| package com.gitblit.tests; |
| |
| import java.io.File; |
| import java.util.Arrays; |
| import java.util.Collection; |
| import java.util.EnumSet; |
| import java.util.HashMap; |
| import java.util.Map; |
| |
| import org.apache.commons.io.FileUtils; |
| import org.junit.AfterClass; |
| import org.junit.Before; |
| import org.junit.BeforeClass; |
| import org.junit.Rule; |
| import org.junit.rules.TemporaryFolder; |
| import org.junit.runners.Parameterized.Parameter; |
| import org.junit.runners.Parameterized.Parameters; |
| |
| import com.gitblit.Keys; |
| import com.gitblit.tests.mock.MemorySettings; |
| import com.unboundid.ldap.listener.InMemoryDirectoryServer; |
| import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; |
| import com.unboundid.ldap.listener.InMemoryDirectoryServerSnapshot; |
| import com.unboundid.ldap.listener.InMemoryListenerConfig; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedRequest; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedResult; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchEntry; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchRequest; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; |
| import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSimpleBindResult; |
| import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; |
| import com.unboundid.ldap.sdk.BindRequest; |
| import com.unboundid.ldap.sdk.BindResult; |
| import com.unboundid.ldap.sdk.LDAPException; |
| import com.unboundid.ldap.sdk.LDAPResult; |
| import com.unboundid.ldap.sdk.OperationType; |
| import com.unboundid.ldap.sdk.ResultCode; |
| import com.unboundid.ldap.sdk.SimpleBindRequest; |
| |
| |
| |
| /** |
| * Base class for Unit (/Integration) tests that test going against an |
| * in-memory UnboundID LDAP server. |
| * |
| * This base class creates separate in-memory LDAP servers for different scenarios: |
| * - ANONYMOUS: anonymous bind to LDAP. |
| * - DS_MANAGER: The DIRECTORY_MANAGER is set as DN to bind as an admin. |
| * Normal users are prohibited to search the DS, they can only bind. |
| * - USR_MANAGER: The USER_MANAGER is set as DN to bind as an admin. |
| * This account can only search users but not groups. Normal users can search groups. |
| * |
| * @author Florian Zschocke |
| * |
| */ |
| public abstract class LdapBasedUnitTest extends GitblitUnitTest { |
| |
| protected static final String RESOURCE_DIR = "src/test/resources/ldap/"; |
| private static final String DIRECTORY_MANAGER = "cn=Directory Manager"; |
| private static final String USER_MANAGER = "cn=UserManager"; |
| protected static final String ACCOUNT_BASE = "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain"; |
| private static final String GROUP_BASE = "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain"; |
| protected static final String DN_USER_ONE = "CN=UserOne,OU=US," + ACCOUNT_BASE; |
| protected static final String DN_USER_TWO = "CN=UserTwo,OU=US," + ACCOUNT_BASE; |
| protected static final String DN_USER_THREE = "CN=UserThree,OU=Canada," + ACCOUNT_BASE; |
| |
| |
| /** |
| * Enumeration of different test modes, representing different use scenarios. |
| * With ANONYMOUS anonymous binds are used to search LDAP. |
| * DS_MANAGER will use a DIRECTORY_MANAGER to search LDAP. Normal users are prohibited to search the DS. |
| * With USR_MANAGER, a USER_MANAGER account is used to search in LDAP. This account can only search users |
| * but not groups. Normal users can search groups, though. |
| * |
| */ |
| protected enum AuthMode { |
| ANONYMOUS, |
| DS_MANAGER, |
| USR_MANAGER; |
| |
| |
| private int ldapPort; |
| private InMemoryDirectoryServer ds; |
| private InMemoryDirectoryServerSnapshot dsSnapshot; |
| private BindTracker bindTracker; |
| |
| void setLdapPort(int port) { |
| this.ldapPort = port; |
| } |
| |
| int ldapPort() { |
| return this.ldapPort; |
| } |
| |
| void setDS(InMemoryDirectoryServer ds) { |
| if (this.ds == null) { |
| this.ds = ds; |
| this.dsSnapshot = ds.createSnapshot(); |
| }; |
| } |
| |
| InMemoryDirectoryServer getDS() { |
| return ds; |
| } |
| |
| void setBindTracker(BindTracker bindTracker) { |
| this.bindTracker = bindTracker; |
| } |
| |
| BindTracker getBindTracker() { |
| return bindTracker; |
| } |
| |
| void restoreSnapshot() { |
| ds.restoreSnapshot(dsSnapshot); |
| } |
| } |
| |
| @Parameter |
| public AuthMode authMode = AuthMode.ANONYMOUS; |
| |
| @Rule |
| public TemporaryFolder folder = new TemporaryFolder(); |
| |
| |
| protected File usersConf; |
| |
| protected MemorySettings settings; |
| |
| |
| /** |
| * Run the tests with each authentication scenario once. |
| */ |
| @Parameters(name = "{0}") |
| public static Collection<Object[]> data() { |
| return Arrays.asList(new Object[][] { {AuthMode.ANONYMOUS}, {AuthMode.DS_MANAGER}, {AuthMode.USR_MANAGER} }); |
| } |
| |
| |
| /** |
| * Create three different in memory DS. |
| * |
| * Each DS has a different configuration: |
| * The first allows anonymous binds. |
| * The second requires authentication for all operations. It will only allow the DIRECTORY_MANAGER account |
| * to search for users and groups. |
| * The third one is like the second, but it allows users to search for users and groups, and restricts the |
| * USER_MANAGER from searching for groups. |
| */ |
| @BeforeClass |
| public static void ldapInit() throws Exception { |
| InMemoryDirectoryServer ds; |
| InMemoryDirectoryServerConfig config = createInMemoryLdapServerConfig(AuthMode.ANONYMOUS); |
| config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("anonymous")); |
| ds = createInMemoryLdapServer(config); |
| AuthMode.ANONYMOUS.setDS(ds); |
| AuthMode.ANONYMOUS.setLdapPort(ds.getListenPort("anonymous")); |
| |
| |
| config = createInMemoryLdapServerConfig(AuthMode.DS_MANAGER); |
| config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("ds_manager")); |
| config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class)); |
| ds = createInMemoryLdapServer(config); |
| AuthMode.DS_MANAGER.setDS(ds); |
| AuthMode.DS_MANAGER.setLdapPort(ds.getListenPort("ds_manager")); |
| |
| |
| config = createInMemoryLdapServerConfig(AuthMode.USR_MANAGER); |
| config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("usr_manager")); |
| config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class)); |
| ds = createInMemoryLdapServer(config); |
| AuthMode.USR_MANAGER.setDS(ds); |
| AuthMode.USR_MANAGER.setLdapPort(ds.getListenPort("usr_manager")); |
| |
| } |
| |
| @AfterClass |
| public static void destroy() throws Exception { |
| for (AuthMode am : AuthMode.values()) { |
| am.getDS().shutDown(true); |
| } |
| } |
| |
| public static InMemoryDirectoryServer createInMemoryLdapServer(InMemoryDirectoryServerConfig config) throws Exception { |
| InMemoryDirectoryServer imds = new InMemoryDirectoryServer(config); |
| imds.importFromLDIF(true, RESOURCE_DIR + "sampledata.ldif"); |
| imds.startListening(); |
| return imds; |
| } |
| |
| public static InMemoryDirectoryServerConfig createInMemoryLdapServerConfig(AuthMode authMode) throws Exception { |
| InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain"); |
| config.addAdditionalBindCredentials(DIRECTORY_MANAGER, "password"); |
| config.addAdditionalBindCredentials(USER_MANAGER, "passwd"); |
| config.setSchema(null); |
| |
| authMode.setBindTracker(new BindTracker()); |
| config.addInMemoryOperationInterceptor(authMode.getBindTracker()); |
| config.addInMemoryOperationInterceptor(new AccessInterceptor(authMode)); |
| |
| return config; |
| } |
| |
| |
| |
| @Before |
| public void setupBase() throws Exception { |
| authMode.restoreSnapshot(); |
| authMode.getBindTracker().reset(); |
| |
| usersConf = folder.newFile("users.conf"); |
| FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf); |
| settings = getSettings(); |
| } |
| |
| |
| protected InMemoryDirectoryServer getDS() { |
| return authMode.getDS(); |
| } |
| |
| |
| |
| protected MemorySettings getSettings() { |
| Map<String, Object> backingMap = new HashMap<String, Object>(); |
| backingMap.put(Keys.realm.userService, usersConf.getAbsolutePath()); |
| backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + authMode.ldapPort()); |
| switch(authMode) { |
| case ANONYMOUS: |
| backingMap.put(Keys.realm.ldap.username, ""); |
| backingMap.put(Keys.realm.ldap.password, ""); |
| break; |
| case DS_MANAGER: |
| backingMap.put(Keys.realm.ldap.username, DIRECTORY_MANAGER); |
| backingMap.put(Keys.realm.ldap.password, "password"); |
| break; |
| case USR_MANAGER: |
| backingMap.put(Keys.realm.ldap.username, USER_MANAGER); |
| backingMap.put(Keys.realm.ldap.password, "passwd"); |
| break; |
| default: |
| throw new RuntimeException("Unimplemented AuthMode case!"); |
| |
| } |
| backingMap.put(Keys.realm.ldap.maintainTeams, "true"); |
| backingMap.put(Keys.realm.ldap.accountBase, ACCOUNT_BASE); |
| backingMap.put(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); |
| backingMap.put(Keys.realm.ldap.groupBase, GROUP_BASE); |
| backingMap.put(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))"); |
| backingMap.put(Keys.realm.ldap.admins, "UserThree @Git_Admins \"@Git Admins\""); |
| backingMap.put(Keys.realm.ldap.displayName, "displayName"); |
| backingMap.put(Keys.realm.ldap.email, "email"); |
| backingMap.put(Keys.realm.ldap.uid, "sAMAccountName"); |
| |
| MemorySettings ms = new MemorySettings(backingMap); |
| return ms; |
| } |
| |
| |
| |
| |
| /** |
