Mercurial > lada > lada-server

view src/main/java/de/intevation/lada/authentication/LdapAuthentication.java @ 204:a43caf307a98

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Extended authentication interface and implementaion.
author Raimund Renkert <rrenkert@intevation.de>
date Tue, 02 Jul 2013 13:09:09 +0200
parents cfa61bb7a86f
children a305412206a3
line wrap: on
line source
package de.intevation.lada.authentication;

import java.util.ArrayList;
import java.util.List;

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.persistence.EntityManager;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
import javax.ws.rs.core.HttpHeaders;

import de.intevation.lada.data.QueryBuilder;
import de.intevation.lada.model.Auth;
import de.intevation.lada.model.LProbe;
import de.intevation.lada.model.LProbeInfo;

@RequestScoped
@Named("ldapauth")
public class LdapAuthentication
implements Authentication
{
    @Inject
    private EntityManager em;

    @Override
    public boolean isAuthorizedUser(HttpHeaders headers)
    throws AuthenticationException {
        AuthenticationResponse auth = authorizedGroups(headers);
        if (auth.getMst().isEmpty() ||
            auth.getNetzbetreiber().isEmpty()) {
            return false;
        }
        return true;
    }

    @Override
    public AuthenticationResponse authorizedGroups(HttpHeaders headers)
    throws AuthenticationException {
        List<String> groups = new ArrayList<String>();
        try {
            LdapName ldap = extractLdapName(headers);
            List<Rdn> rdns = ldap.getRdns();
            for (Rdn rdn: rdns) {
                String value = (String)rdn.getValue();
                if (rdn.getType().equals("cn")) {
                    groups.add(value);
                }
            }
        }
        catch(InvalidNameException ine) {
            throw new AuthenticationException();
        }
        AuthenticationResponse response = getDatabaseAtributes(groups);
        String user = extractUser(headers);
        if (user == null) {
            throw new AuthenticationException();
        }
        response.setUser(user);
        return response;
    }

    public boolean hasAccess (HttpHeaders headers, String probeId)
    throws AuthenticationException {
        QueryBuilder<LProbe> builder = new QueryBuilder<LProbe>(em, LProbe.class);
        builder.and("probeId", probeId);
        List<LProbe> probe = em.createQuery(builder.getQuery()).getResultList();
        if (probe.isEmpty()) {
            return false;
        }
        String nbId = probe.get(0).getNetzbetreiberId();
        String mstId = probe.get(0).getMstId();
        AuthenticationResponse auth = authorizedGroups(headers);
        if (auth.getNetzbetreiber().contains(nbId) &&
            auth.getMst().contains(mstId)) {
            return true;
        }
        return false;
    }

    public boolean isReadOnly(HttpHeaders headers, String probeId) {
        //TODO: test if probe has messung with status 'fertig'.
        return false;
    }

    private String extractUser(HttpHeaders headers) {
        List<String> user = headers.getRequestHeader("x-ldap-user");
        if (user == null || user.isEmpty()) {
            return null;
        }
        return user.get(0);
    }

    private LdapName extractLdapName(HttpHeaders headers) throws InvalidNameException {
        List<String> attributes = headers.getRequestHeader("x-ldap-groups");
        if (attributes == null ||attributes.isEmpty()) {
            return new LdapName("");
        }
        LdapName ldap = new LdapName("");
        String all = attributes.get(0);
        String[] groups = all.split(";");
        for (int i = 0; i < groups.length; i++) {
            String[] items = groups[i].trim().split(",");
            for (int j = 0; j < items.length; j++) {
                ldap.add(items[j]);
            }
        }
        return ldap;
    }

    private AuthenticationResponse getDatabaseAtributes(List<String> groups) {
        CriteriaBuilder builder = em.getCriteriaBuilder();
        CriteriaQuery<Auth> criteria = builder.createQuery(Auth.class);
        Root<Auth> member = criteria.from(Auth.class);
        List<Predicate> orFilter = new ArrayList<Predicate>();
        for (String group: groups) {
            orFilter.add(builder.equal(member.get("ldapGroup"), group));
        }
        Predicate orf = builder.or(orFilter.toArray(new Predicate[orFilter.size()]));
        criteria.where(orf);
        List<Auth> result = em.createQuery(criteria).getResultList();
        List<String> mst = new ArrayList<String>();
        List<String> nb = new ArrayList<String>();
        for (Auth a: result) {
            if (a.getSMessStelle() != null) {
                mst.add(a.getSMessStelle().getMstId());
            }
            if (a.getSNetzBetreiber() != null) {
                nb.add(a.getSNetzBetreiber().getNetzbetreiberId());
            }
        }
        AuthenticationResponse response = new AuthenticationResponse();
        response.setMst(mst);
        response.setNetzbetreiber(nb);
        return response;
    }

}
This site is hosted by Intevation GmbH (Datenschutzerklärung und Impressum | Privacy Policy and Imprint)