3 * Copyright (C) 2009-2019 SonarSource SA
4 * mailto:info AT sonarsource DOT com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 3 of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 package org.sonar.server.authentication;
22 import java.util.Collection;
23 import java.util.HashSet;
24 import java.util.Locale;
25 import java.util.Optional;
26 import javax.servlet.http.HttpServletRequest;
27 import org.sonar.api.Startable;
28 import org.sonar.api.config.Configuration;
29 import org.sonar.api.security.Authenticator;
30 import org.sonar.api.security.ExternalGroupsProvider;
31 import org.sonar.api.security.ExternalUsersProvider;
32 import org.sonar.api.security.SecurityRealm;
33 import org.sonar.api.security.UserDetails;
34 import org.sonar.api.server.authentication.Display;
35 import org.sonar.api.server.authentication.IdentityProvider;
36 import org.sonar.api.server.authentication.UserIdentity;
37 import org.sonar.api.utils.log.Logger;
38 import org.sonar.api.utils.log.Loggers;
39 import org.sonar.db.user.UserDto;
40 import org.sonar.server.authentication.UserRegistration.ExistingEmailStrategy;
41 import org.sonar.server.authentication.event.AuthenticationEvent;
42 import org.sonar.server.authentication.event.AuthenticationEvent.Source;
43 import org.sonar.server.authentication.event.AuthenticationException;
44 import org.sonar.server.user.SecurityRealmFactory;
46 import static java.util.Objects.requireNonNull;
47 import static org.apache.commons.lang.StringUtils.isEmpty;
48 import static org.apache.commons.lang.StringUtils.trimToNull;
49 import static org.sonar.server.user.ExternalIdentity.SQ_AUTHORITY;
52 * Delegates the validation of credentials to an external system, e.g. LDAP.
54 public class CredentialsExternalAuthentication implements Startable {
56 private static final Logger LOG = Loggers.get(CredentialsExternalAuthentication.class);
58 private final Configuration config;
59 private final SecurityRealmFactory securityRealmFactory;
60 private final UserRegistrar userRegistrar;
61 private final AuthenticationEvent authenticationEvent;
63 private SecurityRealm realm;
64 private Authenticator authenticator;
65 private ExternalUsersProvider externalUsersProvider;
66 private ExternalGroupsProvider externalGroupsProvider;
68 public CredentialsExternalAuthentication(Configuration config, SecurityRealmFactory securityRealmFactory,
69 UserRegistrar userRegistrar, AuthenticationEvent authenticationEvent) {
71 this.securityRealmFactory = securityRealmFactory;
72 this.userRegistrar = userRegistrar;
73 this.authenticationEvent = authenticationEvent;
78 realm = securityRealmFactory.getRealm();
80 authenticator = requireNonNull(realm.doGetAuthenticator(), "No authenticator available");
81 externalUsersProvider = requireNonNull(realm.getUsersProvider(), "No users provider available");
82 externalGroupsProvider = realm.getGroupsProvider();
86 public Optional<UserDto> authenticate(Credentials credentials, HttpServletRequest request, AuthenticationEvent.Method method) {
88 return Optional.empty();
90 return Optional.of(doAuthenticate(fixCase(credentials), request, method));
93 private UserDto doAuthenticate(Credentials credentials, HttpServletRequest request, AuthenticationEvent.Method method) {
95 ExternalUsersProvider.Context externalUsersProviderContext = new ExternalUsersProvider.Context(credentials.getLogin(), request);
96 UserDetails details = externalUsersProvider.doGetUserDetails(externalUsersProviderContext);
97 if (details == null) {
98 throw AuthenticationException.newBuilder()
99 .setSource(realmEventSource(method))
100 .setLogin(credentials.getLogin())
101 .setMessage("No user details")
104 Authenticator.Context authenticatorContext = new Authenticator.Context(credentials.getLogin(), credentials.getPassword().orElse(null), request);
105 boolean status = authenticator.doAuthenticate(authenticatorContext);
107 throw AuthenticationException.newBuilder()
108 .setSource(realmEventSource(method))
109 .setLogin(credentials.getLogin())
110 .setMessage("Realm returned authenticate=false")
113 UserDto userDto = synchronize(credentials.getLogin(), details, request, method);
114 authenticationEvent.loginSuccess(request, credentials.getLogin(), realmEventSource(method));
116 } catch (AuthenticationException e) {
118 } catch (Exception e) {
119 // It seems that with Realm API it's expected to log the error and to not authenticate the user
120 LOG.error("Error during authentication", e);
121 throw AuthenticationException.newBuilder()
122 .setSource(realmEventSource(method))
123 .setLogin(credentials.getLogin())
124 .setMessage(e.getMessage())
129 private Source realmEventSource(AuthenticationEvent.Method method) {
130 return Source.realm(method, realm.getName());
133 private UserDto synchronize(String userLogin, UserDetails details, HttpServletRequest request, AuthenticationEvent.Method method) {
134 String name = details.getName();
135 UserIdentity.Builder userIdentityBuilder = UserIdentity.builder()
137 .setName(isEmpty(name) ? userLogin : name)
138 .setEmail(trimToNull(details.getEmail()))
139 .setProviderLogin(userLogin);
140 if (externalGroupsProvider != null) {
141 ExternalGroupsProvider.Context context = new ExternalGroupsProvider.Context(userLogin, request);
142 Collection<String> groups = externalGroupsProvider.doGetGroups(context);
143 userIdentityBuilder.setGroups(new HashSet<>(groups));
145 return userRegistrar.register(
146 UserRegistration.builder()
147 .setUserIdentity(userIdentityBuilder.build())
148 .setProvider(new ExternalIdentityProvider())
149 .setSource(realmEventSource(method))
150 .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
154 private Credentials fixCase(Credentials credentials) {
155 if (config.getBoolean("sonar.authenticator.downcase").orElse(false)) {
156 return new Credentials(credentials.getLogin().toLowerCase(Locale.ENGLISH), credentials.getPassword().orElse(null));
161 private static class ExternalIdentityProvider implements IdentityProvider {
163 public String getKey() {
168 public String getName() {
173 public Display getDisplay() {
178 public boolean isEnabled() {
183 public boolean allowsUsersToSignUp() {