Example 1 with AXSchemaType

Use of org.exist.security.AXSchemaType in project exist by eXist-db.

The class LDAPRealm, method createAccountInDatabase.

private Account createAccountInDatabase(final LdapContext ctx, final String username, final SearchResult ldapUser, final String primaryGroupName) throws AuthenticationException {
    try {
        return executeAsSystemUser(ctx, (ctx2, broker) -> {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Saving account '{}'.", username);
            }
            // get (or create) the primary group if it doesn't exist
            final Group primaryGroup = getGroup(ctx, broker, primaryGroupName);
            // get (or create) member groups
            /*LDAPSearchContext search = ensureContextFactory().getSearch();
                    String userDistinguishedName = (String)ldapUser.getAttributes().get(search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.DN)).get();
                    List<String> memberOf_groupNames = findGroupnamesForUserDistinguishedName(invokingUser, userDistinguishedName);

                    List<Group> memberOf_groups = new ArrayList<Group>();
                    for(String memberOf_groupName : memberOf_groupNames) {
                        memberOf_groups.add(getGroup(invokingUser, memberOf_groupName));
                    }*/
            // create the user account
            final UserAider userAider = new UserAider(ID, username, primaryGroup);
            // add the member groups
            for (final Group memberOf_group : getGroupMembershipForLdapUser(ctx, broker, ldapUser)) {
                userAider.addGroup(memberOf_group);
            }
            // store any requested metadata
            for (final SimpleEntry<AXSchemaType, String> metadata : getMetadataForLdapUser(ldapUser)) {
                userAider.setMetadataValue(metadata.getKey(), metadata.getValue());
            }
            final Account account = getSecurityManager().addAccount(userAider);
            return account;
        });
    } catch (final Exception e) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(e);
        }
        throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, e.getMessage(), e);
    }
}
Also used : Group(org.exist.security.Group) Account(org.exist.security.Account) AbstractAccount(org.exist.security.AbstractAccount) AuthenticationException(org.exist.security.AuthenticationException) UserAider(org.exist.security.internal.aider.UserAider) NamingException(javax.naming.NamingException) PermissionDeniedException(org.exist.security.PermissionDeniedException) EXistException(org.exist.EXistException) AuthenticationException(org.exist.security.AuthenticationException) AXSchemaType(org.exist.security.AXSchemaType)

Example 2 with AXSchemaType

Use of org.exist.security.AXSchemaType in project exist by eXist-db.

The class LDAPRealm, method getMetadataForLdapUser.

private List<SimpleEntry<AXSchemaType, String>> getMetadataForLdapUser(final SearchResult ldapUser) throws NamingException {
    final List<SimpleEntry<AXSchemaType, String>> metadata = new ArrayList<>();
    final LDAPSearchAccount searchAccount = ensureContextFactory().getSearch().getSearchAccount();
    final Attributes userAttributes = ldapUser.getAttributes();
    // store any requested metadata
    for (final AXSchemaType axSchemaType : searchAccount.getMetadataSearchAttributeKeys()) {
        final String searchAttribute = searchAccount.getMetadataSearchAttribute(axSchemaType);
        if (userAttributes != null) {
            final Attribute userAttribute = userAttributes.get(searchAttribute);
            if (userAttribute != null) {
                final String attributeValue = userAttribute.get().toString();
                metadata.add(new SimpleEntry<>(axSchemaType, attributeValue));
            }
        }
    }
    return metadata;
}
Also used : Attribute(javax.naming.directory.Attribute) SimpleEntry(java.util.AbstractMap.SimpleEntry) ArrayList(java.util.ArrayList) Attributes(javax.naming.directory.Attributes) AXSchemaType(org.exist.security.AXSchemaType)

Example 3 with AXSchemaType

Use of org.exist.security.AXSchemaType in project exist by eXist-db.

The class LDAPRealm, method refreshAccountFromLdap.

