1b28a5538SAdam Hornacek /* 2b28a5538SAdam Hornacek * CDDL HEADER START 3b28a5538SAdam Hornacek * 4b28a5538SAdam Hornacek * The contents of this file are subject to the terms of the 5b28a5538SAdam Hornacek * Common Development and Distribution License (the "License"). 6b28a5538SAdam Hornacek * You may not use this file except in compliance with the License. 7b28a5538SAdam Hornacek * 8b28a5538SAdam Hornacek * See LICENSE.txt included in this distribution for the specific 9b28a5538SAdam Hornacek * language governing permissions and limitations under the License. 10b28a5538SAdam Hornacek * 11b28a5538SAdam Hornacek * When distributing Covered Code, include this CDDL HEADER in each 12b28a5538SAdam Hornacek * file and include the License file at LICENSE.txt. 13b28a5538SAdam Hornacek * If applicable, add the following below this CDDL HEADER, with the 14b28a5538SAdam Hornacek * fields enclosed by brackets "[]" replaced with your own identifying 15b28a5538SAdam Hornacek * information: Portions Copyright [yyyy] [name of copyright owner] 16b28a5538SAdam Hornacek * 17b28a5538SAdam Hornacek * CDDL HEADER END 18b28a5538SAdam Hornacek */ 19b28a5538SAdam Hornacek 20b28a5538SAdam Hornacek /* 21*5aedecbdSVladimir Kotal * Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved. 22b28a5538SAdam Hornacek */ 23b28a5538SAdam Hornacek package opengrok.auth.plugin; 24b28a5538SAdam Hornacek 2553c33ae5SVladimir Kotal import java.util.Arrays; 26b28a5538SAdam Hornacek import java.util.HashMap; 2753c33ae5SVladimir Kotal import java.util.HashSet; 28b28a5538SAdam Hornacek import java.util.Map; 29b28a5538SAdam Hornacek import java.util.Set; 30b28a5538SAdam Hornacek import java.util.logging.Level; 31b28a5538SAdam Hornacek import java.util.logging.Logger; 32aa6abf42SAdam Hornacek 33aa6abf42SAdam Hornacek import jakarta.servlet.http.HttpServletRequest; 34b28a5538SAdam Hornacek import opengrok.auth.entity.LdapUser; 35b28a5538SAdam Hornacek import opengrok.auth.plugin.entity.User; 3617deb9edSVladimir Kotal import opengrok.auth.plugin.ldap.AbstractLdapProvider; 37b28a5538SAdam Hornacek import opengrok.auth.plugin.ldap.LdapException; 38b28a5538SAdam Hornacek import org.opengrok.indexer.authorization.AuthorizationException; 39b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Group; 40b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Project; 41b28a5538SAdam Hornacek 42f305899cSVladimir Kotal import static opengrok.auth.plugin.util.FilterUtil.expandUserFilter; 43f305899cSVladimir Kotal 44b28a5538SAdam Hornacek /** 45b28a5538SAdam Hornacek * Authorization plug-in to extract user's LDAP attributes. 46b28a5538SAdam Hornacek * The attributes can be then used by the other LDAP plugins down the stack. 47b28a5538SAdam Hornacek * 48b28a5538SAdam Hornacek * @author Krystof Tulinger 49b28a5538SAdam Hornacek */ 50b28a5538SAdam Hornacek public class LdapUserPlugin extends AbstractLdapPlugin { 51b28a5538SAdam Hornacek 52b28a5538SAdam Hornacek private static final Logger LOGGER = Logger.getLogger(LdapUserPlugin.class.getName()); 53b28a5538SAdam Hornacek 54bf4d2fd4SVladimir Kotal static final String SESSION_ATTR = "opengrok-ldap-plugin-user"; 55b28a5538SAdam Hornacek 5653c33ae5SVladimir Kotal /** 570e7ff20bSVladimir Kotal * List of configuration names. 