org.argeo.util/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java

   1 package org.argeo.osgi.useradmin;
   2
   3 import static org.argeo.util.naming.LdapAttrs.objectClass;
   4 import static org.argeo.util.naming.LdapObjs.extensibleObject;
   5 import static org.argeo.util.naming.LdapObjs.inetOrgPerson;
   6 import static org.argeo.util.naming.LdapObjs.organizationalPerson;
   7 import static org.argeo.util.naming.LdapObjs.person;
   8 import static org.argeo.util.naming.LdapObjs.top;
   9
  10 import java.io.File;
  11 import java.net.URI;
  12 import java.net.URISyntaxException;
  13 import java.util.ArrayList;
  14 import java.util.Arrays;
  15 import java.util.Dictionary;
  16 import java.util.Enumeration;
  17 import java.util.Hashtable;
  18 import java.util.Iterator;
  19 import java.util.List;
  20 import java.util.Optional;
  21
  22 import javax.naming.InvalidNameException;
  23 import javax.naming.NameNotFoundException;
  24 import javax.naming.NamingEnumeration;
  25 import javax.naming.NamingException;
  26 import javax.naming.directory.Attribute;
  27 import javax.naming.directory.Attributes;
  28 import javax.naming.directory.BasicAttribute;
  29 import javax.naming.directory.BasicAttributes;
  30 import javax.naming.ldap.LdapName;
  31 import javax.naming.ldap.Rdn;
  32
  33 import org.argeo.osgi.transaction.WorkControl;
  34 import org.argeo.util.naming.LdapAttrs;
  35 import org.osgi.framework.Filter;
  36 import org.osgi.framework.FrameworkUtil;
  37 import org.osgi.framework.InvalidSyntaxException;
  38 import org.osgi.service.useradmin.Authorization;
  39 import org.osgi.service.useradmin.Role;
  40 import org.osgi.service.useradmin.User;
  41 import org.osgi.service.useradmin.UserAdmin;
  42
  43 /** Base class for a {@link UserDirectory}. */
  44 abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
  45         static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name";
  46         static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password";
  47
  48         private final Hashtable<String, Object> properties;
  49         private final LdapName baseDn, userBaseDn, groupBaseDn;
  50         private final String userObjectClass, userBase, groupObjectClass, groupBase;
  51
  52         private final boolean readOnly;
  53         private final boolean disabled;
  54         private final String uri;
  55
  56         private UserAdmin externalRoles;
  57         // private List<String> indexedUserProperties = Arrays
  58         // .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(),
  59         // LdapAttrs.cn.name() });
  60
  61         private final boolean scoped;
  62
  63         private String memberAttributeId = "member";
  64         private List<String> credentialAttributeIds = Arrays
  65                         .asList(new String[] { LdapAttrs.userPassword.name(), LdapAttrs.authPassword.name() });
  66
  67         // Transaction
  68 //      private TransactionManager transactionManager;
  69         private WorkControl transactionControl;
  70         private WcXaResource xaResource = new WcXaResource(this);
  71
  72         private String forcedPassword;
  73
  74         AbstractUserDirectory(URI uriArg, Dictionary<String, ?> props, boolean scoped) {
  75                 this.scoped = scoped;
  76                 properties = new Hashtable<String, Object>();
  77                 for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
  78                         String key = keys.nextElement();
  79                         properties.put(key, props.get(key));
  80                 }
  81
  82                 if (uriArg != null) {
  83                         uri = uriArg.toString();
  84                         // uri from properties is ignored
  85                 } else {
  86                         String uriStr = UserAdminConf.uri.getValue(properties);
  87                         if (uriStr == null)
  88                                 uri = null;
  89                         else
  90                                 uri = uriStr;
  91                 }
  92
  93                 forcedPassword = UserAdminConf.forcedPassword.getValue(properties);
  94
  95                 userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
  96                 userBase = UserAdminConf.userBase.getValue(properties);
  97                 groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties);
  98                 groupBase = UserAdminConf.groupBase.getValue(properties);
  99                 try {
 100                         baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties));
 101                         userBaseDn = new LdapName(userBase + "," + baseDn);
 102                         groupBaseDn = new LdapName(groupBase + "," + baseDn);
