Issue #2691 replace static dn by subtee based ldap lookup for an entry inside _userBaseDn (#2842)

* replace static dn by subtee based ldap lookup for an entry inside _userBaseDn * additional ldap tests to cover enhancement of #2842 Signed-off-by: Alexei Pastuchov <alexei.pastuchov@telecolumbus.de>
2018-09-11 07:57:48 +02:00 · 2018-09-11 07:57:48 +02:00 · 04941fd44c
parent 2dd5fec4f4
commit 04941fd44c
2 changed files with 101 additions and 24 deletions
--- a/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
+++ b/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
@ -329,9 +329,16 @@ public class LdapLoginModule extends AbstractLoginModule
            }
        }

-        String userDn = _userRdnAttribute + "=" + rdnValue + "," + _userBaseDn;
+        String filter = "({0}={1})";

-        return getUserRolesByDn(dirContext, userDn);
+        Object[] filterArguments = new Object[]{
+                _userRdnAttribute,
+                rdnValue
+        };
+
+        SearchResult searchResult = findUser(dirContext, filter, filterArguments);
+
+        return getUserRolesByDn(dirContext, searchResult.getNameInNamespace());
    }

    private List<String> getUserRolesByDn(DirContext dirContext, String userDn) throws NamingException
@ -547,11 +554,6 @@ public class LdapLoginModule extends AbstractLoginModule

    private SearchResult findUser(String username) throws LoginException
    {
-        SearchControls ctls = new SearchControls();
-        ctls.setCountLimit(1);
-        ctls.setDerefLinkFlag(true);
-        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
-
        String filter = "(&(objectClass={0})({1}={2}))";

        if (LOG.isDebugEnabled())
@ -563,24 +565,36 @@ public class LdapLoginModule extends AbstractLoginModule
                username
        };

-        try
-        {
-            NamingEnumeration<SearchResult> results = _rootContext.search(_userBaseDn, filter, filterArguments, ctls);
-
-            if (LOG.isDebugEnabled())
-                LOG.debug("Found user?: " + results.hasMoreElements());
-
-            if (!results.hasMoreElements())
-            {
-                throw new FailedLoginException("User not found.");
+        return findUser(_rootContext, filter, filterArguments);
    }

-            return results.nextElement();
+    private SearchResult findUser(DirContext dirContext, String filter, Object[] filterArguments) throws LoginException
+    {
+        SearchControls ctls = new SearchControls();
+        ctls.setDerefLinkFlag(true);
+        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
+
+        NamingEnumeration<SearchResult> results;
+        try
+        {
+            results = _rootContext.search(_userBaseDn, filter, filterArguments, ctls);
        }
        catch (NamingException ne)
        {
            throw new FailedLoginException(ne.getMessage());
        }
+
+        if (LOG.isDebugEnabled())
+            LOG.debug("Found user?: " + results.hasMoreElements());
+
+        if (!results.hasMoreElements())
+            throw new FailedLoginException("User not found.");
+
+        SearchResult searchResult = (SearchResult)results.nextElement();
+        if (results.hasMoreElements())
+            throw new FailedLoginException("Search result contains ambiguous entries");
+
+        return searchResult;
    }


--- a/jetty-jaas/src/test/java/org/eclipse/jetty/jaas/JAASLdapLoginServiceTest.java
+++ b/jetty-jaas/src/test/java/org/eclipse/jetty/jaas/JAASLdapLoginServiceTest.java
@ -58,13 +58,13 @@ import static org.junit.Assert.*;
    "objectClass: top",
    "ou: people",
    // Entry # 2
-    "dn:uid=someone, ou=people,dc=jetty,dc=org",
+    "dn:uid=someone,ou=people,dc=jetty,dc=org",
    "objectClass: inetOrgPerson",
    "cn: someone",
    "sn: sn test",
    "userPassword: complicatedpassword",
    // Entry # 3
-    "dn:uid=someoneelse, ou=people,dc=jetty,dc=org",
+    "dn:uid=someoneelse,ou=people,dc=jetty,dc=org",
    "objectClass: inetOrgPerson",
    "cn: someoneelse",
    "sn: sn test",
@ -75,27 +75,67 @@ import static org.junit.Assert.*;
    "objectClass: top",
    "ou: groups",
    // Entry 5
+    "dn: ou=subdir,ou=people,dc=jetty,dc=org",
+    "objectClass: organizationalunit",
+    "objectClass: top",
+    "ou: subdir",
+    // Entry # 6
+    "dn:uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
+    "objectClass: inetOrgPerson",
+    "cn: uniqueuser",
+    "sn: unique user",
+    "userPassword: hello123",
+    // Entry # 7
+    "dn:uid=ambiguousone,ou=people,dc=jetty,dc=org",
+    "objectClass: inetOrgPerson",
+    "cn: ambiguous1",
+    "sn: ambiguous user",
+    "userPassword: foobar",
+    // Entry # 8
+    "dn:uid=ambiguousone,ou=subdir,ou=people,dc=jetty,dc=org",
+    "objectClass: inetOrgPerson",
+    "cn: ambiguous2",
+    "sn: ambiguous subdir user",
+    "userPassword: barfoo",
+    // Entry 9
    "dn: cn=developers,ou=groups,dc=jetty,dc=org",
    "objectClass: groupOfUniqueNames",
    "objectClass: top",
    "ou: groups",
    "description: People who try to build good software",
-    "uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
+    "uniquemember: uid=someone,ou=people,dc=jetty,dc=org",
+    "uniquemember: uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
    "cn: developers",
-    // Entry 6
+    // Entry 10
    "dn: cn=admin,ou=groups,dc=jetty,dc=org",
    "objectClass: groupOfUniqueNames",
    "objectClass: top",
    "ou: groups",
    "description: People who try to run software build by developers",
-    "uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
-    "uniquemember: uid=someoneelse, ou=people, dc=jetty,dc=org",
+    "uniquemember: uid=someone,ou=people,dc=jetty,dc=org",
+    "uniquemember: uid=someoneelse,ou=people,dc=jetty,dc=org",
+    "uniquemember: uid=uniqueuser,ou=subdir,ou=people,dc=jetty,dc=org",
    "cn: admin"
 })
 public class JAASLdapLoginServiceTest
 {
    private static LdapServer _ldapServer;

+    private JAASLoginService jaasLoginService(String name) {
+      JAASLoginService ls = new JAASLoginService("foo");
+      ls.setCallbackHandlerClass("org.eclipse.jetty.jaas.callback.DefaultCallbackHandler");
+      ls.setIdentityService(new DefaultIdentityService());
+      ls.setConfiguration(new TestConfiguration(true));
+      return ls;
+    }
+
+    private UserIdentity doLogin(String username, String password) throws Exception
+    {
+        JAASLoginService ls = jaasLoginService("foo");
+        Request request = new Request(null, null);
+        return ls.login( username, password, request);
+    }
+
    public static LdapServer getLdapServer() {
        return _ldapServer;
    }
@ -174,4 +214,27 @@ public class JAASLdapLoginServiceTest

    }

+    @Test
+    public void testLdapBindingSubdirUniqueUserName() throws Exception
+    {
+        UserIdentity userIdentity = doLogin("uniqueuser", "hello123");
+        assertNotNull( userIdentity );
+        assertTrue( userIdentity.isUserInRole( "developers", null) );
+        assertTrue( userIdentity.isUserInRole( "admin", null) );
+        assertFalse( userIdentity.isUserInRole( "blabla", null) );
+    }
+
+    @Test
+    public void testLdapBindingAmbiguousUserName() throws Exception
+    {
+        UserIdentity userIdentity = doLogin( "ambiguousone", "foobar");
+        assertNull( userIdentity );
+    }
+
+    @Test
+    public void testLdapBindingSubdirAmbiguousUserName() throws Exception
+    {
+        UserIdentity userIdentity = doLogin( "ambiguousone", "barfoo");
+        assertNull( userIdentity );
+    }
 }