gplazma: Make gplazma.x509.use-policy-principals obsolete

Motivation: gplazma.x509.use-policy-principals was introduced to maintain compatibility with old pools. Modification: Make gplazma.x509.use-policy-principals obsolete and always include policy principals if present in the certificate. Result: gplazma.x509.use-policy-principals is obsolete. Target: trunk Require-notes: yes Require-book: no Acked-by: Paul Millar <paul.millar@desy.de> Reviewed at https://rb.dcache.org/r/9383/
dCache · Jun 8, 2016 · b40b8bd · b40b8bd
1 parent ddfdbd0
commit b40b8bd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 30 deletions.
diff --git a/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java b/modules/gplazma2-grid/src/main/java/org/dcache/gplazma/plugins/X509Plugin.java
@@ -35,11 +35,10 @@
 import org.dcache.gplazma.AuthenticationException;
 import org.dcache.gplazma.util.CertPaths;
 
-import static com.google.common.base.Preconditions.checkArgument;
 import static eu.emi.security.authn.x509.helpers.CertificateHelpers.getExtensionBytes;
 import static org.dcache.auth.EntityDefinition.*;
 import static org.dcache.auth.LoA.*;
-import static org.dcache.gplazma.util.CertPaths.*;
+import static org.dcache.gplazma.util.CertPaths.isX509CertPath;
 import static org.dcache.gplazma.util.Preconditions.checkAuthentication;
 
 /**
@@ -56,15 +55,9 @@ public class X509Plugin implements GPlazmaAuthenticationPlugin
     private static final String OID_CERTIFICATE_POLICIES = "2.5.29.32";
     private static final String OID_ANY_POLICY = "2.5.29.32";
     private static final DERSequence ANY_POLICY = new DERSequence(new ASN1ObjectIdentifier(OID_ANY_POLICY));
-    private static final String POLICY_PRINCIPALS_PROPERTY = "gplazma.x509.use-policy-principals";
-
-    private final boolean isPolicyPrincipalsEnabled;
 
     public X509Plugin(Properties properties)
     {
-        String enablePolicies = properties.getProperty(POLICY_PRINCIPALS_PROPERTY);
-        checkArgument(enablePolicies != null, "Undefined property: " + POLICY_PRINCIPALS_PROPERTY);
-        isPolicyPrincipalsEnabled = Boolean.parseBoolean(enablePolicies);
     }
 
     @Override
@@ -104,15 +97,13 @@ public void authenticate(Set<Object> publicCredentials,
                     identifiedPrincipals.add(new GlobusPrincipal(
                             OpensslNameUtils.convertFromRfc2253(eec.getSubjectX500Principal().getName(), true)));
 
-                    if (isPolicyPrincipalsEnabled) {
-                        listPolicies(eec).stream()
-                                .map(PolicyInformation::getInstance)
-                                .map(PolicyInformation::getPolicyIdentifier)
-                                .map(DERObjectIdentifier::getId)
-                                .map(X509Plugin::asPrincipal)
-                                .filter(Objects::nonNull)
-                                .forEach(identifiedPrincipals::add);
-                    }
+                    listPolicies(eec).stream()
+                            .map(PolicyInformation::getInstance)
+                            .map(PolicyInformation::getPolicyIdentifier)
+                            .map(DERObjectIdentifier::getId)
+                            .map(X509Plugin::asPrincipal)
+                            .filter(Objects::nonNull)
+                            .forEach(identifiedPrincipals::add);
 
                     found = true;
                 }
@@ -141,7 +132,7 @@ private List<DEREncodable> listPolicies(X509Certificate eec)
         }
 
         Enumeration<DEREncodable> policySource = ASN1Sequence.getInstance(encoded).getObjects();
-        List<DEREncodable> policies = new ArrayList();
+        List<DEREncodable> policies = new ArrayList<>();
         while (policySource.hasMoreElements()) {
             DEREncodable policy = policySource.nextElement();
             if (!policy.equals(ANY_POLICY)) {

diff --git a/skel/share/defaults/gplazma.properties b/skel/share/defaults/gplazma.properties
@@ -174,18 +174,6 @@ gplazma.authzdb.uid=uid,login,user,group
 #
 gplazma.authzdb.gid=gid,login,group,user
 
-#  X.509 certificates can contain labels called policies.  Policies
-#  describe how the certificate was generated.  Some policies also
-#  describe something about the entity they identify.
-#
-#  The X.509 certificate has been updated to add additional principals
-#  based on the presence certain well-defined policies; however, this
-#  breaks backwards compatibility with versions of dCache earlier than
-#  2.14.  Therefore this behaviour is optional and must only be
-#  enabled when all nodes in the dCache cluster run 2.14 or later.
-#
-(one-of?true|false)gplazma.x509.use-policy-principals = false
-
 #  ---- Path to the vomsdir directory
 gplazma.vomsdir.dir=${dcache.authn.vomsdir}
 
@@ -333,3 +321,4 @@ gplazma.oidc.hostnames =
 (obsolete)gplazma.xacml.vomsdir.dir = Use gplazma.xacml.vomsdir
 (obsolete)gplazma.xacml.vomsdir.ca = Use gplazma.xacml.ca
 (obsolete)gplazma.cell.export = See gplazma.cell.consume
+(obsolete)gplazma.x509.use-policy-principals =