12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723 |
- /*
- * Copyright 2016 Florian Zschocke
- * Copyright 2016 gitblit.com
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- package com.gitblit.tests;
-
- import static org.junit.Assume.assumeTrue;
-
- import java.security.GeneralSecurityException;
- import java.security.InvalidAlgorithmParameterException;
- import java.security.KeyPair;
- import java.security.KeyPairGenerator;
- import java.security.Signature;
- import java.security.spec.ECGenParameterSpec;
- import java.util.HashMap;
- import java.util.List;
- import java.util.Map;
-
- import org.apache.sshd.common.util.security.SecurityUtils;
- import org.junit.BeforeClass;
- import org.junit.Test;
- import org.junit.runner.RunWith;
- import org.junit.runners.Parameterized;
-
- import com.gitblit.Keys;
- import com.gitblit.Constants.AccessPermission;
- import com.gitblit.transport.ssh.LdapKeyManager;
- import com.gitblit.transport.ssh.SshKey;
- import com.unboundid.ldap.sdk.LDAPException;
- import com.unboundid.ldap.sdk.Modification;
- import com.unboundid.ldap.sdk.ModificationType;
-
- /**
- * Test LdapPublicKeyManager going against an in-memory UnboundID
- * LDAP server.
- *
- * @author Florian Zschocke
- *
- */
- @RunWith(Parameterized.class)
- public class LdapPublicKeyManagerTest extends LdapBasedUnitTest {
-
- private static Map<String,KeyPair> keyPairs = new HashMap<>(10);
- private static KeyPairGenerator rsaGenerator;
- private static KeyPairGenerator dsaGenerator;
- private static KeyPairGenerator ecGenerator;
-
-
-
- @BeforeClass
- public static void init() throws GeneralSecurityException {
- rsaGenerator = SecurityUtils.getKeyPairGenerator("RSA");
- dsaGenerator = SecurityUtils.getKeyPairGenerator("DSA");
- ecGenerator = SecurityUtils.getKeyPairGenerator("ECDSA");
- }
-
-
-
- @Test
- public void testGetKeys() throws LDAPException {
- String keyRsaOne = getRsaPubKey("UserOne@example.com");
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
-
- String keyRsaTwo = getRsaPubKey("UserTwo@example.com");
- String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaTwo, keyDsaTwo));
-
- String keyRsaThree = getRsaPubKey("UserThree@example.com");
- String keyDsaThree = getDsaPubKey("UserThree@example.com");
- String keyEcThree = getEcPubKey("UserThree@example.com");
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyEcThree, keyRsaThree, keyDsaThree));
-
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- List<SshKey> keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertTrue(keys.size() == 1);
- assertEquals(keyRsaOne, keys.get(0).getRawData());
-
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertTrue(keys.size() == 2);
- if (keyRsaTwo.equals(keys.get(0).getRawData())) {
- assertEquals(keyDsaTwo, keys.get(1).getRawData());
- } else if (keyDsaTwo.equals(keys.get(0).getRawData())) {
- assertEquals(keyRsaTwo, keys.get(1).getRawData());
- } else {
- fail("Mismatch in UserTwo keys.");
- }
-
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertTrue(keys.size() == 3);
- assertEquals(keyEcThree, keys.get(0).getRawData());
- assertEquals(keyRsaThree, keys.get(1).getRawData());
- assertEquals(keyDsaThree, keys.get(2).getRawData());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertTrue(keys.size() == 0);
- }
-
-
- @Test
- public void testGetKeysAttributeName() throws LDAPException {
- settings.put(Keys.realm.ldap.sshPublicKey, "sshPublicKey");
-
- String keyRsaOne = getRsaPubKey("UserOne@example.com");
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
-
- String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "publicsshkey", keyDsaTwo));
-
- String keyRsaThree = getRsaPubKey("UserThree@example.com");
- String keyDsaThree = getDsaPubKey("UserThree@example.com");
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "publicsshkey", keyDsaThree));
-
-
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- List<SshKey> keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyRsaOne, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyRsaThree, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
-
- settings.put(Keys.realm.ldap.sshPublicKey, "publicsshkey");
-
- keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyDsaTwo, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyDsaThree, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertEquals(0, keys.size());
- }
-
-
- @Test
- public void testGetKeysPrefixed() throws LDAPException {
- // This test is independent from authentication mode, so run only once.
