moved ost of the internal code to cadcCDP-Server and re-org packages; made...

    <property name="cadcLog"             value="${lib}/cadcLog.jar" />

    <property name="cadcUtil"            value="${lib}/cadcUtil.jar" />

    <property name="cadcCDP"             value="${lib}/cadcCDP.jar" />

    <property name="cadcVOSI"            value="${lib}/cadcVOSI.jar" />

    <property name="log4j"               value="${ext.lib}/log4j.jar" />

    <property name="servlet"             value="${ext.lib}/servlet-api.jar" />

    <property name="bouncy"              value="${ext.lib}/bcprov.jar" />

    <property name="spring"              value="${ext.lib}/spring.jar" />

    <property name="jars" value="${log4j}:${servlet}:${bouncy}:${cadcLog}:${cadcUtil}:${cadcVOSI}:${spring}" />

    <property name="jars" value="${log4j}:${servlet}:${bouncy}:${cadcLog}:${cadcUtil}:${cadcCDP}:${cadcVOSI}:${spring}" />

    <target name="build" depends="compile">

        <jar jarfile="${build}/lib/${project}.jar"

                <include name="**/**.class" />

        </jar>

    </target>

    <target name="setup-test">

        <copy overwrite="true" file="${env.CADC_PREFIX}/etc/proxy.pem" tofile="${build}/test/class/proxy.pem" />

    </target>

    <property name="easyMock"       value="${ext.dev}/easymock.jar" />

    <property name="junit"          value="${ext.dev}/junit.jar" />

    <property name="cglib"          value="${ext.dev}/cglib.jar" />

    <property name="objenesis"      value="${ext.dev}/objenesis.jar" />

    <property name="asm"            value="${ext.dev}/asm.jar" />

    <property name="testingJars"    value="${easyMock}:${junit}:${cglib}:${asm}:${objenesis}" />

</project>

/*

 ************************************************************************

 ****  C A N A D I A N   A S T R O N O M Y   D A T A   C E N T R E  *****

 *

 * (c) 2010.                            (c) 2010.

 * National Research Council            Conseil national de recherches

 * Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6

 * All rights reserved                  Tous droits reserves

 *

 * NRC disclaims any warranties         Le CNRC denie toute garantie

 * expressed, implied, or statu-        enoncee, implicite ou legale,

 * tory, of any kind with respect       de quelque nature que se soit,

 * to the software, including           concernant le logiciel, y com-

 * without limitation any war-          pris sans restriction toute

 * ranty of merchantability or          garantie de valeur marchande

 * fitness for a particular pur-        ou de pertinence pour un usage

 * pose.  NRC shall not be liable       particulier.  Le CNRC ne

 * in any event for any damages,        pourra en aucun cas etre tenu

 * whether direct or indirect,          responsable de tout dommage,

 * special or general, consequen-       direct ou indirect, particul-

 * tial or incidental, arising          ier ou general, accessoire ou

 * from the use of the software.        fortuit, resultant de l'utili-

 *                                      sation du logiciel.

 *

 *

 * @author adriand

 * 

 * @version $Revision: $

 * 

 * 

 ****  C A N A D I A N   A S T R O N O M Y   D A T A   C E N T R E  *****

 ************************************************************************

 */

package ca.nrc.cadc.cred.server;

import java.io.IOException;

import java.security.AccessControlException;

import java.security.PrivilegedActionException;

import java.security.PrivilegedExceptionAction;

import java.security.cert.X509Certificate;

import java.util.Arrays;

import java.util.Collection;

import java.util.HashSet;

import java.util.Set;

import javax.security.auth.Subject;

import javax.security.auth.x500.X500Principal;

import javax.servlet.ServletConfig;

import javax.servlet.ServletException;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

import org.astrogrid.security.delegation.DelegationServlet;

import ca.nrc.cadc.auth.AuthenticationUtil;

import ca.nrc.cadc.log.ServletLogInfo;

import ca.nrc.cadc.log.WebServiceLogInfo;

/**

 * This servlet is used in inject AccessControl information

 */

public class CadcDelegationServlet extends DelegationServlet

{

    private static final long serialVersionUID = 2740612605831268729L;

    private static Logger LOGGER = Logger.getLogger(CadcDelegationServlet.class);

    public static final String SU_DNS = "suDNs";

    private Set<X500Principal> suDNs = new HashSet<X500Principal>();

    /**

     * Read the configuration.

