GetUserModelFromADPrivilegedAction.java

  1. /**
  2.  * Originally contributed by eMation (www.emation.pt)
  3.  */
  4. package org.itracker.services.authentication.adsson;

  6. import org.apache.log4j.Logger;
  7. import org.itracker.model.User;

  9. import javax.naming.Context;
  10. import javax.naming.NamingEnumeration;
  11. import javax.naming.NamingException;
  12. import javax.naming.PartialResultException;
  13. import javax.naming.directory.*;
  14. import java.security.PrivilegedAction;
  15. import java.util.Enumeration;
  16. import java.util.Hashtable;

  18. //TODO: Add Javadocs here

  20. /**
  21.  * @author ricardo
  22.  */
  23. public class GetUserModelFromADPrivilegedAction implements PrivilegedAction<Object> {

  25.     private static String ITRACKER_SUPER_USERS_GROUP = "ITracker Super Users";

  27.     private final Logger logger;
  28.     private String login;
  29.     private String providerUrl;
  30.     private String baseBranch;

  32.     public GetUserModelFromADPrivilegedAction(String login, String baseBranch, String providerUrl) {
  33.         this.logger = Logger.getLogger(getClass());
  34.         this.login = login;
  35.         this.providerUrl = providerUrl;
  36.         this.baseBranch = baseBranch;
  37.     }

  39.     public Object run() {
  40.         try {
  41.             return getUserInfo(login);
  42.         } catch (NamingException e) {
  43.             logger.error(e.getMessage());
  44.             return (null);
  45.         }
  46.     }

  48.     private User getUserInfo(String login) throws NamingException {
  49.         // Set up environment for creating initial context
  50.         Hashtable<String, String> env = new Hashtable<String, String>(11);
  51.         env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  52.         // Must use fully qualified hostname
  53.         env.put(Context.PROVIDER_URL, providerUrl);
  54.         // Request the use of the "GSSAPI" SASL mechanism
  55.         // Authenticate by using already established Kerberos credentials
  56.         env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

  58.         /* Create initial context */
  59.         DirContext ctx = new InitialDirContext(env);
  60.         // do something useful with ctx
  61.         SearchControls sc = new SearchControls();
  62.         sc.setCountLimit(1);
  63.         sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
  64.         String filter = "(&(objectclass=user)(sAMAccountName=" + login + "))";
  65.         NamingEnumeration<?> answer = ctx.search(baseBranch, filter, sc);

  67.         if (!answer.hasMoreElements()) {
  68.             logger.error("A.D. had no info on " + login);
  69.             return (null);
  70.         }

  72.         SearchResult sr;
  73.         try {
  74.             sr = (SearchResult) answer.next();
  75.             logger.info("A.D. had info on " + login);
  76.         } catch (PartialResultException e) {
  77.             logger.error("A.D. had no info on " + login);
  78.             return (null);
  79.         }

  81.         Attributes attributes = sr.getAttributes();
  82.         String mail = "";
  83.         String firstName = "";
  84.         String lastName = "";

  86.         // check that properties are present
  87.         // active directory sometimes doesn't have "mail"
  88.         if ((attributes.get("givenName") == null) || (attributes.get("sn") == null)) {
  89.             logger.error("AD didn't return proper attributes. Check that it has at least [mail, givenName , sn]");
  90.             return (null);
  91.         }

  93.         if (attributes.get("mail") != null) {
  94.             mail = (String) attributes.get("Mail").get();
  95.         }
  96.         if (attributes.get("givenName") != null)
  97.             firstName = (String) attributes.get("givenName").get();
  98.         if (attributes.get("sn") != null) {
  99.             lastName = (String) attributes.get("sn").get();
  100.         }
  101.         logger.info("Got at least givenName and sn from A.D. for user " + login);

  103.         // create user 
  104.         User user = new User();

  106.         user.setEmail(mail);
  107.         user.setFirstName(firstName);
  108.         user.setLastName(lastName);
  109.         user.setLogin(login);
  110.         user.setPassword("notused=");

  112.         // if user belongs to "ITracker Super Users" group
  113.         // make him a super user
  114.         user.setSuperUser(false);

  116.         logger.info("About to check if user " + login + " is a super user");
  117.         logger.debug("User attributes for user " + login + " " + attributes);
  118.         if (attributes.get("memberOf") != null) {
  119.             for (Enumeration<?> groups = attributes.get("memberOf").getAll(); groups.hasMoreElements(); ) {
  120.                 String group = (String) groups.nextElement();
  121.                 logger.info(login + " belongs to NT Group " + group);
  122.                 if (group.indexOf(ITRACKER_SUPER_USERS_GROUP) > 0) {
  123.                     user.setSuperUser(true);
  124.                     logger.info("User " + user.getLogin() + " was made an administrator ");
  125.                 }
  126.             }
  127.         } else {
  128.             logger.info("User attributes didn't contain memberOf...Looks like the A.D. user you specified in the adauth.properties properties file doesn't have enough permissions to check group membership for other users. Give that user enough privileges to read the memberOf attribute from A.D.");
  129.         }

  131.         if (user.isSuperUser()) {
  132.             logger.info(login + " is a super user");
  133.         } else {
  134.             logger.info(login + " is not a super user");
  135.         }

  137.         ctx.close();

  139.         return user;
  140.     }
  141. }
Created with JaCoCo 0.8.5.201910111838