/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.acegisecurity.providers.ldap.populator;

 import org.acegisecurity.GrantedAuthority;

 import org.acegisecurity.GrantedAuthorityImpl;

 import org.acegisecurity.ldap.InitialDirContextFactory;

 import org.acegisecurity.ldap.LdapTemplate;

 import org.acegisecurity.providers.ldap.LdapAuthoritiesPopulator;

 import org.acegisecurity.userdetails.ldap.LdapUserDetails;

 import org.apache.commons.logging.Log;

 import org.apache.commons.logging.LogFactory;

 import org.springframework.util.Assert;

 import java.util.HashSet;

 import java.util.Iterator;

 import java.util.Set;

 import javax.naming.directory.Attributes;

 import javax.naming.directory.SearchControls;

 /**

  * The default strategy for obtaining user role information from the directory.

  * <p/>

  * <p>It obtains roles by performing a search for "groups" the user is a member of.</p>

  * <p/>

  * <p/>

  * A typical group search scenario would be where each group/role is specified using the <tt>groupOfNames</tt>

  * (or <tt>groupOfUniqueNames</tt>) LDAP objectClass and the user's DN is listed in the <tt>member</tt> (or

  * <tt>uniqueMember</tt>) attribute to indicate that they should be assigned that role. The following LDIF sample has

  * the groups stored under the DN <tt>ou=groups,dc=acegisecurity,dc=org</tt> and a group called "developers" with

  * "ben" and "marissa" as members:

  * <pre>

  * dn: ou=groups,dc=acegisecurity,dc=orgobjectClass: top

  * objectClass: organizationalUnitou: groupsdn: cn=developers,ou=groups,dc=acegisecurity,dc=org

  * objectClass: groupOfNamesobjectClass: topcn: developersdescription: Acegi Security Developers

  * member: uid=ben,ou=people,dc=acegisecurity,dc=orgmember: uid=marissa,ou=people,dc=acegisecurity,dc=orgou: developer

  * </pre>

  * </p>

  * <p/>

  * The group search is performed within a DN specified by the <tt>groupSearchBase</tt> property, which should

  * be relative to the root DN of its <tt>InitialDirContextFactory</tt>. If the search base is null, group searching is

  * disabled. The filter used in the search is defined by the <tt>groupSearchFilter</tt> property, with the filter

  * argument {0} being the full DN of the user. You can also optionally use the parameter {1}, which will be substituted

  * with the username. You can also specify which attribute defines the role name by setting

  * the <tt>groupRoleAttribute</tt> property (the default is "cn").</p>

  * <p/>

  * <p>The configuration below shows how the group search might be performed with the above schema.

  * <pre>

  * <bean id="ldapAuthoritiesPopulator"

  *         class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">

  *   <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>

  *   <constructor-arg><value>ou=groups</value></constructor-arg>

  *   <property name="groupRoleAttribute"><value>ou</value></property>

  * <!-- the following properties are shown with their default values -->

  *   <property name="searchSubTree"><value>false</value></property>

  *   <property name="rolePrefix"><value>ROLE_</value></property>

  *   <property name="convertToUpperCase"><value>true</value></property>

  * </bean>

  * </pre>

  * A search for roles for user "uid=ben,ou=people,dc=acegisecurity,dc=org" would return the single granted authority

  * "ROLE_DEVELOPER".

  * </p>

  * <p/>

  * The single-level search is performed by default. Setting the <tt>searchSubTree</tt> property to true will enable

  * a search of the entire subtree under <tt>groupSearchBase</tt>.

  *

  * @author Luke Taylor

  * @version $Id: DefaultLdapAuthoritiesPopulator.java 1996 2007-08-30 21:15:14Z luke_t $

  */

 public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

     //~ Static fields/initializers =====================================================================================

     private static final Log logger = LogFactory.getLog(DefaultLdapAuthoritiesPopulator.class);

     //~ Instance fields ================================================================================================

     /**

      * A default role which will be assigned to all authenticated users if set

      */

     private GrantedAuthority defaultRole = null;

     /**

      * An initial context factory is only required if searching for groups is required.

