
Example 1 with UserAuthzInformation

use of org.dcache.gplazma.plugins.AuthzMapLineParser.UserAuthzInformation in project dcache by dCache.

From class AuthzDbPlugin, method session.

/**
 * Attaches the per-session attributes (home, root, read-only restriction,
 * upload limit) that the authz map records for the logged-in user name.
 *
 * @param authorizedPrincipals the principals the login ended up with; must
 *        contain a UserNamePrincipal, which selects the authz-map entries
 * @param attrib the attribute set the matched entries are added to
 * @throws AuthenticationException if there is no UserNamePrincipal or the
 *         authz map has no entry matching the user name
 */
@Override
public void session(Set<Principal> authorizedPrincipals, Set<Object> attrib) throws AuthenticationException {
    /* The session attributes are keyed off the user name; without a
     * UserNamePrincipal there is nothing to look up in the map.
     */
    Principal userPrincipal = find(authorizedPrincipals, instanceOf(UserNamePrincipal.class), null);
    checkAuthentication(userPrincipal != null, "no username principal");

    Collection<UserAuthzInformation> matches = _map.getValuesForPredicatesMatching(userPrincipal.getName());
    checkAuthentication(!matches.isEmpty(), "no mapping found for " + userPrincipal);

    /* Every matching entry contributes its attributes.  NOTE(review): with
     * more than one matching entry, several HomeDirectory/RootDirectory
     * attributes end up in attrib — confirm the consumer resolves that
     * deterministically.
     */
    for (UserAuthzInformation entry : matches) {
        attrib.add(new HomeDirectory(entry.getHome()));
        attrib.add(new RootDirectory(entry.getRoot()));
        if (entry.isReadOnly()) {
            attrib.add(Restrictions.readOnly());
        }
        // An absent upload limit leaves attrib untouched.
        entry.getMaxUpload().ifPresent(limit -> attrib.add(new MaxUploadSize(limit)));
    }
}

Example 2 with UserAuthzInformation

use of org.dcache.gplazma.plugins.AuthzMapLineParser.UserAuthzInformation in project dcache by dCache.

From class AuthzDbPlugin, method map.

