use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.
the class AuthzDbPlugin method map.
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
/* Classify input principals.
*/
List<String> names = Lists.newArrayList();
String loginName = null;
Long loginUid = null;
Long loginGid = null;
String userName = null;
String primaryGroup = null;
boolean hasPrimaryGid = false;
for (Principal principal : principals) {
if (principal instanceof LoginNamePrincipal) {
checkAuthentication(loginName == null, "multiple login names");
loginName = principal.getName();
} else if (principal instanceof LoginUidPrincipal) {
checkAuthentication(loginUid == null, "multiple login UIDs");
loginUid = ((LoginUidPrincipal) principal).getUid();
} else if (principal instanceof LoginGidPrincipal) {
checkAuthentication(loginGid == null, "multiple login GIDs");
loginGid = ((LoginGidPrincipal) principal).getGid();
} else if (principal instanceof UserNamePrincipal) {
checkAuthentication(userName == null, "multiple usernames");
userName = principal.getName();
names.add(userName);
} else if (principal instanceof GroupNamePrincipal) {
if (((GroupNamePrincipal) principal).isPrimaryGroup()) {
checkAuthentication(primaryGroup == null, "multiple primary group names");
primaryGroup = principal.getName();
}
names.add(principal.getName());
} else if (principal instanceof GidPrincipal) {
hasPrimaryGid |= ((GidPrincipal) principal).isPrimaryGroup();
}
}
/* Determine the UIDs and GIDs available to the user
*/
List<Long> uids = Lists.newArrayList();
List<Long> gids = Lists.newArrayList();
for (String name : names) {
Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(name);
for (UserAuthzInformation mapping : mappings) {
uids.add(mapping.getUid());
gids.addAll(Longs.asList(mapping.getGids()));
}
}
/* Verify that the login name, login UID and login GID are
* among the valid values.
*/
checkAuthentication(loginName == null || names.contains(loginName), "not authorized to use login name: " + loginName);
checkAuthentication(loginUid == null || uids.contains(loginUid), "not authorized to use UID: " + loginUid);
checkAuthentication(loginGid == null || gids.contains(loginGid), "not authorized to use GID: " + loginGid);
/* Pick a UID and user name.
*/
UserAuthzInformation user = getEntity(_uidOrder, loginUid, null, loginName, userName, primaryGroup);
principals.add(new UidPrincipal(user.getUid()));
if (user.getUsername() != null) {
// If UID is not based on user name but on some other principle, then it
// may be that the UserNamePrincipal is inconsistent with the UID. Since
// space manager uses user name for authorization, we replace the principal
// with the on matching the selected UID.
removeIf(principals, instanceOf(UserNamePrincipal.class));
principals.add(new UserNamePrincipal(user.getUsername()));
}
/* Pick the first gid. This is the primary gid provided the user does
* not already have a primary gid.
*/
UserAuthzInformation group = getEntity(_gidOrder, null, loginGid, loginName, userName, primaryGroup);
long primaryGid = group.getGids()[0];
principals.add(new GidPrincipal(primaryGid, !hasPrimaryGid));
/* Add remaining GIDs.
*/
for (long gid : gids) {
if (gid != primaryGid) {
principals.add(new GidPrincipal(gid, false));
}
}
}
use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.
the class MutatorPluginTest method testMutation.
@Test
public void testMutation() throws Exception {
Properties prop = new Properties();
prop.setProperty(MutatorPlugin.IN_OPTION, "org.dcache.auth.LoginNamePrincipal");
prop.setProperty(MutatorPlugin.OUT_OPTION, "username");
MutatorPlugin mutator = new MutatorPlugin(prop);
Set<Principal> principals = Sets.newHashSet((Principal) new LoginNamePrincipal("myname"));
mutator.map(principals);
// will throw exception if no match
find(principals, instanceOf(UserNamePrincipal.class));
}
use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.
the class GssFtpDoorV1 method ftp_user.
@Override
public void ftp_user(String arg) throws FTPCommandException {
checkFTPCommand(!arg.isEmpty(), 500, "Missing argument");
checkFTPCommand(context != null && context.isEstablished(), 530, "Authentication required");
Subject subject = context.getSubject();
subject.getPrincipals().add(_origin);
if (!arg.equals(GLOBUS_URL_COPY_DEFAULT_USER)) {
subject.getPrincipals().add(new LoginNamePrincipal(arg));
}
try {
login(subject);
reply("200 User " + arg + " logged in");
} catch (PermissionDeniedCacheException e) {
LOGGER.warn("Login denied for {}: {}", context.getPeerName(), e.getMessage());
throw new FTPCommandException(530, "Login denied");
} catch (CacheException e) {
LOGGER.error("Login failed for {}: {}", context.getPeerName(), e.getMessage());
throw new FTPCommandException(530, "Login failed: " + e.getMessage());
}
}
use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.
