This is an automated email from the ASF dual-hosted git repository.

fmartelli pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/3_0_X by this push:
     new dd732de5fe [SYNCOPE-1816] Enables LDAP parameters configuration for 
SPNEGO authentication module (#699)
dd732de5fe is described below

commit dd732de5fe9d38f0fec09662d7e15511adf8a850
Author: Fabio Martelli <[email protected]>
AuthorDate: Wed Apr 24 17:48:57 2024 +0200

    [SYNCOPE-1816] Enables LDAP parameters configuration for SPNEGO 
authentication module (#699)
---
 .../console/wizards/AuthModuleWizardBuilder.java   | 22 ++++++++-----
 ...uthModuleWizardBuilder$AuthModuleConfLDAP.html} |  0
 ...uleWizardBuilder$AuthModuleConfLDAP.properties} |  0
 ...ardBuilder$AuthModuleConfLDAP_fr_CA.properties} |  0
 ...WizardBuilder$AuthModuleConfLDAP_it.properties} |  0
 ...WizardBuilder$AuthModuleConfLDAP_ja.properties} |  0
 ...ardBuilder$AuthModuleConfLDAP_pt_BR.properties} |  0
 ...WizardBuilder$AuthModuleConfLDAP_ru.properties} |  0
 .../syncope/common/lib/auth/AuthModuleConf.java    |  2 +-
 .../common/lib/auth/GoogleMfaAuthModuleConf.java   |  7 +++-
 .../lib/auth/LDAPDependantAuthModuleConf.java      | 28 ++++++++++++++++
 ...thModuleConf.java => SpnegoAuthModuleConf.java} | 37 ++++++++++++++++++++--
 .../common/lib/auth/X509AuthModuleConf.java        |  7 +++-
 .../mapping/AuthModulePropertySourceMapper.java    | 13 ++++++--
 14 files changed, 101 insertions(+), 15 deletions(-)

diff --git 
a/client/am/console/src/main/java/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder.java
 
b/client/am/console/src/main/java/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder.java
index 195e6e3234..f42f6d0b7c 100644
--- 
a/client/am/console/src/main/java/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder.java
+++ 
b/client/am/console/src/main/java/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder.java
@@ -33,8 +33,9 @@ import 
org.apache.syncope.client.ui.commons.markup.html.form.AjaxDropDownChoiceP
 import 
org.apache.syncope.client.ui.commons.markup.html.form.AjaxSpinnerFieldPanel;
 import 
org.apache.syncope.client.ui.commons.markup.html.form.AjaxTextFieldPanel;
 import org.apache.syncope.client.ui.commons.wizards.AjaxWizard;
+import org.apache.syncope.common.lib.AbstractLDAPConf;
 import org.apache.syncope.common.lib.auth.AuthModuleConf;
-import org.apache.syncope.common.lib.auth.GoogleMfaAuthModuleConf;
+import org.apache.syncope.common.lib.auth.LDAPDependantAuthModuleConf;
 import org.apache.syncope.common.lib.to.AuthModuleTO;
 import org.apache.syncope.common.lib.types.AuthModuleState;
 import org.apache.wicket.PageReference;
@@ -90,7 +91,7 @@ public class AuthModuleWizardBuilder extends 
BaseAjaxWizardBuilder<AuthModuleTO>
     protected WizardModel buildModelSteps(final AuthModuleTO modelObject, 
final WizardModel wizardModel) {
         wizardModel.add(new Profile(modelObject, authModuleConfs, 
authModuleConfClass));
         wizardModel.add(new Configuration(modelObject));
-        wizardModel.add(new GoogleMfaAuthModuleConfLDAP(modelObject, 
authModuleConfClass));
+        wizardModel.add(new AuthModuleConfLDAP(modelObject, 
authModuleConfClass));
         wizardModel.add(new Mapping(modelObject));
         return wizardModel;
     }
@@ -174,19 +175,19 @@ public class AuthModuleWizardBuilder extends 
BaseAjaxWizardBuilder<AuthModuleTO>
         }
     }
 
-    protected class GoogleMfaAuthModuleConfLDAP extends WizardStep implements 
WizardModel.ICondition {
+    protected class AuthModuleConfLDAP extends WizardStep implements 
WizardModel.ICondition {
 
         private static final long serialVersionUID = 5328049907748683944L;
 
         private final Model<Class<? extends AuthModuleConf>> 
authModuleConfClass;
 
-        GoogleMfaAuthModuleConfLDAP(
+        AuthModuleConfLDAP(
                 final AuthModuleTO authModule,
                 final Model<Class<? extends AuthModuleConf>> 
authModuleConfClass) {
 
             this.authModuleConfClass = authModuleConfClass;
 
-            PropertyModel<GoogleMfaAuthModuleConf.LDAP> beanPanelModel = new 
PropertyModel<>(authModule, "conf.ldap");
+            PropertyModel<AbstractLDAPConf> beanPanelModel = new 
PropertyModel<>(authModule, "conf.ldap");
 
             AjaxCheckBoxPanel enable = new AjaxCheckBoxPanel("enable", 
"enableLDAP", new IModel<Boolean>() {
 
@@ -209,11 +210,16 @@ public class AuthModuleWizardBuilder extends 
BaseAjaxWizardBuilder<AuthModuleTO>
                 @Override
                 protected void onUpdate(final AjaxRequestTarget target) {
                     if (beanPanelModel.getObject() == null) {
-                        beanPanelModel.setObject(new 
GoogleMfaAuthModuleConf.LDAP());
+                        try {
+                            beanPanelModel.setObject((AbstractLDAPConf) 
authModuleConfClass.getObject().
+                                    getMethod("ldapInstance", new Class<?>[] 
{}).invoke(authModule.getConf()));
+                        } catch (Exception e) {
+                            LOG.warn("Error instantiating beanPanel model 
object", e);
+                        }
                     } else {
                         beanPanelModel.setObject(null);
                     }
-                    target.add(GoogleMfaAuthModuleConfLDAP.this);
+                    target.add(AuthModuleConfLDAP.this);
                 }
             });
             add(enable);
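Review bot: The reflective `getMethod("ldapInstance", new Class<?>[] {}).invoke(authModule.getConf())` call in onUpdate is not needed now that LDAPDependantAuthModuleConf declares ldapInstance(). It also resolves the method on the class held in authModuleConfClass but invokes it on authModule.getConf(), so any mismatch between the two surfaces only as a logged warning. Because `catch (Exception e)` swallows the failure, the model stays null and the LDAP settings the administrator just tried to enable are apparently left off with no feedback in the UI. A typed call removes both problems: `if (authModule.getConf() instanceof LDAPDependantAuthModuleConf) { beanPanelModel.setObject(((LDAPDependantAuthModuleConf) authModule.getConf()).ldapInstance()); }`, with an error reported to the user in the else branch. The enclosing constructor starts and ends outside this hunk.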
@@ -224,7 +230,7 @@ public class AuthModuleWizardBuilder extends 
BaseAjaxWizardBuilder<AuthModuleTO>
 
         @Override
         public boolean evaluate() {
-            return 
GoogleMfaAuthModuleConf.class.equals(authModuleConfClass.getObject());
+            return 
LDAPDependantAuthModuleConf.class.isAssignableFrom(authModuleConfClass.getObject());
         }
     }
 
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP.html
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP.html
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP.html
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP.html
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP.properties
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_fr_CA.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_fr_CA.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_fr_CA.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_fr_CA.properties
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_it.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_it.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_it.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_it.properties
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_ja.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_ja.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_ja.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_ja.properties
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_pt_BR.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_pt_BR.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_pt_BR.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_pt_BR.properties
diff --git 
a/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_ru.properties
 
b/client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_ru.properties
similarity index 100%
rename from 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$GoogleMfaAuthModuleConfLDAP_ru.properties
rename to 
client/am/console/src/main/resources/org/apache/syncope/client/console/wizards/AuthModuleWizardBuilder$AuthModuleConfLDAP_ru.properties
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
index 8414ba9a6e..bf416cdc9d 100644
--- 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/AuthModuleConf.java
@@ -62,7 +62,7 @@ public interface AuthModuleConf extends BaseBean {
 
         Map<String, Object> map(AuthModuleTO authModule, 
SimpleMfaAuthModuleConf conf);
 
-        Map<String, Object> map(AuthModuleTO authModule, 
JcifsSpnegoAuthModuleConf conf);
+        Map<String, Object> map(AuthModuleTO authModule, SpnegoAuthModuleConf 
conf);
     }
 
     Map<String, Object> map(AuthModuleTO authModule, Mapper mapper);
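Review bot: Replacing the `JcifsSpnegoAuthModuleConf` overload of `map` with one taking `SpnegoAuthModuleConf` renames a public type of the common library on the 3_0_X maintenance branch, and the commit shows no migration for the old name. If stored auth module configurations or REST payloads carry the configuration class name (not visible in this diff), entries written as JcifsSpnegoAuthModuleConf would stop deserializing after an upgrade, and any external Mapper implementation stops compiling. Consider keeping a deprecated JcifsSpnegoAuthModuleConf subtype or adding an upgrade step, and mention the rename in the release notes. The Mapper interface begins outside this hunk.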
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/GoogleMfaAuthModuleConf.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/GoogleMfaAuthModuleConf.java
index 0fa3230002..829fa1d29a 100644
--- 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/GoogleMfaAuthModuleConf.java
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/GoogleMfaAuthModuleConf.java
@@ -23,7 +23,7 @@ import java.util.Map;
 import org.apache.syncope.common.lib.AbstractLDAPConf;
 import org.apache.syncope.common.lib.to.AuthModuleTO;
 
-public class GoogleMfaAuthModuleConf implements MFAAuthModuleConf {
+public class GoogleMfaAuthModuleConf implements MFAAuthModuleConf, 
LDAPDependantAuthModuleConf {
 
     private static final long serialVersionUID = -7883257599139312426L;
 
@@ -77,6 +77,11 @@ public class GoogleMfaAuthModuleConf implements 
MFAAuthModuleConf {
 
     private LDAP ldap;
 
+    @Override
+    public AbstractLDAPConf ldapInstance() {
+        return new GoogleMfaAuthModuleConf.LDAP();
+    }
+
     @Override
     public String getFriendlyName() {
         return "Google Authenticator";
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/LDAPDependantAuthModuleConf.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/LDAPDependantAuthModuleConf.java
new file mode 100644
index 0000000000..117455cf6c
--- /dev/null
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/LDAPDependantAuthModuleConf.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.common.lib.auth;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import org.apache.syncope.common.lib.AbstractLDAPConf;
+
+public interface LDAPDependantAuthModuleConf extends AuthModuleConf {
+
+    @JsonIgnore
+    AbstractLDAPConf ldapInstance();
+}
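Review bot: LDAPDependantAuthModuleConf and ldapInstance() are added without Javadoc, so the contract the console wizard relies on is left implicit. The three implementations in this commit each return a new, empty LDAP object rather than the stored `ldap` field; state that on the method, for example `/** Returns a new, unpopulated LDAP configuration of the type this module expects; never the currently stored one. */`. The interface itself should get a one-line summary saying it marks auth modules that carry an optional nested LDAP configuration. A short comment on why `@JsonIgnore` is present would also help, since the method is not named like a bean getter.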
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/JcifsSpnegoAuthModuleConf.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/SpnegoAuthModuleConf.java
similarity index 91%
rename from 
common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/JcifsSpnegoAuthModuleConf.java
rename to 
common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/SpnegoAuthModuleConf.java
index 06ef008a91..df4431ec1c 100644
--- 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/JcifsSpnegoAuthModuleConf.java
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/SpnegoAuthModuleConf.java
@@ -28,7 +28,7 @@ import org.apache.syncope.common.lib.to.AuthModuleTO;
  * running on Windows running under Active Directory domain credentials. There 
are three actors involved: the client,
  * the CAS server, and the Active Directory Domain Controller/KDC.
  */
-public class JcifsSpnegoAuthModuleConf implements AuthModuleConf {
+public class SpnegoAuthModuleConf implements LDAPDependantAuthModuleConf {
 
     private static final long serialVersionUID = -7775771400312303131L;
 
@@ -63,6 +63,11 @@ public class JcifsSpnegoAuthModuleConf implements 
AuthModuleConf {
      */
     private String kerberosKdc = "172.10.1.10";
 
+    /**
+     * The Jcifs service principal.
+     */
+    private String jcifsServicePrincipal;
+
     /**
      * The Kerberos realm.
      */
@@ -108,7 +113,7 @@ public class JcifsSpnegoAuthModuleConf implements 
AuthModuleConf {
     /**
      * LDAP settings for spnego to validate clients, etc.
      */
-    private LDAP ldap = new LDAP();
+    private LDAP ldap;
 
     /**
      * When validating clients, specifies the DNS timeout used to look up an 
address.
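Review bot: `private LDAP ldap;` now defaults to null where it used to be `new LDAP()`, but the Javadoc above it still reads as if the settings always exist. Record the new meaning in the comment, for example `LDAP settings for spnego to validate clients, etc.; {@code null} when LDAP is not enabled.`, so readers of getLdap() know a null check is required. Any caller outside this diff that dereferences getLdap() directly would need that check as well; none are visible here.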
@@ -164,6 +169,34 @@ public class JcifsSpnegoAuthModuleConf implements 
AuthModuleConf {
      */
     private String poolTimeout = "PT2S";
 
+    /**
+     * Activated attribute repository identifiers that should be used for 
fetching attributes if attribute resolution is
+     * enabled.
+     * The list here may include identifiers separated by comma.
+     */
+    private String attributeRepoId;
+
+    @Override
+    public AbstractLDAPConf ldapInstance() {
+        return new SpnegoAuthModuleConf.LDAP();
+    }
+
+    public String getJcifsServicePrincipal() {
+        return jcifsServicePrincipal;
+    }
+
+    public void setJcifsServicePrincipal(final String jcifsServicePrincipal) {
+        this.jcifsServicePrincipal = jcifsServicePrincipal;
+    }
+
+    public String getAttributeRepoId() {
+        return attributeRepoId;
+    }
+
+    public void setAttributeRepoId(final String attributeRepoId) {
+        this.attributeRepoId = attributeRepoId;
+    }
+
     public String getLoginConf() {
         return loginConf;
     }
diff --git 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/X509AuthModuleConf.java
 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/X509AuthModuleConf.java
index c6ef6fc6bb..33fbba8ee4 100644
--- 
a/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/X509AuthModuleConf.java
+++ 
b/common/am/lib/src/main/java/org/apache/syncope/common/lib/auth/X509AuthModuleConf.java
@@ -31,7 +31,7 @@ import 
org.apache.syncope.common.lib.types.X509RevocationCheckerType;
 import org.apache.syncope.common.lib.types.X509RevocationFetcherType;
 import org.apache.syncope.common.lib.types.X509SubjectDnFormat;
 
-public class X509AuthModuleConf implements AuthModuleConf {
+public class X509AuthModuleConf implements LDAPDependantAuthModuleConf {
 
     private static final long serialVersionUID = 1915254775199296906L;
 
@@ -240,6 +240,11 @@ public class X509AuthModuleConf implements AuthModuleConf {
 
     private LDAP ldap;
 
+    @Override
+    public AbstractLDAPConf ldapInstance() {
+        return new X509AuthModuleConf.LDAP();
+    }
+
     public String getName() {
         return name;
     }
diff --git 
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
 
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
index 695f5f1a2a..0ef61cf4d2 100644
--- 
a/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
+++ 
b/wa/bootstrap/src/main/java/org/apache/syncope/wa/bootstrap/mapping/AuthModulePropertySourceMapper.java
@@ -33,13 +33,13 @@ import 
org.apache.syncope.common.lib.auth.GoogleMfaAuthModuleConf;
 import org.apache.syncope.common.lib.auth.GoogleOIDCAuthModuleConf;
 import org.apache.syncope.common.lib.auth.JDBCAuthModuleConf;
 import org.apache.syncope.common.lib.auth.JaasAuthModuleConf;
-import org.apache.syncope.common.lib.auth.JcifsSpnegoAuthModuleConf;
 import org.apache.syncope.common.lib.auth.KeycloakOIDCAuthModuleConf;
 import org.apache.syncope.common.lib.auth.LDAPAuthModuleConf;
 import org.apache.syncope.common.lib.auth.OAuth20AuthModuleConf;
 import org.apache.syncope.common.lib.auth.OIDCAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SAML2IdPAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SimpleMfaAuthModuleConf;
+import org.apache.syncope.common.lib.auth.SpnegoAuthModuleConf;
 import org.apache.syncope.common.lib.auth.StaticAuthModuleConf;
 import org.apache.syncope.common.lib.auth.SyncopeAuthModuleConf;
 import org.apache.syncope.common.lib.auth.U2FAuthModuleConf;
@@ -70,6 +70,7 @@ import 
org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jGoogleOidcClie
 import 
org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jKeyCloakOidcClientProperties;
 import 
org.apereo.cas.configuration.model.support.pac4j.oidc.Pac4jOidcClientProperties;
 import 
org.apereo.cas.configuration.model.support.pac4j.saml.Pac4jSamlClientProperties;
+import 
org.apereo.cas.configuration.model.support.spnego.SpnegoAuthenticationProperties;
 import org.apereo.cas.configuration.model.support.spnego.SpnegoLdapProperties;
 import org.apereo.cas.configuration.model.support.spnego.SpnegoProperties;
 import 
org.apereo.cas.configuration.model.support.syncope.SyncopeAuthenticationProperties;
@@ -471,11 +472,15 @@ public class AuthModulePropertySourceMapper extends 
PropertySourceMapper impleme
     }
 
     @Override
-    public Map<String, Object> map(final AuthModuleTO authModuleTO, final 
JcifsSpnegoAuthModuleConf conf) {
+    public Map<String, Object> map(final AuthModuleTO authModuleTO, final 
SpnegoAuthModuleConf conf) {
         SpnegoProperties props = new SpnegoProperties();
         props.setName(authModuleTO.getKey());
         props.setOrder(authModuleTO.getOrder());
 
+        SpnegoAuthenticationProperties jcifsProperties = new 
SpnegoAuthenticationProperties();
+        
jcifsProperties.setJcifsServicePrincipal(conf.getJcifsServicePrincipal());
+        props.getProperties().add(jcifsProperties);
+
         props.setMixedModeAuthentication(conf.isMixedModeAuthentication());
         props.setIpsToCheckPattern(conf.getIpsToCheckPattern());
         
props.setSend401OnAuthenticationFailure(conf.isSend401OnAuthenticationFailure());
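Review bot: `jcifsProperties.setJcifsServicePrincipal(conf.getJcifsServicePrincipal())` copies the new field unconditionally, and the field has no default, so a configuration saved before this change or left empty in the wizard adds a SpnegoAuthenticationProperties entry with a null principal. Whether CasCoreConfigurationUtils.asMap drops null values is not visible here, so it is safer to add the entry only when a principal is set: `if (conf.getJcifsServicePrincipal() != null) { ... props.getProperties().add(jcifsProperties); }`. The same applies to `props.getPrincipal().setActiveAttributeRepositoryIds(conf.getAttributeRepoId())` in the next hunk of this method, which may replace the CAS default with null when attributeRepoId is unset. The method body continues outside this hunk.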
@@ -502,8 +507,12 @@ public class AuthModulePropertySourceMapper extends 
PropertySourceMapper impleme
             SpnegoLdapProperties ldapProps = new SpnegoLdapProperties();
             fill(ldapProps, conf.getLdap());
             props.setLdap(ldapProps);
+        } else {
+            props.setLdap(null);
         }
 
+        
props.getPrincipal().setActiveAttributeRepositoryIds(conf.getAttributeRepoId());
+
         return prefix("cas.authn.spnego.", 
CasCoreConfigurationUtils.asMap(props));
     }
 }
