Merge branch 'feature/ldap_groups_as_scopes' into develop

https://www.pivotaltracker.com/story/show/53029645
[#53029645]
Completes LDAP functionality

common/pom.xml

@@ -88,6 +88,12 @@
             <groupId>org.apache.directory.api</groupId>
             <artifactId>api-ldap-model</artifactId>
             <version>${apacheds.api.ldap.model.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
 
@@ -218,6 +224,29 @@
             </exclusions>
         </dependency>
 
+        <dependency>
+            <groupId>com.unboundid.product.scim</groupId>
+            <artifactId>scim-sdk</artifactId>
+            <version>1.6.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.mortbay.jetty</groupId>
+                    <artifactId>servlet-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents</groupId>
+                    <artifactId>httpclient</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.wink</groupId>
+                    <artifactId>wink-client-apache-httpclient</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
 
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -247,8 +276,13 @@
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
             <version>4.11</version>
-            <scope>compile</scope>
-            <optional>true</optional>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-all</artifactId>
+            <version>1.3</version>
+            <scope>test</scope>
         </dependency>
 
         <dependency>

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalGroupAuthorizationEvent.java

@@ -0,0 +1,37 @@
+/*******************************************************************************
+ *     Cloud Foundry 
+ *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *     You may not use this product except in compliance with the License.
+ *
+ *     This product includes a number of subcomponents with
+ *     separate copyright notices and license terms. Your use of these
+ *     subcomponents is subject to the terms and conditions of the
+ *     subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
+
+package org.cloudfoundry.identity.uaa.authentication.manager;
+
+import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+public class ExternalGroupAuthorizationEvent extends NewUserAuthenticatedEvent {
+
+    public Collection<? extends GrantedAuthority> getExternalAuthorities() {
+        return externalAuthorities;
+    }
+
+    private Collection<? extends GrantedAuthority> externalAuthorities;
+
+    public ExternalGroupAuthorizationEvent(UaaUser user, Collection<? extends GrantedAuthority> externalAuthorities) {
+        super(user);
+        this.externalAuthorities = externalAuthorities;
+    }
+
+
+
+}

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java

@@ -72,6 +72,7 @@ public void setApplicationEventPublisher(ApplicationEventPublisher eventPublishe
     public void setUserDatabase(UaaUserDatabase userDatabase) {
         this.userDatabase = userDatabase;
     }
+    public UaaUserDatabase getUserDatabase() { return this.userDatabase; }
 
     @Override
     public Authentication authenticate(Authentication request) throws AuthenticationException {
@@ -111,6 +112,8 @@ public Authentication authenticate(Authentication request) throws Authentication
                 throw new BadCredentialsException("Bad credentials");
             }
         }
+        //user is authenticated and exists in UAA
+        user = userAuthenticated(request, user);
 
         UaaAuthenticationDetails uaaAuthenticationDetails = null;
         if (request.getDetails() instanceof UaaAuthenticationDetails) {
@@ -141,6 +144,10 @@ protected void publish(ApplicationEvent event) {
         }
     }
 
+    protected UaaUser userAuthenticated(Authentication request, UaaUser user) {
+        return user;
+    }
+
     protected UaaUser getUser(UserDetails details, Map<String, String> info) {
         String name = details.getUsername();
         String email = info.get("email");

common/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java

@@ -16,13 +16,15 @@
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
 import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.ldap.userdetails.LdapUserDetails;
 
 import java.util.Map;
 
 public class LdapLoginAuthenticationManager extends ExternalLoginAuthenticationManager {
 
+    private boolean autoAddAuthorities = false;
 
