123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508 |
- /*
- * Copyright 2012 John Crygier
- * Copyright 2012 gitblit.com
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- package com.gitblit.auth;
-
- import java.net.URI;
- import java.net.URISyntaxException;
- import java.security.GeneralSecurityException;
- import java.util.Arrays;
- import java.util.HashMap;
- import java.util.List;
- import java.util.Map;
- import java.util.concurrent.TimeUnit;
- import java.util.concurrent.atomic.AtomicLong;
-
- import com.gitblit.Constants;
- import com.gitblit.Constants.AccountType;
- import com.gitblit.Keys;
- import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider;
- import com.gitblit.models.TeamModel;
- import com.gitblit.models.UserModel;
- import com.gitblit.utils.ArrayUtils;
- import com.gitblit.utils.StringUtils;
- import com.unboundid.ldap.sdk.Attribute;
- import com.unboundid.ldap.sdk.DereferencePolicy;
- import com.unboundid.ldap.sdk.ExtendedResult;
- import com.unboundid.ldap.sdk.LDAPConnection;
- import com.unboundid.ldap.sdk.LDAPException;
- import com.unboundid.ldap.sdk.LDAPSearchException;
- import com.unboundid.ldap.sdk.ResultCode;
- import com.unboundid.ldap.sdk.SearchRequest;
- import com.unboundid.ldap.sdk.SearchResult;
- import com.unboundid.ldap.sdk.SearchResultEntry;
- import com.unboundid.ldap.sdk.SearchScope;
- import com.unboundid.ldap.sdk.SimpleBindRequest;
- import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
- import com.unboundid.util.ssl.SSLUtil;
- import com.unboundid.util.ssl.TrustAllTrustManager;
-
- /**
- * Implementation of an LDAP user service.
- *
- * @author John Crygier
- */
- public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {
-
- private AtomicLong lastLdapUserSync = new AtomicLong(0L);
-
- public LdapAuthProvider() {
- super("ldap");
- }
-
- private long getSynchronizationPeriod() {
- final String cacheDuration = settings.getString(Keys.realm.ldap.ldapCachePeriod, "2 MINUTES");
- try {
- final String[] s = cacheDuration.split(" ", 2);
- long duration = Long.parseLong(s[0]);
- TimeUnit timeUnit = TimeUnit.valueOf(s[1]);
- return timeUnit.toMillis(duration);
- } catch (RuntimeException ex) {
- throw new IllegalArgumentException(Keys.realm.ldap.ldapCachePeriod + " must have format '<long> <TimeUnit>' where <TimeUnit> is one of 'MILLISECONDS', 'SECONDS', 'MINUTES', 'HOURS', 'DAYS'");
- }
- }
-
- @Override
- public void setup() {
- synchronizeLdapUsers();
- }
-
- protected synchronized void synchronizeLdapUsers() {
- final boolean enabled = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.enable, false);
- if (enabled) {
- if (System.currentTimeMillis() > (lastLdapUserSync.get() + getSynchronizationPeriod())) {
- logger.info("Synchronizing with LDAP @ " + settings.getRequiredString(Keys.realm.ldap.server));
- final boolean deleteRemovedLdapUsers = settings.getBoolean(Keys.realm.ldap.synchronizeUsers.removeDeleted, true);
- LDAPConnection ldapConnection = getLdapConnection();
- if (ldapConnection != null) {
- try {
- String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
- String uidAttribute = settings.getString(Keys.realm.ldap.uid, "uid");
- String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
- accountPattern = StringUtils.replace(accountPattern, "${username}", "*");
-
- SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
- if (result != null && result.getEntryCount() > 0) {
- final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>();
-
- for (SearchResultEntry loggingInUser : result.getSearchEntries()) {
-
- final String username = loggingInUser.getAttribute(uidAttribute).getValue();
- logger.debug("LDAP synchronizing: " + username);
-
- UserModel user = userManager.getUserModel(username);
- if (user == null) {
- user = new UserModel(username);
- }
-
- if (!supportsTeamMembershipChanges()) {
- getTeamsFromLdap(ldapConnection, username, loggingInUser, user);
- }
-
- // Get User Attributes
- setUserAttributes(user, loggingInUser);
-
- // store in map
- ldapUsers.put(username.toLowerCase(), user);
- }
-
- if (deleteRemovedLdapUsers) {
- logger.debug("detecting removed LDAP users...");
-
- for (UserModel userModel : userManager.getAllUsers()) {
- if (Constants.EXTERNAL_ACCOUNT.equals(userModel.password)) {
- if (!ldapUsers.containsKey(userModel.username)) {
- logger.info("deleting removed LDAP user " + userModel.username + " from user service");
- userManager.deleteUser(userModel.username);
- }
- }
- }
- }
-
- userManager.updateUserModels(ldapUsers.values());
-
- if (!supportsTeamMembershipChanges()) {
- final Map<String, TeamModel> userTeams = new HashMap<String, TeamModel>();
- for (UserModel user : ldapUsers.values()) {
- for (TeamModel userTeam : user.teams) {
- userTeams.put(userTeam.name, userTeam);
- }
- }
- userManager.updateTeamModels(userTeams.values());
- }
- }
- lastLdapUserSync.set(System.currentTimeMillis());
- } finally {
- ldapConnection.close();
- }
- }
- }
- }
- }
