mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29003 Commits
59 Branches
Tree: 274c9faaf5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '274c9faaf5'
${ noResults }
sonarqube/server/sonar-auth-ldap/src/main/java/org/sonar/auth/ldap/LdapAuthenticator.java

LdapAuthenticator.java 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2019 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.ldap;

  21. 

  22. import java.util.Map;

  23. import javax.naming.NamingException;

  24. import javax.naming.directory.InitialDirContext;

  25. import javax.naming.directory.SearchResult;

  26. import javax.security.auth.login.Configuration;

  27. import javax.security.auth.login.LoginContext;

  28. import javax.security.auth.login.LoginException;

  29. import org.apache.commons.lang.StringUtils;

  30. import org.sonar.api.security.Authenticator;

  31. import org.sonar.api.utils.log.Logger;

  32. import org.sonar.api.utils.log.Loggers;

  33. 

  34. /**

  35.  * @author Evgeny Mandrikov

  36.  */

  37. public class LdapAuthenticator extends Authenticator {

  38. 

  39.   private static final Logger LOG = Loggers.get(LdapAuthenticator.class);

  40.   private final Map<String, LdapContextFactory> contextFactories;

  41.   private final Map<String, LdapUserMapping> userMappings;

  42. 

  43.   public LdapAuthenticator(Map<String, LdapContextFactory> contextFactories, Map<String, LdapUserMapping> userMappings) {

  44.     this.contextFactories = contextFactories;

  45.     this.userMappings = userMappings;

  46.   }

  47. 

  48.   @Override

  49.   public boolean doAuthenticate(Context context) {

  50.     return authenticate(context.getUsername(), context.getPassword());

  51.   }

  52. 

  53.   /**

  54.    * Authenticate the user against LDAP servers until first success.

  55.    * @param login The login to use.

  56.    * @param password The password to use.

  57.    * @return false if specified user cannot be authenticated with specified password on any LDAP server

  58.    */

  59.   public boolean authenticate(String login, String password) {

  60.     for (String ldapKey : userMappings.keySet()) {

  61.       final String principal;

  62.       if (contextFactories.get(ldapKey).isSasl()) {

  63.         principal = login;

  64.       } else {

  65.         final SearchResult result;

  66.         try {

  67.           result = userMappings.get(ldapKey).createSearch(contextFactories.get(ldapKey), login).findUnique();

  68.         } catch (NamingException e) {

  69.           LOG.debug("User {} not found in server {}: {}", login, ldapKey, e.getMessage());

  70.           continue;

  71.         }

  72.         if (result == null) {

  73.           LOG.debug("User {} not found in {}", login, ldapKey);

  74.           continue;

  75.         }

  76.         principal = result.getNameInNamespace();

  77.       }

  78.       boolean passwordValid;

  79.       if (contextFactories.get(ldapKey).isGssapi()) {

  80.         passwordValid = checkPasswordUsingGssapi(principal, password, ldapKey);

  81.       } else {

  82.         passwordValid = checkPasswordUsingBind(principal, password, ldapKey);

  83.       }

  84.       if (passwordValid) {

  85.         return true;

  86.       }

  87.     }

  88.     LOG.debug("User {} not found", login);

  89.     return false;

  90.   }

  91. 

  92.   private boolean checkPasswordUsingBind(String principal, String password, String ldapKey) {

  93.     if (StringUtils.isEmpty(password)) {

  94.       LOG.debug("Password is blank.");

  95.       return false;

  96.     }

  97.     InitialDirContext context = null;

  98.     try {

  99.       context = contextFactories.get(ldapKey).createUserContext(principal, password);

  100.       return true;

  101.     } catch (NamingException e) {

  102.       LOG.debug("Password not valid for user {} in server {}: {}", principal, ldapKey, e.getMessage());

  103.       return false;

  104.     } finally {

  105.       ContextHelper.closeQuietly(context);

  106.     }

  107.   }

  108. 

  109.   private boolean checkPasswordUsingGssapi(String principal, String password, String ldapKey) {

  110.     // Use our custom configuration to avoid reliance on external config

  111.     Configuration.setConfiguration(new Krb5LoginConfiguration());

  112.     LoginContext lc;

  113.     try {

  114.       lc = new LoginContext(getClass().getName(), new CallbackHandlerImpl(principal, password));

  115.       lc.login();

  116.     } catch (LoginException e) {

  117.       // Bad username: Client not found in Kerberos database

  118.       // Bad password: Integrity check on decrypted field failed

  119.       LOG.debug("Password not valid for {} in server {}: {}", principal, ldapKey, e.getMessage());

  120.       return false;

  121.     }

  122.     try {

  123.       lc.logout();

  124.     } catch (LoginException e) {

  125.       LOG.warn("Logout fails", e);

  126.     }

  127.     return true;

  128.   }

  129. 

  130. }