X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;ds=sidebyside;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Futil%2Fdirectory%2Fldap%2FAbstractLdapDirectory.java;h=54d9776b5fd15106bf6de8b560ef81f863f1d470;hb=285c23f26c4d634cd139d393ebcb708187d5e960;hp=d8e8e7d2127a27de54c2aa0906021c6bc6a585ee;hpb=dc27b57704278684e72efcaf72b01c5b91df39f8;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java b/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java index d8e8e7d21..54d9776b5 100644 --- a/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java +++ b/org.argeo.util/src/org/argeo/util/directory/ldap/AbstractLdapDirectory.java @@ -19,6 +19,7 @@ import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; +import javax.naming.directory.BasicAttributes; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; import javax.transaction.xa.XAResource; @@ -33,12 +34,13 @@ import org.argeo.util.transaction.WorkControl; import org.argeo.util.transaction.WorkingCopyXaResource; import org.argeo.util.transaction.XAResourceProvider; +/** A {@link Directory} based either on LDAP or LDIF. */ public abstract class AbstractLdapDirectory implements Directory, XAResourceProvider { protected static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name"; protected static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password"; - protected final LdapName baseDn; - protected final Hashtable properties; + private final LdapName baseDn; + private final Hashtable configProperties; private final Rdn userBaseRdn, groupBaseRdn, systemRoleBaseRdn; private final String userObjectClass, groupObjectClass; private String memberAttributeId = "member"; @@ -60,33 +62,37 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv private LdapDirectoryDao directoryDao; public AbstractLdapDirectory(URI uriArg, Dictionary props, boolean scoped) { - this.properties = new Hashtable(); + this.configProperties = new Hashtable(); for (Enumeration keys = props.keys(); keys.hasMoreElements();) { String key = keys.nextElement(); - properties.put(key, props.get(key)); + configProperties.put(key, props.get(key)); } - baseDn = toLdapName(DirectoryConf.baseDn.getValue(properties)); + + String baseDnStr = DirectoryConf.baseDn.getValue(configProperties); + if (baseDnStr == null) + throw new IllegalArgumentException("Base DN must be specified: " + configProperties); + baseDn = toLdapName(baseDnStr); this.scoped = scoped; if (uriArg != null) { uri = uriArg.toString(); // uri from properties is ignored } else { - String uriStr = DirectoryConf.uri.getValue(properties); + String uriStr = DirectoryConf.uri.getValue(configProperties); if (uriStr == null) uri = null; else uri = uriStr; } - forcedPassword = DirectoryConf.forcedPassword.getValue(properties); + forcedPassword = DirectoryConf.forcedPassword.getValue(configProperties); - userObjectClass = DirectoryConf.userObjectClass.getValue(properties); - groupObjectClass = DirectoryConf.groupObjectClass.getValue(properties); + userObjectClass = DirectoryConf.userObjectClass.getValue(configProperties); + groupObjectClass = DirectoryConf.groupObjectClass.getValue(configProperties); - String userBase = DirectoryConf.userBase.getValue(properties); - String groupBase = DirectoryConf.groupBase.getValue(properties); - String systemRoleBase = DirectoryConf.systemRoleBase.getValue(properties); + String userBase = DirectoryConf.userBase.getValue(configProperties); + String groupBase = DirectoryConf.groupBase.getValue(configProperties); + String systemRoleBase = DirectoryConf.systemRoleBase.getValue(configProperties); try { // baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties)); userBaseRdn = new Rdn(userBase); @@ -95,58 +101,53 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv // groupBaseDn = new LdapName(groupBase + "," + baseDn); systemRoleBaseRdn = new Rdn(systemRoleBase); } catch (InvalidNameException e) { - throw new IllegalArgumentException("Badly formated base DN " + DirectoryConf.baseDn.getValue(properties), - e); + throw new IllegalArgumentException( + "Badly formated base DN " + DirectoryConf.baseDn.getValue(configProperties), e); } // read only - String readOnlyStr = DirectoryConf.readOnly.getValue(properties); + String readOnlyStr = DirectoryConf.readOnly.getValue(configProperties); if (readOnlyStr == null) { readOnly = readOnlyDefault(uri); - properties.put(DirectoryConf.readOnly.name(), Boolean.toString(readOnly)); + configProperties.put(DirectoryConf.readOnly.name(), Boolean.toString(readOnly)); } else readOnly = Boolean.parseBoolean(readOnlyStr); // disabled - String disabledStr = DirectoryConf.disabled.getValue(properties); + String disabledStr = DirectoryConf.disabled.getValue(configProperties); if (disabledStr != null) disabled = Boolean.parseBoolean(disabledStr); else disabled = false; - - URI u = URI.create(uri); - if (!getRealm().isEmpty() || DirectoryConf.SCHEME_LDAP.equals(u.getScheme()) - || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) { + if (!getRealm().isEmpty()) { + // IPA multiple LDAP causes URI parsing to fail + // TODO manage generic redundant LDAP case directoryDao = new LdapDao(this); - } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) { - directoryDao = new LdifDao(this); - } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) { - directoryDao = new OsUserDirectory(this); - // singleUser = true; } else { - throw new IllegalArgumentException("Unsupported scheme " + u.getScheme()); + if (uri != null) { + URI u = URI.create(uri); + if (DirectoryConf.SCHEME_LDAP.equals(u.getScheme()) + || DirectoryConf.SCHEME_LDAPS.equals(u.getScheme())) { + directoryDao = new LdapDao(this); + } else if (DirectoryConf.SCHEME_FILE.equals(u.getScheme())) { + directoryDao = new LdifDao(this); + } else if (DirectoryConf.SCHEME_OS.equals(u.getScheme())) { + directoryDao = new OsUserDirectory(this); + // singleUser = true; + } else { + throw new IllegalArgumentException("Unsupported scheme " + u.getScheme()); + } + } else { + // in memory + directoryDao = new LdifDao(this); + } } - xaResource = new WorkingCopyXaResource<>(directoryDao); + if (directoryDao != null) + xaResource = new WorkingCopyXaResource<>(directoryDao); } /* - * ABSTRACT METHODS - */ - -// public abstract HierarchyUnit doGetHierarchyUnit(LdapName dn); -// -// public abstract Iterable doGetDirectHierarchyUnits(LdapName searchBase, boolean functionalOnly); -// -// protected abstract Boolean daoHasEntry(LdapName dn); -// -// protected abstract LdapEntry daoGetEntry(LdapName key) throws NameNotFoundException; -// -// protected abstract List doGetEntries(LdapName searchBase, Filter f, boolean deep); -// -// /** Returns the groups this user is a direct member of. */ -// protected abstract List getDirectGroups(LdapName dn); - /* - * INITIALIZATION + * INITIALISATION */ public void init() { @@ -160,9 +161,9 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv /* * CREATION */ - protected abstract LdapEntry newUser(LdapName name, Attributes attrs); + protected abstract LdapEntry newUser(LdapName name); - protected abstract LdapEntry newGroup(LdapName name, Attributes attrs); + protected abstract LdapEntry newGroup(LdapName name); /* * EDITION @@ -202,7 +203,7 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv checkEdit(); LdapEntryWorkingCopy wc = getWorkingCopy(); boolean actuallyDeleted; - if (getDirectoryDao().daoHasEntry(dn) || wc.getNewData().containsKey(dn)) { + if (getDirectoryDao().entryExists(dn) || wc.getNewData().containsKey(dn)) { LdapEntry user = doGetRole(dn); wc.getDeletedData().put(dn, user); actuallyDeleted = true; @@ -224,7 +225,7 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv LdapEntryWorkingCopy wc = getWorkingCopy(); LdapEntry user; try { - user = getDirectoryDao().daoGetEntry(dn); + user = getDirectoryDao().doGetEntry(dn); } catch (NameNotFoundException e) { user = null; } @@ -249,17 +250,30 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv Object value = values.next(); LdapName groupDn = new LdapName(value.toString()); LdapEntry group = doGetRole(groupDn); - if (group != null) + if (group != null) { + allRoles.add(group); + } else { + // user doesn't have the right to retrieve role, but we know it exists + // otherwise memberOf would not work +// Attributes a = new