change LdapUserPlugin user lookup to avoid using full username dn,

rather extract just common name and match using filter with objectclass.

Author: Vladimir Kotal

plugins/LdapPlugin/src/opengrok/auth/plugin/AbstractLdapPlugin.java

@@ -60,7 +60,7 @@ abstract public class AbstractLdapPlugin implements IAuthorizationPlugin {
      */
     public static long nextId = 1;
 
-    private static final String CONFIGURATION_PARAM = "configuration";
+    protected static final String CONFIGURATION_PARAM = "configuration";
     protected static final String FAKE_PARAM = "fake";
 
     protected String SESSION_USERNAME = "opengrok-group-plugin-username";

plugins/LdapPlugin/src/opengrok/auth/plugin/LdapUserPlugin.java

@@ -24,6 +24,10 @@
 
 import java.util.Map;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
 import opengrok.auth.entity.LdapUser;
 import opengrok.auth.plugin.entity.User;
@@ -37,8 +41,46 @@
  */
 public class LdapUserPlugin extends AbstractLdapPlugin {
 
+    private static final Logger LOGGER = Logger.getLogger(LdapUserPlugin.class.getName());
+    
     public static final String SESSION_ATTR = "opengrok-ldap-plugin-user";
+    protected static final String OBJECT_CLASS = "objectclass";
+    
+    private String objectClass;
 
+    private boolean isAlphanumeric(String str) {
+        for (int i = 0; i < str.length(); i++) {
+            char c = str.charAt(i);
+            if (!Character.isDigit(c) && !Character.isLetter(c)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+    
+    private Pattern usernameCnPattern = null;
+    
+    @Override
+    public void load(Map<String, Object> parameters) {
+        super.load(parameters);
+
+        if ((objectClass = (String) parameters.get(OBJECT_CLASS)) == null) {
+            throw new NullPointerException("Missing param [" + OBJECT_CLASS +
+                    "] in the setup");
+        }
+
+        if (!isAlphanumeric(objectClass)) {
+            throw new NullPointerException("object class '" + objectClass +
+                    "' contains non-alphanumeric characters");
+        }
+    
+        usernameCnPattern = Pattern.compile("(cn=[a-zA-Z_]+)");
+        
+        LOGGER.log(Level.FINE, "LdapUser plugin loaded with objectclass={0}",
+                objectClass);
+    }
+    
     /**
      * Check if the session exists and contains all necessary fields required by
      * this plug-in.
@@ -52,26 +94,59 @@ protected boolean sessionExists(HttpServletRequest req) {
                 && req.getSession().getAttribute(SESSION_ATTR) != null;
     }
 
+    protected String getFilter(User user) {
+        String filter = null;
+        String commonName;
+
+        Matcher matcher = usernameCnPattern.matcher(user.getUsername());
+        if (matcher.find()) {
+            commonName = matcher.group(1);
+            LOGGER.log(Level.FINEST, "extracted common name {0} from {1}",
+                new Object[]{commonName, user.getUsername()});
+        } else {
+            LOGGER.log(Level.WARNING, "cannot get common name out of {0}",
+                    user.getUsername());
+            return filter;
+        }
+        
+        filter = "(&(objectclass=" + this.objectClass + ")(" + commonName + "))";
+        
+        return filter;
+    }
+    
     @Override
     public void fillSession(HttpServletRequest req, User user) {
         Map<String, Set<String>> records;
+        
         updateSession(req, null);
 
         if (getLdapProvider() == null) {
             return;
         }
 
-        if ((records = getLdapProvider().lookupLdapContent(user, new String[]{"uid", "mail", "ou"})) == null) {
+        String filter = getFilter(user);
+        if ((records = getLdapProvider().lookupLdapContent(null, filter,
+                new String[]{"uid", "mail", "ou"})) == null) {
+            LOGGER.log(Level.FINER, "failed to get LDAP contents for user '{0}' with filter '{1}'",
+                    new Object[]{user, filter});
+            return;
+        }
+
+        if (records.isEmpty()) {
+            LOGGER.log(Level.FINER, "LDAP records for user {0} are empty",
+                    user);
             return;
         }
 
-        if (records.isEmpty()
-                || !records.containsKey("uid")
-                || !records.containsKey("mail")) {
+        if (!records.containsKey("uid") || records.get("uid").isEmpty()) {
+            LOGGER.log(Level.FINER, "uid record for user {0} is not present or empty",
+                    user);
             return;
         }
 
-        if (records.get("uid").isEmpty() || records.get("mail").isEmpty()) {
+        if (!records.containsKey("mail") || records.get("mail").isEmpty()) {
+            LOGGER.log(Level.FINER, "mail record for user {0} is not present or empty",
+                    user);
             return;
         }
 

plugins/LdapPlugin/src/opengrok/auth/plugin/ldap/LdapFacade.java

@@ -48,7 +48,7 @@ public class LdapFacade extends AbstractLdapProvider {
     private static final Logger LOGGER = Logger.getLogger(LdapFacade.class.getName());
 
     /**
-     * LDAP filter.
+     * default LDAP filter
      */
     private static final String LDAP_FILTER = "objectclass=*";
 
