1b28a5538SAdam Hornacek /* 2b28a5538SAdam Hornacek * CDDL HEADER START 3b28a5538SAdam Hornacek * 4b28a5538SAdam Hornacek * The contents of this file are subject to the terms of the 5b28a5538SAdam Hornacek * Common Development and Distribution License (the "License"). 6b28a5538SAdam Hornacek * You may not use this file except in compliance with the License. 7b28a5538SAdam Hornacek * 8b28a5538SAdam Hornacek * See LICENSE.txt included in this distribution for the specific 9b28a5538SAdam Hornacek * language governing permissions and limitations under the License. 10b28a5538SAdam Hornacek * 11b28a5538SAdam Hornacek * When distributing Covered Code, include this CDDL HEADER in each 12b28a5538SAdam Hornacek * file and include the License file at LICENSE.txt. 13b28a5538SAdam Hornacek * If applicable, add the following below this CDDL HEADER, with the 14b28a5538SAdam Hornacek * fields enclosed by brackets "[]" replaced with your own identifying 15b28a5538SAdam Hornacek * information: Portions Copyright [yyyy] [name of copyright owner] 16b28a5538SAdam Hornacek * 17b28a5538SAdam Hornacek * CDDL HEADER END 18b28a5538SAdam Hornacek */ 19b28a5538SAdam Hornacek 20b28a5538SAdam Hornacek /* 215d9f3aa0SAdam Hornáček * Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved. 22b28a5538SAdam Hornacek */ 23b28a5538SAdam Hornacek package opengrok.auth.plugin; 24b28a5538SAdam Hornacek 2553c33ae5SVladimir Kotal import java.util.Arrays; 26b28a5538SAdam Hornacek import java.util.HashMap; 2753c33ae5SVladimir Kotal import java.util.HashSet; 28b28a5538SAdam Hornacek import java.util.Map; 29b28a5538SAdam Hornacek import java.util.Set; 30b28a5538SAdam Hornacek import java.util.logging.Level; 31b28a5538SAdam Hornacek import java.util.logging.Logger; 32*aa6abf42SAdam Hornacek 33*aa6abf42SAdam Hornacek import jakarta.servlet.http.HttpServletRequest; 34b28a5538SAdam Hornacek import opengrok.auth.entity.LdapUser; 35b28a5538SAdam Hornacek import opengrok.auth.plugin.entity.User; 3617deb9edSVladimir Kotal import opengrok.auth.plugin.ldap.AbstractLdapProvider; 37b28a5538SAdam Hornacek import opengrok.auth.plugin.ldap.LdapException; 38b28a5538SAdam Hornacek import org.opengrok.indexer.authorization.AuthorizationException; 39b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Group; 40b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Project; 41b28a5538SAdam Hornacek 42f305899cSVladimir Kotal import static opengrok.auth.plugin.util.FilterUtil.expandUserFilter; 43f305899cSVladimir Kotal 44b28a5538SAdam Hornacek /** 45b28a5538SAdam Hornacek * Authorization plug-in to extract user's LDAP attributes. 46b28a5538SAdam Hornacek * The attributes can be then used by the other LDAP plugins down the stack. 47b28a5538SAdam Hornacek * 48b28a5538SAdam Hornacek * @author Krystof Tulinger 49b28a5538SAdam Hornacek */ 50b28a5538SAdam Hornacek public class LdapUserPlugin extends AbstractLdapPlugin { 51b28a5538SAdam Hornacek 52b28a5538SAdam Hornacek private static final Logger LOGGER = Logger.getLogger(LdapUserPlugin.class.getName()); 53b28a5538SAdam Hornacek 54bf4d2fd4SVladimir Kotal static final String SESSION_ATTR = "opengrok-ldap-plugin-user"; 55b28a5538SAdam Hornacek 5653c33ae5SVladimir Kotal /** 570e7ff20bSVladimir Kotal * List of configuration names. 