X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FLdapUserAdmin.java;h=c2e26ca4cfc09b610cc9880679f9175c8da7ea83;hb=0aeba3e5420ae8502e8f02fcfd2138bcaab4a7f6;hp=23a31fc87f18fc0452b78f993361bc849d7f4fc0;hpb=7eab8a52b56a763e0d0e5153d298ce658e41a22f;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
index 23a31fc87..c2e26ca4c 100644
--- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
+++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/LdapUserAdmin.java
@@ -10,21 +10,27 @@ import java.util.List;
 import javax.naming.Binding;
 import javax.naming.Context;
 import javax.naming.InvalidNameException;
+import javax.naming.NameNotFoundException;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapName;
+import javax.transaction.TransactionManager;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.ArgeoException;
 import org.osgi.framework.Filter;
-import org.osgi.service.useradmin.User;
 
+/**
+ * A user admin based on a LDAP server. Requires a {@link TransactionManager}
+ * and an open transaction for write access.
+ */
 public class LdapUserAdmin extends AbstractUserDirectory {
 	private final static Log log = LogFactory.getLog(LdapUserAdmin.class);
 
@@ -34,26 +40,21 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 		super(properties);
 		try {
 			Hashtable<String, Object> connEnv = new Hashtable<String, Object>();
-			connEnv.put(Context.INITIAL_CONTEXT_FACTORY,
-					"com.sun.jndi.ldap.LdapCtxFactory");
+			connEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
 			connEnv.put(Context.PROVIDER_URL, getUri().toString());
-			connEnv.put("java.naming.ldap.attributes.binary",
-					LdifName.userpassword.name());
+			connEnv.put("java.naming.ldap.attributes.binary", LdifName.userPassword.name());
 
 			initialLdapContext = new InitialLdapContext(connEnv, null);
 			// StartTlsResponse tls = (StartTlsResponse) ctx
 			// .extendedOperation(new StartTlsRequest());
 			// tls.negotiate();
-			initialLdapContext.addToEnvironment(
-					Context.SECURITY_AUTHENTICATION, "simple");
+			initialLdapContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
 			Object principal = properties.get(Context.SECURITY_PRINCIPAL);
 			if (principal != null) {
-				initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL,
-						principal.toString());
+				initialLdapContext.addToEnvironment(Context.SECURITY_PRINCIPAL, principal.toString());
 				Object creds = properties.get(Context.SECURITY_CREDENTIALS);
 				if (creds != null) {
-					initialLdapContext.addToEnvironment(
-							Context.SECURITY_CREDENTIALS, creds.toString());
+					initialLdapContext.addToEnvironment(Context.SECURITY_CREDENTIALS, creds.toString());
 
 				}
 			}
@@ -93,144 +94,96 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 			LdifUser res;
 			if (attrs.get(objectClass.name()).contains(getGroupObjectClass()))
 				res = new LdifGroup(this, name, attrs);
-			else if (attrs.get(objectClass.name()).contains(
-					getUserObjectClass()))
+			else if (attrs.get(objectClass.name()).contains(getUserObjectClass()))
 				res = new LdifUser(this, name, attrs);
 			else
-				throw new UserDirectoryException("Unsupported LDAP type for "
-						+ name);
+				throw new UserDirectoryException("Unsupported LDAP type for " + name);
 			return res;
 		} catch (NamingException e) {
-			throw new UserDirectoryException("Cannot get role for " + name, e);
+			return null;
 		}
 	}
 
 	@Override
 	protected List<DirectoryUser> doGetRoles(Filter f) {
-		// TODO Auto-generated method stub
 		try {
-			String searchFilter = f != null ? f.toString() : "(|("
-					+ objectClass + "=" + getUserObjectClass() + ")("
-					+ objectClass + "=" + getGroupObjectClass() + "))";
+			String searchFilter = f != null ? f.toString()
+					: "(|(" + objectClass + "=" + getUserObjectClass() + ")(" + objectClass + "="
+							+ getGroupObjectClass() + "))";
 			SearchControls searchControls = new SearchControls();
 			searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
 			String searchBase = getBaseDn();
-			NamingEnumeration<SearchResult> results = getLdapContext().search(
-					searchBase, searchFilter, searchControls);
+			NamingEnumeration<SearchResult> results = getLdapContext().search(searchBase, searchFilter, searchControls);
 
 			ArrayList<DirectoryUser> res = new ArrayList<DirectoryUser>();
-			while (results.hasMoreElements()) {
+			results: while (results.hasMoreElements()) {
 				SearchResult searchResult = results.next();
 				Attributes attrs = searchResult.getAttributes();
+				Attribute objectClassAttr = attrs.get(objectClass.name());
+				LdapName dn = toDn(searchBase, searchResult);
 				LdifUser role;
-				if (attrs.get(objectClass.name()).contains(
-						getGroupObjectClass()))
-					role = new LdifGroup(this, toDn(searchBase, searchResult),
-							attrs);
-				else if (attrs.get(objectClass.name()).contains(
-						getUserObjectClass()))
-					role = new LdifUser(this, toDn(searchBase, searchResult),
-							attrs);
-				else
-					throw new UserDirectoryException(
-							"Unsupported LDAP type for "
-									+ searchResult.getName());
+				if (objectClassAttr.contains(getGroupObjectClass()))
+					role = new LdifGroup(this, dn, attrs);
+				else if (objectClassAttr.contains(getUserObjectClass()))
+					role = new LdifUser(this, dn, attrs);
+				else {
+					log.warn("Unsupported LDAP type for " + searchResult.getName());
+					continue results;
+				}
 				res.add(role);
 			}
 			return res;
 		} catch (Exception e) {
-			throw new UserDirectoryException(
-					"Cannot get roles for filter " + f, e);
-		}
-	}
-
-	@Override
-	protected void doGetUser(String key, String value,
-			List<DirectoryUser> collectedUsers) {
-		try {
-			String searchFilter = "(&(" + objectClass + "="
-					+ getUserObjectClass() + ")(" + key + "=" + value + "))";
-
-			SearchControls searchControls = new SearchControls();
-			searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
-
-			String searchBase = getBaseDn();
-			NamingEnumeration<SearchResult> results = getLdapContext().search(
-					searchBase, searchFilter, searchControls);
-
-			SearchResult searchResult = null;
-			if (results.hasMoreElements()) {
-				searchResult = (SearchResult) results.nextElement();
-				if (results.hasMoreElements())
-					searchResult = null;
-			}
-			if (searchResult != null)
-				collectedUsers.add(new LdifUser(this, toDn(searchBase,
-						searchResult), searchResult.getAttributes()));
-		} catch (Exception e) {
-			throw new UserDirectoryException("Cannot get user with " + key
-					+ "=" + value, e);
+			throw new UserDirectoryException("Cannot get roles for filter " + f, e);
 		}
-
 	}
 
-	private LdapName toDn(String baseDn, Binding binding)
-			throws InvalidNameException {
-		return new LdapName(binding.isRelative() ? binding.getName() + ","
-				+ baseDn : binding.getName());
+	private LdapName toDn(String baseDn, Binding binding) throws InvalidNameException {
+		return new LdapName(binding.isRelative() ? binding.getName() + "," + baseDn : binding.getName());
 	}
 
 	@Override
-	protected List<DirectoryGroup> getDirectGroups(User user) {
-		List<DirectoryGroup> directGroups = new ArrayList<DirectoryGroup>();
+	protected List<LdapName> getDirectGroups(LdapName dn) {
+		List<LdapName> directGroups = new ArrayList<LdapName>();
 		try {
-			String searchFilter = "(&(" + objectClass + "="
-					+ getGroupObjectClass() + ")(" + getMemberAttributeId()
-					+ "=" + user.getName() + "))";
+			String searchFilter = "(&(" + objectClass + "=" + getGroupObjectClass() + ")(" + getMemberAttributeId()
+					+ "=" + dn + "))";
 
