diff --git a/modules/gplazma2/src/main/java/org/dcache/gplazma/GPlazma.java b/modules/gplazma2/src/main/java/org/dcache/gplazma/GPlazma.java index d01ede32fe4..05339caccfb 100644 --- a/modules/gplazma2/src/main/java/org/dcache/gplazma/GPlazma.java +++ b/modules/gplazma2/src/main/java/org/dcache/gplazma/GPlazma.java @@ -203,6 +203,16 @@ public LoginReply buildReply(LoginMonitor monitor, Subject originalSubject, Subject subject = new Subject(false, principals, publicCredentials, privateCredentials); + + // REVISIT: some parts of dCache use Subject to identify the users role, thus require RolePrincipal, + // others use solo Role attributes. For now, enforce RolePrincipal if Role attribute is set. + for (Object attribute : attributes) { + if (attribute instanceof org.dcache.auth.attributes.Role) { + String roleName = ((org.dcache.auth.attributes.Role) attribute).getRole(); + subject.getPrincipals().add(new org.dcache.auth.RolePrincipal(roleName)); + } + } + reply.setSubject(subject); reply.setSessionAttributes(attributes); diff --git a/modules/gplazma2/src/test/java/org/dcache/gplazma/AddHomeRootSessionPlugin.java b/modules/gplazma2/src/test/java/org/dcache/gplazma/AddHomeRootSessionPlugin.java index deb98b26296..ca937797d69 100644 --- a/modules/gplazma2/src/test/java/org/dcache/gplazma/AddHomeRootSessionPlugin.java +++ b/modules/gplazma2/src/test/java/org/dcache/gplazma/AddHomeRootSessionPlugin.java @@ -5,10 +5,13 @@ import java.security.Principal; import java.util.Properties; import java.util.Set; + +import org.dcache.auth.DesiredRole; import org.dcache.auth.UserNamePrincipal; import org.dcache.auth.attributes.HomeDirectory; import org.dcache.auth.attributes.Restriction; import org.dcache.auth.attributes.Restrictions; +import org.dcache.auth.attributes.Role; import org.dcache.auth.attributes.RootDirectory; import org.dcache.gplazma.plugins.GPlazmaSessionPlugin; @@ -55,6 +58,9 @@ public void session(Set authorizedPrincipals, if (restriction != null) { attrib.add(restriction); } + authorizedPrincipals.stream().filter(p -> p instanceof DesiredRole) + .map(DesiredRole.class::cast).map(DesiredRole::getName) + .forEach(r -> attrib.add(new Role(r))); return; } } diff --git a/modules/gplazma2/src/test/java/org/dcache/gplazma/GPlazmaTests.java b/modules/gplazma2/src/test/java/org/dcache/gplazma/GPlazmaTests.java index c72d6f9c188..49e8dff291f 100644 --- a/modules/gplazma2/src/test/java/org/dcache/gplazma/GPlazmaTests.java +++ b/modules/gplazma2/src/test/java/org/dcache/gplazma/GPlazmaTests.java @@ -18,7 +18,11 @@ import java.util.Properties; import java.util.Set; import javax.security.auth.Subject; + +import org.dcache.auth.DesiredRole; import org.dcache.auth.GidPrincipal; +import org.dcache.auth.RolePrincipal; +import org.dcache.auth.Subjects; import org.dcache.auth.UidPrincipal; import org.dcache.auth.UserNamePrincipal; import org.dcache.auth.attributes.HomeDirectory; @@ -352,6 +356,20 @@ public void testLoginWithoutAuthentication() throws AuthenticationException { Assert.assertNotNull(result); } + + @Test + public void testRolePropagation() throws AuthenticationException { + Configuration config = newConfiguration( + AUTH_CONFIG_ITEM, + MAPPING_CONFIG_ITEM, + ACCOUNT_CONFIG_ITEM, + SESSION_CONFIG_ITEM); + + _inputSubject.getPrincipals().add(new DesiredRole("qos-user")); + LoginReply result = new GPlazma(newLoadStrategy(config), EMPTY_PROPERTIES).login(_inputSubject); + assertTrue("Missing qos-user role", Subjects.hasRole(result.getSubject(), RolePrincipal.Role.QOS_USER)); + } + private static Configuration newConfiguration(ConfigurationItem... items) { return new Configuration( Arrays.asList(items));