Project

General

Profile

« Previous | Next » 

Revision 4589

Added by daigle over 15 years ago

Rename LDAPUtil to AuthUtil

View differences:

src/edu/ucsb/nceas/metacat/util/LDAPUtil.java
1
/**
2
 *  '$RCSfile$'
3
 *    Purpose: A Class that implements administrative methods 
4
 *  Copyright: 2008 Regents of the University of California and the
5
 *             National Center for Ecological Analysis and Synthesis
6
 *    Authors: Michael Daigle
7
 * 
8
 *   '$Author$'
9
 *     '$Date$'
10
 * '$Revision$'
11
 *
12
 * This program is free software; you can redistribute it and/or modify
13
 * it under the terms of the GNU General Public License as published by
14
 * the Free Software Foundation; either version 2 of the License, or
15
 * (at your option) any later version.
16
 *
17
 * This program is distributed in the hope that it will be useful,
18
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20
 * GNU General Public License for more details.
21
 *
22
 * You should have received a copy of the GNU General Public License
23
 * along with this program; if not, write to the Free Software
24
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
25
 */
26

  
27
package edu.ucsb.nceas.metacat.util;
28

  
29
import java.util.Calendar;
30
import java.util.Vector;
31

  
32
import javax.naming.AuthenticationException;
33
import javax.naming.NamingException;
34
import javax.servlet.http.HttpServletRequest;
35
import javax.servlet.http.HttpSession;
36

  
37
import edu.ucsb.nceas.metacat.AuthLdap;
38
import edu.ucsb.nceas.metacat.AuthSession;
39
import edu.ucsb.nceas.metacat.service.PropertyService;
40
import edu.ucsb.nceas.metacat.service.SessionService;
41
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
42
import edu.ucsb.nceas.utilities.StringUtil;
43

  
44
public class LDAPUtil {
45

  
46
	private static Vector<String> administrators = null;
47
	private static Vector<String> moderators = null;
48
	private static Vector<String> allowedSubmitters = null;
49
	private static Vector<String> deniedSubmitters = null;
50

  
51
	/**
52
	 * private constructor - all methods are static so there is no no need to
53
	 * instantiate.
54
	 */
55
	private LDAPUtil() {}
56

  
57
	/**
58
	 * Get the administrators from metacat.properties
59
	 * 
60
	 * @return a Vector of Strings holding the administrators
61
	 */
62
	public static Vector<String> getAdministrators() throws UtilException {
63
		if (administrators == null) {
64
			populateAdministrators();
65
		}
66
		return administrators;
67
	}
68
	
69
	/**
70
	 * Get the allowed submitters from metacat.properties
71
	 * 
72
	 * @return a Vector of Strings holding the submitters
73
	 */
74
	public static Vector<String> getAllowedSubmitters() throws UtilException {
75
		if (allowedSubmitters == null) {			
76
			populateAllowedSubmitters();	
77
		}
78
		return allowedSubmitters;
79
	}
80
	
81
	/**
82
	 * Get the denied submitters from metacat.properties
83
	 * 
84
	 * @return a Vector of Strings holding the denied submitters
85
	 */
86
	public static Vector<String> getDeniedSubmitters() throws UtilException {
87
		if (deniedSubmitters == null) {
88
			populateDeniedSubmitters();
89
		}
90
		return deniedSubmitters;
91
	}
92
	
93
	/**
94
	 * Get the vector of administrator credentials from metacat.properties
95
	 * and put into global administrators list
96
	 */
97
	private static void populateAdministrators() throws UtilException {
98
		String administratorString = null;
99
		try {
100
			administratorString = 
101
				PropertyService.getProperty("ldap.administrators");
102
		} catch (PropertyNotFoundException pnfe) {
103
			throw new UtilException("Could not get metacat property: ldap.administrators. "
104
							+ "There will be no registered metacat adminstrators: "
105
							+ pnfe.getMessage());
106
		}
107
		administrators = StringUtil.toVector(administratorString, ':');
108
	}
109
	
110
	/**
111
	 * Get the vector of allowed submitter credentials from metacat.properties
112
	 * and put into global allowedSubmitters list
113
	 */
114
	private static void populateAllowedSubmitters() throws UtilException {
115
		String allowedSubmitterString = null;
116
		try {
117
			allowedSubmitterString = PropertyService.getProperty("ldap.allowedSubmitters");
118
		} catch (PropertyNotFoundException pnfe) {
119
			throw new UtilException("Could not get metacat property: ldap.allowedSubmitters. "
120
					+ "Anyone will be allowed to submit: "
121
					+ pnfe.getMessage());
122
		}		
123
		allowedSubmitters = StringUtil.toVector(allowedSubmitterString, ':');		
124
	}
125
	
126
	/**
127
	 * Get the vector of denied submitter credentials from metacat.properties
128
	 * and put into global deniedSubmitters list
129
	 */
130
	private static void populateDeniedSubmitters() throws UtilException {
131
		String deniedSubmitterString = null;
132
		try {
133
			deniedSubmitterString = PropertyService.getProperty("ldap.deniedSubmitters");
134
		} catch (PropertyNotFoundException pnfe) {
135
			throw new UtilException("Could not get metacat property: ldap.deniedSubmitters: "
136
					+ pnfe.getMessage());
137
		}		
138
		deniedSubmitters = StringUtil.toVector(deniedSubmitterString, ':');		
139
	}
140

  
141
	/**
142
	 * Validate connectivity to the ldap server. This does not test user
143
	 * authentication. Validation methods return a string error message if there
144
	 * is an issue. This allows the calling code to run several validations and
145
	 * compile the errors into a list that can be displayed on a web page if
146
	 * desired.
147
	 * 
148
	 * @param ldapurl
149
	 *            the url of the ldap server
150
	 * @param ldapbase
151
	 *            the ldap base value to test
152
	 * @return a string holding error message if validation fails.
153
	 */
154
	public static String validateLDAPConnectivity(String ldapurl,
155
			String ldapbase) {
156
		try {
157
			AuthLdap authLdap = new AuthLdap();
158
			authLdap.testCredentials(
159
					"uid=bogusname,o=NCEAS,dc=ecoinformatics,dc=org",
160
					"boguspassword", ldapurl, ldapbase);
161
		} catch (AuthenticationException ae) {
162
			// Do nothing here. We are using dummy uid and password, so we
163
			// expect authentication exceptions
164
		} catch (javax.naming.InvalidNameException ine) {
165
			return "An invalid domain name was provided: " + ine.getMessage();
166
		} catch (NamingException ne) {
167
			return "An invalid ldap name was provided: " + ne.getMessage();
168
		} catch (InstantiationException ie) {
169
			return "Could not instantiate AuthLdap: " + ie.getMessage();
170
		}
171

