DIRSTUDIO-1220: SASL security layer

apache · Jun 20, 2021 · 18ad16e · 18ad16e
1 parent fa240c3
commit 18ad16e
Show file tree

Hide file tree

Showing 9 changed files with 581 additions and 46 deletions.
diff --git a/eclipse-trgt-platform/template/org.apache.directory.studio.eclipse-trgt-platform.template b/eclipse-trgt-platform/template/org.apache.directory.studio.eclipse-trgt-platform.template
@@ -19,7 +19,7 @@
   @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 -->
 <?pde version="3.8"?>
-<target name="Apache Directory Studio Platform" sequenceNumber="473">
+<target name="Apache Directory Studio Platform" sequenceNumber="477">
   <locations>
 
     <location includeAllPlatforms="false" includeConfigurePhase="true" includeMode="planner" includeSource="true" type="InstallableUnit">

diff --git a/pom.xml b/pom.xml
@@ -94,8 +94,8 @@
     <org.apache.commons.lang3.bundleversion>3.12.0</org.apache.commons.lang3.bundleversion>
     <org.apache.commons.pool.version>2.9.0</org.apache.commons.pool.version>
     <org.apache.commons.pool.bundleversion>2.9.0</org.apache.commons.pool.bundleversion>
-    <org.apache.directory.api.version>2.0.2</org.apache.directory.api.version>
-    <org.apache.directory.api.bundleversion>2.0.2</org.apache.directory.api.bundleversion>
+    <org.apache.directory.api.version>2.0.3-SNAPSHOT</org.apache.directory.api.version>
+    <org.apache.directory.api.bundleversion>2.0.3.SNAPSHOT</org.apache.directory.api.bundleversion>
     <org.apache.directory.server.version>2.0.0.AM26</org.apache.directory.server.version>
     <org.apache.mina.version>2.1.3</org.apache.mina.version>
     <org.apache.mina.bundleversion>2.1.3</org.apache.mina.bundleversion>

diff --git a/.../org/apache/directory/studio/test/integration/core/DirectoryApiConnectionWrapperTest.java b/.../org/apache/directory/studio/test/integration/core/DirectoryApiConnectionWrapperTest.java
@@ -92,7 +92,6 @@
 import org.apache.directory.studio.connection.core.ConnectionParameter;
 import org.apache.directory.studio.connection.core.ConnectionParameter.AuthenticationMethod;
 import org.apache.directory.studio.connection.core.ConnectionParameter.EncryptionMethod;
-import org.apache.directory.studio.connection.core.ConnectionParameter.Krb5Configuration;
 import org.apache.directory.studio.connection.core.ConnectionParameter.Krb5CredentialConfiguration;
 import org.apache.directory.studio.connection.core.ICertificateHandler.TrustLevel;
 import org.apache.directory.studio.connection.core.IReferralHandler;
@@ -378,16 +377,45 @@ public void testSimpleBindStartTls( TestLdapServer ldapServer )
 
 
     /**
-     * Test binding to the server using SASL and no encryption.
+     * Test binding to the server using SASL auth and no encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All)
-    public void testSaslBindPlain( TestLdapServer ldapServer )
+    public void testSaslDigestMd5BindAuthPlain( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindPlain( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-int and no encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthIntPlain( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindPlain( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-conf and no encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthConfPlain( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindPlain( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslDigestMd5BindPlain( TestLdapServer ldapServer, SaslQoP saslQoP )
     {
         ldapServer.setConfidentialityRequired( false );
         StudioProgressMonitor monitor = getProgressMonitor();
         Connection connection = getConnection( monitor, ldapServer, "user.1", "password" );
         connection.setAuthMethod( AuthenticationMethod.SASL_DIGEST_MD5 );
+        connection.getConnectionParameter().setSaslQop( SaslQoP.AUTH_CONF );
 
         assertFalse( connectionWrapper.isConnected() );
 
@@ -432,18 +460,47 @@ public void testSaslBindPlainConfidentiallyRequired( TestLdapServer ldapServer )
 
 
     /**
-     * Test binding to the server using SASL and ldaps:// encryption.
+     * Test binding to the server using SASL auth and ldaps:// encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthLdaps( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindLdaps( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-int and ldaps:// encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthIntLdaps( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindLdaps( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-conf and ldaps:// encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All)
-    public void testSaslBindLdaps( TestLdapServer ldapServer )
+    public void testSaslDigestMd5BindAuthConfLdaps( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindLdaps( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslDigestMd5BindLdaps( TestLdapServer ldapServer, SaslQoP saslQoP )
     {
         ldapServer.setConfidentialityRequired( true );
         StudioProgressMonitor monitor = getProgressMonitor();
         Connection connection = getConnection( monitor, ldapServer, "user.1", "password" );
         connection.setPort( ldapServer.getPortSSL() );
         connection.setEncryptionMethod( EncryptionMethod.LDAPS );
         connection.setAuthMethod( AuthenticationMethod.SASL_DIGEST_MD5 );
+        connection.getConnectionParameter().setSaslQop( saslQoP );
         acceptAllCertificates();
 
         assertFalse( connectionWrapper.isConnected() );
@@ -462,17 +519,46 @@ public void testSaslBindLdaps( TestLdapServer ldapServer )
 
