1b28a5538SAdam Hornacek /* 2b28a5538SAdam Hornacek * CDDL HEADER START 3b28a5538SAdam Hornacek * 4b28a5538SAdam Hornacek * The contents of this file are subject to the terms of the 5b28a5538SAdam Hornacek * Common Development and Distribution License (the "License"). 6b28a5538SAdam Hornacek * You may not use this file except in compliance with the License. 7b28a5538SAdam Hornacek * 8b28a5538SAdam Hornacek * See LICENSE.txt included in this distribution for the specific 9b28a5538SAdam Hornacek * language governing permissions and limitations under the License. 10b28a5538SAdam Hornacek * 11b28a5538SAdam Hornacek * When distributing Covered Code, include this CDDL HEADER in each 12b28a5538SAdam Hornacek * file and include the License file at LICENSE.txt. 13b28a5538SAdam Hornacek * If applicable, add the following below this CDDL HEADER, with the 14b28a5538SAdam Hornacek * fields enclosed by brackets "[]" replaced with your own identifying 15b28a5538SAdam Hornacek * information: Portions Copyright [yyyy] [name of copyright owner] 16b28a5538SAdam Hornacek * 17b28a5538SAdam Hornacek * CDDL HEADER END 18b28a5538SAdam Hornacek */ 19b28a5538SAdam Hornacek 20b28a5538SAdam Hornacek /* 2153c33ae5SVladimir Kotal * Copyright (c) 2016, 2019 Oracle and/or its affiliates. All rights reserved. 22b28a5538SAdam Hornacek */ 23b28a5538SAdam Hornacek package opengrok.auth.plugin; 24b28a5538SAdam Hornacek 2553c33ae5SVladimir Kotal import java.util.Arrays; 26b28a5538SAdam Hornacek import java.util.HashMap; 2753c33ae5SVladimir Kotal import java.util.HashSet; 28b28a5538SAdam Hornacek import java.util.Map; 29b28a5538SAdam Hornacek import java.util.Set; 30b28a5538SAdam Hornacek import java.util.logging.Level; 31b28a5538SAdam Hornacek import java.util.logging.Logger; 32b28a5538SAdam Hornacek import javax.servlet.http.HttpServletRequest; 33b28a5538SAdam Hornacek import opengrok.auth.entity.LdapUser; 34b28a5538SAdam Hornacek import opengrok.auth.plugin.entity.User; 3517deb9edSVladimir Kotal import opengrok.auth.plugin.ldap.AbstractLdapProvider; 36b28a5538SAdam Hornacek import opengrok.auth.plugin.ldap.LdapException; 37b28a5538SAdam Hornacek import org.opengrok.indexer.authorization.AuthorizationException; 38b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Group; 39b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Project; 40b28a5538SAdam Hornacek 41f305899cSVladimir Kotal import static opengrok.auth.plugin.util.FilterUtil.expandUserFilter; 42f305899cSVladimir Kotal 43b28a5538SAdam Hornacek /** 44b28a5538SAdam Hornacek * Authorization plug-in to extract user's LDAP attributes. 45b28a5538SAdam Hornacek * The attributes can be then used by the other LDAP plugins down the stack. 46b28a5538SAdam Hornacek * 47b28a5538SAdam Hornacek * @author Krystof Tulinger 48b28a5538SAdam Hornacek */ 49b28a5538SAdam Hornacek public class LdapUserPlugin extends AbstractLdapPlugin { 50b28a5538SAdam Hornacek 51b28a5538SAdam Hornacek private static final Logger LOGGER = Logger.getLogger(LdapUserPlugin.class.getName()); 52b28a5538SAdam Hornacek 53b28a5538SAdam Hornacek public static final String SESSION_ATTR = "opengrok-ldap-plugin-user"; 54b28a5538SAdam Hornacek 5553c33ae5SVladimir Kotal /** 56*0e7ff20bSVladimir Kotal * List of configuration names. 5753c33ae5SVladimir Kotal * <ul> 5853c33ae5SVladimir Kotal * <li><code>filter</code> is LDAP filter used for searching (optional)</li> 599f40699fSVladimir Kotal * <li><code>useDN</code> boolean value indicating if User.username should be used as search Distinguished Name (optional, default is false)</li> 6053c33ae5SVladimir Kotal * <li><code>attributes</code> is comma separated list of LDAP attributes to be produced (mandatory)</li> 6153c33ae5SVladimir Kotal * </ul> 6253c33ae5SVladimir Kotal */ 6353c33ae5SVladimir Kotal protected static final String LDAP_FILTER = "filter"; 64b28a5538SAdam Hornacek protected static final