Merge pull request opencadc#22 from brianmajor/master

Consider credentials valid when cookie available.
andamian · Mar 19, 2018 · 292dee2 · 292dee2
2 parents 3fb393b + 3537716
commit 292dee2
Show file tree

Hide file tree

Showing 4 changed files with 171 additions and 69 deletions.
diff --git a/cadc-cdp/build.gradle b/cadc-cdp/build.gradle
@@ -15,7 +15,7 @@ sourceCompatibility = 1.7
 
 group = 'org.opencadc'
 
-version = '1.1.3'
+version = '1.2.0'
 
 mainClassName = 'ca.nrc.cadc.cred.client.Main'
 
@@ -29,6 +29,8 @@ dependencies {
     compile 'org.opencadc:cadc-util:1.+'
     compile 'org.opencadc:cadc-log:1.+'
     compile 'org.opencadc:cadc-registry:1.+'
+
+    testCompile 'junit:junit:4.+'
 }
 
 configurations {

diff --git a/cadc-cdp/src/main/java/ca/nrc/cadc/cred/client/CredUtil.java b/cadc-cdp/src/main/java/ca/nrc/cadc/cred/client/CredUtil.java
@@ -69,10 +69,10 @@
 
 package ca.nrc.cadc.cred.client;
 
-
 import ca.nrc.cadc.auth.AuthMethod;
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.SSLUtil;
+import ca.nrc.cadc.auth.SSOCookieCredential;
 import ca.nrc.cadc.auth.X509CertificateChain;
 import ca.nrc.cadc.reg.Standards;
 import ca.nrc.cadc.reg.client.LocalAuthority;
@@ -85,38 +85,40 @@
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.util.Iterator;
+import java.util.Set;
+
 import javax.naming.InitialContext;
 import javax.naming.NameNotFoundException;
 import javax.naming.NamingException;
 import javax.security.auth.Subject;
 import org.apache.log4j.Logger;
 
 /**
- * Utility class to support a standard server-side use of the CredClient. Server-side
- * applications typically have to have valid credentials for the current user in order 
- * to call other services on the user's behalf. The methods here support the standard
- * usage as follows:
+ * Utility class to support a standard server-side use of the CredClient.
+ * Server-side applications typically have to have valid credentials for the
+ * current user in order to call other services on the user's behalf. The
+ * methods here support the standard usage as follows:
  * <ul>
  * <li>check Subject for a valid proxy certificate
  * <li>discard stored but invalid certificate
  * <li>load certificate for ops user from${user.home}/.ssl/cadcproxy.pem
- * <li>use CredClient as ops user to retrieve a new proxy certificate for the current user
+ * <li>use CredClient as ops user to retrieve a new proxy certificate for the
+ * current user
  * <li>store the user certificate in the Subject
  * </ul>
  * 
  * @author pdowler
  */
-public class CredUtil 
-{
+public class CredUtil {
     private static final Logger log = Logger.getLogger(CredUtil.class);
-    
+
     public static final double PROXY_CERT_DURATION = 0.1; // couple of hours
     public static final String SERVOPS_JNDI_NAME = "servops-cert";
 
-    private CredUtil() { }
-
-    public static Subject createOpsSubject()
-    {
+    private CredUtil() {
+    }
+
+    public static Subject createOpsSubject() {
         // First check for a JNDI binding, then look on disk
         Subject s = createServopsSubjectFromJNDI();
         log.debug("servops subject from JNDI: " + s);
@@ -131,37 +133,27 @@ public static Subject createOpsSubject()
         throw new IllegalStateException("servops.pem not found in JNDI or on disk.");
     }
 
-    private static Subject createServopsSubjectFromJNDI()
-    {
-        try
-        {
+    private static Subject createServopsSubjectFromJNDI() {
+        try {
             InitialContext ic = new InitialContext();
             Object entry = ic.lookup(SERVOPS_JNDI_NAME);
             if (entry == null)
                 return null;
             X509CertificateChain chain = (X509CertificateChain) entry;
             return AuthenticationUtil.getSubject(chain);
-        }
-        catch (NameNotFoundException e)
-        {
+        } catch (NameNotFoundException e) {
             return null;
-        }
-        catch (NamingException e)
-        {
+        } catch (NamingException e) {
             log.warn("Unexpected JNDI exception.", e);
             return null;
         }
     }
 
