Example 1 with InvalidCaveatException
use of org.dcache.macaroons.InvalidCaveatException in project dcache by dCache.
the class MacaroonRequestHandler method buildMacaroon.
private String buildMacaroon(String target, Request request) throws ErrorResponseException {
checkValidRequest(request.isSecure(), "Not secure transport");
if (Subjects.isNobody(getSubject())) {
throw new ErrorResponseException(SC_UNAUTHORIZED, "Authentication required");
}
MacaroonContext context = buildContext(target, request);
MacaroonRequest macaroonRequest = parseJSON(request);
try {
List<Caveat> caveats = new ArrayList<>();
List<Caveat> beforeCaveats = new ArrayList<>();
for (String serialisedCaveat : macaroonRequest.getCaveats()) {
Caveat caveat = new Caveat(serialisedCaveat);
(caveat.hasType(BEFORE) ? beforeCaveats : caveats).add(caveat);
}
macaroonRequest.getValidity().map(Duration::parse).map(Instant.now()::plus).map(i -> new Caveat(BEFORE, i)).ifPresent(beforeCaveats::add);
Instant expiry = calculateExpiry(context, beforeCaveats);
MacaroonProcessor.MacaroonBuildResult result = _processor.buildMacaroon(expiry, context, caveats);
request.setAttribute(MACAROON_ID_ATTRIBUTE, result.getId());
return result.getMacaroon();
} catch (DateTimeParseException e) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Bad validity value: " + e.getMessage());
} catch (InvalidCaveatException e) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Bad requested caveat: " + e.getMessage());
} catch (InternalErrorException e) {
throw new ErrorResponseException(SC_INTERNAL_SERVER_ERROR, "Internal error: " + e.getMessage());
}
}
Also used :
Request(org.eclipse.jetty.server.Request)
Restriction(org.dcache.auth.attributes.Restriction)
Subjects(org.dcache.auth.Subjects)
URISyntaxException(java.net.URISyntaxException)
LoggerFactory(org.slf4j.LoggerFactory)
Expiry(org.dcache.auth.attributes.Expiry)
GsonBuilder(com.google.gson.GsonBuilder)
Preconditions.checkArgument(com.google.common.base.Preconditions.checkArgument)
AuthenticationHandler(org.dcache.http.AuthenticationHandler)
JSONObject(org.json.JSONObject)
CharStreams(com.google.common.io.CharStreams)
PathMapper(org.dcache.http.PathMapper)
Duration(java.time.Duration)
URI(java.net.URI)
CDC(dmg.cells.nucleus.CDC)
PrintWriter(java.io.PrintWriter)
ImmutableSet(com.google.common.collect.ImmutableSet)
Collection(java.util.Collection)
Caveat(org.dcache.macaroons.Caveat)
Instant(java.time.Instant)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
Objects(java.util.Objects)
BEFORE(org.dcache.macaroons.CaveatType.BEFORE)
DateTimeParseException(java.time.format.DateTimeParseException)
List(java.util.List)
InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException)
Optional(java.util.Optional)
AccessController(java.security.AccessController)
TRUE(java.lang.Boolean.TRUE)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
JsonParseException(com.google.gson.JsonParseException)
FsPath(diskCacheV111.util.FsPath)
SC_INTERNAL_SERVER_ERROR(javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR)
AbstractHandler(org.eclipse.jetty.server.handler.AbstractHandler)
CellAddressCore(dmg.cells.nucleus.CellAddressCore)
ArrayList(java.util.ArrayList)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
CellIdentityAware(dmg.cells.nucleus.CellIdentityAware)
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
MacaroonContext(org.dcache.macaroons.MacaroonContext)
SC_UNAUTHORIZED(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED)
MacaroonProcessor(org.dcache.macaroons.MacaroonProcessor)
InvalidCaveatException.checkCaveat(org.dcache.macaroons.InvalidCaveatException.checkCaveat)
Logger(org.slf4j.Logger)
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IOException(java.io.IOException)
DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction)
Subject(javax.security.auth.Subject)
NDC(org.dcache.util.NDC)
Strings.emptyToNull(com.google.common.base.Strings.emptyToNull)
ChronoUnit(java.time.temporal.ChronoUnit)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
SC_BAD_REQUEST(javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST)
InternalErrorException(org.dcache.macaroons.InternalErrorException)
Required(org.springframework.beans.factory.annotation.Required)
Collections(java.util.Collections)
InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException)
Caveat(org.dcache.macaroons.Caveat)
InvalidCaveatException.checkCaveat(org.dcache.macaroons.InvalidCaveatException.checkCaveat)
Instant(java.time.Instant)
ArrayList(java.util.ArrayList)
InternalErrorException(org.dcache.macaroons.InternalErrorException)
MacaroonProcessor(org.dcache.macaroons.MacaroonProcessor)
MacaroonContext(org.dcache.macaroons.MacaroonContext)
DateTimeParseException(java.time.format.DateTimeParseException)
Example 2 with InvalidCaveatException
use of org.dcache.macaroons.InvalidCaveatException in project dcache by dCache.
