java source code of LdapAuthenticator

keywhiz-master
- CONTRIBUTORS
- BUG-BOUNTY.md
- checkstyle.xml
- pom.xml
- client
  - src
    - main
      - java
        keywhiz
        client
        KeywhizClient.java
  - pom.xml
- LICENSE
- api
  - src
    - main
      - java
        keywhiz
        api
        AutomationSecretResponse.java
        SecretDetailResponse.java
        CreateSecretRequest.java
        LoginRequest.java
        validation
        ValidBase64Validator.java
        ValidBase64.java
        ValidX500Name.java
        ValidX500NameValidator.java
        model
        Client.java
        AutomationClient.java
        Secret.java
        SecretSeries.java
        SanitizedSecretWithGroupsListAndCursor.java
        SecretRetrievalCursor.java
        SanitizedSecret.java
        SecretSeriesAndContent.java
        SecretContent.java
        SanitizedSecretWithGroups.java
        Group.java
        ApiDate.java
        SecretsResponse.java
        CreateGroupRequest.java
        automation
        v2
        CreateClientRequestV2.java
        SecretDetailResponseV2.java
        PartialUpdateSecretRequestV2.java
        ModifyClientRequestV2.java
        SecretContentsResponseV2.java
        CreateGroupRequestV2.java
        GroupDetailResponseV2.java
        SetSecretVersionRequestV2.java
        ClientDetailResponseV2.java
        CreateOrUpdateSecretRequestV2.java
        CreateSecretRequestV2.java
        ModifyGroupsRequestV2.java
        SecretContentsRequestV2.java
        CreateClientRequest.java
        GroupDetailResponse.java
        ClientDetailResponse.java
        SecretDeliveryResponse.java
    - test
      - resources
        fixtures
        secretDeliveryResponseWithVersion.json
        groupDetailResponse.json
        secretDetailResponse.json
        createSecretRequest.json
        clientDetailResponse_NullLastSeen.json
        sanitizedSecretWithGroupsListAndCursor.json
        secretDeliveryResponse.json
        v2
        groupDetailResponse.json
        secretDetailResponse.json
        createSecretRequest.json
        secretContentsRequest.json
        clientDetailResponse.json
        createGroupRequest.json
        modifyClientRequest.json
        secretContentsResponse.json
        clientDetailResponse_LastSeenNull.json
        createClientRequest.json
        modifyGroupsRequest.json
        secretsResponse.json
        clientDetailResponse.json
        automationSecretResponse.json
        createGroupRequest.json
        loginRequest.json
        client.json
        sanitizedSecret.json
        sanitizedSecretWithGroups.json
        createClientRequest.json
        group.json
        automationSecretResponseWithMetadata.json
        secretDeliveryResponseWithMetadata.json
      - java
        keywhiz
        api
        LoginRequestTest.java
        SecretDeliveryResponseTest.java
        SecretDetailResponseTest.java
        ClientDetailResponseTest.java
        CreateGroupRequestTest.java
        CreateSecretRequestTest.java
        validation
        ValidBase64ValidatorTest.java
        ValidX500NameValidatorTest.java
        model
        SanitizedSecretTest.java
        ClientTest.java
        SanitizedSecretWithGroupsTest.java
        SecretTest.java
        SecretRetrievalCursorTest.java
        SanitizedSecretWithGroupsListAndCursorTest.java
        GroupTest.java
        GroupDetailResponseTest.java
        AutomationSecretResponseTest.java
        automation
        v2
        ModifyGroupsRequestV2Test.java
        CreateClientRequestV2Test.java
        SecretContentsRequestV2Test.java
        SecretDetailResponseV2Test.java
        GroupDetailResponseV2Test.java
        ClientDetailResponseV2Test.java
