Examples with LoginNamePrincipal org.dcache.auth.LoginNamePrincipal used on opensource projects

Search in sources :

Example 1 with LoginNamePrincipal

use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.

the class AuthzDbPlugin method map.

@Override
public void map(Set<Principal> principals) throws AuthenticationException {
    /* Classify input principals.
         */
    List<String> names = Lists.newArrayList();
    String loginName = null;
    Long loginUid = null;
    Long loginGid = null;
    String userName = null;
    String primaryGroup = null;
    boolean hasPrimaryGid = false;
    for (Principal principal : principals) {
        if (principal instanceof LoginNamePrincipal) {
            checkAuthentication(loginName == null, "multiple login names");
            loginName = principal.getName();
        } else if (principal instanceof LoginUidPrincipal) {
            checkAuthentication(loginUid == null, "multiple login UIDs");
            loginUid = ((LoginUidPrincipal) principal).getUid();
        } else if (principal instanceof LoginGidPrincipal) {
            checkAuthentication(loginGid == null, "multiple login GIDs");
            loginGid = ((LoginGidPrincipal) principal).getGid();
        } else if (principal instanceof UserNamePrincipal) {
            checkAuthentication(userName == null, "multiple usernames");
            userName = principal.getName();
            names.add(userName);
        } else if (principal instanceof GroupNamePrincipal) {
            if (((GroupNamePrincipal) principal).isPrimaryGroup()) {
                checkAuthentication(primaryGroup == null, "multiple primary group names");
                primaryGroup = principal.getName();
            }
            names.add(principal.getName());
        } else if (principal instanceof GidPrincipal) {
            hasPrimaryGid |= ((GidPrincipal) principal).isPrimaryGroup();
        }
    }
    /* Determine the UIDs and GIDs available to the user
         */
    List<Long> uids = Lists.newArrayList();
    List<Long> gids = Lists.newArrayList();
    for (String name : names) {
        Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(name);
        for (UserAuthzInformation mapping : mappings) {
            uids.add(mapping.getUid());
            gids.addAll(Longs.asList(mapping.getGids()));
        }
    }
    /* Verify that the login name, login UID and login GID are
         * among the valid values.
         */
    checkAuthentication(loginName == null || names.contains(loginName), "not authorized to use login name: " + loginName);
    checkAuthentication(loginUid == null || uids.contains(loginUid), "not authorized to use UID: " + loginUid);
    checkAuthentication(loginGid == null || gids.contains(loginGid), "not authorized to use GID: " + loginGid);
    /* Pick a UID and user name.
         */
    UserAuthzInformation user = getEntity(_uidOrder, loginUid, null, loginName, userName, primaryGroup);
    principals.add(new UidPrincipal(user.getUid()));
    if (user.getUsername() != null) {
        // If UID is not based on user name but on some other principle, then it
        // may be that the UserNamePrincipal is inconsistent with the UID. Since
        // space manager uses user name for authorization, we replace the principal
        // with the on matching the selected UID.
        removeIf(principals, instanceOf(UserNamePrincipal.class));
        principals.add(new UserNamePrincipal(user.getUsername()));
    }
    /* Pick the first gid.  This is the primary gid provided the user does
         * not already have a primary gid.
         */
    UserAuthzInformation group = getEntity(_gidOrder, null, loginGid, loginName, userName, primaryGroup);
    long primaryGid = group.getGids()[0];
    principals.add(new GidPrincipal(primaryGid, !hasPrimaryGid));
    /* Add remaining GIDs.
         */
    for (long gid : gids) {
        if (gid != primaryGid) {
            principals.add(new GidPrincipal(gid, false));
        }
    }
}
Also used : LoginUidPrincipal(org.dcache.auth.LoginUidPrincipal) UserAuthzInformation(org.dcache.gplazma.plugins.AuthzMapLineParser.UserAuthzInformation) GroupNamePrincipal(org.dcache.auth.GroupNamePrincipal) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) UserNamePrincipal(org.dcache.auth.UserNamePrincipal) LoginUidPrincipal(org.dcache.auth.LoginUidPrincipal) UidPrincipal(org.dcache.auth.UidPrincipal) OptionalLong(java.util.OptionalLong) LoginGidPrincipal(org.dcache.auth.LoginGidPrincipal) LoginUidPrincipal(org.dcache.auth.LoginUidPrincipal) LoginGidPrincipal(org.dcache.auth.LoginGidPrincipal) GroupNamePrincipal(org.dcache.auth.GroupNamePrincipal) GidPrincipal(org.dcache.auth.GidPrincipal) UserNamePrincipal(org.dcache.auth.UserNamePrincipal) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) Principal(java.security.Principal) UidPrincipal(org.dcache.auth.UidPrincipal) LoginGidPrincipal(org.dcache.auth.LoginGidPrincipal) GidPrincipal(org.dcache.auth.GidPrincipal)

Example 2 with LoginNamePrincipal

use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.

the class MutatorPluginTest method testMutation.

