
Example 11 with HomeDirectory

Use of org.dcache.auth.attributes.HomeDirectory in project dcache by dCache.

From class MacaroonLoginStrategy, method login:

@Override
public LoginReply login(Subject subject) throws CacheException {
    LOGGER.debug("Login attempted: {}", subject);
    Origin origin = extractClientIP(subject);
    String macaroon = extractCredential(subject);
    try {
        // Verify the macaroon and its caveats against the client's address;
        // an invalid macaroon or an unsatisfied caveat throws InvalidMacaroonException.
        MacaroonContext context = processor.expandMacaroon(macaroon, origin.getAddress());
        LoginReply reply = new LoginReply();
        FsPath root = context.getRoot().orElse(FsPath.ROOT);
        Set<LoginAttribute> attributes = reply.getLoginAttributes();
        attributes.add(new HomeDirectory(context.getHome().orElse(FsPath.ROOT)));
        attributes.add(new RootDirectory(root));
        // Map the macaroon's caveats onto login attributes: expiry, a path prefix
        // resolved relative to the root, the denied activities (the complement of
        // the activities the macaroon allows) and the maximum upload size.
        context.getExpiry().map(Expiry::new).ifPresent(attributes::add);
        context.getPath().map(root::chroot).map(PrefixRestriction::new).ifPresent(attributes::add);
        context.getAllowedActivities().map(EnumSet::complementOf).map(DenyActivityRestriction::new).ifPresent(attributes::add);
        context.getMaxUpload().ifPresent(s -> attributes.add(new MaxUploadSize(s)));
        // The identity comes from the macaroon itself, plus the client origin
        // and the macaroon's identifier.
        Set<Principal> principals = reply.getSubject().getPrincipals();
        principals.add(new UidPrincipal(context.getUid()));
        principals.addAll(asGidPrincipals(context.getGids()));
        principals.add(new UserNamePrincipal(context.getUsername()));
        principals.add(origin);
        principals.add(new MacaroonPrincipal(context.getId()));
        LOGGER.debug("Login successful: {}", reply);
        return reply;
    } catch (InvalidMacaroonException e) {
        throw new PermissionDeniedCacheException("macaroon login denied: " + e.getMessage());
    }
}
Also used: HomeDirectory (org.dcache.auth.attributes.HomeDirectory), LoginAttribute (org.dcache.auth.attributes.LoginAttribute), MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize), EnumSet (java.util.EnumSet), RootDirectory (org.dcache.auth.attributes.RootDirectory), MacaroonContext (org.dcache.macaroons.MacaroonContext), PermissionDeniedCacheException (diskCacheV111.util.PermissionDeniedCacheException), InvalidMacaroonException (org.dcache.macaroons.InvalidMacaroonException), Principal (java.security.Principal), FsPath (diskCacheV111.util.FsPath)

Example 12 with HomeDirectory

Use of org.dcache.auth.attributes.HomeDirectory in project dcache by dCache.

From class GPlazmaTests, method runLoginAssertions:

private void runLoginAssertions(Configuration config) throws AuthenticationException {
    assertFalse(CheckUIDAccountPlugin.isCalled());
    // do the work here
    LoginReply result = new GPlazma(newLoadStrategy(config), EMPTY_PROPERTIES).login(_inputSubject);
    // check the results
    assertTrue(CheckUIDAccountPlugin.isCalled());
    Set<Principal> expectedPrincipals = new HashSet<>();
    expectedPrincipals.add(new UserNamePrincipal(USER_NAME));
    expectedPrincipals.add(new UidPrincipal(ROOT_UID));
    expectedPrincipals.add(new GidPrincipal(ROOT_GID, true));
    Set<Principal> resultPrincipals = result.getSubject().getPrincipals();
    assertEquals(expectedPrincipals, resultPrincipals);
    Set<Object> expectedAttributes = new HashSet<>();
    expectedAttributes.add(new HomeDirectory(HOME_PATH_ARG_VALUE));
    expectedAttributes.add(new RootDirectory(ROOT_PATH_ARG_VALUE));
    expectedAttributes.add(Restrictions.readOnly());
    Set<Object> resultAttributes = result.getSessionAttributes();
    assertEquals(expectedAttributes, resultAttributes);
}
Also used: UserNamePrincipal (org.dcache.auth.UserNamePrincipal), HomeDirectory (org.dcache.auth.attributes.HomeDirectory), UidPrincipal (org.dcache.auth.UidPrincipal), RootDirectory (org.dcache.auth.attributes.RootDirectory), GidPrincipal (org.dcache.auth.GidPrincipal), Principal (java.security.Principal), HashSet (java.util.HashSet)

Example 13 with HomeDirectory

Use of org.dcache.auth.attributes.HomeDirectory in project dcache by dCache.

