ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java - ranger - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.ranger.ldapconfigcheck;

 import java.io.PrintStream;
 import java.util.ArrayList;
 import java.util.List;
 import org.springframework.ldap.core.support.LdapContextSource;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
 import org.springframework.security.ldap.authentication.BindAuthenticator;
 import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.ldap.DefaultSpringSecurityContextSource;


 public class AuthenticationCheck {
     private String ldapUrl = null;
     private String authMethod = "NONE";
     private String adDomain = null;
     private String userDnPattern = null;
     private String roleAttribute = null;
     private String groupSearchBase = null;
     private String groupSearchFilter = null;

     private PrintStream logFile = null;
     private PrintStream ambariProps = null;
     private PrintStream installProps = null;

     public AuthenticationCheck(String ldapUrl, UserSync userSyncObj, PrintStream logFile,
                                PrintStream ambariProps, PrintStream installProps) {

         this.logFile = logFile;
         this.ambariProps = ambariProps;
         this.installProps = installProps;

         if (userSyncObj.getUserNameAttribute().equalsIgnoreCase("sAMAccountName")) {
             authMethod = "AD";
         } else {
             authMethod = "LDAP";
         }
         this.ldapUrl = ldapUrl;
         adDomain = userSyncObj.getSearchBase();
         userDnPattern = userSyncObj.getUserNameAttribute() + "={0}," + userSyncObj.getUserSearchBase();
         roleAttribute = userSyncObj.getGroupNameAttrName();
         groupSearchBase = userSyncObj.getGroupSearchBase();
         groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern;

     }

     public void discoverAuthProperties() {

         ambariProps.println("\n# Possible values for authetication properties:");
         installProps.println("\n# Possible values for authetication properties:");
         if (authMethod.equalsIgnoreCase("AD")) {
             installProps.println("xa_ldap_ad_url=" + ldapUrl);
             installProps.println("xa_ldap_ad_domain=" + adDomain);
         } else {
             installProps.println("xa_ldap_url=" + ldapUrl);
             installProps.println("xa_ldap_userDNpattern=" + userDnPattern);
             installProps.println("xa_ldap_groupRoleAttribute=" + roleAttribute);
             installProps.println("xa_ldap_groupSearchBase=" + groupSearchBase);
             installProps.println("xa_ldap_groupSearchFilter=" + groupSearchFilter);
         }

         ambariProps.println("ranger.authentication.method=" + authMethod);
         if (authMethod.equalsIgnoreCase("AD")) {
             ambariProps.println("ranger.ldap.ad.url=" + ldapUrl);
             ambariProps.println("ranger.ldap.ad.domain=" + adDomain);
         } else {
             ambariProps.println("ranger.ldap.url=" + ldapUrl);
             ambariProps.println("ranger.ldap.user.dnpattern=" + userDnPattern);
             ambariProps.println("ranger.ldap.group.roleattribute=" + roleAttribute);
             ambariProps.println("ranger.ldap.group.searchbase=" + groupSearchBase);
             ambariProps.println("ranger.ldap.group.searchfilter=" + groupSearchFilter);
         }
     }

     public boolean isAuthenticated(String ldapUrl, String bindDn, String bindPassword, String userName,
                                    String userPassword) {
         boolean isAuthenticated = false;
         //Verify Authentication
         Authentication authentication;
         if (authMethod.equalsIgnoreCase("AD")) {
             authentication = getADBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
         } else {
             authentication = getLdapBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
         }
         if (authentication != null) {
             isAuthenticated = authentication.isAuthenticated();
         }

         return isAuthenticated;
     }

     private Authentication getADBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
                                                    String userName, String userPassword) {
         Authentication result = null;
         try {
             LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
             ldapContextSource.setUserDn(bindDn);
             ldapContextSource.setPassword(bindPassword);
             ldapContextSource.setReferral("follow");
             ldapContextSource.setCacheEnvironmentProperties(true);
             ldapContextSource.setAnonymousReadOnly(false);
             ldapContextSource.setPooled(true);
             ldapContextSource.afterPropertiesSet();

             String searchFilter="(sAMAccountName={0})";
             FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
             userSearch.setSearchSubtree(true);

             BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
             bindAuthenticator.setUserSearch(userSearch);
             bindAuthenticator.afterPropertiesSet();

             LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);

             if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) {
                 final List<GrantedAuthority> grantedAuths = new ArrayList<>();
                 grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
                 final UserDetails principal = new User(userName, userPassword, grantedAuths);
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);

                 result = ldapAuthenticationProvider.authenticate(finalAuthentication);
             }

         } catch (BadCredentialsException bce) {
             logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
                     "ranger.admin.auth.samplepassword\n");
         } catch (Exception e) {
             logFile.println("ERROR: LDAP Authentication Failed: " + e);
         }
         return result;
     }

     private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
                                                      String userName, String userPassword) {
         Authentication result = null;
         try {
             LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
             ldapContextSource.setUserDn(bindDn);
             ldapContextSource.setPassword(bindPassword);
             ldapContextSource.setReferral("follow");
             ldapContextSource.setCacheEnvironmentProperties(false);
             ldapContextSource.setAnonymousReadOnly(true);
             ldapContextSource.setPooled(true);
             ldapContextSource.afterPropertiesSet();

             DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, groupSearchBase);
             defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(roleAttribute);
             defaultLdapAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
             defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);

             String searchFilter="(uid={0})";
             FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
             userSearch.setSearchSubtree(true);

             BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
             bindAuthenticator.setUserSearch(userSearch);
             String[] userDnPatterns = new String[] { userDnPattern };
             bindAuthenticator.setUserDnPatterns(userDnPatterns);
             bindAuthenticator.afterPropertiesSet();

             LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator);

             if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
                 final List<GrantedAuthority> grantedAuths = new ArrayList<>();
                 grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
                 final UserDetails principal = new User(userName, userPassword,grantedAuths);
                 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);

                 result = ldapAuthenticationProvider.authenticate(finalAuthentication);
             }
         } catch (BadCredentialsException bce) {
             logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
                     "ranger.admin.auth.samplepassword\n");
         } catch (Exception e) {
             logFile.println("ERROR: LDAP Authentication Failed: " + e);
         }
         return result;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.ranger.ldapconfigcheck;

	import java.io.PrintStream;
	import java.util.ArrayList;
	import java.util.List;
	import org.springframework.ldap.core.support.LdapContextSource;
	import org.springframework.security.authentication.BadCredentialsException;
	import org.springframework.security.core.Authentication;
	import org.springframework.security.core.authority.SimpleGrantedAuthority;
	import org.springframework.security.core.userdetails.UserDetails;
	import org.springframework.security.core.userdetails.User;
	import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
	import org.springframework.security.core.GrantedAuthority;
	import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
	import org.springframework.security.ldap.authentication.BindAuthenticator;
	import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
	import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
	import org.springframework.security.ldap.DefaultSpringSecurityContextSource;


	public class AuthenticationCheck {
	private String ldapUrl = null;
	private String authMethod = "NONE";
	private String adDomain = null;
	private String userDnPattern = null;
	private String roleAttribute = null;
	private String groupSearchBase = null;
	private String groupSearchFilter = null;

	private PrintStream logFile = null;
	private PrintStream ambariProps = null;
	private PrintStream installProps = null;

	public AuthenticationCheck(String ldapUrl, UserSync userSyncObj, PrintStream logFile,
	PrintStream ambariProps, PrintStream installProps) {

	this.logFile = logFile;
	this.ambariProps = ambariProps;
	this.installProps = installProps;

	if (userSyncObj.getUserNameAttribute().equalsIgnoreCase("sAMAccountName")) {
	authMethod = "AD";
	} else {
	authMethod = "LDAP";
	}
	this.ldapUrl = ldapUrl;
	adDomain = userSyncObj.getSearchBase();
	userDnPattern = userSyncObj.getUserNameAttribute() + "={0}," + userSyncObj.getUserSearchBase();
	roleAttribute = userSyncObj.getGroupNameAttrName();
	groupSearchBase = userSyncObj.getGroupSearchBase();
	groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern;

