if (tmpBuilder.length() > 1) {
builder.append("(&(").append(LdapAttrs.objectClass.name()).append("=")
.append(LdapObjs.groupOfNames.name()).append(")");
+ // hide tokens
+ builder.append("(!(").append(LdapAttrs.DN).append("=*").append(NodeConstants.TOKENS_BASEDN)
+ .append("))");
+
if (!showSystemRoles)
builder.append("(!(").append(LdapAttrs.DN).append("=*").append(NodeConstants.ROLES_BASEDN)
.append("))");
if (!showSystemRoles)
builder.append("(&(").append(LdapAttrs.objectClass.name()).append("=")
.append(LdapObjs.groupOfNames.name()).append(")(!(").append(LdapAttrs.DN).append("=*")
- .append(NodeConstants.ROLES_BASEDN).append(")))");
+ .append(NodeConstants.ROLES_BASEDN).append("))(!(").append(LdapAttrs.DN).append("=*")
+ .append(NodeConstants.TOKENS_BASEDN).append(")))");
else
- builder.append("(").append(LdapAttrs.objectClass.name()).append("=")
- .append(LdapObjs.groupOfNames.name()).append(")");
+ builder.append("(&(").append(LdapAttrs.objectClass.name()).append("=")
+ .append(LdapObjs.groupOfNames.name()).append(")(!(").append(LdapAttrs.DN).append("=*")
+ .append(NodeConstants.TOKENS_BASEDN).append(")))");
}
roles = userAdminWrapper.getUserAdmin().getRoles(builder.toString());
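Review bot: The `(!(dn=*BASE))` exclusion fragment is now spelled out four times in this hunk (the added tokens exclusion, the existing roles exclusion, and both branches of the second `if (!showSystemRoles)`), which makes it easy for the branches to drift — the `else` branch, for instance, now hides tokens but not roles, and it is not obvious from reading whether that asymmetry is intended. Folding the fragment into a small private helper such as `private static void excludeSubtree(StringBuilder builder, String baseDn) { builder.append("(!(").append(LdapAttrs.DN).append("=*").append(baseDn).append("))"); }` and calling it once per base DN would make each filter's intent visible at a glance. The `// hide tokens` comment would also be clearer as a why, e.g. `// token groups are never listed as roles, whatever showSystemRoles is`. The enclosing method starts and ends outside this hunk, and some lines between the two `if (!showSystemRoles)` statements may be missing from this view.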
package org.argeo.cms.auth;
import static org.argeo.naming.LdapAttrs.cn;
-import static org.argeo.naming.LdapAttrs.description;
import java.io.IOException;
import java.security.PrivilegedAction;
-import java.time.Instant;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import org.argeo.cms.CmsException;
import org.argeo.cms.internal.kernel.Activator;
import org.argeo.naming.LdapAttrs;
-import org.argeo.naming.NamingUtils;
import org.argeo.node.NodeConstants;
import org.argeo.node.security.CryptoKeyring;
import org.argeo.osgi.useradmin.AuthenticatingUser;
import org.argeo.osgi.useradmin.IpaUtils;
import org.argeo.osgi.useradmin.OsUserUtils;
+import org.argeo.osgi.useradmin.TokenUtils;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
}
protected Authorization getAuthorizationFromToken(UserAdmin userAdmin, Group tokenGroup) {
- String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
- if (expiryDateStr != null) {
- Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
- if (expiryDate.isBefore(Instant.now())) {
- if (log.isDebugEnabled())
- log.debug("Token " + tokenGroup.getName() + " has expired.");
- return null;
- }
- }
+ if (TokenUtils.isExpired(tokenGroup))
+ return null;
+// String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+// if (expiryDateStr != null) {
+// Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+// if (expiryDate.isBefore(Instant.now())) {
+// if (log.isDebugEnabled())
+// log.debug("Token " + tokenGroup.getName() + " has expired.");
+// return null;
+// }
+// }
Authorization auth = userAdmin.getAuthorization(tokenGroup);
return auth;
}
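Review bot: Replacing the inline expiry check with `TokenUtils.isExpired(tokenGroup)` drops the debug log that previously recorded which token was rejected as expired, so an authentication attempt with a stale token now fails silently; keeping the log in the new path, `if (TokenUtils.isExpired(tokenGroup)) { if (log.isDebugEnabled()) log.debug("Token " + tokenGroup.getName() + " has expired."); return null; }`, preserves that trace for troubleshooting. The commented-out copy of the old implementation on the following lines should be deleted rather than kept, since the history already holds it and the static imports it relied on were removed in this same commit.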
return user;
}
- @SuppressWarnings("unchecked")
@Override
public Role[] getRoles(String filter) throws InvalidSyntaxException {
UserDirectoryWorkingCopy wc = getWorkingCopy();
import java.util.Collections;
import java.util.List;
-import javax.security.auth.x500.X500Principal;
-
import org.osgi.service.useradmin.Authorization;
class AggregatingAuthorization implements Authorization {
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
-import org.argeo.naming.LdapAttrs;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
String usernameToUse;
String displayNameToUse;
if (user instanceof Group) {
- String ownerDn = (String) user.getProperties().get(LdapAttrs.owner.name());
+ String ownerDn = TokenUtils.userDn((Group) user);
if (ownerDn != null) {// tokens
UserAdmin ownerUserAdmin = findUserAdmin(ownerDn);
User ownerUser = (User) ownerUserAdmin.getRole(ownerDn);
return User.USER;
}
- @SuppressWarnings("rawtypes")
+ @SuppressWarnings({ "rawtypes", "unchecked" })
@Override
public Dictionary getProperties() {
throw new UnsupportedOperationException();
}
- @SuppressWarnings("rawtypes")
+ @SuppressWarnings({ "rawtypes", "unchecked" })
@Override
public Dictionary getCredentials() {
return credentials;
}
}
- @SuppressWarnings("unchecked")
@Override
protected AbstractUserDirectory scope(User user) {
Dictionary<String, Object> credentials = user.getCredentials();
super(uri, properties);
}
- @SuppressWarnings("unchecked")
@Override
protected AbstractUserDirectory scope(User user) {
Dictionary<String, Object> credentials = user.getCredentials();
return users.containsKey(dn) || groups.containsKey(dn);
}
- @SuppressWarnings("unchecked")
protected List<DirectoryUser> doGetRoles(Filter f) {
ArrayList<DirectoryUser> res = new ArrayList<DirectoryUser>();
if (f == null) {
--- /dev/null
+package org.argeo.osgi.useradmin;
+
+import static org.argeo.naming.LdapAttrs.description;
+import static org.argeo.naming.LdapAttrs.owner;
+
+import java.security.Principal;
+import java.time.Instant;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.security.auth.Subject;
+
+import org.argeo.naming.NamingUtils;
+import org.osgi.service.useradmin.Group;
+
+/**
+ * Canonically implements the Argeo token conventions.
+ */
+public class TokenUtils {
+ public static Set<String> tokensUsed(Subject subject, String tokensBaseDn) {
+ Set<String> res = new HashSet<>();
+ for (Principal principal : subject.getPrincipals()) {
+ String name = principal.getName();
+ if (name.endsWith(tokensBaseDn)) {
+ try {
+ LdapName ldapName = new LdapName(name);
+ String token = ldapName.getRdn(ldapName.size()).getValue().toString();
+ res.add(token);
+ } catch (InvalidNameException e) {
+ throw new UserDirectoryException("Invalid principal " + principal, e);
+ }
+ }
+ }
+ return res;
+ }
+
+ /** The user related to this token group */
+ public static String userDn(Group tokenGroup) {
+ return (String) tokenGroup.getProperties().get(owner.name());
+ }
+
+ public static boolean isExpired(Group tokenGroup) {
+ return isExpired(tokenGroup, Instant.now());
+
+ }
+
+ public static boolean isExpired(Group tokenGroup, Instant instant) {
+ String expiryDateStr = (String) tokenGroup.getProperties().get(description.name());
+ if (expiryDateStr != null) {
+ Instant expiryDate = NamingUtils.ldapDateToInstant(expiryDateStr);
+ if (expiryDate.isBefore(instant)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+// private final String token;
+//
+// public TokenUtils(String token) {
+// this.token = token;
+// }
+//
+// public String getToken() {
+// return token;
+// }
+//
+// @Override
+// public int hashCode() {
+// return token.hashCode();
+// }
+//
+// @Override
+// public boolean equals(Object obj) {
+// if ((obj instanceof TokenUtils) && ((TokenUtils) obj).token.equals(token))
+// return true;
+// return false;
+// }
+//
+// @Override
+// public String toString() {
+// return "Token #" + hashCode();
+// }
+
+}
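Review bot: `ldapName.getRdn(ldapName.size())` in tokensUsed is off by one — `LdapName.getRdn` takes a zero-based index strictly below `size()`, so the last RDN is `ldapName.getRdn(ldapName.size() - 1)`; as written, every principal whose name matches the tokens base DN throws an IndexOutOfBoundsException, which the surrounding `catch (InvalidNameException e)` does not cover. The `name.endsWith(tokensBaseDn)` test is a lexical suffix match and so is sensitive to case and spacing differences between the principal name and the configured base; comparing parsed names, `ldapName.startsWith(new LdapName(tokensBaseDn))`, would be the structural check, assuming tokensBaseDn is always a valid DN. isExpired(Group, Instant) treats a group with no `description` attribute as never expiring, which deserves a Javadoc such as `/** Whether the token has expired at the given instant; a token without a description (expiry date) never expires. */`, and tokensUsed lacks any Javadoc at all. The commented-out former token class body (the `token` field through `toString`) should be removed from the new file.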