 103                 } catch (InvalidNameException e) {
 104                         throw new IllegalArgumentException("Badly formated base DN " + UserAdminConf.baseDn.getValue(properties),
 105                                         e);
 106                 }
 107                 String readOnlyStr = UserAdminConf.readOnly.getValue(properties);
 108                 if (readOnlyStr == null) {
 109                         readOnly = readOnlyDefault(uri);
 110                         properties.put(UserAdminConf.readOnly.name(), Boolean.toString(readOnly));
 111                 } else
 112                         readOnly = Boolean.parseBoolean(readOnlyStr);
 113                 String disabledStr = UserAdminConf.disabled.getValue(properties);
 114                 if (disabledStr != null)
 115                         disabled = Boolean.parseBoolean(disabledStr);
 116                 else
 117                         disabled = false;
 118         }
 119
 120         /** Returns the groups this user is a direct member of. */
 121         protected abstract List<LdapName> getDirectGroups(LdapName dn);
 122
 123         protected abstract Boolean daoHasRole(LdapName dn);
 124
 125         protected abstract DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException;
 126
 127         protected abstract List<DirectoryUser> doGetRoles(Filter f);
 128
 129         protected abstract AbstractUserDirectory scope(User user);
 130
 131         public void init() {
 132
 133         }
 134
 135         public void destroy() {
 136
 137         }
 138
 139         @Override
 140         public String getBasePath() {
 141                 return getBaseDn().toString();
 142         }
 143
 144         @Override
 145         public Optional<String> getRealm() {
 146                 Object realm = getProperties().get(UserAdminConf.realm.name());
 147                 if (realm == null)
 148                         return Optional.empty();
 149                 return Optional.of(realm.toString());
 150         }
 151
 152         protected boolean isEditing() {
 153                 return xaResource.wc() != null;
 154         }
 155
 156         protected UserDirectoryWorkingCopy getWorkingCopy() {
 157                 UserDirectoryWorkingCopy wc = xaResource.wc();
 158                 if (wc == null)
 159                         return null;
 160                 return wc;
 161         }
 162
 163         protected void checkEdit() {
 164                 if (xaResource.wc() == null) {
 165                         try {
 166                                 transactionControl.getWorkContext().registerXAResource(xaResource, null);
 167                         } catch (Exception e) {
 168                                 throw new IllegalStateException("Cannot enlist " + xaResource, e);
 169                         }
 170                 } else {
 171                 }
 172         }
 173
 174         protected List<Role> getAllRoles(DirectoryUser user) {
 175                 List<Role> allRoles = new ArrayList<Role>();
 176                 if (user != null) {
 177                         collectRoles(user, allRoles);
 178                         allRoles.add(user);
 179                 } else
 180                         collectAnonymousRoles(allRoles);
 181                 return allRoles;
 182         }
 183
 184         private void collectRoles(DirectoryUser user, List<Role> allRoles) {
 185                 Attributes attrs = user.getAttributes();
 186                 // TODO centralize attribute name
 187                 Attribute memberOf = attrs.get(LdapAttrs.memberOf.name());
 188                 // if user belongs to this directory, we only check meberOf
 189                 if (memberOf != null && user.getDn().startsWith(getBaseDn())) {
 190                         try {
 191                                 NamingEnumeration<?> values = memberOf.getAll();
 192                                 while (values.hasMore()) {
 193                                         Object value = values.next();
 194                                         LdapName groupDn = new LdapName(value.toString());
 195                                         DirectoryUser group = doGetRole(groupDn);
 196                                         if (group != null)
 197                                                 allRoles.add(group);
 198                                 }
 199                         } catch (NamingException e) {
 200                                 throw new IllegalStateException("Cannot get memberOf groups for " + user, e);
 201                         }
 202                 } else {
 203                         for (LdapName groupDn : getDirectGroups(user.getDn())) {
 204                                 // TODO check for loops
