Skip to content
GitLab
Commit fad6284f authored by Sara Bertocco's avatar Sara Bertocco
Browse files

Merge remote-tracking branch 'upstream/master'

parents 092f7316 c4ba0ea6
Expand all Hide whitespace changes
Inline Side-by-side
cadc-access-control-server/build.gradle
View file @ fad6284f
......@@ -13,7 +13,7 @@ repositories {
sourceCompatibility = 1.7
group = 'org.opencadc'
version = '1.1.0'
version = '1.1.1'
dependencies {
compile 'log4j:log4j:1.2.+'
......@@ -22,7 +22,7 @@ dependencies {
compile 'xerces:xercesImpl:2.+'
compile 'com.unboundid:unboundid-ldapsdk:2.3.+'
compile 'org.opencadc:cadc-access-control:1.1.+'
compile 'org.opencadc:cadc-access-control:[1.1.1,)'
compile 'org.opencadc:cadc-util:1.+'
compile 'org.opencadc:cadc-log:1.+'
compile 'org.opencadc:cadc-registry:1.+'
......
cadc-access-control/build.gradle
View file @ fad6284f
......@@ -15,9 +15,9 @@ sourceCompatibility = 1.7
group = 'org.opencadc'
version = '1.1.0'
version = '1.1.3'
mainClassName = 'ca.nrc.cadc.ac.client.GMSClientMain'
mainClassName = 'ca.nrc.cadc.ac.client.Main'
dependencies {
compile 'log4j:log4j:1.2.+'
......@@ -25,6 +25,7 @@ dependencies {
compile 'org.json:json:20160212'
compile 'org.opencadc:cadc-util:1.+'
compile 'org.opencadc:cadc-cdp:[1.0,)'
compile 'org.opencadc:cadc-registry:1.+'
testCompile 'junit:junit:4.+'
......
cadc-access-control/src/main/java/ca/nrc/cadc/ac/GroupURI.java
View file @ fad6284f
......@@ -83,7 +83,6 @@ public class GroupURI
private static Logger log = Logger.getLogger(GroupURI.class);
private URI uri;
private String name;
/**
* Attempts to create a URI using the specified uri.
......@@ -99,8 +98,6 @@ public class GroupURI
throw new IllegalArgumentException("Null URI");
}
this.uri = uri;
// Ensure the scheme is correct
if (uri.getScheme() == null)
{
......@@ -117,13 +114,9 @@ public class GroupURI
throw new IllegalArgumentException("Missing authority and/or path.");
}
log.debug("URI: " + uri);
log.debug(" scheme: " + uri.getScheme());
log.debug(" authority: " + uri.getAuthority());
log.debug(" path: " + uri.getPath());
String fragment = uri.getFragment();
String query = uri.getQuery();
String name = null;
if (query == null)
{
if (fragment != null)
......@@ -144,6 +137,9 @@ public class GroupURI
}
name = query;
}
this.uri = URI.create(
uri.getScheme() + "://" + uri.getAuthority() + uri.getPath() + "?" + name);
}
/**
......@@ -156,16 +152,16 @@ public class GroupURI
}
@Override
public boolean equals(Object rhs)
public boolean equals(Object other)
{
if (rhs == null)
if (other == null)
return false;
if (this == rhs)
if (this == other)
return true;
if (rhs instanceof GroupURI)
if (other instanceof GroupURI)
{
GroupURI vu = (GroupURI) rhs;
return uri.toString().equals(vu.uri.toString());
GroupURI otherURI = (GroupURI) other;
return uri.equals(otherURI.getURI());
}
return false;
}
......@@ -180,16 +176,6 @@ public class GroupURI
return uri;
}
/**
* Returns the decoded authority component of the URI.
*
* @return authority of the URI, or null if the authority is undefined.
*/
public String getAuthority()
{
return uri.getAuthority();
}
/**
* Returns the decoded fragment component of the URI.
