mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Yannick Lecaillez
02.08.2016 cae0b3dbcf69335667bde9e7586d1ba146dda0cd
opendj-server-legacy/src/main/java/org/opends/server/protocols/http/LDAPContext.java
@@ -17,10 +17,10 @@
package org.opends.server.protocols.http;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.services.context.AbstractContext;
import org.forgerock.services.context.Context;
import org.opends.server.types.Entry;
/**
 * Context provided by a Directory Server. It contains a reference to a
@@ -64,13 +64,12 @@
    /**
     * Get a direct {@link Connection} to this Directory Server.
     *
     * @param userDN
     *          DN of the user's used to validate authorization.
     * @param userEntry
     *          The returned connection will be authenticated as userEntry.
     * @return A direct {@link Connection} to this Directory Server.
     * @throws LdapException
     *           If a connection cannot be create (i.e: because the userDN
     *           doesn't exists).
     *           If a connection cannot be created (i.e: because an administrative limit has been exceeded).
     */
    Connection getConnection(DN userDN) throws LdapException;
    Connection getAuthenticatedConnection(Entry userEntry) throws LdapException;
  }
}
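Review bot: The new `@param userEntry` Javadoc does not say that the factory performs no credential check — the returned connection is simply bound as the given entry — and that is the property a caller most needs to know; suggested wording: `@param userEntry Entry of an already-authenticated user. The returned connection is bound as this entry without any further credential check, so callers must have verified the user's credentials first.` In the `@throws` text the administrative-limit case is one example among others, so "e.g." reads better than "i.e:". The enclosing `InternalConnectionFactory` interface starts outside the hunk.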
opendj-server-legacy/src/main/java/org/opends/server/protocols/http/LDAPContextInjectionFilter.java
@@ -20,7 +20,6 @@
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.services.context.Context;
@@ -30,7 +29,6 @@
import org.opends.server.core.ServerContext;
import org.opends.server.protocols.http.LDAPContext.InternalConnectionFactory;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
/**
@@ -55,11 +53,11 @@
    final LDAPContext djContext = new LDAPContext(context, new InternalConnectionFactory()
    {
      @Override
      public Connection getConnection(DN userDN) throws LdapException
      public Connection getAuthenticatedConnection(Entry userEntry) throws LdapException
      {
        final HTTPClientConnection clientConnection =
            new HTTPClientConnection(serverContext, httpConnectionHandler, context, request);
        clientConnection.setAuthenticationInfo(getAuthInfoForDN(userDN));
        clientConnection.setAuthenticationInfo(getAuthInfoForUserEntry(userEntry));
        if (clientConnection.getConnectionID() < 0)
        {
          throw LdapException.newLdapException(ResultCode.ADMIN_LIMIT_EXCEEDED);
@@ -68,31 +66,9 @@
        return new SdkConnectionAdapter(clientConnection);
      }
      private AuthenticationInfo getAuthInfoForDN(DN userDN) throws LdapException
      private AuthenticationInfo getAuthInfoForUserEntry(Entry userEntry)
      {
        if (userDN == null || userDN.isRootDN())
        {
          return new AuthenticationInfo();
        }
        final DN rootUserDN = DirectoryServer.getActualRootBindDN(userDN);
        if (rootUserDN != null)
        {
          userDN = rootUserDN;
        }
        Entry userEntry;
        try
        {
          userEntry = DirectoryServer.getEntry(userDN);
        }
        catch (DirectoryException e)
        {
          throw LdapException.newLdapException(e.getResultCode());
        }
        if (userEntry == null)
        {
          throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS);
        }
        return new AuthenticationInfo(userEntry, DirectoryServer.isRootDN(userDN));
        return new AuthenticationInfo(userEntry, DirectoryServer.isRootDN(userEntry.getName()));
      }
    });
    return next.handle(djContext, request);
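Review bot: `getAuthInfoForUserEntry` dereferences `userEntry.getName()` with no null guard, whereas the replaced `getAuthInfoForDN` mapped a missing entry to `INVALID_CREDENTIALS`; a caller that passes null now gets a NullPointerException out of the HTTP connection setup instead of an LDAP result. A guard such as `if (userEntry == null) { throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS); }` before the return keeps the old failure mode (the method then needs `throws LdapException` again if that exception is checked, as the old signature had). The `getActualRootBindDN` mapping and the anonymous path for a null or root DN also disappear with this rewrite; if that is intentional because callers now resolve the entry themselves, a one-line comment saying so would help the next reader. The anonymous `InternalConnectionFactory` and the enclosing filter method start outside the hunk.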
opendj-server-legacy/src/main/java/org/opends/server/protocols/http/authz/HttpBasicAuthorizationMechanism.java
@@ -16,7 +16,6 @@
package org.opends.server.protocols.http.authz;
import static org.forgerock.http.filter.Filters.chainOf;
import static org.forgerock.opendj.adapter.server3x.Adapters.newConnection;
import static org.forgerock.opendj.adapter.server3x.Adapters.newRootConnectionFactory;
import static org.forgerock.opendj.ldap.LdapException.newLdapException;
import static org.forgerock.opendj.ldap.ResultCode.INVALID_CREDENTIALS;
@@ -32,7 +31,6 @@
import static org.forgerock.util.promise.Promises.newExceptionPromise;
import static org.forgerock.util.promise.Promises.newResultPromise;
import static org.opends.server.core.DirectoryServer.getIdentityMapper;
import static org.opends.server.core.DirectoryServer.isRootDN;
import java.util.HashMap;
import java.util.Map;
@@ -55,8 +53,7 @@
import org.forgerock.util.promise.Promise;
import org.opends.server.api.IdentityMapper;
import org.opends.server.core.ServerContext;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.protocols.http.LDAPContext;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
@@ -130,7 +127,11 @@
      {
        final Entry userEntry = getMappedIdentity(username);
        doBind(userEntry.getName().toString(), password);
        final Context authcContext = new AuthenticatedConnectionContext(parentContext, newConnectionAs(userEntry));
        final Connection connection =
            parentContext.asContext(LDAPContext.class)
                         .getInternalConnectionFactory()
                         .getAuthenticatedConnection(userEntry);
        final Context authcContext = new AuthenticatedConnectionContext(parentContext, connection);
        final Map<String, Object> authz = new HashMap<>();
        authz.put(AUTHZID_DN, userEntry.getName().toString());
@@ -171,11 +172,5 @@
        }
      }
    }
    private Connection newConnectionAs(Entry userEntry)
    {
      return newConnection(new InternalClientConnection(
          new AuthenticationInfo(userEntry, isRootDN(userEntry.getName()))));
    }
  }
}
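Review bot: The order of `doBind(...)` followed by `getAuthenticatedConnection(userEntry)` is the security-critical invariant here — the factory binds the connection as `userEntry` without checking credentials — and nothing in the code says so; a comment such as `// doBind must succeed before an authenticated connection is created for userEntry` above the `connection` assignment would protect it against a later reordering. `parentContext.asContext(LDAPContext.class)` throws (IllegalArgumentException, as far as I recall) when no `LDAPContext` is in the chain, so this mechanism now hard-depends on `LDAPContextInjectionFilter` being installed upstream; that dependency is worth stating in the class Javadoc. The enclosing method starts and ends outside the hunk.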
opendj-server-legacy/src/main/java/org/opends/server/protocols/http/authz/InternalProxyAuthzFilter.java
@@ -42,6 +42,7 @@
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;
import org.opends.server.api.IdentityMapper;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.http.LDAPContext;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
@@ -71,7 +72,8 @@
    Connection tmp = null;
    try
    {
      tmp = ldapContext.getInternalConnectionFactory().getConnection(getUserDN(securityContext));
      tmp = ldapContext.getInternalConnectionFactory()
                       .getAuthenticatedConnection(getUserEntry(securityContext));
    }
    catch (LdapException | DirectoryException e)
    {
@@ -90,14 +92,14 @@
               });
  }
  private DN getUserDN(final SecurityContext securityContext) throws LdapException, DirectoryException
  private Entry getUserEntry(final SecurityContext securityContext) throws LdapException, DirectoryException
  {
    final Map<String, Object> authz = securityContext.getAuthorization();
    if (authz.containsKey(AUTHZID_DN))
    {
      try
      {
        return DN.valueOf(authz.get(AUTHZID_DN).toString(), schema);
        return DirectoryServer.getEntry(DN.valueOf(authz.get(AUTHZID_DN).toString(), schema));
      }
      catch (LocalizedIllegalArgumentException e)
      {
@@ -111,7 +113,7 @@
      {
        throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS);
      }
      return entry.getName();
      return entry;
    }
    throw LdapException.newLdapException(ResultCode.AUTHORIZATION_DENIED);
  }
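Review bot: In `getUserEntry`, the `AUTHZID_DN` branch returns `DirectoryServer.getEntry(...)` directly, which can be null when the DN stored in the authorization map no longer resolves to an entry (for example if the entry was removed after the authorization mechanism stored its DN); the identity-mapper branch below checks for null and throws `INVALID_CREDENTIALS`, but this branch does not, and the null then reaches `userEntry.getName()` inside the connection factory as a NullPointerException rather than an LDAP result. Replace the return with `final Entry authzEntry = DirectoryServer.getEntry(DN.valueOf(authz.get(AUTHZID_DN).toString(), schema));`, `if (authzEntry == null) { throw LdapException.newLdapException(ResultCode.INVALID_CREDENTIALS); }`, `return authzEntry;` so both branches fail the same way. I cannot confirm from the hunk whether `getEntry` returns null or throws `DirectoryException` for a missing entry, but the old `getAuthInfoForDN` in LDAPContextInjectionFilter checked for null after the same call, which suggests null is possible.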