mirrors
/
gitblit
peilaus alkaen https://github.com/gitblit/gitblit.git
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Julkaisut 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2974 Commitit
11 Branchit
Puu: cb89090d93
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'cb89090d93'
${ noResults }
gitblit/src/test/java/com/gitblit/tests/LdapBasedUnitTest.java

LdapBasedUnitTest.java 13KB
Raaka Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410 
  1. package com.gitblit.tests;

  2. 

  3. import java.io.File;

  4. import java.util.Arrays;

  5. import java.util.Collection;

  6. import java.util.EnumSet;

  7. import java.util.HashMap;

  8. import java.util.Map;

  9. 

  10. import org.apache.commons.io.FileUtils;

  11. import org.junit.AfterClass;

  12. import org.junit.Before;

  13. import org.junit.BeforeClass;

  14. import org.junit.Rule;

  15. import org.junit.rules.TemporaryFolder;

  16. import org.junit.runners.Parameterized.Parameter;

  17. import org.junit.runners.Parameterized.Parameters;

  18. 

  19. import com.gitblit.Keys;

  20. import com.gitblit.tests.mock.MemorySettings;

  21. import com.unboundid.ldap.listener.InMemoryDirectoryServer;

  22. import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;

  23. import com.unboundid.ldap.listener.InMemoryDirectoryServerSnapshot;

  24. import com.unboundid.ldap.listener.InMemoryListenerConfig;

  25. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedRequest;

  26. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedResult;

  27. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchEntry;

  28. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchRequest;

  29. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;

  30. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSimpleBindResult;

  31. import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;

  32. import com.unboundid.ldap.sdk.BindRequest;

  33. import com.unboundid.ldap.sdk.BindResult;

  34. import com.unboundid.ldap.sdk.LDAPException;

  35. import com.unboundid.ldap.sdk.LDAPResult;

  36. import com.unboundid.ldap.sdk.OperationType;

  37. import com.unboundid.ldap.sdk.ResultCode;

  38. import com.unboundid.ldap.sdk.SimpleBindRequest;

  39. 

  40. 

  41. 

  42. /**

  43.  * Base class for Unit (/Integration) tests that test going against an

  44.  * in-memory UnboundID LDAP server.

  45.  *

  46.  * This base class creates separate in-memory LDAP servers for different scenarios:

  47.  * - ANONYMOUS: anonymous bind to LDAP.

  48.  * - DS_MANAGER: The DIRECTORY_MANAGER is set as DN to bind as an admin.

  49.  *               Normal users are prohibited to search the DS, they can only bind.

  50.  * - USR_MANAGER: The USER_MANAGER is set as DN to bind as an admin.

  51.  *                This account can only search users but not groups. Normal users can search groups.

  52.  *

  53.  * @author Florian Zschocke

  54.  *

  55.  */

  56. public abstract class LdapBasedUnitTest extends GitblitUnitTest {

  57. 

  58. 	protected static final String RESOURCE_DIR = "src/test/resources/ldap/";

  59. 	private static final String DIRECTORY_MANAGER = "cn=Directory Manager";

  60. 	private static final String USER_MANAGER = "cn=UserManager";

  61. 	protected static final String ACCOUNT_BASE = "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain";

  62. 	private static final String GROUP_BASE = "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain";

  63. 	protected static final String DN_USER_ONE = "CN=UserOne,OU=US," + ACCOUNT_BASE;

  64. 	protected static final String DN_USER_TWO = "CN=UserTwo,OU=US," + ACCOUNT_BASE;

  65. 	protected static final String DN_USER_THREE = "CN=UserThree,OU=Canada," + ACCOUNT_BASE;

  66. 

  67. 

  68. 	/**

  69. 	 * Enumeration of different test modes, representing different use scenarios.

  70. 	 * With ANONYMOUS anonymous binds are used to search LDAP.

  71. 	 * DS_MANAGER will use a DIRECTORY_MANAGER to search LDAP. Normal users are prohibited to search the DS.

  72. 	 * With USR_MANAGER, a USER_MANAGER account is used to search in LDAP. This account can only search users

  73. 	 * but not groups. Normal users can search groups, though.

  74. 	 *

  75. 	 */

  76. 	protected enum AuthMode {

  77. 		ANONYMOUS,

  78. 		DS_MANAGER,

  79. 		USR_MANAGER;

  80. 

  81. 

  82. 		private int ldapPort;

  83. 		private InMemoryDirectoryServer ds;

  84. 		private InMemoryDirectoryServerSnapshot dsSnapshot;

  85. 		private BindTracker bindTracker;

  86. 