the class AuthenticationHandler method addAuthCredentialsToSubject.
private void addAuthCredentialsToSubject(HttpServletRequest request, Subject subject) throws PermissionDeniedCacheException {
Optional<AuthInfo> optional = parseAuthenticationHeader(request);
if (optional.isPresent()) {
AuthInfo info = optional.get();
switch(info.getScheme()) {
case HttpServletRequest.BASIC_AUTH:
if (!_isBasicAuthenticationEnabled) {
return;
}
try {
byte[] bytes = Base64.getDecoder().decode(info.getData().getBytes(StandardCharsets.US_ASCII));
String credential = new String(bytes, StandardCharsets.UTF_8);
int colon = credential.indexOf(":");
if (colon >= 0) {
String user = credential.substring(0, colon);
int lastHash = user.lastIndexOf('#');
if (lastHash != -1 && lastHash < (user.length() - 1)) {
Splitter.on(',').trimResults().omitEmptyStrings().split(user.substring(lastHash + 1)).forEach(r -> subject.getPrincipals().add(new DesiredRole(r)));
user = user.substring(0, lastHash);
}
String password = credential.substring(colon + 1);
subject.getPrivateCredentials().add(new PasswordCredential(user, password));
} else {
subject.getPrincipals().add(new LoginNamePrincipal(credential));
}
} catch (IllegalArgumentException e) {
LOG.warn("Authentication Data in the header received is not Base64 encoded {}", request.getHeader("Authorization"));
}
break;
case "BEARER":
if (!_acceptBearerTokenUnencrypted && !request.isSecure()) {
throw new PermissionDeniedCacheException("not allowed to send bearer token unencrypted");
}
try {
subject.getPrivateCredentials().add(new BearerTokenCredential(info.getData()));
} catch (IllegalArgumentException e) {
LOG.info("Bearer Token in invalid {}", request.getHeader("Authorization"));
}
break;
default:
LOG.debug("Unknown authentication scheme {}", info.getScheme());
}
}
}
use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.
the class KpwdPlugin method map.
/**
* Maps KpwdPrincipal, DN, and Kerberos Principal to UserName, UID and GID.
* <p>
* Authorizes user name, DN, Kerberos principal, UID and GID.
*/
@SuppressWarnings({ "null", "deprecation" })
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
KpwdPrincipal kpwd = getFirst(filter(principals, KpwdPrincipal.class), null);
boolean havePrimaryGid = false;
if (kpwd == null) {
KAuthFile authFile = getAuthFile();
String loginName = null;
Principal principal = null;
for (Principal p : principals) {
if (p instanceof LoginNamePrincipal) {
checkAuthentication(loginName == null, errorMessage(principal, p));
loginName = p.getName();
} else if (p instanceof GlobusPrincipal) {
checkAuthentication(principal == null, errorMessage(principal, p));
principal = p;
} else if (p instanceof KerberosPrincipal) {
checkAuthentication(principal == null, errorMessage(principal, p));
principal = p;
} else if (p instanceof UserNamePrincipal) {
/*
* This case handles e.g. authenticated dcap
* doors, particularly statement like
*
* mapping "user1" user2
*
* in kpwd file
*/
checkAuthentication(principal == null, errorMessage(principal, p));
principal = p;
} else if (p instanceof GidPrincipal) {
havePrimaryGid |= ((GidPrincipal) p).isPrimaryGroup();
}
}
checkAuthentication(principal != null, "no mappable principals");
if (loginName == null) {
loginName = authFile.getIdMapping(principal.getName());
checkAuthentication(loginName != null, "no login name");
}
UserAuthRecord authRecord = authFile.getUserRecord(loginName);
checkAuthentication(authRecord != null, "unknown login name: " + loginName);
checkAuthentication(authRecord.hasSecureIdentity(principal.getName()), "not allowed to login as " + loginName);
authRecord.DN = principal.getName();
kpwd = new KpwdPrincipal(authRecord);
} else {
havePrimaryGid |= principals.stream().filter(GidPrincipal.class::isInstance).map(GidPrincipal.class::cast).anyMatch(GidPrincipal::isPrimaryGroup);
}
principals.add(kpwd);
/* We explicitly check whether the user record is banned and
* don't authorize the remaining principals. We do however
* authorize the KpwdPrincipal to allow blacklisting in the
* account step.
*/
checkAuthentication(!kpwd.isDisabled, "account disabled");
principals.add(new UserNamePrincipal(kpwd.getName()));
principals.add(new UidPrincipal(kpwd.uid));
for (long gid : kpwd.gids) {
principals.add(new GidPrincipal(gid, !havePrimaryGid));
havePrimaryGid = true;
}
}
Aggregations