*
......@@ -197,18 +183,18 @@ public class GroupURI
*/
public String getName()
{
return name;
return uri.getQuery();
}
public URI getServiceID()
{
String serviceID = uri.getScheme() +
String serviceIDString = uri.getScheme() +
"://" +
uri.getAuthority() +
uri.getPath();
try
{
return new URI(serviceID);
return new URI(serviceIDString);
}
catch (URISyntaxException e)
{
......@@ -220,7 +206,7 @@ public class GroupURI
@Override
public String toString()
{
return getServiceID() + "?" + name;
return uri.toString();
}
}
cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GroupAuthorizer.java 0 → 100644
View file @ fad6284f
/*
************************************************************************
******************* CANADIAN ASTRONOMY DATA CENTRE *******************
************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES **************
*
* (c) 2016. (c) 2016.
* Government of Canada Gouvernement du Canada
* National Research Council Conseil national de recherches
* Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6
* All rights reserved Tous droits réservés
*
* NRC disclaims any warranties, Le CNRC dénie toute garantie
* expressed, implied, or énoncée, implicite ou légale,
* statutory, of any kind with de quelque nature que ce
* respect to the software, soit, concernant le logiciel,
* including without limitation y compris sans restriction
* any warranty of merchantability toute garantie de valeur
* or fitness for a particular marchande ou de pertinence
* purpose. NRC shall not be pour un usage particulier.
* liable in any event for any Le CNRC ne pourra en aucun cas
* damages, whether direct or être tenu responsable de tout
* indirect, special or general, dommage, direct ou indirect,
* consequential or incidental, particulier ou général,
* arising from the use of the accessoire ou fortuit, résultant
* software. Neither the name de l'utilisation du logiciel. Ni
* of the National Research le nom du Conseil National de
* Council of Canada nor the Recherches du Canada ni les noms
* names of its contributors may de ses participants ne peuvent
* be used to endorse or promote être utilisés pour approuver ou
* products derived from this promouvoir les produits dérivés
* software without specific prior de ce logiciel sans autorisation
* written permission. préalable et particulière
* par écrit.
*
* This file is part of the Ce fichier fait partie du projet
* OpenCADC project. OpenCADC.
*
* OpenCADC is free software: OpenCADC est un logiciel libre ;
* you can redistribute it and/or vous pouvez le redistribuer ou le
* modify it under the terms of modifier suivant les termes de
* the GNU Affero General Public la “GNU Affero General Public
* License as published by the License” telle que publiée
* Free Software Foundation, par la Free Software Foundation
* either version 3 of the : soit la version 3 de cette
* License, or (at your option) licence, soit (à votre gré)
* any later version. toute version ultérieure.
*
* OpenCADC is distributed in the OpenCADC est distribué
* hope that it will be useful, dans l’espoir qu’il vous
* but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE
* without even the implied GARANTIE : sans même la garantie
* warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ
* or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF
* PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence
* General Public License for Générale Publique GNU Affero
* more details. pour plus de détails.
*
* You should have received Vous devriez avoir reçu une
* a copy of the GNU Affero copie de la Licence Générale
* General Public License along Publique GNU Affero avec
* with OpenCADC. If not, see OpenCADC ; si ce n’est
* <http://www.gnu.org/licenses/>. pas le cas, consultez :
* <http://www.gnu.org/licenses/>.
*
************************************************************************
*/
package ca.nrc.cadc.ac.client;
import ca.nrc.cadc.ac.GroupURI;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.auth.Authorizer;
import ca.nrc.cadc.cred.client.CredUtil;
import ca.nrc.cadc.net.TransientException;
import java.io.FileNotFoundException;
import java.net.URI;
import java.security.AccessControlException;
import org.apache.log4j.Logger;
/**
*
* @author pdowler
*/
public class GroupAuthorizer implements Authorizer
{
private static final Logger log = Logger.getLogger(GroupAuthorizer.class);
private GroupURI groupURI;
private GroupAuthorizer() { }
/**
* Create an authorizer that allows members of the specified group and denies
* all other users. The string argument must be a valid GroupURI.