  87. 		void setLdapPort(int port) {

  88. 			this.ldapPort = port;

  89. 		}

  90. 

  91. 		int ldapPort() {

  92. 			return this.ldapPort;

  93. 		}

  94. 

  95. 		void setDS(InMemoryDirectoryServer ds) {

  96. 			if (this.ds == null) {

  97. 				this.ds = ds;

  98. 				this.dsSnapshot = ds.createSnapshot();

  99. 			};

  100. 		}

  101. 

  102. 		InMemoryDirectoryServer getDS() {

  103. 			return ds;

  104. 		}

  105. 

  106. 		void setBindTracker(BindTracker bindTracker) {

  107. 			this.bindTracker = bindTracker;

  108. 		}

  109. 

  110. 		BindTracker getBindTracker() {

  111. 			return bindTracker;

  112. 		}

  113. 

  114. 		void restoreSnapshot() {

  115. 			ds.restoreSnapshot(dsSnapshot);

  116. 		}

  117. 	}

  118. 

  119. 	@Parameter

  120. 	public AuthMode authMode = AuthMode.ANONYMOUS;

  121. 

  122. 	@Rule

  123. 	public TemporaryFolder folder = new TemporaryFolder();

  124. 

  125. 

  126. 	protected File usersConf;

  127. 

  128. 	protected MemorySettings settings;

  129. 

  130. 

  131. 	/**

  132. 	 * Run the tests with each authentication scenario once.

  133. 	 */

  134. 	@Parameters(name = "{0}")

  135. 	public static Collection<Object[]> data() {

  136. 		return Arrays.asList(new Object[][] { {AuthMode.ANONYMOUS}, {AuthMode.DS_MANAGER}, {AuthMode.USR_MANAGER} });

  137. 	}

  138. 

  139. 

  140. 	/**

  141. 	 * Create three different in memory DS.

  142. 	 *

  143. 	 * Each DS has a different configuration:

  144. 	 * The first allows anonymous binds.

  145. 	 * The second requires authentication for all operations. It will only allow the DIRECTORY_MANAGER account

  146. 	 * to search for users and groups.

  147. 	 * The third one is like the second, but it allows users to search for users and groups, and restricts the

  148. 	 * USER_MANAGER from searching for groups.

  149. 	 */

  150. 	@BeforeClass

  151. 	public static void ldapInit() throws Exception {

  152. 		InMemoryDirectoryServer ds;

  153. 		InMemoryDirectoryServerConfig config = createInMemoryLdapServerConfig(AuthMode.ANONYMOUS);

  154. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("anonymous"));

  155. 		ds = createInMemoryLdapServer(config);

  156. 		AuthMode.ANONYMOUS.setDS(ds);

  157. 		AuthMode.ANONYMOUS.setLdapPort(ds.getListenPort("anonymous"));

  158. 

  159. 

  160. 		config = createInMemoryLdapServerConfig(AuthMode.DS_MANAGER);

  161. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("ds_manager"));

  162. 		config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class));

  163. 		ds = createInMemoryLdapServer(config);

  164. 		AuthMode.DS_MANAGER.setDS(ds);

  165. 		AuthMode.DS_MANAGER.setLdapPort(ds.getListenPort("ds_manager"));

  166. 

  167. 

  168. 		config = createInMemoryLdapServerConfig(AuthMode.USR_MANAGER);

  169. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("usr_manager"));

  170. 		config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class));

  171. 		ds = createInMemoryLdapServer(config);

  172. 		AuthMode.USR_MANAGER.setDS(ds);

  173. 		AuthMode.USR_MANAGER.setLdapPort(ds.getListenPort("usr_manager"));

  174. 

  175. 	}

  176. 

  177. 	@AfterClass

  178. 	public static void destroy() throws Exception {

  179. 		for (AuthMode am : AuthMode.values()) {

  180. 			am.getDS().shutDown(true);

  181. 		}

  182. 	}

  183. 

  184. 	public static InMemoryDirectoryServer createInMemoryLdapServer(InMemoryDirectoryServerConfig config) throws Exception {

  185. 		InMemoryDirectoryServer imds = new InMemoryDirectoryServer(config);

  186. 		imds.importFromLDIF(true, RESOURCE_DIR + "sampledata.ldif");

  187. 		imds.startListening();

  188. 		return imds;

  189. 	}

  190. 

  191. 	public static InMemoryDirectoryServerConfig createInMemoryLdapServerConfig(AuthMode authMode) throws Exception {

  192. 		InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain");

  193. 		config.addAdditionalBindCredentials(DIRECTORY_MANAGER, "password");

  194. 		config.addAdditionalBindCredentials(USER_MANAGER, "passwd");

  195. 		config.setSchema(null);

  196. 