@Test
public void testMutation() throws Exception {
    Properties prop = new Properties();
    prop.setProperty(MutatorPlugin.IN_OPTION, "org.dcache.auth.LoginNamePrincipal");
    prop.setProperty(MutatorPlugin.OUT_OPTION, "username");
    MutatorPlugin mutator = new MutatorPlugin(prop);
    Set<Principal> principals = Sets.newHashSet((Principal) new LoginNamePrincipal("myname"));
    mutator.map(principals);
    // will throw exception if no  match
    find(principals, instanceOf(UserNamePrincipal.class));
}
Also used : UserNamePrincipal(org.dcache.auth.UserNamePrincipal) Properties(java.util.Properties) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) UserNamePrincipal(org.dcache.auth.UserNamePrincipal) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) Principal(java.security.Principal) Test(org.junit.Test)

Example 3 with LoginNamePrincipal

use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.

the class GssFtpDoorV1 method ftp_user.

@Override
public void ftp_user(String arg) throws FTPCommandException {
    checkFTPCommand(!arg.isEmpty(), 500, "Missing argument");
    checkFTPCommand(context != null && context.isEstablished(), 530, "Authentication required");
    Subject subject = context.getSubject();
    subject.getPrincipals().add(_origin);
    if (!arg.equals(GLOBUS_URL_COPY_DEFAULT_USER)) {
        subject.getPrincipals().add(new LoginNamePrincipal(arg));
    }
    try {
        login(subject);
        reply("200 User " + arg + " logged in");
    } catch (PermissionDeniedCacheException e) {
        LOGGER.warn("Login denied for {}: {}", context.getPeerName(), e.getMessage());
        throw new FTPCommandException(530, "Login denied");
    } catch (CacheException e) {
        LOGGER.error("Login failed for {}: {}", context.getPeerName(), e.getMessage());
        throw new FTPCommandException(530, "Login failed: " + e.getMessage());
    }
}
Also used : PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException) PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException) CacheException(diskCacheV111.util.CacheException) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) Subject(javax.security.auth.Subject)

Example 4 with LoginNamePrincipal

use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.

the class AuthenticationHandler method addAuthCredentialsToSubject.

private void addAuthCredentialsToSubject(HttpServletRequest request, Subject subject) throws PermissionDeniedCacheException {
    Optional<AuthInfo> optional = parseAuthenticationHeader(request);
    if (optional.isPresent()) {
        AuthInfo info = optional.get();
        switch(info.getScheme()) {
            case HttpServletRequest.BASIC_AUTH:
                if (!_isBasicAuthenticationEnabled) {
                    return;
                }
                try {
                    byte[] bytes = Base64.getDecoder().decode(info.getData().getBytes(StandardCharsets.US_ASCII));
                    String credential = new String(bytes, StandardCharsets.UTF_8);
                    int colon = credential.indexOf(":");
                    if (colon >= 0) {
                        String user = credential.substring(0, colon);
                        int lastHash = user.lastIndexOf('#');
                        if (lastHash != -1 && lastHash < (user.length() - 1)) {
                            Splitter.on(',').trimResults().omitEmptyStrings().split(user.substring(lastHash + 1)).forEach(r -> subject.getPrincipals().add(new DesiredRole(r)));
                            user = user.substring(0, lastHash);
                        }
                        String password = credential.substring(colon + 1);
                        subject.getPrivateCredentials().add(new PasswordCredential(user, password));
                    } else {
                        subject.getPrincipals().add(new LoginNamePrincipal(credential));
                    }
                } catch (IllegalArgumentException e) {
                    LOG.warn("Authentication Data in the header received is not Base64 encoded {}", request.getHeader("Authorization"));
                }
                break;
            case "BEARER":
                if (!_acceptBearerTokenUnencrypted && !request.isSecure()) {
                    throw new PermissionDeniedCacheException("not allowed to send bearer token unencrypted");
                }
                try {
                    subject.getPrivateCredentials().add(new BearerTokenCredential(info.getData()));
                } catch (IllegalArgumentException e) {
                    LOG.info("Bearer Token in invalid {}", request.getHeader("Authorization"));
                }
                break;
            default:
                LOG.debug("Unknown authentication scheme {}", info.getScheme());
        }
    }
}
Also used : PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException) PasswordCredential(org.dcache.auth.PasswordCredential) DesiredRole(org.dcache.auth.DesiredRole) BearerTokenCredential(org.dcache.auth.BearerTokenCredential) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal)

Example 5 with LoginNamePrincipal

use of org.dcache.auth.LoginNamePrincipal in project dcache by dCache.

the class KpwdPlugin method map.