| * Operation interceptor for the in memory DS. This interceptor |
| * tracks bind requests. |
| * |
| */ |
| protected static class BindTracker extends InMemoryOperationInterceptor { |
| private Map<Integer,String> lastSuccessfulBindDNs = new HashMap<>(); |
| private String lastSuccessfulBindDN; |
| |
| |
| @Override |
| public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult bind) { |
| BindResult result = bind.getResult(); |
| if (result.getResultCode() == ResultCode.SUCCESS) { |
| BindRequest bindRequest = bind.getRequest(); |
| lastSuccessfulBindDNs.put(bind.getMessageID(), ((SimpleBindRequest)bindRequest).getBindDN()); |
| lastSuccessfulBindDN = ((SimpleBindRequest)bindRequest).getBindDN(); |
| } |
| } |
| |
| String getLastSuccessfulBindDN() { |
| return lastSuccessfulBindDN; |
| } |
| |
| String getLastSuccessfulBindDN(int messageID) { |
| return lastSuccessfulBindDNs.get(messageID); |
| } |
| |
| void reset() { |
| lastSuccessfulBindDNs = new HashMap<>(); |
| lastSuccessfulBindDN = null; |
| } |
| } |
| |
| |
| |
| /** |
| * Operation interceptor for the in memory DS. This interceptor |
| * implements access restrictions for certain user/DN combinations. |
| * |
| * The USER_MANAGER is only allowed to search for users, but not for groups. |
| * This is to test the original behaviour where the teams were searched under |
| * the user binding. |
| * When running in a DIRECTORY_MANAGER scenario, only the manager account |
| * is allowed to search for users and groups, while a normal user may not do so. |
| * This tests the scenario where a normal user cannot read teams and thus the |
| * manager account needs to be used for all searches. |
| * |
| */ |
| protected static class AccessInterceptor extends InMemoryOperationInterceptor { |
| AuthMode authMode; |
| Map<Long,String> lastSuccessfulBindDN = new HashMap<>(); |
| Map<Long,Boolean> resultProhibited = new HashMap<>(); |
| |
| public AccessInterceptor(AuthMode authMode) { |
| this.authMode = authMode; |
| } |
| |
| |
| @Override |
| public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult bind) { |
| BindResult result = bind.getResult(); |
| if (result.getResultCode() == ResultCode.SUCCESS) { |
| BindRequest bindRequest = bind.getRequest(); |
| lastSuccessfulBindDN.put(bind.getConnectionID(), ((SimpleBindRequest)bindRequest).getBindDN()); |
| resultProhibited.remove(bind.getConnectionID()); |
| } |
| } |
| |
| |
| |
| @Override |
| public void processSearchRequest(InMemoryInterceptedSearchRequest request) throws LDAPException { |
| String bindDN = getLastBindDN(request); |
| |
| if (USER_MANAGER.equals(bindDN)) { |
| if (request.getRequest().getBaseDN().endsWith(GROUP_BASE)) { |
| throw new LDAPException(ResultCode.NO_SUCH_OBJECT); |
| } |
| } |
| else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) { |
| throw new LDAPException(ResultCode.NO_SUCH_OBJECT); |
| } |
| } |
| |
| |
| @Override |
| public void processSearchEntry(InMemoryInterceptedSearchEntry entry) { |
| String bindDN = getLastBindDN(entry); |
| |
| boolean prohibited = false; |
| |
| if (USER_MANAGER.equals(bindDN)) { |
| if (entry.getSearchEntry().getDN().endsWith(GROUP_BASE)) { |
| prohibited = true; |
| } |
| } |
| else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) { |
| prohibited = true; |
| } |
| |
| if (prohibited) { |
| // Found entry prohibited for bound user. Setting entry to null. |
| entry.setSearchEntry(null); |
| resultProhibited.put(entry.getConnectionID(), Boolean.TRUE); |
| } |
| } |
| |
| @Override |
| public void processSearchResult(InMemoryInterceptedSearchResult result) { |
| String bindDN = getLastBindDN(result); |
| |
| boolean prohibited = false; |
| |
| Boolean rspb = resultProhibited.get(result.getConnectionID()); |
| if (USER_MANAGER.equals(bindDN)) { |
| if (rspb != null && rspb) { |
| prohibited = true; |
| } |
| } |
| else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) { |
| if (rspb != null && rspb) { |
| prohibited = true; |
| } |
| } |
| |
| if (prohibited) { |
| // Result prohibited for bound user. Returning error |
| result.setResult(new LDAPResult(result.getMessageID(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS)); |
| resultProhibited.remove(result.getConnectionID()); |
| } |
| } |
| |
| private String getLastBindDN(InMemoryInterceptedResult result) { |
| String bindDN = lastSuccessfulBindDN.get(result.getConnectionID()); |
| if (bindDN == null) { |
| return "UNKNOWN"; |
| } |
| return bindDN; |
| } |
| private String getLastBindDN(InMemoryInterceptedRequest request) { |
| String bindDN = lastSuccessfulBindDN.get(request.getConnectionID()); |
| if (bindDN == null) { |
| return "UNKNOWN"; |
| } |
| return bindDN; |
| } |
| } |
| |
| } |
