/* |
* Copyright 2012 John Crygier |
* Copyright 2012 gitblit.com |
* |
* Licensed under the Apache License, Version 2.0 (the "License"); |
* you may not use this file except in compliance with the License. |
* You may obtain a copy of the License at |
* |
* http://www.apache.org/licenses/LICENSE-2.0 |
* |
* Unless required by applicable law or agreed to in writing, software |
* distributed under the License is distributed on an "AS IS" BASIS, |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
* See the License for the specific language governing permissions and |
* limitations under the License. |
*/ |
package com.gitblit.tests; |
import java.io.File;
import java.io.FileInputStream;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.io.FileUtils;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

import com.gitblit.Constants.AccountType;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.auth.LdapAuthProvider;
import com.gitblit.manager.AuthenticationManager;
import com.gitblit.manager.IUserManager;
import com.gitblit.manager.RuntimeManager;
import com.gitblit.manager.UserManager;
import com.gitblit.models.TeamModel;
import com.gitblit.models.UserModel;
import com.gitblit.tests.mock.MemorySettings;
import com.gitblit.utils.XssFilter;
import com.gitblit.utils.XssFilter.AllowXssFilter;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldif.LDIFReader;
/** |
* An Integration test for LDAP that tests going against an in-memory UnboundID |
* LDAP server. |
* |
* @author jcrygier |
* |
*/ |
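public class LdapAuthenticationTest extends GitblitUnitTest {

	/** Scratch folder holding the per-test copy of users.conf; JUnit deletes it after each test. */
	@Rule
	public TemporaryFolder folder = new TemporaryFolder();

	private static final String RESOURCE_DIR = "src/test/resources/ldap/";

	/** Per-test working copy of the users.conf fixture, so a sync never dirties the checked-in file. */
	private File usersConf;

	/** The provider under test, wired to {@link #userManager} and {@link #settings}. */
	private LdapAuthProvider ldap;

	/** Port the in-memory directory listens on. Kept package-visible and non-final as before. */
	static int ldapPort = 1389;

	/** In-memory UnboundID directory shared by every test in this class; its content is reloaded per test. */
	private static InMemoryDirectoryServer ds;

	/** The user manager that {@link #ldap} syncs into and that the count helpers read from. */
	private IUserManager userManager;

	/** Authentication manager that delegates to {@link #ldap}. */
	private AuthenticationManager auth;

	/** Mutable settings shared by {@link #ldap} and {@link #auth}; individual tests adjust them in place. */
	private MemorySettings settings;

	/**
	 * Starts a schema-less in-memory LDAP server on {@link #ldapPort} with a single
	 * privileged bind identity. Directory content is loaded per test in {@link #init()}.
	 *
	 * @throws Exception if the server cannot be configured or started
	 */
	@BeforeClass
	public static void createInMemoryLdapServer() throws Exception {
		InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig("dc=MyDomain");
		config.addAdditionalBindCredentials("cn=Directory Manager", "password");
		config.setListenerConfigs(InMemoryListenerConfig.createLDAPConfig("default", ldapPort));
		// Schema checking is disabled; presumably because the sample LDIF uses Active
		// Directory style attributes (e.g. sAMAccountName) that the default schema lacks.
		config.setSchema(null);

		ds = new InMemoryDirectoryServer(config);
		ds.startListening();
	}

	/**
	 * Stops the in-memory server so the listener socket on {@link #ldapPort} does not
	 * outlive this test class.
	 */
	@AfterClass
	public static void shutdownInMemoryLdapServer() {
		if (ds != null) {
			ds.shutDown(true);
			ds = null;
		}
	}

	/**
	 * Resets the directory to the sample data and builds a fresh provider and
	 * authentication manager, so no test can observe the state left by another.
	 *
	 * @throws Exception on I/O or LDIF problems
	 */
	@Before
	public void init() throws Exception {
		ds.clear();
		// Always close the LDIF stream, even if the import fails.
		LDIFReader ldif = new LDIFReader(new FileInputStream(RESOURCE_DIR + "sampledata.ldif"));
		try {
			ds.importFromLDIF(true, ldif);
		} finally {
			ldif.close();
		}
		usersConf = folder.newFile("users.conf");
		FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf);
		settings = getSettings();
		ldap = newLdapAuthentication(settings);
		// One provider, and therefore one UserManager, is shared between direct calls on
		// ldap and calls through auth, so the count helpers see exactly what sync() wrote.
		auth = newAuthenticationManager(settings, ldap);
	}

	/**
	 * Builds a started runtime and user manager on top of {@code settings} and an
	 * {@link LdapAuthProvider} wired to them.
	 * <p>
	 * Side effect: replaces {@link #userManager} with the newly created instance.
	 *
	 * @param settings the settings the runtime and provider read from
	 * @return a provider that has completed {@code setup}
	 */
	private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {
		XssFilter xssFilter = new AllowXssFilter();
		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
		userManager = new UserManager(runtime, null).start();
		LdapAuthProvider provider = new LdapAuthProvider();
		provider.setup(runtime, userManager);
		return provider;
	}

	/**
	 * Builds an {@link AuthenticationManager} over the current {@link #userManager}
	 * that delegates to the given provider.
	 *
	 * @param settings the settings for the manager's runtime
	 * @param provider the already set-up LDAP provider to register
	 * @return the manager with {@code provider} registered
	 */
	private AuthenticationManager newAuthenticationManager(IStoredSettings settings, LdapAuthProvider provider) {
		XssFilter xssFilter = new AllowXssFilter();
		RuntimeManager runtime = new RuntimeManager(settings, xssFilter, GitBlitSuite.BASEFOLDER).start();
		AuthenticationManager manager = new AuthenticationManager(runtime, userManager);
		manager.addAuthenticationProvider(provider);
		return manager;
	}

	/**
	 * Baseline LDAP realm settings pointing at the in-memory server, backed by the
	 * per-test copy of users.conf. Tests that need a variant copy this and change keys.
	 *
	 * @return fresh, mutable settings
	 */
	private MemorySettings getSettings() {
		Map<String, Object> backingMap = new HashMap<String, Object>();
		backingMap.put(Keys.realm.userService, usersConf.getAbsolutePath());
		// Plain ldap:// is acceptable here: the server is in-process on loopback.
		backingMap.put(Keys.realm.ldap.server, "ldap://localhost:" + ldapPort);
		backingMap.put(Keys.realm.ldap.username, "cn=Directory Manager");
		backingMap.put(Keys.realm.ldap.password, "password");
		backingMap.put(Keys.realm.ldap.maintainTeams, "true");
		backingMap.put(Keys.realm.ldap.accountBase, "OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain");
		backingMap.put(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
		backingMap.put(Keys.realm.ldap.groupBase, "OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain");
		backingMap.put(Keys.realm.ldap.groupMemberPattern, "(&(objectClass=group)(member=${dn}))");
		// Admins by account name and by team; the team name containing a space is quoted.
		backingMap.put(Keys.realm.ldap.admins, "UserThree @Git_Admins \"@Git Admins\"");
		backingMap.put(Keys.realm.ldap.displayName, "displayName");
		backingMap.put(Keys.realm.ldap.email, "email");
		backingMap.put(Keys.realm.ldap.uid, "sAMAccountName");

		return new MemorySettings(backingMap);
	}

	/** Authenticating directly against the provider: correct passwords succeed, wrong ones yield null. */
	@Test
	public void testAuthenticate() {
		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
		assertNotNull(userOneModel);
		assertNotNull(userOneModel.getTeam("git_admins"));
		assertNotNull(userOneModel.getTeam("git_users"));
		assertTrue(userOneModel.canAdmin);

		UserModel userOneModelFailedAuth = ldap.authenticate("UserOne", "userTwoPassword".toCharArray());
		assertNull(userOneModelFailedAuth);

		UserModel userTwoModel = ldap.authenticate("UserTwo", "userTwoPassword".toCharArray());
		assertNotNull(userTwoModel);
		assertNotNull(userTwoModel.getTeam("git_users"));
		assertNull(userTwoModel.getTeam("git_admins"));
		assertNotNull(userTwoModel.getTeam("git admins"));
		assertTrue(userTwoModel.canAdmin);

		UserModel userThreeModel = ldap.authenticate("UserThree", "userThreePassword".toCharArray());
		assertNotNull(userThreeModel);
		assertNotNull(userThreeModel.getTeam("git_users"));
		assertNull(userThreeModel.getTeam("git_admins"));
		assertTrue(userThreeModel.canAdmin);
	}

	/** The display name is taken from a single attribute or composed from a template of several. */
	@Test
	public void testDisplayName() {
		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
		assertNotNull(userOneModel);
		assertEquals("User One", userOneModel.displayName);

		// Template form: several attributes concatenated
		MemorySettings ms = getSettings();
		ms.put("realm.ldap.displayName", "${personalTitle}. ${givenName} ${surname}");
		ldap = newLdapAuthentication(ms);

		userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
		assertNotNull(userOneModel);
		assertEquals("Mr. User One", userOneModel.displayName);
	}

	/** The email address is taken from a single attribute or composed from a template. */
	@Test
	public void testEmail() {
		UserModel userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
		assertNotNull(userOneModel);
		assertEquals("userone@gitblit.com", userOneModel.emailAddress);

		// Template form: several attributes concatenated
		MemorySettings ms = getSettings();
		ms.put("realm.ldap.email", "${givenName}.${surname}@gitblit.com");
		ldap = newLdapAuthentication(ms);

		userOneModel = ldap.authenticate("UserOne", "userOnePassword".toCharArray());
		assertNotNull(userOneModel);
		assertEquals("User.One@gitblit.com", userOneModel.emailAddress);
	}

	/**
	 * The username must be treated as a literal filter value. If it were spliced into
	 * accountPattern unescaped, "(&(objectClass=person)(sAMAccountName=${username}))" would
	 * become "(&(objectClass=person)(sAMAccountName=*)(userPassword=userOnePassword))", i.e. a
	 * search by password rather than by name. The provider must reject such a login.
	 */
	@Test
	public void testLdapInjection() {
		UserModel userOneModel = ldap.authenticate("*)(userPassword=userOnePassword", "userOnePassword".toCharArray());
		assertNull(userOneModel);
	}

	/** Every person in the sample directory is present in the user model as an LDAP account. */
	@Test
	public void checkIfUsersConfContainsAllUsersFromSampleDataLdif() throws Exception {
		SearchResult searchResult = ds.search("OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain", SearchScope.SUB, "objectClass=person");
		assertEquals("Number of ldap users in gitblit user model", searchResult.getEntryCount(), countLdapUsersInUserManager());
	}

	/** Without realm.ldap.synchronize a sync must not pull new directory users into the model. */
	@Test
	public void addingUserInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {
		ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));
		ldap.sync();
		assertEquals("Number of ldap users in gitblit user model", 5, countLdapUsersInUserManager());
	}

	/** With realm.ldap.synchronize enabled a sync picks up a user added to the directory. */
	@Test
	public void addingUserInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {
		settings.put(Keys.realm.ldap.synchronize, "true");
		ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "adduser.ldif"));
		ldap.sync();
		assertEquals("Number of ldap users in gitblit user model", 6, countLdapUsersInUserManager());
	}

	/** Without realm.ldap.synchronize a sync must not create teams from directory groups. */
	@Test
	public void addingGroupsInLdapShouldNotUpdateGitBlitUsersAndGroups() throws Exception {
		ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));
		ldap.sync();
		assertEquals("Number of ldap groups in gitblit team model", 0, countLdapTeamsInUserManager());
	}

	/** With realm.ldap.synchronize enabled a sync creates a team for a group added to the directory. */
	@Test
	public void addingGroupsInLdapShouldUpdateGitBlitUsersAndGroups() throws Exception {
		settings.put(Keys.realm.ldap.synchronize, "true");
		ds.addEntries(LDIFReader.readEntries(RESOURCE_DIR + "addgroup.ldif"));
		ldap.sync();
		assertEquals("Number of ldap groups in gitblit team model", 1, countLdapTeamsInUserManager());
	}

	/** Same expectations as {@link #testAuthenticate()}, but going through the AuthenticationManager. */
	@Test
	public void testAuthenticationManager() {
		UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray(), null);
		assertNotNull(userOneModel);
		assertNotNull(userOneModel.getTeam("git_admins"));
		assertNotNull(userOneModel.getTeam("git_users"));
		assertTrue(userOneModel.canAdmin);

		UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray(), null);
		assertNull(userOneModelFailedAuth);

		UserModel userTwoModel = auth.authenticate("UserTwo", "userTwoPassword".toCharArray(), null);
		assertNotNull(userTwoModel);
		assertNotNull(userTwoModel.getTeam("git_users"));
		assertNull(userTwoModel.getTeam("git_admins"));
		assertNotNull(userTwoModel.getTeam("git admins"));
		assertTrue(userTwoModel.canAdmin);

		UserModel userThreeModel = auth.authenticate("UserThree", "userThreePassword".toCharArray(), null);
		assertNotNull(userThreeModel);
		assertNotNull(userThreeModel.getTeam("git_users"));
		assertNull(userThreeModel.getTeam("git_admins"));
		assertTrue(userThreeModel.canAdmin);
	}

	/**
	 * Binding as the user (bindpattern) instead of with a service account: no manager
	 * credentials are configured, so the user's own password must do the bind.
	 */
	@Test
	public void testBindWithUser() {
		settings.put(Keys.realm.ldap.bindpattern, "CN=${username},OU=US,OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain");
		settings.put(Keys.realm.ldap.username, "");
		settings.put(Keys.realm.ldap.password, "");

		UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray(), null);
		assertNotNull(userOneModel);

		UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray(), null);
		assertNull(userOneModelFailedAuth);
	}

	/**
	 * @return the number of users in {@link #userManager} whose account type is LDAP
	 */
	private int countLdapUsersInUserManager() {
		int ldapAccountCount = 0;
		for (UserModel userModel : userManager.getAllUsers()) {
			if (AccountType.LDAP.equals(userModel.accountType)) {
				ldapAccountCount++;
			}
		}
		return ldapAccountCount;
	}

	/**
	 * @return the number of teams in {@link #userManager} whose account type is LDAP
	 */
	private int countLdapTeamsInUserManager() {
		int ldapTeamCount = 0;
		for (TeamModel teamModel : userManager.getAllTeams()) {
			if (AccountType.LDAP.equals(teamModel.accountType)) {
				ldapTeamCount++;
			}
		}
		return ldapTeamCount;
	}

}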