mirrors
/
gitblit
mirror of https://github.com/gitblit/gitblit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 43 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2967 Commits
11 Branches
Tree: ffadc2e187
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ffadc2e187'
${ noResults }
gitblit/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java

LdapAuthenticationTest.java 21KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595 
  1. /*

  2.  * Copyright 2012 John Crygier

  3.  * Copyright 2012 gitblit.com

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. package com.gitblit.tests;

  18. 

  19. import static org.junit.Assume.*;

  20. 

  21. import java.io.File;

  22. import java.util.Arrays;

  23. import java.util.Collection;

  24. import java.util.EnumSet;

  25. import java.util.HashMap;

  26. import java.util.Map;

  27. 

  28. import org.apache.commons.io.FileUtils;

  29. import org.junit.AfterClass;

  30. import org.junit.Before;

  31. import org.junit.BeforeClass;

  32. import org.junit.Rule;

  33. import org.junit.Test;

  34. import org.junit.rules.TemporaryFolder;

  35. import org.junit.runner.RunWith;

  36. import org.junit.runners.Parameterized;

  37. import org.junit.runners.Parameterized.Parameter;

  38. import org.junit.runners.Parameterized.Parameters;

  39. 

  40. import com.gitblit.Constants.AccountType;

  41. import com.gitblit.IStoredSettings;

  42. import com.gitblit.Keys;

  43. import com.gitblit.auth.LdapAuthProvider;

  44. import com.gitblit.manager.AuthenticationManager;

  45. import com.gitblit.manager.IUserManager;

  46. import com.gitblit.manager.RuntimeManager;

  47. import com.gitblit.manager.UserManager;

  48. import com.gitblit.models.TeamModel;

  49. import com.gitblit.models.UserModel;

  50. import com.gitblit.tests.mock.MemorySettings;

  51. import com.gitblit.utils.XssFilter;

  52. import com.gitblit.utils.XssFilter.AllowXssFilter;

  53. import com.unboundid.ldap.listener.InMemoryDirectoryServer;

  54. import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;

  55. import com.unboundid.ldap.listener.InMemoryDirectoryServerSnapshot;

  56. import com.unboundid.ldap.listener.InMemoryListenerConfig;

  57. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedRequest;

  58. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedResult;

  59. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchEntry;

  60. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchRequest;

  61. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;

  62. import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSimpleBindResult;

  63. import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;

  64. import com.unboundid.ldap.sdk.BindRequest;

  65. import com.unboundid.ldap.sdk.BindResult;

  66. import com.unboundid.ldap.sdk.LDAPException;

  67. import com.unboundid.ldap.sdk.LDAPResult;

  68. import com.unboundid.ldap.sdk.OperationType;

  69. import com.unboundid.ldap.sdk.ResultCode;

  70. import com.unboundid.ldap.sdk.SearchResult;

  71. import com.unboundid.ldap.sdk.SearchScope;

  72. import com.unboundid.ldap.sdk.SimpleBindRequest;

  73. import com.unboundid.ldif.LDIFReader;

  74. 

  75. /**

  76.  * An Integration test for LDAP that tests going against an in-memory UnboundID

  77.  * LDAP server.

  78.  *

  79.  * @author jcrygier

  80.  *

  81.  */

  82. @RunWith(Parameterized.class)

  83. public class LdapAuthenticationTest extends GitblitUnitTest {

  84. 

  85. 	private static final String RESOURCE_DIR = "src/test/resources/ldap/";

  86. 	private static final String DIRECTORY_MANAGER = "cn=Directory Manager";

  87. 	private static final String USER_MANAGER = "cn=UserManager";

  88. 	private static final String ACCOUNT_BASE = "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain";

  89. 	private static final String GROUP_BASE  = "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain";

  90. 

  91. 

  92. 	/**

  93. 	 * Enumeration of different test modes, representing different use scenarios.

  94. 	 * With ANONYMOUS anonymous binds are used to search LDAP.

  95. 	 * DS_MANAGER will use a DIRECTORY_MANAGER to search LDAP. Normal users are prohibited to search the DS.

  96. 	 * With USR_MANAGER, a USER_MANAGER account is used to search in LDAP. This account can only search users

  97. 	 * but not groups. Normal users can search groups, though.

  98. 	 *

  99. 	 */

  100. 	enum AuthMode {

  101. 		ANONYMOUS(1389),

  102. 		DS_MANAGER(2389),

  103. 		USR_MANAGER(3389);

  104. 

