Repository: karaf Updated Branches: refs/heads/karaf-2.x 5073f85f9 -> b43d91444
[KARAF-3382] Add role mapping support in LDAP login module Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/b43d9144 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/b43d9144 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/b43d9144 Branch: refs/heads/karaf-2.x Commit: b43d91444f9e691cdd8148d82a333d76573d5f18 Parents: 5073f85 Author: Jean-Baptiste Onofré <[email protected]> Authored: Tue Dec 30 09:29:46 2014 +0100 Committer: Jean-Baptiste Onofré <[email protected]> Committed: Tue Dec 30 09:29:46 2014 +0100 ---------------------------------------------------------------------- .../jaas/modules/ldap/LDAPLoginModule.java | 65 +++++++++-- .../jaas/modules/ldap/LdapLoginModuleTest.java | 113 +++++++++++++++++-- .../developers-guide/security-framework.conf | 1 + 3 files changed, 158 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/b43d9144/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java ---------------------------------------------------------------------- diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index e77a38f..f0726f6 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -32,11 +32,7 @@ import javax.security.auth.callback.*; import javax.security.auth.login.LoginException; import java.io.IOException; import java.security.Principal; -import java.util.ArrayList; -import java.util.HashSet; -import java.util.Hashtable; -import java.util.List; -import java.util.Map; +import java.util.*; import java.util.concurrent.Callable; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -60,6 +56,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { public final static String ROLE_FILTER = "role.filter"; public final static String ROLE_NAME_ATTRIBUTE = "role.name.attribute"; public final static String ROLE_SEARCH_SUBTREE = "role.search.subtree"; + public final static String ROLE_MAPPING = "role.mapping"; public final static String AUTHENTICATION = "authentication"; public final static String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords"; public final static String INITIAL_CONTEXT_FACTORY = "initial.context.factory"; @@ -85,6 +82,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { private String roleFilter; private String roleNameAttribute; private boolean roleSearchSubtree = true; + private Map<String, Set<String>> roleMapping; private String authentication = DEFAULT_AUTHENTICATION; private boolean allowEmptyPasswords = false; private String initialContextFactory = null; @@ -102,9 +100,10 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { connectionURL = (String) options.get(CONNECTION_URL); connectionUsername = (String) options.get(CONNECTION_USERNAME); connectionPassword = (String) options.get(CONNECTION_PASSWORD); - userBaseDN = (String) options.get(USER_BASE_DN); + userBaseDN = (String) options.get(USER_BASE_DN); userFilter = (String) options.get(USER_FILTER); userSearchSubtree = Boolean.parseBoolean((String) options.get(USER_SEARCH_SUBTREE)); + roleMapping = parseRoleMapping((String) options.get(ROLE_MAPPING)); roleBaseDN = (String) options.get(ROLE_BASE_DN); roleFilter = (String) options.get(ROLE_FILTER); roleNameAttribute = (String) options.get(ROLE_NAME_ATTRIBUTE); @@ -139,6 +138,27 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { } } + private Map<String, Set<String>> parseRoleMapping(String option) { + Map<String, Set<String>> roleMapping = new HashMap<String, Set<String>>(); + if (option != null) { + logger.debug("Parse role mapping {}", option); + String[] mappings = option.split(";"); + for (String mapping : mappings) { + String[] map = mapping.split("=", 2); + String ldapRole = map[0]; + String[] karafRoles = map[1].split(","); + if (roleMapping.get(ldapRole) == null) { + roleMapping.put(ldapRole, new HashSet<String>()); + } + final Set<String> karafRolesSet = roleMapping.get(ldapRole); + for (String karafRole : karafRoles) { + karafRolesSet.add(karafRole); + } + } + } + return roleMapping; + } + public boolean login() throws LoginException { ClassLoader tccl = Thread.currentThread().getContextClassLoader(); try { @@ -165,7 +185,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { user = ((NameCallback) callbacks[0]).getName(); char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword(); - + // If either a username or password is specified don't allow authentication = "none". // This is to