Example 1 with MaxUploadSize
use of org.dcache.auth.attributes.MaxUploadSize in project dcache by dCache.
the class AuthzDbPlugin method session.
@Override
public void session(Set<Principal> authorizedPrincipals, Set<Object> attrib) throws AuthenticationException {
Principal principal = find(authorizedPrincipals, instanceOf(UserNamePrincipal.class), null);
checkAuthentication(principal != null, "no username principal");
Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(principal.getName());
checkAuthentication(!mappings.isEmpty(), "no mapping found for " + principal);
for (UserAuthzInformation mapping : mappings) {
attrib.add(new HomeDirectory(mapping.getHome()));
attrib.add(new RootDirectory(mapping.getRoot()));
if (mapping.isReadOnly()) {
attrib.add(Restrictions.readOnly());
}
mapping.getMaxUpload().ifPresent(s -> {
attrib.add(new MaxUploadSize(s));
});
}
}
Also used :
UserNamePrincipal(org.dcache.auth.UserNamePrincipal)
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
UserAuthzInformation(org.dcache.gplazma.plugins.AuthzMapLineParser.UserAuthzInformation)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
LoginUidPrincipal(org.dcache.auth.LoginUidPrincipal)
LoginGidPrincipal(org.dcache.auth.LoginGidPrincipal)
GroupNamePrincipal(org.dcache.auth.GroupNamePrincipal)
GidPrincipal(org.dcache.auth.GidPrincipal)
UserNamePrincipal(org.dcache.auth.UserNamePrincipal)
LoginNamePrincipal(org.dcache.auth.LoginNamePrincipal)
Principal(java.security.Principal)
UidPrincipal(org.dcache.auth.UidPrincipal)
Example 2 with MaxUploadSize
use of org.dcache.auth.attributes.MaxUploadSize in project dcache by dCache.
the class AbstractFtpDoorV1 method acceptLogin.
protected void acceptLogin(Subject mappedSubject, Set<LoginAttribute> loginAttributes, Restriction restriction, FsPath doorRootPath) {
FsPath userRootPath = FsPath.ROOT;
String userHomePath = "/";
for (LoginAttribute attribute : loginAttributes) {
if (attribute instanceof RootDirectory) {
userRootPath = FsPath.create(((RootDirectory) attribute).getRoot());
} else if (attribute instanceof HomeDirectory) {
userHomePath = ((HomeDirectory) attribute).getHome();
} else if (attribute instanceof MaxUploadSize) {
long max = ((MaxUploadSize) attribute).getMaximumSize();
if (!_maximumUploadSize.isPresent() || max < _maximumUploadSize.getAsLong()) {
_maximumUploadSize = OptionalLong.of(max);
}
}
}
_authz = Restrictions.concat(_doorRestriction, restriction);
String cwd;
if (doorRootPath == null) {
doorRootPath = userRootPath;
cwd = userHomePath;
} else {
if (userRootPath.hasPrefix(doorRootPath)) {
cwd = userRootPath.chroot(userHomePath).stripPrefix(doorRootPath);
} else {
cwd = "/";
}
}
_pnfs = _settings.createPnfsHandler(_cellEndpoint);
_pnfs.setSubject(mappedSubject);
_pnfs.setRestriction(_authz);
_listSource = new ListDirectoryHandler(_pnfs);
_subject = mappedSubject;
_cwd = cwd;
_doorRootPath = doorRootPath;
_userRootPath = userRootPath;
_userHomePath = FsPath.create(userHomePath);
_identityResolver = _identityResolverFactory.withSubject(mappedSubject);
}
Also used :
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
ListDirectoryHandler(org.dcache.util.list.ListDirectoryHandler)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
FsPath(diskCacheV111.util.FsPath)
Example 3 with MaxUploadSize
use of org.dcache.auth.attributes.MaxUploadSize in project dcache by dCache.
the class MacaroonLoginStrategy method login.
