You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@brooklyn.apache.org by he...@apache.org on 2021/09/08 08:52:26 UTC
[brooklyn-server] branch master updated: Separate logic for domain
name and user name regex
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new ec61309 Separate logic for domain name and user name regex
new 47dfe1c This closes #1252
ec61309 is described below
commit ec61309b1bfda17affae1046b1774c5af47493ab
Author: Juan Cabrerizo <ju...@cloudsoft.io>
AuthorDate: Tue Sep 7 18:23:25 2021 +0100
Separate logic for domain name and user name regex
---
.../org/apache/brooklyn/rest/BrooklynWebConfig.java | 5 ++++-
.../rest/security/provider/LdapSecurityProvider.java | 17 +++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
index eee2b49..148456c 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/BrooklynWebConfig.java
@@ -79,8 +79,11 @@ public class BrooklynWebConfig {
return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".sha256");
}
+ public final static ConfigKey<String> LDAP_DOMAIN_REGEX = ConfigKeys.newStringConfigKey(
+ BASE_NAME_SECURITY+".ldap.domain_name_regex","Regex pattern for the domain","");
+
public final static ConfigKey<String> LDAP_USERNAME_REGEX = ConfigKeys.newStringConfigKey(
- BASE_NAME_SECURITY+".ldap.user_name_regex");
+ BASE_NAME_SECURITY+".ldap.user_name_regex","Regex pattern for the username","");
public final static ConfigKey<String> LDAP_URL = ConfigKeys.newStringConfigKey(
BASE_NAME_SECURITY+".ldap.url");
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
index 61dedf8..7721a3c 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/LdapSecurityProvider.java
@@ -75,6 +75,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
private final String defaultLdapRealm;
private final String organizationUnit;
private final String userNameRegex;
+ private final String domainRegex;
private boolean logUserLoginAttempt;
private boolean fetchUserGroups = false;
private List<String> validGroups;
@@ -85,6 +86,7 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
Strings.checkNonEmpty(ldapUrl, "LDAP security provider configuration missing required property " + BrooklynWebConfig.LDAP_URL);
fetchUserGroups = properties.getConfig(BrooklynWebConfig.LDAP_FETCH_USER_GROUPS);
logUserLoginAttempt = properties.getConfig(BrooklynWebConfig.LDAP_LOGIN_INFO_LOG);
+ domainRegex = properties.getConfig(BrooklynWebConfig.LDAP_DOMAIN_REGEX);
userNameRegex = properties.getConfig(BrooklynWebConfig.LDAP_USERNAME_REGEX);
List ldapGroupsPrefixes = properties.getConfig(BrooklynWebConfig.GROUP_CONFIG_KEY_NAME);
if (fetchUserGroups && !ldapGroupsPrefixes.isEmpty()) {
@@ -113,14 +115,16 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
this.defaultLdapRealm = ldapRealm;
this.organizationUnit = organizationUnit;
this.userNameRegex = "";
+ this.domainRegex = "";
}
@SuppressWarnings({"rawtypes", "unchecked"})
@Override
public boolean authenticate(HttpServletRequest request, Supplier<HttpSession> sessionSupplierOnSuccess, String user, String pass) throws SecurityProviderDeniedAuthentication {
if (user == null) return false;
- if(Strings.isNonEmpty(userNameRegex) && !user.matches(userNameRegex)){
- LOG.debug("Rejecting authenticating attempt for user `{}` due to userNameRegex configuration: {}", user, userNameRegex);
+ String ldapRegex = getLdapRegexPattern();
+ if(Strings.isNonEmpty(ldapRegex) && !user.matches(ldapRegex)){
+ LOG.debug("Rejecting authenticating attempt for user `{}` due to userNameRegex configuration: {}", user, ldapRegex);
return false;
}
checkCanLoad();
@@ -160,6 +164,15 @@ public class LdapSecurityProvider extends AbstractSecurityProvider implements Se
}
}
+ private String getLdapRegexPattern() {
+ if(Strings.isBlank(domainRegex) && Strings.isBlank(userNameRegex)) return "";
+ if(Strings.isBlank(domainRegex)) return userNameRegex;
+ return Strings.join(new String[]{
+ domainRegex,
+ Strings.isNonBlank(userNameRegex) ? userNameRegex : ".*"}
+ , "\\\\");
+ }
+
private List<String> getConfiguredGroups(StringConfigMap properties, List<String> prefixes) {
ImmutableList.Builder<String> configuredGroupsBuilder = ImmutableList.builder();
for (String prefix : prefixes){