From 2538abc3b177ba8182806dbb43e6e70153c90fdc Mon Sep 17 00:00:00 2001 From: Jacek Poreda Date: Thu, 9 Nov 2023 14:40:33 +0100 Subject: [PATCH] [NO-JIRA] Update apache ds 2.0.0.AM26 -> 2.0.0.AM27 --- .../java/org/sonar/auth/ldap/KerberosIT.java | 11 +++ .../sonar-auth-ldap/src/it/resources/krb.ldif | 12 ++++ sonar-testing-ldap/build.gradle | 5 +- .../main/java/org/sonar/ldap/ApacheDS.java | 71 +++++++++++-------- 4 files changed, 68 insertions(+), 31 deletions(-) diff --git a/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java b/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java index 0f933d5e148..9bec8b423b9 100644 --- a/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java +++ b/server/sonar-auth-ldap/src/it/java/org/sonar/auth/ldap/KerberosIT.java @@ -33,6 +33,17 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.sonar.process.ProcessProperties.Property.SONAR_SECURITY_REALM; +/** + * Kerby's implementation of Kerberos requires to set following attributes: + * + * krb5AccountExpirationTime: 20300101000000Z + * krb5AccountDisabled: FALSE + * krb5KDCFlags: 126 + * krb5AccountLockedOut: FALSE + * + * In case failure of expiration time is reported updated following attribute: + * krb5AccountExpirationTime: 20300101000000Z + */ public class KerberosIT { static { diff --git a/server/sonar-auth-ldap/src/it/resources/krb.ldif b/server/sonar-auth-ldap/src/it/resources/krb.ldif index 6c8235dc91e..a611603e788 100644 --- a/server/sonar-auth-ldap/src/it/resources/krb.ldif +++ b/server/sonar-auth-ldap/src/it/resources/krb.ldif @@ -20,6 +20,10 @@ uid: krbtgt userPassword: secret krb5PrincipalName: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG krb5KeyVersionNumber: 0 +krb5AccountExpirationTime: 20300101000000Z +krb5AccountDisabled: FALSE +krb5KDCFlags: 126 +krb5AccountLockedOut: FALSE dn: cn=SonarQube,ou=Users,dc=example,dc=org objectClass: top 
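Review bot: The last sentence of the added Javadoc, `In case failure of expiration time is reported updated following attribute`, does not parse and merely repeats the first attribute; it should say what the reader must do, e.g. `If the KDC rejects a principal as expired, move krb5AccountExpirationTime forward`. The comment also describes the fixture entries in krb.ldif rather than anything in `KerberosIT` itself, so the same explanation belongs as `#` comments next to those entries, where the next person editing the fixture will see it. Since the expiry is pinned to 2030-01-01, the comment should state that date and its consequence plainly, e.g. `The test principals expire on 2030-01-01; the IT will fail from then until the attribute is bumped`.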
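Review bot: The four `krb5*` attributes are pasted verbatim into three principals (this hunk and the two following hunks at `cn=SonarQube` and `uid=godin`) with no explanation, and `krb5KDCFlags: 126` is a bare bitmask whose meaning cannot be recovered from the file. A `#` comment above the first occurrence, such as `# Required by the Kerby KDC backend: expiry, enabled/locked flags and the KDC flag bits the KDC needs to issue tickets for this principal`, would spare the next reader a trip to the schema; presumably the value follows the Heimdal-style HDB flag bits, but confirm that against the schema before wording the comment. The fixed `krb5AccountExpirationTime: 20300101000000Z` will start failing the Kerberos IT on 2030-01-01 with no hint in the fixture; `# Account expiry: bump before 2030-01-01` makes that failure mode discoverable.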
@@ -31,6 +35,10 @@ cn: SonarQube userPassword: bind_password krb5PrincipalName: SonarQube@EXAMPLE.ORG krb5KeyVersionNumber: 0 +krb5AccountExpirationTime: 20300101000000Z +krb5AccountDisabled: FALSE +krb5KDCFlags: 126 +krb5AccountLockedOut: FALSE dn: uid=godin,ou=Users,dc=example,dc=org objectClass: top @@ -44,6 +52,10 @@ uid: godin userPassword: user_password krb5PrincipalName: Godin@EXAMPLE.ORG krb5KeyVersionNumber: 0 +krb5AccountExpirationTime: 20300101000000Z +krb5AccountDisabled: FALSE +krb5KDCFlags: 126 +krb5AccountLockedOut: FALSE dn: ou=Groups,dc=example,dc=org objectclass:organizationalunit diff --git a/sonar-testing-ldap/build.gradle b/sonar-testing-ldap/build.gradle index 7cbb18d3fad..1900ce7ef7b 100644 --- a/sonar-testing-ldap/build.gradle +++ b/sonar-testing-ldap/build.gradle @@ -6,10 +6,13 @@ sonar { dependencies { api 'org.apache.mina:mina-core:2.2.3' - implementation ('org.apache.directory.server:apacheds-server-integ:2.0.0.AM26') { + implementation ('org.apache.directory.server:apacheds-server-integ:2.0.0.AM27') { exclude group: 'log4j', module: 'log4j' } + implementation 'org.apache.kerby:kerb-simplekdc:2.0.3' + implementation 'org.apache.kerby:ldap-backend:2.0.3' + testImplementation 'junit:junit' testImplementation 'org.assertj:assertj-core' testImplementation 'org.hamcrest:hamcrest-core' diff --git a/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java b/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java index 14911fa09ca..9aa94d31483 100644 --- a/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java +++ b/sonar-testing-ldap/src/main/java/org/sonar/ldap/ApacheDS.java 
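Review bot: The two new Kerby coordinates are pinned to `2.0.3` directly in this module, while the other test dependencies in the same block (`junit:junit`, `assertj-core`) take their versions from the shared dependency constraints; since the ApacheDS.java hunks switch `KdcServer` from `org.apache.directory.server.kerberos.kdc` to `org.apache.kerby.kerberos.kerb.server`, the Kerby version is coupled to the apacheds version and should live next to it so the two are bumped together. Nothing in the build file says why a second Kerberos implementation appears; a one-line comment such as `// KDC used by the LDAP integration tests; ldap-backend lets it read principals from the embedded ApacheDS` would answer that for the next reader.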
@@ -30,7 +30,6 @@ import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
 import org.apache.directory.api.ldap.model.entry.DefaultEntry;
 import org.apache.directory.api.ldap.model.entry.DefaultModification;
 import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapOperationException;
 import org.apache.directory.api.ldap.model.ldif.ChangeType;
 import org.apache.directory.api.ldap.model.ldif.LdifEntry;
 import org.apache.directory.api.ldap.model.ldif.LdifReader;
@@ -42,8 +41,6 @@ import org.apache.directory.server.core.api.InstanceLayout;
 import org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory;
 import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
 import org.apache.directory.server.core.partition.impl.avl.AvlPartition;
-import org.apache.directory.server.kerberos.KerberosConfig;
-import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.ldap.LdapServer;
 import org.apache.directory.server.ldap.handlers.sasl.MechanismHandler;
 import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
@@ -51,18 +48,22 @@ import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5Mechani import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler; import org.apache.directory.server.ldap.handlers.sasl.plain.PlainMechanismHandler; import org.apache.directory.server.protocol.shared.transport.TcpTransport; -import org.apache.directory.server.protocol.shared.transport.UdpTransport; import org.apache.directory.server.xdbm.impl.avl.AvlIndex; +import org.apache.kerby.kerberos.kerb.KrbException; +import org.apache.kerby.kerberos.kerb.client.KrbConfigKey; +import org.apache.kerby.kerberos.kerb.identity.backend.BackendConfig; +import org.apache.kerby.kerberos.kerb.server.KdcConfigKey; +import org.apache.kerby.kerberos.kerb.server.KdcServer; import org.apache.mina.util.AvailablePortFinder; import org.slf4j.Logger; import org.slf4j.LoggerFactory; public final class ApacheDS { - private static final Logger LOG = LoggerFactory.getLogger(ApacheDS.class); - + private static final String HOSTNAME_LOCALHOST = "localhost"; private final String realm; private final String baseDn; + private int ldapPort; private DirectoryService directoryService; private LdapServer ldapServer; @@ -77,8 +78,8 @@ public final class ApacheDS { public static ApacheDS start(String realm, String baseDn, String workDir, Integer port) throws Exception { return new ApacheDS(realm, baseDn) .startDirectoryService(workDir) - .startKdcServer() .startLdapServer(port == null ? AvailablePortFinder.getNextAvailable(1024) : port) + .startKdcServer() .activateNis(); } @@ -173,6 +174,7 @@ public final class ApacheDS { } private ApacheDS startLdapServer(int port) throws Exception { + this.ldapPort = port; ldapServer.setTransports(new TcpTransport(port)); ldapServer.setDirectoryService(directoryService); 
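Review bot: Moving `.startKdcServer()` after `.startLdapServer(...)` in `start` introduces an ordering dependency that nothing enforces: `startKdcServer` reads `this.ldapPort`, which is only assigned in the following hunk (`this.ldapPort = port;`), so calling the builders in the old order would silently configure the Kerby LDAP backend with port 0. Document it on the new field, `private int ldapPort; // assigned by startLdapServer; startKdcServer reads it and must run after it`, and guard it where it is consumed, `if (ldapPort == 0) throw new IllegalStateException("startLdapServer must be called before startKdcServer");`. Separately, this hunk removes the only visible use of `LOG` but keeps `import org.slf4j.Logger;` and `import org.slf4j.LoggerFactory;`; if nothing else in the file logs, both imports are now unused. The body of `startLdapServer` continues past the end of its hunk.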
@@ -195,34 +197,43 @@ public final class ApacheDS { return this; } - private ApacheDS startKdcServer() throws IOException, LdapOperationException { + + private ApacheDS startKdcServer() throws IOException, KrbException { int port = AvailablePortFinder.getNextAvailable(6088); - KerberosConfig kdcConfig = new KerberosConfig(); - kdcConfig.setServicePrincipal("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"); - kdcConfig.setPrimaryRealm("EXAMPLE.ORG"); - kdcConfig.setPaEncTimestampRequired(false); + File krbConf = new File("target/krb5.conf"); + FileUtils.writeStringToFile(krbConf, "" + + "[libdefaults]\n" + + " default_realm = EXAMPLE.ORG\n" + + "\n" + + "[realms]\n" + + " EXAMPLE.ORG = {\n" + + " kdc = localhost:" + port + "\n" + + " }\n" + + "\n" + + "[domain_realm]\n" + + " .example.org = EXAMPLE.ORG\n" + + " example.org = EXAMPLE.ORG\n", + StandardCharsets.UTF_8.name()); - kdcServer = new KdcServer(kdcConfig); - kdcServer.setSearchBaseDn("dc=example,dc=org"); - kdcServer.addTransports(new UdpTransport("localhost", port)); - kdcServer.setDirectoryService(directoryService); - kdcServer.start(); + kdcServer = new KdcServer(krbConf); + kdcServer.setKdcRealm("EXAMPLE.ORG"); + kdcServer.getKdcConfig().setBoolean(KrbConfigKey.PA_ENC_TIMESTAMP_REQUIRED, false); - FileUtils.writeStringToFile(new File("target/krb5.conf"), "" - + "[libdefaults]\n" - + " default_realm = EXAMPLE.ORG\n" - + "\n" - + "[realms]\n" - + " EXAMPLE.ORG = {\n" - + " kdc = localhost:" + port + "\n" - + " }\n" - + "\n" - + "[domain_realm]\n" - + " .example.org = EXAMPLE.ORG\n" - + " example.org = EXAMPLE.ORG\n", - StandardCharsets.UTF_8.name()); + BackendConfig backendConfig = kdcServer.getBackendConfig(); + backendConfig.setString("host", HOSTNAME_LOCALHOST); + backendConfig.setString("base_dn", baseDn); + backendConfig.setInt("port", this.ldapPort); + backendConfig.setString(KdcConfigKey.KDC_IDENTITY_BACKEND, + "org.apache.kerby.kerberos.kdc.identitybackend.LdapIdentityBackend"); + kdcServer.setAllowUdp(true); + 
kdcServer.setAllowTcp(false); + kdcServer.setKdcUdpPort(port); + kdcServer.setKdcHost(HOSTNAME_LOCALHOST); + + kdcServer.init(); + kdcServer.start(); return this; } -- 2.39.5
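Review bot: The rewritten `startKdcServer` hard-codes the realm in `setKdcRealm("EXAMPLE.ORG")` and in the `default_realm`, `[realms]` and `[domain_realm]` lines of the generated krb5.conf, yet the same method now reads `this.baseDn` for the backend's `base_dn`, so the fixture only works when the `realm` passed to `ApacheDS.start` happens to be `EXAMPLE.ORG`; use the `realm` field throughout or drop the constructor parameter. The literal `localhost` in the `kdc = localhost:` line should be the `HOSTNAME_LOCALHOST` constant this commit introduces, which `setKdcHost` and the backend `host` already use. `PA_ENC_TIMESTAMP_REQUIRED` set to `false` disables Kerberos pre-authentication, a real weakening on any KDC reachable by untrusted clients; since this fixture listens on localhost only, say so next to the line, e.g. `// pre-auth off to keep the IT simple; acceptable only because the KDC is bound to localhost`. The backend settings `"host"`, `"base_dn"` and `"port"` are bare string keys: if Kerby exposes constants for them prefer those, otherwise a comment naming the class they configure (`LdapIdentityBackend`, set two lines below) would tell the reader where the keys are interpreted.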