📄 ldapresolver.java
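/*******************************************************************************
 * Copyright (C) 2002, 2003
 * ingenieurbuero fuer innovative informationstechnik (iiit)
 * Dipl.-Ing. Joerg Beckmann, Dortmund, Germany
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * version $Id: LdapResolver.java,v 1.26 2003/04/14 19:19:24 joerg Exp $
 ******************************************************************************/
package de.iiit.access.server.plugins.parser;

import de.iiit.access.common.api.*;
import de.iiit.access.server.*;
import de.iiit.access.server.api.*;
import de.iiit.access.server.plugins.parser.*;
import de.iiit.access.server.util.*;
import de.iiit.ldap.*;
import de.iiit.xmlconfig.*;
import de.iiit.cache.*;
import org.apache.log4j.Logger;
import java.util.*;
import java.io.*;
import javax.naming.*;

/**
 * Implementation of resolver which uses a LDAP database as its data source.
 *
 * <p>Group names, user names and user IDs handed to this class end up inside
 * LDAP search filters. Every such value is passed through
 * {@link #escapeFilterValue(String)} first, so that filter metacharacters in
 * the value are matched literally and cannot change the structure of the
 * filter. Object classes, attribute names and search bases come from the
 * plug-in configuration and are inserted unchanged.
 */
public class LdapResolver implements ResolverPluginIf {
    /** CVS Version Tag */
    private static final String vcid = "$Id: LdapResolver.java,v 1.26 2003/04/14 19:19:24 joerg Exp $";

    private Logger logger = Logger.getLogger(this.getClass());

    // Object classes, search bases and attribute names, all copied from
    // LdapUtil in initialize().
    private String ldapGroupClass = null;
    private String ldapGroupBase = null;
    private String ldapGroupMember = null;
    private String ldapFormulaClass = null;
    private String ldapFormulaBase = null;
    private String ldapFormulaExpr = null;
    private String ldapPersonClass = null;
    private String ldapPersonBase = null;
    private String ldapUserId = null;

    private LdapUtil ldapUtil = null;

    // Copied from AccessServer.getVerifyUser(); when false, verifyUser(String)
    // accepts every user ID without asking the directory.
    private boolean verifyUser = false;

    /** Creates a new instance of LdapResolver */
    public LdapResolver() {
    }

    /**
     * Initialize the current object.
     * The plug-in configuration - which may be null - will be searched for an entity
     * named <I>LdapConfig</I>. If none is found, the AccessServer itself will be asked
     * for such a configuration entity. If none is found System.exit(1) will be
     * called.
     * The configuration is used to initialize an instance of {@link
     * de.iiit.access.server.util.LdapUtil#initialize LdapUtil}. The configuration
     * requirements are described there.
     *
     * @param config The plug-in configuration
     */
    public void initialize(Configuration config) {
        Configuration ldapConfig = null;

        AccessServer.setIgnoreCase(true);
        verifyUser = AccessServer.getVerifyUser();

        if (config != null) {
            ldapConfig = config.getSubConfiguration("LdapConfig");
        }

        // Fall back to the server-wide configuration when the plug-in has none.
        if (ldapConfig == null) {
            ldapConfig = AccessServer.getSubConfiguration("LdapConfig");
        }

        if (ldapConfig == null) {
            logger.fatal("The LdapResolver can not work without a LDAP configuration");
            System.exit(1);
        } else {
            ldapUtil = new LdapUtil();
            ldapUtil.initialize(ldapConfig);

            ldapGroupClass = ldapUtil.getLdapGroupClass();
            ldapGroupBase = ldapUtil.getLdapGroupBase();
            ldapGroupMember = ldapUtil.getLdapGroupMember();
            ldapFormulaClass = ldapUtil.getLdapFormulaClass();
            ldapFormulaBase = ldapUtil.getLdapFormulaBase();
            ldapFormulaExpr = ldapUtil.getLdapExpression();
            ldapPersonClass = ldapUtil.getLdapPersonClass();
            ldapPersonBase = ldapUtil.getLdapPersonBase();
            ldapUserId = ldapUtil.getLdapUserId();
        }
    }

    /**
     * This method is called by the AccessServer when the background threads should
     * stop because of a shutdown of the AccessServer itself.
     */
    public void shutdown() {
        if (ldapUtil != null) {
            ldapUtil.shutdown();
        }
    }

    /**
     * This method is called by the AccessServer when the background thread should
     * start. It is called after the method initialize() is called for all plug-ins.
     */
    public void start() {
        // Do nothing
    }

    /**
     * Escapes a value for use as an assertion value inside an LDAP search filter.
     * Backslash, asterisk, both parentheses and NUL are replaced by a backslash
     * followed by their two-digit hexadecimal code, the string representation
     * defined for LDAP search filters (RFC 4515). After escaping, an asterisk in
     * the value is compared literally instead of acting as a wildcard, and
     * parentheses can no longer open or close filter components.
     *
     * @param value the raw value; {@code null} is rendered as the text "null",
     *              which is what plain string concatenation produced before
     * @return the escaped value, safe to concatenate into a filter
     */
    private static String escapeFilterValue(String value) {
        if (value == null) {
            return "null";
        }

        StringBuffer escaped = new StringBuffer(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\5c");
                    break;
                case '*':
                    escaped.append("\\2a");
                    break;
                case '(':
                    escaped.append("\\28");
                    break;
                case ')':
                    escaped.append("\\29");
                    break;
                case '\0':
                    escaped.append("\\00");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }

    /**
     * Looks up the expression on top of the stack as a formula entry and, if the
     * entry carries a formula, lets a new {@link Parser} evaluate that formula.
     *
     * @param argStack the stack of expressions currently being evaluated
     * @param name     the user name handed on to the parser, may be null
     * @return the parser result, an empty set if the formula entry has no
     *         formula attribute value, or null if no formula entry was found
     * @throws NamingException if the LDAP search fails
     * @throws ParserException if the parser rejects the stored formula
     */
    private Set evaluateLdapExpression(ParserStackIf argStack, String name)
            throws NamingException, ParserException {
        Set result = null;

        String expression = (String) argStack.peek();
        String filter = "(& (cn=" + escapeFilterValue(expression)
                + ")(objectClass=" + ldapFormulaClass + "))";

        Vector v = ldapUtil.search(ldapFormulaBase, filter, new String[] { ldapFormulaExpr });

        if (v != null && v.size() > 0) {
            Vector m = ((LdapGenericObject) v.get(0)).getAttribute(ldapFormulaExpr);

            // resolve() treats a null attribute vector as "no values"; do the
            // same here instead of failing with a NullPointerException.
            if (m != null && m.size() > 0) {
                Parser p = new Parser(this);

                argStack.pushArgument(m.get(0));
                result = p.evaluate(argStack, name);
                argStack.pop();
            } else {
                result = new HashSet();
            }
        }

        return result;
    }

    /**
     * Resolves the expression on top of the stack. If the result is also an expression
     * the parser has to be called to evaluate it.
     *
     * @param argStack This stack includes all expressions and subexpressions of the
     *                 current tree inside the original expression.
     * @throws ParserException if there is something wrong with the expression. The most
     *                         common cases are syntax errors or circular references
     *                         within the expression.
     * @return The set of users described by the expression. The result is null if
     *         neither a group nor a formula of that name was found, or if the LDAP
     *         search failed (the failure is logged).
     */
    public Set resolve(ParserStackIf argStack) throws ParserException {
        Set result = null;

        try {
            String expression = (String) argStack.peek();
            String filter = "(& (cn=" + escapeFilterValue(expression)
                    + ")(objectClass=" + ldapGroupClass + "))";

            Vector v = ldapUtil.search(ldapGroupBase, filter, new String[] { ldapGroupMember });

            if (v != null && v.size() > 0) {
                Vector m = ((LdapGenericObject) v.get(0)).getAttribute(ldapGroupMember);

                if (m != null) {
                    result = new HashSet(m);
                } else {
                    result = new HashSet();
                }
            }

            // Not a group: the name may refer to a stored formula instead.
            if (result == null) {
                result = evaluateLdapExpression(argStack, null);
            }
        } catch (NamingException ne) {
            logger.info(ne.getMessage() + " " + ne.getRemainingName());
        }

        return result;
    }

    /**
     * Checks in the directory whether the given user is a member of the group named
     * by the expression on top of the stack; falls back to formula evaluation when
     * no such group membership is found.
     *
     * @param argStack the stack of expressions currently being evaluated
     * @param name     the user name to test
     * @return a set containing only {@code name} if the membership was found, the
     *         formula result otherwise; null if nothing matched or if the LDAP
     *         search failed (the failure is logged)
     * @throws ParserException if a stored formula cannot be evaluated
     */
    private Set resolveFromLdap(ParserStackIf argStack, String name) throws ParserException {
        Set result = null;

        try {
            String expression = (String) argStack.peek();
            String filter = "(& (cn=" + escapeFilterValue(expression) + ")("
                    + ldapGroupMember + "=" + escapeFilterValue(name)
                    + ")(objectClass=" + ldapGroupClass + "))";

            Vector v = ldapUtil.search(ldapGroupBase, filter, new String[] { "cn" });

            if (v != null && v.size() > 0) {
                result = new HashSet();
                result.add(name);
            }

            if (result == null) {
                result = evaluateLdapExpression(argStack, name);
            }
        } catch (NamingException ne) {
            logger.info(ne.getMessage() + " " + ne.getRemainingName());
        }

        return result;
    }

    /**
     * The evaluation is optimized in such way that it only retrieves information
     * regarding the given user name.
     *
     * @param argStack This stack includes all expressions and subexpressions of the
     *                 current tree inside the original expression.
     * @param name     The name of the user for whom the expression should be resolved.
     *                 If it is null or empty, the expression is resolved for all users
     *                 as in {@link #resolve(ParserStackIf)}.
     * @throws ParserException if there is something wrong with the expression. The most
     *                         common cases are syntax errors or circular references
     *                         within the expression.
     * @return An optimized set of users. It is guaranteed that it is correct for the
     *         given user but it is not guaranteed that it includes all users described
     *         by the expression. May be null.
     */
    public Set resolve(ParserStackIf argStack, String name) throws ParserException {
        Set result = null;

        if (name == null || name.equals("")) {
            // The result of the full resolution used to be discarded here, so
            // the method always returned null when no user name was given.
            result = resolve(argStack);
        } else {
            String expression = (String) argStack.peek();

            CachePluginIf cache = AccessServer.getCachePlugin();

            if (cache != null) {
                try {
                    if (cache.getUserRight(name, expression)) {
                        result = new HashSet();
                        result.add(name);
                    }
                } catch (CacheFaultException e) {
                    // Cache miss: ask the directory and remember the answer.
                    result = resolveFromLdap(argStack, name);

                    // NOTE(review): resolveFromLdap() returns null when the LDAP
                    // search fails, so a directory outage is stored in the cache
                    // as "no right" for this user. That fails closed, but the
                    // denial stays cached; how long depends on the cache plug-in.
                    boolean answer = (result != null && result.contains(name));
                    cache.addUserRight(name, expression, answer);
                }
            } else {
                result = resolveFromLdap(argStack, name);
            }
        }

        return result;
    }

    /**
     * Verifies whether a user exists in the user database.
     *
     * @param uid the user ID. It is escaped before it is placed in the search
     *            filter, so it is compared literally against the user ID attribute.
     * @return true if the user exists or if user verification is switched off,
     *         false if the user doesn't exist or the LDAP search failed.
     */
    public boolean verifyUser(String uid) {
        boolean result = false;

        try {
            if (verifyUser) {
                String filter = "(& (" + ldapUserId + "=" + escapeFilterValue(uid)
                        + ")(objectClass=" + ldapPersonClass + "))";

                // Request the configured user ID attribute; the string literal
                // "ldapUserId" was passed here before instead of the field.
                Vector v = ldapUtil.search(ldapPersonBase, filter, new String[] { ldapUserId });

                result = (v != null && v.size() != 0);
            } else {
                result = true;
            }
        } catch (NamingException ne) {
            // result stays false: a failed lookup never verifies a user.
            logger.info(ne.getMessage() + " " + ne.getRemainingName());
        }

        return result;
    }
}

/*
 * $Log: LdapResolver.java,v $
 * Revision 1.26  2003/04/14 19:19:24  joerg
 * Links changed to reflect new package structure
 *
 * Revision 1.25  2003/04/13 21:09:56  joerg
 * Package structure modified
 *
 * Revision 1.24  2003/04/13 20:28:01  joerg
 * Package structure modified
 *
 * Revision 1.23  2003/04/13 20:16:41  joerg
 * Package structure modified
 *
 * Revision 1.22  2003/04/07 20:08:49  joerg
 * Improved JavaDoc.
 *
 * Revision 1.21  2003/01/17 19:56:10  joerg
 * New method verifyUser()
 *
 * Revision 1.20  2003/01/16 21:48:52  joerg
 * Small bug fixes
 *
 * Revision 1.19  2003/01/04 17:15:43  joerg
 * Additional config option IgnoreCase
 *
 * Revision 1.18  2003/01/01 21:04:17  joerg
 * Copyright statement updated
 *
 * Revision 1.17  2002/12/24 21:04:33  joerg
 * Package structure reworked
 * iiitLdapPlugin integrated
 * JavaDoc comments further completed.
 *
 * Revision 1.16  2002/12/23 11:26:48  joerg
 * shutdown() method added.
 *
 * Revision 1.15  2002/12/21 19:55:03  joerg
 * Removed methods that are no longer needed, changed internal methods to
 * private or protected.
 * JavaDoc comments added.
 *
 * Revision 1.14  2002/12/19 15:54:33  joerg
 * Package renamed to iiitLdapPlugin
 *
 * Revision 1.13  2002/12/09 16:12:42  joerg
 * Removed commented-out code
 *
 * Revision 1.12  2002/12/08 16:37:33  joerg
 * Clean-up after the big restructuring
 *
 * Revision 1.11  2002/12/08 16:13:06  joerg
 * Deleted code that is no longer needed
 *
 * Revision 1.10  2002/12/08 16:09:46  joerg
 * Package structure revised
 *
 * Revision 1.9  2002/12/08 14:17:10  joerg
 * Fixed an error from the last change
 *
 * Revision 1.8  2002/12/08 13:51:59  joerg
 * The LdapPlugin is now loaded directly here and no longer
 * via the AccessServer
 *
 * Revision 1.7  2002/11/27 22:34:30  joerg
 * Caching revised: all individual arguments are also looked up in the cache.
 *
 * Revision 1.6  2002/11/27 16:41:08  joerg
 * Parameter passing changed to detect circular
 * recursion
 *
 * Revision 1.5  2002/11/26 14:41:36  joerg
 * Small optimizations
 * Removed superfluous code
 *
 * Revision 1.4  2002/11/26 10:56:40  joerg
 * Package exprparser replaced by parser.
 *
 * Revision 1.3  2002/11/20 20:30:31  joerg
 * Removed commented-out parts
 * ParseException is passed on
 *
 * Revision 1.2  2002/11/18 21:23:36  joerg
 * LDAP connection switched to LdapPlugin.
 *
 * Revision 1.1  2002/11/18 19:36:11  joerg
 * LdapResolver moved into the LDAP plugin
 *
 * Revision 1.5  2002/11/18 15:28:02  joerg
 * Interface NameResolverIf moved to package 'api'
 *
 * Revision 1.4  2002/11/18 15:22:02  joerg
 * LDAP search now implemented via the class LdapClient.
 *
 * Revision 1.3  2002/11/18 10:14:02  joerg
 * Fixed an error when searching the formulas.
 *
 * Revision 1.2  2002/11/17 22:05:18  joerg
 * LDAP query completely rebuilt
 *
 * Revision 1.1  2002/11/06 11:12:02  joerg
 * New class for resolving expressions via LDAP
 *
 * Revision 1.1  2002/10/31 15:05:16  joerg
 * First version consisting of config reader, logging and expressions.
 *
 */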