-
- private LDAPConnection getLdapConnection() {
- try {
-
- URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
- String ldapHost = ldapUrl.getHost();
- int ldapPort = ldapUrl.getPort();
- String bindUserName = settings.getString(Keys.realm.ldap.username, "");
- String bindPassword = settings.getString(Keys.realm.ldap.password, "");
-
-
- LDAPConnection conn;
- if (ldapUrl.getScheme().equalsIgnoreCase("ldaps")) {
- // SSL
- SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
- conn = new LDAPConnection(sslUtil.createSSLSocketFactory());
- } else if (ldapUrl.getScheme().equalsIgnoreCase("ldap") || ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
- // no encryption or StartTLS
- conn = new LDAPConnection();
- } else {
- logger.error("Unsupported LDAP URL scheme: " + ldapUrl.getScheme());
- return null;
- }
-
- conn.connect(ldapHost, ldapPort);
-
- if (ldapUrl.getScheme().equalsIgnoreCase("ldap+tls")) {
- SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
- ExtendedResult extendedResult = conn.processExtendedOperation(
- new StartTLSExtendedRequest(sslUtil.createSSLContext()));
- if (extendedResult.getResultCode() != ResultCode.SUCCESS) {
- throw new LDAPException(extendedResult.getResultCode());
- }
- }
-
- if (!StringUtils.isEmpty(bindUserName) || !StringUtils.isEmpty(bindPassword)) {
- conn.bind(new SimpleBindRequest(bindUserName, bindPassword));
- }
-
- return conn;
-
- } catch (URISyntaxException e) {
- logger.error("Bad LDAP URL, should be in the form: ldap(s|+tls)://<server>:<port>", e);
- } catch (GeneralSecurityException e) {
- logger.error("Unable to create SSL Connection", e);
- } catch (LDAPException e) {
- logger.error("Error Connecting to LDAP", e);
- }
-
- return null;
- }
-
- /**
- * Credentials are defined in the LDAP server and can not be manipulated
- * from Gitblit.
- *
- * @return false
- * @since 1.0.0
- */
- @Override
- public boolean supportsCredentialChanges() {
- return false;
- }
-
- /**
- * If no displayName pattern is defined then Gitblit can manage the display name.
- *
- * @return true if Gitblit can manage the user display name
- * @since 1.0.0
- */
- @Override
- public boolean supportsDisplayNameChanges() {
- return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.displayName, ""));
- }
-
- /**
- * If no email pattern is defined then Gitblit can manage the email address.
- *
- * @return true if Gitblit can manage the user email address
- * @since 1.0.0
- */
- @Override
- public boolean supportsEmailAddressChanges() {
- return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));
- }
-
-
- /**
- * If the LDAP server will maintain team memberships then LdapUserService
- * will not allow team membership changes. In this scenario all team
- * changes must be made on the LDAP server by the LDAP administrator.
- *
- * @return true or false
- * @since 1.0.0
- */
- @Override
- public boolean supportsTeamMembershipChanges() {
- return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
- }
-
- @Override
- public AccountType getAccountType() {
- return AccountType.LDAP;
- }
-
- @Override
- public UserModel authenticate(String username, char[] password) {
- String simpleUsername = getSimpleUsername(username);
-
- LDAPConnection ldapConnection = getLdapConnection();
- if (ldapConnection != null) {
- try {
- // Find the logging in user's DN
- String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
- String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
- accountPattern = StringUtils.replace(accountPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
-
- SearchResult result = doSearch(ldapConnection, accountBase, accountPattern);
- if (result != null && result.getEntryCount() == 1) {
- SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
- String loggingInUserDN = loggingInUser.getDN();
-
- if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
- logger.debug("LDAP authenticated: " + username);
-
- UserModel user = null;
- synchronized (this) {
- user = userManager.getUserModel(simpleUsername);
- if (user == null) // create user object for new authenticated user
- user = new UserModel(simpleUsername);
-
- // create a user cookie
- if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
- user.cookie = StringUtils.getSHA1(user.username + new String(password));
- }
-
- if (!supportsTeamMembershipChanges())
- getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
-
- // Get User Attributes
- setUserAttributes(user, loggingInUser);
-
- // Push the ldap looked up values to backing file
- updateUser(user);
-
- if (!supportsTeamMembershipChanges()) {
- for (TeamModel userTeam : user.teams)
- updateTeam(userTeam);
- }
- }
-
- return user;
- }
- }
- } finally {
- ldapConnection.close();
- }
- }
- return null;
- }
-
- /**
- * Set the admin attribute from team memberships retrieved from LDAP.
- * If we are not storing teams in LDAP and/or we have not defined any
- * administrator teams, then do not change the admin flag.
