Search in sources :

Example 26 with ClaimsCollection

use of ddf.security.claims.ClaimsCollection in project ddf by codice.

the class LdapClaimsHandler method retrieveClaims.

@Override
public ClaimsCollection retrieveClaims(ClaimsParameters parameters) {
    Principal principal = parameters.getPrincipal();
    String user = attributeMapLoader.getUser(principal);
    if (user == null) {
        LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
        return new ClaimsCollectionImpl();
    }
    ClaimsCollection claimsColl = new ClaimsCollectionImpl();
    Connection connection = null;
    try {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectclass", this.getObjectClass())).and(new EqualsFilter(this.getUserNameAttribute(), user));
        List<String> searchAttributeList = new ArrayList<String>();
        for (Map.Entry<String, String> claimEntry : getClaimsLdapAttributeMapping().entrySet()) {
            searchAttributeList.add(claimEntry.getValue());
        }
        String[] searchAttributes = null;
        searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = selectBindMethod();
            BindResult bindResult = connection.bind(request);
            if (bindResult.isSuccess()) {
                String baseDN = attributeMapLoader.getBaseDN(principal, getUserBaseDN(), overrideCertDn);
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", baseDN, filter);
                ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), searchAttributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    if (entryReader.isEntry()) {
                        entry = entryReader.readEntry();
                        for (Map.Entry<String, String> claimEntry : getClaimsLdapAttributeMapping().entrySet()) {
                            String claimType = claimEntry.getKey();
                            String ldapAttribute = claimEntry.getValue();
                            Attribute attr = entry.getAttribute(ldapAttribute);
                            if (attr == null) {
                                LOGGER.trace("Claim '{}' is null", claimType);
                            } else {
                                Claim claim = new ClaimImpl(claimType);
                                for (ByteString value : attr) {
                                    String itemValue = value.toString();
                                    if (this.isX500FilterEnabled()) {
                                        try {
                                            X500Principal x500p = new X500Principal(itemValue);
                                            itemValue = x500p.getName();
                                            int index = itemValue.indexOf('=');
                                            itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
                                        } catch (Exception ex) {
                                            // Ignore, not X500 compliant thus use the whole
                                            // string as the value
                                            LOGGER.debug("Not X500 compliant", ex);
                                        }
                                    }
                                    claim.addValue(itemValue);
                                }
                                claimsColl.add(claim);
                            }
                        }
                    } else {
                        // Got a continuation reference
                        LOGGER.debug("Referral ignored while searching for user {}", user);
                        entryReader.readReference();
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Cannot connect to server, therefore unable to set user attributes.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Unable to set user attributes.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) ArrayList(java.util.ArrayList) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) Connection(org.forgerock.opendj.ldap.Connection) ClaimImpl(ddf.security.claims.impl.ClaimImpl) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ClaimsCollectionImpl(ddf.security.claims.impl.ClaimsCollectionImpl) ClaimsCollection(ddf.security.claims.ClaimsCollection) BindResult(org.forgerock.opendj.ldap.responses.BindResult) X500Principal(javax.security.auth.x500.X500Principal) Map(java.util.Map) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 27 with ClaimsCollection

use of ddf.security.claims.ClaimsCollection in project ddf by codice.

the class RoleClaimsHandler method retrieveClaims.