  197. 		authMode.setBindTracker(new BindTracker());

  198. 		config.addInMemoryOperationInterceptor(authMode.getBindTracker());

  199. 		config.addInMemoryOperationInterceptor(new AccessInterceptor(authMode));

  200. 

  201. 		return config;

  202. 	}

  203. 

  204. 

  205. 

  206. 	@Before

  207. 	public void setupBase() throws Exception {

  208. 		authMode.restoreSnapshot();

  209. 		authMode.getBindTracker().reset();

  210. 

  211. 		usersConf = folder.newFile("users.conf");

  212. 		FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf);

  213. 		settings = getSettings();

  214. 	}

  215. 

  216. 

  217. 	protected InMemoryDirectoryServer getDS() {

  218. 		return authMode.getDS();

  219. 	}

  220. 

  221. 

  222. 

  223. 	protected MemorySettings getSettings() {

  224. 		Map<String, Object> backingMap = new HashMap<String, Object>();

  225. 		backingMap.put(Keys.realm.userService, usersConf.getAbsolutePath());

  226. 		backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + authMode.ldapPort());

  227. 		switch(authMode) {

  228. 		case ANONYMOUS:

  229. 			backingMap.put(Keys.realm.ldap.username, "");

  230. 			backingMap.put(Keys.realm.ldap.password, "");

  231. 			break;

  232. 		case DS_MANAGER:

  233. 			backingMap.put(Keys.realm.ldap.username, DIRECTORY_MANAGER);

  234. 			backingMap.put(Keys.realm.ldap.password, "password");

  235. 			break;

  236. 		case USR_MANAGER:

  237. 			backingMap.put(Keys.realm.ldap.username, USER_MANAGER);

  238. 			backingMap.put(Keys.realm.ldap.password, "passwd");

  239. 			break;

  240. 		default:

  241. 			throw new RuntimeException("Unimplemented AuthMode case!");

  242. 

  243. 		}

  244. 		backingMap.put(Keys.realm.ldap.maintainTeams, "true");

  245. 		backingMap.put(Keys.realm.ldap.accountBase, ACCOUNT_BASE);

  246. 		backingMap.put(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

  247. 		backingMap.put(Keys.realm.ldap.groupBase, GROUP_BASE);

  248. 		backingMap.put(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");

  249. 		backingMap.put(Keys.realm.ldap.admins, "UserThree @Git_Admins \"@Git Admins\"");

  250. 		backingMap.put(Keys.realm.ldap.displayName, "displayName");

  251. 		backingMap.put(Keys.realm.ldap.email, "email");

  252. 		backingMap.put(Keys.realm.ldap.uid, "sAMAccountName");

  253. 

  254. 		MemorySettings ms = new MemorySettings(backingMap);

  255. 		return ms;

  256. 	}

  257. 

  258. 

  259. 

  260. 

  261. 	/**

  262. 	 * Operation interceptor for the in memory DS. This interceptor

  263. 	 * tracks bind requests.

  264. 	 *

  265. 	 */

  266. 	protected static class BindTracker extends InMemoryOperationInterceptor {

  267. 		private Map<Integer,String> lastSuccessfulBindDNs = new HashMap<>();

  268. 		private String lastSuccessfulBindDN;

  269. 

  270. 

  271. 		@Override

  272. 		public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult bind) {

  273. 			BindResult result = bind.getResult();

  274. 			if (result.getResultCode() == ResultCode.SUCCESS) {

  275. 				 BindRequest bindRequest = bind.getRequest();

  276. 				 lastSuccessfulBindDNs.put(bind.getMessageID(), ((SimpleBindRequest)bindRequest).getBindDN());

  277. 				 lastSuccessfulBindDN = ((SimpleBindRequest)bindRequest).getBindDN();

  278. 			}

  279. 		}

  280. 

  281. 		String getLastSuccessfulBindDN() {

  282. 			return lastSuccessfulBindDN;

  283. 		}

  284. 

  285. 		String getLastSuccessfulBindDN(int messageID) {

  286. 			return lastSuccessfulBindDNs.get(messageID);

  287. 		}

  288. 

  289. 		void reset() {

  290. 			lastSuccessfulBindDNs = new HashMap<>();

  291. 			lastSuccessfulBindDN = null;

  292. 		}

  293. 	}

  294. 

  295. 

  296. 

  297. 	/**

  298. 	 * Operation interceptor for the in memory DS. This interceptor

  299. 	 * implements access restrictions for certain user/DN combinations.

