Skip to content

Commit

Permalink
AS7-5737 extend LdapExtLoginModule tests to cover referrals in role s…
Browse files Browse the repository at this point in the history
…earch
  • Loading branch information
kwart authored and bstansberry committed Mar 14, 2013
1 parent f1cfcc5 commit dc36255
Show file tree
Hide file tree
Showing 3 changed files with 179 additions and 90 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,8 @@
<security-role><role-name>R4</role-name></security-role>
<security-role><role-name>R5</role-name></security-role>
<security-role><role-name>Roles</role-name></security-role>
<security-role><role-name>User</role-name></security-role>
<security-role><role-name>Admin</role-name></security-role>
<security-role><role-name>SharedRoles</role-name></security-role>

</web-app>
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,18 @@
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.naming.Context;
import javax.security.auth.login.LoginException;

import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.AnnotationUtils;
Expand Down Expand Up @@ -80,6 +85,7 @@
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
Expand Down Expand Up @@ -111,12 +117,13 @@ public class LdapExtLoginModuleTestCase {

private static final String DEP1 = "DEP1";
private static final String DEP2 = "DEP2";
private static final String DEP2_THROW = "DEP2-throw";
private static final String DEP3 = "DEP3";
private static final String DEP4 = "DEP4";
private static final String DEP5 = "DEP5";

private static final String[] ROLE_NAMES = { "TheDuke", "Echo", "TheDuke2", "Echo2", "JBossAdmin", "jduke", "jduke2",
"RG1", "RG2", "RG3", "R1", "R2", "R3", "R4", "R5", "Roles" };
"RG1", "RG2", "RG3", "R1", "R2", "R3", "R4", "R5", "Roles", "User", "Admin", "SharedRoles" };

private static final String QUERY_ROLES;
static {
Expand Down Expand Up @@ -149,6 +156,16 @@ public static WebArchive deployment2() {
return createWar(SECURITY_DOMAIN_NAME_PREFIX + DEP2);
}

/**
* Creates {@link WebArchive} for {@link #test2throw(URL)}.
*
* @return
*/
@Deployment(name = DEP2_THROW)
public static WebArchive deployment2throw() {
return createWar(SECURITY_DOMAIN_NAME_PREFIX + DEP2_THROW);
}

/**
* Creates {@link WebArchive} for {@link #test3(URL)}.
*
Expand Down Expand Up @@ -186,8 +203,9 @@ public static WebArchive deployment5() {
*/
@Test
@OperateOnDeployment(DEP1)
@Ignore("AS7-5737 LdapExtLoginModule fails with follow referral")
public void test1(@ArquillianResource URL webAppURL) throws Exception {
testDeployment(webAppURL, "jduke", false);
testDeployment(webAppURL, "jduke", "TheDuke", "Echo", "Admin");
}

/**
Expand All @@ -198,7 +216,15 @@ public void test1(@ArquillianResource URL webAppURL) throws Exception {
@Test
@OperateOnDeployment(DEP2)
public void test2(@ArquillianResource URL webAppURL) throws Exception {
testDeployment(webAppURL, "jduke", true);
testDeployment(webAppURL, "jduke", "TheDuke", "Echo", "jduke");
}

@Test
@OperateOnDeployment(DEP2_THROW)
public void test2throw(@ArquillianResource URL webAppURL) throws Exception {
final URL rolesPrintingURL = new URL(webAppURL.toExternalForm() + RolePrintingServlet.SERVLET_PATH.substring(1) + "?"
+ QUERY_ROLES);
Utils.makeCallWithBasicAuthn(rolesPrintingURL, "jduke", "theduke", 401);
}

/**
Expand All @@ -208,8 +234,9 @@ public void test2(@ArquillianResource URL webAppURL) throws Exception {
*/
@Test
@OperateOnDeployment(DEP3)
@Ignore("AS7-5737 LdapExtLoginModule fails with follow referral")
public void test3(@ArquillianResource URL webAppURL) throws Exception {
testDeployment(webAppURL, "Java Duke", false);
testDeployment(webAppURL, "Java Duke", "TheDuke", "Echo", "Admin");
}

