| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.syncope.core.provisioning.java.propagation; |
| |
| import java.util.Base64; |
| import java.util.Set; |
| import javax.xml.bind.DatatypeConverter; |
| import org.apache.syncope.common.lib.types.AnyTypeKind; |
| import org.apache.syncope.common.lib.types.CipherAlgorithm; |
| import org.apache.syncope.core.persistence.api.dao.UserDAO; |
| import org.apache.syncope.core.persistence.api.entity.ConnInstance; |
| import org.apache.syncope.core.persistence.api.entity.task.PropagationData; |
| import org.apache.syncope.core.persistence.api.entity.user.User; |
| import org.apache.syncope.core.provisioning.api.propagation.PropagationActions; |
| import org.apache.syncope.core.provisioning.api.propagation.PropagationManager; |
| import org.apache.syncope.core.provisioning.api.propagation.PropagationTaskInfo; |
| import org.apache.syncope.core.spring.implementation.InstanceScope; |
| import org.apache.syncope.core.spring.implementation.SyncopeImplementation; |
| import org.identityconnectors.common.security.GuardedString; |
| import org.identityconnectors.framework.common.objects.Attribute; |
| import org.identityconnectors.framework.common.objects.AttributeBuilder; |
| import org.identityconnectors.framework.common.objects.AttributeUtil; |
| import org.identityconnectors.framework.common.objects.OperationalAttributes; |
| import org.springframework.beans.factory.annotation.Autowired; |
| import org.springframework.transaction.annotation.Transactional; |
| |
| /** |
| * Propagate a non-cleartext password out to a resource, if the PropagationManager has not already |
| * added a password. The CipherAlgorithm associated with the password must match the password |
| * hash algorithm property of the LDAP Connector. |
| */ |
| @SyncopeImplementation(scope = InstanceScope.PER_CONTEXT) |
| public class LDAPPasswordPropagationActions implements PropagationActions { |
| |
| private static final String CLEARTEXT = "CLEARTEXT"; |
| |
| @Autowired |
| private UserDAO userDAO; |
| |
| @Transactional(readOnly = true) |
| @Override |
| public void before(final PropagationTaskInfo taskInfo) { |
| if (AnyTypeKind.USER == taskInfo.getAnyTypeKind()) { |
| User user = userDAO.find(taskInfo.getEntityKey()); |
| |
| PropagationData data = taskInfo.getPropagationData(); |
| if (user != null && user.getPassword() != null && data.getAttributes() != null) { |
| Set<Attribute> attrs = data.getAttributes(); |
| |
| Attribute missing = AttributeUtil.find(PropagationManager.MANDATORY_MISSING_ATTR_NAME, attrs); |
| |
| ConnInstance connInstance = taskInfo.getResource().getConnector(); |
| String cipherAlgorithm = getCipherAlgorithm(connInstance); |
| if (missing != null && missing.getValue() != null && missing.getValue().size() == 1 |
| && missing.getValue().get(0).equals(OperationalAttributes.PASSWORD_NAME) |
| && cipherAlgorithmMatches(getCipherAlgorithm(connInstance), user.getCipherAlgorithm())) { |
| |
| String password = user.getPassword().toLowerCase(); |
| byte[] decodedPassword = DatatypeConverter.parseHexBinary(password); |
| String base64EncodedPassword = Base64.getEncoder().encodeToString(decodedPassword); |
| |
| String cipherPlusPassword = ('{' + cipherAlgorithm.toLowerCase() + '}' + base64EncodedPassword); |
| |
| Attribute passwordAttribute = AttributeBuilder.buildPassword( |
| new GuardedString(cipherPlusPassword.toCharArray())); |
| |
| attrs.add(passwordAttribute); |
| attrs.remove(missing); |
| } |
| } |
| } |
| } |
| |
| protected String getCipherAlgorithm(final ConnInstance connInstance) { |
| return connInstance.getConf().stream(). |
| filter(property -> "passwordHashAlgorithm".equals(property.getSchema().getName()) |
| && property.getValues() != null && !property.getValues().isEmpty()).findFirst(). |
| map(cipherAlgorithm -> (String) cipherAlgorithm.getValues().get(0)). |
| orElse(CLEARTEXT); |
| } |
| |
| protected boolean cipherAlgorithmMatches(final String connectorAlgo, final CipherAlgorithm userAlgo) { |
| if (userAlgo == null) { |
| return false; |
| } |
| |
| if (connectorAlgo.equals(userAlgo.name())) { |
| return true; |
| } |
| |
| // Special check for "SHA" and "SSHA" (user pulled from LDAP) |
| return ("SHA".equals(connectorAlgo) && userAlgo.name().startsWith("SHA")) |
| || ("SSHA".equals(connectorAlgo) && userAlgo.name().startsWith("SSHA")); |
| } |
| } |