mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36209 Commits
59 Branches
Tree: 4592d63590
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4592d63590'
${ noResults }
sonarqube/server/sonar-auth-ldap/src/main/java/org/sonar/auth/ldap/LdapContextFactory.java

LdapContextFactory.java 9.8KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.ldap;

  21. 

  22. import java.io.IOException;

  23. import java.security.PrivilegedActionException;

  24. import java.security.PrivilegedExceptionAction;

  25. import java.util.Properties;

  26. import javax.annotation.Nullable;

  27. import javax.naming.Context;

  28. import javax.naming.NamingException;

  29. import javax.naming.directory.InitialDirContext;

  30. import javax.naming.ldap.InitialLdapContext;

  31. import javax.naming.ldap.StartTlsRequest;

  32. import javax.naming.ldap.StartTlsResponse;

  33. import javax.security.auth.Subject;

  34. import javax.security.auth.login.Configuration;

  35. import javax.security.auth.login.LoginContext;

  36. import javax.security.auth.login.LoginException;

  37. import org.apache.commons.lang3.StringUtils;

  38. import org.slf4j.Logger;

  39. import org.slf4j.LoggerFactory;

  40. 

  41. /**

  42.  * @author Evgeny Mandrikov

  43.  */

  44. public class LdapContextFactory {

  45. 

  46.   private static final Logger LOG = LoggerFactory.getLogger(LdapContextFactory.class);

  47. 

  48.   // visible for testing

  49.   static final String AUTH_METHOD_SIMPLE = "simple";

  50.   static final String AUTH_METHOD_GSSAPI = "GSSAPI";

  51.   static final String AUTH_METHOD_DIGEST_MD5 = "DIGEST-MD5";

  52.   static final String AUTH_METHOD_CRAM_MD5 = "CRAM-MD5";

  53. 

  54.   private static final String REFERRALS_FOLLOW_MODE = "follow";

  55.   private static final String REFERRALS_IGNORE_MODE = "ignore";

  56. 

  57.   private static final String DEFAULT_AUTHENTICATION = AUTH_METHOD_SIMPLE;

  58.   private static final String DEFAULT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

  59. 

  60.   /**

  61.    * The Sun LDAP property used to enable connection pooling. This is used in the default implementation to enable

  62.    * LDAP connection pooling.

  63.    */

  64.   private static final String SUN_CONNECTION_POOLING_PROPERTY = "com.sun.jndi.ldap.connect.pool";

  65. 

  66.   private static final String SASL_REALM_PROPERTY = "java.naming.security.sasl.realm";

  67. 

  68.   private final String providerUrl;

  69.   private final boolean startTLS;

  70.   private final String authentication;

  71.   private final String factory;

  72.   private final String username;

  73.   private final String password;

  74.   private final String realm;

  75.   private final String referral;

  76.   private final String saslQop;

  77.   private final String saslStrength;

  78.   private final String saslMaxbuf;

  79. 

  80.   public LdapContextFactory(org.sonar.api.config.Configuration config, String settingsPrefix, String ldapUrl) {

  81.     this.authentication = StringUtils.defaultString(config.get(settingsPrefix + ".authentication").orElse(null), DEFAULT_AUTHENTICATION);

  82.     this.factory = StringUtils.defaultString(config.get(settingsPrefix + ".contextFactoryClass").orElse(null), DEFAULT_FACTORY);

  83.     this.realm = config.get(settingsPrefix + ".realm").orElse(null);

  84.     this.providerUrl = ldapUrl;

  85.     this.startTLS = config.getBoolean(settingsPrefix + ".StartTLS").orElse(false);

  86.     this.username = config.get(settingsPrefix + ".bindDn").orElse(null);

  87.     this.password = config.get(settingsPrefix + ".bindPassword").orElse(null);

  88.     this.referral = getReferralsMode(config, settingsPrefix + ".followReferrals");

  89.     this.saslQop = config.get(settingsPrefix + ".saslQop").orElse(null);

  90.     this.saslStrength = config.get(settingsPrefix + ".saslStrength").orElse(null);

  91.     this.saslMaxbuf = config.get(settingsPrefix + ".saslMaxbuf").orElse(null);

  92.   }

  93. 

  94.   /**

  95.    * Returns {@code InitialDirContext} for Bind user.

  96.    */

  97.   public InitialDirContext createBindContext() throws NamingException {

  98.     if (isGssapi()) {

  99.       return createInitialDirContextUsingGssapi(username, password);

  100.     } else {

  101.       return createInitialDirContext(username, password, true);

  102.     }

  103.   }

  104. 

  105.   /**

  106.    * Returns {@code InitialDirContext} for specified user.

  107.    * Note that pooling intentionally disabled by this method.

  108.    */

  109.   public InitialDirContext createUserContext(String principal, String credentials) throws NamingException {

  110.     return createInitialDirContext(principal, credentials, false);

  111.   }

  112. 

  113.   private InitialDirContext createInitialDirContext(String principal, String credentials, boolean pooling) throws NamingException {

  114.     final InitialLdapContext ctx;

  115.     if (startTLS) {

  116.       // Note that pooling is not enabled for such connections, because "Stop TLS" is not performed.

