Posted to commits@brooklyn.apache.org by iu...@apache.org on 2021/09/03 18:26:49 UTC

[brooklyn-server] branch master updated: Add user name regex for LDAP authentication

This is an automated email from the ASF dual-hosted git repository.

iuliana pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git


The following commit(s) were added to refs/heads/master by this push:
     new a3a2b2a  Add user name regex for LDAP authentication
     new f9ee183  Merge pull request #1245 from jcabrerizo/feature/ladp/userName-regex
a3a2b2a is described below

commit a3a2b2a3c6894a768ba8b42119d8d257ec367b55
Author: Juan Cabrerizo <ju...@cloudsoft.io>
AuthorDate: Fri Sep 3 14:38:13 2021 +0100

    Add user name regex for LDAP authentication
---
 .../src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java  | 5 ++++-
 .../brooklyn/rest/security/provider/LdapSecurityProvider.java      | 7 +++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
index 7307be9..eee2b49 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
@@ -78,7 +78,10 @@ public class BrooklynWebConfig {
     public final static ConfigKey<String> SHA256_FOR_USER(String user) {
         return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".sha256");
     }
-    
+
+    public final static ConfigKey<String> LDAP_USERNAME_REGEX = ConfigKeys.newStringConfigKey(
+            BASE_NAME_SECURITY+".ldap.user_name_regex");
+
     public final static ConfigKey<String> LDAP_URL = ConfigKeys.newStringConfigKey(
             BASE_NAME_SECURITY+".ldap.url");
 
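Review bot: LDAP_USERNAME_REGEX carries no description or Javadoc, so an operator reading the key cannot tell that the value is a Java regular expression applied to the login name as a whole (the consumer in LdapSecurityProvider uses `String.matches`, which is anchored) rather than a substring search. A one-line Javadoc above the declaration would settle that: `/** Optional Java regex; when set, a login user name must match it in full or the attempt is refused. */` The surrounding keys such as LDAP_URL are equally undocumented, so this is a consistency gap rather than a regression, but a regex key is the one most likely to be misconfigured.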
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
index 344f460..61dedf8 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
@@ -74,6 +74,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
     private final String ldapUrl;
     private final String defaultLdapRealm;
     private final String organizationUnit;
+    private final String userNameRegex;
     private boolean logUserLoginAttempt;
     private boolean fetchUserGroups = false;
     private List<String> validGroups;
@@ -84,6 +85,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
         Strings.checkNonEmpty(ldapUrl, "LDAP security provider configuration missing required property " + BrooklynWebConfig.LDAP_URL);
         fetchUserGroups = properties.getConfig(BrooklynWebConfig.LDAP_FETCH_USER_GROUPS);
         logUserLoginAttempt = properties.getConfig(BrooklynWebConfig.LDAP_LOGIN_INFO_LOG);
+        userNameRegex = properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
         List ldapGroupsPrefixes = properties.getConfig(BrooklynWebConfig.GROUP_CONFIG_KEY_NAME);
         if (fetchUserGroups && !ldapGroupsPrefixes.isEmpty()) {
             validGroups = getConfiguredGroups(properties, ldapGroupsPrefixes);
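Review bot: The regex read on the added line is stored as a raw String and never validated, so a malformed value in the configuration is only discovered when `user.matches(userNameRegex)` in authenticate (third hunk of this file) throws PatternSyntaxException on the first login, and a valid one is recompiled on every authentication attempt. Compiling it once here with `Pattern.compile` (java.util.regex, an import would be needed) fails fast at provider construction and removes the per-request compile; the field becomes a `Pattern`, the test-only constructor in the third hunk assigns `null` instead of `""`, and the check becomes `if (userNamePattern != null && !userNamePattern.matcher(user).matches())`. This constructor starts before the hunk, so the surrounding declarations are not visible here.
```java
    private final Pattern userNamePattern;  // replaces the String userNameRegex field
    // … unchanged: other fields and constructor preamble …
        String userNameRegex = properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
        // compile once so a malformed pattern fails at startup, not at the first login
        userNamePattern = Strings.isNonEmpty(userNameRegex) ? Pattern.compile(userNameRegex) : null;
    // … unchanged: group configuration …
        this.userNamePattern = null;  // in the constructor that previously set userNameRegex = ""
    // … unchanged: authenticate preamble …
        if (userNamePattern != null && !userNamePattern.matcher(user).matches()) {
```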
@@ -110,12 +112,17 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
         this.ldapUrl = ldapUrl;
         this.defaultLdapRealm = ldapRealm;
         this.organizationUnit = organizationUnit;
+        this.userNameRegex = "";
     }
 
     @SuppressWarnings({"rawtypes", "unchecked"})
     @Override
     public boolean authenticate(HttpServletRequest request, Supplier<HttpSession> sessionSupplierOnSuccess, String user, String pass) throws SecurityProviderDeniedAuthentication {
         if (user == null) return false;
+        if(Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)){
+            LOG.debug("Rejecting authenticating attempt for user `{}` due to userNameRegex configuration: {}", user, userNameRegex);
+            return false;
+        }
         checkCanLoad();
 
         if (Strings.isBlank(pass)) {
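Review bot: The new guard is written as `if(Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)){`, with no space after `if` or before `{`, while the adjacent lines in this method use `if (...) {`; `if (Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)) {` matches the file. The debug message also reads "authenticating attempt"; "authentication attempt" is the intended phrase. Note that the message writes the caller-supplied user name verbatim at DEBUG level, which is consistent with the existing login logging but worth keeping in mind if that level is enabled in production. The method continues past the end of this hunk.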