1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.common.lib.auth;
20  
21  import java.io.Serializable;
22  import java.util.ArrayList;
23  import java.util.List;
24  import java.util.Map;
25  import java.util.concurrent.TimeUnit;
26  import org.apache.syncope.common.lib.AbstractLDAPConf;
27  import org.apache.syncope.common.lib.to.AuthModuleTO;
28  import org.apache.syncope.common.lib.types.X509PolicySetting;
29  import org.apache.syncope.common.lib.types.X509PrincipalType;
30  import org.apache.syncope.common.lib.types.X509RevocationCheckerType;
31  import org.apache.syncope.common.lib.types.X509RevocationFetcherType;
32  import org.apache.syncope.common.lib.types.X509SubjectDnFormat;
33  
/**
 * Configuration of the X.509 client-certificate authentication module.
 * <p>
 * This is a plain, mutable settings holder: every setter stores its argument as-is and nothing is validated here,
 * so the component consuming this object is responsible for rejecting unusable values (for instance a regular
 * expression that does not compile).
 * <p>
 * Several defaults favour ease of setup over strictness and deserve a second look before production use:
 * {@link #revocationChecker} is {@code NONE}, {@link #regExSubjectDnPattern} is {@code .+},
 * {@link #regExTrustedIssuerDnPattern} is left unset, and both KeyUsage checks are off.
 */
public class X509AuthModuleConf implements AuthModuleConf {

    private static final long serialVersionUID = 1915254775199296906L;

    /**
     * Name of the authentication handler.
     */
    private String name;

    /**
     * Position of the handler in the authentication chain (defaults to {@link Integer#MAX_VALUE}).
     */
    private int order = Integer.MAX_VALUE;

    /**
     * Threshold applied when an expired CRL is handled through a threshold-based revocation policy.
     * Defaults to 172800, i.e. 48 hours if the consumer reads it as seconds (confirm against the consumer).
     */
    private int revocationPolicyThreshold = 48 * 3_600;

    /**
     * Whether revocation checking consults every configured resource, or stops at the first one.
     */
    private boolean checkAll;

    /**
     * Refresh interval, in seconds, of the internal scheduler used when CRLs are loaded from resources
     * (defaults to one hour).
     */
    private int refreshIntervalSeconds = 60 * 60;

    /**
     * When CRLs are fetched from distribution points, whether a fetch failure is surfaced as an error
     * instead of being tolerated. Off by default.
     */
    private boolean throwOnFetchFailure;

    /**
     * How the principal identifier is derived from the certificate; defaults to the subject DN.
     */
    private X509PrincipalType principalType = X509PrincipalType.SUBJECT_DN;

    /**
     * Alternate attribute for principal resolution; relevant for {@code CN_EDIPI}, {@code RFC822_EMAIL},
     * {@code SUBJECT} and {@code SUBJECT_ALT_NAME} principal types.
     */
    private String principalAlternateAttribute;

    /**
     * Format applied to the subject DN; relevant for the {@code SUBJECT_DN} principal type.
     */
    private X509SubjectDnFormat principalTypeSubjectDnFormat = X509SubjectDnFormat.DEFAULT;

    /**
     * Serial number prefix used for principal resolution; relevant for the {@code SERIAL_NO_DN} principal type.
     */
    private String principalTypeSerialNoDnSerialNumberPrefix = "SERIALNUMBER=";

    /**
     * Value delimiter used for principal resolution; relevant for the {@code SERIAL_NO_DN} principal type.
     */
    private String principalTypeSerialNoDnValueDelimiter = ", ";

    /**
     * Radix used to render the serial number; relevant for the {@code SERIAL_NO} principal type.
     * No radix is set here (0) — TODO confirm the consumer substitutes a usable one when left at 0.
     */
    private int principalTypeSerialNoSNRadix;

    /**
     * Whether hexadecimal serial numbers are zero-padded; relevant for the {@code SERIAL_NO} principal type.
     */
    private boolean principalTypeSerialNoHexSNZeroPadding;

    /**
     * Strategy for certificate revocation checking. Defaults to {@code NONE}, which by its name performs
     * no revocation check at all: a revoked but otherwise valid certificate is then still accepted.
     */
    private X509RevocationCheckerType revocationChecker = X509RevocationCheckerType.NONE;

    /**
     * How CRL resources are fetched; defaults to {@code RESOURCE}.
     */
    private X509RevocationFetcherType crlFetcher = X509RevocationFetcherType.RESOURCE;

