use of org.exist.security.AuthenticationException in project exist by eXist-db.
the class AccountFunctions method eval.
@Override
public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
final SecurityManager sm = context.getBroker().getBrokerPool().getSecurityManager();
final LDAPRealm ldapRealm = getLdapRealm(sm);
final String accountName = args[0].itemAt(0).getStringValue();
final Account ldapAccount = sm.getAccount(accountName);
if (ldapAccount == null)
throw new XPathException("The Account '" + accountName + "' does not exist!");
try {
ldapRealm.refreshAccountFromLdap(ldapAccount);
} catch (final PermissionDeniedException | AuthenticationException pde) {
throw new XPathException(this, pde);
}
return Sequence.EMPTY_SEQUENCE;
}
use of org.exist.security.AuthenticationException in project exist by eXist-db.
the class LDAPRealm method getAccount.
private synchronized Account getAccount(final LdapContext ctx, String name) {
name = ensureCase(name);
if (LOG.isDebugEnabled()) {
LOG.debug("Get request for account '{}'.", name);
}
// first attempt to get the cached account
final Account acct = super.getAccount(name);
if (acct != null) {
if (LOG.isDebugEnabled()) {
LOG.debug("Cached used.");
}
// XXX: synchronize with LDAP
return acct;
} else {
// if the account is not cached, we should try and find it in LDAP and cache it if it exists
try {
// do the lookup
final SearchResult ldapUser = findAccountByAccountName(ctx, name);
if (LOG.isDebugEnabled()) {
LOG.debug("LDAP search return '{}'.", ldapUser);
}
if (ldapUser == null) {
return null;
} else {
// found a user from ldap so cache them and return
try {
final String primaryGroupSID = getPrimaryGroupSID(ldapUser);
final String primaryGroup = findGroupBySID(ctx, primaryGroupSID);
if (LOG.isDebugEnabled()) {
LOG.debug("LDAP search for primary group by SID '{}', found '{}'.", primaryGroupSID, primaryGroup);
}
if (primaryGroup == null) {
// or exception?
return null;
}
return createAccountInDatabase(ctx, name, ldapUser, ensureCase(primaryGroup));
// registerAccount(acct); //TODO do we need this
} catch (final AuthenticationException ae) {
LOG.error(ae.getMessage(), ae);
return null;
}
}
} catch (final NamingException ne) {
if (LOG.isDebugEnabled()) {
LOG.debug(ne.getMessage(), ne);
}
// LOG.error(new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage()));
return null;
}
}
}
use of org.exist.security.AuthenticationException in project exist by eXist-db.
the class LDAPRealm method findAllGroupMembers.
@Override
public List<String> findAllGroupMembers(final String groupName) {
final String name = escapeSearchAttribute(ensureCase(groupName));
final List<String> groupMembers = new ArrayList<>();
if (!checkGroupRestrictionList(name)) {
return groupMembers;
}
LdapContext ctx = null;
try {
ctx = getContext(getSecurityManager().getCurrentSubject());
// find the dn of the group
SearchResult searchResult = findGroupByGroupName(ctx, removeDomainPostfix(name));
if (searchResult == null) {
// no such group
return groupMembers;
}
final LDAPSearchContext search = ensureContextFactory().getSearch();
final String dnGroup = (String) searchResult.getAttributes().get(search.getSearchGroup().getSearchAttribute(LDAPSearchAttributeKey.DN)).get();
// find all accounts that are a member of the group
final SearchAttribute sa = new SearchAttribute(search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.MEMBER_OF), escapeSearchAttribute(dnGroup));
final String searchFilter = buildSearchFilter(search.getSearchAccount().getSearchFilterPrefix(), sa);
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchControls.setReturningAttributes(new String[] { search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.NAME) });
final NamingEnumeration<SearchResult> results = ctx.search(search.getBase(), searchFilter, searchControls);
while (results.hasMoreElements()) {
searchResult = results.nextElement();
final String member = ensureCase(addDomainPostfix((String) searchResult.getAttributes().get(search.getSearchAccount().getSearchAttribute(LDAPSearchAttributeKey.NAME)).get()));
if (checkAccountRestrictionList(member)) {
groupMembers.add(member);
}
}
} catch (final NamingException ne) {
LOG.error(new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage()));
} finally {
if (ctx != null) {
LdapUtils.closeContext(ctx);
}
}
return groupMembers;
}
use of org.exist.security.AuthenticationException in project exist by eXist-db.
the class LDAPRealm method findGroupnamesForUserDistinguishedName.
