/*
|
* CDDL HEADER START
|
*
|
* The contents of this file are subject to the terms of the
|
* Common Development and Distribution License, Version 1.0 only
|
* (the "License"). You may not use this file except in compliance
|
* with the License.
|
*
|
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
|
* or http://forgerock.org/license/CDDLv1.0.html.
|
* See the License for the specific language governing permissions
|
* and limitations under the License.
|
*
|
* When distributing Covered Code, include this CDDL HEADER in each
|
* file and include the License file at legal-notices/CDDLv1_0.txt.
|
* If applicable, add the following below this CDDL HEADER, with the
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
* information:
|
* Portions Copyright [yyyy] [name of copyright owner]
|
*
|
* CDDL HEADER END
|
*
|
*
|
* Copyright 2007-2010 Sun Microsystems, Inc.
|
* Portions Copyright 2013 ForgeRock AS
|
*/
|
package org.opends.server.core;
|
|
import static org.opends.messages.CoreMessages.*;
|
import static org.opends.server.config.ConfigConstants.*;
|
import static org.opends.server.loggers.AccessLogger.*;
|
import static org.opends.server.loggers.debug.DebugLogger.*;
|
|
import java.util.ArrayList;
|
import java.util.List;
|
|
import org.opends.messages.Message;
|
import org.opends.server.api.ClientConnection;
|
import org.opends.server.api.plugin.PluginResult;
|
import org.opends.server.core.networkgroups.NetworkGroup;
|
import org.opends.server.loggers.debug.DebugLogger;
|
import org.opends.server.loggers.debug.DebugTracer;
|
import org.opends.server.types.*;
|
import org.opends.server.types.operation.PreParseBindOperation;
|
import org.opends.server.workflowelement.localbackend.LocalBackendBindOperation;
|
|
/**
|
* This class defines an operation that may be used to authenticate a user to
|
* the Directory Server. Note that for security restrictions, response messages
|
* that may be returned to the client must be carefully cleaned to ensure that
|
* they do not provide a malicious client with information that may be useful in
|
* an attack. This does impact the debugability of the server, but that can
|
* be addressed by calling the <CODE>setAuthFailureReason</CODE> method, which
|
* can provide a reason for a failure in a form that will not be returned to the
|
* client but may be written to a log file.
|
*/
|
public class BindOperationBasis
|
extends AbstractOperation
|
implements BindOperation, PreParseBindOperation
|
{
|
/**
|
* The tracer object for the debug logger.
|
*/
|
private static final DebugTracer TRACER = DebugLogger.getTracer();
|
|
/** The credentials used for SASL authentication. */
|
private ByteString saslCredentials;
|
|
/** The server SASL credentials provided to the client in the response. */
|
private ByteString serverSASLCredentials;
|
|
/** The authentication info for this bind operation. */
|
private AuthenticationInfo authInfo = null;
|
|
/** The authentication type used for this bind operation. */
|
private AuthenticationType authType;
|
|
/** The raw, unprocessed bind DN as contained in the client request. */
|
private ByteString rawBindDN;
|
|
/** The password used for simple authentication. */
|
private ByteString simplePassword;
|
|
/** The bind DN used for this bind operation. */
|
private DN bindDN;
|
|
/** The DN of the user entry that is attempting to authenticate. */
|
private DN userEntryDN;
|
|
/**
|
* The DN of the user as whom a SASL authentication was attempted (regardless
|
* of whether the authentication was successful) for the purpose of updating
|
* password policy state information.
|
*/
|
private Entry saslAuthUserEntry;
|
|
/** The set of response controls for this bind operation. */
|
private List<Control> responseControls;
|
|
/** A message explaining the reason for the authentication failure. */
|
private Message authFailureReason;
|
|
/** The SASL mechanism used for SASL authentication. */
|
private String saslMechanism;
|
|
/**
|
* A string representation of the protocol version for this bind operation.
|
*/
|
private String protocolVersion;
|
|
/**
|
* Creates a new simple bind operation with the provided information.
|
*
|
* @param clientConnection The client connection with which this operation
|
* is associated.
|
* @param operationID The operation ID for this operation.
|
* @param messageID The message ID of the request with which this
|
* operation is associated.
|
* @param requestControls The set of controls included in the request.
|
* @param protocolVersion The string representation of the protocol version
|
* associated with this bind request.
