projects / lgpl / argeo-commons.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
IPA authentication working.
[lgpl/argeo-commons.git] / org.argeo.enterprise / src / org / argeo / osgi / useradmin / AbstractUserDirectory.java
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
index e8dd6f2a6974af43f0b5dda922256c847c27f8b7..f2d7c88fc232ca8d1090c065a5a2a5f9c1b5a975 100644 (file)
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java
@@ -1,6 +1,7 @@
 package org.argeo.osgi.useradmin;
 
 import static org.argeo.naming.LdapAttrs.objectClass;
+import static org.argeo.naming.LdapObjs.extensibleObject;
 import static org.argeo.naming.LdapObjs.inetOrgPerson;
 import static org.argeo.naming.LdapObjs.organizationalPerson;
 import static org.argeo.naming.LdapObjs.person;
@@ -18,6 +19,9 @@ import java.util.Iterator;
 import java.util.List;
 
 import javax.naming.InvalidNameException;
+import javax.naming.NameNotFoundException;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.BasicAttribute;
 import javax.naming.directory.BasicAttributes;
@@ -27,8 +31,6 @@ import javax.transaction.SystemException;
 import javax.transaction.Transaction;
 import javax.transaction.TransactionManager;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.argeo.naming.LdapAttrs;
 import org.osgi.framework.Filter;
 import org.osgi.framework.FrameworkUtil;
@@ -40,45 +42,59 @@ import org.osgi.service.useradmin.UserAdmin;
 
 /** Base class for a {@link UserDirectory}. */
 public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory {
-       private final static Log log = LogFactory.getLog(AbstractUserDirectory.class);
+       static final String SHARED_STATE_USERNAME = "javax.security.auth.login.name";
+       static final String SHARED_STATE_PASSWORD = "javax.security.auth.login.password";
 
        private final Hashtable<String, Object> properties;
-       private final LdapName baseDn;
+       private final LdapName baseDn, userBaseDn, groupBaseDn;
        private final String userObjectClass, userBase, groupObjectClass, groupBase;
 
        private final boolean readOnly;
-       private final URI uri;
+       private final boolean disabled;
+       private final String uri;
 
        private UserAdmin externalRoles;
-       private List<String> indexedUserProperties = Arrays
-                       .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), LdapAttrs.cn.name() });
+       // private List<String> indexedUserProperties = Arrays
+       // .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(),
+       // LdapAttrs.cn.name() });
+
+       private final boolean scoped;
 
        private String memberAttributeId = "member";
-       private List<String> credentialAttributeIds = Arrays.asList(new String[] { LdapAttrs.userPassword.name() });
+       private List<String> credentialAttributeIds = Arrays
+                       .asList(new String[] { LdapAttrs.userPassword.name(), LdapAttrs.authPassword.name() });
 
        // JTA
        private TransactionManager transactionManager;
        private WcXaResource xaResource = new WcXaResource(this);
 
-       public AbstractUserDirectory(Dictionary<String, ?> props) {
+       AbstractUserDirectory(URI uriArg, Dictionary<String, ?> props, boolean scoped) {
+               this.scoped = scoped;
                properties = new Hashtable<String, Object>();
                for (Enumeration<String> keys = props.keys(); keys.hasMoreElements();) {
                        String key = keys.nextElement();
                        properties.put(key, props.get(key));
                }
 
-               String uriStr = UserAdminConf.uri.getValue(properties);
-               if (uriStr == null)
-                       uri = null;
-               else
-                       try {
-                               uri = new URI(uriStr);
-                       } catch (URISyntaxException e) {
-                               throw new UserDirectoryException("Badly formatted URI " + uriStr, e);
-                       }
+               if (uriArg != null) {
+                       uri = uriArg.toString();
+                       // uri from properties is ignored
+               } else {
+                       String uriStr = UserAdminConf.uri.getValue(properties);
+                       if (uriStr == null)
+                               uri = null;
+                       else
+                               uri = uriStr;
+               }
 
