diff --git a/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java b/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java
index 2dbfb9aa2b9..48acf190e76 100644
--- a/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java
+++ b/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java
@@ -35,11 +35,10 @@ import org.dcache.gplazma.AuthenticationException;
 import org.dcache.gplazma.util.CertPaths;
-import static com.google.common.base.Preconditions.checkArgument;
 import static eu.emi.security.authn.x509.helpers.CertificateHelpers.getExtensionBytes;
 import static org.dcache.auth.EntityDefinition.*;
 import static org.dcache.auth.LoA.*;
-import static org.dcache.gplazma.util.CertPaths.*;
+import static org.dcache.gplazma.util.CertPaths.isX509CertPath;
 import static org.dcache.gplazma.util.Preconditions.checkAuthentication;
 /**
@@ -56,15 +55,9 @@ public class X509Plugin implements GPlazmaAuthenticationPlugin
 private static final String OID_CERTIFICATE_POLICIES = "2.5.29.32";
 private static final String OID_ANY_POLICY = "2.5.29.32";
 private static final DERSequence ANY_POLICY = new DERSequence(new ASN1ObjectIdentifier(OID_ANY_POLICY));
- private static final String POLICY_PRINCIPALS_PROPERTY = "gplazma.x509.use-policy-principals";
-
- private final boolean isPolicyPrincipalsEnabled;
 public X509Plugin(Properties properties)
 {
- String enablePolicies = properties.getProperty(POLICY_PRINCIPALS_PROPERTY);
- checkArgument(enablePolicies != null, "Undefined property: " + POLICY_PRINCIPALS_PROPERTY);
- isPolicyPrincipalsEnabled = Boolean.parseBoolean(enablePolicies);
 }
 @Override
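Review bot: In the second hunk the context lines define `OID_ANY_POLICY` as `"2.5.29.32"`, the same value as `OID_CERTIFICATE_POLICIES`, whereas RFC 5280 assigns anyPolicy the identifier 2.5.29.32.0 (certificatePolicies with arc 0); as written, `ANY_POLICY` cannot equal a genuine anyPolicy entry, so the `!policy.equals(ANY_POLICY)` check in `listPolicies` never excludes it and the identifier falls through to `asPrincipal`. That predates this commit and is probably harmless if `asPrincipal` returns null for identifiers it does not recognise, but now that the policy-principal path is unconditional it would be worth fixing the constant to `"2.5.29.32.0"` so the filter does what its name says. Separately, the constructor `public X509Plugin(Properties properties)` is left with an empty body and an unused parameter and nothing explains why it is kept; if the plugin loader instantiates plugins through a `Properties` constructor, as the retained signature suggests, say so with a comment such as `// No configuration is consulted; the Properties parameter is retained for the plugin constructor contract.`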
@@ -104,15 +97,13 @@ public void authenticate(Set publicCredentials,
 identifiedPrincipals.add(new GlobusPrincipal(
 OpensslNameUtils.convertFromRfc2253(eec.getSubjectX500Principal().getName(), true)));
- if (isPolicyPrincipalsEnabled) {
- listPolicies(eec).stream()
- .map(PolicyInformation::getInstance)
- .map(PolicyInformation::getPolicyIdentifier)
- .map(DERObjectIdentifier::getId)
- .map(X509Plugin::asPrincipal)
- .filter(Objects::nonNull)
- .forEach(identifiedPrincipals::add);
- }
+ listPolicies(eec).stream()
+ .map(PolicyInformation::getInstance)
+ .map(PolicyInformation::getPolicyIdentifier)
+ .map(DERObjectIdentifier::getId)
+ .map(X509Plugin::asPrincipal)
+ .filter(Objects::nonNull)
+ .forEach(identifiedPrincipals::add);
 found = true;
 }
@@ -141,7 +132,7 @@ private List listPolicies(X509Certificate eec)
 }
 Enumeration policySource = ASN1Sequence.getInstance(encoded).getObjects();
- List policies = new ArrayList();
+ List policies = new ArrayList<>();
 while (policySource.hasMoreElements()) {
 DEREncodable policy = policySource.nextElement();
 if (!policy.equals(ANY_POLICY)) {
diff --git a/skel/share/defaults/gplazma.properties b/skel/share/defaults/gplazma.properties
index 860c3c7f32e..af06d98e6fc 100644
--- a/skel/share/defaults/gplazma.properties
+++ b/skel/share/defaults/gplazma.properties
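Review bot: The policy-to-principal chain in the first hunk now runs for every certificate, so its failure mode is no longer opt-in: `PolicyInformation.getInstance` in the new stream (and `ASN1Sequence.getInstance` inside `listPolicies`) parses extension content taken from the presented end-entity certificate, and if I read the BouncyCastle API correctly a malformed certificatePolicies entry is rejected with an unchecked exception that would escape `authenticate` instead of failing the login as an `AuthenticationException`. Consider wrapping the chain so such a certificate is rejected explicitly, e.g. catch `IllegalArgumentException` around the stream and rethrow it as the plugin's `AuthenticationException` (already imported in this file), or log and skip the policy principals if lenient handling is the intent. The enclosing `authenticate` method starts and ends outside this hunk. The diamond change in the second hunk needs no comment.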
@@ -174,18 +174,6 @@ gplazma.authzdb.uid=uid,login,user,group
 #
 gplazma.authzdb.gid=gid,login,group,user
-# X.509 certificates can contain labels called policies. Policies
-# describe how the certificate was generated. Some policies also
-# describe something about the entity they identify.
-#
-# The X.509 certificate has been updated to add additional principals
-# based on the presence certain well-defined policies; however, this
-# breaks backwards compatibility with versions of dCache earlier than
-# 2.14. Therefore this behaviour is optional and must only be
-# enabled when all nodes in the dCache cluster run 2.14 or later.
-#
-(one-of?true|false)gplazma.x509.use-policy-principals = false
-
 # ---- Path to the vomsdir directory
 gplazma.vomsdir.dir=${dcache.authn.vomsdir}
@@ -333,3 +321,4 @@ gplazma.oidc.hostnames =
 (obsolete)gplazma.xacml.vomsdir.dir = Use gplazma.xacml.vomsdir
 (obsolete)gplazma.xacml.vomsdir.ca = Use gplazma.xacml.ca
 (obsolete)gplazma.cell.export = See gplazma.cell.consume
+(obsolete)gplazma.x509.use-policy-principals =
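Review bot: The new `(obsolete)gplazma.x509.use-policy-principals =` entry in the second hunk has an empty value, while the neighbouring obsolete entries in the same hunk each carry a hint for the operator (`Use gplazma.xacml.vomsdir`, `See gplazma.cell.consume`). Since the first hunk also deletes the only explanation of what the property did, including the warning that policy-derived principals are incompatible with cluster nodes older than 2.14, an administrator who still sets it would get no indication of what changed; suggest `(obsolete)gplazma.x509.use-policy-principals = Policy-based principals are now always added` or similar wording that also points at the mixed-version caveat. I am assuming the property loader surfaces this text when an obsolete key is still set, as the existing entries imply.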