  
172
		return null;
173
	}
174

  
175
	/**
176
	 * log the user in against ldap.  If the login is successful, add
177
	 * the session information to the session list in SessionUtil.
178
	 * 
179
	 * @param request the http request.
180
	 */
181
	public static boolean logUserIn(HttpServletRequest request, String userName, String organization,
182
			Vector<String> dnList, String password) throws UtilException {
183
		AuthSession authSession = null;
184

  
185
		// make sure we have username and password.
186
		if (userName == null || password == null || dnList == null || dnList.size() == 0) {
187
			throw new UtilException("null username, password, or dn list when logging user in");
188
		}
189

  
190
		// put the login credentials into an LDAP string
191
		String ldapString = createLDAPString(userName, organization, dnList);
192

  
193
		// Create auth session
194
		try {
195
			authSession = new AuthSession();
196
		} catch (Exception e) {
197
			throw new UtilException("Could not instantiate AuthSession: "
198
					+ e.getMessage());
199
		}
200
		// authenticate user against ldap
201
		boolean isValid = authSession.authenticate(request, ldapString,
202
				password);
203
		
204
		// if login was successful, add the session information to the 
205
		// global session list.
206
		if (isValid) {
207
			HttpSession session = authSession.getSessions();
208
			String sessionId = session.getId();
209
			SessionService.registerSession(sessionId, 
210
					(String) session.getAttribute("username"), 
211
					(String[]) session.getAttribute("groupnames"),
212
					(String) session.getAttribute("password"));
213
		}
214
		
215
		return isValid;
216
	}
217

  
218
	/**
219
	 * Checks to see if the user is logged in by grabbing the session from the
220
	 * request and seeing if it exists in the global session list.
221
	 * 
222
	 * @param request the http request that holds the login session
223
	 * @return boolean that is true if the user is logged in, false otherwise
224
	 */
225
	public static boolean isUserLoggedIn(HttpServletRequest request) throws UtilException{
226
		SessionData sessionData = null;
227
		String sessionId = request.getSession().getId();
228

  
229
		try {
230

  
231
			if (sessionId != null && SessionService.isSessionRegistered(sessionId)) {
232
				// get the registered session data
233
				sessionData = SessionService.getRegisteredSession(sessionId);
234

  
235
				// get the timeout limit
236
				String sessionTimeout = PropertyService.getProperty("auth.timeoutMinutes");
237
				int sessionTimeoutInt = Integer.parseInt(sessionTimeout);
238

  
239
				// get the last time the session was accessed
240
				Calendar lastAccessedTime = sessionData.getLastAccessedTime();
241
				// get the current time and set back "sessionTimoutInt" minutes
242
				Calendar now = Calendar.getInstance();
243
				now.add(Calendar.MINUTE, 0 - sessionTimeoutInt);
244

  
245
				// if the last accessed time is before now minus the timeout,
246
				// the session has expired. Unregister it and return false.
247
				if (lastAccessedTime.before(now)) {
248
					SessionService.unRegisterSession(sessionId);
249
					return false;
250
				}
251

  
252
				return true;
253
			}
254
			
255
		} catch (PropertyNotFoundException pnfe) {
256
			throw new UtilException("Could not determine if user is logged in because " 
257
					+ "of property error: " + pnfe.getMessage());
258
		} catch (NumberFormatException nfe) {
259
			throw new UtilException("Could not determine if user is logged in because " 
260
					+ "of number conversion error: " + nfe.getMessage());
261
		}
262

  
263
		return false;
264
	}
265

  
266
	/**
267
	 * Checks to see if the user is logged in as admin by first checking if the
268
	 * user is logged in and then seeing if the user's account is on the
269
	 * administrators list in metacat.properties.
270
	 * 
271
	 * @param request
272
	 *            the http request that holds the login session
273
	 * @return boolean that is true if the user is logged in as admin, false
274
	 *         otherwise
275
	 */
276
	public static boolean isUserLoggedInAsAdmin(HttpServletRequest request) throws UtilException {
277
		if (!isUserLoggedIn(request)) {
278
			return false;
279
		}
280

  
281
		String userName = getUserName(request);
282
		boolean isAdmin = isAdministrator(userName, null);
283

  
284
		return isAdmin;
285
	}
286

  
287
	/**
288
	 * Gets the user name from the login session on the http request
289
	 * 
290
	 * @param request
291
	 *            the http request that holds the login session
292
	 * @return String that holds the user name
293
	 */
294
	public static String getUserName(HttpServletRequest request) {
295
		String userName = (String)request.getSession().getAttribute("username");
296

  
297
		return userName;
298
	}
299

  
300
	/**
301
	 * Gets the user group names from the login session on the http request
302
	 * 
303
	 * @param request
304
	 *            the http request that holds the login session
305
	 * @return String array that holds the user groups
306
	 */
307
	public static String[] getGroupNames(HttpServletRequest request) {
308
		String sessionId = request.getSession().getId();;
309
		SessionData sessionData = SessionService.getRegisteredSession(sessionId);
310
		String[] groupNames = { "" };
311

  
312
		if (sessionData != null) {
313
			groupNames = sessionData.getGroupNames();
314
		}
315

  
316
		return groupNames;
317
	}
318

  
319
	/**
320
	 * Creates an ldap credentail string from the username, organization
321
	 * and dn list.
322
	 * 
323
	 * @param username the user name
324
	 * @param organization the organization
325
	 * @param dnList a list of dns
326
	 * @return String holding the ldap login string
327
	 */	
328
	public static String createLDAPString(String username, String organization,
329
			Vector<String> dnList) throws UtilException {
330

  
331
		if (username == null || organization == null || dnList == null || dnList.size() == 0) {
332
			throw new UtilException("Could not generate LDAP user string.  One of the following is null: username, organization or dnlist");
333
		}
334

