gplazma: fix banfile plugin

DmitryLitvintsev · mksahakyan · commit 35d4965eff82 · 2025-11-24T13:19:32.000+01:00
Motivation: ----------- Issue #7947 reports that banfile only bans user if there is only one 'ban foo:bar' line is present (one line per alias). Further investigation showed that actually only last line is taken. Modification: ------------- Modified BanFilePlugin to use List<String> containing elements already suitable for Pincipal coversion instead of Map<String, String> that naturally only kept the last instance of ban statement. Result: ------- Banfile plugin works as expected. Ticket: #7947 Acked-by: Paul Millar Target: trunk Request: 11.1, 11.0, 10.2 Require-book: no Require-notes: yes
diff --git a/modules/gplazma2-banfile/src/main/java/org/dcache/gplazma/plugins/BanFilePlugin.java b/modules/gplazma2-banfile/src/main/java/org/dcache/gplazma/plugins/BanFilePlugin.java
@@ -11,6 +11,7 @@
 import java.nio.file.attribute.BasicFileAttributes;
 import java.security.Principal;
 import java.time.Instant;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -93,8 +94,8 @@ private synchronized Set<Principal> loadConfigIfNeeded() throws AuthenticationEx
                 // alias -> value, like uid=org.dcache.auth.UidPrincipal
                 Map<String, String> aliases = new HashMap<>();
 
-                // class/alias -> value, like uid:123 or org.dcache.auth.UidPrincipal:123
-                Map<String, String> bans = new HashMap<>();
+                // List of banned names like "uid:123" or "org.dcache.auth.UidPrincipal:123"
+                List<String> bannedNames = new ArrayList<>();
 
                 // group all 'alias' and all 'ban' records, skip comments and empty lines
                 Map<String, List<String>> config = loadConfigLines().stream()
@@ -129,7 +130,7 @@ private synchronized Set<Principal> loadConfigIfNeeded() throws AuthenticationEx
                         }
                         String clazz = m.group(1);
                         String value = m.group(2);
-                        bans.put(aliases.getOrDefault(clazz, clazz), value);
+                        bannedNames.add(aliases.getOrDefault(clazz, clazz)+":"+value);
                     });
                 }
 
@@ -140,13 +141,6 @@ private synchronized Set<Principal> loadConfigIfNeeded() throws AuthenticationEx
                     throw new IllegalArgumentException("Line has bad format: '" + badLines
                           + "', expected '[alias|ban] <key>:<value>'");
                 }
-
-                // construct lines suitable for Subjects.principalsFromArgs
-                // class:value or shortname:value
-                List<String> bannedNames = bans.entrySet().stream()
-                      .map(e -> e.getKey() + ":" + e.getValue())
-                      .collect(Collectors.toList());
-
                 bannedPrincipals = Subjects.principalsFromArgs(bannedNames);
                 lastFileRead = Instant.now();
             }
diff --git a/modules/gplazma2-banfile/src/test/java/org/dcache/gplazma/plugins/BanFilePluginTest.java b/modules/gplazma2-banfile/src/test/java/org/dcache/gplazma/plugins/BanFilePluginTest.java
@@ -98,10 +98,22 @@ public void shouldWorkMultipleInvocations() throws IOException, AuthenticationEx
 
     @Test(expected = AuthenticationException.class)
     public void shouldFailForBannedUserByAlias() throws IOException, AuthenticationException {
-        givenConfig("alias foo=org.dcache.auth.UserNamePrincipal\nban foo:bert");
+        givenConfig("alias foo=org.dcache.auth.UserNamePrincipal\nban foo:bert\n");
         plugin.account(Set.of(new UserNamePrincipal("bert")));
     }
 
+    @Test(expected = AuthenticationException.class)
+    public void shouldFailForBannedUserByAliasFirstInList() throws IOException, AuthenticationException {
+        givenConfig("alias foo=org.dcache.auth.UserNamePrincipal\nban foo:bert\nban foo:bart\n");
+        plugin.account(Set.of(new UserNamePrincipal("bert")));
+    }
+
+    @Test(expected = AuthenticationException.class)
+    public void shouldFailForBannedUserByAliasLastInList() throws IOException, AuthenticationException {
+        givenConfig("alias foo=org.dcache.auth.UserNamePrincipal\nban foo:bert\nban foo:bart\n");
+        plugin.account(Set.of(new UserNamePrincipal("bart")));
+    }
+
     @Test(expected = AuthenticationException.class)
     public void shouldFailForBannedUserByStandardAlias()
           throws IOException, AuthenticationException {