From class MacaroonRequestHandler, method buildContext:

private MacaroonContext buildContext(String target, Request request) throws ErrorResponseException {
    MacaroonContext context = new MacaroonContext();
    FsPath desiredPath = _pathMapper.asDcachePath(request, target);
    FsPath userRoot = FsPath.ROOT;
    FsPath prefixRestrictionPath = null;
    // Carry the requesting session's own login attributes over into the new
    // macaroon, so the macaroon can never grant more than the session has.
    for (LoginAttribute attr : AuthenticationHandler.getLoginAttributes(request)) {
        if (attr instanceof HomeDirectory) {
            context.setHome(FsPath.ROOT.resolve(((HomeDirectory) attr).getHome()));
        } else if (attr instanceof RootDirectory) {
            userRoot = FsPath.ROOT.resolve(((RootDirectory) attr).getRoot());
        } else if (attr instanceof Expiry) {
            context.updateExpiry(((Expiry) attr).getExpiry());
        } else if (attr instanceof DenyActivityRestriction) {
            context.removeActivities(((DenyActivityRestriction) attr).getDenied());
        } else if (attr instanceof PrefixRestriction) {
            ImmutableSet<FsPath> paths = ((PrefixRestriction) attr).getPrefixes();
            if (target.equals("/")) {
                // A macaroon carries a single path caveat only.
                checkArgument(paths.size() == 1, "Cannot serialise with multiple path restrictions");
                prefixRestrictionPath = paths.iterator().next();
            } else {
                // The requested target must lie inside one of the existing prefixes.
                prefixRestrictionPath = paths.stream().filter(desiredPath::hasPrefix).findFirst().orElseThrow(() -> new ErrorResponseException(SC_BAD_REQUEST, "Bad request path: Desired path not within existing path"));
            }
        } else if (attr instanceof Restriction) {
            // Any other restriction cannot be expressed as a caveat: refuse the
            // request rather than silently issuing a macaroon without it.
            throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot serialise restriction " + attr.getClass().getSimpleName());
        } else if (attr instanceof MaxUploadSize) {
            try {
                context.updateMaxUpload(((MaxUploadSize) attr).getMaximumSize());
            } catch (InvalidCaveatException e) {
                throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot add max-upload: " + e.getMessage());
            }
        }
    }
    // The macaroon's identity is the identity of the session that requests it.
    Subject subject = getSubject();
    context.setUid(Subjects.getUid(subject));
    context.setGids(Subjects.getGids(subject));
    context.setUsername(Subjects.getUserName(subject));
    FsPath effectiveRoot = _pathMapper.effectiveRoot(userRoot, m -> new ErrorResponseException(SC_BAD_REQUEST, m));
    context.setRoot(effectiveRoot);
    // The path caveat is stored relative to the effective root.
    FsPath path = prefixRestrictionPath != null ? prefixRestrictionPath : target.equals("/") ? null : desiredPath;
    if (path != null) {
        context.setPath(path.stripPrefix(effectiveRoot));
    }
    return context;
}
Also used: PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction), InvalidCaveatException (org.dcache.macaroons.InvalidCaveatException), HomeDirectory (org.dcache.auth.attributes.HomeDirectory), LoginAttribute (org.dcache.auth.attributes.LoginAttribute), MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize), RootDirectory (org.dcache.auth.attributes.RootDirectory), Subject (javax.security.auth.Subject), MacaroonContext (org.dcache.macaroons.MacaroonContext), Restriction (org.dcache.auth.attributes.Restriction), DenyActivityRestriction (org.dcache.auth.attributes.DenyActivityRestriction), Expiry (org.dcache.auth.attributes.Expiry), FsPath (diskCacheV111.util.FsPath)

Example 14 with HomeDirectory

Use of org.dcache.auth.attributes.HomeDirectory in project dcache by dCache.

From class WorkaroundsResponseHandler, method respondUnauthorised:

@Override
public void respondUnauthorised(Resource resource, Response response, Request request) {
    // home directory for convenience.
    if (request.getAbsolutePath().equals("/") && request.getMethod() == Request.Method.GET) {
        Set<LoginAttribute> login = AuthenticationHandler.getLoginAttributes(ServletRequest.getRequest());
        FsPath userRoot = FsPath.ROOT;
        String userHome = "/";
        for (LoginAttribute attribute : login) {
            if (attribute instanceof RootDirectory) {
                userRoot = FsPath.create(((RootDirectory) attribute).getRoot());
            } else if (attribute instanceof HomeDirectory) {
                userHome = ((HomeDirectory) attribute).getHome();
            }
        }
        try {
            // Resolve the home directory inside the user's root before
            // translating it back into a request path.
            FsPath redirectFullPath = userRoot.chroot(userHome);
            String redirectPath = pathMapper.asRequestPath(ServletRequest.getRequest(), redirectFullPath);
            if (!redirectPath.equals("/")) {
                respondRedirect(response, request, redirectPath);
            }
            return;
        } catch (IllegalArgumentException ignored) {
            // chroot rejected the home path: fall back to the normal challenge below.
        }
    }
    // Otherwise answer with the configured WWW-Authenticate challenges.
    List<String> challenges = _authenticationService.getChallenges(resource, request);
    response.setAuthenticateHeader(challenges);
    super.respondUnauthorised(resource, response, request);
}
Also used: HomeDirectory (org.dcache.auth.attributes.HomeDirectory), LoginAttribute (org.dcache.auth.attributes.LoginAttribute), RootDirectory (org.dcache.auth.attributes.RootDirectory), FsPath (diskCacheV111.util.FsPath)

