xref: /OpenGrok/plugins/src/main/java/opengrok/auth/plugin/LdapUserPlugin.java (revision e188d1dd8790cb251440e76ab494f32fb7fa95e1) 
1b28a5538SAdam Hornacek /*
2b28a5538SAdam Hornacek  * CDDL HEADER START
3b28a5538SAdam Hornacek  *
4b28a5538SAdam Hornacek  * The contents of this file are subject to the terms of the
5b28a5538SAdam Hornacek  * Common Development and Distribution License (the "License").
6b28a5538SAdam Hornacek  * You may not use this file except in compliance with the License.
7b28a5538SAdam Hornacek  *
8b28a5538SAdam Hornacek  * See LICENSE.txt included in this distribution for the specific
9b28a5538SAdam Hornacek  * language governing permissions and limitations under the License.
10b28a5538SAdam Hornacek  *
11b28a5538SAdam Hornacek  * When distributing Covered Code, include this CDDL HEADER in each
12b28a5538SAdam Hornacek  * file and include the License file at LICENSE.txt.
13b28a5538SAdam Hornacek  * If applicable, add the following below this CDDL HEADER, with the
14b28a5538SAdam Hornacek  * fields enclosed by brackets "[]" replaced with your own identifying
15b28a5538SAdam Hornacek  * information: Portions Copyright [yyyy] [name of copyright owner]
16b28a5538SAdam Hornacek  *
17b28a5538SAdam Hornacek  * CDDL HEADER END
18b28a5538SAdam Hornacek  */
19b28a5538SAdam Hornacek 
20b28a5538SAdam Hornacek /*
2153c33ae5SVladimir Kotal  * Copyright (c) 2016, 2019 Oracle and/or its affiliates. All rights reserved.
22b28a5538SAdam Hornacek  */
23b28a5538SAdam Hornacek package opengrok.auth.plugin;
24b28a5538SAdam Hornacek 
2553c33ae5SVladimir Kotal import java.util.Arrays;
26b28a5538SAdam Hornacek import java.util.HashMap;
2753c33ae5SVladimir Kotal import java.util.HashSet;
28b28a5538SAdam Hornacek import java.util.Map;
29b28a5538SAdam Hornacek import java.util.Set;
30b28a5538SAdam Hornacek import java.util.logging.Level;
31b28a5538SAdam Hornacek import java.util.logging.Logger;
32b28a5538SAdam Hornacek import javax.servlet.http.HttpServletRequest;
33b28a5538SAdam Hornacek import opengrok.auth.entity.LdapUser;
34b28a5538SAdam Hornacek import opengrok.auth.plugin.entity.User;
3517deb9edSVladimir Kotal import opengrok.auth.plugin.ldap.AbstractLdapProvider;
36b28a5538SAdam Hornacek import opengrok.auth.plugin.ldap.LdapException;
37b28a5538SAdam Hornacek import org.opengrok.indexer.authorization.AuthorizationException;
38b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Group;
39b28a5538SAdam Hornacek import org.opengrok.indexer.configuration.Project;
40b28a5538SAdam Hornacek 
41f305899cSVladimir Kotal import static opengrok.auth.plugin.util.FilterUtil.expandUserFilter;
42f305899cSVladimir Kotal 
43b28a5538SAdam Hornacek /**
44b28a5538SAdam Hornacek  * Authorization plug-in to extract user's LDAP attributes.
45b28a5538SAdam Hornacek  * The attributes can be then used by the other LDAP plugins down the stack.
