/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.server.core.authn;
import java.net.SocketAddress;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.naming.Context;
import org.apache.commons.collections.map.LRUMap;
import org.apache.commons.lang.ArrayUtils;
import org.apache.directory.server.core.api.LdapPrincipal;
import org.apache.directory.server.core.api.authn.PasswordUtil;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.model.constants.LdapSecurityConstants;
import org.apache.directory.shared.ldap.model.constants.SchemaConstants;
import org.apache.directory.shared.ldap.model.entry.Attribute;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.entry.Value;
import org.apache.directory.shared.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.model.exception.LdapException;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.apache.directory.shared.util.Base64;
import org.apache.directory.shared.util.StringConstants;
import org.apache.directory.shared.util.Strings;
import org.apache.directory.shared.util.UnixCrypt;
import org.apache.mina.core.session.IoSession;
/**
* A simple {@link Authenticator} that authenticates clear text passwords
* contained within the <code>userPassword</code> attribute in DIT. If the
* password is stored with a one-way encryption applied (e.g. SHA), the password
* is hashed the same way before comparison.
*
* We use a cache to speedup authentication, where the Dn/password are stored.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
public class SimpleAuthenticator extends AbstractAuthenticator
{
/** A speedup for logger in debug mode */
private static final boolean IS_DEBUG = LOG.isDebugEnabled();
/**
* A cache to store passwords. It's a speedup, we will be able to avoid backend lookups.
*
* Note that the backend also use a cache mechanism, but for performance gain, it's good
* to manage a cache here. The main problem is that when a user modify his password, we will
* have to update it at three different places :
* - in the backend,
* - in the partition cache,
* - in this cache.
*
* The update of the backend and partition cache is already correctly handled, so we will
* just have to offer an access to refresh the local cache.
*
* We need to be sure that frequently used passwords be always in cache, and not discarded.
* We will use a LRU cache for this purpose.
*/
private final LRUMap credentialCache;
/** Declare a default for this cache. 100 entries seems to be enough */
private static final int DEFAULT_CACHE_SIZE = 100;
/**
* Creates a new instance.
* @see AbstractAuthenticator
*/
public SimpleAuthenticator()
{
super( AuthenticationLevel.SIMPLE );
credentialCache = new LRUMap( DEFAULT_CACHE_SIZE );
}
/**
* Creates a new instance, with an initial cache size
* @param cacheSize the size of the credential cache
*/
public SimpleAuthenticator( int cacheSize )
{
super( AuthenticationLevel.SIMPLE );
credentialCache = new LRUMap( cacheSize > 0 ? cacheSize : DEFAULT_CACHE_SIZE );
}
/**
* Get the password either from cache or from backend.
* @param principalDN The Dn from which we want the password
* @return A byte array which can be empty if the password was not found
* @throws Exception If we have a problem during the lookup operation
*/
private LdapPrincipal getStoredPassword( BindOperationContext bindContext ) throws LdapException
{
LdapPrincipal principal = null;
// use cache only if pwdpolicy is not enabled
if ( !getDirectoryService().isPwdPolicyEnabled() )
{
synchronized ( credentialCache )
{
principal = ( LdapPrincipal ) credentialCache.get( bindContext.getDn().getNormName() );
}
}
byte[] storedPassword;
if ( principal == null )
{
// Not found in the cache
// Get the user password from the backend
storedPassword = lookupUserPassword( bindContext );
// Deal with the special case where the user didn't enter a password
// We will compare the empty array with the credentials. Sometime,
// a user does not set a password. This is bad, but there is nothing
// we can do against that, except education ...
if ( storedPassword == null )
{
storedPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
}
// Create the new principal before storing it in the cache
principal = new LdapPrincipal( getDirectoryService().getSchemaManager(), bindContext.getDn(),
AuthenticationLevel.SIMPLE, storedPassword );
// Now, update the local cache ONLY if pwdpolicy is not enabled.
if ( !getDirectoryService().isPwdPolicyEnabled() )
{
synchronized ( credentialCache )
{
credentialCache.put( bindContext.getDn().getNormName(), principal );
}
}
}
return principal;
}
/**
* <p>
* Looks up <tt>userPassword</tt> attribute of the entry whose name is the
* value of {@link Context#SECURITY_PRINCIPAL} environment variable, and
* authenticates a user with the plain-text password.
* </p>
*/
public LdapPrincipal authenticate( BindOperationContext bindContext ) throws LdapException
{
if ( IS_DEBUG )
{
LOG.debug( "Authenticating {}", bindContext.getDn() );
}
// ---- extract password from JNDI environment
byte[] credentials = bindContext.getCredentials();
LdapPrincipal principal = getStoredPassword( bindContext );
IoSession session = bindContext.getIoSession();
if ( session != null )
{
SocketAddress clientAddress = session.getRemoteAddress();
principal.setClientAddress( clientAddress );
SocketAddress serverAddress = session.getServiceAddress();
principal.setServerAddress( serverAddress );
}
// Get the stored password, either from cache or from backend
byte[] storedPassword = principal.getUserPassword();
// Now, compare the two passwords.
if ( PasswordUtil.compareCredentials( credentials, storedPassword ) )
{
if ( IS_DEBUG )
{
LOG.debug( "{} Authenticated", bindContext.getDn() );
}
return principal;
}
else
{
// Bad password ...
