X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FLdapUserAdmin.java;h=7129cfb56190a1e68d8b9b124e334ed08f7fa960;hb=e91af5c65a42b3ff98400caa552965cdb3f730e6;hp=dabae718c2f1c9f71124d7f9ee4400086f2683e7;hpb=50911fdcc6df5cd35e71a0a4ecddf03f98f742a2;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java index dabae718c..7129cfb56 100644 --- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java +++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java @@ -1,7 +1,9 @@ package org.argeo.osgi.useradmin; -import java.net.URI; +import static org.argeo.osgi.useradmin.LdifName.objectClass; + import java.util.ArrayList; +import java.util.Dictionary; import java.util.Hashtable; import java.util.List; @@ -11,38 +13,32 @@ import javax.naming.InvalidNameException; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attributes; +import javax.naming.directory.DirContext; import javax.naming.directory.SearchControls; import javax.naming.directory.SearchResult; import javax.naming.ldap.InitialLdapContext; -import javax.naming.ldap.LdapContext; import javax.naming.ldap.LdapName; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.argeo.ArgeoException; -import org.osgi.framework.InvalidSyntaxException; -import org.osgi.service.useradmin.Authorization; -import org.osgi.service.useradmin.Group; -import org.osgi.service.useradmin.Role; +import org.osgi.framework.Filter; import org.osgi.service.useradmin.User; -public class LdapUserAdmin extends AbstractLdapUserAdmin { +public class LdapUserAdmin extends AbstractUserDirectory { private final static Log log = LogFactory.getLog(LdapUserAdmin.class); - private String baseDn = "dc=example,dc=com"; private InitialLdapContext initialLdapContext = null; - public LdapUserAdmin(String uri) { + public LdapUserAdmin(Dictionary properties) { + super(properties); try { - setUri(new URI(uri)); Hashtable connEnv = new Hashtable(); connEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); connEnv.put(Context.PROVIDER_URL, getUri().toString()); - connEnv.put("java.naming.ldap.attributes.binary", "userPassword"); - // connEnv.put(Context.SECURITY_AUTHENTICATION, "simple"); - // connEnv.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system"); - // connEnv.put(Context.SECURITY_CREDENTIALS, "secret"); + connEnv.put("java.naming.ldap.attributes.binary", + LdifName.userPassword.name()); initialLdapContext = new InitialLdapContext(connEnv, null); // StartTlsResponse tls = (StartTlsResponse) ctx @@ -50,16 +46,23 @@ public class LdapUserAdmin extends AbstractLdapUserAdmin { // tls.negotiate(); initialLdapContext.addToEnvironment( Context.SECURITY_AUTHENTICATION, "simple"); - initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, - "uid=admin,ou=system"); - initialLdapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, - "secret"); - LdapContext ldapContext = (LdapContext) initialLdapContext - .lookup("uid=root,ou=users,dc=example,dc=com"); - log.debug(initialLdapContext.getAttributes( - "uid=root,ou=users,dc=example,dc=com").get("cn")); + Object principal = properties.get(Context.SECURITY_PRINCIPAL); + if (principal != null) { + initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, + principal.toString()); + Object creds = properties.get(Context.SECURITY_CREDENTIALS); + if (creds != null) { + initialLdapContext.addToEnvironment( + Context.SECURITY_CREDENTIALS, creds.toString()); + + } + } + // initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, + // "uid=admin,ou=system"); + // initialLdapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, + // "secret"); } catch (Exception e) { - throw new ArgeoUserAdminException("Cannot connect to LDAP", e); + throw new UserDirectoryException("Cannot connect to LDAP", e); } } @@ -72,97 +75,89 @@ public class LdapUserAdmin extends AbstractLdapUserAdmin { } } - @Override - public Role createRole(String name, int type) { - // TODO Auto-generated method stub - return null; + protected InitialLdapContext getLdapContext() { + return initialLdapContext; } @Override - public boolean removeRole(String name) { - // TODO Auto-generated method stub - return false; + protected Boolean daoHasRole(LdapName dn) { + return daoGetRole(dn) != null; } @Override - public Role getRole(String