X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fldap%2FArgeoSecurityDaoLdap.java;h=bf4beb0e8bfa00299bfdbf83528245ca564018bf;hb=136dab5338b5f731b285d17c804861bd5e5a9b5c;hp=83e090661533ea71e00f01d36606663ce488cf17;hpb=ff1367187d728854f39a55e360f8908d4ab04159;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java index 83e090661..bf4beb0e8 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java @@ -1,9 +1,30 @@ +/* + * Copyright (C) 2010 Mathieu Baudier + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.argeo.security.ldap; -import static org.argeo.security.core.ArgeoUserDetails.createBasicArgeoUser; +import static org.argeo.security.core.ArgeoUserDetails.createSimpleArgeoUser; -import java.util.ArrayList; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; +import java.util.Collections; import java.util.List; +import java.util.Random; +import java.util.Set; +import java.util.TreeSet; import javax.naming.Name; import javax.naming.NamingException; @@ -11,22 +32,29 @@ import javax.naming.directory.DirContext; import org.argeo.security.ArgeoSecurityDao; import org.argeo.security.ArgeoUser; +import org.argeo.security.SimpleArgeoUser; import org.argeo.security.core.ArgeoUserDetails; import org.springframework.beans.factory.InitializingBean; import org.springframework.ldap.core.ContextExecutor; import org.springframework.ldap.core.ContextMapper; -import org.springframework.ldap.core.ContextSource; import org.springframework.ldap.core.DirContextAdapter; import org.springframework.ldap.core.DistinguishedName; import org.springframework.ldap.core.LdapTemplate; +import org.springframework.ldap.core.support.BaseLdapPathContextSource; +import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.ldap.DefaultLdapUsernameToDnMapper; import org.springframework.security.ldap.LdapAuthoritiesPopulator; import org.springframework.security.ldap.LdapUsernameToDnMapper; import org.springframework.security.ldap.LdapUtils; import org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator; +import org.springframework.security.ldap.search.FilterBasedLdapUserSearch; +import org.springframework.security.providers.UsernamePasswordAuthenticationToken; +import org.springframework.security.providers.ldap.authenticator.LdapShaPasswordEncoder; import org.springframework.security.userdetails.UserDetails; import org.springframework.security.userdetails.UserDetailsManager; +import org.springframework.security.userdetails.UserDetailsService; import org.springframework.security.userdetails.ldap.LdapUserDetailsManager; +import org.springframework.security.userdetails.ldap.LdapUserDetailsService; import org.springframework.security.userdetails.ldap.UserDetailsContextMapper; public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean { @@ -34,21 +62,37 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean private UserDetailsManager userDetailsManager; private LdapAuthoritiesPopulator authoritiesPopulator; - private String userBase = "ou=users"; + private String userBase = "ou=People"; private String usernameAttributeName = "uid"; - private String groupBase = "ou=groups"; + private String groupBase = "ou=Roles"; + private String[] groupClasses = { "top", "groupOfNames" }; private String groupRoleAttributeName = "cn"; - private String groupMemberAttributeName = "uniquemember"; + private String groupMemberAttributeName = "member"; private String defaultRole = "ROLE_USER"; private String rolePrefix = "ROLE_"; + private final BaseLdapPathContextSource contextSource; private final LdapTemplate ldapTemplate; private LdapUsernameToDnMapper usernameMapper = null; private UserDetailsContextMapper userDetailsMapper; + private LdapUserDetailsService ldapUserDetailsService; private List userNatureMappers; + private LdapShaPasswordEncoder ldapShaPasswordEncoder = new LdapShaPasswordEncoder(); + private Random random; + + public ArgeoSecurityDaoLdap(BaseLdapPathContextSource contextSource) { + this.contextSource = contextSource; + ldapTemplate = new LdapTemplate(this.contextSource); + try { + random = SecureRandom.getInstance("SHA1PRNG"); + } catch (NoSuchAlgorithmException e) { + random = new Random(System.currentTimeMillis()); + } + } + public void afterPropertiesSet() throws Exception { if (usernameMapper == null) usernameMapper = new DefaultLdapUsernameToDnMapper(userBase, @@ -78,22 +122,41 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean userDetailsManager = ludm; } + if (ldapUserDetailsService == null) { + FilterBasedLdapUserSearch ldapUserSearch = new FilterBasedLdapUserSearch( + userBase, "(" + usernameAttributeName + "={0})", + contextSource); + ldapUserDetailsService = new LdapUserDetailsService(ldapUserSearch, + authoritiesPopulator); + ldapUserDetailsService.setUserDetailsMapper(userDetailsMapper); + } } - public ArgeoSecurityDaoLdap(ContextSource contextSource) { - ldapTemplate = new LdapTemplate(contextSource); + public synchronized void createUser(ArgeoUser user) { + userDetailsManager.createUser(new ArgeoUserDetails(user)); } - public void create(ArgeoUser user) { - userDetailsManager.createUser(new ArgeoUserDetails(user)); + public synchronized ArgeoUser getUser(String uname) { + SimpleArgeoUser user = createSimpleArgeoUser(getDetails(uname)); + user.setPassword(null); + return user; } - public ArgeoUser getUser(String uname) { - return createBasicArgeoUser(getDetails(uname)); + public synchronized ArgeoUser getUserWithPassword(String uname) { + return createSimpleArgeoUser(getDetails(uname)); } + // public ArgeoUser getCurrentUser() { + // ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser(); + // if (argeoUser == null) + // return null; + // if (argeoUser.getRoles().contains(defaultRole)) + // argeoUser.getRoles().remove(defaultRole); + // return argeoUser; + // } + @SuppressWarnings("unchecked") - public List listUsers() { + public synchronized Set listUsers() { List usernames = (List) ldapTemplate.listBindings( new DistinguishedName(userBase), new ContextMapper() { public Object mapFromContext(Object ctxArg) { @@ -102,39 +165,63 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean } }); - List lst = new ArrayList(); + TreeSet lst = new TreeSet(); for (String username : usernames) { - lst.add(createBasicArgeoUser(getDetails(username))); + lst.add(createSimpleArgeoUser(getDetails(username))); } - return lst; + return Collections.unmodifiableSortedSet(lst); } @SuppressWarnings("unchecked") - public List listEditableRoles() { - return (List) ldapTemplate.listBindings(groupBase, - new ContextMapper() { + public Set listEditableRoles() { + return Collections.unmodifiableSortedSet(new TreeSet( + ldapTemplate.listBindings(groupBase, new ContextMapper() { public Object mapFromContext(Object ctxArg) { String groupName = ((DirContextAdapter) ctxArg) .getStringAttribute(groupRoleAttributeName); String roleName = convertGroupToRole(groupName); return roleName; } + }))); + } + + @SuppressWarnings("unchecked") + public Set listUsersInRole(String role) { + return (Set) ldapTemplate.lookup( + buildGroupDn(convertRoleToGroup(role)), new ContextMapper() { + public Object mapFromContext(Object ctxArg) { + DirContextAdapter ctx = (DirContextAdapter) ctxArg; + String[] userDns = ctx + .getStringAttributes(groupMemberAttributeName); + TreeSet set = new TreeSet(); + for (String userDn : userDns) { + DistinguishedName dn = new DistinguishedName(userDn); + String username = dn + .getValue(usernameAttributeName); + set.add(createSimpleArgeoUser(getDetails(username))); + } + return Collections.unmodifiableSortedSet(set); + } }); } - public void update(ArgeoUser user) { + public synchronized void updateUser(ArgeoUser user) { + ArgeoUserDetails argeoUserDetails = new ArgeoUserDetails(user); userDetailsManager.updateUser(new ArgeoUserDetails(user)); + // refresh logged in user + if (ArgeoUserDetails.securityContextUser().getUsername() + .equals(argeoUserDetails.getUsername())) { + SecurityContextHolder.getContext().setAuthentication( + new UsernamePasswordAuthenticationToken(argeoUserDetails, + null, argeoUserDetails.getAuthorities())); + } } - public void delete(String username) { + public synchronized void deleteUser(String username) { userDetailsManager.deleteUser(username); } - public void updatePassword(String oldPassword, String newPassword) { - userDetailsManager.changePassword(oldPassword, newPassword); - } - - public Boolean userExists(String username) { + public synchronized Boolean userExists(String username) { return userDetailsManager.userExists(username); } @@ -144,19 +231,19 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean .executeReadWrite(new ContextExecutor() { public Object executeWithContext(DirContext ctx) throws NamingException { - return LdapUtils.getFullDn(usernameMapper - .buildDn(superuserName), ctx); + return LdapUtils.getFullDn( + usernameMapper.buildDn(superuserName), ctx); } }); Name groupDn = buildGroupDn(group); DirContextAdapter context = new DirContextAdapter(); - context.setAttributeValues("objectClass", new String[] { "top", - "groupOfUniqueNames" }); + context.setAttributeValues("objectClass", groupClasses); context.setAttributeValue("cn", group); // Add superuser because cannot create empty group - context.setAttributeValue("uniqueMember", superuserDn.toString()); + context.setAttributeValue(groupMemberAttributeName, + superuserDn.toString()); ldapTemplate.bind(groupDn, context, null); } @@ -167,6 +254,18 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean ldapTemplate.unbind(dn); } + public Boolean isPasswordValid(String encoded, String raw) { + return ldapShaPasswordEncoder.isPasswordValid(encoded, raw, null); + } + + public String encodePassword(String raw) { + byte[] salt = null; + // TODO: check that Linux auth supports SSHA + // byte[] salt = new byte[16]; + // random.nextBytes(salt); + return ldapShaPasswordEncoder.encodePassword(raw, salt); + } + protected String convertRoleToGroup(String role) { String group = role; if (group.startsWith(rolePrefix)) { @@ -247,4 +346,17 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean public void setUserNatureMappers(List userNatureMappers) { this.userNatureMappers = userNatureMappers; } + + public String getDefaultRole() { + return defaultRole; + } + + public void setGroupClasses(String[] groupClasses) { + this.groupClasses = groupClasses; + } + + public UserDetailsService getUserDetailsService() { + return ldapUserDetailsService; + } + }