     */

    public void init(final ServletConfig config) 

        throws ServletException

    {

        super.init(config);

        String suDNStr = config.getInitParameter(SU_DNS);

        if (suDNStr != null)

        {

            String[] dns = suDNStr.split("\n");

            for (String dn : dns)

            {

                X500Principal su = new X500Principal(dn);

                suDNs.add(su);

                LOGGER.info("SU: " + su.getName());

            }

        }

    }

    /**

     * Determines the caller subject before passing the request to the

     * DelegationServlet.

     * 

     * @param request

     *            servlet request

     * @param response

     *            servlet response

     */

    @Override

    protected void service(final HttpServletRequest request,

            final HttpServletResponse response) throws IOException

    {

        WebServiceLogInfo logInfo = new ServletLogInfo(request);

        LOGGER.info(logInfo.start());

        long start = System.currentTimeMillis();

        try

        {

            final Subject currentSubject = createSubject(request);

            logInfo.setSubject(currentSubject);

            Subject.doAs(currentSubject,

                    new PrivilegedExceptionAction<Object>()

                    {

                        public Object run() throws IOException

                        {

                            handleService(request, response);

                            return null; // nothing to return

                        }

                    });

        }

        catch (Throwable t)

        {

            LOGGER.debug(t);

            if (t instanceof PrivilegedActionException)

            {

                t = ((PrivilegedActionException)t).getCause();

                LOGGER.debug(t);

            }

            logInfo.setMessage(t.getMessage());

            logInfo.setSuccess(false);

            if (t instanceof AccessControlException)

            {

                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

                response.getWriter().println("Unauthorized");

            }

            else if (t instanceof IllegalArgumentException)

            {

                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);

                response.getWriter().println("Bad Request: " + t.getMessage());

            }

            else

            {

                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);

                response.getWriter().println("Internal Error: " + t.getMessage());

            }

        }

        finally

        {

            logInfo.setElapsedTime(System.currentTimeMillis() - start);

            LOGGER.info(logInfo.end());

        }

    }

    private void handleService(HttpServletRequest request,

            HttpServletResponse response) throws IOException

    {

        super.service(request, response);

    }

    /**

     * Create a subject, and add all of the X509 Principals into it.

     * 

     * @param request

     *            The Request to create from.

     * @return An instance of a Subject.

     */

    @SuppressWarnings("unchecked")

    private Subject createSubject(final HttpServletRequest request)

    {

        X509Certificate[] ca = (X509Certificate[]) request

                .getAttribute("javax.servlet.request.X509Certificate");

        Collection<X509Certificate> certs = null;

        if (ca != null && ca.length > 0)

            certs = Arrays.asList(ca);

        // only ssl connections accepted (no remote user)

        Subject callerSubject = AuthenticationUtil.getSubject(request);

        Subject ret = callerSubject;

        // check whether user is superuser executing something on users

        // behalf

        String userDN = request.getParameter("DN");

        if (userDN != null)

        {

            Set<X500Principal> authPS = callerSubject.getPrincipals(X500Principal.class);

            boolean isSU = false;

            for (X500Principal caller : authPS)

            {

                for (X500Principal suDN : suDNs)

                {

                    if (AuthenticationUtil.equals(caller, suDN))

                    {

                        // super user doing something on users behalf

                        // build and return a different subject

                        isSU = true;

                    }

                }

            }

            if (isSU)

            {

                X500Principal delegatedPrinc = new X500Principal(userDN);

                ret = new Subject();

                ret.getPrincipals().add(delegatedPrinc);

                LOGGER.debug("Superuser ... access on behalf of user " + userDN);

            }

            else

            {

                throw new AccessControlException("create certficate for " + userDN);

            }

        }

        return ret;

    }

}

/*

************************************************************************

 ****  C A N A D I A N   A S T R O N O M Y   D A T A   C E N T R E  *****

*******************  CANADIAN ASTRONOMY DATA CENTRE  *******************

**************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************

*

 * (c) 2010.                            (c) 2010.

*  (c) 2011.                            (c) 2011.

*  Government of Canada                 Gouvernement du Canada

*  National Research Council            Conseil national de recherches

*  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6

 * All rights reserved                  Tous droits reserves

*  All rights reserved                  Tous droits réservés

*

 * NRC disclaims any warranties         Le CNRC denie toute garantie

 * expressed, implied, or statu-        enoncee, implicite ou legale,

 * tory, of any kind with respect       de quelque nature que se soit,

 * to the software, including           concernant le logiciel, y com-

 * without limitation any war-          pris sans restriction toute

 * ranty of merchantability or          garantie de valeur marchande

 * fitness for a particular pur-        ou de pertinence pour un usage

 * pose.  NRC shall not be liable       particulier.  Le CNRC ne

 * in any event for any damages,        pourra en aucun cas etre tenu

 * whether direct or indirect,          responsable de tout dommage,

 * special or general, consequen-       direct ou indirect, particul-

 * tial or incidental, arising          ier ou general, accessoire ou

 * from the use of the software.        fortuit, resultant de l'utili-

 *                                      sation du logiciel.

