directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r669254 - /directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
Date Wed, 18 Jun 2008 18:58:06 GMT
Author: akarasulu
Date: Wed Jun 18 11:58:06 2008
New Revision: 669254

URL: http://svn.apache.org/viewvc?rev=669254&view=rev
Log:
Adding tests for confidentiality required feature for LdapServer which should be implemented
differently later on for the 1.5.4 release with new protocol-ldap module: see DIRSERVER-1189

Added:
    directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
  (with props)

Added: directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java?rev=669254&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
(added)
+++ directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
Wed Jun 18 11:58:06 2008
@@ -0,0 +1,276 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.ssl;
+
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.util.HashSet;
+import java.util.Hashtable;
+import java.util.Set;
+
+import javax.naming.AuthenticationNotSupportedException;
+import javax.naming.Context;
+import javax.naming.NameNotFoundException;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.ModificationItem;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.StartTlsRequest;
+import javax.naming.ldap.StartTlsResponse;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+
+import org.apache.directory.server.unit.AbstractServerTest;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * Test case to verify proper operation of confidentiality requirements as 
+ * specified in https://issues.apache.org/jira/browse/DIRSERVER-1189.  
+ * 
+ * Starts up the server binds via SUN JNDI provider to perform various 
+ * operations on entries which should be rejected when a TLS secured 
+ * connection is not established.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev: 639006 $
+ */
+public class ConfidentialityRequiredITest extends AbstractServerTest 
+{
+    private static final Logger LOG = LoggerFactory.getLogger( ConfidentialityRequiredITest.class
);
+    private File ksFile;
+    
+    
+    /**
+     * Sets up the key store and installs the self signed certificate for the 
+     * server (created on first startup) which is to be used by the StartTLS 
+     * JDNDI client that will connect.  The key store is created from scratch
+     * programmatically and whipped on each run.  The certificate is acquired 
+     * by pulling down the bytes for administrator's userCertificate from 
+     * uid=admin,ou=system.  We use sysRoot direct context instead of one over
+     * the wire since the server is configured to prevent connections without
+     * TLS secured connections.
+     */
+    public void setUp() throws Exception
+    {
+    	super.setUp();
+    	
+    	if ( ksFile != null && ksFile.exists() )
+    	{
+    		ksFile.delete();
+    	}
+    	
+    	ksFile = File.createTempFile( "testStore", "ks" );
+
+        Attributes adminEntry = sysRoot.getAttributes( "uid=admin" );
+    	Attribute userCertificateAttr = adminEntry.get( "userCertificate" );
+    	
+    	assertNotNull( userCertificateAttr );
+    	byte[] userCertificate = ( byte[] ) userCertificateAttr.get();
+    	assertNotNull( userCertificate );
+    	ByteArrayInputStream in = new ByteArrayInputStream( userCertificate );
+    	
+    	CertificateFactory factory = CertificateFactory.getInstance( "X.509" );
+    	Certificate cert = factory.generateCertificate( in );
+    	KeyStore ks = KeyStore.getInstance( KeyStore.getDefaultType() );
+    	ks.load( null, null );
+    	ks.setCertificateEntry( "apacheds", cert );
+    	ks.store( new FileOutputStream( ksFile ), "changeit".toCharArray() );
+    	LOG.debug( "Keystore file installed: {}", ksFile.getAbsolutePath() );
+    }
+    
+    
+    /**
+     * Just deletes the generated key store file.
+     */
+    public void tearDown() throws Exception
+    {
+    	if ( ksFile != null && ksFile.exists() )
+    	{
+    		ksFile.delete();
+    	}
+    	
+    	LOG.debug( "Keystore file deleted: {}", ksFile.getAbsolutePath() );
+    	super.tearDown();
+    }
+    
+
+    /**
+     * Setup confidentiality to be required.
+     */
+    protected void configureLdapServer()
+    {
+    	super.configureLdapServer();
+    	ldapServer.setConfidentialityRequired( true );
+    }
+
+    
+    private LdapContext getSecuredContext() throws Exception
+    {
+    	System.setProperty ( "javax.net.ssl.trustStore", ksFile.getAbsolutePath() );
+    	System.setProperty ( "javax.net.ssl.keyStore", ksFile.getAbsolutePath() );
+    	System.setProperty ( "javax.net.ssl.keyStorePassword", "changeit" );
+    	LOG.debug( "testStartTls() test starting ... " );
+    	
+    	// Set up environment for creating initial context
+    	Hashtable<String, Object> env = new Hashtable<String,Object>();
+        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
+        
+        // Must use the name of the server that is found in its certificate?
+        env.put( Context.PROVIDER_URL, "ldap://localhost:" + port );
+
+        // Create initial context