        SecretContentsResponseV2Test.java
        CreateSecretRequestV2Test.java
        CreateGroupRequestV2Test.java
        ModifyClientRequestV2Test.java
        CreateClientRequestTest.java
        SecretsResponseTest.java
  - pom.xml
- cli
  - src
    - main
      - resources
        logback.xml
        dev_and_test_truststore.p12
      - java
        keywhiz
        cli
        CliModule.java
        CommandExecutor.java
        commands
        AssignAction.java
        DescribeAction.java
        ListAction.java
        ListVersionsAction.java
        AddAction.java
        UnassignAction.java
        RollbackAction.java
        UpdateAction.java
        DeleteAction.java
        Printing.java
        Utilities.java
        DevTrustStore.java
        ClientUtils.java
        configs
        ListVersionsActionConfig.java
        DescribeActionConfig.java
        LoginActionConfig.java
        UnassignActionConfig.java
        DeleteActionConfig.java
        UpdateActionConfig.java
        AddActionConfig.java
        RollbackActionConfig.java
        AddOrUpdateActionConfig.java
        CliConfiguration.java
        AssignActionConfig.java
        ListActionConfig.java
        CliMain.java
        JsonCookie.java
    - test
      - resources
        logback-test.xml
        fixtures
        cookies.json
        cookie_valid.json
        cookie_with_version.json
      - java
        keywhiz
        client
        ClientUtilsTest.java
        cli
        UtilitiesTest.java
        commands
        UnassignActionTest.java
        RollbackActionTest.java
        ListActionTest.java
        DeleteActionTest.java
        ListVersionsActionTest.java
        AddActionTest.java
        UpdateActionTest.java
        DescribeActionTest.java
        AssignActionTest.java
        JsonCookieTest.java
  - pom.xml
- log
  - src
    - main
      - java
        keywhiz
        log
        Event.java
        AuditLog.java
        SimpleLogger.java
        EventTag.java
  - pom.xml
- update-javadocs.sh
- CONTRIBUTING.md
- CHANGELOG.md
- docker
  - wizard.sh
  - keywhiz-config.tpl
  - entry.sh
- .travis.yml
- README.md
- server
  - src
    - main
      - resources
        keywhiz-development.yaml
        ca.crt
        dev_and_test.crl
        db
        mysql
        migration
        V10__add_row_hmacs.sql
        V5__add_index_current_to_secrets.sql
        V1__create_tables.sql
        V1.5__alter_groups_to_add_metadata.sql
        V1.2__alter_secret_content_to_remove_version.sql
        V6__drop_unique_constraint_on_secret_name.sql
        V12__make_spiffe_id_unique.sql
        V7__add_client_expiration_column.sql
        V4__alter_secret_content_to_add_hmac.sql
        V1.3__alter_secrets_to_add_current.sql
        V1.4__add_indexes.sql
        V8__add_memberships_group_index.sql
        V1.7__alter_clients_to_add_last_seen.sql
        V1.1__alter_secret_content_to_add_expiry.sql
        V1.6__add_accessgrants_index.sql
        V9__add_unique_constraint_on_secret_name.sql
        V11__add_spiffe_id_to_clients.sql
        dev_and_test_cookiekey.base64
        dev_and_test_keystore.p12
        dev_and_test_truststore.p12
        derivation.jceks
      - java
        keywhiz
        ManualStatusServlet.java
        utility
        DSLContexts.java
        commands
        PreviewMigrateCommand.java
        AddUserCommand.java
        DropDeletedSecretsCommand.java
        DbSeedCommand.java
        MigrateCommand.java
        GenerateAesKeyCommand.java
        KeywhizService.java
        service
        providers
        ClientAuthenticator.java
        ClientAuthFactory.java
        AuthResolver.java
        UserAuthFactory.java
