map active directory memberOf to spring role

spaced · Sep 26, 2024 · df986a7 · df986a7
1 parent e72cb1c
commit df986a7
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 20 deletions.
diff --git a/.../src/main/kotlin/org/ebics/client/ebicsrestapi/ldap/ActiveDirectoryRoleMapperPopulator.kt b/.../src/main/kotlin/org/ebics/client/ebicsrestapi/ldap/ActiveDirectoryRoleMapperPopulator.kt
@@ -0,0 +1,37 @@
+package org.ebics.client.ebicsrestapi.ldap
+
+import org.slf4j.LoggerFactory
+import org.springframework.ldap.core.DirContextOperations
+import org.springframework.ldap.core.DistinguishedName
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.core.authority.AuthorityUtils
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator
+
+
+/**
+ * Translates ad memberOf attribute to role based on ldap search property [LdapSearchProperties.mapping]
+ * inspired by [DefaultActiveDirectoryAuthoritiesPopulator]
+ */
+class ActiveDirectoryRoleMapperPopulator(val mapping: Map<String,String>?) : LdapAuthoritiesPopulator {
+    private val logger = LoggerFactory.getLogger(ActiveDirectoryRoleMapperPopulator::class.java)
+    override fun getGrantedAuthorities(
+        userData: DirContextOperations?,
+        username: String?
+    ): Collection<GrantedAuthority?>? {
+        val groups = userData?.getStringAttributes("memberOf")
+        if (groups == null) {
+            logger.debug("No values for 'memberOf' attribute.");
+            return AuthorityUtils.NO_AUTHORITIES;
+        }
+        if (logger.isDebugEnabled) logger.debug("'memberOf' attribute values: " + groups.asList());
+
+        return buildList {
+            for (group in groups) {
+                val mappedRole = mapping?.get(DistinguishedName(group).removeLast().value)
+                if (mappedRole != null) add(SimpleGrantedAuthority("ROLE_${mappedRole.uppercase()}"))
+            }
+        }
+    }
+
+}
diff --git a/ebics-rest-api/src/main/kotlin/org/ebics/client/ebicsrestapi/ldap/LdapConfiguration.kt b/ebics-rest-api/src/main/kotlin/org/ebics/client/ebicsrestapi/ldap/LdapConfiguration.kt
@@ -1,6 +1,5 @@
 package org.ebics.client.ebicsrestapi.ldap
 
-
 import org.springframework.boot.autoconfigure.ldap.LdapProperties
 import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.context.annotation.Bean
@@ -24,10 +23,8 @@ typealias AuthorityMapper = (AuthorityRecord) -> GrantedAuthority?
 class LdapConfiguration {
 
     @Bean
-    fun authorities(
-        contextSource: BaseLdapPathContextSource,
-        searchProperties: LdapSearchProperties
-    ): LdapAuthoritiesPopulator {
+    @Profile("openldap")
+    fun authorities(contextSource: BaseLdapPathContextSource, searchProperties: LdapSearchProperties): LdapAuthoritiesPopulator {
         val authorities = DefaultLdapAuthoritiesPopulator(contextSource, searchProperties.group.base)
         authorities.setGroupSearchFilter(searchProperties.group.filter)
         val mapper: AuthorityMapper = { record ->
@@ -41,13 +38,14 @@ class LdapConfiguration {
         return authorities
     }
 
+    @Bean
+    fun activeDirectoryAuthorities(searchProperties: LdapSearchProperties): LdapAuthoritiesPopulator {
+        return ActiveDirectoryRoleMapperPopulator(searchProperties.mapping)
+    }
+
     @Bean
     @Profile("openldap")
-    fun authenticationManager(
-        contextSource: BaseLdapPathContextSource,
-        authorities: LdapAuthoritiesPopulator,
-        searchProperties: LdapSearchProperties
-    ): AuthenticationManager {
+    fun authenticationManager(contextSource: BaseLdapPathContextSource, authorities: LdapAuthoritiesPopulator, searchProperties: LdapSearchProperties): AuthenticationManager {
         val factory = LdapBindAuthenticationManagerFactory(contextSource)
         factory.setUserSearchFilter(searchProperties.user.filter)
         factory.setUserSearchBase(searchProperties.user.base)
@@ -56,16 +54,10 @@ class LdapConfiguration {
     }
 
     @Bean
-    fun authenticationProvider(
-        ldapProperties: LdapProperties,
-        searchProperties: LdapSearchProperties
-    ): ActiveDirectoryLdapAuthenticationProvider {
-        return ActiveDirectoryLdapAuthenticationProvider(
-            searchProperties.domain,
-            ldapProperties.urls.get(0),
-            ldapProperties.base
-        )
-
+    fun authenticationProvider(ldapProperties: LdapProperties, searchProperties: LdapSearchProperties, authorities: LdapAuthoritiesPopulator): ActiveDirectoryLdapAuthenticationProvider {
+        val adProvider = ActiveDirectoryLdapAuthenticationProvider(searchProperties.domain, ldapProperties.urls[0], ldapProperties.base)
+        adProvider.setAuthoritiesPopulator(authorities)
+        return adProvider
     }
 
 }