trunk/protocol-shared/src/main/java/org/apache/directory/server/protocol/shared/kerberos/StoreUtils.java - directory-server - Git at Google

 /*
  *   Licensed to the Apache Software Foundation (ASF) under one
  *   or more contributor license agreements.  See the NOTICE file
  *   distributed with this work for additional information
  *   regarding copyright ownership.  The ASF licenses this file
  *   to you under the Apache License, Version 2.0 (the
  *   "License"); you may not use this file except in compliance
  *   with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing,
  *   software distributed under the License is distributed on an
  *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *   KIND, either express or implied.  See the License for the
  *   specific language governing permissions and limitations
  *   under the License.
  *
  */
 package org.apache.directory.server.protocol.shared.kerberos;


 import java.nio.ByteBuffer;

 import org.apache.directory.api.ldap.model.constants.Loggers;
 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
 import org.apache.directory.api.ldap.model.cursor.Cursor;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.entry.StringValue;
 import org.apache.directory.api.ldap.model.entry.Value;
 import org.apache.directory.api.ldap.model.filter.EqualityNode;
 import org.apache.directory.api.ldap.model.filter.ExprNode;
 import org.apache.directory.api.ldap.model.message.AliasDerefMode;
 import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.ldap.model.schema.AttributeType;
 import org.apache.directory.api.ldap.model.schema.SchemaManager;
 import org.apache.directory.server.core.api.CoreSession;
 import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
 import org.apache.directory.shared.kerberos.KerberosAttribute;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
 import org.apache.directory.shared.kerberos.components.EncryptionKey;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;


 /**
  * Commonly used store utility operations.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public class StoreUtils
 {
     /** Loggers for this class */
     private static final Logger LOG = LoggerFactory.getLogger( StoreUtils.class );
     private static final Logger LOG_KRB = LoggerFactory.getLogger( Loggers.KERBEROS_LOG.getName() );


     /**
      * Creates a Entry for a PrincipalStoreEntry, doing what a state
      * factory does but for Entry instead of Attributes.
      *
      * @param session the session to use to access the directory's registries
      * @param dn the distinguished name of the principal to be
      * @param principalEntry the principal entry to convert into a Entry
      * @return the resultant server entry for the PrincipalStoreEntry argument
      * @throws Exception if there are problems accessing registries
      */
     public static Entry toServerEntry( CoreSession session, Dn dn, PrincipalStoreEntry principalEntry )
         throws Exception
     {
         Entry outAttrs = session.getDirectoryService().newEntry( dn );

         // process the objectClass attribute
         outAttrs.add( SchemaConstants.OBJECT_CLASS_AT,
             SchemaConstants.TOP_OC, SchemaConstants.UID_OBJECT_AT,
             "uidObject", SchemaConstants.EXTENSIBLE_OBJECT_OC,
             SchemaConstants.PERSON_OC, SchemaConstants.ORGANIZATIONAL_PERSON_OC,
             SchemaConstants.INET_ORG_PERSON_OC, SchemaConstants.KRB5_PRINCIPAL_OC,
             "krb5KDCEntry" );

         outAttrs.add( SchemaConstants.UID_AT, principalEntry.getUserId() );
         outAttrs.add( KerberosAttribute.APACHE_SAM_TYPE_AT, "7" );
         outAttrs.add( SchemaConstants.SN_AT, principalEntry.getUserId() );
         outAttrs.add( SchemaConstants.CN_AT, principalEntry.getCommonName() );

         EncryptionKey encryptionKey = principalEntry.getKeyMap().get( EncryptionType.DES_CBC_MD5 );

