OF-1139: User-to-provider mapping

This commit introduces a new AuthProvider and UserProvider that, similar to the
HybridAuthProvider and -UserProvider can be configured to use more than one backend
store. Where the Hybrids iterate over all of their providers in an attempt to
fulfill a request, these new 'Mapped' variants will first determine what provider
is to be used for a particular user, and will then operate on only that provider.
This is useful where particular users are required to be restricted to specific
backends.
parent 9df61650
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.auth;
import java.util.Set;
import java.util.SortedSet;
/**
* Implementations are used to determine what AuthProvider is to be used for a particular username.
*
* Implementation must have a no-argument constructor.
*
* @author Guus der Kinderen, guus@goodbytes.nl
* @see MappedAuthProvider
*/
public interface AuthProviderMapper
{
/**
* Finds a suitable AuthProvider for the user. Returns null when no AuthProvider can be found for the particular
* user.
*
* @param username A user identifier (cannot be null or empty).
* @return An AuthProvider for the user (possibly null).
*/
AuthProvider getAuthProvider( String username );
/**
* Returns all providers that are used by this instance.
*
* The returned collection should have a consistent, predictable iteration order.
*
* @return all providers (never null).
*/
Set<AuthProvider> getAuthProviders();
}
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.auth;
import org.jivesoftware.openfire.admin.AdminManager;
import org.jivesoftware.util.ClassUtils;
import org.jivesoftware.util.JiveGlobals;
import java.util.SortedSet;
import java.util.TreeSet;
/**
* A {@link AuthProviderMapper} that can be used to draw administrative users from another source than the regular, non-
* administrative users.
*
* This implementation uses {@link AdminManager} to determine if a particular user is an administrative user. When a
* user is not recognized, it is deemed a regular, non-administrative user.
*
* To configure this provider, the both system properties from the example below <em>must</em> be defined. Their value
* must reference the classname of an {@link AuthProvider}.
*
* <ul>
* <li><tt>authorizationBasedAuthMapper.adminProvider.className = org.jivesoftware.openfire.auth.DefaultAuthProvider</tt></li>
* <li><tt>authorizationBasedAuthMapper.userProvider.className = org.jivesoftware.openfire.auth.NativeAuthProvider</tt></li>
* </ul>
*
* @author Guus der Kinderen, guus@goodbytes.nl
*/
public class AuthorizationBasedAuthProviderMapper implements AuthProviderMapper
{
/**
* Name of the property of which the value is expected to be the classname of the AuthProvider which will serve the
* administrative users.
*/
public static final String PROPERTY_ADMINPROVIDER_CLASSNAME = "authorizationBasedAuthMapper.adminProvider.className";
/**
* Name of the property of which the value is expected to be the classname of the AuthProvider which will serve the
* regular, non-administrative users.
*/
public static final String PROPERTY_USERPROVIDER_CLASSNAME = "authorizationBasedAuthMapper.userProvider.className";
/**
* Serves the administrative users.
*/
protected final AuthProvider adminProvider;
/**
* Serves the regular, non-administrative users.
*/
protected final AuthProvider userProvider;
public AuthorizationBasedAuthProviderMapper()
{
// Migrate properties.
JiveGlobals.migrateProperty( PROPERTY_ADMINPROVIDER_CLASSNAME );
JiveGlobals.migrateProperty( PROPERTY_USERPROVIDER_CLASSNAME );
// Instantiate providers.
adminProvider = instantiateProvider( PROPERTY_ADMINPROVIDER_CLASSNAME );
userProvider = instantiateProvider( PROPERTY_USERPROVIDER_CLASSNAME );
}
protected static AuthProvider instantiateProvider( String propertyName )
{
final String className = JiveGlobals.getProperty( propertyName );
if ( className == null )
{
throw new IllegalStateException( "A class name must be specified via openfire.xml or the system properties." );
}
try
{
final Class c = ClassUtils.forName( className );
return (AuthProvider) c.newInstance();
}
catch ( Exception e )
{
throw new IllegalStateException( "Unable to create new instance of AuthProvider: " + className, e );
}
}
@Override
public AuthProvider getAuthProvider( String username )
{
// TODO add optional caching, to prevent retrieving the administrative users upon every invocation.
final boolean isAdmin = AdminManager.getAdminProvider().getAdmins().contains( username );
if ( isAdmin )
{
return adminProvider;
} else
{
return userProvider;
}
}
@Override
public SortedSet<AuthProvider> getAuthProviders()
{
final SortedSet<AuthProvider> result = new TreeSet<>();
result.add( adminProvider );
result.add( userProvider );
return result;
}
}
...@@ -39,6 +39,10 @@ import org.slf4j.LoggerFactory; ...@@ -39,6 +39,10 @@ import org.slf4j.LoggerFactory;
* <li>If the tertiary provider is defined, attempt authentication. * <li>If the tertiary provider is defined, attempt authentication.