        XfccHeader.java
        AutomationClientAuthFactory.java
        crypto
        CryptoModule.java
        ContentEncodingException.java
        ContentCryptographer.java
        SecretTransformer.java
        RowHmacGenerator.java
        resources
        SecretsDeliveryResource.java
        admin
        SecretsResource.java
        SessionLogoutResource.java
        MembershipResource.java
        ClientsResource.java
        SessionLoginResource.java
        GroupsResource.java
        SessionMeResource.java
        StatusResource.java
        SecretDeliveryResource.java
        automation
        AutomationEnrollClientGroupResource.java
        AutomationSecretResource.java
        AutomationGroupResource.java
        v2
        BackupResource.java
        GroupResource.java
        BackfillRowHmacResource.java
        ClientResource.java
        SecretResource.java
        ExpirationExtractor.java
        AutomationSecretAccessResource.java
        AutomationClientResource.java
        config
        ClientAuthConfig.java
        TemplatedHttpsConnectorFactory.java
        ClientAuthTypeConfig.java
        Readonly.java
        KeyStoreConfig.java
        ResourcesHttpsConnectorFactory.java
        Templates.java
        XfccSourceConfig.java
        filters
        SecurityHeadersFilter.java
        CookieRenewingFilter.java
        daos
        GroupMapper.java
        SecretSeriesMapper.java
        GroupDAO.java
        ClientMapper.java
        AclDAO.java
        SecretSeriesDAO.java
        SecretContentDAO.java
        SecretController.java
        SecretContentMapper.java
        SecretDAO.java
        ClientDAO.java
        DAOFactory.java
        UserDAO.java
        exceptions
        UnprocessableEntityException.java
        ConflictException.java
        ServiceModule.java
        ManualStatusHealthCheck.java
        auth
        mutualssl
        CertificatePrincipal.java
        SimplePrincipal.java
        ClientCertificateFilter.java
        CertificateSecurityContext.java
        Subtles.java
        ldap
        LdapConnectionFactory.java
        LdapAuthenticator.java
        EndpointIdentificationSocketFactory.java
        LdapAuthenticatorFactory.java
        LdapLookupConfig.java
        BouncyCastle.java
        cookie
        CookieModule.java
        UserCookieData.java
        CookieConfig.java
        SessionCookie.java
        CookieAuthenticator.java
        GCMEncryptor.java
        AuthenticatedEncryptedCookieFactory.java
        UserAuthenticatorFactory.java
        bcrypt
        BcryptAuthenticatorFactory.java
        BcryptAuthenticator.java
        User.java
        KeywhizConfig.java
        JooqHealthCheck.java
      - scripts
        preview-migrate
        migrate
    - test
      - resources
        CA
        cacert.key
        cacert.crt
        fixtures
        expiring-keystore.jceks
        expiring-certificates.crt
        expiring-pubring.gpg
        keywhiz-ldap-lookup-test.yaml
        expiring-keystore.p12
        keywhiz-test.yaml
        clients
        client.p12
        noSecretsClient.p12
        certificates
        validCert.crt
        truncated.crt
        CNWithSpace.crt
      - java
        keywhiz
        FakeRandom.java
        JooqHealthCheckTest.java
        TestClients.java
        commands
        DropDeletedSecretsCommandTest.java
        GenerateAesKeyCommandTest.java
        AuthHelper.java
        KeywhizTestRunner.java
        MigrationsRule.java
        service
        providers
        AutomationClientAuthFactoryTest.java
        XfccHeaderTest.java
        UserAuthFactoryTest.java
        ClientAuthFactoryTest.java
        ClientAuthenticatorTest.java