46b28a5538SAdam Hornacek  *
47b28a5538SAdam Hornacek  * @author Krystof Tulinger
48b28a5538SAdam Hornacek  */
49b28a5538SAdam Hornacek public class LdapUserPlugin extends AbstractLdapPlugin {
50b28a5538SAdam Hornacek 
51b28a5538SAdam Hornacek     private static final Logger LOGGER = Logger.getLogger(LdapUserPlugin.class.getName());
52b28a5538SAdam Hornacek 
53b28a5538SAdam Hornacek     public static final String SESSION_ATTR = "opengrok-ldap-plugin-user";
54b28a5538SAdam Hornacek 
5553c33ae5SVladimir Kotal     /**
5653c33ae5SVladimir Kotal      * configuration names
5753c33ae5SVladimir Kotal      * <ul>
5853c33ae5SVladimir Kotal      * <li><code>filter</code> is LDAP filter used for searching (optional)</li>
599f40699fSVladimir Kotal      * <li><code>useDN</code> boolean value indicating if User.username should be used as search Distinguished Name (optional, default is false)</li>
6053c33ae5SVladimir Kotal      * <li><code>attributes</code> is comma separated list of LDAP attributes to be produced (mandatory)</li>
6153c33ae5SVladimir Kotal      * </ul>
6253c33ae5SVladimir Kotal      */
6353c33ae5SVladimir Kotal     protected static final String LDAP_FILTER = "filter";
64b28a5538SAdam Hornacek     protected static final String ATTRIBUTES = "attributes";
6553c33ae5SVladimir Kotal     protected static final String USE_DN = "useDN";
66b28a5538SAdam Hornacek 
6753c33ae5SVladimir Kotal     private String ldapFilter;
6853c33ae5SVladimir Kotal     private Boolean useDN;
6953c33ae5SVladimir Kotal     private Set<String> attributes;
70b28a5538SAdam Hornacek 
71b28a5538SAdam Hornacek     @Override
load(Map<String, Object> parameters)72b28a5538SAdam Hornacek     public void load(Map<String, Object> parameters) {
73b28a5538SAdam Hornacek         super.load(parameters);
74b28a5538SAdam Hornacek 
75b28a5538SAdam Hornacek         String attributesVal;
76b28a5538SAdam Hornacek         if ((attributesVal = (String) parameters.get(ATTRIBUTES)) == null) {
7753c33ae5SVladimir Kotal             throw new NullPointerException("Missing configuration parameter [" + ATTRIBUTES +
78b28a5538SAdam Hornacek                     "] in the setup");
79b28a5538SAdam Hornacek         }
8053c33ae5SVladimir Kotal         attributes = new HashSet<>(Arrays.asList(attributesVal.split(",")));
81b28a5538SAdam Hornacek 
8253c33ae5SVladimir Kotal         ldapFilter = (String) parameters.get(LDAP_FILTER);
8353c33ae5SVladimir Kotal 
8453c33ae5SVladimir Kotal         if ((useDN = (Boolean) parameters.get(USE_DN)) == null) {
8553c33ae5SVladimir Kotal             useDN = false;
8653c33ae5SVladimir Kotal         }
8753c33ae5SVladimir Kotal 
8853c33ae5SVladimir Kotal         LOGGER.log(Level.FINE, "LdapUser plugin loaded with filter={0}, " +
8953c33ae5SVladimir Kotal                         "attributes={1}, useDN={2}",
90172ba845SVladimir Kotal                 new Object[]{ldapFilter, attributes, useDN});
91b28a5538SAdam Hornacek     }
92b28a5538SAdam Hornacek 
93b28a5538SAdam Hornacek     /**
94b28a5538SAdam Hornacek      * Check if the session exists and contains all necessary fields required by
95b28a5538SAdam Hornacek      * this plug-in.
96b28a5538SAdam Hornacek      *
97b28a5538SAdam Hornacek      * @param req the HTTP request
98b28a5538SAdam Hornacek      * @return true if it does; false otherwise
99b28a5538SAdam Hornacek      */
100b28a5538SAdam Hornacek     @Override
sessionExists(HttpServletRequest req)101b28a5538SAdam Hornacek     protected boolean sessionExists(HttpServletRequest req) {
102b28a5538SAdam Hornacek         return super.sessionExists(req)
103b28a5538SAdam Hornacek                 && req.getSession().getAttribute(SESSION_ATTR) != null;
104b28a5538SAdam Hornacek     }
105b28a5538SAdam Hornacek 
10653c33ae5SVladimir Kotal     /**
107f305899cSVladimir Kotal      * Expand {@code User} object attribute values into the filter.
10853c33ae5SVladimir Kotal      *
109f305899cSVladimir Kotal      * @see opengrok.auth.plugin.util.FilterUtil
11053c33ae5SVladimir Kotal      *
11153c33ae5SVladimir Kotal      * Use \% for printing the '%' character.