	}

	public void discoverAuthProperties() {

	ambariProps.println("\n# Possible values for authetication properties:");
	installProps.println("\n# Possible values for authetication properties:");
	if (authMethod.equalsIgnoreCase("AD")) {
	installProps.println("xa_ldap_ad_url=" + ldapUrl);
	installProps.println("xa_ldap_ad_domain=" + adDomain);
	} else {
	installProps.println("xa_ldap_url=" + ldapUrl);
	installProps.println("xa_ldap_userDNpattern=" + userDnPattern);
	installProps.println("xa_ldap_groupRoleAttribute=" + roleAttribute);
	installProps.println("xa_ldap_groupSearchBase=" + groupSearchBase);
	installProps.println("xa_ldap_groupSearchFilter=" + groupSearchFilter);
	}

	ambariProps.println("ranger.authentication.method=" + authMethod);
	if (authMethod.equalsIgnoreCase("AD")) {
	ambariProps.println("ranger.ldap.ad.url=" + ldapUrl);
	ambariProps.println("ranger.ldap.ad.domain=" + adDomain);
	} else {
	ambariProps.println("ranger.ldap.url=" + ldapUrl);
	ambariProps.println("ranger.ldap.user.dnpattern=" + userDnPattern);
	ambariProps.println("ranger.ldap.group.roleattribute=" + roleAttribute);
	ambariProps.println("ranger.ldap.group.searchbase=" + groupSearchBase);
	ambariProps.println("ranger.ldap.group.searchfilter=" + groupSearchFilter);
	}
	}

	public boolean isAuthenticated(String ldapUrl, String bindDn, String bindPassword, String userName,
	String userPassword) {
	boolean isAuthenticated = false;
	//Verify Authentication
	Authentication authentication;
	if (authMethod.equalsIgnoreCase("AD")) {
	authentication = getADBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
	} else {
	authentication = getLdapBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
	}
	if (authentication != null) {
	isAuthenticated = authentication.isAuthenticated();
	}

	return isAuthenticated;
	}

	private Authentication getADBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
	String userName, String userPassword) {
	Authentication result = null;
	try {
	LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
	ldapContextSource.setUserDn(bindDn);
	ldapContextSource.setPassword(bindPassword);
	ldapContextSource.setReferral("follow");
	ldapContextSource.setCacheEnvironmentProperties(true);
	ldapContextSource.setAnonymousReadOnly(false);
	ldapContextSource.setPooled(true);
	ldapContextSource.afterPropertiesSet();

	String searchFilter="(sAMAccountName={0})";
	FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
	userSearch.setSearchSubtree(true);

	BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
	bindAuthenticator.setUserSearch(userSearch);
	bindAuthenticator.afterPropertiesSet();

	LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);

	if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) {
	final List<GrantedAuthority> grantedAuths = new ArrayList<>();
	grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
	final UserDetails principal = new User(userName, userPassword, grantedAuths);
	final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);

	result = ldapAuthenticationProvider.authenticate(finalAuthentication);
	}

	} catch (BadCredentialsException bce) {
	logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
	"ranger.admin.auth.samplepassword\n");
	} catch (Exception e) {
	logFile.println("ERROR: LDAP Authentication Failed: " + e);
	}
	return result;
	}

	private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
	String userName, String userPassword) {
	Authentication result = null;
	try {
	LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
	ldapContextSource.setUserDn(bindDn);
	ldapContextSource.setPassword(bindPassword);
	ldapContextSource.setReferral("follow");
	ldapContextSource.setCacheEnvironmentProperties(false);
	ldapContextSource.setAnonymousReadOnly(true);
	ldapContextSource.setPooled(true);
	ldapContextSource.afterPropertiesSet();

	DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, groupSearchBase);
	defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(roleAttribute);
	defaultLdapAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
	defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);

	String searchFilter="(uid={0})";
	FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
	userSearch.setSearchSubtree(true);

	BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
	bindAuthenticator.setUserSearch(userSearch);
	String[] userDnPatterns = new String[] { userDnPattern };
	bindAuthenticator.setUserDnPatterns(userDnPatterns);
	bindAuthenticator.afterPropertiesSet();

	LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator);

	if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
	final List<GrantedAuthority> grantedAuths = new ArrayList<>();
	grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
	final UserDetails principal = new User(userName, userPassword,grantedAuths);
	final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);

	result = ldapAuthenticationProvider.authenticate(finalAuthentication);
	}
	} catch (BadCredentialsException bce) {
	logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
	"ranger.admin.auth.samplepassword\n");
	} catch (Exception e) {
	logFile.println("ERROR: LDAP Authentication Failed: " + e);
	}
	return result;
	}
	}