use of org.exist.security.AXSchemaType in project exist by eXist-db.
the class LDAPRealm method createAccountInDatabase.
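/**
 * Creates a database account mirroring an LDAP user.
 *
 * The database writes run as the SYSTEM user via {@code executeAsSystemUser}; nothing in
 * this method verifies the user's LDAP credentials, so it must only be reached for a
 * {@code username} the caller has already authenticated.
 *
 * @param ctx              bound LDAP context used to resolve groups
 * @param username         account name to create in the database
 * @param ldapUser         the LDAP search result for that user (source of groups and metadata)
 * @param primaryGroupName name of the user's primary group, created in the database if missing
 * @return the newly stored account
 * @throws AuthenticationException wrapping any failure (with {@code UNNOWN_EXCEPTION} as the code)
 */
private Account createAccountInDatabase(final LdapContext ctx, final String username, final SearchResult ldapUser, final String primaryGroupName) throws AuthenticationException {
    try {
        return executeAsSystemUser(ctx, (ctx2, broker) -> {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Saving account '{}'.", username);
            }

            // get (or create) the primary group
            // NOTE(review): uses the outer `ctx` rather than the `ctx2` handed to the lambda,
            // unlike refreshAccountFromLdap; presumably the same context — confirm.
            final Group primaryGroup = getGroup(ctx, broker, primaryGroupName);

            final UserAider userAider = new UserAider(ID, username, primaryGroup);

            // secondary groups come straight from the directory's membership
            for (final Group memberOf_group : getGroupMembershipForLdapUser(ctx, broker, ldapUser)) {
                userAider.addGroup(memberOf_group);
            }

            // metadata values are copied verbatim from the configured LDAP attributes
            for (final SimpleEntry<AXSchemaType, String> metadata : getMetadataForLdapUser(ldapUser)) {
                userAider.setMetadataValue(metadata.getKey(), metadata.getValue());
            }

            return getSecurityManager().addAccount(userAider);
        });
    } catch (final Exception e) {
        // full details only at debug level; the caller sees a generic authentication failure
        if (LOG.isDebugEnabled()) {
            LOG.debug(e);
        }
        throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, e.getMessage(), e);
    }
}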
use of org.exist.security.AXSchemaType in project exist by eXist-db.
the class LDAPRealm method getMetadataForLdapUser.
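/**
 * Collects the metadata values configured for this realm from an LDAP user entry.
 *
 * For every {@link AXSchemaType} the search configuration maps to an LDAP attribute, the
 * attribute's first value is taken as-is ({@code toString()}); additional values of a
 * multi-valued attribute are ignored, and a binary attribute would yield an unhelpful
 * array string. Values are not sanitised here — they are whatever the directory holds.
 *
 * @param ldapUser the LDAP search result for the user
 * @return one (schema type, value) entry per configured attribute present on the entry;
 *         empty when the entry carries no attributes
 * @throws NamingException if reading an attribute value fails
 */
private List<SimpleEntry<AXSchemaType, String>> getMetadataForLdapUser(final SearchResult ldapUser) throws NamingException {
    final List<SimpleEntry<AXSchemaType, String>> metadata = new ArrayList<>();
    final LDAPSearchAccount searchAccount = ensureContextFactory().getSearch().getSearchAccount();

    final Attributes userAttributes = ldapUser.getAttributes();
    if (userAttributes == null) {
        return metadata;
    }

    for (final AXSchemaType axSchemaType : searchAccount.getMetadataSearchAttributeKeys()) {
        final String searchAttribute = searchAccount.getMetadataSearchAttribute(axSchemaType);
        final Attribute userAttribute = userAttributes.get(searchAttribute);

        // Attribute.get() throws NoSuchElementException on an attribute with no values,
        // so guard on size() rather than just on presence
        if (userAttribute == null || userAttribute.size() == 0) {
            continue;
        }
        final Object firstValue = userAttribute.get();
        if (firstValue == null) {
            continue;
        }
        metadata.add(new SimpleEntry<>(axSchemaType, firstValue.toString()));
    }
    return metadata;
}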
use of org.exist.security.AXSchemaType in project exist by eXist-db.
the class LDAPRealm method refreshAccountFromLdap.
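/**
 * Re-synchronises a database account's groups and metadata with LDAP.
 *
 * Only a DBA or the account's own subject (compared by id) may trigger this. The LDAP
 * lookup is done with a context bound for the invoking user; the database update then
 * runs as SYSTEM. LDAP is treated as authoritative: when the metadata differs, ALL existing
 * metadata on the account is cleared before the LDAP values are written, including entries
 * that did not originate from LDAP.
 *
 * @param account the account to refresh; its name is used for the LDAP lookup
 * @return the (possibly updated) account
 * @throws PermissionDeniedException if the invoking user is neither a DBA nor the account owner
 * @throws AuthenticationException   if the user is absent from LDAP or the sync fails
 */
public Account refreshAccountFromLdap(final Account account) throws PermissionDeniedException, AuthenticationException {
    final int UPDATE_NONE = 0;
    final int UPDATE_GROUP = 1;
    final int UPDATE_METADATA = 2;

    // authorization check, before any LDAP round-trip
    final Subject invokingUser = getSecurityManager().getCurrentSubject();
    if (!invokingUser.hasDbaRole() && invokingUser.getId() != account.getId()) {
        throw new PermissionDeniedException("You do not have permission to modify the account");
    }

    LdapContext ctx = null;
    try {
        ctx = getContext(invokingUser);
        final SearchResult ldapUser = findAccountByAccountName(ctx, account.getName());
        if (ldapUser == null) {
            throw new AuthenticationException(AuthenticationException.ACCOUNT_NOT_FOUND, "Could not find the account in the LDAP");
        }

        return executeAsSystemUser(ctx, (ctx2, broker) -> {
            int update = UPDATE_NONE;

            // 1) LDAP group membership, 2) LDAP primary group placed at index 0 — the
            //    comparison below assumes Account.getGroups() also lists the primary group first
            final List<Group> memberOf_groups = getGroupMembershipForLdapUser(ctx2, broker, ldapUser);
            final String primaryGroup = findGroupBySID(ctx2, getPrimaryGroupSID(ldapUser));
            memberOf_groups.add(0, getGroup(ctx2, broker, primaryGroup));
            if (groupsDiffer(account.getGroups(), primaryGroup, memberOf_groups)) {
                update |= UPDATE_GROUP;
            }

            // 3) metadata
            final List<SimpleEntry<AXSchemaType, String>> ldapMetadatas = getMetadataForLdapUser(ldapUser);
            if (metadataDiffers(account, ldapMetadatas)) {
                update |= UPDATE_METADATA;
            }

            if ((update & UPDATE_GROUP) == UPDATE_GROUP) {
                // The group list is written reflectively into the superclass' private
                // "groups" field (presumably no setter exists). This silently depends on
                // the field name and on reflective access being permitted.
                try {
                    final Field fld = account.getClass().getSuperclass().getDeclaredField("groups");
                    fld.setAccessible(true);
                    fld.set(account, memberOf_groups);
                } catch (final NoSuchFieldException | IllegalAccessException nsfe) {
                    throw new EXistException(nsfe.getMessage(), nsfe);
                }
            }

            if ((update & UPDATE_METADATA) == UPDATE_METADATA) {
                // wholesale replacement: anything not sourced from LDAP is lost here
                account.clearMetadata();
                for (final SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
                    account.setMetadataValue(ldapMetadata.getKey(), ldapMetadata.getValue());
                }
            }

            if (update != UPDATE_NONE) {
                final boolean updated = getSecurityManager().updateAccount(account);
                if (!updated) {
                    LOG.error("Could not update account");
                }
            }
            return account;
        });
    } catch (final NamingException | EXistException ne) {
        throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage(), ne);
    } finally {
        LdapUtils.closeContext(ctx);
    }
}

/**
 * Compares the account's group names with the LDAP groups (primary group first).
 * An account with no groups at all is reported as differing instead of throwing
 * ArrayIndexOutOfBoundsException on {@code accountGroups[0]}.
 *
 * @param accountGroups    group names currently on the account, primary group first
 * @param ldapPrimaryGroup name of the LDAP primary group
 * @param ldapGroups       LDAP groups with the primary group at index 0
 * @return true if the group lists differ in primary group, size, or membership
 */
private boolean groupsDiffer(final String[] accountGroups, final String ldapPrimaryGroup, final List<Group> ldapGroups) {
    if (accountGroups == null || accountGroups.length == 0) {
        return true;
    }
    if (!accountGroups[0].equals(ensureCase(ldapPrimaryGroup))) {
        return true;
    }
    if (accountGroups.length != ldapGroups.size()) {
        return true;
    }
    for (final String accountGroup : accountGroups) {
        boolean found = false;
        for (final Group ldapGroup : ldapGroups) {
            if (accountGroup.equals(ensureCase(ldapGroup.getName()))) {
                found = true;
                break;
            }
        }
        if (!found) {
            return true;
        }
    }
    return false;
}

/**
 * Compares the account's metadata with the LDAP-derived metadata, key and value.
 * A key on the account whose value is {@code null} never matches (the original compare
 * would have thrown NullPointerException there).
 *
 * @param account       account whose metadata is inspected
 * @param ldapMetadatas (schema type, value) entries read from LDAP
 * @return true if the sets differ in size or any account entry has no exact LDAP counterpart
 */
private boolean metadataDiffers(final Account account, final List<SimpleEntry<AXSchemaType, String>> ldapMetadatas) {
    final Set<SchemaType> accountMetadataKeys = account.getMetadataKeys();
    if (accountMetadataKeys.size() != ldapMetadatas.size()) {
        return true;
    }
    for (final SchemaType accountMetadataKey : accountMetadataKeys) {
        final String accountMetadataValue = account.getMetadataValue(accountMetadataKey);
        boolean found = false;
        for (final SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
            if (accountMetadataKey.equals(ldapMetadata.getKey())
                    && accountMetadataValue != null
                    && accountMetadataValue.equals(ldapMetadata.getValue())) {
                found = true;
                break;
            }
        }
        if (!found) {
            return true;
        }
    }
    return false;
}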
use of org.exist.security.AXSchemaType in project exist by eXist-db.
the class GetPrincipalMetadataFunction method getPrincipalMetadata.
/**
 * Looks up one metadata value of a principal by the namespace of its schema type.
 *
 * The namespace is resolved first against {@link AXSchemaType}, then against
 * {@link EXistSchemaType}; an unknown namespace, a missing value or an empty string
 * all yield the empty sequence.
 *
 * @param principal                  the account or group to read from
 * @param metadataAttributeNamespace namespace URI identifying the metadata key
 * @return the value as a single string item, or {@code Sequence.EMPTY_SEQUENCE}
 */
private Sequence getPrincipalMetadata(final Principal principal, final String metadataAttributeNamespace) {
    final AXSchemaType axType = AXSchemaType.valueOfNamespace(metadataAttributeNamespace);
    if (axType != null) {
        return asSequence(principal.getMetadataValue(axType));
    }

    final EXistSchemaType existType = EXistSchemaType.valueOfNamespace(metadataAttributeNamespace);
    if (existType != null) {
        return asSequence(principal.getMetadataValue(existType));
    }

    return Sequence.EMPTY_SEQUENCE;
}

/** Wraps a metadata value as a string item; null or empty becomes the empty sequence. */
private static Sequence asSequence(final String metadataValue) {
    if (metadataValue == null || metadataValue.isEmpty()) {
        return Sequence.EMPTY_SEQUENCE;
    }
    return new StringValue(metadataValue);
}