Polish LDAP Module

Issue gh-3834

Author: jzheaux

ldap/src/main/java/org/springframework/security/ldap/DefaultSpringSecurityContextSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,6 @@
 
 package org.springframework.security.ldap;
 
-import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
@@ -84,7 +83,7 @@ public DefaultSpringSecurityContextSource(String providerUrl) {
 		setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy() {
 
 			@Override
-			@SuppressWarnings("rawtypes")
+			@SuppressWarnings("unchecked")
 			public void setupEnvironment(Hashtable env, String dn, String password) {
 				super.setupEnvironment(env, dn, password);
 				// Remove the pooling flag unless authenticating as the 'manager' user.
@@ -145,7 +144,7 @@ private static String buildProviderUrl(List<String> urls, String baseDn) {
 		StringBuilder providerUrl = new StringBuilder();
 		for (String serverUrl : urls) {
 			String trimmedUrl = serverUrl.trim();
-			if ("".equals(trimmedUrl)) {
+			if (trimmedUrl.isEmpty()) {
 				continue;
 			}
 			providerUrl.append(trimmedUrl);
@@ -160,21 +159,11 @@ private static String buildProviderUrl(List<String> urls, String baseDn) {
 	}
 
 	private static String encodeUrl(String url) {
-		try {
-			return URLEncoder.encode(url, StandardCharsets.UTF_8.toString());
-		}
-		catch (UnsupportedEncodingException ex) {
-			throw new IllegalStateException(ex);
-		}
+		return URLEncoder.encode(url, StandardCharsets.UTF_8);
 	}
 
 	private String decodeUrl(String url) {
-		try {
-			return URLDecoder.decode(url, StandardCharsets.UTF_8.toString());
-		}
-		catch (UnsupportedEncodingException ex) {
-			throw new IllegalStateException(ex);
-		}
+		return URLDecoder.decode(url, StandardCharsets.UTF_8);
 	}
 
 }

ldap/src/main/java/org/springframework/security/ldap/LdapEncoder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2005-2010 the original author or authors.
+ * Copyright 2005-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,6 @@
 
 package org.springframework.security.ldap;
 
-import org.springframework.ldap.BadLdapGrammarException;
-
 /**
  * Helper class to encode and decode ldap names and values.
  *
@@ -31,26 +29,7 @@
  */
 final class LdapEncoder {
 
-	private static final int HEX = 16;
-
-	private static String[] NAME_ESCAPE_TABLE = new String[96];
-	static {
-		// all below 0x20 (control chars)
-		for (char c = 0; c < ' '; c++) {
-			NAME_ESCAPE_TABLE[c] = "\\" + toTwoCharHex(c);
-		}
-		NAME_ESCAPE_TABLE['#'] = "\\#";
-		NAME_ESCAPE_TABLE[','] = "\\,";
-		NAME_ESCAPE_TABLE[';'] = "\\;";
-		NAME_ESCAPE_TABLE['='] = "\\=";
-		NAME_ESCAPE_TABLE['+'] = "\\+";
-		NAME_ESCAPE_TABLE['<'] = "\\<";
-		NAME_ESCAPE_TABLE['>'] = "\\>";
-		NAME_ESCAPE_TABLE['\"'] = "\\\"";
-		NAME_ESCAPE_TABLE['\\'] = "\\\\";
-	}
-
-	private static String[] FILTER_ESCAPE_TABLE = new String['\\' + 1];
+	private static final String[] FILTER_ESCAPE_TABLE = new String['\\' + 1];
 
 	static {
 		// fill with char itself
@@ -71,11 +50,6 @@ final class LdapEncoder {
 	private LdapEncoder() {
 	}
 
-	protected static String toTwoCharHex(char c) {
-		String raw = Integer.toHexString(c).toUpperCase();
-		return (raw.length() > 1) ? raw : "0" + raw;
-	}
-
 	/**
 	 * Escape a value for use in a filter.
 	 * @param value the value to escape.
@@ -94,102 +68,4 @@ static String filterEncode(String value) {
 		return encodedValue.toString();
 	}
 