 205                                 DirectoryUser group = doGetRole(groupDn);
 206                                 if (group != null) {
 207                                         allRoles.add(group);
 208                                         collectRoles(group, allRoles);
 209                                 }
 210                         }
 211                 }
 212         }
 213
 214         private void collectAnonymousRoles(List<Role> allRoles) {
 215                 // TODO gather anonymous roles
 216         }
 217
 218         // USER ADMIN
 219         @Override
 220         public Role getRole(String name) {
 221                 return doGetRole(toLdapName(name));
 222         }
 223
 224         protected DirectoryUser doGetRole(LdapName dn) {
 225                 UserDirectoryWorkingCopy wc = getWorkingCopy();
 226                 DirectoryUser user;
 227                 try {
 228                         user = daoGetRole(dn);
 229                 } catch (NameNotFoundException e) {
 230                         user = null;
 231                 }
 232                 if (wc != null) {
 233                         if (user == null && wc.getNewUsers().containsKey(dn))
 234                                 user = wc.getNewUsers().get(dn);
 235                         else if (wc.getDeletedUsers().containsKey(dn))
 236                                 user = null;
 237                 }
 238                 return user;
 239         }
 240
 241         @Override
 242         public Role[] getRoles(String filter) throws InvalidSyntaxException {
 243                 UserDirectoryWorkingCopy wc = getWorkingCopy();
 244                 Filter f = filter != null ? FrameworkUtil.createFilter(filter) : null;
 245                 List<DirectoryUser> res = doGetRoles(f);
 246                 if (wc != null) {
 247                         for (Iterator<DirectoryUser> it = res.iterator(); it.hasNext();) {
 248                                 DirectoryUser user = it.next();
 249                                 LdapName dn = user.getDn();
 250                                 if (wc.getDeletedUsers().containsKey(dn))
 251                                         it.remove();
 252                         }
 253                         for (DirectoryUser user : wc.getNewUsers().values()) {
 254                                 if (f == null || f.match(user.getProperties()))
 255                                         res.add(user);
 256                         }
 257                         // no need to check modified users,
 258                         // since doGetRoles was already based on the modified attributes
 259                 }
 260                 return res.toArray(new Role[res.size()]);
 261         }
 262
 263         @Override
 264         public User getUser(String key, String value) {
 265                 // TODO check value null or empty
 266                 List<DirectoryUser> collectedUsers = new ArrayList<DirectoryUser>();
 267                 if (key != null) {
 268                         doGetUser(key, value, collectedUsers);
 269                 } else {
 270                         throw new IllegalArgumentException("Key cannot be null");
 271                 }
 272
 273                 if (collectedUsers.size() == 1) {
 274                         return collectedUsers.get(0);
 275                 } else if (collectedUsers.size() > 1) {
 276                         // log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" :
 277                         // "") + value);
 278                 }
 279                 return null;
 280         }
 281
 282         protected void doGetUser(String key, String value, List<DirectoryUser> collectedUsers) {
 283                 try {
 284                         Filter f = FrameworkUtil.createFilter("(" + key + "=" + value + ")");
 285                         List<DirectoryUser> users = doGetRoles(f);
 286                         collectedUsers.addAll(users);
 287                 } catch (InvalidSyntaxException e) {
 288                         throw new IllegalArgumentException("Cannot get user with " + key + "=" + value, e);
 289                 }
 290         }
 291
 292         @Override
 293         public Authorization getAuthorization(User user) {
 294                 if (user == null || user instanceof DirectoryUser) {
 295                         return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
 296                 } else {
 297                         // bind
 298                         AbstractUserDirectory scopedUserAdmin = scope(user);
 299                         try {
 300                                 DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
 301                                 if (directoryUser == null)
