Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge branch 'master' into JENKINS-48917
  • Loading branch information
dwnusbaum committed Jan 30, 2018
2 parents 23ae449 + e0e794e commit eea7336
Show file tree
Hide file tree
Showing 9 changed files with 551 additions and 30 deletions.
95 changes: 69 additions & 26 deletions src/main/java/hudson/security/LDAPSecurityRealm.java
Expand Up @@ -44,6 +44,7 @@
import jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy;
import jenkins.security.plugins.ldap.LDAPConfiguration;
import jenkins.security.plugins.ldap.LDAPGroupMembershipStrategy;
import jenkins.security.plugins.ldap.LDAPExtendedTemplate;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.acegisecurity.AcegiSecurityException;
Expand All @@ -56,6 +57,7 @@
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.InitialDirContextFactory;
import org.acegisecurity.ldap.LdapDataAccessException;
import org.acegisecurity.ldap.LdapEntryMapper;
import org.acegisecurity.ldap.LdapUserSearch;
import org.acegisecurity.ldap.search.FilterBasedLdapUserSearch;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
Expand Down Expand Up @@ -88,6 +90,7 @@
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapName;
import java.io.IOException;
import java.io.Serializable;
import java.net.URI;
Expand Down Expand Up @@ -393,7 +396,7 @@ group target (CN is a reasonable default)
/**
* The group details cache.
*/
private transient Map<String,CacheEntry<Set<String>>> groupDetailsCache = null;
private transient Map<String,CacheEntry<GroupDetailsImpl>> groupDetailsCache = null;

@Deprecated @Restricted(NoExternalUse.class)
private transient Map<String,String> extraEnvVars;
Expand Down Expand Up @@ -842,57 +845,70 @@ public LdapUserDetails updateUserDetails(LdapUserDetails d) {

@Override
public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
return loadGroupByGroupname(groupname, false);
}

@Override
public GroupDetails loadGroupByGroupname(String groupname, boolean fetchMembers) throws UsernameNotFoundException, DataAccessException {
groupname = fixGroupname(groupname);
Set<String> cachedGroups;
GroupDetailsImpl cachedGroup;
if (cache != null) {
final CacheEntry<Set<String>> cached;
final CacheEntry<GroupDetailsImpl> cached;
synchronized (this) {
cached = groupDetailsCache != null ? groupDetailsCache.get(groupname) : null;
}
if (cached != null && cached.isValid()) {
cachedGroups = cached.getValue();
GroupDetailsImpl cachedValue = cached.getValue();
if (!fetchMembers || cachedValue.getMembers() != null) {
cachedGroup = cachedValue;
} else {
cachedGroup = null;
}
} else {
cachedGroups = null;
cachedGroup = null;
}
} else {
cachedGroups = null;
cachedGroup = null;
}

// TODO: obtain a DN instead so that we can obtain multiple attributes later

final Set<String> groups = cachedGroups != null
? cachedGroups
: searchForGroupName(groupname);
if (cache != null && cachedGroups == null && !groups.isEmpty()) {
final GroupDetailsImpl group = cachedGroup != null
? cachedGroup
: searchForGroupName(groupname, fetchMembers);
if (cache != null && cachedGroup == null) {
synchronized (this) {
if (groupDetailsCache == null) {
groupDetailsCache = new CacheMap<String, Set<String>>(cache.getSize());
groupDetailsCache = new CacheMap<>(cache.getSize());
}
groupDetailsCache.put(groupname, new CacheEntry<Set<String>>(cache.getTtl(), groups));
groupDetailsCache.put(groupname, new CacheEntry<>(cache.getTtl(), group));
}
}

if(groups.isEmpty())
throw new UsernameNotFoundException(groupname);

return new GroupDetailsImpl(fixGroupname(groups.iterator().next()));
return group;
}