-	/**
-	 * LDAP Encodes a value for use with a DN. Escapes for LDAP, not JNDI!
-	 *
-	 * <br/>
-	 * Escapes:<br/>
-	 * ' ' [space] - "\ " [if first or last] <br/>
-	 * '#' [hash] - "\#" <br/>
-	 * ',' [comma] - "\," <br/>
-	 * ';' [semicolon] - "\;" <br/>
-	 * '= [equals] - "\=" <br/>
-	 * '+' [plus] - "\+" <br/>
-	 * '&lt;' [less than] - "\&lt;" <br/>
-	 * '&gt;' [greater than] - "\&gt;" <br/>
-	 * '"' [double quote] - "\"" <br/>
-	 * '\' [backslash] - "\\" <br/>
-	 * @param value the value to escape.
-	 * @return The escaped value.
-	 */
-	static String nameEncode(String value) {
-		if (value == null) {
-			return null;
-		}
-		StringBuilder encodedValue = new StringBuilder(value.length() * 2);
-		int length = value.length();
-		int last = length - 1;
-		for (int i = 0; i < length; i++) {
-			char c = value.charAt(i);
-			// space first or last
-			if (c == ' ' && (i == 0 || i == last)) {
-				encodedValue.append("\\ ");
-				continue;
-			}
-			// check in table for escapes
-			if (c < NAME_ESCAPE_TABLE.length) {
-				String esc = NAME_ESCAPE_TABLE[c];
-				if (esc != null) {
-					encodedValue.append(esc);
-					continue;
-				}
-			}
-			// default: add the char
-			encodedValue.append(c);
-		}
-		return encodedValue.toString();
-	}
-
-	/**
-	 * Decodes a value. Converts escaped chars to ordinary chars.
-	 * @param value Trimmed value, so no leading an trailing blanks, except an escaped
-	 * space last.
-	 * @return The decoded value as a string.
-	 * @throws BadLdapGrammarException
-	 */
-	static String nameDecode(String value) throws BadLdapGrammarException {
-		if (value == null) {
-			return null;
-		}
-		StringBuilder decoded = new StringBuilder(value.length());
-		int i = 0;
-		while (i < value.length()) {
-			char currentChar = value.charAt(i);
-			if (currentChar == '\\') {
-				// Ending with a single backslash is not allowed
-				if (value.length() <= i + 1) {
-					throw new BadLdapGrammarException("Unexpected end of value " + "unterminated '\\'");
-				}
-				char nextChar = value.charAt(i + 1);
-				if (isNormalBackslashEscape(nextChar)) {
-					decoded.append(nextChar);
-					i += 2;
-				}
-				else {
-					if (value.length() <= i + 2) {
-						throw new BadLdapGrammarException(
-								"Unexpected end of value " + "expected special or hex, found '" + nextChar + "'");
-					}
-					// This should be a hex value
-					String hexString = "" + nextChar + value.charAt(i + 2);
-					decoded.append((char) Integer.parseInt(hexString, HEX));
-					i += 3;
-				}
-			}
-			else {
-				// This character wasn't escaped - just append it
-				decoded.append(currentChar);
-				i++;
-			}
-		}
-
-		return decoded.toString();
-
-	}
-
-	private static boolean isNormalBackslashEscape(char nextChar) {
-		return nextChar == ',' || nextChar == '=' || nextChar == '+' || nextChar == '<' || nextChar == '>'
-				|| nextChar == '#' || nextChar == ';' || nextChar == '\\' || nextChar == '\"' || nextChar == ' ';
-	}
-
 }

ldap/src/main/java/org/springframework/security/ldap/LdapUtils.java

@@ -83,7 +83,7 @@ public static void closeEnumeration(NamingEnumeration ne) {
 	 */
 	public static String getRelativeName(String fullDn, Context baseCtx) throws NamingException {
 		String baseDn = baseCtx.getNameInNamespace();
-		if (baseDn.length() == 0) {
+		if (baseDn.isEmpty()) {
 			return fullDn;
 		}
 		LdapName base = LdapNameBuilder.newInstance(baseDn).build();

ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,7 +18,7 @@
 
 import java.text.MessageFormat;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -40,7 +40,6 @@
 