String message = I18n.err( I18n.ERR_230, bindContext.getDn().getName() );
LOG.info( message );
throw new LdapAuthenticationException( message );
}
}
/**
* Local function which request the password from the backend
* @param bindContext the Bind operation context
* @return the credentials from the backend
* @throws Exception if there are problems accessing backend
*/
private byte[] lookupUserPassword( BindOperationContext bindContext ) throws LdapException
{
// ---- lookup the principal entry's userPassword attribute
Entry userEntry;
try
{
/*
* NOTE: at this point the BindOperationContext does not has a
* null session since the user has not yet authenticated so we
* cannot use lookup() yet. This is a very special
* case where we cannot rely on the bindContext to perform a new
* sub operation.
*/
LookupOperationContext lookupContext = new LookupOperationContext( getDirectoryService().getAdminSession(),
bindContext.getDn() );
lookupContext.addAttrsId( SchemaConstants.ALL_USER_ATTRIBUTES );
// OP attributes required for ppolicy
lookupContext.addAttrsId( SchemaConstants.ALL_OPERATIONAL_ATTRIBUTES );
userEntry = getDirectoryService().getPartitionNexus().lookup( lookupContext );
if ( userEntry == null )
{
Dn dn = bindContext.getDn();
String upDn = ( dn == null ? "" : dn.getName() );
throw new LdapAuthenticationException( I18n.err( I18n.ERR_231, upDn ) );
}
}
catch ( Exception cause )
{
LOG.error( I18n.err( I18n.ERR_6, cause.getLocalizedMessage() ) );
LdapAuthenticationException e = new LdapAuthenticationException( cause.getLocalizedMessage() );
e.initCause( e );
throw e;
}
checkPwdPolicy( userEntry );
Value<?> userPassword;
Attribute userPasswordAttr = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
bindContext.setEntry( new ClonedServerEntry( userEntry ) );
// ---- assert that credentials match
if ( userPasswordAttr == null )
{
return StringConstants.EMPTY_BYTES;
}
else
{
userPassword = userPasswordAttr.get();
return userPassword.getBytes();
}
}
/**
* Get the algorithm of a password, which is stored in the form "{XYZ}...".
* The method returns null, if the argument is not in this form. It returns
* XYZ, if XYZ is an algorithm known to the MessageDigest class of
* java.security.
*
* @param password a byte[]
* @return included message digest alorithm, if any
* @throws IllegalArgumentException if the algorithm cannot be identified
*/
protected String getAlgorithmForHashedPassword( byte[] password ) throws IllegalArgumentException
{
String result = null;
// Check if password arg is string or byte[]
String sPassword = Strings.utf8ToString( password );
int rightParen = sPassword.indexOf( '}' );
if ( ( sPassword.length() > 2 ) && ( sPassword.charAt( 0 ) == '{' ) && ( rightParen > -1 ) )
{
String algorithm = sPassword.substring( 1, rightParen );
if ( LdapSecurityConstants.HASH_METHOD_CRYPT.getName().equalsIgnoreCase( algorithm ) )
{
return algorithm;
}
try
{
MessageDigest.getInstance( algorithm );
result = algorithm;
}
catch ( NoSuchAlgorithmException e )
{
LOG.warn( "Unknown message digest algorithm in password: " + algorithm, e );
}
}
return result;
}
/**
* Creates a digested password. For a given hash algorithm and a password
* value, the algorithm is applied to the password, and the result is Base64
* encoded. The method returns a String which looks like "{XYZ}bbbbbbb",
* whereas XYZ is the name of the algorithm, and bbbbbbb is the Base64
* encoded value of XYZ applied to the password.
*
* @param algorithm
* an algorithm which is supported by
* java.security.MessageDigest, e.g. SHA
* @param password
* password value, a byte[]
*
* @return a digested password, which looks like
* {SHA}LhkDrSoM6qr0fW6hzlfOJQW61tc=
*
* @throws IllegalArgumentException
* if password is neither a String nor a byte[], or algorithm is
* not known to java.security.MessageDigest class
*/
protected String createDigestedPassword( String algorithm, byte[] password ) throws IllegalArgumentException
{
// create message digest object
try
{
if ( LdapSecurityConstants.HASH_METHOD_CRYPT.getName().equalsIgnoreCase( algorithm ) )
{
String saltWithCrypted = UnixCrypt.crypt( Strings.utf8ToString( password ), "" );
String crypted = saltWithCrypted.substring( 2 );
return '{' + algorithm + '}' + Arrays.toString( Strings.getBytesUtf8( crypted ) );
}
else
{
MessageDigest digest = MessageDigest.getInstance( algorithm );
// calculate hashed value of password
byte[] fingerPrint = digest.digest( password );
char[] encoded = Base64.encode( fingerPrint );
// create return result of form "{alg}bbbbbbb"
return '{' + algorithm + '}' + new String( encoded );
}
}
catch ( NoSuchAlgorithmException nsae )
{
LOG.error( I18n.err( I18n.ERR_7, algorithm ) );
throw new IllegalArgumentException( nsae.getLocalizedMessage() );
}
}
/**
* Remove the principal form the cache. This is used when the user changes
* his password.
*/
public void invalidateCache( Dn bindDn )
{
synchronized ( credentialCache )
{
credentialCache.remove( bindDn.getNormName() );
}
}
}