*
* @param uri group identifier for the allow group
*/
public GroupAuthorizer(String uri)
{
try
{
this.groupURI = new GroupURI(uri);
}
finally { }
}
@Override
public Object getReadPermission(URI uri)
throws AccessControlException, FileNotFoundException, TransientException
{
checkMembership();
return null;
}
@Override
public Object getWritePermission(URI uri) throws AccessControlException, FileNotFoundException, TransientException
{
checkMembership();
return null;
}
private void checkMembership()
{
try
{
if ( CredUtil.checkCredentials())
{
GMSClient gms = new GMSClient(groupURI.getServiceID());
if ( gms.isMember(groupURI.getName(), Role.MEMBER))
return;
throw new AccessControlException("permission denied");
}
throw new AccessControlException("permission denied (no credentials)");
}
catch (AccessControlException e)
{
throw e;
}
catch (Throwable e)
{
String errorMessage = "Failed to check " + groupURI + " group membership: " + e
.getMessage();
log.error(errorMessage, e);
Throwable cause = e.getCause();
while (cause != null)
{
log.error(" reason: "
+ cause.getCause());
cause = cause.getCause();
}
throw new IllegalStateException(errorMessage);
}
}
}
cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/GMSClientMain.java cadc-access-control/src/main/java/ca/nrc/cadc/ac/client/Main.java
View file @ fad6284f
......@@ -69,6 +69,7 @@
package ca.nrc.cadc.ac.client;
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
......@@ -95,10 +96,10 @@ import ca.nrc.cadc.util.Log4jInit;
* only used for testing. Should not be used for production
* work.
*/
public class GMSClientMain implements PrivilegedAction<Object>
public class Main implements PrivilegedAction<Object>
{
private static Logger log = Logger.getLogger(GMSClientMain.class);
private static Logger log = Logger.getLogger(Main.class);
public static final String ARG_ADD_MEMBER = "add-member";
public static final String ARG_DEL_MEMBER = "remove-member";
......@@ -118,12 +119,11 @@ public class GMSClientMain implements PrivilegedAction<Object>
public static final String ARG_V = "v";
public static final String ARG_D = "d";
private GMSClient client;
private ArgumentMap argMap;
private GMSClientMain()
private Main(ArgumentMap args)
{
client = new GMSClient();
this.argMap = args;
}
public static void main(String[] args)
......@@ -149,8 +149,7 @@ public class GMSClientMain implements PrivilegedAction<Object>
else
Log4jInit.setLevel("ca", Level.WARN);
GMSClientMain main = new GMSClientMain();
main.argMap = argMap;
Main main = new Main(argMap);
Subject subject = CertCmdArgUtil.initSubject(argMap, true);
......@@ -192,15 +191,15 @@ public class GMSClientMain implements PrivilegedAction<Object>
private static void usage()
{
System.out.println("--create --group=<g>");
System.out.println("--get --group=<g>");
System.out.println("--delete --group=<g>");
System.out.println("--create --group=<uri>");
System.out.println("--get --group=<uri>");
System.out.println("--delete --group=<uri>");
System.out.println();
System.out.println("--add-member --group=<g> --userid=<u>");
System.out.println("--remove-member --group=<g> --userid=<u>");
System.out.println("--add-member --group=<uri> --userid=<u>");
System.out.println("--remove-member --group=<uri> --userid=<u>");
System.out.println();
System.out.println("--add-admin --group=<g> --userid=<u>");
System.out.println("--remove-admin --group=<g> --userid=<u>");
System.out.println("--add-admin --group=<uri> --userid=<u>");
System.out.println("--remove-admin --group=<uri> --userid=<u>");
}
@Override
......@@ -209,12 +208,14 @@ public class GMSClientMain implements PrivilegedAction<Object>
try
{
String command = getCommand();
GroupURI groupID = null;
String suri = argMap.getValue(ARG_GROUP);