  
335
		String ldapString = "uid=" + username + ",o=" + organization;
336

  
337
		for (String dn : dnList) {
338
			ldapString += "," + dn;
339
		}
340

  
341
		return ldapString;
342
	}
343

  
344
	/**
345
	 * Reports whether LDAP is fully configured.
346
	 * 
347
	 * @return a boolean that is true if all sections are configured and false
348
	 *         otherwise
349
	 */
350
	public static boolean isLDAPConfigured() throws UtilException {
351
		String ldapConfiguredString = PropertyService.UNCONFIGURED;
352
		try {
353
			ldapConfiguredString = PropertyService.getProperty("configutil.ldapConfigured");
354
		} catch (PropertyNotFoundException pnfe) {
355
			throw new UtilException("Could not determine if LDAP is configured: "
356
					+ pnfe.getMessage());
357
		}
358
		return !ldapConfiguredString.equals(PropertyService.UNCONFIGURED);
359
	}
360

  
361
	/**
362
	 * Check if the specified user is part of the administrators list
363
	 * 
364
	 * @param username
365
	 *            the user login credentails
366
	 * @param groups
367
	 *            a list of the user's groups
368
	 */
369
	public static boolean isAdministrator(String username, String[] groups)
370
			throws UtilException {
371
		return onAccessList(getAdministrators(), username, groups);
372
	}
373

  
374
	/**
375
	 * Check if the specified user is part of the moderators list
376
	 * 
377
	 * @param username
378
	 *            the user login credentails
379
	 * @param groups
380
	 *            a list of the user's groups
381
	 */
382
	public static boolean isModerator(String username, String[] groups) {
383
		return onAccessList(moderators, username, groups);
384
	}
385

  
386
	/**
387
	 * Check if the specified user is part of the moderators list
388
	 * 
389
	 * @param username
390
	 *            the user login credentails
391
	 * @param groups
392
	 *            a list of the user's groups
393
	 */
394
	public static boolean isAllowedSubmitter(String username, String[] groups)
395
			throws UtilException {
396
		if (getAllowedSubmitters().size() == 0) {
397
			// no allowedSubmitters list specified -
398
			// hence everyone should be allowed
399
			return true;
400
		}
401
		return (onAccessList(getAllowedSubmitters(), username, groups));
402
	}
403

  
404
	/**
405
	 * Check if the specified user is part of the moderators list
406
	 * 
407
	 * @param username
408
	 *            the user login credentails
409
	 * @param groups
410
	 *            a list of the user's groups
411
	 */
412
	public static boolean isDeniedSubmitter(String username, String[] groups)
413
			throws UtilException {
414
		return (onAccessList(getDeniedSubmitters(), username, groups));
415
	}
416

  
417
	/**
418
	 * Check if the specified user can insert the document
419
	 * 
420
	 * @param username
421
	 *            the user login credentails
422
	 * @param groups
423
	 *            a list of the user's groups
424
	 */
425
	public static boolean canInsertOrUpdate(String username, String[] groups)
426
			throws UtilException {
427
		return (isAllowedSubmitter(username, groups) && !isDeniedSubmitter(username,
428
				groups));
429
	}
430

  
431
	/**
432
	 * Check if the user is on a given access list.  This is true if either the 
433
	 * user or the user's group is on the list.
434
	 * 
435
	 * @param accessList the list we want to check against
436
	 * @param username the name of the user we want to check
437
	 * @param groups a list of the user's groups
438
	 */
439
	private static boolean onAccessList(Vector<String> accessList, String username,
440
			String[] groups) {
441

  
442
		// this should never happen.  All calls to this method should use the 
443
		// appropriate getter to retrieve the accessList.  That should guarentee
444
		// that the access is at least an empty Vector.
445
		if (accessList == null) {
446
			return false;
447
		}
448

  
449
		// Check that the user is authenticated as an administrator account
450
		for (String accessString : accessList) {
451
			// check the given admin dn is a group dn...
452
			if (groups != null && accessString.startsWith("cn=")) {
453
				// is a group dn
454
				for (int j = 0; j < groups.length; j++) {
455
					if (groups[j].equals(accessString)) {
456
						return true;
457
					}
458
				}
459
			} else {
460
				// is a user dn
461
				if (username != null && username.equals(accessString)) {
462
					return true;
463
				}
464
			}
465
		}
466
		return false;
467
	}
468

  
469
}
470 0

  
src/edu/ucsb/nceas/metacat/MetacatReplication.java
39 39
import edu.ucsb.nceas.metacat.service.DatabaseService;
40 40
import edu.ucsb.nceas.metacat.service.PropertyService;
41 41
import edu.ucsb.nceas.metacat.service.SessionService;
42
import edu.ucsb.nceas.metacat.util.LDAPUtil;
42
import edu.ucsb.nceas.metacat.util.AuthUtil;
43 43
import edu.ucsb.nceas.metacat.util.MetaCatUtil;
44 44
import edu.ucsb.nceas.metacat.util.SessionData;
45 45
import edu.ucsb.nceas.metacat.util.SystemUtil;
......
205 205
           username = sessionData.getUserName();
206 206
           logMetacat.warn("The user name from session is: "+ username);
207 207
           groupnames = sessionData.getGroupNames();
208
           if (!LDAPUtil.isAdministrator(username, groupnames)) 
208
           if (!AuthUtil.isAdministrator(username, groupnames)) 
209 209
           {
210 210
               PrintWriter out = response.getWriter();
211 211
               out.print("<error>");
src/edu/ucsb/nceas/metacat/MetaCatServlet.java
83 83
import edu.ucsb.nceas.metacat.service.XMLSchemaService;
84 84
import edu.ucsb.nceas.metacat.spatial.SpatialHarvester;
85 85
import edu.ucsb.nceas.metacat.spatial.SpatialQuery;
86
import edu.ucsb.nceas.metacat.util.LDAPUtil;
86
import edu.ucsb.nceas.metacat.util.AuthUtil;
87 87
import edu.ucsb.nceas.metacat.util.MetaCatUtil;
88 88
import edu.ucsb.nceas.metacat.util.RequestUtil;
89 89
import edu.ucsb.nceas.metacat.util.SystemUtil;
......
812 812
						out.println(name);
813 813
						out.println("\n</name>\n");
814 814
					}
815
					if (LDAPUtil.isAdministrator(userName, groupNames)) {
815
					if (AuthUtil.isAdministrator(userName, groupNames)) {
816 816
						out.println("<isAdministrator></isAdministrator>\n");
817 817
					}
818
					if (LDAPUtil.isModerator(userName, groupNames)) {
818
					if (AuthUtil.isModerator(userName, groupNames)) {
819 819
						out.println("<isModerator></isModerator>\n");
820 820
					}
821 821
					out.println("\n</user>\n");
......
2061 2061
        }
2062 2062
        
