IPA authentication working.

[lgpl/argeo-commons.git] / org.argeo.enterprise / src / org / argeo / osgi / useradmin / AbstractUserDirectory.java
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java

index 66b6e91e27eac392fc4af28fb7791a3efb454a40..f2d7c88fc232ca8d1090c065a5a2a5f9c1b5a975 100644 (file)
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
@@ -31,10 +31,7 @@ import javax.transaction.SystemException;
  import javax.transaction.Transaction;
  import javax.transaction.TransactionManager;
  
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
  import org.argeo.naming.LdapAttrs;
-import org.argeo.naming.LdapObjs;
  import org.osgi.framework.Filter;
  import org.osgi.framework.FrameworkUtil;
  import org.osgi.framework.InvalidSyntaxException;
@@ -48,20 +45,21 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
         static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name";
         static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password";
  
-       private final static Log log = LogFactory.getLog(AbstractUserDirectory.class);
-
         private final Hashtable<String, Object> properties;
         private final LdapName baseDn, userBaseDn, groupBaseDn;
         private final String userObjectClass, userBase, groupObjectClass, groupBase;
  
         private final boolean readOnly;
-       private final URI uri;
+       private final boolean disabled;
+       private final String uri;
  
         private UserAdmin externalRoles;
         // private List<String> indexedUserProperties = Arrays
         // .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(),
         // LdapAttrs.cn.name() });
  
+       private final boolean scoped;
+
         private String memberAttributeId = "member";
         private List<String> credentialAttributeIds = Arrays
                         .asList(new String[] { LdapAttrs.userPassword.name(), LdapAttrs.authPassword.name() });
@@ -70,7 +68,8 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
         private TransactionManager transactionManager;
         private WcXaResource xaResource = new WcXaResource(this);
  
-       public AbstractUserDirectory(URI uriArg, Dictionary<String, ?> props) {
+       AbstractUserDirectory(URI uriArg, Dictionary<String, ?> props, boolean scoped) {
+               this.scoped = scoped;
                 properties = new Hashtable<String, Object>();
                 for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
                         String key = keys.nextElement();
@@ -78,18 +77,14 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                 }
  
                 if (uriArg != null) {
-                       uri = uriArg;
+                       uri = uriArg.toString();
                         // uri from properties is ignored
                 } else {
                         String uriStr = UserAdminConf.uri.getValue(properties);
                         if (uriStr == null)
                                 uri = null;
                         else
-                               try {
-                                       uri = new URI(uriStr);
-                               } catch (URISyntaxException e) {
-                                       throw new UserDirectoryException("Badly formatted URI " + uriStr, e);
-                               }
+                               uri = uriStr;
                 }
  
                 userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
@@ -108,7 +103,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                         readOnly = readOnlyDefault(uri);
                         properties.put(UserAdminConf.readOnly.name(), Boolean.toString(readOnly));
                 } else
-                       readOnly = new Boolean(readOnlyStr);
+                       readOnly = Boolean.parseBoolean(readOnlyStr);
+               String disabledStr = UserAdminConf.disabled.getValue(properties);
+               if (disabledStr != null)
+                       disabled = Boolean.parseBoolean(disabledStr);
+               else
+                       disabled = false;
         }
  
         /** Returns the groups this user is a direct member of. */
@@ -173,17 +173,17 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
         private void collectRoles(DirectoryUser user, List<Role> allRoles) {
                 Attributes attrs = user.getAttributes();
                 // TODO centralize attribute name
-               Attribute memberOf = attrs.get("memberOf");
-               if (memberOf != null) {
+               Attribute memberOf = attrs.get(LdapAttrs.memberOf.name());
+               // if user belongs to this directory, we only check meberOf
+               if (memberOf != null && user.getDn().startsWith(getBaseDn())) {
                         try {
                                 NamingEnumeration<?> values = memberOf.getAll();
                                 while (values.hasMore()) {
                                         Object value = values.next();
                                         LdapName groupDn = new LdapName(value.toString());
                                         DirectoryUser group = doGetRole(groupDn);
-                                       allRoles.add(group);
-                                       if (log.isDebugEnabled())
-                                               log.debug("Add memberOf " + groupDn);
+                                       if (group != null)
+                                               allRoles.add(group);
                                 }
                         } catch (Exception e) {
                                 throw new UserDirectoryException("Cannot get memberOf groups for " + user, e);
@@ -192,10 +192,10 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                         for (LdapName groupDn : getDirectGroups(user.getDn())) {
                                 // TODO check for loops
                                 DirectoryUser group = doGetRole(groupDn);
-                               allRoles.add(group);
-                               if (log.isDebugEnabled())
-                                       log.debug("Add direct group " + groupDn);
-                               collectRoles(group, allRoles);
+                               if (group != null) {
+                                       allRoles.add(group);
+                                       collectRoles(group, allRoles);
+                               }
                         }
                 }
         }
@@ -227,7 +227,6 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                 return user;
         }
  