@Override
public LoginReply login(Subject subject) throws CacheException {
LOGGER.debug("Login attempted: {}", subject);
Origin origin = extractClientIP(subject);
String macaroon = extractCredential(subject);
try {
MacaroonContext context = processor.expandMacaroon(macaroon, origin.getAddress());
LoginReply reply = new LoginReply();
FsPath root = context.getRoot().orElse(FsPath.ROOT);
Set<LoginAttribute> attributes = reply.getLoginAttributes();
attributes.add(new HomeDirectory(context.getHome().orElse(FsPath.ROOT)));
attributes.add(new RootDirectory(root));
context.getExpiry().map(Expiry::new).ifPresent(attributes::add);
context.getPath().map(root::chroot).map(PrefixRestriction::new).ifPresent(attributes::add);
context.getAllowedActivities().map(EnumSet::complementOf).map(DenyActivityRestriction::new).ifPresent(attributes::add);
context.getMaxUpload().ifPresent(s -> attributes.add(new MaxUploadSize(s)));
Set<Principal> principals = reply.getSubject().getPrincipals();
principals.add(new UidPrincipal(context.getUid()));
principals.addAll(asGidPrincipals(context.getGids()));
principals.add(new UserNamePrincipal(context.getUsername()));
principals.add(origin);
principals.add(new MacaroonPrincipal(context.getId()));
LOGGER.debug("Login successful: {}", reply);
return reply;
} catch (InvalidMacaroonException e) {
throw new PermissionDeniedCacheException("macaroon login denied: " + e.getMessage());
}
}
Also used :
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
EnumSet(java.util.EnumSet)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
MacaroonContext(org.dcache.macaroons.MacaroonContext)
PermissionDeniedCacheException(diskCacheV111.util.PermissionDeniedCacheException)
InvalidMacaroonException(org.dcache.macaroons.InvalidMacaroonException)
Principal(java.security.Principal)
FsPath(diskCacheV111.util.FsPath)
Example 4 with MaxUploadSize
use of org.dcache.auth.attributes.MaxUploadSize in project dcache by dCache.
the class MacaroonRequestHandler method buildContext.
private MacaroonContext buildContext(String target, Request request) throws ErrorResponseException {
MacaroonContext context = new MacaroonContext();
FsPath desiredPath = _pathMapper.asDcachePath(request, target);
FsPath userRoot = FsPath.ROOT;
FsPath prefixRestrictionPath = null;
for (LoginAttribute attr : AuthenticationHandler.getLoginAttributes(request)) {
if (attr instanceof HomeDirectory) {
context.setHome(FsPath.ROOT.resolve(((HomeDirectory) attr).getHome()));
} else if (attr instanceof RootDirectory) {
userRoot = FsPath.ROOT.resolve(((RootDirectory) attr).getRoot());
} else if (attr instanceof Expiry) {
context.updateExpiry(((Expiry) attr).getExpiry());
} else if (attr instanceof DenyActivityRestriction) {
context.removeActivities(((DenyActivityRestriction) attr).getDenied());
} else if (attr instanceof PrefixRestriction) {
ImmutableSet<FsPath> paths = ((PrefixRestriction) attr).getPrefixes();
if (target.equals("/")) {
checkArgument(paths.size() == 1, "Cannot serialise with multiple path restrictions");
prefixRestrictionPath = paths.iterator().next();
} else {
prefixRestrictionPath = paths.stream().filter(desiredPath::hasPrefix).findFirst().orElseThrow(() -> new ErrorResponseException(SC_BAD_REQUEST, "Bad request path: Desired path not within existing path"));
}
} else if (attr instanceof Restriction) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot serialise restriction " + attr.getClass().getSimpleName());
} else if (attr instanceof MaxUploadSize) {
try {
context.updateMaxUpload(((MaxUploadSize) attr).getMaximumSize());
} catch (InvalidCaveatException e) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot add max-upload: " + e.getMessage());
}
}
}
Subject subject = getSubject();
context.setUid(Subjects.getUid(subject));
context.setGids(Subjects.getGids(subject));
context.setUsername(Subjects.getUserName(subject));
FsPath effectiveRoot = _pathMapper.effectiveRoot(userRoot, m -> new ErrorResponseException(SC_BAD_REQUEST, m));
context.setRoot(effectiveRoot);
FsPath path = prefixRestrictionPath != null ? prefixRestrictionPath : target.equals("/") ? null : desiredPath;
if (path != null) {
context.setPath(path.stripPrefix(effectiveRoot));
}
return context;
}
Also used :
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException)
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
Subject(javax.security.auth.Subject)
MacaroonContext(org.dcache.macaroons.MacaroonContext)
Restriction(org.dcache.auth.attributes.Restriction)
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction)
Expiry(org.dcache.auth.attributes.Expiry)
DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction)
FsPath(diskCacheV111.util.FsPath)
Example 5 with MaxUploadSize
use of org.dcache.auth.attributes.MaxUploadSize in project dcache by dCache.
