diff options
author | Stefan Seelmann <mail@stefan-seelmann.de> | 2021-05-30 01:03:54 +0300 |
---|---|---|
committer | Stefan Seelmann <mail@stefan-seelmann.de> | 2021-05-30 01:03:54 +0300 |
commit | 8c758465c5a3e96e921e2b0083f85d025e16799f (patch) | |
tree | d427595f7cccfc0ace81d9ba33d0749d4b062f29 | |
parent | 832c1e90837a30ab60c0504cab5c1470cfdbef7c (diff) |
Add test for DIGEST-MD5 SASL auth and switch to newer OpenLDAP docker image
5 files changed, 178 insertions, 7 deletions
diff --git a/Jenkinsfile b/Jenkinsfile index b00de7f11..a70db523c 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -37,7 +37,7 @@ pipeline { } steps { script { - docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> + docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds -> docker.image('apachedirectory/maven-build:jdk-8').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") { sh 'export DISPLAY=:99; env; ps aux' @@ -64,7 +64,7 @@ pipeline { } steps { script { - docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> + docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds -> docker.image('apachedirectory/maven-build:jdk-11').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") { sh 'export DISPLAY=:99; mvn -V -U -f pom-first.xml clean install && mvn -V clean install -Dorg.eclipse.swtbot.search.timeout=20000 -Denable-ui-tests' @@ -91,7 +91,7 @@ pipeline { } steps { script { - docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> + docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap -> docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds -> docker.image('apachedirectory/maven-build:jdk-17').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") { sh 'export DISPLAY=:99; mvn -V -U -f pom-first.xml clean install && mvn -V clean install -Dorg.eclipse.swtbot.search.timeout=20000 -Denable-ui-tests' diff --git a/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java b/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java index 3f0d9af0c..ade8ddffe 100644 --- a/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java +++ b/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java @@ -24,6 +24,8 @@ package org.apache.directory.studio.test.integration.junit5; import static org.apache.directory.studio.test.integration.junit5.Constants.LOCALHOST; import java.io.File; +import java.util.Collections; +import java.util.stream.Collectors; import org.apache.directory.server.core.api.DirectoryService; import org.apache.directory.server.core.api.partition.Partition; @@ -32,6 +34,9 @@ import org.apache.directory.server.ldap.LdapServer; import org.apache.directory.server.ldap.handlers.extended.PwdModifyHandler; import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler; import org.apache.directory.server.ldap.handlers.extended.WhoAmIHandler; +import org.apache.directory.server.ldap.handlers.sasl.SimpleMechanismHandler; +import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler; +import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler; import org.apache.directory.server.protocol.shared.transport.TcpTransport; import org.apache.directory.server.protocol.shared.transport.Transport; import org.apache.mina.util.AvailablePortFinder; @@ -77,6 +82,11 @@ public class ApacheDirectoryServer extends TestLdapServer partition.initialize(); service.addPartition( partition ); service.getSchemaManager().enable( "nis", "krb5kdc" ); + service.getInterceptor( "passwordHashingInterceptor" ); + service.setInterceptors( service.getInterceptors().stream() + .filter( i -> !i.getName().equals( "ConfigurableHashingInterceptor" ) ) + .collect( Collectors.toList() ) ); + System.out.println( service.getInterceptors() ); server = new LdapServer(); server.setDirectoryService( service ); @@ -85,6 +95,13 @@ public class ApacheDirectoryServer extends TestLdapServer Transport ldaps = new TcpTransport( portSSL ); ldaps.setEnableSSL( true ); server.addTransports( ldaps ); + + server.addSaslMechanismHandler( "SIMPLE", new SimpleMechanismHandler() ); + server.addSaslMechanismHandler( "DIGEST-MD5", new DigestMd5MechanismHandler() ); + server.setSaslRealms( Collections.singletonList( "EXAMPLE.ORG" ) ); + server.setSaslHost( getHost() ); + server.setSearchBaseDn( TestFixture.CONTEXT_DN.getName() ); + server.addExtendedOperationHandler( new