5853c33ae5SVladimir Kotal * <ul> 5953c33ae5SVladimir Kotal * <li><code>filter</code> is LDAP filter used for searching (optional)</li> 60*5aedecbdSVladimir Kotal * <li><code>useDN</code> boolean value indicating if User.username should be treated as Distinguished Name 61*5aedecbdSVladimir Kotal * (optional, default is false)</li> 6253c33ae5SVladimir Kotal * <li><code>attributes</code> is comma separated list of LDAP attributes to be produced (mandatory)</li> 63*5aedecbdSVladimir Kotal * <li><code>instance</code> integer that can be used to identify instance of this plugin by other LDAP plugins 64*5aedecbdSVladimir Kotal * (optional, default empty)</li> 6553c33ae5SVladimir Kotal * </ul> 6653c33ae5SVladimir Kotal */ 67bf4d2fd4SVladimir Kotal static final String LDAP_FILTER = "filter"; 68bf4d2fd4SVladimir Kotal static final String ATTRIBUTES = "attributes"; 69bf4d2fd4SVladimir Kotal static final String USE_DN = "useDN"; 70bf4d2fd4SVladimir Kotal static final String INSTANCE = "instance"; 71b28a5538SAdam Hornacek 7253c33ae5SVladimir Kotal private String ldapFilter; 7353c33ae5SVladimir Kotal private Boolean useDN; 7482105c7dSVladimir Kotal private Set<String> attrSet; 7582105c7dSVladimir Kotal private Integer instanceNum; 76b28a5538SAdam Hornacek 773c16dad8SVladimir Kotal // for testing load(Map<String, Object> parameters, AbstractLdapProvider provider)783c16dad8SVladimir Kotal void load(Map<String, Object> parameters, AbstractLdapProvider provider) { 793c16dad8SVladimir Kotal super.load(provider); 803c16dad8SVladimir Kotal 813c16dad8SVladimir Kotal init(parameters); 823c16dad8SVladimir Kotal } 833c16dad8SVladimir Kotal 84b28a5538SAdam Hornacek @Override load(Map<String, Object> parameters)85b28a5538SAdam Hornacek public void load(Map<String, Object> parameters) { 86b28a5538SAdam Hornacek super.load(parameters); 87b28a5538SAdam Hornacek 883c16dad8SVladimir Kotal init(parameters); 893c16dad8SVladimir Kotal } 903c16dad8SVladimir Kotal init(Map<String, Object> parameters)913c16dad8SVladimir Kotal private void init(Map<String, Object> parameters) { 92b28a5538SAdam Hornacek String attributesVal; 93b28a5538SAdam Hornacek if ((attributesVal = (String) parameters.get(ATTRIBUTES)) == null) { 94*5aedecbdSVladimir Kotal throw new NullPointerException("Missing configuration parameter [" + ATTRIBUTES + "] in the setup"); 95b28a5538SAdam Hornacek } 9682105c7dSVladimir Kotal attrSet = new HashSet<>(Arrays.asList(attributesVal.split(","))); 97b28a5538SAdam Hornacek 9853c33ae5SVladimir Kotal ldapFilter = (String) parameters.get(LDAP_FILTER); 9953c33ae5SVladimir Kotal 10053c33ae5SVladimir Kotal if ((useDN = (Boolean) parameters.get(USE_DN)) == null) { 10153c33ae5SVladimir Kotal useDN = false; 10253c33ae5SVladimir Kotal } 10353c33ae5SVladimir Kotal 10482105c7dSVladimir Kotal String instanceParam = (String) parameters.get(INSTANCE); 10582105c7dSVladimir Kotal if (instanceParam != null) { 10682105c7dSVladimir Kotal instanceNum = Integer.parseInt(instanceParam); 107e173e36dSVladimir Kotal } 10866cf937cSVladimir Kotal 10953c33ae5SVladimir Kotal LOGGER.log(Level.FINE, "LdapUser plugin loaded with filter={0}, " + 11066cf937cSVladimir Kotal "attributes={1}, useDN={2}, instance={3}", 11182105c7dSVladimir Kotal new Object[]{ldapFilter, attrSet, useDN, instanceNum}); 112b28a5538SAdam Hornacek } 113b28a5538SAdam Hornacek 114b28a5538SAdam Hornacek /** 115b28a5538SAdam Hornacek * Check if the session exists and contains all necessary fields required by 116b28a5538SAdam Hornacek * this plug-in. 117b28a5538SAdam Hornacek * 118b28a5538SAdam Hornacek * @param