
Example 66 with Attribute

use of javax.naming.directory.Attribute in project orientdb by orientechnologies.

the class OStorageRemote method parseServerURLs.

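/**
 * Parses the connection {@code url} into the database {@code name} and the server list.
 * Multiple hosts must be separated by semicolon ({@code ADDRESS_SEPARATOR}); the database
 * name is the segment after the last {@code /}. In the short form (no {@code /}) the whole
 * URL is both the only host and the database name.
 *
 * <p>When exactly one host is configured and
 * {@code NETWORK_BINARY_DNS_LOADBALANCING_ENABLED} is set, the TXT record of that host is
 * queried through JNDI/DNS and its {@code s=host} entries replace the configured server
 * list. A plain DNS answer is not authenticated, so every server discovered this way
 * inherits the trust placed in the configured host; a failed lookup keeps the configured
 * host and is logged at debug level.
 */
protected void parseServerURLs() {
    String lastHost = null;
    final int dbPos = url.indexOf('/');
    if (dbPos == -1) {
        // SHORT FORM: the whole URL is the single host and also the database name
        addHost(url);
        lastHost = url;
        name = url;
    } else {
        name = url.substring(url.lastIndexOf("/") + 1);
        for (String host : url.substring(0, dbPos).split(ADDRESS_SEPARATOR)) {
            lastHost = host;
            addHost(host);
        }
    }

    synchronized (serverURLs) {
        if (serverURLs.size() == 1 && OGlobalConfiguration.NETWORK_BINARY_DNS_LOADBALANCING_ENABLED.getValueAsBoolean()) {
            // LOOK FOR LOAD BALANCING DNS TXT RECORD
            final String primaryServer = lastHost;
            // The TXT lookup is on the bare host name: drop a ":port" suffix if present
            final String hostName = primaryServer.contains(":") ? primaryServer.substring(0, primaryServer.indexOf(":")) : primaryServer;
            OLogManager.instance().debug(this, "Retrieving URLs from DNS '%s' (timeout=%d)...", primaryServer,
                OGlobalConfiguration.NETWORK_BINARY_DNS_LOADBALANCING_TIMEOUT.getValueAsInteger());
            try {
                final Hashtable<String, String> env = new Hashtable<String, String>();
                env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
                // NOTE(review): this is the LDAP provider's timeout key; the DNS provider reads
                // "com.sun.jndi.dns.timeout.initial" - confirm the configured timeout takes effect
                env.put("com.sun.jndi.ldap.connect.timeout", OGlobalConfiguration.NETWORK_BINARY_DNS_LOADBALANCING_TIMEOUT.getValueAsString());
                final DirContext ictx = new InitialDirContext(env);
                final Attributes attrs = ictx.getAttributes(hostName, new String[] { "TXT" });
                final Attribute attr = attrs.get("TXT");
                if (attr != null) {
                    for (int i = 0; i < attr.size(); ++i) {
                        final String[] hosts = serversFromTxtRecord((String) attr.get(i));
                        // A record without any "s=" entry must not leave the client with no server at all
                        if (hosts.length > 0) {
                            // NOTE(review): the list is reset per TXT value, so with several TXT records
                            // only the last one is kept - confirm that is intended
                            serverURLs.clear();
                            for (String host : hosts) {
                                addHost(host);
                            }
                        }
                    }
                }
            } catch (NamingException e) {
                // Best effort: keep the configured host, but leave a trace for operators
                OLogManager.instance().debug(this, "Cannot retrieve URLs from DNS '%s': %s", primaryServer, e);
            }
        }
    }
}

/**
 * Extracts the hosts announced by one load-balancing TXT record value.
 *
 * <p>The value is split on single spaces and every token of the form {@code s=host}
 * contributes its {@code host}; surrounding double quotes, which some resolvers keep
 * around TXT values, are removed first.
 *
 * @param record one TXT record value, possibly {@code null}
 * @return the announced hosts in record order; empty when the record is {@code null} or
 *         carries no {@code s=} token
 */
private static String[] serversFromTxtRecord(String record) {
    if (record == null) {
        return new String[0];
    }
    String configuration = record;
    // A lone quote has nothing inside it; only strip when there is at least a closing character
    if (configuration.startsWith("\"") && configuration.length() >= 2) {
        configuration = configuration.substring(1, configuration.length() - 1);
    }
    final java.util.List<String> hosts = new java.util.ArrayList<String>();
    for (String part : configuration.split(" ")) {
        if (part.startsWith("s=")) {
            hosts.add(part.substring("s=".length()));
        }
    }
    return hosts.toArray(new String[hosts.size()]);
}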

Example 67 with Attribute

use of javax.naming.directory.Attribute in project neo4j by neo4j.

the class LdapRealm method findRoleNamesForUser.

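// TODO: Extract to an LdapAuthorizationStrategy ? This ("group by attribute") is one of multiple possible strategies
/**
 * Resolves the role names of {@code username} by searching the user under
 * {@code userSearchBase} with {@code userSearchFilter} and mapping the values of the
 * configured membership attributes ({@code membershipAttributeNames}) to roles through
 * {@link #getRoleNamesForGroups}.
 *
 * <p>Only the first matching entry is inspected; a search that matches more than one entry
 * is reported as a warning through {@code securityLog}.
 *
 * @param username    the user principal, substituted for the filter's placeholder argument
 * @param ldapContext the bound LDAP context to search with
 * @return the roles mapped from the user's group memberships, in insertion order; empty when
 *         the user is not found or has no mapped group
 * @throws NamingException if the directory search or attribute enumeration fails
 */
Set<String> findRoleNamesForUser(String username, LdapContext ldapContext) throws NamingException {
    Set<String> roleNames = new LinkedHashSet<>();
    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // toArray(new String[0]) sizes the array to the collection; a fixed one-element array
    // would carry a trailing null when no membership attribute is configured
    searchCtls.setReturningAttributes(membershipAttributeNames.toArray(new String[0]));
    // The user name is passed as a filter argument so that JNDI escapes LDAP filter
    // metacharacters in it instead of the name being spliced into the filter string
    Object[] searchArguments = new Object[] { username };
    NamingEnumeration<SearchResult> result = ldapContext.search(userSearchBase, userSearchFilter, searchArguments, searchCtls);
    try {
        if (result.hasMoreElements()) {
            SearchResult searchResult = result.next();
            if (result.hasMoreElements()) {
                if (securityLog.isDebugEnabled()) {
                    securityLog.warn(withRealm("LDAP user search for user principal '%s' is ambiguous. The first match that will "
                        + "be checked for group membership is '%s' but the search also matches '%s'. "
                        + "Please check your LDAP realm configuration.", username, searchResult.toString(), result.next().toString()));
                } else {
                    securityLog.warn(withRealm("LDAP user search for user principal '%s' is ambiguous. The search matches more "
                        + "than one entry. Please check your LDAP realm configuration.", username));
                }
            }
            Attributes attributes = searchResult.getAttributes();
            if (attributes != null) {
                NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
                try {
                    while (attributeEnumeration.hasMore()) {
                        Attribute attribute = attributeEnumeration.next();
                        String attributeId = attribute.getID();
                        if (membershipAttributeNames.stream().anyMatch(attributeId::equalsIgnoreCase)) {
                            Collection<String> groupNames = LdapUtils.getAllAttributeValues(attribute);
                            roleNames.addAll(getRoleNamesForGroups(groupNames));
                        }
                    }
                } finally {
                    attributeEnumeration.close();
                }
            }
        }
    } finally {
        // NamingEnumeration is not AutoCloseable; release the search state explicitly
        result.close();
    }
    return roleNames;
}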

Example 68 with Attribute

use of javax.naming.directory.Attribute in project neo4j by neo4j.

the class LdapRealmTest method shouldAllowMultipleGroupMembershipAttributes.

/**
 * Verifies that every configured membership attribute contributes roles: an entry carrying
 * both {@code attr1} (group1) and {@code attr2} (group2) must yield role1, role2 and role3.
 */
@Test
public void shouldAllowMultipleGroupMembershipAttributes() throws NamingException {
    // Given: three configured membership attributes and a group-to-role mapping
    when(config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("{0}");
    when(config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(asList("attr0", "attr1", "attr2"));
    when(config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group1=role1;group2=role2,role3");

    LdapContext ldapContext = mock(LdapContext.class);
    NamingEnumeration userSearchResults = mock(NamingEnumeration.class);
    SearchResult userEntry = mock(SearchResult.class);
    Attributes userAttributes = mock(Attributes.class);
    NamingEnumeration userAttributeEnumeration = mock(NamingEnumeration.class);
    Attribute membershipAttr1 = mock(Attribute.class);
    Attribute membershipAttr2 = mock(Attribute.class);
    Attribute membershipAttr3 = mock(Attribute.class);

    // One user entry whose attribute enumeration hands out the three attributes in order
    when(ldapContext.search(anyString(), anyString(), anyObject(), anyObject())).thenReturn(userSearchResults);
    when(userSearchResults.hasMoreElements()).thenReturn(true, false);
    when(userSearchResults.next()).thenReturn(userEntry);
    when(userEntry.getAttributes()).thenReturn(userAttributes);
    when(userAttributes.getAll()).thenReturn(userAttributeEnumeration);
    when(userAttributeEnumeration.hasMore()).thenReturn(true, true, false);
    when(userAttributeEnumeration.next()).thenReturn(membershipAttr1, membershipAttr2, membershipAttr3);

    // "attr1" -> group1 -> role1 and "attr2" -> group2 -> role2,role3. "attr3" is not a configured
    // membership attribute and "attr0" never occurs, so neither may contribute a role.
    stubSingleValuedAttribute(membershipAttr1, "attr1", "group1");
    stubSingleValuedAttribute(membershipAttr2, "attr2", "group2");
    stubSingleValuedAttribute(membershipAttr3, "attr3", "groupWithNoRole");

    // When
    LdapRealm realm = new LdapRealm(config, securityLog, secureHasher);
    Set<String> roles = realm.findRoleNamesForUser("username", ldapContext);

    // Then
    assertThat(roles, hasItems("role1", "role2", "role3"));
}

/**
 * Stubs {@code attribute} to report {@code id} and to enumerate exactly one value, {@code value}.
 */
private static void stubSingleValuedAttribute(Attribute attribute, String id, String value) throws NamingException {
    NamingEnumeration values = mock(NamingEnumeration.class);
    when(attribute.getID()).thenReturn(id);
    when(attribute.getAll()).thenReturn(values);
    when(values.hasMore()).thenReturn(true, false);
    when(values.next()).thenReturn(value);
}

Example 69 with Attribute

use of javax.naming.directory.Attribute in project neo4j by neo4j.

the class LdapGroupHasUsersAuthPlugin method authorize.

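/**
 * Collects the Neo4j roles of {@code username} from the LDAP groups that list the user as a
 * member. Every group found under {@code GROUP_SEARCH_BASE} with {@code GROUP_SEARCH_FILTER}
 * is mapped through {@link #getNeo4jRoleForGroupId}; groups without a mapping are skipped.
 *
 * @param ctx      the bound LDAP context to search with
 * @param username the user principal, substituted for the filter's placeholder argument
 * @return the mapped roles in discovery order; empty when no matching group is mapped
 * @throws NamingException if the search or attribute enumeration fails
 */
private Set<String> authorize(LdapContext ctx, String username) throws NamingException {
    Set<String> roleNames = new LinkedHashSet<>();
    // Setup our search controls
    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    searchCtls.setReturningAttributes(new String[] { GROUP_ID });
    // The user name goes in as a filter argument so that JNDI escapes LDAP filter
    // metacharacters in it instead of the name being spliced into the filter string
    Object[] searchArguments = new Object[] { username };
    // Search for groups that have the user as a member
    NamingEnumeration<SearchResult> result = ctx.search(GROUP_SEARCH_BASE, GROUP_SEARCH_FILTER, searchArguments, searchCtls);
    try {
        // Each match is one membership; stopping at the first would drop the roles of a user
        // that belongs to several mapped groups
        while (result.hasMoreElements()) {
            SearchResult searchResult = result.next();
            Attributes attributes = searchResult.getAttributes();
            if (attributes == null) {
                continue;
            }
            NamingEnumeration<? extends Attribute> attributeEnumeration = attributes.getAll();
            try {
                while (attributeEnumeration.hasMore()) {
                    Attribute attribute = attributeEnumeration.next();
                    if (attribute.getID().equalsIgnoreCase(GROUP_ID)) {
                        // We found a group that the user is a member of. See if it has a role mapped to it
                        String groupId = (String) attribute.get();
                        String neo4jGroup = getNeo4jRoleForGroupId(groupId);
                        if (neo4jGroup != null) {
                            roleNames.add(neo4jGroup);
                        }
                    }
                }
            } finally {
                attributeEnumeration.close();
            }
        }
    } finally {
        // NamingEnumeration is not AutoCloseable; release the search state explicitly
        result.close();
    }
    return roleNames;
}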

Example 70 with Attribute

use of javax.naming.directory.Attribute in project hadoop by apache.

the class TestLdapGroupsMappingBase method setupMocksBase.

/**
 * Wires the Mockito fixtures shared by the LDAP group-mapping tests: a user lookup that
 * yields {@code getUserSearchResult()}, a group lookup that yields two groups named after
 * {@code testGroups[0]} and {@code testGroups[1]}, and a parent-group lookup that yields one
 * group named after {@code testParentGroups[2]} with a fixed DN.
 *
 * @throws NamingException declared because the stubbed JNDI calls declare it
 */
@Before
public void setupMocksBase() throws NamingException {
    MockitoAnnotations.initMocks(this);
    DirContext dirContext = getContext();
    doReturn(dirContext).when(groupsMapping).getDirContext();
    when(dirContext.search(Mockito.anyString(), Mockito.anyString(), Mockito.any(Object[].class), Mockito.any(SearchControls.class))).thenReturn(userNames);

    // The user enumeration is consulted once per test, so a single answer is enough
    when(userNames.hasMoreElements()).thenReturn(true);
    when(getUserNames().nextElement()).thenReturn(getUserSearchResult());
    when(getUserSearchResult().getAttributes()).thenReturn(getAttributes());

    // Two group iterations, served by one reused SearchResult answering group1 then group2
    SearchResult groupEntry = mock(SearchResult.class);
    when(groupNames.hasMoreElements()).thenReturn(true, true, false);
    when(groupNames.nextElement()).thenReturn(groupEntry);
    when(groupEntry.getAttributes()).thenReturn(cnAttributes(testGroups[0]), cnAttributes(testGroups[1]));

    // Exactly one group one level up, with its DN attached
    SearchResult parentGroupEntry = mock(SearchResult.class);
    when(parentGroupNames.hasMoreElements()).thenReturn(true, false);
    when(parentGroupNames.nextElement()).thenReturn(parentGroupEntry);
    when(parentGroupEntry.getAttributes()).thenReturn(cnAttributes(testParentGroups[2]));
    when(parentGroupEntry.getNameInNamespace()).thenReturn("CN=some_group,DC=test,DC=com");
}

/**
 * Builds an attribute set holding a single {@code cn} attribute with the given value.
 */
private static Attributes cnAttributes(String cn) {
    Attribute cnAttr = new BasicAttribute("cn");
    cnAttr.add(cn);
    Attributes attrs = new BasicAttributes();
    attrs.put(cnAttr);
    return attrs;
}