2063 2063
        try {
2064
			if (!LDAPUtil.canInsertOrUpdate(user, groups)) {
2064
			if (!AuthUtil.canInsertOrUpdate(user, groups)) {
2065 2065
				out.println("<?xml version=\"1.0\"?>");
2066 2066
				out.println("<error>");
2067 2067
				out.println("User '" + user + "' not allowed to insert and update");
......
2664 2664
            PrintWriter out = response.getWriter();
2665 2665
            
2666 2666
            // Check that the user is authenticated as an administrator account
2667
            if (!LDAPUtil.isAdministrator(username, groups)) {
2667
            if (!AuthUtil.isAdministrator(username, groups)) {
2668 2668
                out.print("<error>");
2669 2669
                out.print("The user \"" + username +
2670 2670
                        "\" is not authorized for this action.");
......
2742 2742
            PrintWriter out = response.getWriter();
2743 2743
            
2744 2744
            // Check that the user is authenticated as an administrator account
2745
            if (!LDAPUtil.isAdministrator(username, groups)) {
2745
            if (!AuthUtil.isAdministrator(username, groups)) {
2746 2746
                out.print("<error>");
2747 2747
                out.print("The user \"" + username +
2748 2748
                        "\" is not authorized for this action.");
src/edu/ucsb/nceas/metacat/DocumentImpl.java
58 58
import edu.ucsb.nceas.metacat.service.XMLSchema;
59 59
import edu.ucsb.nceas.metacat.service.XMLSchemaService;
60 60
import edu.ucsb.nceas.metacat.spatial.SpatialHarvester;
61
import edu.ucsb.nceas.metacat.util.LDAPUtil;
61
import edu.ucsb.nceas.metacat.util.AuthUtil;
62 62
import edu.ucsb.nceas.metacat.util.MetaCatUtil;
63 63
import edu.ucsb.nceas.metacat.util.SystemUtil;
64 64
import edu.ucsb.nceas.utilities.FileUtil;
......
2628 2628
        if (action.equals("UPDATE")) {
2629 2629
            // check for 'write' permission for 'user' to update this document
2630 2630
            if (!hasWritePermission(user, groups, accnum) 
2631
            		&& !LDAPUtil.isAdministrator(user, groups)) {
2631
            		&& !AuthUtil.isAdministrator(user, groups)) {
2632 2632
                throw new Exception(
2633 2633
                    "User " + user
2634 2634
                    + " does not have permission to update XML Document #"
......
3082 3082
            double start = System.currentTimeMillis()/1000;
3083 3083
            // check for 'write' permission for 'user' to delete this document
3084 3084
            if (!hasAllPermission(user, groups, accnum)) {
3085
                if(!LDAPUtil.isAdministrator(user, groups)){
3085
                if(!AuthUtil.isAdministrator(user, groups)){
3086 3086
                    throw new Exception(
3087 3087
                        "User " + user
3088 3088
                        + " does not have permission to delete XML Document #"
src/edu/ucsb/nceas/metacat/service/PropertyService.java
60 60
	
61 61
	private static final String MAIN_CONFIG_NAME = "metacat.properties";
62 62
	private static final String ORG_CONFIG_NAME = "org.properties";
63
	private static final String LDAP_CONFIG_NAME = "ldap.properties";
63
	private static final String AUTH_CONFIG_NAME = "auth.properties";
64 64
	
65 65
	private static boolean bypassAlreadyChecked = false;
66 66
	
......
79 79
	private static String orgMetaDataFilePath = null;
80 80
	private static PropertiesMetaData orgMetaData = null;
81 81
	
82
	private static String ldapBackupPropertiesFilePath = null;
83
	private static SortedProperties ldapBackupProperties = null;
82
	private static String authBackupPropertiesFilePath = null;
83
	private static SortedProperties authBackupProperties = null;
84 84
	
85
	private static String ldapMetaDataFilePath = null;
86
	private static PropertiesMetaData ldapMetaData = null;
85
	private static String authMetaDataFilePath = null;
86
	private static PropertiesMetaData authMetaData = null;
87 87
	
88 88
	
89 89
	private static Logger logMetacat = Logger.getLogger(PropertyService.class);
......
162 162
			}
163 163
			
164 164

  
165
			// ldapMetaData holds configuration information about organization level 
165
			// authMetaData holds configuration information about organization level 
166 166
			// properties.  This is primarily used to display input fields on 
167
			// the ldap configuration page. The information is retrieved 
168
			// from an xml metadata file dedicated just to ldap properties.
169
			ldapMetaDataFilePath = configDir + FileUtil.getFS() + LDAP_CONFIG_NAME + ".metadata.xml";
170
			if (ldapMetaData == null) {
171
				ldapMetaData = new PropertiesMetaData(ldapMetaDataFilePath);
167
			// the auth configuration page. The information is retrieved 
168
			// from an xml metadata file dedicated just to auth properties.
169
			authMetaDataFilePath = configDir + FileUtil.getFS() + AUTH_CONFIG_NAME + ".metadata.xml";
170
			if (authMetaData == null) {
171
				authMetaData = new PropertiesMetaData(authMetaDataFilePath);
172 172
			}
173 173
		} catch (TransformerException te) {
174 174
			throw new GeneralPropertyException(te.getMessage());
......
198 198
			orgBackupProperties.load();
199 199
		}
200 200
		
