diff --git a/hsarback/src/de/hsadmin/cliClientConnector/CLIClientConnectorServlet.java b/hsarback/src/de/hsadmin/cliClientConnector/CLIClientConnectorServlet.java
index 916a078..42727ef 100644
--- a/hsarback/src/de/hsadmin/cliClientConnector/CLIClientConnectorServlet.java
+++ b/hsarback/src/de/hsadmin/cliClientConnector/CLIClientConnectorServlet.java
@@ -22,7 +22,6 @@ import org.apache.commons.codec.binary.Base64;
 import de.hsadmin.core.model.AbstractEntity;
 import de.hsadmin.core.model.GenericModuleImpl;
 import de.hsadmin.core.model.ModuleInterface;
-import de.hsadmin.core.model.TicketAuthentication;
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.core.model.onetier.TicketValidator;
@@ -460,9 +459,9 @@ public class CLIClientConnectorServlet extends HttpServlet {
 String login = a[0];
 ticket = a[1];
 try {
- if (TicketAuthentication.getInstance().login(login, ticket)) {
+ tx = new Transaction(login);
+ if (tx.login(login, ticket)) {
 // login successful
- tx = new Transaction(login);
 module = new GenericModuleImpl(tx);
 // read arguments
diff --git a/hsarback/src/de/hsadmin/cliClientConnector/TechnicalException.java b/hsarback/src/de/hsadmin/cliClientConnector/TechnicalException.java
index e8fb368..ce7c1e0 100644
--- a/hsarback/src/de/hsadmin/cliClientConnector/TechnicalException.java
+++ b/hsarback/src/de/hsadmin/cliClientConnector/TechnicalException.java
@@ -13,6 +13,10 @@ public class TechnicalException extends RuntimeException {
 super(extractCauseMessage(e));
 }
+ public TechnicalException(String errorMsg) {
+ super(errorMsg);
+ }
+
 private static String extractCauseMessage(Throwable e) {
 if (e.getMessage() != null && !(e instanceof RollbackException)) {
 return e.getMessage();
diff --git a/hsarback/src/de/hsadmin/core/model/TicketAuthentication.java b/hsarback/src/de/hsadmin/core/model/TicketAuthentication.java
deleted file mode 100644
index bf9f5c0..0000000
--- a/hsarback/src/de/hsadmin/core/model/TicketAuthentication.java
+++ /dev/null
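Review bot: `tx = new Transaction(login);` now runs before the ticket is checked, so when `tx.login(login, ticket)` throws an AuthenticationException (or a runtime exception from the lookups it performs) a Transaction has already been created for an unauthenticated login; whether that object is closed on the failure path depends on the catch/finally of this method, which lies outside the hunk — confirm the cleanup handles a `tx` that was assigned but never used, and if it does not, a `finally` that closes a non-null `tx` is the minimal fix. The context line `ticket = a[1];` also indexes without checking `a.length`, so a credential string without the expected separator would fail with an ArrayIndexOutOfBoundsException instead of a clean authentication error — I cannot see where `a` is built, so this may already be guarded earlier in the method.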
@@ -1,17 +0,0 @@
-package de.hsadmin.core.model;
-
-import de.hsadmin.core.model.onetier.TicketValidator;
-
-public class TicketAuthentication {
-
- private static TicketAuthentication auth = new TicketAuthentication();
-
- public static TicketAuthentication getInstance() {
- return auth;
- }
-
- public boolean login(String login, String ticket) throws AuthenticationException {
- return TicketValidator.getInstance().validateTicket(login, ticket);
- }
-
-}
diff --git a/hsarback/src/de/hsadmin/core/model/Transaction.java b/hsarback/src/de/hsadmin/core/model/Transaction.java
index 254a26f..696fac7 100644
--- a/hsarback/src/de/hsadmin/core/model/Transaction.java
+++ b/hsarback/src/de/hsadmin/core/model/Transaction.java
@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.jms.Queue;
 import javax.jms.QueueConnectionFactory;
@@ -21,9 +22,12 @@ import org.apache.openjpa.persistence.OpenJPAEntityManager;
 import de.hsadmin.cliClientConnector.TechnicalException;
 import de.hsadmin.core.model.onetier.PersistenceManager;
+import de.hsadmin.core.model.onetier.TicketValidator;
 import de.hsadmin.core.qserv.QueueClient;
 import de.hsadmin.core.qserv.QueueTask;
 import de.hsadmin.core.util.Config;
+import de.hsadmin.mods.cust.Customer;
+import de.hsadmin.mods.pac.Pac;
 import de.hsadmin.mods.user.UnixUser;
 public class Transaction {
@@ -76,8 +80,10 @@ public class Transaction {
 }
 public String getLoginName() {
- if (loginName != null) return loginName;
- return null;
+ if (loginName != null) {
+ return loginName;
+ }
+ throw new TechnicalException("no login");
 }
 public void enqueue(String hiveName, QueueTask task) {
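Review bot: `getLoginName()` now throws `TechnicalException("no login")`, an unchecked exception, where it previously returned null, so any caller that guarded the result with a null check now gets a RuntimeException on a path that used to be silent; those callers are not part of this diff and should be reviewed. The change deserves a Javadoc line such as `@throws TechnicalException if this Transaction was created without a login name`, and a message that names the context (`"no login name in Transaction"`) would make the resulting stack trace more useful than the bare `"no login"`. The `enqueue` method at the bottom of the hunk continues outside it.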
@@ -193,4 +199,44 @@ public class Transaction {
 return unixUser;
 }
+ public boolean login(String user, String ticket) throws AuthenticationException {
+ String ticketUser = TicketValidator.getInstance().validateTicket(ticket);
+ if (user != null && user.equals(ticketUser)) {
+ return true; // user himself
+ }
+ if (ticketUser != null && ticketUser.length() == 2) {
+ return true; // 2-letter hostmaster
+ }
+ String hostmasterAccountPrefix = Config.getInstance().getProperty("accountprefix.hostmaster", "hsh01") + "-";
+ if (ticketUser != null && ticketUser.startsWith(hostmasterAccountPrefix) && ticketUser.length() == 8) {
+ return true; // hsh01 hostmaster
+ }
+ if (ticketUser != null && ticketUser.length() == 5) {
+ Query userQuery = getEntityManager().createQuery("SELECT u FROM UnixUsers u WHERE u.name = :username");
+ userQuery.setParameter("username", user);
+ UnixUser unixUser = (UnixUser) userQuery.getSingleResult();
+ String pacName = unixUser.getPac().getName();
+ return ticketUser.equals(pacName); // pac-admin
+ }
+ if (ticketUser != null && ticketUser.length() == 3) {
+ String memberAccountPrefix = Config.getInstance().getProperty("accountprefix.customer", "hsh00") + "-";
+ Query memberQuery = getEntityManager().createQuery("SELECT c FROM Customers c WHERE c.name = :membername");
+ memberQuery.setParameter("membername", memberAccountPrefix + ticketUser);
+ Customer member = (Customer) memberQuery.getSingleResult();
+ Set pacs = member.getPacs();
+ for (Pac p : pacs) {
+ if (p.getName().equals(user)) {
+ return true; // member as pac-admin
+ }
+ Set users = p.getUnixUser();
+ for (UnixUser u : users) {
+ if (u.getName().equals(user)) {
+ return true; // member as pac-user
+ }
+ }
+ }
+ }
+ throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + user);
+ }
+
 }
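Review bot: In the pac-admin and member branches, `userQuery.getSingleResult()` and `memberQuery.getSingleResult()` throw an unchecked `NoResultException` when the run-as `user` or the customer named `memberAccountPrefix + ticketUser` does not exist, so an unknown run-as name surfaces as a persistence error rather than the `AuthenticationException` the callers handle, and a null `user` reaches the same query in the 5-character branch. I would reject a null `user` up front and translate a missing row into the AuthenticationException already thrown at the end, as sketched below (this assumes `Query` is `javax.persistence.Query`, which the OpenJPA import suggests, and needs `import javax.persistence.NoResultException;`). The method also never returns false — every path returns true or throws — so a Javadoc line saying so would stop callers from treating the boolean as a meaningful result. Note that the inherited rule granting hostmaster rights to any 2-character ticket user is carried over unchanged.
```java
public boolean login(String user, String ticket) throws AuthenticationException {
	String ticketUser = TicketValidator.getInstance().validateTicket(ticket);
	if (user == null || ticketUser == null) {
		throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + user);
	}
	// … unchanged: user-himself, 2-letter hostmaster and hsh01 hostmaster checks …
	if (ticketUser.length() == 5) {
		UnixUser unixUser;
		try {
			Query userQuery = getEntityManager().createQuery("SELECT u FROM UnixUsers u WHERE u.name = :username");
			userQuery.setParameter("username", user);
			unixUser = (UnixUser) userQuery.getSingleResult();
		} catch (NoResultException e) {
			// unknown run-as user is an authorisation failure, not an internal error
			throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + user);
		}
		return ticketUser.equals(unixUser.getPac().getName()); // pac-admin
	}
	if (ticketUser.length() == 3) {
		String memberAccountPrefix = Config.getInstance().getProperty("accountprefix.customer", "hsh00") + "-";
		Customer member;
		try {
			Query memberQuery = getEntityManager().createQuery("SELECT c FROM Customers c WHERE c.name = :membername");
			memberQuery.setParameter("membername", memberAccountPrefix + ticketUser);
			member = (Customer) memberQuery.getSingleResult();
		} catch (NoResultException e) {
			throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + user);
		}
		// … unchanged: loop over member.getPacs() and their unix users …
	}
	throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + user);
}
```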
diff --git a/hsarback/src/de/hsadmin/core/model/onetier/TicketValidator.java b/hsarback/src/de/hsadmin/core/model/onetier/TicketValidator.java
index bb081cd..d80e64b 100644
--- a/hsarback/src/de/hsadmin/core/model/onetier/TicketValidator.java
+++ b/hsarback/src/de/hsadmin/core/model/onetier/TicketValidator.java
@@ -39,24 +39,7 @@ public class TicketValidator {
 proxyValidateURL = validateURL;
 }
- public boolean validateTicket(String runAsUser, String ticket) throws AuthenticationException {
- String ticketUser = validateTicket(ticket);
- if (runAsUser != null &&
- (runAsUser.equals(ticketUser) // user himself
- || (ticketUser.length() == 5 && runAsUser.startsWith(ticketUser))
- // pac-admin
- || (ticketUser.length() == 3 && runAsUser.startsWith(ticketUser))
- // member
- || ticketUser.length() == 2) // hostmaster
- // TODO: add test for member-account
- ) {
- return true;
- } else {
- throw new AuthenticationException("User " + ticketUser + " is not allowed to run as " + runAsUser);
- }
- }
-
- private String validateTicket(String ticket) throws AuthenticationException {
+ public String validateTicket(String ticket) throws AuthenticationException {
 if (proxyServiceURL == null || proxyServiceURL == null) {
 log.fatal("TicketValidator is not initialized.");
 throw new RuntimeException("TicketValidator is not initialized.");
diff --git a/hsarback/src/de/hsadmin/remote/AbstractRemote.java b/hsarback/src/de/hsadmin/remote/AbstractRemote.java
index 1138bca..174302e 100644
--- a/hsarback/src/de/hsadmin/remote/AbstractRemote.java
+++ b/hsarback/src/de/hsadmin/remote/AbstractRemote.java
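Review bot: The initialization guard right after the new signature, `if (proxyServiceURL == null || proxyServiceURL == null) {`, tests the same field twice, so a `proxyValidateURL` that was never set (it is assigned from `validateURL` at the top of the hunk) slips past the fatal check; the second operand should read `proxyValidateURL == null`. With the run-as overload removed, this now-public `validateTicket(String)` is the only ticket entry point, and nothing in it says that it returns the principal the ticket was issued to without deciding whom the caller may act as — a Javadoc along the lines of `Validates the ticket against the configured proxy validation URL and returns the user name it belongs to; authorisation of a run-as user is the caller's responsibility.` would keep the next caller from assuming otherwise. The body of validateTicket continues outside the hunk.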
@@ -8,24 +8,17 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import de.hsadmin.core.model.AbstractEntity;
 import de.hsadmin.core.model.AuthenticationException;
 import de.hsadmin.core.model.AuthorisationException;
-import de.hsadmin.core.model.AbstractEntity;
 import de.hsadmin.core.model.GenericModuleImpl;
 import de.hsadmin.core.model.HSAdminException;
 import de.hsadmin.core.model.ModuleInterface;
-import de.hsadmin.core.model.TicketAuthentication;
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.mods.user.UnixUser;
 public abstract class AbstractRemote implements IRemote {
- private TicketAuthentication authentication;
-
- public AbstractRemote() {
- authentication = new TicketAuthentication();
- }
-
 protected abstract Class getEntityClass();
 protected abstract void entity2map(AbstractEntity entity, Map resultMap);
@@ -39,7 +32,7 @@ public abstract class AbstractRemote implements IRemote {
 String user = runAsUser;
 Transaction transaction = new Transaction(user);
 try {
- if (authentication.login(user, ticket)) {
+ if (transaction.login(user, ticket)) {
 ModuleInterface module = new GenericModuleImpl(transaction);
 UnixUser unixUser = transaction.getLoginUser();
 List list = module.search(getEntityClass(),
@@ -73,7 +66,7 @@ public abstract class AbstractRemote implements IRemote {
 String user = runAsUser;
 Transaction transaction = new Transaction(user);
 try {
- if (authentication.login(user, ticket)) {
+ if (transaction.login(user, ticket)) {
 ModuleInterface module = new GenericModuleImpl(transaction);
 Constructor constructor = getEntityClass().getConstructor();
@@ -100,7 +93,7 @@ public abstract class AbstractRemote implements IRemote {
 String user = runAsUser;
 Transaction transaction = new Transaction(user);
 try {
- if (authentication.login(user, ticket)) {
+ if (transaction.login(user, ticket)) {
 ModuleInterface module = new GenericModuleImpl(transaction);
 UnixUser unixUser = transaction.getLoginUser();
 String queryCondition = buildQueryCondition(whereParams);
@@ -137,7 +130,7 @@ public abstract class AbstractRemote implements IRemote {
 String user = runAsUser;
 Transaction transaction = new Transaction(user);
 try {
- if (authentication.login(user, ticket)) {
+ if (transaction.login(user, ticket)) {
 ModuleInterface module = new GenericModuleImpl(transaction);
 UnixUser unixUser = transaction.getLoginUser();
 ArrayList> result = new ArrayList>();
diff --git a/hsarback/src/de/hsadmin/remote/RoleRemote.java b/hsarback/src/de/hsadmin/remote/RoleRemote.java
index e1a1269..6523ed0 100644
--- a/hsarback/src/de/hsadmin/remote/RoleRemote.java
+++ b/hsarback/src/de/hsadmin/remote/RoleRemote.java
@@ -9,7 +9,6 @@ import de.hsadmin.core.model.AbstractEntity;
 import de.hsadmin.core.model.AuthenticationException;
 import de.hsadmin.core.model.GenericModuleImpl;
 import de.hsadmin.core.model.HSAdminException;
-import de.hsadmin.core.model.TicketAuthentication;
 import de.hsadmin.core.model.Transaction;
 import de.hsadmin.core.util.Config;
 import de.hsadmin.mods.dom.Domain;
@@ -17,18 +16,12 @@ import de.hsadmin.mods.pac.Pac;
 public class RoleRemote implements IRemote {
- private TicketAuthentication authentication;
-
- public RoleRemote() {
- authentication = new TicketAuthentication();
- }
-
 @Override
 public List> search(String runAsUser, String ticket, Map whereParams) throws HSAdminException {
 String user = runAsUser;
 Transaction transaction = new Transaction(user);
- if (authentication.login(user, ticket)) {
+ if (transaction.login(user, ticket)) {
 String role = "USER";
 String accoutPrefixCustomer = Config.getInstance().getProperty("accountprefix.customer");
 String accoutPrefixHostmaster = Config.getInstance().getProperty("accountprefix.hostmaster");
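Review bot: `transaction.login(user, ticket)` is called here outside any try block, whereas every AbstractRemote method in this diff wraps the same call in `try {`; before this change the authentication step did no database work, but `Transaction.login` now runs JPA queries through the transaction's entity manager for 5- and 3-character ticket users, so an AuthenticationException or persistence exception thrown here can leave that entity manager open if RoleRemote.search has no finally of its own. The rest of search lies outside the hunk, so this may already be handled — if not, mirroring AbstractRemote's try/finally around the login and the work that follows is the fix. The `if` also has no visible else branch; that is harmless today only because login never returns false, which is worth a comment at the call site.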