From f6800b59112a2c7690e81c1c202b20093f4f2480 Mon Sep 17 00:00:00 2001
From: DenisSinelnikov <142215442+DenisSinelnikov@users.noreply.github.com>
Date: Tue, 14 Jan 2025 20:06:25 +0400
Subject: [PATCH] CB-5461. Added compare ldap group and user team (#3189)
* CB-5461. Added compare ldap group and user team
* CB-5461. Fixed codestyle
* CB-5361. Fixed to create new ldap user with full dn
---------
Co-authored-by: Daria Marutkina <125263541+dariamarutkina@users.noreply.github.com>
Co-authored-by: Ainur <59531286+yagudin10@users.noreply.github.com>
---
.../plugin.xml | 7 ++
.../service/ldap/auth/LdapAuthProvider.java | 80 +++++++++++++++++--
.../service/ldap/auth/LdapConstants.java | 4 +-
3 files changed, 85 insertions(+), 6 deletions(-)
diff --git a/server/bundles/io.cloudbeaver.service.ldap.auth/plugin.xml b/server/bundles/io.cloudbeaver.service.ldap.auth/plugin.xml
index ed76a9973b..bf59248e18 100644
--- a/server/bundles/io.cloudbeaver.service.ldap.auth/plugin.xml
+++ b/server/bundles/io.cloudbeaver.service.ldap.auth/plugin.xml
@@ -38,6 +38,13 @@
user="true" encryption="plain"/>
+
+
+
+
+
+
diff --git a/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapAuthProvider.java b/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapAuthProvider.java
index a10626b6c4..f50a517ae2 100644
--- a/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapAuthProvider.java
+++ b/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapAuthProvider.java
@@ -1,6 +1,6 @@
/*
* DBeaver - Universal Database Manager
- * Copyright (C) 2010-2024 DBeaver Corp and others
+ * Copyright (C) 2010-2025 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,9 @@
package io.cloudbeaver.service.ldap.auth;
import io.cloudbeaver.DBWUserIdentity;
+import io.cloudbeaver.auth.SMAuthProviderAssigner;
import io.cloudbeaver.auth.SMAuthProviderExternal;
+import io.cloudbeaver.auth.SMAutoAssign;
import io.cloudbeaver.auth.SMBruteForceProtected;
import io.cloudbeaver.auth.provider.local.LocalAuthProviderConstants;
import io.cloudbeaver.model.session.WebSession;
@@ -43,7 +45,7 @@
import java.util.Map;
import java.util.UUID;
-public class LdapAuthProvider implements SMAuthProviderExternal, SMBruteForceProtected {
+public class LdapAuthProvider implements SMAuthProviderExternal, SMBruteForceProtected, SMAuthProviderAssigner {
private static final Log log = Log.getLog(LdapAuthProvider.class);
public LdapAuthProvider() {
@@ -77,9 +79,8 @@ public Map authExternalUser(
}
if (userData == null) {
- String fullUserDN = buildFullUserDN(userName, ldapSettings);
- validateUserAccess(fullUserDN, ldapSettings);
- userData = authenticateLdap(fullUserDN, password, ldapSettings, null, environment);
+ validateUserAccess(userName, ldapSettings);
+ userData = authenticateLdap(userName, password, ldapSettings, null, environment);
}
return userData;
}
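Review bot: With `buildFullUserDN` dropped, `userName` is bound as-is and the same value is then stored under `CRED_FULL_DN` by the new line in `authenticateLdap` (L71), so whatever the user typed is later treated as their DN in `detectAutoAssignments` (L93-L94) and embedded in the `(member=...)` group filter, while the `findUserDN` fallback never runs because the stored value is non-empty. If bare logins rather than DNs are still accepted on this path, the group lookup will silently match nothing; consider storing the DN resolved from the directory instead of the typed value, or only setting `CRED_FULL_DN` when the bound name is known to be a DN. `authExternalUser` starts and ends outside this hunk.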
@@ -331,6 +332,7 @@ private Map authenticateLdap(
userContext = new InitialDirContext(environment);
Map userData = new HashMap<>();
userData.put(LdapConstants.CRED_USERNAME, findUserNameFromDN(userDN, ldapSettings));
+ userData.put(LdapConstants.CRED_FULL_DN, userDN);
userData.put(LdapConstants.CRED_SESSION_ID, UUID.randomUUID());
if (login != null) {
userData.put(LdapConstants.CRED_DISPLAY_NAME, login);
@@ -349,4 +351,72 @@ private Map authenticateLdap(
}
}
+ @NotNull
+ @Override
+ public SMAutoAssign detectAutoAssignments(
+ @NotNull DBRProgressMonitor monitor,
+ @NotNull SMAuthProviderCustomConfiguration providerConfig,
+ @NotNull Map authParameters
+ ) throws DBException {
+ String userName = JSONUtils.getString(authParameters, LdapConstants.CRED_USERNAME);
+ if (CommonUtils.isEmpty(userName)) {
+ throw new DBException("LDAP user name is empty");
+ }
+
+ LdapSettings ldapSettings = new LdapSettings(providerConfig);
+ String fullDN = JSONUtils.getString(authParameters, LdapConstants.CRED_FULL_DN);
+ String userDN;
+ if (!CommonUtils.isEmpty(fullDN)) {
+ userDN = fullDN;
+ } else {
+ userDN = getUserDN(ldapSettings, JSONUtils.getString(authParameters, LdapConstants.CRED_DISPLAY_NAME));
+ }
+ if (userDN == null) {
+ return new SMAutoAssign();
+ }
+
+ SMAutoAssign smAutoAssign = new SMAutoAssign();
+ smAutoAssign.addExternalTeamId(userDN);
+
+ String groupDN = getGroupForMember(userDN, ldapSettings);
+ if (groupDN != null) {
+ smAutoAssign.addExternalTeamId(groupDN);
+ }
+
+ return smAutoAssign;
+ }
+
+ private String getUserDN(LdapSettings ldapSettings, String displayName) {
+ DirContext context;
+ try {
+ context = new InitialDirContext(creteAuthEnvironment(ldapSettings));
+ return findUserDN(context, ldapSettings, displayName);
+ } catch (Exception e) {
+ log.error("User not found", e);
+ return null;
+ }
+ }
+
+ private String getGroupForMember(String fullDN, LdapSettings ldapSettings) {
+ DirContext context;
+ try {
+ context = new InitialDirContext(creteAuthEnvironment(ldapSettings));
+ String searchFilter = "(member=" + fullDN + ")";
+ SearchControls searchControls = new SearchControls();
+ searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+
+ NamingEnumeration results = context.search(ldapSettings.getBaseDN(), searchFilter, searchControls);
+ if (results.hasMore()) {
+ return results.next().getName();
+ }
+ } catch (Exception e) {
+ log.error("Group not found", e);
+ }
+ return null;
+ }
+
+ @Override
+ public String getExternalTeamIdMetadataFieldName() {
+ return LdapConstants.LDAP_META_GROUP_NAME;
+ }
}
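Review bot: The filter on L128 is built by concatenating `fullDN`, which `detectAutoAssignments` takes straight from `authParameters` (`CRED_FULL_DN`) rather than from a directory lookup, so a value containing `*`, `(`, `)` or `\` changes the meaning of the `(member=...)` search; the value should be escaped per RFC 4515 before it is embedded. Both `getUserDN` (L113-L122) and `getGroupForMember` open an `InitialDirContext` and never close it, and the `NamingEnumeration` returned by `context.search` is left open as well, so each assignment check leaks a directory connection; the rewrite below closes both in `finally`. `results.next().getName()` yields a name relative to the search base rather than the absolute DN — if the absolute group DN is what the external team id should match, `getNameInNamespace()` returns it — and only the first matching group is used, which may or may not be intended. The raw `NamingEnumeration` on L132 should be declared as `NamingEnumeration<SearchResult>`.
```java
private String getGroupForMember(String fullDN, LdapSettings ldapSettings) {
    // escape the DN so it can only ever act as a literal filter value
    String searchFilter = "(member=" + escapeFilterValue(fullDN) + ")";
    SearchControls searchControls = new SearchControls();
    searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    DirContext context = null;
    try {
        context = new InitialDirContext(creteAuthEnvironment(ldapSettings));
        NamingEnumeration<SearchResult> results =
            context.search(ldapSettings.getBaseDN(), searchFilter, searchControls);
        try {
            if (results.hasMore()) {
                // getName() is relative to the search base; switch to getNameInNamespace() if the absolute DN is wanted
                return results.next().getName();
            }
        } finally {
            results.close();
        }
    } catch (Exception e) {
        log.error("Group not found", e);
    } finally {
        if (context != null) {
            try {
                context.close();
            } catch (NamingException ignored) {
                // best effort: nothing useful to do if close fails
            }
        }
    }
    return null;
}

// RFC 4515 escaping: '*', '(', ')', '\' and NUL must not reach the filter unescaped
private static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
        switch (c) {
            case '\\': sb.append("\\5c"); break;
            case '*':  sb.append("\\2a"); break;
            case '(':  sb.append("\\28"); break;
            case ')':  sb.append("\\29"); break;
            case '\0': sb.append("\\00"); break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}
```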
diff --git a/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapConstants.java b/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapConstants.java
index 8b18c1fb6e..b6148bbb1a 100644
--- a/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapConstants.java
+++ b/server/bundles/io.cloudbeaver.service.ldap.auth/src/io/cloudbeaver/service/ldap/auth/LdapConstants.java
@@ -1,6 +1,6 @@
/*
* DBeaver - Universal Database Manager
- * Copyright (C) 2010-2024 DBeaver Corp and others
+ * Copyright (C) 2010-2025 DBeaver Corp and others
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,4 +32,6 @@ public interface LdapConstants {
String CRED_USER_DN = "user-dn";
String CRED_PASSWORD = "password";
String CRED_SESSION_ID = "session-id";
+ String CRED_FULL_DN = "full-dn";
+ String LDAP_META_GROUP_NAME = "ldap.group-name";
}