
Example 6 with LdapUser

use of opengrok.auth.entity.LdapUser in project OpenGrok by OpenGrok.

the class LdapAttrPluginTest method testAttrLookup.

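/**
 * Test the interaction between {@code LdapUserPlugin} and {@code LdapAttrPlugin}. Namely:
 * <ul>
 *     <li>use of DN from the {@code LdapUser} object cached in the session by {@code LdapUserPlugin}</li>
 *     <li>configuration of the cached session attribute name via {@code INSTANCE_PARAM}</li>
 * </ul>
 * The LDAP provider is mocked, so no LDAP server is contacted: the mock answers any
 * {@code lookupLdapContent(String, String[])} call with a single {@code mail} attribute value.
 * The test passes only if {@code whitelistFile} lists that value.
 *
 * @throws LdapException declared by the plugin API; not expected with the mocked provider
 */
@Test
void testAttrLookup() throws LdapException {
    final String attrToGet = "mail";
    final String instanceNum = "42";
    final String mailAttrValue = "james@bond.com";
    final String dn = "cn=FOO_BAR,L=EMEA,DC=FOO,DC=COM";

    // Mock LDAP provider standing in for the LDAP server behind LdapAttrPlugin#fillSession().
    AbstractLdapProvider mockProvider = mock(LdapFacade.class);
    Map<String, Set<String>> attrs = new HashMap<>();
    attrs.put(attrToGet, Collections.singleton(mailAttrValue));
    AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> result =
            new AbstractLdapProvider.LdapSearchResult<>(dn, attrs);
    when(mockProvider.lookupLdapContent(anyString(), any(String[].class))).thenReturn(result);

    // Load the LdapAttrPlugin using the mock LDAP provider. INSTANCE_PARAM selects which
    // LdapUserPlugin session attribute the plugin reads the cached LdapUser from.
    LdapAttrPlugin plugin = new LdapAttrPlugin();
    Map<String, Object> parameters = new TreeMap<>();
    parameters.put(LdapAttrPlugin.FILE_PARAM, whitelistFile.getAbsolutePath());
    parameters.put(LdapAttrPlugin.ATTR_PARAM, attrToGet);
    parameters.put(LdapAttrPlugin.INSTANCE_PARAM, instanceNum);
    plugin.load(parameters, mockProvider);

    // Seed the session with the LdapUser that LdapUserPlugin would have cached: DN only, no attributes,
    // so the plugin is forced to go through the (mocked) provider.
    LdapUser ldapUser = new LdapUser(dn, null);
    HttpServletRequest request = new DummyHttpServletRequestLdap();
    request.getSession().setAttribute(LdapUserPlugin.SESSION_ATTR + instanceNum, ldapUser);

    // Here it comes all together.
    User user = new User("jbond", "007");
    plugin.fillSession(request, user);

    // The plugin must have marked the session as allowed and cached the looked-up
    // attribute value on the LdapUser object it found in the session.
    assertTrue((Boolean) request.getSession().getAttribute(plugin.getSessionAllowedAttrName()));
    assertTrue(ldapUser.getAttribute(attrToGet).contains(mailAttrValue));
}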

Example 7 with LdapUser

use of opengrok.auth.entity.LdapUser in project OpenGrok by OpenGrok.

the class LdapAttrPlugin method fillSession.

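/**
 * Authorizes the request by checking one LDAP attribute of the user against the whitelist.
 * <p>
 * The session is first marked as denied (fail closed); it is flipped to allowed only when at least
 * one value of {@code ldapAttr} is contained in {@code whitelist}. The attribute values are taken
 * from the {@code LdapUser} cached in the session by {@code LdapUserPlugin}; when the cached object
 * does not carry the attribute yet, it is looked up on the LDAP provider by the user's DN and then
 * cached on the {@code LdapUser} object.
 *
 * @param req request whose session carries the {@code LdapUser} and receives the allowed/denied flag
 * @param user the user being authorized (used for logging only)
 * @throws AuthorizationException if the LDAP lookup fails with {@code LdapException}
 */
@Override
public void fillSession(HttpServletRequest req, User user) {
    // Deny first; every early return below therefore leaves the session in the denied state.
    updateSession(req, false);

    // NOTE(review): the cast assumes only LdapUserPlugin writes this session attribute — confirm.
    LdapUser ldapUser = (LdapUser) req.getSession().getAttribute(LdapUserPlugin.getSessionAttrName(ldapUserInstance));
    if (ldapUser == null) {
        LOGGER.log(Level.WARNING, "cannot get {0} attribute from {1}", new Object[] { LdapUserPlugin.SESSION_ATTR, user });
        return;
    }

    // Check attributes cached in LDAP user object first, then query LDAP server
    // (and if found, cache the result in the LDAP user object).
    Set<String> attributeValues = ldapUser.getAttribute(ldapAttr);
    if (attributeValues == null) {
        attributeValues = lookupAttributeValues(ldapUser);
        if (attributeValues == null) {
            return;
        }
        ldapUser.setAttribute(ldapAttr, attributeValues);
    }

    boolean isAttrInWhitelist = attributeValues.stream().anyMatch(whitelist::contains);
    LOGGER.log(Level.FINEST, "LDAP user {0} {1} against {2}", new Object[] { ldapUser, isAttrInWhitelist ? "allowed" : "denied", filePath });
    updateSession(req, isAttrInWhitelist);
}

/**
 * Queries the LDAP provider for the values of {@code ldapAttr} of the given user, searching by DN.
 *
 * @param ldapUser cached LDAP user; its DN selects the entry to read
 * @return the attribute values, or {@code null} when the user has no DN, the lookup returned
 *         nothing, or the entry carries no value for {@code ldapAttr} (each case is logged)
 * @throws AuthorizationException if the provider throws {@code LdapException}
 */
private Set<String> lookupAttributeValues(LdapUser ldapUser) {
    AbstractLdapProvider ldapProvider = getLdapProvider();
    Map<String, Set<String>> records = null;
    try {
        String dn = ldapUser.getDn();
        if (dn != null) {
            LOGGER.log(Level.FINEST, "searching with dn={0} on {1}", new Object[] { dn, ldapProvider });
            // Request only the one attribute this plugin decides on.
            AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res =
                    ldapProvider.lookupLdapContent(dn, new String[] { ldapAttr });
            if (res == null) {
                LOGGER.log(Level.WARNING, "cannot lookup attributes {0} for user {1} on {2}", new Object[] { ldapAttr, ldapUser, ldapProvider });
                return null;
            }
            records = res.getAttrs();
        } else {
            LOGGER.log(Level.FINE, "no DN for LDAP user {0} on {1}", new Object[] { ldapUser, ldapProvider });
        }
    } catch (LdapException ex) {
        throw new AuthorizationException(ex);
    }

    Set<String> attributeValues = (records == null || records.isEmpty()) ? null : records.get(ldapAttr);
    if (attributeValues == null) {
        LOGGER.log(Level.WARNING, "empty records or attribute values {0} for user {1} on {2}", new Object[] { ldapAttr, ldapUser, ldapProvider });
        return null;
    }
    return attributeValues;
}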

Example 8 with LdapUser

use of opengrok.auth.entity.LdapUser in project OpenGrok by OpenGrok.

the class LdapFilterPlugin method fillSession.

/**
 * Authorizes the request by running the configured LDAP filter for the cached LDAP user.
 * <p>
 * The session is marked as denied up front; it becomes allowed only when the expanded filter
 * matches at least one entry on the LDAP provider. A missing cached {@code LdapUser} or an empty
 * search result leaves the session denied.
 *
 * @param req request whose session holds the {@code LdapUser} cached by {@code LdapUserPlugin}
 * @param user the user being authorized; its values may be substituted into the filter
 * @throws AuthorizationException if the LDAP lookup throws {@code LdapException}
 */
@Override
public void fillSession(HttpServletRequest req, User user) {
    updateSession(req, false);

    Object cached = req.getSession().getAttribute(getSessionAttr());
    if (cached == null) {
        LOGGER.log(Level.WARNING, "failed to get LDAP attribute ''{0}'' from session for user {1}", new Object[] { LdapUserPlugin.SESSION_ATTR, user });
        return;
    }
    LdapUser ldapUser = (LdapUser) cached;

    // NOTE(review): the filter is built from user-derived values; assumes expandFilter() escapes
    // LDAP filter metacharacters before substituting them — confirm in expandFilter.
    String expandedFilter = expandFilter(ldapFilter, ldapUser, user);
    LOGGER.log(Level.FINEST, "expanded filter ''{0}'' for user {1} and LDAP user {2} into ''{3}''", new Object[] { ldapFilter, user, ldapUser, expandedFilter });

    AbstractLdapProvider ldapProvider = getLdapProvider();
    boolean matched;
    try {
        matched = ldapProvider.lookupLdapContent(null, expandedFilter) != null;
    } catch (LdapException ex) {
        throw new AuthorizationException(ex);
    }
    if (!matched) {
        LOGGER.log(Level.FINER, "empty content for LDAP user {0} with filter ''{1}'' on {2}", new Object[] { ldapUser, expandedFilter, ldapProvider });
        return;
    }

    LOGGER.log(Level.FINER, "LDAP user {0} allowed on {1}", new Object[] { ldapUser, ldapProvider });
    updateSession(req, true);
}

Example 9 with LdapUser

use of opengrok.auth.entity.LdapUser in project OpenGrok by OpenGrok.

the class LdapUserPlugin method fillSession.

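/**
 * Resolves the LDAP entry for the authenticated user and caches it in the session as an {@code LdapUser}.
 * <p>
 * The session attribute is cleared first, so most failure paths leave no {@code LdapUser} for the
 * downstream plugins. A lookup that returns nothing instead stores an {@code LdapUser} carrying
 * {@code NEGATIVE_CACHE_ATTR} (presumably so later requests in the session skip the lookup).
 * The entry is located either by DN (when {@code useDN} is true the username is used as the DN)
 * or by the expanded {@code ldapFilter}; only the attributes named in {@code attrSet} are requested.
 *
 * @param req request whose session receives the {@code LdapUser}
 * @param user the authenticated user; supplies the DN or the values substituted into the filter
 * @throws AuthorizationException if the LDAP provider throws {@code LdapException}
 */
@Override
public void fillSession(HttpServletRequest req, User user) {
    updateSession(req, null);
    if (getLdapProvider() == null) {
        LOGGER.log(Level.WARNING, "cannot get LDAP provider");
        return;
    }

    // NOTE(review): useDN is a Boolean; when it is null neither the username nor the search result
    // supplies the DN, so the cached LdapUser ends up with a null DN — confirm that is intended.
    String dn = null;
    if (Boolean.TRUE.equals(useDN)) {
        dn = user.getUsername();
        LOGGER.log(Level.FINEST, "using DN ''{0}'' for user {1}", new Object[] { dn, user });
    }

    String expandedFilter = null;
    if (ldapFilter != null) {
        // NOTE(review): assumes expandFilter() escapes user-derived values before substituting
        // them into the filter — confirm.
        expandedFilter = expandFilter(user);
        LOGGER.log(Level.FINEST, "expanded filter for user {0} into ''{1}''", new Object[] { user, expandedFilter });
    }

    AbstractLdapProvider ldapProvider = getLdapProvider();
    Map<String, Set<String>> records;
    try {
        AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res =
                ldapProvider.lookupLdapContent(dn, expandedFilter, attrSet.toArray(new String[0]));
        if (res == null) {
            LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} with filter ''{1}'' from LDAP provider {3}", new Object[] { user, expandedFilter, attrSet, getLdapProvider() });
            // Negative-cache marker: an LdapUser without attributes, flagged by NEGATIVE_CACHE_ATTR.
            LdapUser ldapUser = new LdapUser(dn, null);
            ldapUser.setAttribute(NEGATIVE_CACHE_ATTR, Collections.singleton(null));
            updateSession(req, ldapUser);
            return;
        }
        records = res.getAttrs();
        if (Boolean.FALSE.equals(useDN)) {
            // Searching by filter: the DN comes from the entry that matched.
            dn = res.getDN();
            LOGGER.log(Level.FINEST, "got DN ''{0}'' for user {1}", new Object[] { dn, user });
        }
    } catch (LdapException ex) {
        throw new AuthorizationException(ex);
    }

    if (records.isEmpty()) {
        LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty on {1}", new Object[] { user, ldapProvider });
        return;
    }

    // Copy only the configured attributes; a missing or empty one is logged but still stored as-is
    // (null or empty set), so downstream plugins see the same keys regardless.
    Map<String, Set<String>> userAttrSet = new HashMap<>();
    for (String attrName : attrSet) {
        Set<String> values = records.get(attrName);
        if (values == null || values.isEmpty()) {
            LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty on {2}", new Object[] { attrName, user, ldapProvider });
        }
        userAttrSet.put(attrName, values);
    }

    LOGGER.log(Level.FINEST, "DN for user {0} is ''{1}'' on {2}", new Object[] { user, dn, ldapProvider });
    updateSession(req, new LdapUser(dn, userAttrSet));
}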
