View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.syncope.core.provisioning.java.pushpull;
20  
21  import java.util.Base64;
22  import java.util.Optional;
23  import java.util.Set;
24  import javax.xml.bind.DatatypeConverter;
25  import org.apache.commons.lang3.tuple.Pair;
26  import org.apache.syncope.common.lib.to.EntityTO;
27  import org.apache.syncope.common.lib.to.Provision;
28  import org.apache.syncope.common.lib.to.ProvisioningReport;
29  import org.apache.syncope.common.lib.to.UserTO;
30  import org.apache.syncope.common.lib.types.AnyTypeKind;
31  import org.apache.syncope.common.lib.types.CipherAlgorithm;
32  import org.apache.syncope.core.persistence.api.dao.UserDAO;
33  import org.apache.syncope.core.persistence.api.entity.user.User;
34  import org.apache.syncope.core.provisioning.api.pushpull.ProvisioningProfile;
35  import org.apache.syncope.core.provisioning.api.pushpull.PullActions;
36  import org.identityconnectors.common.security.GuardedString;
37  import org.identityconnectors.common.security.SecurityUtil;
38  import org.identityconnectors.framework.common.objects.AttributeUtil;
39  import org.identityconnectors.framework.common.objects.OperationalAttributes;
40  import org.identityconnectors.framework.common.objects.SyncDelta;
41  import org.quartz.JobExecutionException;
42  import org.slf4j.Logger;
43  import org.slf4j.LoggerFactory;
44  import org.springframework.beans.factory.annotation.Autowired;
45  import org.springframework.transaction.annotation.Transactional;
46  
47  /**
48   * A {@link org.apache.syncope.core.provisioning.api.pushpull.PullActions} implementation which allows the ability to
49   * import passwords from an LDAP backend that are hashed.
50   */
51  public class LDAPPasswordPullActions implements PullActions {
52  
53      protected static final Logger LOG = LoggerFactory.getLogger(LDAPPasswordPullActions.class);
54  
55      @Autowired
56      protected UserDAO userDAO;
57  
58      @Override
59      public Set<String> moreAttrsToGet(final ProvisioningProfile<?, ?> profile, final Provision provision) {
60          if (AnyTypeKind.USER.name().equals(provision.getAnyType())) {
61              return Set.of(OperationalAttributes.PASSWORD_NAME);
62          }
63          return PullActions.super.moreAttrsToGet(profile, provision);
64      }
65  
66      private static Optional<Pair<String, CipherAlgorithm>> parseEncodedPassword(final String password) {
67          if (password != null && password.startsWith("{")) {
68              String digest = Optional.ofNullable(
69                      password.substring(1, password.indexOf('}'))).map(String::toUpperCase).
70                      orElse(null);
71              int closingBracketIndex = password.indexOf('}');
72              try {
73                  return Optional.of(
74                          Pair.of(password.substring(closingBracketIndex + 1), CipherAlgorithm.valueOf(digest)));
75              } catch (IllegalArgumentException e) {
76                  LOG.error("Cipher algorithm not allowed: {}", digest, e);
77              }
78          }
79          return Optional.empty();
80      }
81  
82      @Transactional
83      @Override
84      public void after(
85              final ProvisioningProfile<?, ?> profile,
86              final SyncDelta delta,
87              final EntityTO entity,
88              final ProvisioningReport result) throws JobExecutionException {
89  
90          if (entity instanceof UserTO) {
91              User user = userDAO.find(entity.getKey());
92              if (user != null) {
93                  GuardedString passwordAttr = AttributeUtil.getPasswordValue(delta.getObject().getAttributes());
94                  if (passwordAttr != null) {
95                      parseEncodedPassword(SecurityUtil.decrypt(passwordAttr)).ifPresent(encoded -> {
96                          byte[] encodedPasswordBytes = Base64.getDecoder().decode(encoded.getLeft().getBytes());
97                          String encodedHexStr = DatatypeConverter.printHexBinary(encodedPasswordBytes).toUpperCase();
98  
99                          user.setEncodedPassword(encodedHexStr, encoded.getRight());
100                     });
101                 }
102             }
103         }
104     }
105 }