|
* @param rawBindDN The raw, unprocessed bind DN as provided in the
|
* request from the client.
|
* @param simplePassword The password to use for the simple
|
* authentication.
|
*/
|
public BindOperationBasis(ClientConnection clientConnection, long operationID,
|
int messageID, List<Control> requestControls,
|
String protocolVersion, ByteString rawBindDN,
|
ByteString simplePassword)
|
{
|
super(clientConnection, operationID, messageID, requestControls);
|
|
|
this.protocolVersion = protocolVersion;
|
this.authType = AuthenticationType.SIMPLE;
|
this.saslMechanism = null;
|
this.saslCredentials = null;
|
|
if (rawBindDN == null)
|
{
|
this.rawBindDN = ByteString.empty();
|
}
|
else
|
{
|
this.rawBindDN = rawBindDN;
|
}
|
|
if (simplePassword == null)
|
{
|
this.simplePassword = ByteString.empty();
|
}
|
else
|
{
|
this.simplePassword = simplePassword;
|
}
|
|
bindDN = null;
|
userEntryDN = null;
|
responseControls = new ArrayList<Control>(0);
|
authFailureReason = null;
|
saslAuthUserEntry = null;
|
|
cancelResult = new CancelResult(ResultCode.CANNOT_CANCEL,
|
ERR_CANNOT_CANCEL_BIND.get());
|
}
|
|
|
|
/**
|
* Creates a new SASL bind operation with the provided information.
|
*
|
* @param clientConnection The client connection with which this operation
|
* is associated.
|
* @param operationID The operation ID for this operation.
|
* @param messageID The message ID of the request with which this
|
* operation is associated.
|
* @param requestControls The set of controls included in the request.
|
* @param protocolVersion The string representation of the protocol version
|
* associated with this bind request.
|
* @param rawBindDN The raw, unprocessed bind DN as provided in the
|
* request from the client.
|
* @param saslMechanism The SASL mechanism included in the request.
|
* @param saslCredentials The optional SASL credentials included in the
|
* request.
|
*/
|
public BindOperationBasis(ClientConnection clientConnection, long operationID,
|
int messageID, List<Control> requestControls,
|
String protocolVersion, ByteString rawBindDN,
|
String saslMechanism, ByteString saslCredentials)
|
{
|
super(clientConnection, operationID, messageID, requestControls);
|
|
|
this.protocolVersion = protocolVersion;
|
this.authType = AuthenticationType.SASL;
|
this.saslMechanism = saslMechanism;
|
this.saslCredentials = saslCredentials;
|
this.simplePassword = null;
|
|
if (rawBindDN == null)
|
{
|
this.rawBindDN = ByteString.empty();
|
}
|
else
|
{
|
this.rawBindDN = rawBindDN;
|
}
|
|
bindDN = null;
|
userEntryDN = null;
|
responseControls = new ArrayList<Control>(0);
|
authFailureReason = null;
|
saslAuthUserEntry = null;
|
|
cancelResult = new CancelResult(ResultCode.CANNOT_CANCEL,
|
ERR_CANNOT_CANCEL_BIND.get());
|
}
|
|
|
|
/**
|
* Creates a new simple bind operation with the provided information.
|
*
|
* @param clientConnection The client connection with which this operation
|
* is associated.
|
* @param operationID The operation ID for this operation.
|
* @param messageID The message ID of the request with which this
|
* operation is associated.
|
* @param requestControls The set of controls included in the request.
|
* @param protocolVersion The string representation of the protocol version
|
* associated with this bind request.
|
* @param bindDN The bind DN for this bind operation.
|
* @param simplePassword The password to use for the simple
|
* authentication.