      */

     private InitialDirContextFactory initialDirContextFactory = null;

     private LdapTemplate ldapTemplate;

     /**

      * Controls used to determine whether group searches should be performed over the full sub-tree from the

      * base DN. Modified by searchSubTree property

      */

     private SearchControls searchControls = new SearchControls();

     /**

      * The ID of the attribute which contains the role name for a group

      */

     private String groupRoleAttribute = "cn";

     /**

      * The base DN from which the search for group membership should be performed

      */

     private String groupSearchBase = null;

     /**

      * The pattern to be used for the user search. {0} is the user's DN

      */

     private String groupSearchFilter = "(member={0})";

     /**

      * Attributes of the User's LDAP Object that contain role name information.

      */

 //    private String[] userRoleAttributes = null;

     private String rolePrefix = "ROLE_";

     private boolean convertToUpperCase = true;

     //~ Constructors ===================================================================================================

     /**

      * Constructor for group search scenarios. <tt>userRoleAttributes</tt> may still be

      * set as a property.

      *

      * @param initialDirContextFactory supplies the contexts used to search for user roles.

      * @param groupSearchBase          if this is an empty string the search will be performed from the root DN of the

      *                                 context factory.

      */

     public DefaultLdapAuthoritiesPopulator(InitialDirContextFactory initialDirContextFactory, String groupSearchBase) {

         this.setInitialDirContextFactory(initialDirContextFactory);

         this.setGroupSearchBase(groupSearchBase);

     }

     //~ Methods ========================================================================================================

     /**

      * This method should be overridden if required to obtain any additional

      * roles for the given user (on top of those obtained from the standard

      * search implemented by this class).

      *

      * @param ldapUser the user who's roles are required

      * @return the extra roles which will be merged with those returned by the group search

      */

     protected Set getAdditionalRoles(LdapUserDetails ldapUser) {

         return null;

     }

     /**

      * Obtains the authorities for the user who's directory entry is represented by

      * the supplied LdapUserDetails object.

      *

      * @param userDetails the user who's authorities are required

      * @return the set of roles granted to the user.

      */

     public final GrantedAuthority[] getGrantedAuthorities(LdapUserDetails userDetails) {

         String userDn = userDetails.getDn();

         if (logger.isDebugEnabled()) {

             logger.debug("Getting authorities for user " + userDn);

         }

         Set roles = getGroupMembershipRoles(userDn, userDetails.getUsername());

         // Temporary use of deprecated method

         Set oldGroupRoles = getGroupMembershipRoles(userDn, userDetails.getAttributes());

         if (oldGroupRoles != null) {

             roles.addAll(oldGroupRoles);

         }

         Set extraRoles = getAdditionalRoles(userDetails);

         if (extraRoles != null) {

             roles.addAll(extraRoles);

         }

         if (defaultRole != null) {

             roles.add(defaultRole);

         }

         return (GrantedAuthority[]) roles.toArray(new GrantedAuthority[roles.size()]);

     }

 //    protected Set getRolesFromUserAttributes(String userDn, Attributes userAttributes) {

 //        Set userRoles = new HashSet();

 //

 //        for(int i=0; userRoleAttributes != null && i < userRoleAttributes.length; i++) {

 //            Attribute roleAttribute = userAttributes.get(userRoleAttributes[i]);

 //

 //            addAttributeValuesToRoleSet(roleAttribute, userRoles);

 //        }

 //

 //        return userRoles;

 //    }

     public Set getGroupMembershipRoles(String userDn, String username) {

         Set authorities = new HashSet();

         if (getGroupSearchBase() == null) {

             return authorities;

         }

         if (logger.isDebugEnabled()) {

             logger.debug("Searching for roles for user '" + username + "', DN = " + "'" + userDn + "', with filter "

