use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModule method commit.
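/**
 * Commit phase of the JAAS login. When the login phase succeeded, any {@link DatawavePrincipal} already attached
 * to the subject (or to the CallerPrincipal group) under the same name as our identity is removed first, so that
 * the principal produced by this module is the one later resolved for the subject. The commit itself is delegated
 * to {@code super.commit()}; on success the certificate credential, if one is set, is added to the subject's
 * public credentials.
 *
 * @return the result of {@code super.commit()}
 * @throws LoginException propagated from {@code super.commit()}
 */
@Override
public boolean commit() throws LoginException {
    // If our login is ok, then remove any principals from the subject principals list that match our type.
    // If another login module produces a DatawavePrincipal before us, it will be associated with the subject
    // and later retrieved instead of the one we produce here. Therefore we remove any DatawavePrincipals
    // associated with the subject so that doesn't happen.
    log.trace("Committing login for " + getIdentity() + "@" + System.identityHashCode(getIdentity()) + ". loginOk=" + loginOk);
    if (loginOk) {
        DatawavePrincipal dp = (DatawavePrincipal) getIdentity();
        String ourName = dp.getName();
        // Subject.getPrincipals(Class) returns a new Set on every call, so removing from the subject's backing
        // principal set inside this loop does not invalidate the iterator.
        for (DatawavePrincipal p : subject.getPrincipals(DatawavePrincipal.class)) {
            if (ourName.equals(p.getName())) {
                log.trace("Removing duplicate principal " + p + "@" + System.identityHashCode(p));
                subject.getPrincipals().remove(p);
            } else {
                // Log both sides of the comparison; the previous message printed p.getName() twice.
                log.trace("Skipping " + p + "@" + System.identityHashCode(p) + " since [" + ourName + "] != [" + p.getName() + "]");
            }
        }
        // There is also a CallerPrincipal group that login modules create and add the identity to. Other login modules will
        // then maybe add a DatawavePrincipal to this group. The identity manager uses the CallerPrincipal group and the
        // principals on the subject to determine the true caller principal, so we need to be sure to remove the previously
        // created DatawavePrincipal from the CallerPrincipal group as well.
        Group callerGroup = getCallerPrincipalGroup(subject.getPrincipals());
        if (callerGroup != null) {
            // Collect first, then remove: Group.members() is an Enumeration, and removing members while
            // enumerating them is not guaranteed to be safe.
            Set<Principal> principalsToRemove = new HashSet<>();
            for (Enumeration<? extends Principal> e = callerGroup.members(); e.hasMoreElements();) {
                Principal p = e.nextElement();
                if (!(p instanceof DatawavePrincipal)) {
                    continue;
                }
                if (ourName.equals(p.getName())) {
                    principalsToRemove.add(p);
                } else {
                    // Same fix as above: show our name against the group member's name.
                    log.trace("Skipping from CallerPrincipal group " + p + "@" + System.identityHashCode(p) + " since [" + ourName + "] != [" + p.getName() + "]");
                }
            }
            for (Principal p : principalsToRemove) {
                log.trace("Removing from CallerPrincipal group duplicate principal " + p + "@" + System.identityHashCode(p));
                callerGroup.removeMember(p);
            }
        }
    }
    boolean ok = super.commit();
    if (ok && certificateCredential != null) {
        // Publish the certificate credential (when one is set) on the subject's public credential set.
        subject.getPublicCredentials().add(certificateCredential);
    }
    return ok;
}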
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testGetRoleSetsFiltersRequiredRoles.
@Test
public void testGetRoleSetsFiltersRequiredRoles() throws Exception {
    // A user request proxied through two servers: the user carries "AuthorizedUser" and the second server
    // carries "AuthorizedServer". After a successful login, the "Roles" group returned by getRoleSets()
    // is expected to contain only "Role1".
    String caDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, caDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, caDN);

    // Proxied entity headers are "<dn><dn><dn>" chains: the servers first, the originating user last.
    String proxiedSubjects = "<" + String.join("><", firstServerDN, secondServerDN, userDN.subjectDN()) + ">";
    String proxiedIssuers = "<" + String.join("><", caDN, caDN, userDN.issuerDN()) + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, null, Arrays.asList("Role1", "AuthorizedUser"), null, System.currentTimeMillis());
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, Collections.singletonList("Role2"), null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, Arrays.asList("Role3", "AuthorizedServer"), null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user, firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    assertTrue("Login did not succeed.", datawaveLoginModule.login());
    // NOTE(review): this compares the fixture's own user DN, not the identity produced by the module.
    assertEquals(userDN, expected.getUserDN());

    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);
    assertEquals("Roles", roleSets[0].getName());
    List<String> roleNames = Lists.newArrayList();
    for (Principal member : Collections.list(roleSets[0].members())) {
        roleNames.add(member.getName());
    }
    assertEquals(Collections.singletonList("Role1"), roleNames);
    verifyAll();
}
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testBlacklistedProxiedUser.
@Test(expected = AccountLockedException.class)
public void testBlacklistedProxiedUser() throws Exception {
    // Same two-server proxy chain as the other proxied-entity tests, but the second server carries
    // BLACKLIST_ROLE. login() is expected to throw AccountLockedException; the trailing assertFalse is
    // only reached if that check does not fire.
    String caDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, caDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, caDN);

    String proxiedSubjects = "<" + String.join("><", firstServerDN, secondServerDN, userDN.subjectDN()) + ">";
    String proxiedIssuers = "<" + String.join("><", caDN, caDN, userDN.issuerDN()) + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    List<String> plainRoles = Collections.singletonList("TEST_ROLE");
    List<String> blacklistedRoles = Arrays.asList(BLACKLIST_ROLE, "TEST_ROLE");
    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, null, plainRoles, null, System.currentTimeMillis());
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, plainRoles, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, blacklistedRoles, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user, firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    assertFalse("Login should not have succeeded.", datawaveLoginModule.login());
    verifyAll();
}
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testJWTLogin.
@Test
public void testJWTLogin() throws Exception {
    // Switch the module into JWT-header mode and borrow its own token handler to mint the credential.
    Whitebox.setInternalState(datawaveLoginModule, "jwtHeaderLogin", true);
    JWTTokenHandler tokenHandler = Whitebox.getInternalState(datawaveLoginModule, JWTTokenHandler.class);

    // Two-server proxy chain in front of the default primary user.
    String caDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, caDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, caDN);
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(defaultPrincipal.getPrimaryUser(), firstServerUser, secondServerUser));

    // No mock expectations are registered: the proxied users travel inside the token rather than being
    // looked up through datawaveUserService.
    String token = tokenHandler.createTokenFromUsers(expected.getName(), expected.getProxiedUsers());
    DatawaveCredential credential = new DatawaveCredential(token);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;
    replayAll();

    assertTrue("Login did not succeed.", datawaveLoginModule.login());
    // NOTE(review): this compares the fixture's own user DN, not the identity produced by the module.
    assertEquals(userDN, expected.getUserDN());
    verifyAll();
}
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testProxiedEntitiesLogin.
@Test
public void testProxiedEntitiesLogin() throws Exception {
    // The request arrives through two servers on behalf of the default primary user; the login is expected
    // to succeed with the user service returning the three proxied users.
    String caDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, caDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, caDN);

    // Proxied entity headers are "<dn><dn><dn>" chains: the servers first, the originating user last.
    String proxiedSubjects = "<" + String.join("><", firstServerDN, secondServerDN, userDN.subjectDN()) + ">";
    String proxiedIssuers = "<" + String.join("><", caDN, caDN, userDN.issuerDN()) + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(defaultPrincipal.getPrimaryUser(), firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    assertTrue("Login did not succeed.", datawaveLoginModule.login());
    // NOTE(review): this compares the fixture's own user DN, not the identity produced by the module.
    assertEquals(userDN, expected.getUserDN());
    verifyAll();
}