blob: eb3cee8806121557c8dc296fce55d12f3dcf1a8c [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.syncope.core.provisioning.java.propagation;
import java.util.Base64;
import java.util.Set;
import javax.xml.bind.DatatypeConverter;
import org.apache.syncope.common.lib.types.AnyTypeKind;
import org.apache.syncope.common.lib.types.CipherAlgorithm;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.ConnInstance;
import org.apache.syncope.core.persistence.api.entity.task.PropagationData;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.provisioning.api.propagation.PropagationActions;
import org.apache.syncope.core.provisioning.api.propagation.PropagationManager;
import org.apache.syncope.core.provisioning.api.propagation.PropagationTaskInfo;
import org.apache.syncope.core.spring.implementation.InstanceScope;
import org.apache.syncope.core.spring.implementation.SyncopeImplementation;
import org.identityconnectors.common.security.GuardedString;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeBuilder;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.OperationalAttributes;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.transaction.annotation.Transactional;
/**
* Propagate a non-cleartext password out to a resource, if the PropagationManager has not already
* added a password. The CipherAlgorithm associated with the password must match the password
* hash algorithm property of the LDAP Connector.
*/
@SyncopeImplementation(scope = InstanceScope.PER_CONTEXT)
public class LDAPPasswordPropagationActions implements PropagationActions {
private static final String CLEARTEXT = "CLEARTEXT";
@Autowired
private UserDAO userDAO;
@Transactional(readOnly = true)
@Override
public void before(final PropagationTaskInfo taskInfo) {
if (AnyTypeKind.USER == taskInfo.getAnyTypeKind()) {
User user = userDAO.find(taskInfo.getEntityKey());
PropagationData data = taskInfo.getPropagationData();
if (user != null && user.getPassword() != null && data.getAttributes() != null) {
Set<Attribute> attrs = data.getAttributes();
Attribute missing = AttributeUtil.find(PropagationManager.MANDATORY_MISSING_ATTR_NAME, attrs);
ConnInstance connInstance = taskInfo.getResource().getConnector();
String cipherAlgorithm = getCipherAlgorithm(connInstance);
if (missing != null && missing.getValue() != null && missing.getValue().size() == 1
&& missing.getValue().get(0).equals(OperationalAttributes.PASSWORD_NAME)
&& cipherAlgorithmMatches(getCipherAlgorithm(connInstance), user.getCipherAlgorithm())) {
String password = user.getPassword().toLowerCase();
byte[] decodedPassword = DatatypeConverter.parseHexBinary(password);
String base64EncodedPassword = Base64.getEncoder().encodeToString(decodedPassword);
String cipherPlusPassword = ('{' + cipherAlgorithm.toLowerCase() + '}' + base64EncodedPassword);
Attribute passwordAttribute = AttributeBuilder.buildPassword(
new GuardedString(cipherPlusPassword.toCharArray()));
attrs.add(passwordAttribute);
attrs.remove(missing);
}
}
}
}
protected String getCipherAlgorithm(final ConnInstance connInstance) {
return connInstance.getConf().stream().
filter(property -> "passwordHashAlgorithm".equals(property.getSchema().getName())
&& property.getValues() != null && !property.getValues().isEmpty()).findFirst().
map(cipherAlgorithm -> (String) cipherAlgorithm.getValues().get(0)).
orElse(CLEARTEXT);
}
protected boolean cipherAlgorithmMatches(final String connectorAlgo, final CipherAlgorithm userAlgo) {
if (userAlgo == null) {
return false;
}
if (connectorAlgo.equals(userAlgo.name())) {
return true;
}
// Special check for "SHA" and "SSHA" (user pulled from LDAP)
return ("SHA".equals(connectorAlgo) && userAlgo.name().startsWith("SHA"))
|| ("SSHA".equals(connectorAlgo) && userAlgo.name().startsWith("SSHA"));
}
}