Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ACScopeValidator.java 0 → 100644 +103 −0 Original line number Diff line number Diff line /* ************************************************************************ ******************* CANADIAN ASTRONOMY DATA CENTRE ******************* ************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES ************** * * (c) 2009. (c) 2009. * Government of Canada Gouvernement du Canada * National Research Council Conseil national de recherches * Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6 * All rights reserved Tous droits réservés * * NRC disclaims any warranties, Le CNRC dénie toute garantie * expressed, implied, or énoncée, implicite ou légale, * statutory, of any kind with de quelque nature que ce * respect to the software, soit, concernant le logiciel, * including without limitation y compris sans restriction * any warranty of merchantability toute garantie de valeur * or fitness for a particular marchande ou de pertinence * purpose. NRC shall not be pour un usage particulier. * liable in any event for any Le CNRC ne pourra en aucun cas * damages, whether direct or être tenu responsable de tout * indirect, special or general, dommage, direct ou indirect, * consequential or incidental, particulier ou général, * arising from the use of the accessoire ou fortuit, résultant * software. Neither the name de l'utilisation du logiciel. Ni * of the National Research le nom du Conseil National de * Council of Canada nor the Recherches du Canada ni les noms * names of its contributors may de ses participants ne peuvent * be used to endorse or promote être utilisés pour approuver ou * products derived from this promouvoir les produits dérivés * software without specific prior de ce logiciel sans autorisation * written permission. préalable et particulière * par écrit. * * This file is part of the Ce fichier fait partie du projet * OpenCADC project. OpenCADC. * * OpenCADC is free software: OpenCADC est un logiciel libre ; * you can redistribute it and/or vous pouvez le redistribuer ou le * modify it under the terms of modifier suivant les termes de * the GNU Affero General Public la “GNU Affero General Public * License as published by the License” telle que publiée * Free Software Foundation, par la Free Software Foundation * either version 3 of the : soit la version 3 de cette * License, or (at your option) licence, soit (à votre gré) * any later version. toute version ultérieure. * * OpenCADC is distributed in the OpenCADC est distribué * hope that it will be useful, dans l’espoir qu’il vous * but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE * without even the implied GARANTIE : sans même la garantie * warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ * or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF * PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence * General Public License for Générale Publique GNU Affero * more details. pour plus de détails. * * You should have received Vous devriez avoir reçu une * a copy of the GNU Affero copie de la Licence Générale * General Public License along Publique GNU Affero avec * with OpenCADC. If not, see OpenCADC ; si ce n’est * <http://www.gnu.org/licenses/>. pas le cas, consultez : * <http://www.gnu.org/licenses/>. * * $Revision: 4 $ * ************************************************************************ */ package ca.nrc.cadc.ac.server; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.InvalidDelegationTokenException; import java.net.URI; /** * * @author pdowler */ public class ACScopeValidator extends DelegationToken.ScopeValidator { public static final String SCOPE = "ac.resetPassword"; public ACScopeValidator() { } @Override public void verifyScope(URI scope, String requestURI) throws InvalidDelegationTokenException { try { if (scope.toASCIIString().equals(SCOPE)) { return; // OK } } catch(Exception ignore) { } throw new InvalidDelegationTokenException("invalid scope: " + scope); } } cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java +15 −0 Original line number Diff line number Diff line Loading @@ -128,6 +128,21 @@ public interface UserPersistence<T extends Principal> throws UserNotFoundException, TransientException, AccessControlException; /** * Get the user specified by email address exists in the active users tree. * * @param emailAddress The user's email address. * * @return User instance. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ User<Principal> getUserByEmailAddress(String emailAddress) throws UserNotFoundException, TransientException, AccessControlException; /** * Get the user specified by userID whose account is pending approval. * Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +112 −0 Original line number Diff line number Diff line Loading @@ -381,6 +381,24 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return getUser(userID, config.getUsersDN()); } /** * Get the user specified by the email address exists. * * @param emailAddress The user's email address. * * @return User instance. * * @throws UserNotFoundException when the user is not found in the main tree. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ public User<Principal> getUserByEmailAddress(final String emailAddress) throws UserNotFoundException, TransientException, AccessControlException { return getUserByEmailAddress(emailAddress, config.getUsersDN(), true); } /** * Obtain a user who is awaiting approval. * Loading Loading @@ -415,6 +433,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return getUser(userID, usersDN, true); } /** * Get the user specified by userID. * Loading Loading @@ -519,6 +538,99 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return user; } /** * Get the user specified by the email address exists. * * @param emailAddress The user's email address. * @param usersDN The LDAP tree to search. * @param proxy Whether to proxy the search as the calling Subject. * @return User ID * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ private User<Principal> getUserByEmailAddress(final String emailAddress, final String usersDN, final boolean proxy) throws UserNotFoundException, TransientException, AccessControlException { SearchResultEntry searchResult = null; Filter filter = null; try { filter = Filter.createEqualityFilter("email", emailAddress); logger.debug("search filter: " + filter); SearchRequest searchRequest = new SearchRequest(usersDN, SearchScope.ONE, filter, userAttribs); searchResult = getReadOnlyConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } if (searchResult == null) { // determine if the user is not there of if the calling user // doesn't have permission to see it SearchRequest searchRequest = new SearchRequest(usersDN, SearchScope.ONE, filter, userAttribs); try { searchResult = getReadOnlyConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } if (searchResult == null) { String msg = "User with email address " + emailAddress + " not found"; logger.debug(msg); throw new UserNotFoundException(msg); } throw new AccessControlException("Permission denied"); } String userIDString = searchResult.getAttributeValue(LDAP_UID); HttpPrincipal userID = new HttpPrincipal(userIDString); User<Principal> user = new User<Principal>(userID); String username = searchResult.getAttributeValue(userLdapAttrib.get(HttpPrincipal.class)); logger.debug("username: " + username); user.getIdentities().add(new HttpPrincipal(username)); Integer numericID = searchResult.getAttributeValueAsInteger(userLdapAttrib.get(NumericPrincipal.class)); logger.debug("Numeric id: " + numericID); if (numericID == null) { // If the numeric ID does not return it means the user // does not have permission throw new AccessControlException("Permission denied"); } user.getIdentities().add(new NumericPrincipal(numericID)); String x500str = searchResult.getAttributeValue(userLdapAttrib.get(X500Principal.class)); logger.debug("x500principal: " + x500str); if (x500str != null) user.getIdentities().add(new X500Principal(x500str)); String fname = searchResult.getAttributeValue(LDAP_FIRST_NAME); String lname = searchResult.getAttributeValue(LDAP_LAST_NAME); PersonalDetails personaDetails = new PersonalDetails(fname, lname); personaDetails.address = searchResult.getAttributeValue(LDAP_ADDRESS); personaDetails.city = searchResult.getAttributeValue(LDAP_CITY); personaDetails.country = searchResult.getAttributeValue(LDAP_COUNTRY); personaDetails.email = searchResult.getAttributeValue(LDAP_EMAIL); personaDetails.institute = searchResult.getAttributeValue(LDAP_INSTITUTE); user.details.add(personaDetails); return user; } public User<T> getAugmentedUser(final T userID) throws UserNotFoundException, TransientException { Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java +26 −1 Original line number Diff line number Diff line Loading @@ -85,7 +85,6 @@ import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.profiler.Profiler; import com.unboundid.ldap.sdk.DN; import javax.security.auth.Subject; public class LdapUserPersistence<T extends Principal> extends LdapPersistence implements UserPersistence<T> Loading Loading @@ -188,6 +187,32 @@ public class LdapUserPersistence<T extends Principal> extends LdapPersistence im } } /** * Get the user specified by email address exists in the active users tree. * * @param emailAddress The user's email address. * * @return User ID. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ public User<Principal> getUserByEmailAddress(String emailAddress) throws UserNotFoundException, TransientException, AccessControlException { LdapConnections conns = new LdapConnections(this); try { LdapUserDAO<T> userDAO = new LdapUserDAO<T>(conns); return userDAO.getUserByEmailAddress(emailAddress); } finally { conns.releaseConnections(); } } /** * Get the user specified by userID whose account is pending approval. * Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ResetPasswordServlet.java 0 → 100644 +314 −0 File added.Preview size limit exceeded, changes collapsed. Show changes Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ACScopeValidator.java 0 → 100644 +103 −0 Original line number Diff line number Diff line /* ************************************************************************ ******************* CANADIAN ASTRONOMY DATA CENTRE ******************* ************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES ************** * * (c) 2009. (c) 2009. * Government of Canada Gouvernement du Canada * National Research Council Conseil national de recherches * Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6 * All rights reserved Tous droits réservés * * NRC disclaims any warranties, Le CNRC dénie toute garantie * expressed, implied, or énoncée, implicite ou légale, * statutory, of any kind with de quelque nature que ce * respect to the software, soit, concernant le logiciel, * including without limitation y compris sans restriction * any warranty of merchantability toute garantie de valeur * or fitness for a particular marchande ou de pertinence * purpose. NRC shall not be pour un usage particulier. * liable in any event for any Le CNRC ne pourra en aucun cas * damages, whether direct or être tenu responsable de tout * indirect, special or general, dommage, direct ou indirect, * consequential or incidental, particulier ou général, * arising from the use of the accessoire ou fortuit, résultant * software. Neither the name de l'utilisation du logiciel. Ni * of the National Research le nom du Conseil National de * Council of Canada nor the Recherches du Canada ni les noms * names of its contributors may de ses participants ne peuvent * be used to endorse or promote être utilisés pour approuver ou * products derived from this promouvoir les produits dérivés * software without specific prior de ce logiciel sans autorisation * written permission. préalable et particulière * par écrit. * * This file is part of the Ce fichier fait partie du projet * OpenCADC project. OpenCADC. * * OpenCADC is free software: OpenCADC est un logiciel libre ; * you can redistribute it and/or vous pouvez le redistribuer ou le * modify it under the terms of modifier suivant les termes de * the GNU Affero General Public la “GNU Affero General Public * License as published by the License” telle que publiée * Free Software Foundation, par la Free Software Foundation * either version 3 of the : soit la version 3 de cette * License, or (at your option) licence, soit (à votre gré) * any later version. toute version ultérieure. * * OpenCADC is distributed in the OpenCADC est distribué * hope that it will be useful, dans l’espoir qu’il vous * but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE * without even the implied GARANTIE : sans même la garantie * warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ * or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF * PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence * General Public License for Générale Publique GNU Affero * more details. pour plus de détails. * * You should have received Vous devriez avoir reçu une * a copy of the GNU Affero copie de la Licence Générale * General Public License along Publique GNU Affero avec * with OpenCADC. If not, see OpenCADC ; si ce n’est * <http://www.gnu.org/licenses/>. pas le cas, consultez : * <http://www.gnu.org/licenses/>. * * $Revision: 4 $ * ************************************************************************ */ package ca.nrc.cadc.ac.server; import ca.nrc.cadc.auth.DelegationToken; import ca.nrc.cadc.auth.InvalidDelegationTokenException; import java.net.URI; /** * * @author pdowler */ public class ACScopeValidator extends DelegationToken.ScopeValidator { public static final String SCOPE = "ac.resetPassword"; public ACScopeValidator() { } @Override public void verifyScope(URI scope, String requestURI) throws InvalidDelegationTokenException { try { if (scope.toASCIIString().equals(SCOPE)) { return; // OK } } catch(Exception ignore) { } throw new InvalidDelegationTokenException("invalid scope: " + scope); } }
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/UserPersistence.java +15 −0 Original line number Diff line number Diff line Loading @@ -128,6 +128,21 @@ public interface UserPersistence<T extends Principal> throws UserNotFoundException, TransientException, AccessControlException; /** * Get the user specified by email address exists in the active users tree. * * @param emailAddress The user's email address. * * @return User instance. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ User<Principal> getUserByEmailAddress(String emailAddress) throws UserNotFoundException, TransientException, AccessControlException; /** * Get the user specified by userID whose account is pending approval. * Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +112 −0 Original line number Diff line number Diff line Loading @@ -381,6 +381,24 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return getUser(userID, config.getUsersDN()); } /** * Get the user specified by the email address exists. * * @param emailAddress The user's email address. * * @return User instance. * * @throws UserNotFoundException when the user is not found in the main tree. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ public User<Principal> getUserByEmailAddress(final String emailAddress) throws UserNotFoundException, TransientException, AccessControlException { return getUserByEmailAddress(emailAddress, config.getUsersDN(), true); } /** * Obtain a user who is awaiting approval. * Loading Loading @@ -415,6 +433,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return getUser(userID, usersDN, true); } /** * Get the user specified by userID. * Loading Loading @@ -519,6 +538,99 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO return user; } /** * Get the user specified by the email address exists. * * @param emailAddress The user's email address. * @param usersDN The LDAP tree to search. * @param proxy Whether to proxy the search as the calling Subject. * @return User ID * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ private User<Principal> getUserByEmailAddress(final String emailAddress, final String usersDN, final boolean proxy) throws UserNotFoundException, TransientException, AccessControlException { SearchResultEntry searchResult = null; Filter filter = null; try { filter = Filter.createEqualityFilter("email", emailAddress); logger.debug("search filter: " + filter); SearchRequest searchRequest = new SearchRequest(usersDN, SearchScope.ONE, filter, userAttribs); searchResult = getReadOnlyConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } if (searchResult == null) { // determine if the user is not there of if the calling user // doesn't have permission to see it SearchRequest searchRequest = new SearchRequest(usersDN, SearchScope.ONE, filter, userAttribs); try { searchResult = getReadOnlyConnection().searchForEntry(searchRequest); } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } if (searchResult == null) { String msg = "User with email address " + emailAddress + " not found"; logger.debug(msg); throw new UserNotFoundException(msg); } throw new AccessControlException("Permission denied"); } String userIDString = searchResult.getAttributeValue(LDAP_UID); HttpPrincipal userID = new HttpPrincipal(userIDString); User<Principal> user = new User<Principal>(userID); String username = searchResult.getAttributeValue(userLdapAttrib.get(HttpPrincipal.class)); logger.debug("username: " + username); user.getIdentities().add(new HttpPrincipal(username)); Integer numericID = searchResult.getAttributeValueAsInteger(userLdapAttrib.get(NumericPrincipal.class)); logger.debug("Numeric id: " + numericID); if (numericID == null) { // If the numeric ID does not return it means the user // does not have permission throw new AccessControlException("Permission denied"); } user.getIdentities().add(new NumericPrincipal(numericID)); String x500str = searchResult.getAttributeValue(userLdapAttrib.get(X500Principal.class)); logger.debug("x500principal: " + x500str); if (x500str != null) user.getIdentities().add(new X500Principal(x500str)); String fname = searchResult.getAttributeValue(LDAP_FIRST_NAME); String lname = searchResult.getAttributeValue(LDAP_LAST_NAME); PersonalDetails personaDetails = new PersonalDetails(fname, lname); personaDetails.address = searchResult.getAttributeValue(LDAP_ADDRESS); personaDetails.city = searchResult.getAttributeValue(LDAP_CITY); personaDetails.country = searchResult.getAttributeValue(LDAP_COUNTRY); personaDetails.email = searchResult.getAttributeValue(LDAP_EMAIL); personaDetails.institute = searchResult.getAttributeValue(LDAP_INSTITUTE); user.details.add(personaDetails); return user; } public User<T> getAugmentedUser(final T userID) throws UserNotFoundException, TransientException { Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserPersistence.java +26 −1 Original line number Diff line number Diff line Loading @@ -85,7 +85,6 @@ import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; import ca.nrc.cadc.profiler.Profiler; import com.unboundid.ldap.sdk.DN; import javax.security.auth.Subject; public class LdapUserPersistence<T extends Principal> extends LdapPersistence implements UserPersistence<T> Loading Loading @@ -188,6 +187,32 @@ public class LdapUserPersistence<T extends Principal> extends LdapPersistence im } } /** * Get the user specified by email address exists in the active users tree. * * @param emailAddress The user's email address. * * @return User ID. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. */ public User<Principal> getUserByEmailAddress(String emailAddress) throws UserNotFoundException, TransientException, AccessControlException { LdapConnections conns = new LdapConnections(this); try { LdapUserDAO<T> userDAO = new LdapUserDAO<T>(conns); return userDAO.getUserByEmailAddress(emailAddress); } finally { conns.releaseConnections(); } } /** * Get the user specified by userID whose account is pending approval. * Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ResetPasswordServlet.java 0 → 100644 +314 −0 File added.Preview size limit exceeded, changes collapsed. Show changes
