Bug 6449 - implement getGatewayIdentity method
Status: RESOLVED FIXED
Product: GridShib
Component: SAML/Binding Tools
Version: 0.5.2
Hardware/OS: All / All
Importance: P3 normal
Target Milestone: 0.5.3
Related bugs (depends on/blocks): 6428 6450
Reported: 2008-10-10 14:02 by
Modified: 2009-03-18 12:53 (History)

Description From 2008-10-10 14:02:15
Implement a utility class with the following static method:

public static String getGatewayIdentity(javax.security.auth.Subject subject);

The GRAM code will dynamically load the class and call the above method.
------- Comment #1 From 2008-10-10 14:05:15 -------
Implemented class org.teragrid.ncsa.gridshib.security.util.SAMLUtil with the
required static method.  Implemented a corresponding unit test.
------- Comment #2 From 2008-10-10 14:30:54 -------
Committed all resources to CVS HEAD.  This new feature will be distributed with
the next release of GridShib SAML Tools (or the next release of GridShib for GT
depending on the resolution of Bug 6426).
------- Comment #4 From 2009-03-08 21:20:50 -------
Reopening this bug.  Adding gram-dev to the cc list since GRAM depends on this
class.

The SAMLUtil class defines a getGatewayIdentity method that retrieves the
gateway user identifier from the security context:

http://viewcvs.globus.org/viewcvs.cgi/gridshib/saml/teragrid/java/src/org/teragrid/ncsa/gridshib/security/util/SAMLUtil.java?view=log

The current version of the getGatewayIdentity method identifies a potential
gateway user by examining a prefix of the corresponding SAML issuer (i.e., the
entityID).  Since the prefix is hardcoded into the SAMLUtil class, this method
is brittle.

Actually, this method of determining the gateway user is a bug.  Suppose an RP
mistakenly configures metadata containing an entityID such that a prefix of the
entityID matches the prefix hardcoded in the SAMLUtil class.  Then the SAML
issuer corresponding to this entityID can impersonate a Science Gateway.  This
may result in an incorrect access control decision.  In the very least, it will
result in a bogus gateway user identifier appearing in the GRAM audit DB and
subsequently in the TGCDB.
------- Comment #5 From 2009-03-08 21:35:04 -------
(In reply to comment #4)
> 
> Actually, this method of determining the gateway user is a bug.

The solution to this problem is to implement a PIP in GS4GT that computes the
gateway user identifier *and then stores the identifier in the user's security
context* (Bug 6652).  The getGatewayIdentity method in the SAMLUtil class can
retrieve the identifier from the security context.  (I'm not sure why I didn't
think of this before.)

To this end, we define a TGSecurityContext interface with a
getTeraGridPrincipal method:

public interface TGSecurityContext extends SecurityContext {
    public TeraGridPrincipal getTeraGridPrincipal();
}

We provide an implementation of the TeraGridPrincipal class as well.  The
SAMLUtil class can use these components to implement the getGatewayIdentity
method.
------- Comment #6 From 2009-03-08 21:46:16 -------
Removed these constants from the SAMLUtil class:

final public static String ENTITYID_PREFIX =
    "https://saml.teragrid.org/gateway";

final public static String TGPN =
    "http://teragrid.org/names/nameid-format/principalname";

TGPN is no longer needed since it is now part of the Globus SAML Library (Bug
6679). ENTITYID_PREFIX is involved in the buggy computation described in
Comment #4, so it definitely has to go :-)
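As an added illustration (not GridShib's own code) of the bug in Comment #4 and the design in Comment #5, using the constant from Comment #6: the prefix-based lookup beside a version that returns only the TeraGridPrincipal a PIP has stored in the security context. The SamlIssuerPrincipal type, carrying the context as a public credential of the Subject, and the sample entityIDs are assumptions.

```java
import java.security.Principal;
import javax.security.auth.Subject;
// Stand-ins for the GridShib/Globus types named in this bug; assumed shapes, not project code.
interface SecurityContext {}
interface TGSecurityContext extends SecurityContext {
    TeraGridPrincipal getTeraGridPrincipal();
}
final class TeraGridPrincipal implements Principal {
    private final String name;
    TeraGridPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
// Hypothetical principal carrying a SAML issuer's entityID.
final class SamlIssuerPrincipal implements Principal {
    private final String entityID;
    SamlIssuerPrincipal(String entityID) { this.entityID = entityID; }
    public String getName() { return entityID; }
}
public final class GatewayIdentityExample {
    static final String ENTITYID_PREFIX = "https://saml.teragrid.org/gateway"; // removed in Comment #6

    // Before (the bug in Comment #4): a prefix of the issuer entityID decides who is a gateway.
    static String getGatewayIdentityByPrefix(Subject subject) {
        for (SamlIssuerPrincipal p : subject.getPrincipals(SamlIssuerPrincipal.class)) {
            if (p.getName().startsWith(ENTITYID_PREFIX)) return p.getName();
        }
        return null;
    }

    // After (Comment #5): return only the identifier a PIP already stored in the security
    // context. Assumption: the context is attached to the Subject as a public credential.
    static String getGatewayIdentity(Subject subject) {
        for (TGSecurityContext c : subject.getPublicCredentials(TGSecurityContext.class)) {
            TeraGridPrincipal tgp = c.getTeraGridPrincipal();
            if (tgp != null) return tgp.getName();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed: an RP whose entityID merely shares the prefix and has no PIP-stored identity.
        Subject rp = new Subject();
        rp.getPrincipals().add(new SamlIssuerPrincipal("https://saml.teragrid.org/gateway-rp"));
        System.out.println("prefix check: " + getGatewayIdentityByPrefix(rp)); // accepts the RP as a gateway
        System.out.println("context check: " + getGatewayIdentity(rp));        // nothing stored by a PIP
        // Constructed: a genuine gateway user whose identifier a PIP placed in the context.
        Subject gw = new Subject();
        gw.getPublicCredentials().add((TGSecurityContext) () -> new TeraGridPrincipal("gwuser@gateway.example"));
        System.out.println("context check: " + getGatewayIdentity(gw));
    }
}
```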
------- Comment #7 From 2009-03-08 21:48:55 -------
Completely refactored the getGatewayIdentity method in the SAMLUtil class.  The
method relies on the TGSecurityContext interface and the TeraGridPrincipal
class described in Comment #5.
------- Comment #8 From 2009-03-08 21:56:42 -------
Changed the visibility of some members of the SAMLPrincipal class to
accommodate the TeraGridPrincipal class (which is a subclass).
------- Comment #9 From 2009-03-08 21:59:40 -------
Implemented a new getTeraGridPrincipal method in the GatewaySecurityContext
class (which is a helper class for the SAMLUtil unit test).  The
GatewaySecurityContext class is essentially a proof of concept for the eventual
implementation of the TGSecurityContext interface.
------- Comment #10 From 2009-03-08 22:02:50 -------
Committed all resources to CVS HEAD.  This patch will be distributed with GS-ST
v0.5.4, which unfortunately is not bundled with Capability Kit V2.  Keeping
this bug open until we figure out how to distribute this patch.
------- Comment #11 From 2009-03-09 07:05:00 -------
(In reply to comment #10)
> This patch will be distributed with GS-ST
> v0.5.4, which unfortunately is not bundled with Capability Kit V2.  Keeping
> this bug open until we figure out how to distribute this patch.

It was a mistake to reopen this bug (which blocks Capability Kit V2).  Instead,
a new bug should be opened for this work.  All of the content of Comment #4,
Comment #5, Comment #6, Comment #7, Comment #8, Comment #9, and Comment #10 has
been moved to Bug 6683.

This bug is now closed (and it should not be reopened).