mirrors
/
gitblit
ミラー元 https://github.com/gitblit/gitblit.git
ウォッチ 1
スター 0
フォーク 0
コード 課題 0 リリース 43 Wiki アクティビティ
選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。
3290 コミット
11 ブランチ
ツリー: 3c54c9f736
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'3c54c9f736' から
${ noResults }
gitblit/src/test/java/com/gitblit/tests/LdapPublicKeyManagerTest.java

LdapPublicKeyManagerTest.java 27KB
Raw Blame 履歴

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723 
  1. /*

  2.  * Copyright 2016 Florian Zschocke

  3.  * Copyright 2016 gitblit.com

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. package com.gitblit.tests;

  18. 

  19. import static org.junit.Assume.assumeTrue;

  20. 

  21. import java.security.GeneralSecurityException;

  22. import java.security.InvalidAlgorithmParameterException;

  23. import java.security.KeyPair;

  24. import java.security.KeyPairGenerator;

  25. import java.security.Signature;

  26. import java.security.spec.ECGenParameterSpec;

  27. import java.util.HashMap;

  28. import java.util.List;

  29. import java.util.Map;

  30. 

  31. import org.apache.sshd.common.util.security.SecurityUtils;

  32. import org.junit.BeforeClass;

  33. import org.junit.Test;

  34. import org.junit.runner.RunWith;

  35. import org.junit.runners.Parameterized;

  36. 

  37. import com.gitblit.Keys;

  38. import com.gitblit.Constants.AccessPermission;

  39. import com.gitblit.transport.ssh.LdapKeyManager;

  40. import com.gitblit.transport.ssh.SshKey;

  41. import com.unboundid.ldap.sdk.LDAPException;

  42. import com.unboundid.ldap.sdk.Modification;

  43. import com.unboundid.ldap.sdk.ModificationType;

  44. 

  45. /**

  46.  * Test LdapPublicKeyManager going against an in-memory UnboundID

  47.  * LDAP server.

  48.  *

  49.  * @author Florian Zschocke

  50.  *

  51.  */

  52. @RunWith(Parameterized.class)

  53. public class LdapPublicKeyManagerTest extends LdapBasedUnitTest {

  54. 

  55. 	private static Map<String,KeyPair> keyPairs = new HashMap<>(10);

  56. 	private static KeyPairGenerator rsaGenerator;

  57. 	private static KeyPairGenerator dsaGenerator;

  58. 	private static KeyPairGenerator ecGenerator;

  59. 

  60. 

  61. 

  62. 	@BeforeClass

  63. 	public static void init() throws GeneralSecurityException {

  64. 		rsaGenerator = SecurityUtils.getKeyPairGenerator("RSA");

  65. 		dsaGenerator = SecurityUtils.getKeyPairGenerator("DSA");

  66. 		ecGenerator = SecurityUtils.getKeyPairGenerator("ECDSA");

  67. 	}

  68. 

  69. 

  70. 

  71. 	@Test

  72. 	public void testGetKeys() throws LDAPException {

  73. 		String keyRsaOne = getRsaPubKey("UserOne@example.com");

  74. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));

  75. 

  76. 		String keyRsaTwo = getRsaPubKey("UserTwo@example.com");

  77. 		String keyDsaTwo = getDsaPubKey("UserTwo@example.com");

  78. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaTwo, keyDsaTwo));

  79. 

  80. 		String keyRsaThree = getRsaPubKey("UserThree@example.com");

  81. 		String keyDsaThree = getDsaPubKey("UserThree@example.com");

  82. 		String keyEcThree  = getEcPubKey("UserThree@example.com");

  83. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyEcThree, keyRsaThree, keyDsaThree));

  84. 

  85. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  86. 

  87. 		List<SshKey> keys = kmgr.getKeys("UserOne");

  88. 		assertNotNull(keys);

  89. 		assertTrue(keys.size() == 1);

  90. 		assertEquals(keyRsaOne, keys.get(0).getRawData());

  91. 

  92. 