-    private static Subject createServopsSubjectFromFile()
-    {
+    private static Subject createServopsSubjectFromFile() {
         File pemFile = new File(System.getProperty("user.home") + "/.ssl/cadcproxy.pem");
-        if (pemFile != null)
-            return SSLUtil.createSubject(pemFile);
-        else
-            return null;
+        return SSLUtil.createSubject(pemFile);
     }
-    
+
     /**
      * Check if the current subject has usable credentials (a valid X509 proxy
      * certificate) and call the local CDP service if necessary.
@@ -172,18 +164,15 @@ private static Subject createServopsSubjectFromFile()
      * @throws java.security.cert.CertificateNotYetValidException
      */
     public static boolean checkCredentials()
-        throws AccessControlException,  CertificateExpiredException, CertificateNotYetValidException
-    {
+            throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException {
         return checkCredentials(AuthenticationUtil.getCurrentSubject());
     }
-
-
 
     /**
      * Check if the specified subject has usable credentials (a valid X509 proxy
      * certificate) and call the local CDP service if necessary. This method uses
      * the <code>ca.nrc.cadc.reg.client.LocalAuthority</code> class to find the
-     * local CDP service. Thus, this usage only makes sense in server-side 
+     * local CDP service. Thus, this usage only makes sense in server-side
      * applications.
      * 
      * @param subject
@@ -192,68 +181,66 @@ public static boolean checkCredentials()
      * @throws java.security.cert.CertificateNotYetValidException
      */
     public static boolean checkCredentials(final Subject subject)
-        throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException
-    {
+            throws AccessControlException, CertificateExpiredException, CertificateNotYetValidException {
         AuthMethod am = AuthenticationUtil.getAuthMethod(subject);
-        if (am == null || AuthMethod.ANON.equals(am))
+        if (am == null || AuthMethod.ANON.equals(am)) {
             return false;
-
-        try
-        {
-            X509CertificateChain privateKeyChain = X509CertificateChain.findPrivateKeyChain(
-                    subject.getPublicCredentials());
+        }
+
+        // first see if there are valid cookie credentials
+        Set<SSOCookieCredential> cookieCreds = subject.getPublicCredentials(SSOCookieCredential.class);
+        for (SSOCookieCredential nextCookie : cookieCreds) {
+            log.debug("Checking cookie credential: " + nextCookie);
+            if (!nextCookie.isExpired()) {
+                return true;
+            }
+        }
+
+        // next see if there is a valid certificate chain. get one from cdp
+        // if there isn't
+        try {
+            X509CertificateChain privateKeyChain = X509CertificateChain
+                    .findPrivateKeyChain(subject.getPublicCredentials());
 
-            if (privateKeyChain != null)
-            {
-                try
-                {
+            if (privateKeyChain != null) {
+                try {
                     privateKeyChain.getChain()[0].checkValidity();
-                }
-                catch(CertificateException ex)
-                {
+                } catch (CertificateException ex) {
                     privateKeyChain = null; // get new one below
                 }
             }
-
-            if (privateKeyChain == null)
-            {
+
+            if (privateKeyChain == null) {
                 LocalAuthority loc = new LocalAuthority();
                 URI credURI = loc.getServiceURI(Standards.CRED_PROXY_10.toASCIIString());
                 final CredClient cred = new CredClient(credURI);
                 Subject opsSubject = createOpsSubject();
-                try
-                {
-                    privateKeyChain = Subject.doAs(opsSubject, new PrivilegedExceptionAction<X509CertificateChain>()
-                    {
-                        public X509CertificateChain run() throws Exception
-                        {
+                try {
+                    privateKeyChain = Subject.doAs(opsSubject, new PrivilegedExceptionAction<X509CertificateChain>() {
+                        public X509CertificateChain run() throws Exception {
                             return cred.getProxyCertificate(subject, PROXY_CERT_DURATION);
                         }
                     });
-                }
-                catch(PrivilegedActionException ex)
-                {
+                } catch (PrivilegedActionException ex) {
                     throw new RuntimeException("CredClient.getProxyCertficate failed", ex.getException());
                 }
-
-                if (privateKeyChain == null)
-                {
+
+                if (privateKeyChain == null) {
                     throw new AccessControlException("credential service did not return a delegated certificate");
                 }
 