prevent someone from logging into Karaf as any user without providing a // valid password (because if authentication = none, the password could be any @@ -176,7 +196,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { authentication = "simple"; } if (!"none".equals(authentication) && !allowEmptyPasswords - && (tmpPassword == null || tmpPassword.length ==0)) { + && (tmpPassword == null || tmpPassword.length == 0)) { throw new LoginException("Empty passwords not allowed"); } @@ -246,7 +266,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { // the second escapes the slashes correctly. String userDN = result.getNameInNamespace().replace("," + userBaseDN, ""); String userDNNamespace = (String) result.getNameInNamespace(); - return new String[] { userDN, userDNNamespace }; + return new String[]{userDN, userDNNamespace}; } finally { if (namingEnumeration != null) { try { @@ -340,7 +360,16 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { for (int i = 0; i < roles.size(); i++) { String role = (String) roles.get(i); if (role != null) { - rolesList.add(role); + logger.debug("User {} is a member of role {}", user, role); + // handle role mapping ... + Set<String> mapped = tryMappingRole(role); + if (mapped.isEmpty()) { + rolesList.add(role); + } else { + for (String r : mapped) { + rolesList.add(r); + } + } } } } @@ -367,6 +396,22 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { return true; } + protected Set<String> tryMappingRole(String role) { + Set<String> roles = new HashSet<String>(); + if (roleMapping == null || roleMapping.isEmpty()) { + return roles; + } + Set<String> karafRoles = roleMapping.get(role); + if (karafRoles != null) { + // add all mapped roles + for (String karafRole : karafRoles) { + logger.debug("LDAP role {} is mapped to Karaf role {}", role, karafRole); + roles.add(karafRole); + } + } + return roles; + } + protected void setupSsl(Hashtable env) throws LoginException { ServiceReference ref = null; try { http://git-wip-us.apache.org/repos/asf/karaf/blob/b43d9144/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java ---------------------------------------------------------------------- diff --git a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java index 0f24705..f82d7d8 100644 --- a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java +++ b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java @@ -13,7 +13,6 @@ * limitations under the License. * under the License. */ - package org.apache.karaf.jaas.modules.ldap; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; @@ -37,18 +36,21 @@ import javax.security.auth.login.LoginException; import java.io.File; import java.io.IOException; import java.security.Principal; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertEquals; import static org.junit.Assert.fail; - -@RunWith ( FrameworkRunner.class ) -@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port=9999)}) +@RunWith(FrameworkRunner.class) +@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 9999)}) @CreateDS(name = "LdapLoginModuleTest-class", - partitions = { @CreatePartition(name = "example", suffix = "dc=example,dc=com") }) + partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com")}) @ApplyLdifFiles( - "org/apache/karaf/jaas/modules/ldap/example.com.ldif" + "org/apache/karaf/jaas/modules/ldap/example.com.ldif" ) public class LdapLoginModuleTest extends AbstractLdapTestUnit { @@ -96,13 +98,13 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit { assertTrue(foundRole); assertTrue(module.logout()); - assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); } protected Properties ldapLoginModuleOptions() throws IOException { return new Properties(new File("src/test/resources/org/apache/karaf/jaas/modules/ldap/ldap.properties")); } - + @Test public void testNonAdminLogin() throws Exception { Properties options = ldapLoginModuleOptions(); @@ -143,9 +145,9 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit { assertFalse(foundRole); assertTrue(module.logout()); - assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); } - + @Test public void testBadPassword() throws Exception { Properties options = ldapLoginModuleOptions(); @@ -167,7 +169,7 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit { assertEquals("Precondition", 0, subject.getPrincipals().size()); assertFalse(module.login()); } - + @Test public void testUserNotFound() throws Exception { Properties