GUACAMOLE-793: Add abstract mechanism for parsing CAS group names.
1 parent
7b8dc36
commit 749e53b
Showing
6 changed files
with
407 additions
and
0 deletions.
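--- /dev/null
+++ b/...ons/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/group/GroupFormat.java
@@ -0,0 +1,41 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.guacamole.auth.cas.group;
+
+import org.apache.guacamole.properties.EnumGuacamoleProperty.PropertyValue;
+
+/**
+* Possible formats of group names received from CAS.
+*/
+public enum GroupFormat {
+
+/**
+* Simple, plain-text group names.
+*/
+@PropertyValue("plain")
+PLAIN,
+
+/**
+* Group names formatted as LDAP DNs.
+*/
+@PropertyValue("ldap")
+LDAP
+
+}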
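--- /dev/null
+++ b/...ons/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/group/GroupParser.java
@@ -0,0 +1,44 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.guacamole.auth.cas.group;
+
+/**
+* Parser which converts the group names returned by CAS into names usable by
+* Guacamole. The format of a CAS group name may vary by the underlying
+* authentication backend. For example, a CAS deployment backed by LDAP may
+* provide group names as LDAP DNs, which must be transformed into normal group
+* names to be usable within Guacamole.
+*
+* @see LDAPGroupParser
+*/
+public interface GroupParser {
+
+/**
+* Parses the given CAS group name into a group name usable by Guacamole.
+*
+* @param casGroup
+* The group name retrieved from CAS.
+*
+* @return
+* A group name usable by Guacamole, or null if the group is not valid.
+*/
+String parse(String casGroup);
+
+}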
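Review bot: The `@param casGroup` Javadoc on `String parse(String casGroup);` does not state whether implementations must tolerate a null argument, although LDAPGroupParser in this same commit explicitly checks for one; future implementations are left to guess. Adding `May be null, in which case null is returned.` to the @param text would pin that part of the contract, and the @return line could likewise say that an empty or null input is never valid.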
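--- /dev/null
+++ b/...guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/group/LDAPGroupParser.java
@@ -0,0 +1,106 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.guacamole.auth.cas.group;
+
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+* GroupParser that converts group names from LDAP DNs into normal group names,
+* using the last (leftmost) attribute of the DN as the name. Groups may
+* optionally be restricted to only those beneath a specific base DN, or only
+* those using a specific attribute as their last (leftmost) attribute.
+*/
+public class LDAPGroupParser implements GroupParser {
+
+/**
+* Logger for this class.
+*/
+private static final Logger logger = LoggerFactory.getLogger(LDAPGroupParser.class);
+
+/**
+* The LDAP attribute to require for all accepted group names. If null, any
+* LDAP attribute will be allowed.
+*/
+private final String nameAttribute;
+
+/**
+* The base DN to require for all accepted group names. If null, ancestor
+* tree structure will not be considered in accepting/rejecting a group.
+*/
+private final LdapName baseDn;
+
+/**
+* Creates a new LDAPGroupParser which applies the given restrictions on
+* any provided group names.
+*
+* @param nameAttribute
+* The LDAP attribute to require for all accepted group names. This
+* restriction applies to the last (leftmost) attribute only, which is
+* always used to determine the name of the group. If null, any LDAP
+* attribute will be allowed in the last (leftmost) position.
+*
+* @param baseDn
+* The base DN to require for all accepted group names. If null,
+* ancestor tree structure will not be considered in
+* accepting/rejecting a group.
+*/
+public LDAPGroupParser(String nameAttribute, LdapName baseDn) {
+this.nameAttribute = nameAttribute;
+this.baseDn = baseDn;
+}
+
+@Override
+public String parse(String casGroup) {
+
+// Reject null/empty group names
+if (casGroup == null || casGroup.isEmpty())
+return null;
+
+// Parse group as an LDAP DN
+LdapName group;
+try {
+group = new LdapName(casGroup);
+}
+catch (InvalidNameException e) {
+logger.debug("CAS group \"{}\" has been rejected as it is not a "
++ "valid LDAP DN.", casGroup, e);
+return null;
+}
+
+// Reject any group that is not beneath the base DN
+if (baseDn != null && !group.startsWith(baseDn))
+return null;
+
+// If a specific name attribute is defined, restrict to groups that
+// use that attribute to distinguish themselves
+Rdn last = group.getRdn(group.size() - 1);
+if (nameAttribute != null && !nameAttribute.equalsIgnoreCase(last.getType()))
+return null;
+
+// The group name is the string value of the final attribute in the DN
+return last.getValue().toString();
+
+}
+
+}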
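Review bot: A CAS group equal to the base DN itself passes `if (baseDn != null && !group.startsWith(baseDn))`, because LdapName.startsWith is true for an identical name, so the base container would be accepted and named after its own leftmost attribute value; presumably only strict descendants are intended, which `if (baseDn != null && (group.size() <= baseDn.size() || !group.startsWith(baseDn)))` would enforce. Separately, `last.getValue()` returns an Object that is a byte[] for hex-encoded (`#...`) RDN values, so `last.getValue().toString()` would then yield an array identity string rather than a usable group name; returning null when the value is not a String keeps rejected input from surfacing as a bogus group. For a multi-valued last RDN (`cn=a+ou=b`) getType()/getValue() report only one of its type/value pairs, which is worth stating in the class Javadoc since the attribute restriction then covers only that pair. `new LdapName(...)` may also yield an empty name for some inputs that are not caught by the isEmpty() check on the raw string, in which case `group.getRdn(group.size() - 1)` throws IndexOutOfBoundsException; a `group.isEmpty()` guard after parsing would be cheap insurance — confirm against LdapName's handling of whitespace-only input.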
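--- /dev/null
+++ b/...uacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/group/PlainGroupParser.java
@@ -0,0 +1,32 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+
+package org.apache.guacamole.auth.cas.group;
+
+/**
+* GroupParser which simply passes through all CAS group names untouched.
+*/
+public class PlainGroupParser implements GroupParser {
+
+@Override
+public String parse(String casGroup) {
+return casGroup;
+}
+
+}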
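Review bot: `return casGroup;` passes empty strings through as valid group names, whereas LDAPGroupParser in this same commit rejects null/empty input and the GroupParser contract reserves null for invalid groups. For consistency, `return (casGroup == null || casGroup.isEmpty()) ? null : casGroup;` would apply the same minimal validation here, or the class Javadoc should state that empty names are returned as-is and left to the caller.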