 
     /**
-     * Test binding to the server using SASL and StartTLS encryption.
+     * Test binding to the server using SASL auth and StartTLS encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthStartTls( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindStartTls( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-int and StartTLS encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.Fedora389ds)
+    public void testSaslDigestMd5BindAuthIntStartTls( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindStartTls( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using SASL auth-conf and StartTLS encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All)
-    public void testSaslBindStartTls( TestLdapServer ldapServer )
+    public void testSaslDigestMd5BindAuthConfStartTls( TestLdapServer ldapServer )
+    {
+        testSaslDigestMd5BindStartTls( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslDigestMd5BindStartTls( TestLdapServer ldapServer, SaslQoP saslQoP )
     {
         ldapServer.setConfidentialityRequired( true );
         StudioProgressMonitor monitor = getProgressMonitor();
         Connection connection = getConnection( monitor, ldapServer, "user.1", "password" );
         connection.setEncryptionMethod( EncryptionMethod.START_TLS );
         connection.setAuthMethod( AuthenticationMethod.SASL_DIGEST_MD5 );
+        connection.getConnectionParameter().setSaslQop( saslQoP );
         acceptAllCertificates();
 
         assertFalse( connectionWrapper.isConnected() );
@@ -491,11 +577,39 @@ public void testSaslBindStartTls( TestLdapServer ldapServer )
 
 
     /**
-     * Test binding to the server using GSSAPI and no encryption.
+     * Test binding to the server using GSSAPI auth and no encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
-    public void testSaslGssapiBindPlain( TestLdapServer ldapServer )
+    public void testSaslGssapiBindAuthPlain( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindPlain( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-int and no encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthIntPlain( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindPlain( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-conf and no encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthConfPlain( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindPlain( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslGssapiBindPlain( TestLdapServer ldapServer, SaslQoP saslQoP )
     {
         TestFixture.skipIfKdcServerIsNotAvailable();
 
@@ -504,6 +618,7 @@ public void testSaslGssapiBindPlain( TestLdapServer ldapServer )
         Connection connection = getConnection( monitor, ldapServer, "hnelson", "secret" );
         connection.setAuthMethod( AuthenticationMethod.SASL_GSSAPI );
         connection.getConnectionParameter().setKrb5CredentialConfiguration( Krb5CredentialConfiguration.OBTAIN_TGT );
+        connection.getConnectionParameter().setSaslQop( saslQoP );
 
         assertFalse( connectionWrapper.isConnected() );
 
@@ -521,11 +636,39 @@ public void testSaslGssapiBindPlain( TestLdapServer ldapServer )
 
 
     /**
-     * Test binding to the server using GSSAPI and ldaps:// encryption.
+     * Test binding to the server using GSSAPI auth and ldaps:// encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthLdaps( TestLdapServer ldapServer ) throws Exception
+    {
+        testSaslGssapiBindLdaps( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-int and ldaps:// encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthIntLdaps( TestLdapServer ldapServer ) throws Exception
+    {
+        testSaslGssapiBindLdaps( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-conf and ldaps:// encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
-    public void testSaslGssapiBindLdaps( TestLdapServer ldapServer ) throws Exception
+    public void testSaslGssapiBindAuthConfLdaps( TestLdapServer ldapServer ) throws Exception
+    {
+        testSaslGssapiBindLdaps( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslGssapiBindLdaps( TestLdapServer ldapServer, SaslQoP saslQoP ) throws Exception
     {
         TestFixture.skipIfKdcServerIsNotAvailable();
 
@@ -543,6 +686,7 @@ public void testSaslGssapiBindLdaps( TestLdapServer ldapServer ) throws Exceptio
         connection.setEncryptionMethod( EncryptionMethod.LDAPS );
         connection.setAuthMethod( AuthenticationMethod.SASL_GSSAPI );
         connection.getConnectionParameter().setKrb5CredentialConfiguration( Krb5CredentialConfiguration.USE_NATIVE );
+        connection.getConnectionParameter().setSaslQop( saslQoP );
         acceptAllCertificates();
 
         assertFalse( connectionWrapper.isConnected() );
@@ -561,11 +705,39 @@ public void testSaslGssapiBindLdaps( TestLdapServer ldapServer ) throws Exceptio
 
 
     /**
-     * Test binding to the server using GSSAPI and StartTLS encryption.
+     * Test binding to the server using GSSAPI auth and StartTLS encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthStartTls( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindStartTls( ldapServer, SaslQoP.AUTH );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-int and StartTLS encryption.
      */
     @ParameterizedTest
     @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
-    public void testSaslGssapiBindStartTls( TestLdapServer ldapServer )
+    public void testSaslGssapiBindAuthIntStartTls( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindStartTls( ldapServer, SaslQoP.AUTH_INT );
+    }
+
+
+    /**
+     * Test binding to the server using GSSAPI auth-conf and StartTLS encryption.
+     */
+    @ParameterizedTest
+    @LdapServersSource(mode = Mode.All, except = LdapServerType.ApacheDS, reason = "Missing OSGi import: org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntryModifier cannot be found by org.apache.directory.server.protocol.shared_2.0.0.AM26")
+    public void testSaslGssapiBindAuthConfStartTls( TestLdapServer ldapServer )
+    {
+        testSaslGssapiBindStartTls( ldapServer, SaslQoP.AUTH_CONF );
+    }
+
+
+    private void testSaslGssapiBindStartTls( TestLdapServer ldapServer, SaslQoP saslQoP )
     {
         TestFixture.skipIfKdcServerIsNotAvailable();
 
