LDAP uid case (in)sensitivity fix for LdapFilter plugin (#2949)

Vladimir Kotal · web-flow · commit 555fbbc81ac6 · 2019-10-14T14:15:53.000+02:00
fixes #2946
diff --git a/plugins/src/main/java/opengrok/auth/plugin/LdapFilterPlugin.java b/plugins/src/main/java/opengrok/auth/plugin/LdapFilterPlugin.java
@@ -25,18 +25,21 @@
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Set;
+import java.util.TreeMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.PatternSyntaxException;
 import javax.servlet.http.HttpServletRequest;
 import opengrok.auth.entity.LdapUser;
 import opengrok.auth.plugin.entity.User;
 import opengrok.auth.plugin.ldap.LdapException;
+import opengrok.auth.plugin.util.FilterUtil;
 import org.opengrok.indexer.authorization.AuthorizationException;
 import org.opengrok.indexer.configuration.Group;
 import org.opengrok.indexer.configuration.Project;
 
 import static opengrok.auth.plugin.util.FilterUtil.expandUserFilter;
+import static opengrok.auth.plugin.util.FilterUtil.replace;
 
 /**
  * Authorization plug-in to check if given user matches configured LDAP filter.
@@ -48,6 +51,7 @@ public class LdapFilterPlugin extends AbstractLdapPlugin {
     private static final Logger LOGGER = Logger.getLogger(LdapFilterPlugin.class.getName());
 
     protected static final String FILTER_PARAM = "filter";
+    protected static final String TRANSFORMS_PARAM = "transforms";
     private static final String SESSION_ALLOWED_PREFIX = "opengrok-filter-plugin-allowed";
     private static final String INSTANCE = "instance";
     private String sessionAllowed = SESSION_ALLOWED_PREFIX;
@@ -57,10 +61,13 @@ public class LdapFilterPlugin extends AbstractLdapPlugin {
      * <ul>
      * <li><code>filter</code> is LDAP filter used for searching (mandatory)</li>
      * <li><code>instance</code> is number of <code>LdapUserInstance</code> plugin to use (optional)</li>
+     * <li><code>transforms</code> are comma separated string transforms, where each transform is name:value pair,
+     * allowed values: <code>toLowerCase</code>, <code>toUpperCase</code></li>
      * </ul>
      */
     private String ldapFilter;
     private Integer ldapUserInstance;
+    private Map<String, String> transforms;
 
     public LdapFilterPlugin() {
         sessionAllowed += "-" + nextId++;
@@ -79,8 +86,23 @@ public void load(Map<String, Object> parameters) {
             ldapUserInstance = Integer.parseInt(instance);
         }
 
-        LOGGER.log(Level.FINE, "LdapFilter plugin loaded with filter={0}, instance={1}",
-                new Object[]{ldapFilter, ldapUserInstance});
+        String transformsString = (String) parameters.get(TRANSFORMS_PARAM);
+        if (transformsString != null) {
+            loadTransforms(transformsString);
+        }
+
+        LOGGER.log(Level.FINE, "LdapFilter plugin loaded with filter={0}, instance={1}, transforms={2}",
+                new Object[]{ldapFilter, ldapUserInstance, transforms});
+    }
+
+    void loadTransforms(String transformsString) throws NullPointerException {
+        transforms = new TreeMap<>();
+        String[] transformsArray = transformsString.split(",");
+        for (String elem: transformsArray) {
+            String[] tran = elem.split(":");
+            transforms.put(tran[0], tran[1]);
+        }
+        FilterUtil.checkTransforms(transforms);
     }
 
     @Override
@@ -133,14 +155,13 @@ public void fillSession(HttpServletRequest req, User user) {
      */
     String expandFilter(String filter, LdapUser ldapUser, User user) {
 
-        filter = expandUserFilter(user, filter);
+        filter = expandUserFilter(user, filter, transforms);
 
         for (Entry<String, Set<String>> entry : ldapUser.getAttributes().entrySet()) {
             if (entry.getValue().size() == 1) {
                 try {
-                    filter = filter.replaceAll(
-                            "(?<!\\\\)%" + entry.getKey() + "(?<!\\\\)%",
-                            entry.getValue().iterator().next());
+                    filter = replace(filter, entry.getKey(),
+                            entry.getValue().iterator().next(), transforms);
                 } catch (PatternSyntaxException ex) {
                     LOGGER.log(Level.WARNING, "The pattern for expanding is not valid", ex);
                 }
diff --git a/plugins/src/main/java/opengrok/auth/plugin/util/FilterUtil.java b/plugins/src/main/java/opengrok/auth/plugin/util/FilterUtil.java
@@ -25,12 +25,76 @@
 
 import opengrok.auth.plugin.entity.User;
 