*  NRC disclaims any warranties,        Le CNRC dénie toute garantie

*  expressed, implied, or               énoncée, implicite ou légale,

*  statutory, of any kind with          de quelque nature que ce

*  respect to the software,             soit, concernant le logiciel,

*  including without limitation         y compris sans restriction

*  any warranty of merchantability      toute garantie de valeur

*  or fitness for a particular          marchande ou de pertinence

*  purpose. NRC shall not be            pour un usage particulier.

*  liable in any event for any          Le CNRC ne pourra en aucun cas

*  damages, whether direct or           être tenu responsable de tout

*  indirect, special or general,        dommage, direct ou indirect,

*  consequential or incidental,         particulier ou général,

*  arising from the use of the          accessoire ou fortuit, résultant

*  software.  Neither the name          de l'utilisation du logiciel. Ni

*  of the National Research             le nom du Conseil National de

*  Council of Canada nor the            Recherches du Canada ni les noms

*  names of its contributors may        de ses  participants ne peuvent

*  be used to endorse or promote        être utilisés pour approuver ou

*  products derived from this           promouvoir les produits dérivés

*  software without specific prior      de ce logiciel sans autorisation

*  written permission.                  préalable et particulière

*                                       par écrit.

*

*  This file is part of the             Ce fichier fait partie du projet

*  OpenCADC project.                    OpenCADC.

*

 * @version $Revision: $

*  OpenCADC is free software:           OpenCADC est un logiciel libre ;

*  you can redistribute it and/or       vous pouvez le redistribuer ou le

*  modify it under the terms of         modifier suivant les termes de

*  the GNU Affero General Public        la “GNU Affero General Public

*  License as published by the          License” telle que publiée

*  Free Software Foundation,            par la Free Software Foundation

*  either version 3 of the              : soit la version 3 de cette

*  License, or (at your option)         licence, soit (à votre gré)

*  any later version.                   toute version ultérieure.

*

*  OpenCADC is distributed in the       OpenCADC est distribué

*  hope that it will be useful,         dans l’espoir qu’il vous

*  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE

*  without even the implied             GARANTIE : sans même la garantie

*  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ

*  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF

*  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence

*  General Public License for           Générale Publique GNU Affero

*  more details.                        pour plus de détails.

*

*  You should have received             Vous devriez avoir reçu une

*  a copy of the GNU Affero             copie de la Licence Générale

*  General Public License along         Publique GNU Affero avec

*  with OpenCADC.  If not, see          OpenCADC ; si ce n’est

*  <http://www.gnu.org/licenses/>.      pas le cas, consultez :

*                                       <http://www.gnu.org/licenses/>.

*

*  $Revision: 5 $

*

 ****  C A N A D I A N   A S T R O N O M Y   D A T A   C E N T R E  *****

************************************************************************

*/

package ca.nrc.cadc.cdp.server;

package ca.nrc.cadc.cred.server;

import java.security.PrivateKey;

import java.security.cert.X509Certificate;

import org.springframework.jdbc.core.JdbcTemplate;

/**

 * Sybase implementation of CertificateDAO.

 * Class to persist certificates in a relational database table. This class has 

 * been only tested with Sybase ASE 15 so far.

 * 

 * @author pdowler

 *

 */

public class CertificateDAO

{

    private static Logger logger = Logger.getLogger(CertificateDAO.class);

    private static final Logger logger = Logger.getLogger(CertificateDAO.class);

    private final CertificateSchema config;

    public static class CertificateSchema

    {

        private final String dataSourceName;

        private final String table = "x509_certificates";

    private String certTable;

        private final String certTable;

    private String dataSourceName = "jdbc/sybase";

    private DataSource dataSource;

        public CertificateSchema(String dataSourceName, String catalog, String schema)

        {

            this.dataSourceName = dataSourceName;

            this.certTable = catalog + "." + schema + "." + table;

        }

    // TODO: make these configurable

    private String database = "archive";

    private String schema = "dbo";

    private String table = "x509_certificates";

        public String getTable()

        {

            return certTable;

        }

    public CertificateDAO()

        public DataSource getDataSource()

        {

            try

            {

            this.dataSource = DBUtil.getDataSource(dataSourceName);

                return DBUtil.getDataSource(dataSourceName);

