X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fuseradmin%2Fldap%2FArgeoLdapUserDetailsManager.java;fp=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fuseradmin%2Fldap%2FArgeoLdapUserDetailsManager.java;h=4381fa9914ce1699ae5dae2d2a7dad2b24e68f14;hb=6ddb7b6b224a00344a182761e42b2241a721224f;hp=0000000000000000000000000000000000000000;hpb=92dee1606725534bdfc067cd2cae017f0501ac5d;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.cms/src/org/argeo/cms/internal/useradmin/ldap/ArgeoLdapUserDetailsManager.java b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/ldap/ArgeoLdapUserDetailsManager.java
new file mode 100644
index 000000000..4381fa991
--- /dev/null
+++ b/org.argeo.cms/src/org/argeo/cms/internal/useradmin/ldap/ArgeoLdapUserDetailsManager.java
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.cms.internal.useradmin.ldap;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Random;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.argeo.ArgeoException;
+import org.argeo.security.UserAdminService;
+import org.springframework.ldap.core.ContextSource;
+import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.ldap.userdetails.LdapUserDetailsManager;
+
+/** Extends {@link LdapUserDetailsManager} by adding password encoding support. */
+@SuppressWarnings("deprecation")
+public class ArgeoLdapUserDetailsManager extends LdapUserDetailsManager
+		implements UserAdminService {
+	private String superUsername = "root";
+	private ArgeoUserAdminDaoLdap userAdminDao;
+	private PasswordEncoder passwordEncoder;
+	private final Random random;
+
+	public ArgeoLdapUserDetailsManager(ContextSource contextSource) {
+		super(contextSource);
+		this.random = createRandom();
+	}
+
+	private static Random createRandom() {
+		try {
+			return SecureRandom.getInstance("SHA1PRNG");
+		} catch (NoSuchAlgorithmException e) {
+			return new Random(System.currentTimeMillis());
+		}
+	}
+
+	@Override
+	public void changePassword(String oldPassword, String newPassword) {
+		Authentication authentication = SecurityContextHolder.getContext()
+				.getAuthentication();
+		if (authentication == null)
+			throw new ArgeoException(
+					"Cannot change password without authentication");
+		String username = authentication.getName();
+		UserDetails userDetails = loadUserByUsername(username);
+		String currentPassword = userDetails.getPassword();
+		if (currentPassword == null)
+			throw new ArgeoException("Cannot access current password");
+		if (!passwordEncoder
+				.isPasswordValid(currentPassword, oldPassword, null))
+			throw new ArgeoException("Old password invalid");
+		// Spring Security LDAP 2.0 is buggy when used with OpenLDAP and called
+		// with oldPassword argument
+		super.changePassword(null, encodePassword(newPassword));
+	}
+
+	public void newRole(String role) {
+		userAdminDao.createRole(role, superUsername);
+	}
+
+	public void synchronize() {
+		for (String username : userAdminDao.listUsers())
+			loadUserByUsername(username);
+		// TODO: find a way to remove from JCR
+	}
+
+	public void deleteRole(String role) {
+		userAdminDao.deleteRole(role);
+	}
+
+	public Set<String> listUsers() {
+		return userAdminDao.listUsers();
+	}
+
+	public Set<String> listUsersInRole(String role) {
+		Set<String> lst = new TreeSet<String>(
+				userAdminDao.listUsersInRole(role));
+		Iterator<String> it = lst.iterator();
+		while (it.hasNext()) {
+			if (it.next().equals(superUsername)) {
+				it.remove();
+				break;
+			}
+		}
+		return lst;
+	}
+
+	public List<String> listUserRoles(String username) {
+		UserDetails userDetails = loadUserByUsername(username);
+		List<String> roles = new ArrayList<String>();
+		for (GrantedAuthority ga : userDetails.getAuthorities()) {
+			roles.add(ga.getAuthority());
+		}
+		return Collections.unmodifiableList(roles);
+	}
+
+	public Set<String> listEditableRoles() {
+		return userAdminDao.listEditableRoles();
+	}
+
+	protected String encodePassword(String password) {
+		if (!password.startsWith("{")) {
+			byte[] salt = new byte[16];
+			random.nextBytes(salt);
+			return passwordEncoder.encodePassword(password, salt);
+		} else {
+			return password;
+		}
+	}
+
+	public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+		this.passwordEncoder = passwordEncoder;
+	}
+
+	public void setSuperUsername(String superUsername) {
+		this.superUsername = superUsername;
+	}
+
+	public void setUserAdminDao(ArgeoUserAdminDaoLdap userAdminDao) {
+		this.userAdminDao = userAdminDao;
+	}
+
+}