/**
Expand All @@ -220,27 +247,7 @@ public void test3(@ArquillianResource URL webAppURL) throws Exception {
@Test
@OperateOnDeployment(DEP4)
public void test4(@ArquillianResource URL webAppURL) throws Exception {
final URL rolesPrintingURL = new URL(webAppURL.toExternalForm() + RolePrintingServlet.SERVLET_PATH.substring(1) + "?"
+ QUERY_ROLES);
final String userName = "Java Duke";
final String rolesResponse = Utils.makeCallWithBasicAuthn(rolesPrintingURL, userName, "theduke", 200);

assertNotInRole(rolesResponse, "jduke");
assertNotInRole(rolesResponse, "Java Duke");
assertNotInRole(rolesResponse, "Roles");
assertNotInRole(rolesResponse, "JBossAdmin");
assertNotInRole(rolesResponse, "R4");
//assigned roles
assertInRole(rolesResponse, "RG2");
assertInRole(rolesResponse, "R1");
assertInRole(rolesResponse, "R2");
assertInRole(rolesResponse, "R3");
assertInRole(rolesResponse, "R5");

final URL principalPrintingURL = new URL(webAppURL.toExternalForm()
+ PrincipalPrintingServlet.SERVLET_PATH.substring(1) + "?" + QUERY_ROLES);
final String principal = Utils.makeCallWithBasicAuthn(principalPrintingURL, userName, "theduke", 200);
assertEquals("Unexpected Principal name", userName, principal);
testDeployment(webAppURL, "Java Duke", "RG2", "R1", "R2", "R3", "R5");
}

/**
Expand All @@ -251,51 +258,29 @@ public void test4(@ArquillianResource URL webAppURL) throws Exception {
@Test
@OperateOnDeployment(DEP5)
public void test5(@ArquillianResource URL webAppURL) throws Exception {
final URL rolesPrintingURL = new URL(webAppURL.toExternalForm() + RolePrintingServlet.SERVLET_PATH.substring(1) + "?"
+ QUERY_ROLES);
final String rolesResponse = Utils.makeCallWithBasicAuthn(rolesPrintingURL, "jduke", "theduke", 200);

assertInRole(rolesResponse, "R1");
assertNotInRole(rolesResponse, "R2");
assertNotInRole(rolesResponse, "jduke");
assertNotInRole(rolesResponse, "Java Duke");
assertNotInRole(rolesResponse, "Roles");
assertNotInRole(rolesResponse, "JBossAdmin");
assertNotInRole(rolesResponse, "RG1");
testDeployment(webAppURL, "jduke", "R1");
}

// Private methods -------------------------------------------------------

/**
* Tests role assignment.
*
* @param webAppURL
* @throws MalformedURLException
* @throws ClientProtocolException
* @throws IOException
* @throws URISyntaxException
* Tests role assignment for given deployment (web-app URL).
*/
private void testDeployment(URL webAppURL, String username, boolean hasJdukeRole) throws MalformedURLException,
ClientProtocolException, IOException, URISyntaxException {
private void testDeployment(URL webAppURL, String username, String... assignedRoles) throws MalformedURLException,
ClientProtocolException, IOException, URISyntaxException, LoginException {
final URL rolesPrintingURL = new URL(webAppURL.toExternalForm() + RolePrintingServlet.SERVLET_PATH.substring(1) + "?"
+ QUERY_ROLES);
final String rolesResponse = Utils.makeCallWithBasicAuthn(rolesPrintingURL, username, "theduke", 200);

if (hasJdukeRole) {
assertInRole(rolesResponse, "jduke");
} else {
assertNotInRole(rolesResponse, "jduke");
}
assertNotInRole(rolesResponse, "Java Duke");
assertNotInRole(rolesResponse, "Roles");
assertNotInRole(rolesResponse, "JBossAdmin");
assertNotInRole(rolesResponse, "TheDuke2");
assertNotInRole(rolesResponse, "Echo2");

//assigned roles
assertInRole(rolesResponse, "TheDuke");
assertInRole(rolesResponse, "Echo");
final List<String> assignedRolesList = Arrays.asList(assignedRoles);

