Search in sources :

Example 6 with ClaimImpl

use of ddf.security.claims.impl.ClaimImpl in project ddf by codice.

the class CertificateClaimsHandler method buildClaim.

private void buildClaim(ClaimsCollection claimsColl, String claimType, Object value) {
    if (value == null) {
        return;
    }
    Claim claim = new ClaimImpl(claimType);
    if (value instanceof List) {
        List<String> valueList = (List<String>) value;
        valueList.forEach(claim::addValue);
    } else {
        claim.addValue(value.toString());
    }
    claimsColl.add(claim);
}
Also used : ClaimImpl(ddf.security.claims.impl.ClaimImpl) List(java.util.List) Claim(ddf.security.claims.Claim)

Example 7 with ClaimImpl

use of ddf.security.claims.impl.ClaimImpl in project ddf by codice.

the class LdapClaimsHandler method retrieveClaims.

@Override
public ClaimsCollection retrieveClaims(ClaimsParameters parameters) {
    Principal principal = parameters.getPrincipal();
    String user = attributeMapLoader.getUser(principal);
    if (user == null) {
        LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
        return new ClaimsCollectionImpl();
    }
    ClaimsCollection claimsColl = new ClaimsCollectionImpl();
    Connection connection = null;
    try {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectclass", this.getObjectClass())).and(new EqualsFilter(this.getUserNameAttribute(), user));
        List<String> searchAttributeList = new ArrayList<String>();
        for (Map.Entry<String, String> claimEntry : getClaimsLdapAttributeMapping().entrySet()) {
            searchAttributeList.add(claimEntry.getValue());
        }
        String[] searchAttributes = null;
        searchAttributes = searchAttributeList.toArray(new String[searchAttributeList.size()]);
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = selectBindMethod();
            BindResult bindResult = connection.bind(request);
            if (bindResult.isSuccess()) {
                String baseDN = attributeMapLoader.getBaseDN(principal, getUserBaseDN(), overrideCertDn);
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", baseDN, filter);
                ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), searchAttributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    if (entryReader.isEntry()) {
                        entry = entryReader.readEntry();
                        for (Map.Entry<String, String> claimEntry : getClaimsLdapAttributeMapping().entrySet()) {
                            String claimType = claimEntry.getKey();
                            String ldapAttribute = claimEntry.getValue();
                            Attribute attr = entry.getAttribute(ldapAttribute);
                            if (attr == null) {
                                LOGGER.trace("Claim '{}' is null", claimType);
                            } else {
                                Claim claim = new ClaimImpl(claimType);
                                for (ByteString value : attr) {
                                    String itemValue = value.toString();
                                    if (this.isX500FilterEnabled()) {
                                        try {
                                            X500Principal x500p = new X500Principal(itemValue);
                                            itemValue = x500p.getName();
                                            int index = itemValue.indexOf('=');
                                            itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
                                        } catch (Exception ex) {
                                            // Ignore, not X500 compliant thus use the whole
                                            // string as the value
                                            LOGGER.debug("Not X500 compliant", ex);
                                        }
                                    }
                                    claim.addValue(itemValue);
                                }
                                claimsColl.add(claim);
                            }
                        }
                    } else {
                        // Got a continuation reference
                        LOGGER.debug("Referral ignored while searching for user {}", user);
                        entryReader.readReference();
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Cannot connect to server, therefore unable to set user attributes.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set user attributes. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information");
        LOGGER.debug("Unable to set user attributes.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) ArrayList(java.util.ArrayList) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ByteString(org.forgerock.opendj.ldap.ByteString) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) Connection(org.forgerock.opendj.ldap.Connection) ClaimImpl(ddf.security.claims.impl.ClaimImpl) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) LdapException(org.forgerock.opendj.ldap.LdapException) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ClaimsCollectionImpl(ddf.security.claims.impl.ClaimsCollectionImpl) ClaimsCollection(ddf.security.claims.ClaimsCollection) BindResult(org.forgerock.opendj.ldap.responses.BindResult) X500Principal(javax.security.auth.x500.X500Principal) Map(java.util.Map) X500Principal(javax.security.auth.x500.X500Principal) Principal(java.security.Principal) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Example 8 with ClaimImpl

use of ddf.security.claims.impl.ClaimImpl in project ddf by codice.

the class RoleClaimsHandler method retrieveClaims.

