Issue #2846 Jaas ldap unit test (#2864)

* #2846 add jaas ldap unit tests Signed-off-by: olivier lamy <oliver.lamy@gmail.com>
2018-08-30 14:17:08 +10:00 · 2018-08-30 14:17:08 +10:00 · 9cb9be83fd
parent 88363dd3c1
commit 9cb9be83fd
4 changed files with 252 additions and 8 deletions
--- a/jetty-jaas/pom.xml
+++ b/jetty-jaas/pom.xml
@ -10,6 +10,8 @@
  <description>Jetty JAAS support</description>
  <properties>
    <bundle-symbolic-name>${project.groupId}.jaas</bundle-symbolic-name>
+    <!-- 2.0.0.AM25 is breaking surefire -->
+    <apacheds.version>2.0.0-M24</apacheds.version>
  </properties>
  <build>
    <plugins>
@ -39,5 +41,64 @@
      <artifactId>jetty-test-helper</artifactId>
      <scope>test</scope>
    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-all</artifactId>
+      <version>${apacheds.version}</version>
+      <scope>test</scope>
+      <exclusions>
+        <!-- exclude additional LDIF schema files to avoid conflicts through
+          multiple copies -->
+        <exclusion>
+          <groupId>org.apache.directory.shared</groupId>
+          <artifactId>shared-ldap-schema</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.directory.api</groupId>
+          <artifactId>api-ldap-schema-data</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-server-integ</artifactId>
+      <version>${apacheds.version}</version>
+      <scope>test</scope>
+      <exclusions>
+        <!-- exclude additional LDIF schema files to avoid conflicts through
+          multiple copies -->
+        <exclusion>
+          <groupId>org.apache.directory.shared</groupId>
+          <artifactId>shared-ldap-schema</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.directory.api</groupId>
+          <artifactId>api-ldap-schema-data</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.directory.server</groupId>
+      <artifactId>apacheds-core-integ</artifactId>
+      <version>${apacheds.version}</version>
+      <scope>test</scope>
+      <exclusions>
+        <!-- exclude additional LDIF schema files to avoid conflicts through
+          multiple copies -->
+        <exclusion>
+          <groupId>org.apache.directory.shared</groupId>
+          <artifactId>shared-ldap-schema</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.directory.api</groupId>
+          <artifactId>api-ldap-schema-data</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
  </dependencies>
 </project>
--- a/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
+++ b/jetty-jaas/src/main/java/org/eclipse/jetty/jaas/spi/LdapLoginModule.java
@ -304,7 +304,7 @@ public class LdapLoginModule extends AbstractLoginModule
            }
        }

-        LOG.debug("user cred is: " + ldapCredential);
+        if(LOG.isDebugEnabled()) LOG.debug("user cred is: " + ldapCredential);

        return ldapCredential;
    }
@ -341,7 +341,7 @@ public class LdapLoginModule extends AbstractLoginModule

    private List<String> getUserRolesByDn(DirContext dirContext, String userDn) throws LoginException, NamingException
    {
-        List<String> roleList = new ArrayList<String>();
+        List<String> roleList = new ArrayList<>();

        if (dirContext == null || _roleBaseDn == null || _roleMemberAttribute == null || _roleObjectClass == null)
        {
@ -357,11 +357,11 @@ public class LdapLoginModule extends AbstractLoginModule
        Object[] filterArguments = {_roleObjectClass, _roleMemberAttribute, userDn};
        NamingEnumeration<SearchResult> results = dirContext.search(_roleBaseDn, filter, filterArguments, ctls);

-        LOG.debug("Found user roles?: " + results.hasMoreElements());
+        if(LOG.isDebugEnabled()) LOG.debug("Found user roles?: " + results.hasMoreElements());

        while (results.hasMoreElements())
        {
-            SearchResult result = (SearchResult)results.nextElement();
+            SearchResult result = results.nextElement();

            Attributes attributes = result.getAttributes();