req the HTTP request 119b28a5538SAdam Hornacek * @return true if it does; false otherwise 120b28a5538SAdam Hornacek */ 121b28a5538SAdam Hornacek @Override sessionExists(HttpServletRequest req)122b28a5538SAdam Hornacek protected boolean sessionExists(HttpServletRequest req) { 123*5aedecbdSVladimir Kotal return super.sessionExists(req) && req.getSession().getAttribute(getSessionAttrName()) != null; 124b28a5538SAdam Hornacek } 125b28a5538SAdam Hornacek 12653c33ae5SVladimir Kotal /** 127f305899cSVladimir Kotal * Expand {@code User} object attribute values into the filter. 12853c33ae5SVladimir Kotal * 129f305899cSVladimir Kotal * @see opengrok.auth.plugin.util.FilterUtil 13053c33ae5SVladimir Kotal * 13153c33ae5SVladimir Kotal * Use \% for printing the '%' character. 13253c33ae5SVladimir Kotal * 133750d880bSVladimir Kotal * @param user User object from the request (created by {@code UserPlugin}) 13453c33ae5SVladimir Kotal * @return replaced result 13553c33ae5SVladimir Kotal */ expandFilter(User user)136bf4d2fd4SVladimir Kotal String expandFilter(User user) { 13753c33ae5SVladimir Kotal String filter = ldapFilter; 138b28a5538SAdam Hornacek 139f305899cSVladimir Kotal filter = expandUserFilter(user, filter); 140b28a5538SAdam Hornacek 1419d74bf96SVladimir Kotal filter = filter.replace("\\%", "%"); 14253c33ae5SVladimir Kotal 14353c33ae5SVladimir Kotal return filter; 144b28a5538SAdam Hornacek } 145b28a5538SAdam Hornacek 146b28a5538SAdam Hornacek @Override fillSession(HttpServletRequest req, User user)147b28a5538SAdam Hornacek public void fillSession(HttpServletRequest req, User user) { 148b28a5538SAdam Hornacek Map<String, Set<String>> records; 149b28a5538SAdam Hornacek 150b28a5538SAdam Hornacek updateSession(req, null); 151b28a5538SAdam Hornacek 152b28a5538SAdam Hornacek if (getLdapProvider() == null) { 15353c33ae5SVladimir Kotal LOGGER.log(Level.WARNING, "cannot get LDAP provider"); 154b28a5538SAdam Hornacek return; 155b28a5538SAdam Hornacek } 156b28a5538SAdam Hornacek 15702df4614SVladimir Kotal String dn = null; 15882105c7dSVladimir Kotal if (Boolean.TRUE.equals(useDN)) { 15902df4614SVladimir Kotal dn = user.getUsername(); 160*5aedecbdSVladimir Kotal LOGGER.log(Level.FINEST, "using DN ''{0}'' for user {1}", new Object[]{dn, user}); 16102df4614SVladimir Kotal } 162cbd2aafbSVladimir Kotal 163cbd2aafbSVladimir Kotal String expandedFilter = null; 16453c33ae5SVladimir Kotal if (ldapFilter != null) { 16553c33ae5SVladimir Kotal expandedFilter = expandFilter(user); 166cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "expanded filter for user {0} into ''{1}''", 167cbd2aafbSVladimir Kotal new Object[]{user, expandedFilter}); 16853c33ae5SVladimir Kotal } 169cbd2aafbSVladimir Kotal 170cbd2aafbSVladimir Kotal AbstractLdapProvider ldapProvider = getLdapProvider(); 171b28a5538SAdam Hornacek try { 17217deb9edSVladimir Kotal AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res; 173cbd2aafbSVladimir Kotal if ((res = ldapProvider.lookupLdapContent(dn, expandedFilter, 17482105c7dSVladimir Kotal attrSet.toArray(new String[0]))) == null) { 175afd2f2f7SVladimir Kotal LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} " + 176e5567996SVladimir Kotal "with filter ''{1}'' from LDAP provider {3}", 17782105c7dSVladimir Kotal new Object[]{user, expandedFilter, attrSet, getLdapProvider()}); 178b28a5538SAdam Hornacek return; 179b28a5538SAdam Hornacek } 18017deb9edSVladimir Kotal 