Loading projects/cadcAccessControl-Server/build.xml +2 −1 Original line number Diff line number Diff line Loading @@ -93,6 +93,7 @@ <property name="cadcRegistry" value="${lib}/cadcRegistryClient.jar" /> <property name="cadcUtil" value="${lib}/cadcUtil.jar" /> <property name="cadcUWS" value="${lib}/cadcUWS.jar" /> <property name="wsUtil" value="${lib}/wsUtil.jar" /> <property name="javacsv" value="${ext.lib}/javacsv.jar" /> <property name="jdom2" value="${ext.lib}/jdom2.jar" /> Loading @@ -101,7 +102,7 @@ <property name="unboundid" value="${ext.lib}/unboundid-ldapsdk-se.jar" /> <property name="xerces" value="${ext.lib}/xerces.jar" /> <property name="jars" value="${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}" /> <property name="jars" value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}" /> <target name="build" depends="compile"> <jar jarfile="${build}/lib/${project}.jar" Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapConfig.java +7 −0 Original line number Diff line number Diff line Loading @@ -93,6 +93,8 @@ public class LdapConfig public static final String LDAP_AVAIL_TEST_GROUP = "availabilityTestGroup"; public static final String LDAP_AVAIL_TEST_CALLING_USER_DN = "availabilityTestCallingUserDN"; private final static int SECURE_PORT = 636; private String usersDN; private String groupsDN; private String adminGroupsDN; Loading Loading @@ -271,6 +273,11 @@ public class LdapConfig return this.port; } public boolean isSecure() { return getPort() == SECURE_PORT; } public String getAdminUserDN() { return this.adminUserDN; Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java +63 −35 Original line number Diff line number Diff line Loading 
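Review bot: `isSecure()` in LdapConfig decides whether the connection is encrypted from the port number alone (`getPort() == SECURE_PORT`), so an LDAPS server on any port other than 636 is treated as plaintext and the simple bind in LdapDAO.getConnection() then carries the admin password unprotected, while a plain LDAP server on 636 fails the handshake. Transport security is better expressed as an explicit configuration property than inferred from the port; at minimum document the assumption on the method, e.g. `/** True only when the configured port is the conventional LDAPS port (636); LDAPS on any other port is NOT detected. */`. The same file section appears again further down the page.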
@@ -68,26 +68,23 @@ */ package ca.nrc.cadc.ac.server.ldap; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.Set; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import java.io.File; import java.net.MalformedURLException; import java.security.*; import java.security.cert.CertificateException; import java.util.Set; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal; import com.unboundid.ldap.sdk.*; import com.unboundid.util.ssl.*; import ca.nrc.cadc.auth.*; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; public abstract class LdapDAO { Loading Loading @@ -118,13 +115,43 @@ public abstract class LdapDAO { if (conn == null) { conn = new LDAPConnection(config.getServer(), config.getPort()); conn = new LDAPConnection(getSocketFactory(), config.getServer(), config.getPort()); conn.bind(config.getAdminUserDN(), config.getAdminPasswd()); } return conn; } private SocketFactory getSocketFactory() { final SocketFactory socketFactory; if (config.isSecure()) { socketFactory = createSSLSocketFactory(); } else { socketFactory = SocketFactory.getDefault(); } return socketFactory; } private SSLSocketFactory createSSLSocketFactory() { try { return new com.unboundid.util.ssl.SSLUtil(). createSSLSocketFactory(); } catch (GeneralSecurityException e) { throw new RuntimeException("Unexpected error.", e); } } protected DN getSubjectDN() throws LDAPException { if (subjDN == null) Loading Loading 
@@ -174,7 +201,7 @@ public abstract class LdapDAO SearchResult searchResult = getConnection().search(config.getUsersDN(), SearchScope.ONE, ldapField, new String[] {"entrydn"}); ldapField, "entrydn"); if (searchResult.getEntryCount() < 1) { Loading @@ -182,8 +209,8 @@ public abstract class LdapDAO "No LDAP account when search with rule " + ldapField); } subjDN = ((SearchResultEntry) searchResult.getSearchEntries() .get(0)).getAttributeValueAsDN("entrydn"); subjDN = (searchResult.getSearchEntries().get(0)) .getAttributeValueAsDN("entrydn"); } return subjDN; } Loading @@ -192,8 +219,8 @@ public abstract class LdapDAO * Checks the Ldap result code, and if the result is not SUCCESS, * throws an appropriate exception. This is the place to decide on * mapping between ldap errors and exception types * @param code * @param errorMsg * * @param code The code returned from an LDAP request. * @throws TransientException */ protected static void checkLdapResult(ResultCode code) Loading @@ -207,7 +234,8 @@ public abstract class LdapDAO { throw new AccessControlException("Invalid credentials "); } else if ((code == ResultCode.SUCCESS) || (code == ResultCode.NO_SUCH_OBJECT) ) else if ((code == ResultCode.SUCCESS) || (code == ResultCode.NO_SUCH_OBJECT)) { // all good. nothing to do } Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +103 −103 Original line number Diff line number Diff line Loading @@ -68,6 +68,7 @@ */ package ca.nrc.cadc.ac.server.ldap; import javax.security.auth.x500.X500Principal; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; Loading 
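Review bot: `createSSLSocketFactory()` builds the factory from a no-argument `SSLUtil`, so the new code configures no trust manager and no socket verifier; which server certificates are accepted is left entirely to the SDK's default for that constructor, and as far as this hunk shows nothing checks that the presented certificate matches `config.getServer()`. Given that `getConnection()` performs the admin bind over this socket, consider constructing `SSLUtil` with an explicit trust manager (for example a `TrustStoreTrustManager` over a configured trust store) and, if the SDK version in use supports it, enabling hostname verification through the connection options. The wrapping `throw new RuntimeException("Unexpected error.", e)` also loses context; `"Unable to create SSL socket factory for " + config.getServer()` would help diagnosis. Minor: `com.unboundid.util.ssl.*` is now imported yet the code still spells out `new com.unboundid.util.ssl.SSLUtil()`, and the added `java.io.File`, `java.net.MalformedURLException` and `java.security.cert.CertificateException` imports appear unused in the visible hunks. The same file section appears again further down the page.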
@@ -75,31 +76,24 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import javax.security.auth.x500.X500Principal; import com.unboundid.ldap.sdk.*; import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.Filter; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl; public class LdapUserDAO<T extends Principal> extends LdapDAO { private static final Logger logger = Logger.getLogger(LdapUserDAO.class); // Map of identity type to LDAP attribute private Map<Class<?>, String> userLdapAttrib = new HashMap<Class<?>, String>(); private Map<Class<?>, String> userLdapAttrib = new HashMap<Class<?>, String>(); // User attributes returned to the GMS private static final String LDAP_FNAME = "givenname"; Loading 
@@ -115,52 +109,58 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO this.userLdapAttrib.put(X500Principal.class, "distinguishedname"); // add the id attributes to user and member attributes String[] princs = userLdapAttrib.values().toArray(new String[userLdapAttrib.values().size()]); String[] princs = userLdapAttrib.values() .toArray(new String[userLdapAttrib.values().size()]); String[] tmp = new String[userAttribs.length + princs.length]; System.arraycopy(princs, 0, tmp, 0, princs.length); System.arraycopy(userAttribs, 0, tmp, princs.length, userAttribs.length); System.arraycopy(userAttribs, 0, tmp, princs.length, userAttribs.length); userAttribs = tmp; tmp = new String[memberAttribs.length + princs.length]; System.arraycopy(princs, 0, tmp, 0, princs.length); System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length); System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length); memberAttribs = tmp; } /** * Get the user specified by userID. * * @param userID The userID. * * @return User instance. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. 
*/ public User<T> getUser(T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException, AccessControlException { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( "Unsupported principal type " + userID.getClass()); } searchField = "(&(objectclass=cadcaccount)(" + searchField + "=" + userID.getName() + "))"; searchField = "(&(objectclass=cadcaccount)(" + searchField + "=" + userID .getName() + "))"; SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.SUB, searchField, userAttribs); SearchScope.SUB, searchField, userAttribs); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); searchResult = getConnection().searchForEntry(searchRequest); } Loading Loading @@ -192,20 +192,19 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * * @param userID The userID. * @param isAdmin * * @return Collection of Group instances. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred., e.getMessage( * @throws AccessControlException If the operation is not permitted. */ public Collection<DN> getUserGroups(final T userID, final boolean isAdmin) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException, AccessControlException { Collection<DN> groupDNs = new HashSet<DN>(); try { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( Loading 
@@ -224,7 +223,8 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Loading Loading @@ -267,9 +267,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * * @param userID The userID. * @param groupID The groupID. * * @return true or false * * @throws UserNotFoundException If the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. Loading @@ -280,7 +278,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO { try { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( Loading @@ -295,20 +293,17 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.SUB, filter, new String[] {"cn"}); filter, "cn"); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); SearchResultEntry searchResults = getConnection().searchForEntry(searchRequest); if (searchResults == null) { return false; } return true; return (searchResults != null); } catch (LDAPException e) { Loading Loading @@ -357,6 +352,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * returned object has the fields required by the GMS. * Note that this method binds as a proxy user and not as the * subject. * * @param userDN * @return * @throws UserNotFoundException Loading Loading 
@@ -384,9 +380,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } User<X500Principal> user = new User<X500Principal>( new X500Principal(searchResult.getAttributeValue( (String) userLdapAttrib.get(X500Principal.class)))); userLdapAttrib.get(X500Principal.class)))); String princ = searchResult.getAttributeValue( (String) userLdapAttrib.get(HttpPrincipal.class)); userLdapAttrib.get(HttpPrincipal.class)); if (princ != null) { user.getIdentities().add(new HttpPrincipal(princ)); Loading @@ -401,11 +397,13 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO DN getUserDN(User<? extends Principal> user) throws UserNotFoundException, TransientException { String searchField = (String) userLdapAttrib.get(user.getUserID().getClass()); String searchField = userLdapAttrib.get(user.getUserID().getClass()); if (searchField == null) { throw new IllegalArgumentException( "Unsupported principal type " + user.getUserID().getClass()); "Unsupported principal type " + user.getUserID() .getClass()); } searchField = "(" + searchField + "=" + Loading @@ -414,14 +412,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, new String[] {"entrydn"}); SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, "entrydn"); searchResult = getConnection().searchForEntry(searchRequest); } catch (LDAPException e) } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } Loading projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java +19 −23 Original line number Diff line number Diff line Loading 
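Review bot: In `getUser` the LDAP filter is still assembled by string concatenation, `"(&(objectclass=cadcaccount)(" + searchField + "=" + userID.getName() + "))"`, so a principal name containing filter metacharacters changes the meaning of the search; the reformatting in this hunk kept that shape. Building it with the SDK's filter API avoids this, e.g. `Filter.createANDFilter(Filter.createEqualityFilter("objectclass", "cadcaccount"), Filter.createEqualityFilter(searchField, userID.getName()))` passed to the `SearchRequest` constructor that takes a `Filter`, or at least `Filter.encodeValue(userID.getName())` on the value. The same pattern begins in the `getUserDN` hunk (`searchField = "(" + searchField + "=" +`), whose body continues past the hunk, and presumably in `getUserGroups`, which the hunk cuts off before the filter is built. Separately, the `getUserGroups` Javadoc carries stray text, `occurred., e.getMessage(`, that should be trimmed. This file section appears again further down the page.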
@@ -68,38 +68,32 @@ package ca.nrc.cadc.ac.server.ldap; import static ca.nrc.cadc.ac.server.ldap.LdapGroupDAOTest.config; import static org.junit.Assert.assertTrue; import java.security.PrivilegedExceptionAction; import javax.net.ssl.SSLSocketFactory; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.junit.Test; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import com.unboundid.ldap.sdk.LDAPConnection; import org.junit.Test; import static org.junit.Assert.*; public class LdapDAOTest { static String server = "mach275.cadc.dao.nrc.ca"; static int port = 389; static String adminDN = "uid=webproxy,ou=WebProxy,ou=topologymanagement,o=netscaperoot"; static String adminPW = "go4it"; static String usersDN = "ou=Users,ou=ds,dc=canfartest,dc=net"; static String groupsDN = "ou=Groups,ou=ds,dc=canfartest,dc=net"; static String adminGroupsDN = "ou=adminGroups,ou=ds,dc=canfartest,dc=net"; LdapConfig config = new LdapConfig(server, port, adminDN, adminPW, usersDN, groupsDN, adminGroupsDN); final LdapConfig config = new TestLDAPConfig(); @Test public void testLdapBindConnection() throws Exception { //TODO use a test user to test with. To be done when addUser available. //LdapUserDAO<X500Principal> userDAO = new LdapUserDAO<X500Principal>(); final X500Principal subjPrincipal = new X500Principal( "cn=cadcdaotest1,ou=cadc,o=hia,c=ca"); // User authenticated with HttpPrincipal HttpPrincipal httpPrincipal = new HttpPrincipal("CadcDaoTest1"); Loading @@ -115,8 +109,7 @@ public class LdapDAOTest { try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading @@ -127,8 +120,6 @@ public class LdapDAOTest }); X500Principal subjPrincipal = new X500Principal( "cn=cadcdaotest1,ou=cadc,o=hia,c=ca"); subject = new Subject(); subject.getPrincipals().add(subjPrincipal); Loading 
@@ -138,8 +129,7 @@ public class LdapDAOTest { try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading @@ -160,8 +150,7 @@ public class LdapDAOTest try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading @@ -172,4 +161,11 @@ public class LdapDAOTest }); } private void testConnection(final LDAPConnection ldapCon) { assertTrue("Not connected but should be.", ldapCon.isConnected()); assertFalse("Should be SSLSocketFactory.", (ldapCon.getSocketFactory() instanceof SSLSocketFactory)); } } Loading
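Review bot: The new `testConnection` helper's message and assertion contradict each other: `assertFalse("Should be SSLSocketFactory.", (ldapCon.getSocketFactory() instanceof SSLSocketFactory))` fails precisely when the factory is an `SSLSocketFactory`, so either the message or the predicate is inverted. Since `TestLDAPConfig` is not visible here, the expected factory type also depends on which port it configures; tying the check to the config removes the ambiguity, e.g. `assertEquals("Socket factory type should follow config.isSecure().", config.isSecure(), ldapCon.getSocketFactory() instanceof SSLSocketFactory);`. This file section appears again further down the page.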
projects/cadcAccessControl-Server/build.xml +2 −1 Original line number Diff line number Diff line Loading @@ -93,6 +93,7 @@ <property name="cadcRegistry" value="${lib}/cadcRegistryClient.jar" /> <property name="cadcUtil" value="${lib}/cadcUtil.jar" /> <property name="cadcUWS" value="${lib}/cadcUWS.jar" /> <property name="wsUtil" value="${lib}/wsUtil.jar" /> <property name="javacsv" value="${ext.lib}/javacsv.jar" /> <property name="jdom2" value="${ext.lib}/jdom2.jar" /> Loading @@ -101,7 +102,7 @@ <property name="unboundid" value="${ext.lib}/unboundid-ldapsdk-se.jar" /> <property name="xerces" value="${ext.lib}/xerces.jar" /> <property name="jars" value="${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}" /> <property name="jars" value="${javacsv}:${jdom2}:${log4j}:${servlet}:${unboundid}:${xerces}:${cadcAccessControl}:${cadcLog}:${cadcRegistry}:${cadcUtil}:${cadcUWS}:${wsUtil}" /> <target name="build" depends="compile"> <jar jarfile="${build}/lib/${project}.jar" Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapConfig.java +7 −0 Original line number Diff line number Diff line Loading @@ -93,6 +93,8 @@ public class LdapConfig public static final String LDAP_AVAIL_TEST_GROUP = "availabilityTestGroup"; public static final String LDAP_AVAIL_TEST_CALLING_USER_DN = "availabilityTestCallingUserDN"; private final static int SECURE_PORT = 636; private String usersDN; private String groupsDN; private String adminGroupsDN; Loading Loading @@ -271,6 +273,11 @@ public class LdapConfig return this.port; } public boolean isSecure() { return getPort() == SECURE_PORT; } public String getAdminUserDN() { return this.adminUserDN; Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapDAO.java +63 −35 Original line number Diff line number Diff line Loading @@ -68,26 +68,23 @@ */ package ca.nrc.cadc.ac.server.ldap; import java.security.AccessControlException; import java.security.AccessController; import java.security.Principal; import java.util.Set; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import java.io.File; import java.net.MalformedURLException; import java.security.*; import java.security.cert.CertificateException; import java.util.Set; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import ca.nrc.cadc.auth.OpenIdPrincipal; import com.unboundid.ldap.sdk.*; import com.unboundid.util.ssl.*; import ca.nrc.cadc.auth.*; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; public abstract class LdapDAO { Loading Loading 
@@ -118,13 +115,43 @@ public abstract class LdapDAO { if (conn == null) { conn = new LDAPConnection(config.getServer(), config.getPort()); conn = new LDAPConnection(getSocketFactory(), config.getServer(), config.getPort()); conn.bind(config.getAdminUserDN(), config.getAdminPasswd()); } return conn; } private SocketFactory getSocketFactory() { final SocketFactory socketFactory; if (config.isSecure()) { socketFactory = createSSLSocketFactory(); } else { socketFactory = SocketFactory.getDefault(); } return socketFactory; } private SSLSocketFactory createSSLSocketFactory() { try { return new com.unboundid.util.ssl.SSLUtil(). createSSLSocketFactory(); } catch (GeneralSecurityException e) { throw new RuntimeException("Unexpected error.", e); } } protected DN getSubjectDN() throws LDAPException { if (subjDN == null) Loading Loading @@ -174,7 +201,7 @@ public abstract class LdapDAO SearchResult searchResult = getConnection().search(config.getUsersDN(), SearchScope.ONE, ldapField, new String[] {"entrydn"}); ldapField, "entrydn"); if (searchResult.getEntryCount() < 1) { Loading @@ -182,8 +209,8 @@ public abstract class LdapDAO "No LDAP account when search with rule " + ldapField); } subjDN = ((SearchResultEntry) searchResult.getSearchEntries() .get(0)).getAttributeValueAsDN("entrydn"); subjDN = (searchResult.getSearchEntries().get(0)) .getAttributeValueAsDN("entrydn"); } return subjDN; } Loading @@ -192,8 +219,8 @@ public abstract class LdapDAO * Checks the Ldap result code, and if the result is not SUCCESS, * throws an appropriate exception. This is the place to decide on * mapping between ldap errors and exception types * @param code * @param errorMsg * * @param code The code returned from an LDAP request. * @throws TransientException */ protected static void checkLdapResult(ResultCode code) Loading 
@@ -207,7 +234,8 @@ public abstract class LdapDAO { throw new AccessControlException("Invalid credentials "); } else if ((code == ResultCode.SUCCESS) || (code == ResultCode.NO_SUCH_OBJECT) ) else if ((code == ResultCode.SUCCESS) || (code == ResultCode.NO_SUCH_OBJECT)) { // all good. nothing to do } Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +103 −103 Original line number Diff line number Diff line Loading @@ -68,6 +68,7 @@ */ package ca.nrc.cadc.ac.server.ldap; import javax.security.auth.x500.X500Principal; import java.security.AccessControlException; import java.security.Principal; import java.util.Collection; Loading @@ -75,31 +76,24 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import javax.security.auth.x500.X500Principal; import com.unboundid.ldap.sdk.*; import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.PersonalDetails; import ca.nrc.cadc.ac.User; import ca.nrc.cadc.ac.UserNotFoundException; import ca.nrc.cadc.auth.AuthenticationUtil; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.net.TransientException; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.Filter; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl; public class LdapUserDAO<T extends Principal> extends LdapDAO { private static final Logger logger = Logger.getLogger(LdapUserDAO.class); // Map of identity type to LDAP attribute private Map<Class<?>, String> userLdapAttrib = new HashMap<Class<?>, String>(); private Map<Class<?>, String> userLdapAttrib = new HashMap<Class<?>, String>(); // User attributes returned to the GMS private static final String LDAP_FNAME = "givenname"; Loading 
@@ -115,52 +109,58 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO this.userLdapAttrib.put(X500Principal.class, "distinguishedname"); // add the id attributes to user and member attributes String[] princs = userLdapAttrib.values().toArray(new String[userLdapAttrib.values().size()]); String[] princs = userLdapAttrib.values() .toArray(new String[userLdapAttrib.values().size()]); String[] tmp = new String[userAttribs.length + princs.length]; System.arraycopy(princs, 0, tmp, 0, princs.length); System.arraycopy(userAttribs, 0, tmp, princs.length, userAttribs.length); System.arraycopy(userAttribs, 0, tmp, princs.length, userAttribs.length); userAttribs = tmp; tmp = new String[memberAttribs.length + princs.length]; System.arraycopy(princs, 0, tmp, 0, princs.length); System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length); System.arraycopy(memberAttribs, 0, tmp, princs.length, memberAttribs.length); memberAttribs = tmp; } /** * Get the user specified by userID. * * @param userID The userID. * * @return User instance. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. 
*/ public User<T> getUser(T userID) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException, AccessControlException { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( "Unsupported principal type " + userID.getClass()); } searchField = "(&(objectclass=cadcaccount)(" + searchField + "=" + userID.getName() + "))"; searchField = "(&(objectclass=cadcaccount)(" + searchField + "=" + userID .getName() + "))"; SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.SUB, searchField, userAttribs); SearchScope.SUB, searchField, userAttribs); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); searchResult = getConnection().searchForEntry(searchRequest); } Loading Loading @@ -192,20 +192,19 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * * @param userID The userID. * @param isAdmin * * @return Collection of Group instances. * * @throws UserNotFoundException when the user is not found. * @throws TransientException If an temporary, unexpected problem occurred., e.getMessage( * @throws AccessControlException If the operation is not permitted. */ public Collection<DN> getUserGroups(final T userID, final boolean isAdmin) throws UserNotFoundException, TransientException, AccessControlException throws UserNotFoundException, TransientException, AccessControlException { Collection<DN> groupDNs = new HashSet<DN>(); try { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( Loading 
@@ -224,7 +223,8 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); SearchResultEntry searchResult = getConnection().searchForEntry(searchRequest); Loading Loading @@ -267,9 +267,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * * @param userID The userID. * @param groupID The groupID. * * @return true or false * * @throws UserNotFoundException If the user is not found. * @throws TransientException If an temporary, unexpected problem occurred. * @throws AccessControlException If the operation is not permitted. Loading @@ -280,7 +278,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO { try { String searchField = (String) userLdapAttrib.get(userID.getClass()); String searchField = userLdapAttrib.get(userID.getClass()); if (searchField == null) { throw new IllegalArgumentException( Loading @@ -295,20 +293,17 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), SearchScope.SUB, filter, new String[] {"cn"}); filter, "cn"); searchRequest.addControl( new ProxiedAuthorizationV2RequestControl("dn:" + getSubjectDN().toNormalizedString())); getSubjectDN() .toNormalizedString())); SearchResultEntry searchResults = getConnection().searchForEntry(searchRequest); if (searchResults == null) { return false; } return true; return (searchResults != null); } catch (LDAPException e) { Loading Loading @@ -357,6 +352,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO * returned object has the fields required by the GMS. * Note that this method binds as a proxy user and not as the * subject. * * @param userDN * @return * @throws UserNotFoundException Loading Loading 
@@ -384,9 +380,9 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO } User<X500Principal> user = new User<X500Principal>( new X500Principal(searchResult.getAttributeValue( (String) userLdapAttrib.get(X500Principal.class)))); userLdapAttrib.get(X500Principal.class)))); String princ = searchResult.getAttributeValue( (String) userLdapAttrib.get(HttpPrincipal.class)); userLdapAttrib.get(HttpPrincipal.class)); if (princ != null) { user.getIdentities().add(new HttpPrincipal(princ)); Loading @@ -401,11 +397,13 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO DN getUserDN(User<? extends Principal> user) throws UserNotFoundException, TransientException { String searchField = (String) userLdapAttrib.get(user.getUserID().getClass()); String searchField = userLdapAttrib.get(user.getUserID().getClass()); if (searchField == null) { throw new IllegalArgumentException( "Unsupported principal type " + user.getUserID().getClass()); "Unsupported principal type " + user.getUserID() .getClass()); } searchField = "(" + searchField + "=" + Loading @@ -414,14 +412,16 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO SearchResultEntry searchResult = null; try { SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, new String[] {"entrydn"}); SearchRequest searchRequest = new SearchRequest(this.config.getUsersDN(), SearchScope.SUB, searchField, "entrydn"); searchResult = getConnection().searchForEntry(searchRequest); } catch (LDAPException e) } catch (LDAPException e) { LdapDAO.checkLdapResult(e.getResultCode()); } Loading
projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java +19 −23 Original line number Diff line number Diff line Loading @@ -68,38 +68,32 @@ package ca.nrc.cadc.ac.server.ldap; import static ca.nrc.cadc.ac.server.ldap.LdapGroupDAOTest.config; import static org.junit.Assert.assertTrue; import java.security.PrivilegedExceptionAction; import javax.net.ssl.SSLSocketFactory; import javax.security.auth.Subject; import javax.security.auth.x500.X500Principal; import org.junit.Test; import ca.nrc.cadc.auth.HttpPrincipal; import ca.nrc.cadc.auth.NumericPrincipal; import com.unboundid.ldap.sdk.LDAPConnection; import org.junit.Test; import static org.junit.Assert.*; public class LdapDAOTest { static String server = "mach275.cadc.dao.nrc.ca"; static int port = 389; static String adminDN = "uid=webproxy,ou=WebProxy,ou=topologymanagement,o=netscaperoot"; static String adminPW = "go4it"; static String usersDN = "ou=Users,ou=ds,dc=canfartest,dc=net"; static String groupsDN = "ou=Groups,ou=ds,dc=canfartest,dc=net"; static String adminGroupsDN = "ou=adminGroups,ou=ds,dc=canfartest,dc=net"; LdapConfig config = new LdapConfig(server, port, adminDN, adminPW, usersDN, groupsDN, adminGroupsDN); final LdapConfig config = new TestLDAPConfig(); @Test public void testLdapBindConnection() throws Exception { //TODO use a test user to test with. To be done when addUser available. //LdapUserDAO<X500Principal> userDAO = new LdapUserDAO<X500Principal>(); final X500Principal subjPrincipal = new X500Principal( "cn=cadcdaotest1,ou=cadc,o=hia,c=ca"); // User authenticated with HttpPrincipal HttpPrincipal httpPrincipal = new HttpPrincipal("CadcDaoTest1"); Loading @@ -115,8 +109,7 @@ public class LdapDAOTest { try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading 
@@ -127,8 +120,6 @@ public class LdapDAOTest }); X500Principal subjPrincipal = new X500Principal( "cn=cadcdaotest1,ou=cadc,o=hia,c=ca"); subject = new Subject(); subject.getPrincipals().add(subjPrincipal); Loading @@ -138,8 +129,7 @@ public class LdapDAOTest { try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading @@ -160,8 +150,7 @@ public class LdapDAOTest try { LDAPConnection ldapCon = ldapDao.getConnection(); assertTrue(ldapCon.isConnected()); testConnection(ldapDao.getConnection()); return null; } catch (Exception e) Loading @@ -172,4 +161,11 @@ public class LdapDAOTest }); } private void testConnection(final LDAPConnection ldapCon) { assertTrue("Not connected but should be.", ldapCon.isConnected()); assertFalse("Should be SSLSocketFactory.", (ldapCon.getSocketFactory() instanceof SSLSocketFactory)); } }