From 13620e08e639e40bfd5eac986f6a692dd6e88ffc Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 29 Nov 2016 17:58:50 +1000 Subject: [PATCH 167/175] Add groups and request attributes to external principals Add the ExternalAuthenticationValve valve, which, if an externally authenticated principal is available, reads the REMOTE_USER_GROUP information from the Coyote request and adds the groups ("roles" in Tomcat terminology) to the principal. It also saves a complete copy of the request attribute map in the princpial. The new class ExternalPrincipal is used to achieve this. Part of: https://pagure.io/dogtagpki/issue/1359
---
base/ca/tomcat8/conf/Catalina/localhost/ca.xml | 2 + base/server/tomcat/src/CMakeLists.txt | 8 +++ .../cms/tomcat/ExternalAuthenticationValve.java | 80 ++++++++++++++++++++++ .../com/netscape/cms/tomcat/ExternalPrincipal.java | 43 ++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java
diff --git a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
index 46f270817a58282b950b75a15bb3bd052f178f0c..0268bc17e055b98198a9a44275319e77217c87fd 100644
--- a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
+++ b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
@@ -27,6 +27,8 @@
+ + groups = new ArrayList<>();
+ for (int i = 1; i <= numGroups; i++) {
+ String k = "REMOTE_USER_GROUP_" + i;
+ String s = (String) coyoteReq.getAttribute(k);
+ if (s != null && !s.isEmpty())
+ groups.add(s);
+ else
+ System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k);
+ }
+
+ // replace the principal
+ principal = new ExternalPrincipal(
+ principal.getName(), null, groups, coyoteReq.getAttributes());
+ System.out.println("ExternalAuthenticationValve: setting new principal: " + principal);
+ req.setUserPrincipal(principal);
+
+ // cache principal in session
+ Session session = req.getSessionInternal();
+ session.setAuthType(req.getAuthType());
+ session.setPrincipal(principal);
+ }
+
+ getNext().invoke(req, resp);
+ }
+}
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java
new file mode 100644
index 0000000000000000000000000000000000000000..a7bb0e110382d6b45e66d0c2748b4ac206ce99e2
--- /dev/null
+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import org.apache.catalina.realm.GenericPrincipal;
+
+import java.util.List;
+import java.util.HashMap;
+
+/**
+ * Principal that carries additional request attributes.
+ */
+public class ExternalPrincipal extends GenericPrincipal {
+
+ private HashMap attributes;
+
+ public ExternalPrincipal(String name, String password, List roles,
+ HashMap attributes) {
+ super(name, password, roles);
+ this.attributes = attributes;
+ }
+
+ public HashMap getAttributes() {
+ return attributes;
+ }
+
+}
-- 2.9.3
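Review bot: The constructor keeps the caller's map by reference (`this.attributes = attributes;`) and `getAttributes()` hands that same mutable `HashMap` back out, so the principal does not actually hold the "complete copy" the commit message describes. The only visible caller, in the valve hunk earlier in this patch, passes `coyoteReq.getAttributes()` and then caches the principal in the session; if that is the connector's live attribute map, which I believe is cleared and refilled when the Coyote request is recycled, a session-cached principal could later expose attributes from unrelated requests. Copy on the way in and out: `this.attributes = new HashMap<>(attributes);` in the constructor and `return new HashMap<>(attributes);` in the getter, or change the field and return type to `Map` and return an unmodifiable view. `List roles` and `HashMap attributes` appear raw here, which may be type arguments lost in extraction; if they are really raw, `List<String>` and `Map<String, Object>` would match the `GenericPrincipal` constructor and avoid unchecked warnings.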