    /**
     * CRL resources to fetch. The live list is exposed through {@link #getCrlResources()} and is meant to be
     * populated in place.
     */
    private final List<String> crlResources = new ArrayList<>(0);

    /**
     * When CRLs are cached, maximum number of entries kept in memory.
     */
    private int cacheMaxElementsInMemory = 1_000;

    /**
     * When CRLs are cached, whether the cache may overflow to disk.
     */
    private boolean cacheDiskOverflow;

    /**
     * Size of the on-disk cache, as a string understood by the cache implementation.
     */
    private String cacheDiskSize = "100MB";

    /**
     * When CRLs are cached, whether entries never expire.
     */
    private boolean cacheEternal;

    /**
     * Whether X.509 authentication coexists with other forms of authentication such as username/password.
     * When turned off, the ability to show the login form as the primary means of authentication is
     * typically turned off as well. On by default.
     */
    private boolean mixedMode = true;

    /**
     * When CRLs are cached, time-to-live of entries, in seconds (defaults to four hours).
     */
    private long cacheTimeToLiveSeconds = TimeUnit.HOURS.toSeconds(4);

    /**
     * Policy applied when the CRL resource is unavailable; {@code DENY} by default (fail closed).
     */
    private X509PolicySetting crlResourceUnavailablePolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL resource has expired; {@code DENY} by default (fail closed).
     * Effective when {@link #revocationChecker} is {@code RESOURCE}.
     */
    private X509PolicySetting crlResourceExpiredPolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL is unavailable; {@code DENY} by default (fail closed).
     * Effective when {@link #revocationChecker} is {@code CRL}.
     */
    private X509PolicySetting crlUnavailablePolicy = X509PolicySetting.DENY;

    /**
     * Policy applied when the CRL has expired; {@code DENY} by default (fail closed).
     * Effective when {@link #revocationChecker} is {@code CRL}.
     */
    private X509PolicySetting crlExpiredPolicy = X509PolicySetting.DENY;

    /**
     * Regular expression (kept as a string here, compiled by the consumer) that the issuer DN of an accepted
     * certificate must match. No default is provided, so unless it is set this configuration expresses no
     * issuer restriction; how the consumer treats a {@code null} pattern must be confirmed there.
     */
    private String regExTrustedIssuerDnPattern;

    /**
     * Maximum certification path length accepted for a supplied certificate (defaults to 1).
     */
    private int maxPathLength = 1;

    /**
     * Whether a supplied certificate without a path length constraint (unlimited) is accepted. Off by default.
     */
    private boolean maxPathLengthAllowUnspecified;

    /**
     * Whether the KeyUsage extension is inspected. Off by default.
     */
    private boolean checkKeyUsage;

    /**
     * Whether a correct KeyUsage extension is mandatory rather than merely checked. Off by default.
     */
    private boolean requireKeyUsage;

    /**
     * Regular expression a certificate's subject DN must satisfy to be accepted.
     * Defaults to {@code .+}, which accepts any non-empty subject DN: tighten it in production deployments.
     */
    private String regExSubjectDnPattern = ".+";

    /**
     * Whether to extract the certificate from a request header instead of the TLS handshake.
     * The default implementation parses the header named by {@link #sslHeaderName} with the same logic as
     * Tomcat's SSLValve. Deliberately off by default: the header is trusted as-is, so it may only be enabled
     * behind a reverse proxy that sets it from its own TLS handshake and strips any copy arriving directly
     * from the client; otherwise a client could present an arbitrary certificate simply by sending the header.
     */
    private boolean extractCert;

    /**
     * Name of the request header consulted for the client certificate when {@link #extractCert} is on
     * (e.g. when behind a proxy).
     */
    private String sslHeaderName = "ssl_client_cert";

    /**
     * LDAP source for CRLs; {@code null} unless configured.
     */
    private LDAP ldap;

    /**
     * LDAP settings for CRL retrieval: the connection details inherited from {@link AbstractLDAPConf}
     * plus the attribute that holds the CRL.
     */
    public static class LDAP extends AbstractLDAPConf implements Serializable {

        private static final long serialVersionUID = -7274446267090678730L;

        /**
         * LDAP attribute holding the certificate revocation list.
         */
        private String certificateAttribute = "certificateRevocationList";

        public String getCertificateAttribute() {
            return certificateAttribute;
        }

        public void setCertificateAttribute(final String certificateAttribute) {
            this.certificateAttribute = certificateAttribute;
        }
    }