options = ldapLoginModuleOptions(); @@ -216,5 +218,94 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit { assertTrue(e.getMessage().equals("Empty passwords not allowed")); } } + + public void testRoleMappingSimple() throws Exception { + Properties options = ldapLoginModuleOptions(); + options.put(LDAPLoginModule.ROLE_MAPPING, "admin=karaf"); + LDAPLoginModule module = new LDAPLoginModule(); + CallbackHandler cb = new CallbackHandler() { + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : callbacks) { + if (cb instanceof NameCallback) { + ((NameCallback) cb).setName("admin"); + } else if (cb instanceof PasswordCallback) { + ((PasswordCallback) cb).setPassword("admin123".toCharArray()); + } + } + } + }; + Subject subject = new Subject(); + module.initialize(subject, cb, null, options); + + assertEquals("Precondition", 0, subject.getPrincipals().size()); + assertTrue(module.login()); + assertTrue(module.commit()); + + assertEquals(2, subject.getPrincipals().size()); + + boolean foundUser = false; + boolean foundRole = false; + for (Principal pr : subject.getPrincipals()) { + if (pr instanceof UserPrincipal) { + assertEquals("admin", pr.getName()); + foundUser = true; + } else if (pr instanceof RolePrincipal) { + assertEquals("karaf", pr.getName()); + foundRole = true; + } + } + assertTrue(foundUser); + assertTrue(foundRole); + + assertTrue(module.logout()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + } + + @Test + public void testRoleMappingAdvanced() throws Exception { + Properties options = ldapLoginModuleOptions(); + options.put(LDAPLoginModule.ROLE_MAPPING, "admin=karaf,test;admin=another"); + LDAPLoginModule module = new LDAPLoginModule(); + CallbackHandler cb = new CallbackHandler() { + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : callbacks) { + if (cb instanceof NameCallback) { + ((NameCallback) cb).setName("admin"); + } else if (cb instanceof PasswordCallback) { + ((PasswordCallback) cb).setPassword("admin123".toCharArray()); + } + } + } + }; + Subject subject = new Subject(); + module.initialize(subject, cb, null, options); + + assertEquals("Precondition", 0, subject.getPrincipals().size()); + assertTrue(module.login()); + assertTrue(module.commit()); + + assertEquals(4, subject.getPrincipals().size()); + + final List<String> roles = new ArrayList<String>(Arrays.asList("karaf", "test", "another")); + + boolean foundUser = false; + boolean foundRole = false; + for (Principal pr : subject.getPrincipals()) { + if (pr instanceof UserPrincipal) { + assertEquals("admin", pr.getName()); + foundUser = true; + } else if (pr instanceof RolePrincipal) { + assertTrue(roles.remove(pr.getName())); + foundRole = true; + } + } + assertTrue(foundUser); + assertTrue(foundRole); + assertTrue(roles.isEmpty()); + + assertTrue(module.logout()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + } + } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/karaf/blob/b43d9144/manual/src/main/webapp/developers-guide/security-framework.conf ---------------------------------------------------------------------- diff --git a/manual/src/main/webapp/developers-guide/security-framework.conf b/manual/src/main/webapp/developers-guide/security-framework.conf index 3f53b96..6e15be5 100644 --- a/manual/src/main/webapp/developers-guide/security-framework.conf +++ b/manual/src/main/webapp/developers-guide/security-framework.conf @@ -313,6 +313,7 @@ The LDAPLoginModule supports the following parameters: | {{role.filter}} | The LDAP filter used to looking for user's role, e.g. (member:=uid=%u) | | {{role.name.attribute}} | The LDAP role attribute containing the role string used by Karaf, e.g. cn | | {{role.search.subtree}} | If "true", the role lookup will be recursive (SUBTREE). If "false", the role lookup will be performed only at the first level (ONELEVEL). | +| {{role.mapping}} | Define a mapping between roles defined in the LDAP directory for the user, and corresponding roles in Karaf. The format is ldapRole1=karafRole1,karafRole2;ldapRole2=karafRole3,karafRole4. | | {{authentication}} | Define the authentication backend used on the LDAP server. The default is simple. | | {{initial.context.factory}} | Define the initial context factory used to connect to the LDAP server. The default is com.sun.jndi.ldap.LdapCtxFactory | | {{ssl}} | If "true" or if the protocol on the {{connection.url}} is {{ldaps}}, an SSL connection will be used |