- assumeTrue(authMode == AuthMode.ANONYMOUS);
-
- String keyRsaOne = getRsaPubKey("UserOne@example.com");
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
-
- String keyRsaTwo = getRsaPubKey("UserTwo@example.com");
- String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", keyRsaTwo));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey: " + keyDsaTwo));
-
- String keyRsaThree = getRsaPubKey("UserThree@example.com");
- String keyDsaThree = getDsaPubKey("UserThree@example.com");
- String keyEcThree = getEcPubKey("UserThree@example.com");
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " SshKey :\r\n" + keyRsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " sshkey: " + keyDsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "ECDSAKey :\n " + keyEcThree));
-
-
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities");
-
- List<SshKey> keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyRsaTwo, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
-
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHKey");
-
- keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyDsaTwo, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(2, keys.size());
- assertEquals(keyRsaThree, keys.get(0).getRawData());
- assertEquals(keyDsaThree, keys.get(1).getRawData());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
-
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:ECDSAKey");
-
- keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(0, keys.size());
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- assertEquals(keyEcThree, keys.get(0).getRawData());
-
- keys = kmgr.getKeys("UserFour");
- assertNotNull(keys);
- assertEquals(0, keys.size());
- }
-
-
- @Test
- public void testGetKeysPermissions() throws LDAPException {
- // This test is independent from authentication mode, so run only once.
- assumeTrue(authMode == AuthMode.ANONYMOUS);
-
- String keyRsaOne = getRsaPubKey("UserOne@example.com");
- String keyRsaTwo = getRsaPubKey("");
- String keyDsaTwo = getDsaPubKey("UserTwo at example.com");
- String keyRsaThree = getRsaPubKey("UserThree@example.com");
- String keyDsaThree = getDsaPubKey("READ key for user 'Three' @example.com");
- String keyEcThree = getEcPubKey("UserThree@example.com");
-
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " " + keyRsaTwo));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "no-agent-forwarding " + keyDsaTwo));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));
-
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\" " + keyRsaOne));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " restrict,environment=\"gbperm=V\" " + keyRsaTwo));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "restrict,environment=\"GBPerm=RW\",pty " + keyDsaTwo));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"gbPerm=CLONE\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environment=\"XYZ='Ali Baba'\" " + keyEcThree));
-
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\" gbPerm = V \" " + keyRsaTwo));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "command=\"sh echo \\\"Nope, not you!\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));
-
-
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- List<SshKey> keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(6, keys.size());
- for (SshKey key : keys) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- }
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(6, keys.size());
- int seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(63, seen);
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(6, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(63, seen);
- }
-
-
- @Test
- public void testGetKeysPrefixedPermissions() throws LDAPException {
- // This test is independent from authentication mode, so run only once.
- assumeTrue(authMode == AuthMode.ANONYMOUS);
-
- String keyRsaOne = getRsaPubKey("UserOne@example.com");
- String keyRsaTwo = getRsaPubKey("UserTwo at example.com");
- String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
- String keyRsaThree = getRsaPubKey("example.com: user Three");
- String keyDsaThree = getDsaPubKey("");
- String keyEcThree = getEcPubKey(" ");
-
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "permitopen=\"host:220\"" + keyRsaOne));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "sshkey:" + " " + keyRsaTwo));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKEY :" + "no-agent-forwarding " + keyDsaTwo));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));
- getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));
-
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\" " + keyRsaOne));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey : " + " restrict,environment=\"gbPerm=V\",permitopen=\"sshkey: 220\" " + keyRsaTwo));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "permitopen=\"sshkey: 443\",restrict,environment=\"gbPerm=RW\",pty " + keyDsaTwo));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=CLONE\",permitopen=\"pubkey: 29184\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environemnt=\"XYZ='Ali Baba'\" " + keyEcThree));
-
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey : " + " environment=\" gbPerm = V \" " + keyRsaTwo));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "command=\"sh echo \\\"Nope, not you! \\b (bell)\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));
-
- // Weird stuff, not to specification but shouldn't make it stumble.
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "opttest: " + "permitopen=host:443,command=,environment=\"gbPerm=CLONE\",no-pty= " + keyRsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " opttest: " + " cmd=git,environment=\"gbPerm=\\\"VIEW\\\"\" " + keyDsaThree));
- getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " opttest:" + "environment=,command=netstat,environment=gbperm=push " + keyEcThree));
-
-
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHkey");
-
- List<SshKey> keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(2, keys.size());
- int seen = 0;
- for (SshKey key : keys) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- if (keyRsaOne.equals(key.getRawData())) {
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- seen += 1 << 5;
- }
- }
- assertEquals(6, seen);
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(7, seen);
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(7, seen);
-
-
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:pubKey");
-
- keys = kmgr.getKeys("UserOne");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- if (keyRsaOne.equals(key.getRawData())) {
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- seen += 1 << 5;
- }
- }
- assertEquals(56, seen);
-
- keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(56, seen);
-
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(56, seen);
-
-
- settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:opttest");
- keys = kmgr.getKeys("UserThree");
- assertNotNull(keys);
- assertEquals(3, keys.size());
- seen = 0;
- for (SshKey key : keys) {
- if (keyRsaOne.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 0;
- }
- else if (keyRsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 1;
- }
- else if (keyDsaTwo.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 2;
- }
- else if (keyRsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.CLONE, key.getPermission());
- seen += 1 << 3;
- }
- else if (keyDsaThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.VIEW, key.getPermission());
- seen += 1 << 4;
- }
- else if (keyEcThree.equals(key.getRawData())) {
- assertEquals(AccessPermission.PUSH, key.getPermission());
- seen += 1 << 5;
- }
- }
- assertEquals(56, seen);
-
- }
-
-
- @Test
- public void testKeyValidity() throws LDAPException, GeneralSecurityException {
- LdapKeyManager kmgr = new LdapKeyManager(settings);
-
- String comment = "UserTwo@example.com";
- String keyDsaTwo = getDsaPubKey(comment);
- getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyDsaTwo));
-
-
- List<SshKey> keys = kmgr.getKeys("UserTwo");
- assertNotNull(keys);
- assertEquals(1, keys.size());
- SshKey sshKey = keys.get(0);
- assertEquals(keyDsaTwo, sshKey.getRawData());
-
- Signature signature = SecurityUtils.getSignature("DSA");
- signature.initSign(getDsaKeyPair(comment).getPrivate());
- byte[] message = comment.getBytes();
- signature.update(message);
- byte[] sigBytes = signature.sign();
-
- signature.initVerify(sshKey.getPublicKey());
- signature.update(message);
- assertTrue("Verify failed with retrieved SSH key.", signature.verify(sigBytes));
- }
-
-
-
-
-
-
-
-
- private KeyPair getDsaKeyPair(String comment) {
- return getKeyPair("DSA", comment, dsaGenerator);
- }
-
- private KeyPair getKeyPair(String type, String comment, KeyPairGenerator generator) {
- String kpkey = type + ":" + comment;
- KeyPair kp = keyPairs.get(kpkey);
- if (kp == null) {
- if ("EC".equals(type)) {
- ECGenParameterSpec ecSpec = new ECGenParameterSpec("P-384");
- try {
- ecGenerator.initialize(ecSpec);
- } catch (InvalidAlgorithmParameterException e) {
- kp = generator.generateKeyPair();
- e.printStackTrace();
- }
- kp = ecGenerator.generateKeyPair();
- } else {
- kp = generator.generateKeyPair();
- }
- keyPairs.put(kpkey, kp);
- }
-
- return kp;
- }
-
-
- private String getRsaPubKey(String comment) {
- return getPubKey("RSA", comment, rsaGenerator);
- }
-
- private String getDsaPubKey(String comment) {
- return getPubKey("DSA", comment, dsaGenerator);
- }
-
- private String getEcPubKey(String comment) {
- return getPubKey("EC", comment, ecGenerator);
- }
-
- private String getPubKey(String type, String comment, KeyPairGenerator generator) {
- KeyPair kp = getKeyPair(type, comment, generator);
- if (kp == null) {
- return null;
- }
-
- SshKey sk = new SshKey(kp.getPublic());
- sk.setComment(comment);
- return sk.getRawData();
- }
-
- }