commit | author | age
|
04a985
|
1 |
/* |
JM |
2 |
* Copyright 2012 John Crygier |
|
3 |
* Copyright 2012 gitblit.com |
|
4 |
* |
|
5 |
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
6 |
* you may not use this file except in compliance with the License. |
|
7 |
* You may obtain a copy of the License at |
|
8 |
* |
|
9 |
* http://www.apache.org/licenses/LICENSE-2.0 |
|
10 |
* |
|
11 |
* Unless required by applicable law or agreed to in writing, software |
|
12 |
* distributed under the License is distributed on an "AS IS" BASIS, |
|
13 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
14 |
* See the License for the specific language governing permissions and |
|
15 |
* limitations under the License. |
|
16 |
*/ |
|
17 |
package com.gitblit.auth; |
|
18 |
|
|
19 |
import java.net.URI; |
|
20 |
import java.net.URISyntaxException; |
|
21 |
import java.security.GeneralSecurityException; |
6659fa
|
22 |
import java.text.MessageFormat; |
04a985
|
23 |
import java.util.Arrays; |
JM |
24 |
import java.util.HashMap; |
|
25 |
import java.util.List; |
|
26 |
import java.util.Map; |
eb1264
|
27 |
import java.util.concurrent.Executors; |
AS |
28 |
import java.util.concurrent.ScheduledExecutorService; |
04a985
|
29 |
import java.util.concurrent.TimeUnit; |
JM |
30 |
|
|
31 |
import com.gitblit.Constants; |
|
32 |
import com.gitblit.Constants.AccountType; |
6e3481
|
33 |
import com.gitblit.Constants.Role; |
04a985
|
34 |
import com.gitblit.Keys; |
JM |
35 |
import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; |
|
36 |
import com.gitblit.models.TeamModel; |
|
37 |
import com.gitblit.models.UserModel; |
eb1264
|
38 |
import com.gitblit.service.LdapSyncService; |
04a985
|
39 |
import com.gitblit.utils.ArrayUtils; |
JM |
40 |
import com.gitblit.utils.StringUtils; |
|
41 |
import com.unboundid.ldap.sdk.Attribute; |
|
42 |
import com.unboundid.ldap.sdk.DereferencePolicy; |
|
43 |
import com.unboundid.ldap.sdk.ExtendedResult; |
|
44 |
import com.unboundid.ldap.sdk.LDAPConnection; |
|
45 |
import com.unboundid.ldap.sdk.LDAPException; |
|
46 |
import com.unboundid.ldap.sdk.LDAPSearchException; |
|
47 |
import com.unboundid.ldap.sdk.ResultCode; |
|
48 |
import com.unboundid.ldap.sdk.SearchRequest; |
|
49 |
import com.unboundid.ldap.sdk.SearchResult; |
|
50 |
import com.unboundid.ldap.sdk.SearchResultEntry; |
|
51 |
import com.unboundid.ldap.sdk.SearchScope; |
|
52 |
import com.unboundid.ldap.sdk.SimpleBindRequest; |
|
53 |
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest; |
|
54 |
import com.unboundid.util.ssl.SSLUtil; |
|
55 |
import com.unboundid.util.ssl.TrustAllTrustManager; |
|
56 |
|
|
57 |
/** |
|
58 |
* Implementation of an LDAP user service. |
|
59 |
* |
|
60 |
* @author John Crygier |
|
61 |
*/ |
|
62 |
public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { |
|
63 |
|
6659fa
|
64 |
private final ScheduledExecutorService scheduledExecutorService; |
04a985
|
65 |
|
JM |
66 |
public LdapAuthProvider() { |
|
67 |
super("ldap"); |
6659fa
|
68 |
|
JM |
69 |
scheduledExecutorService = Executors.newSingleThreadScheduledExecutor(); |
04a985
|
70 |
} |
JM |
71 |
|
6659fa
|
72 |
private long getSynchronizationPeriodInMilliseconds() { |
JM |
73 |
String period = settings.getString(Keys.realm.ldap.syncPeriod, null); |
|
74 |
if (StringUtils.isEmpty(period)) { |
|
75 |
period = settings.getString("realm.ldap.ldapCachePeriod", null); |
|
76 |
if (StringUtils.isEmpty(period)) { |
|
77 |
period = "5 MINUTES"; |
|
78 |
} else { |
|
79 |
logger.warn("realm.ldap.ldapCachePeriod is obsolete!"); |
|
80 |
