
Example 1 with LoginGidPrincipal

use of org.dcache.auth.LoginGidPrincipal in project dcache by dCache.

The class AuthzDbPlugin, method map (the mapping step; it only grants a requested login name, UID or GID when the authzdb table lists it for one of the user's names).

/**
 * Maps the already-identified principals to a local UID, user name and set of GIDs
 * using the authzdb table held in {@code _map}.
 *
 * <p>Security contract as implemented here: any {@link LoginNamePrincipal},
 * {@link LoginUidPrincipal} or {@link LoginGidPrincipal} found in {@code principals}
 * is treated as a <em>request</em>, never as a fact. A requested value is honoured
 * only if it occurs among the values the table grants to at least one of the user's
 * names (the {@link UserNamePrincipal} plus every {@link GroupNamePrincipal});
 * otherwise an {@link AuthenticationException} is thrown. The check is made against
 * the union over all of those names, so a requested UID/GID is accepted as soon as
 * any one matching table entry lists it.
 *
 * <p>Selection of the UID entry and of the GID entry is delegated to
 * {@code getEntity} with the configured {@code _uidOrder}/{@code _gidOrder}; what
 * those orders mean is not visible here.
 *
 * @param principals the principal set, extended in place with a {@link UidPrincipal},
 *        a {@link UserNamePrincipal} (replacing any existing one whenever the selected
 *        entry carries a user name) and one or more {@link GidPrincipal}s
 * @throws AuthenticationException if a login name, login UID, login GID, user name or
 *         primary group name occurs more than once, or if a requested login
 *         name/UID/GID is not among the values mapped for the user's names
 */
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
    /* Pass 1: classify what earlier plugins handed us. Each of the "requested"
     * principal kinds (login name/UID/GID), the user name and the primary
     * group name may occur at most once.
     */
    List<String> lookupNames = Lists.newArrayList();
    String requestedLoginName = null;
    Long requestedUid = null;
    Long requestedGid = null;
    String mappedUserName = null;
    String primaryGroupName = null;
    boolean primaryGidAlreadyPresent = false;
    for (Principal p : principals) {
        if (p instanceof LoginNamePrincipal) {
            checkAuthentication(requestedLoginName == null, "multiple login names");
            requestedLoginName = p.getName();
        } else if (p instanceof LoginUidPrincipal) {
            checkAuthentication(requestedUid == null, "multiple login UIDs");
            requestedUid = ((LoginUidPrincipal) p).getUid();
        } else if (p instanceof LoginGidPrincipal) {
            checkAuthentication(requestedGid == null, "multiple login GIDs");
            requestedGid = ((LoginGidPrincipal) p).getGid();
        } else if (p instanceof UserNamePrincipal) {
            checkAuthentication(mappedUserName == null, "multiple usernames");
            mappedUserName = p.getName();
            lookupNames.add(mappedUserName);
        } else if (p instanceof GroupNamePrincipal) {
            GroupNamePrincipal group = (GroupNamePrincipal) p;
            if (group.isPrimaryGroup()) {
                checkAuthentication(primaryGroupName == null, "multiple primary group names");
                primaryGroupName = group.getName();
            }
            lookupNames.add(group.getName());
        } else if (p instanceof GidPrincipal) {
            // Remember whether an earlier plugin already fixed a primary GID, so
            // that the GID chosen below is added only as a secondary one.
            primaryGidAlreadyPresent |= ((GidPrincipal) p).isPrimaryGroup();
        }
    }

    /* Pass 2: collect every UID and GID the table grants to any of the user's
     * names. This union is the authorisation basis for the requested values.
     */
    List<Long> grantedUids = Lists.newArrayList();
    List<Long> grantedGids = Lists.newArrayList();
    for (String name : lookupNames) {
        Collection<UserAuthzInformation> entries = _map.getValuesForPredicatesMatching(name);
        for (UserAuthzInformation entry : entries) {
            grantedUids.add(entry.getUid());
            for (long gid : entry.getGids()) {
                grantedGids.add(gid);
            }
        }
    }

    /* Reject any requested login name, UID or GID that the table does not grant.
     * Absent requests (null) pass trivially.
     */
    checkAuthentication(requestedLoginName == null || lookupNames.contains(requestedLoginName), "not authorized to use login name: " + requestedLoginName);
    checkAuthentication(requestedUid == null || grantedUids.contains(requestedUid), "not authorized to use UID: " + requestedUid);
    checkAuthentication(requestedGid == null || grantedGids.contains(requestedGid), "not authorized to use GID: " + requestedGid);