/**
 * Maps the principals collected during authentication to the UID and GIDs
 * granted by the authz map, adding the resulting principals in place.
 *
 * <p>Only LoginNamePrincipal, LoginUidPrincipal, LoginGidPrincipal,
 * UserNamePrincipal, GroupNamePrincipal and GidPrincipal influence the
 * outcome; any other principal type is ignored.
 *
 * @param principals the principals established so far; a UidPrincipal, one
 *        or more GidPrincipals and possibly a replacement UserNamePrincipal
 *        are added to this set
 * @throws AuthenticationException if a principal type that must be unique
 *         occurs more than once, or if a requested login name, UID or GID is
 *         not among the values the authz map grants for the user's names
 *         (each rejection goes through checkAuthentication)
 */
@Override
public void map(Set<Principal> principals) throws AuthenticationException {
    /* Classify input principals.  'names' (the user name plus every group
     * name) are the keys looked up in _map below; the login* values are
     * presumably the identity the client asked for and are validated
     * against what the map grants before they are used.
     */
    List<String> names = Lists.newArrayList();
    String loginName = null;
    Long loginUid = null;
    Long loginGid = null;
    String userName = null;
    String primaryGroup = null;
    boolean hasPrimaryGid = false;
    for (Principal principal : principals) {
        if (principal instanceof LoginNamePrincipal) {
            // Each login* value and the user name may occur at most once.
            checkAuthentication(loginName == null, "multiple login names");
            loginName = principal.getName();
        } else if (principal instanceof LoginUidPrincipal) {
            checkAuthentication(loginUid == null, "multiple login UIDs");
            loginUid = ((LoginUidPrincipal) principal).getUid();
        } else if (principal instanceof LoginGidPrincipal) {
            checkAuthentication(loginGid == null, "multiple login GIDs");
            loginGid = ((LoginGidPrincipal) principal).getGid();
        } else if (principal instanceof UserNamePrincipal) {
            checkAuthentication(userName == null, "multiple usernames");
            userName = principal.getName();
            names.add(userName);
        } else if (principal instanceof GroupNamePrincipal) {
            // Only one group may be flagged primary; all group names are lookup keys.
            if (((GroupNamePrincipal) principal).isPrimaryGroup()) {
                checkAuthentication(primaryGroup == null, "multiple primary group names");
                primaryGroup = principal.getName();
            }
            names.add(principal.getName());
        } else if (principal instanceof GidPrincipal) {
            // Remembered so the mapped GID below is only made primary if none exists yet.
            hasPrimaryGid |= ((GidPrincipal) principal).isPrimaryGroup();
        }
    }
    /* Determine the UIDs and GIDs available to the user: every authz-map
     * entry matching any of the collected names contributes its UID and
     * all of its GIDs.
     */
    List<Long> uids = Lists.newArrayList();
    List<Long> gids = Lists.newArrayList();
    for (String name : names) {
        Collection<UserAuthzInformation> mappings = _map.getValuesForPredicatesMatching(name);
        for (UserAuthzInformation mapping : mappings) {
            uids.add(mapping.getUid());
            gids.addAll(Longs.asList(mapping.getGids()));
        }
    }
    /* Verify that the login name, login UID and login GID are among the
     * valid values.  These checks are what stops a client from requesting
     * a name, UID or GID the map does not grant it; a request that was not
     * made (null) is trivially accepted.
     */
    checkAuthentication(loginName == null || names.contains(loginName), "not authorized to use login name: " + loginName);
    checkAuthentication(loginUid == null || uids.contains(loginUid), "not authorized to use UID: " + loginUid);
    checkAuthentication(loginGid == null || gids.contains(loginGid), "not authorized to use GID: " + loginGid);
    /* Pick a UID and user name.  Which candidate wins is decided by
     * getEntity according to _uidOrder (both defined outside this method).
     * NOTE(review): assumes getEntity never returns null — a null here
     * would surface as a NullPointerException on the next line.
     */
    UserAuthzInformation user = getEntity(_uidOrder, loginUid, null, loginName, userName, primaryGroup);
    principals.add(new UidPrincipal(user.getUid()));
    if (user.getUsername() != null) {
        // If the UID is not based on the user name but on some other principal,
        // the UserNamePrincipal may be inconsistent with the UID.  Since space
        // manager uses the user name for authorization, replace the principal
        // with the one matching the selected UID.
        removeIf(principals, instanceOf(UserNamePrincipal.class));
        principals.add(new UserNamePrincipal(user.getUsername()));
    }
    /* Pick the first gid.  This is the primary gid provided the user does
     * not already have a primary gid.  The entry is chosen by _gidOrder,
     * independently of the one chosen for the UID.
     * NOTE(review): an entry with an empty GID array would fail here with
     * ArrayIndexOutOfBoundsException rather than AuthenticationException —
     * confirm the parser guarantees at least one GID per entry.
     */
    UserAuthzInformation group = getEntity(_gidOrder, null, loginGid, loginName, userName, primaryGroup);
    long primaryGid = group.getGids()[0];
    principals.add(new GidPrincipal(primaryGid, !hasPrimaryGid));
    /* Add remaining GIDs as non-primary; the primary value is skipped so it
     * is not added a second time.
     */
    for (long gid : gids) {
        if (gid != primaryGid) {
            principals.add(new GidPrincipal(gid, false));
        }
    }
}

Example 3 with UserAuthzInformation

use of org.dcache.gplazma.plugins.AuthzMapLineParser.UserAuthzInformation in project dcache by dCache.

From class CachedAuthzMapTest, method testValidUsername.

/**
 * A user name present in the fixture must resolve to exactly the entry
 * recorded there (UID, single GID, home, root, read-write access) and
 * must not resolve to an unrelated entry.
 *
 * @throws IOException if the fixture cannot be loaded
 */
@Test
public void testValidUsername() throws IOException {
    Collection<UserAuthzInformation> matches =
          loadFixture(TEST_FIXTURE).getValuesForPredicatesMatching(VALID_USERNAME_RESPONSE);

    UserAuthzInformation expected = new UserAuthzInformation(VALID_USERNAME_RESPONSE, "read-write",
          VALID_USERNAME_UID, new long[] { VALID_USERNAME_GID }, "/ fff/fff/!@# $% /", "/", null,
          OptionalLong.empty());
    assertCollectionContains(matches, expected);

    // Same name but a bogus UID/GID and no paths: must not be reported as a match.
    UserAuthzInformation unrelated = new UserAuthzInformation(VALID_USERNAME_RESPONSE, null,
          INVALID_UID, new long[] { -1 }, null, null, null, OptionalLong.empty());
    assertCollectionContainsNot(matches, unrelated);
}
