mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29584 Commits
59 Branches
Tree: a5e56c8d40
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a5e56c8d40'
${ noResults }
sonarqube/server/sonar-auth-ldap/src/main/java/org/sonar/auth/ldap/LdapContextFactory.java

LdapContextFactory.java 9.2KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2020 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.ldap;

  21. 

  22. import java.io.IOException;

  23. import java.security.PrivilegedActionException;

  24. import java.security.PrivilegedExceptionAction;

  25. import java.util.Properties;

  26. import javax.annotation.Nullable;

  27. import javax.naming.Context;

  28. import javax.naming.NamingException;

  29. import javax.naming.directory.InitialDirContext;

  30. import javax.naming.ldap.InitialLdapContext;

  31. import javax.naming.ldap.StartTlsRequest;

  32. import javax.naming.ldap.StartTlsResponse;

  33. import javax.security.auth.Subject;

  34. import javax.security.auth.login.Configuration;

  35. import javax.security.auth.login.LoginContext;

  36. import javax.security.auth.login.LoginException;

  37. import org.apache.commons.lang.StringUtils;

  38. import org.sonar.api.utils.log.Logger;

  39. import org.sonar.api.utils.log.Loggers;

  40. 

  41. /**

  42.  * @author Evgeny Mandrikov

  43.  */

  44. public class LdapContextFactory {

  45. 

  46.   private static final Logger LOG = Loggers.get(LdapContextFactory.class);

  47. 

  48.   // visible for testing

  49.   static final String AUTH_METHOD_SIMPLE = "simple";

  50.   static final String AUTH_METHOD_GSSAPI = "GSSAPI";

  51.   static final String AUTH_METHOD_DIGEST_MD5 = "DIGEST-MD5";

  52.   static final String AUTH_METHOD_CRAM_MD5 = "CRAM-MD5";

  53. 

  54.   private static final String REFERRALS_FOLLOW_MODE = "follow";

  55.   private static final String REFERRALS_IGNORE_MODE = "ignore";

  56. 

  57.   private static final String DEFAULT_AUTHENTICATION = AUTH_METHOD_SIMPLE;

  58.   private static final String DEFAULT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

  59. 

  60.   /**

  61.    * The Sun LDAP property used to enable connection pooling. This is used in the default implementation to enable

  62.    * LDAP connection pooling.

  63.    */

  64.   private static final String SUN_CONNECTION_POOLING_PROPERTY = "com.sun.jndi.ldap.connect.pool";

  65. 

  66.   private static final String SASL_REALM_PROPERTY = "java.naming.security.sasl.realm";

  67. 

  68.   private final String providerUrl;

  69.   private final boolean startTLS;

  70.   private final String authentication;

  71.   private final String factory;

  72.   private final String username;

  73.   private final String password;

  74.   private final String realm;

  75.   private final String referral;

  76. 

  77.   public LdapContextFactory(org.sonar.api.config.Configuration config, String settingsPrefix, String ldapUrl) {

  78.     this.authentication = StringUtils.defaultString(config.get(settingsPrefix + ".authentication").orElse(null), DEFAULT_AUTHENTICATION);

  79.     this.factory = StringUtils.defaultString(config.get(settingsPrefix + ".contextFactoryClass").orElse(null), DEFAULT_FACTORY);

  80.     this.realm = config.get(settingsPrefix + ".realm").orElse(null);

  81.     this.providerUrl = ldapUrl;

  82.     this.startTLS = config.getBoolean(settingsPrefix + ".StartTLS").orElse(false);

  83.     this.username = config.get(settingsPrefix + ".bindDn").orElse(null);

  84.     this.password = config.get(settingsPrefix + ".bindPassword").orElse(null);

  85.     this.referral = getReferralsMode(config, settingsPrefix + ".followReferrals");

  86.   }

  87. 

  88.   /**

  89.    * Returns {@code InitialDirContext} for Bind user.

  90.    */

  91.   public InitialDirContext createBindContext() throws NamingException {

  92.     if (isGssapi()) {

  93.       return createInitialDirContextUsingGssapi(username, password);

  94.     } else {

  95.       return createInitialDirContext(username, password, true);

  96.     }

  97.   }

  98. 

  99.   /**

  100.    * Returns {@code InitialDirContext} for specified user.

  101.    * Note that pooling intentionally disabled by this method.

  102.    */

  103.   public InitialDirContext createUserContext(String principal, String credentials) throws NamingException {

  104.     return createInitialDirContext(principal, credentials, false);

  105.   }

  106. 

  107.   private InitialDirContext createInitialDirContext(String principal, String credentials, boolean pooling) throws NamingException {

  108.     final InitialLdapContext ctx;

  109.     if (startTLS) {

  110.       // Note that pooling is not enabled for such connections, because "Stop TLS" is not performed.

