authorFraser Tweedale <ftweedal@redhat.com>2016-11-29 18:43:48 +1000
committerFraser Tweedale <ftweedal@redhat.com>2017-03-16 17:46:18 +1000
commit67d51413323e1d55fdc04ca5edf5d9f05afb0ebe (patch)
tree02f38710ad71837e34538664a12ad0c6b7ca2ab5
parentef84ef36be06944a7f6338ed022f13e066cd5c32 (diff)
Update ACLInterceptor to support external principals
For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm"). Part of: https://pagure.io/dogtagpki/issue/1359
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java41
1 files changed, 29 insertions, 12 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 490011681..8e02ec21c 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -31,14 +31,17 @@ import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
+import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.resteasy.core.ResourceMethodInvoker;
import org.jboss.resteasy.spi.Failure;
import com.netscape.certsrv.acls.ACLMapping;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.AuthzToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.ForbiddenException;
@@ -140,18 +143,33 @@ public class ACLInterceptor implements ContainerRequestFilter {
if (principal != null)
CMS.debug("ACLInterceptor: principal: " + principal.getName());
- // If unrecognized principal, reject request.
- if (principal != null && !(principal instanceof PKIPrincipal)) {
- CMS.debug("ACLInterceptor: Invalid user principal.");
- // audit comment: no Principal, no one to blame here
- throw new ForbiddenException("Invalid user principal.");
- }
+ IAuthzSubsystem authzSubsystem =
+ (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
- PKIPrincipal pkiPrincipal = null;
IAuthToken authToken = null;
+ String authzMgrName = null;
if (principal != null) {
- pkiPrincipal = (PKIPrincipal) principal;
- authToken = pkiPrincipal.getAuthToken();
+ if (principal instanceof PKIPrincipal) {
+ authzMgrName = "DirAclAuthz";
+ authToken = ((PKIPrincipal) principal).getAuthToken();
+ }
+ else if (principal instanceof GenericPrincipal) {
+ String realm = null;
+ String[] parts = principal.getName().split("@", 2);
+ if (parts.length == 2) {
+ realm = parts[1];
+ }
+ try {
+ authzMgrName = authzSubsystem.getAuthzManagerNameByRealm(realm);
+ } catch (EAuthzUnknownRealm e) {
+ throw new ForbiddenException(
+ "Cannot find AuthzManager for external principal " + principal.getName(),
+ e
+ );
+ }
+ authToken = new ExternalAuthToken((GenericPrincipal) principal);
+ }
+ CMS.debug("ACLInterceptor: will use authz manager " + authzMgrName);
}
// If missing auth token, reject request.
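Review bot: A GenericPrincipal whose name contains no "@" leaves `realm` null and passes it straight into `getAuthzManagerNameByRealm` (the split and lookup in this hunk); only EAuthzUnknownRealm is caught there, and whether a null realm produces that exception or something else (e.g. a NullPointerException) is not visible here, so the malformed name should be rejected before the lookup: `if (parts.length != 2) throw new ForbiddenException("External principal name has no realm: " + principal.getName());`. The authz manager is thereby chosen from a name produced by the container realm, so a comment such as `// trusts the configured Tomcat realm to emit names of the form "id@realm"; the realm part selects the authz manager` would make that trust boundary explicit. Note also that the explicit "Invalid user principal" rejection was removed, so principals of any other type now fall through with a null authToken and rely on the missing-auth-token check that follows this hunk. The enclosing filter method starts before and continues past this hunk.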
@@ -249,9 +267,8 @@ public class ACLInterceptor implements ContainerRequestFilter {
try {
// Check authorization.
- IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ);
- AuthzToken authzToken = mAuthz.authorize(
- "DirAclAuthz",
+ AuthzToken authzToken = authzSubsystem.authorize(
+ authzMgrName,
authToken,
values[0], // resource
values[1]); // operation
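Review bot: `authorize` is now called with `authzMgrName`, which is only assigned on the PKIPrincipal and GenericPrincipal branches earlier in the method and is otherwise null; unless the null-authToken check between the hunks is guaranteed to reject every such case, a guard here, `if (authzMgrName == null) throw new ForbiddenException("No authz manager for principal");`, would keep a null manager name from reaching the authz subsystem. The try block opened on the first line of this hunk closes outside it.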