From 2538abc3b177ba8182806dbb43e6e70153c90fdc Mon Sep 17 00:00:00 2001
From: Jacek Poreda <jacek.poreda@sonarsource.com>
Date: Thu, 9 Nov 2023 14:40:33 +0100
Subject: [PATCH] [NO-JIRA] Update apache ds 2.0.0.AM26 -> 2.0.0.AM27

---
 .../java/org/sonar/auth/ldap/KerberosIT.java  | 11 +++
 .../sonar-auth-ldap/src/it/resources/krb.ldif | 12 ++++
 sonar-testing-ldap/build.gradle               |  5 +-
 .../main/java/org/sonar/ldap/ApacheDS.java    | 71 +++++++++++--------
 4 files changed, 68 insertions(+), 31 deletions(-)

diff --git a/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java b/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java
index 0f933d5e148..9bec8b423b9 100644
--- a/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java
+++ b/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java
@@ -33,6 +33,17 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.sonar.process.ProcessProperties.Property.SONAR_SECURITY_REALM;
 
+/**
+ * Kerby's implementation of Kerberos requires to set following attributes:
+ *
+ * krb5AccountExpirationTime: 20300101000000Z
+ * krb5AccountDisabled: FALSE
+ * krb5KDCFlags: 126
+ * krb5AccountLockedOut: FALSE
+ *
+ * In case failure of expiration time is reported updated following attribute:
+ * krb5AccountExpirationTime: 20300101000000Z
+ */
 public class KerberosIT {
 
   static {
diff --git a/server/sonar-auth-ldap/src/it/resources/krb.ldif b/server/sonar-auth-ldap/src/it/resources/krb.ldif
index 6c8235dc91e..a611603e788 100644
--- a/server/sonar-auth-ldap/src/it/resources/krb.ldif
+++ b/server/sonar-auth-ldap/src/it/resources/krb.ldif
@@ -20,6 +20,10 @@ uid: krbtgt
 userPassword: secret
 krb5PrincipalName: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
 krb5KeyVersionNumber: 0
+krb5AccountExpirationTime: 20300101000000Z
+krb5AccountDisabled: FALSE
+krb5KDCFlags: 126
+krb5AccountLockedOut: FALSE
 
 dn: cn=SonarQube,ou=Users,dc=example,dc=org
 objectClass: top
@@ -31,6 +35,10 @@ cn: SonarQube
 userPassword: bind_password
 krb5PrincipalName: SonarQube@EXAMPLE.ORG
 krb5KeyVersionNumber: 0
+krb5AccountExpirationTime: 20300101000000Z
+krb5AccountDisabled: FALSE
+krb5KDCFlags: 126
+krb5AccountLockedOut: FALSE
 
 dn: uid=godin,ou=Users,dc=example,dc=org
 objectClass: top
@@ -44,6 +52,10 @@ uid: godin
 userPassword: user_password
 krb5PrincipalName: Godin@EXAMPLE.ORG
 krb5KeyVersionNumber: 0
+krb5AccountExpirationTime: 20300101000000Z
+krb5AccountDisabled: FALSE
+krb5KDCFlags: 126
+krb5AccountLockedOut: FALSE
 
 dn: ou=Groups,dc=example,dc=org
 objectclass:organizationalunit
diff --git a/sonar-testing-ldap/build.gradle b/sonar-testing-ldap/build.gradle
index 7cbb18d3fad..1900ce7ef7b 100644
--- a/sonar-testing-ldap/build.gradle
+++ b/sonar-testing-ldap/build.gradle
@@ -6,10 +6,13 @@ sonar {
 
 dependencies {
     api 'org.apache.mina:mina-core:2.2.3'
-    implementation ('org.apache.directory.server:apacheds-server-integ:2.0.0.AM26') {
+    implementation ('org.apache.directory.server:apacheds-server-integ:2.0.0.AM27') {
         exclude group: 'log4j', module: 'log4j'
     }
 
+    implementation 'org.apache.kerby:kerb-simplekdc:2.0.3'
+    implementation 'org.apache.kerby:ldap-backend:2.0.3'
+
     testImplementation 'junit:junit'
     testImplementation 'org.assertj:assertj-core'
     testImplementation 'org.hamcrest:hamcrest-core'
diff --git a/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java b/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java
index 14911fa09ca..9aa94d31483 100644
--- a/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java
+++ b/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java
@@ -30,7 +30,6 @@ import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.ldap.model.entry.DefaultEntry;
 import org.apache.directory.api.ldap.model.entry.DefaultModification;
 import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapOperationException;
 import org.apache.directory.api.ldap.model.ldif.ChangeType;
 import org.apache.directory.api.ldap.model.ldif.LdifEntry;
 import org.apache.directory.api.ldap.model.ldif.LdifReader;
@@ -42,8 +41,6 @@ import org.apache.directory.server.core.api.InstanceLayout;
 import org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory;
 import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
 import org.apache.directory.server.core.partition.impl.avl.AvlPartition;
-import org.apache.directory.server.kerberos.KerberosConfig;
-import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.ldap.handlers.sasl.MechanismHandler;
 import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
@@ -51,18 +48,22 @@ import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5Mechani
 import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
 import org.apache.directory.server.ldap.handlers.sasl.plain.PlainMechanismHandler;
 import org.apache.directory.server.protocol.shared.transport.TcpTransport;
-import org.apache.directory.server.protocol.shared.transport.UdpTransport;
 import org.apache.directory.server.xdbm.impl.avl.AvlIndex;
+import org.apache.kerby.kerberos.kerb.KrbException;
+import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
+import org.apache.kerby.kerberos.kerb.identity.backend.BackendConfig;
+import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
+import org.apache.kerby.kerberos.kerb.server.KdcServer;
 import org.apache.mina.util.AvailablePortFinder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public final class ApacheDS {
-
   private static final Logger LOG = LoggerFactory.getLogger(ApacheDS.class);
-
+  private static final String HOSTNAME_LOCALHOST = "localhost";
   private final String realm;
   private final String baseDn;
+  private int ldapPort;
 
   private DirectoryService directoryService;
   private LdapServer ldapServer;
@@ -77,8 +78,8 @@ public final class ApacheDS {
   public static ApacheDS start(String realm, String baseDn, String workDir, Integer port) throws Exception {
     return new ApacheDS(realm, baseDn)
       .startDirectoryService(workDir)
-      .startKdcServer()
       .startLdapServer(port == null ? AvailablePortFinder.getNextAvailable(1024) : port)
+      .startKdcServer()
       .activateNis();
   }
 
@@ -173,6 +174,7 @@ public final class ApacheDS {
   }
 
   private ApacheDS startLdapServer(int port) throws Exception {
+    this.ldapPort = port;
     ldapServer.setTransports(new TcpTransport(port));
     ldapServer.setDirectoryService(directoryService);
 
@@ -195,34 +197,43 @@ public final class ApacheDS {
     return this;
   }
 
-  private ApacheDS startKdcServer() throws IOException, LdapOperationException {
+
+  private ApacheDS startKdcServer() throws IOException, KrbException {
     int port = AvailablePortFinder.getNextAvailable(6088);
 
-    KerberosConfig kdcConfig = new KerberosConfig();
-    kdcConfig.setServicePrincipal("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG");
-    kdcConfig.setPrimaryRealm("EXAMPLE.ORG");
-    kdcConfig.setPaEncTimestampRequired(false);
+    File krbConf = new File("target/krb5.conf");
+    FileUtils.writeStringToFile(krbConf, ""
+        + "[libdefaults]\n"
+        + "    default_realm = EXAMPLE.ORG\n"
+        + "\n"
+        + "[realms]\n"
+        + "    EXAMPLE.ORG = {\n"
+        + "        kdc = localhost:" + port + "\n"
+        + "    }\n"
+        + "\n"
+        + "[domain_realm]\n"
+        + "    .example.org = EXAMPLE.ORG\n"
+        + "    example.org = EXAMPLE.ORG\n",
+      StandardCharsets.UTF_8.name());
 
-    kdcServer = new KdcServer(kdcConfig);
-    kdcServer.setSearchBaseDn("dc=example,dc=org");
-    kdcServer.addTransports(new UdpTransport("localhost", port));
-    kdcServer.setDirectoryService(directoryService);
-    kdcServer.start();
+    kdcServer = new KdcServer(krbConf);
+    kdcServer.setKdcRealm("EXAMPLE.ORG");
+    kdcServer.getKdcConfig().setBoolean(KrbConfigKey.PA_ENC_TIMESTAMP_REQUIRED, false);
 
-    FileUtils.writeStringToFile(new File("target/krb5.conf"), ""
-      + "[libdefaults]\n"
-      + "    default_realm = EXAMPLE.ORG\n"
-      + "\n"
-      + "[realms]\n"
-      + "    EXAMPLE.ORG = {\n"
-      + "        kdc = localhost:" + port + "\n"
-      + "    }\n"
-      + "\n"
-      + "[domain_realm]\n"
-      + "    .example.org = EXAMPLE.ORG\n"
-      + "    example.org = EXAMPLE.ORG\n",
-      StandardCharsets.UTF_8.name());
+    BackendConfig backendConfig = kdcServer.getBackendConfig();
+    backendConfig.setString("host", HOSTNAME_LOCALHOST);
+    backendConfig.setString("base_dn", baseDn);
+    backendConfig.setInt("port", this.ldapPort);
+    backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND,
+      "org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend");
 
+    kdcServer.setAllowUdp(true);
+    kdcServer.setAllowTcp(false);
+    kdcServer.setKdcUdpPort(port);
+    kdcServer.setKdcHost(HOSTNAME_LOCALHOST);
+
+    kdcServer.init();
+    kdcServer.start();
     return this;
   }
 
-- 
2.39.5