 302                                         throw new IllegalStateException("No scoped user found for " + user);
 303                                 LdifAuthorization authorization = new LdifAuthorization(directoryUser,
 304                                                 scopedUserAdmin.getAllRoles(directoryUser));
 305                                 return authorization;
 306                         } finally {
 307                                 scopedUserAdmin.destroy();
 308                         }
 309                 }
 310         }
 311
 312         @Override
 313         public Role createRole(String name, int type) {
 314                 checkEdit();
 315                 UserDirectoryWorkingCopy wc = getWorkingCopy();
 316                 LdapName dn = toLdapName(name);
 317                 if ((daoHasRole(dn) && !wc.getDeletedUsers().containsKey(dn)) || wc.getNewUsers().containsKey(dn))
 318                         throw new IllegalArgumentException("Already a role " + name);
 319                 BasicAttributes attrs = new BasicAttributes(true);
 320                 // attrs.put(LdifName.dn.name(), dn.toString());
 321                 Rdn nameRdn = dn.getRdn(dn.size() - 1);
 322                 // TODO deal with multiple attr RDN
 323                 attrs.put(nameRdn.getType(), nameRdn.getValue());
 324                 if (wc.getDeletedUsers().containsKey(dn)) {
 325                         wc.getDeletedUsers().remove(dn);
 326                         wc.getModifiedUsers().put(dn, attrs);
 327                         return getRole(name);
 328                 } else {
 329                         wc.getModifiedUsers().put(dn, attrs);
 330                         DirectoryUser newRole = newRole(dn, type, attrs);
 331                         wc.getNewUsers().put(dn, newRole);
 332                         return newRole;
 333                 }
 334         }
 335
 336         protected DirectoryUser newRole(LdapName dn, int type, Attributes attrs) {
 337                 LdifUser newRole;
 338                 BasicAttribute objClass = new BasicAttribute(objectClass.name());
 339                 if (type == Role.USER) {
 340                         String userObjClass = newUserObjectClass(dn);
 341                         objClass.add(userObjClass);
 342                         if (inetOrgPerson.name().equals(userObjClass)) {
 343                                 objClass.add(organizationalPerson.name());
 344                                 objClass.add(person.name());
 345                         } else if (organizationalPerson.name().equals(userObjClass)) {
 346                                 objClass.add(person.name());
 347                         }
 348                         objClass.add(top.name());
 349                         objClass.add(extensibleObject.name());
 350                         attrs.put(objClass);
 351                         newRole = new LdifUser(this, dn, attrs);
 352                 } else if (type == Role.GROUP) {
 353                         String groupObjClass = getGroupObjectClass();
 354                         objClass.add(groupObjClass);
 355                         // objClass.add(LdifName.extensibleObject.name());
 356                         objClass.add(top.name());
 357                         attrs.put(objClass);
 358                         newRole = new LdifGroup(this, dn, attrs);
 359                 } else
 360                         throw new IllegalArgumentException("Unsupported type " + type);
 361                 return newRole;
 362         }
 363
 364         @Override
 365         public boolean removeRole(String name) {
 366                 checkEdit();
 367                 UserDirectoryWorkingCopy wc = getWorkingCopy();
 368                 LdapName dn = toLdapName(name);
 369                 boolean actuallyDeleted;
 370                 if (daoHasRole(dn) || wc.getNewUsers().containsKey(dn)) {
 371                         DirectoryUser user = (DirectoryUser) getRole(name);
 372                         wc.getDeletedUsers().put(dn, user);
 373                         actuallyDeleted = true;
 374                 } else {// just removing from groups (e.g. system roles)
 375                         actuallyDeleted = false;
 376                 }
 377                 for (LdapName groupDn : getDirectGroups(dn)) {
 378                         DirectoryUser group = doGetRole(groupDn);
 379                         group.getAttributes().get(getMemberAttributeId()).remove(dn.toString());
 380                 }
 381                 return actuallyDeleted;
 382         }
 383
 384         // TRANSACTION
 385         protected void prepare(UserDirectoryWorkingCopy wc) {
 386
 387         }
 388
 389         protected void commit(UserDirectoryWorkingCopy wc) {
 390
