From ba0412c8bcc57dd8e8efb25419c151c6b699d74d Mon Sep 17 00:00:00 2001
From: Vipin Rathor
Date: Thu, 15 Jun 2017 12:13:21 -0700
Subject: [PATCH] ZEPPELIN-2657 Add group search filter option to LdapRealm

This commit adds a new option to LdapReam to limit group search in LDAP.
---
 .../org/apache/zeppelin/realm/LdapRealm.java | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
index 97c223c2fce..dc10749c5b1 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/realm/LdapRealm.java
@@ -101,6 +101,8 @@
 * # ability set searchScopes subtree (default), one, base
 * ldapRealm.userSearchScope = subtree;
 * ldapRealm.groupSearchScope = subtree;
+ * ldapRealm.userSearchFilter = (&(objectclass=person)(sAMAccountName={0}))
+ * ldapRealm.groupSearchFilter = (&(objectclass=groupofnames)(member={0}))
 * ldapRealm.memberAttributeValueTemplate=cn={0},ou=people,dc=hadoop,dc=apache,
 * dc=org
 * # enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator
@@ -160,6 +162,7 @@ public class LdapRealm extends JndiLdapRealm {
 private Pattern principalPattern = Pattern.compile(DEFAULT_PRINCIPAL_REGEX);
 private String userDnTemplate = "{0}";
 private String userSearchFilter = null;
+ private String groupSearchFilter = null;
 private String userSearchAttributeTemplate = "{0}";
 private String userSearchScope = "subtree";
 private String groupSearchScope = "subtree";
@@ -356,9 +359,22 @@ private Set rolesFor(PrincipalCollection principals,
 }
 }
 } else {
+ // Default group search filter
+ String searchFilter = String.format("(objectclass=%1$s)", groupObjectClass);
+
+ // If group search filter is defined in Shiro config, then use it
+ if (groupSearchFilter != null) {
+ Matcher matchedPrincipal = matchPrincipal(userDn);
+ searchFilter = expandTemplate(groupSearchFilter, matchedPrincipal);
+ //searchFilter = String.format("%1$s", groupSearchFilter);
+ }
+ if (log.isDebugEnabled()) {
+ log.debug("Group SearchBase|SearchFilter|GroupSearchScope: " + getGroupSearchBase()
+ + "|" + searchFilter + "|" + groupSearchScope);
+ }
 searchResultEnum = ldapCtx.search(
 getGroupSearchBase(),
- "objectClass=" + groupObjectClass,
+ searchFilter,
 searchControls);
 while (searchResultEnum != null && searchResultEnum.hasMore()) {
 // searchResults contains all the groups in search scope
@@ -737,6 +753,14 @@ public void setUserSearchFilter(final String filter) {
 this.userSearchFilter = (filter == null ? null : filter.trim());
 }
 
+ public String getGroupSearchFilter() {
+ return groupSearchFilter;
+ }
+
+ public void setGroupSearchFilter(final String filter) {
+ this.groupSearchFilter = (filter == null ? null : filter.trim());
+ }
+
 public boolean getUserLowerCase() {
 return userLowerCase;
 }
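Review bot: In the `groupSearchFilter != null` branch the filter is built by substituting text derived from `userDn` into the template, and nothing visible in this hunk escapes LDAP filter metacharacters (`*`, `(`, `)`, `\`) before the string reaches `ldapCtx.search`. `matchPrincipal` and `expandTemplate` are defined outside the hunk, so confirm whether either one escapes; if not, a DN containing those characters changes the meaning of the filter and therefore which groups, and so which roles, come back. The JNDI overload that takes filter arguments does the escaping itself, e.g. `ldapCtx.search(getGroupSearchBase(), groupSearchFilter, new Object[] {userDn}, searchControls)`, at the cost of `{0}` always meaning the whole DN rather than a regex group. The commented-out `//searchFilter = String.format("%1$s", groupSearchFilter);` line should be deleted, and the new debug line writes the user's DN to the log, which deserves a conscious decision. `rolesFor` starts and ends outside the hunk.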
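Review bot: `setGroupSearchFilter` stores an empty string when the configured value is blank, because only `null` is mapped to `null` after `trim()`. The consumer in `rolesFor` tests `groupSearchFilter != null`, so a blank setting would replace the default `(objectclass=...)` filter with an empty one instead of falling back to it. Normalising blank to null closes that gap: `this.groupSearchFilter = (filter == null || filter.trim().isEmpty()) ? null : filter.trim();`. Both new accessors also lack Javadoc; a one-line comment on the setter stating that `{0}` is expanded from the user's DN would tell administrators what the placeholder receives.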