String ATTRIBUTES = "attributes"; 6553c33ae5SVladimir Kotal protected static final String USE_DN = "useDN"; 66b28a5538SAdam Hornacek 6753c33ae5SVladimir Kotal private String ldapFilter; 6853c33ae5SVladimir Kotal private Boolean useDN; 6953c33ae5SVladimir Kotal private Set<String> attributes; 70b28a5538SAdam Hornacek 713c16dad8SVladimir Kotal // for testing load(Map<String, Object> parameters, AbstractLdapProvider provider)723c16dad8SVladimir Kotal void load(Map<String, Object> parameters, AbstractLdapProvider provider) { 733c16dad8SVladimir Kotal super.load(provider); 743c16dad8SVladimir Kotal 753c16dad8SVladimir Kotal init(parameters); 763c16dad8SVladimir Kotal } 773c16dad8SVladimir Kotal 78b28a5538SAdam Hornacek @Override load(Map<String, Object> parameters)79b28a5538SAdam Hornacek public void load(Map<String, Object> parameters) { 80b28a5538SAdam Hornacek super.load(parameters); 81b28a5538SAdam Hornacek 823c16dad8SVladimir Kotal init(parameters); 833c16dad8SVladimir Kotal } 843c16dad8SVladimir Kotal init(Map<String, Object> parameters)853c16dad8SVladimir Kotal private void init(Map<String, Object> parameters) { 86b28a5538SAdam Hornacek String attributesVal; 87b28a5538SAdam Hornacek if ((attributesVal = (String) parameters.get(ATTRIBUTES)) == null) { 8853c33ae5SVladimir Kotal throw new NullPointerException("Missing configuration parameter [" + ATTRIBUTES + 89b28a5538SAdam Hornacek "] in the setup"); 90b28a5538SAdam Hornacek } 9153c33ae5SVladimir Kotal attributes = new HashSet<>(Arrays.asList(attributesVal.split(","))); 92b28a5538SAdam Hornacek 9353c33ae5SVladimir Kotal ldapFilter = (String) parameters.get(LDAP_FILTER); 9453c33ae5SVladimir Kotal 9553c33ae5SVladimir Kotal if ((useDN = (Boolean) parameters.get(USE_DN)) == null) { 9653c33ae5SVladimir Kotal useDN = false; 9753c33ae5SVladimir Kotal } 9853c33ae5SVladimir Kotal 9953c33ae5SVladimir Kotal LOGGER.log(Level.FINE, "LdapUser plugin loaded with filter={0}, " + 10053c33ae5SVladimir Kotal "attributes={1}, useDN={2}", 101172ba845SVladimir Kotal new Object[]{ldapFilter, attributes, useDN}); 102b28a5538SAdam Hornacek } 103b28a5538SAdam Hornacek 104b28a5538SAdam Hornacek /** 105b28a5538SAdam Hornacek * Check if the session exists and contains all necessary fields required by 106b28a5538SAdam Hornacek * this plug-in. 107b28a5538SAdam Hornacek * 108b28a5538SAdam Hornacek * @param req the HTTP request 109b28a5538SAdam Hornacek * @return true if it does; false otherwise 110b28a5538SAdam Hornacek */ 111b28a5538SAdam Hornacek @Override sessionExists(HttpServletRequest req)112b28a5538SAdam Hornacek protected boolean sessionExists(HttpServletRequest req) { 113b28a5538SAdam Hornacek return super.sessionExists(req) 114b28a5538SAdam Hornacek && req.getSession().getAttribute(SESSION_ATTR) != null; 115b28a5538SAdam Hornacek } 116b28a5538SAdam Hornacek 11753c33ae5SVladimir Kotal /** 118f305899cSVladimir Kotal * Expand {@code User} object attribute values into the filter. 11953c33ae5SVladimir Kotal * 120f305899cSVladimir Kotal * @see opengrok.auth.plugin.util.FilterUtil 12153c33ae5SVladimir Kotal * 12253c33ae5SVladimir Kotal * Use \% for printing the '%' character. 12353c33ae5SVladimir Kotal * 124750d880bSVladimir Kotal * @param user User object from the request (created by {@code UserPlugin}) 12553c33ae5SVladimir Kotal * @return replaced result 12653c33ae5SVladimir Kotal */ expandFilter(User user)12753c33ae5SVladimir Kotal protected String expandFilter(User user) { 12853c33ae5SVladimir Kotal String filter = ldapFilter; 129b28a5538SAdam Hornacek 130f305899cSVladimir Kotal filter = expandUserFilter(user, filter); 131b28a5538SAdam Hornacek 13253c33ae5SVladimir Kotal filter = filter.replaceAll("\\\\%", "%"); 13353c33ae5SVladimir Kotal 13453c33ae5SVladimir Kotal return filter; 135b28a5538SAdam Hornacek } 136b28a5538SAdam Hornacek 137b28a5538SAdam Hornacek @Override fillSession(HttpServletRequest