+               userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
+               userBase = UserAdminConf.userBase.getValue(properties);
+               groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties);
+               groupBase = UserAdminConf.groupBase.getValue(properties);
                try {
                        baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties));
+                       userBaseDn = new LdapName(userBase + "," + baseDn);
+                       groupBaseDn = new LdapName(groupBase + "," + baseDn);
                } catch (InvalidNameException e) {
                        throw new UserDirectoryException("Badly formated base DN " + UserAdminConf.baseDn.getValue(properties), e);
                }
@@ -87,12 +103,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                        readOnly = readOnlyDefault(uri);
                        properties.put(UserAdminConf.readOnly.name(), Boolean.toString(readOnly));
                } else
-                       readOnly = new Boolean(readOnlyStr);
-
-               userObjectClass = UserAdminConf.userObjectClass.getValue(properties);
-               userBase = UserAdminConf.userBase.getValue(properties);
-               groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties);
-               groupBase = UserAdminConf.groupBase.getValue(properties);
+                       readOnly = Boolean.parseBoolean(readOnlyStr);
+               String disabledStr = UserAdminConf.disabled.getValue(properties);
+               if (disabledStr != null)
+                       disabled = Boolean.parseBoolean(disabledStr);
+               else
+                       disabled = false;
        }
 
        /** Returns the groups this user is a direct member of. */
@@ -100,10 +116,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
 
        protected abstract Boolean daoHasRole(LdapName dn);
 
-       protected abstract DirectoryUser daoGetRole(LdapName key);
+       protected abstract DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException;
 
        protected abstract List<DirectoryUser> doGetRoles(Filter f);
 
+       protected abstract AbstractUserDirectory scope(User user);
+
        public void init() {
 
        }
@@ -153,11 +171,32 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
        }
 
        private void collectRoles(DirectoryUser user, List<Role> allRoles) {
-               for (LdapName groupDn : getDirectGroups(user.getDn())) {
-                       // TODO check for loops
-                       DirectoryUser group = doGetRole(groupDn);
-                       allRoles.add(group);
-                       collectRoles(group, allRoles);
+               Attributes attrs = user.getAttributes();
+               // TODO centralize attribute name
+               Attribute memberOf = attrs.get(LdapAttrs.memberOf.name());
+               // if user belongs to this directory, we only check meberOf
+               if (memberOf != null && user.getDn().startsWith(getBaseDn())) {
+                       try {
+                               NamingEnumeration<?> values = memberOf.getAll();
+                               while (values.hasMore()) {
+                                       Object value = values.next();
+                                       LdapName groupDn = new LdapName(value.toString());
+                                       DirectoryUser group = doGetRole(groupDn);
+                                       if (group != null)
+                                               allRoles.add(group);
+                               }
+                       } catch (Exception e) {
+                               throw new UserDirectoryException("Cannot get memberOf groups for " + user, e);
+                       }
+               } else {
+                       for (LdapName groupDn : getDirectGroups(user.getDn())) {
+                               // TODO check for loops
+                               DirectoryUser group = doGetRole(groupDn);
+                               if (group != null) {
+                                       allRoles.add(group);
+                                       collectRoles(group, allRoles);
+                               }
+                       }
                }
        }
 
@@ -173,7 +212,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
 
        protected DirectoryUser doGetRole(LdapName dn) {
                UserDirectoryWorkingCopy wc = getWorkingCopy();
-               DirectoryUser user = daoGetRole(dn);
+               DirectoryUser user;
+               try {
+                       user = daoGetRole(dn);
+               } catch (NameNotFoundException e) {
+                       user = null;
+               }
                if (wc != null) {
                        if (user == null && wc.getNewUsers().containsKey(dn))
                                user = wc.getNewUsers().get(dn);
@@ -183,7 +227,6 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                return user;
        }
 
-       @SuppressWarnings("unchecked")
        @Override
        public Role[] getRoles(String filter) throws InvalidSyntaxException {
                UserDirectoryWorkingCopy wc = getWorkingCopy();
@@ -209,27 +252,19 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
        @Override
        public User getUser(String key, String value) {
                // TODO check value null or empty
-               List<DirectoryUser> collectedUsers = new ArrayList<DirectoryUser>(getIndexedUserProperties().size());
+               List<DirectoryUser> collectedUsers = new ArrayList<DirectoryUser>();
                if (key != null) {
                        doGetUser(key, value, collectedUsers);
                } else {
-                       // try dn
-                       DirectoryUser user = null;
-                       try {
-                               user = (DirectoryUser) getRole(value);
-                               if (user != null)
-                                       collectedUsers.add(user);
-                       } catch (Exception e) {
-                               // silent
-                       }
-                       // try all indexes
-                       for (String attr : getIndexedUserProperties())
-                               doGetUser(attr, value, collectedUsers);
+                       throw new UserDirectoryException("Key cannot be null");
                }
-               if (collectedUsers.size() == 1)
+
+               if (collectedUsers.size() == 1) {
                        return collectedUsers.get(0);
-               else if (collectedUsers.size() > 1)
-                       log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" : "") + value);
+               } else if (collectedUsers.size() > 1) {
+                       // log.warn(collectedUsers.size() + " users for " + (key != null ? key + "=" :
+                       // "") + value);
+               }
                return null;
        }
 