  105. 

  106. 		private int ldapPort;

  107. 		private InMemoryDirectoryServer ds;

  108. 		private InMemoryDirectoryServerSnapshot dsSnapshot;

  109. 

  110. 		AuthMode(int port) {

  111. 			this.ldapPort = port;

  112. 		}

  113. 

  114. 		int ldapPort() {

  115. 			return this.ldapPort;

  116. 		}

  117. 

  118. 		void setDS(InMemoryDirectoryServer ds) {

  119. 			if (this.ds == null) {

  120. 				this.ds = ds;

  121. 				this.dsSnapshot = ds.createSnapshot();

  122. 			};

  123. 		}

  124. 

  125. 		InMemoryDirectoryServer getDS() {

  126. 			return ds;

  127. 		}

  128. 

  129. 		void restoreSnapshot() {

  130. 			ds.restoreSnapshot(dsSnapshot);

  131. 		}

  132. 	};

  133. 

  134. 

  135. 

  136. 	@Parameter

  137. 	public AuthMode authMode;

  138. 

  139. 	@Rule

  140. 	public TemporaryFolder folder = new TemporaryFolder();

  141. 

  142. 	private File usersConf;

  143. 

  144. 

  145. 

  146. 	private LdapAuthProvider ldap;

  147. 

  148. 	private IUserManager userManager;

  149. 

  150. 	private AuthenticationManager auth;

  151. 

  152. 	private MemorySettings settings;

  153. 

  154. 

  155. 	/**

  156. 	 * Run the tests with each authentication scenario once.

  157. 	 */

  158. 	@Parameters(name = "{0}")

  159. 	public static Collection<Object[]> data() {

  160. 		return Arrays.asList(new Object[][] { {AuthMode.ANONYMOUS}, {AuthMode.DS_MANAGER}, {AuthMode.USR_MANAGER} });

  161. 	}

  162. 

  163. 

  164. 

  165. 	/**

  166. 	 * Create three different in memory DS.

  167. 	 *

  168. 	 * Each DS has a different configuration:

  169. 	 * The first allows anonymous binds.

  170. 	 * The second requires authentication for all operations. It will only allow the DIRECTORY_MANAGER account

  171. 	 * to search for users and groups.

  172. 	 * The third one is like the second, but it allows users to search for users and groups, and restricts the

  173. 	 * USER_MANAGER from searching for groups.

  174. 	 */

  175. 	@BeforeClass

  176. 	public static void init() throws Exception {

  177. 		InMemoryDirectoryServer ds;

  178. 		InMemoryDirectoryServerConfig config = createInMemoryLdapServerConfig(AuthMode.ANONYMOUS);

  179. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", AuthMode.ANONYMOUS.ldapPort()));

  180. 		ds = createInMemoryLdapServer(config);

  181. 		AuthMode.ANONYMOUS.setDS(ds);

  182. 

  183. 

  184. 		config = createInMemoryLdapServerConfig(AuthMode.DS_MANAGER);

  185. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", AuthMode.DS_MANAGER.ldapPort()));

  186. 		config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class));

  187. 		ds = createInMemoryLdapServer(config);

  188. 		AuthMode.DS_MANAGER.setDS(ds);

  189. 

  190. 

  191. 		config = createInMemoryLdapServerConfig(AuthMode.USR_MANAGER);

  192. 		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", AuthMode.USR_MANAGER.ldapPort()));

  193. 		config.setAuthenticationRequiredOperationTypes(EnumSet.allOf(OperationType.class));

  194. 		ds = createInMemoryLdapServer(config);

  195. 		AuthMode.USR_MANAGER.setDS(ds);

  196. 

  197. 	}

  198. 

  199. 	@AfterClass

  200. 	public static void destroy() throws Exception {

  201. 		for (AuthMode am : AuthMode.values()) {

  202. 			am.getDS().shutDown(true);

  203. 		}

  204. 	}

  205. 

  206. 	public static InMemoryDirectoryServer createInMemoryLdapServer(InMemoryDirectoryServerConfig config) throws Exception {

  207. 		InMemoryDirectoryServer imds = new InMemoryDirectoryServer(config);

  208. 		imds.importFromLDIF(true, RESOURCE_DIR + "sampledata.ldif");

  209. 		imds.startListening();

  210. 		return imds;

  211. 	}

  212. 

