trunk/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/gssapi/GssapiMechanismHandler.java - directory-server - Git at Google

 /*
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
  *  under the License.
  *
  */
 package org.apache.directory.server.ldap.handlers.sasl.gssapi;


 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
 import java.util.Map;

 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslServer;

 import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.ldap.model.message.BindRequest;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.server.core.api.CoreSession;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.directory.server.protocol.shared.kerberos.GetPrincipal;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.ldap.LdapSession;
 import org.apache.directory.server.ldap.handlers.sasl.AbstractMechanismHandler;
 import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
 import org.apache.directory.server.protocol.shared.ServiceConfigurationException;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
 import org.apache.directory.shared.kerberos.components.EncryptionKey;


 /**
  * The GSSAPI Sasl mechanism handler.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public class GssapiMechanismHandler extends AbstractMechanismHandler
 {
     public SaslServer handleMechanism( LdapSession ldapSession, BindRequest bindRequest ) throws Exception
     {
         SaslServer ss = ( SaslServer ) ldapSession.getSaslProperty( SaslConstants.SASL_SERVER );

         if ( ss == null )
         {
             //Subject subject = ( Subject ) ldapSession.getIoSession().getAttribute( "saslSubject" );

             Subject subject = getSubject( ldapSession.getLdapServer() );
             final String saslHost = ( String ) ldapSession.getSaslProperty( SaslConstants.SASL_HOST );
             final Map<String, String> saslProps = ( Map<String, String> ) ldapSession
                 .getSaslProperty( SaslConstants.SASL_PROPS );

             CoreSession adminSession = ldapSession.getLdapServer().getDirectoryService().getAdminSession();

             final CallbackHandler callbackHandler = new GssapiCallbackHandler( ldapSession, adminSession, bindRequest );

             ss = ( SaslServer ) Subject.doAs( subject, new PrivilegedExceptionAction<SaslServer>()
             {
                 public SaslServer run() throws Exception
                 {
                     return Sasl.createSaslServer( SupportedSaslMechanisms.GSSAPI, SaslConstants.LDAP_PROTOCOL,
                         saslHost, saslProps, callbackHandler );
                 }
             } );

             ldapSession.putSaslProperty( SaslConstants.SASL_SERVER, ss );
         }

         return ss;
     }


     /**
      * {@inheritDoc}
      */
     public void init( LdapSession ldapSession )
     {
         // Store the host in the ldap session
         String saslHost = ldapSession.getLdapServer().getSaslHost();
         ldapSession.putSaslProperty( SaslConstants.SASL_HOST, saslHost );

         Map<String, String> saslProps = new HashMap<String, String>();
         saslProps.put( Sasl.QOP, ldapSession.getLdapServer().getSaslQopString() );
         //saslProps.put( "com.sun.security.sasl.digest.realm", getActiveRealms( ldapSession.getLdapServer() ) );
         ldapSession.putSaslProperty( SaslConstants.SASL_PROPS, saslProps );
     }


     /**
      * Remove the Host, UserBaseDn, props and Mechanism property.
      *
      * @param ldapSession the Ldapsession instance
      */
     public void cleanup( LdapSession ldapSession )
     {
         // Inject the Sasl Filter
         insertSaslFilter( ldapSession );

         // and remove the useless informations
         ldapSession.removeSaslProperty( SaslConstants.SASL_HOST );
         ldapSession.removeSaslProperty( SaslConstants.SASL_USER_BASE_DN );
         ldapSession.removeSaslProperty( SaslConstants.SASL_MECH );
         ldapSession.removeSaslProperty( SaslConstants.SASL_PROPS );
         ldapSession.removeSaslProperty( SaslConstants.SASL_AUTHENT_USER );
     }


     private Subject getSubject( LdapServer ldapServer ) throws Exception
     {
         String servicePrincipalName = ldapServer.getSaslPrincipal();
         KerberosPrincipal servicePrincipal = new KerberosPrincipal( servicePrincipalName );
         GetPrincipal getPrincipal = new GetPrincipal( servicePrincipal );

         PrincipalStoreEntry entry = null;

         try
         {
             entry = findPrincipal( ldapServer, getPrincipal );
         }
         catch ( ServiceConfigurationException sce )
         {
             String message = I18n.err( I18n.ERR_659, servicePrincipalName, ldapServer.getSearchBaseDn() );
             throw new ServiceConfigurationException( message, sce );
         }

         if ( entry == null )
         {
             String message = I18n.err( I18n.ERR_659, servicePrincipalName, ldapServer.getSearchBaseDn() );
             throw new ServiceConfigurationException( message );
         }

         Subject subject = new Subject();

         for ( EncryptionType encryptionType : entry.getKeyMap().keySet() )
         {
             EncryptionKey key = entry.getKeyMap().get( encryptionType );

             byte[] keyBytes = key.getKeyValue();
             int type = key.getKeyType().getValue();
             int kvno = key.getKeyVersion();

