Merge pull request #178 from Observe-secretly/v2.2.1_ldap

新功能：增加了对LDAP登录的支持

kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/bizenum/AccountRoleEnum.java

@@ -47,4 +47,13 @@ public enum AccountRoleEnum {
         }
         return AccountRoleEnum.UNKNOWN;
     }
+
+    public static AccountRoleEnum getUserRoleEnum(String roleName) {
+        for (AccountRoleEnum elem: AccountRoleEnum.values()) {
+            if (elem.message.equalsIgnoreCase(roleName)) {
+                return elem;
+            }
+        }
+        return AccountRoleEnum.UNKNOWN;
+    }
 }

kafka-manager-common/src/main/java/com/xiaojukeji/kafka/manager/common/utils/ldap/LDAPAuthentication.java

@@ -0,0 +1,120 @@
+package com.xiaojukeji.kafka.manager.common.utils.ldap;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import javax.naming.AuthenticationException;
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import java.util.Hashtable;
+
+@Component
+public class LDAPAuthentication {
+
+    @Value(value = "${ldap.url}")
+    private String ldapUrl;
+
+    @Value(value = "${ldap.basedn}")
+    private String ldapBasedn;
+
+    @Value(value = "${ldap.factory}")
+    private String ldapFactory;
+
+    @Value(value = "${ldap.auth-user-registration-role}")
+    private String authUserRegistrationRole;
+
+    @Value(value = "${ldap.security.authentication}")
+    private String securityAuthentication;
+
+    @Value(value = "${ldap.security.principal}")
+    private String securityPrincipal;
+
+    @Value(value = "${ldap.security.credentials}")
+    private String securityCredentials;
+
+    private LdapContext getConnect() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, ldapFactory);
+        env.put(Context.PROVIDER_URL, ldapUrl + ldapBasedn);
+        env.put(Context.SECURITY_AUTHENTICATION, securityAuthentication);
+
+        // 此处若不指定用户名和密码,则自动转换为匿名登录
+        env.put(Context.SECURITY_PRINCIPAL, securityPrincipal);
+        env.put(Context.SECURITY_CREDENTIALS, securityCredentials);
+        try {
+           return new InitialLdapContext(env, null);
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
+    private String getUserDN(String account,LdapContext ctx) {
+        String userDN = "";
+        try {
+            SearchControls constraints = new SearchControls();
+            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
+            NamingEnumeration<SearchResult> en = ctx.search("", "account=" + account, constraints);
+            if (en == null || !en.hasMoreElements()) {
+                return "";
+            }
+            // maybe more than one element
+            while (en.hasMoreElements()) {
+                Object obj = en.nextElement();
+                if (obj instanceof SearchResult) {
+                    SearchResult si = (SearchResult) obj;
+                    userDN += si.getName();
+                    userDN += "," + ldapBasedn;
+                    break;
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return userDN;
+    }
+
+    /**
+     * LDAP账密验证
+     * @param account
+     * @param password
+     * @return
+     */
+    public boolean authenricate(String account, String password) {
+        LdapContext ctx = getConnect();
+
+        boolean valide = false;
+
+        try {
+            String userDN = getUserDN(account,ctx);
+
+            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
+            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
+            ctx.reconnect(null);
+            valide = true;
+        } catch (AuthenticationException e) {
+            System.out.println(e.toString());
+        } catch (NamingException e) {
+            e.printStackTrace();
+        }finally {
+            if(ctx!=null) {
+                try {
+                    ctx.close();
+                } catch (NamingException e) {
+                    e.printStackTrace();
+                }
+            }
+        }
+
+        return valide;
+    }
+
+}

kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/component/sso/BaseSessionSignOn.java

@@ -2,13 +2,16 @@ package com.xiaojukeji.kafka.manager.account.component.sso;
 
 import com.xiaojukeji.kafka.manager.account.AccountService;
 import com.xiaojukeji.kafka.manager.account.component.AbstractSingleSignOn;
+import com.xiaojukeji.kafka.manager.common.bizenum.AccountRoleEnum;
 import com.xiaojukeji.kafka.manager.common.constant.LoginConstant;
 import com.xiaojukeji.kafka.manager.common.entity.Result;
 import com.xiaojukeji.kafka.manager.common.entity.dto.normal.LoginDTO;
 import com.xiaojukeji.kafka.manager.common.entity.pojo.AccountDO;
 import com.xiaojukeji.kafka.manager.common.utils.EncryptUtil;
 import com.xiaojukeji.kafka.manager.common.utils.ValidateUtils;
+import com.xiaojukeji.kafka.manager.common.utils.ldap.LDAPAuthentication;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 import javax.servlet.http.HttpServletRequest;
@@ -23,12 +26,50 @@ public class BaseSessionSignOn extends AbstractSingleSignOn {
     @Autowired
     private AccountService accountService;
 
+    @Autowired
+    private LDAPAuthentication ldapAuthentication;
+
+    //是否开启ldap验证
+    @Value(value = "${ldap.enabled}")
+    private boolean ldapEnabled;
+
+    //ldap自动注册的默认角色。请注意：它通常来说都是低权限角色
+    @Value(value = "${ldap.auth-user-registration-role}")
+    private String authUserRegistrationRole;
+
+    //ldap自动注册是否开启
+    @Value(value = "${ldap.auth-user-registration}")
+    private boolean authUserRegistration;
+
     @Override
     public Result<String> loginAndGetLdap(HttpServletRequest request, HttpServletResponse response, LoginDTO dto) {
         if (ValidateUtils.isBlank(dto.getUsername()) || ValidateUtils.isNull(dto.getPassword())) {
             return null;
         }
+
         Result<AccountDO> accountResult = accountService.getAccountDO(dto.getUsername());
+
+        //modifier limin
+        //判断是否激活了LDAP验证。若激活并且数据库无此用户则自动注册
+        if(ldapEnabled){
+            //去LDAP验证账密
+            if(!ldapAuthentication.authenricate(dto.getUsername(),dto.getPassword())){
+                return null;
+            }
+
+            if(ValidateUtils.isNull(accountResult) && authUserRegistration){
+                //自动注册
+                AccountDO accountDO = new AccountDO();
+                accountDO.setUsername(dto.getUsername());
+                accountDO.setRole(AccountRoleEnum.getUserRoleEnum(authUserRegistrationRole).getRole());
+                accountDO.setPassword(EncryptUtil.md5(dto.getPassword()));
+                accountService.createAccount(accountDO);
+            }
+
+            return Result.buildSuc(dto.getUsername());
+
+        }
+        
         if (ValidateUtils.isNull(accountResult) || accountResult.failed()) {
             return new Result<>(accountResult.getCode(), accountResult.getMessage());
         }

kafka-manager-web/src/main/resources/application.yml

@@ -11,6 +11,7 @@ spring:
     name: kafkamanager
   datasource:
     kafka-manager:
+
       jdbc-url: jdbc:mysql://127.0.0.1:3306/logi_kafka_manager?characterEncoding=UTF-8&useSSL=false&serverTimezone=GMT%2B8
       username: admin
       password: admin
@@ -82,3 +83,15 @@ notify:
     topic-name: didi-kafka-notify
   order:
     detail-url: http://127.0.0.1
+
+ldap:
+  enabled: false
+  url: ldap://127.0.0.1:389/
+  basedn: dc=tsign,dc=cn
+  factory: com.sun.jndi.ldap.LdapCtxFactory
+  security:
+    authentication: simple
+    principal: cn=admin,dc=tsign,dc=cn
+    credentials: admin
+  auth-user-registration-role: normal
+  auth-user-registration: true