@ -425,7 +425,8 @@ public class LdapLoginModule extends AbstractLoginModule
            if (_forceBindingLogin)
            {
                authed = bindingLogin(webUserName, webCredential);
-            } else
+            }
+            else
            {
                // This sets read and the credential
                UserInfo userInfo = getUserInfo(webUserName);
@ -458,7 +459,7 @@ public class LdapLoginModule extends AbstractLoginModule
        {
            if (_debug)
            {
-                e.printStackTrace();
+                LOG.info( e );
            }
            throw new LoginException("IO Error performing login.");
        }
@ -466,7 +467,7 @@ public class LdapLoginModule extends AbstractLoginModule
        {
            if (_debug)
            {
-                e.printStackTrace();
+                LOG.info( e );
            }
            throw new LoginException("Error obtaining user info.");
        }
@ -556,7 +557,7 @@ public class LdapLoginModule extends AbstractLoginModule
            throw new LoginException("User not found.");
        }

-        return (SearchResult)results.nextElement();
+        return results.nextElement();
    }


--- a/jetty-jaas/src/test/java/org/eclipse/jetty/jaas/JAASLdapLoginServiceTest.java
+++ b/jetty-jaas/src/test/java/org/eclipse/jetty/jaas/JAASLdapLoginServiceTest.java
@ -0,0 +1,177 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2018 Mort Bay Consulting Pty. Ltd.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+
+package org.eclipse.jetty.jaas;
+
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.LdapServer;
+import org.eclipse.jetty.jaas.spi.LdapLoginModule;
+import org.eclipse.jetty.security.DefaultIdentityService;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.UserIdentity;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
+import javax.security.auth.login.Configuration;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+/**
+ * JAASLdapLoginServiceTest
+ *
+ *
+ */
+@RunWith( FrameworkRunner.class)
+@CreateLdapServer( transports = { @CreateTransport(protocol = "LDAP" ) } )
+@CreateDS(allowAnonAccess = false, partitions = {
+    @CreatePartition(name = "Users Partition", suffix = "ou=people,dc=jetty,dc=org"),
+    @CreatePartition(name = "Groups Partition", suffix = "ou=groups,dc=jetty,dc=org")})
+@ApplyLdifs({
+    // Entry 1
+    "dn: ou=people,dc=jetty,dc=org",
+    "objectClass: organizationalunit",
+    "objectClass: top",
+    "ou: people",
+    // Entry # 2
+    "dn:uid=someone, ou=people,dc=jetty,dc=org",
+    "objectClass: inetOrgPerson",
+    "cn: someone",
+    "sn: sn test",
+    "userPassword: complicatedpassword",
+    // Entry # 3
+    "dn:uid=someoneelse, ou=people,dc=jetty,dc=org",
+    "objectClass: inetOrgPerson",
+    "cn: someoneelse",
+    "sn: sn test",
+    "userPassword: verycomplicatedpassword",
+    // Entry 4
+    "dn: ou=groups,dc=jetty,dc=org",
+    "objectClass: organizationalunit",
+    "objectClass: top",
+    "ou: groups",
+    // Entry 5
+    "dn: cn=developers,ou=groups,dc=jetty,dc=org",
+    "objectClass: groupOfUniqueNames",
+    "objectClass: top",
+    "ou: groups",
+    "description: People who try to build good software",
+    "uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
+    "cn: developers",
+    // Entry 6
+    "dn: cn=admin,ou=groups,dc=jetty,dc=org",
+    "objectClass: groupOfUniqueNames",
+    "objectClass: top",
+    "ou: groups",
+    "description: People who try to run software build by developers",
+    "uniquemember: uid=someone, ou=people, dc=jetty,dc=org",
+    "uniquemember: uid=someoneelse, ou=people, dc=jetty,dc=org",
+    "cn: admin"
+})
+public class JAASLdapLoginServiceTest
+{
+    private static LdapServer _ldapServer;
+
+    public static LdapServer getLdapServer() {
+        return _ldapServer;
+    }
+
+    public static void setLdapServer(LdapServer ldapServer) {
+        _ldapServer = ldapServer;
+    }
+
+    public static class TestConfiguration extends Configuration
+    {
+        private boolean forceBindingLogin;
+
+        public TestConfiguration( boolean forceBindingLogin )
+        {
+            this.forceBindingLogin = forceBindingLogin;
+        }
+
+        @Override
+        public AppConfigurationEntry[] getAppConfigurationEntry(String name)
+        {
+            Map<String,String> options = new HashMap<>( );
+            options.put( "hostname", "localhost" );
+            options.put( "port",  Integer.toString(_ldapServer.getTransports()[0].getPort()));
+            options.put( "contextFactory", "com.sun.jndi.ldap.LdapCtxFactory" );
+            options.put( "bindDn", "uid=admin,ou=system");
+            options.put( "bindPassword", "secret");
+            options.put( "userBaseDn", "ou=people,dc=jetty,dc=org" );
+            options.put( "roleBaseDn","ou=groups,dc=jetty,dc=org");
+            options.put( "roleNameAttribute", "cn" );
+            options.put( "forceBindingLogin", Boolean.toString( forceBindingLogin ) );
+            AppConfigurationEntry entry = new AppConfigurationEntry( LdapLoginModule.class.getCanonicalName(), LoginModuleControlFlag.REQUIRED, options);
+
+            return new AppConfigurationEntry[] {entry};
+        }
+        
+    }
+
+
+    @Test
+    public void testLdapUserIdentity() throws Exception
+    {
+        JAASLoginService ls = new JAASLoginService("foo");
+        ls.setCallbackHandlerClass("org.eclipse.jetty.jaas.callback.DefaultCallbackHandler");
+        ls.setIdentityService(new DefaultIdentityService());
+        ls.setConfiguration(new TestConfiguration(false));
+        Request request = new Request(null, null);
+        UserIdentity userIdentity = ls.login( "someone", "complicatedpassword", request);
+        assertNotNull( userIdentity );
+        assertTrue( userIdentity.isUserInRole( "developers", null) );
+        assertTrue( userIdentity.isUserInRole( "admin", null) );
+        assertFalse( userIdentity.isUserInRole( "blabla", null) );
+
+        userIdentity = ls.login( "someoneelse", "verycomplicatedpassword", request);
+        assertNotNull( userIdentity );
+        assertFalse( userIdentity.isUserInRole( "developers", null) );
+        assertTrue( userIdentity.isUserInRole( "admin", null) );
+        assertFalse( userIdentity.isUserInRole( "blabla", null) );
+    }
+
+    @Test
+    public void testLdapUserIdentityBindingLogin() throws Exception
+    {
+        JAASLoginService ls = new JAASLoginService("foo");
+        ls.setCallbackHandlerClass("org.eclipse.jetty.jaas.callback.DefaultCallbackHandler");
+        ls.setIdentityService(new DefaultIdentityService());
+        ls.setConfiguration(new TestConfiguration(true));
+        Request request = new Request(null, null);
+        UserIdentity userIdentity = ls.login( "someone", "complicatedpassword", request);
+        assertNotNull( userIdentity );
+        assertTrue( userIdentity.isUserInRole( "developers", null) );
+        assertTrue( userIdentity.isUserInRole( "admin", null) );
+        assertFalse( userIdentity.isUserInRole( "blabla", null) );
+
+        userIdentity = ls.login( "someone", "wrongpassword", request);
+        assertNull( userIdentity );
+
+    }
+
+}
--- a/pom.xml
+++ b/pom.xml
@ -1028,6 +1028,11 @@
        <artifactId>slf4j-api</artifactId>
        <version>${slf4j.version}</version>
      </dependency>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-simple</artifactId>
+        <version>${slf4j.version}</version>
+      </dependency>
      <dependency>
        <groupId>com.github.jnr</groupId>
        <artifactId>jnr-unixsocket</artifactId>