/**
* This file is part of Graylog.
*
* Graylog is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Graylog is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Graylog. If not, see <http://www.gnu.org/licenses/>.
*/
package org.graylog2.security.ldap;
import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.inject.assistedinject.Assisted;
import com.google.inject.assistedinject.AssistedInject;
import com.mongodb.BasicDBList;
import com.mongodb.DBObject;
import org.apache.shiro.codec.Hex;
import org.bson.types.ObjectId;
import org.graylog2.Configuration;
import org.graylog2.database.CollectionName;
import org.graylog2.database.NotFoundException;
import org.graylog2.database.PersistedImpl;
import org.graylog2.plugin.database.validators.Validator;
import org.graylog2.security.AESTools;
import org.graylog2.shared.security.ldap.LdapSettings;
import org.graylog2.shared.users.Role;
import org.graylog2.shared.users.Roles;
import org.graylog2.users.RoleService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.net.URI;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
@CollectionName("ldap_settings")
public class LdapSettingsImpl extends PersistedImpl implements LdapSettings {
public interface Factory {
LdapSettingsImpl createEmpty();
LdapSettingsImpl create(ObjectId objectId, Map<String, Object> fields);
}
private static final Logger LOG = LoggerFactory.getLogger(LdapSettingsImpl.class);
public static final String ENABLED = "enabled";
public static final String SYSTEM_USERNAME = "system_username";
public static final String SYSTEM_PASSWORD = "system_password";
public static final String SYSTEM_PASSWORD_SALT = "system_password_salt";
public static final String LDAP_URI = "ldap_uri";
public static final String SEARCH_PATTERN = "principal_search_pattern";
public static final String SEARCH_BASE = "search_base";
public static final String DISPLAY_NAME_ATTRIBUTE = "username_attribute";
public static final String USE_START_TLS = "use_start_tls";
public static final String ACTIVE_DIRECTORY = "active_directory";
public static final String DEFAULT_GROUP = "default_group";
public static final String TRUST_ALL_CERTS = "trust_all_certificates";
public static final String GROUP_MAPPING = "group_role_mapping";
public static final String GROUP_MAPPING_LIST = "group_role_mapping_list";
public static final String GROUP_SEARCH_BASE = "group_search_base";
public static final String GROUP_ID_ATTRIBUTE = "group_id_attribute";
public static final String GROUP_SEARCH_PATTERN = "group_search_pattern";
public static final String ADDITIONAL_DEFAULT_GROUPS = "additional_default_groups";
public static final String LDAP_GROUP_MAPPING_NAMEKEY = "group";
public static final String LDAP_GROUP_MAPPING_ROLEKEY = "role_id";
protected Configuration configuration;
private final RoleService roleService;
@AssistedInject
public LdapSettingsImpl(Configuration configuration, RoleService roleService) {
super(Maps.<String, Object>newHashMap());
this.configuration = configuration;
this.roleService = roleService;
}
@AssistedInject
public LdapSettingsImpl(Configuration configuration, RoleService roleService, @Assisted ObjectId id, @Assisted Map<String, Object> fields) {
super(id, fields);
this.configuration = configuration;
this.roleService = roleService;
}
@Override
public Map<String, Validator> getValidations() {
return null;
}
@Override
public Map<String, Validator> getEmbeddedValidations(String key) {
return null;
}
@Override
public String getSystemUserName() {
return Strings.nullToEmpty((String) fields.get(SYSTEM_USERNAME));
}
@Override
public void setSystemUsername(String systemUsername) {
fields.put(SYSTEM_USERNAME, systemUsername);
}
@Override
public String getSystemPassword() {
final Object o = fields.get(SYSTEM_PASSWORD);
if (o == null) return "";
if (getSystemPasswordSalt().isEmpty()) {
// this is an old version of the database that doesn't have the salt value,
// simply return the password, because it's unencrypted.
// The next time we will generate a salt and then re-use that value.
// TODO remove this after 0.20 is out, and the RC versions are pulled.
