Search in sources :

Example 1 with InvalidCaveatException

use of org.dcache.macaroons.InvalidCaveatException in project dcache by dCache.

the class MacaroonRequestHandler method buildMacaroon.

private String buildMacaroon(String target, Request request) throws ErrorResponseException {
    checkValidRequest(request.isSecure(), "Not secure transport");
    if (Subjects.isNobody(getSubject())) {
        throw new ErrorResponseException(SC_UNAUTHORIZED, "Authentication required");
    }
    MacaroonContext context = buildContext(target, request);
    MacaroonRequest macaroonRequest = parseJSON(request);
    try {
        List<Caveat> caveats = new ArrayList<>();
        List<Caveat> beforeCaveats = new ArrayList<>();
        for (String serialisedCaveat : macaroonRequest.getCaveats()) {
            Caveat caveat = new Caveat(serialisedCaveat);
            (caveat.hasType(BEFORE) ? beforeCaveats : caveats).add(caveat);
        }
        macaroonRequest.getValidity().map(Duration::parse).map(Instant.now()::plus).map(i -> new Caveat(BEFORE, i)).ifPresent(beforeCaveats::add);
        Instant expiry = calculateExpiry(context, beforeCaveats);
        MacaroonProcessor.MacaroonBuildResult result = _processor.buildMacaroon(expiry, context, caveats);
        request.setAttribute(MACAROON_ID_ATTRIBUTE, result.getId());
        return result.getMacaroon();
    } catch (DateTimeParseException e) {
        throw new ErrorResponseException(SC_BAD_REQUEST, "Bad validity value: " + e.getMessage());
    } catch (InvalidCaveatException e) {
        throw new ErrorResponseException(SC_BAD_REQUEST, "Bad requested caveat: " + e.getMessage());
    } catch (InternalErrorException e) {
        throw new ErrorResponseException(SC_INTERNAL_SERVER_ERROR, "Internal error: " + e.getMessage());
    }
}
Also used : Request(org.eclipse.jetty.server.Request) Restriction(org.dcache.auth.attributes.Restriction) Subjects(org.dcache.auth.Subjects) URISyntaxException(java.net.URISyntaxException) LoggerFactory(org.slf4j.LoggerFactory) Expiry(org.dcache.auth.attributes.Expiry) GsonBuilder(com.google.gson.GsonBuilder) Preconditions.checkArgument(com.google.common.base.Preconditions.checkArgument) AuthenticationHandler(org.dcache.http.AuthenticationHandler) JSONObject(org.json.JSONObject) CharStreams(com.google.common.io.CharStreams) PathMapper(org.dcache.http.PathMapper) Duration(java.time.Duration) URI(java.net.URI) CDC(dmg.cells.nucleus.CDC) PrintWriter(java.io.PrintWriter) ImmutableSet(com.google.common.collect.ImmutableSet) Collection(java.util.Collection) Caveat(org.dcache.macaroons.Caveat) Instant(java.time.Instant) MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize) Objects(java.util.Objects) BEFORE(org.dcache.macaroons.CaveatType.BEFORE) DateTimeParseException(java.time.format.DateTimeParseException) List(java.util.List) InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException) Optional(java.util.Optional) AccessController(java.security.AccessController) TRUE(java.lang.Boolean.TRUE) LoginAttribute(org.dcache.auth.attributes.LoginAttribute) JsonParseException(com.google.gson.JsonParseException) FsPath(diskCacheV111.util.FsPath) SC_INTERNAL_SERVER_ERROR(javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR) AbstractHandler(org.eclipse.jetty.server.handler.AbstractHandler) CellAddressCore(dmg.cells.nucleus.CellAddressCore) ArrayList(java.util.ArrayList) HttpServletRequest(javax.servlet.http.HttpServletRequest) CellIdentityAware(dmg.cells.nucleus.CellIdentityAware) HomeDirectory(org.dcache.auth.attributes.HomeDirectory) MacaroonContext(org.dcache.macaroons.MacaroonContext) SC_UNAUTHORIZED(javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED) MacaroonProcessor(org.dcache.macaroons.MacaroonProcessor) InvalidCaveatException.checkCaveat(org.dcache.macaroons.InvalidCaveatException.checkCaveat) Logger(org.slf4j.Logger) PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction) Subject(javax.security.auth.Subject) NDC(org.dcache.util.NDC) Strings.emptyToNull(com.google.common.base.Strings.emptyToNull) ChronoUnit(java.time.temporal.ChronoUnit) RootDirectory(org.dcache.auth.attributes.RootDirectory) SC_BAD_REQUEST(javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST) InternalErrorException(org.dcache.macaroons.InternalErrorException) Required(org.springframework.beans.factory.annotation.Required) Collections(java.util.Collections) InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException) Caveat(org.dcache.macaroons.Caveat) InvalidCaveatException.checkCaveat(org.dcache.macaroons.InvalidCaveatException.checkCaveat) Instant(java.time.Instant) ArrayList(java.util.ArrayList) InternalErrorException(org.dcache.macaroons.InternalErrorException) MacaroonProcessor(org.dcache.macaroons.MacaroonProcessor) MacaroonContext(org.dcache.macaroons.MacaroonContext) DateTimeParseException(java.time.format.DateTimeParseException)