name) { + protected DirectoryUser daoGetRole(LdapName name) { try { - Attributes attrs = initialLdapContext.getAttributes(name); + Attributes attrs = getLdapContext().getAttributes(name); + if (attrs.size() == 0) + return null; LdifUser res; - if (attrs.get("objectClass").contains("groupOfNames")) - res = new LdifGroup(this, new LdapName(name), attrs); - else if (attrs.get("objectClass").contains("inetOrgPerson")) - res = new LdifUser(new LdapName(name), attrs); + if (attrs.get(objectClass.name()).contains(getGroupObjectClass())) + res = new LdifGroup(this, name, attrs); + else if (attrs.get(objectClass.name()).contains( + getUserObjectClass())) + res = new LdifUser(this, name, attrs); else - throw new ArgeoUserAdminException("Unsupported LDAP type for " + throw new UserDirectoryException("Unsupported LDAP type for " + name); return res; } catch (NamingException e) { - throw new ArgeoUserAdminException("Cannot get role for " + name, e); + throw new UserDirectoryException("Cannot get role for " + name, e); } } @Override - public Role[] getRoles(String filter) throws InvalidSyntaxException { + protected List doGetRoles(Filter f) { + // TODO Auto-generated method stub try { - String searchFilter = filter; - if (searchFilter == null) - searchFilter = "(|(objectClass=inetOrgPerson)(objectClass=groupOfNames))"; + String searchFilter = f != null ? f.toString() : "(|(" + + objectClass + "=" + getUserObjectClass() + ")(" + + objectClass + "=" + getGroupObjectClass() + "))"; SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); - String searchBase = baseDn; - NamingEnumeration results = initialLdapContext - .search(searchBase, searchFilter, searchControls); + String searchBase = getBaseDn(); + NamingEnumeration results = getLdapContext().search( + searchBase, searchFilter, searchControls); - ArrayList res = new ArrayList(); + ArrayList res = new ArrayList(); while (results.hasMoreElements()) { SearchResult searchResult = results.next(); Attributes attrs = searchResult.getAttributes(); LdifUser role; - if (attrs.get("objectClass").contains("groupOfNames")) + if (attrs.get(objectClass.name()).contains( + getGroupObjectClass())) role = new LdifGroup(this, toDn(searchBase, searchResult), attrs); - else if (attrs.get("objectClass").contains("inetOrgPerson")) - role = new LdifUser(toDn(searchBase, searchResult), attrs); + else if (attrs.get(objectClass.name()).contains( + getUserObjectClass())) + role = new LdifUser(this, toDn(searchBase, searchResult), + attrs); else - throw new ArgeoUserAdminException( + throw new UserDirectoryException( "Unsupported LDAP type for " + searchResult.getName()); res.add(role); } - return res.toArray(new Role[res.size()]); + return res; } catch (Exception e) { - throw new ArgeoUserAdminException("Cannot get roles for filter " - + filter, e); + throw new UserDirectoryException( + "Cannot get roles for filter " + f, e); } } @Override - public User getUser(String key, String value) { - if (key == null) { - List users = new ArrayList(); - for (String prop : getIndexedUserProperties()) { - User user = getUser(prop, value); - if (user != null) - users.add(user); - } - if (users.size() == 1) - return users.get(0); - else - return null; - } - + protected void doGetUser(String key, String value, + List collectedUsers) { try { - String searchFilter = "(&(objectClass=inetOrgPerson)(" + key + "=" - + value + "))"; + String searchFilter = "(&(" + objectClass + "=" + + getUserObjectClass() + ")(" + key + "=" + value + "))"; SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); - String searchBase = baseDn; - NamingEnumeration results = initialLdapContext - .search(searchBase, searchFilter, searchControls); + String searchBase = getBaseDn(); + NamingEnumeration results = getLdapContext().search( + searchBase, searchFilter, searchControls); SearchResult searchResult = null; if (results.hasMoreElements()) { @@ -170,21 +165,14 @@ public class LdapUserAdmin extends AbstractLdapUserAdmin { if (results.hasMoreElements()) searchResult = null; } - if (searchResult == null) - return null; - return new LdifUser(toDn(searchBase, searchResult), - searchResult.getAttributes()); + if (searchResult != null) + collectedUsers.add(new