logger.warn(MessageFormat.format("Please set {0}={1} in gitblit.properties!", Keys.realm.ldap.syncPeriod, period)); |
|
81 |
settings.overrideSetting(Keys.realm.ldap.syncPeriod, period); |
|
82 |
} |
|
83 |
} |
|
84 |
|
04a985
|
85 |
try { |
6659fa
|
86 |
final String[] s = period.split(" ", 2); |
edae53
|
87 |
long duration = Math.abs(Long.parseLong(s[0])); |
04a985
|
88 |
TimeUnit timeUnit = TimeUnit.valueOf(s[1]); |
JM |
89 |
return timeUnit.toMillis(duration); |
|
90 |
} catch (RuntimeException ex) { |
6659fa
|
91 |
throw new IllegalArgumentException(Keys.realm.ldap.syncPeriod + " must have format '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'"); |
04a985
|
92 |
} |
JM |
93 |
} |
|
94 |
|
|
95 |
@Override |
|
96 |
public void setup() { |
6659fa
|
97 |
configureSyncService(); |
04a985
|
98 |
} |
JM |
99 |
|
6659fa
|
100 |
@Override |
JM |
101 |
public void stop() { |
|
102 |
scheduledExecutorService.shutdownNow(); |
|
103 |
} |
04a985
|
104 |
|
6659fa
|
105 |
public synchronized void sync() { |
JM |
106 |
final boolean enabled = settings.getBoolean(Keys.realm.ldap.synchronize, false); |
|
107 |
if (enabled) { |
|
108 |
logger.info("Synchronizing with LDAP @ " + settings.getRequiredString(Keys.realm.ldap.server)); |
|
109 |
final boolean deleteRemovedLdapUsers = settings.getBoolean(Keys.realm.ldap.removeDeletedUsers, true); |
|
110 |
LDAPConnection ldapConnection = getLdapConnection(); |
|
111 |
if (ldapConnection != null) { |
|
112 |
try { |
|
113 |
String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); |
|
114 |
String uidAttribute = settings.getString(Keys.realm.ldap.uid, "uid"); |
|
115 |
String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); |
|
116 |
accountPattern = StringUtils.replace(accountPattern, "${username}", "*"); |
04a985
|
117 |
|
6659fa
|
118 |
SearchResult result = doSearch(ldapConnection, accountBase, accountPattern); |
JM |
119 |
if (result != null && result.getEntryCount() > 0) { |
|
120 |
final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>(); |
04a985
|
121 |
|
6659fa
|
122 |
for (SearchResultEntry loggingInUser : result.getSearchEntries()) { |
ef4c45
|
123 |
Attribute uid = loggingInUser.getAttribute(uidAttribute); |
JM |
124 |
if (uid == null) { |
|
125 |
logger.error("Can not synchronize with LDAP, missing \"{}\" attribute", uidAttribute); |
|
126 |
continue; |
|
127 |
} |
|
128 |
final String username = uid.getValue(); |
6659fa
|
129 |
logger.debug("LDAP synchronizing: " + username); |
04a985
|
130 |
|
6659fa
|
131 |
UserModel user = userManager.getUserModel(username); |
JM |
132 |
if (user == null) { |
|
133 |
user = new UserModel(username); |
|
134 |
} |
04a985
|
135 |
|
6659fa
|
136 |
if (!supportsTeamMembershipChanges()) { |
JM |
137 |
getTeamsFromLdap(ldapConnection, username, loggingInUser, user); |
|
138 |
} |
04a985
|
139 |
|
6659fa
|
140 |
// Get User Attributes |
JM |
141 |
setUserAttributes(user, loggingInUser); |
04a985
|
142 |
|
6659fa
|
143 |
// store in map |
JM |
144 |
ldapUsers.put(username.toLowerCase(), user); |
|
145 |
} |
04a985
|
146 |
|
6659fa
|
147 |
if (deleteRemovedLdapUsers) { |
JM |
148 |
logger.debug("detecting removed LDAP users..."); |
04a985
|
149 |
|
6659fa
|
150 |
for (UserModel userModel : userManager.getAllUsers()) { |
JM |
151 |
if (AccountType.LDAP == userModel.accountType) { |
|
152 |
if (!ldapUsers.containsKey(userModel.username)) { |
|
153 |
logger.info("deleting removed LDAP user " + userModel.username + " from user service"); |
|
154 |
userManager.deleteUser(userModel.username); |
|
155 |
} |
|
156 |
} |
|