Example 15 with HomeDirectory

Use of org.dcache.auth.attributes.HomeDirectory in project dcache by dCache.

From class ConfigurationParser, method parseAttributes:

private List<LoginAttribute> parseAttributes(String description) throws BadLineException {
    List<LoginAttribute> attributes = new ArrayList<>();
    boolean isReadOnly = false;
    Set<Class<? extends LoginAttribute>> addedAttributes = new HashSet<>();
    // Each whitespace-separated attribute is either the bare word "read-only"
    // or "type:argument"; each attribute type may appear at most once.
    for (String attr : Splitter.on(' ').omitEmptyStrings().split(description)) {
        try {
            if (attr.equals("read-only")) {
                checkBadLine(!isReadOnly, "already defined 'read-only'");
                isReadOnly = true;
                attributes.add(Restrictions.readOnly());
                continue;
            }
            int idx = attr.indexOf(':');
            checkBadLine(idx > -1, "Missing ':'");
            checkBadLine(idx != 0, "Missing type");
            checkBadLine(idx < attr.length() - 1, "Missing argument");
            String type = attr.substring(0, idx);
            String arg = attr.substring(idx + 1);
            // Path-valued attributes (root, home, prefix) must be absolute paths.
            if (PATH_ATTRIBUTES.contains(type)) {
                checkBadLine(arg.startsWith("/"), "Argument must be an absolute path");
            }
            LoginAttribute attribute;
            switch (type) {
                case "root":
                    attribute = new RootDirectory(arg);
                    break;
                case "home":
                    attribute = new HomeDirectory(arg);
                    break;
                case "prefix":
                    attribute = new PrefixRestriction(FsPath.create(arg));
                    break;
                case "max-upload":
                    try {
                        attribute = new MaxUploadSize(SIZE_PARSER.parse(arg));
                    } catch (NumberFormatException e) {
                        throw new BadLineException("Bad file size: " + e.getMessage());
                    }
                    break;
                default:
                    throw new BadLineException("Unknown type \"" + type + "\"");
            }
            // Reject a second attribute of the same class rather than letting a
            // later definition silently override an earlier one.
            if (!addedAttributes.add(attribute.getClass())) {
                throw new BadLineException("Multiple " + type + " defined.");
            }
            attributes.add(attribute);
        } catch (BadLineException e) {
            throw new BadLineException("Bad attribute \"" + attr + "\": " + e.getMessage());
        }
    }
    return attributes;
}
Also used: PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction), HomeDirectory (org.dcache.auth.attributes.HomeDirectory), LoginAttribute (org.dcache.auth.attributes.LoginAttribute), MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize), ArrayList (java.util.ArrayList), RootDirectory (org.dcache.auth.attributes.RootDirectory), HashSet (java.util.HashSet)

Aggregations (number of examples using each type)

HomeDirectory (org.dcache.auth.attributes.HomeDirectory): 16
RootDirectory (org.dcache.auth.attributes.RootDirectory): 14
LoginAttribute (org.dcache.auth.attributes.LoginAttribute): 7
Principal (java.security.Principal): 5
MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize): 5
FsPath (diskCacheV111.util.FsPath): 4
Subject (javax.security.auth.Subject): 4
GidPrincipal (org.dcache.auth.GidPrincipal): 4
UidPrincipal (org.dcache.auth.UidPrincipal): 4
UserNamePrincipal (org.dcache.auth.UserNamePrincipal): 4
HashSet (java.util.HashSet): 3
GroupNamePrincipal (org.dcache.auth.GroupNamePrincipal): 3
ArrayList (java.util.ArrayList): 2
NamingException (javax.naming.NamingException): 2
Attributes (javax.naming.directory.Attributes): 2
BasicAttributes (javax.naming.directory.BasicAttributes): 2
PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction): 2
AuthenticationException (org.dcache.gplazma.AuthenticationException): 2
MacaroonContext (org.dcache.macaroons.MacaroonContext): 2
Test (org.junit.Test): 2