Ldap.java

/*
 * Sonar LDAP Plugin
 * Copyright (C) 2009 SonarSource
 * dev@sonar.codehaus.org
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02
 */

package com.teklabs.throng.integration.ldap;

import org.apache.commons.lang.StringUtils;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import static com.teklabs.throng.integration.ldap.LdapContextFactory.*;

/**
 * @author Evgeny Mandrikov
 */
public class Ldap {
  public static final String DEFAULT_USER_OBJECT_CLASS = "inetOrgPerson";
  public static final String DEFAULT_LOGIN_ATTRIBUTE = "uid";

  private LdapContextFactory ldapContextFactory;
  private String baseDN = null;
  private String loginAttribute = DEFAULT_LOGIN_ATTRIBUTE;
  private String userObjectClass = DEFAULT_USER_OBJECT_CLASS;

  /**
   * Creates a new instance of Ldap with specified context factory.
   *
   * @param ldapContextFactory LDAP context factory
   */
  public Ldap(LdapContextFactory ldapContextFactory) {
    if (ldapContextFactory == null) {
      throw new IllegalArgumentException("LDAP context factory is not set");
    }
    this.ldapContextFactory = ldapContextFactory;
  }

  /**
   * Tests connection.
   *
   * @throws NamingException if a naming exception is encountered
   */
  public void testConnection() throws NamingException {
    if (StringUtils.isBlank(ldapContextFactory.getUsername()) && isSasl()) {
      LdapHelper.LOG.warn("Unable to test connection, if using SASL and no username specified");
    } else {
      LdapHelper.LOG.debug("Test connection");
      ldapContextFactory.getInitialDirContext();
    }
  }

  /**
   * Tries to authenticate specified user with specified password.
   *
   * @param login    login
   * @param password password
   * @return true, if user can be authenticated with specified password
   * @throws NamingException if a naming exception is encountered
   */
  public boolean authenticate(String login, String password) throws NamingException {
    String principal;
    // if we are authenticating against DIGEST-MD5 or CRAM-MD5 then username is not the DN
    if (isSasl()) {
      principal = login;
    } else {
      principal = getPrincipal(login);
    }
    if (GSSAPI_METHOD.equals(ldapContextFactory.getAuthentication())) {
      return StringUtils.isNotBlank(principal) && checkPasswordUsingGssapi(principal, password);
    }
    return StringUtils.isNotBlank(principal) && checkPasswordUsingBind(principal, password);
  }

  private boolean isSasl() {
    return DIGEST_MD5_METHOD.equals(ldapContextFactory.getAuthentication()) ||
        CRAM_MD5_METHOD.equals(ldapContextFactory.getAuthentication()) ||
        GSSAPI_METHOD.equals(ldapContextFactory.getAuthentication());
  }

  /**
   * Checks password using GSSAPI.
   *
   * @param principal principal
   * @param password  password
   * @return true, if principal can be authenticated with specified password
   */
  private boolean checkPasswordUsingGssapi(String principal, String password) {
    // Use our custom configuration to avoid reliance on external config
    Configuration.setConfiguration(new Krb5LoginConfiguration());
    LoginContext lc;
    try {
      lc = new LoginContext(
          getClass().getName(),
          new CallbackHandlerImpl(principal, password)
      );
      lc.login();
    } catch (LoginException e) {
      // Bad username:  Client not found in Kerberos database
      // Bad password:  Integrity check on decrypted field failed
      LdapHelper.LOG.debug("Password is not valid for principal: " + principal, e);
      return false;
    }
    try {
      lc.logout();
    } catch (LoginException e) {
      LdapHelper.LOG.warn("Logout fails", e);
    }
    return true;

  }

  /**
   * Checks password using Bind.
   *
   * @param principal principal
   * @param password  password
   * @return true, if principal can be authenticated with specified password
   */
  private boolean checkPasswordUsingBind(String principal, String password) {
    InitialDirContext ctx = null;
    boolean result;
    try {
      ctx = ldapContextFactory.getInitialDirContext(principal, password);
      ctx.getAttributes("");
      result = true;
    } catch (NamingException e) {
      if (LdapHelper.LOG.isDebugEnabled()) {
        LdapHelper.LOG.debug("Password is not valid for principal: " + principal, e);
      }
      result = false;
    } finally {
      LdapHelper.closeContext(ctx);
    }
    return result;
  }

  private String getPrincipal(String login) throws NamingException {
    if (baseDN == null) {
      throw new IllegalArgumentException("LDAP BaseDN is not set");
    }
    InitialDirContext context = null;
    String principal;
    try {
      if (LdapHelper.LOG.isDebugEnabled()) {
        LdapHelper.LOG.debug("Search principal: " + login);
      }

      context = ldapContextFactory.getInitialDirContext();
      String request = "(&(objectClass=" + userObjectClass + ")(" + loginAttribute + "={0}))";
      if (LdapHelper.LOG.isDebugEnabled()) {
        LdapHelper.LOG.debug("LDAP request: " + request);
      }

      SearchControls controls = new SearchControls();
      controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      controls.setReturningAttributes(new String[]{});
      controls.setReturningObjFlag(true);
      NamingEnumeration result = context.search(baseDN, request, new String[]{login}, controls);
      String found = null;
      if (result.hasMore()) {
        SearchResult obj = (SearchResult) result.next();
        found = obj.getNameInNamespace();
        if (found != null && result.hasMore()) {
          found = null;
          LdapHelper.LOG.error("Login \'" + login + "\' is not unique in LDAP (see attribute " + loginAttribute + ")");
        }
      }

      principal = found;
    } finally {
      LdapHelper.closeContext(context);
    }

    return principal;
  }

  /**
   * Returns login attribute.
   *
   * @return login attribute
   */
  public String getLoginAttribute() {
    return loginAttribute;
  }

  /**
   * Sets login attribute.
   *
   * @param loginAttribute login attribute
   */
  public void setLoginAttribute(String loginAttribute) {
    this.loginAttribute = loginAttribute;
  }

  /**
   * Returns object class of LDAP users.
   *
   * @return object class of LDAP users
   */
  public String getUserObjectClass() {
    return userObjectClass;
  }

  /**
   * Sets object class of LDAP users.
   *
   * @param userObjectClass Object class of LDAP users
   */
  public void setUserObjectClass(String userObjectClass) {
    this.userObjectClass = userObjectClass;
  }

  /**
   * Returns Base DN.
   *
   * @return Base DN
   */
  public String getBaseDN() {
    return baseDN;
  }

  /**
   * Sets Base DN.
   *
   * @param baseDN Base DN
   */
  public void setBaseDN(String baseDN) {
    this.baseDN = baseDN;
  }
}