/* |
* Copyright 2012 John Crygier |
* Copyright 2012 gitblit.com |
* |
* Licensed under the Apache License, Version 2.0 (the "License"); |
* you may not use this file except in compliance with the License. |
* You may obtain a copy of the License at |
* |
* http://www.apache.org/licenses/LICENSE-2.0 |
* |
* Unless required by applicable law or agreed to in writing, software |
* distributed under the License is distributed on an "AS IS" BASIS, |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
* See the License for the specific language governing permissions and |
* limitations under the License. |
*/ |
package com.gitblit.tests; |
import java.io.File; |
import java.io.FileInputStream; |
import java.util.HashMap; |
import java.util.Map; |
import org.apache.commons.io.FileUtils; |
import org.junit.Before; |
import org.junit.BeforeClass; |
import org.junit.Rule; |
import org.junit.Test; |
import org.junit.rules.TemporaryFolder; |
import com.gitblit.Constants.AccountType; |
import com.gitblit.IStoredSettings; |
import com.gitblit.Keys; |
import com.gitblit.auth.LdapAuthProvider; |
import com.gitblit.manager.AuthenticationManager; |
import com.gitblit.manager.IUserManager; |
import com.gitblit.manager.RuntimeManager; |
import com.gitblit.manager.UserManager; |
import com.gitblit.models.TeamModel; |
import com.gitblit.models.UserModel; |
import com.gitblit.tests.mock.MemorySettings; |
import com.unboundid.ldap.listener.InMemoryDirectoryServer; |
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; |
import com.unboundid.ldap.listener.InMemoryListenerConfig; |
import com.unboundid.ldap.sdk.SearchResult; |
import com.unboundid.ldap.sdk.SearchScope; |
import com.unboundid.ldif.LDIFReader; |
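/**
 * Integration test for {@link LdapAuthProvider}, run against an in-memory
 * UnboundID directory server. The server is started once for the whole class
 * ({@link #createInMemoryLdapServer()}); each test then starts from a directory
 * that has been wiped and re-populated from {@code sampledata.ldif}
 * ({@link #init()}).
 *
 * @author jcrygier
 */
public class LdapAuthenticationTest extends GitblitUnitTest {

    /** Scratch directory holding a private copy of users.conf for each test. */
    @Rule
    public TemporaryFolder folder = new TemporaryFolder();

    /** Folder containing the LDIF fixtures and the seed users.conf. */
    private static final String RESOURCE_DIR = "src/test/resources/ldap/";

    /** Per-test copy of users.conf, so tests never touch the checked-in file. */
    private File usersConf;

    /** Provider under test; rebuilt over a fresh {@link MemorySettings} in {@link #init()}. */
    private LdapAuthProvider ldap;

    /**
     * Port the in-memory server listens on. Package-visible and non-final; any
     * override has to happen before {@link #createInMemoryLdapServer()} binds
     * the listener to it.
     */
    static int ldapPort = 1389;

    /** In-memory directory shared by every test in this class. */
    private static InMemoryDirectoryServer ds;

    /**
     * Most recently created user manager; reassigned by every call to
     * {@link #newLdapAuthentication(IStoredSettings)}.
     */
    private IUserManager userManager;

    /**
     * Authentication manager fronting its own LDAP provider; see
     * {@link #newAuthenticationManager(IStoredSettings)}.
     */
    private AuthenticationManager auth;

    /**
     * Live settings behind {@link #ldap} and {@link #auth}; several tests put
     * keys into it after the provider has been built.
     */
    private MemorySettings settings;

    /**
     * Starts the shared in-memory directory on {@link #ldapPort}.
     * <p>
     * The bind credentials registered here must match the
     * {@code realm.ldap.username}/{@code realm.ldap.password} values that
     * {@link #getSettings()} hands to the provider. Schema checking is switched
     * off ({@code setSchema(null)}) so the fixtures are accepted without a
     * matching schema being loaded.
     *
     * @throws Exception if the listener cannot be created or started
     */
    @BeforeClass
    public static void createInMemoryLdapServer() throws Exception {
        InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain");
        config.addAdditionalBindCredentials("cn=Directory Manager", "password");
        config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", ldapPort));
        config.setSchema(null);

        ds = new InMemoryDirectoryServer(config);
        ds.startListening();
    }

    /**
     * Resets the directory to the contents of sampledata.ldif, gives the test a
     * private users.conf and builds a fresh provider and authentication manager
     * over a new {@link MemorySettings}.
     *
     * @throws Exception if the LDIF import, the file copy or manager start-up fails
     */
    @Before
    public void init() throws Exception {
        ds.clear();
        // Own the stream's lifetime here instead of leaving it to the LDIF
        // import, so the file handle is released even if the import throws.
        FileInputStream sampleData = new FileInputStream(RESOURCE_DIR + "sampledata.ldif");
        try {
            ds.importFromLDIF(true, new LDIFReader(sampleData));
        } finally {
            sampleData.close();
        }
        usersConf = folder.newFile("users.conf");
        FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf);
        settings = getSettings();
        ldap = newLdapAuthentication(settings);
        auth = newAuthenticationManager(settings);
    }

    /**
     * Builds and wires a new {@link LdapAuthProvider} over {@code settings}.
     * <p>
     * Side effect: starts a new {@link RuntimeManager} and {@link UserManager}
     * and stores the latter in {@link #userManager}, replacing whatever was
     * there before. {@link #countLdapUsersInUserManager()} and
     * {@link #countLdapTeamsInUserManager()} read that field.
     *
     * @param settings settings the provider and its runtime read
     * @return a provider that has been set up against the new user manager
     */
    private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        userManager = new UserManager(runtime, null).start();
        LdapAuthProvider provider = new LdapAuthProvider();
        provider.setup(runtime, userManager);
        return provider;
    }

    /**
     * Builds an {@link AuthenticationManager} backed by its own LDAP provider.
     * <p>
     * The manager is constructed over the {@link #userManager} current at entry;
     * the provider added afterwards comes from
     * {@link #newLdapAuthentication(IStoredSettings)}, which then replaces that
     * field. The manager and the field therefore refer to different user
     * managers - existing behaviour, deliberately left unchanged.
     *
     * @param settings settings shared by the manager, its runtime and the provider
     * @return a manager with one LDAP provider registered
     */
    private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
        RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
        AuthenticationManager manager = new AuthenticationManager(runtime, userManager);
        manager.addAuthenticationProvider(newLdapAuthentication(settings));
        return manager;
    }

    /**
     * Assembles settings for a provider that talks to the in-memory server with
     * the test-only Directory Manager credentials and sAMAccountName-style
     * account and group patterns.
     *
     * @return a fresh, mutable {@link MemorySettings}
     */
    private MemorySettings getSettings() {
        Map<String, Object> backingMap = new HashMap<String, Object>();
        backingMap.put(Keys.realm.userService, usersConf.getAbsolutePath());
        backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + ldapPort);
        // Deliberately left unset: realm.ldap.domain and realm.ldap.backingUserService.
        // Test-only bind credentials; they mirror the ones registered in createInMemoryLdapServer().
        backingMap.put(Keys.realm.ldap.username, "cn=Directory Manager");
        backingMap.put(Keys.realm.ldap.password, "password");
        backingMap.put(Keys.realm.ldap.maintainTeams, "true");
        backingMap.put(Keys.realm.ldap.accountBase, "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain");
        backingMap.put(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
        backingMap.put(Keys.realm.ldap.groupBase, "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain");
        backingMap.put(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
        // Admins are granted by user name (UserThree) and by team, with a quoted name for the team containing a space.
        backingMap.put(Keys.realm.ldap.admins, "UserThree @Git_Admins \"@Git Admins\"");
        backingMap.put(Keys.realm.ldap.displayName, "displayName");
        backingMap.put(Keys.realm.ldap.email, "email");
        backingMap.put(Keys.realm.ldap.uid, "sAMAccountName");

        return new MemorySettings(backingMap);
    }

    /**
     * Authenticates each sample user directly against the provider and checks
     * team membership and the admin flag, plus one wrong-password rejection.
     */
    @Test
    public void testAuthenticate() {
        UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertNotNull(userOneModel.getTeam("git_admins"));
        assertNotNull(userOneModel.getTeam("git_users"));
        assertTrue(userOneModel.canAdmin);

        UserModel userOneModelFailedAuth = ldap.authenticate("UserOne", "userTwoPassword".toCharArray());
        assertNull(userOneModelFailedAuth);

        // UserTwo is not in git_admins; admin rights presumably come from the
        // quoted "@Git Admins" entry in realm.ldap.admins.
        UserModel userTwoModel = ldap.authenticate("UserTwo", "userTwoPassword".toCharArray());
        assertNotNull(userTwoModel);
        assertNotNull(userTwoModel.getTeam("git_users"));
        assertNull(userTwoModel.getTeam("git_admins"));
        assertNotNull(userTwoModel.getTeam("git admins"));
        assertTrue(userTwoModel.canAdmin);

        // UserThree is named directly in realm.ldap.admins.
        UserModel userThreeModel = ldap.authenticate("UserThree", "userThreePassword".toCharArray());
        assertNotNull(userThreeModel);
        assertNotNull(userThreeModel.getTeam("git_users"));
        assertNull(userThreeModel.getTeam("git_admins"));
        assertTrue(userThreeModel.canAdmin);
    }

    /** Checks the plain displayName mapping and then a template built from several attributes. */
    @Test
    public void testDisplayName() {
        UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertEquals("User One", userOneModel.displayName);

        // Template form: several attributes concatenated into the display name.
        MemorySettings ms = getSettings();
        ms.put("realm.ldap.displayName", "${personalTitle}. ${givenName} ${surname}");
        ldap = newLdapAuthentication(ms);

        userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertEquals("Mr. User One", userOneModel.displayName);
    }

    /** Checks the plain email attribute mapping and then a template built from several attributes. */
    @Test
    public void testEmail() {
        UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertEquals("userone@gitblit.com", userOneModel.emailAddress);

        // Template form: several attributes concatenated into the address.
        MemorySettings ms = getSettings();
        ms.put("realm.ldap.email", "${givenName}.${surname}@gitblit.com");
        ldap = newLdapAuthentication(ms);

        userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertEquals("User.One@gitblit.com", userOneModel.emailAddress);
    }

    /**
     * A username containing filter syntax must not be substituted verbatim into
     * the account pattern. Unescaped, the value below would turn
     * "(&amp;(objectClass=person)(sAMAccountName=${username}))" into
     * "(&amp;(objectClass=person)(sAMAccountName=*)(userPassword=userOnePassword))",
     * i.e. a search by password; the provider must refuse to authenticate it.
     */
    @Test
    public void testLdapInjection() {
        UserModel userOneModel = ldap.authenticate("*)(userPassword=userOnePassword", "userOnePassword".toCharArray());
        assertNull(userOneModel);
    }

    /**
     * After init(), every person under the account base should have an LDAP
     * account in the user manager.
     *
     * @throws Exception if the directory search fails
     */
    @Test
    public void checkIfUsersConfContainsAllUsersFromSampleDataLdif() throws Exception {
        SearchResult searchResult = ds.search("OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain", SearchScope.SUB, "objectClass=person");
        assertEquals("Number of ldap users in gitblit user model", searchResult.getEntryCount(), countLdapUsersInUserManager());
    }

    /**
     * With realm.ldap.synchronize left at its default, sync() must not pick up
     * a user added to the directory after start-up.
     *
     * @throws Exception if the LDIF cannot be read or added
     */
    @Test
    public void addingUserInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {
        ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));
        ldap.sync();
        assertEquals("Number of ldap users in gitblit user model", 5, countLdapUsersInUserManager());
    }

    /**
     * With realm.ldap.synchronize enabled, sync() must import a user added to
     * the directory after start-up.
     *
     * @throws Exception if the LDIF cannot be read or added
     */
    @Test
    public void addingUserInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {
        settings.put(Keys.realm.ldap.synchronize, "true");
        ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));
        ldap.sync();
        assertEquals("Number of ldap users in gitblit user model", 6, countLdapUsersInUserManager());
    }

    /**
     * With realm.ldap.synchronize left at its default, sync() must not create a
     * team for a group added to the directory after start-up.
     *
     * @throws Exception if the LDIF cannot be read or added
     */
    @Test
    public void addingGroupsInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {
        ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));
        ldap.sync();
        assertEquals("Number of ldap groups in gitblit team model", 0, countLdapTeamsInUserManager());
    }

    /**
     * With realm.ldap.synchronize enabled, sync() must create a team for a group
     * added to the directory after start-up.
     *
     * @throws Exception if the LDIF cannot be read or added
     */
    @Test
    public void addingGroupsInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {
        settings.put(Keys.realm.ldap.synchronize, "true");
        ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));
        ldap.sync();
        assertEquals("Number of ldap groups in gitblit team model", 1, countLdapTeamsInUserManager());
    }

    /**
     * Same expectations as {@link #testAuthenticate()}, but going through the
     * {@link AuthenticationManager} rather than the provider directly.
     */
    @Test
    public void testAuthenticationManager() {
        UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);
        assertNotNull(userOneModel.getTeam("git_admins"));
        assertNotNull(userOneModel.getTeam("git_users"));
        assertTrue(userOneModel.canAdmin);

        UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray());
        assertNull(userOneModelFailedAuth);

        UserModel userTwoModel = auth.authenticate("UserTwo", "userTwoPassword".toCharArray());
        assertNotNull(userTwoModel);
        assertNotNull(userTwoModel.getTeam("git_users"));
        assertNull(userTwoModel.getTeam("git_admins"));
        assertNotNull(userTwoModel.getTeam("git admins"));
        assertTrue(userTwoModel.canAdmin);

        UserModel userThreeModel = auth.authenticate("UserThree", "userThreePassword".toCharArray());
        assertNotNull(userThreeModel);
        assertNotNull(userThreeModel.getTeam("git_users"));
        assertNull(userThreeModel.getTeam("git_admins"));
        assertTrue(userThreeModel.canAdmin);
    }

    /**
     * Switches to binding as the user itself: no manager credentials, and a
     * bind pattern that derives the user's DN from the login name. The settings
     * are changed after {@link #auth} was built, so this only works because the
     * provider reads them on each call.
     */
    @Test
    public void testBindWithUser() {
        settings.put(Keys.realm.ldap.bindpattern, "CN=${username},OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain");
        settings.put(Keys.realm.ldap.username, "");
        settings.put(Keys.realm.ldap.password, "");

        UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray());
        assertNotNull(userOneModel);

        UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray());
        assertNull(userOneModelFailedAuth);
    }

    /**
     * Counts the users in {@link #userManager} whose account type is LDAP.
     *
     * @return number of LDAP-backed users currently known to the user manager
     */
    private int countLdapUsersInUserManager() {
        int ldapUsers = 0;
        for (UserModel user : userManager.getAllUsers()) {
            if (AccountType.LDAP.equals(user.accountType)) {
                ldapUsers++;
            }
        }
        return ldapUsers;
    }

    /**
     * Counts the teams in {@link #userManager} whose account type is LDAP.
     *
     * @return number of LDAP-backed teams currently known to the user manager
     */
    private int countLdapTeamsInUserManager() {
        int ldapTeams = 0;
        for (TeamModel team : userManager.getAllTeams()) {
            if (AccountType.LDAP.equals(team.accountType)) {
                ldapTeams++;
            }
        }
        return ldapTeams;
    }
}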