     @Override
     protected UaaUser getUser(UserDetails details, Map<String, String> info) {
@@ -34,4 +36,25 @@ protected UaaUser getUser(UserDetails details, Map<String, String> info) {
             return user.modifySource(getOrigin(), user.getExternalId());
         }
     }
+
+    @Override
+    protected UaaUser userAuthenticated(Authentication request, UaaUser user) {
+        if (isAutoAddAuthorities()) {
+            ExternalGroupAuthorizationEvent event = new ExternalGroupAuthorizationEvent(user, request.getAuthorities());
+            publish(event);
+            return getUserDatabase().retrieveUserById(user.getId());
+        } else {
+            return super.userAuthenticated(request, user);
+        }
+    }
+
+    public boolean isAutoAddAuthorities() {
+        return autoAddAuthorities;
+    }
+
+    public void setAutoAddAuthorities(boolean autoAddAuthorities) {
+        this.autoAddAuthorities = autoAddAuthorities;
+    }
+
+
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authorization/DoNothingExternalAuthorizationManager.java

@@ -12,13 +12,15 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authorization;
 
+import org.springframework.security.core.GrantedAuthority;
+
 import java.util.Set;
 
 public class DoNothingExternalAuthorizationManager implements ExternalGroupMappingAuthorizationManager {
 
     @Override
-    public Set<String> findScopesFromAuthorities(String authorities) {
-        return null;
+    public Set<? extends GrantedAuthority> findScopesFromAuthorities(Set<? extends GrantedAuthority> authorities) {
+        return authorities;
     }
 
 }

common/src/main/java/org/cloudfoundry/identity/uaa/authorization/ExternalGroupMappingAuthorizationManager.java

@@ -12,10 +12,12 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.authorization;
 
+import org.springframework.security.core.GrantedAuthority;
+
 import java.util.Set;
 
 public interface ExternalGroupMappingAuthorizationManager {
 
-    public Set<String> findScopesFromAuthorities(String authorities);
+    public Set<? extends GrantedAuthority> findScopesFromAuthorities(Set<? extends GrantedAuthority> authorities);
 
 }

common/src/main/java/org/cloudfoundry/identity/uaa/ldap/CommaSeparatedScopesMapper.java

@@ -0,0 +1,40 @@
+/*
+ * ******************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * ******************************************************************************
+ */
+package org.cloudfoundry.identity.uaa.ldap;
+
+import org.cloudfoundry.identity.uaa.ldap.extension.LdapAuthority;
+import org.cloudfoundry.identity.uaa.user.UaaAuthority;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.util.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+public class CommaSeparatedScopesMapper implements GrantedAuthoritiesMapper {
+
+    @Override
+    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
+        ArrayList<GrantedAuthority> result = new ArrayList<>();
+        for (GrantedAuthority authority : authorities) {
+            LdapAuthority ldapAuthority = (LdapAuthority)authority;
+            for (String scope : StringUtils.commaDelimitedListToSet(authority.getAuthority())) {
+                LdapAuthority a = new LdapAuthority(scope, ldapAuthority.getDn(), ldapAuthority.getAttributes());
+                result.add(a);
+            }
+        }
+        return result;
+    }
+}

common/src/main/java/org/cloudfoundry/identity/uaa/ldap/LdapGroupToScopesMapper.java

@@ -0,0 +1,44 @@
+/*
+ * ******************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
+ *
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * ******************************************************************************
+ */
+package org.cloudfoundry.identity.uaa.ldap;
+
+import org.cloudfoundry.identity.uaa.authorization.ExternalGroupMappingAuthorizationManager;
+import org.cloudfoundry.identity.uaa.ldap.extension.LdapAuthority;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.util.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+public class LdapGroupToScopesMapper implements GrantedAuthoritiesMapper {
+
+    public ExternalGroupMappingAuthorizationManager getGroupMapper() {
+        return groupMapper;
+    }
+
+    public void setGroupMapper(ExternalGroupMappingAuthorizationManager groupMapper) {
+        this.groupMapper = groupMapper;
+    }
+
+    private ExternalGroupMappingAuthorizationManager groupMapper;
+
+    @Override
+    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
+        return getGroupMapper().findScopesFromAuthorities(new HashSet<>(authorities));
+    }
+}