| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| */ |
| |
| package org.apache.directory.server.core.hash; |
| |
| |
| import java.util.ArrayList; |
| import java.util.Collections; |
| import java.util.List; |
| |
| |
| import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants; |
| import org.apache.directory.api.ldap.model.entry.Attribute; |
| import org.apache.directory.api.ldap.model.entry.Modification; |
| import org.apache.directory.api.ldap.model.entry.Value; |
| import org.apache.directory.api.ldap.model.exception.LdapException; |
| import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException; |
| import org.apache.directory.api.ldap.model.password.PasswordUtil; |
| import org.apache.directory.api.ldap.model.schema.AttributeType; |
| import org.apache.directory.server.config.beans.HashInterceptorBean; |
| import org.apache.directory.server.core.api.DirectoryService; |
| import org.apache.directory.server.core.api.interceptor.BaseInterceptor; |
| import org.apache.directory.server.core.api.interceptor.context.AddOperationContext; |
| import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext; |
| |
| |
| /** |
| * An interceptor to hash a configurable set of attributeType(s) using |
| * a configurable hashing algorithm. |
| * |
| * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> |
| */ |
| public class ConfigurableHashingInterceptor extends BaseInterceptor |
| { |
| |
| /** the hashing algorithm to be used */ |
| private HashInterceptorBean config; |
| private LdapSecurityConstants algorithm; |
| private List<AttributeType> attributeTypes; |
| |
| |
| /** |
| * Creates a new instance of ConfigurableHashingInterceptor which hashes the |
| * incoming non-hashed attributeType(s) using the given algorithm. |
| * |
| * @param config The configuration bean |
| */ |
| public ConfigurableHashingInterceptor( HashInterceptorBean config ) |
| { |
| this.config = config; |
| } |
| |
| |
| /** |
| * {@inheritDoc} |
| */ |
| @Override |
| public void add( AddOperationContext addContext ) throws LdapException |
| { |
| if ( algorithm == null ) |
| { |
| next( addContext ); |
| return; |
| } |
| |
| for ( Attribute attribute : addContext.getEntry().getAttributes() ) |
| { |
| if ( attributeTypes.contains( attribute.getAttributeType() ) ) |
| { |
| includeHashed( attribute ); |
| } |
| } |
| |
| next( addContext ); |
| } |
| |
| |
| public LdapSecurityConstants getAlgorithm() |
| { |
| return algorithm; |
| } |
| |
| |
| public List<AttributeType> getAttributeTypes() |
| { |
| return Collections.unmodifiableList( attributeTypes ); |
| } |
| |
| |
| private void includeHashed( Attribute attribute ) throws LdapInvalidAttributeValueException |
| { |
| if ( attribute == null ) |
| { |
| return; |
| } |
| |
| // hash any values if necessary |
| List<byte[]> values = new ArrayList<>(); |
| |
| for ( Value value : attribute ) |
| { |
| byte[] bytes = value.getBytes(); |
| |
| if ( bytes == null ) |
| { |
| // value may be empty, dont wanna attempt to hash empty |
| continue; |
| } |
| |
| // check if the given field is already hashed |
| LdapSecurityConstants existingAlgo = PasswordUtil.findAlgorithm( bytes ); |
| |
| if ( existingAlgo == null ) |
| { |
| // not already hashed, so hash it |
| values.add( PasswordUtil.createStoragePassword( bytes, algorithm ) ); |
| } |
| else |
| { |
| // already hashed, just pass through |
| values.add( bytes ); |
| } |
| } |
| |
| // replace the value(s) |
| attribute.clear(); |
| attribute.add( values.toArray( new byte[values.size()][] ) ); |
| } |
| |
| |
| /** |
| * {@inheritDoc} |
| */ |
| @Override |
| public void init( DirectoryService directoryService ) throws LdapException |
| { |
| // allow base initialization |
| super.init( directoryService ); |
| |
| // initialize from config |
| algorithm = LdapSecurityConstants.getAlgorithm( config.getHashAlgorithm() ); |
| attributeTypes = new ArrayList<>(); |
| for ( String attributeType : config.getHashAttributes() ) |
| { |
| attributeTypes.add( schemaManager.lookupAttributeTypeRegistry( attributeType ) ); |
| } |
| } |
| |
| |
| /** |
| * {@inheritDoc} |
| */ |
| @Override |
| public void modify( ModifyOperationContext modifyContext ) throws LdapException |
| { |
| if ( algorithm == null ) |
| { |
| next( modifyContext ); |
| return; |
| } |
| |
| List<Modification> mods = modifyContext.getModItems(); |
| |
| for ( Modification mod : mods ) |
| { |
| Attribute attribute = mod.getAttribute(); |
| if ( attributeTypes.contains( attribute.getAttributeType() ) ) |
| { |
| includeHashed( attribute ); |
| } |
| } |
| |
| next( modifyContext ); |
| } |
| } |