| /* $Id: UserACLServlet.java 988245 2010-08-23 18:39:35Z kwright $ */ |
| |
| /** |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.manifoldcf.authorityservlet; |
| |
| import org.apache.manifoldcf.core.interfaces.*; |
| import org.apache.manifoldcf.authorities.interfaces.*; |
| import org.apache.manifoldcf.authorities.system.ManifoldCF; |
| import org.apache.manifoldcf.authorities.system.Logging; |
| import org.apache.manifoldcf.authorities.system.RequestQueue; |
| import org.apache.manifoldcf.authorities.system.AuthRequest; |
| import org.apache.manifoldcf.authorities.system.MappingRequest; |
| import org.apache.manifoldcf.core.util.URLEncoder; |
| |
| import java.io.*; |
| import java.nio.charset.StandardCharsets; |
| import java.util.*; |
| |
| |
| import javax.servlet.*; |
| import javax.servlet.http.*; |
| |
| /** This servlet class is meant to receive a user name and return a list of access tokens. |
| * The user name is expected to be sent as an argument on the url (the "username" argument), and the |
| * response will simply be a list of access tokens separated by newlines. |
| * This is guaranteed safe because the index system cannot work with access tokens that aren't 7-bit ascii that |
| * have any control characters in them. |
| * |
| * Errors will simply report back with an empty acl. |
| * |
| * The content type will always be text/plain. |
| */ |
| public class UserACLServlet extends HttpServlet |
| { |
| public static final String _rcsid = "@(#)$Id: UserACLServlet.java 988245 2010-08-23 18:39:35Z kwright $"; |
| |
| protected final static String AUTHORIZED_VALUE = "AUTHORIZED:"; |
| protected final static String UNREACHABLE_VALUE = "UNREACHABLEAUTHORITY:"; |
| protected final static String UNAUTHORIZED_VALUE = "UNAUTHORIZED:"; |
| protected final static String USERNOTFOUND_VALUE = "USERNOTFOUND:"; |
| |
| protected final static String ID_PREFIX = "ID:"; |
| protected final static String TOKEN_PREFIX = "TOKEN:"; |
| |
| /** The init method. |
| */ |
| public void init(ServletConfig config) |
| throws ServletException |
| { |
| super.init(config); |
| try |
| { |
| // Set up the environment |
| //ManifoldCF.initializeEnvironment(); |
| IThreadContext itc = ThreadContextFactory.make(); |
| ManifoldCF.startSystem(itc); |
| } |
| catch (ManifoldCFException e) |
| { |
| Logging.misc.error("Error starting authority service: "+e.getMessage(),e); |
| throw new ServletException("Error starting authority service: "+e.getMessage(),e); |
| } |
| |
| } |
| |
| /** The destroy method. |
| */ |
| public void destroy() |
| { |
| try |
| { |
| // Set up the environment |
| //ManifoldCF.initializeEnvironment(); |
| IThreadContext itc = ThreadContextFactory.make(); |
| ManifoldCF.stopSystem(itc); |
| } |
| catch (ManifoldCFException e) |
| { |
| Logging.misc.error("Error shutting down authority service: "+e.getMessage(),e); |
| } |
| super.destroy(); |
| } |
| |
| /** The get method. |
| */ |
| protected void doGet(HttpServletRequest request, HttpServletResponse response) |
| throws ServletException, IOException |
| { |
| try |
| { |
| // Set up the environment |
| //ManifoldCF.initializeEnvironment(); |
| |
| Logging.authorityService.debug("Received request"); |
| |
| Map<String,String> domainMap = new HashMap<String,String>(); |
| |
| // Legacy mode: single user name with optional domain |
| String userID = request.getParameter("username"); |
| if (userID != null) |
| { |
| String domain = request.getParameter("domain"); |
| if (domain == null) |
| domain = ""; |
| domainMap.put(domain,userID); |
| } |
| |
| // Now, go through enumerated username/domain pairs |
| int q = 0; |
| while (true) |
| { |
| String enumUserName = request.getParameter("username_"+q); |
| if (enumUserName == null) |
| break; |
| String enumDomain = request.getParameter("domain_"+q); |
| if (enumDomain == null) |
| enumDomain = ""; |
| domainMap.put(enumDomain,enumUserName); |
| q++; |
| } |
| |
| if (domainMap.size() == 0) |
| { |
| response.sendError(response.SC_BAD_REQUEST); |
| return; |
| } |
| |
| boolean idneeded = false; |
| boolean aclneeded = true; |
| |
| String idneededValue = request.getParameter("idneeded"); |