@Override
public ClaimsCollection retrieveClaims(ClaimsParameters parameters) {
    String[] attributes = { groupNameAttribute, memberNameAttribute };
    ClaimsCollection claimsColl = new ClaimsCollectionImpl();
    Connection connection = null;
    try {
        Principal principal = parameters.getPrincipal();
        String user = attributeMapLoader.getUser(principal);
        if (user == null) {
            LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
            return new ClaimsCollectionImpl();
        }
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
            BindResult bindResult = connection.bind(request);
            String membershipValue = user;
            String baseDN = attributeMapLoader.getBaseDN(principal, userBaseDn, overrideCertDn);
            AndFilter filter = new AndFilter();
            filter.and(new EqualsFilter(this.getLoginUserAttribute(), user));
            ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), membershipUserAttribute);
            String userDN = String.format("%s=%s,%s", loginUserAttribute, user, baseDN);
            String specificUserBaseDN = baseDN;
            while (entryReader.hasNext()) {
                if (entryReader.isEntry()) {
                    SearchResultEntry entry = entryReader.readEntry();
                    userDN = entry.getName().toString();
                    specificUserBaseDN = userDN.substring(userDN.indexOf(',') + 1);
                    if (!membershipUserAttribute.equals(loginUserAttribute)) {
                        Attribute attr = entry.getAttribute(membershipUserAttribute);
                        if (attr != null) {
                            for (ByteString value : attr) {
                                membershipValue = value.toString();
                            }
                        }
                    }
                } else {
                    // Got a continuation reference
                    LOGGER.debug("Referral ignored while searching for user {}", user);
                    entryReader.readReference();
                }
            }
            filter = new AndFilter();
            filter.and(new EqualsFilter("objectClass", getObjectClass())).and(new OrFilter().or(new EqualsFilter(getMemberNameAttribute(), getMembershipUserAttribute() + "=" + membershipValue + "," + specificUserBaseDN)).or(new EqualsFilter(getMemberNameAttribute(), userDN)));
            if (bindResult.isSuccess()) {
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", groupBaseDn, filter);
                entryReader = connection.search(groupBaseDn, SearchScope.WHOLE_SUBTREE, filter.toString(), attributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    if (entryReader.isEntry()) {
                        entry = entryReader.readEntry();
                        Attribute attr = entry.getAttribute(groupNameAttribute);
                        if (attr == null) {
                            LOGGER.trace("Claim '{}' is null", roleClaimType);
                        } else {
                            Claim claim = new ClaimImpl(roleClaimType);
                            for (ByteString value : attr) {
                                String itemValue = value.toString();
                                claim.addValue(itemValue);
                            }
                            claimsColl.add(claim);
                        }
                    } else {
                        // Got a continuation reference
                        LOGGER.debug("Referral ignored while searching for user {}", user);
                        entryReader.readReference();
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Cannot connect to server, therefore unable to set role claims.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Unable to set role claims.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) Connection(org.forgerock.opendj.ldap.Connection) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ClaimImpl(ddf.security.claims.impl.ClaimImpl) ByteString(org.forgerock.opendj.ldap.ByteString) OrFilter(org.springframework.ldap.filter.OrFilter) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ClaimsCollectionImpl(ddf.security.claims.impl.ClaimsCollectionImpl) ClaimsCollection(ddf.security.claims.ClaimsCollection) BindResult(org.forgerock.opendj.ldap.responses.BindResult) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) Principal(java.security.Principal) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 28 with ClaimsCollection

use of ddf.security.claims.ClaimsCollection in project ddf by codice.

the class RoleClaimsHandlerTest method testRetrieveClaimsValuesNestedUserOU.

