
Example 1 with UserDetails

Use of org.graylog.security.authservice.UserDetails in the graylog2-server project by Graylog2.

The method authenticateAndProvision of class ADAuthServiceBackend.

/**
 * Authenticates the supplied credentials against Active Directory and provisions the matching user.
 *
 * <p>The result is empty (not an exception) when no connection could be opened, when the user is
 * not found, when the AD account is disabled, or when the bind with the supplied credentials fails.
 * All of these outcomes look identical to the caller; the distinguishing detail goes to the log
 * only, so the logs are the place to look when diagnosing failed logins.
 *
 * @param authCredentials    the username/password to verify; when {@code isAuthenticated()} is
 *                           already true the bind step is skipped (presumably because an upstream
 *                           component verified the credentials — confirm with callers)
 * @param provisionerService used to build and persist the {@link UserDetails} for the user
 * @return the provisioned authentication details, or empty if authentication did not succeed
 * @throws AuthenticationServiceUnavailableException if the TLS setup or the directory access fails
 */
@Override
public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCredentials authCredentials, ProvisionerService provisionerService) {
    try (final LDAPConnection ldap = ldapConnector.connect(config.getLDAPConnectorConfig())) {
        if (ldap == null) {
            return Optional.empty();
        }

        final Optional<LDAPUser> lookup = findUser(ldap, authCredentials);
        if (!lookup.isPresent()) {
            LOG.debug("User <{}> not found in Active Directory", authCredentials.username());
            return Optional.empty();
        }
        final LDAPUser adUser = lookup.get();

        // A disabled account is rejected before any bind is attempted.
        if (!adUser.accountIsEnabled()) {
            LOG.warn("Account disabled within Active Directory for user <{}> (DN: {})", authCredentials.username(), adUser.dn());
            return Optional.empty();
        }

        final boolean bindRequired = !authCredentials.isAuthenticated();
        if (bindRequired && !isAuthenticated(ldap, adUser, authCredentials)) {
            LOG.debug("Invalid credentials for user <{}> (DN: {})", authCredentials.username(), adUser.dn());
            return Optional.empty();
        }

        final UserDetails requested = provisionerService.newDetails(this)
                .authServiceType(backendType())
                .authServiceId(backendId())
                .base64AuthServiceUid(adUser.base64UniqueId())
                .username(adUser.username())
                .accountIsEnabled(adUser.accountIsEnabled())
                .fullName(adUser.fullName())
                .email(adUser.email())
                .defaultRoles(backend.defaultRoles())
                .build();
        final UserDetails provisioned = provisionerService.provision(requested);

        return Optional.of(AuthenticationDetails.builder().userDetails(provisioned).build());
    } catch (GeneralSecurityException e) {
        LOG.error("Error setting up TLS connection", e);
        throw new AuthenticationServiceUnavailableException("Error setting up TLS connection", e);
    } catch (LDAPException e) {
        LOG.error("ActiveDirectory error", e);
        throw new AuthenticationServiceUnavailableException("ActiveDirectory error", e);
    }
}

Example 2 with UserDetails

Use of org.graylog.security.authservice.UserDetails in the graylog2-server project by Graylog2.

The method authenticateAndProvision of class MongoDBAuthServiceBackend.

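/**
 * Authenticates the supplied credentials against the users stored in MongoDB and provisions the user.
 *
 * <p>Returns empty when the user does not exist, when the account is not {@code ENABLED}, when the
 * user is an external (auth-service synced) user whose password is not stored locally, or when the
 * password check fails. The local admin user must never reach this method.
 *
 * <p>The "Successfully validated password" message is only logged when a password was actually
 * checked; when the credentials arrive already authenticated the check is skipped and a distinct
 * message is logged instead, so the audit trail does not claim a verification that did not happen.
 *
 * @param authCredentials    the username/password to verify; when {@code isAuthenticated()} is
 *                           already true the password check is skipped
 * @param provisionerService used to build and persist the {@link UserDetails} for the user
 * @return the provisioned authentication details, or empty if authentication did not succeed
 * @throws IllegalStateException if the loaded user is the local admin
 */
@Override
public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCredentials authCredentials, ProvisionerService provisionerService) {
    final String username = authCredentials.username();
    LOG.debug("Trying to load user <{}> from database", username);
    final User user = userService.load(username);
    if (user == null) {
        LOG.debug("User <{}> not found in database", username);
        return Optional.empty();
    }
    if (user.isLocalAdmin()) {
        throw new IllegalStateException("Local admin user should have been handled earlier and not reach the authentication service authenticator");
    }
    // Evaluated once; reused below when the provisioned details are built.
    final boolean accountEnabled = user.getAccountStatus().equals(User.AccountStatus.ENABLED);
    if (!accountEnabled) {
        LOG.warn("Account for user <{}> is disabled.", user.getName());
        return Optional.empty();
    }
    if (user.isExternalUser()) {
        // We don't store passwords for users synced from an authentication service, so we can't handle them here.
        LOG.trace("Skipping mongodb-based password check for external user {}", authCredentials.username());
        return Optional.empty();
    }
    if (!authCredentials.isAuthenticated()) {
        if (!isValidPassword(user, authCredentials.password())) {
            LOG.warn("Failed to validate password for user <{}>", username);
            return Optional.empty();
        }
        // Only claim a successful validation when one actually took place.
        LOG.debug("Successfully validated password for user <{}>", username);
    } else {
        LOG.debug("Credentials for user <{}> are already authenticated, skipping password check", username);
    }
    final UserDetails userDetails = provisionerService.provision(provisionerService.newDetails(this)
            .databaseId(user.getId())
            .username(user.getName())
            .accountIsEnabled(accountEnabled)
            .email(user.getEmail())
            .firstName(user.getFirstName().orElse(null))
            .lastName(user.getLastName().orElse(null))
            .fullName(user.getFullName())
            .defaultRoles(Collections.emptySet())
            .base64AuthServiceUid(Base64.encode(user.getId()))
            .build());
    return Optional.of(AuthenticationDetails.builder().userDetails(userDetails).build());
}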

Example 3 with UserDetails

Use of org.graylog.security.authservice.UserDetails in the graylog2-server project by Graylog2.

The method authenticateAndProvision of class LDAPAuthServiceBackend.

/**
 * Authenticates the supplied credentials against an LDAP directory and provisions the matching user.
 *
 * <p>Empty is returned when no connection could be opened, when the user is not found, or when the
 * bind with the supplied credentials fails; the caller cannot tell these cases apart, only the log
 * records which one occurred. Unlike the Active Directory backend, no account-enabled flag is read
 * from the directory here and the provisioned user is always marked enabled — NOTE(review): confirm
 * this is intended for the directories in use, since a disabled directory account would still be
 * provisioned as enabled.
 *
 * @param authCredentials    the username/password to verify; when {@code isAuthenticated()} is
 *                           already true the bind step is skipped
 * @param provisionerService used to build and persist the {@link UserDetails} for the user
 * @return the provisioned authentication details, or empty if authentication did not succeed
 * @throws AuthenticationServiceUnavailableException if the TLS setup or the directory access fails
 */
@Override
public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCredentials authCredentials, ProvisionerService provisionerService) {
    try (final LDAPConnection conn = ldapConnector.connect(config.getLDAPConnectorConfig())) {
        if (conn == null) {
            return Optional.empty();
        }

        final Optional<LDAPUser> found = findUser(conn, authCredentials);
        if (!found.isPresent()) {
            LOG.debug("User <{}> not found in LDAP", authCredentials.username());
            return Optional.empty();
        }
        final LDAPUser entry = found.get();

        // The bind is only attempted when the credentials have not been verified already.
        if (!authCredentials.isAuthenticated() && !isAuthenticated(conn, entry, authCredentials)) {
            LOG.debug("Invalid credentials for user <{}> (DN: {})", authCredentials.username(), entry.dn());
            return Optional.empty();
        }

        final UserDetails provisioned = provisionerService.provision(
                provisionerService.newDetails(this)
                        .authServiceType(backendType())
                        .authServiceId(backendId())
                        .accountIsEnabled(true)
                        .base64AuthServiceUid(entry.base64UniqueId())
                        .username(entry.username())
                        .fullName(entry.fullName())
                        .email(entry.email())
                        .defaultRoles(backend.defaultRoles())
                        .build());
        final AuthenticationDetails result = AuthenticationDetails.builder().userDetails(provisioned).build();
        return Optional.of(result);
    } catch (GeneralSecurityException e) {
        LOG.error("Error setting up TLS connection", e);
        throw new AuthenticationServiceUnavailableException("Error setting up TLS connection", e);
    } catch (LDAPException e) {
        LOG.error("LDAP error", e);
        throw new AuthenticationServiceUnavailableException("LDAP error", e);
    }
}