+        LOG.debug( "About to get initial context" );
+        LdapContext ctx = new InitialLdapContext( env, null );
+
+        // Start TLS
+        LOG.debug( "About send startTls extended operation" );
+        StartTlsResponse tls = ( StartTlsResponse ) ctx.extendedOperation( new StartTlsRequest()
);
+        LOG.debug( "Extended operation issued" );
+        tls.setHostnameVerifier( new HostnameVerifier() {
+            public boolean verify( String hostname, SSLSession session )
+            {
+                return true;
+            } 
+        } );
+        LOG.debug( "TLS negotion about to begin" );
+        tls.negotiate();
+        return ctx;
+    }
+    
+
+    /**
+     * Checks to make sure insecure binds fail while secure binds succeed.
+     */
+    public void testConfidentiality() throws Exception
+    {
+    	// -------------------------------------------------------------------
+    	// Unsecured bind should fail
+    	// -------------------------------------------------------------------
+
+    	try
+    	{
+    		getWiredContext();
+    		fail( "Should not get here due to violation of confidentiality requirements" );
+    	}
+    	catch( AuthenticationNotSupportedException e )
+    	{
+    	}
+    	
+    	// -------------------------------------------------------------------
+    	// get anonymous connection with StartTLS (no bind request sent)
+    	// -------------------------------------------------------------------
+
+    	LdapContext ctx = getSecuredContext();
+    	assertNotNull( ctx );
+    	
+    	// -------------------------------------------------------------------
+    	// upgrade connection via bind request (same physical connection - TLS)
+    	// -------------------------------------------------------------------
+
+    	ctx.addToEnvironment( Context.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
+    	ctx.addToEnvironment( Context.SECURITY_CREDENTIALS, "secret" );
+    	ctx.addToEnvironment( Context.SECURITY_AUTHENTICATION, "simple" );
+    	ctx.reconnect( null );
+    	
+    	// -------------------------------------------------------------------
+    	// do a search and confirm
+    	// -------------------------------------------------------------------
+
+    	NamingEnumeration<SearchResult> results = ctx.search( "ou=system", "(objectClass=*)",
new SearchControls() );
+    	Set<String> names = new HashSet<String>();
+    	while( results.hasMore() )
+    	{
+    		names.add( results.next().getName() );
+    	}
+    	results.close();
+    	assertTrue( names.contains( "prefNodeName=sysPrefRoot" ) );
+    	assertTrue( names.contains( "ou=users" ) );
+    	assertTrue( names.contains( "ou=configuration" ) );
+    	assertTrue( names.contains( "uid=admin" ) );
+    	assertTrue( names.contains( "ou=groups" ) );
+    	
+    	// -------------------------------------------------------------------
+    	// do add and confirm
+    	// -------------------------------------------------------------------
+
+    	AttributesImpl attrs = new AttributesImpl( "objectClass", "person", true );
+    	attrs.put( "sn", "foo" );
+    	attrs.put( "cn", "foo bar" );
+    	ctx.createSubcontext( "cn=foo bar,ou=system", attrs );
+    	assertNotNull( ctx.lookup( "cn=foo bar,ou=system" ) );
+    	
+    	// -------------------------------------------------------------------
+    	// do modify and confirm
+    	// -------------------------------------------------------------------
+
+    	ModificationItem[] mods = new ModificationItem[] {
+    			new ModificationItem( DirContext.ADD_ATTRIBUTE, new AttributeImpl( "cn", "fbar" )
)
+    	};
+    	ctx.modifyAttributes( "cn=foo bar,ou=system", mods );
+    	Attributes reread = ( Attributes ) ctx.getAttributes( "cn=foo bar,ou=system" );
+    	assertTrue( reread.get( "cn" ).contains( "fbar" ) );
+    	
+    	// -------------------------------------------------------------------
+    	// do rename and confirm 
+    	// -------------------------------------------------------------------
+
+    	ctx.rename( "cn=foo bar,ou=system", "cn=fbar,ou=system" );
+    	try
+    	{
+    		ctx.getAttributes( "cn=foo bar,ou=system" );
+    		fail( "old name of renamed entry should not be found" );
+    	}
+    	catch ( NameNotFoundException e )
+    	{
+    	}
+    	reread = ( Attributes ) ctx.getAttributes( "cn=fbar,ou=system" );
+    	assertTrue( reread.get( "cn" ).contains( "fbar" ) );
+    	
+    	// -------------------------------------------------------------------
+    	// do delete and confirm
+    	// -------------------------------------------------------------------
+
+    	ctx.destroySubcontext( "cn=fbar,ou=system" );
+    	try
+    	{
+    		ctx.getAttributes( "cn=fbar,ou=system" );
+    		fail( "deleted entry should not be found" );
+    	}
+    	catch ( NameNotFoundException e )
+    	{
+    	}
+    	
+    	ctx.close();
+    }
+}

Propchange: directory/apacheds/branches/bigbang/server-unit/src/test/java/org/apache/directory/server/ssl/ConfidentialityRequiredITest.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message