Re-introduce additional filters for authorisation and user status
authFilter, userNotBlockedFilter
Change-Id: I04fed94a5b1e9de7f00c8d5dd3351e3c6a24b075
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
index 7608761..92ae6d6 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LDAPConfig.java
@@ -19,6 +19,8 @@
public final boolean useEmbeddedServer;
public final String emailAttribute;
public final String ldif;
+ public final String authFilter;
+ public final String userNotBlockedFilter;
public LDAPConfig(String ldapConfigFilename) throws LdapConfigurationException {
Map<String, String> ldapConfig = null;
@@ -34,14 +36,14 @@
searchBase = getConfigOrThrow(ldapConfig, "searchBase");
sLoginDN = getConfigOrThrow(ldapConfig, "sLoginDN");
searchFilter = getConfigOrThrow(ldapConfig, "searchFilter");
+ authFilter = ldapConfig.getOrDefault("authFilter", null);
+ userNotBlockedFilter = ldapConfig.getOrDefault("userNotBlockedFilter", null);
sPwd = ldapConfig.getOrDefault("pwd", "");
trustStorePath = ldapConfig.getOrDefault("trustStore", "");
additionalCipherSuites = ldapConfig.getOrDefault("additionalCipherSuites", "");
useEmbeddedServer = Boolean.parseBoolean(ldapConfig.getOrDefault("useEmbeddedServer", "false"));
emailAttribute = ldapConfig.getOrDefault("emailAttribute", "mail");
ldif = ldapConfig.getOrDefault("ldifFile", null);
-
-
}
static HashMap<String, String> typeCastConvert(Properties prop) {
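Review bot: The two new keys read on the `authFilter = …` and `userNotBlockedFilter = …` lines carry no comment on the form a value must take, yet LdapAuth3.applyAdditionalFilter AND-s them verbatim into `"(&" + … + ")"`, so a value that is not a complete parenthesised filter component yields a malformed filter only at search time, where it surfaces as a user-status code rather than a configuration error. A field comment on each would spare the next operator that debugging session, e.g. `/** Optional LDAP filter component (complete and parenthesised, e.g. "(attr=value)") AND-ed verbatim with searchFilter; null when unset. */`. `ldapConfig.getOrDefault("authFilter", null)` is also just `ldapConfig.get("authFilter")`; the explicit null default reads as if a non-null fallback had been intended. The constructor continues outside the hunk.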
diff --git a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
index 9975fcc..603ec38 100644
--- a/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
+++ b/full/src/main/java/de/ids_mannheim/korap/authentication/LdapAuth3.java
@@ -6,6 +6,7 @@
import com.nimbusds.jose.JOSEException;
import com.unboundid.ldap.sdk.*;
+import com.unboundid.util.NotNull;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
import com.unboundid.util.ssl.TrustStoreTrustManager;
@@ -31,11 +32,9 @@
public static final int LDAP_AUTH_ROK = 0;
public static final int LDAP_AUTH_RCONNECT = 1; // cannot connect to LDAP Server
public static final int LDAP_AUTH_RINTERR = 2; // internal error: cannot verify User+Pwd.
- /* cannot be distinguished, currently
public static final int LDAP_AUTH_RUNKNOWN = 3; // User Account or Pwd unknown;
public static final int LDAP_AUTH_RLOCKED = 4; // User Account locked;
public static final int LDAP_AUTH_RNOTREG = 5; // User known, but has not registered to KorAP/C2 Service yet;
- */
public static final int LDAP_AUTH_RNOEMAIL = 6; // cannot obtain email for sUserDN
public static final int LDAP_AUTH_RNAUTH = 7; // User Account or Pwd unknown, or not authorized
final static Boolean DEBUGLOG = false; // log debug output.
@@ -52,14 +51,12 @@
return "LDAP Authentication: connecting to LDAP Server failed!";
case LDAP_AUTH_RINTERR:
return "LDAP Authentication failed due to an internal error!";
-/* cannot be distinguished, currently
case LDAP_AUTH_RUNKNOWN:
return "LDAP Authentication failed due to unknown user or password!";
case LDAP_AUTH_RLOCKED:
return "LDAP Authentication: known user is locked!";
case LDAP_AUTH_RNOTREG:
- return "LDAP Authentication: known user has not registered yet!";
-*/
+ return "LDAP Authentication: known user, but not registered for this service!";
case LDAP_AUTH_RNOEMAIL:
return "LDAP Authentication: known user, but cannot obtain email!";
case LDAP_AUTH_RNAUTH:
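Review bot: Re-enabling the three distinct texts (`unknown user or password`, `known user is locked`, `known user, but not registered`) means the message now states whether an account exists and which state it is in, which the single RNAUTH message did not reveal. Whether getErrMessage output reaches the end user cannot be seen from here; if it does, RUNKNOWN, RLOCKED and RNOTREG should map to one generic client-facing text while the distinct code stays available for the server log, e.g. `case LDAP_AUTH_RUNKNOWN: case LDAP_AUTH_RLOCKED: case LDAP_AUTH_RNOTREG: return "LDAP Authentication failed: user or password unknown, or not authorized!";`. The switch starts before the hunk.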
@@ -83,16 +80,19 @@
}
}
- SearchResult srchRes = search(login, password, ldapConfig, !ldapConfig.searchFilter.contains("${password}"));
+ LdapAuth3Result ldapAuth3Result = search(login, password, ldapConfig, !ldapConfig.searchFilter.contains("${password}"), true);
+ SearchResult srchRes = ldapAuth3Result.getSearchResultValue();
- if (srchRes == null || srchRes.getEntryCount() == 0) {
+ if (ldapAuth3Result.getErrorCode() != 0 || srchRes == null || srchRes.getEntryCount() == 0) {
if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
- return LDAP_AUTH_RNAUTH;
+ return ldapAuth3Result.getErrorCode();
}
return LDAP_AUTH_ROK;
}
- public static SearchResult search(String login, String password, LDAPConfig ldapConfig, boolean bindWithFoundDN) throws LDAPException {
+
+ @NotNull
+ public static LdapAuth3Result search(String login, String password, LDAPConfig ldapConfig, boolean bindWithFoundDN, boolean applyExtraFilters) {
Map<String, String> valuesMap = new HashMap<>();
valuesMap.put("login", login);
valuesMap.put("password", password);
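Review bot: The guard `if (ldapAuth3Result.getErrorCode() != 0 || srchRes == null || srchRes.getEntryCount() == 0)` returns `ldapAuth3Result.getErrorCode()` for all three conditions, so a result carrying error code 0 together with a null or empty SearchResult makes login() return LDAP_AUTH_ROK, i.e. success. As written search() only returns ROK after it has checked the entry count, so the branch is currently unreachable, but a login decision should not rest on an invariant kept in another method; `return ldapAuth3Result.getErrorCode() != 0 ? ldapAuth3Result.getErrorCode() : LDAP_AUTH_RNAUTH;` keeps the path fail-closed. login()'s signature is above the hunk.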
@@ -108,11 +108,9 @@
//System.out.printf("LDAP Version = %d.\n", LDAPConnection.LDAP_V3);
System.out.printf("LDAP Host & Port = '%s':%d.\n", ldapConfig.host, ldapConfig.port);
System.out.printf("Login User = '%s'\n", login);
+ System.out.println("LDAPS " + ldapConfig.useSSL);
}
- // LDAP Connection:
- if (DEBUGLOG) System.out.println("LDAPS " + ldapConfig.useSSL);
-
LDAPConnection lc;
if (ldapConfig.useSSL) {
@@ -131,7 +129,7 @@
} catch (GeneralSecurityException e) {
System.err.printf("Error: login: Connecting to LDAPS Server: failed: '%s'!\n", e);
ldapTerminate(null);
- return null;
+ return new LdapAuth3Result(null, LDAP_AUTH_RCONNECT);
}
} else {
lc = new LDAPConnection();
@@ -144,10 +142,8 @@
String fullStackTrace = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
System.err.printf("Error: login: Connecting to LDAP Server: failed: '%s'!\n", fullStackTrace);
ldapTerminate(lc);
- return null;
+ return new LdapAuth3Result(null, LDAP_AUTH_RCONNECT);
}
-
-
if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
try {
@@ -158,31 +154,28 @@
} catch (LDAPException e) {
System.err.printf("Error: login: Binding failed: '%s'!\n", e);
ldapTerminate(lc);
- return null;
+ return new LdapAuth3Result(null, LDAP_AUTH_RINTERR);
}
if (DEBUGLOG) System.out.printf("Debug: isConnected=%d\n", lc.isConnected() ? 1 : 0);
if (DEBUGLOG) System.out.printf("Finding user '%s'...\n", login);
- SearchResult srchRes;
+ SearchResult srchRes = null;
try {
- // SCOPE_SUB = Scope Subtree.
- if (DEBUGLOG) System.out.printf("Finding Filter: '%s'.\n", insensitiveSearchFilter);
+ if (DEBUGLOG) System.out.printf("Searching with searchFilter: '%s'.\n", insensitiveSearchFilter);
srchRes = lc.search(ldapConfig.searchBase, SearchScope.SUB, searchFilterInstance);
- if (DEBUGLOG) System.out.printf("Finding '%s': %d entries.\n", login, srchRes.getEntryCount());
+ if (DEBUGLOG) System.out.printf("Found '%s': %d entries.\n", login, srchRes.getEntryCount());
} catch (LDAPSearchException e) {
System.err.printf("Error: Search for User failed: '%s'!\n", e);
- ldapTerminate(lc);
- return null;
}
if (srchRes == null || srchRes.getEntryCount() == 0) {
if (DEBUGLOG) System.out.printf("Finding '%s': no entry found!\n", login);
ldapTerminate(lc);
- return null;
+ return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
}
if (bindWithFoundDN) {
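Review bot: Dropping `ldapTerminate(lc); return null;` from the LDAPSearchException catch lets a failed search fall through to the `srchRes == null` check, so a server-side or protocol error during the search is now reported as LDAP_AUTH_RUNKNOWN, "unknown user or password", instead of as an internal error. The catch should keep closing the connection and classify the failure explicitly: `ldapTerminate(lc); return new LdapAuth3Result(null, LDAP_AUTH_RINTERR);`. Mapping an infrastructure failure to a credentials code hides an outage behind what looks like a mistyped password. search() starts and continues outside the hunk.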
@@ -191,16 +184,52 @@
try {
// bind to server:
if (DEBUGLOG) System.out.printf("Binding with '%s' ...\n", matchedDN);
- lc.bind(matchedDN, password);
+ BindResult bindResult = lc.bind(matchedDN, password);
if (DEBUGLOG) System.out.print("Binding: OK.\n");
+ if (!bindResult.getResultCode().equals(ResultCode.SUCCESS)) {
+ ldapTerminate(lc);
+ return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
+ }
} catch (LDAPException e) {
System.err.printf("Error: login: Binding failed: '%s'!\n", e);
ldapTerminate(lc);
- return null;
+ return new LdapAuth3Result(null, LDAP_AUTH_RUNKNOWN);
+ }
+ }
+
+ if (applyExtraFilters) {
+ if (ldapConfig.authFilter != null && !ldapConfig.authFilter.isEmpty()) {
+ srchRes = applyAdditionalFilter(login, ldapConfig, ldapConfig.authFilter, searchFilterInstance, lc);
+ if (srchRes == null || srchRes.getEntryCount() == 0) {
+ ldapTerminate(lc);
+ return new LdapAuth3Result(null, LDAP_AUTH_RNOTREG);
+ }
+ }
+
+ if (ldapConfig.userNotBlockedFilter != null && !ldapConfig.userNotBlockedFilter.isEmpty()) {
+ srchRes = applyAdditionalFilter(login, ldapConfig, ldapConfig.userNotBlockedFilter, searchFilterInstance, lc);
+ if (srchRes == null || srchRes.getEntryCount() == 0) {
+ ldapTerminate(lc);
+ return new LdapAuth3Result(null, LDAP_AUTH_RLOCKED);
+ }
}
}
ldapTerminate(lc);
+ return new LdapAuth3Result(srchRes, LDAP_AUTH_ROK);
+ }
+
+ private static SearchResult applyAdditionalFilter(String login, LDAPConfig ldapConfig, String searchFilterInstance, String extraFilter, LDAPConnection lc) {
+ SearchResult srchRes;
+ srchRes = null;
+ try {
+ String combindedFilterInstance = "(&" + searchFilterInstance + extraFilter + ")";
+ if (DEBUGLOG) System.out.printf("Searching with additional Filter: '%s'.\n", extraFilter);
+ srchRes = lc.search(ldapConfig.searchBase, SearchScope.SUB, combindedFilterInstance);
+ if (DEBUGLOG) System.out.printf("Found '%s': %d entries.\n", login, srchRes.getEntryCount());
+ } catch (LDAPSearchException e) {
+ System.err.printf("Error: Search for User failed: '%s'!\n", e);
+ }
return srchRes;
}
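Review bot: The calls `applyAdditionalFilter(login, ldapConfig, ldapConfig.authFilter, searchFilterInstance, lc)` and `applyAdditionalFilter(login, ldapConfig, ldapConfig.userNotBlockedFilter, searchFilterInstance, lc)` pass the extra filter in the helper's `searchFilterInstance` position and the base filter in its `extraFilter` position. The conjunction `"(&" + searchFilterInstance + extraFilter + ")"` is commutative so the search still works, but the debug line `Searching with additional Filter:` prints the base filter rather than the extra one and the next edit to the helper will act on the wrong operand; swap the arguments to `(login, ldapConfig, searchFilterInstance, ldapConfig.authFilter, lc)` and likewise for userNotBlockedFilter. The helper also returns null on LDAPSearchException, which the callers turn into LDAP_AUTH_RNOTREG or LDAP_AUTH_RLOCKED, so a search error presents as a user-status verdict; the failure should be signalled separately, by rethrowing or by returning an LdapAuth3Result carrying LDAP_AUTH_RINTERR. The local `combindedFilterInstance` is misspelled. search() begins outside the hunk.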
@@ -209,7 +238,7 @@
LDAPConfig ldapConfig = new LDAPConfig(ldapConfigFilename);
final String emailAttribute = ldapConfig.emailAttribute;
- SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig, false);
+ SearchResult searchResult = search(sUserDN, sUserPwd, ldapConfig, false, false).getSearchResultValue();
if (searchResult == null) {
return null;
@@ -246,4 +275,26 @@
return TokenType.API;
}
+ public static class LdapAuth3Result {
+ final int errorCode;
+ final Object value;
+
+
+ public LdapAuth3Result(Object value, int errorCode) {
+ this.errorCode = errorCode;
+ this.value = value;
+ }
+
+ public int getErrorCode() {
+ return errorCode;
+ }
+
+ public Object getValue() {
+ return value;
+ }
+
+ public SearchResult getSearchResultValue() {
+ return (SearchResult) value;
+ }
+ }
}
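Review bot: LdapAuth3Result stores its payload as `Object` and casts in `getSearchResultValue()`, although every construction site in this change passes either `null` or a `SearchResult`; declaring `final SearchResult value;` and `public LdapAuth3Result(SearchResult value, int errorCode)` removes the cast and lets the compiler reject any other payload. The class also has no Javadoc stating what `errorCode` means; a header such as `/** Outcome of LdapAuth3.search(): errorCode is one of the LDAP_AUTH_R* constants; value is the final SearchResult when errorCode == LDAP_AUTH_ROK and null otherwise. */` would record the invariant that login() and the token lookup rely on. The doubled blank line after the fields is a formatting nit.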