-       @SuppressWarnings("unchecked")
         @Override
         public Role[] getRoles(String filter) throws InvalidSyntaxException {
                 UserDirectoryWorkingCopy wc = getWorkingCopy();
@@ -258,23 +257,14 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                         doGetUser(key, value, collectedUsers);
                 } else {
                         throw new UserDirectoryException("Key cannot be null");
-                       // // try dn
-                       // DirectoryUser user = null;
-                       // try {
-                       // user = (DirectoryUser) getRole(value);
-                       // if (user != null)
-                       // collectedUsers.add(user);
-                       // } catch (Exception e) {
-                       // // silent
-                       // }
-                       // // try all indexes
-                       // for (String attr : getIndexedUserProperties())
-                       // doGetUser(attr, value, collectedUsers);
                 }
-               if (collectedUsers.size() == 1)
+
+               if (collectedUsers.size() == 1) {
                         return collectedUsers.get(0);
-               else if (collectedUsers.size() > 1)
-                       log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" : "") + value);
+               } else if (collectedUsers.size() > 1) {
+                       // log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" :
+                       // "") + value);
+               }
                 return null;
         }
  
@@ -297,6 +287,8 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                         AbstractUserDirectory scopedUserAdmin = scope(user);
                         try {
                                 DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
+                               if (directoryUser == null)
+                                       throw new UserDirectoryException("No scoped user found for " + user);
                                 LdifAuthorization authorization = new LdifAuthorization(directoryUser,
                                                 scopedUserAdmin.getAllRoles(directoryUser));
                                 return authorization;
@@ -409,38 +401,45 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                 return credentialAttributeIds;
         }
  
-       protected URI getUri() {
+       protected String getUri() {
                 return uri;
         }
  
-       // protected List<String> getIndexedUserProperties() {
-       // return indexedUserProperties;
-       // }
-       //
-       // protected void setIndexedUserProperties(List<String>
-       // indexedUserProperties) {
-       // this.indexedUserProperties = indexedUserProperties;
-       // }
-
-       private static boolean readOnlyDefault(URI uri) {
-               if (uri == null)
+       private static boolean readOnlyDefault(String uriStr) {
+               if (uriStr == null)
                         return true;
+               /// TODO make it more generic
+               URI uri;
+               try {
+                       uri = new URI(uriStr.split(" ")[0]);
+               } catch (URISyntaxException e) {
+                       throw new IllegalArgumentException(e);
+               }
                 if (uri.getScheme() == null)
                         return false;// assume relative file to be writable
-               if (uri.getScheme().equals("file")) {
+               if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
                         File file = new File(uri);
                         if (file.exists())
                                 return !file.canWrite();
                         else
                                 return !file.getParentFile().canWrite();
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) {
+                       if (uri.getAuthority() != null)// assume writable if authenticated
+                               return false;
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) {
+                       return true;
                 }
-               return true;
+               return true;// read only by default
         }
  
         public boolean isReadOnly() {
                 return readOnly;
         }
  
+       public boolean isDisabled() {
+               return disabled;
+       }
+
         protected UserAdmin getExternalRoles() {
                 return externalRoles;
         }
@@ -499,4 +498,8 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                 return xaResource;
         }
  
+       public boolean isScoped() {
+               return scoped;
+       }
+
  }