req, User user)138b28a5538SAdam Hornacek public void fillSession(HttpServletRequest req, User user) { 139b28a5538SAdam Hornacek Map<String, Set<String>> records; 140b28a5538SAdam Hornacek 141b28a5538SAdam Hornacek updateSession(req, null); 142b28a5538SAdam Hornacek 143b28a5538SAdam Hornacek if (getLdapProvider() == null) { 14453c33ae5SVladimir Kotal LOGGER.log(Level.WARNING, "cannot get LDAP provider"); 145b28a5538SAdam Hornacek return; 146b28a5538SAdam Hornacek } 147b28a5538SAdam Hornacek 14853c33ae5SVladimir Kotal String expandedFilter = null; 14917deb9edSVladimir Kotal String dn; 15053c33ae5SVladimir Kotal if (ldapFilter != null) { 15153c33ae5SVladimir Kotal expandedFilter = expandFilter(user); 15253c33ae5SVladimir Kotal } 153b28a5538SAdam Hornacek try { 15417deb9edSVladimir Kotal AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res; 15517deb9edSVladimir Kotal if ((res = getLdapProvider().lookupLdapContent(useDN ? user.getUsername() : null, 15653c33ae5SVladimir Kotal expandedFilter, attributes.toArray(new String[attributes.size()]))) == null) { 157afd2f2f7SVladimir Kotal LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} " + 158b28a5538SAdam Hornacek "with filter ''{1}''", 159172ba845SVladimir Kotal new Object[]{user, expandedFilter, attributes}); 160b28a5538SAdam Hornacek return; 161b28a5538SAdam Hornacek } 16217deb9edSVladimir Kotal 16317deb9edSVladimir Kotal records = res.getAttrs(); 16417deb9edSVladimir Kotal dn = res.getDN(); 165b28a5538SAdam Hornacek } catch (LdapException ex) { 166b28a5538SAdam Hornacek throw new AuthorizationException(ex); 167b28a5538SAdam Hornacek } 168b28a5538SAdam Hornacek 169b28a5538SAdam Hornacek if (records.isEmpty()) { 170b28a5538SAdam Hornacek LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty", 171b28a5538SAdam Hornacek user); 172b28a5538SAdam Hornacek return; 173b28a5538SAdam Hornacek } 174b28a5538SAdam Hornacek 175b28a5538SAdam Hornacek for (String attrName : attributes) { 176b28a5538SAdam Hornacek if (!records.containsKey(attrName) || records.get(attrName).isEmpty()) { 17753c33ae5SVladimir Kotal LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty (LDAP provider: {2})", 17853c33ae5SVladimir Kotal new Object[]{attrName, user, getLdapProvider()}); 179b28a5538SAdam Hornacek } 180b28a5538SAdam Hornacek } 181b28a5538SAdam Hornacek 182b28a5538SAdam Hornacek Map<String, Set<String>> attrSet = new HashMap<>(); 183b28a5538SAdam Hornacek for (String attrName : attributes) { 184b28a5538SAdam Hornacek attrSet.put(attrName, records.get(attrName)); 185b28a5538SAdam Hornacek } 186b28a5538SAdam Hornacek 187e188d1ddSVladimir Kotal updateSession(req, new LdapUser(useDN ? user.getUsername() : dn, attrSet)); 188b28a5538SAdam Hornacek } 189b28a5538SAdam Hornacek 190b28a5538SAdam Hornacek /** 191b28a5538SAdam Hornacek * Add a new user value into the session. 192b28a5538SAdam Hornacek * 193b28a5538SAdam Hornacek * @param req the request 194b28a5538SAdam Hornacek * @param user the new value for user 195b28a5538SAdam Hornacek */ updateSession(HttpServletRequest req, LdapUser user)196b28a5538SAdam Hornacek protected void updateSession(HttpServletRequest req, LdapUser user) { 197b28a5538SAdam Hornacek req.getSession().setAttribute(SESSION_ATTR, user); 198b28a5538SAdam Hornacek } 199b28a5538SAdam Hornacek 200b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Project project)201b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Project project) { 202b28a5538SAdam Hornacek return request.getSession().getAttribute(SESSION_ATTR) != null; 203b28a5538SAdam Hornacek } 204b28a5538SAdam Hornacek 205b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Group group)206b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Group group) { 207b28a5538SAdam Hornacek return request.getSession().getAttribute(SESSION_ATTR) != null; 208b28a5538SAdam Hornacek } 209b28a5538SAdam Hornacek } 210