                     + groupSearchFilter + " in search base '" + getGroupSearchBase() + "'");

         }

         Set userRoles = ldapTemplate.searchForSingleAttributeValues(getGroupSearchBase(), groupSearchFilter,

                 new String[]{userDn, username}, groupRoleAttribute);

         if (logger.isDebugEnabled()) {

             logger.debug("Roles from search: " + userRoles);

         }

         Iterator it = userRoles.iterator();

         while (it.hasNext()) {

             String role = (String) it.next();

             if (convertToUpperCase) {

                 role = role.toUpperCase();

             }

             authorities.add(new GrantedAuthorityImpl(rolePrefix + role));

         }

         return authorities;

     }

     /**

      * Searches for groups the user is a member of.

      *

      * @param userDn         the user's distinguished name.

      * @param userAttributes the retrieved user's attributes (unused by default).

      * @return the set of roles obtained from a group membership search, or null if <tt>groupSearchBase</tt> has been

      *         set.

      * @deprecated Subclasses should implement <tt>getAdditionalRoles</tt> instead.

      */

     protected Set getGroupMembershipRoles(String userDn, Attributes userAttributes) {

         return new HashSet();

     }

     protected InitialDirContextFactory getInitialDirContextFactory() {

         return initialDirContextFactory;

     }

     /**

      * Set the {@link InitialDirContextFactory}

      *

      * @param initialDirContextFactory supplies the contexts used to search for user roles.

      */

     private void setInitialDirContextFactory(InitialDirContextFactory initialDirContextFactory) {

         Assert.notNull(initialDirContextFactory, "InitialDirContextFactory must not be null");

         this.initialDirContextFactory = initialDirContextFactory;

         ldapTemplate = new LdapTemplate(initialDirContextFactory);

         ldapTemplate.setSearchControls(searchControls);

     }

     /**

      * Set the group search base (name to search under)

      *

      * @param groupSearchBase if this is an empty string the search will be performed from the root DN of the context

      *                        factory.

      */

     private void setGroupSearchBase(String groupSearchBase) {

         Assert.notNull(groupSearchBase, "The groupSearchBase (name to search under), must not be null.");

         this.groupSearchBase = groupSearchBase;

         if (groupSearchBase.length() == 0) {

             logger.info("groupSearchBase is empty. Searches will be performed from the root: "

                     + getInitialDirContextFactory().getRootDn());

         }

     }

     protected String getGroupSearchBase() {

         return groupSearchBase;

     }

     public void setConvertToUpperCase(boolean convertToUpperCase) {

         this.convertToUpperCase = convertToUpperCase;

     }

     /**

      * The default role which will be assigned to all users.

      *

      * @param defaultRole the role name, including any desired prefix.

      */

     public void setDefaultRole(String defaultRole) {

         Assert.notNull(defaultRole, "The defaultRole property cannot be set to null");

         this.defaultRole = new GrantedAuthorityImpl(defaultRole);

     }

     public void setGroupRoleAttribute(String groupRoleAttribute) {

         Assert.notNull(groupRoleAttribute, "groupRoleAttribute must not be null");

         this.groupRoleAttribute = groupRoleAttribute;

     }

     public void setGroupSearchFilter(String groupSearchFilter) {

         Assert.notNull(groupSearchFilter, "groupSearchFilter must not be null");

         this.groupSearchFilter = groupSearchFilter;

     }

     public void setRolePrefix(String rolePrefix) {

         Assert.notNull(rolePrefix, "rolePrefix must not be null");

         this.rolePrefix = rolePrefix;

     }

     /**

      * If set to true, a subtree scope search will be performed. If false a single-level search is used.

      *

      * @param searchSubtree set to true to enable searching of the entire tree below the <tt>groupSearchBase</tt>.

      */

     public void setSearchSubtree(boolean searchSubtree) {

         int searchScope = searchSubtree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE;

         searchControls.setSearchScope(searchScope);

     }

 }