
github.com/apache/directory-studio.git - Unnamed repository; edit this file 'description' to name the repository.
authorStefan Seelmann <mail@stefan-seelmann.de>2021-05-30 01:03:54 +0300
committerStefan Seelmann <mail@stefan-seelmann.de>2021-05-30 01:03:54 +0300
commit8c758465c5a3e96e921e2b0083f85d025e16799f (patch)
treed427595f7cccfc0ace81d9ba33d0749d4b062f29
parent832c1e90837a30ab60c0504cab5c1470cfdbef7c (diff)
Add test for DIGEST-MD5 SASL auth and switch to newer OpenLDAP docker image
-rw-r--r--Jenkinsfile6
-rw-r--r--tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java17
-rw-r--r--tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif18
-rw-r--r--tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java100
-rw-r--r--tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java44
5 files changed, 178 insertions, 7 deletions
diff --git a/Jenkinsfile b/Jenkinsfile
index b00de7f11..a70db523c 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -37,7 +37,7 @@ pipeline {
}
steps {
script {
- docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
+ docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds ->
docker.image('apachedirectory/maven-build:jdk-8').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") {
sh 'export DISPLAY=:99; env; ps aux'
@@ -64,7 +64,7 @@ pipeline {
}
steps {
script {
- docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
+ docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds ->
docker.image('apachedirectory/maven-build:jdk-11').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") {
sh 'export DISPLAY=:99; mvn -V -U -f pom-first.xml clean install && mvn -V clean install -Dorg.eclipse.swtbot.search.timeout=20000 -Denable-ui-tests'
@@ -91,7 +91,7 @@ pipeline {
}
steps {
script {
- docker.image('osixia/openldap:1.3.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
+ docker.image('osixia/openldap:1.5.0').withRun('-e LDAP_TLS_VERIFY_CLIENT=never') { openldap ->
docker.image('389ds/dirsrv').withRun('-e DS_DM_PASSWORD=admin', 'bash -c "set -m; /usr/lib/dirsrv/dscontainer -r & while ! /usr/lib/dirsrv/dscontainer -H; do sleep 5; done; sleep 5; /usr/sbin/dsconf localhost backend create --suffix dc=example,dc=org --be-name example; fg"') { fedora389ds ->
docker.image('apachedirectory/maven-build:jdk-17').inside("--link=${openldap.id}:openldap -e OPENLDAP_HOST=openldap -e OPENLDAP_PORT=389 -e OPENLDAP_PORT_SSL=636 --link=${fedora389ds.id}:fedora389ds -e FEDORA_389DS_HOST=fedora389ds -e FEDORA_389DS_PORT=3389 -e FEDORA_389DS_PORT_SSL=3636") {
sh 'export DISPLAY=:99; mvn -V -U -f pom-first.xml clean install && mvn -V clean install -Dorg.eclipse.swtbot.search.timeout=20000 -Denable-ui-tests'
diff --git a/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java b/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java
index 3f0d9af0c..ade8ddffe 100644
--- a/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java
+++ b/tests/test.integration.core/src/main/java/org/apache/directory/studio/test/integration/junit5/ApacheDirectoryServer.java
@@ -24,6 +24,8 @@ package org.apache.directory.studio.test.integration.junit5;
import static org.apache.directory.studio.test.integration.junit5.Constants.LOCALHOST;
import java.io.File;
+import java.util.Collections;
+import java.util.stream.Collectors;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.partition.Partition;
@@ -32,6 +34,9 @@ import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.handlers.extended.PwdModifyHandler;
import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
import org.apache.directory.server.ldap.handlers.extended.WhoAmIHandler;
+import org.apache.directory.server.ldap.handlers.sasl.SimpleMechanismHandler;
+import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
+import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;
import org.apache.directory.server.protocol.shared.transport.Transport;
import org.apache.mina.util.AvailablePortFinder;
@@ -77,6 +82,11 @@ public class ApacheDirectoryServer extends TestLdapServer
partition.initialize();
service.addPartition( partition );
service.getSchemaManager().enable( "nis", "krb5kdc" );
+ service.getInterceptor( "passwordHashingInterceptor" );
+ service.setInterceptors( service.getInterceptors().stream()
+ .filter( i -> !i.getName().equals( "ConfigurableHashingInterceptor" ) )
+ .collect( Collectors.toList() ) );
+ System.out.println( service.getInterceptors() );
server = new LdapServer();
server.setDirectoryService( service );
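Review bot: The added `service.getInterceptor( "passwordHashingInterceptor" );` discards its return value, so as far as this hunk shows it has no effect, and `System.out.println( service.getInterceptors() );` looks like leftover debug output; both can be dropped. The filter that removes `ConfigurableHashingInterceptor` deserves a comment because it changes how the test server stores passwords: presumably DIGEST-MD5 needs the server to read the cleartext value, e.g. `// DIGEST-MD5 needs the stored userPassword in cleartext, so drop the hashing interceptor (test server only)`. The filter matches on a name string, so if no interceptor carries that name the list stays unchanged without any error; a check that the list actually shrank would catch that. The enclosing method starts and ends outside the hunk.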
@@ -85,6 +95,13 @@ public class ApacheDirectoryServer extends TestLdapServer
Transport ldaps = new TcpTransport( portSSL );
ldaps.setEnableSSL( true );
server.addTransports( ldaps );
+
+ server.addSaslMechanismHandler( "SIMPLE", new SimpleMechanismHandler() );
+ server.addSaslMechanismHandler( "DIGEST-MD5", new DigestMd5MechanismHandler() );
+ server.setSaslRealms( Collections.singletonList( "EXAMPLE.ORG" ) );
+ server.setSaslHost( getHost() );
+ server.setSearchBaseDn( TestFixture.CONTEXT_DN.getName() );
+
server.addExtendedOperationHandler( new StartTlsHandler() );
server.addExtendedOperationHandler( new PwdModifyHandler() );
server.addExtendedOperationHandler( new WhoAmIHandler() );
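Review bot: `CramMd5MechanismHandler` is imported in an earlier hunk of this file, but only the `SIMPLE` and `DIGEST-MD5` handlers are registered here; either register it with `server.addSaslMechanismHandler( "CRAM-MD5", new CramMd5MechanismHandler() );` or drop the import. The realm literal `"EXAMPLE.ORG"` is repeated in NewConnectionWizardTest as `typeRealm( "EXAMPLE.ORG" )`; a shared constant would keep server and test from drifting apart. The enclosing method starts and ends outside the hunk.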
diff --git a/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif b/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif
index f28f33888..9fe06a588 100644
--- a/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif
+++ b/tests/test.integration.core/src/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif
@@ -23,3 +23,21 @@ olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by dn.exact="uid=user.1,ou=users,dc=example,dc=org" none by * read
-
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=a dmin,dc=example,dc=org" write by anonymous auth by * none
+olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
+-
+
+dn: cn=config
+changetype: modify
+replace: olcAuthzRegexp
+olcAuthzRegexp: uid=([^,]*),cn=digest-md5,cn=auth uid=$1,ou=users,dc=example,dc=org
+-
+replace: olcSaslSecProps
+olcSaslSecProps: noplain,noanonymous,minssf=128
+-
+
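Review bot: The `{1}` rule for `userPassword,shadowLastChange` names `dn="cn=a dmin,dc=example,dc=org"` as shown here, with a space inside the RDN, while the `{2}` rule uses `cn=admin,dc=example,dc=org`. If the space is really in the file and not a rendering artifact, the admin entry falls through to `by * none` for the password attributes unless it is also the rootdn; the value should read `dn="cn=admin,dc=example,dc=org"`. A `#` comment above `olcSaslSecProps` would also help, stating that `minssf=128` is the setting the new DIGEST-MD5 too-weak test appears to rely on, so a later edit does not loosen it unnoticed.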
diff --git a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java
index 279399d57..93df03f20 100644
--- a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java
+++ b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/NewConnectionWizardTest.java
@@ -34,12 +34,16 @@ import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.UnknownHostException;
+import org.apache.directory.api.ldap.model.constants.SaslQoP;
+import org.apache.directory.api.ldap.model.constants.SaslSecurityStrength;
import org.apache.directory.studio.connection.core.Connection;
import org.apache.directory.studio.connection.core.ConnectionCorePlugin;
import org.apache.directory.studio.connection.core.ConnectionManager;
import org.apache.directory.studio.connection.core.ConnectionParameter.AuthenticationMethod;
import org.apache.directory.studio.test.integration.junit5.Constants;
+import org.apache.directory.studio.test.integration.junit5.LdapServerType;
import org.apache.directory.studio.test.integration.junit5.LdapServersSource;
+import org.apache.directory.studio.test.integration.junit5.LdapServersSource.Mode;
import org.apache.directory.studio.test.integration.junit5.TestLdapServer;
import org.apache.directory.studio.test.integration.ui.bots.NewConnectionWizardBot;
import org.apache.mina.util.AvailablePortFinder;
@@ -477,7 +481,7 @@ public class NewConnectionWizardTest extends AbstractTestBase
*/
@ParameterizedTest
@LdapServersSource
- public void testCheckAuthenticationButtonOK( TestLdapServer server )
+ public void testCheckAuthenticationButtonSimpleAuthOK( TestLdapServer server )
{
// enter connection parameter
wizardBot.typeConnectionName( getConnectionName() );
@@ -502,7 +506,7 @@ public class NewConnectionWizardTest extends AbstractTestBase
*/
@ParameterizedTest
@LdapServersSource
- public void testCheckAuthenticationButtonNotOK( TestLdapServer server )
+ public void testCheckAuthenticationButtonSimpleAuthNotOK( TestLdapServer server )
{
// enter connection parameter
wizardBot.typeConnectionName( getConnectionName() );
@@ -522,4 +526,96 @@ public class NewConnectionWizardTest extends AbstractTestBase
wizardBot.clickCancelButton();
}
+
+ /**
+ * Tests the "Check Authentication" button.
+ */
+ @ParameterizedTest
+ @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+ public void testCheckAuthenticationButtonDigestMD5OK( TestLdapServer server )
+ {
+ // enter connection parameter
+ wizardBot.typeConnectionName( getConnectionName() );
+ wizardBot.typeHost( server.getHost() );
+ wizardBot.typePort( server.getPort() );
+ wizardBot.clickNextButton();
+
+ // enter correct authentication parameter
+ wizardBot.selectDigestMD5Authentication();
+ wizardBot.typeUser( "user.8" );
+ wizardBot.typePassword( "password" );
+ if ( server.getType() == LdapServerType.ApacheDS )
+ {
+ wizardBot.typeRealm( "EXAMPLE.ORG" );
+ }
+ wizardBot.selectQualityOfProtection( SaslQoP.AUTH_CONF );
+ wizardBot.selectProtectionStrength( SaslSecurityStrength.HIGH );
+
+ // click "Check Network Parameter" button
+ String result = wizardBot.clickCheckAuthenticationButton();
+ assertNull( result, "Expected OK" );
+
+ wizardBot.clickCancelButton();
+ }
+
+
+ /**
+ * Tests the "Check Authentication" button.
+ */
+ @ParameterizedTest
+ @LdapServersSource(only = LdapServerType.OpenLdap)
+ public void testCheckAuthenticationButtonDigestMD5OKTooWeek( TestLdapServer server )
+ {
+ // enter connection parameter
+ wizardBot.typeConnectionName( getConnectionName() );
+ wizardBot.typeHost( server.getHost() );
+ wizardBot.typePort( server.getPort() );
+ wizardBot.clickNextButton();
+
+ // enter correct authentication parameter
+ wizardBot.selectDigestMD5Authentication();
+ wizardBot.typeUser( "user.8" );
+ wizardBot.typePassword( "password" );
+ wizardBot.selectQualityOfProtection( SaslQoP.AUTH );
+ wizardBot.selectProtectionStrength( SaslSecurityStrength.LOW );
+
+ // click "Check Network Parameter" button
+ String result = wizardBot.clickCheckAuthenticationButton();
+ assertThat( result, containsString( "DIGEST-MD5: No common protection layer between client and server" ) );
+
+ wizardBot.clickCancelButton();
+ }
+
+
+ /**
+ * Tests the "Check Authentication" button.
+ */
+ @ParameterizedTest
+ @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+ public void testCheckAuthenticationButtonDigestMD5NotOKWrongPassword( TestLdapServer server )
+ {
+ // enter connection parameter
+ wizardBot.typeConnectionName( getConnectionName() );
+ wizardBot.typeHost( server.getHost() );
+ wizardBot.typePort( server.getPort() );
+ wizardBot.clickNextButton();
+
+ // enter correct authentication parameter
+ wizardBot.selectDigestMD5Authentication();
+ wizardBot.typeUser( "user.8" );
+ wizardBot.typePassword( "wrong" );
+ if ( server.getType() == LdapServerType.ApacheDS )
+ {
+ wizardBot.typeRealm( "EXAMPLE.ORG" );
+ }
+ wizardBot.selectQualityOfProtection( SaslQoP.AUTH_CONF );
+ wizardBot.selectProtectionStrength( SaslSecurityStrength.HIGH );
+
+ // click "Check Network Parameter" button
+ String result = wizardBot.clickCheckAuthenticationButton();
+ assertThat( result, containsString( "[LDAP result code 49 - invalidCredentials]" ) );
+
+ wizardBot.clickCancelButton();
+ }
+
}
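Review bot: The new method name `testCheckAuthenticationButtonDigestMD5OKTooWeek` misspells "Weak" and carries "OK" although it asserts a failure message; `testCheckAuthenticationButtonDigestMD5NotOKTooWeak` would match its siblings. In the wrong-password test the comment `// enter correct authentication parameter` precedes `typePassword( "wrong" )`, and all three tests label the click `// click "Check Network Parameter" button` although they call `clickCheckAuthenticationButton()`. The three Javadoc blocks are identical; each should state the case it covers, for example that the too-weak case expects the OpenLDAP server to refuse `SaslQoP.AUTH` with `SaslSecurityStrength.LOW`.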
diff --git a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java
index e39f4f879..029b6c10a 100644
--- a/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java
+++ b/tests/test.integration.ui/src/main/java/org/apache/directory/studio/test/integration/ui/bots/NewConnectionWizardBot.java
@@ -20,6 +20,8 @@
package org.apache.directory.studio.test.integration.ui.bots;
+import org.apache.directory.api.ldap.model.constants.SaslQoP;
+import org.apache.directory.api.ldap.model.constants.SaslSecurityStrength;
import org.apache.directory.studio.ldapbrowser.core.BrowserCoreMessages;
import org.apache.directory.studio.test.integration.ui.utils.JobWatcher;
import org.eclipse.swtbot.swt.finder.widgets.SWTBotCombo;
@@ -41,6 +43,8 @@ public class NewConnectionWizardBot extends WizardBot
private static final String GET_BASE_DNS_FROM_ROOT_DSE = "Get base DNs from Root DSE";
private static final String SAVE_PASSWORD = "Save password";
private static final String SASL_REALM = "SASL Realm:";
+ private static final String SASL_QUALITY_OF_PROTECTION = "Quality of Protection:";
+ private static final String SASL_PROTECTION_STRENGH = "Protection Strength:";
private static final String BIND_PASSWORD = "Bind password:";
private static final String BIND_DN_OR_USER = "Bind DN or user:";
private static final String CRAM_MD5_SASL = "CRAM-MD5 (SASL)";
@@ -208,8 +212,44 @@ public class NewConnectionWizardBot extends WizardBot
public void typeRealm( String realm )
{
- SWTBotCombo dnCombo = bot.comboBoxWithLabel( SASL_REALM );
- dnCombo.setText( realm );
+ SWTBotCombo combo = bot.comboBoxWithLabel( SASL_REALM );
+ combo.setText( realm );
+ }
+
+
+ public void selectQualityOfProtection( SaslQoP saslQoP )
+ {
+ SWTBotCombo combo = bot.comboBoxWithLabel( SASL_QUALITY_OF_PROTECTION );
+ switch ( saslQoP )
+ {
+ case AUTH:
+ combo.setSelection( 0 );
+ break;
+ case AUTH_INT:
+ combo.setSelection( 1 );
+ break;
+ case AUTH_CONF:
+ combo.setSelection( 2 );
+ break;
+ }
+ }
+
+
+ public void selectProtectionStrength( SaslSecurityStrength saslSecurityStrength )
+ {
+ SWTBotCombo combo = bot.comboBoxWithLabel( SASL_PROTECTION_STRENGH );
+ switch ( saslSecurityStrength )
+ {
+ case HIGH:
+ combo.setSelection( 0 );
+ break;
+ case MEDIUM:
+ combo.setSelection( 1 );
+ break;
+ case LOW:
+ combo.setSelection( 2 );
+ break;
+ }
}
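Review bot: `selectQualityOfProtection` and `selectProtectionStrength` translate the enum into fixed combo indices 0 to 2 and have no `default` branch, so a reordered combo or a new enum constant makes the test pick a different protection level, or none, without failing. Since the DIGEST-MD5 tests depend on the exact level chosen, add `default: throw new IllegalArgumentException( "Unsupported: " + saslQoP );` (and the same for `saslSecurityStrength`), plus a short comment that the indices mirror the order of the wizard's combo entries. The constant `SASL_PROTECTION_STRENGH` added in the previous hunk is missing a T; `SASL_PROTECTION_STRENGTH` is the intended spelling.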