157 |
} |
|
158 |
} |
04a985
|
159 |
|
6659fa
|
160 |
userManager.updateUserModels(ldapUsers.values()); |
JM |
161 |
|
|
162 |
if (!supportsTeamMembershipChanges()) { |
|
163 |
final Map<String, TeamModel> userTeams = new HashMap<String, TeamModel>(); |
|
164 |
for (UserModel user : ldapUsers.values()) { |
|
165 |
for (TeamModel userTeam : user.teams) { |
|
166 |
userTeams.put(userTeam.name, userTeam); |
|
167 |
} |
|
168 |
} |
|
169 |
userManager.updateTeamModels(userTeams.values()); |
|
170 |
} |
|
171 |
} |
|
172 |
if (!supportsTeamMembershipChanges()) { |
|
173 |
getEmptyTeamsFromLdap(ldapConnection); |
|
174 |
} |
|
175 |
} finally { |
|
176 |
ldapConnection.close(); |
|
177 |
} |
|
178 |
} |
|
179 |
} |
|
180 |
} |
04a985
|
181 |
|
JM |
182 |
private LDAPConnection getLdapConnection() { |
|
183 |
try { |
|
184 |
|
|
185 |
URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server)); |
|
186 |
String ldapHost = ldapUrl.getHost(); |
|
187 |
int ldapPort = ldapUrl.getPort(); |
|
188 |
String bindUserName = settings.getString(Keys.realm.ldap.username, ""); |
|
189 |
String bindPassword = settings.getString(Keys.realm.ldap.password, ""); |
|
190 |
|
|
191 |
LDAPConnection conn; |
|
192 |
if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) { |
|
193 |
// SSL |
|
194 |
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); |
|
195 |
conn = new LDAPConnection(sslUtil.createSSLSocketFactory()); |
4ce3ff
|
196 |
if (ldapPort == -1) { |
JM |
197 |
ldapPort = 636; |
|
198 |
} |
04a985
|
199 |
} else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { |
JM |
200 |
// no encryption or StartTLS |
|
201 |
conn = new LDAPConnection(); |
4ce3ff
|
202 |
if (ldapPort == -1) { |
JM |
203 |
ldapPort = 389; |
|
204 |
} |
04a985
|
205 |
} else { |
JM |
206 |
logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme()); |
|
207 |
return null; |
|
208 |
} |
|
209 |
|
|
210 |
conn.connect(ldapHost, ldapPort); |
|
211 |
|
|
212 |
if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { |
|
213 |
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); |
|
214 |
ExtendedResult extendedResult = conn.processExtendedOperation( |
|
215 |
new StartTLSExtendedRequest(sslUtil.createSSLContext())); |
|
216 |
if (extendedResult.getResultCode() != ResultCode.SUCCESS) { |
|
217 |
throw new LDAPException(extendedResult.getResultCode()); |
|
218 |
} |
|
219 |
} |
|
220 |
|
4ce3ff
|
221 |
if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) { |
JM |
222 |
// anonymous bind |
|
223 |
conn.bind(new SimpleBindRequest()); |
|
224 |
} else { |
|
225 |
// authenticated bind |
04a985
|
226 |
conn.bind(new SimpleBindRequest(bindUserName, bindPassword)); |
JM |
227 |
} |
|
228 |
|
|
229 |
return conn; |
|
230 |
|
|
231 |
} catch (URISyntaxException e) { |
|
232 |
logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e); |
|
233 |
} catch (GeneralSecurityException e) { |
|
234 |
logger.error("Unable to create SSL Connection", e); |
|
235 |
} catch (LDAPException e) { |
|
236 |
logger.error("Error Connecting to LDAP", e); |
|
237 |
} |
|
238 |
|
|
239 |
return null; |
|
240 |
} |
|
241 |
|
|
242 |
/** |
|
243 |
* Credentials are defined in the LDAP server and can not be manipulated |
|
244 |
* from Gitblit. |
|
245 |
* |
|
246 |
* @return false |
|
247 |
* @since 1.0.0 |
|
248 |
*/ |
|
249 |
@Override |
|
250 |
public boolean supportsCredentialChanges() { |
|
251 |
return false; |
|
252 |
} |
|
253 |
|
|
254 |
/** |
|
255 |
* If no displayName pattern is defined then Gitblit can manage the display name. |
|
256 |
* |
|
257 |