@@ -575,6 +747,7 @@ public void testSaslGssapiBindStartTls( TestLdapServer ldapServer )
         connection.setEncryptionMethod( EncryptionMethod.START_TLS );
         connection.setAuthMethod( AuthenticationMethod.SASL_GSSAPI );
         connection.getConnectionParameter().setKrb5CredentialConfiguration( Krb5CredentialConfiguration.OBTAIN_TGT );
+        connection.getConnectionParameter().setSaslQop( saslQoP );
         acceptAllCertificates();
 
         assertFalse( connectionWrapper.isConnected() );

diff --git a/...ore/src/main/java/org/apache/directory/studio/test/integration/junit5/OpenLdapServer.java b/...ore/src/main/java/org/apache/directory/studio/test/integration/junit5/OpenLdapServer.java
@@ -21,8 +21,6 @@
 package org.apache.directory.studio.test.integration.junit5;
 
 
-import static org.apache.directory.studio.test.integration.junit5.Constants.LOCALHOST;
-
 import org.apache.directory.api.ldap.model.entry.DefaultModification;
 import org.apache.directory.api.ldap.model.entry.Modification;
 import org.apache.directory.api.ldap.model.entry.ModificationOperation;
@@ -88,12 +86,28 @@ public void prepare()
     @Override
     public void setConfidentialityRequired( boolean confidentialityRequired )
     {
+        if ( confidentialityRequired )
+        {
+            setSecurityProps( 256, 256 );
+        }
+        else
+        {
+            setSecurityProps( 0, 0 );
+        }
+    }
+
+
+    public void setSecurityProps( int ssf, int tls )
+    {
+
         try ( LdapConnection connection = openConnection() )
         {
             connection.bind( OPENLDAP_CONFIG_DN, OPENLDAP_CONFIG_PASSWORD );
-            Modification modification = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
-                "olcSecurity", confidentialityRequired ? "ssf=256 tls=256" : "ssf=0 tls=0" );
-            connection.modify( "cn=config", modification );
+            Modification modification1 = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+                "olcSecurity", "ssf=" + ssf + " tls=" + tls );
+            Modification modification2 = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+                "olcSaslSecProps", "noplain,noanonymous,minssf=" + ssf );
+            connection.modify( "cn=config", modification1, modification2 );
         }
         catch ( LdapNoSuchAttributeException e )
         {

diff --git a/...rc/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif b/...rc/main/resources/org/apache/directory/studio/test/integration/junit5/OpenLdapConfig.ldif
@@ -21,7 +21,8 @@ replace: olcAccess
 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
  ,cn=auth manage by * break
 olcAccess: {1}to dn.exact="" by * read
-olcAccess: {2}to dn.base="cn=Subschema" by dn.exact="uid=user.1,ou=users,dc=example,dc=org" none by * read
+# Forbid user.8 to read the schema, used in SchemaBrowserTest
+olcAccess: {2}to dn.base="cn=Subschema" by dn.exact="uid=user.8,ou=users,dc=example,dc=org" none by * read
 -
 
 dn: olcDatabase={1}mdb,cn=config

diff --git a/...on.ui/src/main/java/org/apache/directory/studio/test/integration/ui/AbstractTestBase.java b/...on.ui/src/main/java/org/apache/directory/studio/test/integration/ui/AbstractTestBase.java
@@ -32,6 +32,8 @@
 import org.apache.directory.api.ldap.model.name.Dn;
 import org.apache.directory.api.ldap.model.name.Rdn;
 import org.apache.directory.studio.connection.core.ConnectionCorePlugin;
+import org.apache.directory.studio.ldapbrowser.core.BrowserCoreConstants;
+import org.apache.directory.studio.ldapbrowser.core.BrowserCorePlugin;
 import org.apache.directory.studio.test.integration.junit5.SkipTestIfLdapServerIsNotAvailableInterceptor;
 import org.apache.directory.studio.test.integration.junit5.TestLdapServer;
 import org.apache.directory.studio.test.integration.ui.bots.ApacheDSServersViewBot;
@@ -72,6 +74,8 @@ final void setUpBase() throws Exception
         searchLogsViewBot = studioBot.getSearchLogsViewBot();
         modificationLogsViewBot = studioBot.getModificationLogsViewBot();
         serversViewBot = studioBot.getApacheDSServersViewBot();
+        BrowserCorePlugin.getDefault()
+            .getPluginPreferences().setValue( BrowserCoreConstants.PREFERENCE_LDIF_LINE_WIDTH, 1000 );
     }