- *
- * @param user
- */
- private void setAdminAttribute(UserModel user) {
- if (!supportsTeamMembershipChanges()) {
- List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
- // if we have defined administrative teams, then set admin flag
- // otherwise leave admin flag unchanged
- if (!ArrayUtils.isEmpty(admins)) {
- user.canAdmin = false;
- for (String admin : admins) {
- if (admin.startsWith("@")) { // Team
- if (user.getTeam(admin.substring(1)) != null)
- user.canAdmin = true;
- } else
- if (user.getName().equalsIgnoreCase(admin))
- user.canAdmin = true;
- }
- }
- }
- }
-
- private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {
- // Is this user an admin?
- setAdminAttribute(user);
-
- // Don't want visibility into the real password, make up a dummy
- user.password = Constants.EXTERNAL_ACCOUNT;
- user.accountType = getAccountType();
-
- // Get full name Attribute
- String displayName = settings.getString(Keys.realm.ldap.displayName, "");
- if (!StringUtils.isEmpty(displayName)) {
- // Replace embedded ${} with attributes
- if (displayName.contains("${")) {
- for (Attribute userAttribute : userEntry.getAttributes())
- displayName = StringUtils.replace(displayName, "${" + userAttribute.getName() + "}", userAttribute.getValue());
-
- user.displayName = displayName;
- } else {
- Attribute attribute = userEntry.getAttribute(displayName);
- if (attribute != null && attribute.hasValue()) {
- user.displayName = attribute.getValue();
- }
- }
- }
-
- // Get email address Attribute
- String email = settings.getString(Keys.realm.ldap.email, "");
- if (!StringUtils.isEmpty(email)) {
- if (email.contains("${")) {
- for (Attribute userAttribute : userEntry.getAttributes())
- email = StringUtils.replace(email, "${" + userAttribute.getName() + "}", userAttribute.getValue());
-
- user.emailAddress = email;
- } else {
- Attribute attribute = userEntry.getAttribute(email);
- if (attribute != null && attribute.hasValue()) {
- user.emailAddress = attribute.getValue();
- }
- }
- }
- }
-
- private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {
- String loggingInUserDN = loggingInUser.getDN();
-
- user.teams.clear(); // Clear the users team memberships - we're going to get them from LDAP
- String groupBase = settings.getString(Keys.realm.ldap.groupBase, "");
- String groupMemberPattern = settings.getString(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
-
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${dn}", escapeLDAPSearchFilter(loggingInUserDN));
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
-
- // Fill in attributes into groupMemberPattern
- for (Attribute userAttribute : loggingInUser.getAttributes()) {
- groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));
- }
-
- SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));
- if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {
- for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {
- SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);
- String teamName = teamEntry.getAttribute("cn").getValue();
-
- TeamModel teamModel = userManager.getTeamModel(teamName);
- if (teamModel == null) {
- teamModel = createTeamFromLdap(teamEntry);
- }
-
- user.teams.add(teamModel);
- teamModel.addUser(user.getName());
- }
- }
- }
-
- private TeamModel createTeamFromLdap(SearchResultEntry teamEntry) {
- TeamModel answer = new TeamModel(teamEntry.getAttributeValue("cn"));
- answer.accountType = getAccountType();
- // potentially retrieve other attributes here in the future
-
- return answer;
- }
-
- private SearchResult doSearch(LDAPConnection ldapConnection, String base, String filter) {
- try {
- return ldapConnection.search(base, SearchScope.SUB, filter);
- } catch (LDAPSearchException e) {
- logger.error("Problem Searching LDAP", e);
-
- return null;
- }
- }
-
- private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {
- try {
- SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);
- if (dereferenceAliases) {
- searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);
- }
- if (attributes != null) {
- searchRequest.setAttributes(attributes);
- }
- return ldapConnection.search(searchRequest);
-
- } catch (LDAPSearchException e) {
- logger.error("Problem Searching LDAP", e);
-
- return null;
- } catch (LDAPException e) {
- logger.error("Problem creating LDAP search", e);
- return null;
- }
- }
-
- private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
- try {
- // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
- ldapConnection.bind(userDn, password);
- return true;
- } catch (LDAPException e) {
- logger.error("Error authenticating user", e);
- return false;
- }
- }
-
- /**
- * Returns a simple username without any domain prefixes.
- *
- * @param username
- * @return a simple username
- */
- protected String getSimpleUsername(String username) {
- int lastSlash = username.lastIndexOf('\\');
- if (lastSlash > -1) {
- username = username.substring(lastSlash + 1);
- }
-
- return username;
- }
-
- // From: https://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
- public static final String escapeLDAPSearchFilter(String filter) {
- StringBuilder sb = new StringBuilder();
- for (int i = 0; i < filter.length(); i++) {
- char curChar = filter.charAt(i);
- switch (curChar) {
- case '\\':
- sb.append("\\5c");
- break;
- case '*':
- sb.append("\\2a");
- break;
- case '(':
- sb.append("\\28");
- break;
- case ')':
- sb.append("\\29");
- break;
- case '\u0000':
- sb.append("\\00");
- break;
- default:
- sb.append(curChar);
- }
- }
- return sb.toString();
- }
- }
|