X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fldap%2FArgeoSecurityDaoLdap.java;h=bf4beb0e8bfa00299bfdbf83528245ca564018bf;hb=136dab5338b5f731b285d17c804861bd5e5a9b5c;hp=3d6d8ff9949dd9c22664abb6788ae508e5a55a73;hpb=5bfc0d2e2e34f86b454a1ec209617a9fc0f306b1;p=lgpl%2Fargeo-commons.git

diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
index 3d6d8ff99..bf4beb0e8 100644
--- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java
@@ -18,8 +18,13 @@ package org.argeo.security.ldap;
 
 import static org.argeo.security.core.ArgeoUserDetails.createSimpleArgeoUser;
 
-import java.util.ArrayList;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.Collections;
 import java.util.List;
+import java.util.Random;
+import java.util.Set;
+import java.util.TreeSet;
 
 import javax.naming.Name;
 import javax.naming.NamingException;
@@ -44,6 +49,7 @@ import org.springframework.security.ldap.LdapUtils;
 import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
+import org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder;
 import org.springframework.security.userdetails.UserDetails;
 import org.springframework.security.userdetails.UserDetailsManager;
 import org.springframework.security.userdetails.UserDetailsService;
@@ -74,6 +80,19 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 	private LdapUserDetailsService ldapUserDetailsService;
 	private List<UserNatureMapper> userNatureMappers;
 
+	private LdapShaPasswordEncoder ldapShaPasswordEncoder = new LdapShaPasswordEncoder();
+	private Random random;
+
+	public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) {
+		this.contextSource = contextSource;
+		ldapTemplate = new LdapTemplate(this.contextSource);
+		try {
+			random = SecureRandom.getInstance("SHA1PRNG");
+		} catch (NoSuchAlgorithmException e) {
+			random = new Random(System.currentTimeMillis());
+		}
+	}
+
 	public void afterPropertiesSet() throws Exception {
 		if (usernameMapper == null)
 			usernameMapper = new DefaultLdapUsernameToDnMapper(userBase,
@@ -113,12 +132,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 		}
 	}
 
-	public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) {
-		this.contextSource = contextSource;
-		ldapTemplate = new LdapTemplate(this.contextSource);
-	}
-
-	public synchronized void create(ArgeoUser user) {
+	public synchronized void createUser(ArgeoUser user) {
 		userDetailsManager.createUser(new ArgeoUserDetails(user));
 	}
 
@@ -132,17 +146,17 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 		return createSimpleArgeoUser(getDetails(uname));
 	}
 
-//	public ArgeoUser getCurrentUser() {
-//		ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser();
-//		if (argeoUser == null)
-//			return null;
-//		if (argeoUser.getRoles().contains(defaultRole))
-//			argeoUser.getRoles().remove(defaultRole);
-//		return argeoUser;
-//	}
+	// public ArgeoUser getCurrentUser() {
+	// ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser();
+	// if (argeoUser == null)
+	// return null;
+	// if (argeoUser.getRoles().contains(defaultRole))
+	// argeoUser.getRoles().remove(defaultRole);
+	// return argeoUser;
+	// }
 
 	@SuppressWarnings("unchecked")
-	public synchronized List<ArgeoUser> listUsers() {
+	public synchronized Set<ArgeoUser> listUsers() {
 		List<String> usernames = (List<String>) ldapTemplate.listBindings(
 				new DistinguishedName(userBase), new ContextMapper() {
 					public Object mapFromContext(Object ctxArg) {
@@ -151,27 +165,47 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 					}
 				});
 
-		List<ArgeoUser> lst = new ArrayList<ArgeoUser>();
+		TreeSet<ArgeoUser> lst = new TreeSet<ArgeoUser>();
 		for (String username : usernames) {
 			lst.add(createSimpleArgeoUser(getDetails(username)));
 		}
-		return lst;
+		return Collections.unmodifiableSortedSet(lst);
 	}
 
 	@SuppressWarnings("unchecked")
-	public List<String> listEditableRoles() {
-		return (List<String>) ldapTemplate.listBindings(groupBase,
-				new ContextMapper() {
+	public Set<String> listEditableRoles() {
+		return Collections.unmodifiableSortedSet(new TreeSet<String>(
+				ldapTemplate.listBindings(groupBase, new ContextMapper() {
 					public Object mapFromContext(Object ctxArg) {
 						String groupName = ((DirContextAdapter) ctxArg)
 								.getStringAttribute(groupRoleAttributeName);
 						String roleName = convertGroupToRole(groupName);
 						return roleName;
 					}
+				})));
+	}
+
+	@SuppressWarnings("unchecked")
+	public Set<ArgeoUser> listUsersInRole(String role) {
+		return (Set<ArgeoUser>) ldapTemplate.lookup(
+				buildGroupDn(convertRoleToGroup(role)), new ContextMapper() {
+					public Object mapFromContext(Object ctxArg) {
+						DirContextAdapter ctx = (DirContextAdapter) ctxArg;
+						String[] userDns = ctx
+								.getStringAttributes(groupMemberAttributeName);
+						TreeSet<ArgeoUser> set = new TreeSet<ArgeoUser>();
+						for (String userDn : userDns) {
+							DistinguishedName dn = new DistinguishedName(userDn);
+							String username = dn
+									.getValue(usernameAttributeName);
+							set.add(createSimpleArgeoUser(getDetails(username)));
+						}
+						return Collections.unmodifiableSortedSet(set);
+					}
 				});
 	}
 
-	public synchronized void update(ArgeoUser user) {
+	public synchronized void updateUser(ArgeoUser user) {
 		ArgeoUserDetails argeoUserDetails = new ArgeoUserDetails(user);
 		userDetailsManager.updateUser(new ArgeoUserDetails(user));
 		// refresh logged in user
@@ -183,7 +217,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 		}
 	}
 
-	public synchronized void delete(String username) {
+	public synchronized void deleteUser(String username) {
 		userDetailsManager.deleteUser(username);
 	}
 
@@ -220,6 +254,18 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean
 		ldapTemplate.unbind(dn);
 	}
 
+	public Boolean isPasswordValid(String encoded, String raw) {
+		return ldapShaPasswordEncoder.isPasswordValid(encoded, raw, null);
+	}
+
+	public String encodePassword(String raw) {
+		byte[] salt = null;
+		// TODO: check that Linux auth supports SSHA
+		// byte[] salt = new byte[16];
+		// random.nextBytes(salt);
+		return ldapShaPasswordEncoder.encodePassword(raw, salt);
+	}
+
 	protected String convertRoleToGroup(String role) {
 		String group = role;
 		if (group.startsWith(rolePrefix)) {