5853c33ae5SVladimir Kotal * <ul> 5953c33ae5SVladimir Kotal * <li><code>filter</code> is LDAP filter used for searching (optional)</li> 6002df4614SVladimir Kotal * <li><code>useDN</code> boolean value indicating if User.username should be treated as Distinguished Name (optional, default is false)</li> 6153c33ae5SVladimir Kotal * <li><code>attributes</code> is comma separated list of LDAP attributes to be produced (mandatory)</li> 6266cf937cSVladimir Kotal * <li><code>instance</code> integer that can be used to identify instance of this plugin by other LDAP plugins (optional, default empty)</li> 6353c33ae5SVladimir Kotal * </ul> 6453c33ae5SVladimir Kotal */ 65bf4d2fd4SVladimir Kotal static final String LDAP_FILTER = "filter"; 66bf4d2fd4SVladimir Kotal static final String ATTRIBUTES = "attributes"; 67bf4d2fd4SVladimir Kotal static final String USE_DN = "useDN"; 68bf4d2fd4SVladimir Kotal static final String INSTANCE = "instance"; 69b28a5538SAdam Hornacek 7053c33ae5SVladimir Kotal private String ldapFilter; 7153c33ae5SVladimir Kotal private Boolean useDN; 7253c33ae5SVladimir Kotal private Set<String> attributes; 7366cf937cSVladimir Kotal private Integer instance; 74b28a5538SAdam Hornacek 753c16dad8SVladimir Kotal // for testing load(Map<String, Object> parameters, AbstractLdapProvider provider)763c16dad8SVladimir Kotal void load(Map<String, Object> parameters, AbstractLdapProvider provider) { 773c16dad8SVladimir Kotal super.load(provider); 783c16dad8SVladimir Kotal 793c16dad8SVladimir Kotal init(parameters); 803c16dad8SVladimir Kotal } 813c16dad8SVladimir Kotal 82b28a5538SAdam Hornacek @Override load(Map<String, Object> parameters)83b28a5538SAdam Hornacek public void load(Map<String, Object> parameters) { 84b28a5538SAdam Hornacek super.load(parameters); 85b28a5538SAdam Hornacek 863c16dad8SVladimir Kotal init(parameters); 873c16dad8SVladimir Kotal } 883c16dad8SVladimir Kotal init(Map<String, Object> parameters)893c16dad8SVladimir Kotal private void init(Map<String, Object> parameters) { 90b28a5538SAdam Hornacek String attributesVal; 91b28a5538SAdam Hornacek if ((attributesVal = (String) parameters.get(ATTRIBUTES)) == null) { 9253c33ae5SVladimir Kotal throw new NullPointerException("Missing configuration parameter [" + ATTRIBUTES + 93b28a5538SAdam Hornacek "] in the setup"); 94b28a5538SAdam Hornacek } 9553c33ae5SVladimir Kotal attributes = new HashSet<>(Arrays.asList(attributesVal.split(","))); 96b28a5538SAdam Hornacek 9753c33ae5SVladimir Kotal ldapFilter = (String) parameters.get(LDAP_FILTER); 9853c33ae5SVladimir Kotal 9953c33ae5SVladimir Kotal if ((useDN = (Boolean) parameters.get(USE_DN)) == null) { 10053c33ae5SVladimir Kotal useDN = false; 10153c33ae5SVladimir Kotal } 10253c33ae5SVladimir Kotal 103e173e36dSVladimir Kotal String instance_param = (String) parameters.get(INSTANCE); 104e173e36dSVladimir Kotal if (instance_param != null) { 105e173e36dSVladimir Kotal instance = Integer.parseInt(instance_param); 106e173e36dSVladimir Kotal } 10766cf937cSVladimir Kotal 10853c33ae5SVladimir Kotal LOGGER.log(Level.FINE, "LdapUser plugin loaded with filter={0}, " + 10966cf937cSVladimir Kotal "attributes={1}, useDN={2}, instance={3}", 11066cf937cSVladimir Kotal new Object[]{ldapFilter, attributes, useDN, instance}); 111b28a5538SAdam Hornacek } 112b28a5538SAdam Hornacek 113b28a5538SAdam Hornacek /** 114b28a5538SAdam Hornacek * Check if the session exists and contains all necessary fields required by 115b28a5538SAdam Hornacek * this plug-in. 116b28a5538SAdam Hornacek * 117b28a5538SAdam Hornacek * @param req the HTTP request 118b28a5538SAdam Hornacek * @return true if it does; false otherwise 119b28a5538SAdam Hornacek */ 120b28a5538SAdam Hornacek @Override sessionExists(HttpServletRequest req)121b28a5538SAdam Hornacek protected boolean sessionExists(HttpServletRequest req) { 122b28a5538SAdam Hornacek return super.sessionExists(req) 123d7630e3aSVladimir Kotal && req.getSession().getAttribute(getSessionAttrName()) != null; 124b28a5538SAdam Hornacek } 125b28a5538SAdam Hornacek 12653c33ae5SVladimir Kotal /** 127f305899cSVladimir Kotal * Expand {@code User} object attribute values into the filter. 12853c33ae5SVladimir Kotal * 129f305899cSVladimir Kotal * @see opengrok.auth.plugin.util.FilterUtil 13053c33ae5SVladimir Kotal * 13153c33ae5SVladimir Kotal * Use \% for printing the '%' character. 13253c33ae5SVladimir Kotal * 133750d880bSVladimir Kotal * @param user User object from the request (created by {@code UserPlugin}) 13453c33ae5SVladimir Kotal * @return replaced result 13553c33ae5SVladimir Kotal */ expandFilter(User user)136bf4d2fd4SVladimir Kotal String expandFilter(User user) { 13753c33ae5SVladimir Kotal String filter = ldapFilter; 138b28a5538SAdam Hornacek 139f305899cSVladimir Kotal filter = expandUserFilter(user, filter); 140b28a5538SAdam Hornacek 14153c33ae5SVladimir Kotal filter = filter.replaceAll("\\\\%", "%"); 14253c33ae5SVladimir Kotal 14353c33ae5SVladimir Kotal return filter; 144b28a5538SAdam Hornacek } 145b28a5538SAdam Hornacek 146b28a5538SAdam Hornacek @Override fillSession(HttpServletRequest req, User user)147b28a5538SAdam Hornacek public void fillSession(HttpServletRequest req, User user) { 148b28a5538SAdam Hornacek Map<String, Set<String>> records; 149b28a5538SAdam Hornacek 150b28a5538SAdam Hornacek updateSession(req, null); 151b28a5538SAdam Hornacek 152b28a5538SAdam Hornacek if (getLdapProvider() == null) { 15353c33ae5SVladimir Kotal LOGGER.log(Level.WARNING, "cannot get LDAP provider"); 154b28a5538SAdam Hornacek return; 155b28a5538SAdam Hornacek } 156b28a5538SAdam Hornacek 15702df4614SVladimir Kotal String dn = null; 15802df4614SVladimir Kotal if (useDN) { 15902df4614SVladimir Kotal dn = user.getUsername(); 160cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "using DN ''{0}'' for user {1}", 161cbd2aafbSVladimir Kotal new Object[]{dn, user}); 16202df4614SVladimir Kotal } 163cbd2aafbSVladimir Kotal 164cbd2aafbSVladimir Kotal String expandedFilter = null; 16553c33ae5SVladimir Kotal if (ldapFilter != null) { 16653c33ae5SVladimir Kotal expandedFilter = expandFilter(user); 167cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "expanded filter for user {0} into ''{1}''", 168cbd2aafbSVladimir Kotal new Object[]{user, expandedFilter}); 16953c33ae5SVladimir Kotal } 170cbd2aafbSVladimir Kotal 171cbd2aafbSVladimir Kotal AbstractLdapProvider ldapProvider = getLdapProvider(); 172b28a5538SAdam Hornacek try { 17317deb9edSVladimir Kotal AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res; 174cbd2aafbSVladimir Kotal if ((res = ldapProvider.lookupLdapContent(dn, expandedFilter, 175b91b7b82SVladimir Kotal attributes.toArray(new String[0]))) == null) { 176afd2f2f7SVladimir Kotal LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} " + 177e5567996SVladimir Kotal "with filter ''{1}'' from LDAP provider {3}", 178e5567996SVladimir Kotal new Object[]{user, expandedFilter, attributes, getLdapProvider()}); 179b28a5538SAdam Hornacek return; 180b28a5538SAdam Hornacek } 18117deb9edSVladimir Kotal 18217deb9edSVladimir