All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.druid.security.basic.authentication.LdapUserPrincipal Maven / Gradle / Ivy

The newest version!
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.druid.security.basic.authentication;

import com.google.common.annotations.VisibleForTesting;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.validator.PasswordHashGenerator;

import javax.naming.directory.SearchResult;
import java.security.Principal;
import java.time.Instant;
import java.util.Arrays;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;

public class LdapUserPrincipal implements Principal
{
  private static final Logger LOG = new Logger(LdapUserPrincipal.class);

  private final String name;
  private final BasicAuthenticatorCredentials credentials;
  private final SearchResult searchResult;
  private final Instant createdAt;
  private final AtomicReference lastVerified = new AtomicReference<>();

  public LdapUserPrincipal(
      String name,
      BasicAuthenticatorCredentials credentials,
      SearchResult searchResult
  )
  {
    this(name, credentials, searchResult, Instant.now());
  }

  @VisibleForTesting
  public LdapUserPrincipal(
      String name,
      BasicAuthenticatorCredentials credentials,
      SearchResult searchResult,
      Instant createdAt
  )
  {
    Objects.requireNonNull(name, "name is required");
    Objects.requireNonNull(credentials, "credentials is required");
    Objects.requireNonNull(searchResult, "searchResult is required");
    Objects.requireNonNull(createdAt, "createdAt is required");

    this.name = name;
    this.credentials = credentials;
    this.searchResult = searchResult;
    this.createdAt = createdAt;
    this.lastVerified.set(createdAt);
  }

  @Override
  public String getName()
  {
    return this.name;
  }

  public SearchResult getSearchResult()
  {
    return searchResult;
  }

  public Instant getCreatedAt()
  {
    return createdAt;
  }

  public Instant getLastVerified()
  {
    return lastVerified.get();
  }

  public boolean hasSameCredentials(char[] password, PasswordHashGenerator hashGenerator)
  {
    byte[] recalculatedHash = hashGenerator.getOrComputePasswordHash(
        password,
        this.credentials.getSalt(),
        this.credentials.getIterations()
    );
    if (Arrays.equals(recalculatedHash, credentials.getHash())) {
      this.lastVerified.set(Instant.now());
      LOG.debug("Refereshing lastVerified principal user '%s'", this.name);
      return true;
    } else {
      return false;
    }
  }

  public boolean isExpired(int durationSeconds, int maxDurationSeconds)
  {
    return isExpired(durationSeconds, maxDurationSeconds, System.currentTimeMillis());
  }

  @VisibleForTesting
  boolean isExpired(int durationSeconds, int maxDurationSeconds, long nowMillis)
  {
    long maxCutoffMillis = nowMillis - (maxDurationSeconds * 1000L);
    if (this.createdAt.toEpochMilli() < maxCutoffMillis) {
      // max cutoff is up...so expired
      return true;
    } else {
      long cutoffMillis = nowMillis - (durationSeconds * 1000L);
      if (this.lastVerified.get().toEpochMilli() < cutoffMillis) {
        // max cutoff not reached yet but cutoff since verified is up, so expired
        return true;
      }
    }
    return false;
  }

  @Override
  public String toString()
  {
    return StringUtils.format(
        "LdapUserPrincipal[name=%s, searchResult=%s, createdAt=%s, lastVerified=%s]",
        name,
        searchResult,
        createdAt,
        lastVerified
    );
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy