directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r1482887 - in /directory/apacheds/trunk: core-annotations/src/main/java/org/apache/directory/server/core/annotations/ core-annotations/src/main/java/org/apache/directory/server/core/factory/ interceptors/authn/src/main/java/org/apache/direc...
Date Wed, 15 May 2013 15:06:39 GMT
Author: elecharny
Date: Wed May 15 15:06:39 2013
New Revision: 1482887

URL: http://svn.apache.org/r1482887
Log:
Made the delegated authentication working for SSL and TLS (default to NoVerificationTrustManager
atm)

Added:
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
Modified:
    directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
    directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
    directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java

Modified: directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
(original)
+++ directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/annotations/CreateAuthenticator.java
Wed May 15 15:06:39 2013
@@ -57,6 +57,22 @@ public @interface CreateAuthenticator
     int delegatePort() default -1;
 
 
+    /** The base DN from which we will delegate authentication */
+    String delegateBaseDn() default "";
+
+
     /** Tells if we use SSL to connect */
-    boolean delegateSsl() default true;
+    boolean delegateSsl() default false;
+
+
+    /** Tells if we use startTls to connect */
+    boolean delegateTls() default true;
+
+
+    /** The SSL TrustManager FQCN */
+    String delegateSslTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
+
+
+    /** The startTls TrustManager FQCN */
+    String delegateTlsTrustManagerFQCN() default "org.apache.directory.ldap.client.api.NoVerificationTrustManager";
 }

Modified: directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
(original)
+++ directory/apacheds/trunk/core-annotations/src/main/java/org/apache/directory/server/core/factory/DSAnnotationProcessor.java
Wed May 15 15:06:39 2013
@@ -125,6 +125,10 @@ public class DSAnnotationProcessor
                     dauth.setDelegateHost( createAuthenticator.delegateHost() );
                     dauth.setDelegatePort( createAuthenticator.delegatePort() );
                     dauth.setDelegateSsl( createAuthenticator.delegateSsl() );
+                    dauth.setDelegateTls( createAuthenticator.delegateTls() );
+                    dauth.setDelegateBaseDn( createAuthenticator.delegateBaseDn() );
+                    dauth.setDelegateSslTrustManagerFQCN( createAuthenticator.delegateSslTrustManagerFQCN()
);
+                    dauth.setDelegateTlsTrustManagerFQCN( createAuthenticator.delegateTlsTrustManagerFQCN()
);
                 }
 
                 authenticators.add( auth );

Modified: directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java?rev=1482887&r1=1482886&r2=1482887&view=diff
==============================================================================
--- directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
(original)
+++ directory/apacheds/trunk/interceptors/authn/src/main/java/org/apache/directory/server/core/authn/DelegatingAuthenticator.java
Wed May 15 15:06:39 2013
@@ -28,8 +28,9 @@ import org.apache.directory.api.ldap.mod
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.util.Strings;
-import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapConnectionConfig;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
 import org.apache.directory.server.core.api.LdapPrincipal;
 import org.apache.directory.server.core.api.interceptor.context.BindOperationContext;
 import org.apache.directory.server.i18n.I18n;
@@ -55,9 +56,18 @@ public class DelegatingAuthenticator ext
     /** Tells if we use SSL to connect */
     private boolean delegateSsl;
 
+    /** Tells if we use StartTLS to connect */
+    private boolean delegateTls;
+
     /** The base DN which will be the starting point from which we use the delegator authenticator
*/
     private String delegateBaseDn;
 
+    /** The SSL TrustManager FQCN to use */
+    private String delegateSslTrustManagerFQCN;
+
+    /** The startTLS TrustManager FQCN to use */
+    private String delegateTlsTrustManagerFQCN;
+
 
     /**
      * Creates a new instance.
@@ -153,6 +163,60 @@ public class DelegatingAuthenticator ext
 
 
     /**
+     * @return the delegateTls
+     */
+    public boolean isDelegateTls()
+    {
+        return delegateTls;
+    }
+
+
+    /**
+     * @param delegateTls the delegateTls to set
+     */
+    public void setDelegateTls( boolean delegateTls )
+    {
+        this.delegateTls = delegateTls;
+    }
+
+
+    /**
+     * @return the delegateSslTrustManagerFQCN
+     */
+    public String getDelegateSslTrustManagerFQCN()
+    {
+        return delegateSslTrustManagerFQCN;
+    }
+
+
+    /**
+     * @param delegateSslTrustManagerFQCN the delegateSslTrustManagerFQCN to set
+     */
+    public void setDelegateSslTrustManagerFQCN( String delegateSslTrustManagerFQCN )
+    {
+        this.delegateSslTrustManagerFQCN = delegateSslTrustManagerFQCN;
+    }
+
+
+    /**
+     * @return the delegateTlsTrustManagerFQCN
+     */
+    public String getDelegateTlsTrustManagerFQCN()
+    {
+        return delegateTlsTrustManagerFQCN;
+    }
+
+
+    /**
+     * @param delegateTlsTrustManagerFQCN the delegateTlsTrustManagerFQCN to set
+     */
+    public void setDelegateTlsTrustManagerFQCN( String delegateTlsTrustManagerFQCN )
+    {
+        this.delegateTlsTrustManagerFQCN = delegateTlsTrustManagerFQCN;
+    }
+
+
+    /**
      * {@inheritDoc}
      */
     public LdapPrincipal authenticate( BindOperationContext bindContext )
@@ -165,8 +229,44 @@ public class DelegatingAuthenticator ext
             LOG.debug( "Authenticating {}", bindContext.getDn() );
         }
 
+        LdapConnectionConfig connectionConfig;
+        LdapNetworkConnection ldapConnection;
+
         // Create a connection on the remote host
-        LdapConnection ldapConnection = new LdapNetworkConnection( delegateHost, delegatePort,
delegateSsl );
+        if ( delegateTls )
+        {
+            connectionConfig = new LdapConnectionConfig();
+            connectionConfig.setLdapHost( delegateHost );
+            connectionConfig.setLdapPort( delegatePort );
+            connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+            ldapConnection = new LdapNetworkConnection( connectionConfig );
+            ldapConnection.connect();
+            ldapConnection.startTls();
+        }
+        else if ( delegateSsl )
+        {
+            connectionConfig = new LdapConnectionConfig();
+            connectionConfig.setLdapHost( delegateHost );
+            connectionConfig.setUseSsl( true );
+            connectionConfig.setLdapPort( delegatePort );
+            connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+            ldapConnection = new LdapNetworkConnection( connectionConfig );
+            ldapConnection.connect();
+        }
+        else
+        {
+            connectionConfig = new LdapConnectionConfig();
+            connectionConfig.setLdapHost( delegateHost );
+            connectionConfig.setLdapPort( delegatePort );
+            connectionConfig.setTrustManagers( new NoVerificationTrustManager() );
+
+            ldapConnection = new LdapNetworkConnection( delegateHost, delegatePort );
+            ldapConnection.connect();
+        }
+
+        ldapConnection.setTimeOut( 0L );
 
         try
         {
@@ -211,6 +311,10 @@ public class DelegatingAuthenticator ext
             LOG.info( message );
             throw new LdapAuthenticationException( message );
         }
+        finally
+        {
+            ldapConnection.close();
+        }
     }
 
 

Added: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java?rev=1482887&view=auto
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
(added)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverSslIT.java
Wed May 15 15:06:39 2013
@@ -0,0 +1,142 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.server.operations.bind;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.junit.tools.MultiThreadedMultiInvoker;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.CreateAuthenticator;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.authn.DelegatingAuthenticator;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests the Delegated authenticator using SSL
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(
+    allowAnonAccess = true,
+    name = "DelegatedAuthIT-class",
+    authenticators =
+        {
+            @CreateAuthenticator(
+                type = DelegatingAuthenticator.class,
+                delegateHost = "localhost",
+                delegatePort = 10201,
+                delegateSsl = true,
+                delegateTls = false) })
+@ApplyLdifs(
+    {
+        // Entry # 1
+        "dn: uid=emmanuel,ou=users,ou=system",
+        "objectClass: uidObject",
+        "objectClass: person",
+        "objectClass: top",
+        "uid: emmanuel",
+        "cn: Emmanuel Lecharny",
+        "sn: Lecharny",
+        "userPassword: sesame" })
+@CreateLdapServer(
+    transports =
+        {
+            @CreateTransport(protocol = "LDAP", port = 10200)
+    },
+    allowAnonymousAccess = true)
+public class DelegatedAuthOverSslIT extends AbstractLdapTestUnit
+{
+    @Rule
+    public MultiThreadedMultiInvoker i = new MultiThreadedMultiInvoker( MultiThreadedMultiInvoker.NOT_THREADSAFE
);
+
+
+    /**
+     * Test with bindDn which is not even found under any namingContext of the
+     * server.
+     * 
+     * @throws Exception
+     */
+    @CreateDS(
+        allowAnonAccess = true,
+        name = "DelegatedAuthIT-method")
+    @ApplyLdifs(
+        {
+            // Entry # 1
+            "dn: uid=antoine,ou=users,ou=system",
+            "objectClass: uidObject",
+            "objectClass: person",
+            "objectClass: top",
+            "uid: antoine",
+            "cn: Antoine Levy-Lambert",
+            "sn: Levy-Lambert",
+            "userPassword: secret" })
+    @CreateLdapServer(
+        transports =
+            {
+                @CreateTransport(protocol = "LDAPS", port = 10201)
+        },
+        extendedOpHandlers =
+            {
+                StartTlsHandler.class
+        }
+        )
+        @Test
+        public void testDelegatedSSLAuthentication() throws Exception
+    {
+        assertTrue( getService().isStarted() );
+        assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
+        LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", 10200 );
+
+        ldapConnection.setTimeOut( 0L );
+        ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
+
+        assertTrue( ldapConnection.isAuthenticated() );
+
+        ldapConnection.unBind();
+
+        try
+        {
+            ldapConnection.bind( "uid=antoine,ou=users,ou=system", "sesame" );
+            fail();
+        }
+        catch ( LdapAuthenticationException lae )
+        {
+            assertTrue( true );
+        }
+
+        ldapConnection.unBind();
+        ldapConnection.close();
+    }
+}

Added: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java?rev=1482887&view=auto
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
(added)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/DelegatedAuthOverTlsIT.java
Wed May 15 15:06:39 2013
@@ -0,0 +1,142 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.server.operations.bind;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.junit.tools.MultiThreadedMultiInvoker;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.CreateAuthenticator;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.authn.DelegatingAuthenticator;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests the Delegated authenticator using SSL
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(FrameworkRunner.class)
+@CreateDS(
+    allowAnonAccess = true,
+    name = "DelegatedAuthIT-class",
+    authenticators =
+        {
+            @CreateAuthenticator(
+                type = DelegatingAuthenticator.class,
+                delegateHost = "localhost",
+                delegatePort = 10201,
+                delegateSsl = false,
+                delegateTls = true) })
+@ApplyLdifs(
+    {
+        // Entry # 1
+        "dn: uid=emmanuel,ou=users,ou=system",
+        "objectClass: uidObject",
+        "objectClass: person",
+        "objectClass: top",
+        "uid: emmanuel",
+        "cn: Emmanuel Lecharny",
+        "sn: Lecharny",
+        "userPassword: sesame" })
+@CreateLdapServer(
+    transports =
+        {
+            @CreateTransport(protocol = "LDAP", port = 10200)
+    },
+    allowAnonymousAccess = true)
+public class DelegatedAuthOverTlsIT extends AbstractLdapTestUnit
+{
+    @Rule
+    public MultiThreadedMultiInvoker i = new MultiThreadedMultiInvoker( MultiThreadedMultiInvoker.NOT_THREADSAFE
);
+
+
+    /**
+     * Test with bindDn which is not even found under any namingContext of the
+     * server.
+     * 
+     * @throws Exception
+     */
+    @CreateDS(
+        allowAnonAccess = true,
+        name = "DelegatedAuthIT-method")
+    @ApplyLdifs(
+        {
+            // Entry # 1
+            "dn: uid=antoine,ou=users,ou=system",
+            "objectClass: uidObject",
+            "objectClass: person",
+            "objectClass: top",
+            "uid: antoine",
+            "cn: Antoine Levy-Lambert",
+            "sn: Levy-Lambert",
+            "userPassword: secret" })
+    @CreateLdapServer(
+        transports =
+            {
+                @CreateTransport(protocol = "LDAP", port = 10201)
+        },
+        extendedOpHandlers =
+            {
+                StartTlsHandler.class
+        }
+        )
+        @Test
+        public void testDelegatedTlsAuthentication() throws Exception
+    {
+        assertTrue( getService().isStarted() );
+        assertEquals( "DelegatedAuthIT-method", getService().getInstanceId() );
+        LdapConnection ldapConnection = new LdapNetworkConnection( "localhost", 10200 );
+
+        ldapConnection.setTimeOut( 0L );
+        ldapConnection.bind( "uid=antoine,ou=users,ou=system", "secret" );
+
+        assertTrue( ldapConnection.isAuthenticated() );
+
+        ldapConnection.unBind();
+
+        try
+        {
+            ldapConnection.bind( "uid=antoine,ou=users,ou=system", "sesame" );
+            fail();
+        }
+        catch ( LdapAuthenticationException lae )
+        {
+            assertTrue( true );
+        }
+
+        ldapConnection.unBind();
+        ldapConnection.close();
+    }
+}



Mime
View raw message