  93. 		keys = kmgr.getKeys("UserTwo");

  94. 		assertNotNull(keys);

  95. 		assertTrue(keys.size() == 2);

  96. 		if (keyRsaTwo.equals(keys.get(0).getRawData())) {

  97. 			assertEquals(keyDsaTwo, keys.get(1).getRawData());

  98. 		} else if (keyDsaTwo.equals(keys.get(0).getRawData())) {

  99. 			assertEquals(keyRsaTwo, keys.get(1).getRawData());

  100. 		} else {

  101. 			fail("Mismatch in UserTwo keys.");

  102. 		}

  103. 

  104. 

  105. 		keys = kmgr.getKeys("UserThree");

  106. 		assertNotNull(keys);

  107. 		assertTrue(keys.size() == 3);

  108. 		assertEquals(keyEcThree, keys.get(0).getRawData());

  109. 		assertEquals(keyRsaThree, keys.get(1).getRawData());

  110. 		assertEquals(keyDsaThree, keys.get(2).getRawData());

  111. 

  112. 		keys = kmgr.getKeys("UserFour");

  113. 		assertNotNull(keys);

  114. 		assertTrue(keys.size() == 0);

  115. 	}

  116. 

  117. 

  118. 	@Test

  119. 	public void testGetKeysAttributeName() throws LDAPException {

  120. 		settings.put(Keys.realm.ldap.sshPublicKey, "sshPublicKey");

  121. 

  122. 		String keyRsaOne = getRsaPubKey("UserOne@example.com");

  123. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));

  124. 

  125. 		String keyDsaTwo = getDsaPubKey("UserTwo@example.com");

  126. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "publicsshkey", keyDsaTwo));

  127. 

  128. 		String keyRsaThree = getRsaPubKey("UserThree@example.com");

  129. 		String keyDsaThree = getDsaPubKey("UserThree@example.com");

  130. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaThree));

  131. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "publicsshkey", keyDsaThree));

  132. 

  133. 

  134. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  135. 

  136. 		List<SshKey> keys = kmgr.getKeys("UserOne");

  137. 		assertNotNull(keys);

  138. 		assertEquals(1, keys.size());

  139. 		assertEquals(keyRsaOne, keys.get(0).getRawData());

  140. 

  141. 		keys = kmgr.getKeys("UserTwo");

  142. 		assertNotNull(keys);

  143. 		assertEquals(0, keys.size());

  144. 

  145. 		keys = kmgr.getKeys("UserThree");

  146. 		assertNotNull(keys);

  147. 		assertEquals(1, keys.size());

  148. 		assertEquals(keyRsaThree, keys.get(0).getRawData());

  149. 

  150. 		keys = kmgr.getKeys("UserFour");

  151. 		assertNotNull(keys);

  152. 		assertEquals(0, keys.size());

  153. 

  154. 

  155. 		settings.put(Keys.realm.ldap.sshPublicKey, "publicsshkey");

  156. 

  157. 		keys = kmgr.getKeys("UserOne");

  158. 		assertNotNull(keys);

  159. 		assertEquals(0, keys.size());

  160. 

  161. 		keys = kmgr.getKeys("UserTwo");

  162. 		assertNotNull(keys);

  163. 		assertEquals(1, keys.size());

  164. 		assertEquals(keyDsaTwo, keys.get(0).getRawData());

  165. 

  166. 		keys = kmgr.getKeys("UserThree");

  167. 		assertNotNull(keys);

  168. 		assertEquals(1, keys.size());

  169. 		assertEquals(keyDsaThree, keys.get(0).getRawData());

  170. 

  171. 		keys = kmgr.getKeys("UserFour");

  172. 		assertNotNull(keys);

  173. 		assertEquals(0, keys.size());

  174. 	}

  175. 

  176. 

  177. 	@Test

  178. 	public void testGetKeysPrefixed() throws LDAPException {

  179. 		// This test is independent from authentication mode, so run only once.

  180. 		assumeTrue(authMode == AuthMode.ANONYMOUS);

  181. 

  182. 		String keyRsaOne = getRsaPubKey("UserOne@example.com");

  183. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));

  184. 

  185. 		String keyRsaTwo = getRsaPubKey("UserTwo@example.com");

  186. 		String keyDsaTwo = getDsaPubKey("UserTwo@example.com");

  187. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", keyRsaTwo));

  188. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey: " + keyDsaTwo));

  189. 