private Set<String> searchForGroupName(String groupname) {
Set<String> groups = new TreeSet<>();
private @Nonnull GroupDetailsImpl searchForGroupName(String groupname, boolean fetchMembers) throws UsernameNotFoundException, DataAccessException {
for (LDAPConfiguration conf : configurations) {
try {
String searchBase = conf.getGroupSearchBase() != null ? conf.getGroupSearchBase() : "";
String searchFilter = conf.getGroupSearchFilter() != null ? conf.getGroupSearchFilter() : GROUP_SEARCH;
groups.addAll(conf.getLdapTemplate().searchForSingleAttributeValues(searchBase, searchFilter, new String[]{groupname}, "cn"));
String searchBase = conf.getGroupSearchBase() != null ? conf.getGroupSearchBase() : "";
String searchFilter = conf.getGroupSearchFilter() != null ? conf.getGroupSearchFilter() : GROUP_SEARCH;
LDAPExtendedTemplate template = conf.getLdapTemplate();
GroupDetailsImpl groupDetails = (GroupDetailsImpl)template.searchForFirstEntry(searchBase, searchFilter,
new Object[]{groupname}, new String[]{}, new GroupDetailsMapper());
if (groupDetails != null) {
if (fetchMembers) {
Set<String> members = conf.getGroupMembershipStrategy().getGroupMembers(groupDetails.getDn(), conf);
groupDetails = new GroupDetailsImpl(groupDetails.getDn(), groupDetails.getName(), members);
}
return groupDetails;
}
// Make sure we don't throw BadCredentialsException. Catch logic matches LDAPUserDetailsService#loadUserByUsername.
} catch (DataAccessException e) {
throwUnlessConfigIsIgnorable(e, conf);
} catch (RuntimeException e) {
throwUnlessConfigIsIgnorable(new LdapDataAccessException("Failed to search LDAP for group: " + groupname, e), conf);
}
}
return groups;
throw new UsernameNotFoundException(groupname);
}

private static String fixGroupname(String groupname) {
Expand Down Expand Up @@ -921,15 +937,42 @@ private static <T extends Exception> void throwUnlessConfigIsIgnorable(T e, @Che

private static class GroupDetailsImpl extends GroupDetails {

private String name;
private final String dn;
private final String name;
private final Set<String> members;

public GroupDetailsImpl(String dn, String name) {
this(dn, name, null);
}

public GroupDetailsImpl(String name) {
public GroupDetailsImpl(String dn, String name, Set<String> members) {
this.dn = dn;
this.name = name;
this.members = members;
}

public String getDn() {
return dn;
}

@Override
public String getName() {
return name;
}

@Override
public Set<String> getMembers() {
return members;
}
}

private static class GroupDetailsMapper implements LdapEntryMapper {
@Override
public GroupDetailsImpl mapAttributes(String dn, Attributes attributes) throws NamingException {
LdapName name = new LdapName(dn);
String groupName = fixGroupname(String.valueOf(name.getRdn(name.size() - 1).getValue()));
return new GroupDetailsImpl(dn, groupName);
}
}

private class LDAPAuthenticationManager implements AuthenticationManager {
Expand Down
Expand Up @@ -25,18 +25,31 @@

import hudson.Extension;
import hudson.security.LDAPSecurityRealm;
import java.util.Collections;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapName;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.ldap.LdapEntryMapper;
import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.springframework.dao.DataAccessException;

/**
* Traditional strategy.
* @since 1.10
*/
public class FromGroupSearchLDAPGroupMembershipStrategy extends LDAPGroupMembershipStrategy {

private static final Logger LOGGER = Logger.getLogger(FromGroupSearchLDAPGroupMembershipStrategy.class.getName());
/**
* The search filter to apply to groups. Only those groups matching this criteria will be considered as groups
* that the user belongs to.
Expand Down Expand Up @@ -68,6 +81,13 @@ public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
return getAuthoritiesPopulator().getGrantedAuthorities(ldapUser);
}

@Override
public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) throws DataAccessException {
LDAPExtendedTemplate template = conf.getLdapTemplate();
String[] memberAttributes = { "member", "uniqueMember", "memberUid" };
return (Set<String>) template.retrieveEntry(groupDn, new GroupMembersMapper(), memberAttributes);
}

@Extension
public static class DescriptorImpl extends LDAPGroupMembershipStrategyDescriptor {

Expand All @@ -76,4 +96,41 @@ public String getDisplayName() {
return Messages.FromGroupSearchLDAPGroupMembershipStrategy_DisplayName();
}
}

