LdapUserAttributesToRolesAuthorizationGenerator.java

package org.apereo.cas.authorization;

import org.ldaptive.ConnectionFactory;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.SearchExecutor;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Provides a simple {@link AuthorizationGenerator} implementation that obtains user roles from an LDAP search.
 * Searches are performed by this component for every user details lookup:
 * <ol>
 * <li>Search for an entry to resolve the username. In most cases the search should return exactly one result,
 * but the {@link #allowMultipleResults} property may be toggled to change that behavior.</li>
 * </ol>
 *
 * @author Jerome Leleu
 * @author Marvin S. Addison
 * @author Misagh Moayyed
 * @since 4.0.0
 */
public class LdapUserAttributesToRolesAuthorizationGenerator extends BaseUseAttributesAuthorizationGenerator {

    private static final Logger LOGGER = LoggerFactory.getLogger(LdapUserAttributesToRolesAuthorizationGenerator.class);

    private final String roleAttribute;
    private final String rolePrefix;

    /**
     * Creates a new instance with the given required parameters.
     *
     * @param factory              Source of LDAP connections for searches.
     * @param userSearchExecutor   Executes the LDAP search for user data.
     * @param allowMultipleResults allow multiple search results in which case the first result
     *                             returned is used to construct user details, or false to indicate that
     *                             a runtime exception should be raised on multiple search results for user details.
     * @param roleAttribute        the role attribute
     * @param rolePrefix           the role prefix
     */
    public LdapUserAttributesToRolesAuthorizationGenerator(final ConnectionFactory factory,
                                                           final SearchExecutor userSearchExecutor,
                                                           final boolean allowMultipleResults,
                                                           final String roleAttribute,
                                                           final String rolePrefix) {
        super(factory, userSearchExecutor, allowMultipleResults);
        this.roleAttribute = roleAttribute;
        this.rolePrefix = rolePrefix;
    }

    @Override
    protected CommonProfile generateAuthorizationForLdapEntry(final CommonProfile profile, final LdapEntry userEntry) {
        if (userEntry.getAttributes().isEmpty()) {
            throw new IllegalStateException("No attributes are retrieved for this user.");
        }

        final LdapAttribute attribute = userEntry.getAttribute(this.roleAttribute);
        if (attribute == null) {
            throw new IllegalStateException("Configured role attribute cannot be found for this user");
        }

        addProfileRoles(userEntry, profile, attribute, this.rolePrefix);
        return profile;
    }
}