ldap: Adds configuration for timeouts

This adds configuration for ldap connection timeouts and ldap operation timeouts.  Both default to 5 seconds.

Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/461

Original commit: elastic/x-pack-elasticsearch@3e6ed97d52

src/main/java/org/elasticsearch/shield/authc/active_directory/ActiveDirectoryConnectionFactory.java

@@ -53,6 +53,8 @@ public class ActiveDirectoryConnectionFactory extends ConnectionFactory {
         ImmutableMap.Builder<String, Serializable> builder = ImmutableMap.<String, Serializable>builder()
                 .put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
                 .put(Context.PROVIDER_URL, Strings.arrayToCommaDelimitedString(ldapUrls))
+                .put(JNDI_LDAP_CONNECT_TIMEOUT, Long.toString(settings.getAsTime(TIMEOUT_CONNECTION_SETTING, TIMEOUT_DEFAULT).millis()))
+                .put(JNDI_LDAP_READ_TIMEOUT, Long.toString(settings.getAsTime(TIMEOUT_CONNECTION_SETTING, TIMEOUT_DEFAULT).millis()))
                 .put("java.naming.ldap.attributes.binary", "tokenGroups")
                 .put(Context.REFERRAL, "follow");
 

src/main/java/org/elasticsearch/shield/authc/ldap/LdapConnectionFactory.java

@@ -41,7 +41,8 @@ public class LdapConnectionFactory extends ConnectionFactory {
     protected final boolean groupSubTreeSearch;
     protected final boolean findGroupsByAttribute;
 
-    @Inject
+
+    @Inject()
     public LdapConnectionFactory(Settings settings) {
         super(settings);
         userDnTemplates = settings.getAsArray(USER_DN_TEMPLATES_SETTING);
@@ -56,6 +57,8 @@ public class LdapConnectionFactory extends ConnectionFactory {
         ImmutableMap.Builder<String, Serializable> builder = ImmutableMap.<String, Serializable>builder()
                 .put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
                 .put(Context.PROVIDER_URL, Strings.arrayToCommaDelimitedString(ldapUrls))
+                .put(JNDI_LDAP_READ_TIMEOUT, Long.toString(settings.getAsTime(TIMEOUT_READ_SETTING, TIMEOUT_DEFAULT).millis()))
+                .put(JNDI_LDAP_CONNECT_TIMEOUT, Long.toString(settings.getAsTime(TIMEOUT_CONNECTION_SETTING, TIMEOUT_DEFAULT).millis()))
                 .put(Context.REFERRAL, "follow");
 
         LdapSslSocketFactory.configureJndiSSL(ldapUrls, builder);

src/main/java/org/elasticsearch/shield/authc/support/ldap/ConnectionFactory.java

@@ -8,6 +8,7 @@ package org.elasticsearch.shield.authc.support.ldap;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.shield.authc.support.SecuredString;
 
 /**
@@ -25,6 +26,11 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 public abstract class ConnectionFactory {
 
     public static final String URLS_SETTING = "url";
+    public static final String JNDI_LDAP_READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";
+    public static final String JNDI_LDAP_CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
+    public static final String TIMEOUT_CONNECTION_SETTING = "connect_timeout";
+    public static final String TIMEOUT_READ_SETTING = "read_timeout";
+    public static final TimeValue TIMEOUT_DEFAULT = TimeValue.timeValueSeconds(5);
 
     protected final ESLogger logger = Loggers.getLogger(getClass());
     private final Settings settings;

src/main/java/org/elasticsearch/shield/authc/support/ldap/LdapSslSocketFactory.java

@@ -85,6 +85,11 @@ public class LdapSslSocketFactory extends SocketFactory {
 
     //The following methods are all wrappers around the instance of socketFactory
 
+    @Override
+    public Socket createSocket() throws IOException {
+        return socketFactory.createSocket();
+    }
+
     @Override
     public Socket createSocket(String host, int port) throws IOException {
         return socketFactory.createSocket(host, port);

src/test/java/org/elasticsearch/shield/authc/ldap/LdapConnectionTests.java

@@ -5,8 +5,11 @@
  */
 package org.elasticsearch.shield.authc.ldap;
 
+import org.elasticsearch.common.settings.ImmutableSettings;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
+import org.elasticsearch.shield.authc.support.ldap.ConnectionFactory;
 import org.elasticsearch.shield.authc.support.ldap.LdapTest;
 import org.junit.Test;
 
@@ -17,6 +20,26 @@ import static org.hamcrest.Matchers.containsString;
 
 public class LdapConnectionTests extends LdapTest {
 
+    @Test(expected = LdapException.class, timeout = 2000) //if the LDAP timeout doesn't occur within 2 seconds, fail
+    public void testBindWithTimeout() {
+        String[] ldapUrls = new String[] { "ldap://example.com:1111" };
+        String groupSearchBase = "o=sevenSeas";
+        String[] userTemplates = new String[] {
+                "cn={0},ou=people,o=sevenSeas",
+        };
+        Settings settings = ImmutableSettings.builder()
+                .put(buildLdapSettings(ldapUrls, userTemplates, groupSearchBase, true))
+                .put(ConnectionFactory.TIMEOUT_CONNECTION_SETTING, "1ms") //1 millisecond
+                .build();
+        LdapConnectionFactory connectionFactory = new LdapConnectionFactory(settings);
+        String user = "Horatio Hornblower";
+        SecuredString userPass = SecuredStringTests.build("pass");
+
+        try (LdapConnection ldap = connectionFactory.open(user, userPass)) {
+
+        }
+    }
+
     @Test
     public void testBindWithTemplates() {
         String[] ldapUrls = new String[] { ldapUrl() };
@@ -39,6 +62,7 @@ public class LdapConnectionTests extends LdapTest {
         }
     }
 
+
     @Test(expected = LdapException.class)
     public void testBindWithBogusTemplates() {
         String[] ldapUrl = new String[] { ldapUrl() };
@@ -88,4 +112,23 @@ public class LdapConnectionTests extends LdapTest {
             assertThat(groups, contains("cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas"));
         }
     }
+
+    @Test(expected = LdapException.class, timeout = 2000) //if the LDAP timeout doesn't occur in 2 seconds, fail
+    public void testGroupLookupWithTimeout() {
+        String groupSearchBase = "o=sevenSeas";
+        String userTemplate = "cn={0},ou=people,o=sevenSeas";
+
+        Settings settings = ImmutableSettings.builder()
+                .put(buildLdapSettings(ldapUrl(), userTemplate, groupSearchBase, true))
+                .put(ConnectionFactory.TIMEOUT_READ_SETTING, "1ms") //1 millisecond
+                .build();
+
+        LdapConnectionFactory ldapFac = new LdapConnectionFactory(settings);
+        String user = "Horatio Hornblower";
+        SecuredString userPass = SecuredStringTests.build("pass");
+
+        try (LdapConnection ldap = ldapFac.open(user, userPass)) {
+            List<String> groups = ldap.getGroupsFromSearch(ldap.authenticatedUserDn());
+        }
+    }
 }