Add a new gPlazma account phase plugin
gPlazma2 was still missing a simple way to ban users. This patch adds a new plugin that allows blacklisting users based on <principal type>:<value> pairs given in a plain text file. Example file: --- alias name=org.dcache.auth.LoginNamePrincipal alias dn=org.globus.gsi.jaas.GlobusPrincipal ban dn:/C=XY/O=org/OU=Some Where/CN=Some One ban javax.security.auth.kerberos.KerberosPrincipal:SOMEONE@SOMEWHERE.ORG ban name:someone ban dn:/C=XY/O=org/OU=Some Where/CN=Some One Else ban javax.security.auth.kerberos.KerberosPrincipal:SOMEONEELSE@SOMEWHERE.ORG --- Acked-by: Paul Acked-by: Gerd Target: master Request: 2.6 Require-book: yes Require-notes: yes Patch: http://rb.dcache.org/r/5777/
Karsten Schwank
committed
Jul 31, 2013
1 parent
3fb26cb
commit eb7c315
Showing
10 changed files
with
430 additions
and
25 deletions.
@@ -0,0 +1,61 @@ | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<parent> | ||
<groupId>org.dcache</groupId> | ||
<artifactId>dcache-parent</artifactId> | ||
<version>2.7.0-SNAPSHOT</version> | ||
<relativePath>../../pom.xml</relativePath> | ||
</parent> | ||
|
||
<artifactId>gplazma2-banfile</artifactId> | ||
<packaging>jar</packaging> | ||
|
||
<name>gPlazma 2 principal ban file plugin</name> | ||
|
||
<dependencies> | ||
<dependency> | ||
<groupId>org.dcache</groupId> | ||
<artifactId>gplazma2</artifactId> | ||
<version>${project.version}</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.slf4j</groupId> | ||
<artifactId>slf4j-api</artifactId> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.guava</groupId> | ||
<artifactId>guava</artifactId> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.scala-lang</groupId> | ||
<artifactId>scala-library</artifactId> | ||
</dependency> | ||
</dependencies> | ||
|
||
<build> | ||
<plugins> | ||
<plugin> | ||
<groupId>net.alchim31.maven</groupId> | ||
<artifactId>scala-maven-plugin</artifactId> | ||
<executions> | ||
<execution> | ||
<id>scala-compile-first</id> | ||
<phase>process-resources</phase> | ||
<goals> | ||
<goal>add-source</goal> | ||
<goal>compile</goal> | ||
</goals> | ||
</execution> | ||
<execution> | ||
<id>scala-test-compile</id> | ||
<phase>process-test-resources</phase> | ||
<goals> | ||
<goal>testCompile</goal> | ||
</goals> | ||
</execution> | ||
</executions> | ||
</plugin> | ||
</plugins> | ||
</build> | ||
</project> |
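--- a/modules/gplazma2-banfile/src/main/resources/META-INF/gplazma-plugins.xml
+++ b/modules/gplazma2-banfile/src/main/resources/META-INF/gplazma-plugins.xml
@@ -0,0 +1,6 @@
+<plugins>
+<plugin>
+<name>banfile</name>
+<class>org.dcache.gplazma.plugins.BanFilePlugin</class>
+</plugin>
+</plugins>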
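--- a/modules/gplazma2-banfile/src/main/scala/org/dcache/gplazma/plugins/BanFilePlugin.scala
+++ b/modules/gplazma2-banfile/src/main/scala/org/dcache/gplazma/plugins/BanFilePlugin.scala
@@ -0,0 +1,104 @@
+package org.dcache.gplazma.plugins
+
+import scala.collection.JavaConversions._
+
+import java.util
+import java.util.Properties
+import java.security.Principal
+
+import org.dcache.auth.Subjects
+import org.dcache.gplazma.AuthenticationException
+import scala.io.Source
+
+object BanFilePlugin {
+val BAN_FILE = "gplazma.banfile.path"
+}
+
+class BanFilePlugin(properties : Properties) extends GPlazmaAccountPlugin with FileCache[Set[Principal]] {
+
+/**
+* Get the filename of the ban file from the properties.
+*/
+val banFile = {
+if (properties == null) {
+throw new IllegalArgumentException("properties is null")
+}
+val filename = properties getProperty BanFilePlugin.BAN_FILE
+if (filename == null) {
+throw new IllegalArgumentException(BanFilePlugin.BAN_FILE + " not set")
+}
+
+filename
+}
+
+private[plugins] def fromSource : Source = try {
+Source fromFile banFile
+} catch {
+case e:Exception => throw new IllegalStateException("cannot read file " + banFile +": "+e.getMessage, e)
+}
+
+/**
+* Create a list of principals from the source file.
+* principalsFromSource filters out empty lines and comments, i.e., lines starting with #
+* It expects the file to be of the format:
+* alias <alias>=<full qualified classname>
+* ban <full qualified classname or alias>:<principal string>
+* e.g.,
+* alias username=org.dcache.auth.LoginNamePrincipal
+* ban username:Someuser
+* or
+* ban org.dcache.auth.LoginNamePrincipal:Someuser
+*
+* @return a set of banned principals
+*/
+private def principalsFromFile(filename : String) = {
+
+def filteredLines(lines : List[String], filtered : List[String], aliases : Map[String, String]) : List[String] = {
+lines match {
+case Nil => filtered
+case line :: rest if line startsWith "#" => filteredLines(rest, filtered, aliases)
+case line :: rest if line.trim == "" => filteredLines(rest, filtered, aliases)
+case line :: rest if line startsWith "alias" => {
+"""^alias\s+([^:]+)=(.*)$""".r("alias", "class") findFirstMatchIn line match {
+case None => throw new IllegalArgumentException("Bad alias line format: '"+line+"', expected 'alias <alias>=<class>'")
+case Some(m) => filteredLines(rest, filtered, aliases + (m.group("alias").trim -> m.group("class").trim))
+}
+}
+case line :: rest if line startsWith "ban" => {
+"""^ban\s+([^:]+):(.*)$""".r("class", "params") findFirstMatchIn line match {
+case None => throw new IllegalArgumentException("Bad ban line format: '"+line+"', expected 'ban <classOrAlias>:<value>'")
+case Some(m) => filteredLines(rest, {
+aliases.get(m.group("class").trim) match {
+case None => m.group("class").trim
+case Some(a) => a
+}
+}+":"+m.group("params") :: filtered, aliases)
+}
+}
+case line :: _ => throw new IllegalArgumentException("Line has bad format: '"+line+"', expected '[alias|ban] <key>:<value>'")
+}
+}
+
+Subjects.principalsFromArgs(filteredLines(fromSource.getLines().toList, Nil, Map())).toSet
+}
+
+/**
+* Get banned principals from file
+* @return a set of banned principals
+*/
+private def bannedPrincipals = getOrFetch(banFile)(principalsFromFile)
+
+/**
+* Check if any of the principals in authorizedPrincipals is blacklisted in the
+* file specified by the dCache property gplazma.banfile.uri.
+*
+* @param authorizedPrincipals principals associated with a user
+* @throws AuthenticationException indicating a banned user
+*/
+def account(authorizedPrincipals: util.Set[Principal]) {
+if ((authorizedPrincipals intersect bannedPrincipals).nonEmpty) {
+throw new AuthenticationException("user banned")
+}
+}
+}
+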
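Review bot: Every failure on the lookup path reaches `account` as a plain runtime exception rather than a denial the caller is documented to handle: `fromSource` rethrows read errors as IllegalStateException and `principalsFromFile` throws IllegalArgumentException on a malformed line, so whether an unreadable or corrupt ban file denies the login or merely skips the plugin depends on how gPlazma treats unexpected exceptions, which is not visible here; a ban plugin should deny in that case (catch NonFatal around `bannedPrincipals` in `account` and rethrow as AuthenticationException) and should force one load in the constructor so a bad file is reported at startup instead of at the first login. The `Source` opened in `fromSource` is never closed, so each reload in `principalsFromFile` leaks a file handle; take `val src = fromSource` and call `src.close()` after `getLines().toList`. `principalsFromFile` also ignores its `filename` parameter and always reads `banFile`, which is harmless today because `getOrFetch` is only called with `banFile` but defeats the cache's per-filename keying. The Scaladoc on `account` names the property `gplazma.banfile.uri`, while `BAN_FILE` is `"gplazma.banfile.path"`; the comment should read `file specified by the dCache property gplazma.banfile.path`.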
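--- a/modules/gplazma2-banfile/src/main/scala/org/dcache/gplazma/plugins/FileCache.scala
+++ b/modules/gplazma2-banfile/src/main/scala/org/dcache/gplazma/plugins/FileCache.scala
@@ -0,0 +1,20 @@
+package org.dcache.gplazma.plugins
+
+import scala.collection.mutable
+import java.io.File
+
+trait FileCache[T] {
+
+private var cache = new mutable.HashMap[String, (Long, T)]()
+
+def getOrFetch(filename : String)(fetch : (String) => T) : T = {
+val file = new File(filename)
+cache.get(filename) match {
+case None => cache += (filename -> (file.lastModified, fetch(filename)))
+case Some((lastFetch, _)) if file.lastModified > lastFetch => cache(filename) = (file.lastModified, fetch(filename))
+case _ => // entry exists and is up to date
+}
+cache(filename)._2
+}
+
+}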
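Review bot: `getOrFetch` mutates a shared `mutable.HashMap` with no synchronization; if gPlazma calls `account` from several threads (not visible here), concurrent `+=`/update calls can corrupt the map or trigger redundant re-reads of the ban file. The staleness check `file.lastModified > lastFetch` also misses a replacement whose mtime is older than or equal to the cached one (a file restored with its original timestamp, or two edits within the filesystem's mtime granularity), and because `File.lastModified` returns 0 for a missing file, a deleted ban file keeps serving the last loaded set indefinitely with no error. I would declare the map as `private val cache = new mutable.HashMap[String, (Long, T)]()`, wrap the method body in `synchronized { ... }`, and compare with `case Some((lastFetch, _)) if file.lastModified != lastFetch =>`. Whether a vanished file should keep the old list or fail loudly is a policy choice that deserves a comment on the trait, since the plugin relies on it for a security decision.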
@@ -0,0 +1 @@ | ||
# this is just an empty file for testing plugin initialisation |