BasicAttributes(); +// a.put(LdapNameUtils.getLastRdn(groupDn).getType(), +// LdapNameUtils.getLastRdn(groupDn).getValue()); +// a.put(LdapAttrs.objectClass.name(), LdapObjs.groupOfNames.name()); + group = newGroup(groupDn); allRoles.add(group); + } } } catch (NamingException e) { throw new IllegalStateException("Cannot get memberOf groups for " + user, e); } } else { - for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) { - // TODO check for loops + directGroups: for (LdapName groupDn : getDirectoryDao().getDirectGroups(user.getDn())) { LdapEntry group = doGetRole(groupDn); if (group != null) { + if (allRoles.contains(group)) { + // important in order to avoi loops + continue directGroups; + } allRoles.add(group); collectGroups(group, allRoles); } @@ -281,12 +295,51 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv return directoryDao.doGetDirectHierarchyUnits(baseDn, functionalOnly); } + @Override + public String getHierarchyUnitName() { + return getName(); + } + + @Override + public HierarchyUnit getParent() { + return null; + } + + @Override + public boolean isFunctional() { + return true; + } + + @Override + public Directory getDirectory() { + return this; + } + + @Override + public HierarchyUnit createHierarchyUnit(String path) { + checkEdit(); + LdapEntryWorkingCopy wc = getWorkingCopy(); + LdapName dn = pathToName(path); + if ((getDirectoryDao().entryExists(dn) && !wc.getDeletedData().containsKey(dn)) + || wc.getNewData().containsKey(dn)) + throw new IllegalArgumentException("Already a hierarchy unit " + path); + BasicAttributes attrs = new BasicAttributes(true); + attrs.put(LdapAttrs.objectClass.name(), LdapObjs.organizationalUnit.name()); + Rdn nameRdn = dn.getRdn(dn.size() - 1); + // TODO deal with multiple attr RDN + attrs.put(nameRdn.getType(), nameRdn.getValue()); + wc.getModifiedData().put(dn, attrs); + LdapHierarchyUnit newHierarchyUnit = new LdapHierarchyUnit(this, dn); + wc.getNewData().put(dn, newHierarchyUnit); + return newHierarchyUnit; + } + /* * PATHS */ @Override - public String getContext() { + public String getBase() { return getBaseDn().toString(); } @@ -314,9 +367,11 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv LdapName name = (LdapName) getBaseDn().clone(); String[] segments = path.split("/"); Rdn parentRdn = null; - for (String segment : segments) { + // segments[0] is the directory itself + for (int i = 0; i < segments.length; i++) { + String segment = segments[i]; // TODO make attr names configurable ? - String attr = LdapAttrs.ou.name(); + String attr = path.startsWith("accounts/")/* IPA */ ? LdapAttrs.cn.name() : LdapAttrs.ou.name(); if (parentRdn != null) { if (getUserBaseRdn().equals(parentRdn)) attr = LdapAttrs.uid.name(); @@ -339,6 +394,10 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv /* * UTILITIES */ + protected boolean isExternal(LdapName name) { + return !name.startsWith(baseDn); + } + protected static boolean hasObjectClass(Attributes attrs, LdapObjs objectClass) { return hasObjectClass(attrs, objectClass.name()); } @@ -386,12 +445,27 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv return true;// read only by default } + /* + * AS AN ENTRY + */ + public LdapEntry asLdapEntry() { + try { + return directoryDao.doGetEntry(baseDn); + } catch (NameNotFoundException e) { + throw new IllegalStateException("Cannot get " + baseDn + " entry", e); + } + } + + public Dictionary getProperties() { + return asLdapEntry().getProperties(); + } + /* * ACCESSORS */ @Override public Optional getRealm() { - Object realm = getProperties().get(DirectoryConf.realm.name()); + Object realm = configProperties.get(DirectoryConf.realm.name()); if (realm == null) return Optional.empty(); return Optional.of(realm.toString()); @@ -421,12 +495,12 @@ public abstract class AbstractLdapDirectory implements Directory, XAResourceProv return systemRoleBaseRdn; } - public Dictionary getProperties() { - return properties; - } +// public Dictionary getConfigProperties() { +// return configProperties; +// } - public Dictionary cloneProperties() { - return new Hashtable<>(properties); + public Dictionary cloneConfigProperties() { + return new Hashtable<>(configProperties); } public String getForcedPassword() {