    // ---- handler identity ----

    public String getName() {
        return name;
    }

    public void setName(final String name) {
        this.name = name;
    }

    public int getOrder() {
        return order;
    }

    public void setOrder(final int order) {
        this.order = order;
    }

    // ---- principal resolution ----

    public X509PrincipalType getPrincipalType() {
        return principalType;
    }

    public void setPrincipalType(final X509PrincipalType principalType) {
        this.principalType = principalType;
    }

    public String getPrincipalAlternateAttribute() {
        return principalAlternateAttribute;
    }

    public void setPrincipalAlternateAttribute(final String principalAlternateAttribute) {
        this.principalAlternateAttribute = principalAlternateAttribute;
    }

    public X509SubjectDnFormat getPrincipalTypeSubjectDnFormat() {
        return principalTypeSubjectDnFormat;
    }

    public void setPrincipalTypeSubjectDnFormat(final X509SubjectDnFormat principalTypeSubjectDnFormat) {
        this.principalTypeSubjectDnFormat = principalTypeSubjectDnFormat;
    }

    public String getPrincipalTypeSerialNoDnSerialNumberPrefix() {
        return principalTypeSerialNoDnSerialNumberPrefix;
    }

    public void setPrincipalTypeSerialNoDnSerialNumberPrefix(final String principalTypeSerialNoDnSerialNumberPrefix) {
        this.principalTypeSerialNoDnSerialNumberPrefix = principalTypeSerialNoDnSerialNumberPrefix;
    }

    public String getPrincipalTypeSerialNoDnValueDelimiter() {
        return principalTypeSerialNoDnValueDelimiter;
    }

    public void setPrincipalTypeSerialNoDnValueDelimiter(final String principalTypeSerialNoDnValueDelimiter) {
        this.principalTypeSerialNoDnValueDelimiter = principalTypeSerialNoDnValueDelimiter;
    }

    public int getPrincipalTypeSerialNoSNRadix() {
        return principalTypeSerialNoSNRadix;
    }

    public void setPrincipalTypeSerialNoSNRadix(final int principalTypeSerialNoSNRadix) {
        this.principalTypeSerialNoSNRadix = principalTypeSerialNoSNRadix;
    }

    public boolean isPrincipalTypeSerialNoHexSNZeroPadding() {
        return principalTypeSerialNoHexSNZeroPadding;
    }

    public void setPrincipalTypeSerialNoHexSNZeroPadding(final boolean principalTypeSerialNoHexSNZeroPadding) {
        this.principalTypeSerialNoHexSNZeroPadding = principalTypeSerialNoHexSNZeroPadding;
    }

    // ---- certificate acceptance ----

    public String getRegExTrustedIssuerDnPattern() {
        return regExTrustedIssuerDnPattern;
    }

    public void setRegExTrustedIssuerDnPattern(final String regExTrustedIssuerDnPattern) {
        this.regExTrustedIssuerDnPattern = regExTrustedIssuerDnPattern;
    }

    public String getRegExSubjectDnPattern() {
        return regExSubjectDnPattern;
    }

    public void setRegExSubjectDnPattern(final String regExSubjectDnPattern) {
        this.regExSubjectDnPattern = regExSubjectDnPattern;
    }

    public int getMaxPathLength() {
        return maxPathLength;
    }

    public void setMaxPathLength(final int maxPathLength) {
        this.maxPathLength = maxPathLength;
    }

    public boolean isMaxPathLengthAllowUnspecified() {
        return maxPathLengthAllowUnspecified;
    }

    public void setMaxPathLengthAllowUnspecified(final boolean maxPathLengthAllowUnspecified) {
        this.maxPathLengthAllowUnspecified = maxPathLengthAllowUnspecified;
    }

    public boolean isCheckKeyUsage() {
        return checkKeyUsage;
    }

    public void setCheckKeyUsage(final boolean checkKeyUsage) {
        this.checkKeyUsage = checkKeyUsage;
    }

    public boolean isRequireKeyUsage() {
        return requireKeyUsage;
    }

    public void setRequireKeyUsage(final boolean requireKeyUsage) {
        this.requireKeyUsage = requireKeyUsage;
    }

    // ---- revocation checking ----

    public X509RevocationCheckerType getRevocationChecker() {
        return revocationChecker;
    }

    public void setRevocationChecker(final X509RevocationCheckerType revocationChecker) {
        this.revocationChecker = revocationChecker;
    }

    public X509RevocationFetcherType getCrlFetcher() {
        return crlFetcher;
    }

    public void setCrlFetcher(final X509RevocationFetcherType crlFetcher) {
        this.crlFetcher = crlFetcher;
    }

