Merge pull request #171 from pdowler/openid

cadc-gms: add timeouts in PosixMapperClient
opencadc · Jul 25, 2024 · aba9c42 · aba9c42
2 parents e00fab6 + 5b2746f
commit aba9c42
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java b/cadc-gms/src/intTest/java/org/opencadc/auth/StandardIdentityManagerTest.java
@@ -71,7 +71,7 @@
 import ca.nrc.cadc.auth.AuthorizationTokenPrincipal;
 import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.auth.IdentityManager;
-import ca.nrc.cadc.auth.NumericPrincipal;
+import ca.nrc.cadc.auth.OpenIdPrincipal;
 import ca.nrc.cadc.auth.PrincipalExtractor;
 import ca.nrc.cadc.auth.SSLUtil;
 import ca.nrc.cadc.auth.X509CertificateChain;
@@ -102,8 +102,9 @@ public class StandardIdentityManagerTest {
     private static final Logger log = Logger.getLogger(StandardIdentityManagerTest.class);
 
     static {
-        Log4jInit.setLevel("ca.nrc.cadc.auth", Level.INFO);
         Log4jInit.setLevel("org.opencadc.auth", Level.INFO);
+        Log4jInit.setLevel("ca.nrc.cadc.auth", Level.INFO);
+        Log4jInit.setLevel("ca.nrc.cadc.net", Level.INFO);
     }
 
     private X509CertificateChain chain;
@@ -168,26 +169,26 @@ public void testAccessToken() {
             Subject validated = AuthenticationUtil.getSubject(new DummyPrincipalExtractor(false, true), false);
             final StandardIdentityManager im = new StandardIdentityManager();
             log.info("validated: " + validated);
-            Assert.assertFalse("oidc uuid", validated.getPrincipals(NumericPrincipal.class).isEmpty());
+            Assert.assertFalse("oidc iss/sub", validated.getPrincipals(OpenIdPrincipal.class).isEmpty());
             Assert.assertFalse("oidc username", validated.getPrincipals(HttpPrincipal.class).isEmpty());
 
             Subject augmented = im.augment(validated);
             log.info("augmented: " + augmented);
-            Assert.assertFalse("oidc uuid", validated.getPrincipals(NumericPrincipal.class).isEmpty());
+            Assert.assertFalse("oidc iss/sub", validated.getPrincipals(OpenIdPrincipal.class).isEmpty());
             Assert.assertFalse("oidc username", validated.getPrincipals(HttpPrincipal.class).isEmpty());
 
             final Object owner = im.toOwner(augmented);
             Subject s = im.toSubject(owner);
             log.info("owner round trip: " + s);
             Assert.assertNotNull(s);
-            Assert.assertFalse(s.getPrincipals(NumericPrincipal.class).isEmpty());
+            Assert.assertFalse(s.getPrincipals(OpenIdPrincipal.class).isEmpty());
             Assert.assertTrue(s.getPrincipals(HttpPrincipal.class).isEmpty());
 
             // test using current subject as cache for augment
             Subject as = Subject.doAs(augmented, (PrivilegedExceptionAction<Subject>) () -> im.toSubject(owner));
             log.info("owner round trip inside doAs(augmented): " + as);
             Assert.assertNotNull(as);
-            Assert.assertFalse(as.getPrincipals(NumericPrincipal.class).isEmpty());
+            Assert.assertFalse(as.getPrincipals(OpenIdPrincipal.class).isEmpty());
             Assert.assertFalse(as.getPrincipals(HttpPrincipal.class).isEmpty());
 
