This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e393ce35cb769c3e54d0904db3ec349efb53ffbc
Author: Michael Osipov <micha...@apache.org>
AuthorDate: Fri Jun 23 15:07:25 2023 +0200

    Bug 66665: Provide option to supply role mapping from a properties file
---
 .../apache/catalina/core/LocalStrings.properties   |   7 +
 .../core/PropertiesRoleMappingListener.java        | 168 +++++++++++++++++++++
 .../core/TestPropertiesRoleMappingListener.java    | 168 +++++++++++++++++++++
 .../com/example/prefixed-role-mapping.properties   |   2 +
 .../classes/com/example/role-mapping.properties    |   2 +
 .../WEB-INF/prefixed-role-mapping.properties       |   2 +
 .../WEB-INF/role-mapping.properties                |   2 +
 test/webapp-role-mapping/admin                     |   1 +
 test/webapp-role-mapping/unmapped                  |   1 +
 test/webapp-role-mapping/user                      |   1 +
 webapps/docs/changelog.xml                         |   6 +
 webapps/docs/config/listeners.xml                  |  31 ++++
 12 files changed, 391 insertions(+)

diff --git a/java/org/apache/catalina/core/LocalStrings.properties 
b/java/org/apache/catalina/core/LocalStrings.properties
index d1a5762c84..744a93b31b 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -170,6 +170,13 @@ noPluggabilityServletContext.notAllowed=Section 4.4 of the 
Servlet 3.0 specifica
 
