/* * Copyright 2012 John Crygier * Copyright 2012 gitblit.com * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.gitblit.auth; import java.net.URI; import java.net.URISyntaxException; import java.security.GeneralSecurityException; import java.text.MessageFormat; import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; import com.gitblit.Constants; import com.gitblit.Constants.AccountType; import com.gitblit.Constants.Role; import com.gitblit.Keys; import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; import com.gitblit.models.TeamModel; import com.gitblit.models.UserModel; import com.gitblit.service.LdapSyncService; import com.gitblit.utils.ArrayUtils; import com.gitblit.utils.StringUtils; import com.unboundid.ldap.sdk.Attribute; import com.unboundid.ldap.sdk.DereferencePolicy; import com.unboundid.ldap.sdk.ExtendedResult; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPSearchException; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import com.unboundid.ldap.sdk.SimpleBindRequest; import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest; import com.unboundid.util.ssl.SSLUtil; import com.unboundid.util.ssl.TrustAllTrustManager; /** * Implementation of an LDAP user service. * * @author John Crygier */ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { private final ScheduledExecutorService scheduledExecutorService; public LdapAuthProvider() { super("ldap"); scheduledExecutorService = Executors.newSingleThreadScheduledExecutor(); } private long getSynchronizationPeriodInMilliseconds() { String period = settings.getString(Keys.realm.ldap.syncPeriod, null); if (StringUtils.isEmpty(period)) { period = settings.getString("realm.ldap.ldapCachePeriod", null); if (StringUtils.isEmpty(period)) { period = "5 MINUTES"; } else { logger.warn("realm.ldap.ldapCachePeriod is obsolete!"); logger.warn(MessageFormat.format("Please set {0}={1} in gitblit.properties!", Keys.realm.ldap.syncPeriod, period)); settings.overrideSetting(Keys.realm.ldap.syncPeriod, period); } } try { final String[] s = period.split(" ", 2); long duration = Math.abs(Long.parseLong(s[0])); TimeUnit timeUnit = TimeUnit.valueOf(s[1]); return timeUnit.toMillis(duration); } catch (RuntimeException ex) { throw new IllegalArgumentException(Keys.realm.ldap.syncPeriod + " must have format ' ' where is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'"); } } @Override public void setup() { configureSyncService(); } @Override public void stop() { scheduledExecutorService.shutdownNow(); } public synchronized void sync() { final boolean enabled = settings.getBoolean(Keys.realm.ldap.synchronize, false); if (enabled) { logger.info("Synchronizing with LDAP @ " + settings.getRequiredString(Keys.realm.ldap.server)); final boolean deleteRemovedLdapUsers = settings.getBoolean(Keys.realm.ldap.removeDeletedUsers, true); LDAPConnection ldapConnection = getLdapConnection(); if (ldapConnection != null) { try { String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); String uidAttribute = settings.getString(Keys.realm.ldap.uid, "uid"); String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); accountPattern = StringUtils.replace(accountPattern, "${username}", "*"); SearchResult result = doSearch(ldapConnection, accountBase, accountPattern); if (result != null && result.getEntryCount() > 0) { final Map ldapUsers = new HashMap(); for (SearchResultEntry loggingInUser : result.getSearchEntries()) { Attribute uid = loggingInUser.getAttribute(uidAttribute); if (uid == null) { logger.error("Can not synchronize with LDAP, missing \"{}\" attribute", uidAttribute); continue; } final String username = uid.getValue(); logger.debug("LDAP synchronizing: " + username); UserModel user = userManager.getUserModel(username); if (user == null) { user = new UserModel(username); } if (!supportsTeamMembershipChanges()) { getTeamsFromLdap(ldapConnection, username, loggingInUser, user); } // Get User Attributes setUserAttributes(user, loggingInUser); // store in map ldapUsers.put(username.toLowerCase(), user); } if (deleteRemovedLdapUsers) { logger.debug("detecting removed LDAP users..."); for (UserModel userModel : userManager.getAllUsers()) { if (AccountType.LDAP == userModel.accountType) { if (!ldapUsers.containsKey(userModel.username)) { logger.info("deleting removed LDAP user " + userModel.username + " from user service"); userManager.deleteUser(userModel.username); } } } } userManager.updateUserModels(ldapUsers.values()); if (!supportsTeamMembershipChanges()) { final Map userTeams = new HashMap(); for (UserModel user : ldapUsers.values()) { for (TeamModel userTeam : user.teams) { userTeams.put(userTeam.name, userTeam); } } userManager.updateTeamModels(userTeams.values()); } } if (!supportsTeamMembershipChanges()) { getEmptyTeamsFromLdap(ldapConnection); } } finally { ldapConnection.close(); } } } } private LDAPConnection getLdapConnection() { try { URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server)); String ldapHost = ldapUrl.getHost(); int ldapPort = ldapUrl.getPort(); String bindUserName = settings.getString(Keys.realm.ldap.username, ""); String bindPassword = settings.getString(Keys.realm.ldap.password, ""); LDAPConnection conn; if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) { // SSL SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); conn = new LDAPConnection(sslUtil.createSSLSocketFactory()); if (ldapPort == -1) { ldapPort = 636; } } else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { // no encryption or StartTLS conn = new LDAPConnection(); if (ldapPort == -1) { ldapPort = 389; } } else { logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme()); return null; } conn.connect(ldapHost, ldapPort); if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) { SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); ExtendedResult extendedResult = conn.processExtendedOperation( new StartTLSExtendedRequest(sslUtil.createSSLContext())); if (extendedResult.getResultCode() != ResultCode.SUCCESS) { throw new LDAPException(extendedResult.getResultCode()); } } if (StringUtils.isEmpty(bindUserName) && StringUtils.isEmpty(bindPassword)) { // anonymous bind conn.bind(new SimpleBindRequest()); } else { // authenticated bind conn.bind(new SimpleBindRequest(bindUserName, bindPassword)); } return conn; } catch (URISyntaxException e) { logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://:", e); } catch (GeneralSecurityException e) { logger.error("Unable to create SSL Connection", e); } catch (LDAPException e) { logger.error("Error Connecting to LDAP", e); } return null; } /** * Credentials are defined in the LDAP server and can not be manipulated * from Gitblit. * * @return false * @since 1.0.0 */ @Override public boolean supportsCredentialChanges() { return false; } /** * If no displayName pattern is defined then Gitblit can manage the display name. * * @return true if Gitblit can manage the user display name * @since 1.0.0 */ @Override public boolean supportsDisplayNameChanges() { return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, "")); } /** * If no email pattern is defined then Gitblit can manage the email address. * * @return true if Gitblit can manage the user email address * @since 1.0.0 */ @Override public boolean supportsEmailAddressChanges() { return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, "")); } /** * If the LDAP server will maintain team memberships then LdapUserService * will not allow team membership changes. In this scenario all team * changes must be made on the LDAP server by the LDAP administrator. * * @return true or false * @since 1.0.0 */ @Override public boolean supportsTeamMembershipChanges() { return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false); } @Override public boolean supportsRoleChanges(UserModel user, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains(user.username)) { return false; } } } return true; } @Override public boolean supportsRoleChanges(TeamModel team, Role role) { if (Role.ADMIN == role) { if (!supportsTeamMembershipChanges()) { List admins = settings.getStrings(Keys.realm.ldap.admins); if (admins.contains("@" + team.name)) { return false; } } } return true; } @Override public AccountType getAccountType() { return AccountType.LDAP; } @Override public UserModel authenticate(String username, char[] password) { String simpleUsername = getSimpleUsername(username); LDAPConnection ldapConnection = getLdapConnection(); if (ldapConnection != null) { try { boolean alreadyAuthenticated = false; String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, ""); if (!StringUtils.isEmpty(bindPattern)) { try { String bindUser = StringUtils.replace(bindPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); ldapConnection.bind(bindUser, new String(password)); alreadyAuthenticated = true; } catch (LDAPException e) { return null; } } // Find the logging in user's DN String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); SearchResult result = doSearch(ldapConnection, accountBase, accountPattern); if (result != null && result.getEntryCount() == 1) { SearchResultEntry loggingInUser = result.getSearchEntries().get(0); String loggingInUserDN = loggingInUser.getDN(); if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { logger.debug("LDAP authenticated: " + username); UserModel user = null; synchronized (this) { user = userManager.getUserModel(simpleUsername); if (user == null) { // create user object for new authenticated user user = new UserModel(simpleUsername); } // create a user cookie setCookie(user, password); if (!supportsTeamMembershipChanges()) { getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user); } // Get User Attributes setUserAttributes(user, loggingInUser); // Push the ldap looked up values to backing file updateUser(user); if (!supportsTeamMembershipChanges()) { for (TeamModel userTeam : user.teams) { updateTeam(userTeam); } } } return user; } } } finally { ldapConnection.close(); } } return null; } /** * Set the admin attribute from team memberships retrieved from LDAP. * If we are not storing teams in LDAP and/or we have not defined any * administrator teams, then do not change the admin flag. * * @param user */ private void setAdminAttribute(UserModel user) { if (!supportsTeamMembershipChanges()) { List admins = settings.getStrings(Keys.realm.ldap.admins); // if we have defined administrative teams, then set admin flag // otherwise leave admin flag unchanged if (!ArrayUtils.isEmpty(admins)) { user.canAdmin = false; for (String admin : admins) { if (admin.startsWith("@") && user.isTeamMember(admin.substring(1))) { // admin team user.canAdmin = true; } else if (user.getName().equalsIgnoreCase(admin)) { // admin user user.canAdmin = true; } } } } } private void setUserAttributes(UserModel user, SearchResultEntry userEntry) { // Is this user an admin? setAdminAttribute(user); // Don't want visibility into the real password, make up a dummy user.password = Constants.EXTERNAL_ACCOUNT; user.accountType = getAccountType(); // Get full name Attribute String displayName = settings.getString(Keys.realm.ldap.displayName, ""); if (!StringUtils.isEmpty(displayName)) { // Replace