private List<String> findGroupnamesForUserDistinguishedName(final LdapContext ctx, final String userDistinguishedName) {
final List<String> groupnames = new ArrayList<>();
try {
final LDAPSearchContext search = ensureContextFactory().getSearch();
final SearchAttribute sa = new SearchAttribute(search.getSearchGroup().getSearchAttribute(LDAPSearchAttributeKey.MEMBER), escapeSearchAttribute(userDistinguishedName));
final String searchFilter = buildSearchFilter(search.getSearchGroup().getSearchFilterPrefix(), sa);
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchControls.setReturningAttributes(new String[] { search.getSearchGroup().getSearchAttribute(LDAPSearchAttributeKey.NAME) });
final NamingEnumeration<SearchResult> results = ctx.search(search.getAbsoluteBase(), searchFilter, searchControls);
while (results.hasMoreElements()) {
final SearchResult searchResult = results.nextElement();
final String groupname = ensureCase(addDomainPostfix((String) searchResult.getAttributes().get(search.getSearchGroup().getSearchAttribute(LDAPSearchAttributeKey.NAME)).get()));
if (checkGroupRestrictionList(groupname)) {
groupnames.add(groupname);
}
}
} catch (final NamingException ne) {
LOG.error(new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage()));
}
return groupnames;
}
use of org.exist.security.AuthenticationException in project exist by eXist-db.
the class LDAPRealm method refreshAccountFromLdap.
public Account refreshAccountFromLdap(final Account account) throws PermissionDeniedException, AuthenticationException {
final int UPDATE_NONE = 0;
final int UPDATE_GROUP = 1;
final int UPDATE_METADATA = 2;
final Subject invokingUser = getSecurityManager().getCurrentSubject();
if (!invokingUser.hasDbaRole() && invokingUser.getId() != account.getId()) {
throw new PermissionDeniedException("You do not have permission to modify the account");
}
LdapContext ctx = null;
try {
ctx = getContext(invokingUser);
final SearchResult ldapUser = findAccountByAccountName(ctx, account.getName());
if (ldapUser == null) {
throw new AuthenticationException(AuthenticationException.ACCOUNT_NOT_FOUND, "Could not find the account in the LDAP");
}
return executeAsSystemUser(ctx, (ctx2, broker) -> {
int update = UPDATE_NONE;
// 1) get the ldap group membership
final List<Group> memberOf_groups = getGroupMembershipForLdapUser(ctx2, broker, ldapUser);
// 2) get the ldap primary group
final String primaryGroup = findGroupBySID(ctx2, getPrimaryGroupSID(ldapUser));
// append the ldap primaryGroup to the head of the ldap group list, and compare
// to the account group list
memberOf_groups.add(0, getGroup(ctx2, broker, primaryGroup));
final String[] accountGroups = account.getGroups();
if (!accountGroups[0].equals(ensureCase(primaryGroup))) {
update |= UPDATE_GROUP;
} else {
if (accountGroups.length != memberOf_groups.size()) {
update |= UPDATE_GROUP;
} else {
for (final String accountGroup : accountGroups) {
boolean found = false;
for (final Group memberOf_group : memberOf_groups) {
if (accountGroup.equals(ensureCase(memberOf_group.getName()))) {
found = true;
break;
}
}
if (!found) {
update |= UPDATE_GROUP;
break;
}
}
}
}
// 3) check metadata
final List<SimpleEntry<AXSchemaType, String>> ldapMetadatas = getMetadataForLdapUser(ldapUser);
final Set<SchemaType> accountMetadataKeys = account.getMetadataKeys();
if (accountMetadataKeys.size() != ldapMetadatas.size()) {
update |= UPDATE_METADATA;
} else {
for (SchemaType accountMetadataKey : accountMetadataKeys) {
final String accountMetadataValue = account.getMetadataValue(accountMetadataKey);
boolean found = false;
for (SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
if (accountMetadataKey.equals(ldapMetadata.getKey()) && accountMetadataValue.equals(ldapMetadata.getValue())) {
found = true;
break;
}
}
if (!found) {
update |= UPDATE_METADATA;
break;
}
}
}
// update the groups?
if ((update & UPDATE_GROUP) == UPDATE_GROUP) {
try {
final Field fld = account.getClass().getSuperclass().getDeclaredField("groups");
fld.setAccessible(true);
fld.set(account, memberOf_groups);
} catch (final NoSuchFieldException | IllegalAccessException nsfe) {
throw new EXistException(nsfe.getMessage(), nsfe);
}
}
// update the metdata?
if ((update & UPDATE_METADATA) == UPDATE_METADATA) {
account.clearMetadata();
for (final SimpleEntry<AXSchemaType, String> ldapMetadata : ldapMetadatas) {
account.setMetadataValue(ldapMetadata.getKey(), ldapMetadata.getValue());
}
}
if (update != UPDATE_NONE) {
final boolean updated = getSecurityManager().updateAccount(account);
if (!updated) {
LOG.error("Could not update account");
}
}
return account;
});
} catch (final NamingException | EXistException ne) {
throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, ne.getMessage(), ne);
} finally {
LdapUtils.closeContext(ctx);
}
}
Aggregations