* @return true if Gitblit can manage the user display name |
|
258 |
* @since 1.0.0 |
|
259 |
*/ |
|
260 |
@Override |
|
261 |
public boolean supportsDisplayNameChanges() { |
|
262 |
return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, "")); |
|
263 |
} |
|
264 |
|
|
265 |
/** |
|
266 |
* If no email pattern is defined then Gitblit can manage the email address. |
|
267 |
* |
|
268 |
* @return true if Gitblit can manage the user email address |
|
269 |
* @since 1.0.0 |
|
270 |
*/ |
|
271 |
@Override |
|
272 |
public boolean supportsEmailAddressChanges() { |
|
273 |
return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, "")); |
|
274 |
} |
|
275 |
|
|
276 |
/** |
|
277 |
* If the LDAP server will maintain team memberships then LdapUserService |
|
278 |
* will not allow team membership changes. In this scenario all team |
|
279 |
* changes must be made on the LDAP server by the LDAP administrator. |
|
280 |
* |
|
281 |
* @return true or false |
|
282 |
* @since 1.0.0 |
|
283 |
*/ |
|
284 |
@Override |
|
285 |
public boolean supportsTeamMembershipChanges() { |
|
286 |
return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false); |
|
287 |
} |
|
288 |
|
6e3481
|
289 |
@Override |
JM |
290 |
public boolean supportsRoleChanges(UserModel user, Role role) { |
|
291 |
if (Role.ADMIN == role) { |
|
292 |
if (!supportsTeamMembershipChanges()) { |
|
293 |
List<String> admins = settings.getStrings(Keys.realm.ldap.admins); |
|
294 |
if (admins.contains(user.username)) { |
|
295 |
return false; |
|
296 |
} |
|
297 |
} |
|
298 |
} |
|
299 |
return true; |
|
300 |
} |
|
301 |
|
|
302 |
@Override |
|
303 |
public boolean supportsRoleChanges(TeamModel team, Role role) { |
|
304 |
if (Role.ADMIN == role) { |
|
305 |
if (!supportsTeamMembershipChanges()) { |
|
306 |
List<String> admins = settings.getStrings(Keys.realm.ldap.admins); |
|
307 |
if (admins.contains("@" + team.name)) { |
|
308 |
return false; |
|
309 |
} |
|
310 |
} |
|
311 |
} |
|
312 |
return true; |
|
313 |
} |
|
314 |
|
04a985
|
315 |
@Override |
JM |
316 |
public AccountType getAccountType() { |
|
317 |
return AccountType.LDAP; |
|
318 |
} |
|
319 |
|
|
320 |
@Override |
|
321 |
public UserModel authenticate(String username, char[] password) { |
|
322 |
String simpleUsername = getSimpleUsername(username); |
|
323 |
|
|
324 |
LDAPConnection ldapConnection = getLdapConnection(); |
|
325 |
if (ldapConnection != null) { |
|
326 |
try { |
e4b0ae
|
327 |
boolean alreadyAuthenticated = false; |
ef4c45
|
328 |
|
e4b0ae
|
329 |
String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, ""); |
J |
330 |
if (!StringUtils.isEmpty(bindPattern)) { |
|
331 |
try { |
c30c2b
|
332 |
String bindUser = StringUtils.replace(bindPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); |
e4b0ae
|
333 |
ldapConnection.bind(bindUser, new String(password)); |
ef4c45
|
334 |
|
e4b0ae
|
335 |
alreadyAuthenticated = true; |
J |
336 |
} catch (LDAPException e) { |
|
337 |
return null; |
|
338 |
} |
|
339 |
} |
|
340 |
|
04a985
|
341 |
// Find the logging in user's DN |
JM |
342 |
String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); |
|
343 |
String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); |
|
344 |
accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); |
|
345 |
|
|
346 |
SearchResult result = doSearch(ldapConnection, accountBase, accountPattern); |
|
347 |
if (result != null && result.getEntryCount() == 1) { |
|
348 |
SearchResultEntry loggingInUser = result.getSearchEntries().get(0); |
|
349 |
String loggingInUserDN = loggingInUser.getDN(); |
|
350 |
