From 5b2746ff2941c87f67719f1bfc214a9b364c7fd7 Mon Sep 17 00:00:00 2001
From: Patrick Dowler
Date: Wed, 24 Jul 2024 12:07:55 -0700
Subject: [PATCH] cadc-gms: add timeouts in PosixMapperClientmake StandardIdentityManagerTest work with owner change

---
 .../opencadc/auth/StandardIdentityManagerTest.java | 13 +++++++------
 .../resources/config/cadc-registry.properties | 5 +++--
 .../java/org/opencadc/auth/PosixMapperClient.java | 14 +++++++++++++-
 .../org/opencadc/auth/StandardIdentityManager.java | 3 +--
 4 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java b/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java
index fd3c8f4c..97064d89 100644
--- a/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java
+++ b/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java
@@ -71,7 +71,7 @@ import ca.nrc.cadc.auth.AuthorizationTokenPrincipal;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.IdentityManager;
-import ca.nrc.cadc.auth.NumericPrincipal;
+import ca.nrc.cadc.auth.OpenIdPrincipal;
 import ca.nrc.cadc.auth.PrincipalExtractor;
 import ca.nrc.cadc.auth.SSLUtil;
 import ca.nrc.cadc.auth.X509CertificateChain;
@@ -102,8 +102,9 @@ public class StandardIdentityManagerTest {
 private static final Logger log = Logger.getLogger(StandardIdentityManagerTest.class);
 static {
- Log4jInit.setLevel("ca.nrc.cadc.auth", Level.INFO);
 Log4jInit.setLevel("org.opencadc.auth", Level.INFO);
+ Log4jInit.setLevel("ca.nrc.cadc.auth", Level.INFO);
+ Log4jInit.setLevel("ca.nrc.cadc.net", Level.INFO);
 }
 private X509CertificateChain chain;
@@ -168,26 +169,26 @@ public void testAccessToken() {
 Subject validated = AuthenticationUtil.getSubject(new DummyPrincipalExtractor(false, true), false);
 final StandardIdentityManager im = new StandardIdentityManager();
 log.info("validated: " + validated);
- Assert.assertFalse("oidc uuid", validated.getPrincipals(NumericPrincipal.class).isEmpty());
+ Assert.assertFalse("oidc iss/sub", validated.getPrincipals(OpenIdPrincipal.class).isEmpty());
 Assert.assertFalse("oidc username", validated.getPrincipals(HttpPrincipal.class).isEmpty());
 Subject augmented = im.augment(validated);
 log.info("augmented: " + augmented);
- Assert.assertFalse("oidc uuid", validated.getPrincipals(NumericPrincipal.class).isEmpty());
+ Assert.assertFalse("oidc iss/sub", validated.getPrincipals(OpenIdPrincipal.class).isEmpty());
 Assert.assertFalse("oidc username", validated.getPrincipals(HttpPrincipal.class).isEmpty());
 final Object owner = im.toOwner(augmented);
 Subject s = im.toSubject(owner);
 log.info("owner round trip: " + s);
 Assert.assertNotNull(s);
- Assert.assertFalse(s.getPrincipals(NumericPrincipal.class).isEmpty());
+ Assert.assertFalse(s.getPrincipals(OpenIdPrincipal.class).isEmpty());
 Assert.assertTrue(s.getPrincipals(HttpPrincipal.class).isEmpty());
 // test using current subject as cache for augment
 Subject as = Subject.doAs(augmented, (PrivilegedExceptionAction) () -> im.toSubject(owner));
 log.info("owner round trip inside doAs(augmented): " + as);
 Assert.assertNotNull(as);
- Assert.assertFalse(as.getPrincipals(NumericPrincipal.class).isEmpty());
+ Assert.assertFalse(as.getPrincipals(OpenIdPrincipal.class).isEmpty());
 Assert.assertFalse(as.getPrincipals(HttpPrincipal.class).isEmpty());
 } catch (Exception unexpected) {
diff --git a/cadc-gms/src/intTest/resources/config/cadc-registry.properties b/cadc-gms/src/intTest/resources/config/cadc-registry.properties
index dc10416c..e30a550d 100644
--- a/cadc-gms/src/intTest/resources/config/cadc-registry.properties
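Review bot: The two assertions that follow `Subject augmented = im.augment(validated);` still inspect `validated`, so the new `OpenIdPrincipal` assertion added there never checks what `augment` returned; the original target was kept when the principal type was swapped. They should read `Assert.assertFalse("oidc iss/sub", augmented.getPrincipals(OpenIdPrincipal.class).isEmpty());` and `Assert.assertFalse("oidc username", augmented.getPrincipals(HttpPrincipal.class).isEmpty());`, otherwise a regression in which `augment` drops the issuer/sub principal that `toOwner` depends on would still pass this test. The enclosing `try` block of `testAccessToken` begins before the hunk and its `catch` continues after it.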
+++ b/cadc-gms/src/intTest/resources/config/cadc-registry.properties
@@ -5,6 +5,7 @@ ca.nrc.cadc.reg.client.RegistryClient.baseURL = https://haproxy.cadc.dao.nrc.ca/
 # configure LocalAuthority lookups
 ## SRC IAM prototype
 ivo://ivoa.net/sso#OpenID = https://ska-iam.stfc.ac.uk/
-
-http://www.opencadc.org/std/posix#user-mapping-0.1 = ivo://opencadc.org/src/posix-mapper
+## these make the StandardIdentityManagerTest require a running posix-mapper so
+## commented out by default
+#http://www.opencadc.org/std/posix#user-mapping-0.1 = ivo://opencadc.org/src/posix-mapper
 #http://www.opencadc.org/std/posix#user-mapping-0.1 = https://haproxy.cadc.dao.nrc.ca/src/posix-mapper
diff --git a/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java b/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java
index f28dc336..f27bd3ae 100644
--- a/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java
+++ b/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java
@@ -115,8 +115,10 @@ public PosixMapperClient(URI resourceID) {
 this.service = resourceID.toASCIIString();
 try {
 final RegistryClient regClient = new RegistryClient();
+ regClient.setConnectionTimeout(6000); // ms
+ regClient.setReadTimeout(12000); // ms
 this.capabilities = regClient.getCapabilities(resourceID);
- } catch (ResourceNotFoundException | IOException ex) {
+ } catch (Exception ex) {
 throw new RuntimeException("failed to read capabilities for " + service, ex);
 }
 }
@@ -129,6 +131,8 @@ public PosixMapperClient(URL baseURL) {
 try {
 URL capURL = new URL(baseURL.toExternalForm() + "/capabilities");
 HttpGet get = new HttpGet(capURL, true);
+ get.setConnectionTimeout(6000); // ms
+ get.setReadTimeout(12000); // ms
 get.prepare();
 CapabilitiesReader r = new CapabilitiesReader();
 this.capabilities = r.read(get.getInputStream());
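Review bot: Widening the catch in `PosixMapperClient(URI)` to `catch (Exception ex)` loses the distinction the old `ResourceNotFoundException | IOException` clause kept: every failure, including an unchecked exception thrown by `RegistryClient` and, if that client can throw `InterruptedException`, the thread's interrupt status, is now flattened into the same `RuntimeException("failed to read capabilities for " + service, ex)`, so a caller cannot tell a misconfigured resource ID from a registry that timed out under the new 6 s/12 s limits. I would keep the narrow multi-catch and let unchecked exceptions propagate, or at least add an arm `catch (InterruptedException ex) { Thread.currentThread().interrupt(); throw new RuntimeException("interrupted reading capabilities for " + service, ex); }` so interruption is not silently converted. The commit message does not say why the catch was widened; which checked types `getCapabilities` declares is not visible here and should be confirmed against `RegistryClient` before narrowing it back.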
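Review bot: In `PosixMapperClient(URL)` the stream from `get.getInputStream()` is handed straight to `CapabilitiesReader.read(...)` with no try-with-resources or `close()` anywhere in the hunk, so unless `read` closes its argument the connection stays open until garbage collection; the new read timeout bounds each blocking read, not that lifetime. If `CapabilitiesReader.read` does not close the stream, wrap it: `try (InputStream in = get.getInputStream()) { this.capabilities = r.read(in); }`. The constructor's `catch` and the end of the method lie outside the hunk, so whether a close happens there cannot be seen from this diff.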
@@ -179,6 +183,8 @@ public Subject augment(Subject subject)
 URL queryURL = new URL(query.toString());
 HttpGet get = new HttpGet(queryURL, true);
+ get.setConnectionTimeout(6000); // ms
+ get.setReadTimeout(30000); // ms
 get.setRequestProperty("accept", "text/tab-separated-values");
 get.prepare();
@@ -238,6 +244,8 @@ public ResourceIterator getUserMap() throws IOException, Resourc
 ResourceAlreadyExistsException, InterruptedException {
 final URL userMapURL = getServiceURL(Standards.POSIX_USERMAP);
 final HttpGet get = new HttpGet(userMapURL, true);
+ get.setConnectionTimeout(6000); // ms
+ get.setReadTimeout(30000); // ms
 get.setRequestProperty("accept", "text/tab-separated-values");
 get.prepare();
@@ -284,6 +292,8 @@ public ResourceIterator getGroupMap() throws IOException, ResourceNo
 ResourceAlreadyExistsException, InterruptedException {
 final URL userMapURL = getServiceURL(Standards.POSIX_GROUPMAP);
 final HttpGet get = new HttpGet(userMapURL, true);
+ get.setConnectionTimeout(6000); // ms
+ get.setReadTimeout(30000); // ms
 get.setRequestProperty("accept", "text/tab-separated-values");
 get.prepare();
@@ -334,6 +344,8 @@ private List getPosixGroups(List groupURIs, List
 URL queryURL = new URL(query.toString());
 HttpGet get = new HttpGet(queryURL, true);
+ get.setConnectionTimeout(6000); // ms
+ get.setReadTimeout(30000); // ms
 get.setRequestProperty("accept", "text/tab-separated-values");
 get.prepare();
diff --git a/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java b/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java
index 968d69c8..25f38f09 100644
--- a/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java
+++ b/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java
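Review bot: The same connect/read timeouts are pasted as bare literals (`6000`, `12000`, `30000`) into six call sites of `PosixMapperClient`, with the two capabilities lookups getting 12 s and the four data calls 30 s, and nothing records why the values differ; the next tuning will miss one of them. Hoist them into named class constants such as `private static final int CONNECT_TIMEOUT_MS = 6000;`, `private static final int CAPABILITIES_READ_TIMEOUT_MS = 12000;` and `private static final int QUERY_READ_TIMEOUT_MS = 30000;`, with a one-line comment on the 30 s value explaining that it is a per-read bound for streamed TSV responses rather than a total request deadline, and use them in `augment`, `getUserMap`, `getGroupMap` and `getPosixGroups`. The body of `augment` begins and ends outside this hunk.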
@@ -287,13 +287,12 @@ public Subject toSubject(Object owner) {
 @Override
 public Object toOwner(Subject subject) {
- // use NumericPrincipal aka OIDC sub for persistence
 Set ps = subject.getPrincipals(OpenIdPrincipal.class);
 if (ps.isEmpty()) {
 return null;
 }
 OpenIdPrincipal openIdPrincipal = ps.iterator().next();
- return openIdPrincipal.getIssuer().toString() + OID_OWNER_DELIM + openIdPrincipal.getName();
+ return openIdPrincipal.getIssuer().toExternalForm() + OID_OWNER_DELIM + openIdPrincipal.getName();
 }
 @Override
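Review bot: `toOwner` takes `ps.iterator().next()` from a `Set`, so when a Subject carries more than one `OpenIdPrincipal` the persisted owner string depends on set iteration order and the `toSubject` round trip may not return the principal the caller expected; the comment this hunk removes was also the only description of the owner format. I would either reject the ambiguous case, `if (ps.size() > 1) { throw new IllegalStateException("multiple OpenIdPrincipal in subject"); }`, or document the choice above the `Set` line with `// owner is persisted as "<issuer URL><OID_OWNER_DELIM><sub>"; a Subject is expected to carry exactly one OpenIdPrincipal`. The value of `OID_OWNER_DELIM` is not shown here; if it can occur inside an issuer URL or a `sub` value, the split performed in `toSubject` (above this hunk) becomes ambiguous and should be checked. Assuming `getIssuer()` returns a `java.net.URL`, the switch from `toString()` to `toExternalForm()` is a no-op, since `URL.toString()` delegates to `toExternalForm()`.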