public Account refreshAccountFromLdap(final Account account) throws PermissionDeniedException, AuthenticationException {
    final int UPDATE_NONE = 0;
    final int UPDATE_GROUP = 1;
    final int UPDATE_METADATA = 2;
    final Subject invokingUser = getSecurityManager().getCurrentSubject();
    if (!invokingUser.hasDbaRole() && invokingUser.getId() != account.getId()) {
        throw new PermissionDeniedException("You do not have permission to modify the account");
    }
    LdapContext ctx = null;
    try {
        ctx = getContext(invokingUser);
        final SearchResult ldapUser = findAccountByAccountName(ctx, account.getName());
        if (ldapUser == null) {
            throw new AuthenticationException(AuthenticationException.ACCOUNT_NOT_FOUND, "Could not find the account in the LDAP");
        }
        return executeAsSystemUser(ctx, (ctx2, broker) -> {
            int update = UPDATE_NONE;
            // 1) get the ldap group membership
            final List<Group> memberOf_groups = getGroupMembershipForLdapUser(ctx2, broker, ldapUser);
            // 2) get the ldap primary group
            final String primaryGroup = findGroupBySID(ctx2, getPrimaryGroupSID(ldapUser));
            // append the ldap primaryGroup to the head of the ldap group list, and compare
            // to the account group list
            memberOf_groups.add(0, getGroup(ctx2, broker, primaryGroup));
            final String[] accountGroups = account.getGroups();
            if (!accountGroups[0].equals(ensureCase(primaryGroup))) {
                update |= UPDATE_GROUP;
            } else {
                if (accountGroups.length != memberOf_groups.size()) {
                    update |= UPDATE_GROUP;
                } else {
                    for (final String accountGroup : accountGroups) {
                        boolean found = false;
                        for (final Group memberOf_group : memberOf_groups) {
                            if (accountGroup.equals(ensureCase(memberOf_group.getName()))) {
                                found = true;
                                break;
                            }
                        }
                        if (!found) {
                            update |= UPDATE_GROUP;
                            break;
                        }
                    }
                }
            }
            // 3) check metadata
            final List<SimpleEntry<AXSchemaType, String>> ldapMetadatas = getMetadataForLdapUser(ldapUser);
            final Set<SchemaType> accountMetadataKeys = account.getMetadataKeys();
            if (accountMetadataKeys.size() != ldapMetadatas.size()) {
                update |= UPDATE_METADATA;
            } else {
                for (SchemaType accountMetadataKey : accountMetadataKeys) {
                    final String accountMetadataValue = account.getMetadataValue(accountMetadataKey);
                    boolean found = false;
                    for (SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
                        if (accountMetadataKey.equals(ldapMetadata.getKey()) && accountMetadataValue.equals(ldapMetadata.getValue())) {
                            found = true;
                            break;
                        }
                    }
                    if (!found) {
                        update |= UPDATE_METADATA;
                        break;
                    }
                }
            }
            // update the groups?
            if ((update & UPDATE_GROUP) == UPDATE_GROUP) {
                try {
                    final Field fld = account.getClass().getSuperclass().getDeclaredField("groups");
                    fld.setAccessible(true);
                    fld.set(account, memberOf_groups);
                } catch (final NoSuchFieldException | IllegalAccessException nsfe) {
                    throw new EXistException(nsfe.getMessage(), nsfe);
                }
            }
            // update the metadata?
            if ((update & UPDATE_METADATA) == UPDATE_METADATA) {
                account.clearMetadata();
                for (final SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
                    account.setMetadataValue(ldapMetadata.getKey(), ldapMetadata.getValue());
                }
            }
            if (update != UPDATE_NONE) {
                final boolean updated = getSecurityManager().updateAccount(account);
                if (!updated) {
                    LOG.error("Could not update account");
                }
            }
            return account;
        });
    } catch (final NamingException | EXistException ne) {
        throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage(), ne);
    } finally {
        LdapUtils.closeContext(ctx);
    }
}
Also used : Group(org.exist.security.Group) AuthenticationException(org.exist.security.AuthenticationException) SimpleEntry(java.util.AbstractMap.SimpleEntry) SearchResult(javax.naming.directory.SearchResult) EXistException(org.exist.EXistException) Subject(org.exist.security.Subject) SchemaType(org.exist.security.SchemaType) AXSchemaType(org.exist.security.AXSchemaType) Field(java.lang.reflect.Field) PermissionDeniedException(org.exist.security.PermissionDeniedException) NamingException(javax.naming.NamingException) LdapContext(javax.naming.ldap.LdapContext) AXSchemaType(org.exist.security.AXSchemaType)

Example 4 with AXSchemaType

Use of org.exist.security.AXSchemaType in project exist by eXist-db.

The class GetPrincipalMetadataFunction, method getPrincipalMetadata.

private Sequence getPrincipalMetadata(final Principal principal, final String metadataAttributeNamespace) {
    final AXSchemaType axSchemaType = AXSchemaType.valueOfNamespace(metadataAttributeNamespace);
    String metadataValue = null;
    if (axSchemaType != null) {
        metadataValue = principal.getMetadataValue(axSchemaType);
    } else {
        final EXistSchemaType exSchemaType = EXistSchemaType.valueOfNamespace(metadataAttributeNamespace);
        if (exSchemaType != null) {
            metadataValue = principal.getMetadataValue(exSchemaType);
        }
    }
    if (metadataValue == null || metadataValue.isEmpty()) {
        return Sequence.EMPTY_SEQUENCE;
    } else {
        return new StringValue(metadataValue);
    }
}
Also used : EXistSchemaType(org.exist.security.EXistSchemaType) StringValue(org.exist.xquery.value.StringValue) AXSchemaType(org.exist.security.AXSchemaType)

Aggregations

AXSchemaType (org.exist.security.AXSchemaType) 4
SimpleEntry (java.util.AbstractMap.SimpleEntry) 2
NamingException (javax.naming.NamingException) 2
EXistException (org.exist.EXistException) 2
AuthenticationException (org.exist.security.AuthenticationException) 2
Group (org.exist.security.Group) 2
PermissionDeniedException (org.exist.security.PermissionDeniedException) 2
Field (java.lang.reflect.Field) 1
ArrayList (java.util.ArrayList) 1
Attribute (javax.naming.directory.Attribute) 1
Attributes (javax.naming.directory.Attributes) 1
SearchResult (javax.naming.directory.SearchResult) 1
LdapContext (javax.naming.ldap.LdapContext) 1
AbstractAccount (org.exist.security.AbstractAccount) 1
Account (org.exist.security.Account) 1
EXistSchemaType (org.exist.security.EXistSchemaType) 1
SchemaType (org.exist.security.SchemaType) 1
Subject (org.exist.security.Subject) 1
UserAider (org.exist.security.internal.aider.UserAider) 1
StringValue (org.exist.xquery.value.StringValue) 1