コード例 #1
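  /**
   * Initializes this handler from {@code configuration}: registers for change
   * notifications, caches the certificate validation policy and the attribute
   * type used to look up certificates in user entries, and registers the
   * handler for the EXTERNAL mechanism.
   *
   * @param configuration the handler configuration; retained in
   *        {@code currentConfig} and used by later binds.
   * @throws ConfigException declared by the interface; not thrown directly by
   *         this body.
   * @throws InitializationException declared by the interface; not thrown
   *         directly by this body.
   */
  @Override
  public void initializeSASLMechanismHandler(ExternalSASLMechanismHandlerCfg configuration)
      throws ConfigException, InitializationException {
    configuration.addExternalChangeListener(this);
    currentConfig = configuration;

    // Fail closed and mirror applyConfigurationChange(): start from the
    // strictest policy so a value the switch does not recognise leaves a
    // defined policy behind rather than an unset field.
    validationPolicy = CertificateValidationPolicy.ALWAYS;
    switch (configuration.getCertificateValidationPolicy()) {
      case NEVER:
        validationPolicy = CertificateValidationPolicy.NEVER;
        break;
      case IFPRESENT:
        validationPolicy = CertificateValidationPolicy.IFPRESENT;
        break;
      case ALWAYS:
      default:
        validationPolicy = CertificateValidationPolicy.ALWAYS;
        break;
    }

    // Attribute whose values are compared against the peer certificate.  When
    // the configuration leaves it unset, fall back to the default type
    // (userCertificate).  The second argument to getAttributeType() is
    // presumably "return a default type if unknown" -- verify against its javadoc.
    certificateAttributeType = configuration.getCertificateAttribute();
    if (certificateAttributeType == null) {
      certificateAttributeType =
          DirectoryServer.getAttributeType(DEFAULT_VALIDATION_CERT_ATTRIBUTE, true);
    }

    DirectoryServer.registerSASLMechanismHandler(SASL_MECHANISM_EXTERNAL, this);
  }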
コード例 #2
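  /**
   * Applies a changed configuration at runtime.  The new validation policy and
   * certificate attribute type are computed into locals first and installed
   * (together with {@code currentConfig}) only once every step has completed.
   *
   * @param configuration the new handler configuration.
   * @return the change result; nothing in this method records a failure on it.
   */
  @Override
  public ConfigChangeResult applyConfigurationChange(
      ExternalSASLMechanismHandlerCfg configuration) {
    final ConfigChangeResult ccr = new ConfigChangeResult();

    // Fail closed: start from the strictest policy so a value the switch does
    // not recognise can never weaken certificate validation.
    CertificateValidationPolicy newValidationPolicy = CertificateValidationPolicy.ALWAYS;
    switch (configuration.getCertificateValidationPolicy()) {
      case NEVER:
        newValidationPolicy = CertificateValidationPolicy.NEVER;
        break;
      case IFPRESENT:
        newValidationPolicy = CertificateValidationPolicy.IFPRESENT;
        break;
      case ALWAYS:
      default:
        newValidationPolicy = CertificateValidationPolicy.ALWAYS;
        break;
    }

    // Attribute whose values are compared against the peer certificate; when
    // unset, fall back to the default type (userCertificate).
    AttributeType newCertificateType = configuration.getCertificateAttribute();
    if (newCertificateType == null) {
      newCertificateType =
          DirectoryServer.getAttributeType(DEFAULT_VALIDATION_CERT_ATTRIBUTE, true);
    }

    // Only install the new settings on success.  Kept as a guard for any
    // validation step added above that records a failure on ccr.
    if (ccr.getResultCode() == ResultCode.SUCCESS) {
      validationPolicy = newValidationPolicy;
      certificateAttributeType = newCertificateType;
      currentConfig = configuration;
    }

    return ccr;
  }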
コード例 #3
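  /**
   * Processes a SASL EXTERNAL bind.  The client must have presented a
   * certificate chain on an LDAP connection, the configured certificate mapper
   * must map that chain to a user entry, and -- depending on the validation
   * policy -- the presented certificate must also be one of the values of the
   * user's certificate attribute.  Every failure path sets INVALID_CREDENTIALS
   * and an auth-failure reason on {@code bindOperation} (a mapper failure
   * propagates the mapper's own response data instead); success attaches an
   * {@link AuthenticationInfo} for the mapped user.
   *
   * @param bindOperation the bind operation to process; its result code,
   *        failure reason and authentication information are set here.
   */
  @Override
  public void processSASLBind(BindOperation bindOperation) {
    // Snapshot the configuration-derived fields once so a concurrent
    // applyConfigurationChange() does not swap them part-way through this bind.
    ExternalSASLMechanismHandlerCfg config = currentConfig;
    AttributeType certificateAttributeType = this.certificateAttributeType;
    CertificateValidationPolicy validationPolicy = this.validationPolicy;

    // The bind must arrive on an LDAP client connection that presented a
    // non-empty client certificate chain; otherwise there is nothing to
    // authenticate with.
    ClientConnection clientConnection = bindOperation.getClientConnection();
    if (clientConnection == null) {
      rejectBind(bindOperation, ERR_SASLEXTERNAL_NO_CLIENT_CONNECTION.get());
      return;
    }
    if (!(clientConnection instanceof LDAPClientConnection)) {
      rejectBind(bindOperation, ERR_SASLEXTERNAL_NOT_LDAP_CLIENT_INSTANCE.get());
      return;
    }
    LDAPClientConnection lc = (LDAPClientConnection) clientConnection;
    Certificate[] clientCertChain = lc.getClientCertificateChain();
    if (clientCertChain == null || clientCertChain.length == 0) {
      rejectBind(bindOperation, ERR_SASLEXTERNAL_NO_CLIENT_CERT.get());
      return;
    }

    // Map the certificate chain to a single user entry with the configured
    // certificate mapper.
    DN certificateMapperDN = config.getCertificateMapperDN();
    CertificateMapper<?> certificateMapper =
        DirectoryServer.getCertificateMapper(certificateMapperDN);
    // NOTE(review): assumes the configuration framework guarantees that the
    // configured mapper DN resolves to a registered mapper.  A null here would
    // abort the bind with a NullPointerException (fails closed) -- confirm.
    Entry userEntry;
    try {
      userEntry = certificateMapper.mapCertificateToUser(clientCertChain);
    } catch (DirectoryException de) {
      logger.traceException(de);
      // Surface the mapper's own result code and message to the client.
      bindOperation.setResponseData(de);
      return;
    }

    // No mapping means the certificate does not identify any user.
    if (userEntry == null) {
      rejectBind(bindOperation, ERR_SASLEXTERNAL_NO_MAPPING.get());
      return;
    }
    bindOperation.setSASLAuthUserEntry(userEntry);

    // Optionally require the presented (leaf) certificate to be one of the
    // values of the user's certificate attribute.  A missing attribute and an
    // empty value list are treated alike as "no certificate in entry", so the
    // outcome does not depend on whether getAttribute() returns null or an
    // empty list for an absent attribute.
    List<Attribute> certAttrList = userEntry.getAttribute(certificateAttributeType);
    boolean certInEntry = certAttrList != null && !certAttrList.isEmpty();
    switch (validationPolicy) {
      case ALWAYS:
        if (!certInEntry) {
          rejectBind(bindOperation, ERR_SASLEXTERNAL_NO_CERT_IN_ENTRY.get(userEntry.getName()));
          return;
        }
        if (!peerCertificateInEntry(bindOperation, userEntry, certAttrList, clientCertChain[0])) {
          return;
        }
        break;

      case IFPRESENT:
        if (certInEntry
            && !peerCertificateInEntry(bindOperation, userEntry, certAttrList, clientCertChain[0])) {
          return;
        }
        break;

      case NEVER:
      default:
        // No comparison against the entry is required.
        break;
    }

    AuthenticationInfo authInfo =
        new AuthenticationInfo(
            userEntry, SASL_MECHANISM_EXTERNAL, DirectoryServer.isRootDN(userEntry.getName()));
    bindOperation.setAuthenticationInfo(authInfo);
    bindOperation.setResultCode(ResultCode.SUCCESS);
  }

  /** Marks {@code bindOperation} as failed with INVALID_CREDENTIALS and the given reason. */
  private static void rejectBind(BindOperation bindOperation, LocalizableMessage reason) {
    bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
    bindOperation.setAuthFailureReason(reason);
  }

  /**
   * Checks that the encoded form of {@code peerCert} is one of the values in
   * {@code certAttrList}.  On a mismatch, or if the certificate cannot be
   * encoded or compared, the bind is rejected with INVALID_CREDENTIALS and the
   * corresponding reason, and {@code false} is returned.
   *
   * @param bindOperation the bind being processed; updated only on failure.
   * @param userEntry the mapped user entry (used for the failure message).
   * @param certAttrList the values of the user's certificate attribute.
   * @param peerCert the certificate presented by the client.
   * @return {@code true} if the certificate was found in the entry.
   */
  private boolean peerCertificateInEntry(
      BindOperation bindOperation,
      Entry userEntry,
      List<Attribute> certAttrList,
      Certificate peerCert) {
    try {
      ByteString certBytes = ByteString.wrap(peerCert.getEncoded());
      if (!find(certAttrList, certBytes)) {
        rejectBind(bindOperation, ERR_SASLEXTERNAL_PEER_CERT_NOT_FOUND.get(userEntry.getName()));
        return false;
      }
      return true;
    } catch (Exception e) {
      logger.traceException(e);
      rejectBind(
          bindOperation,
          ERR_SASLEXTERNAL_CANNOT_VALIDATE_CERT.get(userEntry.getName(), getExceptionMessage(e)));
      return false;
    }
  }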
コード例 #4
 /**
  * Shuts this handler down: stops listening for configuration changes on the
  * retained configuration and unregisters the EXTERNAL mechanism from the
  * server.
  */
 @Override
 public void finalizeSASLMechanismHandler() {
   final ExternalSASLMechanismHandlerCfg cfg = currentConfig;
   cfg.removeExternalChangeListener(this);
   DirectoryServer.deregisterSASLMechanismHandler(SASL_MECHANISM_EXTERNAL);
 }