         ByteBuffer buffer = ByteBuffer.allocate( encryptionKey.computeLength() );
         outAttrs.add( KerberosAttribute.KRB5_KEY_AT, encryptionKey.encode( buffer ).array() );

         int keyVersion = encryptionKey.getKeyVersion();

         outAttrs.add( KerberosAttribute.KRB5_PRINCIPAL_NAME_AT, principalEntry.getPrincipal().toString() );
         outAttrs.add( KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT, Integer.toString( keyVersion ) );

         return outAttrs;
     }


     /**
      * Constructs a filter expression tree for the filter used to search the
      * directory.
      *
      * @param schemaManager The server schemaManager to use for attribute lookups
      * @param principal the principal to use for building the filter
      * @return the filter expression tree
      * @throws Exception if there are problems while looking up attributes
      */
     private static ExprNode getFilter( SchemaManager schemaManager, String principal ) throws Exception
     {
         AttributeType type = schemaManager.lookupAttributeTypeRegistry( KerberosAttribute.KRB5_PRINCIPAL_NAME_AT );
         Value<String> value = new StringValue( type, principal );

         return new EqualityNode<String>( type, value );
     }


     /**
      * Finds the Entry associated with the Kerberos principal name.
      *
      * @param session the session to use for the search
      * @param searchBaseDn the base to use while searching
      * @param principal the name of the principal to search for
      * @return the server entry for the principal or null if non-existent
      * @throws Exception if there are problems while searching the directory
      */
     public static Entry findPrincipalEntry( CoreSession session, Dn searchBaseDn, String principal )
         throws Exception
     {
         Cursor<Entry> cursor = null;

         try
         {
             SchemaManager schemaManager = session.getDirectoryService().getSchemaManager();
             cursor = session.search( searchBaseDn, SearchScope.SUBTREE,
                 getFilter( schemaManager, principal ), AliasDerefMode.DEREF_ALWAYS, "*" );

             cursor.beforeFirst();

             if ( cursor.next() )
             {
                 Entry entry = cursor.get();
                 LOG.debug( "Found entry {} for kerberos principal name {}", entry.getDn(), principal );
                 LOG_KRB.debug( "Found entry {} for kerberos principal name {}", entry.getDn(), principal );

                 while ( cursor.next() )
                 {
                     LOG.error( I18n.err( I18n.ERR_149, principal, cursor.next() ) );
                 }

                 return entry;
             }
             else
             {
                 LOG.warn( "No server entry found for kerberos principal name {}", principal );
                 LOG_KRB.warn( "No server entry found for kerberos principal name {}", principal );

                 return null;
             }
         }
         finally
         {
             if ( cursor != null )
             {
                 cursor.close();
             }
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.server.protocol.shared.kerberos;


	import java.nio.ByteBuffer;

	import org.apache.directory.api.ldap.model.constants.Loggers;
	import org.apache.directory.api.ldap.model.constants.SchemaConstants;
	import org.apache.directory.api.ldap.model.cursor.Cursor;
	import org.apache.directory.api.ldap.model.entry.Entry;
	import org.apache.directory.api.ldap.model.entry.StringValue;
	import org.apache.directory.api.ldap.model.entry.Value;
	import org.apache.directory.api.ldap.model.filter.EqualityNode;
	import org.apache.directory.api.ldap.model.filter.ExprNode;
	import org.apache.directory.api.ldap.model.message.AliasDerefMode;
	import org.apache.directory.api.ldap.model.message.SearchScope;
	import org.apache.directory.api.ldap.model.name.Dn;
	import org.apache.directory.api.ldap.model.schema.AttributeType;
	import org.apache.directory.api.ldap.model.schema.SchemaManager;
	import org.apache.directory.server.core.api.CoreSession;
	import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
	import org.apache.directory.server.i18n.I18n;
	import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
	import org.apache.directory.shared.kerberos.KerberosAttribute;
	import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
	import org.apache.directory.shared.kerberos.components.EncryptionKey;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;


	/**
	* Commonly used store utility operations.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public class StoreUtils
	{
	/** Loggers for this class */
	private static final Logger LOG = LoggerFactory.getLogger( StoreUtils.class );
	private static final Logger LOG_KRB = LoggerFactory.getLogger( Loggers.KERBEROS_LOG.getName() );


	/**
	* Creates a Entry for a PrincipalStoreEntry, doing what a state
	* factory does but for Entry instead of Attributes.
	*
	* @param session the session to use to access the directory's registries
	* @param dn the distinguished name of the principal to be
	* @param principalEntry the principal entry to convert into a Entry
	* @return the resultant server entry for the PrincipalStoreEntry argument
	* @throws Exception if there are problems accessing registries
	*/
	public static Entry toServerEntry( CoreSession session, Dn dn, PrincipalStoreEntry principalEntry )
	throws Exception
	{
	Entry outAttrs = session.getDirectoryService().newEntry( dn );