  190. 		String keyRsaThree = getRsaPubKey("UserThree@example.com");

  191. 		String keyDsaThree = getDsaPubKey("UserThree@example.com");

  192. 		String keyEcThree =  getEcPubKey("UserThree@example.com");

  193. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " SshKey :\r\n" + keyRsaThree));

  194. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "	sshkey: " + keyDsaThree));

  195. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "ECDSAKey	:\n " + keyEcThree));

  196. 

  197. 

  198. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  199. 

  200. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities");

  201. 

  202. 		List<SshKey> keys = kmgr.getKeys("UserOne");

  203. 		assertNotNull(keys);

  204. 		assertEquals(0, keys.size());

  205. 

  206. 		keys = kmgr.getKeys("UserTwo");

  207. 		assertNotNull(keys);

  208. 		assertEquals(1, keys.size());

  209. 		assertEquals(keyRsaTwo, keys.get(0).getRawData());

  210. 

  211. 		keys = kmgr.getKeys("UserThree");

  212. 		assertNotNull(keys);

  213. 		assertEquals(0, keys.size());

  214. 

  215. 		keys = kmgr.getKeys("UserFour");

  216. 		assertNotNull(keys);

  217. 		assertEquals(0, keys.size());

  218. 

  219. 

  220. 

  221. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHKey");

  222. 

  223. 		keys = kmgr.getKeys("UserOne");

  224. 		assertNotNull(keys);

  225. 		assertEquals(0, keys.size());

  226. 

  227. 		keys = kmgr.getKeys("UserTwo");

  228. 		assertNotNull(keys);

  229. 		assertEquals(1, keys.size());

  230. 		assertEquals(keyDsaTwo, keys.get(0).getRawData());

  231. 

  232. 		keys = kmgr.getKeys("UserThree");

  233. 		assertNotNull(keys);

  234. 		assertEquals(2, keys.size());

  235. 		assertEquals(keyRsaThree, keys.get(0).getRawData());

  236. 		assertEquals(keyDsaThree, keys.get(1).getRawData());

  237. 

  238. 		keys = kmgr.getKeys("UserFour");

  239. 		assertNotNull(keys);

  240. 		assertEquals(0, keys.size());

  241. 

  242. 

  243. 

  244. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:ECDSAKey");

  245. 

  246. 		keys = kmgr.getKeys("UserOne");

  247. 		assertNotNull(keys);

  248. 		assertEquals(0, keys.size());

  249. 

  250. 		keys = kmgr.getKeys("UserTwo");

  251. 		assertNotNull(keys);

  252. 		assertEquals(0, keys.size());

  253. 

  254. 		keys = kmgr.getKeys("UserThree");

  255. 		assertNotNull(keys);

  256. 		assertEquals(1, keys.size());

  257. 		assertEquals(keyEcThree, keys.get(0).getRawData());

  258. 

  259. 		keys = kmgr.getKeys("UserFour");

  260. 		assertNotNull(keys);

  261. 		assertEquals(0, keys.size());

  262. 	}

  263. 

  264. 

  265. 	@Test

  266. 	public void testGetKeysPermissions() throws LDAPException {

  267. 		// This test is independent from authentication mode, so run only once.

  268. 		assumeTrue(authMode == AuthMode.ANONYMOUS);

  269. 

  270. 		String keyRsaOne = getRsaPubKey("UserOne@example.com");

  271. 		String keyRsaTwo = getRsaPubKey("");

  272. 		String keyDsaTwo = getDsaPubKey("UserTwo at example.com");

  273. 		String keyRsaThree = getRsaPubKey("UserThree@example.com");

  274. 		String keyDsaThree = getDsaPubKey("READ key for user 'Three' @example.com");

  275. 		String keyEcThree =  getEcPubKey("UserThree@example.com");

  276. 

  277. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));

  278. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "  	 " + keyRsaTwo));

  279. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "no-agent-forwarding " + keyDsaTwo));

  280. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));

  281. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));

  282. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));

  283. 

  284. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\" " + keyRsaOne));

  285. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " restrict,environment=\"gbperm=V\" 	 " + keyRsaTwo));

  286. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "restrict,environment=\"GBPerm=RW\",pty " + keyDsaTwo));

  287. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"gbPerm=CLONE\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));

  288. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));

  289. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environment=\"XYZ='Ali Baba'\" " + keyEcThree));

  290. 

  291. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));

  292. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\" gbPerm = V \" 	 " + keyRsaTwo));

  293. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "command=\"sh echo \\\"Nope, not you!\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));

  294. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));

  295. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "	command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));

  296. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));

  297. 

  298. 

  299. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  300. 

  301. 		List<SshKey> keys = kmgr.getKeys("UserOne");

  302. 		assertNotNull(keys);

  303. 		assertEquals(6, keys.size());

  304. 		for (SshKey key : keys) {

  305. 			assertEquals(AccessPermission.PUSH, key.getPermission());

  306. 		}

  307. 

  308. 		keys = kmgr.getKeys("UserTwo");

  309. 		assertNotNull(keys);

  310. 		assertEquals(6, keys.size());

  311. 		int seen = 0;

  312. 		for (SshKey key : keys) {

  313. 			if (keyRsaOne.equals(key.getRawData())) {

  314. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  315. 				seen += 1 << 0;

  316. 			}

  317. 			else if (keyRsaTwo.equals(key.getRawData())) {

  318. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  319. 				seen += 1 << 1;

  320. 			}

  321. 			else if (keyDsaTwo.equals(key.getRawData())) {

  322. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  323. 				seen += 1 << 2;

  324. 			}

  325. 			else if (keyRsaThree.equals(key.getRawData())) {

  326. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  327. 				seen += 1 << 3;

  328. 			}

  329. 			else if (keyDsaThree.equals(key.getRawData())) {

  330. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  331. 				seen += 1 << 4;

  332. 			}

  333. 			else if (keyEcThree.equals(key.getRawData())) {

  334. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  335. 				seen += 1 << 5;

  336. 			}

  337. 		}

  338. 		assertEquals(63, seen);

  339. 

  340. 		keys = kmgr.getKeys("UserThree");

  341. 		assertNotNull(keys);

  342. 		assertEquals(6, keys.size());

  343. 		seen = 0;

  344. 		for (SshKey key : keys) {

  345. 			if (keyRsaOne.equals(key.getRawData())) {

  346. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  347. 				seen += 1 << 0;

  348. 			}

  349. 			else if (keyRsaTwo.equals(key.getRawData())) {

  350. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  351. 				seen += 1 << 1;

  352. 			}

  353. 			else if (keyDsaTwo.equals(key.getRawData())) {

  354. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  355. 				seen += 1 << 2;

  356. 			}

  357. 			else if (keyRsaThree.equals(key.getRawData())) {

  358. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  359. 				seen += 1 << 3;

  360. 			}

  361. 			else if (keyDsaThree.equals(key.getRawData())) {

  362. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  363. 				seen += 1 << 4;

  364. 			}

  365. 			else if (keyEcThree.equals(key.getRawData())) {

  366. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  367. 				seen += 1 << 5;

  368. 			}

  369. 		}

  370. 		assertEquals(63, seen);

  371. 	}

  372. 

  373. 

  374. 	@Test

  375. 	public void testGetKeysPrefixedPermissions() throws LDAPException {

  376. 		// This test is independent from authentication mode, so run only once.

  377. 		assumeTrue(authMode == AuthMode.ANONYMOUS);

  378. 

  379. 		String keyRsaOne = getRsaPubKey("UserOne@example.com");

  380. 		String keyRsaTwo = getRsaPubKey("UserTwo at example.com");

  381. 		String keyDsaTwo = getDsaPubKey("UserTwo@example.com");

  382. 		String keyRsaThree = getRsaPubKey("example.com: user Three");

  383. 		String keyDsaThree = getDsaPubKey("");

  384. 		String keyEcThree =  getEcPubKey("  ");

  385. 

  386. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities",          "permitopen=\"host:220\"" + keyRsaOne));

  387. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "sshkey:" + "  	 " + keyRsaTwo));

  388. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKEY :" + "no-agent-forwarding " + keyDsaTwo));

  389. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));

  390. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));

  391. 		getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));

  392. 

  393. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\" " + keyRsaOne));

  394. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey : " + " restrict,environment=\"gbPerm=V\",permitopen=\"sshkey: 220\" " + keyRsaTwo));

  395. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "permitopen=\"sshkey: 443\",restrict,environment=\"gbPerm=RW\",pty " + keyDsaTwo));

  396. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=CLONE\",permitopen=\"pubkey: 29184\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));

  397. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));

  398. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environemnt=\"XYZ='Ali Baba'\" " + keyEcThree));

  399. 