|
*/
|
public BindOperationBasis(ClientConnection clientConnection, long operationID,
|
int messageID, List<Control> requestControls,
|
String protocolVersion, DN bindDN,
|
ByteString simplePassword)
|
{
|
super(clientConnection, operationID, messageID, requestControls);
|
|
|
this.protocolVersion = protocolVersion;
|
this.authType = AuthenticationType.SIMPLE;
|
this.bindDN = bindDN;
|
this.saslMechanism = null;
|
this.saslCredentials = null;
|
|
if (bindDN == null)
|
{
|
rawBindDN = ByteString.empty();
|
}
|
else
|
{
|
rawBindDN = ByteString.valueOf(bindDN.toString());
|
}
|
|
if (simplePassword == null)
|
{
|
this.simplePassword = ByteString.empty();
|
}
|
else
|
{
|
this.simplePassword = simplePassword;
|
}
|
|
responseControls = new ArrayList<Control>(0);
|
authFailureReason = null;
|
saslAuthUserEntry = null;
|
userEntryDN = null;
|
|
cancelResult = new CancelResult(ResultCode.CANNOT_CANCEL,
|
ERR_CANNOT_CANCEL_BIND.get());
|
}
|
|
|
|
/**
|
* Creates a new SASL bind operation with the provided information.
|
*
|
* @param clientConnection The client connection with which this operation
|
* is associated.
|
* @param operationID The operation ID for this operation.
|
* @param messageID The message ID of the request with which this
|
* operation is associated.
|
* @param requestControls The set of controls included in the request.
|
* @param protocolVersion The string representation of the protocol version
|
* associated with this bind request.
|
* @param bindDN The bind DN for this bind operation.
|
* @param saslMechanism The SASL mechanism included in the request.
|
* @param saslCredentials The optional SASL credentials included in the
|
* request.
|
*/
|
public BindOperationBasis(ClientConnection clientConnection, long operationID,
|
int messageID, List<Control> requestControls,
|
String protocolVersion, DN bindDN,
|
String saslMechanism, ByteString saslCredentials)
|
{
|
super(clientConnection, operationID, messageID, requestControls);
|
|
|
this.protocolVersion = protocolVersion;
|
this.authType = AuthenticationType.SASL;
|
this.bindDN = bindDN;
|
this.saslMechanism = saslMechanism;
|
this.saslCredentials = saslCredentials;
|
this.simplePassword = null;
|
|
if (bindDN == null)
|
{
|
rawBindDN = ByteString.empty();
|
}
|
else
|
{
|
rawBindDN = ByteString.valueOf(bindDN.toString());
|
}
|
|
responseControls = new ArrayList<Control>(0);
|
authFailureReason = null;
|
saslAuthUserEntry = null;
|
userEntryDN = null;
|
|
cancelResult = new CancelResult(ResultCode.CANNOT_CANCEL,
|
ERR_CANNOT_CANCEL_BIND.get());
|
}
|
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final AuthenticationType getAuthenticationType()
|
{
|
return authType;
|
}
|
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final ByteString getRawBindDN()
|
{
|
return rawBindDN;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setRawBindDN(ByteString rawBindDN)
|
{
|
if (rawBindDN == null)
|
{
|
this.rawBindDN = ByteString.empty();
|
}
|
else
|
{
|
this.rawBindDN = rawBindDN;
|
}
|
|
bindDN = null;
|
}
|
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final DN getBindDN()
|
{
|
try
|
{
|
if (bindDN == null)
|
{
|
bindDN = DN.decode(rawBindDN);
|
}
|
}
|
catch (DirectoryException de)
|
{
|
if (debugEnabled())
|
{
|
TRACER.debugCaught(DebugLogLevel.ERROR, de);
|
}
|
|
setResultCode(ResultCode.INVALID_CREDENTIALS);
|
setAuthFailureReason(de.getMessageObject());
|
}
|
return bindDN;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final ByteString getSimplePassword()
|
{
|
return simplePassword;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setSimplePassword(ByteString simplePassword)
|
{
|
if (simplePassword == null)
|
{
|
this.simplePassword = ByteString.empty();
|
}
|
else
|
{
|
this.simplePassword = simplePassword;
|
}
|
|
authType = AuthenticationType.SIMPLE;
|
saslMechanism = null;
|
saslCredentials = null;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final String getSASLMechanism()
|
{
|
return saslMechanism;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final ByteString getSASLCredentials()
|
{
|
return saslCredentials;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setSASLCredentials(String saslMechanism,
|
ByteString saslCredentials)
|
{
|
this.saslMechanism = saslMechanism;
|
this.saslCredentials = saslCredentials;
|
|
authType = AuthenticationType.SASL;
|
simplePassword = null;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final ByteString getServerSASLCredentials()
|
{
|
return serverSASLCredentials;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setServerSASLCredentials(ByteString
|
serverSASLCredentials)
|
{
|
this.serverSASLCredentials = serverSASLCredentials;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final Entry getSASLAuthUserEntry()
|
{
|
return saslAuthUserEntry;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setSASLAuthUserEntry(Entry saslAuthUserEntry)
|
{
|
this.saslAuthUserEntry = saslAuthUserEntry;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final Message getAuthFailureReason()
|
{
|
return authFailureReason;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setAuthFailureReason(Message message)
|
{
|
if (DirectoryServer.returnBindErrorMessages())
|
{
|
appendErrorMessage(message);
|
}
|
else
|
{
|
authFailureReason = message;
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final DN getUserEntryDN()
|
{
|
return userEntryDN;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final AuthenticationInfo getAuthenticationInfo()
|
{
|
return authInfo;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void setAuthenticationInfo(AuthenticationInfo authInfo)
|
{
|
this.authInfo = authInfo;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final OperationType getOperationType()
|
{
|
// Note that no debugging will be done in this method because it is a likely
|
// candidate for being called by the logging subsystem.
