use of org.dcache.auth.LoginGidPrincipal in project dcache by dCache.
the class AuthzDbPlugin method map.
/**
 * Maps the login principals in {@code principals} to a UID, a user name and a
 * set of GIDs, adding the results to the same set. The method mutates its
 * argument and returns nothing.
 *
 * Each of login name, login UID, login GID, user name and primary group name
 * may occur at most once; a second occurrence fails authentication. A
 * requested login name, UID or GID is honoured only if it is among the values
 * the authorization map {@code _map} yields for the user's name and group
 * names, so a caller cannot select an identity the map does not grant.
 *
 * @param principals the principals identified so far; extended in place with a
 *        UidPrincipal, a (possibly replaced) UserNamePrincipal and GidPrincipals
 * @throws AuthenticationException when principals conflict or a requested login
 *         name/UID/GID is not authorized (raised through checkAuthentication,
 *         defined elsewhere in the file), and presumably when getEntity cannot
 *         select a mapping
 */
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
/* Classify input principals. `names` collects the user name plus every
 * group name (primary or not); these are the keys looked up in the
 * authorization map below. Principal types not listed here are ignored.
 */
List<String> names = Lists.newArrayList();
String loginName = null;
Long loginUid = null;
Long loginGid = null;
String userName = null;
String primaryGroup = null;
boolean hasPrimaryGid = false; // true once an incoming GidPrincipal is already marked primary
for (Principal principal : principals) {
if (principal instanceof LoginNamePrincipal) {
checkAuthentication(loginName == null, "multiple login names");
loginName = principal.getName();
} else if (principal instanceof LoginUidPrincipal) {
checkAuthentication(loginUid == null, "multiple login UIDs");
loginUid = ((LoginUidPrincipal) principal).getUid();
} else if (principal instanceof LoginGidPrincipal) {
checkAuthentication(loginGid == null, "multiple login GIDs");
loginGid = ((LoginGidPrincipal) principal).getGid();
} else if (principal instanceof UserNamePrincipal) {
checkAuthentication(userName == null, "multiple usernames");
userName = principal.getName();
names.add(userName);
} else if (principal instanceof GroupNamePrincipal) {
if (((GroupNamePrincipal) principal).isPrimaryGroup()) {
checkAuthentication(primaryGroup == null, "multiple primary group names");
primaryGroup = principal.getName();
}
names.add(principal.getName());
} else if (principal instanceof GidPrincipal) {
hasPrimaryGid |= ((GidPrincipal) principal).isPrimaryGroup();
}
}
/* Determine the UIDs and GIDs available to the user: the union of
 * everything the authorization map grants to any of the collected names.
 * `gids` may hold duplicates when several mappings share a GID.
 */
List<Long> uids = Lists.newArrayList();
List<Long> gids = Lists.newArrayList();
for (String name : names) {
Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(name);
for (UserAuthzInformation mapping : mappings) {
uids.add(mapping.getUid());
gids.addAll(Longs.asList(mapping.getGids()));
}
}
/* Verify that the login name, login UID and login GID are
 * among the valid values. This is the authorization decision: a
 * requested identity the map does not grant to this user is rejected
 * rather than silently ignored. An absent request is always acceptable.
 */
checkAuthentication(loginName == null || names.contains(loginName), "not authorized to use login name: " + loginName);
checkAuthentication(loginUid == null || uids.contains(loginUid), "not authorized to use UID: " + loginUid);
checkAuthentication(loginGid == null || gids.contains(loginGid), "not authorized to use GID: " + loginGid);
/* Pick a UID and user name. getEntity is defined elsewhere in the file;
 * presumably it applies the _uidOrder preference to the candidate keys.
 */
UserAuthzInformation user = getEntity(_uidOrder, loginUid, null, loginName, userName, primaryGroup);
principals.add(new UidPrincipal(user.getUid()));
if (user.getUsername() != null) {
// If UID is not based on user name but on some other principle, then it
// may be that the UserNamePrincipal is inconsistent with the UID. Since
// space manager uses user name for authorization, we replace the principal
// with the one matching the selected UID.
removeIf(principals, instanceOf(UserNamePrincipal.class));
principals.add(new UserNamePrincipal(user.getUsername()));
}
/* Pick the first gid. This is the primary gid provided the user does
 * not already have a primary gid.
 * NOTE(review): getGids()[0] is unguarded. If the selected mapping carries
 * no GIDs this throws ArrayIndexOutOfBoundsException instead of failing
 * authentication; confirm getEntity guarantees a non-empty GID array.
 */
UserAuthzInformation group = getEntity(_gidOrder, null, loginGid, loginName, userName, primaryGroup);
long primaryGid = group.getGids()[0];
principals.add(new GidPrincipal(primaryGid, !hasPrimaryGid));
/* Add remaining GIDs. Only the primary GID is skipped; other duplicates in
 * `gids` are added again (principals is a Set, so they collapse only if
 * GidPrincipal defines equality accordingly — not verified here).
 */
for (long gid : gids) {
if (gid != primaryGid) {
principals.add(new GidPrincipal(gid, false));
}
}
}
the class XACMLPlugin method authenticate.
/**
 * Authenticates X.509 credentials through their VOMS extensions and maps them
 * to a local identity in one step.
 *
 * Every public credential that is an X.509 certificate path contributes its
 * original-DN principal to {@code identifiedPrincipals} and its VOMS
 * extensions to the lookup set. The mapping obtained from the XACML service is
 * added as a {@link UserNamePrincipal} and, when it carries a GID, as a
 * {@link LoginGidPrincipal}.
 *
 * @param publicCredentials    credentials whose X.509 certificate paths are inspected
 * @param privateCredentials   not consulted by this plugin
 * @param identifiedPrincipals principals identified so far; extended in place
 * @throws AuthenticationException if a UserNamePrincipal is already present, no
 *         VOMS extensions are found, or no mapping with a user name exists
 */
@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials, Set<Principal> identifiedPrincipals) throws AuthenticationException {
// Refuse to map if an earlier plugin already fixed the user name.
checkAuthentication(!any(identifiedPrincipals, instanceOf(UserNamePrincipal.class)), "username already defined");
// Gather the VOMS extensions of every X.509 chain, recording each chain's original DN.
Set<VomsExtensions> vomsExtensions = new LinkedHashSet<>();
for (Object credential : publicCredentials) {
if (!isX509CertPath(credential)) {
continue;
}
CertPath chain = (CertPath) credential;
identifiedPrincipals.add(getOriginalUserDnAsGlobusPrincipal(chain));
extractExtensionsFromChain(chain, vomsExtensions, validator);
}
logger.debug("VOMS extensions found: {}", vomsExtensions);
checkAuthentication(!vomsExtensions.isEmpty(), "no subjects found to map");
// The login name principal, if any, is handed to the XACML lookup.
Principal loginPrincipal = find(identifiedPrincipals, instanceOf(LoginNamePrincipal.class), null);
// A mapping is usable only if it exists and names a local user.
LocalId mapping = getMappingFor(loginPrincipal, vomsExtensions);
checkAuthentication(mapping != null, "no mapping for: " + vomsExtensions);
checkAuthentication(mapping.getUserName() != null, "no mapping for: " + vomsExtensions);
identifiedPrincipals.add(new UserNamePrincipal(mapping.getUserName()));
if (mapping.getGID() != null) {
identifiedPrincipals.add(new LoginGidPrincipal(mapping.getGID()));
}
}