LOG.debug("Old database version does not have salted, encrypted password. Please save the LDAP settings again.");
return o.toString();
}
String encryptedPw = o.toString();
return AESTools.decrypt(
encryptedPw,
configuration.getPasswordSecret().substring(0, 16),
getSystemPasswordSalt());
}
@Override
public void setSystemPassword(String systemPassword) {
// set new salt value, if we didn't have any.
if (getSystemPasswordSalt().isEmpty()) {
LOG.debug("Generating new salt for LDAP system password.");
final SecureRandom random = new SecureRandom();
byte[] saltBytes = new byte[8];
random.nextBytes(saltBytes);
setSystemPasswordSalt(Hex.encodeToString(saltBytes));
}
final String encrypted = AESTools.encrypt(
systemPassword,
configuration.getPasswordSecret().substring(0, 16),
getSystemPasswordSalt());
fields.put(SYSTEM_PASSWORD, encrypted);
}
@Override
public String getSystemPasswordSalt() {
return Strings.nullToEmpty((String) fields.get(SYSTEM_PASSWORD_SALT));
}
@Override
public void setSystemPasswordSalt(String salt) {
fields.put(SYSTEM_PASSWORD_SALT, salt);
}
@Override
public URI getUri() {
final Object o = fields.get(LDAP_URI);
return o != null ? URI.create(o.toString()) : null;
}
@Override
public void setUri(URI ldapUri) {
fields.put(LDAP_URI, ldapUri.toString());
}
@Override
public String getSearchBase() {
return Strings.nullToEmpty((String) fields.get(SEARCH_BASE));
}
@Override
public void setSearchBase(String searchBase) {
fields.put(SEARCH_BASE, searchBase);
}
@Override
public String getSearchPattern() {
return Strings.nullToEmpty((String) fields.get(SEARCH_PATTERN));
}
@Override
public void setSearchPattern(String searchPattern) {
fields.put(SEARCH_PATTERN, searchPattern);
}
@Override
public String getDisplayNameAttribute() {
return Strings.nullToEmpty((String) fields.get(DISPLAY_NAME_ATTRIBUTE));
}
@Override
public void setDisplayNameAttribute(String displayNameAttribute) {
fields.put(DISPLAY_NAME_ATTRIBUTE, displayNameAttribute);
}
@Override
public boolean isEnabled() {
final Object o = fields.get(ENABLED);
return o != null ? Boolean.valueOf(o.toString()) : false;
}
@Override
public void setEnabled(boolean enabled) {
fields.put(ENABLED, enabled);
}
@Override
public void setUseStartTls(boolean useStartTls) {
fields.put(USE_START_TLS, useStartTls);
}
@Override
public boolean isUseStartTls() {
final Object o = fields.get(USE_START_TLS);
return o != null ? Boolean.valueOf(o.toString()) : false;
}
@Override
public void setActiveDirectory(boolean activeDirectory) {
fields.put(ACTIVE_DIRECTORY, activeDirectory);
}
@Override
public boolean isActiveDirectory() {
final Object o = fields.get(ACTIVE_DIRECTORY);
return o != null ? Boolean.valueOf(o.toString()) : false;
}
@Override
public String getDefaultGroup() {
final String defaultGroupId = getDefaultGroupId();
if (defaultGroupId.equals(roleService.getReaderRoleObjectId())) {
return "Reader";
}
try {
final Map<String, Role> idToRole = roleService.loadAllIdMap();
return idToRole.get(defaultGroupId).getName();
} catch (Exception e) {
LOG.error("Unable to load role mapping");
return "Reader";
}
}
@Override
public String getDefaultGroupId() {
final Object o = fields.get(DEFAULT_GROUP);
return o == null ? roleService.getReaderRoleObjectId() : (String) o;
}
@Override
public void setDefaultGroup(String defaultGroup) {
String groupId = roleService.getReaderRoleObjectId();
try {
groupId = roleService.load(defaultGroup).getId();
} catch (NotFoundException e) {
LOG.error("Unable to load role mapping");
}
fields.put(DEFAULT_GROUP, groupId);
}
@Override
public boolean isTrustAllCertificates() {
final Object o = fields.get(TRUST_ALL_CERTS);
return o != null ? Boolean.valueOf(o.toString()) : false;
}
@Override
public void setTrustAllCertificates(boolean trustAllCertificates) {
fields.put(TRUST_ALL_CERTS, trustAllCertificates);
}
@Nonnull
@SuppressWarnings("unchecked")
@Override
public Map<String, String> getGroupMapping() {
final BasicDBList groupMappingList = (BasicDBList) fields.get(GROUP_MAPPING_LIST);
final Map<String, String> groupMapping;
if (groupMappingList == null) {
// pre-2.0 storage format, convert after read
// should actually have been converted during start, but let's play safe here