/**
* Maps member attributes in groups to a set of member names.
*/
private static class GroupMembersMapper implements LdapEntryMapper {
@Override
public Set<String> mapAttributes(String dn, Attributes attributes) throws NamingException {
NamingEnumeration<?> enumeration;
boolean expectingUidInsteadOfDn = false;
if (attributes.get("member") != null) {
enumeration = attributes.get("member").getAll();
} else if (attributes.get("uniqueMember") != null) {
enumeration = attributes.get("uniqueMember").getAll();
} else if (attributes.get("memberUid") != null) {
enumeration = attributes.get("memberUid").getAll();
expectingUidInsteadOfDn = true;
} else {
LOGGER.log(Level.FINEST, "No members for {0}", dn);
return Collections.emptySet();
}
Set<String> members = new TreeSet<>();
while (enumeration.hasMore()) {
String memberDn = String.valueOf(enumeration.next());
if (expectingUidInsteadOfDn) {
members.add(memberDn);
} else {
try {
LdapName memberName = new LdapName(memberDn);
members.add(String.valueOf(memberName.getRdn(memberName.size() - 1).getValue()));
} catch (InvalidNameException e) {
LOGGER.log(Level.FINEST, "Expecting DN but found {0}", memberDn);
}
}
}
return members;
}
}
}
Expand Up @@ -28,9 +28,11 @@
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ldap.LdapEntryMapper;
import org.acegisecurity.userdetails.ldap.LdapUserDetails;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.DataBoundConstructor;
import org.springframework.dao.DataAccessException;

import javax.naming.InvalidNameException;
import javax.naming.NamingException;
Expand All @@ -39,6 +41,7 @@
import javax.naming.ldap.LdapName;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.LogRecord;
Expand All @@ -51,6 +54,7 @@
public class FromUserRecordLDAPGroupMembershipStrategy extends LDAPGroupMembershipStrategy {

private static final Logger LOGGER = Logger.getLogger(FromUserRecordLDAPGroupMembershipStrategy.class.getName());
private static final String USER_SEARCH_FILTER = "({0}={1})";
private final String attributeName;

@DataBoundConstructor
Expand Down Expand Up @@ -116,6 +120,26 @@ public GrantedAuthority[] getGrantedAuthorities(LdapUserDetails ldapUser) {
return result.toArray(new GrantedAuthority[result.size()]);
}

@Override
public Set<String> getGroupMembers(String groupDn, LDAPConfiguration conf) throws DataAccessException {
LDAPExtendedTemplate template = conf.getLdapTemplate();
String searchBase = conf.getUserSearchBase() != null ? conf.getUserSearchBase() : "";
String[] filterArgs = { getAttributeName(), groupDn };
return new HashSet<>((List<String>)template.searchForAllEntries(searchBase, USER_SEARCH_FILTER,
filterArgs, new String[]{}, new UserRecordMapper()));
}

/**
* Maps users records to names.
*/
private static class UserRecordMapper implements LdapEntryMapper {
@Override
public String mapAttributes(String dn, Attributes attributes) throws NamingException {
LdapName name = new LdapName(dn);
return String.valueOf(name.getRdn(name.size() - 1).getValue());
}
}

@Extension
public static class DescriptorImpl extends LDAPGroupMembershipStrategyDescriptor {

Expand Down
Expand Up @@ -141,7 +141,7 @@ public class LDAPConfiguration extends AbstractDescribableImpl<LDAPConfiguration
/**
* Set in {@link #createApplicationContext(LDAPSecurityRealm, boolean)}
*/
private transient LdapTemplate ldapTemplate;
private transient LDAPExtendedTemplate ldapTemplate;
private transient String id;

@DataBoundConstructor
Expand Down Expand Up @@ -600,7 +600,7 @@ public WebApplicationContext createApplicationContext(LDAPSecurityRealm realm, b
}
WebApplicationContext appContext = builder.createApplicationContext();

ldapTemplate = new LdapTemplate(SecurityRealm.findBean(InitialDirContextFactory.class, appContext));
ldapTemplate = new LDAPExtendedTemplate(SecurityRealm.findBean(InitialDirContextFactory.class, appContext));

if (groupMembershipStrategy != null) {
groupMembershipStrategy.setAuthoritiesPopulator(SecurityRealm.findBean(LdapAuthoritiesPopulator.class, appContext));
Expand All @@ -610,7 +610,7 @@ public WebApplicationContext createApplicationContext(LDAPSecurityRealm realm, b
}

@Restricted(NoExternalUse.class)
public LdapTemplate getLdapTemplate() {
public LDAPExtendedTemplate getLdapTemplate() {
return ldapTemplate;
}

Expand Down

0 comments on commit eea7336

Please sign in to comment.