        crypto
        CryptoFixtures.java
        ContentCryptographerTest.java
        resources
        StatusResourceTest.java
        StatusResourceIntegrationTest.java
        SecretDeliveryResourceIntegrationTest.java
        admin
        SessionLogoutResourceTest.java
        GroupsResourceTest.java
        GroupsResourceIntegrationTest.java
        SessionLoginResourceTest.java
        SessionLoginResourceIntegrationTest.java
        SecretsResourceTest.java
        SessionMeResourceTest.java
        SecretsResourceIntegrationTest.java
        SessionLogoutResourceIntegrationTest.java
        ClientsResourceIntegrationTest.java
        MembershipResourceTest.java
        ClientsResourceTest.java
        MembershipResourceIntegrationTest.java
        SessionMeResourceIntegrationTest.java
        SecretDeliveryResourceTest.java
        SecretsDeliveryResourceIntegrationTest.java
        SecretsDeliveryResourceTest.java
        automation
        AutomationSecretResourceTest.java
        AutomationClientResourceTest.java
        v2
        SecretResourceTest.java
        ClientResourceTest.java
        GroupResourceTest.java
        BackupResourceTest.java
        AutomationClientResourceIntegrationTest.java
        AutomationGroupResourceIntegrationTest.java
        AutomationSecretAccessResourceIntegrationTest.java
        AutomationEnrollClientGroupResourceIntegrationTest.java
        AutomationSecretResourceIntegrationTest.java
        AutomationGroupResourceTest.java
        config
        TemplatesTest.java
        filters
        CookieRenewingFilterTest.java
        SecurityHeadersFilterTest.java
        daos
        ClientDAOTest.java
        SecretDAOTest.java
        SecretControllerTest.java
        UserDAOTest.java
        AclDAOTest.java
        SecretContentDAOTest.java
        GroupDAOTest.java
        SecretFixtures.java
        SecretSeriesDAOTest.java
        IntegrationTestRule.java
        auth
        ldap
        LdapAuthenticatorTest.java
        SubtlesTest.java
        cookie
        GCMEncryptorTest.java
        AuthenticatedEncryptedCookieFactoryTest.java
        LdapLookupConfigTest.java
        bcrypt
        BcryptAuthenticatorTest.java
        model
        TinyIntConverterTest.java
        TimestampConverterTest.java
  - pom.xml
  - README.md
  - tools
    - integration_tests_spec.rb
    - integration-tests.rb
  - .gitignore
- model
  - src
    - main
      - java
        keywhiz
        model
        LongConverter.java
        TimestampConverter.java
        TinyIntConverter.java
  - pom.xml
- Dockerfile
- .gitignore
- docs
  - slides
    - 04_pki.svg
    - 02_admin_authentication_1.svg
    - 01_what_is_keywhiz_2.svg
    - 05_get_secret_2.svg
    - 01_what_is_keywhiz_1.svg
    - 01_what_is_keywhiz_3.svg
    - 05_get_secret_1.svg
    - next.svg
    - slides.js
    - 05_get_secret_3.svg
    - prev.svg
    - 03_admin_add_secret_2.svg
    - 03_admin_add_secret_3.svg
    - 02_admin_authentication_2.svg
    - 03_admin_add_secret_1.svg
    - 05_get_secret_4.svg
  - presentation.html
  - index.html
  - static
    - html5shiv.min.js
    - bootstrap.min.js
    - app-theme.css
    - bootstrap-combined.min.css
    - jquery.smooth-scroll.min.js
    - app.css
    - jquery-maven-artifact.min.js
    - prettify.js
- findbugs-exclude.xml
- testing
  - src
    - main
      - java
        keywhiz
        testing
        HttpClients.java
        JsonHelpers.java
  - pom.xml
- hkdf
  - src
    - main
      - java
        keywhiz
        hkdf
        Hash.java
        Hkdf.java
    - test
      - java
        keywhiz
        hkdf
        HashTest.java
        HkdfTest.java
        HkdfRfcVectorsTest.java
  - pom.xml