  300. 	 *

  301. 	 * The USER_MANAGER is only allowed to search for users, but not for groups.

  302. 	 * This is to test the original behaviour where the teams were searched under

  303. 	 * the user binding.

  304. 	 * When running in a DIRECTORY_MANAGER scenario, only the manager account

  305. 	 * is allowed to search for users and groups, while a normal user may not do so.

  306. 	 * This tests the scenario where a normal user cannot read teams and thus the

  307. 	 * manager account needs to be used for all searches.

  308. 	 *

  309. 	 */

  310. 	protected static class AccessInterceptor extends InMemoryOperationInterceptor {

  311. 		AuthMode authMode;

  312. 		Map<Long,String> lastSuccessfulBindDN = new HashMap<>();

  313. 		Map<Long,Boolean> resultProhibited = new HashMap<>();

  314. 

  315. 		public AccessInterceptor(AuthMode authMode) {

  316. 			this.authMode = authMode;

  317. 		}

  318. 

  319. 

  320. 		@Override

  321. 		public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult bind) {

  322. 			BindResult result = bind.getResult();

  323. 			if (result.getResultCode() == ResultCode.SUCCESS) {

  324. 				 BindRequest bindRequest = bind.getRequest();

  325. 				 lastSuccessfulBindDN.put(bind.getConnectionID(), ((SimpleBindRequest)bindRequest).getBindDN());

  326. 				 resultProhibited.remove(bind.getConnectionID());

  327. 			}

  328. 		}

  329. 

  330. 

  331. 

  332. 		@Override

  333. 		public void processSearchRequest(InMemoryInterceptedSearchRequest request) throws LDAPException {

  334. 			String bindDN = getLastBindDN(request);

  335. 

  336. 			if (USER_MANAGER.equals(bindDN)) {

  337. 				if (request.getRequest().getBaseDN().endsWith(GROUP_BASE)) {

  338. 					throw new LDAPException(ResultCode.NO_SUCH_OBJECT);

  339. 				}

  340. 			}

  341. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  342. 				throw new LDAPException(ResultCode.NO_SUCH_OBJECT);

  343. 			}

  344. 		}

  345. 

  346. 

  347. 		@Override

  348. 		public void processSearchEntry(InMemoryInterceptedSearchEntry entry) {

  349. 			String bindDN = getLastBindDN(entry);

  350. 

  351. 			boolean prohibited = false;

  352. 

  353. 			if (USER_MANAGER.equals(bindDN)) {

  354. 				if (entry.getSearchEntry().getDN().endsWith(GROUP_BASE)) {

  355. 					prohibited = true;

  356. 				}

  357. 			}

  358. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  359. 				prohibited = true;

  360. 			}

  361. 

  362. 			if (prohibited) {

  363. 				// Found entry prohibited for bound user. Setting entry to null.

  364. 				entry.setSearchEntry(null);

  365. 				resultProhibited.put(entry.getConnectionID(), Boolean.TRUE);

  366. 			}

  367. 		}

  368. 

  369. 		@Override

  370. 		public void processSearchResult(InMemoryInterceptedSearchResult result) {

  371. 			String bindDN = getLastBindDN(result);

  372. 

  373. 			boolean prohibited = false;

  374. 

  375. 			Boolean rspb = resultProhibited.get(result.getConnectionID());

  376. 			if (USER_MANAGER.equals(bindDN)) {

  377. 				if (rspb != null && rspb) {

  378. 					prohibited = true;

  379. 				}

  380. 			}

  381. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  382. 				if (rspb != null && rspb) {

  383. 					prohibited = true;

  384. 				}

  385. 			}

  386. 

  387. 			if (prohibited) {

  388. 				// Result prohibited for bound user. Returning error

  389. 				result.setResult(new LDAPResult(result.getMessageID(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS));

  390. 				resultProhibited.remove(result.getConnectionID());

  391. 			}

  392. 		}

  393. 

  394. 		private String getLastBindDN(InMemoryInterceptedResult result) {

  395. 			String bindDN = lastSuccessfulBindDN.get(result.getConnectionID());

  396. 			if (bindDN == null) {

  397. 				return "UNKNOWN";

  398. 			}

  399. 			return bindDN;

  400. 		}

  401. 		private String getLastBindDN(InMemoryInterceptedRequest request) {

  402. 			String bindDN = lastSuccessfulBindDN.get(request.getConnectionID());

  403. 			if (bindDN == null) {

  404. 				return "UNKNOWN";

  405. 			}

  406. 			return bindDN;

  407. 		}

  408. 	}

  409. 

  410. }