    /**
     * @return the live, modifiable list of CRL resources (no setter: add entries to this list)
     */
    public List<String> getCrlResources() {
        return crlResources;
    }

    public boolean isCheckAll() {
        return checkAll;
    }

    public void setCheckAll(final boolean checkAll) {
        this.checkAll = checkAll;
    }

    public boolean isThrowOnFetchFailure() {
        return throwOnFetchFailure;
    }

    public void setThrowOnFetchFailure(final boolean throwOnFetchFailure) {
        this.throwOnFetchFailure = throwOnFetchFailure;
    }

    public int getRefreshIntervalSeconds() {
        return refreshIntervalSeconds;
    }

    public void setRefreshIntervalSeconds(final int refreshIntervalSeconds) {
        this.refreshIntervalSeconds = refreshIntervalSeconds;
    }

    public int getRevocationPolicyThreshold() {
        return revocationPolicyThreshold;
    }

    public void setRevocationPolicyThreshold(final int revocationPolicyThreshold) {
        this.revocationPolicyThreshold = revocationPolicyThreshold;
    }

    public X509PolicySetting getCrlResourceUnavailablePolicy() {
        return crlResourceUnavailablePolicy;
    }

    public void setCrlResourceUnavailablePolicy(final X509PolicySetting crlResourceUnavailablePolicy) {
        this.crlResourceUnavailablePolicy = crlResourceUnavailablePolicy;
    }

    public X509PolicySetting getCrlResourceExpiredPolicy() {
        return crlResourceExpiredPolicy;
    }

    public void setCrlResourceExpiredPolicy(final X509PolicySetting crlResourceExpiredPolicy) {
        this.crlResourceExpiredPolicy = crlResourceExpiredPolicy;
    }

    public X509PolicySetting getCrlUnavailablePolicy() {
        return crlUnavailablePolicy;
    }

    public void setCrlUnavailablePolicy(final X509PolicySetting crlUnavailablePolicy) {
        this.crlUnavailablePolicy = crlUnavailablePolicy;
    }

    public X509PolicySetting getCrlExpiredPolicy() {
        return crlExpiredPolicy;
    }

    public void setCrlExpiredPolicy(final X509PolicySetting crlExpiredPolicy) {
        this.crlExpiredPolicy = crlExpiredPolicy;
    }

    public LDAP getLdap() {
        return ldap;
    }

    public void setLdap(final LDAP ldap) {
        this.ldap = ldap;
    }

    // ---- CRL cache ----

    public int getCacheMaxElementsInMemory() {
        return cacheMaxElementsInMemory;
    }

    public void setCacheMaxElementsInMemory(final int cacheMaxElementsInMemory) {
        this.cacheMaxElementsInMemory = cacheMaxElementsInMemory;
    }

    public boolean isCacheDiskOverflow() {
        return cacheDiskOverflow;
    }

    public void setCacheDiskOverflow(final boolean cacheDiskOverflow) {
        this.cacheDiskOverflow = cacheDiskOverflow;
    }

    public String getCacheDiskSize() {
        return cacheDiskSize;
    }

    public void setCacheDiskSize(final String cacheDiskSize) {
        this.cacheDiskSize = cacheDiskSize;
    }

    public boolean isCacheEternal() {
        return cacheEternal;
    }

    public void setCacheEternal(final boolean cacheEternal) {
        this.cacheEternal = cacheEternal;
    }

    public long getCacheTimeToLiveSeconds() {
        return cacheTimeToLiveSeconds;
    }

    public void setCacheTimeToLiveSeconds(final long cacheTimeToLiveSeconds) {
        this.cacheTimeToLiveSeconds = cacheTimeToLiveSeconds;
    }

    // ---- request handling ----

    public boolean isMixedMode() {
        return mixedMode;
    }

    public void setMixedMode(final boolean mixedMode) {
        this.mixedMode = mixedMode;
    }

    public boolean isExtractCert() {
        return extractCert;
    }

    public void setExtractCert(final boolean extractCert) {
        this.extractCert = extractCert;
    }

    public String getSslHeaderName() {
        return sslHeaderName;
    }

    public void setSslHeaderName(final String sslHeaderName) {
        this.sslHeaderName = sslHeaderName;
    }

    /**
     * Hands this configuration and the owning module to the supplied mapper; the mapping itself is
     * entirely delegated.
     *
     * @param authModule the auth module this configuration belongs to
     * @param mapper the mapper producing the property map
     * @return whatever the mapper returns for this configuration
     */
    @Override
    public Map<String, Object> map(final AuthModuleTO authModule, final Mapper mapper) {
        return mapper.map(authModule, this);
    }
}