| author | Fraser Tweedale <ftweedal@redhat.com> | 2016-11-29 17:58:50 +1000 |
|---|---|---|
| committer | Fraser Tweedale <ftweedal@redhat.com> | 2017-03-16 17:46:18 +1000 |
| commit | 00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e (patch) | |
| tree | 5fd955cf5fb4c8ca1e12c24a9540eef7cb672cc4 /base/server/tomcat/src | |
| parent | 4cf87aa3babc4c7d8ea60a46cb548ebfee493ae4 (diff) | |
| download | pki-00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e.tar.gz pki-00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e.tar.xz pki-00cf1cd2c6b9f5d8116921e4c3f1d07e7708388e.zip | |
Add groups and request attributes to external principals
Add the ExternalAuthenticationValve valve, which, if an externally
authenticated principal is available, reads the REMOTE_USER_GROUP
information from the Coyote request and adds the groups ("roles" in
Tomcat terminology) to the principal.
It also saves a complete copy of the request attribute map in the
principal. The new class ExternalPrincipal is used to achieve this.
Part of: https://pagure.io/dogtagpki/issue/1359
Diffstat (limited to 'base/server/tomcat/src')
3 files changed, 131 insertions, 0 deletions
diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt index 087bcd9ac..b9a3b4c5d 100644 --- a/base/server/tomcat/src/CMakeLists.txt +++ b/base/server/tomcat/src/CMakeLists.txt @@ -104,6 +104,13 @@ find_file(NUXWDOG_JAR /usr/share/java ) +find_file(TOMCAT_COYOTE_JAR + NAMES + tomcat-coyote.jar + PATHS + /usr/share/java/tomcat +) + # build pki-tomcat javac(pki-tomcat-classes SOURCES @@ -111,6 +118,7 @@ javac(pki-tomcat-classes CLASSPATH ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} + ${TOMCAT_COYOTE_JAR} OUTPUT_DIR ${CMAKE_BINARY_DIR}/../../tomcat DEPENDS diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java new file mode 100644 index 000000000..6bc570b46 --- /dev/null +++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java 
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import javax.servlet.ServletException;
+
+import org.apache.catalina.Session;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.valves.ValveBase;
+
+public class ExternalAuthenticationValve extends ValveBase {
+
+ public void invoke(Request req, Response resp)
+ throws IOException, ServletException {
+ System.out.println("ExternalAuthenticationValve; authType: "
+ + req.getAuthType());
+ System.out.println("ExternalAuthenticationValve; principal: "
+ + req.getUserPrincipal());
+ //System.out.println(req.getCoyoteRequest().getAttributes().toString());
+
+ org.apache.coyote.Request coyoteReq = req.getCoyoteRequest();
+ Principal principal = req.getUserPrincipal();
+
+ if (principal != null) {
+ Integer numGroups = 0;
+ String numGroupsStr = (String)
+ coyoteReq.getAttribute("REMOTE_USER_GROUP_N");
+ if (numGroupsStr != null) {
+ try {
+ numGroups = new Integer(numGroupsStr);
+ } catch (NumberFormatException e) {
+ System.out.println("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e);
+ }
+ }
+
+ ArrayList<String> groups = new ArrayList<>();
+ for (int i = 1; i <= numGroups; i++) {
+ String k = "REMOTE_USER_GROUP_" + i;
+ String s = (String) coyoteReq.getAttribute(k);
+ if (s != null && !s.isEmpty())
+ groups.add(s);
+ else
+ System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k);
+ }
+
+ // replace the principal
+ principal = new ExternalPrincipal(
+ principal.getName(), null, groups, coyoteReq.getAttributes());
+ System.out.println("ExternalAuthenticationValve: setting new principal: " + principal);
+ req.setUserPrincipal(principal);
+
+ // cache principal in session
+ Session session = req.getSessionInternal();
+ session.setAuthType(req.getAuthType());
+ session.setPrincipal(principal);
+ }
+
+ getNext().invoke(req, resp);
+ }
+}
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java
new file mode 100644
index 000000000..a7bb0e110
--- /dev/null
+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalPrincipal.java
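Review bot: `coyoteReq.getAttributes()` is handed to the new ExternalPrincipal by reference, so the principal that is then cached in the session holds the connector's live attribute map, not the "complete copy" the commit message describes. The connector recycles its coyote Request objects between requests, so the cached principal's attributes are liable to be cleared or overwritten by later requests; pass a snapshot instead, `principal.getName(), null, groups, new HashMap<>(coyoteReq.getAttributes()));` (importing `java.util.HashMap`), or take the copy in the ExternalPrincipal constructor in the other file of this commit. The replacement is also gated only on `principal != null`, not on `req.getAuthType()`, so a principal established by any other authenticator would have its roles swapped for whatever REMOTE_USER_GROUP_* attributes the request carries; the valve therefore relies on the connector being the only source of those attributes, which deserves either an explicit auth-type check or a comment stating that assumption. Minor: `new Integer(numGroupsStr)` can be `Integer.parseInt(numGroupsStr)`, and the per-request `System.out.println` calls would be better routed through the container log at debug level.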
@@ -0,0 +1,43 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import org.apache.catalina.realm.GenericPrincipal;
+
+import java.util.List;
+import java.util.HashMap;
+
+/**
+ * Principal that carries additional request attributes.
+ */
+public class ExternalPrincipal extends GenericPrincipal {
+
+ private HashMap<String, Object> attributes;
+
+ public ExternalPrincipal(String name, String password, List<String> roles,
+ HashMap<String, Object> attributes) {
+ super(name, password, roles);
+ this.attributes = attributes;
+ }
+
+ public HashMap<String, Object> getAttributes() {
+ return attributes;
+ }
+
+}
|
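Review bot: `getAttributes()` returns the internal `HashMap` that the constructor stored by reference, so any caller can mutate the attributes the principal is supposed to carry, and the field is not `final` even though it is never reassigned. A defensive copy in the constructor, `this.attributes = new HashMap<>(attributes);`, together with `private final HashMap<String, Object> attributes;`, closes both gaps; returning `Collections.unmodifiableMap(attributes)` would additionally require widening the return type to `Map<String, Object>`, which is acceptable for a class this commit introduces. The class Javadoc should also say what the attributes are (the Coyote request attributes present when the principal was created, per the valve in this commit) and that the valve caches the principal in the session, so attribute values need to be serializable wherever session persistence is enabled. If GenericPrincipal is Serializable in the targeted Tomcat version, a `serialVersionUID` is warranted as well.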