 pushBuilder.noPath=It is illegal to call push() before setting a path
 
+propertiesRoleMappingListener.roleMappingFileNull=Role mapping file cannot be 
null
+propertiesRoleMappingListener.roleMappingFileEmpty=Role mapping file cannot be 
empty
+propertiesRoleMappingListener.roleMappingFileNotFound=Role mapping file [{0}] 
not found
+propertiesRoleMappingListener.roleMappingFileFail=Failed to load role mapping 
file [{0}]
+propertiesRoleMappingListener.linkedRole=Successfully linked application role 
[{0}] to technical role [{1}]
+propertiesRoleMappingListener.linkedRoleCount=Linked [{0}] application roles 
to technical roles
+
 standardContext.applicationListener=Error configuring application listener of 
class [{0}]
 standardContext.applicationSkipped=Skipped installing application listeners 
due to previous error(s)
 standardContext.backgroundProcess.instanceManager=Exception processing 
instance manager [{0}] background process
diff --git a/java/org/apache/catalina/core/PropertiesRoleMappingListener.java 
b/java/org/apache/catalina/core/PropertiesRoleMappingListener.java
new file mode 100644
index 0000000000..60b135d27f
--- /dev/null
+++ b/java/org/apache/catalina/core/PropertiesRoleMappingListener.java
@@ -0,0 +1,168 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map.Entry;
+import java.util.Objects;
+import java.util.Properties;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.Lifecycle;
+import org.apache.catalina.LifecycleEvent;
+import org.apache.catalina.LifecycleListener;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.file.ConfigFileLoader;
+import org.apache.tomcat.util.res.StringManager;
+
+/**
+ * Implementation of {@code LifecycleListener} that will populate the 
context's role mapping from a properties file.
+ * <p>
+ * This listener must only be nested within {@link Context} elements.
+ * <p>
+ * The keys represent application roles (e.g., admin, user, uservisor, etc.) 
while the values represent technical roles
+ * (e.g., DNs, SIDs, UUIDs, etc.). A key can also be prefixed if, e.g., the 
properties file contains generic
+ * application configuration as well: {@code app-roles.}.
+ * <p>
+ * Note: The default value for the {@code roleMappingFile} is {@code 
webapp:/WEB-INF/role-mapping.properties}.
+ */
+public class PropertiesRoleMappingListener implements LifecycleListener {
+
+    private static final String WEBAPP_PROTOCOL = "webapp:";
+
+    private static final Log log = 
LogFactory.getLog(PropertiesRoleMappingListener.class);
+    /**
+     * The string manager for this package.
+     */
+    private static final StringManager sm = 
StringManager.getManager(ContextNamingInfoListener.class);
+
+    private String roleMappingFile = WEBAPP_PROTOCOL + 
"/WEB-INF/role-mapping.properties";
+    private String keyPrefix;
+
+    /**
+     * Sets the path to the role mapping properties file. You can use protocol 
{@code webapp:} and whatever
+     * {@link ConfigFileLoader} supports.
+     *
+     * @param roleMappingFile the role mapping properties file to load from
+     * @throws NullPointerException if roleMappingFile is null
+     * @throws IllegalArgumentException if roleMappingFile is empty
+     */
+    public void setRoleMappingFile(String roleMappingFile) {
+        Objects.requireNonNull(roleMappingFile, 
sm.getString("propertiesRoleMappingListener.roleMappingFileNull"));
+        if (roleMappingFile.isEmpty()) {
+            throw new 
IllegalArgumentException(sm.getString("propertiesRoleMappingListener.roleMappingFileEmpty"));
+        }
+
+        this.roleMappingFile = roleMappingFile;
+    }
+
+    /**
+     * Gets the path to the role mapping properties file.
+     *
+     * @return the path to the role mapping properties file
+     */
+    public String getRoleMappingFile() {
+        return roleMappingFile;
+    }
+
+    /**
+     * Sets the prefix to filter from property keys. All other keys will be 
ignored which do not have the prefix.
+     *
+     * @param keyPrefix the properties key prefix
+     */
+    public void setKeyPrefix(String keyPrefix) {
+        this.keyPrefix = keyPrefix;
+    }
+
+    /**
+     * Gets the prefix to filter from property keys.
+     *
+     * @return the properties key prefix
+     */
+    public String getKeyPrefix() {
+        return keyPrefix;
+    }
+
+    @Override
+    public void lifecycleEvent(LifecycleEvent event) {
+        if (event.getType().equals(Lifecycle.CONFIGURE_START_EVENT)) {
+            if (!(event.getLifecycle() instanceof Context)) {
+                log.warn(sm.getString("listener.notContext", 
event.getLifecycle().getClass().getSimpleName()));
+                return;
+            }
+            Context context = (Context) event.getLifecycle();
+
+            InputStream is;
+            if (roleMappingFile.startsWith(WEBAPP_PROTOCOL)) {
+                String path = 
roleMappingFile.substring(WEBAPP_PROTOCOL.length());
+                is = context.getServletContext().getResourceAsStream(path);
+            } else {
+                try {
+                    is = 
ConfigFileLoader.getSource().getResource(roleMappingFile).getInputStream();
+                } catch (FileNotFoundException e1) {
+                    is = null;
+                } catch (IOException e2) {
+                    throw new IllegalStateException(
+                            
sm.getString("propertiesRoleMappingListener.roleMappingFileFail", 
roleMappingFile), e2);
+                }
+            }
+
+            if (is == null) {
+                throw new IllegalStateException(
+                        
sm.getString("propertiesRoleMappingListener.roleMappingFileNotFound", 
roleMappingFile));
+            }
+
+            Properties props = new Properties();
+
+            try (InputStream _is = is) {
+                props.load(_is);
+            } catch (IOException e) {
+                throw new IllegalStateException(
+                        
sm.getString("propertiesRoleMappingListener.roleMappingFileFail", 
roleMappingFile), e);
+            }
+
+            int linkCount = 0;
+            for (Entry<Object, Object> prop : props.entrySet()) {
+                String role = (String) prop.getKey();
+
+                if (keyPrefix != null) {
+                    if (role.startsWith(keyPrefix)) {
+                        role = role.substring(keyPrefix.length());
+                    } else {
+                        continue;
+                    }
+                }
+
+                String link = (String) prop.getValue();
+
+                if (log.isTraceEnabled()) {
+                    
log.trace(sm.getString("propertiesRoleMappingListener.linkedRole", role, link));
+                }
+                context.addRoleMapping(role, link);
+                linkCount++;
+            }
+
+            if (log.isDebugEnabled()) {
+                
log.debug(sm.getString("propertiesRoleMappingListener.linkedRoleCount", 
linkCount));
+            }
+        }
+    }
+
+}
diff --git 
a/test/org/apache/catalina/core/TestPropertiesRoleMappingListener.java 
b/test/org/apache/catalina/core/TestPropertiesRoleMappingListener.java
new file mode 100644
index 0000000000..ac247d24b6
--- /dev/null
+++ b/test/org/apache/catalina/core/TestPropertiesRoleMappingListener.java
@@ -0,0 +1,168 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.catalina.core;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.authenticator.BasicAuthenticator;
+import org.apache.catalina.servlets.DefaultServlet;
+import org.apache.catalina.startup.TesterMapRealm;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.codec.binary.Base64;
+import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestPropertiesRoleMappingListener extends TomcatBaseTest {
+
+    @Test(expected = NullPointerException.class)
+    public void testNullRoleMappingFile() throws Exception {
+        PropertiesRoleMappingListener listener = new 
PropertiesRoleMappingListener();
+        listener.setRoleMappingFile(null);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testEmptyRoleMappingFile() throws Exception {
+        PropertiesRoleMappingListener listener = new 
PropertiesRoleMappingListener();
+        listener.setRoleMappingFile("");
+    }
+
+    @Test(expected = LifecycleException.class)
+    public void testNotFoundRoleMappingFile() throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        Context ctx = tomcat.addContext("", null);
+
+        PropertiesRoleMappingListener listener = new 
PropertiesRoleMappingListener();
+        ctx.addLifecycleListener(listener);
+
+        try {
+            tomcat.start();
+        } finally {
+            tomcat.stop();
+        }
+    }
+
+    @Test
+    public void testFileFromServletContext() throws Exception {
+        doTest("webapp:/WEB-INF/role-mapping.properties", null);
+    }
+
+    @Test
+    public void testFileFromServletContextWithKeyPrefix() throws Exception {
+        doTest("webapp:/WEB-INF/prefixed-role-mapping.properties", 
"app-roles.");
+    }
+
+    @Test
+    public void testFileFromClasspath() throws Exception {
+        doTest("classpath:/com/example/role-mapping.properties", null);
+    }
+
+    @Test
+    public void testFileFromClasspathWithKeyPrefix() throws Exception {
+        doTest("classpath:/com/example/prefixed-role-mapping.properties", 
"app-roles.");
+    }
+
+    @Test
+    public void testFileFromFile() throws Exception {
+        File appDir = new File("test/webapp-role-mapping");
+        File file = new File(appDir, "WEB-INF/role-mapping.properties");
+        doTest(file.getAbsoluteFile().toURI().toASCIIString(), null);
+    }
+
+    @Test
+    public void testFileFromFileWithKeyPrefix() throws Exception {
+        File appDir = new File("test/webapp-role-mapping");
+        File file = new File(appDir, 
"WEB-INF/prefixed-role-mapping.properties");
+        doTest(file.getAbsoluteFile().toURI().toASCIIString(), "app-roles.");
+    }
+
+    private void doTest(String roleMappingFile, String keyPrefix) throws 
Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File("test/webapp-role-mapping");
+        Context ctx = tomcat.addContext("", appDir.getAbsolutePath());
+
+        PropertiesRoleMappingListener listener = new 
PropertiesRoleMappingListener();
+        listener.setRoleMappingFile(roleMappingFile);
+        listener.setKeyPrefix(keyPrefix);
+        ctx.addLifecycleListener(listener);
+
+        Tomcat.addServlet(ctx, "default", new DefaultServlet());
+        ctx.addServletMappingDecoded("/", "default");
+
+        LoginConfig loginConfig  = new LoginConfig();
+        loginConfig.setAuthMethod(HttpServletRequest.BASIC_AUTH);
+        ctx.setLoginConfig(loginConfig);
+        ctx.getPipeline().addValve(new BasicAuthenticator());
+
+        TesterMapRealm realm = new TesterMapRealm();
+        realm.addUser("foo", "bar");
+        // role 'admin'
+        realm.addUserRole("foo", "de25f8f5-e534-4980-9351-e316384b1127");
+        realm.addUser("waldo", "fred");
+        // role 'user'
+        realm.addUserRole("waldo", "13f6b886-cba8-4b5b-9a1b-06a6fe533356");
+        // role 'supervisor'
+        realm.addUserRole("waldo", "45071e9a-13ef-11ee-89dc-20677cd45840");
+        ctx.setRealm(realm);
+
+        for (String role : Arrays.asList("admin", "user", "unmapped")) {
+            SecurityCollection securityCollection = new SecurityCollection();
+            securityCollection.addPattern("/" + role);
+            SecurityConstraint constraint = new SecurityConstraint();
+            constraint.addAuthRole(role);
+            constraint.addCollection(securityCollection);
+            ctx.addConstraint(constraint);
+            ctx.addSecurityRole(role);
+        }
+
+        tomcat.start();
+
+        testRequest("foo:bar", "/admin", 200);
+        testRequest("waldo:fred", "/user", 200);
+        testRequest("waldo:fred", "/unmapped", 403);
+        testRequest("bar:baz", "/user", 401);
+    }
+
+    private void testRequest(String credentials, String path, int statusCode) 
throws IOException {
+        ByteChunk out = new ByteChunk();
+        Map<String, List<String>> reqHead = new HashMap<>();
+        List<String> head = new ArrayList<>();
+        head.add(HttpServletRequest.BASIC_AUTH + " " +
+                
Base64.encodeBase64String(credentials.getBytes(StandardCharsets.ISO_8859_1)));
+        reqHead.put("Authorization", head);
+        int rc = getUrl("http://localhost:"; + getPort() + path, out, reqHead, 
null);
+        Assert.assertEquals(statusCode, rc);
+    }
+
+}
diff --git 
a/test/webapp-role-mapping/WEB-INF/classes/com/example/prefixed-role-mapping.properties
 