for (String role : ROLE_NAMES) {
if (assignedRolesList.contains(role)) {
assertInRole(rolesResponse, role);
} else {
assertNotInRole(rolesResponse, role);
}
}
final URL principalPrintingURL = new URL(webAppURL.toExternalForm()
+ PrincipalPrintingServlet.SERVLET_PATH.substring(1) + "?" + QUERY_ROLES);
final String principal = Utils.makeCallWithBasicAuthn(principalPrintingURL, username, "theduke", 200);
Expand Down Expand Up @@ -381,70 +366,76 @@ protected SecurityDomain[] getSecurityDomains() {
.name(SECURITY_DOMAIN_NAME_PREFIX + DEP1)
.loginModules(
new SecurityModule.Builder().name("org.jboss.security.auth.spi.LdapExtLoginModule")
.options(getCommonOptions()).putOption("baseCtxDN", "ou=People,dc=jboss,dc=org")
.options(getCommonOptions()).putOption(Context.REFERRAL, "follow")
.putOption("baseCtxDN", "ou=People,dc=jboss,dc=org")
.putOption("java.naming.provider.url", "ldap://" + secondaryTestAddress + ":" + LDAP_PORT)
.putOption("baseFilter", "(uid={0})").putOption("rolesCtxDN", "ou=Roles,dc=jboss,dc=org")
.putOption("roleFilter", "(member={1})").putOption("roleAttributeID", "cn")
.putOption("throwValidateError", "true").build()) //
.build();
final SecurityDomain sd2 = new SecurityDomain.Builder()
.name(SECURITY_DOMAIN_NAME_PREFIX + DEP2)
.loginModules(
new SecurityModule.Builder().name("LdapExtended").options(getCommonOptions())
.putOption("java.naming.provider.url", "ldap://" + secondaryTestAddress + ":" + LDAP_PORT)
.putOption("baseCtxDN", "ou=People,o=example2,dc=jboss,dc=org")
.putOption("baseFilter", "(uid={0})")
.putOption("rolesCtxDN", "ou=Roles,o=example2,dc=jboss,dc=org")
.putOption("roleFilter", "(cn={0})").putOption("roleAttributeID", "description")
.putOption("roleAttributeIsDN", "true").putOption("roleNameAttributeID", "cn")
.putOption("roleRecursion", "0").putOption("throwValidateError", "true").build()) //
.putOption("roleFilter", "(|(objectClass=referral)(member={1}))")
.putOption("roleAttributeID", "cn").build()) //
.build();
final SecurityModule.Builder sd2LoginModuleBuilder = new SecurityModule.Builder().name("LdapExtended")
.options(getCommonOptions()).putOption(Context.REFERRAL, "ignore")
.putOption("java.naming.provider.url", "ldap://" + secondaryTestAddress + ":" + LDAP_PORT)
.putOption("baseCtxDN", "ou=People,o=example2,dc=jboss,dc=org").putOption("baseFilter", "(uid={0})")
.putOption("rolesCtxDN", "ou=Roles,o=example2,dc=jboss,dc=org")
.putOption("roleFilter", "(|(objectClass=referral)(cn={0}))").putOption("roleAttributeID", "description")
.putOption("roleAttributeIsDN", "true").putOption("roleNameAttributeID", "cn")
.putOption("roleRecursion", "0");
final SecurityDomain sd2 = new SecurityDomain.Builder().name(SECURITY_DOMAIN_NAME_PREFIX + DEP2)
.loginModules(sd2LoginModuleBuilder.build()).build();
sd2LoginModuleBuilder.putOption(Context.REFERRAL, "throw");
final SecurityDomain sd2throw = new SecurityDomain.Builder().name(SECURITY_DOMAIN_NAME_PREFIX + DEP2_THROW)
.loginModules(sd2LoginModuleBuilder.build()).build();
final SecurityDomain sd3 = new SecurityDomain.Builder()
.name(SECURITY_DOMAIN_NAME_PREFIX + DEP3)
.loginModules(
new SecurityModule.Builder()
.name(LdapExtLoginModule.class.getName())
.options(getCommonOptions())
.putOption(Context.REFERRAL, "follow")
.putOption("java.naming.provider.url", "ldaps://" + secondaryTestAddress + ":" + LDAPS_PORT)
.putOption("baseCtxDN", "ou=People,o=example3,dc=jboss,dc=org")
.putOption("baseFilter", "(cn={0})")
.putOption("rolesCtxDN", "ou=Roles,o=example3,dc=jboss,dc=org")
.putOption("roleFilter", "(member={1})").putOption("roleAttributeID", "cn")
.putOption("roleRecursion", "0").putOption("throwValidateError", "true").build()) //
.putOption("roleFilter", "(|(objectClass=referral)(member={1}))")
.putOption("roleAttributeID", "cn").putOption("roleRecursion", "0").build()) //
.build();
final SecurityDomain sd4 = new SecurityDomain.Builder()
.name(SECURITY_DOMAIN_NAME_PREFIX + DEP4)
.loginModules(
new SecurityModule.Builder()
.name(LdapExtLoginModule.class.getName())
.options(getCommonOptions())
.putOption(Context.REFERRAL, "ignore")
.putOption("java.naming.provider.url", "ldaps://" + secondaryTestAddress + ":" + LDAPS_PORT)
.putOption("baseCtxDN", "ou=People,o=example4,dc=jboss,dc=org")
.putOption("baseFilter", "(cn={0})")
.putOption("rolesCtxDN", "ou=Roles,o=example4,dc=jboss,dc=org")
.putOption("roleFilter", "(member={1})").putOption("roleAttributeID", "cn")
.putOption("roleRecursion", "1").putOption("throwValidateError", "true").build()) //
.putOption("roleFilter", "(|(objectClass=referral)(member={1}))")
.putOption("roleAttributeID", "cn").putOption("roleRecursion", "1").build()) //
.build();
final SecurityDomain sd5 = new SecurityDomain.Builder()
.name(SECURITY_DOMAIN_NAME_PREFIX + DEP5)
.loginModules(
new SecurityModule.Builder().name(LdapExtLoginModule.class.getName()).options(getCommonOptions())
.putOption(Context.REFERRAL, "throw")
.putOption("java.naming.provider.url", "ldap://" + secondaryTestAddress + ":" + LDAP_PORT) //
.putOption("baseCtxDN", "ou=People,o=example5,dc=jboss,dc=org") //
.putOption("baseFilter", "(uid={0})") //
.putOption("rolesCtxDN", "ou=People,o=example5,dc=jboss,dc=org") //
.putOption("roleFilter", "(uid={0})") //
.putOption("roleAttributeID", "employeeNumber").build()) //
.build();
return new SecurityDomain[] { sd1, sd2, sd3, sd4, sd5 };
return new SecurityDomain[] { sd1, sd2, sd2throw, sd3, sd4, sd5 };
}