StartTlsHandler() ); server.addExtendedOperationHandler( new PwdModifyHandler() ); server.addExtendedOperationHandler( new WhoAmIHandler() ); diff --git a/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif b/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif index f28f33888..9fe06a588 100644 --- a/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif +++ b/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif @@ -23,3 +23,21 @@ olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by dn.exact="uid=user.1,ou=users,dc=example,dc=org" none by * read - + +dn: olcDatabase={1}mdb,cn=config +changetype: modify +replace: olcAccess +olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break +olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=a dmin,dc=example,dc=org" write by anonymous auth by * none +olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none +- + +dn: cn=config +changetype: modify +replace: olcAuthzRegexp +olcAuthzRegexp: uid=([^,]*),cn=digest-md5,cn=auth uid=$1,ou=users,dc=example,dc=org +- +replace: olcSaslSecProps +olcSaslSecProps: noplain,noanonymous,minssf=128 +- + diff --git a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java index 279399d57..93df03f20 100644 --- a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java +++ b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java @@ -34,12 +34,16 @@ import java.lang.reflect.Method; import java.net.InetAddress; import java.net.UnknownHostException; +import org.apache.directory.api.ldap.model.constants.SaslQoP; +import org.apache.directory.api.ldap.model.constants.SaslSecurityStrength; import org.apache.directory.studio.connection.core.Connection; import org.apache.directory.studio.connection.core.ConnectionCorePlugin; import org.apache.directory.studio.connection.core.ConnectionManager; import org.apache.directory.studio.connection.core.ConnectionParameter.AuthenticationMethod; import org.apache.directory.studio.test.integration.junit5.Constants; +import org.apache.directory.studio.test.integration.junit5.LdapServerType; import org.apache.directory.studio.test.integration.junit5.LdapServersSource; +import org.apache.directory.studio.test.integration.junit5.LdapServersSource.Mode; import org.apache.directory.studio.test.integration.junit5.TestLdapServer; import org.apache.directory.studio.test.integration.ui.bots.NewConnectionWizardBot; import org.apache.mina.util.AvailablePortFinder; @@ -477,7 +481,7 @@ public class NewConnectionWizardTest extends AbstractTestBase */ @ParameterizedTest @LdapServersSource - public void testCheckAuthenticationButtonOK( TestLdapServer server ) + public void testCheckAuthenticationButtonSimpleAuthOK( TestLdapServer server ) { // enter connection parameter wizardBot.typeConnectionName( getConnectionName() ); @@ -502,7 +506,7 @@ public class NewConnectionWizardTest extends AbstractTestBase */ @ParameterizedTest @LdapServersSource - public void testCheckAuthenticationButtonNotOK( TestLdapServer server ) + public void testCheckAuthenticationButtonSimpleAuthNotOK( TestLdapServer server ) { // enter connection parameter wizardBot.typeConnectionName( getConnectionName() ); @@ -522,4 +526,96 @@ public class NewConnectionWizardTest extends AbstractTestBase wizardBot.clickCancelButton(); } + + /** + * Tests the "Check Authentication" button. + */ + @ParameterizedTest + @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds) + public void testCheckAuthenticationButtonDigestMD5OK( TestLdapServer server ) + { + // enter connection parameter + wizardBot.typeConnectionName( getConnectionName() ); + wizardBot.typeHost( server.getHost() ); + wizardBot.typePort( server.getPort() ); + wizardBot.clickNextButton(); + + // enter correct authentication parameter + wizardBot.selectDigestMD5Authentication(); + wizardBot.typeUser( "user.8" ); + wizardBot.typePassword( "password" ); + if ( server.getType() == LdapServerType.ApacheDS ) + { + wizardBot.typeRealm( "EXAMPLE.ORG" ); + } + wizardBot.selectQualityOfProtection( SaslQoP.AUTH_CONF ); + wizardBot.selectProtectionStrength( SaslSecurityStrength.HIGH ); + + // click "Check Network Parameter" button + String result = wizardBot.clickCheckAuthenticationButton(); + assertNull( result, "Expected OK" ); + + wizardBot.clickCancelButton(); + } + + + /** + * Tests