This is an automated email from the ASF dual-hosted git repository.
iuliana pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new a3a2b2a Add user name regex for LDAP authentication
new f9ee183 Merge pull request #1245 from
jcabrerizo/feature/ladp/userName-regex
a3a2b2a is described below
commit a3a2b2a3c6894a768ba8b42119d8d257ec367b55
Author: Juan Cabrerizo <[email protected]>
AuthorDate: Fri Sep 3 14:38:13 2021 +0100
Add user name regex for LDAP authentication
---
.../src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java | 5 ++++-
.../brooklyn/rest/security/provider/LdapSecurityProvider.java | 7 +++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
index 7307be9..eee2b49 100644
---
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
+++
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
@@ -78,7 +78,10 @@ public class BrooklynWebConfig {
public final static ConfigKey<String> SHA256_FOR_USER(String user) {
return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." +
user + ".sha256");
}
-
+
+ public final static ConfigKey<String> LDAP_USERNAME_REGEX =
ConfigKeys.newStringConfigKey(
+ BASE_NAME_SECURITY+".ldap.user_name_regex");
+
public final static ConfigKey<String> LDAP_URL =
ConfigKeys.newStringConfigKey(
BASE_NAME_SECURITY+".ldap.url");
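Review bot: The new `LDAP_USERNAME_REGEX` key is added without any Javadoc, so nothing in this file tells an operator how the value is interpreted or what an unset value means. Elsewhere in this commit the value is applied with `user.matches(userNameRegex)`, which is a full-string match (no `^`/`$` needed) and is skipped when the value is empty, so I would put that contract on the key: `/** Optional java.util.regex pattern a login name must fully match before LDAP is consulted (String.matches); unset or empty disables the check. */`. A one-line mention that the value is operator-supplied config, not user input, would also help readers assess the regex for backtracking cost.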
diff --git
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
index 344f460..61dedf8 100644
---
a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
+++
b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
@@ -74,6 +74,7 @@ public class LdapSecurityProvider extends
AbstractSecurityProvider implements Se
private final String ldapUrl;
private final String defaultLdapRealm;
private final String organizationUnit;
+ private final String userNameRegex;
private boolean logUserLoginAttempt;
private boolean fetchUserGroups = false;
private List<String> validGroups;
@@ -84,6 +85,7 @@ public class LdapSecurityProvider extends
AbstractSecurityProvider implements Se
Strings.checkNonEmpty(ldapUrl, "LDAP security provider configuration
missing required property " + BrooklynWebConfig.LDAP_URL);
fetchUserGroups =
properties.getConfig(BrooklynWebConfig.LDAP_FETCH_USER_GROUPS);
logUserLoginAttempt =
properties.getConfig(BrooklynWebConfig.LDAP_LOGIN_INFO_LOG);
+ userNameRegex =
properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
List ldapGroupsPrefixes =
properties.getConfig(BrooklynWebConfig.GROUP_CONFIG_KEY_NAME);
if (fetchUserGroups && !ldapGroupsPrefixes.isEmpty()) {
validGroups = getConfiguredGroups(properties, ldapGroupsPrefixes);
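Review bot: The value read at `userNameRegex = properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX)` is stored as a raw string and never validated, so a malformed pattern is only discovered at the first login, where `user.matches(userNameRegex)` (added later in this commit) will throw `PatternSyntaxException` rather than rejecting the user. Compiling the pattern once here fails fast at provider construction and also avoids recompiling the regex on every authenticate call; e.g. `this.userNamePattern = Strings.isNonEmpty(userNameRegex) ? Pattern.compile(userNameRegex) : null;` with the field changed to a `Pattern` and the check becoming `userNamePattern != null && !userNamePattern.matcher(user).matches()`. If the config framework already rejects bad values elsewhere, a comment saying so at this line would suffice. This constructor body starts before and ends after the hunk, so the exact placement of the compile call is not visible here.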
@@ -110,12 +112,17 @@ public class LdapSecurityProvider extends
AbstractSecurityProvider implements Se
this.ldapUrl = ldapUrl;
this.defaultLdapRealm = ldapRealm;
this.organizationUnit = organizationUnit;
+ this.userNameRegex = "";
}
@SuppressWarnings({"rawtypes", "unchecked"})
@Override
public boolean authenticate(HttpServletRequest request,
Supplier<HttpSession> sessionSupplierOnSuccess, String user, String pass)
throws SecurityProviderDeniedAuthentication {
if (user == null) return false;
+ if(Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)){
+ LOG.debug("Rejecting authenticating attempt for user `{}` due to
userNameRegex configuration: {}", user, userNameRegex);
+ return false;
+ }
checkCanLoad();
if (Strings.isBlank(pass)) {