@@ -245,7 +280,22 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
 
        @Override
        public Authorization getAuthorization(User user) {
-               return new LdifAuthorization((DirectoryUser) user, getAllRoles((DirectoryUser) user));
+               if (user == null || user instanceof DirectoryUser) {
+                       return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+               } else {
+                       // bind
+                       AbstractUserDirectory scopedUserAdmin = scope(user);
+                       try {
+                               DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
+                               if (directoryUser == null)
+                                       throw new UserDirectoryException("No scoped user found for " + user);
+                               LdifAuthorization authorization = new LdifAuthorization(directoryUser,
+                                               scopedUserAdmin.getAllRoles(directoryUser));
+                               return authorization;
+                       } finally {
+                               scopedUserAdmin.destroy();
+                       }
+               }
        }
 
        @Override
@@ -263,12 +313,13 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                if (wc.getDeletedUsers().containsKey(dn)) {
                        wc.getDeletedUsers().remove(dn);
                        wc.getModifiedUsers().put(dn, attrs);
+                       return getRole(name);
                } else {
                        wc.getModifiedUsers().put(dn, attrs);
                        DirectoryUser newRole = newRole(dn, type, attrs);
                        wc.getNewUsers().put(dn, newRole);
+                       return newRole;
                }
-               return getRole(name);
        }
 
        protected DirectoryUser newRole(LdapName dn, int type, Attributes attrs) {
@@ -284,6 +335,7 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                                objClass.add(person.name());
                        }
                        objClass.add(top.name());
+                       objClass.add(extensibleObject.name());
                        attrs.put(objClass);
                        newRole = new LdifUser(this, dn, attrs);
                } else if (type == Role.GROUP) {
@@ -349,42 +401,56 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                return credentialAttributeIds;
        }
 
-       protected URI getUri() {
+       protected String getUri() {
                return uri;
        }
 
-       protected List<String> getIndexedUserProperties() {
-               return indexedUserProperties;
-       }
-
-       protected void setIndexedUserProperties(List<String> indexedUserProperties) {
-               this.indexedUserProperties = indexedUserProperties;
-       }
-
-       private static boolean readOnlyDefault(URI uri) {
-               if (uri == null)
+       private static boolean readOnlyDefault(String uriStr) {
+               if (uriStr == null)
                        return true;
-               if (uri.getScheme().equals("file")) {
+               /// TODO make it more generic
+               URI uri;
+               try {
+                       uri = new URI(uriStr.split(" ")[0]);
+               } catch (URISyntaxException e) {
+                       throw new IllegalArgumentException(e);
+               }
+               if (uri.getScheme() == null)
+                       return false;// assume relative file to be writable
+               if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) {
                        File file = new File(uri);
                        if (file.exists())
                                return !file.canWrite();
                        else
                                return !file.getParentFile().canWrite();
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) {
+                       if (uri.getAuthority() != null)// assume writable if authenticated
+                               return false;
+               } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) {
+                       return true;
                }
-               return true;
+               return true;// read only by default
        }
 
        public boolean isReadOnly() {
                return readOnly;
        }
 
+       public boolean isDisabled() {
+               return disabled;
+       }
+
        protected UserAdmin getExternalRoles() {
                return externalRoles;
        }
 
-       public LdapName getBaseDn() {
-               // always clone so that the property is not modified by reference
-               return (LdapName) baseDn.clone();
+       protected int roleType(LdapName dn) {
+               if (dn.startsWith(groupBaseDn))
+                       return Role.GROUP;
+               else if (dn.startsWith(userBaseDn))
+                       return Role.USER;
+               else
+                       return Role.GROUP;
        }
 
        /** dn can be null, in that case a default should be returned. */
@@ -408,10 +474,18 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                return groupBase;
        }
 
+       public LdapName getBaseDn() {
+               return (LdapName) baseDn.clone();
+       }
+
        public Dictionary<String, Object> getProperties() {
                return properties;
        }
 
+       public Dictionary<String, Object> cloneProperties() {
+               return new Hashtable<>(properties);
+       }
+
        public void setExternalRoles(UserAdmin externalRoles) {
                this.externalRoles = externalRoles;
        }
@@ -424,4 +498,8 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory
                return xaResource;
        }
 
+       public boolean isScoped() {
+               return scoped;
+       }
+
 }
Argeo Commons - Lightweight integration framework in pure Java/OSGi