From 5421a7b9fd925018c037a254b7287756ee2f301c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 29 Nov 2016 18:43:48 +1000
Subject: [PATCH 171/175] Update ACLInterceptor to support external principals

For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm"). Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../org/dogtagpki/server/rest/ACLInterceptor.java | 41 +++++++++++++++-------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 49001168130831bbb002711120891195b5d54ba5..8e02ec21c438426fe7f0b3e5d571084b7f784a70 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -31,14 +31,17 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.jboss.resteasy.spi.Failure;
 
 import com.netscape.certsrv.acls.ACLMapping;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.ForbiddenException;
@@ -140,18 +143,33 @@ public class ACLInterceptor implements ContainerRequestFilter {
         if (principal != null)
             CMS.debug("ACLInterceptor: principal: " + principal.getName());
 
-        // If unrecognized principal, reject request.
-        if (principal != null && !(principal instanceof PKIPrincipal)) {
-            CMS.debug("ACLInterceptor: Invalid user principal.");
-            // audit comment: no Principal, no one to blame here
-            throw new ForbiddenException("Invalid user principal.");
-        }
+        IAuthzSubsystem authzSubsystem =
+            (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
 
-        PKIPrincipal pkiPrincipal = null;
         IAuthToken authToken = null;
+        String authzMgrName = null;
         if (principal != null) {
-            pkiPrincipal = (PKIPrincipal) principal;
-            authToken = pkiPrincipal.getAuthToken();
+            if (principal instanceof PKIPrincipal) {
+                authzMgrName = "DirAclAuthz";
+                authToken = ((PKIPrincipal) principal).getAuthToken();
+            }
+            else if (principal instanceof GenericPrincipal) {
+                String realm = null;
+                String[] parts = principal.getName().split("@", 2);
+                if (parts.length == 2) {
+                    realm = parts[1];
+                }
+                try {
+                    authzMgrName = authzSubsystem.getAuthzManagerNameByRealm(realm);
+                } catch (EAuthzUnknownRealm e) {
+                    throw new ForbiddenException(
+                        "Cannot find AuthzManager for external principal " + principal.getName(),
+                        e
+                    );
+                }
+                authToken = new ExternalAuthToken((GenericPrincipal) principal);
+            }
+            CMS.debug("ACLInterceptor: will use authz manager " + authzMgrName);
         }
 
         // If missing auth token, reject request.
@@ -249,9 +267,8 @@ public class ACLInterceptor implements ContainerRequestFilter {
         try {
             // Check authorization.
-            IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
-            AuthzToken authzToken = mAuthz.authorize(
-                    "DirAclAuthz",
+            AuthzToken authzToken = authzSubsystem.authorize(
+                    authzMgrName,
                     authToken,
                     values[0], // resource
                     values[1]); // operation
-- 
2.9.3
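Review bot: In the GenericPrincipal branch a principal name without an "@" leaves `realm` null and hands that null to `getAuthzManagerNameByRealm`, whose behaviour on null is not visible here, so the "id@realm" assumption stated in the commit message is never actually enforced; replace the `if (parts.length == 2) { realm = parts[1]; }` with an explicit rejection, `if (parts.length != 2) throw new ForbiddenException("Invalid external principal name: " + principal.getName());`, and then use `parts[1]` directly. The `instanceof PKIPrincipal` test is placed before `instanceof GenericPrincipal`, which matters if PKIPrincipal is itself a GenericPrincipal subclass (it appears to be, given the cast to GenericPrincipal is only taken in the second branch); a one-line comment such as `// PKIPrincipal must be tested first: it is also a GenericPrincipal` would keep a future reorder from silently routing internal users through the realm lookup. Dropping the old "Invalid user principal" rejection means any other Principal type now falls through with a null authToken to the "If missing auth token" check below, which still rejects but with a less specific audit message; worth confirming that is intended. The enclosing filter method starts and ends outside this hunk.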