X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.enterprise%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FAbstractUserDirectory.java;h=f2d7c88fc232ca8d1090c065a5a2a5f9c1b5a975;hb=73a89e099608a51d9aef814a3f85a62947275f59;hp=e8dd6f2a6974af43f0b5dda922256c847c27f8b7;hpb=0243aa5633af84d8608ba912483dbaaaefac42f1;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java index e8dd6f2a6..f2d7c88fc 100644 --- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java +++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java @@ -1,6 +1,7 @@ package org.argeo.osgi.useradmin; import static org.argeo.naming.LdapAttrs.objectClass; +import static org.argeo.naming.LdapObjs.extensibleObject; import static org.argeo.naming.LdapObjs.inetOrgPerson; import static org.argeo.naming.LdapObjs.organizationalPerson; import static org.argeo.naming.LdapObjs.person; @@ -18,6 +19,9 @@ import java.util.Iterator; import java.util.List; import javax.naming.InvalidNameException; +import javax.naming.NameNotFoundException; +import javax.naming.NamingEnumeration; +import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; import javax.naming.directory.BasicAttribute; import javax.naming.directory.BasicAttributes; @@ -27,8 +31,6 @@ import javax.transaction.SystemException; import javax.transaction.Transaction; import javax.transaction.TransactionManager; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.argeo.naming.LdapAttrs; import org.osgi.framework.Filter; import org.osgi.framework.FrameworkUtil; @@ -40,45 +42,59 @@ import org.osgi.service.useradmin.UserAdmin; /** Base class for a {@link UserDirectory}. */ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { - private final static Log log = LogFactory.getLog(AbstractUserDirectory.class); + static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name"; + static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password"; private final Hashtable properties; - private final LdapName baseDn; + private final LdapName baseDn, userBaseDn, groupBaseDn; private final String userObjectClass, userBase, groupObjectClass, groupBase; private final boolean readOnly; - private final URI uri; + private final boolean disabled; + private final String uri; private UserAdmin externalRoles; - private List indexedUserProperties = Arrays - .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), LdapAttrs.cn.name() }); + // private List indexedUserProperties = Arrays + // .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), + // LdapAttrs.cn.name() }); + + private final boolean scoped; private String memberAttributeId = "member"; - private List credentialAttributeIds = Arrays.asList(new String[] { LdapAttrs.userPassword.name() }); + private List credentialAttributeIds = Arrays + .asList(new String[] { LdapAttrs.userPassword.name(), LdapAttrs.authPassword.name() }); // JTA private TransactionManager transactionManager; private WcXaResource xaResource = new WcXaResource(this); - public AbstractUserDirectory(Dictionary props) { + AbstractUserDirectory(URI uriArg, Dictionary props, boolean scoped) { + this.scoped = scoped; properties = new Hashtable(); for (Enumeration keys = props.keys(); keys.hasMoreElements();) { String key = keys.nextElement(); properties.put(key, props.get(key)); } - String uriStr = UserAdminConf.uri.getValue(properties); - if (uriStr == null) - uri = null; - else - try { - uri = new URI(uriStr); - } catch (URISyntaxException e) { - throw new UserDirectoryException("Badly formatted URI " + uriStr, e); - } + if (uriArg != null) { + uri = uriArg.toString(); + // uri from properties is ignored + } else { + String uriStr = UserAdminConf.uri.getValue(properties); + if (uriStr == null) + uri = null; + else + uri = uriStr; + } + userObjectClass = UserAdminConf.userObjectClass.getValue(properties); + userBase = UserAdminConf.userBase.getValue(properties); + groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties); + groupBase = UserAdminConf.groupBase.getValue(properties); try { baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties)); + userBaseDn = new LdapName(userBase + "," + baseDn); + groupBaseDn = new LdapName(groupBase + "," + baseDn); } catch (InvalidNameException e) { throw new UserDirectoryException("Badly formated base DN " + UserAdminConf.baseDn.getValue(properties), e); } @@ -87,12 +103,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory readOnly = readOnlyDefault(uri); properties.put(UserAdminConf.readOnly.name(), Boolean.toString(readOnly)); } else - readOnly = new Boolean(readOnlyStr); - - userObjectClass = UserAdminConf.userObjectClass.getValue(properties); - userBase = UserAdminConf.userBase.getValue(properties); - groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties); - groupBase = UserAdminConf.groupBase.getValue(properties); + readOnly = Boolean.parseBoolean(readOnlyStr); + String disabledStr = UserAdminConf.disabled.getValue(properties); + if (disabledStr != null) + disabled = Boolean.parseBoolean(disabledStr); + else + disabled = false; } /** Returns the groups this user is a direct member of. */ @@ -100,10 +116,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory protected abstract Boolean daoHasRole(LdapName dn); - protected abstract DirectoryUser daoGetRole(LdapName key); + protected abstract DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException; protected abstract List doGetRoles(Filter f); + protected abstract AbstractUserDirectory scope(User user); + public void init() { } @@ -153,11 +171,32 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory } private void collectRoles(DirectoryUser user, List allRoles) { - for (LdapName groupDn : getDirectGroups(user.getDn())) { - // TODO check for loops - DirectoryUser group = doGetRole(groupDn); - allRoles.add(group); - collectRoles(group, allRoles); + Attributes attrs = user.getAttributes(); + // TODO centralize attribute name + Attribute memberOf = attrs.get(LdapAttrs.memberOf.name()); + // if user belongs to this directory, we only check meberOf + if (memberOf != null && user.getDn().startsWith(getBaseDn())) { + try { + NamingEnumeration values = memberOf.getAll(); + while (values.hasMore()) { + Object value = values.next(); + LdapName groupDn = new LdapName(value.toString()); + DirectoryUser group = doGetRole(groupDn); + if (group != null) + allRoles.add(group); + } + } catch (Exception e) { + throw new UserDirectoryException("Cannot get memberOf groups for " + user, e); + } + } else { + for (LdapName groupDn : getDirectGroups(user.getDn())) { + // TODO check for loops + DirectoryUser group = doGetRole(groupDn); + if (group != null) { + allRoles.add(group); + collectRoles(group, allRoles); + } + } } } @@ -173,7 +212,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory protected DirectoryUser doGetRole(LdapName dn) { UserDirectoryWorkingCopy wc = getWorkingCopy(); - DirectoryUser user = daoGetRole(dn); + DirectoryUser user; + try { + user = daoGetRole(dn); + } catch (NameNotFoundException e) { + user = null; + } if (wc != null) { if (user == null && wc.getNewUsers().containsKey(dn)) user = wc.getNewUsers().get(dn); @@ -183,7 +227,6 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return user; } - @SuppressWarnings("unchecked") @Override public Role[] getRoles(String filter) throws InvalidSyntaxException { UserDirectoryWorkingCopy wc = getWorkingCopy(); @@ -209,27 +252,19 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory @Override public User getUser(String key, String value) { // TODO check value null or empty - List collectedUsers = new ArrayList(getIndexedUserProperties().size()); + List collectedUsers = new ArrayList(); if (key != null) { doGetUser(key, value, collectedUsers); } else { - // try dn - DirectoryUser user = null; - try { - user = (DirectoryUser) getRole(value); - if (user != null) - collectedUsers.add(user); - } catch (Exception e) { - // silent - } - // try all indexes - for (String attr : getIndexedUserProperties()) - doGetUser(attr, value, collectedUsers); + throw new UserDirectoryException("Key cannot be null"); } - if (collectedUsers.size() == 1) + + if (collectedUsers.size() == 1) { return collectedUsers.get(0); - else if (collectedUsers.size() > 1) - log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" : "") + value); + } else if (collectedUsers.size() > 1) { + // log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" : + // "") + value); + } return null; } @@ -245,7 +280,22 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory @Override public Authorization getAuthorization(User user) { - return new LdifAuthorization((DirectoryUser) user, getAllRoles((DirectoryUser) user)); + if (user == null || user instanceof DirectoryUser) { + return new LdifAuthorization(user, getAllRoles((DirectoryUser) user)); + } else { + // bind + AbstractUserDirectory scopedUserAdmin = scope(user); + try { + DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName()); + if (directoryUser == null) + throw new UserDirectoryException("No scoped user found for " + user); + LdifAuthorization authorization = new LdifAuthorization(directoryUser, + scopedUserAdmin.getAllRoles(directoryUser)); + return authorization; + } finally { + scopedUserAdmin.destroy(); + } + } } @Override @@ -263,12 +313,13 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory if (wc.getDeletedUsers().containsKey(dn)) { wc.getDeletedUsers().remove(dn); wc.getModifiedUsers().put(dn, attrs); + return getRole(name); } else { wc.getModifiedUsers().put(dn, attrs); DirectoryUser newRole = newRole(dn, type, attrs); wc.getNewUsers().put(dn, newRole); + return newRole; } - return getRole(name); } protected DirectoryUser newRole(LdapName dn, int type, Attributes attrs) { @@ -284,6 +335,7 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory objClass.add(person.name()); } objClass.add(top.name()); + objClass.add(extensibleObject.name()); attrs.put(objClass); newRole = new LdifUser(this, dn, attrs); } else if (type == Role.GROUP) { @@ -349,42 +401,56 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return credentialAttributeIds; } - protected URI getUri() { + protected String getUri() { return uri; } - protected List getIndexedUserProperties() { - return indexedUserProperties; - } - - protected void setIndexedUserProperties(List indexedUserProperties) { - this.indexedUserProperties = indexedUserProperties; - } - - private static boolean readOnlyDefault(URI uri) { - if (uri == null) + private static boolean readOnlyDefault(String uriStr) { + if (uriStr == null) return true; - if (uri.getScheme().equals("file")) { + /// TODO make it more generic + URI uri; + try { + uri = new URI(uriStr.split(" ")[0]); + } catch (URISyntaxException e) { + throw new IllegalArgumentException(e); + } + if (uri.getScheme() == null) + return false;// assume relative file to be writable + if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) { File file = new File(uri); if (file.exists()) return !file.canWrite(); else return !file.getParentFile().canWrite(); + } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) { + if (uri.getAuthority() != null)// assume writable if authenticated + return false; + } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) { + return true; } - return true; + return true;// read only by default } public boolean isReadOnly() { return readOnly; } + public boolean isDisabled() { + return disabled; + } + protected UserAdmin getExternalRoles() { return externalRoles; } - public LdapName getBaseDn() { - // always clone so that the property is not modified by reference - return (LdapName) baseDn.clone(); + protected int roleType(LdapName dn) { + if (dn.startsWith(groupBaseDn)) + return Role.GROUP; + else if (dn.startsWith(userBaseDn)) + return Role.USER; + else + return Role.GROUP; } /** dn can be null, in that case a default should be returned. */ @@ -408,10 +474,18 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return groupBase; } + public LdapName getBaseDn() { + return (LdapName) baseDn.clone(); + } + public Dictionary getProperties() { return properties; } + public Dictionary cloneProperties() { + return new Hashtable<>(properties); + } + public void setExternalRoles(UserAdmin externalRoles) { this.externalRoles = externalRoles; } @@ -424,4 +498,8 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return xaResource; } + public boolean isScoped() { + return scoped; + } + }