  117.       Properties env = new Properties();

  118.       env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  119.       env.put(Context.PROVIDER_URL, providerUrl);

  120.       env.put(Context.REFERRAL, referral);

  121.       // At this point env should not contain properties SECURITY_AUTHENTICATION, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to avoid

  122.       // "bind" operation prior to StartTLS:

  123.       ctx = new InitialLdapContext(env, null);

  124.       // http://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html

  125.       StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

  126.       try {

  127.         tls.negotiate();

  128.       } catch (IOException e) {

  129.         NamingException ex = new NamingException("StartTLS failed");

  130.         ex.initCause(e);

  131.         throw ex;

  132.       }

  133.       // Explicitly initiate "bind" operation:

  134.       ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, authentication);

  135.       if (principal != null) {

  136.         ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);

  137.       }

  138.       if (credentials != null) {

  139.         ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);

  140.       }

  141.       ctx.reconnect(null);

  142.     } else {

  143.       ctx = new InitialLdapContext(getEnvironment(principal, credentials, pooling), null);

  144.     }

  145.     return ctx;

  146.   }

  147. 

  148.   private InitialDirContext createInitialDirContextUsingGssapi(String principal, String credentials) throws NamingException {

  149.     Configuration.setConfiguration(new Krb5LoginConfiguration());

  150.     InitialDirContext initialDirContext;

  151.     try {

  152.       LoginContext lc = new LoginContext(getClass().getName(), new CallbackHandlerImpl(principal, credentials));

  153.       lc.login();

  154.       initialDirContext = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<InitialDirContext>() {

  155.         @Override

  156.         public InitialDirContext run() throws NamingException {

  157.           Properties env = new Properties();

  158.           env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  159.           env.put(Context.PROVIDER_URL, providerUrl);

  160.           env.put(Context.REFERRAL, referral);

  161.           return new InitialLdapContext(env, null);

  162.         }

  163.       });

  164.     } catch (LoginException | PrivilegedActionException e) {

  165.       NamingException namingException = new NamingException(e.getMessage());

  166.       namingException.initCause(e);

  167.       throw namingException;

  168.     }

  169.     return initialDirContext;

  170.   }

  171. 

  172.   private Properties getEnvironment(@Nullable String principal, @Nullable String credentials, boolean pooling) {

  173.     Properties env = new Properties();

  174.     env.put(Context.SECURITY_AUTHENTICATION, authentication);

  175.     if (realm != null) {

  176.       env.put(SASL_REALM_PROPERTY, realm);

  177.     }

  178.     if (pooling) {

  179.       // Enable connection pooling

  180.       env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");

  181.     }

  182.     env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  183.     env.put(Context.PROVIDER_URL, providerUrl);

  184.     env.put(Context.REFERRAL, referral);

  185.     if (principal != null) {

  186.       env.put(Context.SECURITY_PRINCIPAL, principal);

  187.     }

  188.     if (saslQop != null) {

  189.       env.put("javax.security.sasl.qop", saslQop);

  190.     }

  191.     if (saslStrength != null) {

  192.       env.put("javax.security.sasl.strength", saslStrength);

  193.     }

  194.     if (saslMaxbuf != null) {

  195.       env.put("javax.security.sasl.maxbuf", saslMaxbuf);

  196.     }

  197. 

  198.     // Note: debug is intentionally was placed here - in order to not expose password in log

  199.     LOG.debug("Initializing LDAP context {}", env);

  200.     if (credentials != null) {

  201.       env.put(Context.SECURITY_CREDENTIALS, credentials);

  202.     }

  203.     return env;

  204.   }

  205. 

  206.   public boolean isSasl() {

  207.     return AUTH_METHOD_DIGEST_MD5.equals(authentication) ||

  208.       AUTH_METHOD_CRAM_MD5.equals(authentication) ||

  209.       AUTH_METHOD_GSSAPI.equals(authentication);

  210.   }

  211. 

  212.   public boolean isGssapi() {

  213.     return AUTH_METHOD_GSSAPI.equals(authentication);

  214.   }

  215. 

  216.   /**

  217.    * Tests connection.

  218.    *

  219.    * @throws LdapException if unable to open connection

  220.    */

  221.   public void testConnection() {

  222.     if (StringUtils.isBlank(username) && isSasl()) {

  223.       throw new IllegalArgumentException("When using SASL - property ldap.bindDn is required");

  224.     }

  225.     try {

  226.       createBindContext();

  227.       LOG.info("Test LDAP connection on {}: OK", providerUrl);

  228.     } catch (NamingException e) {

  229.       LOG.info("Test LDAP connection: FAIL");

  230.       throw new LdapException("Unable to open LDAP connection", e);

  231.     }

  232.   }

  233. 

  234.   public String getProviderUrl() {

  235.     return providerUrl;

  236.   }

  237. 

  238.   public String getReferral() {

  239.     return referral;

  240.   }

  241. 

  242.   private static String getReferralsMode(org.sonar.api.config.Configuration config, String followReferralsSettingKey) {

  243.     // By default follow referrals

  244.     return config.getBoolean(followReferralsSettingKey).orElse(true) ? REFERRALS_FOLLOW_MODE : REFERRALS_IGNORE_MODE;

  245.   }

  246. 

  247.   @Override

  248.   public String toString() {

  249.     return getClass().getSimpleName() + "{" +

  250.       "url=" + providerUrl +

  251.       ", authentication=" + authentication +

  252.       ", factory=" + factory +

  253.       ", bindDn=" + username +

  254.       ", realm=" + realm +

  255.       ", referral=" + referral +

  256.       "}";

  257.   }

  258. 

  259. }