 import org.springframework.core.log.LogMessage;
 import org.springframework.dao.IncorrectResultSizeDataAccessException;
-import org.springframework.ldap.core.ContextExecutor;
 import org.springframework.ldap.core.ContextMapper;
 import org.springframework.ldap.core.ContextSource;
 import org.springframework.ldap.core.DirContextAdapter;
@@ -98,7 +97,7 @@ public boolean compare(String dn, String attributeName, Object value) {
 			searchControls.setSearchScope(SearchControls.OBJECT_SCOPE);
 			Object[] params = new Object[] { value };
 			NamingEnumeration<SearchResult> results = ctx.search(dn, comparisonFilter, params, searchControls);
-			Boolean match = results.hasMore();
+			boolean match = results.hasMore();
 			LdapUtils.closeEnumeration(results);
 			return match;
 		});
@@ -112,7 +111,7 @@ public boolean compare(String dn, String attributeName, Object value) {
 	 * @return the object created by the mapper
 	 */
 	public DirContextOperations retrieveEntry(final String dn, final String[] attributesToRetrieve) {
-		return (DirContextOperations) executeReadOnly((ContextExecutor) (ctx) -> {
+		return executeReadOnly((ctx) -> {
 			Attributes attrs = ctx.getAttributes(dn, attributesToRetrieve);
 			return new DirContextAdapter(attrs, LdapNameBuilder.newInstance(dn).build(),
 					LdapNameBuilder.newInstance(ctx.getNameInNamespace()).build());
@@ -169,26 +168,27 @@ public Set<Map<String, List<String>>> searchForMultipleAttributeValues(String ba
 		String formattedFilter = MessageFormat.format(filter, encodedParams);
 		logger.trace(LogMessage.format("Using filter: %s", formattedFilter));
 		HashSet<Map<String, List<String>>> result = new HashSet<>();
-		ContextMapper roleMapper = (ctx) -> {
+		ContextMapper<?> roleMapper = (ctx) -> {
 			DirContextAdapter adapter = (DirContextAdapter) ctx;
 			Map<String, List<String>> record = new HashMap<>();
 			if (ObjectUtils.isEmpty(attributeNames)) {
 				try {
-					for (NamingEnumeration enumeration = adapter.getAttributes().getAll(); enumeration.hasMore();) {
-						Attribute attr = (Attribute) enumeration.next();
+					for (NamingEnumeration<? extends Attribute> enumeration = adapter.getAttributes()
+						.getAll(); enumeration.hasMore();) {
+						Attribute attr = enumeration.next();
 						extractStringAttributeValues(adapter, record, attr.getID());
 					}
 				}
 				catch (NamingException ex) {
-					org.springframework.ldap.support.LdapUtils.convertLdapException(ex);
+					throw org.springframework.ldap.support.LdapUtils.convertLdapException(ex);
 				}
 			}
 			else {
 				for (String attributeName : attributeNames) {
 					extractStringAttributeValues(adapter, record, attributeName);
 				}
 			}
-			record.put(DN_KEY, Arrays.asList(getAdapterDN(adapter)));
+			record.put(DN_KEY, Collections.singletonList(getAdapterDN(adapter)));
 			result.add(record);
 			return null;
 		};
@@ -258,8 +258,7 @@ private void extractStringAttributeValues(DirContextAdapter adapter, Map<String,
 	 * search returns more than one result.
 	 */
 	public DirContextOperations searchForSingleEntry(String base, String filter, Object[] params) {
-		return (DirContextOperations) executeReadOnly((ContextExecutor) (ctx) -> searchForSingleEntryInternal(ctx,
-				this.searchControls, base, filter, params));
+		return executeReadOnly((ctx) -> searchForSingleEntryInternal(ctx, this.searchControls, base, filter, params));
 	}
 
 	/**
@@ -296,8 +295,9 @@ public static DirContextOperations searchForSingleEntryInternal(DirContext ctx,
 	/**
 	 * We need to make sure the search controls has the return object flag set to true, in
 	 * order for the search to return DirContextAdapter instances.
-	 * @param originalControls
-	 * @return
+	 * @param originalControls the {@link SearchControls} that might have the return
+	 * object flag set to true
+	 * @return a {@link SearchControls} that does have the return object flag set to true
 	 */
 	private static SearchControls buildControls(SearchControls originalControls) {
 		return new SearchControls(originalControls.getSearchScope(), originalControls.getCountLimit(),

ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
+import org.springframework.lang.NonNull;
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -117,14 +118,15 @@ public boolean supports(Class<?> authentication) {
 	 * obtained from the UserDetails object created by the configured
 	 * {@code UserDetailsContextMapper}. Often it will not be possible to read the
 	 * password from the directory, so defaults to true.
-	 * @param useAuthenticationRequestCredentials
+	 * @param useAuthenticationRequestCredentials whether to use the credentials in the
+	 * authentication request
 	 */
 	public void setUseAuthenticationRequestCredentials(boolean useAuthenticationRequestCredentials) {
 		this.useAuthenticationRequestCredentials = useAuthenticationRequestCredentials;
 	}
 
 	@Override
-	public void setMessageSource(MessageSource messageSource) {
+	public void setMessageSource(@NonNull MessageSource messageSource) {
 		this.messages = new MessageSourceAccessor(messageSource);
 	}