| if (idneededValue != null) |
| { |
| if (idneededValue.equals("true")) |
| idneeded = true; |
| else if (idneededValue.equals("false")) |
| idneeded = false; |
| } |
| String aclneededValue = request.getParameter("aclneeded"); |
| if (aclneededValue != null) |
| { |
| if (aclneededValue.equals("true")) |
| aclneeded = true; |
| else if (aclneededValue.equals("false")) |
| aclneeded = false; |
| } |
| |
| if (Logging.authorityService.isDebugEnabled()) |
| { |
| StringBuilder sb2 = new StringBuilder("["); |
| boolean first = true; |
| for (String domain : domainMap.keySet()) |
| { |
| if (first) |
| first = false; |
| else |
| sb2.append(","); |
| sb2.append("'").append(domain).append("':'").append(domainMap.get(domain)).append("'"); |
| } |
| sb2.append("]"); |
| Logging.authorityService.debug("Received authority request for domain:user set "+sb2.toString()); |
| } |
| |
| RequestQueue<MappingRequest> mappingQueue = ManifoldCF.getMappingRequestQueue(); |
| if (mappingQueue == null) |
| { |
| // System wasn't started; return unauthorized |
| throw new ManifoldCFException("System improperly initialized"); |
| } |
| |
| RequestQueue<AuthRequest> queue = ManifoldCF.getRequestQueue(); |
| if (queue == null) |
| { |
| // System wasn't started; return unauthorized |
| throw new ManifoldCFException("System improperly initialized"); |
| } |
| |
| |
| IThreadContext itc = ThreadContextFactory.make(); |
| |
| IMappingConnectionManager mappingConnManager = MappingConnectionManagerFactory.make(itc); |
| IAuthorityConnectionManager authConnManager = AuthorityConnectionManagerFactory.make(itc); |
| |
| // Get all mapping connections; we may not need them all but we do need to be able to look them all up |
| IMappingConnection[] mappingConnections = mappingConnManager.getAllConnections(); |
| |
| // One thread per connection, which is responsible for starting the mapping process when it is ready. |
| List<MappingOrderThread> mappingThreads = new ArrayList<MappingOrderThread>(); |
| // One thread per authority, which is responsible for starting the auth request when it is ready. |
| List<AuthOrderThread> authThreads = new ArrayList<AuthOrderThread>(); |
| |
| Map<MapperDescription,MappingRequest> mappingRequests = new HashMap<MapperDescription,MappingRequest>(); |
| Map<String,AuthRequest> authRequests = new HashMap<String,AuthRequest>(); |
| |
| Map<String,IMappingConnection> mappingConnMap = new HashMap<String,IMappingConnection>(); |
| |
| // Fill in mappingConnMap, since we need to be able to find connections given connection names |
| for (IMappingConnection c : mappingConnections) |
| { |
| mappingConnMap.put(c.getName(),c); |
| } |
| |
| // Set of connections we need to fire off |
| Set<MapperDescription> activeConnections = new HashSet<MapperDescription>(); |
| |
| // We do the minimal set of mapping requests and authorities. Since it is the authority tokens we are |
| // looking for, we start there, and build authority requests first, then mapping requests that support them, |
| // etc. |
| // Create auth requests |
| for (String authDomain : domainMap.keySet()) |
| { |
| IAuthorityConnection[] connections = authConnManager.getDomainConnections(authDomain); |
| for (int i = 0; i < connections.length; i++) |
| { |
| IAuthorityConnection thisConnection = connections[i]; |
| String identifyingString = thisConnection.getDescription(); |
| if (identifyingString == null || identifyingString.length() == 0) |
| identifyingString = thisConnection.getName(); |
| |
| // Create a request |
| AuthRequest ar = new AuthRequest(thisConnection,identifyingString); |
| authRequests.put(thisConnection.getName(), ar); |
| |
| // We create an auth thread if there are prerequisites to meet. |
| // Otherwise, we just fire off the request |
| String domainUserID = domainMap.get(authDomain); |
| if (thisConnection.getPrerequisiteMapping() == null) |
| { |
| ar.setUserID(domainUserID); |
| queue.addRequest(ar); |
| } |
| else |
| { |
| MapperDescription md = new MapperDescription(thisConnection.getPrerequisiteMapping(),authDomain); |
| AuthOrderThread thread = new AuthOrderThread(identifyingString, |
| ar, md, |
