
Example 1 with AuthorizationException

use of org.opengrok.indexer.authorization.AuthorizationException in project OpenGrok by OpenGrok.

Class LdapAttrPlugin, method fillSession (grants access when one of the user's LDAP attribute values is on the configured whitelist):

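@Override
public void fillSession(HttpServletRequest req, User user) {
    // Fail closed: the session is marked "denied" before any lookup, so every
    // early return on the error paths below leaves the user without access.
    updateSession(req, false);

    // Log the attribute name actually looked up (it depends on ldapUserInstance),
    // not the bare SESSION_ATTR constant, so the warning matches the session key.
    String sessionAttrName = LdapUserPlugin.getSessionAttrName(ldapUserInstance);
    LdapUser ldapUser = (LdapUser) req.getSession().getAttribute(sessionAttrName);
    if (ldapUser == null) {
        // LdapUserPlugin did not populate the session (its lookup failed or it did not run).
        LOGGER.log(Level.WARNING, "cannot get {0} attribute from {1}",
                new Object[] {sessionAttrName, user});
        return;
    }

    // Check attributes cached in LDAP user object first, then query LDAP server
    // (and if found, cache the result in the LDAP user object).
    Set<String> attributeValues = ldapUser.getAttribute(ldapAttr);
    if (attributeValues == null) {
        AbstractLdapProvider ldapProvider = getLdapProvider();
        if (ldapProvider == null) {
            // Same guard LdapUserPlugin uses: an unconfigured provider is a logged
            // deny, not a NullPointerException out of the authorization stack.
            LOGGER.log(Level.WARNING, "cannot get LDAP provider for user {0}", user);
            return;
        }

        Map<String, Set<String>> records = null;
        try {
            String dn = ldapUser.getDn();
            if (dn != null) {
                LOGGER.log(Level.FINEST, "searching with dn={0} on {1}",
                        new Object[] {dn, ldapProvider});
                // Restrict the search to the single attribute this plugin decides on.
                AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> res =
                        ldapProvider.lookupLdapContent(dn, new String[] {ldapAttr});
                if (res == null) {
                    LOGGER.log(Level.WARNING, "cannot lookup attributes {0} for user {1} on {2}",
                            new Object[] {ldapAttr, ldapUser, ldapProvider});
                    return;
                }
                records = res.getAttrs();
            } else {
                // Without a DN there is nothing to search for; falls through to the deny below.
                LOGGER.log(Level.FINE, "no DN for LDAP user {0} on {1}",
                        new Object[] {ldapUser, ldapProvider});
            }
        } catch (LdapException ex) {
            // Surface LDAP failures to the authorization framework with the cause preserved.
            throw new AuthorizationException(ex);
        }

        attributeValues = (records == null || records.isEmpty()) ? null : records.get(ldapAttr);
        if (attributeValues == null) {
            LOGGER.log(Level.WARNING, "empty records or attribute values {0} for user {1} on {2}",
                    new Object[] {ldapAttr, ldapUser, ldapProvider});
            return;
        }
        // Cache on the session-scoped LDAP user so later requests skip the LDAP round trip.
        ldapUser.setAttribute(ldapAttr, attributeValues);
    }

    // Access is granted if at least one of the user's attribute values is whitelisted.
    boolean isAttrInWhitelist = attributeValues.stream().anyMatch(whitelist::contains);
    LOGGER.log(Level.FINEST, "LDAP user {0} {1} against {2}",
            new Object[] {ldapUser, isAttrInWhitelist ? "allowed" : "denied", filePath});
    updateSession(req, isAttrInWhitelist);
}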

Example 2 with AuthorizationException

use of org.opengrok.indexer.authorization.AuthorizationException in project OpenGrok by OpenGrok.

Class LdapFilterPlugin, method fillSession (grants access when an LDAP search with the user-expanded filter returns a result):

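@Override
public void fillSession(HttpServletRequest req, User user) {
    // Fail closed: mark the session "denied" first so that every early return below is a deny.
    updateSession(req, false);

    LdapUser ldapUser = (LdapUser) req.getSession().getAttribute(getSessionAttr());
    if (ldapUser == null) {
        // LdapUserPlugin did not populate the session; nothing to evaluate the filter against.
        LOGGER.log(Level.WARNING, "failed to get LDAP attribute ''{0}'' from session for user {1}",
                new Object[] {LdapUserPlugin.SESSION_ATTR, user});
        return;
    }

    AbstractLdapProvider ldapProvider = getLdapProvider();
    if (ldapProvider == null) {
        // Same guard LdapUserPlugin uses: an unconfigured provider is a logged
        // deny, not a NullPointerException out of the authorization stack.
        LOGGER.log(Level.WARNING, "cannot get LDAP provider for user {0}", user);
        return;
    }

    // The search filter is built from the configured template plus values taken from
    // the user and the LDAP user. NOTE(review): expandFilter() is not visible here; it
    // must escape substituted values per RFC 4515 ('*', '(', ')', '\', NUL), otherwise a
    // crafted username or attribute value could change the filter and widen the match.
    String expandedFilter = expandFilter(ldapFilter, ldapUser, user);
    LOGGER.log(Level.FINEST, "expanded filter ''{0}'' for user {1} and LDAP user {2} into ''{3}''",
            new Object[] {ldapFilter, user, ldapUser, expandedFilter});

    try {
        // Any non-null search result counts as a match; the returned entry itself is not
        // inspected. A null result (nothing found) is a deny.
        if (ldapProvider.lookupLdapContent(null, expandedFilter) == null) {
            LOGGER.log(Level.FINER, "empty content for LDAP user {0} with filter ''{1}'' on {2}",
                    new Object[] {ldapUser, expandedFilter, ldapProvider});
            return;
        }
    } catch (LdapException ex) {
        // Surface LDAP failures to the authorization framework with the cause preserved.
        throw new AuthorizationException(ex);
    }

    LOGGER.log(Level.FINER, "LDAP user {0} allowed on {1}", new Object[] {ldapUser, ldapProvider});
    updateSession(req, true);
}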

Example 3 with AuthorizationException

use of org.opengrok.indexer.authorization.AuthorizationException in project OpenGrok by OpenGrok.

Class LdapUserPlugin, method fillSession (resolves the user's LDAP entry and stores it in the session for the attribute and filter plugins above):

@Override
public void fillSession(HttpServletRequest req, User user) {
    // Start from an empty session entry: the dependent LDAP plugins treat a missing
    // LdapUser as "cannot decide" and deny.
    updateSession(req, null);

    AbstractLdapProvider ldapProvider = getLdapProvider();
    if (ldapProvider == null) {
        LOGGER.log(Level.WARNING, "cannot get LDAP provider");
        return;
    }

    // Search base. With useDN the username is taken to be the DN itself.
    // NOTE(review): this relies on the authenticated username being a trusted, well-formed
    // DN; if it can be influenced by the client it should be validated before use as a base.
    // If useDN is null neither the TRUE nor the FALSE branch runs and dn stays null — presumably
    // useDN is always configured; confirm.
    String dn = null;
    if (Boolean.TRUE.equals(useDN)) {
        dn = user.getUsername();
        LOGGER.log(Level.FINEST, "using DN ''{0}'' for user {1}", new Object[] {dn, user});
    }

    // Optional search filter, expanded with values from the user (expandFilter is not visible here).
    String expandedFilter = null;
    if (ldapFilter != null) {
        expandedFilter = expandFilter(user);
        LOGGER.log(Level.FINEST, "expanded filter for user {0} into ''{1}''",
                new Object[] {user, expandedFilter});
    }

    String[] wantedAttrs = attrSet.toArray(new String[0]);
    Map<String, Set<String>> records;
    try {
        AbstractLdapProvider.LdapSearchResult<Map<String, Set<String>>> result =
                ldapProvider.lookupLdapContent(dn, expandedFilter, wantedAttrs);
        if (result == null) {
            LOGGER.log(Level.WARNING, "failed to get LDAP attributes ''{2}'' for user {0} "
                    + "with filter ''{1}'' from LDAP provider {3}",
                    new Object[] {user, expandedFilter, attrSet, ldapProvider});
            // Negative-cache marker: an LdapUser without attributes, tagged so the failed
            // lookup is remembered for this session instead of being repeated per request.
            LdapUser failedLookup = new LdapUser(dn, null);
            failedLookup.setAttribute(NEGATIVE_CACHE_ATTR, Collections.singleton(null));
            updateSession(req, failedLookup);
            return;
        }
        records = result.getAttrs();
        if (Boolean.FALSE.equals(useDN)) {
            // The DN was not known up front; take it from the matched entry.
            dn = result.getDN();
            LOGGER.log(Level.FINEST, "got DN ''{0}'' for user {1}", new Object[] {dn, user});
        }
    } catch (LdapException ex) {
        // Surface LDAP failures to the authorization framework with the cause preserved.
        throw new AuthorizationException(ex);
    }

    if (records.isEmpty()) {
        // Session entry stays null on this path (no negative-cache marker is stored).
        LOGGER.log(Level.WARNING, "LDAP records for user {0} are empty on {1}",
                new Object[] {user, ldapProvider});
        return;
    }

    // Copy the requested attributes onto the session user. A missing or empty attribute is
    // only warned about; a null value is stored, which LdapAttrPlugin treats as "not cached"
    // and re-queries on demand.
    Map<String, Set<String>> userAttrs = new HashMap<>();
    for (String attrName : attrSet) {
        Set<String> values = records.get(attrName);
        if (values == null || values.isEmpty()) {
            LOGGER.log(Level.WARNING, "''{0}'' record for user {1} is not present or empty on {2}",
                    new Object[] {attrName, user, ldapProvider});
        }
        userAttrs.put(attrName, values);
    }

    LOGGER.log(Level.FINEST, "DN for user {0} is ''{1}'' on {2}", new Object[] {user, dn, ldapProvider});
    updateSession(req, new LdapUser(dn, userAttrs));
}
