/*
* ******************************************************************************
* Cloud Foundry
* Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
*
* This product is licensed to you under the Apache License, Version 2.0 (the "License").
* You may not use this product except in compliance with the License.
*
* This product includes a number of subcomponents with
* separate copyright notices and license terms. Your use of these
* subcomponents is subject to the terms and conditions of the
* subcomponent's license, as noted in the LICENSE file.
* ******************************************************************************
*/
package org.cloudfoundry.identity.uaa.authentication.manager;
import org.apache.commons.lang.StringUtils;
import org.cloudfoundry.identity.uaa.ldap.ExtendedLdapUserDetails;
import org.cloudfoundry.identity.uaa.provider.LdapIdentityProviderDefinition;
import org.cloudfoundry.identity.uaa.ldap.extension.LdapAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.util.ObjectUtils;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.zone.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.MultiValueMap;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import static java.util.Collections.EMPTY_LIST;
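/**
 * LDAP flavour of {@link ExternalLoginAuthenticationManager}.
 *
 * <p>On top of the generic external-login handling it (1) copies LDAP entry attributes into the
 * user's attribute map according to the provider's {@code user.attribute.*} mappings, (2) reduces
 * the LDAP group names to those present in the provider's external-groups whitelist, and (3)
 * re-syncs email/name/phone from the LDAP entry on every successful login.
 *
 * <p>All provider lookups go through {@link #retrieveLdapDefinition()}; when no provisioning is
 * wired in, every hook falls back to the superclass behaviour.
 */
public class LdapLoginAuthenticationManager extends ExternalLoginAuthenticationManager {

    /** Prefix of attribute-mapping keys that name a user attribute to be filled from the LDAP entry. */
    public static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";

    private IdentityProviderProvisioning provisioning;

    public void setProvisioning(IdentityProviderProvisioning provisioning) {
        this.provisioning = provisioning;
    }

    /**
     * Looks up the LDAP provider definition for the current origin and zone.
     *
     * @return the definition, or {@code null} when no provisioning is configured or the provider's
     *         config is not an {@link LdapIdentityProviderDefinition}
     */
    private LdapIdentityProviderDefinition retrieveLdapDefinition() {
        if (provisioning == null) {
            return null;
        }
        IdentityProvider provider = provisioning.retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
        // castInstance is treated as returning null for a non-LDAP config (isAutoAddAuthorities already
        // null-checked its result) — TODO confirm against ObjectUtils.
        return ObjectUtils.castInstance(provider.getConfig(), LdapIdentityProviderDefinition.class);
    }

    /**
     * Adds the mapped LDAP attributes to the user attributes computed by the superclass.
     *
     * <p>For every mapping key {@code user.attribute.<name>} whose value is an LDAP attribute name,
     * the values of that LDAP attribute are stored under {@code <name>}. Mappings with a null value
     * or LDAP attributes without values are skipped. Only {@link ExtendedLdapUserDetails}
     * principals carry LDAP attributes; any other request returns the superclass result unchanged.
     */
    @Override
    protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
        MultiValueMap<String, String> result = super.getUserAttributes(request);
        if (!(request instanceof ExtendedLdapUserDetails)) {
            return result;
        }
        LdapIdentityProviderDefinition definition = retrieveLdapDefinition();
        if (definition == null) {
            return result;
        }
        Map<String, Object> mappings = definition.getAttributeMappings();
        if (mappings == null) {
            // Defensive: a provider without any mappings contributes nothing — TODO confirm whether
            // getAttributeMappings() can actually return null.
            return result;
        }
        ExtendedLdapUserDetails ldapDetails = (ExtendedLdapUserDetails) request;
        for (Map.Entry<String, Object> entry : mappings.entrySet()) {
            String mappingKey = entry.getKey();
            if (!mappingKey.startsWith(USER_ATTRIBUTE_PREFIX) || entry.getValue() == null) {
                continue;
            }
            String attributeName = mappingKey.substring(USER_ATTRIBUTE_PREFIX.length());
            // The mapping value is the LDAP attribute to read; a non-String value is a configuration
            // error and surfaces as a ClassCastException rather than being silently ignored.
            // The boolean flag is passed through as in the original; its meaning is defined by
            // ExtendedLdapUserDetails — TODO confirm.
            String[] values = ldapDetails.getAttribute((String) entry.getValue(), false);
            if (values != null && values.length > 0) {
                result.put(attributeName, Arrays.asList(values));
            }
        }
        return result;
    }

    /**
     * Returns the LDAP group names of the request that are allowed by the provider's
     * external-groups whitelist.
     *
     * <p>Without provisioning the superclass result is returned. With provisioning but without a
     * usable LDAP definition or whitelist the method fails closed and returns an empty list, so a
     * misconfigured provider can never turn arbitrary LDAP groups into authorities.
     */
    @Override
    protected List<String> getExternalUserAuthorities(UserDetails request) {
        List<String> result = super.getExternalUserAuthorities(request);
        if (provisioning == null) {
            return result;
        }
        LdapIdentityProviderDefinition definition = retrieveLdapDefinition();
        List<String> whitelist = definition == null ? null : definition.getExternalGroupsWhitelist();
        if (whitelist == null) {
            // Fail closed: no whitelist means no LDAP group is allowed through.
            return new LinkedList<>();
        }
        // HashSet lookup keeps retainAll linear instead of O(groups × whitelist).
        Set<String> allowed = new HashSet<>(whitelist);
        List<String> groupNames = new LinkedList<>(getAuthoritesAsNames(request.getAuthorities()));
        groupNames.retainAll(allowed);
        return groupNames;
    }

    /**
     * Collects the {@code cn} values of every {@link LdapAuthority} in the given authorities.
     *
     * @param authorities the granted authorities, may be {@code null}
     * @return the distinct group names; empty when there are no LDAP authorities
     */
    protected Set<String> getAuthoritesAsNames(Collection<? extends GrantedAuthority> authorities) {
        Set<String> result = new HashSet<>();
        if (authorities == null) {
            return result;
        }
        for (GrantedAuthority authority : authorities) {
            if (authority instanceof LdapAuthority) {
                String[] groupNames = ((LdapAuthority) authority).getAttributeValues("cn");
                if (groupNames != null) {
                    result.addAll(Arrays.asList(groupNames));
                }
            }
        }
        return result;
    }

    /**
     * Re-syncs the stored user with the LDAP entry, publishes the group-authorization event and
     * returns the freshly re-read user.
     *
     * <p>Email, given name, family name and phone number are compared against the values carried by
     * the LDAP principal; when any of them differ the user is updated (the username is refreshed in
     * the same step). The event is published regardless, carrying the request's authorities and
     * the provider's auto-add-groups setting.
     */
    @Override
    protected UaaUser userAuthenticated(Authentication request, UaaUser user) {
        boolean userModified = false;
        // Profile fields may change in LDAP between authentications; instanceof already rejects null.
        if (request.getPrincipal() instanceof ExtendedLdapUserDetails) {
            UaaUser fromRequest = getUser(request);
            // NOTE(review): a username change alone does not trigger a resync; it is only picked up
            // when one of the compared attributes changed too — confirm this is intended.
            if (haveUserAttributesChanged(user, fromRequest)) {
                user = user.modifyAttributes(fromRequest.getEmail(), fromRequest.getGivenName(),
                        fromRequest.getFamilyName(), fromRequest.getPhoneNumber())
                        .modifyUsername(fromRequest.getUsername());
                userModified = true;
            }
        }
        ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(
                user, userModified, request.getAuthorities(), isAutoAddAuthorities());
        publish(event);
        // Re-read by id so the caller gets the persisted state rather than the in-memory copy.
        return getUserDatabase().retrieveUserById(user.getId());
    }

    /**
     * Whether LDAP groups should automatically be added as authorities.
     *
     * @return the provider's auto-add-groups setting; {@code true} when no provisioning, no LDAP
     *         definition or no explicit setting is available
     */
    protected boolean isAutoAddAuthorities() {
        LdapIdentityProviderDefinition definition = retrieveLdapDefinition();
        if (definition == null) {
            return true;
        }
        Boolean configured = definition.isAutoAddGroups();
        return configured != null ? configured : true;
    }

    /**
     * Compares the attributes that are re-synced from LDAP (given name, family name, phone number,
     * email); {@code null} and equal strings count as unchanged.
     */
    private boolean haveUserAttributesChanged(UaaUser existingUser, UaaUser user) {
        return !StringUtils.equals(existingUser.getGivenName(), user.getGivenName())
                || !StringUtils.equals(existingUser.getFamilyName(), user.getFamilyName())
                || !StringUtils.equals(existingUser.getPhoneNumber(), user.getPhoneNumber())
                || !StringUtils.equals(existingUser.getEmail(), user.getEmail());
    }
}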