/**
 * Maps KpwdPrincipal, DN, and Kerberos Principal to UserName, UID and GID.
 * <p>
 * Authorizes user name, DN, Kerberos principal, UID and GID.
 */
@SuppressWarnings({ "null", "deprecation" })
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
    KpwdPrincipal kpwd = getFirst(filter(principals, KpwdPrincipal.class), null);
    boolean havePrimaryGid = false;
    if (kpwd == null) {
        KAuthFile authFile = getAuthFile();
        String loginName = null;
        Principal principal = null;
        for (Principal p : principals) {
            if (p instanceof LoginNamePrincipal) {
                checkAuthentication(loginName == null, errorMessage(principal, p));
                loginName = p.getName();
            } else if (p instanceof GlobusPrincipal) {
                checkAuthentication(principal == null, errorMessage(principal, p));
                principal = p;
            } else if (p instanceof KerberosPrincipal) {
                checkAuthentication(principal == null, errorMessage(principal, p));
                principal = p;
            } else if (p instanceof UserNamePrincipal) {
                /*
                     * This case handles e.g. authenticated dcap
                     * doors, particularly statement like
                     *
                     * mapping "user1" user2
                     *
                     * in kpwd file
                     */
                checkAuthentication(principal == null, errorMessage(principal, p));
                principal = p;
            } else if (p instanceof GidPrincipal) {
                havePrimaryGid |= ((GidPrincipal) p).isPrimaryGroup();
            }
        }
        checkAuthentication(principal != null, "no mappable principals");
        if (loginName == null) {
            loginName = authFile.getIdMapping(principal.getName());
            checkAuthentication(loginName != null, "no login name");
        }
        UserAuthRecord authRecord = authFile.getUserRecord(loginName);
        checkAuthentication(authRecord != null, "unknown login name: " + loginName);
        checkAuthentication(authRecord.hasSecureIdentity(principal.getName()), "not allowed to login as " + loginName);
        authRecord.DN = principal.getName();
        kpwd = new KpwdPrincipal(authRecord);
    } else {
        havePrimaryGid |= principals.stream().filter(GidPrincipal.class::isInstance).map(GidPrincipal.class::cast).anyMatch(GidPrincipal::isPrimaryGroup);
    }
    principals.add(kpwd);
    /* We explicitly check whether the user record is banned and
         * don't authorize the remaining principals. We do however
         * authorize the KpwdPrincipal to allow blacklisting in the
         * account step.
         */
    checkAuthentication(!kpwd.isDisabled, "account disabled");
    principals.add(new UserNamePrincipal(kpwd.getName()));
    principals.add(new UidPrincipal(kpwd.uid));
    for (long gid : kpwd.gids) {
        principals.add(new GidPrincipal(gid, !havePrimaryGid));
        havePrimaryGid = true;
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GlobusPrincipal(org.globus.gsi.gssapi.jaas.GlobusPrincipal) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) KAuthFile(org.dcache.auth.KAuthFile) UserNamePrincipal(org.dcache.auth.UserNamePrincipal) UserAuthRecord(org.dcache.auth.UserAuthRecord) UidPrincipal(org.dcache.auth.UidPrincipal) GlobusPrincipal(org.globus.gsi.gssapi.jaas.GlobusPrincipal) GidPrincipal(org.dcache.auth.GidPrincipal) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) UserNamePrincipal(org.dcache.auth.UserNamePrincipal) LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal) Principal(java.security.Principal) UidPrincipal(org.dcache.auth.UidPrincipal) GidPrincipal(org.dcache.auth.GidPrincipal)

Aggregations

LoginNamePrincipal (org.dcache.auth.LoginNamePrincipal)6 Principal (java.security.Principal)3 UserNamePrincipal (org.dcache.auth.UserNamePrincipal)3 PermissionDeniedCacheException (diskCacheV111.util.PermissionDeniedCacheException)2 Subject (javax.security.auth.Subject)2 GidPrincipal (org.dcache.auth.GidPrincipal)2 UidPrincipal (org.dcache.auth.UidPrincipal)2 CacheException (diskCacheV111.util.CacheException)1 OptionalLong (java.util.OptionalLong)1 Properties (java.util.Properties)1 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)1 BearerTokenCredential (org.dcache.auth.BearerTokenCredential)1 DesiredRole (org.dcache.auth.DesiredRole)1 GroupNamePrincipal (org.dcache.auth.GroupNamePrincipal)1 KAuthFile (org.dcache.auth.KAuthFile)1 LoginGidPrincipal (org.dcache.auth.LoginGidPrincipal)1 LoginReply (org.dcache.auth.LoginReply)1 LoginUidPrincipal (org.dcache.auth.LoginUidPrincipal)1 Origin (org.dcache.auth.Origin)1 PasswordCredential (org.dcache.auth.PasswordCredential)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial