ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations

2020-09-07 16:32:57 +01:00 · 2020-09-07 16:32:57 +01:00 · ec1c5a96c7
parent 77bbf49a4f
commit ec1c5a96c7
4 changed files with 70 additions and 2 deletions
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/LDAPLoginModule.java
@ -587,6 +587,7 @@ public class LDAPLoginModule implements AuditLoginModule {
      if (logger.isDebugEnabled()) {
         logger.debug("Binding the user.");
      }
+      context.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
      context.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
      context.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
      try {
@ -612,6 +613,7 @@ public class LDAPLoginModule implements AuditLoginModule {
      } else {
         context.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
      }
+      context.addToEnvironment(Context.SECURITY_AUTHENTICATION, getLDAPPropertyValue(AUTHENTICATION));

      return isValid;
   }
--- a/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
+++ b/artemis-server/src/test/java/org/apache/activemq/artemis/core/security/jaas/LDAPLoginModuleTest.java
@ -62,7 +62,7 @@ import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;

@RunWith(FrameworkRunner.class)
-@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)}, allowAnonymousAccess = true)
@ApplyLdifFiles("test.ldif")
 public class LDAPLoginModuleTest extends AbstractLdapTestUnit {

@ -230,6 +230,52 @@ public class LDAPLoginModuleTest extends AbstractLdapTestUnit {
      assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length == 0));
   }

+
+   @Test
+   public void testAuthenticatedViaBindOnAnonConnection() throws Exception {
+      LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+         @Override
+         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+            for (int i = 0; i < callbacks.length; i++) {
+               if (callbacks[i] instanceof NameCallback) {
+                  ((NameCallback) callbacks[i]).setName("first");
+               } else if (callbacks[i] instanceof PasswordCallback) {
+                  ((PasswordCallback) callbacks[i]).setPassword("wrongSecret".toCharArray());
+               } else {
+                  throw new UnsupportedCallbackException(callbacks[i]);
+               }
+            }
+         }
+      });
+      try {
+         context.login();
+         fail("Should have failed authenticating");
+      } catch (FailedLoginException expected) {
+      }
+      assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length == 0));
+   }
+
+   @Test
+   public void testAuthenticatedOkViaBindOnAnonConnection() throws Exception {
+      LoginContext context = new LoginContext("AnonBindCheckUserLDAPLogin", new CallbackHandler() {
+         @Override
+         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+            for (int i = 0; i < callbacks.length; i++) {
+               if (callbacks[i] instanceof NameCallback) {
+                  ((NameCallback) callbacks[i]).setName("first");
+               } else if (callbacks[i] instanceof PasswordCallback) {
+                  ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray());
+               } else {
+                  throw new UnsupportedCallbackException(callbacks[i]);
+               }
+            }
+         }
+      });
+      context.login();
+      context.logout();
+      assertTrue("sessions still active after logout", waitFor(() -> ldapServer.getLdapSessionManager().getSessions().length == 0));
+   }
+
   @Test
   public void testCommitOnFailedLogin() throws LoginException {
      LoginModule loginModule = new LDAPLoginModule();
--- a/artemis-server/src/test/resources/login.config
+++ b/artemis-server/src/test/resources/login.config
@ -89,6 +89,26 @@ UnAuthenticatedLDAPLogin {
        ;
 };

+AnonBindCheckUserLDAPLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:1024"
+        connectionUsername=none
+        connectionPassword=none
+        connectionProtocol=s
+        authentication=none
+        authenticateUser=true
+        userBase="ou=system"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleBase="ou=system"
+        roleName=cn
+        roleSearchMatching="(member=uid={1},ou=system)"
+        roleSearchSubtree=false
+        ;
+};
+
 ExpandedLDAPLogin {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
        debug=true
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@ -769,7 +769,7 @@ system. It is implemented by

 - `authenticateUser` - boolean flag to disable authentication. Useful as an
  optimisation when this module is used just for role mapping of a Subject's
-  existing authenticated principals; default is `false`.
+  existing authenticated principals; default is `true`.

 - `referral` - specify how to handle referrals; valid values: `ignore`,
  `follow`, `throw`; default is `ignore`.