Commit cf0e8254 authored by bmajor's avatar bmajor Committed by GitHub

Merge pull request #14 from brianmajor/issue-10

Issue 10 - Full URI with authority in Group Model
parents f6757bd1 7bd03087
+2 −2
@@ -13,7 +13,7 @@ repositories {
sourceCompatibility = 1.7
group = 'org.opencadc'

version = '1.0.2'
version = '1.1.0'

dependencies {
    compile 'log4j:log4j:1.2.+'
@@ -22,7 +22,7 @@ dependencies {
    compile 'xerces:xercesImpl:2.+'
    compile 'com.unboundid:unboundid-ldapsdk:2.3.+'

    compile 'org.opencadc:cadc-access-control:1.+'
    compile 'org.opencadc:cadc-access-control:1.1.+'
    compile 'org.opencadc:cadc-util:1.+'
    compile 'org.opencadc:cadc-log:1.+'
    compile 'org.opencadc:cadc-registry:1.+'
+40 −32
@@ -69,6 +69,7 @@
package ca.nrc.cadc.ac.server.ldap;

import java.lang.reflect.Field;
import java.net.URI;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Collection;
@@ -79,18 +80,6 @@ import java.util.Set;

import org.apache.log4j.Logger;

import ca.nrc.cadc.ac.ActivatedGroup;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupDetailSelector;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.util.StringUtil;

import com.unboundid.ldap.sdk.AddRequest;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DN;
@@ -110,6 +99,21 @@ import com.unboundid.ldap.sdk.SearchResultListener;
import com.unboundid.ldap.sdk.SearchResultReference;
import com.unboundid.ldap.sdk.SearchScope;

import ca.nrc.cadc.ac.ActivatedGroup;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.GroupURI;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupDetailSelector;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.util.StringUtil;

public class LdapGroupDAO extends LdapDAO
{
    private static final Logger logger = Logger.getLogger(LdapGroupDAO.class);
@@ -193,16 +197,16 @@ public class LdapGroupDAO extends LdapDAO
            else
            {
                // add group to groups tree
                LDAPResult result = addGroup(getGroupDN(group.getID()),
                                             group.getID(), ownerDN,
                LDAPResult result = addGroup(getGroupDN(group.getID().getName()),
                                             group.getID().getName(), ownerDN,
                                             group.description,
                                             group.getUserMembers(),
                                             group.getGroupMembers());
                LdapDAO.checkLdapResult(result.getResultCode());

                // add group to admin groups tree
                result = addGroup(getAdminGroupDN(group.getID()),
                                  group.getID(), ownerDN,
                result = addGroup(getAdminGroupDN(group.getID().getName()),
                                  group.getID().getName(), ownerDN,
                                  group.description,
                                  group.getUserAdmins(),
                                  group.getGroupAdmins());
@@ -245,7 +249,7 @@ public class LdapGroupDAO extends LdapDAO
        }
        for (Group groupMember : groups)
        {
            final String groupMemberID = groupMember.getID();
            final String groupMemberID = groupMember.getID().getName();
            if (!checkGroupExists(groupMemberID))
            {
                throw new GroupNotFoundException(groupMemberID);
@@ -285,9 +289,9 @@ public class LdapGroupDAO extends LdapDAO
        try
        {
            // check group name exists
            Filter filter = Filter.createEqualityFilter(LDAP_CN, group.getID());
            Filter filter = Filter.createEqualityFilter(LDAP_CN, group.getID().getName());

            DN groupDN = getGroupDN(group.getID());
            DN groupDN = getGroupDN(group.getID().getName());
            SearchRequest searchRequest =
                    new SearchRequest(groupDN.toNormalizedString(), SearchScope.BASE,
                                      filter, new String[]{LDAP_NSACCOUNTLOCK});
@@ -537,7 +541,7 @@ public class LdapGroupDAO extends LdapDAO
            throws GroupNotFoundException, TransientException,
                   AccessControlException, UserNotFoundException
    {
        String groupID = group.getID();
        String groupID = group.getID().getName();
        getGroup(getGroupDN(groupID), groupID, PUB_GROUP_ATTRS);//group must exists first
        return modifyGroup(group, false);
    }
@@ -580,11 +584,11 @@ public class LdapGroupDAO extends LdapDAO
            }
            for (Group gr : group.getGroupMembers())
            {
                if (!checkGroupExists(gr.getID()))
                if (!checkGroupExists(gr.getID().getName()))
                {
                    throw new GroupNotFoundException(gr.getID());
                    throw new GroupNotFoundException(gr.getID().getName());
                }
                DN grDN = getGroupDN(gr.getID());
                DN grDN = getGroupDN(gr.getID().getName());
                newMembers.add(grDN.toNormalizedString());
            }

@@ -596,11 +600,11 @@ public class LdapGroupDAO extends LdapDAO
            }
            for (Group gr : group.getGroupAdmins())
            {
                if (!checkGroupExists(gr.getID()))
                if (!checkGroupExists(gr.getID().getName()))
                {
                    throw new GroupNotFoundException(gr.getID());
                    throw new GroupNotFoundException(gr.getID().getName());
                }
                DN grDN = getGroupDN(gr.getID());
                DN grDN = getGroupDN(gr.getID().getName());
                newAdmins.add(grDN.toNormalizedString());
            }

@@ -610,7 +614,7 @@ public class LdapGroupDAO extends LdapDAO
                                 (String[]) newAdmins.toArray(new String[newAdmins.size()])));

            ModifyRequest adminModify =
                    new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
                    new ModifyRequest(getAdminGroupDN(group.getID().getName()), adminMods);

            LdapDAO.checkLdapResult(
                getReadWriteConnection().modify(adminModify).getResultCode());
@@ -621,7 +625,7 @@ public class LdapGroupDAO extends LdapDAO
                                 (String[]) newMembers.toArray(new String[newMembers.size()])));

            ModifyRequest modifyRequest =
                new ModifyRequest(getGroupDN(group.getID()), mods);
                new ModifyRequest(getGroupDN(group.getID().getName()), mods);

            LdapDAO.checkLdapResult(
                getReadWriteConnection().modify(modifyRequest).getResultCode());
@@ -635,11 +639,11 @@ public class LdapGroupDAO extends LdapDAO
        {
            if (withActivate)
            {
                return new ActivatedGroup(getGroup(group.getID(), true));
                return new ActivatedGroup(getGroup(group.getID().getName(), true));
            }
            else
            {
                return getGroup(group.getID(), true);
                return getGroup(group.getID().getName(), true);
            }
        }
        catch (GroupNotFoundException e)
@@ -756,9 +760,12 @@ public class LdapGroupDAO extends LdapDAO

        String entryDN = result.getAttributeValue(LDAP_ENTRYDN);
        String groupName = result.getAttributeValue(LDAP_CN);
        LocalAuthority localAuthority = new LocalAuthority();
        URI gmsServiceID = localAuthority.getServiceURI(Standards.GMS_GROUPS_01.toString());
        if (attributes == PUB_GROUP_ATTRS)
        {
            return new Group(groupName);
            GroupURI groupID = new GroupURI(gmsServiceID.toString() + "?" + groupName);
            return new Group(groupID);
        }

        String ownerDN = result.getAttributeValue(LDAP_OWNER);
@@ -769,7 +776,8 @@ public class LdapGroupDAO extends LdapDAO
        try
        {
            User owner = userDAO.getUser(new DNPrincipal(ownerDN));
            Group group = new Group(groupName);
            GroupURI groupID = new GroupURI(gmsServiceID.toString() + "?" + groupName);
            Group group = new Group(groupID);
            setField(group, owner, LDAP_OWNER);
            if (result.hasAttribute(LDAP_DESCRIPTION))
            {
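Review bot: In the last two hunks the group identifier is built by plain string concatenation, `new GroupURI(gmsServiceID.toString() + "?" + groupName)`, so a cn read back from LDAP that contains characters not legal in a URI query (spaces, `#`, `%`, `&`) produces an ill-formed or differently-parsed identifier; unless GroupURI's constructor is known to reject such input, the name should be encoded or validated before it is appended. The same expression appears twice here and a third time in LdapUserDAO.createGroupFromDN, so a small private helper such as `private GroupURI toGroupURI(String groupName)` would keep the encoding rule in one place. It also looks as though `new LocalAuthority()` plus the service lookup now runs on every result conversion, which may be worth hoisting to a field if that lookup is not cheap. The enclosing method starts before and ends after the hunk.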
+6 −6
@@ -223,7 +223,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
               AccessControlException, UserNotFoundException
    {
        Subject callerSubject = AuthenticationUtil.getCurrentSubject();
        boolean allowed = isAdmin(callerSubject, group.getID());
        boolean allowed = isAdmin(callerSubject, group.getID().getName());

        LdapGroupDAO groupDAO = null;
        LdapUserDAO userDAO = null;
@@ -234,7 +234,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
            groupDAO = new LdapGroupDAO(conns, userDAO);
            if (!allowed)
            {
                Group g = groupDAO.getGroup(group.getID(), false);
                Group g = groupDAO.getGroup(group.getID().getName(), false);
                if (isOwner(callerSubject, g))
                    allowed = true;
            }
@@ -287,13 +287,13 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
                while ( i.hasNext() )
                {
                    Group g = i.next();
                    if (groupID == null || g.getID().equalsIgnoreCase(groupID))
                    if (groupID == null || g.getID().getName().equalsIgnoreCase(groupID))
                    {
                        if (detailSelector != null && detailSelector.isDetailedSearch(g, role))
                        {
                            try
                            {
                                Group g2 = groupDAO.getGroup(g.getID(), false);
                                Group g2 = groupDAO.getGroup(g.getID().getName(), false);
                                log.debug("role " + role + " loaded: " + g2);
                                ret.add(g2);
                            }
@@ -340,7 +340,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
        List<Group> groups = getGroupCache(caller, Role.MEMBER);
        for (Group g : groups)
        {
            if (g.getID().equalsIgnoreCase(groupName))
            if (g.getID().getName().equalsIgnoreCase(groupName))
                return true;
        }
        return false;
@@ -351,7 +351,7 @@ public class LdapGroupPersistence extends LdapPersistence implements GroupPersis
        List<Group> groups = getGroupCache(caller, Role.ADMIN);
        for (Group g : groups)
        {
            if (g.getID().equalsIgnoreCase(groupName))
            if (g.getID().getName().equalsIgnoreCase(groupName))
                return true;
        }
        return false;
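Review bot: The authorization check in the first hunk, `boolean allowed = isAdmin(callerSubject, group.getID().getName());`, keys the decision on the name component only and discards the authority that the group ID now carries, so a request whose GroupURI names a different authority would be matched against the local groups of the same name. If the service is meant to manage only its own groups, the ID's authority should be compared with the local GMS service URI (or foreign IDs rejected) before the name is used for the admin and owner lookups; if that validation already happens upstream, a comment stating so at this line would make the assumption visible. The same name-only comparison is repeated in the isMember/isAdmin hunks below, where it is probably fine because the cache holds local groups, but that should be stated rather than assumed. The enclosing methods start before and end after their hunks.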
+24 −20
@@ -86,25 +86,6 @@ import javax.security.auth.x500.X500Principal;

import org.apache.log4j.Logger;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.InternalID;
import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserAlreadyExistsException;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.UserRequest;
import ca.nrc.cadc.ac.client.GroupMemberships;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.util.ObjectUtil;
import ca.nrc.cadc.util.StringUtil;

import com.unboundid.ldap.sdk.AddRequest;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.BindRequest;
@@ -129,6 +110,26 @@ import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupURI;
import ca.nrc.cadc.ac.InternalID;
import ca.nrc.cadc.ac.PersonalDetails;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserAlreadyExistsException;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.UserRequest;
import ca.nrc.cadc.ac.client.GroupMemberships;
import ca.nrc.cadc.auth.DNPrincipal;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.profiler.Profiler;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.util.ObjectUtil;
import ca.nrc.cadc.util.StringUtil;


/**
 *
@@ -781,11 +782,14 @@ public class LdapUserDAO extends LdapDAO
    // some pretty horrible hacks to avoid querying LDAP for group details...
    private Group createGroupFromDN(DN groupDN)
    {
        LocalAuthority localAuthority = new LocalAuthority();
        URI gmsServiceURI = localAuthority.getServiceURI(Standards.GMS_GROUPS_01.toString());
        String cn = groupDN.getRDNString();
        String[] parts = cn.split("=");
        if (parts.length == 2 && parts[0].equals("cn"))
        {
            return new Group(parts[1]);
            GroupURI groupID = new GroupURI(gmsServiceURI.toString() + "?" + parts[1]);
            return new Group(groupID);
        }
        throw new RuntimeException("BUG: failed to extract group name from " + groupDN
                .toString());
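Review bot: createGroupFromDN now performs a LocalAuthority service lookup on every call before the DN has even been parsed, which sits oddly under the comment that this helper exists to avoid per-group queries; if the lookup is not trivially cheap it is presumably invoked once per group DN in the caller's loop. Moving the two lookup lines after the `parts` check, or resolving `gmsServiceURI` once into a field of the DAO, would keep the fast-path cost where the existing comment implies it is. The URI is also assembled by unencoded concatenation as in LdapGroupDAO, where that point is raised. The method's closing line is outside the hunk.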
+9 −4
@@ -79,13 +79,13 @@ import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.reg.Standards;
import org.apache.log4j.Logger;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.log.ServletLogInfo;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.reg.client.RegistryClient;

@@ -154,6 +154,12 @@ public class WhoAmIServlet extends HttpServlet
        }
    }

    public URI getServiceURI(URI standard)
    {
        LocalAuthority localAuthority = new LocalAuthority();
        return localAuthority.getServiceURI(standard.toString());
    }

    /**
     * Forward on to the Service's user endpoint.
     *
@@ -167,8 +173,7 @@ public class WhoAmIServlet extends HttpServlet
    {
        final RegistryClient registryClient = getRegistryClient();

        LocalAuthority localAuthority = new LocalAuthority();
        URI umsServiceURI = localAuthority.getServiceURI(Standards.UMS_WHOAMI_01.toString());
        URI umsServiceURI = getServiceURI(Standards.UMS_WHOAMI_01);
        log.debug("ums service uri: " + umsServiceURI);

        final URL serviceURL = registryClient.getServiceURL(umsServiceURI, Standards.UMS_USERS_01, AuthMethod.CERT);
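Review bot: The new `public URI getServiceURI(URI standard)` has no Javadoc and is the only public method in the hunk, so it is unclear whether it is part of the servlet's API or merely an override seam for tests; a header such as `/** Resolves the locally registered service URI for the given standard ID; overridable for testing. */` would settle that, and `protected` would be the narrower choice if the latter. It would also be worth stating whether `localAuthority.getServiceURI` may return null or throw when no service is registered, since the caller at the second hunk logs and uses the value without a check. The doPost/doGet body containing the second hunk starts before and ends after it.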