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
 public class FilterUtil {
 
     private FilterUtil() {
         // utility class
     }
 
+    private static final String LOWER_CASE = "toLowerCase";
+    private static final String UPPER_CASE = "toUpperCase";
+
+    /**
+     * Verify the names of the transforms in the map.
+     * @param transforms map of attribute transforms. Valid values: <code>toLowerCase, toUpperCase</code>
+     * @throws UnsupportedOperationException in case of invalid transform name
+     */
+    public static void checkTransforms(Map<String, String> transforms) {
+        Set<String> possibleTransforms = new HashSet<>(Arrays.asList(LOWER_CASE, UPPER_CASE));
+        for (String transform : transforms.values()) {
+            if (!possibleTransforms.contains(transform)) {
+                throw new UnsupportedOperationException(String.format("invalid transform: %s", transform));
+            }
+        }
+    }
+
+    static String doTransform(String value, String transform) {
+        switch (transform) {
+            case LOWER_CASE:
+                return value.toLowerCase(Locale.ROOT);
+            case UPPER_CASE:
+                return value.toUpperCase(Locale.ROOT);
+            default:
+                throw new UnsupportedOperationException(String.format("transform '%s' is unsupported", transform));
+        }
+    }
+
+    /**
+     * Expand attributes in filter string.
+     * @param filter input string
+     * @param name attribute name
+     * @param value value to replace
+     * @param transforms map of transformations to be potentially applied on the value
+     * @return new value of the string
+     */
+    public static String replace(String filter, String name, String value, Map<String, String> transforms) {
+        if (transforms != null) {
+            String transform;
+            if ((transform = transforms.get(name)) != null) {
+                value = doTransform(value, transform);
+            }
+        }
+
+        return filter.replaceAll("(?<!\\\\)%" + name + "(?<!\\\\)%", value);
+    }
+
+    /**
+     * Replace attribute names with values in filter string.
+     * @param user User object
+     * @param filter filter string
+     * @return filter with the values replaced
+     * @see #expandUserFilter(User, String, Map)
+     */
+    public static String expandUserFilter(User user, String filter) {
+        return expandUserFilter(user, filter, null);
+    }
+
     /**
      * Expand {@code User} object attribute values into the filter.
      *
@@ -41,14 +105,16 @@ private FilterUtil() {
      * </ul>
      *
      * @param user User object from the request (created by {@code UserPlugin})
+     * @param filter filter
+     * @param transforms map of transforms
      * @return replaced result
      */
-    public static String expandUserFilter(User user, String filter) {
+    public static String expandUserFilter(User user, String filter, Map<String, String> transforms) {
         if (user.getUsername() != null) {
-            filter = filter.replaceAll("(?<!\\\\)%username(?<!\\\\)%", user.getUsername());
+            filter = replace(filter, "username", user.getUsername(), transforms);
         }
         if (user.getId() != null) {
-            filter = filter.replaceAll("(?<!\\\\)%guid(?<!\\\\)%", user.getId());
+            filter = replace(filter, "guid", user.getId(), transforms);
         }
 
         return filter;
diff --git a/plugins/src/test/java/opengrok/auth/plugin/LdapFilterPluginTest.java b/plugins/src/test/java/opengrok/auth/plugin/LdapFilterPluginTest.java
@@ -97,4 +97,14 @@ public void expandFilterTest2() {
         assertEquals("(objectclass=%%%%)",
                 plugin.expandFilter("(objectclass=\\%%\\%\\%)", ldapUser, user));
     }
+
+    @Test
+    public void testLoadTransforms() {
+        plugin.loadTransforms("foo:toUpperCase,bar:toLowerCase");
+    }
+
+    @Test(expected = UnsupportedOperationException.class)
+    public void testLoadTransformsNegative() {
+        plugin.loadTransforms("foo:toUpperCase,ugly:nice");
+    }
 }
diff --git a/plugins/src/test/java/opengrok/auth/plugin/util/FilterUtilTest.java b/plugins/src/test/java/opengrok/auth/plugin/util/FilterUtilTest.java
@@ -0,0 +1,69 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * See LICENSE.txt included in this distribution for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at LICENSE.txt.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+ */
+
+package opengrok.auth.plugin.util;
+
+import org.junit.Test;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Map;
+import java.util.TreeMap;
+
+import static opengrok.auth.plugin.util.FilterUtil.doTransform;
+import static org.junit.Assert.assertEquals;
+
+public class FilterUtilTest {
+    @Test
+    public void testTransforms() {
+        assertEquals("FOO", doTransform("foo", "toUpperCase"));
+        assertEquals("foo", doTransform("FOO", "toLowerCase"));
+    }
+
+    @Test
+    public void testTransformsUTF() throws UnsupportedEncodingException {
+        assertEquals(new String("ČUČKAŘ".getBytes("UTF-8"), "UTF-8"),
+                doTransform(new String("čučkař".getBytes("UTF-8"), "UTF-8"), "toUpperCase"));
+        assertEquals(new String("čučkař".getBytes("UTF-8"), "UTF-8"),
+                doTransform(new String("ČUČKAŘ".getBytes("UTF-8"), "UTF-8"), "toLowerCase"));
+    }
+
+    @Test(expected = UnsupportedOperationException.class)
+    public void testInvalidTransform() {
+        doTransform("foo", "bar");
+    }
+
+    @Test
+    public void testReplace() {
+        Map<String, String> transforms = new TreeMap<>();
+        transforms.put("uid", "toUpperCase");
+        assertEquals("fooUSERbar",
+                FilterUtil.replace("foo%uid%bar", "uid", "user", transforms));
+    }
+
+    @Test(expected = UnsupportedOperationException.class)
+    public void testCheckTransforms() {
+        Map<String, String> transforms = new TreeMap<>();
+        transforms.put("uid", "xxx");
+        FilterUtil.checkTransforms(transforms);
+    }
+}