|
|
return OperationType.BIND;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final List<Control> getResponseControls()
|
{
|
return responseControls;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final void addResponseControl(Control control)
|
{
|
responseControls.add(control);
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final void removeResponseControl(Control control)
|
{
|
responseControls.remove(control);
|
}
|
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final void toString(StringBuilder buffer)
|
{
|
buffer.append("BindOperation(connID=");
|
buffer.append(clientConnection.getConnectionID());
|
buffer.append(", opID=");
|
buffer.append(operationID);
|
buffer.append(", protocol=\"");
|
buffer.append(clientConnection.getProtocol());
|
buffer.append(" ");
|
buffer.append(protocolVersion);
|
buffer.append(", dn=");
|
buffer.append(rawBindDN);
|
buffer.append(", authType=");
|
buffer.append(authType);
|
buffer.append(")");
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public void setUserEntryDN(DN userEntryDN)
|
{
|
this.userEntryDN = userEntryDN;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public String getProtocolVersion()
|
{
|
return protocolVersion;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public void setProtocolVersion(String protocolVersion)
|
{
|
this.protocolVersion = protocolVersion;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public final void run()
|
{
|
setResultCode(ResultCode.UNDEFINED);
|
|
// Start the processing timer and initially set the result to indicate that
|
// the result is unknown.
|
setProcessingStartTime();
|
|
// Log the bind request message.
|
logBindRequest(this);
|
|
ClientConnection clientConnection = getClientConnection();
|
|
// Wipe out any existing authentication for the client connection and create
|
// a placeholder that will be used if the bind is successful.
|
clientConnection.setUnauthenticated();
|
|
// Abandon any operations that may be in progress for the client.
|
Message cancelReason = INFO_CANCELED_BY_BIND_REQUEST.get();
|
CancelRequest cancelRequest = new CancelRequest(true, cancelReason);
|
clientConnection.cancelAllOperationsExcept(cancelRequest, getMessageID());
|
|
|
// Get the plugin config manager that will be used for invoking plugins.
|
PluginConfigManager pluginConfigManager =
|
DirectoryServer.getPluginConfigManager();
|
|
|
// This flag is set to true as soon as a workflow has been executed.
|
boolean workflowExecuted = false;
|
|
|
try
|
{
|
// Invoke the pre-parse bind plugins.
|
PluginResult.PreParse preParseResult =
|
pluginConfigManager.invokePreParseBindPlugins(this);
|
if (!preParseResult.continueProcessing())
|
{
|
setResultCode(preParseResult.getResultCode());
|
appendErrorMessage(preParseResult.getErrorMessage());
|
setMatchedDN(preParseResult.getMatchedDN());
|
setReferralURLs(preParseResult.getReferralURLs());
|
return;
|
}
|
|
|
// Process the bind DN to convert it from the raw form as provided by the
|
// client into the form required for the rest of the bind processing.
|
DN bindDN = getBindDN();
|
if (bindDN == null){
|
return;
|
}
|
|
// If this is a simple bind
|
// Then check wether the bind DN is actually one of the alternate root DNs
|
// defined in the server. If so, then replace it with the actual DN
|
// for that user.
