support ldap login (#5225)

auth/src/main/java/com/alibaba/nacos/auth/common/AuthSystemTypes.java

@@ -28,5 +28,9 @@ public enum AuthSystemTypes {
     /**
      * Nacos builtin auth system.
      */
-    NACOS
+    NACOS,
+    /**
+     * LDAP.
+     */
+    LDAP
 }

console/src/main/java/com/alibaba/nacos/console/controller/UserController.java

@@ -204,7 +204,8 @@ public class UserController {
     public Object login(@RequestParam String username, @RequestParam String password, HttpServletResponse response,
             HttpServletRequest request) throws AccessException {
         
-        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
+        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType()) || AuthSystemTypes.LDAP
+                .name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
             NacosUser user = (NacosUser) authManager.login(request);
             
             response.addHeader(NacosAuthConfig.AUTHORIZATION_HEADER, NacosAuthConfig.TOKEN_PREFIX + user.getToken());

console/src/main/java/com/alibaba/nacos/console/security/nacos/LdapAuthenticationProvider.java

@@ -0,0 +1,162 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.security.nacos;
+
+import com.alibaba.nacos.common.utils.CollectionUtils;
+import com.alibaba.nacos.config.server.auth.RoleInfo;
+import com.alibaba.nacos.config.server.model.User;
+import com.alibaba.nacos.console.security.nacos.roles.NacosRoleServiceImpl;
+import com.alibaba.nacos.console.security.nacos.users.NacosUserDetails;
+import com.alibaba.nacos.console.security.nacos.users.NacosUserDetailsServiceImpl;
+import com.alibaba.nacos.console.utils.PasswordEncoderUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Component;
+
+import javax.naming.CommunicationException;
+import javax.naming.Context;
+import javax.naming.directory.DirContext;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import java.util.Hashtable;
+import java.util.List;
+
+import static com.alibaba.nacos.console.security.nacos.roles.NacosRoleServiceImpl.GLOBAL_ADMIN_ROLE;
+
+/**
+ * LDAP auth provider.
+ *
+ * @author zjw
+ */
+@Component
+public class LdapAuthenticationProvider implements AuthenticationProvider {
+    
+    private static final Logger LOG = LoggerFactory.getLogger(LdapAuthenticationProvider.class);
+    
+    private static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
+    
+    private static final String TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
+    
+    private static final String DEFAULT_PASSWORD = "nacos";
+    
+    private static final String LDAP_PREFIX = "LDAP_";
+    
+    @Autowired
+    private NacosUserDetailsServiceImpl userDetailsService;
+    
+    @Autowired
+    private NacosRoleServiceImpl nacosRoleService;
+    
+    @Value(("${nacos.core.auth.ldap.url:ldap://localhost:389}"))
+    private String ldapUrl;
+    
+    @Value(("${nacos.core.auth.ldap.timeout:3000}"))
+    private String time;
+    
+    @Value(("${nacos.core.auth.ldap.userdn:cn={0},ou=user,dc=company,dc=com}"))
+    private String userNamePattern;
+    
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        String username = (String) authentication.getPrincipal();
+        String password = (String) authentication.getCredentials();
+        
+        if (isAdmin(username)) {
+            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
+            if (PasswordEncoderUtil.matches(password, userDetails.getPassword())) {
+                return new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
+            } else {
+                return null;
+            }
+        }
+        
+        if (!ldapLogin(username, password)) {
+            return null;
+        }
+        
+        UserDetails userDetails;
+        try {
+            userDetails = userDetailsService.loadUserByUsername(LDAP_PREFIX + username);
+        } catch (UsernameNotFoundException exception) {
+            String nacosPassword = PasswordEncoderUtil.encode(DEFAULT_PASSWORD);
+            userDetailsService.createUser(LDAP_PREFIX + username, nacosPassword);
+            User user = new User();
+            user.setUsername(LDAP_PREFIX + username);
+            user.setPassword(nacosPassword);
+            userDetails = new NacosUserDetails(user);
+        }
+        return new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
+    }
+    
+    private boolean isAdmin(String username) {
+        List<RoleInfo> roleInfos = nacosRoleService.getRoles(username);
+        if (CollectionUtils.isNotEmpty(roleInfos)) {
+            for (RoleInfo roleinfo : roleInfos) {
+                if (GLOBAL_ADMIN_ROLE.equals(roleinfo.getRole())) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
+    private boolean ldapLogin(String username, String password) throws AuthenticationException {
+        Hashtable<String, String> env = new Hashtable<>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
+        env.put(Context.PROVIDER_URL, ldapUrl);
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        
+        env.put(Context.SECURITY_PRINCIPAL, userNamePattern.replace("{0}", username));
+        env.put(Context.SECURITY_CREDENTIALS, password);
+        env.put(TIMEOUT, time);
+        LdapContext ctx = null;
+        try {
+            ctx = new InitialLdapContext(env, null);
+        } catch (CommunicationException e) {
+            throw new RuntimeException("LDAP Service connect timeout");
+        } catch (Exception e) {
+            LOG.warn("Exception cause by:{}", e.getMessage());
+            return false;
+        } finally {
+            closeContext(ctx);
+        }
+        return true;
+    }
+    
+    @Override
+    public boolean supports(Class<?> aClass) {
+        return aClass.equals(UsernamePasswordAuthenticationToken.class);
+    }
+    
+    private void closeContext(DirContext ctx) {
+        if (ctx != null) {
+            try {
+                ctx.close();
+            } catch (Exception e) {
+                LOG.error("Exception closing context", e);
+            }
+        }
+    }
+}

