/*
* Copyright 2010-2013 Ning, Inc.
*
* Ning licenses this file to you under the Apache License, version 2.0
* (the "License"); you may not use this file except in compliance with the
* License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package org.killbill.billing.util.security.shiro.realm;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.Ini.Section;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.JndiLdapRealm;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.realm.ldap.LdapUtils;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.killbill.billing.util.config.definition.SecurityConfig;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterators;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
public class KillBillJndiLdapRealm extends JndiLdapRealm {
private static final Logger log = LoggerFactory.getLogger(KillBillJndiLdapRealm.class);
private static final String USERDN_SUBSTITUTION_TOKEN = "{0}";
private static final SearchControls SUBTREE_SCOPE = new SearchControls();
static {
SUBTREE_SCOPE.setSearchScope(SearchControls.SUBTREE_SCOPE);
}
private static final Splitter SPLITTER = Splitter.on(',').omitEmptyStrings().trimResults();
private final String searchBase;
private final String groupSearchFilter;
private final String groupNameId;
private final Map<String, Collection<String>> permissionsByGroup = Maps.newLinkedHashMap();
@Inject
public KillBillJndiLdapRealm(final SecurityConfig securityConfig) {
super();
if (securityConfig.getShiroLDAPUserDnTemplate() != null) {
setUserDnTemplate(securityConfig.getShiroLDAPUserDnTemplate());
}
final JndiLdapContextFactory contextFactory = (JndiLdapContextFactory) getContextFactory();
if (securityConfig.disableShiroLDAPSSLCheck()) {
contextFactory.getEnvironment().put("java.naming.ldap.factory.socket", SkipSSLCheckSocketFactory.class.getName());
}
if (securityConfig.getShiroLDAPUrl() != null) {
contextFactory.setUrl(securityConfig.getShiroLDAPUrl());
}
if (securityConfig.getShiroLDAPSystemUsername() != null) {
contextFactory.setSystemUsername(securityConfig.getShiroLDAPSystemUsername());
}
if (securityConfig.getShiroLDAPSystemPassword() != null) {
contextFactory.setSystemPassword(securityConfig.getShiroLDAPSystemPassword());
}
if (securityConfig.getShiroLDAPAuthenticationMechanism() != null) {
contextFactory.setAuthenticationMechanism(securityConfig.getShiroLDAPAuthenticationMechanism());
}
setContextFactory(contextFactory);
searchBase = securityConfig.getShiroLDAPSearchBase();
groupSearchFilter = securityConfig.getShiroLDAPGroupSearchFilter();
groupNameId = securityConfig.getShiroLDAPGroupNameID();
if (securityConfig.getShiroLDAPPermissionsByGroup() != null) {
final Ini ini = new Ini();
// When passing properties on the command line, \n can be escaped
ini.load(securityConfig.getShiroLDAPPermissionsByGroup().replace("\\n", "\n"));
for (final Section section : ini.getSections()) {
for (final String role : section.keySet()) {
final Collection<String> permissions = ImmutableList.<String>copyOf(SPLITTER.split(section.get(role)));
permissionsByGroup.put(role, permissions);
}
}
}
}
@Override
protected AuthorizationInfo queryForAuthorizationInfo(final PrincipalCollection principals, final LdapContextFactory ldapContextFactory) throws NamingException {
final Set<String> userGroups = findLDAPGroupsForUser(principals, ldapContextFactory);
final SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(userGroups);
final Set<String> stringPermissions = groupsPermissions(userGroups);
simpleAuthorizationInfo.setStringPermissions(stringPermissions);
return simpleAuthorizationInfo;
}
private Set<String> findLDAPGroupsForUser(final PrincipalCollection principals, final LdapContextFactory ldapContextFactory) throws NamingException {
final String username = (String) getAvailablePrincipal(principals);
LdapContext systemLdapCtx = null;
try {
systemLdapCtx = ldapContextFactory.getSystemLdapContext();
return findLDAPGroupsForUser(username, systemLdapCtx);
} catch (AuthenticationException ex) {
log.info("LDAP authentication exception='{}'", ex.getLocalizedMessage());
return ImmutableSet.<String>of();
} finally {
LdapUtils.closeContext(systemLdapCtx);
}
}
private Set<String> findLDAPGroupsForUser(final String userName, final LdapContext ldapCtx) throws NamingException {
final NamingEnumeration<SearchResult> foundGroups = ldapCtx.search(searchBase,
groupSearchFilter.replace(USERDN_SUBSTITUTION_TOKEN, userName),
SUBTREE_SCOPE);
// Extract the name of all the groups
final Iterator<SearchResult> groupsIterator = Iterators.<SearchResult>forEnumeration(foundGroups);
final Iterator<String> groupsNameIterator = Iterators.<SearchResult, String>transform(groupsIterator,
new Function<SearchResult, String>() {
@Override
public String apply(final SearchResult groupEntry) {
return extractGroupNameFromSearchResult(groupEntry);
}
});
final Iterator<String> finalGroupsNameIterator = Iterators.<String>filter(groupsNameIterator, Predicates.notNull());
return Sets.newHashSet(finalGroupsNameIterator);
}
private String extractGroupNameFromSearchResult(final SearchResult searchResult) {
// Get all attributes for that group
final Iterator<? extends Attribute> attributesIterator = Iterators.forEnumeration(searchResult.getAttributes().getAll());
// Find the attribute representing the group name
final Iterator<? extends Attribute> groupNameAttributesIterator = Iterators.filter(attributesIterator,
new Predicate<Attribute>() {
@Override
public boolean apply(final Attribute attribute) {
return groupNameId.equalsIgnoreCase(attribute.getID());
}
});
// Extract the group name from the attribute
// Note: at this point, groupNameAttributesIterator should really contain a single element
final Iterator<String> groupNamesIterator = Iterators.transform(groupNameAttributesIterator,
new Function<Attribute, String>() {
@Override
public String apply(final Attribute groupNameAttribute) {
try {
final NamingEnumeration<?> enumeration = groupNameAttribute.getAll();
if (enumeration.hasMore()) {
return enumeration.next().toString();
} else {
return null;
}
} catch (NamingException namingException) {
log.warn("Unable to read group name", namingException);
return null;
}
}
});
final Iterator<String> finalGroupNamesIterator = Iterators.<String>filter(groupNamesIterator, Predicates.notNull());
if (finalGroupNamesIterator.hasNext()) {
return finalGroupNamesIterator.next();
} else {
log.warn("Unable to find an attribute matching {}", groupNameId);
return null;
}
}
private Set<String> groupsPermissions(final Set<String> groups) {
final Set<String> permissions = new HashSet<String>();
for (final String group : groups) {
final Collection<String> permissionsForGroup = permissionsByGroup.get(group);
if (permissionsForGroup != null) {
permissions.addAll(permissionsForGroup);
}
}
return permissions;
}
@VisibleForTesting
public Map<String, Collection<String>> getPermissionsByGroup() {
return permissionsByGroup;
}
}