 			SearchControls searchControls = new SearchControls();
 			searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
 
 			String searchBase = getBaseDn();
-			NamingEnumeration<SearchResult> results = getLdapContext().search(
-					searchBase, searchFilter, searchControls);
+			NamingEnumeration<SearchResult> results = getLdapContext().search(searchBase, searchFilter, searchControls);
 
 			while (results.hasMoreElements()) {
-				SearchResult searchResult = (SearchResult) results
-						.nextElement();
-				LdifGroup group = new LdifGroup(this, toDn(searchBase,
-						searchResult), searchResult.getAttributes());
-				directGroups.add(group);
+				SearchResult searchResult = (SearchResult) results.nextElement();
+				directGroups.add(toDn(searchBase, searchResult));
 			}
 			return directGroups;
 		} catch (Exception e) {
-			throw new ArgeoException("Cannot populate direct members of "
-					+ user, e);
+			throw new ArgeoException("Cannot populate direct members of " + dn, e);
 		}
 	}
 
 	@Override
-	protected void prepare(WorkingCopy wc) {
+	protected void prepare(UserDirectoryWorkingCopy wc) {
 		try {
 			getLdapContext().reconnect(getLdapContext().getConnectControls());
 			// delete
 			for (LdapName dn : wc.getDeletedUsers().keySet()) {
 				if (!entryExists(dn))
-					throw new UserDirectoryException("User to delete no found "
-							+ dn);
+					throw new UserDirectoryException("User to delete no found " + dn);
 			}
 			// add
 			for (LdapName dn : wc.getNewUsers().keySet()) {
-				if (!entryExists(dn))
-					throw new UserDirectoryException("User to create found "
-							+ dn);
+				if (entryExists(dn))
+					throw new UserDirectoryException("User to create found " + dn);
 			}
 			// modify
 			for (LdapName dn : wc.getModifiedUsers().keySet()) {
-				if (!entryExists(dn))
-					throw new UserDirectoryException("User to modify no found "
-							+ dn);
+				if (!wc.getNewUsers().containsKey(dn) && !entryExists(dn))
+					throw new UserDirectoryException("User to modify not found " + dn);
 			}
 		} catch (NamingException e) {
 			throw new UserDirectoryException("Cannot prepare LDAP", e);
@@ -238,11 +191,15 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 	}
 
 	private boolean entryExists(LdapName dn) throws NamingException {
-		return getLdapContext().getAttributes(dn).size() != 0;
+		try {
+			return getLdapContext().getAttributes(dn).size() != 0;
+		} catch (NameNotFoundException e) {
+			return false;
+		}
 	}
 
 	@Override
-	protected void commit(WorkingCopy wc) {
+	protected void commit(UserDirectoryWorkingCopy wc) {
 		try {
 			// delete
 			for (LdapName dn : wc.getDeletedUsers().keySet()) {
@@ -256,8 +213,7 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 			// modify
 			for (LdapName dn : wc.getModifiedUsers().keySet()) {
 				Attributes modifiedAttrs = wc.getModifiedUsers().get(dn);
-				getLdapContext().modifyAttributes(dn,
-						DirContext.REPLACE_ATTRIBUTE, modifiedAttrs);
+				getLdapContext().modifyAttributes(dn, DirContext.REPLACE_ATTRIBUTE, modifiedAttrs);
 			}
 		} catch (NamingException e) {
 			throw new UserDirectoryException("Cannot commit LDAP", e);
@@ -265,7 +221,7 @@ public class LdapUserAdmin extends AbstractUserDirectory {
 	}
 
 	@Override
-	protected void rollback(WorkingCopy wc) {
+	protected void rollback(UserDirectoryWorkingCopy wc) {
 		// prepare not impacting
 	}