/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * trunk/opends/resource/legal-notices/OpenDS.LICENSE * or https://OpenDS.dev.java.net/OpenDS.LICENSE. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Copyright 2006-2008 Sun Microsystems, Inc. * Portions copyright 2011-2013 ForgeRock AS. */ package org.opends.server.controls; import java.io.IOException; import java.util.concurrent.locks.Lock; import org.opends.messages.Message; import org.opends.server.api.AuthenticationPolicyState; import org.opends.server.api.IdentityMapper; import org.opends.server.core.DirectoryServer; import org.opends.server.core.PasswordPolicyState; import org.opends.server.loggers.debug.DebugTracer; import org.opends.server.protocols.asn1.ASN1; import org.opends.server.protocols.asn1.ASN1Reader; import org.opends.server.protocols.asn1.ASN1Writer; import org.opends.server.types.*; import static org.opends.messages.ProtocolMessages.*; import static org.opends.server.loggers.debug.DebugLogger.*; import static org.opends.server.util.ServerConstants.*; import static org.opends.server.util.StaticUtils.*; import static org.opends.server.util.Validator.*; /** * This class implements version 2 of the proxied authorization control as * defined in RFC 4370. It makes it possible for one user to request that an * operation be performed under the authorization of another. The target user * is specified using an authorization ID, which may be in the form "dn:" * immediately followed by the DN of that user, or "u:" followed by a user ID * string. */ public class ProxiedAuthV2Control extends Control { /** * ControlDecoder implementation to decode this control from a ByteString. */ private static final class Decoder implements ControlDecoder { /** * {@inheritDoc} */ @Override public ProxiedAuthV2Control decode(boolean isCritical, ByteString value) throws DirectoryException { if (!isCritical) { Message message = ERR_PROXYAUTH2_CONTROL_NOT_CRITICAL.get(); throw new DirectoryException(ResultCode.PROTOCOL_ERROR, message); } if (value == null) { Message message = ERR_PROXYAUTH2_NO_CONTROL_VALUE.get(); throw new DirectoryException(ResultCode.PROTOCOL_ERROR, message); } ASN1Reader reader = ASN1.getReader(value); ByteString authorizationID; try { // Try the legacy encoding where the value is wrapped by an // extra octet string authorizationID = reader.readOctetString(); } catch (Exception e) { // Try just getting the value. authorizationID = value; String lowerAuthZIDStr = toLowerCase(authorizationID.toString()); if (!lowerAuthZIDStr.startsWith("dn:") && !lowerAuthZIDStr.startsWith("u:")) { if (debugEnabled()) { TRACER.debugCaught(DebugLogLevel.ERROR, e); } Message message = ERR_PROXYAUTH2_INVALID_AUTHZID.get(lowerAuthZIDStr); throw new DirectoryException(ResultCode.PROTOCOL_ERROR, message, e); } } return new ProxiedAuthV2Control(isCritical, authorizationID); } @Override public String getOID() { return OID_PROXIED_AUTH_V2; } } /** * The Control Decoder that can be used to decode this control. */ public static final ControlDecoder DECODER = new Decoder(); /** * The tracer object for the debug logger. */ private static final DebugTracer TRACER = getTracer(); // The authorization ID from the control value. private ByteString authorizationID; /** * Creates a new instance of the proxied authorization v2 control with the * provided information. * * @param authorizationID The authorization ID from the control value. */ public ProxiedAuthV2Control(ByteString authorizationID) { this(true, authorizationID); } /** * Creates a new instance of the proxied authorization v2 control with the * provided information. * * @param isCritical Indicates whether support for this control * should be considered a critical part of the * server processing. * @param authorizationID The authorization ID from the control value. */ public ProxiedAuthV2Control(boolean isCritical, ByteString authorizationID) { super(OID_PROXIED_AUTH_V2, isCritical); ensureNotNull(authorizationID); this.authorizationID = authorizationID; } /** * Writes this control's value to an ASN.1 writer. The value (if any) must be * written as an ASN1OctetString. * * @param writer The ASN.1 writer to use. * @throws IOException If a problem occurs while writing to the stream. */ @Override protected void writeValue(ASN1Writer writer) throws IOException { writer.writeOctetString(authorizationID); } /** * Retrieves the authorization ID for this