private Map<String, String> getCommonOptions() {
final Map<String, String> moduleOptions = new HashMap<String, String>();
moduleOptions.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
moduleOptions.put("java.naming.security.authentication", "simple");
moduleOptions.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
moduleOptions.put(Context.SECURITY_AUTHENTICATION, "simple");
moduleOptions.put("bindDN", SECURITY_PRINCIPAL);
moduleOptions.put("bindCredential", SECURITY_CREDENTIALS);
moduleOptions.put("throwValidateError", "true");
return moduleOptions;
}
}
Expand Down Expand Up @@ -499,11 +490,20 @@ static class LDAPServerSetupTask implements ServerSetupTask {
*/
public void setup(ManagementClient managementClient, String containerId) throws Exception {
directoryService = DSAnnotationProcessor.getDirectoryService();
final String hostname = Utils.getSecondaryTestAddress(managementClient);
final Map<String, String> map = new HashMap<String, String>();
map.put("hostname", hostname);
map.put("ldapPort", Integer.toString(LDAP_PORT));
map.put("ldapsPort", Integer.toString(LDAPS_PORT));
final String ldifContent = StrSubstitutor.replace(
IOUtils.toString(
LdapExtLoginModuleTestCase.class.getResourceAsStream(LdapExtLoginModuleTestCase.class
.getSimpleName() + ".ldif"), "UTF-8"), map);
LOGGER.debug(ldifContent);

final SchemaManager schemaManager = directoryService.getSchemaManager();
try {
for (LdifEntry ldifEntry : new LdifReader(
LdapExtLoginModuleTestCase.class.getResourceAsStream(LdapExtLoginModuleTestCase.class.getSimpleName()
+ ".ldif"))) {
for (LdifEntry ldifEntry : new LdifReader(IOUtils.toInputStream(ldifContent))) {
directoryService.getAdminSession().add(new DefaultEntry(schemaManager, ldifEntry.getEntry()));
}
} catch (Exception e) {
Expand All @@ -516,7 +516,7 @@ public void setup(ManagementClient managementClient, String containerId) throws
IOUtils.copy(getClass().getResourceAsStream(KEYSTORE_FILENAME), fos);
fos.close();
createLdapServer.setKeyStore(KEYSTORE_FILE.getAbsolutePath());
fixTransportAddress(createLdapServer, StringUtils.strip(Utils.getSecondaryTestAddress(managementClient), "[]"));
fixTransportAddress(createLdapServer, Utils.getSecondaryTestAddress(managementClient, false));
ldapServer = ServerAnnotationProcessor.instantiateLdapServer(createLdapServer, directoryService);
ldapServer.start();
}
Expand Down
Loading

0 comments on commit dc36255

Please sign in to comment.