LdifUser(this, toDn(searchBase, + searchResult), searchResult.getAttributes())); } catch (Exception e) { - throw new ArgeoUserAdminException("Cannot get user with " + key + throw new UserDirectoryException("Cannot get user with " + key + "=" + value, e); } - } - @Override - public Authorization getAuthorization(User user) { - LdifUser u = (LdifUser) user; - // populateDirectMemberOf(u); - return new LdifAuthorization(u, getAllRoles(u)); } private LdapName toDn(String baseDn, Binding binding) @@ -193,48 +181,20 @@ public class LdapUserAdmin extends AbstractLdapUserAdmin { + baseDn : binding.getName()); } - // void populateDirectMemberOf(LdifUser user) { - // - // try { - // String searchFilter = "(&(objectClass=groupOfNames)(member=" - // + user.getName() + "))"; - // - // SearchControls searchControls = new SearchControls(); - // searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); - // - // String searchBase = "ou=node"; - // NamingEnumeration results = initialLdapContext - // .search(searchBase, searchFilter, searchControls); - // - // // TODO synchro - // //user.directMemberOf.clear(); - // while (results.hasMoreElements()) { - // SearchResult searchResult = (SearchResult) results - // .nextElement(); - // LdifGroup group = new LdifGroup(toDn(searchBase, searchResult), - // searchResult.getAttributes()); - // populateDirectMemberOf(group); - // //user.directMemberOf.add(group); - // } - // } catch (Exception e) { - // throw new ArgeoException("Cannot populate direct members of " - // + user, e); - // } - // } - @Override - protected List getDirectGroups(User user) { - List directGroups = new ArrayList(); + protected List getDirectGroups(User user) { + List directGroups = new ArrayList(); try { - String searchFilter = "(&(objectClass=groupOfNames)(member=" - + user.getName() + "))"; + String searchFilter = "(&(" + objectClass + "=" + + getGroupObjectClass() + ")(" + getMemberAttributeId() + + "=" + user.getName() + "))"; SearchControls searchControls = new SearchControls(); searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE); - String searchBase = getGroupsSearchBase(); - NamingEnumeration results = initialLdapContext - .search(searchBase, searchFilter, searchControls); + String searchBase = getBaseDn(); + NamingEnumeration results = getLdapContext().search( + searchBase, searchFilter, searchControls); while (results.hasMoreElements()) { SearchResult searchResult = (SearchResult) results @@ -250,8 +210,63 @@ public class LdapUserAdmin extends AbstractLdapUserAdmin { } } - protected String getGroupsSearchBase() { - // TODO configure group search base - return baseDn; + @Override + protected void prepare(WorkingCopy wc) { + try { + getLdapContext().reconnect(getLdapContext().getConnectControls()); + // delete + for (LdapName dn : wc.getDeletedUsers().keySet()) { + if (!entryExists(dn)) + throw new UserDirectoryException("User to delete no found " + + dn); + } + // add + for (LdapName dn : wc.getNewUsers().keySet()) { + if (!entryExists(dn)) + throw new UserDirectoryException("User to create found " + + dn); + } + // modify + for (LdapName dn : wc.getModifiedUsers().keySet()) { + if (!entryExists(dn)) + throw new UserDirectoryException("User to modify no found " + + dn); + } + } catch (NamingException e) { + throw new UserDirectoryException("Cannot prepare LDAP", e); + } + } + + private boolean entryExists(LdapName dn) throws NamingException { + return getLdapContext().getAttributes(dn).size() != 0; + } + + @Override + protected void commit(WorkingCopy wc) { + try { + // delete + for (LdapName dn : wc.getDeletedUsers().keySet()) { + getLdapContext().destroySubcontext(dn); + } + // add + for (LdapName dn : wc.getNewUsers().keySet()) { + DirectoryUser user = wc.getNewUsers().get(dn); + getLdapContext().createSubcontext(dn, user.getAttributes()); + } + // modify + for (LdapName dn : wc.getModifiedUsers().keySet()) { + Attributes modifiedAttrs = wc.getModifiedUsers().get(dn); + getLdapContext().modifyAttributes(dn, + DirContext.REPLACE_ATTRIBUTE, modifiedAttrs); + } + } catch (NamingException e) { + throw new UserDirectoryException("Cannot commit LDAP", e); + } } + + @Override + protected void rollback(WorkingCopy wc) { + // prepare not impacting + } + }