  213. 	public static InMemoryDirectoryServerConfig createInMemoryLdapServerConfig(AuthMode authMode) throws Exception {

  214. 		InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain");

  215. 		config.addAdditionalBindCredentials(DIRECTORY_MANAGER, "password");

  216. 		config.addAdditionalBindCredentials(USER_MANAGER, "passwd");

  217. 		config.setSchema(null);

  218. 

  219. 		config.addInMemoryOperationInterceptor(new AccessInterceptor(authMode));

  220. 

  221. 		return config;

  222. 	}

  223. 

  224. 

  225. 

  226. 	@Before

  227. 	public void setup() throws Exception {

  228. 		authMode.restoreSnapshot();

  229. 

  230. 		usersConf = folder.newFile("users.conf");

  231. 		FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf);

  232. 		settings = getSettings();

  233. 		ldap = newLdapAuthentication(settings);

  234. 		auth = newAuthenticationManager(settings);

  235. 	}

  236. 

  237. 	private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {

  238. 		XssFilter xssFilter = new AllowXssFilter();

  239. 		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();

  240. 		userManager = new UserManager(runtime, null).start();

  241. 		LdapAuthProvider ldap = new LdapAuthProvider();

  242. 		ldap.setup(runtime, userManager);

  243. 		return ldap;

  244. 	}

  245. 

  246. 	private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {

  247. 		XssFilter xssFilter = new AllowXssFilter();

  248. 		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();

  249. 		AuthenticationManager auth = new AuthenticationManager(runtime, userManager);

  250. 		auth.addAuthenticationProvider(newLdapAuthentication(settings));

  251. 		return auth;

  252. 	}

  253. 

  254. 	private MemorySettings getSettings() {

  255. 		Map<String, Object> backingMap = new HashMap<String, Object>();

  256. 		backingMap.put(Keys.realm.userService, usersConf.getAbsolutePath());

  257. 		switch(authMode) {

  258. 		case ANONYMOUS:

  259. 			backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + authMode.ldapPort());

  260. 			backingMap.put(Keys.realm.ldap.username, "");

  261. 			backingMap.put(Keys.realm.ldap.password, "");

  262. 			break;

  263. 		case DS_MANAGER:

  264. 			backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + authMode.ldapPort());

  265. 			backingMap.put(Keys.realm.ldap.username, DIRECTORY_MANAGER);

  266. 			backingMap.put(Keys.realm.ldap.password, "password");

  267. 			break;

  268. 		case USR_MANAGER:

  269. 			backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + authMode.ldapPort());

  270. 			backingMap.put(Keys.realm.ldap.username, USER_MANAGER);

  271. 			backingMap.put(Keys.realm.ldap.password, "passwd");

  272. 			break;

  273. 		default:

  274. 			throw new RuntimeException("Unimplemented AuthMode case!");

  275. 

  276. 		}

  277. 		backingMap.put(Keys.realm.ldap.maintainTeams, "true");

  278. 		backingMap.put(Keys.realm.ldap.accountBase, ACCOUNT_BASE);

  279. 		backingMap.put(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");

  280. 		backingMap.put(Keys.realm.ldap.groupBase, GROUP_BASE);

  281. 		backingMap.put(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");

  282. 		backingMap.put(Keys.realm.ldap.admins, "UserThree @Git_Admins \"@Git Admins\"");

  283. 		backingMap.put(Keys.realm.ldap.displayName, "displayName");

  284. 		backingMap.put(Keys.realm.ldap.email, "email");

  285. 		backingMap.put(Keys.realm.ldap.uid, "sAMAccountName");

  286. 

  287. 		MemorySettings ms = new MemorySettings(backingMap);

  288. 		return ms;

  289. 	}

  290. 

  291. 

  292. 

  293. 	@Test

  294. 	public void testAuthenticate() {

  295. 		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());

  296. 		assertNotNull(userOneModel);

  297. 		assertNotNull(userOneModel.getTeam("git_admins"));

  298. 		assertNotNull(userOneModel.getTeam("git_users"));

  299. 		assertTrue(userOneModel.canAdmin);

  300. 

  301. 		UserModel userOneModelFailedAuth = ldap.authenticate("UserOne", "userTwoPassword".toCharArray());

  302. 		assertNull(userOneModelFailedAuth);

  303. 