* </ol> * </ol>
* *
* This class related to, but is distinct from {@link MappedAuthProvider}. The Hybrid variant of the provider iterates
* over providers, operating on the first applicable instance. The Mapped variant, however, maps each user to exactly
* one provider.
*
* To enable this provider, set the <tt>provider.auth.className</tt> system property to * To enable this provider, set the <tt>provider.auth.className</tt> system property to
* <tt>org.jivesoftware.openfire.auth.HybridAuthProvider</tt>. * <tt>org.jivesoftware.openfire.auth.HybridAuthProvider</tt>.
* *
...@@ -77,7 +81,7 @@ import org.slf4j.LoggerFactory; ...@@ -77,7 +81,7 @@ import org.slf4j.LoggerFactory;
*/ */
public class HybridAuthProvider implements AuthProvider { public class HybridAuthProvider implements AuthProvider {
private static final Logger Log = LoggerFactory.getLogger(HybridAuthProvider.class); private static final Logger Log = LoggerFactory.getLogger(HybridAuthProvider.class);
private AuthProvider primaryProvider; private AuthProvider primaryProvider;
private AuthProvider secondaryProvider; private AuthProvider secondaryProvider;
......
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.auth;
import org.jivesoftware.openfire.user.UserNotFoundException;
import org.jivesoftware.util.ClassUtils;
import org.jivesoftware.util.JiveGlobals;
/**
* A {@link AuthProvider} that delegates to a user-specific AuthProvider.
*
* This class related to, but is distinct from {@link HybridAuthProvider}. The Hybrid variant of the provider iterates
* over providers, operating on the first applicable instance. This Mapped variant, however, maps each user to exactly
* one provider.
*
* To use this provider, use the following system property definition:
*
* <ul>
* <li><tt>provider.auth.className = org.jivesoftware.openfire.user.MappedAuthProvider</tt></li>
* </ul>
*
* To be usable, a {@link AuthProviderMapper} must be configured using the <tt>mappedAuthProvider.mapper.className</tt>
* system property. It is of importance to note that most AuthProviderMapper implementations will require additional
* configuration.
*
* @author Guus der Kinderen, guus@goodbytes.nl
*/
public class MappedAuthProvider implements AuthProvider
{
/**
* Name of the property of which the value is expected to be the classname of the AuthProviderMapper instance to be
* used by instances of this class.
*/
public static final String PROPERTY_MAPPER_CLASSNAME = "mappedAuthProvider.mapper.className";
/**
* Used to determine what provider is to be used to operate on a particular user.
*/
protected final AuthProviderMapper mapper;
public MappedAuthProvider()
{
// Migrate properties.
JiveGlobals.migrateProperty( PROPERTY_MAPPER_CLASSNAME );
// Instantiate mapper.
final String mapperClass = JiveGlobals.getProperty( PROPERTY_MAPPER_CLASSNAME );
if ( mapperClass == null )
{
throw new IllegalStateException( "A mapper must be specified via openfire.xml or the system properties." );
}
try
{
final Class c = ClassUtils.forName( mapperClass );
mapper = (AuthProviderMapper) c.newInstance();
}
catch ( Exception e )
{
throw new IllegalStateException( "Unable to create new instance of AuthProviderMapper class: " + mapperClass, e );
}
}
@Override
public void authenticate( String username, String password ) throws UnauthorizedException, ConnectionException, InternalUnauthenticatedException
{
final AuthProvider provider = mapper.getAuthProvider( username );
if ( provider == null )
{
throw new UnauthorizedException();
}
provider.authenticate( username, password );
}
@Override
public String getPassword( String username ) throws UserNotFoundException, UnsupportedOperationException
{
final AuthProvider provider = mapper.getAuthProvider( username );
if ( provider == null )
{
throw new UserNotFoundException();
}
return provider.getPassword( username );
}
@Override
public void setPassword( String username, String password ) throws UserNotFoundException, UnsupportedOperationException
{
final AuthProvider provider = mapper.getAuthProvider( username );
if ( provider == null )
{
throw new UserNotFoundException();
}
provider.setPassword( username, password );
}
@Override
public boolean supportsPasswordRetrieval()
{
// TODO Make calls concurrent for improved throughput.