| queue, mappingRequests); |
| authThreads.add(thread); |
| // The same mapper can be used for multiple domains, although this is likely to be uncommon. Nevertheless, |
| // mapper invocations need to be segregated to prevent trouble |
| activeConnections.add(md); |
| } |
| } |
| } |
| |
| // Create mapping requests |
| while (!activeConnections.isEmpty()) |
| { |
| Iterator<MapperDescription> connectionIter = activeConnections.iterator(); |
| MapperDescription mapperDesc = connectionIter.next(); |
| String connectionName = mapperDesc.mapperName; |
| String authDomain = mapperDesc.authDomain; |
| IMappingConnection thisConnection = mappingConnMap.get(connectionName); |
| String identifyingString = thisConnection.getDescription(); |
| if (identifyingString == null || identifyingString.length() == 0) |
| identifyingString = connectionName; |
| |
| // Create a request |
| MappingRequest mr = new MappingRequest(thisConnection,identifyingString); |
| mappingRequests.put(mapperDesc, mr); |
| |
| // Either start up a thread, or just fire it off immediately. |
| if (thisConnection.getPrerequisiteMapping() == null) |
| { |
| mr.setUserID(domainMap.get(authDomain)); |
| mappingQueue.addRequest(mr); |
| } |
| else |
| { |
| //System.out.println("Mapper: prerequisite found: '"+thisConnection.getPrerequisiteMapping()+"'"); |
| MapperDescription p = new MapperDescription(thisConnection.getPrerequisiteMapping(),authDomain); |
| MappingOrderThread thread = new MappingOrderThread(identifyingString, |
| mr, p, mappingQueue, mappingRequests); |
| mappingThreads.add(thread); |
| if (mappingRequests.get(p) == null) |
| activeConnections.add(p); |
| } |
| activeConnections.remove(mapperDesc); |
| } |
| |
| // Start threads. We have to wait until all the requests have been |
| // at least created before we do this. |
| for (MappingOrderThread thread : mappingThreads) |
| { |
| thread.start(); |
| } |
| for (AuthOrderThread thread : authThreads) |
| { |
| thread.start(); |
| } |
| |
| // Wait for the threads to finish up. This will guarantee that all entities have run to completion. |
| for (MappingOrderThread thread : mappingThreads) |
| { |
| thread.finishUp(); |
| } |
| for (AuthOrderThread thread : authThreads) |
| { |
| thread.finishUp(); |
| } |
| |
| // This is probably unnecessary, but we do it anyway just to adhere to the contract |
| for (MappingRequest mr : mappingRequests.values()) |
| { |
| mr.waitForComplete(); |
| } |
| |
| // Handle all exceptions thrown during mapping. In general this just means logging them, because |
| // the downstream authorities will presumably not find what they are looking for and error out that way. |
| for (MappingRequest mr : mappingRequests.values()) |
| { |
| Throwable exception = mr.getAnswerException(); |
| if (exception != null) |
| { |
| Logging.authorityService.warn("Mapping exception logged from "+mr.getIdentifyingString()+": "+exception.getMessage()+"; mapper aborted", exception); |
| } |
| } |
| |
| // Now, work through the returning answers. |
| |
| // Ask all the interrogated authorities for their ACLs, and merge the final list together. |
| StringBuilder sb = new StringBuilder(); |
| // Set response mime type |
| response.setContentType("text/plain; charset=ISO8859-1"); |
| ServletOutputStream out = response.getOutputStream(); |
| try |
| { |
| for (String connectionName : authRequests.keySet()) |
| { |
| AuthRequest ar = authRequests.get(connectionName); |
| |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug("Waiting for answer from authority connection "+ar.getIdentifyingString()+" for user '"+ar.getUserID()+"'"); |
| |
| ar.waitForComplete(); |
| |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug("Received answer from authority connection "+ar.getIdentifyingString()+" for user '"+ar.getUserID()+"'"); |
| |
| Throwable exception = ar.getAnswerException(); |
| AuthorizationResponse reply = ar.getAnswerResponse(); |
| if (exception != null) |
| { |
| // Exceptions are always bad now |
| // The ManifoldCFException here must disable access to the UI without causing a generic badness thing to happen, so use 403. |
| if (exception instanceof ManifoldCFException) |
| response.sendError(response.SC_FORBIDDEN,"From "+ar.getIdentifyingString()+": "+exception.getMessage()); |
| else |
| response.sendError(response.SC_INTERNAL_SERVER_ERROR,"From "+ar.getIdentifyingString()+": "+exception.getMessage()); |
| return; |
| } |
| |
| String authGroup = ar.getAuthorityConnection().getAuthGroup(); |
| |
| // A null reply means the same as USERNOTFOUND; it occurs because a user mapping failed somewhere. |
| if (reply == null) |
| { |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug("User '"+ar.getUserID()+"' mapping failed for authority '"+ar.getIdentifyingString()+"'"); |
| sb.append(USERNOTFOUND_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n"); |
| } |
| else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_UNREACHABLE) |
| { |
| Logging.authorityService.warn("Authority '"+ar.getIdentifyingString()+"' is unreachable for user '"+ar.getUserID()+"'"); |
| sb.append(UNREACHABLE_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n"); |
| } |
| else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_USERUNAUTHORIZED) |
| { |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug("Authority '"+ar.getIdentifyingString()+"' does not authorize user '"+ar.getUserID()+"'"); |
| sb.append(UNAUTHORIZED_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n"); |
| } |
| else if (reply.getResponseStatus() == AuthorizationResponse.RESPONSE_USERNOTFOUND) |
| { |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug("User '"+ar.getUserID()+"' unknown to authority '"+ar.getIdentifyingString()+"'"); |
| sb.append(USERNOTFOUND_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n"); |
| } |
| else |
| sb.append(AUTHORIZED_VALUE).append(URLEncoder.encode(ar.getIdentifyingString())).append("\n"); |
| |
| String[] acl = reply.getAccessTokens(); |
| if (acl != null) |
| { |
| if (aclneeded) |
| { |
| int j = 0; |
| while (j < acl.length) |
| { |
| if (Logging.authorityService.isDebugEnabled()) |
| Logging.authorityService.debug(" User '"+ar.getUserID()+"' has Acl = '"+acl[j]+"' from authority '"+ar.getIdentifyingString()+"'"); |
| sb.append(TOKEN_PREFIX).append(URLEncoder.encode(authGroup)).append(":").append(URLEncoder.encode(acl[j++])).append("\n"); |
| } |
| } |
| } |
| } |
| |
| // Maintained for backwards compatibility only; no practical use that I can determine here |
| if (idneeded && userID != null) |
| sb.append(ID_PREFIX).append(URLEncoder.encode(userID)).append("\n"); |
| |
| byte[] responseValue = sb.toString().getBytes(StandardCharsets.ISO_8859_1); |
| |
| |
| response.setIntHeader("Content-Length", (int)responseValue.length); |
| out.write(responseValue,0,responseValue.length); |
| out.flush(); |
| } |
| finally |
| { |
| out.close(); |
| } |
| |
| if (Logging.authorityService.isDebugEnabled()) |
| { |
| StringBuilder sb2 = new StringBuilder("["); |
| boolean first = true; |
| for (String domain : domainMap.keySet()) |
| { |
| if (first) |
| first = false; |
| else |
| sb2.append(","); |
| sb2.append("'").append(domain).append("':'").append(domainMap.get(domain)).append("'"); |
| } |
| sb2.append("]"); |
| Logging.authorityService.debug("Done with request for domain:user set "+sb2.toString()); |
| } |
| } |
| catch (InterruptedException e) |
| { |
| // Shut down and don't bother to respond |
| } |
| catch (ManifoldCFException e) |
| { |
| Logging.authorityService.error("User ACL servlet error: "+e.getMessage(),e); |
| response.sendError(response.SC_INTERNAL_SERVER_ERROR,e.getMessage()); |
| } |
| } |
| |
| /** This class represents a tuple of (mapper_name, auth_domain). |
| */ |
| protected static class MapperDescription |
| { |
| public final String mapperName; |
| public final String authDomain; |
| |
| public MapperDescription(String mapperName, String authDomain) |
| { |
| this.mapperName = mapperName; |
| this.authDomain = authDomain; |
| } |
| |
| public int hashCode() |
| { |
| return mapperName.hashCode() + authDomain.hashCode(); |
| } |
| |
| public boolean equals(Object o) |
| { |
| if (!(o instanceof MapperDescription)) |
| return false; |
| MapperDescription other = (MapperDescription)o; |
| return this.mapperName.equals(other.mapperName) && |
