Bug 5966

Summary: refactor blacklist implementation in GS4GT
Product: GridShib
Reporter: Tom Scavo <trscavo@gmail.com>
Component: GT plugin
Assignee: Tom Scavo <trscavo@gmail.com>
Status: RESOLVED FIXED
Severity: normal
CC: gridshib-dev@globus.org, jbasney@ncsa.uiuc.edu, trscavo@gmail.com, vwelch@uiuc.edu
Priority: P3
Version: unspecified
Target Milestone: beta
Hardware: All
OS: All
Bug Depends on: 5791, 6179
Bug Blocks: 6167, 6332

Description From 2008-03-30 19:51:46
In Bug 5960, we implemented a blacklist of principal name identifiers, which
was released with GS4GTv0.6.0.  A fairly complete list of changes made to GS4GT
at that time is included below.

The notes in parentheses are things that need to be done in a subsequent
version of GS-ST (Bug 5965).  Once that's done, a new gridshib-common*.jar
needs to be integrated into GS4GT.  This will require some refactoring at each
of the touch points indicated below.

--------------------------
SAMLPrincipal:
- extends org.globus.gsi.jaas.SimplePrincipal
- (move this class to GS-ST)

AttributeAcceptancePIPImpl:
- if a SAMLIdentity is trusted, create a SAMLPrincipal
- (push this functionality back into GS-ST)

GS4GTSecurityContext:
- implement getGlobusPrincipal() method
- implement getSAMLPrincipals() method
- (push getSAMLPrincipals() method into GS-ST)
- remove unused getUsernames() method
- implement getUserNamePrincipals() method
- remove redundant toString() method
- refactor toString(boolean) method
- (move most of toString(boolean) to SAMLSecurityContext)

SAMLBlacklistPDPImpl:
- check IP address
- check all SAMLPrincipals
- check GlobusPrincipal

GS4GTSecurityContextLogger:
- log GlobusPrincipal
- log SAMLPrincipals
- (push logging of SAMLPrincipals into GS-ST)
- log UserNamePrincipals
- implement (redundant) quote(String) method
- (make SecurityContextLogger.quote(String) public)
------- Comment #1 From 2008-06-28 21:21:52 -------
The blacklist implementation has been refactored and tested.
------- Comment #2 From 2008-07-11 13:26:47 -------
Allow blacklisting based on identity attributes.
------- Comment #3 From 2008-07-23 14:04:57 -------
(In reply to comment #1)
> The blacklist implementation has been refactored and tested.

Affected source files have been committed to CVS HEAD.  This patch will be
distributed with GS4GT v0.6.1.
------- Comment #4 From 2008-07-29 16:37:14 -------
(In reply to comment #2)
> Allow blacklisting based on identity attributes.

Do the following:

0. Create interceptors/java/source/share/identity-attributes.txt
1. Deploy identity-attributes.txt into $G_L/share
2. Dynamically create gridshib-bootstrap.properties
3. Remove call to GS4GTSecurityContext.init() from SAMLAssertionPushPIPImpl
4. Test blacklisting of e-mail addresses
------- Comment #5 From 2008-07-29 16:45:47 -------
(In reply to comment #4)
> 
> 0. Create interceptors/java/source/share/identity-attributes.txt

##### BEGIN identity-attributes.txt
# Identity Attributes
#
# By definition, the value(s) of identity attributes are 
# globally unique identifiers for the user.
#
# Since this implementation is restricted to string-valued
# attributes, the value(s) of trusted identity attributes 
# are globally unique SAML principal names.  In GridShib
# for GT, the latter are used to implement a simple, flat 
# file-based blacklisting framework.  In other words, the
# value(s) of trusted identity attributes are blacklistable.

# FriendlyName="eduPersonPrincipalName"
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

# FriendlyName="mail"
urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3
##### END identity-attributes.txt

> 1. Deploy identity-attributes.txt into $G_L/share

Modified interceptors/java/source/build.xml and committed to CVS HEAD.
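The following is an added example, not GS4GT code from this bug or its CVS tree: it parses the identity-attributes.txt layout quoted in comment #5 and a constructed blacklist of principal names (assumed to share the same one-entry-per-line shape as the blacklistPrincipalNamesFile named in comment #8), then shows that only values of trusted identity attributes are checked against the blacklist. The SAML attribute inputs and the blacklist contents are constructed for the example.

```python
"""Added example (not GS4GT's own code): flat-file blacklisting of the
values of trusted identity attributes, as described in comment #5.
File contents and SAML attributes below are constructed for illustration."""
from typing import Dict, Iterable, List, Set

# Constructed copy of the identity-attributes.txt layout from comment #5.
IDENTITY_ATTRIBUTES_TXT = """\
# FriendlyName="eduPersonPrincipalName"
urn:oid:1.3.6.1.4.1.5923.1.1.1.6

# FriendlyName="mail"
urn:mace:dir:attribute-def:mail
urn:oid:0.9.2342.19200300.100.1.3
"""

# Constructed blacklist; one principal name per line is an assumption here.
BLACKLIST_TXT = """\
# blocked principal names
blocked@example.org
"""


def parse_flat_file(text: str) -> List[str]:
    """One entry per line; blank lines and full-line '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def principal_names(attributes: Dict[str, Iterable[str]],
                    identity_attrs: Iterable[str]) -> Set[str]:
    """Values of *trusted* identity attributes are the SAML principal names;
    values of any other attribute are never treated as identifiers."""
    trusted = set(identity_attrs)
    return {v for name, vals in attributes.items() if name in trusted for v in vals}


def blacklisted_names(attributes: Dict[str, Iterable[str]],
                      identity_attrs_txt: str = IDENTITY_ATTRIBUTES_TXT,
                      blacklist_txt: str = BLACKLIST_TXT) -> List[str]:
    """Return the sorted principal names that hit the blacklist (empty = allow).
    Returning the matches, not just a bool, gives the logger something to record."""
    names = principal_names(attributes, parse_flat_file(identity_attrs_txt))
    return sorted(names & set(parse_flat_file(blacklist_txt)))
```

A blacklisted string carried in a non-identity attribute (for example a constructed givenName value) does not produce a match, since only attributes listed in identity-attributes.txt yield principal names.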
------- Comment #6 From 2008-07-29 18:10:34 -------
(In reply to comment #4)
> 
> 3. Remove call to GS4GTSecurityContext.init() from SAMLAssertionPushPIPImpl

Created a separate bug entry (Bug 6269) for this configuration change.
------- Comment #7 From 2008-07-29 21:19:37 -------
(In reply to comment #4)
> 
> 2. Dynamically create gridshib-bootstrap.properties

Modified interceptors/java/source/build.xml and committed to CVS HEAD.
------- Comment #8 From 2008-07-30 20:17:59 -------
Changed the name of config parameter "blacklistNameIdentifiersFile" to
"blacklistPrincipalNamesFile".  This breaks backward compatibility but I feel
it's necessary as we roll out GS4GT in CTSS4.  This change will be more
difficult to swallow moving forward.

Patched the EchoService config and the docbook docs.  This patch will be rolled
out in GS4GT v0.6.1.
------- Comment #9 From 2008-07-30 20:21:28 -------
Tested the new blacklist framework and committed all resources to CVS HEAD. 
This feature will be rolled out in GS4GT v0.6.1.