ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 * 
 * http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.ranger.ldapconfigcheck;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintStream;
import java.util.Properties;

import org.apache.commons.lang.NullArgumentException;

public class LdapConfigCheckMain {

    private static final String LOG_FILE = "ldapConfigCheck.log";
    private static final String AMBARI_PROPERTIES = "ambari.properties";
    private static final String INSTALL_PROPERTIES = "install.properties";

    public static void main(String[] args) {

        CommandLineOptions cli = new CommandLineOptions(args);
        cli.parse();
        String inFileName = cli.getInput();
        String outputDir = cli.getOutput();
        if (!outputDir.endsWith("/")) {
            outputDir = outputDir.concat("/");
        }

        LdapConfig config = new LdapConfig(inFileName);
        if (cli.getLdapUrl() != null && !cli.getLdapUrl().isEmpty()) {
            config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(),
                    cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass());
        }

        PrintStream logFile = null;
        PrintStream ambariProps = null;
        PrintStream installProps = null;
        LdapContext ldapContext;

        try {
            logFile = new PrintStream(new File(outputDir + LOG_FILE));
            ambariProps = new PrintStream(new File(outputDir + AMBARI_PROPERTIES));
            installProps = new PrintStream(new File(outputDir + INSTALL_PROPERTIES));

            UserSync userSyncObj = new UserSync(config, logFile, ambariProps, installProps);

            String bindDn = config.getLdapBindDn();

            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, config.getLdapUrl());
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, config.getLdapBindPassword());
            env.put(Context.SECURITY_AUTHENTICATION, config.getLdapAuthenticationMechanism());
            env.put(Context.REFERRAL, "follow");

            ldapContext = new InitialLdapContext(env, null);

            if (config.isPagedResultsEnabled())   {
                ldapContext.setRequestControls(new Control[]{
                        new PagedResultsControl(config.getPagedResultsSize(), Control.CRITICAL) });
            }

            String retrieveValues = "all";

            if (cli.getDiscoverProperties() != null) {
                retrieveValues = cli.getDiscoverProperties();
                if (cli.getDiscoverProperties().equalsIgnoreCase("users")) {
                    userSyncObj.findUserProperties(ldapContext);
                } else if (cli.getDiscoverProperties().equalsIgnoreCase("groups")) {
                    userSyncObj.findGroupProperties(ldapContext);
                } else {
                    findAllUserSyncProperties(ldapContext, userSyncObj);
                }
            }else if (cli.getRetrieveValues() != null){
                retrieveValues = cli.getRetrieveValues();

            } else {
                cli.help();
            }

            if (cli.isAuthEnabled()) {
                authenticate(userSyncObj, config, logFile, ambariProps, installProps);
            }

            retrieveUsersGroups(ldapContext, userSyncObj, retrieveValues);

            if (ldapContext != null) {
                ldapContext.close();
            }

        } catch (FileNotFoundException fe) {
            System.out.println(fe.getMessage());
        } catch (IOException ioe) {
            logFile.println("ERROR: Failed while setting the paged results controls\n" + ioe);
        } catch (NamingException ne) {
            System.out.println("ERROR: Failed to perfom ldap bind. Please verify values for " +
                    "ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword\n" + ne);
        } catch (Throwable t) {
            if (logFile != null) {
                logFile.println("ERROR: Connection failed: " + t.getMessage());
            } else {
                System.out.println("ERROR: Connection failed: " + t.getMessage());
            }
        } finally {
            if (logFile != null) {
                logFile.close();
            }
            if (ambariProps != null) {
                ambariProps.close();
            }
            if (installProps != null) {
                installProps.close();
            }
        }
    }

    private static void findAllUserSyncProperties(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {

        userSyncObj.findUserProperties(ldapContext);
        userSyncObj.findGroupProperties(ldapContext);
    }

    private static void authenticate(UserSync userSyncObj, LdapConfig config,
                                     PrintStream logFile, PrintStream ambariProps,
                                     PrintStream installProps) throws Throwable{
        AuthenticationCheck auth = new AuthenticationCheck(config.getLdapUrl(), userSyncObj, logFile, ambariProps, installProps);

        auth.discoverAuthProperties();

        String msg;
        if (config.getAuthUsername() == null || config.getAuthUsername().isEmpty()) {
            msg = "ranger.admin.auth.sampleuser ";
            throw new NullArgumentException(msg);
        }

        if (config.getAuthPassword() == null || config.getAuthPassword().isEmpty()) {
            msg = "ranger.admin.auth.samplepassword ";
            throw new NullArgumentException(msg);
        }

        if (auth.isAuthenticated(config.getLdapUrl(), config.getLdapBindDn(), config.getLdapBindPassword(),
                config.getAuthUsername(), config.getAuthPassword())) {
            logFile.println("INFO: Authentication verified successfully");
        } else {
            logFile.println("ERROR: Failed to authenticate " + config.getAuthUsername());
        }
    }

    private static void retrieveUsersGroups(LdapContext ldapContext, UserSync userSyncObj,
                                            String retrieve) throws Throwable {
        String msg;
        if (retrieve == null || userSyncObj == null || ldapContext == null) {
            msg = "Input validation failed while retrieving Users or Groups";
            throw new NullArgumentException(msg);
        }

        if (retrieve.equalsIgnoreCase("users")) {
            retrieveUsers(ldapContext, userSyncObj);
        } else if (retrieve.equalsIgnoreCase("groups")){
            retrieveGroups(ldapContext, userSyncObj);
        } else {
            // retrieve both
            retrieveUsers(ldapContext, userSyncObj);
            retrieveGroups(ldapContext, userSyncObj);
        }
    }

    private static void retrieveUsers(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
        String msg;
        if (userSyncObj.getUserNameAttribute() == null || userSyncObj.getUserNameAttribute().isEmpty()) {
            msg = "ranger.usersync.ldap.user.nameattribute ";
            throw new NullArgumentException(msg);
        }
        if (userSyncObj.getUserObjClassName() == null || userSyncObj.getUserObjClassName().isEmpty()) {
            msg = "ranger.usersync.ldap.user.objectclass ";
            throw new NullArgumentException(msg);
        }
        if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) &&
                (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
            msg = "ranger.usersync.ldap.user.searchbase and " +
                    "ranger.usersync.ldap.searchBase ";
            throw new NullArgumentException(msg);
        }
        userSyncObj.getAllUsers(ldapContext);
    }

    private static void retrieveGroups(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
        String msg;
        if (userSyncObj.getGroupNameAttrName() == null || userSyncObj.getGroupNameAttrName().isEmpty()) {
            msg = "ranger.usersync.group.nameattribute ";
            throw new NullArgumentException(msg);
        }
        if (userSyncObj.getGroupObjClassName() == null || userSyncObj.getGroupObjClassName().isEmpty()) {
            msg = "ranger.usersync.group.objectclass ";
            throw new NullArgumentException(msg);
        }
        if (userSyncObj.getGroupMemberName() == null || userSyncObj.getGroupMemberName().isEmpty()) {
            msg = "ranger.usersync.group.memberattributename ";
            throw new NullArgumentException(msg);
        }
        if ((userSyncObj.getGroupSearchBase() == null || userSyncObj.getGroupSearchBase().isEmpty()) &&
                (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
            msg = "ranger.usersync.group.searchbase and " +
                    "ranger.usersync.ldap.searchBase ";
            throw new NullArgumentException(msg);
        }
        userSyncObj.getAllGroups(ldapContext);
    }


}