

the class DatawavePrincipalLoginModule method commit.

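/**
 * Commits a successful login: makes the {@link DatawavePrincipal} produced by this module the only
 * principal of that name associated with the subject, delegates to the superclass commit, and, when
 * that succeeds, publishes the certificate credential (if one was captured) on the subject.
 * <p>
 * A login module earlier in the stack may already have attached a DatawavePrincipal, both directly on
 * the subject and inside the CallerPrincipal group. The identity manager resolves the caller from those
 * two places, so a previously created principal with the same name would be picked up instead of the one
 * this module authenticated. Removing the same-named duplicates keeps the identity the container sees
 * consistent with the identity that was actually verified here.
 *
 * @return the result of {@code super.commit()}
 * @throws LoginException if the superclass commit fails
 */
@Override
public boolean commit() throws LoginException {
    log.trace("Committing login for " + getIdentity() + "@" + System.identityHashCode(getIdentity()) + ". loginOk=" + loginOk);
    if (loginOk) {
        DatawavePrincipal dp = (DatawavePrincipal) getIdentity();
        removeSameNamedPrincipalsFromSubject(dp);
        removeSameNamedPrincipalsFromCallerGroup(dp);
    }
    boolean ok = super.commit();
    if (ok && certificateCredential != null) {
        subject.getPublicCredentials().add(certificateCredential);
    }
    return ok;
}

/**
 * Removes every {@link DatawavePrincipal} on the subject whose name equals that of {@code dp}.
 * {@code Subject.getPrincipals(Class)} returns a new set rather than a view, so removing from the
 * subject's live principal set while iterating the filtered set is safe.
 *
 * @param dp the principal produced by this login module
 */
private void removeSameNamedPrincipalsFromSubject(DatawavePrincipal dp) {
    for (DatawavePrincipal p : subject.getPrincipals(DatawavePrincipal.class)) {
        if (dp.getName().equals(p.getName())) {
            log.trace("Removing duplicate principal " + p + "@" + System.identityHashCode(p));
            subject.getPrincipals().remove(p);
        } else {
            // The message now shows the two names actually compared (it used to print p's name twice).
            log.trace("Skipping " + p + "@" + System.identityHashCode(p) + " since [" + dp.getName() + "] != [" + p.getName() + "]");
        }
    }
}

/**
 * Removes every {@link DatawavePrincipal} from the CallerPrincipal group whose name equals that of
 * {@code dp}. Matching members are collected first and removed afterwards so the group is not mutated
 * while its members are being enumerated. Does nothing when the subject has no CallerPrincipal group.
 *
 * @param dp the principal produced by this login module
 */
private void removeSameNamedPrincipalsFromCallerGroup(DatawavePrincipal dp) {
    Group callerGroup = getCallerPrincipalGroup(subject.getPrincipals());
    if (callerGroup == null) {
        return;
    }
    Set<Principal> principalsToRemove = new HashSet<>();
    for (Enumeration<? extends Principal> e = callerGroup.members(); e.hasMoreElements(); ) {
        Principal p = e.nextElement();
        if (!(p instanceof DatawavePrincipal)) {
            continue;
        }
        if (dp.getName().equals(p.getName())) {
            principalsToRemove.add(p);
        } else {
            // The message now shows the two names actually compared (it used to print p's name twice).
            log.trace("Skipping from CallerPrincipal group " + p + "@" + System.identityHashCode(p) + " since [" + dp.getName() + "] != [" + p.getName() + "]");
        }
    }
    for (Principal p : principalsToRemove) {
        log.trace("Removing from CallerPrincipal group duplicate principal " + p + "@" + System.identityHashCode(p));
        callerGroup.removeMember(p);
    }
}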

/**
 * Logs in through a two-server proxy chain (user -> testServer -> otherServer) and checks the role
 * sets the module reports afterwards: exactly one "Roles" group is expected, and it must contain
 * only {@code Role1} even though the proxied users were handed back with Role1, AuthorizedUser,
 * Role2, Role3 and AuthorizedServer between them.
 * <p>
 * NOTE(review): {@code assertEquals(userDN, expected.getUserDN())} compares the test's own fixture
 * with itself rather than anything returned by the login module.
 */
@Test
public void testGetRoleSetsFiltersRequiredRoles() throws Exception {
    // Every entity in the chain is signed by the issuer of the test server certificate.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, issuerDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, issuerDN);

    // Proxied-entities headers list the chain with the originating user last.
    String proxiedSubjects = "<" + firstServerDN + "><" + secondServerDN + "><" + userDN.subjectDN() + ">";
    String proxiedIssuers = "<" + issuerDN + "><" + issuerDN + "><" + userDN.issuerDN() + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    // Roles the user service will report for each entity in the chain.
    List<String> rolesOfUser = Arrays.asList("Role1", "AuthorizedUser");
    List<String> rolesOfFirstServer = Collections.singletonList("Role2");
    List<String> rolesOfSecondServer = Arrays.asList("Role3", "AuthorizedServer");
    DatawaveUser primaryUser = new DatawaveUser(userDN, UserType.USER, null, rolesOfUser, null, System.currentTimeMillis());
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, rolesOfFirstServer, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, rolesOfSecondServer, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(primaryUser, firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    boolean loggedIn = datawaveLoginModule.login();
    assertTrue("Login did not succeed.", loggedIn);
    assertEquals(userDN, expected.getUserDN());

    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);
    assertEquals("Roles", roleSets[0].getName());
    List<String> reportedRoles = Collections.list(roleSets[0].members()).stream().map(member -> member.getName()).collect(Collectors.toList());
    assertEquals(Lists.newArrayList("Role1"), reportedRoles);
    verifyAll();
}

/**
 * Logs in through a two-server proxy chain in which the last server carries {@code BLACKLIST_ROLE}
 * and expects the login to be rejected with {@link AccountLockedException}.
 * <p>
 * Because the exception is expected from {@code login()}, the trailing {@code assertFalse} and
 * {@code verifyAll()} only run if the module returns normally instead of throwing.
 */
@Test(expected = AccountLockedException.class)
public void testBlacklistedProxiedUser() throws Exception {
    // Every entity in the chain is signed by the issuer of the test server certificate.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, issuerDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, issuerDN);

    // Proxied-entities headers list the chain with the originating user last.
    String proxiedSubjects = "<" + firstServerDN + "><" + secondServerDN + "><" + userDN.subjectDN() + ">";
    String proxiedIssuers = "<" + issuerDN + "><" + issuerDN + "><" + userDN.issuerDN() + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    // Only the second server carries the blacklist role; the user and first server are ordinary.
    List<String> rolesWithBlacklist = Arrays.asList(BLACKLIST_ROLE, "TEST_ROLE");
    List<String> ordinaryRoles = Collections.singletonList("TEST_ROLE");
    DatawaveUser primaryUser = new DatawaveUser(userDN, UserType.USER, null, ordinaryRoles, null, System.currentTimeMillis());
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, ordinaryRoles, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, rolesWithBlacklist, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(primaryUser, firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    boolean loggedIn = datawaveLoginModule.login();
    assertFalse("Login should not have succeeded.", loggedIn);
    verifyAll();
}

/**
 * Logs in with a JWT instead of a certificate: the module is switched into JWT-header mode, a token
 * is minted with the module's own {@link JWTTokenHandler} for the default user plus two proxying
 * servers, and the login is expected to succeed. No user-service lookup is expected here, so none
 * is recorded on the mocks before {@code replayAll()}.
 * <p>
 * NOTE(review): {@code assertEquals(userDN, expected.getUserDN())} compares the test's own fixture
 * with itself rather than anything returned by the login module.
 */
@Test
public void testJWTLogin() throws Exception {
    Whitebox.setInternalState(datawaveLoginModule, "jwtHeaderLogin", true);
    JWTTokenHandler tokenHandler = Whitebox.getInternalState(datawaveLoginModule, JWTTokenHandler.class);

    // Two proxying servers, both signed by the issuer of the test server certificate.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, issuerDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, issuerDN);
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(defaultPrincipal.getPrimaryUser(), firstServerUser, secondServerUser));

    // The token carries the whole proxied-user list, so it stands in for the certificate credential.
    String token = tokenHandler.createTokenFromUsers(expected.getName(), expected.getProxiedUsers());
    DatawaveCredential credential = new DatawaveCredential(token);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;
    replayAll();

    boolean loggedIn = datawaveLoginModule.login();
    assertTrue("Login did not succeed.", loggedIn);
    assertEquals(userDN, expected.getUserDN());
    verifyAll();
}

/**
 * Logs in with the test server certificate plus proxied-entities headers naming two servers and the
 * default user, with the user service returning a principal for all three, and expects the login to
 * succeed.
 * <p>
 * NOTE(review): {@code assertEquals(userDN, expected.getUserDN())} compares the test's own fixture
 * with itself rather than anything returned by the login module.
 */
@Test
public void testProxiedEntitiesLogin() throws Exception {
    // Every entity in the chain is signed by the issuer of the test server certificate.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String firstServerDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String secondServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair firstServer = SubjectIssuerDNPair.of(firstServerDN, issuerDN);
    SubjectIssuerDNPair secondServer = SubjectIssuerDNPair.of(secondServerDN, issuerDN);

    // Proxied-entities headers list the chain with the originating user last.
    String proxiedSubjects = "<" + firstServerDN + "><" + secondServerDN + "><" + userDN.subjectDN() + ">";
    String proxiedIssuers = "<" + issuerDN + "><" + issuerDN + "><" + userDN.issuerDN() + ">";
    DatawaveCredential credential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = credential.getUserName();
    callbackHandler.credential = credential;

    // Servers are created without roles or authorizations; the user comes from the default principal.
    DatawaveUser firstServerUser = new DatawaveUser(firstServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawaveUser secondServerUser = new DatawaveUser(secondServer, UserType.SERVER, null, null, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(defaultPrincipal.getPrimaryUser(), firstServerUser, secondServerUser));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(credential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    boolean loggedIn = datawaveLoginModule.login();
    assertTrue("Login did not succeed.", loggedIn);
    assertEquals(userDN, expected.getUserDN());
    verifyAll();
}