the class ConfigurationParser method parseAttributes.
private List<LoginAttribute> parseAttributes(String description) throws BadLineException {
List<LoginAttribute> attributes = new ArrayList<>();
boolean isReadOnly = false;
Set<Class<? extends LoginAttribute>> addedAttributes = new HashSet<>();
for (String attr : Splitter.on(' ').omitEmptyStrings().split(description)) {
try {
if (attr.equals("read-only")) {
checkBadLine(!isReadOnly, "already defined 'read-only'");
isReadOnly = true;
attributes.add(Restrictions.readOnly());
continue;
}
int idx = attr.indexOf(':');
checkBadLine(idx > -1, "Missing ':'");
checkBadLine(idx != 0, "Missing type");
checkBadLine(idx < attr.length() - 1, "Missing argument");
String type = attr.substring(0, idx);
String arg = attr.substring(idx + 1);
if (PATH_ATTRIBUTES.contains(type)) {
checkBadLine(arg.startsWith("/"), "Argument must be an absolute" + " path");
}
LoginAttribute attribute;
switch(type) {
case "root":
attribute = new RootDirectory(arg);
break;
case "home":
attribute = new HomeDirectory(arg);
break;
case "prefix":
attribute = new PrefixRestriction(FsPath.create(arg));
break;
case "max-upload":
try {
attribute = new MaxUploadSize(SIZE_PARSER.parse(arg));
} catch (NumberFormatException e) {
throw new BadLineException("Bad file size: " + e.getMessage());
}
break;
default:
throw new BadLineException("Unknown type \"" + type + "\"");
}
if (!addedAttributes.add(attribute.getClass())) {
throw new BadLineException("Multiple " + type + " defined.");
}
attributes.add(attribute);
} catch (BadLineException e) {
throw new BadLineException("Bad attribute \"" + attr + "\": " + e.getMessage());
}
}
return attributes;
}
Also used :
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
ArrayList(java.util.ArrayList)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
HashSet(java.util.HashSet)
Aggregations
HomeDirectory (org.dcache.auth.attributes.HomeDirectory)5
MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize)5
RootDirectory (org.dcache.auth.attributes.RootDirectory)5
LoginAttribute (org.dcache.auth.attributes.LoginAttribute)4
FsPath (diskCacheV111.util.FsPath)3
Principal (java.security.Principal)2
PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction)2
MacaroonContext (org.dcache.macaroons.MacaroonContext)2
PermissionDeniedCacheException (diskCacheV111.util.PermissionDeniedCacheException)1
ArrayList (java.util.ArrayList)1
EnumSet (java.util.EnumSet)1
HashSet (java.util.HashSet)1
Subject (javax.security.auth.Subject)1
GidPrincipal (org.dcache.auth.GidPrincipal)1
GroupNamePrincipal (org.dcache.auth.GroupNamePrincipal)1
LoginGidPrincipal (org.dcache.auth.LoginGidPrincipal)1
LoginNamePrincipal (org.dcache.auth.LoginNamePrincipal)1
LoginUidPrincipal (org.dcache.auth.LoginUidPrincipal)1
UidPrincipal (org.dcache.auth.UidPrincipal)1
UserNamePrincipal (org.dcache.auth.UserNamePrincipal)1