  400. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));

  401. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey : " + " environment=\" gbPerm = V \" 	 " + keyRsaTwo));

  402. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "command=\"sh echo \\\"Nope, not you! \\b (bell)\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));

  403. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));

  404. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "	command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));

  405. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));

  406. 

  407. 		// Weird stuff, not to specification but shouldn't make it stumble.

  408. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "opttest: " + "permitopen=host:443,command=,environment=\"gbPerm=CLONE\",no-pty= " + keyRsaThree));

  409. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " opttest: " + "	cmd=git,environment=\"gbPerm=\\\"VIEW\\\"\" " + keyDsaThree));

  410. 		getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "	opttest:" + "environment=,command=netstat,environment=gbperm=push " + keyEcThree));

  411. 

  412. 

  413. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  414. 

  415. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHkey");

  416. 

  417. 		List<SshKey> keys = kmgr.getKeys("UserOne");

  418. 		assertNotNull(keys);

  419. 		assertEquals(2, keys.size());

  420. 		int seen = 0;

  421. 		for (SshKey key : keys) {

  422. 			assertEquals(AccessPermission.PUSH, key.getPermission());

  423. 			if (keyRsaOne.equals(key.getRawData())) {

  424. 				seen += 1 << 0;

  425. 			}

  426. 			else if (keyRsaTwo.equals(key.getRawData())) {

  427. 				seen += 1 << 1;

  428. 			}

  429. 			else if (keyDsaTwo.equals(key.getRawData())) {

  430. 				seen += 1 << 2;

  431. 			}

  432. 			else if (keyRsaThree.equals(key.getRawData())) {

  433. 				seen += 1 << 3;

  434. 			}

  435. 			else if (keyDsaThree.equals(key.getRawData())) {

  436. 				seen += 1 << 4;

  437. 			}

  438. 			else if (keyEcThree.equals(key.getRawData())) {

  439. 				seen += 1 << 5;

  440. 			}

  441. 		}

  442. 		assertEquals(6, seen);

  443. 

  444. 		keys = kmgr.getKeys("UserTwo");

  445. 		assertNotNull(keys);

  446. 		assertEquals(3, keys.size());

  447. 		seen = 0;

  448. 		for (SshKey key : keys) {

  449. 			if (keyRsaOne.equals(key.getRawData())) {

  450. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  451. 				seen += 1 << 0;

  452. 			}

  453. 			else if (keyRsaTwo.equals(key.getRawData())) {

  454. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  455. 				seen += 1 << 1;

  456. 			}

  457. 			else if (keyDsaTwo.equals(key.getRawData())) {

  458. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  459. 				seen += 1 << 2;

  460. 			}

  461. 			else if (keyRsaThree.equals(key.getRawData())) {

  462. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  463. 				seen += 1 << 3;

  464. 			}

  465. 			else if (keyDsaThree.equals(key.getRawData())) {

  466. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  467. 				seen += 1 << 4;

  468. 			}

  469. 			else if (keyEcThree.equals(key.getRawData())) {

  470. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  471. 				seen += 1 << 5;

  472. 			}

  473. 		}

  474. 		assertEquals(7, seen);

  475. 

  476. 		keys = kmgr.getKeys("UserThree");

  477. 		assertNotNull(keys);

  478. 		assertEquals(3, keys.size());

  479. 		seen = 0;

  480. 		for (SshKey key : keys) {

  481. 			if (keyRsaOne.equals(key.getRawData())) {

  482. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  483. 				seen += 1 << 0;

  484. 			}

  485. 			else if (keyRsaTwo.equals(key.getRawData())) {

  486. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  487. 				seen += 1 << 1;

  488. 			}

  489. 			else if (keyDsaTwo.equals(key.getRawData())) {

  490. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  491. 				seen += 1 << 2;

  492. 			}

  493. 			else if (keyRsaThree.equals(key.getRawData())) {

  494. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  495. 				seen += 1 << 3;

  496. 			}

  497. 			else if (keyDsaThree.equals(key.getRawData())) {

  498. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  499. 				seen += 1 << 4;

  500. 			}

  501. 			else if (keyEcThree.equals(key.getRawData())) {

  502. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  503. 				seen += 1 << 5;

  504. 			}

  505. 		}

  506. 		assertEquals(7, seen);

  507. 