@Test
public void testRetrieveClaimsValuesNestedUserOU() throws LdapException, SearchResultReferenceIOException {
    BindResult bindResult = mock(BindResult.class);
    ClaimsParameters claimsParameters;
    Connection connection = mock(Connection.class);
    ConnectionEntryReader membershipReader = mock(ConnectionEntryReader.class);
    ConnectionEntryReader groupNameReader = mock(ConnectionEntryReader.class);
    LinkedAttribute membershipAttribute = new LinkedAttribute("cn");
    LinkedAttribute groupNameAttribute = new LinkedAttribute("cn");
    ClaimsCollection processedClaims;
    RoleClaimsHandler claimsHandler;
    SearchResultEntry membershipSearchResult = mock(SearchResultEntry.class);
    DN resultDN = DN.valueOf("uid=tstark,OU=nested,");
    SearchResultEntry groupNameSearchResult = mock(SearchResultEntry.class);
    String groupName = "avengers";
    when(bindResult.isSuccess()).thenReturn(true);
    membershipAttribute.add("tstark");
    when(membershipSearchResult.getAttribute(anyString())).thenReturn(membershipAttribute);
    // hasNext() returns 'true' the first time, then 'false' every time after.
    when(membershipReader.hasNext()).thenReturn(true, false);
    when(membershipReader.isEntry()).thenReturn(true);
    when(membershipReader.readEntry()).thenReturn(membershipSearchResult);
    when(membershipSearchResult.getName()).thenReturn(resultDN);
    groupNameAttribute.add(groupName);
    when(groupNameSearchResult.getAttribute(anyString())).thenReturn(groupNameAttribute);
    when(groupNameReader.hasNext()).thenReturn(true, false);
    when(groupNameReader.isEntry()).thenReturn(true);
    when(groupNameReader.readEntry()).thenReturn(groupNameSearchResult);
    when(connection.bind(any())).thenReturn(bindResult);
    when(connection.search(any(), any(), eq("(&(objectClass=groupOfNames)(|(member=cn=tstark,OU=nested,)(member=uid=tstark,OU=nested,)))"), any())).thenReturn(groupNameReader);
    when(connection.search(anyString(), any(), anyString(), matches("cn"))).thenReturn(membershipReader);
    claimsHandler = new RoleClaimsHandler(new AttributeMapLoader(new SubjectUtils()));
    ConnectionFactory mockConnectionFactory = mock(ConnectionFactory.class);
    when(mockConnectionFactory.getConnection()).thenReturn(connection);
    claimsHandler.setLdapConnectionFactory(mockConnectionFactory);
    claimsHandler.setBindMethod("Simple");
    claimsHandler.setBindUserCredentials("foo");
    claimsHandler.setBindUserDN("bar");
    claimsHandler.setMembershipUserAttribute("cn");
    claimsHandler.setLoginUserAttribute("uid");
    claimsParameters = new ClaimsParametersImpl(new UserPrincipal(USER_CN), new HashSet<>(), new HashMap<>());
    processedClaims = claimsHandler.retrieveClaims(claimsParameters);
    assertThat(processedClaims, hasSize(1));
    Claim claim = processedClaims.get(0);
    assertThat(claim.getValues(), hasSize(1));
    assertThat(claim.getValues().get(0), equalTo(groupName));
}
Also used : SubjectUtils(ddf.security.service.impl.SubjectUtils) HashMap(java.util.HashMap) Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) ClaimsParameters(ddf.security.claims.ClaimsParameters) LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ConnectionFactory(org.forgerock.opendj.ldap.ConnectionFactory) ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl) BindResult(org.forgerock.opendj.ldap.responses.BindResult) ClaimsCollection(ddf.security.claims.ClaimsCollection) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 29 with ClaimsCollection

use of ddf.security.claims.ClaimsCollection in project ddf by codice.

the class RoleClaimsHandlerTest method testRetrieveClaimsValuesNotNullPrincipal.