  111.       Properties env = new Properties();

  112.       env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  113.       env.put(Context.PROVIDER_URL, providerUrl);

  114.       env.put(Context.REFERRAL, referral);

  115.       // At this point env should not contain properties SECURITY_AUTHENTICATION, SECURITY_PRINCIPAL and SECURITY_CREDENTIALS to avoid

  116.       // "bind" operation prior to StartTLS:

  117.       ctx = new InitialLdapContext(env, null);

  118.       // http://docs.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html

  119.       StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

  120.       try {

  121.         tls.negotiate();

  122.       } catch (IOException e) {

  123.         NamingException ex = new NamingException("StartTLS failed");

  124.         ex.initCause(e);

  125.         throw ex;

  126.       }

  127.       // Explicitly initiate "bind" operation:

  128.       ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, authentication);

  129.       if (principal != null) {

  130.         ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);

  131.       }

  132.       if (credentials != null) {

  133.         ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);

  134.       }

  135.       ctx.reconnect(null);

  136.     } else {

  137.       ctx = new InitialLdapContext(getEnvironment(principal, credentials, pooling), null);

  138.     }

  139.     return ctx;

  140.   }

  141. 

  142.   private InitialDirContext createInitialDirContextUsingGssapi(String principal, String credentials) throws NamingException {

  143.     Configuration.setConfiguration(new Krb5LoginConfiguration());

  144.     InitialDirContext initialDirContext;

  145.     try {

  146.       LoginContext lc = new LoginContext(getClass().getName(), new CallbackHandlerImpl(principal, credentials));

  147.       lc.login();

  148.       initialDirContext = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<InitialDirContext>() {

  149.         @Override

  150.         public InitialDirContext run() throws NamingException {

  151.           Properties env = new Properties();

  152.           env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  153.           env.put(Context.PROVIDER_URL, providerUrl);

  154.           env.put(Context.REFERRAL, referral);

  155.           return new InitialLdapContext(env, null);

  156.         }

  157.       });

  158.     } catch (LoginException | PrivilegedActionException e) {

  159.       NamingException namingException = new NamingException(e.getMessage());

  160.       namingException.initCause(e);

  161.       throw namingException;

  162.     }

  163.     return initialDirContext;

  164.   }

  165. 

  166.   private Properties getEnvironment(@Nullable String principal, @Nullable String credentials, boolean pooling) {

  167.     Properties env = new Properties();

  168.     env.put(Context.SECURITY_AUTHENTICATION, authentication);

  169.     if (realm != null) {

  170.       env.put(SASL_REALM_PROPERTY, realm);

  171.     }

  172.     if (pooling) {

  173.       // Enable connection pooling

  174.       env.put(SUN_CONNECTION_POOLING_PROPERTY, "true");

  175.     }

  176.     env.put(Context.INITIAL_CONTEXT_FACTORY, factory);

  177.     env.put(Context.PROVIDER_URL, providerUrl);

  178.     env.put(Context.REFERRAL, referral);

  179.     if (principal != null) {

  180.       env.put(Context.SECURITY_PRINCIPAL, principal);

  181.     }

  182.     // Note: debug is intentionally was placed here - in order to not expose password in log

  183.     LOG.debug("Initializing LDAP context {}", env);

  184.     if (credentials != null) {

  185.       env.put(Context.SECURITY_CREDENTIALS, credentials);

  186.     }

  187.     return env;

  188.   }

  189. 

  190.   public boolean isSasl() {

  191.     return AUTH_METHOD_DIGEST_MD5.equals(authentication) ||

  192.       AUTH_METHOD_CRAM_MD5.equals(authentication) ||

  193.       AUTH_METHOD_GSSAPI.equals(authentication);

  194.   }

  195. 

  196.   public boolean isGssapi() {

  197.     return AUTH_METHOD_GSSAPI.equals(authentication);

  198.   }

  199. 

  200.   /**

  201.    * Tests connection.

  202.    *

  203.    * @throws LdapException if unable to open connection

  204.    */

  205.   public void testConnection() {

  206.     if (StringUtils.isBlank(username) && isSasl()) {

  207.       throw new IllegalArgumentException("When using SASL - property ldap.bindDn is required");

  208.     }

  209.     try {

  210.       createBindContext();

  211.       LOG.info("Test LDAP connection on {}: OK", providerUrl);

  212.     } catch (NamingException e) {

  213.       LOG.info("Test LDAP connection: FAIL");

  214.       throw new LdapException("Unable to open LDAP connection", e);

  215.     }

  216.   }

  217. 

  218.   public String getProviderUrl() {

  219.     return providerUrl;

  220.   }

  221. 

  222.   public String getReferral() {

  223.     return referral;

  224.   }

  225. 

  226.   private static String getReferralsMode(org.sonar.api.config.Configuration config, String followReferralsSettingKey) {

  227.     // By default follow referrals

  228.     return config.getBoolean(followReferralsSettingKey).orElse(true) ? REFERRALS_FOLLOW_MODE : REFERRALS_IGNORE_MODE;

  229.   }

  230. 

  231.   @Override

  232.   public String toString() {

  233.     return getClass().getSimpleName() + "{" +

  234.       "url=" + providerUrl +

  235.       ", authentication=" + authentication +

  236.       ", factory=" + factory +

  237.       ", bindDn=" + username +

  238.       ", realm=" + realm +

  239.       ", referral=" + referral +

  240.       "}";

  241.   }

  242. 

  243. }