|
e4b0ae
|
351 |
if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { |
04a985
|
352 |
logger.debug("LDAP authenticated: " + username); |
JM |
353 |
|
|
354 |
UserModel user = null; |
|
355 |
synchronized (this) { |
|
356 |
user = userManager.getUserModel(simpleUsername); |
1293c2
|
357 |
if (user == null) { |
JM |
358 |
// create user object for new authenticated user |
04a985
|
359 |
user = new UserModel(simpleUsername); |
1293c2
|
360 |
} |
04a985
|
361 |
|
JM |
362 |
// create a user cookie |
c1b0e4
|
363 |
setCookie(user, password); |
04a985
|
364 |
|
1293c2
|
365 |
if (!supportsTeamMembershipChanges()) { |
04a985
|
366 |
getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user); |
1293c2
|
367 |
} |
04a985
|
368 |
|
JM |
369 |
// Get User Attributes |
|
370 |
setUserAttributes(user, loggingInUser); |
|
371 |
|
|
372 |
// Push the ldap looked up values to backing file |
|
373 |
updateUser(user); |
|
374 |
|
|
375 |
if (!supportsTeamMembershipChanges()) { |
1293c2
|
376 |
for (TeamModel userTeam : user.teams) { |
04a985
|
377 |
updateTeam(userTeam); |
1293c2
|
378 |
} |
04a985
|
379 |
} |
JM |
380 |
} |
|
381 |
|
|
382 |
return user; |
|
383 |
} |
|
384 |
} |
|
385 |
} finally { |
|
386 |
ldapConnection.close(); |
|
387 |
} |
|
388 |
} |
|
389 |
return null; |
|
390 |
} |
|
391 |
|
|
392 |
/** |
|
393 |
* Set the admin attribute from team memberships retrieved from LDAP. |
|
394 |
* If we are not storing teams in LDAP and/or we have not defined any |
|
395 |
* administrator teams, then do not change the admin flag. |
|
396 |
* |
|
397 |
* @param user |
|
398 |
*/ |
|
399 |
private void setAdminAttribute(UserModel user) { |
|
400 |
if (!supportsTeamMembershipChanges()) { |
|
401 |
List<String> admins = settings.getStrings(Keys.realm.ldap.admins); |
|
402 |
// if we have defined administrative teams, then set admin flag |
|
403 |
// otherwise leave admin flag unchanged |
|
404 |
if (!ArrayUtils.isEmpty(admins)) { |
|
405 |
user.canAdmin = false; |
|
406 |
for (String admin : admins) { |
1293c2
|
407 |
if (admin.startsWith("@") && user.isTeamMember(admin.substring(1))) { |
JM |
408 |
// admin team |
|
409 |
user.canAdmin = true; |
|
410 |
} else if (user.getName().equalsIgnoreCase(admin)) { |
|
411 |
// admin user |
|
412 |
user.canAdmin = true; |
|
413 |
} |
04a985
|
414 |
} |
JM |
415 |
} |
|
416 |
} |
|
417 |
} |
|
418 |
|
|
419 |
private void setUserAttributes(UserModel user, SearchResultEntry userEntry) { |
|
420 |
// Is this user an admin? |
|
421 |
setAdminAttribute(user); |
|
422 |
|
|
423 |
// Don't want visibility into the real password, make up a dummy |
|
424 |
user.password = Constants.EXTERNAL_ACCOUNT; |
|
425 |
user.accountType = getAccountType(); |
|
426 |
|
|
427 |
// Get full name Attribute |
|
428 |
String displayName = settings.getString(Keys.realm.ldap.displayName, ""); |
|
429 |
if (!StringUtils.isEmpty(displayName)) { |
|
430 |
// Replace embedded ${} with attributes |
|
431 |
if (displayName.contains("${")) { |
1293c2
|
432 |
for (Attribute userAttribute : userEntry.getAttributes()) { |
04a985
|
433 |
displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue()); |
1293c2
|
434 |
} |
04a985
|
435 |
user.displayName = displayName; |
JM |
436 |
} else { |
|
437 |
Attribute attribute = userEntry.getAttribute(displayName); |
|
438 |
if (attribute != null && attribute.hasValue()) { |
|
439 |
user.displayName = attribute.getValue(); |
|
440 |
} |
|
441 |
} |
|
442 |
} |
|
443 |
|
|
444 |
// Get email address Attribute |
|
445 |
String email = settings.getString(Keys.realm.ldap.email, ""); |