embedded ${} with attributes if (displayName.contains("${")) { for (Attribute userAttribute : userEntry.getAttributes()) { displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue()); } user.displayName = displayName; } else { Attribute attribute = userEntry.getAttribute(displayName); if (attribute != null && attribute.hasValue()) { user.displayName = attribute.getValue(); } } } // Get email address Attribute String email = settings.getString(Keys.realm.ldap.email, ""); if (!StringUtils.isEmpty(email)) { if (email.contains("${")) { for (Attribute userAttribute : userEntry.getAttributes()) { email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue()); } user.emailAddress = email; } else { Attribute attribute = userEntry.getAttribute(email); if (attribute != null && attribute.hasValue()) { user.emailAddress = attribute.getValue(); } else { // issue-456/ticket-134 // allow LDAP to delete an email address user.emailAddress = null; } } } } private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) { String loggingInUserDN = loggingInUser.getDN(); // Clear the users team memberships - we're going to get them from LDAP user.teams.clear(); String groupBase = settings.getString(Keys.realm.ldap.groupBase, ""); String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))"); groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN)); groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername)); // Fill in attributes into groupMemberPattern for (Attribute userAttribute : loggingInUser.getAttributes()) { groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue())); } SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn")); if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) { for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) { SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i); String teamName = teamEntry.getAttribute("cn").getValue(); TeamModel teamModel = userManager.getTeamModel(teamName); if (teamModel == null) { teamModel = createTeamFromLdap(teamEntry); } user.teams.add(teamModel); teamModel.addUser(user.getName()); } } } private void getEmptyTeamsFromLdap(LDAPConnection ldapConnection) { logger.info("Start fetching empty teams from ldap."); String groupBase = settings.getString(Keys.realm.ldap.groupBase, ""); String groupMemberPattern = settings.getString(Keys.realm.ldap.groupEmptyMemberPattern, "(&(objectClass=group)(!(member=*)))"); SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, null); if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) { for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) { SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i); if (!teamEntry.hasAttribute("member")) { String teamName = teamEntry.getAttribute("cn").getValue(); TeamModel teamModel = userManager.getTeamModel(teamName); if (teamModel == null) { teamModel = createTeamFromLdap(teamEntry); userManager.updateTeamModel(teamModel); } } } } logger.info("Finished fetching empty teams from ldap."); } private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) { TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn")); answer.accountType = getAccountType(); // potentially retrieve other attributes here in the future return answer; } private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) { try { return ldapConnection.search(base, SearchScope.SUB, filter); } catch (LDAPSearchException e) { logger.error("Problem Searching LDAP", e); return null; } } private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List attributes) { try { SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter); if (dereferenceAliases) { searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING); } if (attributes != null) { searchRequest.setAttributes(attributes); } return ldapConnection.search(searchRequest); } catch (LDAPSearchException e) { logger.error("Problem Searching LDAP", e); return null; } catch (LDAPException e) { logger.error("Problem creating LDAP search", e); return null; } } private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) { try { // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN ldapConnection.bind(userDn, password); return true; } catch (LDAPException e) { logger.error("Error authenticating user", e); return false; } } /** * Returns a simple username without any domain prefixes. * * @param username * @return a simple username */ protected String getSimpleUsername(String username) { int lastSlash = username.lastIndexOf('\\'); if (lastSlash > -1) { username = username.substring(lastSlash + 1); } return username; } // From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java public static final String escapeLDAPSearchFilter(String filter) { StringBuilder sb = new StringBuilder(); for (int i = 0; i < filter.length(); i++) { char curChar = filter.charAt(i); switch (curChar) { case '\\': sb.append("\\5c"); break; case '*': sb.append("\\2a"); break; case '(': sb.append("\\28"); break; case ')': sb.append("\\29"); break; case '\u0000': sb.append("\\00"); break; default: sb.append(curChar); } } return sb.toString(); } private void configureSyncService() { LdapSyncService ldapSyncService = new LdapSyncService(settings, this); if (ldapSyncService.isReady()) { long ldapSyncPeriod = getSynchronizationPeriodInMilliseconds(); int delay = 1; logger.info("Ldap sync service will update users and groups every {} minutes.", TimeUnit.MILLISECONDS.toMinutes(ldapSyncPeriod)); scheduledExecutorService.scheduleAtFixedRate(ldapSyncService, delay, ldapSyncPeriod, TimeUnit.MILLISECONDS); } else { logger.info("Ldap sync service is disabled."); } } }