the class MacaroonRequestHandler method buildContext.
private MacaroonContext buildContext(String target, Request request) throws ErrorResponseException {
MacaroonContext context = new MacaroonContext();
FsPath desiredPath = _pathMapper.asDcachePath(request, target);
FsPath userRoot = FsPath.ROOT;
FsPath prefixRestrictionPath = null;
for (LoginAttribute attr : AuthenticationHandler.getLoginAttributes(request)) {
if (attr instanceof HomeDirectory) {
context.setHome(FsPath.ROOT.resolve(((HomeDirectory) attr).getHome()));
} else if (attr instanceof RootDirectory) {
userRoot = FsPath.ROOT.resolve(((RootDirectory) attr).getRoot());
} else if (attr instanceof Expiry) {
context.updateExpiry(((Expiry) attr).getExpiry());
} else if (attr instanceof DenyActivityRestriction) {
context.removeActivities(((DenyActivityRestriction) attr).getDenied());
} else if (attr instanceof PrefixRestriction) {
ImmutableSet<FsPath> paths = ((PrefixRestriction) attr).getPrefixes();
if (target.equals("/")) {
checkArgument(paths.size() == 1, "Cannot serialise with multiple path restrictions");
prefixRestrictionPath = paths.iterator().next();
} else {
prefixRestrictionPath = paths.stream().filter(desiredPath::hasPrefix).findFirst().orElseThrow(() -> new ErrorResponseException(SC_BAD_REQUEST, "Bad request path: Desired path not within existing path"));
}
} else if (attr instanceof Restriction) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot serialise restriction " + attr.getClass().getSimpleName());
} else if (attr instanceof MaxUploadSize) {
try {
context.updateMaxUpload(((MaxUploadSize) attr).getMaximumSize());
} catch (InvalidCaveatException e) {
throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot add max-upload: " + e.getMessage());
}
}
}
Subject subject = getSubject();
context.setUid(Subjects.getUid(subject));
context.setGids(Subjects.getGids(subject));
context.setUsername(Subjects.getUserName(subject));
FsPath effectiveRoot = _pathMapper.effectiveRoot(userRoot, m -> new ErrorResponseException(SC_BAD_REQUEST, m));
context.setRoot(effectiveRoot);
FsPath path = prefixRestrictionPath != null ? prefixRestrictionPath : target.equals("/") ? null : desiredPath;
if (path != null) {
context.setPath(path.stripPrefix(effectiveRoot));
}
return context;
}
Also used :
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException)
HomeDirectory(org.dcache.auth.attributes.HomeDirectory)
LoginAttribute(org.dcache.auth.attributes.LoginAttribute)
MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize)
RootDirectory(org.dcache.auth.attributes.RootDirectory)
Subject(javax.security.auth.Subject)
MacaroonContext(org.dcache.macaroons.MacaroonContext)
Restriction(org.dcache.auth.attributes.Restriction)
PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction)
DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction)
Expiry(org.dcache.auth.attributes.Expiry)
DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction)
FsPath(diskCacheV111.util.FsPath)
Aggregations
FsPath (diskCacheV111.util.FsPath)2
Subject (javax.security.auth.Subject)2
DenyActivityRestriction (org.dcache.auth.attributes.DenyActivityRestriction)2
Expiry (org.dcache.auth.attributes.Expiry)2
HomeDirectory (org.dcache.auth.attributes.HomeDirectory)2
LoginAttribute (org.dcache.auth.attributes.LoginAttribute)2
MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize)2
PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction)2
Restriction (org.dcache.auth.attributes.Restriction)2
Preconditions.checkArgument (com.google.common.base.Preconditions.checkArgument)1
Strings.emptyToNull (com.google.common.base.Strings.emptyToNull)1
ImmutableSet (com.google.common.collect.ImmutableSet)1
CharStreams (com.google.common.io.CharStreams)1
GsonBuilder (com.google.gson.GsonBuilder)1
JsonParseException (com.google.gson.JsonParseException)1
CDC (dmg.cells.nucleus.CDC)1
CellAddressCore (dmg.cells.nucleus.CellAddressCore)1
CellIdentityAware (dmg.cells.nucleus.CellIdentityAware)1
IOException (java.io.IOException)1
PrintWriter (java.io.PrintWriter)1