    /* Choose the entry that decides the UID and, when it carries one, the user name. */
    UserAuthzInformation uidEntry = getEntity(_uidOrder, requestedUid, null, requestedLoginName, mappedUserName, primaryGroupName);
    principals.add(new UidPrincipal(uidEntry.getUid()));
    String selectedUserName = uidEntry.getUsername();
    if (selectedUserName != null) {
        // The UID may have been selected by something other than the user name,
        // leaving the existing UserNamePrincipal inconsistent with it. Space manager
        // authorises on the user name, so it is replaced by the one matching the UID.
        removeIf(principals, instanceOf(UserNamePrincipal.class));
        principals.add(new UserNamePrincipal(selectedUserName));
    }

    /* Choose the entry that decides the primary GID: its first listed GID. It is
     * flagged primary only if no primary GidPrincipal was present on input.
     * NOTE(review): assumes every table entry lists at least one GID — an empty
     * array would fail here; confirm the line parser enforces this.
     */
    UserAuthzInformation gidEntry = getEntity(_gidOrder, null, requestedGid, requestedLoginName, mappedUserName, primaryGroupName);
    long chosenPrimaryGid = gidEntry.getGids()[0];
    principals.add(new GidPrincipal(chosenPrimaryGid, !primaryGidAlreadyPresent));

    /* Every other granted GID becomes a secondary group. */
    for (long gid : grantedGids) {
        if (gid != chosenPrimaryGid) {
            principals.add(new GidPrincipal(gid, false));
        }
    }
}

Example 2 with LoginGidPrincipal

use of org.dcache.auth.LoginGidPrincipal in project dcache by dCache.

The class XACMLPlugin, method authenticate (authentication and XACML mapping in one step; a GID returned by the service is added only as a LoginGidPrincipal, i.e. a request that a later mapping plugin must still authorise).

/**
 * Authenticates an X.509 credential holder and, in the same step, maps it to a
 * local account through the XACML service.
 *
 * <p>Every {@link CertPath} among {@code publicCredentials} contributes the
 * original user DN (as a Globus principal) and its VOMS extensions, gathered by
 * {@code extractExtensionsFromChain} with the configured {@code validator}.
 * NOTE(review): the upstream description calls the VOMS validation optional; if
 * the validator is configured not to verify the attribute certificates, the
 * mapping below is based on unverified VOMS attributes — confirm the deployment's
 * validator settings. The mapping returned by {@code getMappingFor} (described
 * upstream as the first valid one) is added as a {@link UserNamePrincipal}; a GID
 * returned with it is added only as a {@link LoginGidPrincipal}, i.e. as a GID
 * <em>request</em> that a subsequent mapping plugin still has to authorise.
 *
 * <p>The DN principal is added to {@code identifiedPrincipals} before the
 * "no subjects"/"no mapping" checks run, so on failure the set has already been
 * modified.
 *
 * @param publicCredentials credentials inspected for X.509 certificate paths
 * @param privateCredentials not used by this method
 * @param identifiedPrincipals extended in place; must not already contain a
 *        {@link UserNamePrincipal}
 * @throws AuthenticationException if a user name is already present, no VOMS
 *         extensions are found, or the XACML service yields no mapping or a
 *         mapping without a user name
 */
@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException {
    // Never overwrite a user name decided by an earlier plugin.
    boolean userNameAlreadyPresent = any(identifiedPrincipals, instanceOf(UserNamePrincipal.class));
    checkAuthentication(!userNameAlreadyPresent, "username already defined");

    // Collect the VOMS extensions of every certificate chain, keeping discovery order.
    Set<VomsExtensions> vomsExtensions = new LinkedHashSet<>();
    for (Object credential : publicCredentials) {
        if (!isX509CertPath(credential)) {
            continue;
        }
        CertPath chain = (CertPath) credential;
        identifiedPrincipals.add(getOriginalUserDnAsGlobusPrincipal(chain));
        extractExtensionsFromChain(chain, vomsExtensions, validator);
    }
    logger.debug("VOMS extensions found: {}", vomsExtensions);
    checkAuthentication(!vomsExtensions.isEmpty(), "no subjects found to map");

    // A login name requested upstream is forwarded to the XACML query; null when absent.
    Principal requestedLogin = find(identifiedPrincipals, instanceOf(LoginNamePrincipal.class), null);
    LocalId mapping = getMappingFor(requestedLogin, vomsExtensions);
    checkAuthentication(mapping != null, "no mapping for: " + vomsExtensions);
    checkAuthentication(mapping.getUserName() != null, "no mapping for: " + vomsExtensions);

    identifiedPrincipals.add(new UserNamePrincipal(mapping.getUserName()));
    if (mapping.getGID() != null) {
        // Requested GID only; a later mapping plugin decides whether it is granted.
        identifiedPrincipals.add(new LoginGidPrincipal(mapping.getGID()));
    }
}
