From 80a5ac922611dfe1a14306b8c1b89c7464c4eeeb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 29 Nov 2016 18:39:45 +1000
Subject: [PATCH 170/175] Update SessionContextInterceptor to handle external principals

Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../server/rest/SessionContextInterceptor.java | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
index b6461abfdee36ea4eeba4d07da815482b02712ba..b3b3c3b8ff377ba602060d79c50bbc1d9081fd70 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -29,9 +29,11 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.SessionContext;
@@ -80,14 +82,12 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
 CMS.debug("SessionContextInterceptor: principal: " + principal.getName());
- // If unrecognized principal, reject request.
- if (!(principal instanceof PKIPrincipal)) {
- CMS.debug("SessionContextInterceptor: Invalid user principal.");
- throw new ForbiddenException("Invalid user principal.");
- }
+ IAuthToken authToken = null;
- PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
- IAuthToken authToken = pkiPrincipal.getAuthToken();
+ if (principal instanceof PKIPrincipal)
+ authToken = ((PKIPrincipal) principal).getAuthToken();
+ else if (principal instanceof GenericPrincipal)
+ authToken = new ExternalAuthToken((GenericPrincipal) principal);
 // If missing auth token, reject request.
 if (authToken == null) {
@@ -104,7 +104,8 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
 context.put(SessionContext.LOCALE, locale);
 context.put(SessionContext.AUTH_TOKEN, authToken);
- context.put(SessionContext.USER_ID, pkiPrincipal.getName());
- context.put(SessionContext.USER, pkiPrincipal.getUser());
+ context.put(SessionContext.USER_ID, principal.getName());
+ if (principal instanceof PKIPrincipal)
+ context.put(SessionContext.USER, ((PKIPrincipal) principal).getUser());
 }
 }
--
2.9.3
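Review bot: A principal that is neither `PKIPrincipal` nor `GenericPrincipal` is no longer rejected at the type check in the `-80,14 +82,12` hunk; rejection now depends on the `authToken == null` test that follows, whose body lies outside the hunk. Keeping the rejection explicit would make the fail-closed path obvious and preserve the specific log line, e.g. a final `else { CMS.debug("SessionContextInterceptor: Invalid user principal."); throw new ForbiddenException("Invalid user principal."); }`. The new branch also turns any container-supplied `GenericPrincipal` into an `ExternalAuthToken`, so the trust decision moves to whichever realm or authenticator produced the principal; a comment naming the realms expected here would help reviewers of the deployment configuration. If `PKIPrincipal` is a subclass of `GenericPrincipal` (not visible here), the order of the two `instanceof` tests is load-bearing and deserves a comment. Braces around the branch bodies would also protect the chain from a later one-line edit.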
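Review bot: `SessionContext.USER` is left unset for external principals by the last two added lines of the `-104,7 +104,8` hunk, and nothing clears a value that may already be there. If `context` is reused between requests (its origin is outside this hunk), a USER object stored by an earlier `PKIPrincipal` request could remain visible alongside the new `USER_ID`; an `else` branch that clears the USER entry would rule that out. Code that reads `SessionContext.USER` for authorization or audit records also has to tolerate a missing entry, so a comment such as `// external principals carry no local user object; consumers must handle an absent USER` is worth adding if that is the intent. The enclosing method begins outside the hunk.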