@@ -237,11 +237,9 @@ public boolean isConfigured() {
     /**
      * Lookups the authorization values {
      *
-     *
-     *
-     * @param user the osso headers
-     * @param filter LDAP filter to use
-     * @param values match these LDAP value
+     * @param user user information. If @{code null} then search base will be used.
+     * @param filter LDAP filter to use. If @{code null} then @{link LDAP_FILTER} will be used.
+     * @param values match these LDAP values
      *
      * @return set of strings describing the user's attributes
      * @see #LDAP_VALUES
@@ -289,7 +287,7 @@ private <T> T lookup(String dn, String filter, String[] attributes, AttributeMap
      * @param mapper mapper class implementing @code{AttributeMapper} closed
      * @param fail current count of failures
      *
-     * @return results transformed with mapper
+     * @return results transformed with mapper or {@code null} on failure
      */
     private <T> T lookup(String dn, String filter, String[] attributes, AttributeMapper<T> mapper, int fail) {
 

plugins/LdapPlugin/test/opengrok/auth/plugin/LdapUserPluginTest.java

@@ -0,0 +1,97 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * See LICENSE.txt included in this distribution for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at LICENSE.txt.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ */
+package opengrok.auth.plugin;
+
+import java.util.Map;
+import java.util.TreeMap;
+import opengrok.auth.plugin.entity.User;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ *
+ * @author Vladimir Kotal
+ */
+public class LdapUserPluginTest {
+    private LdapUserPlugin plugin;
+
+    @Before
+    public void setUp() {
+        plugin = new LdapUserPlugin();
+    }
+
+    private Map<String, Object> getParamsMap() {
+        Map<String, Object> params = new TreeMap<>();
+        params.put(AbstractLdapPlugin.CONFIGURATION_PARAM,
+                getClass().getResource("config.xml").getFile());
+        
+        return params;
+    }
+    
+    @Test
+    public void loadTestNegative1() {
+        Map<String, Object> params = getParamsMap();
+        params.put("foo", (Object)"bar");
+        try {
+            plugin.load(params);
+            Assert.fail("should have caused exception");
+        } catch (NullPointerException e) {
+        }
+    }
+    
+    @Test
+    public void loadTestNegative2() {
+        Map<String, Object> params = getParamsMap();
+        params.put(LdapUserPlugin.OBJECT_CLASS, (Object)"#$@");
+        try {
+            plugin.load(params);
+            Assert.fail("should have caused exception");
+        } catch (NullPointerException e) {
+        }
+    }
+    
+    @Test
+    public void loadTestPostitive() {
+        Map<String, Object> params = getParamsMap();
+        params.put(LdapUserPlugin.OBJECT_CLASS, (Object)"posixUser");
+        try {
+            plugin.load(params);
+        } catch (NullPointerException e) {
+            Assert.fail("should not cause exception");
+        }
+    }
+    
+    @Test
+    public void getFilterTest1() {
+        Map<String, Object> params = getParamsMap();
+        String cl = "posixUser";
+        params.put(LdapUserPlugin.OBJECT_CLASS, (Object) cl);
+        plugin.load(params);
+        String cn = "cn=foo";
+        User user = new User(cn + ",l=EMEA,dc=foobar,dc=com", "id", null, false);
+        String filter = plugin.getFilter(user);
+        Assert.assertEquals("(&(" + LdapUserPlugin.OBJECT_CLASS + "=" + cl + ")(" + cn + "))",
+                filter);
+    }
+}

plugins/LdapPlugin/test/opengrok/auth/plugin/config.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<java version="1.8.0_65" class="java.beans.XMLDecoder">
+	<object class="opengrok.auth.plugin.configuration.Configuration">
+                <void property="interval">
+                        <int>100</int>
+                </void>
+                <void property="searchBase">
+                        <string>dc=foobar,dc=com</string>
+                </void>
+		<void property="servers">
+			<void method="add">
+				<object class="opengrok.auth.plugin.ldap.LdapServer">
+					<void property="name">
+						<string>ldap://ldap.foobar.com</string>
+					</void>
+					<void property="timeout">
+						<int>10</int>
+					</void>
+				</object>
+			</void>
+		</void>
+	</object>
+</java>

plugins/README.md

@@ -91,6 +91,12 @@ indexer via the -R option.
                     <string>REQUISITE</string>
                 </void>
             </object>
+	    <void property="setup">
+                <void method="put">
+                    <string>objectclass</string>
+                    <string>posixAccount</string>
+                </void>
+            </void>
         </void>
 
         <!-- Authorization stacks follow -->
@@ -116,7 +122,7 @@ indexer via the -R option.
                 <void method="add">
                     <object class="org.opensolaris.opengrok.authorization.AuthorizationPlugin">
                         <void property="name">
-                            <string>opengrok.auth.plugin.LdapAttr</string>
+                            <string>opengrok.auth.plugin.LdapAttrPlugin</string>
                         </void>
                         <void property="flag">
                             <string>SUFFICIENT</string>
@@ -136,7 +142,7 @@ indexer via the -R option.
                 <void method="add">
                     <object class="org.opensolaris.opengrok.authorization.AuthorizationPlugin">
                         <void property="name">
-                            <string>opengrok.auth.plugin.LdapFilter</string>
+                            <string>opengrok.auth.plugin.LdapFilterPlugin</string>
                         </void>
                         <void property="flag">
                             <string>REQUIRED</string>