().getClass()); if (searchField == null) Loading @@ -413,17 +405,22 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO searchField = "(" + searchField + "=" + user.getUserID().getName() + ")"; SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, new String[] {"entrydn"}); // searchRequest.addControl( // new ProxiedAuthorizationV2RequestControl("dn:" + // getSubjectDN().toNormalizedString())); SearchResultEntry searchResult = searchResult = getConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } if (searchResult == null) { String msg = "User not found " + user.getUserID().toString(); Loading Loading
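Review bot: In the `@@ -413,17 +405,22 @@` hunk of getUserDN the search filter is still assembled by string concatenation, `searchField = "(" + searchField + "=" + user.getUserID().getName() + ")";`, so any filter metacharacter in the principal name changes the query rather than being matched literally; the commit restructures this code but leaves that unaddressed. Building it with the SDK's escaping helper, `Filter filter = Filter.createEqualityFilter(searchField, user.getUserID().getName());` and passing `filter` to the `SearchRequest` constructor in place of the string, makes the value a literal assertion, and the same pattern presumably applies to the filter built in getUserGroups, whose construction lies above its hunk. A secondary point for the `@@ -310,11 +306,9 @@` and `@@ -347,11 +341,9 @@` hunks: if `checkLdapResult` returns instead of throwing (it does so for `ResultCode.SUCCESS`), control falls through to `return false;`, silently reporting "not a member"; a short comment such as `// checkLdapResult throws for every non-SUCCESS code; falling through here means the search simply found nothing` would make that intent explicit. getUserDN continues beyond the end of its hunk.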
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/GroupPersistence.java +4 −4 Original line number Diff line number Diff line Loading @@ -68,16 +68,16 @@ */ package ca.nrc.cadc.ac.server; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; import ca.nrc.cadc.ac.Group; import ca.nrc.cadc.ac.GroupAlreadyExistsException; import ca.nrc.cadc.ac.GroupNotFoundException; import ca.nrc.cadc.ac.IdentityType; import ca.nrc.cadc.ac.Role; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.net.TransientException; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; public abstract interface GroupPersistence<T extends Principal> { Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/PluginFactory.java +4 −4 Original line number Diff line number Diff line Loading @@ -125,8 +125,8 @@ public class PluginFactory { try { Class c = Class.forName(cname); ret = (GroupPersistence) c.newInstance(); Class<?> c = Class.forName(cname); ret = (GroupPersistence<T>) c.newInstance(); } catch (Exception ex) { Loading @@ -149,8 +149,8 @@ public class PluginFactory { try { Class c = Class.forName(cname); ret = (UserPersistence) c.newInstance(); Class<?> c = Class.forName(cname); ret = (UserPersistence<T>) c.newInstance(); } catch (Exception ex) { Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java +60 −15 Original line number Diff line number Diff line Loading @@ -68,22 +68,26 @@ */ package ca.nrc.cadc.ac.server.ldap; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.List; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; public abstract class LdapDAO { Loading Loading @@ -116,7 +120,15 @@ public abstract class LdapDAO { conn = new LDAPConnection(config.getServer(), config.getPort()); conn.bind(config.getAdminUserDN(), config.getAdminPasswd()); } return conn; } protected DN getSubjectDN() throws LDAPException { if (subjDN == null) { Subject callerSubject = Subject.getSubject(AccessController.getContext()); if (callerSubject == null) Loading Loading @@ -161,7 +173,7 @@ public abstract class LdapDAO } SearchResult searchResult = conn.search(config.getUsersDN(), SearchScope.ONE, getConnection().search(config.getUsersDN(), SearchScope.ONE, ldapField, new String[] {"entrydn"}); if (searchResult.getEntryCount() < 1) Loading 
@@ -173,17 +185,50 @@ public abstract class LdapDAO subjDN = ((SearchResultEntry) searchResult.getSearchEntries() .get(0)).getAttributeValueAsDN("entrydn"); } return conn; return subjDN; } protected DN getSubjectDN() throws LDAPException /** * Checks the Ldap result code, and if the result is not SUCCESS, * throws an appropriate exception. This is the place to decide on * mapping between ldap errors and exception types * @param code * @param errorMsg * @throws TransientException */ protected static void checkLdapResult(ResultCode code, String errorMsg) throws TransientException { if (subjDN == null) String msg = ""; if (errorMsg != null) { getConnection(); msg = "(" + errorMsg + ")"; } if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS) { throw new AccessControlException("Not authorized " + msg); } else if (code == ResultCode.INVALID_CREDENTIALS) { throw new AccessControlException("Invalid credentials " + msg); } else if (code == ResultCode.SUCCESS) { // all good. nothing to do } else if (code == ResultCode.PARAM_ERROR) { throw new IllegalArgumentException("Error in Ldap parameters " + msg); } else if (code == ResultCode.BUSY || code == ResultCode.CONNECT_ERROR ) { throw new TransientException("Connection problems " + msg ); } else { throw new RuntimeException("Ldap error" + msg); } return subjDN; } }
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java +151 −202 File changed.Preview size limit exceeded, changes collapsed. Show changes
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +23 −26 Original line number Diff line number Diff line Loading @@ -84,7 +84,6 @@ import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.CompareRequest; Loading Loading @@ -167,7 +166,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e) { e.printStackTrace(); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } if (searchResult == null) Loading Loading @@ -202,6 +201,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO public Collection<Group> getUserGroups(T userID) throws UserNotFoundException, TransientException, AccessControlException { Collection<Group> groups = new HashSet<Group>(); try { String searchField = (String) userLdapAttrib.get(userID.getClass()); Loading @@ -228,7 +228,6 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Collection<Group> groups = new HashSet<Group>(); if (searchResult != null) { String[] members = Loading @@ -249,15 +248,12 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } } } return groups; } catch (LDAPException e) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting user groups", e); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } return groups; } /** Loading Loading 
@@ -310,11 +306,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e1) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting the user", e1); LdapDAO.checkLdapResult(e1.getResultCode(), e1.getDiagnosticMessage()); } return false; } public boolean isMember(T userID, String groupID) Loading Loading @@ -347,11 +341,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } catch (LDAPException e) { // TODO check which LDAP exceptions are transient and which // ones are // access control throw new TransientException("Error getting the user", e); LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } return false; } /** Loading Loading @@ -401,7 +393,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO DN getUserDN(User<? extends Principal> user) throws LDAPException, UserNotFoundException throws UserNotFoundException, TransientException { String searchField = (String) userLdapAttrib.get(user.getUserID().getClass()); if (searchField == null) Loading @@ -413,17 +405,22 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO searchField = "(" + searchField + "=" + user.getUserID().getName() + ")"; SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, new String[] {"entrydn"}); // searchRequest.addControl( // new ProxiedAuthorizationV2RequestControl("dn:" + // getSubjectDN().toNormalizedString())); SearchResultEntry searchResult = searchResult = getConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode(), e.getDiagnosticMessage()); } if (searchResult == null) { String msg = "User not found " + user.getUserID().toString(); Loading