@Test
public void testRetrieveClaimsValuesNotNullPrincipal() throws LdapException, SearchResultReferenceIOException {
    BindResult bindResult = mock(BindResult.class);
    ClaimsParameters claimsParameters;
    Connection connection = mock(Connection.class);
    ConnectionEntryReader membershipReader = mock(ConnectionEntryReader.class);
    ConnectionEntryReader groupNameReader = mock(ConnectionEntryReader.class);
    LinkedAttribute membershipAttribute = new LinkedAttribute("uid");
    LinkedAttribute groupNameAttribute = new LinkedAttribute("cn");
    ClaimsCollection processedClaims;
    RoleClaimsHandler claimsHandler;
    SearchResultEntry membershipSearchResult = mock(SearchResultEntry.class);
    DN resultDN = DN.valueOf("uid=tstark,");
    SearchResultEntry groupNameSearchResult = mock(SearchResultEntry.class);
    String groupName = "avengers";
    when(bindResult.isSuccess()).thenReturn(true);
    membershipAttribute.add("tstark");
    when(membershipSearchResult.getAttribute(anyString())).thenReturn(membershipAttribute);
    // hasNext() returns 'true' the first time, then 'false' every time after.
    when(membershipReader.hasNext()).thenReturn(true, false);
    when(membershipReader.isEntry()).thenReturn(true);
    when(membershipReader.readEntry()).thenReturn(membershipSearchResult);
    when(membershipSearchResult.getName()).thenReturn(resultDN);
    groupNameAttribute.add(groupName);
    when(groupNameSearchResult.getAttribute(anyString())).thenReturn(groupNameAttribute);
    when(groupNameReader.hasNext()).thenReturn(true, false);
    when(groupNameReader.isEntry()).thenReturn(true);
    when(groupNameReader.readEntry()).thenReturn(groupNameSearchResult);
    when(connection.bind(any())).thenReturn(bindResult);
    when(connection.search(any(), any(), eq("(&(objectClass=groupOfNames)(|(member=uid=tstark,)(member=uid=tstark,)))"), any())).thenReturn(groupNameReader);
    when(connection.search(anyString(), any(), anyString(), matches("uid"))).thenReturn(membershipReader);
    claimsHandler = new RoleClaimsHandler(new AttributeMapLoader(new SubjectUtils()));
    ConnectionFactory mockConnectionFactory = mock(ConnectionFactory.class);
    when(mockConnectionFactory.getConnection()).thenReturn(connection);
    claimsHandler.setLdapConnectionFactory(mockConnectionFactory);
    claimsHandler.setBindMethod("Simple");
    claimsHandler.setBindUserCredentials("foo");
    claimsHandler.setBindUserDN("bar");
    claimsParameters = new ClaimsParametersImpl(new UserPrincipal(USER_CN), new HashSet<>(), new HashMap<>());
    processedClaims = claimsHandler.retrieveClaims(claimsParameters);
    assertThat(processedClaims, hasSize(1));
    Claim claim = processedClaims.get(0);
    assertThat(claim.getValues(), hasSize(1));
    assertThat(claim.getValues().get(0), equalTo(groupName));
}
Also used : SubjectUtils(ddf.security.service.impl.SubjectUtils) HashMap(java.util.HashMap) Connection(org.forgerock.opendj.ldap.Connection) DN(org.forgerock.opendj.ldap.DN) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) UserPrincipal(org.apache.karaf.jaas.boot.principal.UserPrincipal) ClaimsParameters(ddf.security.claims.ClaimsParameters) LinkedAttribute(org.forgerock.opendj.ldap.LinkedAttribute) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ConnectionFactory(org.forgerock.opendj.ldap.ConnectionFactory) ClaimsParametersImpl(ddf.security.claims.impl.ClaimsParametersImpl) BindResult(org.forgerock.opendj.ldap.responses.BindResult) ClaimsCollection(ddf.security.claims.ClaimsCollection) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

ClaimsCollection (ddf.security.claims.ClaimsCollection)29 Test (org.junit.Test)18 Principal (java.security.Principal)16 ClaimsParameters (ddf.security.claims.ClaimsParameters)14 ClaimsParametersImpl (ddf.security.claims.impl.ClaimsParametersImpl)14 HashMap (java.util.HashMap)10 Claim (ddf.security.claims.Claim)9 ClaimsCollectionImpl (ddf.security.claims.impl.ClaimsCollectionImpl)9 ClaimImpl (ddf.security.claims.impl.ClaimImpl)6 ClaimsHandler (ddf.security.claims.ClaimsHandler)4 ArrayList (java.util.ArrayList)4 HashSet (java.util.HashSet)4 X500Principal (javax.security.auth.x500.X500Principal)4 UserPrincipal (org.apache.karaf.jaas.boot.principal.UserPrincipal)4 Connection (org.forgerock.opendj.ldap.Connection)4 BindResult (org.forgerock.opendj.ldap.responses.BindResult)4 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)4 ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)4 SubjectUtils (ddf.security.service.impl.SubjectUtils)3 AttributeStatement (ddf.security.assertion.AttributeStatement)2