  304. 		UserModel userTwoModel = ldap.authenticate("UserTwo", "userTwoPassword".toCharArray());

  305. 		assertNotNull(userTwoModel);

  306. 		assertNotNull(userTwoModel.getTeam("git_users"));

  307. 		assertNull(userTwoModel.getTeam("git_admins"));

  308. 		assertNotNull(userTwoModel.getTeam("git admins"));

  309. 		assertTrue(userTwoModel.canAdmin);

  310. 

  311. 		UserModel userThreeModel = ldap.authenticate("UserThree", "userThreePassword".toCharArray());

  312. 		assertNotNull(userThreeModel);

  313. 		assertNotNull(userThreeModel.getTeam("git_users"));

  314. 		assertNull(userThreeModel.getTeam("git_admins"));

  315. 		assertTrue(userThreeModel.canAdmin);

  316. 

  317. 		UserModel userFourModel = ldap.authenticate("UserFour", "userFourPassword".toCharArray());

  318. 		assertNotNull(userFourModel);

  319. 		assertNotNull(userFourModel.getTeam("git_users"));

  320. 		assertNull(userFourModel.getTeam("git_admins"));

  321. 		assertNull(userFourModel.getTeam("git admins"));

  322. 		assertFalse(userFourModel.canAdmin);

  323. 	}

  324. 

  325. 	@Test

  326. 	public void testDisplayName() {

  327. 		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());

  328. 		assertNotNull(userOneModel);

  329. 		assertEquals("User One", userOneModel.displayName);

  330. 

  331. 		// Test more complicated scenarios - concat

  332. 		MemorySettings ms = getSettings();

  333. 		ms.put("realm.ldap.displayName", "${personalTitle}. ${givenName} ${surname}");

  334. 		ldap = newLdapAuthentication(ms);

  335. 

  336. 		userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());

  337. 		assertNotNull(userOneModel);

  338. 		assertEquals("Mr. User One", userOneModel.displayName);

  339. 	}

  340. 

  341. 	@Test

  342. 	public void testEmail() {

  343. 		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());

  344. 		assertNotNull(userOneModel);

  345. 		assertEquals("userone@gitblit.com", userOneModel.emailAddress);

  346. 

  347. 		// Test more complicated scenarios - concat

  348. 		MemorySettings ms = getSettings();

  349. 		ms.put("realm.ldap.email", "${givenName}.${surname}@gitblit.com");

  350. 		ldap = newLdapAuthentication(ms);

  351. 

  352. 		userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());

  353. 		assertNotNull(userOneModel);

  354. 		assertEquals("User.One@gitblit.com", userOneModel.emailAddress);

  355. 	}

  356. 

  357. 	@Test

  358. 	public void testLdapInjection() {

  359. 		// Inject so "(&(objectClass=person)(sAMAccountName=${username}))" becomes "(&(objectClass=person)(sAMAccountName=*)(userPassword=userOnePassword))"

  360. 		// Thus searching by password

  361. 

  362. 		UserModel userOneModel = ldap.authenticate("*)(userPassword=userOnePassword", "userOnePassword".toCharArray());

  363. 		assertNull(userOneModel);

  364. 	}

  365. 

  366. 	@Test

  367. 	public void checkIfUsersConfContainsAllUsersFromSampleDataLdif() throws Exception {

  368. 		SearchResult searchResult = getDS().search(ACCOUNT_BASE, SearchScope.SUB, "objectClass=person");

  369. 		assertEquals("Number of ldap users in gitblit user model", searchResult.getEntryCount(), countLdapUsersInUserManager());

  370. 	}

  371. 

  372. 	@Test

  373. 	public void addingUserInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {

  374. 		getDS().addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));

  375. 		ldap.sync();

  376. 		assertEquals("Number of ldap users in gitblit user model", 5, countLdapUsersInUserManager());

  377. 	}

  378. 

  379. 	@Test

  380. 	public void addingUserInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {

  381. 		settings.put(Keys.realm.ldap.synchronize, "true");

  382. 		getDS().addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));

  383. 		ldap.sync();

  384. 		assertEquals("Number of ldap users in gitblit user model", 6, countLdapUsersInUserManager());

  385. 	}

  386. 

  387. 	@Test

  388. 	public void addingGroupsInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {

  389. 		getDS().addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));

  390. 		ldap.sync();

  391. 		assertEquals("Number of ldap groups in gitblit team model", 0, countLdapTeamsInUserManager());

  392. 	}

  393. 

  394. 	@Test

  395. 	public void addingGroupsInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {

  396. 		// This test only makes sense if the authentication mode allows for synchronization.