|
446 |
if (!StringUtils.isEmpty(email)) { |
|
447 |
if (email.contains("${")) { |
1293c2
|
448 |
for (Attribute userAttribute : userEntry.getAttributes()) { |
04a985
|
449 |
email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue()); |
1293c2
|
450 |
} |
04a985
|
451 |
user.emailAddress = email; |
JM |
452 |
} else { |
|
453 |
Attribute attribute = userEntry.getAttribute(email); |
|
454 |
if (attribute != null && attribute.hasValue()) { |
|
455 |
user.emailAddress = attribute.getValue(); |
2f0fe2
|
456 |
} else { |
JM |
457 |
// issue-456/ticket-134 |
|
458 |
// allow LDAP to delete an email address |
|
459 |
user.emailAddress = null; |
04a985
|
460 |
} |
JM |
461 |
} |
|
462 |
} |
|
463 |
} |
|
464 |
|
|
465 |
private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) { |
|
466 |
String loggingInUserDN = loggingInUser.getDN(); |
|
467 |
|
1293c2
|
468 |
// Clear the users team memberships - we're going to get them from LDAP |
JM |
469 |
user.teams.clear(); |
|
470 |
|
04a985
|
471 |
String groupBase = settings.getString(Keys.realm.ldap.groupBase, ""); |
JM |
472 |
String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))"); |
|
473 |
|
|
474 |
groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN)); |
|
475 |
groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); |
|
476 |
|
|
477 |
// Fill in attributes into groupMemberPattern |
|
478 |
for (Attribute userAttribute : loggingInUser.getAttributes()) { |
|
479 |
groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue())); |
|
480 |
} |
|
481 |
|
|
482 |
SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn")); |
|
483 |
if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) { |
|
484 |
for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) { |
|
485 |
SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i); |
|
486 |
String teamName = teamEntry.getAttribute("cn").getValue(); |
|
487 |
|
|
488 |
TeamModel teamModel = userManager.getTeamModel(teamName); |
|
489 |
if (teamModel == null) { |
|
490 |
teamModel = createTeamFromLdap(teamEntry); |
|
491 |
} |
|
492 |
|
|
493 |
user.teams.add(teamModel); |
|
494 |
teamModel.addUser(user.getName()); |
|
495 |
} |
|
496 |
} |
|
497 |
} |
|
498 |
|
f6d7de
|
499 |
private void getEmptyTeamsFromLdap(LDAPConnection ldapConnection) { |
6659fa
|
500 |
logger.info("Start fetching empty teams from ldap."); |
f6d7de
|
501 |
String groupBase = settings.getString(Keys.realm.ldap.groupBase, ""); |
AS |
502 |
String groupMemberPattern = settings.getString(Keys.realm.ldap.groupEmptyMemberPattern, "(&(objectClass=group)(!(member=*)))"); |
|
503 |
|
|
504 |
SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, null); |
|
505 |
if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) { |
|
506 |
for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) { |
|
507 |
SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i); |
|
508 |
if (!teamEntry.hasAttribute("member")) { |
|
509 |
String teamName = teamEntry.getAttribute("cn").getValue(); |
6659fa
|
510 |
|
f6d7de
|
511 |
TeamModel teamModel = userManager.getTeamModel(teamName); |
AS |
512 |
if (teamModel == null) { |
|
513 |
teamModel = createTeamFromLdap(teamEntry); |
|
514 |
userManager.updateTeamModel(teamModel); |
|
515 |
} |
|
516 |
} |
|
517 |
} |
|
518 |
} |
6659fa
|
519 |
logger.info("Finished fetching empty teams from ldap."); |
f6d7de
|
520 |
} |
AS |
521 |
|
04a985
|
522 |
private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) { |
JM |
523 |
TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn")); |
|
524 |