@Override
public ClaimsCollection retrieveClaims(ClaimsParameters parameters) {
    String[] attributes = { groupNameAttribute, memberNameAttribute };
    ClaimsCollection claimsColl = new ClaimsCollectionImpl();
    Connection connection = null;
    try {
        Principal principal = parameters.getPrincipal();
        String user = attributeMapLoader.getUser(principal);
        if (user == null) {
            LOGGER.info("Could not determine user name, possible authentication error. Returning no claims.");
            return new ClaimsCollectionImpl();
        }
        connection = connectionFactory.getConnection();
        if (connection != null) {
            BindRequest request = BindMethodChooser.selectBindMethod(bindMethod, bindUserDN, bindUserCredentials, kerberosRealm, kdcAddress);
            BindResult bindResult = connection.bind(request);
            String membershipValue = user;
            String baseDN = attributeMapLoader.getBaseDN(principal, userBaseDn, overrideCertDn);
            AndFilter filter = new AndFilter();
            filter.and(new EqualsFilter(this.getLoginUserAttribute(), user));
            ConnectionEntryReader entryReader = connection.search(baseDN, SearchScope.WHOLE_SUBTREE, filter.toString(), membershipUserAttribute);
            String userDN = String.format("%s=%s,%s", loginUserAttribute, user, baseDN);
            String specificUserBaseDN = baseDN;
            while (entryReader.hasNext()) {
                if (entryReader.isEntry()) {
                    SearchResultEntry entry = entryReader.readEntry();
                    userDN = entry.getName().toString();
                    specificUserBaseDN = userDN.substring(userDN.indexOf(',') + 1);
                    if (!membershipUserAttribute.equals(loginUserAttribute)) {
                        Attribute attr = entry.getAttribute(membershipUserAttribute);
                        if (attr != null) {
                            for (ByteString value : attr) {
                                membershipValue = value.toString();
                            }
                        }
                    }
                } else {
                    // Got a continuation reference
                    LOGGER.debug("Referral ignored while searching for user {}", user);
                    entryReader.readReference();
                }
            }
            filter = new AndFilter();
            filter.and(new EqualsFilter("objectClass", getObjectClass())).and(new OrFilter().or(new EqualsFilter(getMemberNameAttribute(), getMembershipUserAttribute() + "=" + membershipValue + "," + specificUserBaseDN)).or(new EqualsFilter(getMemberNameAttribute(), userDN)));
            if (bindResult.isSuccess()) {
                LOGGER.trace("Executing ldap search with base dn of {} and filter of {}", groupBaseDn, filter);
                entryReader = connection.search(groupBaseDn, SearchScope.WHOLE_SUBTREE, filter.toString(), attributes);
                SearchResultEntry entry;
                while (entryReader.hasNext()) {
                    if (entryReader.isEntry()) {
                        entry = entryReader.readEntry();
                        Attribute attr = entry.getAttribute(groupNameAttribute);
                        if (attr == null) {
                            LOGGER.trace("Claim '{}' is null", roleClaimType);
                        } else {
                            Claim claim = new ClaimImpl(roleClaimType);
                            for (ByteString value : attr) {
                                String itemValue = value.toString();
                                claim.addValue(itemValue);
                            }
                            claimsColl.add(claim);
                        }
                    } else {
                        // Got a continuation reference
                        LOGGER.debug("Referral ignored while searching for user {}", user);
                        entryReader.readReference();
                    }
                }
            } else {
                LOGGER.info("LDAP Connection failed.");
            }
        }
    } catch (LdapException e) {
        LOGGER.info("Cannot connect to server, therefore unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Cannot connect to server, therefore unable to set role claims.", e);
    } catch (SearchResultReferenceIOException e) {
        LOGGER.info("Unable to set role claims. Set log level for \"ddf.security.sts.claimsHandler\" to DEBUG for more information.");
        LOGGER.debug("Unable to set role claims.", e);
    } finally {
        if (connection != null) {
            connection.close();
        }
    }
    return claimsColl;
}
Also used : Attribute(org.forgerock.opendj.ldap.Attribute) ByteString(org.forgerock.opendj.ldap.ByteString) Connection(org.forgerock.opendj.ldap.Connection) BindRequest(org.forgerock.opendj.ldap.requests.BindRequest) ClaimImpl(ddf.security.claims.impl.ClaimImpl) ByteString(org.forgerock.opendj.ldap.ByteString) OrFilter(org.springframework.ldap.filter.OrFilter) SearchResultReferenceIOException(org.forgerock.opendj.ldap.SearchResultReferenceIOException) AndFilter(org.springframework.ldap.filter.AndFilter) ConnectionEntryReader(org.forgerock.opendj.ldif.ConnectionEntryReader) ClaimsCollectionImpl(ddf.security.claims.impl.ClaimsCollectionImpl) ClaimsCollection(ddf.security.claims.ClaimsCollection) BindResult(org.forgerock.opendj.ldap.responses.BindResult) EqualsFilter(org.springframework.ldap.filter.EqualsFilter) LdapException(org.forgerock.opendj.ldap.LdapException) Principal(java.security.Principal) Claim(ddf.security.claims.Claim) SearchResultEntry(org.forgerock.opendj.ldap.responses.SearchResultEntry)

Aggregations

ClaimImpl (ddf.security.claims.impl.ClaimImpl)8 Claim (ddf.security.claims.Claim)6 ClaimsCollection (ddf.security.claims.ClaimsCollection)6 ClaimsCollectionImpl (ddf.security.claims.impl.ClaimsCollectionImpl)6 Principal (java.security.Principal)4 ArrayList (java.util.ArrayList)3 X500Principal (javax.security.auth.x500.X500Principal)3 ClaimsHandler (ddf.security.claims.ClaimsHandler)2 Map (java.util.Map)2 Attribute (org.forgerock.opendj.ldap.Attribute)2 ByteString (org.forgerock.opendj.ldap.ByteString)2 Connection (org.forgerock.opendj.ldap.Connection)2 LdapException (org.forgerock.opendj.ldap.LdapException)2 SearchResultReferenceIOException (org.forgerock.opendj.ldap.SearchResultReferenceIOException)2 BindRequest (org.forgerock.opendj.ldap.requests.BindRequest)2 BindResult (org.forgerock.opendj.ldap.responses.BindResult)2 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)2 ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)2 Before (org.junit.Before)2 AndFilter (org.springframework.ldap.filter.AndFilter)2