From 846a0a04b6ae681033b3e7a0900c8c4d927cf441 Mon Sep 17 00:00:00 2001 From: Ancoron Luciferis Date: Mon, 24 Nov 2014 18:09:10 +0100 Subject: [PATCH] [jaas/modules] Add configuration parameter 'role.mapping' for LDAP integration --- .../karaf/jaas/modules/ldap/LDAPLoginModule.java | 66 +++++++++++++++- .../jaas/modules/ldap/LdapLoginModuleTest.java | 92 ++++++++++++++++++++++ 2 files changed, 157 insertions(+), 1 deletion(-) diff --git a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java index e77a38f..f7cab8b 100644 --- a/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java +++ b/jaas/modules/src/main/java/org/apache/karaf/jaas/modules/ldap/LDAPLoginModule.java @@ -33,10 +33,12 @@ import javax.security.auth.login.LoginException; import java.io.IOException; import java.security.Principal; import java.util.ArrayList; +import java.util.HashMap; import java.util.HashSet; import java.util.Hashtable; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.concurrent.Callable; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -60,6 +62,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { public final static String ROLE_FILTER = "role.filter"; public final static String ROLE_NAME_ATTRIBUTE = "role.name.attribute"; public final static String ROLE_SEARCH_SUBTREE = "role.search.subtree"; + public final static String ROLE_MAPPING = "role.mapping"; public final static String AUTHENTICATION = "authentication"; public final static String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords"; public final static String INITIAL_CONTEXT_FACTORY = "initial.context.factory"; @@ -85,6 +88,7 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { private String roleFilter; private String roleNameAttribute; private boolean roleSearchSubtree = true; + private Map> roleMapping; private String authentication = DEFAULT_AUTHENTICATION; private boolean allowEmptyPasswords = false; private String initialContextFactory = null; @@ -109,6 +113,8 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { roleFilter = (String) options.get(ROLE_FILTER); roleNameAttribute = (String) options.get(ROLE_NAME_ATTRIBUTE); roleSearchSubtree = Boolean.parseBoolean((String) options.get(ROLE_SEARCH_SUBTREE)); + String roleMappingOption = (String) options.get(ROLE_MAPPING); + roleMapping = parseRoleMapping(roleMappingOption); initialContextFactory = (String) options.get(INITIAL_CONTEXT_FACTORY); if (initialContextFactory == null) { initialContextFactory = DEFAULT_INITIAL_CONTEXT_FACTORY; @@ -139,6 +145,32 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { } } + private Map> parseRoleMapping(String option) { + Map> rm = new HashMap>(); + + if (option != null) { + if (logger.isDebugEnabled()) { + logger.debug("Parsing role mapping: " + option); + } + + String[] mappings = option.split(";"); + for (String mapping : mappings) { + String[] m = mapping.split("=", 2); + String remoteRole = m[0]; + String[] karafRoles = m[1].split(","); + if (rm.get(remoteRole) == null) { + rm.put(remoteRole, new HashSet()); + } + final Set kr = rm.get(remoteRole); + for (String r : karafRoles) { + kr.add(r); + } + } + } + + return rm; + } + public boolean login() throws LoginException { ClassLoader tccl = Thread.currentThread().getContextClassLoader(); try { @@ -340,7 +372,18 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { for (int i = 0; i < roles.size(); i++) { String role = (String) roles.get(i); if (role != null) { - rolesList.add(role); + if (logger.isDebugEnabled()) { + logger.debug("User '" + user + "' is a member of role '" + role + "'"); + } + // handle role mapping... + Set mapped = tryMapRole(role); + if (mapped.isEmpty()) { + rolesList.add(role); + } else { + for (String r : mapped) { + rolesList.add(r); + } + } } } } @@ -367,6 +410,27 @@ public class LDAPLoginModule extends AbstractKarafLoginModule { return true; } + protected Set tryMapRole(String roleName) { + Set roles = new HashSet(); + + if (roleMapping == null || roleMapping.isEmpty()) { + return roles; + } + + Set karafRoles = roleMapping.get(roleName); + if (karafRoles != null) { + // add all mapped roles... + for (String karafRole : karafRoles) { + if (logger.isDebugEnabled()) { + logger.debug("Remote role '" + roleName + "' is mapped to karaf role '" + karafRole + "'"); + } + roles.add(karafRole); + } + } + + return roles; + } + protected void setupSsl(Hashtable env) throws LoginException { ServiceReference ref = null; try { diff --git a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java index 0f24705..afe72b4 100644 --- a/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java +++ b/jaas/modules/src/test/java/org/apache/karaf/jaas/modules/ldap/LdapLoginModuleTest.java @@ -37,6 +37,10 @@ import javax.security.auth.login.LoginException; import java.io.File; import java.io.IOException; import java.security.Principal; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertEquals; @@ -216,5 +220,93 @@ public class LdapLoginModuleTest extends AbstractLdapTestUnit { assertTrue(e.getMessage().equals("Empty passwords not allowed")); } } + + public void testRoleMappingSimple() throws Exception { + Properties options = ldapLoginModuleOptions(); + options.put(LDAPLoginModule.ROLE_MAPPING, "admin=karaf"); + LDAPLoginModule module = new LDAPLoginModule(); + CallbackHandler cb = new CallbackHandler() { + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : callbacks) { + if (cb instanceof NameCallback) { + ((NameCallback) cb).setName("admin"); + } else if (cb instanceof PasswordCallback) { + ((PasswordCallback) cb).setPassword("admin123".toCharArray()); + } + } + } + }; + Subject subject = new Subject(); + module.initialize(subject, cb, null, options); + + assertEquals("Precondition", 0, subject.getPrincipals().size()); + assertTrue(module.login()); + assertTrue(module.commit()); + + assertEquals(2, subject.getPrincipals().size()); + + boolean foundUser = false; + boolean foundRole = false; + for (Principal pr : subject.getPrincipals()) { + if (pr instanceof UserPrincipal) { + assertEquals("admin", pr.getName()); + foundUser = true; + } else if (pr instanceof RolePrincipal) { + assertEquals("karaf", pr.getName()); + foundRole = true; + } + } + assertTrue(foundUser); + assertTrue(foundRole); + + assertTrue(module.logout()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + } + + @Test + public void testRoleMappingAdvanced() throws Exception { + Properties options = ldapLoginModuleOptions(); + options.put(LDAPLoginModule.ROLE_MAPPING, "admin=karaf,test;admin=another"); + LDAPLoginModule module = new LDAPLoginModule(); + CallbackHandler cb = new CallbackHandler() { + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : callbacks) { + if (cb instanceof NameCallback) { + ((NameCallback) cb).setName("admin"); + } else if (cb instanceof PasswordCallback) { + ((PasswordCallback) cb).setPassword("admin123".toCharArray()); + } + } + } + }; + Subject subject = new Subject(); + module.initialize(subject, cb, null, options); + + assertEquals("Precondition", 0, subject.getPrincipals().size()); + assertTrue(module.login()); + assertTrue(module.commit()); + + assertEquals(4, subject.getPrincipals().size()); + + final List roles = new ArrayList(Arrays.asList("karaf", "test", "another")); + + boolean foundUser = false; + boolean foundRole = false; + for (Principal pr : subject.getPrincipals()) { + if (pr instanceof UserPrincipal) { + assertEquals("admin", pr.getName()); + foundUser = true; + } else if (pr instanceof RolePrincipal) { + assertTrue(roles.remove(pr.getName())); + foundRole = true; + } + } + assertTrue(foundUser); + assertTrue(foundRole); + assertTrue(roles.isEmpty()); + + assertTrue(module.logout()); + assertEquals("Principals should be gone as the user has logged out", 0, subject.getPrincipals().size()); + } } \ No newline at end of file -- 1.9.1