use of org.dcache.auth.FQAN in project dcache by dCache.
the class SrmAuthorizer method getRequestCredential.
/**
 * Returns a RequestCredential holding the delegated credential of the current user
 * together with the primary FQAN as its role. When a delegated credential already
 * exists for this user, the one that stays valid the longest is kept, and the
 * resulting credential is persisted in the storage before it is returned.
 *
 * @return the request credential for the current user and primary role
 * @throws SRMAuthenticationException if the request carries no client certificate
 *         chain or no DN could be resolved for the client
 */
public RequestCredential getRequestCredential() throws SRMAuthenticationException {
    // A missing chain or DN is an authentication failure; fail before any validation.
    X509Certificate[] chain = Axis.getCertificateChain()
          .orElseThrow(() -> new SRMAuthenticationException(
                "Client's certificate chain is missing from request"));
    String userDn = Axis.getDN()
          .orElseThrow(() -> new SRMAuthenticationException("Failed to resolve DN"));
    // A delegated credential is optional here; null stands for "none supplied".
    X509Credential delegated = Axis.getDelegatedCredential().orElse(null);
    // The role is the primary FQAN of the validated chain; Objects.toString maps
    // an absent role to a null role name.
    FQAN primaryRole = getPrimary(validator.validate(chain));
    String roleName = Objects.toString(primaryRole, null);
    RequestCredential result =
          RequestCredential.newRequestCredential(userDn, roleName, storage);
    result.keepBestDelegatedCredential(delegated);
    result.saveCredential();
    return result;
}
use of org.dcache.auth.FQAN in project dcache by dCache.
the class VoRoleMapPlugin method map.
/**
 * Adds mapped principals for every FQAN principal that pairs with a Globus (DN)
 * principal. An FQAN that is the primary group, while no primary group name has
 * been established yet, is mapped as primary and, if its own group has no mapping,
 * its parent FQANs are tried in turn until one matches. All other FQANs are tried
 * exactly once.
 *
 * @param principals the principals collected so far; mappings are added to this set
 * @throws AuthenticationException if no DN/FQAN pair produced a mapping
 */
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
    // Copy both principal kinds into lists before iterating; the set itself is handed
    // to addMappingFor and may be extended while the loops run.
    List<FQANPrincipal> fqanList = Lists.newArrayList(filter(principals, FQANPrincipal.class));
    List<GlobusPrincipal> dnList = Lists.newArrayList(filter(principals, GlobusPrincipal.class));
    boolean primaryAssigned = containsPrimaryGroupName(principals);
    boolean anyMapped = false;

    for (FQANPrincipal fqanPrincipal : fqanList) {
        // Mapped as primary only while no primary group name exists yet.
        boolean asPrimary = fqanPrincipal.isPrimaryGroup() && !primaryAssigned;
        boolean matched = false;
        FQAN candidate = fqanPrincipal.getFqan();
        for (;;) {
            for (GlobusPrincipal dnPrincipal : dnList) {
                if (addMappingFor(dnPrincipal, fqanPrincipal, candidate, asPrimary, principals)) {
                    anyMapped = true;
                    matched = true;
                    primaryAssigned |= asPrimary;
                }
            }
            candidate = candidate.getParent();
            // Walk up the FQAN hierarchy only for a still-unmatched primary FQAN.
            if (!asPrimary || matched || candidate == null) {
                break;
            }
        }
    }
    checkAuthentication(anyMapped, "no record");
}
use of org.dcache.auth.FQAN in project dcache by dCache.
the class VOMapLineParser method accept.
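/**
 * Parses one line of a VORoleMap file into a (DN, FQAN) predicate and its mapped key.
 *
 * @param line the raw line; null is treated like a blank line
 * @return the parsed entry, or null for blank lines, comment lines (starting with
 *         {@code #}) and lines that do not match the expected format
 */
@Override
public Map.Entry<DNFQANPredicate, String> accept(String line) {
    // Blank and comment lines are skipped silently. The null test must come before
    // trim(), otherwise a null line dereferences before it is ever checked.
    if (line == null || line.trim().isEmpty() || line.startsWith("#")) {
        return null;
    }
    Matcher matcher = ROLE_MAP_FILE_LINE_PATTERN.matcher(line);
    if (!matcher.matches()) {
        // Malformed lines are logged and dropped rather than failing the whole file.
        _log.warn("Ignored malformed line in VORoleMap-File: '{}'", line);
        return null;
    }
    // Double quotes are removed from both the DN and the FQAN; the FQAN group is
    // optional and an absent one is parsed as the empty FQAN.
    String dn = matcher.group(RM_DN_GROUP).replace("\"", "");
    String voRole = Strings.nullToEmpty(matcher.group(RM_FQAN_GROUP)).replace("\"", "");
    FQAN fqan = new FQAN(voRole);
    return new DNFQANStringEntry(new DNFQANPredicate(dn, fqan), matcher.group(RM_KEY_GROUP));
}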
use of org.dcache.auth.FQAN in project dcache by dCache.
the class CheckStagePermission method canPerformStaging.
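/**
 * Check whether staging is allowed for a particular subject on a particular object.
 *
 * The decision is taken in this order: root may always stage; an anonymous subject
 * may stage only when anonymous staging is allowed; when this check is disabled every
 * remaining subject may stage; otherwise the subject's DN and FQANs are evaluated
 * against the staging rules, and any FQAN that is allowed grants staging.
 *
 * @param subject The subject
 * @param fileAttributes The attributes of the file; its storage class and HSM are used
 * @param protocolInfo The protocol of the transfer; its name and major version are used
 * @return true if and only if the subject is allowed to perform staging
 * @throws PatternSyntaxException propagated from the rule evaluation
 * @throws IOException propagated from the rule evaluation
 * @throws IllegalArgumentException if the subject carries more than one DN
 */
public boolean canPerformStaging(Subject subject, FileAttributes fileAttributes,
      ProtocolInfo protocolInfo) throws PatternSyntaxException, IOException {
    if (Subjects.isRoot(subject)) {
        return true;
    }
    if (!_allowAnonymousStaging && Subjects.isNobody(subject)) {
        return false;
    }
    if (!_isEnabled) {
        // A disabled check is permissive: every subject past the anonymous gate may stage.
        return true;
    }

    String dn;
    try {
        dn = Subjects.getDn(subject);
    } catch (NoSuchElementException e) {
        // Only the DN lookup is caught here, so the message stays accurate;
        // the cause is kept for diagnostics.
        throw new IllegalArgumentException("Subject has multiple DNs", e);
    }
    if (dn == null) {
        dn = "";
    }
    Collection<FQAN> fqans = Subjects.getFqans(subject);

    // storeUnit is "<storageClass>@<hsm>", or empty when either part is unknown.
    String storageClass = fileAttributes.getStorageClass();
    String hsm = fileAttributes.getHsm();
    String storeUnit = (storageClass != null && hsm != null) ? storageClass + "@" + hsm : "";
    String protocol = protocolInfo.getProtocol() + "/" + protocolInfo.getMajorVersion();

    if (fqans.isEmpty()) {
        // No FQANs: evaluate the rules with the DN alone.
        return canPerformStaging(dn, null, storeUnit, protocol);
    }
    for (FQAN fqan : fqans) {
        if (canPerformStaging(dn, fqan, storeUnit, protocol)) {
            return true;
        }
    }
    return false;
}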
use of org.dcache.auth.FQAN in project dcache by dCache.
the class LoginResultPrinter method fqanInfoFor.
/**
 * Summarises the FQANs of a VOMS attribute for display: the first FQAN, then the
 * second one if present, then ", ..." when there are more than two.
 *
 * @param attribute the VOMS attribute whose FQANs are listed
 * @return the summary, or the empty string when the attribute has no FQANs
 */
private static String fqanInfoFor(VOMSAttribute attribute) {
    List<String> names = attribute.getFQANs();
    if (names.isEmpty()) {
        return "";
    }
    // Entries are wrapped as FQAN so that the FQAN's own string form is printed.
    StringBuilder out = new StringBuilder();
    out.append(new FQAN(String.valueOf(names.get(0))));
    int count = names.size();
    if (count > 1) {
        out.append(", ").append(new FQAN(String.valueOf(names.get(1))));
        if (count > 2) {
            out.append(", ...");
        }
    }
    return out.toString();
}