11253c33ae5SVladimir Kotal      *
113750d880bSVladimir Kotal      * @param user User object from the request (created by {@code UserPlugin})
11453c33ae5SVladimir Kotal      * @return replaced result
11553c33ae5SVladimir Kotal      */
expandFilter(User user)11653c33ae5SVladimir Kotal     protected String expandFilter(User user) {
11753c33ae5SVladimir Kotal         String filter = ldapFilter;
118b28a5538SAdam Hornacek 
119f305899cSVladimir Kotal         filter = expandUserFilter(user, filter);
120b28a5538SAdam Hornacek 
12153c33ae5SVladimir Kotal         filter = filter.replaceAll("\\\\%", "%");
12253c33ae5SVladimir Kotal 
12353c33ae5SVladimir Kotal         return filter;
124b28a5538SAdam Hornacek     }
125b28a5538SAdam Hornacek 
126b28a5538SAdam Hornacek     @Override
fillSession(HttpServletRequest req, User user)127b28a5538SAdam Hornacek     public void fillSession(HttpServletRequest req, User user) {
128b28a5538SAdam Hornacek         Map<String, Set<String>> records;
129b28a5538SAdam Hornacek 
130b28a5538SAdam Hornacek         updateSession(req, null);
131b28a5538SAdam Hornacek 
132b28a5538SAdam Hornacek         if (getLdapProvider() == null) {
13353c33ae5SVladimir Kotal             LOGGER.log(Level.WARNING, "cannot get LDAP provider");
134b28a5538SAdam Hornacek             return;
135b28a5538SAdam Hornacek         }
136b28a5538SAdam Hornacek 
13753c33ae5SVladimir Kotal         String expandedFilter = null;
13817deb9edSVladimir Kotal         String dn;
13953c33ae5SVladimir Kotal         if (ldapFilter != null) {
14053c33ae5SVladimir Kotal             expandedFilter = expandFilter(user);
14153c33ae5SVladimir Kotal         }
142b28a5538SAdam Hornacek         try {
14317deb9edSVladimir Kotal             AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res;
14417deb9edSVladimir Kotal             if ((res = getLdapProvider().lookupLdapContent(useDN ? user.getUsername() : null,
14553c33ae5SVladimir Kotal                     expandedFilter, attributes.toArray(new String[attributes.size()]))) == null) {
146afd2f2f7SVladimir Kotal                 LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} " +
147b28a5538SAdam Hornacek                                 "with filter ''{1}''",
148172ba845SVladimir Kotal                         new Object[]{user, expandedFilter, attributes});
149b28a5538SAdam Hornacek                 return;
150b28a5538SAdam Hornacek             }
15117deb9edSVladimir Kotal 
15217deb9edSVladimir Kotal             records = res.getAttrs();
15317deb9edSVladimir Kotal             dn = res.getDN();
154b28a5538SAdam Hornacek         } catch (LdapException ex) {
155b28a5538SAdam Hornacek             throw new AuthorizationException(ex);
156b28a5538SAdam Hornacek         }
157b28a5538SAdam Hornacek 
158b28a5538SAdam Hornacek         if (records.isEmpty()) {
159b28a5538SAdam Hornacek             LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty",
160b28a5538SAdam Hornacek                     user);
161b28a5538SAdam Hornacek             return;
162b28a5538SAdam Hornacek         }
163b28a5538SAdam Hornacek 
164b28a5538SAdam Hornacek         for (String attrName : attributes) {
165b28a5538SAdam Hornacek             if (!records.containsKey(attrName) || records.get(attrName).isEmpty()) {
16653c33ae5SVladimir Kotal                 LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty (LDAP provider: {2})",
16753c33ae5SVladimir Kotal                         new Object[]{attrName, user, getLdapProvider()});
168b28a5538SAdam Hornacek             }
169b28a5538SAdam Hornacek         }
170b28a5538SAdam Hornacek 
171b28a5538SAdam Hornacek         Map<String, Set<String>> attrSet = new HashMap<>();
172b28a5538SAdam Hornacek         for (String attrName : attributes) {
173b28a5538SAdam Hornacek             attrSet.put(attrName, records.get(attrName));
174b28a5538SAdam Hornacek         }
175b28a5538SAdam Hornacek 
176*e188d1ddSVladimir Kotal         updateSession(req, new LdapUser(useDN ? user.getUsername() : dn, attrSet));
177b28a5538SAdam Hornacek     }
178b28a5538SAdam Hornacek 
179b28a5538SAdam Hornacek     /**
180b28a5538SAdam Hornacek      * Add a new user value into the session.
181b28a5538SAdam Hornacek      *
182b28a5538SAdam Hornacek      * @param req the request
183b28a5538SAdam Hornacek      * @param user the new value for user
184b28a5538SAdam Hornacek      */
updateSession(HttpServletRequest req, LdapUser user)185b28a5538SAdam Hornacek     protected void updateSession(HttpServletRequest req, LdapUser user) {
186b28a5538SAdam Hornacek         req.getSession().setAttribute(SESSION_ATTR, user);
187b28a5538SAdam Hornacek     }
188b28a5538SAdam Hornacek 
189b28a5538SAdam Hornacek     @Override
checkEntity(HttpServletRequest request, Project project)190b28a5538SAdam Hornacek     public boolean checkEntity(HttpServletRequest request, Project project) {
191b28a5538SAdam Hornacek         return request.getSession().getAttribute(SESSION_ATTR) != null;
192b28a5538SAdam Hornacek     }
193b28a5538SAdam Hornacek 
194b28a5538SAdam Hornacek     @Override
checkEntity(HttpServletRequest request, Group group)195b28a5538SAdam Hornacek     public boolean checkEntity(HttpServletRequest request, Group group) {
196b28a5538SAdam Hornacek         return request.getSession().getAttribute(SESSION_ATTR) != null;
197b28a5538SAdam Hornacek     }
198b28a5538SAdam Hornacek }
199