/*
 * Copyright (C) 2015 Square, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package keywhiz.auth.ldap;

import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.Sets;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import io.dropwizard.auth.Authenticator;
import io.dropwizard.auth.basic.BasicCredentials;
import java.security.GeneralSecurityException;
import java.util.Optional;
import java.util.Set;
import javax.ws.rs.ForbiddenException;
import keywhiz.auth.User;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LdapAuthenticator implements Authenticator<BasicCredentials, User> {
  private static final Logger logger = LoggerFactory.getLogger(LdapAuthenticator.class);

  private final LdapConnectionFactory connectionFactory;
  private final LdapLookupConfig config;

  public LdapAuthenticator(LdapConnectionFactory connectionFactory, LdapLookupConfig config) {
    this.connectionFactory = connectionFactory;
    this.config = config;
  }

  @Override
  public Optional<User> authenticate(BasicCredentials credentials) {
    User user = null;

    try {
      String username = credentials.getUsername();
      if (!User.isSanitizedUsername(username)) {
        logger.info("Username: {} must match pattern: {}", username, User.USERNAME_PATTERN);
        return Optional.empty();
      }

      String userDN = dnFromUsername(username);
      String password = credentials.getPassword();

      // Must have password for current config
      if (Strings.isNullOrEmpty(password)) {
        logger.info("No password for user provided");
        return Optional.empty();
      }

      LDAPConnection authenticatedConnection = connectionFactory.getLDAPConnection(userDN, password);
      authenticatedConnection.close();

      Set<String> requiredRoles = config.getRequiredRoles();
      if (!requiredRoles.isEmpty()) {
        Set<String> roles = rolesFromDN(userDN);

        boolean accessAllowed = false;
        for (String requiredRole : requiredRoles) {
          if (roles.contains(requiredRole)) {
            accessAllowed = true;
          }
        }

        if (!accessAllowed) {
          logger.warn("User {} not in one of required LDAP roles: [{}].", username, requiredRoles);
          throw new ForbiddenException();
        }
      }

      user = User.named(username);
    } catch (LDAPException le) {
      // The INVALID_CREDENTIALS case is handled by returning an absent optional from this function
      if (le.getResultCode() != ResultCode.INVALID_CREDENTIALS) {
        logger.error("Error connecting to LDAP", le);
        throw Throwables.propagate(le);
      }
    } catch (GeneralSecurityException gse) {
        logger.error("TLS error connecting to LDAP", gse);
        throw Throwables.propagate(gse);
    }

    return Optional.ofNullable(user);
  }

  private String dnFromUsername(String username) throws LDAPException, GeneralSecurityException {
    String baseDN = config.getUserBaseDN();
    String lookup = String.format("(%s=%s)", config.getUserAttribute(), username);
    SearchRequest searchRequest = new SearchRequest(baseDN, SearchScope.SUB, lookup);

    LDAPConnection connection = connectionFactory.getLDAPConnection();
    try {
      SearchResult sr = connection.search(searchRequest);

      if (sr.getEntryCount() == 0) {
        throw new LDAPException(ResultCode.INVALID_CREDENTIALS);
      }

      return sr.getSearchEntries().get(0).getDN();
    } finally {
      connection.close();
    }
  }

  private Set<String> rolesFromDN(String userDN) throws LDAPException, GeneralSecurityException {
    SearchRequest searchRequest = new SearchRequest(config.getRoleBaseDN(),
        SearchScope.SUB, Filter.createEqualityFilter("uniqueMember", userDN));
    Set<String> roles = Sets.newLinkedHashSet();

    LDAPConnection connection = connectionFactory.getLDAPConnection();
    try {
      SearchResult sr = connection.search(searchRequest);

      for (SearchResultEntry sre : sr.getSearchEntries()) {
        X500Name x500Name = new X500Name(sre.getDN());
        RDN[] rdns = x500Name.getRDNs(BCStyle.CN);
        if (rdns.length == 0) {
          logger.error("Could not create X500 Name for role:" + sre.getDN());
        } else {
          String commonName = IETFUtils.valueToString(rdns[0].getFirst().getValue());
          roles.add(commonName);
        }
      }
    } finally {
      connection.close();
    }

    return roles;
  }
}