| this.authDomain.equals(other.authDomain); |
| } |
| } |
| |
| /** This thread is responsible for making sure that the constraints for a given mapping connection |
| * are met, and then when they are, firing off a MappingRequest. One of these threads is spun up |
| * for every IMappingConnection being handled. |
| * NOTE WELL: The number of threads this might require is worrisome. It is essentially |
| * {@literal<number_of_app_server_threads> * <number_of_mappers>}. I will try later to see if I can find |
| * a way of limiting this to sane numbers. |
| */ |
| protected static class MappingOrderThread extends Thread |
| { |
| protected final MappingRequest request; |
| protected final MapperDescription prerequisite; |
| protected final Map<MapperDescription,MappingRequest> requests; |
| protected final RequestQueue<MappingRequest> mappingRequestQueue; |
| |
| protected Throwable exception = null; |
| |
| public MappingOrderThread( |
| String identifyingString, |
| MappingRequest request, |
| MapperDescription prerequisite, |
| RequestQueue<MappingRequest> mappingRequestQueue, |
| Map<MapperDescription, MappingRequest> requests) |
| { |
| super(); |
| this.request = request; |
| this.prerequisite = prerequisite; |
| this.mappingRequestQueue = mappingRequestQueue; |
| this.requests = requests; |
| setName("Constraint matcher for mapper '"+identifyingString+"'"); |
| setDaemon(true); |
| } |
| |
| public void run() |
| { |
| try |
| { |
| MappingRequest mappingRequest = requests.get(prerequisite); |
| mappingRequest.waitForComplete(); |
| // Constraints are met. Fire off the request. |
| request.setUserID(mappingRequest.getAnswerResponse()); |
| mappingRequestQueue.addRequest(request); |
| } |
| catch (Throwable e) |
| { |
| exception = e; |
| } |
| } |
| |
| public void finishUp() |
| throws InterruptedException |
| { |
| join(); |
| if (exception != null) |
| { |
| if (exception instanceof Error) |
| throw (Error)exception; |
| else if (exception instanceof RuntimeException) |
| throw (RuntimeException)exception; |
| } |
| } |
| |
| } |
| |
| /** This thread is responsible for making sure that the constraints for a given authority connection |
| * are met, and then when they are, firing off an AuthRequest. One of these threads is spun up |
| * for every IAuthorityConnection being handled. |
| * NOTE WELL: The number of threads this might require is worrisome. It is essentially |
| * {@literal<number_of_app_server_threads> * <number_of_authorities>}. I will try later to see if I can find |
| * a way of limiting this to sane numbers. |
| */ |
| protected static class AuthOrderThread extends Thread |
| { |
| protected final AuthRequest request; |
| protected final MapperDescription prerequisite; |
| protected final Map<MapperDescription,MappingRequest> mappingRequests; |
| protected final RequestQueue<AuthRequest> authRequestQueue; |
| |
| protected Throwable exception = null; |
| |
| public AuthOrderThread( |
| String identifyingString, |
| AuthRequest request, |
| MapperDescription prerequisite, |
| RequestQueue<AuthRequest> authRequestQueue, |
| Map<MapperDescription, MappingRequest> mappingRequests) |
| { |
| super(); |
| this.request = request; |
| this.prerequisite = prerequisite; |
| this.authRequestQueue = authRequestQueue; |
| this.mappingRequests = mappingRequests; |
| setName("Constraint matcher for authority '"+identifyingString+"'"); |
| setDaemon(true); |
| } |
| |
| public void run() |
| { |
| try |
| { |
| MappingRequest mappingRequest = mappingRequests.get(prerequisite); |
| mappingRequest.waitForComplete(); |
| // Constraints are met. Fire off the request. User may be null if mapper failed!! |
| request.setUserID(mappingRequest.getAnswerResponse()); |
| authRequestQueue.addRequest(request); |
| } |
| catch (Throwable e) |
| { |
| exception = e; |
| } |
| } |
| |
| public void finishUp() |
| throws InterruptedException |
| { |
| join(); |
| if (exception != null) |
| { |
| if (exception instanceof Error) |
| throw (Error)exception; |
| else if (exception instanceof RuntimeException) |
| throw (RuntimeException)exception; |
| } |
| } |
| |
| } |
| |
| } |