b/test/webapp-role-mapping/WEB-INF/classes/com/example/prefixed-role-mapping.properties
new file mode 100644
index 0000000000..f2510d7841
--- /dev/null
+++ 
b/test/webapp-role-mapping/WEB-INF/classes/com/example/prefixed-role-mapping.properties
@@ -0,0 +1,2 @@
+app-roles.admin=de25f8f5-e534-4980-9351-e316384b1127
+app-roles.user=13f6b886-cba8-4b5b-9a1b-06a6fe533356
diff --git 
a/test/webapp-role-mapping/WEB-INF/classes/com/example/role-mapping.properties 
b/test/webapp-role-mapping/WEB-INF/classes/com/example/role-mapping.properties
new file mode 100644
index 0000000000..b186493cf5
--- /dev/null
+++ 
b/test/webapp-role-mapping/WEB-INF/classes/com/example/role-mapping.properties
@@ -0,0 +1,2 @@
+admin=de25f8f5-e534-4980-9351-e316384b1127
+user=13f6b886-cba8-4b5b-9a1b-06a6fe533356
diff --git a/test/webapp-role-mapping/WEB-INF/prefixed-role-mapping.properties 
b/test/webapp-role-mapping/WEB-INF/prefixed-role-mapping.properties
new file mode 100644
index 0000000000..f2510d7841
--- /dev/null
+++ b/test/webapp-role-mapping/WEB-INF/prefixed-role-mapping.properties
@@ -0,0 +1,2 @@
+app-roles.admin=de25f8f5-e534-4980-9351-e316384b1127
+app-roles.user=13f6b886-cba8-4b5b-9a1b-06a6fe533356
diff --git a/test/webapp-role-mapping/WEB-INF/role-mapping.properties 
b/test/webapp-role-mapping/WEB-INF/role-mapping.properties
new file mode 100644
index 0000000000..b186493cf5
--- /dev/null
+++ b/test/webapp-role-mapping/WEB-INF/role-mapping.properties
@@ -0,0 +1,2 @@
+admin=de25f8f5-e534-4980-9351-e316384b1127
+user=13f6b886-cba8-4b5b-9a1b-06a6fe533356
diff --git a/test/webapp-role-mapping/admin b/test/webapp-role-mapping/admin
new file mode 100644
index 0000000000..7fbe952b76
--- /dev/null
+++ b/test/webapp-role-mapping/admin
@@ -0,0 +1 @@
+admin
diff --git a/test/webapp-role-mapping/unmapped 
b/test/webapp-role-mapping/unmapped
new file mode 100644
index 0000000000..80a617a00e
--- /dev/null
+++ b/test/webapp-role-mapping/unmapped
@@ -0,0 +1 @@
+unmapped
diff --git a/test/webapp-role-mapping/user b/test/webapp-role-mapping/user
new file mode 100644
index 0000000000..4eb8387fed
--- /dev/null
+++ b/test/webapp-role-mapping/user
@@ -0,0 +1 @@
+user
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 605533ba40..86062aad52 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,12 @@
         a listener which creates context naming information environment 
entries.
         (michaelo)
       </add>
+      <add>
+        <bug>66665</bug>: Add
+        <code>org.apache.catalina.core.PropertiesRoleMappingListener</code>,
+        a listener which populates the context's role mapping from a properties
+        file. (michaelo)
+      </add>
       <fix>
         Fix an edge case where intra-web application symlinks would be followed
         if the web applications were deliberately crafted to allow it even when
diff --git a/webapps/docs/config/listeners.xml 
b/webapps/docs/config/listeners.xml
index 55bd572a80..1ad5c8f24a 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -372,6 +372,37 @@
 