                 privateKeyChain.getChain()[0].checkValidity();
                 // carefully remove the previous chain
                 Iterator iter = subject.getPublicCredentials().iterator();
-                while ( iter.hasNext() )
-                {
+                while (iter.hasNext()) {
                     Object o = iter.next();
                     if (o instanceof X509CertificateChain)
                         iter.remove();
                 }
                 subject.getPublicCredentials().add(privateKeyChain);
             }
+        } finally {
         }
-        finally { }
         return true;
     }
 }
diff --git a/cadc-cdp/src/test/java/TODO b/cadc-cdp/src/test/java/TODO
diff --git a/cadc-cdp/src/test/java/ca/nrc/cadc/cred/client/CredUtilTest.java b/cadc-cdp/src/test/java/ca/nrc/cadc/cred/client/CredUtilTest.java
@@ -0,0 +1,113 @@
+/*
+************************************************************************
+*******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+**************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+*
+*  (c) 2011.                            (c) 2011.
+*  Government of Canada                 Gouvernement du Canada
+*  National Research Council            Conseil national de recherches
+*  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+*  All rights reserved                  Tous droits réservés
+*
+*  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+*  expressed, implied, or               énoncée, implicite ou légale,
+*  statutory, of any kind with          de quelque nature que ce
+*  respect to the software,             soit, concernant le logiciel,
+*  including without limitation         y compris sans restriction
+*  any warranty of merchantability      toute garantie de valeur
+*  or fitness for a particular          marchande ou de pertinence
+*  purpose. NRC shall not be            pour un usage particulier.
+*  liable in any event for any          Le CNRC ne pourra en aucun cas
+*  damages, whether direct or           être tenu responsable de tout
+*  indirect, special or general,        dommage, direct ou indirect,
+*  consequential or incidental,         particulier ou général,
+*  arising from the use of the          accessoire ou fortuit, résultant
+*  software.  Neither the name          de l'utilisation du logiciel. Ni
+*  of the National Research             le nom du Conseil National de
+*  Council of Canada nor the            Recherches du Canada ni les noms
+*  names of its contributors may        de ses  participants ne peuvent
+*  be used to endorse or promote        être utilisés pour approuver ou
+*  products derived from this           promouvoir les produits dérivés
+*  software without specific prior      de ce logiciel sans autorisation
+*  written permission.                  préalable et particulière
+*                                       par écrit.
+*
+*  This file is part of the             Ce fichier fait partie du projet
+*  OpenCADC project.                    OpenCADC.
+*
+*  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+*  you can redistribute it and/or       vous pouvez le redistribuer ou le
+*  modify it under the terms of         modifier suivant les termes de
+*  the GNU Affero General Public        la “GNU Affero General Public
+*  License as published by the          License” telle que publiée
+*  Free Software Foundation,            par la Free Software Foundation
+*  either version 3 of the              : soit la version 3 de cette
+*  License, or (at your option)         licence, soit (à votre gré)
+*  any later version.                   toute version ultérieure.
+*
+*  OpenCADC is distributed in the       OpenCADC est distribué
+*  hope that it will be useful,         dans l’espoir qu’il vous
+*  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+*  without even the implied             GARANTIE : sans même la garantie
+*  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+*  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+*  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+*  General Public License for           Générale Publique GNU Affero
+*  more details.                        pour plus de détails.
+*
+*  You should have received             Vous devriez avoir reçu une
+*  a copy of the GNU Affero             copie de la Licence Générale
+*  General Public License along         Publique GNU Affero avec
+*  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+*  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+*                                       <http://www.gnu.org/licenses/>.
+*
+*  $Revision: 5 $
+*
+************************************************************************
+*/
+
+package ca.nrc.cadc.cred.client;
+
+import java.security.PrivilegedAction;
+import java.util.Date;
+
+import javax.security.auth.Subject;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.junit.Assert;
+import org.junit.Test;
+
+import ca.nrc.cadc.auth.AuthMethod;
+import ca.nrc.cadc.auth.SSOCookieCredential;
+import ca.nrc.cadc.util.Log4jInit;
+
+public class CredUtilTest {
+
+    private static Logger log = Logger.getLogger(CredUtilTest.class);
+
+    public CredUtilTest()
+    {
+        Log4jInit.setLevel("ca.nrc.cadc.util", Level.INFO);
+        Log4jInit.setLevel("ca.nrc.cadc.cred", Level.DEBUG);
+    }
+
+    @Test
+    public void testValidCookieCredentails() {
+        try {
+            // add valid cookie
+            Subject s = new Subject();
+            s.getPublicCredentials().add(AuthMethod.COOKIE);
+            Date tomorrow = new Date(System.currentTimeMillis() + (1000*60*60*24));
+            SSOCookieCredential valid = new SSOCookieCredential(null, null, tomorrow);
+            s.getPublicCredentials().add(valid);
+            Assert.assertTrue(CredUtil.checkCredentials(s));
+        }
+        catch (Exception e) {
+            log.error("Unexpected", e);
+            Assert.fail("Unexpected error: " + e.getMessage());
+        }
+    }
+
+}