for ( final AuthProvider provider : mapper.getAuthProviders() )
{
// If at least one provider supports password retrieval, so does this proxy.
if ( provider.supportsPasswordRetrieval() )
{
return true;
}
}
return false;
}
@Override
public boolean isScramSupported()
{
// TODO Make calls concurrent for improved throughput.
for ( final AuthProvider provider : mapper.getAuthProviders() )
{
// If at least one provider supports SCRAM, so does this proxy.
if ( provider.isScramSupported() )
{
return true;
}
}
return false;
}
}
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.user;
import org.jivesoftware.openfire.admin.AdminManager;
import org.jivesoftware.util.JiveGlobals;
import java.util.SortedSet;
import java.util.TreeSet;
/**
* A {@link UserProviderMapper} that can be used to draw administrative users from another source than the regular, non-
* administrative users.
*
* This implementation uses {@link AdminManager} to determine if a particular user is an administrative user. When a
* user is not recognized, it is deemed a regular, non-administrative user.
*
* To configure this provider, the both system properties from the example below <em>must</em> be defined. Their value
* must reference the classname of an {@link UserProvider}.
*
* <ul>
* <li><tt>authorizationBasedUserMapper.adminProvider.className = org.jivesoftware.openfire.auth.DefaultUserProvider</tt></li>
* <li><tt>authorizationBasedUserMapper.userProvider.className = org.jivesoftware.openfire.auth.NativeUserProvider</tt></li>
* </ul>
*
* @author Guus der Kinderen, guus@goodbytes.nl
*/
public class AuthorizationBasedUserProviderMapper implements UserProviderMapper
{
/**
* Name of the property of which the value is expected to be the classname of the UserProvider which will serve the
* administrative users.
*/
public static final String PROPERTY_ADMINPROVIDER_CLASSNAME = "authorizationBasedUserMapper.adminProvider.className";
/**
* Name of the property of which the value is expected to be the classname of the UserProvider which will serve the
* regular, non-administrative users.
*/
public static final String PROPERTY_USERPROVIDER_CLASSNAME = "authorizationBasedUserMapper.userProvider.className";
/**
* Serves the administrative users.
*/
protected final UserProvider adminProvider;
/**
* Serves the regular, non-administrative users.
*/
protected final UserProvider userProvider;
public AuthorizationBasedUserProviderMapper()
{
// Migrate properties.
JiveGlobals.migrateProperty( PROPERTY_ADMINPROVIDER_CLASSNAME );
JiveGlobals.migrateProperty( PROPERTY_USERPROVIDER_CLASSNAME );
// Instantiate providers.
adminProvider = UserMultiProvider.instantiate( PROPERTY_ADMINPROVIDER_CLASSNAME );
if ( adminProvider == null )
{
throw new IllegalStateException( "A class name for the admin provider must be specified via openfire.xml or the system properties using property: " + PROPERTY_ADMINPROVIDER_CLASSNAME );
}
userProvider = UserMultiProvider.instantiate( PROPERTY_USERPROVIDER_CLASSNAME );
if ( userProvider == null )
{
throw new IllegalStateException( "A class name for the user provider must be specified via openfire.xml or the system properties using property: " + PROPERTY_USERPROVIDER_CLASSNAME );
}
}
@Override
public UserProvider getUserProvider( String username )
{
// TODO add optional caching, to prevent retrieving the administrative users upon every invocation.
final boolean isAdmin = AdminManager.getAdminProvider().getAdmins().contains( username );
if ( isAdmin )
{
return adminProvider;
} else
{
return userProvider;
}
}
@Override
public SortedSet<UserProvider> getUserProviders()
{
final SortedSet<UserProvider> result = new TreeSet<>();
result.add( adminProvider );
result.add( userProvider );
return result;
}
}
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.user;
import org.jivesoftware.util.ClassUtils;
import org.jivesoftware.util.JiveGlobals;
import java.util.Collection;
import java.util.Date;
/**
* A {@link UserProvider} that delegates to a user-specific UserProvider.
