/* * The contents of this file are subject to the terms of the Common Development and * Distribution License (the License). You may not use this file except in compliance with the * License. * * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the * specific language governing permission and limitations under the License. * * When distributing Covered Software, include this CDDL Header Notice in each file and include * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL * Header, with the fields enclosed by brackets [] replaced by your own identifying * information: "Portions copyright [year] [name of copyright owner]". * * Copyright 2016 ForgeRock AS. */ package org.forgerock.opendj.rest2ldap.authz; import static org.forgerock.opendj.ldap.requests.Requests.newPlainSASLBindRequest; import static org.forgerock.services.context.SecurityContext.AUTHZID_DN; import static org.forgerock.services.context.SecurityContext.AUTHZID_ID; import static org.forgerock.util.Reject.checkNotNull; import static org.forgerock.opendj.rest2ldap.authz.Utils.close; import java.util.LinkedHashMap; import java.util.Map; import java.util.concurrent.atomic.AtomicReference; import org.forgerock.i18n.LocalizedIllegalArgumentException; import org.forgerock.opendj.ldap.Connection; import org.forgerock.opendj.ldap.ConnectionFactory; import org.forgerock.opendj.ldap.DN; import org.forgerock.opendj.ldap.DecodeException; import org.forgerock.opendj.ldap.DecodeOptions; import org.forgerock.opendj.ldap.LdapException; import org.forgerock.opendj.ldap.ResultCode; import org.forgerock.opendj.ldap.controls.AuthorizationIdentityRequestControl; import org.forgerock.opendj.ldap.controls.AuthorizationIdentityResponseControl; import org.forgerock.opendj.ldap.responses.BindResult; import org.forgerock.opendj.ldap.schema.Schema; import org.forgerock.services.context.Context; import org.forgerock.services.context.SecurityContext; import org.forgerock.util.AsyncFunction; import org.forgerock.util.Function; import org.forgerock.util.promise.Promise; /** Bind using a computed DN from a template and the current request/context. */ final class SaslPlainStrategy implements AuthenticationStrategy { private final ConnectionFactory connectionFactory; private final Function formatter; /** * Create a new SASLPlainStrategy. * * @param connectionFactory * Factory used to get {@link Connection} receiving the sasl-bind requests * @param authcIdTemplate * Authentication identity template containing a single %s which will be replaced by the authenticating * user's name. (i.e: (u:%s) * @param schema * Schema used to perform DN validation. * @throws NullPointerException * If a parameter is null */ public SaslPlainStrategy(final ConnectionFactory connectionFactory, final Schema schema, final String authcIdTemplate) { this.connectionFactory = checkNotNull(connectionFactory, "connectionFactory cannot be null"); checkNotNull(schema, "schema cannot be null"); checkNotNull(authcIdTemplate, "authcIdTemplate cannot be null"); if (authcIdTemplate.startsWith("dn:")) { formatter = new Function() { @Override public String apply(String value) throws LdapException { try { return DN.format(authcIdTemplate, schema, value).toString(); } catch (LocalizedIllegalArgumentException e) { throw LdapException.newLdapException(ResultCode.INVALID_DN_SYNTAX, e.getMessageObject(), e); } } }; } else { formatter = new Function() { @Override public String apply(String value) throws LdapException { return String.format(authcIdTemplate, value); } }; } } @Override public Promise authenticate(final String username, final String password, final Context parentContext) { final AtomicReference connectionHolder = new AtomicReference(); return connectionFactory .getConnectionAsync() .thenAsync(new AsyncFunction() { @Override public Promise apply(Connection connection) throws LdapException { connectionHolder.set(connection); return doSaslPlainBind(connection, parentContext, username, password); } }).thenFinally(close(connectionHolder)); } private Promise doSaslPlainBind(final Connection connection, final Context parentContext, final String authzId, final String password) throws LdapException { final String authcId = formatter.apply(authzId); return connection .bindAsync(newPlainSASLBindRequest(authcId, password.toCharArray()) .addControl(AuthorizationIdentityRequestControl.newControl(true))) .then(new Function() { @Override public SecurityContext apply(BindResult result) throws LdapException { final Map authz = new LinkedHashMap<>(2); try { final AuthorizationIdentityResponseControl control = result.getControl(AuthorizationIdentityResponseControl.DECODER, new DecodeOptions()); if (control != null) { final String authzDN = control.getAuthorizationID(); if (authzDN.startsWith("dn:")) { authz.put(AUTHZID_DN, authzDN.substring(3)); } } } catch (DecodeException e) { // Just ignore } authz.put(AUTHZID_ID, authzId); return new SecurityContext(parentContext, authcId, authz); } }); } }