  508. 

  509. 

  510. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:pubKey");

  511. 

  512. 		keys = kmgr.getKeys("UserOne");

  513. 		assertNotNull(keys);

  514. 		assertEquals(3, keys.size());

  515. 		seen = 0;

  516. 		for (SshKey key : keys) {

  517. 			assertEquals(AccessPermission.PUSH, key.getPermission());

  518. 			if (keyRsaOne.equals(key.getRawData())) {

  519. 				seen += 1 << 0;

  520. 			}

  521. 			else if (keyRsaTwo.equals(key.getRawData())) {

  522. 				seen += 1 << 1;

  523. 			}

  524. 			else if (keyDsaTwo.equals(key.getRawData())) {

  525. 				seen += 1 << 2;

  526. 			}

  527. 			else if (keyRsaThree.equals(key.getRawData())) {

  528. 				seen += 1 << 3;

  529. 			}

  530. 			else if (keyDsaThree.equals(key.getRawData())) {

  531. 				seen += 1 << 4;

  532. 			}

  533. 			else if (keyEcThree.equals(key.getRawData())) {

  534. 				seen += 1 << 5;

  535. 			}

  536. 		}

  537. 		assertEquals(56, seen);

  538. 

  539. 		keys = kmgr.getKeys("UserTwo");

  540. 		assertNotNull(keys);

  541. 		assertEquals(3, keys.size());

  542. 		seen = 0;

  543. 		for (SshKey key : keys) {

  544. 			if (keyRsaOne.equals(key.getRawData())) {

  545. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  546. 				seen += 1 << 0;

  547. 			}

  548. 			else if (keyRsaTwo.equals(key.getRawData())) {

  549. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  550. 				seen += 1 << 1;

  551. 			}

  552. 			else if (keyDsaTwo.equals(key.getRawData())) {

  553. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  554. 				seen += 1 << 2;

  555. 			}

  556. 			else if (keyRsaThree.equals(key.getRawData())) {

  557. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  558. 				seen += 1 << 3;

  559. 			}

  560. 			else if (keyDsaThree.equals(key.getRawData())) {

  561. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  562. 				seen += 1 << 4;

  563. 			}

  564. 			else if (keyEcThree.equals(key.getRawData())) {

  565. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  566. 				seen += 1 << 5;

  567. 			}

  568. 		}

  569. 		assertEquals(56, seen);

  570. 

  571. 		keys = kmgr.getKeys("UserThree");

  572. 		assertNotNull(keys);

  573. 		assertEquals(3, keys.size());

  574. 		seen = 0;

  575. 		for (SshKey key : keys) {

  576. 			if (keyRsaOne.equals(key.getRawData())) {

  577. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  578. 				seen += 1 << 0;

  579. 			}

  580. 			else if (keyRsaTwo.equals(key.getRawData())) {

  581. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  582. 				seen += 1 << 1;

  583. 			}

  584. 			else if (keyDsaTwo.equals(key.getRawData())) {

  585. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  586. 				seen += 1 << 2;

  587. 			}

  588. 			else if (keyRsaThree.equals(key.getRawData())) {

  589. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  590. 				seen += 1 << 3;

  591. 			}

  592. 			else if (keyDsaThree.equals(key.getRawData())) {

  593. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  594. 				seen += 1 << 4;

  595. 			}

  596. 			else if (keyEcThree.equals(key.getRawData())) {

  597. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  598. 				seen += 1 << 5;

  599. 			}

  600. 		}

  601. 		assertEquals(56, seen);

  602. 

  603. 