             KerberosKey serviceKey = new KerberosKey( servicePrincipal, keyBytes, type, kvno );

             subject.getPrivateCredentials().add( serviceKey );
         }

         return subject;
     }


     private PrincipalStoreEntry findPrincipal( LdapServer ldapServer, GetPrincipal getPrincipal ) throws Exception
     {
         CoreSession adminSession = ldapServer.getDirectoryService().getAdminSession();
         return ( PrincipalStoreEntry ) getPrincipal.execute( adminSession, new Dn( ldapServer.getSearchBaseDn() ) );
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.server.ldap.handlers.sasl.gssapi;


	import java.security.PrivilegedExceptionAction;
	import java.util.HashMap;
	import java.util.Map;

	import javax.security.auth.Subject;
	import javax.security.auth.callback.CallbackHandler;
	import javax.security.auth.kerberos.KerberosKey;
	import javax.security.auth.kerberos.KerberosPrincipal;
	import javax.security.sasl.Sasl;
	import javax.security.sasl.SaslServer;

	import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
	import org.apache.directory.api.ldap.model.message.BindRequest;
	import org.apache.directory.api.ldap.model.name.Dn;
	import org.apache.directory.server.core.api.CoreSession;
	import org.apache.directory.server.i18n.I18n;
	import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
	import org.apache.directory.server.protocol.shared.kerberos.GetPrincipal;
	import org.apache.directory.server.ldap.LdapServer;
	import org.apache.directory.server.ldap.LdapSession;
	import org.apache.directory.server.ldap.handlers.sasl.AbstractMechanismHandler;
	import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
	import org.apache.directory.server.protocol.shared.ServiceConfigurationException;
	import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
	import org.apache.directory.shared.kerberos.components.EncryptionKey;


	/**
	* The GSSAPI Sasl mechanism handler.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public class GssapiMechanismHandler extends AbstractMechanismHandler
	{
	public SaslServer handleMechanism( LdapSession ldapSession, BindRequest bindRequest ) throws Exception
	{
	SaslServer ss = ( SaslServer ) ldapSession.getSaslProperty( SaslConstants.SASL_SERVER );

	if ( ss == null )
	{
	//Subject subject = ( Subject ) ldapSession.getIoSession().getAttribute( "saslSubject" );

	Subject subject = getSubject( ldapSession.getLdapServer() );
	final String saslHost = ( String ) ldapSession.getSaslProperty( SaslConstants.SASL_HOST );
	final Map<String, String> saslProps = ( Map<String, String> ) ldapSession
	.getSaslProperty( SaslConstants.SASL_PROPS );

	CoreSession adminSession = ldapSession.getLdapServer().getDirectoryService().getAdminSession();

	final CallbackHandler callbackHandler = new GssapiCallbackHandler( ldapSession, adminSession, bindRequest );

	ss = ( SaslServer ) Subject.doAs( subject, new PrivilegedExceptionAction<SaslServer>()
	{
	public SaslServer run() throws Exception
	{
	return Sasl.createSaslServer( SupportedSaslMechanisms.GSSAPI, SaslConstants.LDAP_PROTOCOL,
	saslHost, saslProps, callbackHandler );
	}
	} );

	ldapSession.putSaslProperty( SaslConstants.SASL_SERVER, ss );
	}

	return ss;
	}


	/**
	* {@inheritDoc}
	*/
	public void init( LdapSession ldapSession )
	{
	// Store the host in the ldap session
	String saslHost = ldapSession.getLdapServer().getSaslHost();
	ldapSession.putSaslProperty( SaslConstants.SASL_HOST, saslHost );

	Map<String, String> saslProps = new HashMap<String, String>();
	saslProps.put( Sasl.QOP, ldapSession.getLdapServer().getSaslQopString() );
	//saslProps.put( "com.sun.security.sasl.digest.realm", getActiveRealms( ldapSession.getLdapServer() ) );
	ldapSession.putSaslProperty( SaslConstants.SASL_PROPS, saslProps );
	}


	/**
	* Remove the Host, UserBaseDn, props and Mechanism property.
	*
	* @param ldapSession the Ldapsession instance
	*/
	public void cleanup( LdapSession ldapSession )
	{
	// Inject the Sasl Filter
	insertSaslFilter( ldapSession );

	// and remove the useless informations
	ldapSession.removeSaslProperty( SaslConstants.SASL_HOST );
	ldapSession.removeSaslProperty( SaslConstants.SASL_USER_BASE_DN );
	ldapSession.removeSaslProperty( SaslConstants.SASL_MECH );
	ldapSession.removeSaslProperty( SaslConstants.SASL_PROPS );
	ldapSession.removeSaslProperty( SaslConstants.SASL_AUTHENT_USER );
	}


	private Subject getSubject( LdapServer ldapServer ) throws Exception
	{
	String servicePrincipalName = ldapServer.getSaslPrincipal();
	KerberosPrincipal servicePrincipal = new KerberosPrincipal( servicePrincipalName );
	GetPrincipal getPrincipal = new GetPrincipal( servicePrincipal );

	PrincipalStoreEntry entry = null;

	try
	{
	entry = findPrincipal( ldapServer, getPrincipal );
	}
	catch ( ServiceConfigurationException sce )
	{
	String message = I18n.err( I18n.ERR_659, servicePrincipalName, ldapServer.getSearchBaseDn() );
	throw new ServiceConfigurationException( message, sce );
	}

	if ( entry == null )
	{
	String message = I18n.err( I18n.ERR_659, servicePrincipalName, ldapServer.getSearchBaseDn() );
	throw new ServiceConfigurationException( message );
	}

	Subject subject = new Subject();

	for ( EncryptionType encryptionType : entry.getKeyMap().keySet() )
	{
	EncryptionKey key = entry.getKeyMap().get( encryptionType );

	byte[] keyBytes = key.getKeyValue();
	int type = key.getKeyType().getValue();
	int kvno = key.getKeyVersion();

	KerberosKey serviceKey = new KerberosKey( servicePrincipal, keyBytes, type, kvno );

	subject.getPrivateCredentials().add( serviceKey );
	}

	return subject;
	}


	private PrincipalStoreEntry findPrincipal( LdapServer ldapServer, GetPrincipal getPrincipal ) throws Exception
	{
	CoreSession adminSession = ldapServer.getDirectoryService().getAdminSession();
	return ( PrincipalStoreEntry ) getPrincipal.execute( adminSession, new Dn( ldapServer.getSearchBaseDn() ) );
	}
	}