 391         }
 392
 393         protected void rollback(UserDirectoryWorkingCopy wc) {
 394
 395         }
 396
 397         // GETTERS
 398         protected String getMemberAttributeId() {
 399                 return memberAttributeId;
 400         }
 401
 402         protected List<String> getCredentialAttributeIds() {
 403                 return credentialAttributeIds;
 404         }
 405
 406         protected String getUri() {
 407                 return uri;
 408         }
 409
 410         private static boolean readOnlyDefault(String uriStr) {
 411                 if (uriStr == null)
 412                         return true;
 413                 /// TODO make it more generic
 414                 URI uri;
 415                 try {
 416                         uri = new URI(uriStr.split(" ")[0]);
 417                 } catch (URISyntaxException e) {
 418                         throw new IllegalArgumentException(e);
 419                 }
 420                 if (uri.getScheme() == null)
 421                         return false;// assume relative file to be writable
 422                 if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
 423                         File file = new File(uri);
 424                         if (file.exists())
 425                                 return !file.canWrite();
 426                         else
 427                                 return !file.getParentFile().canWrite();
 428                 } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) {
 429                         if (uri.getAuthority() != null)// assume writable if authenticated
 430                                 return false;
 431                 } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) {
 432                         return true;
 433                 }
 434                 return true;// read only by default
 435         }
 436
 437         public boolean isReadOnly() {
 438                 return readOnly;
 439         }
 440
 441         public boolean isDisabled() {
 442                 return disabled;
 443         }
 444
 445         protected UserAdmin getExternalRoles() {
 446                 return externalRoles;
 447         }
 448
 449         protected int roleType(LdapName dn) {
 450                 if (dn.startsWith(groupBaseDn))
 451                         return Role.GROUP;
 452                 else if (dn.startsWith(userBaseDn))
 453                         return Role.USER;
 454                 else
 455                         return Role.GROUP;
 456         }
 457
 458         /** dn can be null, in that case a default should be returned. */
 459         public String getUserObjectClass() {
 460                 return userObjectClass;
 461         }
 462
 463         public String getUserBase() {
 464                 return userBase;
 465         }
 466
 467         protected String newUserObjectClass(LdapName dn) {
 468                 return getUserObjectClass();
 469         }
 470
 471         public String getGroupObjectClass() {
 472                 return groupObjectClass;
 473         }
 474
 475         public String getGroupBase() {
 476                 return groupBase;
 477         }
 478
 479         public LdapName getBaseDn() {
 480                 return (LdapName) baseDn.clone();
 481         }
 482
 483         public Dictionary<String, Object> getProperties() {
 484                 return properties;
 485         }
 486
 487         public Dictionary<String, Object> cloneProperties() {
 488                 return new Hashtable<>(properties);
 489         }
 490
 491         public void setExternalRoles(UserAdmin externalRoles) {
 492                 this.externalRoles = externalRoles;
 493         }
 494
 495 //      public void setTransactionManager(TransactionManager transactionManager) {
 496 //              this.transactionManager = transactionManager;
 497 //      }
 498
 499         public String getForcedPassword() {
 500                 return forcedPassword;
 501         }
 502
 503         public void setTransactionControl(WorkControl transactionControl) {
 504                 this.transactionControl = transactionControl;
 505         }
 506
 507         public WcXaResource getXaResource() {
 508                 return xaResource;
 509         }
 510
 511         public boolean isScoped() {
 512                 return scoped;
 513         }
 514
 515         /*
 516          * STATIC UTILITIES
 517          */
 518         static LdapName toLdapName(String name) {
 519                 try {
 520                         return new LdapName(name);
 521                 } catch (InvalidNameException e) {
 522                         throw new IllegalArgumentException(name + " is not an LDAP name", e);
 523                 }
 524         }
 525 }