console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthConfig.java

@@ -71,6 +71,9 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     private NacosUserDetailsServiceImpl userDetailsService;
     
+    @Autowired
+    private LdapAuthenticationProvider ldapAuthenticationProvider;
+    
     @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
     @Override
     public AuthenticationManager authenticationManagerBean() throws Exception {
@@ -83,6 +86,8 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
         String ignoreUrls = null;
         if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
             ignoreUrls = "/**";
+        } else if (AuthSystemTypes.LDAP.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
+            ignoreUrls = "/**";
         }
         if (StringUtils.isBlank(authConfigs.getNacosAuthSystemType())) {
             ignoreUrls = env.getProperty("nacos.security.ignore.urls", "/**");
@@ -96,7 +101,11 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
     
     @Override
     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
             auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
+        } else if (AuthSystemTypes.LDAP.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
+            auth.authenticationProvider(ldapAuthenticationProvider);
+        }
     }
     
     @Override

console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthManager.java

@@ -179,15 +179,22 @@ public class NacosAuthManager implements AuthManager {
     }
     
     private String resolveTokenFromUser(String userName, String rawPassword) throws AccessException {
-        
+        String finalName;
+        Authentication authenticate;
         try {
             UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userName,
                     rawPassword);
-            authenticationManager.authenticate(authenticationToken);
+            authenticate = authenticationManager.authenticate(authenticationToken);
         } catch (AuthenticationException e) {
             throw new AccessException("unknown user!");
         }
         
-        return tokenManager.createToken(userName);
+        if (null == authenticate || StringUtils.isBlank(authenticate.getName())) {
+            finalName = userName;
+        } else {
+            finalName = authenticate.getName();
+        }
+        
+        return tokenManager.createToken(finalName);
     }
 }

console/src/main/resources/application.properties

@@ -111,12 +111,16 @@ server.tomcat.basedir=
 ### The ignore urls of auth, is deprecated in 1.2.0:
 nacos.security.ignore.urls=/,/error,/**/*.css,/**/*.js,/**/*.html,/**/*.map,/**/*.svg,/**/*.png,/**/*.ico,/console-ui/public/**,/v1/auth/**,/v1/console/health/**,/actuator/**,/v1/console/server/**
 
-### The auth system to use, currently only 'nacos' is supported:
+### The auth system to use, currently only 'nacos' and 'ldap' is supported:
 nacos.core.auth.system.type=nacos
 
 ### If turn on auth system:
 nacos.core.auth.enabled=false
 
+### worked when nacos.core.auth.system.type=ldap，{0} is Placeholder,replace login username
+# nacos.core.auth.ldap.url=ldap://localhost:389
+# nacos.core.auth.ldap.userdn=cn={0},ou=user,dc=company,dc=com
+
 ### The token expiration in seconds:
 nacos.core.auth.default.token.expire.seconds=18000
 

distribution/conf/application.properties

@@ -138,9 +138,13 @@ server.tomcat.basedir=
 ### The ignore urls of auth, is deprecated in 1.2.0:
 nacos.security.ignore.urls=/,/error,/**/*.css,/**/*.js,/**/*.html,/**/*.map,/**/*.svg,/**/*.png,/**/*.ico,/console-ui/public/**,/v1/auth/**,/v1/console/health/**,/actuator/**,/v1/console/server/**
 
-### The auth system to use, currently only 'nacos' is supported:
+### The auth system to use, currently only 'nacos' and 'ldap' is supported:
 nacos.core.auth.system.type=nacos
 
+### worked when nacos.core.auth.system.type=ldap，{0} is Placeholder,replace login username
+# nacos.core.auth.ldap.url=ldap://localhost:389
+# nacos.core.auth.ldap.userdn=cn={0},ou=user,dc=company,dc=com
+
 ### If turn on auth system:
 nacos.core.auth.enabled=false