201
		// The ldapBackupProperties hold properties that were backed up the 
202
		// last time the LDAP was configured.  On disk, the file will
201
		// The authBackupProperties hold properties that were backed up the 
202
		// last time the auth was configured.  On disk, the file will
203 203
		// look like a smaller version of metacat.properties.  It is stored 
204 204
		// in the data storage directory outside the application directories.
205
		ldapBackupPropertiesFilePath = backupDirPath + FileUtil.getFS() +  LDAP_CONFIG_NAME + ".backup";
206
		if (ldapBackupProperties == null) {
207
			ldapBackupProperties = 
208
				new SortedProperties(ldapBackupPropertiesFilePath);
209
			ldapBackupProperties.load();
205
		authBackupPropertiesFilePath = backupDirPath + FileUtil.getFS() +  AUTH_CONFIG_NAME + ".backup";
206
		if (authBackupProperties == null) {
207
			authBackupProperties = 
208
				new SortedProperties(authBackupPropertiesFilePath);
209
			authBackupProperties.load();
210 210
		}
211 211
	
212 212
	}
......
318 318
	}
319 319
	
320 320
	/**
321
	 * Get the LDAP backup properties file. These are configurable 
321
	 * Get the auth backup properties file. These are configurable 
322 322
	 * properties that are stored outside the metacat install directories so 
323 323
	 * the user does not need to re-enter all the configuration information 
324 324
	 * every time they do an upgrade.
325 325
	 * 
326 326
	 * @return a SortedProperties object with the backup properties
327 327
	 */
328
	public static SortedProperties getLDAPBackupProperties() {
329
		return ldapBackupProperties;
328
	public static SortedProperties getAuthBackupProperties() {
329
		return authBackupProperties;
330 330
	}
331 331
	
332 332
	/**
......
351 351
	}
352 352
	
353 353
	/**
354
	 * Get the LDAP properties metadata. This is retrieved from an xml
354
	 * Get the auth properties metadata. This is retrieved from an xml
355 355
	 * file that describes the attributes of configurable properties.
356 356
	 * 
357 357
	 * @return a PropertiesMetaData object with the organization properties
358 358
	 *         metadata
359 359
	 */
360
	public static PropertiesMetaData getLDAPMetaData() {
361
		return ldapMetaData;
360
	public static PropertiesMetaData getAuthMetaData() {
361
		return authMetaData;
362 362
	}
363 363
	
364 364
	/**
......
445 445
	/**
446 446
	 * Writes out backup configurable properties to a file.
447 447
	 */
448
	public static void persistLDAPBackupProperties(ServletContext servletContext)
448
	public static void persistAuthBackupProperties(ServletContext servletContext)
449 449
			throws GeneralPropertyException {
450 450

  
451 451
		// Use the metadata to extract configurable properties from the 
452 452
		// overall properties list, and store those properties.
453 453
		try {
454 454
			SortedProperties backupProperties = 
455
				new SortedProperties(ldapBackupPropertiesFilePath);
455
				new SortedProperties(authBackupPropertiesFilePath);
456 456
			
457
			// Populate the backup properties for ldap properties using
457
			// Populate the backup properties for auth properties using
458 458
			// the associated metadata file
459
			PropertiesMetaData ldapMetadata = new PropertiesMetaData(ldapMetaDataFilePath);
459
			PropertiesMetaData authMetadata = new PropertiesMetaData(authMetaDataFilePath);
460 460

  
461
			Set<String> ldapKeySet = ldapMetadata.getKeys();
462
			for (String propertyKey : ldapKeySet) {
461
			Set<String> authKeySet = authMetadata.getKeys();
462
			for (String propertyKey : authKeySet) {
463 463
				backupProperties.addProperty(propertyKey, getProperty(propertyKey));
464 464
			}
465 465
			
466 466
			// store the properties to file
467 467
			backupProperties.store();
468
			ldapBackupProperties = 
469
				new SortedProperties(ldapBackupPropertiesFilePath);
470
			ldapBackupProperties.load();
468
			authBackupProperties = 
469
				new SortedProperties(authBackupPropertiesFilePath);
470
			authBackupProperties.load();
471 471

  
472 472
		} catch (TransformerException te) {
473 473
			throw new GeneralPropertyException("Could not transform backup properties xml: "
......
560 560
//				setPropertyNoPersist(orgBackupPropertyName, value);
561 561
//			}
562 562

  
563
			logMetacat.debug("bypassConfiguration: setting ldap backup properties.");
564
			SortedProperties ldapBackupProperties = getLDAPBackupProperties();
565
			Vector<String> ldapBackupPropertyNames = 
566
				ldapBackupProperties.getPropertyNames();
567
			for (String ldapBackupPropertyName : ldapBackupPropertyNames) {
568
				String value = ldapBackupProperties.getProperty(ldapBackupPropertyName);
569
				setPropertyNoPersist(ldapBackupPropertyName, value);
563
			logMetacat.debug("bypassConfiguration: setting auth backup properties.");
564
			SortedProperties authBackupProperties = getAuthBackupProperties();
565
			Vector<String> authBackupPropertyNames = 
566
				authBackupProperties.getPropertyNames();
567
			for (String authBackupPropertyName : authBackupPropertyNames) {
568
				String value = authBackupProperties.getProperty(authBackupPropertyName);
569
				setPropertyNoPersist(authBackupPropertyName, value);
570 570
			}
571 571

  
572 572
			logMetacat.debug("bypassConfiguration: setting configutil sections to true.");
573 573
			setPropertyNoPersist("configutil.propertiesConfigured", "true");
574
			setPropertyNoPersist("configutil.ldapConfigured", "true");
574
			setPropertyNoPersist("configutil.authConfigured", "true");
575 575
//			setPropertyNoPersist("configutil.organizationsConfigured", "true");
576 576
			setPropertyNoPersist("configutil.skinsConfigured", "true");
577 577
			setPropertyNoPersist("configutil.databaseConfigured", "true");
src/edu/ucsb/nceas/metacat/util/AuthUtil.java
1
/**
2
 *  '$RCSfile$'
3
 *    Purpose: A Class that implements administrative methods 
4
 *  Copyright: 2008 Regents of the University of California and the
5
 *             National Center for Ecological Analysis and Synthesis
6
 *    Authors: Michael Daigle
7
 * 
8
 *   '$Author$'
9
 *     '$Date$'
10
 * '$Revision$'
11
 *
12
 * This program is free software; you can redistribute it and/or modify
13
 * it under the terms of the GNU General Public License as published by
14
 * the Free Software Foundation; either version 2 of the License, or
15
 * (at your option) any later version.
16
 *
17
 * This program is distributed in the hope that it will be useful,
18
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20
 * GNU General Public License for more details.
21
 *
22
 * You should have received a copy of the GNU General Public License
23
 * along with this program; if not, write to the Free Software
24
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
25
 */
26

  
27
package edu.ucsb.nceas.metacat.util;
28

  
29
import java.util.Calendar;
30
import java.util.Vector;
31

  
32
import javax.naming.AuthenticationException;
33
import javax.naming.NamingException;
34
import javax.servlet.http.HttpServletRequest;
35
import javax.servlet.http.HttpSession;
36

  
37
import edu.ucsb.nceas.metacat.AuthLdap;
38
import edu.ucsb.nceas.metacat.AuthSession;
39
import edu.ucsb.nceas.metacat.service.PropertyService;
40
import edu.ucsb.nceas.metacat.service.SessionService;
41
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
42
import edu.ucsb.nceas.utilities.StringUtil;
43

  
44
public class AuthUtil {
45

  
46
	private static Vector<String> administrators = null;
47
	private static Vector<String> moderators = null;
48
	private static Vector<String> allowedSubmitters = null;
49
	private static Vector<String> deniedSubmitters = null;
50

  
51
	/**
52
	 * private constructor - all methods are static so there is no no need to
53
	 * instantiate.
54
	 */
55
	private AuthUtil() {}
56

  
57
	/**
58
	 * Get the administrators from metacat.properties
59
	 * 
60
	 * @return a Vector of Strings holding the administrators
61
	 */
62
	public static Vector<String> getAdministrators() throws UtilException {
63
		if (administrators == null) {
64
			populateAdministrators();
65
		}
66
		return administrators;
67
	}
68
	
69
	/**
70
	 * Get the allowed submitters from metacat.properties
71
	 * 
72
	 * @return a Vector of Strings holding the submitters
73
	 */
74
	public static Vector<String> getAllowedSubmitters() throws UtilException {
75
		if (allowedSubmitters == null) {			
76
			populateAllowedSubmitters();	
77
		}
78
		return allowedSubmitters;
79
	}
80
	
81
	/**
82
	 * Get the denied submitters from metacat.properties
83
	 * 
84
	 * @return a Vector of Strings holding the denied submitters
85
	 */
86
	public static Vector<String> getDeniedSubmitters() throws UtilException {
87
		if (deniedSubmitters == null) {
88
			populateDeniedSubmitters();
89
		}
90
		return deniedSubmitters;
91
	}
92
	
93
	/**
94
	 * Get the vector of administrator credentials from metacat.properties
95
	 * and put into global administrators list
96
	 */
97
	private static void populateAdministrators() throws UtilException {
98
		String administratorString = null;
99
		try {
100
			administratorString = 
101
				PropertyService.getProperty("auth.administrators");
102
		} catch (PropertyNotFoundException pnfe) {
103
			throw new UtilException("Could not get metacat property: auth.administrators. "
104
							+ "There will be no registered metacat adminstrators: "
105
							+ pnfe.getMessage());
106
		}
107
		administrators = StringUtil.toVector(administratorString, ':');
108
	}
109
	
110
	/**
111
	 * Get the vector of allowed submitter credentials from metacat.properties
112
	 * and put into global allowedSubmitters list
113
	 */
114
	private static void populateAllowedSubmitters() throws UtilException {
115
		String allowedSubmitterString = null;
116
		try {
117
			allowedSubmitterString = PropertyService.getProperty("auth.allowedSubmitters");
118
		} catch (PropertyNotFoundException pnfe) {
119
			throw new UtilException("Could not get metacat property: auth.allowedSubmitters. "
120
					+ "Anyone will be allowed to submit: "
121
					+ pnfe.getMessage());
122
		}		
123
		allowedSubmitters = StringUtil.toVector(allowedSubmitterString, ':');		
124
	}
125
	
126
	/**
127
	 * Get the vector of denied submitter credentials from metacat.properties
128
	 * and put into global deniedSubmitters list
129
	 */
130
	private static void populateDeniedSubmitters() throws UtilException {
131
		String deniedSubmitterString = null;
132
		try {
133
			deniedSubmitterString = PropertyService.getProperty("auth.deniedSubmitters");
134
		} catch (PropertyNotFoundException pnfe) {
135
			throw new UtilException("Could not get metacat property: auth.deniedSubmitters: "
136
					+ pnfe.getMessage());
137
		}		
138
		deniedSubmitters = StringUtil.toVector(deniedSubmitterString, ':');		
139
	}
140

  
141
//	/**
142
//	 * Validate connectivity to the ldap server. This does not test user
143
//	 * authentication. Validation methods return a string error message if there
144
//	 * is an issue. This allows the calling code to run several validations and
145
//	 * compile the errors into a list that can be displayed on a web page if
146
//	 * desired.
147
//	 * 
148
//	 * @param ldapurl
149
//	 *            the url of the ldap server
150
//	 * @param ldapbase
151
//	 *            the ldap base value to test
152
//	 * @return a string holding error message if validation fails.
153
//	 */
154
//	public static String validateLDAPConnectivity(String ldapurl,
155
//			String ldapbase) {
156
//		try {
157
//			AuthLdap authLdap = new AuthLdap();
158
//			authLdap.testCredentials(
159
//					"uid=bogusname,o=NCEAS,dc=ecoinformatics,dc=org",
160
//					"boguspassword", ldapurl, ldapbase);
161
//		} catch (AuthenticationException ae) {
162
//			// Do nothing here. We are using dummy uid and password, so we
163
//			// expect authentication exceptions
164
//		} catch (javax.naming.InvalidNameException ine) {
165
//			return "An invalid domain name was provided: " + ine.getMessage();
166
//		} catch (NamingException ne) {
167
//			return "An invalid ldap name was provided: " + ne.getMessage();
168
//		} catch (InstantiationException ie) {
169
//			return "Could not instantiate AuthLdap: " + ie.getMessage();
170
//		}
171
//
172
//		return null;
173
//	}
174

  
175
	/**
176
	 * log the user in against ldap.  If the login is successful, add
177
	 * the session information to the session list in SessionUtil.
178
	 * 
179
	 * @param request the http request.
180
	 */
181
	public static boolean logUserIn(HttpServletRequest request, String userName, String password) throws UtilException {
182
		AuthSession authSession = null;
183

  
184
		// make sure we have username and password.
185
		if (userName == null || password == null) {
186
			throw new UtilException("null username, password, or dn list when logging user in");
187
		}
188

  
189
		// put the login credentials into an LDAP string
190
//		String ldapString = createLDAPString(userName, organization, dnList);
191

  
192
		// Create auth session
193
		try {
194
			authSession = new AuthSession();
195
		} catch (Exception e) {
196
			throw new UtilException("Could not instantiate AuthSession: "
197
					+ e.getMessage());
198
		}
199
		// authenticate user against ldap
200
		boolean isValid = authSession.authenticate(request, userName,
201
				password);
202
		
203
		// if login was successful, add the session information to the 
204
		// global session list.
205
		if (isValid) {
206
			HttpSession session = authSession.getSessions();
207
			String sessionId = session.getId();
208
			SessionService.registerSession(sessionId, 
209
					(String) session.getAttribute("username"), 
210
					(String[]) session.getAttribute("groupnames"),
211
					(String) session.getAttribute("password"));
212
		}
213
		
214
		return isValid;
215
	}
216

  
217
	/**
218
	 * Checks to see if the user is logged in by grabbing the session from the
219
	 * request and seeing if it exists in the global session list.
220
	 * 
221
	 * @param request the http request that holds the login session
222
	 * @return boolean that is true if the user is logged in, false otherwise
223
	 */
224
	public static boolean isUserLoggedIn(HttpServletRequest request) throws UtilException{
225
		SessionData sessionData = null;
226
		String sessionId = request.getSession().getId();
227

  
228
		try {
229

  
230
			if (sessionId != null && SessionService.isSessionRegistered(sessionId)) {
231
				// get the registered session data
232
				sessionData = SessionService.getRegisteredSession(sessionId);
233

  
234
				// get the timeout limit
235
				String sessionTimeout = PropertyService.getProperty("auth.timeoutMinutes");
236
				int sessionTimeoutInt = Integer.parseInt(sessionTimeout);
237

  
238
				// get the last time the session was accessed
239
				Calendar lastAccessedTime = sessionData.getLastAccessedTime();
240
				// get the current time and set back "sessionTimoutInt" minutes
241
				Calendar now = Calendar.getInstance();
242
				now.add(Calendar.MINUTE, 0 - sessionTimeoutInt);
243

  
244
				// if the last accessed time is before now minus the timeout,
245
				// the session has expired. Unregister it and return false.
246
				if (lastAccessedTime.before(now)) {
247
					SessionService.unRegisterSession(sessionId);
248
					return false;
249
				}
250

  
251
				return true;
252
			}
253
			
254
		} catch (PropertyNotFoundException pnfe) {
255
			throw new UtilException("Could not determine if user is logged in because " 
256
					+ "of property error: " + pnfe.getMessage());
257
		} catch (NumberFormatException nfe) {
258
			throw new UtilException("Could not determine if user is logged in because " 
259
					+ "of number conversion error: " + nfe.getMessage());
260
		}
261

  
262
		return false;
263
	}
264

  
265
	/**
266
	 * Checks to see if the user is logged in as admin by first checking if the
267
	 * user is logged in and then seeing if the user's account is on the
268
	 * administrators list in metacat.properties.
269
	 * 
270
	 * @param request
271
	 *            the http request that holds the login session
272
	 * @return boolean that is true if the user is logged in as admin, false
273
	 *         otherwise
274
	 */
275
	public static boolean isUserLoggedInAsAdmin(HttpServletRequest request) throws UtilException {
276
		if (!isUserLoggedIn(request)) {
277
			return false;
278
		}
279

  
280
		String userName = getUserName(request);
281
		boolean isAdmin = isAdministrator(userName, null);
282

  
283
		return isAdmin;
284
	}
285

  
286
	/**
287
	 * Gets the user name from the login session on the http request
288
	 * 
289
	 * @param request
290
	 *            the http request that holds the login session
291
	 * @return String that holds the user name
292
	 */
293
	public static String getUserName(HttpServletRequest request) {
294
		String userName = (String)request.getSession().getAttribute("username");
295

  
296
		return userName;
297
	}
298

  
299
	/**
300
	 * Gets the user group names from the login session on the http request
301
	 * 
302
	 * @param request
303
	 *            the http request that holds the login session
304
	 * @return String array that holds the user groups
305
	 */
306
	public static String[] getGroupNames(HttpServletRequest request) {
307
		String sessionId = request.getSession().getId();;
308
		SessionData sessionData = SessionService.getRegisteredSession(sessionId);
309
		String[] groupNames = { "" };
310

  
311
		if (sessionData != null) {
312
			groupNames = sessionData.getGroupNames();
313
		}
314

  
315
		return groupNames;
316
	}
317

  
318
	/**
319
	 * Creates an ldap credentail string from the username, organization
320
	 * and dn list.
321
	 * 
322
	 * @param username the user name
323
	 * @param organization the organization
324
	 * @param dnList a list of dns
325
	 * @return String holding the ldap login string
326
	 */	
327
	public static String createLDAPString(String username, String organization,
328
			Vector<String> dnList) throws UtilException {
329

  
330
		if (username == null || organization == null || dnList == null || dnList.size() == 0) {
331
			throw new UtilException("Could not generate LDAP user string.  One of the following is null: username, organization or dnlist");
332
		}
333

  
334
		String ldapString = "uid=" + username + ",o=" + organization;
335

  
336
		for (String dn : dnList) {
337
			ldapString += "," + dn;
338
		}
339

  
340
		return ldapString;
341
	}
342

  
343
	/**
344
	 * Reports whether LDAP is fully configured.
345
	 * 
346
	 * @return a boolean that is true if all sections are configured and false
347
	 *         otherwise
348
	 */
349
	public static boolean isAuthConfigured() throws UtilException {
350
		String authConfiguredString = PropertyService.UNCONFIGURED;
351
		try {
352
			authConfiguredString = PropertyService.getProperty("configutil.authConfigured");
353
		} catch (PropertyNotFoundException pnfe) {
354
			throw new UtilException("Could not determine if LDAP is configured: "
355
					+ pnfe.getMessage());
356
		}
357
		return !authConfiguredString.equals(PropertyService.UNCONFIGURED);
358
	}
359

  
360
	/**
361
	 * Check if the specified user is part of the administrators list
362
	 * 
363
	 * @param username
364
	 *            the user login credentails
365
	 * @param groups
366
	 *            a list of the user's groups
367
	 */
368
	public static boolean isAdministrator(String username, String[] groups)
369
			throws UtilException {
370
		return onAccessList(getAdministrators(), username, groups);
371
	}
372

  
373
	/**
374
	 * Check if the specified user is part of the moderators list
375
	 * 
376
	 * @param username
377
	 *            the user login credentails
378
	 * @param groups
379
	 *            a list of the user's groups
380
	 */
381
	public static boolean isModerator(String username, String[] groups) {
382
		return onAccessList(moderators, username, groups);
383
	}
384

  
385
	/**
386
	 * Check if the specified user is part of the moderators list
387
	 * 
388
	 * @param username
389
	 *            the user login credentails
390
	 * @param groups
391
	 *            a list of the user's groups
392
	 */
393
	public static boolean isAllowedSubmitter(String username, String[] groups)
394
			throws UtilException {
395
		if (getAllowedSubmitters().size() == 0) {
396
			// no allowedSubmitters list specified -
397
			// hence everyone should be allowed
398
			return true;
399
		}
400
		return (onAccessList(getAllowedSubmitters(), username, groups));
401
	}
402

  
403
	/**
404
	 * Check if the specified user is part of the moderators list
405
	 * 
406
	 * @param username
407
	 *            the user login credentails
408
	 * @param groups
409
	 *            a list of the user's groups
410
	 */
411
	public static boolean isDeniedSubmitter(String username, String[] groups)
412
			throws UtilException {
413
		return (onAccessList(getDeniedSubmitters(), username, groups));
414
	}
415

  
416
	/**
417
	 * Check if the specified user can insert the document
418
	 * 
419
	 * @param username
420
	 *            the user login credentails
421
	 * @param groups
422
	 *            a list of the user's groups
423
	 */
424
	public static boolean canInsertOrUpdate(String username, String[] groups)
425
			throws UtilException {
426
		return (isAllowedSubmitter(username, groups) && !isDeniedSubmitter(username,
427
				groups));
428
	}
429

  
430
	/**
431
	 * Check if the user is on a given access list.  This is true if either the 
432
	 * user or the user's group is on the list.
433
	 * 
434
	 * @param accessList the list we want to check against
435
	 * @param username the name of the user we want to check
436
	 * @param groups a list of the user's groups
437
	 */
438
	private static boolean onAccessList(Vector<String> accessList, String username,
439
			String[] groups) {
440

  
441
		// this should never happen.  All calls to this method should use the 
442
		// appropriate getter to retrieve the accessList.  That should guarentee
443
		// that the access is at least an empty Vector.
444
		if (accessList == null) {
445
			return false;
446
		}
447

  
448
		// Check that the user is authenticated as an administrator account
449
		for (String accessString : accessList) {
450
			// check the given admin dn is a group dn...
451
			if (groups != null && accessString.startsWith("cn=")) {
452
				// is a group dn
453
				for (int j = 0; j < groups.length; j++) {
454
					if (groups[j].equals(accessString)) {
455
						return true;
456
					}
457
				}
458
			} else {
459
				// is a user dn
460
				if (username != null && username.equals(accessString)) {
461
					return true;
462
				}
463
			}
464
		}
465
		return false;
466
	}
467

  
468
}
0 469

  
src/edu/ucsb/nceas/metacat/util/MetaCatUtil.java
927 927
		try {
928 928
			metacatConfigured = PropertyService.arePropertiesConfigured()
929 929
//					&& OrganizationUtil.areOrganizationsConfigured() 
930
					&& LDAPUtil.isLDAPConfigured()
930
					&& AuthUtil.isAuthConfigured()
931 931
					&& SkinUtil.areSkinsConfigured()
932 932
					&& DatabaseUtil.isDatabaseConfigured()
933 933
					&& GeoserverUtil.isGeoserverConfigured();
src/edu/ucsb/nceas/metacat/DBQuery.java
49 49
import org.w3c.dom.ls.*;
50 50

  
51 51
import edu.ucsb.nceas.metacat.service.PropertyService;
52
import edu.ucsb.nceas.metacat.util.LDAPUtil;
52
import edu.ucsb.nceas.metacat.util.AuthUtil;
53 53
import edu.ucsb.nceas.metacat.util.MetaCatUtil;
54 54
import edu.ucsb.nceas.morpho.datapackage.Triple;
55 55
import edu.ucsb.nceas.morpho.datapackage.TripleCollection;
......
384 384

  
385 385
         // if the user is a moderator, then pass a param to the 
386 386
         // xsl specifying the fact
387
         if(LDAPUtil.isModerator(user, groups)){
387
         if(AuthUtil.isModerator(user, groups)){
388 388
        	 params.put("isModerator", new String[] {"true"});
389 389
         }
390 390

  
src/edu/ucsb/nceas/metacat/Eml200SAXHandler.java
49 49
import org.xml.sax.SAXException;
50 50

  
51 51
import edu.ucsb.nceas.metacat.service.PropertyService;
52
import edu.ucsb.nceas.metacat.util.LDAPUtil;
52
import edu.ucsb.nceas.metacat.util.AuthUtil;
53 53
import edu.ucsb.nceas.metacat.util.MetaCatUtil;
54 54
import edu.ucsb.nceas.utilities.PropertyNotFoundException;
55 55

  
......
322 322
            if (action != null && action.equals("UPDATE")
323 323
                    && !control.hasPermission(user, groups,
324 324
                            AccessControlInterface.ALLSTRING) 
325
                            && !LDAPUtil.isAdministrator(user, groups))
325
                            && !AuthUtil.isAdministrator(user, groups))
326 326
            {
327 327
                needCheckingAccessModule = true;
328 328
                unChangebleTopAccessSubTree = getTopAccessSubTreeFromDB();

Also available in: Unified diff