the "Check Authentication" button. + */ + @ParameterizedTest + @LdapServersSource(only = LdapServerType.OpenLdap) + public void testCheckAuthenticationButtonDigestMD5OKTooWeek( TestLdapServer server ) + { + // enter connection parameter + wizardBot.typeConnectionName( getConnectionName() ); + wizardBot.typeHost( server.getHost() ); + wizardBot.typePort( server.getPort() ); + wizardBot.clickNextButton(); + + // enter correct authentication parameter + wizardBot.selectDigestMD5Authentication(); + wizardBot.typeUser( "user.8" ); + wizardBot.typePassword( "password" ); + wizardBot.selectQualityOfProtection( SaslQoP.AUTH ); + wizardBot.selectProtectionStrength( SaslSecurityStrength.LOW ); + + // click "Check Network Parameter" button + String result = wizardBot.clickCheckAuthenticationButton(); + assertThat( result, containsString( "DIGEST-MD5: No common protection layer between client and server" ) ); + + wizardBot.clickCancelButton(); + } + + + /** + * Tests the "Check Authentication" button. + */ + @ParameterizedTest + @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds) + public void testCheckAuthenticationButtonDigestMD5NotOKWrongPassword( TestLdapServer server ) + { + // enter connection parameter + wizardBot.typeConnectionName( getConnectionName() ); + wizardBot.typeHost( server.getHost() ); + wizardBot.typePort( server.getPort() ); + wizardBot.clickNextButton(); + + // enter correct authentication parameter + wizardBot.selectDigestMD5Authentication(); + wizardBot.typeUser( "user.8" ); + wizardBot.typePassword( "wrong" ); + if ( server.getType() == LdapServerType.ApacheDS ) + { + wizardBot.typeRealm( "EXAMPLE.ORG" ); + } + wizardBot.selectQualityOfProtection( SaslQoP.AUTH_CONF ); + wizardBot.selectProtectionStrength( SaslSecurityStrength.HIGH ); + + // click "Check Network Parameter" button + String result = wizardBot.clickCheckAuthenticationButton(); + assertThat( result, containsString( "[LDAP result code 49 - invalidCredentials]" ) ); + + wizardBot.clickCancelButton(); + } + } diff --git a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java index e39f4f879..029b6c10a 100644 --- a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java +++ b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java @@ -20,6 +20,8 @@ package org.apache.directory.studio.test.integration.ui.bots; +import org.apache.directory.api.ldap.model.constants.SaslQoP; +import org.apache.directory.api.ldap.model.constants.SaslSecurityStrength; import org.apache.directory.studio.ldapbrowser.core.BrowserCoreMessages; import org.apache.directory.studio.test.integration.ui.utils.JobWatcher; import org.eclipse.swtbot.swt.finder.widgets.SWTBotCombo; @@ -41,6 +43,8 @@ public class NewConnectionWizardBot extends WizardBot private static final String GET_BASE_DNS_FROM_ROOT_DSE = "Get base DNs from Root DSE"; private static final String SAVE_PASSWORD = "Save password"; private static final String SASL_REALM = "SASL Realm:"; + private static final String SASL_QUALITY_OF_PROTECTION = "Quality of Protection:"; + private static final String SASL_PROTECTION_STRENGH = "Protection Strength:"; private static final String BIND_PASSWORD = "Bind password:"; private static final String BIND_DN_OR_USER = "Bind DN or user:"; private static final String CRAM_MD5_SASL = "CRAM-MD5 (SASL)"; @@ -208,8 +212,44 @@ public class NewConnectionWizardBot extends WizardBot public void typeRealm( String realm ) { - SWTBotCombo dnCombo = bot.comboBoxWithLabel( SASL_REALM ); - dnCombo.setText( realm ); + SWTBotCombo combo = bot.comboBoxWithLabel( SASL_REALM ); + combo.setText( realm ); + } + + + public void selectQualityOfProtection( SaslQoP saslQoP ) + { + SWTBotCombo combo = bot.comboBoxWithLabel( SASL_QUALITY_OF_PROTECTION ); + switch ( saslQoP ) + { + case AUTH: + combo.setSelection( 0 ); + break; + case AUTH_INT: + combo.setSelection( 1 ); + break; + case AUTH_CONF: + combo.setSelection( 2 ); + break; + } + } + + + public void selectProtectionStrength( SaslSecurityStrength saslSecurityStrength ) + { + SWTBotCombo combo = bot.comboBoxWithLabel( SASL_PROTECTION_STRENGH ); + switch ( saslSecurityStrength ) + { + case HIGH: + combo.setSelection( 0 ); + break; + case MEDIUM: + combo.setSelection( 1 ); + break; + case LOW: + combo.setSelection( 2 ); + break; + } } |