diff --git a/src/main/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolver.java b/src/main/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolver.java index 5692f103dbb..ade9fee8ab0 100644 --- a/src/main/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolver.java +++ b/src/main/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolver.java @@ -9,6 +9,7 @@ import org.elasticsearch.common.Strings; import org.elasticsearch.common.logging.ESLogger; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; +import org.elasticsearch.shield.ShieldSettingsException; import org.elasticsearch.shield.authc.support.ldap.AbstractLdapConnection; import org.elasticsearch.shield.authc.support.ldap.ClosableNamingEnumeration; import org.elasticsearch.shield.authc.support.ldap.SearchScope; @@ -34,6 +35,9 @@ class SearchGroupsResolver implements AbstractLdapConnection.GroupsResolver { public SearchGroupsResolver(Settings settings) { baseDn = settings.get("base_dn"); + if (baseDn == null) { + throw new ShieldSettingsException("base_dn must be specified"); + } filter = settings.get("filter", GROUP_SEARCH_DEFAULT_FILTER); userAttribute = filter == null ? null : settings.get("user_attribute"); scope = SearchScope.resolve(settings.get("scope"), SearchScope.SUB_TREE); diff --git a/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTest.java b/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java similarity index 81% rename from src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTest.java rename to src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java index 9c40c496117..6e431795f16 100644 --- a/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTest.java +++ b/src/test/java/org/elasticsearch/shield/authc/ldap/SearchGroupsResolverTests.java @@ -8,6 +8,7 @@ package org.elasticsearch.shield.authc.ldap; import org.elasticsearch.common.settings.ImmutableSettings; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.unit.TimeValue; +import org.elasticsearch.shield.ShieldSettingsException; import org.elasticsearch.shield.authc.support.ldap.AbstractLdapSslSocketFactory; import org.elasticsearch.shield.authc.support.ldap.ConnectionFactory; import org.elasticsearch.shield.authc.support.ldap.LdapSslSocketFactory; @@ -31,7 +32,7 @@ import java.util.List; import static org.hamcrest.Matchers.*; @Network -public class SearchGroupsResolverTest extends ElasticsearchTestCase { +public class SearchGroupsResolverTests extends ElasticsearchTestCase { public static final String BRUCE_BANNER_DN = "uid=hulk,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com"; private InitialDirContext ldapContext; @@ -39,7 +40,7 @@ public class SearchGroupsResolverTest extends ElasticsearchTestCase { @Before public void setup() throws Exception { super.setUp(); - Path keystore = Paths.get(SearchGroupsResolverTest.class.getResource("../support/ldap/ldaptrust.jks").toURI()).toAbsolutePath(); + Path keystore = Paths.get(SearchGroupsResolverTests.class.getResource("../support/ldap/ldaptrust.jks").toURI()).toAbsolutePath(); /* * Prior to each test we reinitialize the socket factory with a new SSLService so that we get a new SSLContext. @@ -127,22 +128,44 @@ public class SearchGroupsResolverTest extends ElasticsearchTestCase { assertThat(groups, hasItem(containsString("Geniuses"))); } + @Test + public void testSearchWithoutSpecifyingBaseDN() throws Exception { + Settings settings = ImmutableSettings.builder() + .put("scope", SearchScope.SUB_TREE) + .build(); + + try { + new SearchGroupsResolver(settings); + } catch (ShieldSettingsException e) { + assertThat(e.getMessage(), containsString("base_dn must be specified")); + } + } + @Test public void testReadUserAttribute() throws Exception { { - Settings settings = ImmutableSettings.builder().put("user_attribute", "uid").build(); + Settings settings = ImmutableSettings.builder() + .put("base_dn", "dc=oldap,dc=test,dc=elasticsearch,dc=com") + .put("user_attribute", "uid") + .build(); SearchGroupsResolver resolver = new SearchGroupsResolver(settings); assertThat(resolver.readUserAttribute(ldapContext, BRUCE_BANNER_DN), is("hulk")); } { - Settings settings = ImmutableSettings.builder().put("user_attribute", "cn").build(); + Settings settings = ImmutableSettings.builder() + .put("base_dn", "dc=oldap,dc=test,dc=elasticsearch,dc=com") + .put("user_attribute", "cn") + .build(); SearchGroupsResolver resolver = new SearchGroupsResolver(settings); assertThat(resolver.readUserAttribute(ldapContext, BRUCE_BANNER_DN), is("Bruce Banner")); } try { - Settings settings = ImmutableSettings.builder().put("user_attribute", "doesntExists").build(); + Settings settings = ImmutableSettings.builder() + .put("base_dn", "dc=oldap,dc=test,dc=elasticsearch,dc=com") + .put("user_attribute", "doesntExists") + .build(); SearchGroupsResolver resolver = new SearchGroupsResolver(settings); resolver.readUserAttribute(ldapContext, BRUCE_BANNER_DN); fail("searching for a non-existing attribute should throw an LdapException"); @@ -151,7 +174,10 @@ public class SearchGroupsResolverTest extends ElasticsearchTestCase { } try { - Settings settings = ImmutableSettings.builder().put("user_attribute", "userPassword").build(); + Settings settings = ImmutableSettings.builder() + .put("base_dn", "dc=oldap,dc=test,dc=elasticsearch,dc=com") + .put("user_attribute", "userPassword") + .build(); SearchGroupsResolver resolver = new SearchGroupsResolver(settings); resolver.readUserAttribute(ldapContext, BRUCE_BANNER_DN); fail("searching for a binary attribute should throw an LdapException");