  397. 		assumeTrue(authMode == AuthMode.ANONYMOUS || authMode == AuthMode.DS_MANAGER);

  398. 

  399. 		settings.put(Keys.realm.ldap.synchronize, "true");

  400. 		getDS().addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));

  401. 		ldap.sync();

  402. 		assertEquals("Number of ldap groups in gitblit team model", 1, countLdapTeamsInUserManager());

  403. 	}

  404. 

  405. 	@Test

  406. 	public void testAuthenticationManager() {

  407. 		UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray(), null);

  408. 		assertNotNull(userOneModel);

  409. 		assertNotNull(userOneModel.getTeam("git_admins"));

  410. 		assertNotNull(userOneModel.getTeam("git_users"));

  411. 		assertTrue(userOneModel.canAdmin);

  412. 

  413. 		UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray(), null);

  414. 		assertNull(userOneModelFailedAuth);

  415. 

  416. 		UserModel userTwoModel = auth.authenticate("UserTwo", "userTwoPassword".toCharArray(), null);

  417. 		assertNotNull(userTwoModel);

  418. 		assertNotNull(userTwoModel.getTeam("git_users"));

  419. 		assertNull(userTwoModel.getTeam("git_admins"));

  420. 		assertNotNull(userTwoModel.getTeam("git admins"));

  421. 		assertTrue(userTwoModel.canAdmin);

  422. 

  423. 		UserModel userThreeModel = auth.authenticate("UserThree", "userThreePassword".toCharArray(), null);

  424. 		assertNotNull(userThreeModel);

  425. 		assertNotNull(userThreeModel.getTeam("git_users"));

  426. 		assertNull(userThreeModel.getTeam("git_admins"));

  427. 		assertTrue(userThreeModel.canAdmin);

  428. 

  429. 		UserModel userFourModel = auth.authenticate("UserFour", "userFourPassword".toCharArray(), null);

  430. 		assertNotNull(userFourModel);

  431. 		assertNotNull(userFourModel.getTeam("git_users"));

  432. 		assertNull(userFourModel.getTeam("git_admins"));

  433. 		assertNull(userFourModel.getTeam("git admins"));

  434. 		assertFalse(userFourModel.canAdmin);

  435. 	}

  436. 

  437. 	@Test

  438. 	public void testBindWithUser() {

  439. 		// This test only makes sense if the user is not prevented from reading users and teams.

  440. 		assumeTrue(authMode != AuthMode.DS_MANAGER);

  441. 

  442. 		settings.put(Keys.realm.ldap.bindpattern, "CN=${username},OU=US," + ACCOUNT_BASE);

  443. 		settings.put(Keys.realm.ldap.username, "");

  444. 		settings.put(Keys.realm.ldap.password, "");

  445. 

  446. 		UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray(), null);

  447. 		assertNotNull(userOneModel);

  448. 

  449. 		UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray(), null);

  450. 		assertNull(userOneModelFailedAuth);

  451. 	}

  452. 

  453. 

  454. 	private InMemoryDirectoryServer getDS()

  455. 	{

  456. 		return authMode.getDS();

  457. 	}

  458. 

  459. 	private int countLdapUsersInUserManager() {

  460. 		int ldapAccountCount = 0;

  461. 		for (UserModel userModel : userManager.getAllUsers()) {

  462. 			if (AccountType.LDAP.equals(userModel.accountType)) {

  463. 				ldapAccountCount++;

  464. 			}

  465. 		}

  466. 		return ldapAccountCount;

  467. 	}

  468. 

  469. 	private int countLdapTeamsInUserManager() {

  470. 		int ldapAccountCount = 0;

  471. 		for (TeamModel teamModel : userManager.getAllTeams()) {

  472. 			if (AccountType.LDAP.equals(teamModel.accountType)) {

  473. 				ldapAccountCount++;

  474. 			}

  475. 		}

  476. 		return ldapAccountCount;

  477. 	}

  478. 

  479. 

  480. 

  481. 

  482. 	/**

  483. 	 * Operation interceptor for the in memory DS. This interceptor

  484. 	 * implements access restrictions for certain user/DN combinations.

  485. 	 *

  486. 	 * The USER_MANAGER is only allowed to search for users, but not for groups.

  487. 	 * This is to test the original behaviour where the teams were searched under

  488. 	 * the user binding.

  489. 	 * When running in a DIRECTORY_MANAGER scenario, only the manager account

  490. 	 * is allowed to search for users and groups, while a normal user may not do so.