GroupURI guri = new GroupURI(new URI(suri));
GMSClient client = new GMSClient(guri.getServiceID());
String group = guri.getName();
if (command.equals(ARG_ADD_MEMBER))
{
String group = argMap.getValue(ARG_GROUP);
String userID = argMap.getValue(ARG_USERID);
if (group == null)
......@@ -223,11 +224,10 @@ public class GMSClientMain implements PrivilegedAction<Object>
if (userID == null)
throw new IllegalArgumentException("No userid specified");
client.addUserMember(new GroupURI(group), new HttpPrincipal(userID));
client.addUserMember(group, new HttpPrincipal(userID));
}
else if (command.equals(ARG_DEL_MEMBER))
{
String group = argMap.getValue(ARG_GROUP);
if (group == null)
throw new IllegalArgumentException("No group specified");
......@@ -235,11 +235,10 @@ public class GMSClientMain implements PrivilegedAction<Object>
if (member == null)
throw new IllegalArgumentException("No user specified");
client.removeUserMember(new GroupURI(group), new HttpPrincipal(member));
client.removeUserMember(group, new HttpPrincipal(member));
}
else if (command.equals(ARG_ADD_ADMIN))
{
String group = argMap.getValue(ARG_GROUP);
String userID = argMap.getValue(ARG_USERID);
if (group == null)
......@@ -249,7 +248,7 @@ public class GMSClientMain implements PrivilegedAction<Object>
throw new IllegalArgumentException("No userid specified");
HttpPrincipal hp = new HttpPrincipal(userID);
Group cur = client.getGroup(new GroupURI(group));
Group cur = client.getGroup(group);
boolean update = true;
for (User admin : cur.getUserAdmins())
{
......@@ -280,7 +279,6 @@ public class GMSClientMain implements PrivilegedAction<Object>
}
else if (command.equals(ARG_DEL_ADMIN))
{
String group = argMap.getValue(ARG_GROUP);
if (group == null)
throw new IllegalArgumentException("No group specified");
......@@ -289,7 +287,7 @@ public class GMSClientMain implements PrivilegedAction<Object>
throw new IllegalArgumentException("No user specified");
HttpPrincipal hp = new HttpPrincipal(userID);
Group cur = client.getGroup(new GroupURI(group));
Group cur = client.getGroup(group);
boolean update = false;
Iterator<User> iter = cur.getUserAdmins().iterator();
while (iter.hasNext())
......@@ -319,29 +317,15 @@ public class GMSClientMain implements PrivilegedAction<Object>
}
else if (command.equals(ARG_CREATE_GROUP))
{
String group = argMap.getValue(ARG_GROUP);
if (group == null)
throw new IllegalArgumentException("No group specified");
GroupURI groupURI = null;
try
{
groupURI = new GroupURI(group);
}
catch (Exception e)
{
String message = "Invalid group URI format '" +
group + "': " + e.getMessage();
log.debug(message, e);
throw new IllegalArgumentException(message);
}
AccessControlContext accessControlContext = AccessController.getContext();
Subject subject = Subject.getSubject(accessControlContext);
Set<X500Principal> principals = subject.getPrincipals(X500Principal.class);
X500Principal p = principals.iterator().next();
Group g = new Group(groupURI);
Group g = new Group(guri);
User member = new User();
member.getIdentities().add(p);
......@@ -350,11 +334,10 @@ public class GMSClientMain implements PrivilegedAction<Object>
}
else if (command.equals(ARG_GET_GROUP))
{
String group = argMap.getValue(ARG_GROUP);
if (group == null)
throw new IllegalArgumentException("No group specified");
Group g = client.getGroup(new GroupURI(group));
Group g = client.getGroup(group);
System.out.println("found: " + g.getID());
System.out.println("\t" + g.description);
System.out.println("owner: " + g.getOwner());
......@@ -374,11 +357,10 @@ public class GMSClientMain implements PrivilegedAction<Object>
}
else if (command.equals(ARG_DELETE_GROUP))
{
String group = argMap.getValue(ARG_GROUP);
if (group == null)