groupMapping = (Map<String, String>) fields.get(GROUP_MAPPING);
} else {
groupMapping = Maps.newHashMapWithExpectedSize(groupMappingList.size());
for (Object entry : groupMappingList) {
final DBObject field = (DBObject) entry;
groupMapping.put((String) field.get(LDAP_GROUP_MAPPING_NAMEKEY),
(String) field.get(LDAP_GROUP_MAPPING_ROLEKEY));
}
}
if (groupMapping == null || groupMapping.isEmpty()) {
return Collections.emptyMap();
}
else {
// we store role ids, but the outside world uses role names to identify them
try {
final Map<String, Role> idToRole = roleService.loadAllIdMap();
return Maps.newHashMap(Maps.transformValues(groupMapping, Roles.roleIdToNameFunction(idToRole)));
} catch (NotFoundException e) {
LOG.error("Unable to load role mapping");
return Collections.emptyMap();
}
}
}
@Override
public void setGroupMapping(Map<String, String> mapping) {
Map<String, String> internal;
if (mapping == null) {
internal = Collections.emptyMap();
} else {
// we store ids internally but external users use the group names
try {
final Map<String, Role> nameToRole = Maps.uniqueIndex(roleService.loadAll(), Roles.roleToNameFunction());
internal = Maps.newHashMap(Maps.transformValues(mapping, new Function<String, String>() {
@Nullable
@Override
public String apply(@Nullable String groupName) {
if (groupName == null || !nameToRole.containsKey(groupName)) {
return null;
}
return nameToRole.get(groupName).getId();
}
}));
} catch (NotFoundException e) {
LOG.error("Unable to convert group names to ids", e);
throw new IllegalStateException("Unable to convert group names to ids", e);
}
}
// convert the group -> role_id map to a list of {"group" -> group, "role_id" -> roleid } maps
fields.put(GROUP_MAPPING_LIST,
internal.entrySet().stream()
.map(entry -> {
Map<String, String> m = Maps.newHashMap();
m.put(LDAP_GROUP_MAPPING_NAMEKEY, entry.getKey());
m.put(LDAP_GROUP_MAPPING_ROLEKEY, entry.getValue());
return m;
})
.collect(Collectors.toList()));
}
@Override
public String getGroupSearchBase() {
return Strings.nullToEmpty((String) fields.get(GROUP_SEARCH_BASE));
}
@Override
public void setGroupSearchBase(String groupSearchBase) {
fields.put(GROUP_SEARCH_BASE, groupSearchBase);
}
@Override
public String getGroupIdAttribute() {
return Strings.nullToEmpty((String) fields.get(GROUP_ID_ATTRIBUTE));
}
@Override
public void setGroupIdAttribute(String groupIdAttribute) {
fields.put(GROUP_ID_ATTRIBUTE, groupIdAttribute);
}
@Override
public String getGroupSearchPattern() {
return Strings.nullToEmpty((String) fields.get(GROUP_SEARCH_PATTERN));
}
@Override
public void setGroupSearchPattern(String groupSearchPattern) {
fields.put(GROUP_SEARCH_PATTERN, groupSearchPattern);
}
@Override
public Set<String> getAdditionalDefaultGroups() {
final Set<String> additionalGroups = getAdditionalDefaultGroupIds();
try {
final Map<String, Role> idToRole = roleService.loadAllIdMap();
return Sets.newHashSet(Collections2.transform(additionalGroups, Roles.roleIdToNameFunction(idToRole)));
} catch (NotFoundException e) {
LOG.error("Unable to load role mapping");
return Collections.emptySet();
}
}
@Override
public Set<String> getAdditionalDefaultGroupIds() {
@SuppressWarnings("unchecked")
final List<String> additionalGroups = (List<String>) fields.get(ADDITIONAL_DEFAULT_GROUPS);
return additionalGroups == null ? Collections.<String>emptySet() : Sets.newHashSet(additionalGroups);
}
@Override
public void setAdditionalDefaultGroups(Set<String> groupNames) {
try {
if (groupNames == null) return;
final Map<String, Role> nameToRole = Maps.uniqueIndex(roleService.loadAll(), Roles.roleToNameFunction());
final List<String> groupIds = Lists.newArrayList(Collections2.transform(groupNames, new Function<String, String>() {
@Nullable
@Override
public String apply(@Nullable String groupName) {
if (groupName == null || !nameToRole.containsKey(groupName)) {
return null;
}
return nameToRole.get(groupName).getId();
}
}));
fields.put(ADDITIONAL_DEFAULT_GROUPS, groupIds);
} catch (NotFoundException e) {
LOG.error("Unable to convert group names to ids", e);
throw new IllegalStateException("Unable to convert group names to ids", e);
}
}
}