  491. 	 * This tests the scenario where a normal user cannot read teams and thus the

  492. 	 * manager account needs to be used for all searches.

  493. 	 *

  494. 	 */

  495. 	private static class AccessInterceptor extends InMemoryOperationInterceptor {

  496. 		AuthMode authMode;

  497. 		Map<Long,String> lastSuccessfulBindDN = new HashMap<>();

  498. 		Map<Long,Boolean> resultProhibited = new HashMap<>();

  499. 

  500. 		public AccessInterceptor(AuthMode authMode) {

  501. 			this.authMode = authMode;

  502. 		}

  503. 

  504. 

  505. 		@Override

  506. 		public void processSimpleBindResult(InMemoryInterceptedSimpleBindResult bind) {

  507. 			BindResult result = bind.getResult();

  508. 			if (result.getResultCode() == ResultCode.SUCCESS) {

  509. 				 BindRequest bindRequest = bind.getRequest();

  510. 				 lastSuccessfulBindDN.put(bind.getConnectionID(), ((SimpleBindRequest)bindRequest).getBindDN());

  511. 				 resultProhibited.remove(bind.getConnectionID());

  512. 			}

  513. 		}

  514. 

  515. 

  516. 

  517. 		@Override

  518. 		public void processSearchRequest(InMemoryInterceptedSearchRequest request) throws LDAPException {

  519. 			String bindDN = getLastBindDN(request);

  520. 

  521. 			if (USER_MANAGER.equals(bindDN)) {

  522. 				if (request.getRequest().getBaseDN().endsWith(GROUP_BASE)) {

  523. 					throw new LDAPException(ResultCode.NO_SUCH_OBJECT);

  524. 				}

  525. 			}

  526. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  527. 				throw new LDAPException(ResultCode.NO_SUCH_OBJECT);

  528. 			}

  529. 		}

  530. 

  531. 

  532. 		@Override

  533. 		public void processSearchEntry(InMemoryInterceptedSearchEntry entry) {

  534. 			String bindDN = getLastBindDN(entry);

  535. 

  536. 			boolean prohibited = false;

  537. 

  538. 			if (USER_MANAGER.equals(bindDN)) {

  539. 				if (entry.getSearchEntry().getDN().endsWith(GROUP_BASE)) {

  540. 					prohibited = true;

  541. 				}

  542. 			}

  543. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  544. 				prohibited = true;

  545. 			}

  546. 

  547. 			if (prohibited) {

  548. 				// Found entry prohibited for bound user. Setting entry to null.

  549. 				entry.setSearchEntry(null);

  550. 				resultProhibited.put(entry.getConnectionID(), Boolean.TRUE);

  551. 			}

  552. 		}

  553. 

  554. 		@Override

  555. 		public void processSearchResult(InMemoryInterceptedSearchResult result) {

  556. 			String bindDN = getLastBindDN(result);

  557. 

  558. 			boolean prohibited = false;

  559. 

  560. 			Boolean rspb = resultProhibited.get(result.getConnectionID());

  561. 			if (USER_MANAGER.equals(bindDN)) {

  562. 				if (rspb != null && rspb) {

  563. 					prohibited = true;

  564. 				}

  565. 			}

  566. 			else if(authMode == AuthMode.DS_MANAGER && !DIRECTORY_MANAGER.equals(bindDN)) {

  567. 				if (rspb != null && rspb) {

  568. 					prohibited = true;

  569. 				}

  570. 			}

  571. 

  572. 			if (prohibited) {

  573. 				// Result prohibited for bound user. Returning error

  574. 				result.setResult(new LDAPResult(result.getMessageID(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS));

  575. 				resultProhibited.remove(result.getConnectionID());

  576. 			}

  577. 		}

  578. 

  579. 		private String getLastBindDN(InMemoryInterceptedResult result) {

  580. 			String bindDN = lastSuccessfulBindDN.get(result.getConnectionID());

  581. 			if (bindDN == null) {

  582. 				return "UNKNOWN";

  583. 			}

  584. 			return bindDN;

  585. 		}

  586. 		private String getLastBindDN(InMemoryInterceptedRequest request) {

  587. 			String bindDN = lastSuccessfulBindDN.get(request.getConnectionID());

  588. 			if (bindDN == null) {

  589. 				return "UNKNOWN";

  590. 			}

  591. 			return bindDN;

  592. 		}

  593. 	}

  594. 

  595. }