Example 2 with InvalidCaveatException

use of org.dcache.macaroons.InvalidCaveatException in project dcache by dCache.

the class MacaroonRequestHandler method buildContext.

private MacaroonContext buildContext(String target, Request request) throws ErrorResponseException {
    MacaroonContext context = new MacaroonContext();
    FsPath desiredPath = _pathMapper.asDcachePath(request, target);
    FsPath userRoot = FsPath.ROOT;
    FsPath prefixRestrictionPath = null;
    for (LoginAttribute attr : AuthenticationHandler.getLoginAttributes(request)) {
        if (attr instanceof HomeDirectory) {
            context.setHome(FsPath.ROOT.resolve(((HomeDirectory) attr).getHome()));
        } else if (attr instanceof RootDirectory) {
            userRoot = FsPath.ROOT.resolve(((RootDirectory) attr).getRoot());
        } else if (attr instanceof Expiry) {
            context.updateExpiry(((Expiry) attr).getExpiry());
        } else if (attr instanceof DenyActivityRestriction) {
            context.removeActivities(((DenyActivityRestriction) attr).getDenied());
        } else if (attr instanceof PrefixRestriction) {
            ImmutableSet<FsPath> paths = ((PrefixRestriction) attr).getPrefixes();
            if (target.equals("/")) {
                checkArgument(paths.size() == 1, "Cannot serialise with multiple path restrictions");
                prefixRestrictionPath = paths.iterator().next();
            } else {
                prefixRestrictionPath = paths.stream().filter(desiredPath::hasPrefix).findFirst().orElseThrow(() -> new ErrorResponseException(SC_BAD_REQUEST, "Bad request path: Desired path not within existing path"));
            }
        } else if (attr instanceof Restriction) {
            throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot serialise restriction " + attr.getClass().getSimpleName());
        } else if (attr instanceof MaxUploadSize) {
            try {
                context.updateMaxUpload(((MaxUploadSize) attr).getMaximumSize());
            } catch (InvalidCaveatException e) {
                throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot add max-upload: " + e.getMessage());
            }
        }
    }
    Subject subject = getSubject();
    context.setUid(Subjects.getUid(subject));
    context.setGids(Subjects.getGids(subject));
    context.setUsername(Subjects.getUserName(subject));
    FsPath effectiveRoot = _pathMapper.effectiveRoot(userRoot, m -> new ErrorResponseException(SC_BAD_REQUEST, m));
    context.setRoot(effectiveRoot);
    FsPath path = prefixRestrictionPath != null ? prefixRestrictionPath : target.equals("/") ? null : desiredPath;
    if (path != null) {
        context.setPath(path.stripPrefix(effectiveRoot));
    }
    return context;
}
Also used : PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction) InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException) HomeDirectory(org.dcache.auth.attributes.HomeDirectory) LoginAttribute(org.dcache.auth.attributes.LoginAttribute) MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize) RootDirectory(org.dcache.auth.attributes.RootDirectory) Subject(javax.security.auth.Subject) MacaroonContext(org.dcache.macaroons.MacaroonContext) Restriction(org.dcache.auth.attributes.Restriction) PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction) DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction) Expiry(org.dcache.auth.attributes.Expiry) DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction) FsPath(diskCacheV111.util.FsPath)

Aggregations

FsPath (diskCacheV111.util.FsPath)2 Subject (javax.security.auth.Subject)2 DenyActivityRestriction (org.dcache.auth.attributes.DenyActivityRestriction)2 Expiry (org.dcache.auth.attributes.Expiry)2 HomeDirectory (org.dcache.auth.attributes.HomeDirectory)2 LoginAttribute (org.dcache.auth.attributes.LoginAttribute)2 MaxUploadSize (org.dcache.auth.attributes.MaxUploadSize)2 PrefixRestriction (org.dcache.auth.attributes.PrefixRestriction)2 Restriction (org.dcache.auth.attributes.Restriction)2 Preconditions.checkArgument (com.google.common.base.Preconditions.checkArgument)1 Strings.emptyToNull (com.google.common.base.Strings.emptyToNull)1 ImmutableSet (com.google.common.collect.ImmutableSet)1 CharStreams (com.google.common.io.CharStreams)1 GsonBuilder (com.google.gson.GsonBuilder)1 JsonParseException (com.google.gson.JsonParseException)1 CDC (dmg.cells.nucleus.CDC)1 CellAddressCore (dmg.cells.nucleus.CellAddressCore)1 CellIdentityAware (dmg.cells.nucleus.CellIdentityAware)1 IOException (java.io.IOException)1 PrintWriter (java.io.PrintWriter)1