  604. 		settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:opttest");

  605. 		keys = kmgr.getKeys("UserThree");

  606. 		assertNotNull(keys);

  607. 		assertEquals(3, keys.size());

  608. 		seen = 0;

  609. 		for (SshKey key : keys) {

  610. 			if (keyRsaOne.equals(key.getRawData())) {

  611. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  612. 				seen += 1 << 0;

  613. 			}

  614. 			else if (keyRsaTwo.equals(key.getRawData())) {

  615. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  616. 				seen += 1 << 1;

  617. 			}

  618. 			else if (keyDsaTwo.equals(key.getRawData())) {

  619. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  620. 				seen += 1 << 2;

  621. 			}

  622. 			else if (keyRsaThree.equals(key.getRawData())) {

  623. 				assertEquals(AccessPermission.CLONE, key.getPermission());

  624. 				seen += 1 << 3;

  625. 			}

  626. 			else if (keyDsaThree.equals(key.getRawData())) {

  627. 				assertEquals(AccessPermission.VIEW, key.getPermission());

  628. 				seen += 1 << 4;

  629. 			}

  630. 			else if (keyEcThree.equals(key.getRawData())) {

  631. 				assertEquals(AccessPermission.PUSH, key.getPermission());

  632. 				seen += 1 << 5;

  633. 			}

  634. 		}

  635. 		assertEquals(56, seen);

  636. 

  637. 	}

  638. 

  639. 

  640. 	@Test

  641. 	public void testKeyValidity() throws LDAPException, GeneralSecurityException {

  642. 		LdapKeyManager kmgr = new LdapKeyManager(settings);

  643. 

  644. 		String comment = "UserTwo@example.com";

  645. 		String keyDsaTwo = getDsaPubKey(comment);

  646. 		getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyDsaTwo));

  647. 

  648. 

  649. 		List<SshKey> keys = kmgr.getKeys("UserTwo");

  650. 		assertNotNull(keys);

  651. 		assertEquals(1, keys.size());

  652. 		SshKey sshKey = keys.get(0);

  653. 		assertEquals(keyDsaTwo, sshKey.getRawData());

  654. 

  655. 		Signature signature = SecurityUtils.getSignature("DSA");

  656. 		signature.initSign(getDsaKeyPair(comment).getPrivate());

  657. 		byte[] message = comment.getBytes();

  658. 		signature.update(message);

  659. 		byte[] sigBytes = signature.sign();

  660. 

  661. 		signature.initVerify(sshKey.getPublicKey());

  662. 		signature.update(message);

  663. 		assertTrue("Verify failed with retrieved SSH key.", signature.verify(sigBytes));

  664. 	}

  665. 

  666. 

  667. 

  668. 

  669. 

  670. 

  671. 

  672. 

  673. 	private KeyPair getDsaKeyPair(String comment) {

  674. 		return getKeyPair("DSA", comment, dsaGenerator);

  675. 	}

  676. 

  677. 	private KeyPair getKeyPair(String type, String comment, KeyPairGenerator generator) {

  678. 		String kpkey = type + ":" + comment;

  679. 		KeyPair kp = keyPairs.get(kpkey);

  680. 		if (kp == null) {

  681. 			if ("EC".equals(type)) {

  682. 				ECGenParameterSpec ecSpec = new ECGenParameterSpec("P-384");

  683. 				try {

  684. 					ecGenerator.initialize(ecSpec);

  685. 				} catch (InvalidAlgorithmParameterException e) {

  686. 					kp = generator.generateKeyPair();

  687. 					e.printStackTrace();

  688. 				}

  689. 				kp = ecGenerator.generateKeyPair();

  690. 			} else {

  691. 				kp = generator.generateKeyPair();

  692. 			}

  693. 			keyPairs.put(kpkey, kp);

  694. 		}

  695. 

  696. 		return kp;

  697. 	}

  698. 

  699. 

  700. 	private String getRsaPubKey(String comment) {

  701. 		return getPubKey("RSA", comment, rsaGenerator);

  702. 	}

  703. 

  704. 	private String getDsaPubKey(String comment) {

  705. 		return getPubKey("DSA", comment, dsaGenerator);

  706. 	}

  707. 

  708. 	private String getEcPubKey(String comment) {

  709. 		return getPubKey("EC", comment, ecGenerator);

  710. 	}

  711. 

  712. 	private String getPubKey(String type, String comment, KeyPairGenerator generator) {

  713. 		KeyPair kp = getKeyPair(type, comment, generator);

  714. 		if (kp == null) {

  715. 			return null;

  716. 		}

  717. 

  718. 		SshKey sk = new SshKey(kp.getPublic());

  719. 		sk.setComment(comment);

  720. 		return sk.getRawData();

  721. 	}

  722. 

  723. }