*
* This class related to, but is distinct from {@link HybridUserProvider}. The Hybrid variant of the provider iterates
* over providers, operating on the first applicable instance. This Mapped variant, however, maps each user to exactly
* one provider.
*
* To use this provider, use the following system property definition:
*
* <ul>
* <li><tt>provider.user.className = org.jivesoftware.openfire.user.MappedUserProvider</tt></li>
* </ul>
*
* To be usable, a {@link UserProviderMapper} must be configured using the <tt>mappedUserProvider.mapper.className</tt>
* system property. It is of importance to note that most UserProviderMapper implementations will require additional
* configuration.
*
* @author Guus der Kinderen, guus@goodbytes.nl
* @see org.jivesoftware.openfire.auth.MappedAuthProvider
*/
public class MappedUserProvider extends UserMultiProvider
{
/**
* Name of the property of which the value is expected to be the classname of the UserProviderMapper instance to be
* used by instances of this class.
*/
public static final String PROPERTY_MAPPER_CLASSNAME = "mappedUserProvider.mapper.className";
/**
* Used to determine what provider is to be used to operate on a particular user.
*/
protected final UserProviderMapper mapper;
public MappedUserProvider()
{
// Migrate properties.
JiveGlobals.migrateProperty( PROPERTY_MAPPER_CLASSNAME );
// Instantiate mapper.
final String mapperClass = JiveGlobals.getProperty( PROPERTY_MAPPER_CLASSNAME );
if ( mapperClass == null )
{
throw new IllegalStateException( "A mapper must be specified via openfire.xml or the system properties." );
}
try
{
final Class c = ClassUtils.forName( mapperClass );
mapper = (UserProviderMapper) c.newInstance();
}
catch ( Exception e )
{
throw new IllegalStateException( "Unable to create new instance of UserProviderMapper class: " + mapperClass, e );
}
}
@Override
public Collection<UserProvider> getUserProviders()
{
return mapper.getUserProviders();
}
@Override
public UserProvider getUserProvider( String username )
{
return mapper.getUserProvider( username );
}
@Override
public User loadUser( String username ) throws UserNotFoundException
{
final UserProvider userProvider;
try{
userProvider = getUserProvider( username );
} catch (RuntimeException e){
throw new UserNotFoundException("Unable to identify user provider for username "+username, e);
}
return userProvider.loadUser( username );
}
@Override
public User createUser( String username, String password, String name, String email ) throws UserAlreadyExistsException
{
return getUserProvider( username ).createUser( username, password, name, email );
}
@Override
public void deleteUser( String username )
{
getUserProvider( username ).deleteUser( username );
}
@Override
public void setName( String username, String name ) throws UserNotFoundException
{
getUserProvider( username ).setName( username, name );
}
@Override
public void setEmail( String username, String email ) throws UserNotFoundException
{
getUserProvider( username ).setEmail( username, email );
}
@Override
public void setCreationDate( String username, Date creationDate ) throws UserNotFoundException
{
getUserProvider( username ).setCreationDate( username, creationDate );
}
@Override
public void setModificationDate( String username, Date modificationDate ) throws UserNotFoundException
{
getUserProvider( username ).setModificationDate( username, modificationDate );
}
}
This diff is collapsed.
/*
* Copyright 2016 IgniteRealtime.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jivesoftware.openfire.user;
import java.util.Set;
import java.util.SortedSet;
/**
* Implementations are used to determine what UserProvider is to be used for a particular username.
*
* Note that the provided username need not reflect a pre-existing user (the instance might be used to determine in
* which provider a new user is to be created).
*
* Implementation must have a no-argument constructor.
*
* @author Guus der Kinderen, guus@goodbytes.nl
* @see MappedUserProvider
*/
public interface UserProviderMapper
{
/**
* Finds a suitable UserProvider for the user.
*
* Note that the provided username need not reflect a pre-existing user (the instance might be used to determine in
* which provider a new user is to be created).
*
* Implementations are expected to be able to find a UserProvider for any username. If an implementation fails to do
* so, such a failure is assumed to be the result of a problem in implementation or configuration.
*
* @param username A user identifier (cannot be null or empty).
* @return A UserProvider for the user (never null).
*/
UserProvider getUserProvider( String username );
/**
* Returns all providers that are used by this instance.
*
* The returned collection should have a consistent, predictable iteration order.
*
* @return all providers (never null).
*/
Set<UserProvider> getUserProviders();
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment