be/src/util/ldap-util.h

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

#pragma once

#include <string>
#include <unordered_set>
#include <vector>

#include "common/status.h"

struct ldap;
typedef struct ldap LDAP;

namespace impala {

class Status;

// Utility class for checking usernames and passwords in LDAP.
class ImpalaLdap {
 public:
  static Status ValidateFlags();

  /// 'user_filter' and 'group_filter' are optional comma separated lists specifying what
  /// users and groups are allowed to authenticate.
  Status Init(
      const std::string& user_filter, const std::string& group_filter) WARN_UNUSED_RESULT;

  /// Attempts to authenticate to LDAP using the given username and password, applying the
  /// user or group filters as appropriate. 'passlen' is the length of the password.
  /// Returns true if authentication is successful.
  ///
  /// Note that this method uses ldap_sasl_bind_s(), which does *not* provide any security
  /// to the connection between Impala and the LDAP server. You must either set
  /// --ldap_tls or have a URI which has "ldaps://" as the scheme in order to get a secure
  /// connection. Use --ldap_ca_certificate to specify the location of the certificate
  /// used to confirm the authenticity of the LDAP server certificate.
  bool LdapCheckPass(
      const char* username, const char* password, unsigned passlen) WARN_UNUSED_RESULT;

  /// Returns true if 'username' passes the LDAP user and group filters, if configured.
  bool LdapCheckFilters(std::string username) WARN_UNUSED_RESULT;

 private:
  /// If non-empty, only users in this set can successfully authenticate.
  std::unordered_set<std::string> user_filter_;

  /// If non-empty, only users who belong to groups in this set can successfully
  /// authenticate.
  std::unordered_set<std::string> group_filter_;
  /// The base DNs to use when preforming group searches.
  std::vector<std::string> group_filter_dns_;

  /// The output of --ldap_bind_password_cmd, if specified.
  std::string bind_password_;

  /// Attempts a bind with 'user' and 'pass'. Returns true if successful and the handle is
  /// returned in 'ldap', in which case the caller must call 'ldap_unbind_ext' on 'ldap'.
  bool Bind(const std::string& user_dn, const char* pass, unsigned passlen, LDAP** ldap);

  /// Searches LDAP to determine if 'user_str' belong to one of the groups in
  /// 'group_filter_'. Returns true if so.
  bool CheckGroupMembership(LDAP* ld, const std::string& user_str);

  /// Returns the value part of the first attribute in the provided relative DN.
  static std::string GetShortName(const std::string& rdn);

  /// Maps the user string into an acceptable LDAP "DN" (distinguished name) based on the
  /// values of the LDAP config flags.
  static std::string ConstructUserDN(const std::string& user);
};

} // namespace impala