proxied authorization V2 control. * * @return The authorization ID for this proxied authorization V2 control. */ public ByteString getAuthorizationID() { return authorizationID; } /** * Retrieves the authorization entry for this proxied authorization V2 * control. It will also perform any necessary password policy checks to * ensure that the associated user account is suitable for use in performing * this processing. * * @return The entry for user specified as the authorization identity in this * proxied authorization V1 control, or {@code null} if the * authorization DN is the null DN. * * @throws DirectoryException If the target user does not exist or is not * available for use, or if a problem occurs * while making the determination. */ public Entry getAuthorizationEntry() throws DirectoryException { // Check for a zero-length value, which would be for an anonymous user. if (authorizationID.length() == 0) { return null; } // Get a lowercase string representation. It must start with either "dn:" // or "u:". String lowerAuthzID = toLowerCase(authorizationID.toString()); if (lowerAuthzID.startsWith("dn:")) { // It's a DN, so decode it and see if it exists. If it's the null DN, // then just assume that it does. DN authzDN = DN.decode(lowerAuthzID.substring(3)); if (authzDN.isNullDN()) { return null; } else { // See if the authorization DN is one of the alternate bind DNs for one // of the root users and if so then map it accordingly. DN actualDN = DirectoryServer.getActualRootBindDN(authzDN); if (actualDN != null) { authzDN = actualDN; } final Lock entryLock = LockManager.lockRead(authzDN); if (entryLock == null) { throw new DirectoryException(ResultCode.BUSY, ERR_PROXYAUTH2_CANNOT_LOCK_USER.get(String.valueOf(authzDN))); } try { Entry userEntry = DirectoryServer.getEntry(authzDN); if (userEntry == null) { // The requested user does not exist. Message message = ERR_PROXYAUTH2_NO_SUCH_USER.get(lowerAuthzID); throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, message); } // FIXME -- We should provide some mechanism for enabling debug // processing. checkAccountIsUsable(userEntry); // If we've made it here, then the user is acceptable. return userEntry; } finally { LockManager.unlock(authzDN, entryLock); } } } else if (lowerAuthzID.startsWith("u:")) { // If the authorization ID is just "u:", then it's an anonymous request. if (lowerAuthzID.length() == 2) { return null; } // Use the proxied authorization identity mapper to resolve the username // to an entry. IdentityMapper proxyMapper = DirectoryServer.getProxiedAuthorizationIdentityMapper(); if (proxyMapper == null) { Message message = ERR_PROXYAUTH2_NO_IDENTITY_MAPPER.get(); throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, message); } Entry userEntry = proxyMapper.getEntryForID(lowerAuthzID.substring(2)); if (userEntry == null) { Message message = ERR_PROXYAUTH2_NO_SUCH_USER.get(lowerAuthzID); throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, message); } else { // FIXME -- We should provide some mechanism for enabling debug // processing. checkAccountIsUsable(userEntry); return userEntry; } } else { Message message = ERR_PROXYAUTH2_INVALID_AUTHZID.get(lowerAuthzID); throw new DirectoryException(ResultCode.PROTOCOL_ERROR, message); } } private void checkAccountIsUsable(Entry userEntry) throws DirectoryException { AuthenticationPolicyState state = AuthenticationPolicyState.forUser( userEntry, false); if (state.isDisabled()) { Message message = ERR_PROXYAUTH2_UNUSABLE_ACCOUNT.get(String .valueOf(userEntry.getDN())); throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, message); } if (state.isPasswordPolicy()) { PasswordPolicyState pwpState = (PasswordPolicyState) state; if (pwpState.isAccountExpired() || pwpState.lockedDueToFailures() || pwpState.lockedDueToIdleInterval() || pwpState.lockedDueToMaximumResetAge() || pwpState.isPasswordExpired()) { Message message = ERR_PROXYAUTH2_UNUSABLE_ACCOUNT.get(String .valueOf(userEntry.getDN())); throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED, message); } } } /** * Appends a string representation of this proxied authorization v2 control * to the provided buffer. * * @param buffer The buffer to which the information should be appended. */ @Override public void toString(StringBuilder buffer) { buffer.append("ProxiedAuthorizationV2Control(authzID=\""); buffer.append(authorizationID); buffer.append("\")"); } }