• Search by APIs
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• aws-iam-ldap-bridge-master
  • src
    • com
      • denismo
        • aws
          • iam
            • IAMDualValidator.java
            • _IAMPasswordValidator.java
            • IAMSecretKeyValidator.java
            • IAMAccountPasswordValidator.java
            • LDAPIAMPoller.java
        • apacheds
          • Runner.java
          • auth
            • AWSIAMAuthenticator.java
          • ApacheDSUtils.java
  • build.xml
  • build
  • version
  • dist
    • apacheds
      • instances
      • LICENSE
      • lib
      • iam.ldif
      • bin
        • cpappend.bat
        • apacheds.sh
        • apacheds.bat
      • NOTICE
  • LICENSE
  • .gitattributes
  • ivy.xml
  • README.md
  • scripts
    • release.sh
    • install.sh
    • packer_ami.json
  • BUILD.md
  • ivysettings.xml
  • .gitignore
  • INSTALL.md

/*
 * Copyright (c) 2014 Denis Mikhalkin.
 *
 * This software is provided to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.  You may obtain a copy of the
 * License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package com.denismo.aws.iam;

import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.SystemDefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.nio.charset.Charset;
import java.util.*;

/**
 * User: Denis Mikhalkin
 * Date: 27/11/2014
 * Time: 6:48 PM
 */
public class IAMAccountPasswordValidator implements _IAMPasswordValidator {
    private static final Logger LOG = LoggerFactory.getLogger(IAMAccountPasswordValidator.class);
    @Override
    public boolean verifyIAMPassword(Entry user, String pw) throws LdapInvalidAttributeValueException, LdapAuthenticationException {
        try {
            LOG.debug("Verifying {} {} with accessKey <hidden> and secretKey <hidden>",
                    "user", user.get("uid").getString());
            HttpClient client = new SystemDefaultHttpClient();
            HttpPost post = new HttpPost("https://signin.aws.amazon.com/oauth");
            post.setHeader("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36");
            post.setHeader("Referer", "https://signin.aws.amazon.com/oauth");
            List<NameValuePair> urlParameters = new ArrayList<NameValuePair>();
            urlParameters.add(new BasicNameValuePair("client_id", "arn:aws:iam::015428540659:user/homepage"));
            urlParameters.add(new BasicNameValuePair("isIAMUser", "1"));
            urlParameters.add(new BasicNameValuePair("account", user.get("accountNumber").getString()));
            urlParameters.add(new BasicNameValuePair("username", user.get("uid").getString()));
            urlParameters.add(new BasicNameValuePair("password", pw));
            urlParameters.add(new BasicNameValuePair("Action", "login"));
            urlParameters.add(new BasicNameValuePair("redirect_uri", "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true"));
            urlParameters.add(new BasicNameValuePair("forceMobileApp", ""));
            urlParameters.add(new BasicNameValuePair("forceMobileLayout", ""));
            urlParameters.add(new BasicNameValuePair("mfaLoginFailure", ""));
            urlParameters.add(new BasicNameValuePair("RemainingExpiryPeriod", ""));
            urlParameters.add(new BasicNameValuePair("mfacode", ""));
            urlParameters.add(new BasicNameValuePair("next_mfacode", ""));
            post.setEntity(new UrlEncodedFormEntity(urlParameters, Charset.forName("UTF-8")));

            HttpResponse response = client.execute(post);
            return containsHeaders(response, "aws-account-alias", "aws-creds");
        } catch (IOException e) {
            LOG.error("Exception validating password for " + user.get("uid").getString(), e);
            return false;
        } catch (RuntimeException t) {
            LOG.error("Exception validating password for " + user.get("uid").getString(), t);
            throw t;
        }
    }

    private boolean containsHeaders(HttpResponse response, String... headers) {
        Header[] headerList = response.getHeaders("Set-Cookie");
        Set<String> lookup = new HashSet<String>(Arrays.asList(headers));
        for (Header header : headerList) {
            String value = header.getValue();
            if (!value.contains("=")) continue;
            String[] parts = value.split("=");
            if (parts.length < 2) continue;
            lookup.remove(parts[0]);
        }
        return lookup.isEmpty();
    }
}