18117deb9edSVladimir Kotal records = res.getAttrs(); 18282105c7dSVladimir Kotal if (Boolean.FALSE.equals(useDN)) { 18317deb9edSVladimir Kotal dn = res.getDN(); 18482105c7dSVladimir Kotal LOGGER.log(Level.FINEST, "got DN ''{0}'' for user {1}", 185cbd2aafbSVladimir Kotal new Object[]{dn, user}); 18602df4614SVladimir Kotal } 187b28a5538SAdam Hornacek } catch (LdapException ex) { 188b28a5538SAdam Hornacek throw new AuthorizationException(ex); 189b28a5538SAdam Hornacek } 190b28a5538SAdam Hornacek 191b28a5538SAdam Hornacek if (records.isEmpty()) { 192cbd2aafbSVladimir Kotal LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty on {1}", 193cbd2aafbSVladimir Kotal new Object[]{user, ldapProvider}); 194b28a5538SAdam Hornacek return; 195b28a5538SAdam Hornacek } 196b28a5538SAdam Hornacek 19782105c7dSVladimir Kotal for (String attrName : attrSet) { 19802df4614SVladimir Kotal if (!records.containsKey(attrName) || records.get(attrName) == null || records.get(attrName).isEmpty()) { 199cbd2aafbSVladimir Kotal LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty on {2}", 200cbd2aafbSVladimir Kotal new Object[]{attrName, user, ldapProvider}); 201b28a5538SAdam Hornacek } 202b28a5538SAdam Hornacek } 203b28a5538SAdam Hornacek 20482105c7dSVladimir Kotal Map<String, Set<String>> userAttrSet = new HashMap<>(); 20582105c7dSVladimir Kotal for (String attrName : this.attrSet) { 20682105c7dSVladimir Kotal userAttrSet.put(attrName, records.get(attrName)); 207b28a5538SAdam Hornacek } 208b28a5538SAdam Hornacek 209cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "DN for user {0} is ''{1}'' on {2}", 210cbd2aafbSVladimir Kotal new Object[]{user, dn, ldapProvider}); 21182105c7dSVladimir Kotal updateSession(req, new LdapUser(dn, userAttrSet)); 212b28a5538SAdam Hornacek } 213b28a5538SAdam Hornacek 214b28a5538SAdam Hornacek /** 215b28a5538SAdam Hornacek * Add a new user value into the session. 216b28a5538SAdam Hornacek * 217b28a5538SAdam Hornacek * @param req the request 218b28a5538SAdam Hornacek * @param user the new value for user 219b28a5538SAdam Hornacek */ updateSession(HttpServletRequest req, LdapUser user)220d7630e3aSVladimir Kotal void updateSession(HttpServletRequest req, LdapUser user) { 221d7630e3aSVladimir Kotal req.getSession().setAttribute(getSessionAttrName(), user); 22266cf937cSVladimir Kotal } 22366cf937cSVladimir Kotal getSessionAttrName(Integer instance)224d7630e3aSVladimir Kotal static String getSessionAttrName(Integer instance) { 22566cf937cSVladimir Kotal return (SESSION_ATTR + (instance != null ? instance.toString() : "")); 226b28a5538SAdam Hornacek } 227b28a5538SAdam Hornacek getSessionAttrName()228d7630e3aSVladimir Kotal private String getSessionAttrName() { 22982105c7dSVladimir Kotal return getSessionAttrName(instanceNum); 230d7630e3aSVladimir Kotal } 231d7630e3aSVladimir Kotal 232b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Project project)233b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Project project) { 234d7630e3aSVladimir Kotal return request.getSession().getAttribute(getSessionAttrName()) != null; 235b28a5538SAdam Hornacek } 236b28a5538SAdam Hornacek 237b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Group group)238b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Group group) { 239d7630e3aSVladimir Kotal return request.getSession().getAttribute(getSessionAttrName()) != null; 240b28a5538SAdam Hornacek } 241b28a5538SAdam Hornacek } 242