Kotal records = res.getAttrs(); 18302df4614SVladimir Kotal if (!useDN) { 18417deb9edSVladimir Kotal dn = res.getDN(); 185cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "got DN ''{0}'' for user {1} on {2}", 186cbd2aafbSVladimir Kotal new Object[]{dn, user}); 18702df4614SVladimir Kotal } 188b28a5538SAdam Hornacek } catch (LdapException ex) { 189b28a5538SAdam Hornacek throw new AuthorizationException(ex); 190b28a5538SAdam Hornacek } 191b28a5538SAdam Hornacek 192b28a5538SAdam Hornacek if (records.isEmpty()) { 193cbd2aafbSVladimir Kotal LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty on {1}", 194cbd2aafbSVladimir Kotal new Object[]{user, ldapProvider}); 195b28a5538SAdam Hornacek return; 196b28a5538SAdam Hornacek } 197b28a5538SAdam Hornacek 198b28a5538SAdam Hornacek for (String attrName : attributes) { 19902df4614SVladimir Kotal if (!records.containsKey(attrName) || records.get(attrName) == null || records.get(attrName).isEmpty()) { 200cbd2aafbSVladimir Kotal LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty on {2}", 201cbd2aafbSVladimir Kotal new Object[]{attrName, user, ldapProvider}); 202b28a5538SAdam Hornacek } 203b28a5538SAdam Hornacek } 204b28a5538SAdam Hornacek 205b28a5538SAdam Hornacek Map<String, Set<String>> attrSet = new HashMap<>(); 206b28a5538SAdam Hornacek for (String attrName : attributes) { 207b28a5538SAdam Hornacek attrSet.put(attrName, records.get(attrName)); 208b28a5538SAdam Hornacek } 209b28a5538SAdam Hornacek 210cbd2aafbSVladimir Kotal LOGGER.log(Level.FINEST, "DN for user {0} is ''{1}'' on {2}", 211cbd2aafbSVladimir Kotal new Object[]{user, dn, ldapProvider}); 21202df4614SVladimir Kotal updateSession(req, new LdapUser(dn, attrSet)); 213b28a5538SAdam Hornacek } 214b28a5538SAdam Hornacek 215b28a5538SAdam Hornacek /** 216b28a5538SAdam Hornacek * Add a new user value into the session. 217b28a5538SAdam Hornacek * 218b28a5538SAdam Hornacek * @param req the request 219b28a5538SAdam Hornacek * @param user the new value for user 220b28a5538SAdam Hornacek */ updateSession(HttpServletRequest req, LdapUser user)221d7630e3aSVladimir Kotal void updateSession(HttpServletRequest req, LdapUser user) { 222d7630e3aSVladimir Kotal req.getSession().setAttribute(getSessionAttrName(), user); 22366cf937cSVladimir Kotal } 22466cf937cSVladimir Kotal getSessionAttrName(Integer instance)225d7630e3aSVladimir Kotal static String getSessionAttrName(Integer instance) { 22666cf937cSVladimir Kotal return (SESSION_ATTR + (instance != null ? instance.toString() : "")); 227b28a5538SAdam Hornacek } 228b28a5538SAdam Hornacek getSessionAttrName()229d7630e3aSVladimir Kotal private String getSessionAttrName() { 230d7630e3aSVladimir Kotal return getSessionAttrName(instance); 231d7630e3aSVladimir Kotal } 232d7630e3aSVladimir Kotal 233b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Project project)234b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Project project) { 235d7630e3aSVladimir Kotal return request.getSession().getAttribute(getSessionAttrName()) != null; 236b28a5538SAdam Hornacek } 237b28a5538SAdam Hornacek 238b28a5538SAdam Hornacek @Override checkEntity(HttpServletRequest request, Group group)239b28a5538SAdam Hornacek public boolean checkEntity(HttpServletRequest request, Group group) { 240d7630e3aSVladimir Kotal return request.getSession().getAttribute(getSessionAttrName()) != null; 241b28a5538SAdam Hornacek } 242b28a5538SAdam Hornacek } 243