You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@brooklyn.apache.org by iu...@apache.org on 2021/09/03 18:26:49 UTC
[brooklyn-server] branch master updated: Add user name regex for
LDAP authentication
This is an automated email from the ASF dual-hosted git repository.
iuliana pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new a3a2b2a Add user name regex for LDAP authentication
new f9ee183 Merge pull request #1245 from jcabrerizo/feature/ladp/userName-regex
a3a2b2a is described below
commit a3a2b2a3c6894a768ba8b42119d8d257ec367b55
Author: Juan Cabrerizo <ju...@cloudsoft.io>
AuthorDate: Fri Sep 3 14:38:13 2021 +0100
Add user name regex for LDAP authentication
---
.../src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java | 5 ++++-
.../brooklyn/rest/security/provider/LdapSecurityProvider.java | 7 +++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
index 7307be9..eee2b49 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
@@ -78,7 +78,10 @@ public class BrooklynWebConfig {
public final static ConfigKey<String> SHA256_FOR_USER(String user) {
return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".sha256");
}
-
+
+ public final static ConfigKey<String> LDAP_USERNAME_REGEX = ConfigKeys.newStringConfigKey(
+ BASE_NAME_SECURITY+".ldap.user_name_regex");
+
public final static ConfigKey<String> LDAP_URL = ConfigKeys.newStringConfigKey(
BASE_NAME_SECURITY+".ldap.url");
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
index 344f460..61dedf8 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
@@ -74,6 +74,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
private final String ldapUrl;
private final String defaultLdapRealm;
private final String organizationUnit;
+ private final String userNameRegex;
private boolean logUserLoginAttempt;
private boolean fetchUserGroups = false;
private List<String> validGroups;
@@ -84,6 +85,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
Strings.checkNonEmpty(ldapUrl, "LDAP security provider configuration missing required property " + BrooklynWebConfig.LDAP_URL);
fetchUserGroups = properties.getConfig(BrooklynWebConfig.LDAP_FETCH_USER_GROUPS);
logUserLoginAttempt = properties.getConfig(BrooklynWebConfig.LDAP_LOGIN_INFO_LOG);
+ userNameRegex = properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
List ldapGroupsPrefixes = properties.getConfig(BrooklynWebConfig.GROUP_CONFIG_KEY_NAME);
if (fetchUserGroups && !ldapGroupsPrefixes.isEmpty()) {
validGroups = getConfiguredGroups(properties, ldapGroupsPrefixes);
@@ -110,12 +112,17 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
this.ldapUrl = ldapUrl;
this.defaultLdapRealm = ldapRealm;
this.organizationUnit = organizationUnit;
+ this.userNameRegex = "";
}
@SuppressWarnings({"rawtypes", "unchecked"})
@Override
public boolean authenticate(HttpServletRequest request, Supplier<HttpSession> sessionSupplierOnSuccess, String user, String pass) throws SecurityProviderDeniedAuthentication {
if (user == null) return false;
+ if(Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)){
+ LOG.debug("Rejecting authenticating attempt for user `{}` due to userNameRegex configuration: {}", user, userNameRegex);
+ return false;
+ }
checkCanLoad();
if (Strings.isBlank(pass)) {