|
switch (getAuthenticationType())
|
{
|
case SIMPLE:
|
DN actualRootDN = DirectoryServer.getActualRootBindDN(bindDN);
|
if (actualRootDN != null)
|
{
|
bindDN = actualRootDN;
|
}
|
}
|
|
|
// Special case to manage RootDNs
|
// RootDNs are stored in cn=config but this workflow is not
|
// available through non-admin network groups.
|
// So if the bind DN is in cn=config, we directly retrieve
|
// the workflow handling cn=config
|
// FIXME: it would be better to store RootDNs in a separate backend.
|
// Issue #3502 has been logged to track this request.
|
boolean isInConfig;
|
try {
|
isInConfig = bindDN.isDescendantOf(DN.decode(DN_CONFIG_ROOT));
|
} catch (DirectoryException ex) {
|
// can not happen
|
isInConfig = false;
|
}
|
|
Workflow workflow;
|
if (isInConfig) {
|
workflow = WorkflowImpl.getWorkflow("__config.ldif__#cn=config");
|
} else {
|
// Retrieve the network group attached to the client connection
|
// and get a workflow to process the operation.
|
NetworkGroup ng = getClientConnection().getNetworkGroup();
|
workflow = ng.getWorkflowCandidate(bindDN);
|
}
|
if (workflow == null)
|
{
|
// We have found no workflow for the requested base DN, just return
|
// a no such entry result code and stop the processing.
|
updateOperationErrMsgAndResCode();
|
return;
|
}
|
workflow.execute(this);
|
workflowExecuted = true;
|
|
}
|
catch(CanceledOperationException coe)
|
{
|
// This shouldn't happen for bind operations. Just cancel anyways
|
if (debugEnabled())
|
{
|
TRACER.debugCaught(DebugLogLevel.ERROR, coe);
|
}
|
|
setResultCode(ResultCode.CANCELED);
|
|
appendErrorMessage(cancelRequest.getCancelReason());
|
}
|
finally
|
{
|
// Stop the processing timer.
|
setProcessingStopTime();
|
|
// Log the bind response.
|
logBindResponse(this);
|
|
// Send the bind response to the client.
|
clientConnection.sendResponse(this);
|
|
// If the bind processing is finished, then unset the "bind in progress"
|
// flag to allow other operations to be processed on the connection.
|
if (getResultCode() != ResultCode.SASL_BIND_IN_PROGRESS)
|
{
|
clientConnection.finishSaslBind();
|
}
|
|
clientConnection.finishBindOrStartTLS();
|
|
// Invoke the post-response bind plugins.
|
invokePostResponsePlugins(workflowExecuted);
|
}
|
}
|
|
|
/**
|
* Invokes the post response plugins. If a workflow has been executed
|
* then invoke the post response plugins provided by the workflow
|
* elements of the worklfow, otherwise invoke the post reponse plugins
|
* that have been registered with the current operation.
|
*
|
* @param workflowExecuted <code>true</code> if a workflow has been
|
* executed
|
*/
|
private void invokePostResponsePlugins(boolean workflowExecuted)
|
{
|
// Get the plugin config manager that will be used for invoking plugins.
|
PluginConfigManager pluginConfigManager =
|
DirectoryServer.getPluginConfigManager();
|
|
// Invoke the post response plugins
|
if (workflowExecuted)
|
{
|
// The post responses are provided by the workflow elements of the
|
// workflow.
|
List localOperations =
|
(List)getAttachment(Operation.LOCALBACKENDOPERATIONS);
|
if (localOperations != null)
|
{
|
for (Object localOp : localOperations)
|
{
|
LocalBackendBindOperation localOperation =
|
(LocalBackendBindOperation)localOp;
|
// Invoke the post-response bind plugins.
|
pluginConfigManager.invokePostResponseBindPlugins(localOperation);
|
}
|
}
|
else
|
{
|
// The current operation does not implement any bind post response
|
// interface so we cannot invoke any post-response plugin.
|
}
|
}
|
}
|
|
|
/**
|
* Updates the error message and the result code of the operation.
|
*
|
* This method is called because no workflows were found to process
|
* the operation.
|
*/
|
private void updateOperationErrMsgAndResCode()
|
{
|
Message message = ERR_BIND_OPERATION_UNKNOWN_USER.get();
|
setResultCode(ResultCode.INVALID_CREDENTIALS);
|
setAuthFailureReason(message);
|
}
|
|
}
|
