From 63e4a30ed73a383f2426e5615cd3b3d61e605ad7 Mon Sep 17 00:00:00 2001 From: Enquier Date: Wed, 29 Jun 2022 10:27:35 -0600 Subject: [PATCH 01/11] Add property to specify allowed cross-site-origins --- .../mms/example/config/ExampleSecurityConfig.java | 10 ++++++++-- example/src/main/resources/application-test.properties | 2 ++ .../src/main/resources/application.properties.example | 3 +++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/example/src/main/java/org/openmbee/mms/example/config/ExampleSecurityConfig.java b/example/src/main/java/org/openmbee/mms/example/config/ExampleSecurityConfig.java index ac7f771a1..d7ccd3397 100644 --- a/example/src/main/java/org/openmbee/mms/example/config/ExampleSecurityConfig.java +++ b/example/src/main/java/org/openmbee/mms/example/config/ExampleSecurityConfig.java @@ -2,6 +2,7 @@ import org.openmbee.mms.authenticator.config.AuthSecurityConfig; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.MediaType; @@ -31,6 +32,9 @@ @EnableAsync public class ExampleSecurityConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer { + @Value("${cors.allowed.origins:*}") + private String allowedOrigins; + @Autowired AuthSecurityConfig authSecurityConfig; @@ -57,7 +61,7 @@ public AuthenticationManager authenticationManagerBean() throws Exception { @Override public void addCorsMappings(CorsRegistry registry) { - registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE"); + registry.addMapping("/**").allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS"); } private CorsFilter corsFilter() { 
@@ -70,7 +74,9 @@ private CorsFilter corsFilter() { CorsConfiguration config = new CorsConfiguration(); config.setAllowCredentials(true); - config.addAllowedOrigin("*"); + for(String origin: allowedOrigins.split(",")) { + config.addAllowedOrigin(origin); + } config.addAllowedHeader(ORIGIN); config.addAllowedHeader(CONTENT_TYPE); config.addAllowedHeader(ACCEPT); diff --git a/example/src/main/resources/application-test.properties b/example/src/main/resources/application-test.properties index 2a9b572e1..f36a8f0c7 100644 --- a/example/src/main/resources/application-test.properties +++ b/example/src/main/resources/application-test.properties @@ -4,6 +4,8 @@ mms.admin.password=test mms.stream.batch.size=100000 +cors.allowed.origins=* + jwt.secret=12345678901234567890123456789012 jwt.expiration=86400 jwt.header=Authorization diff --git a/example/src/main/resources/application.properties.example b/example/src/main/resources/application.properties.example index 339250a5f..8f49b45a1 100644 --- a/example/src/main/resources/application.properties.example +++ b/example/src/main/resources/application.properties.example @@ -4,6 +4,9 @@ mms.admin.password=test mms.stream.batch.size=100000 +#Comma Separated list of allowed cross site origins +cors.allowed.origins=* + jwt.secret=make_me_something_really_long jwt.expiration=86400 jwt.header=Authorization From 8772e54442dc35c3e9e9c2e8b1cc0c9d1f769b2f Mon Sep 17 00:00:00 2001 From: Ivan Gomes Date: Sun, 7 Aug 2022 17:14:08 -0400 Subject: [PATCH 02/11] fix: support users and groups in difference DN bases --- .../openmbee/mms/ldap/LdapSecurityConfig.java | 31 +++++++++++++------ 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 01bde33e6..7040e8739 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java 
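Review bot: The origins loop in corsFilter() hands the raw `split(",")` pieces to `config.addAllowedOrigin`, so a property written as `https://a.example, https://b.example` registers ` https://b.example` with a leading space and that origin never matches; trim each entry and skip empties, e.g. `String trimmed = origin.trim(); if (!trimmed.isEmpty()) config.addAllowedOrigin(trimmed);`. The property default `*` (the `@Value` hunk on the previous line) is still combined with `config.setAllowCredentials(true)` two lines above; as far as I recall Spring Framework 5.3 (Boot 2.6.7 per gradle.properties) rejects `*` in allowedOrigins once credentials are allowed and older releases reflect the request Origin instead, so the default should be an explicit origin list or `allowedOriginPatterns`. The `addCorsMappings` hunk earlier in this file still leaves the registry's origins at its permissive default, so the new property constrains only the filter and not the MVC mapping; applying the same list there via `.allowedOrigins(...)` keeps the two in step. corsFilter() continues past the end of the hunk.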
+++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -113,7 +113,7 @@ LdapAuthoritiesPopulator ldapAuthoritiesPopulator(@Qualifier("contextSource") Ba /* Specificity here : we don't get the Role by reading the members of available groups (which is implemented by - default in Spring security LDAP), but we retrieve the groups from the field memberOf of the user. + default in Spring security LDAP), but we retrieve the groups the user belongs to. */ class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator { @@ -126,11 +126,11 @@ private CustomLdapAuthoritiesPopulator(BaseLdapPathContextSource ldapContextSour @Override public Collection getGrantedAuthorities( DirContextOperations userData, String username) { + logger.debug("Populating authorities using LDAP"); Optional userOptional = userRepository.findByUsername(username); - if (!userOptional.isPresent()) { + if (userOptional.isEmpty()) { User newUser = createLdapUser(userData); - userOptional = Optional.of(newUser); } @@ -139,13 +139,20 @@ public Collection getGrantedAuthorities( saveLdapUser(userData, user); } user.setPassword(null); - String userDn = userAttributesUsername + "=" + user.getUsername() + "," + providerBase; + + StringBuilder userDnBuilder = new StringBuilder(); + userDnBuilder.append(userData.getDn().toString()); + if (providerBase != null && !providerBase.isEmpty()) { + userDnBuilder.append(','); + userDnBuilder.append(providerBase); + } + String userDn = userDnBuilder.toString(); List definedGroups = groupRepository.findAll(); OrFilter orFilter = new OrFilter(); - for (int i = 0; i < definedGroups.size(); i++) { - orFilter.or(new EqualsFilter(groupRoleAttribute, definedGroups.get(i).getName())); + for (Group definedGroup : definedGroups) { + orFilter.or(new EqualsFilter(groupRoleAttribute, definedGroup.getName())); } AndFilter andFilter = new AndFilter(); 
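Review bot: The new `userDn` in the `@@ -139,13 +139,20 @@` hunk is taken from the directory entry (`userData.getDn()`) rather than built from the username, so it can now contain escaped commas, plus signs or quotes that the old `uid=...` form never had; if the `groupsFilter` that receives it (constructed outside the hunk) substitutes the DN into `groupSearchFilter` as plain text, the value needs LDAP filter encoding, e.g. `new EqualsFilter(attribute, userDn)`, before it reaches `andFilter.encode()`. The builder appears to rely on `getDn()` being relative to the context base that `contextSource.setBase(providerBase)` sets later in this patch; that assumption deserves a comment above it, such as `// getDn() is relative to the context base, so re-append providerBase to obtain the full DN`. getGrantedAuthorities() continues beyond the hunk.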
@@ -154,9 +161,11 @@ public Collection getGrantedAuthorities( andFilter.and(groupsFilter); andFilter.and(orFilter); + String filter = andFilter.encode(); + logger.debug("Searching LDAP with filter: {}", filter); Set memberGroups = ldapTemplate - .searchForSingleAttributeValues("", andFilter.encode(), new Object[]{""}, - groupRoleAttribute); + .searchForSingleAttributeValues(groupSearchBase, filter, new Object[]{""}, groupRoleAttribute); + logger.debug("LDAP search result: {}", Arrays.toString(memberGroups.toArray())); Set addGroups = new HashSet<>(); for (String memberGroup : memberGroups) { @@ -186,6 +195,7 @@ public BaseLdapPathContextSource contextSource() { providerUrl); contextSource.setUserDn(providerUserDn); contextSource.setPassword(providerPassword); + contextSource.setBase(providerBase); return contextSource; } @@ -210,13 +220,14 @@ private User saveLdapUser(DirContextOperations userData, User saveUser) { } private User createLdapUser(DirContextOperations userData) { + String username = userData.getStringAttribute(userAttributesUsername); + logger.debug("Creating user for {} using LDAP", username); User user = saveLdapUser(userData, new User()); - user.setUsername(userData.getStringAttribute(userAttributesUsername)); + user.setUsername(username); user.setEnabled(true); user.setAdmin(false); userRepository.save(user); - return user; } } \ No newline at end of file From eb043664d05c2dc1f5235541e6128e37f4fad836 Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 10:31:46 -0700 Subject: [PATCH 03/11] Add properties loading for authentication binding support. --- ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java | 1 + 1 file changed, 1 insertion(+) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 01bde33e6..1cf543bba 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java 
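Review bot: createLdapUser() in the last hunk keys the new record on the LDAP attribute value `userData.getStringAttribute(userAttributesUsername)`, while the lookup that decided the user was missing (`userRepository.findByUsername(username)` in the earlier hunk) uses the `username` argument; if the two differ, for instance in letter case, the record is never found again and a second one is created on the next login, so either pass `username` through or normalise both to the same form before the lookup. In the `@@ -154` hunk `Arrays.toString(memberGroups.toArray())` builds the string even when debug logging is off; `logger.debug("LDAP search result: {}", memberGroups);` lets the logger defer it. The search base changes from `""` to `groupSearchBase`; if that property can be unset the field should carry a default or a null check, and a comment on that line such as `// groupSearchBase is relative to the base configured in contextSource()` would record the dependency on the `setBase` call added in the middle hunk.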
+++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -184,6 +184,7 @@ public Collection getGrantedAuthorities( public BaseLdapPathContextSource contextSource() { DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource( providerUrl); + contextSource.afterPropertiesSet(); contextSource.setUserDn(providerUserDn); contextSource.setPassword(providerPassword); return contextSource; From 43220b40be7bf9f3d73d8f126d98168a0b1bd50d Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 14:49:53 -0700 Subject: [PATCH 04/11] Replace DefaultSpringSecurityContextSource with LdapContextSource --- .../mms/authenticator/config/AuthSecurityConfig.java | 3 +-- .../org/openmbee/mms/ldap/LdapSecurityConfig.java | 12 ++++++------ 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/authenticator/src/main/java/org/openmbee/mms/authenticator/config/AuthSecurityConfig.java b/authenticator/src/main/java/org/openmbee/mms/authenticator/config/AuthSecurityConfig.java index b1a8b452f..627c649c7 100644 --- a/authenticator/src/main/java/org/openmbee/mms/authenticator/config/AuthSecurityConfig.java +++ b/authenticator/src/main/java/org/openmbee/mms/authenticator/config/AuthSecurityConfig.java @@ -19,8 +19,7 @@ public class AuthSecurityConfig { private static Logger logger = LoggerFactory.getLogger(AuthSecurityConfig.class); @Autowired - public void setAuthProvider(AuthenticationManagerBuilder auth, - JwtAuthenticationProvider provider) { + public void setAuthProvider(AuthenticationManagerBuilder auth, JwtAuthenticationProvider provider) { auth.authenticationProvider(provider); } diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 1cf543bba..d8495fac8 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java 
@@ -20,12 +20,12 @@ import org.springframework.context.annotation.Configuration; import org.springframework.ldap.core.DirContextOperations; import org.springframework.ldap.core.support.BaseLdapPathContextSource; +import org.springframework.ldap.core.support.LdapContextSource; import org.springframework.ldap.filter.*; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; -import org.springframework.security.ldap.DefaultSpringSecurityContextSource; import org.springframework.security.ldap.SpringSecurityLdapTemplate; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; import org.springframework.transaction.annotation.EnableTransactionManagement; @@ -91,7 +91,7 @@ public void setGroupRepository(GroupRepository groupRepository) { @Autowired public void configureLdapAuth(AuthenticationManagerBuilder auth, - LdapAuthoritiesPopulator ldapAuthoritiesPopulator, @Qualifier("contextSource") BaseLdapPathContextSource contextSource) + LdapAuthoritiesPopulator ldapAuthoritiesPopulator, @Qualifier("contextSource") BaseLdapPathContextSource contextSource) throws Exception { if (providerUrl != null) { logger.info("LDAP Module is loading..."); @@ -181,10 +181,10 @@ public Collection getGrantedAuthorities( } @Bean - public BaseLdapPathContextSource contextSource() { - DefaultSpringSecurityContextSource contextSource = new DefaultSpringSecurityContextSource( - providerUrl); - contextSource.afterPropertiesSet(); + public LdapContextSource contextSource() { + LdapContextSource contextSource = new LdapContextSource(); + contextSource.setUrl(providerUrl); + contextSource.setBase(providerBase); contextSource.setUserDn(providerUserDn); contextSource.setPassword(providerPassword); return contextSource; 
From a2d5be021a959ab680cbbf72de5dfaa5ae34f25f Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:41:33 -0700 Subject: [PATCH 05/11] Adding debug logging to ease configuration woes. --- .../openmbee/mms/ldap/LdapSecurityConfig.java | 26 ++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index d8495fac8..0d2d57d21 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -117,7 +117,7 @@ LdapAuthoritiesPopulator ldapAuthoritiesPopulator(@Qualifier("contextSource") Ba */ class CustomLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator { - SpringSecurityLdapTemplate ldapTemplate; + final SpringSecurityLdapTemplate ldapTemplate; private CustomLdapAuthoritiesPopulator(BaseLdapPathContextSource ldapContextSource) { ldapTemplate = new SpringSecurityLdapTemplate(ldapContextSource); @@ -128,9 +128,9 @@ public Collection getGrantedAuthorities( DirContextOperations userData, String username) { Optional userOptional = userRepository.findByUsername(username); - if (!userOptional.isPresent()) { + if (userOptional.isEmpty()) { + logger.info("No user record for {} in the userRepository, creating...", userData.getDn()); User newUser = createLdapUser(userData); - userOptional = Optional.of(newUser); } @@ -154,6 +154,8 @@ public Collection getGrantedAuthorities( andFilter.and(groupsFilter); andFilter.and(orFilter); + logger.debug("Generated LDAP query filter for groups: " + andFilter); + Set memberGroups = ldapTemplate .searchForSingleAttributeValues("", andFilter.encode(), new Object[]{""}, groupRoleAttribute); 
@@ -163,6 +165,17 @@ public Collection getGrantedAuthorities( Optional group = groupRepository.findByName(memberGroup); group.ifPresent(addGroups::add); } + + if (logger.isDebugEnabled()) { + if ((long) addGroups.size() > 0) { + addGroups.forEach(group -> { + logger.debug("Group received: " + group.getName()); + }); + } else { + logger.debug("No configured groups returned from LDAP"); + } + } + user.setGroups(addGroups); userRepository.save(user); @@ -183,10 +196,17 @@ public Collection getGrantedAuthorities( @Bean public LdapContextSource contextSource() { LdapContextSource contextSource = new LdapContextSource(); + + logger.debug("Initializing LDAP ContextSource with the following values: "); + contextSource.setUrl(providerUrl); contextSource.setBase(providerBase); contextSource.setUserDn(providerUserDn); contextSource.setPassword(providerPassword); + + logger.debug("BaseLdapPath: " + contextSource.getBaseLdapPathAsString()); + logger.debug("UserDn: " + contextSource.getUserDn()); + return contextSource; } From 6146e527869f9d99651a7c0725d8ea74648d9e90 Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:43:14 -0700 Subject: [PATCH 06/11] Remove ridiculous space --- .../src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 0d2d57d21..a770f5d08 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java 
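Review bot: `if ((long) addGroups.size() > 0)` in the `@@ -163` hunk casts an int to long for no reason; `if (!addGroups.isEmpty())` says the same thing. The `isDebugEnabled()` guard only pays off if the inner calls avoid eager work, which the string concatenations in this hunk and in the contextSource() hunk (`"Group received: " + group.getName()`, `"BaseLdapPath: " + ...`, `"UserDn: " + ...`) defeat; use the parameterised form, e.g. `logger.debug("BaseLdapPath: {}", contextSource.getBaseLdapPathAsString());`. PATCH 10 later converts only the "Group received" line, so the two contextSource() lines still concatenate at the end of the series. The "Initializing LDAP ContextSource with the following values: " message carries no values itself and could be folded into the two lines that do; `providerPassword`, set between those log lines, is rightly kept out of the output.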
@@ -91,7 +91,7 @@ public void setGroupRepository(GroupRepository groupRepository) { @Autowired public void configureLdapAuth(AuthenticationManagerBuilder auth, - LdapAuthoritiesPopulator ldapAuthoritiesPopulator, @Qualifier("contextSource") BaseLdapPathContextSource contextSource) + LdapAuthoritiesPopulator ldapAuthoritiesPopulator, @Qualifier("contextSource") BaseLdapPathContextSource contextSource) throws Exception { if (providerUrl != null) { logger.info("LDAP Module is loading..."); From 9d51175dd9f6d35e1305179c49a72b764940f83a Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:43:43 -0700 Subject: [PATCH 07/11] Clean unused import --- ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java | 1 - 1 file changed, 1 deletion(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index a770f5d08..7b6f7a6be 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -5,7 +5,6 @@ import java.util.*; import org.openmbee.mms.core.config.AuthorizationConstants; -import org.openmbee.mms.data.domains.global.Base; import org.openmbee.mms.data.domains.global.Group; import org.openmbee.mms.rdb.repositories.GroupRepository; import org.openmbee.mms.rdb.repositories.UserRepository; From 04de2123edd1a1b833d1f1877b95c89ca7710866 Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:47:05 -0700 Subject: [PATCH 08/11] Merge from develop --- .../src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index 3b90626b8..a060737a8 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java 
@@ -5,7 +5,6 @@ import java.util.*; import org.openmbee.mms.core.config.AuthorizationConstants; -import org.openmbee.mms.data.domains.global.Base; import org.openmbee.mms.data.domains.global.Group; import org.openmbee.mms.rdb.repositories.GroupRepository; import org.openmbee.mms.rdb.repositories.UserRepository; @@ -26,7 +25,6 @@ import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; -import org.springframework.security.ldap.DefaultSpringSecurityContextSource; import org.springframework.security.ldap.SpringSecurityLdapTemplate; import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator; import org.springframework.transaction.annotation.EnableTransactionManagement; From 6e3884fb03823c46010ca20c5ef868b2476c46d3 Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:54:13 -0700 Subject: [PATCH 09/11] Updating examples for properties definitions --- example/src/main/resources/application.properties.example | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/example/src/main/resources/application.properties.example b/example/src/main/resources/application.properties.example index 8f49b45a1..128954249 100644 --- a/example/src/main/resources/application.properties.example +++ b/example/src/main/resources/application.properties.example 
@@ -12,18 +12,18 @@ jwt.expiration=86400 jwt.header=Authorization # See ldap module for example configuration -ldap.provider.base=ou=something,dc=openmbee,dc=org -ldap.provider.url=ldaps://ldap.openmbee.org/${ldap.provider.base} +ldap.provider.base=dc=directory,dc=openmbee,dc=org +ldap.provider.url=ldaps://ldap.openmbee.org ldap.provider.userdn= ldap.provider.password= -ldap.user.dn.pattern=uid={0} +ldap.user.dn.pattern=uid={0},ou=personnel ldap.user.attributes.username= ldap.user.attributes.email= ldap.user.attributes.firstname= ldap.user.attributes.lastname= ldap.user.attributes.update=24 ldap.group.role.attribute=cn -ldap.group.search.base= +ldap.group.search.base=ou=groups ldap.group.search.filter=uniqueMember={0} # See core module for example configuration From cef85cb7871f993045eb1313923e15011c710f3c Mon Sep 17 00:00:00 2001 From: Jason Han Date: Tue, 30 Aug 2022 15:55:25 -0700 Subject: [PATCH 10/11] Remove superfluous logging --- .../main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java index a060737a8..8f0adc6f4 100644 --- a/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java +++ b/ldap/src/main/java/org/openmbee/mms/ldap/LdapSecurityConfig.java @@ -163,7 +163,6 @@ public Collection getGrantedAuthorities( String filter = andFilter.encode(); logger.debug("Searching LDAP with filter: {}", filter); - logger.debug("Generated LDAP query filter for groups: " + andFilter); Set memberGroups = ldapTemplate .searchForSingleAttributeValues(groupSearchBase, filter, new Object[]{""}, groupRoleAttribute); 
@@ -178,7 +177,7 @@ public Collection getGrantedAuthorities( if (logger.isDebugEnabled()) { if ((long) addGroups.size() > 0) { addGroups.forEach(group -> { - logger.debug("Group received: " + group.getName()); + logger.debug("Group received: {}", group.getName()); }); } else { logger.debug("No configured groups returned from LDAP"); From 0f2767bd8fd64a4b60d261da78ab9048a2fa0b5e Mon Sep 17 00:00:00 2001 From: Jason Han Date: Wed, 31 Aug 2022 10:49:10 -0700 Subject: [PATCH 11/11] Update version for release --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 8be66ab85..6c5dbbab5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1,4 +1,4 @@ -version=4.0.8 +version=4.0.9 group=org.openmbee.mms springBootVersion=2.6.7