	// process the objectClass attribute
	outAttrs.add( SchemaConstants.OBJECT_CLASS_AT,
	SchemaConstants.TOP_OC, SchemaConstants.UID_OBJECT_AT,
	"uidObject", SchemaConstants.EXTENSIBLE_OBJECT_OC,
	SchemaConstants.PERSON_OC, SchemaConstants.ORGANIZATIONAL_PERSON_OC,
	SchemaConstants.INET_ORG_PERSON_OC, SchemaConstants.KRB5_PRINCIPAL_OC,
	"krb5KDCEntry" );

	outAttrs.add( SchemaConstants.UID_AT, principalEntry.getUserId() );
	outAttrs.add( KerberosAttribute.APACHE_SAM_TYPE_AT, "7" );
	outAttrs.add( SchemaConstants.SN_AT, principalEntry.getUserId() );
	outAttrs.add( SchemaConstants.CN_AT, principalEntry.getCommonName() );

	EncryptionKey encryptionKey = principalEntry.getKeyMap().get( EncryptionType.DES_CBC_MD5 );

	ByteBuffer buffer = ByteBuffer.allocate( encryptionKey.computeLength() );
	outAttrs.add( KerberosAttribute.KRB5_KEY_AT, encryptionKey.encode( buffer ).array() );

	int keyVersion = encryptionKey.getKeyVersion();

	outAttrs.add( KerberosAttribute.KRB5_PRINCIPAL_NAME_AT, principalEntry.getPrincipal().toString() );
	outAttrs.add( KerberosAttribute.KRB5_KEY_VERSION_NUMBER_AT, Integer.toString( keyVersion ) );

	return outAttrs;
	}


	/**
	* Constructs a filter expression tree for the filter used to search the
	* directory.
	*
	* @param schemaManager The server schemaManager to use for attribute lookups
	* @param principal the principal to use for building the filter
	* @return the filter expression tree
	* @throws Exception if there are problems while looking up attributes
	*/
	private static ExprNode getFilter( SchemaManager schemaManager, String principal ) throws Exception
	{
	AttributeType type = schemaManager.lookupAttributeTypeRegistry( KerberosAttribute.KRB5_PRINCIPAL_NAME_AT );
	Value<String> value = new StringValue( type, principal );

	return new EqualityNode<String>( type, value );
	}


	/**
	* Finds the Entry associated with the Kerberos principal name.
	*
	* @param session the session to use for the search
	* @param searchBaseDn the base to use while searching
	* @param principal the name of the principal to search for
	* @return the server entry for the principal or null if non-existent
	* @throws Exception if there are problems while searching the directory
	*/
	public static Entry findPrincipalEntry( CoreSession session, Dn searchBaseDn, String principal )
	throws Exception
	{
	Cursor<Entry> cursor = null;

	try
	{
	SchemaManager schemaManager = session.getDirectoryService().getSchemaManager();
	cursor = session.search( searchBaseDn, SearchScope.SUBTREE,
	getFilter( schemaManager, principal ), AliasDerefMode.DEREF_ALWAYS, "*" );

	cursor.beforeFirst();

	if ( cursor.next() )
	{
	Entry entry = cursor.get();
	LOG.debug( "Found entry {} for kerberos principal name {}", entry.getDn(), principal );
	LOG_KRB.debug( "Found entry {} for kerberos principal name {}", entry.getDn(), principal );

	while ( cursor.next() )
	{
	LOG.error( I18n.err( I18n.ERR_149, principal, cursor.next() ) );
	}

	return entry;
	}
	else
	{
	LOG.warn( "No server entry found for kerberos principal name {}", principal );
	LOG_KRB.warn( "No server entry found for kerberos principal name {}", principal );

	return null;
	}
	}
	finally
	{
	if ( cursor != null )
	{
	cursor.close();
	}
	}
	}
	}