answer.accountType = getAccountType(); |
|
525 |
// potentially retrieve other attributes here in the future |
|
526 |
|
|
527 |
return answer; |
|
528 |
} |
|
529 |
|
|
530 |
private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) { |
|
531 |
try { |
|
532 |
return ldapConnection.search(base, SearchScope.SUB, filter); |
|
533 |
} catch (LDAPSearchException e) { |
|
534 |
logger.error("Problem Searching LDAP", e); |
|
535 |
|
|
536 |
return null; |
|
537 |
} |
|
538 |
} |
|
539 |
|
|
540 |
private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) { |
|
541 |
try { |
|
542 |
SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter); |
|
543 |
if (dereferenceAliases) { |
|
544 |
searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING); |
|
545 |
} |
|
546 |
if (attributes != null) { |
|
547 |
searchRequest.setAttributes(attributes); |
|
548 |
} |
|
549 |
return ldapConnection.search(searchRequest); |
|
550 |
|
|
551 |
} catch (LDAPSearchException e) { |
|
552 |
logger.error("Problem Searching LDAP", e); |
|
553 |
|
|
554 |
return null; |
|
555 |
} catch (LDAPException e) { |
|
556 |
logger.error("Problem creating LDAP search", e); |
|
557 |
return null; |
|
558 |
} |
|
559 |
} |
|
560 |
|
|
561 |
private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) { |
|
562 |
try { |
|
563 |
// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN |
|
564 |
ldapConnection.bind(userDn, password); |
|
565 |
return true; |
|
566 |
} catch (LDAPException e) { |
|
567 |
logger.error("Error authenticating user", e); |
|
568 |
return false; |
|
569 |
} |
|
570 |
} |
|
571 |
|
|
572 |
/** |
|
573 |
* Returns a simple username without any domain prefixes. |
|
574 |
* |
|
575 |
* @param username |
|
576 |
* @return a simple username |
|
577 |
*/ |
|
578 |
protected String getSimpleUsername(String username) { |
|
579 |
int lastSlash = username.lastIndexOf('\\'); |
|
580 |
if (lastSlash > -1) { |
|
581 |
username = username.substring(lastSlash + 1); |
|
582 |
} |
|
583 |
|
|
584 |
return username; |
|
585 |
} |
|
586 |
|
|
587 |
// From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java |
|
588 |
public static final String escapeLDAPSearchFilter(String filter) { |
|
589 |
StringBuilder sb = new StringBuilder(); |
|
590 |
for (int i = 0; i < filter.length(); i++) { |
|
591 |
char curChar = filter.charAt(i); |
|
592 |
switch (curChar) { |
|
593 |
case '\\': |
|
594 |
sb.append("\\5c"); |
|
595 |
break; |
|
596 |
case '*': |
|
597 |
sb.append("\\2a"); |
|
598 |
break; |
|
599 |
case '(': |
|
600 |
sb.append("\\28"); |
|
601 |
break; |
|
602 |
case ')': |
|
603 |
sb.append("\\29"); |
|
604 |
break; |
|
605 |
case '\u0000': |
|
606 |
sb.append("\\00"); |
|
607 |
break; |
|
608 |
default: |
|
609 |
sb.append(curChar); |
|
610 |
} |
|
611 |
} |
|
612 |
return sb.toString(); |
|
613 |
} |
eb1264
|
614 |
|
6659fa
|
615 |
private void configureSyncService() { |
eb1264
|
616 |
LdapSyncService ldapSyncService = new LdapSyncService(settings, this); |
AS |
617 |
if (ldapSyncService.isReady()) { |
6659fa
|
618 |
long ldapSyncPeriod = getSynchronizationPeriodInMilliseconds(); |
eb1264
|
619 |
int delay = 1; |
a1b5df
|
620 |
logger.info("Ldap sync service will update users and groups every {} minutes.", |
JM |
621 |
TimeUnit.MILLISECONDS.toMinutes(ldapSyncPeriod)); |
edae53
|
622 |
scheduledExecutorService.scheduleAtFixedRate(ldapSyncService, delay, ldapSyncPeriod, TimeUnit.MILLISECONDS); |
eb1264
|
623 |
} else { |
AS |
624 |
logger.info("Ldap sync service is disabled."); |
|
625 |
} |
|
626 |
} |
|
627 |
|
04a985
|
628 |
} |