throw new IllegalArgumentException("No group specified");
client.deleteGroup(new GroupURI(group));
client.deleteGroup(group);
}
return null;
......@@ -389,4 +371,4 @@ public class GMSClientMain implements PrivilegedAction<Object>
return t;
}
}
}
}
\ No newline at end of file
cadc-access-control/src/test/java/ca/nrc/cadc/ac/GroupURITest.java
View file @ fad6284f
......@@ -18,6 +18,18 @@ public class GroupURITest
Log4jInit.setLevel("ca.nrc.cadc.ac", Level.DEBUG);
}
@Test
public void testEquals()
{
GroupURI uri1 = new GroupURI("ivo://example.org/gms?name");
GroupURI uri2 = new GroupURI("ivo://example.org/gms?name");
Assert.assertTrue(uri1.equals(uri2));
uri1 = new GroupURI("ivo://example.org/gms?name");
uri2 = new GroupURI("ivo://example.org/gms#name");
Assert.assertTrue(uri1.equals(uri2));
}
@Test
public void testMalformed()
{
......@@ -46,7 +58,6 @@ public class GroupURITest
{
GroupURI g = new GroupURI("ivo://my.authority/gms?name");
Assert.assertEquals("ivo", g.getURI().getScheme());
Assert.assertEquals("my.authority", g.getAuthority());
Assert.assertEquals("/gms", g.getURI().getPath());
Assert.assertEquals("name", g.getName());
Assert.assertEquals("ivo://my.authority/gms", g.getServiceID().toString());
......@@ -65,7 +76,6 @@ public class GroupURITest
{
GroupURI g = new GroupURI("ivo://my.authority/gms#name");
Assert.assertEquals("ivo", g.getURI().getScheme());
Assert.assertEquals("my.authority", g.getAuthority());
Assert.assertEquals("/gms", g.getURI().getPath());
Assert.assertEquals("name", g.getName());
Assert.assertEquals("ivo://my.authority/gms", g.getServiceID().toString());
......
cadc-access-control/src/test/java/ca/nrc/cadc/ac/client/GMSClientTest.java
View file @ fad6284f
......@@ -115,11 +115,13 @@ public class GMSClientTest
final RegistryClient mockRegistryClient =
createMock(RegistryClient.class);
// expect(mockRegistryClient.getServiceURL(serviceID, Standards.UMS_USERS_01, AuthMethod.CERT))
// .andReturn(new URL("http://mysite.com/users"));
final URI serviceID = URI.create("ivo://mysite.com/users");
expect(mockRegistryClient.getServiceURL(serviceID, Standards.UMS_USERS_01, AuthMethod.CERT))
.andReturn(new URL("http://mysite.com/users"));
replay(mockRegistryClient);
GMSClient client = new GMSClient()
GMSClient client = new GMSClient(serviceID)
{
@Override
protected RegistryClient getRegistryClient()
......@@ -149,15 +151,15 @@ public class GMSClientTest
final HttpPrincipal test1UserID = new HttpPrincipal("test");
subject.getPrincipals().add(test1UserID);
final URI serviceID = URI.create("ivo://example.org/gms");
final URI serviceID = URI.create("ivo://mysite.com/users");
final RegistryClient mockRegistryClient =
createMock(RegistryClient.class);
expect(mockRegistryClient.getServiceURL(serviceID, Standards.GMS_GROUPS_01, AuthMethod.CERT ))
.andReturn(new URL("http://example.org/gms"));
.andReturn(new URL("http://mysite.com/users"));
replay(mockRegistryClient);
final GMSClient client = new GMSClient()
final GMSClient client = new GMSClient(serviceID)
{
@Override
protected RegistryClient getRegistryClient()
......@@ -173,42 +175,46 @@ public class GMSClientTest
{
List<Group> initial = client
.getCachedGroups(serviceID, test1UserID, Role.MEMBER, true);
.getCachedGroups(test1UserID, Role.MEMBER, true);
Assert.assertNull("Cache should be null", initial);
// add single group as isMember might do
GroupURI group0uri = new GroupURI("ivo://example.org/gms?0");
Group group0 = new Group(group0uri);
client.addCachedGroup(test1UserID, group0, Role.MEMBER);
List<Group> actual = client.getCachedGroups(serviceID, test1UserID, Role.MEMBER, true);
List<Group> actual = client
.getCachedGroups(test1UserID, Role.MEMBER, true);
Assert.assertNull("Cache should be null", actual);