            }

            catch(NamingException ex)

            {

                throw new RuntimeException("CONFIG: failed to find DataSource " + dataSourceName);

            }

        this.certTable = database + "." + schema + "." + table;

        }

    // for tests

    CertificateDAO(DataSource dataSource, String db, String schema)

    }

    public CertificateDAO(CertificateSchema config)

    {

        this.dataSource = dataSource;

        this.database = db;

        this.schema = schema;

        this.certTable = database + "." + schema + "." + table;

        this.config = config;

    }

    public CheckResource getCheckResource()

    {

        String sql = "select top 1 hash_dn from " + certTable;

        return new CheckDataSource(dataSource, sql);

        String sql = "select top 1 hash_dn from " + config.getTable();

        return new CheckDataSource(config.getDataSource(), sql);

    }

    public void put(X509CertificateChain chain)

        testBytesPrivateKey[testBytesPrivateKey.length-1]=1;

        String csr = chain.getCsrString();

        JdbcTemplate jdbc = new JdbcTemplate(dataSource);

        JdbcTemplate jdbc = new JdbcTemplate(config.getDataSource());

        if (recordExists(hashKey))

        {

            String sql = "update " + this.certTable

            String sql = "update " + config.getTable()

                    + " set canon_dn = ?, exp_date = ?, cert_chain = ?, private_key = ?, csr = ? where hash_dn=?";

            Object[] args = new Object[] { canonDn, expDate, certChainStr, testBytesPrivateKey, csr, hashKey };

            int[] argTypes = new int[] { Types.VARCHAR, Types.TIMESTAMP, Types.VARCHAR, Types.VARBINARY, Types.VARCHAR, Types.VARCHAR };

        }

        else

        {

            String sql = "insert into " + this.certTable

            String sql = "insert into " + config.getTable()

                + " (canon_dn, exp_date, cert_chain, private_key, csr, hash_dn) values (?,?,?,?,?,?)";

            Object[] args = new Object[] { canonDn, expDate, certChainStr, testBytesPrivateKey, csr, hashKey };

            int[] argTypes = 

        Profiler profiler = new Profiler(this.getClass());

        X509CertificateChain x509CertificateChain = null;

        String query = "select canon_dn, exp_date, cert_chain, private_key, csr from " + this.certTable + " where hash_dn = ? ";

        String query = "select canon_dn, exp_date, cert_chain, private_key, csr from " + config.getTable() + " where hash_dn = ? ";

        try

        {

            JdbcTemplate jdbc = new JdbcTemplate(dataSource);

            JdbcTemplate jdbc = new JdbcTemplate(config.getDataSource());

            Map<String, Object> map = jdbc.queryForMap(query, new String[] { hashKey });

            String canonDn = (String) map.get("canon_dn");

            Date expDate = (Date) map.get("exp_date");

    public void delete(String hashKey)

    {

        Profiler profiler = new Profiler(this.getClass());

        String sql = "delete from " + this.certTable + " where hash_dn = ? ";

        JdbcTemplate jdbc = new JdbcTemplate(dataSource);

        String sql = "delete from " + config.getTable() + " where hash_dn = ? ";

        JdbcTemplate jdbc = new JdbcTemplate(config.getDataSource());

        jdbc.update(sql, new String[] { hashKey });

        profiler.checkpoint("delete");

    }

    private boolean recordExists(String hashKey)

    {

        RowMapper rowMapper = new SingleColumnRowMapper(String.class);

        String query = "select canon_dn from " + this.certTable + " where hash_dn = ? ";

        JdbcTemplate jdbc = new JdbcTemplate(dataSource);

        String query = "select canon_dn from " + config.getTable() + " where hash_dn = ? ";

        JdbcTemplate jdbc = new JdbcTemplate(config.getDataSource());

        List<String> dnList = jdbc.query(query, new String[] { hashKey }, rowMapper);

        return (dnList != null && dnList.size() == 1);

    }

    public List<String> getAllHashKeys()

    {

        Profiler profiler = new Profiler(this.getClass());

        String query = "select hash_dn from " + this.certTable;

        String query = "select hash_dn from " + config.getTable();

        RowMapper rowMapper = new SingleColumnRowMapper(String.class);

        JdbcTemplate jdbc = new JdbcTemplate(dataSource);

        JdbcTemplate jdbc = new JdbcTemplate(config.getDataSource());

        List<String> hashKeyList = jdbc.query(query, rowMapper);

        profiler.checkpoint("getAllHashKeys");

        return hashKeyList;