   </subsection>
 
+  <subsection name="Properties Role Mapping Listener - 
org.apache.catalina.core.PropertiesRoleMappingListener">
+
+    <p>The <strong>Properties Role Mapping Listener</strong> populates the 
context's role mapping
+    from a properties file. The keys represent application roles (e.g., admin, 
user, uservisor,
+    etc.) while the values represent technical roles (e.g., DNs, SIDs, UUIDs, 
etc.). A key can
+    also be prefixed if, e.g., the properties file contains generic 
application configuration
+    as well: <code>app-roles.</code>.</p>
+
+    <p>This listener must only be nested within
+    <a href="context.html">Context</a> elements.</p>
+
+    <p>The following additional attributes are supported by the
+    <strong>Properties Role Mapping Listener</strong>:</p>
+
+    <attributes>
+
+      <attribute name="roleMappingFile" required="false">
+        <p>The path to the role mapping properties file. You can use protocol 
<code>webapp:</code>
+        and whatever <code>ConfigFileLoader</code> supports.</p>
+        <p>The default value is 
<code>webapp:/WEB-INF/role-mapping.properties</code>.</p>
+      </attribute>
+
+      <attribute name="keyPrefix" required="false">
+        <p>The prefix to filter from property keys. All other keys will be 
ignored which do
+        not have the prefix.</p>
+      </attribute>
+
+    </attributes>
+
+  </subsection>
+
   <subsection name="Security Lifecycle Listener - 
org.apache.catalina.security.SecurityListener">
 
     <p>The <strong>Security Lifecycle Listener</strong> performs a number of


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to