         } catch (Exception unexpected) {

diff --git a/cadc-gms/src/intTest/resources/config/cadc-registry.properties b/cadc-gms/src/intTest/resources/config/cadc-registry.properties
@@ -5,6 +5,7 @@ ca.nrc.cadc.reg.client.RegistryClient.baseURL = https://haproxy.cadc.dao.nrc.ca/
 # configure LocalAuthority lookups
 ## SRC IAM prototype 
 ivo://ivoa.net/sso#OpenID = https://ska-iam.stfc.ac.uk/                                                                                       
-
-http://www.opencadc.org/std/posix#user-mapping-0.1 = ivo://opencadc.org/src/posix-mapper
+## these make the StandardIdentityManagerTest require a running posix-mapper so
+## commented out by default
+#http://www.opencadc.org/std/posix#user-mapping-0.1 = ivo://opencadc.org/src/posix-mapper
 #http://www.opencadc.org/std/posix#user-mapping-0.1 = https://haproxy.cadc.dao.nrc.ca/src/posix-mapper
diff --git a/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java b/cadc-gms/src/main/java/org/opencadc/auth/PosixMapperClient.java
@@ -115,8 +115,10 @@ public PosixMapperClient(URI resourceID) {
         this.service = resourceID.toASCIIString();
         try {
             final RegistryClient regClient = new RegistryClient();
+            regClient.setConnectionTimeout(6000); // ms
+            regClient.setReadTimeout(12000);      // ms
             this.capabilities = regClient.getCapabilities(resourceID);
-        } catch (ResourceNotFoundException | IOException ex) {
+        } catch (Exception ex) {
             throw new RuntimeException("failed to read capabilities for " + service, ex);
         }
     }
@@ -129,6 +131,8 @@ public PosixMapperClient(URL baseURL) {
         try {
             URL capURL = new URL(baseURL.toExternalForm() + "/capabilities");
             HttpGet get = new HttpGet(capURL, true);
+            get.setConnectionTimeout(6000); // ms
+            get.setReadTimeout(12000);      // ms
             get.prepare();
             CapabilitiesReader r = new CapabilitiesReader();
             this.capabilities = r.read(get.getInputStream());
@@ -179,6 +183,8 @@ public Subject augment(Subject subject)
         URL queryURL = new URL(query.toString());
 
         HttpGet get = new HttpGet(queryURL, true);
+        get.setConnectionTimeout(6000); // ms
+        get.setReadTimeout(30000);      // ms
         get.setRequestProperty("accept", "text/tab-separated-values");
         get.prepare();
 
@@ -238,6 +244,8 @@ public ResourceIterator<PosixPrincipal> getUserMap() throws IOException, Resourc
                                                                 ResourceAlreadyExistsException, InterruptedException {
         final URL userMapURL = getServiceURL(Standards.POSIX_USERMAP);
         final HttpGet get = new HttpGet(userMapURL, true);
+        get.setConnectionTimeout(6000); // ms
+        get.setReadTimeout(30000);      // ms
         get.setRequestProperty("accept", "text/tab-separated-values");
         get.prepare();
 
@@ -284,6 +292,8 @@ public ResourceIterator<PosixGroup> getGroupMap() throws IOException, ResourceNo
                                                      ResourceAlreadyExistsException, InterruptedException  {
         final URL userMapURL = getServiceURL(Standards.POSIX_GROUPMAP);
         final HttpGet get = new HttpGet(userMapURL, true);
+        get.setConnectionTimeout(6000); // ms
+        get.setReadTimeout(30000);      // ms
         get.setRequestProperty("accept", "text/tab-separated-values");
         get.prepare();
 
@@ -334,6 +344,8 @@ private List<PosixGroup> getPosixGroups(List<GroupURI> groupURIs, List<Integer>
         URL queryURL = new URL(query.toString());
 
         HttpGet get = new HttpGet(queryURL, true);
+        get.setConnectionTimeout(6000); // ms
+        get.setReadTimeout(30000);      // ms
         get.setRequestProperty("accept", "text/tab-separated-values");
         get.prepare();
 

diff --git a/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java b/cadc-gms/src/main/java/org/opencadc/auth/StandardIdentityManager.java
@@ -287,13 +287,12 @@ public Subject toSubject(Object owner) {
 
     @Override
     public Object toOwner(Subject subject) {
-        // use NumericPrincipal aka OIDC sub for persistence
         Set<OpenIdPrincipal> ps = subject.getPrincipals(OpenIdPrincipal.class);
         if (ps.isEmpty()) {
             return null;
         }
         OpenIdPrincipal openIdPrincipal = ps.iterator().next();
-        return openIdPrincipal.getIssuer().toString() + OID_OWNER_DELIM + openIdPrincipal.getName();
+        return openIdPrincipal.getIssuer().toExternalForm() + OID_OWNER_DELIM + openIdPrincipal.getName();
     }
 
     @Override