Enable configuration of LDAPS and allow SSL verification to be skipped

https://www.pivotaltracker.com/story/show/89437874
[#89437874]

Set ldap.ssl.skipverification default to false

common/src/main/java/org/cloudfoundry/identity/uaa/ldap/LdapIdentityProviderDefinition.java

@@ -37,6 +37,7 @@ public class LdapIdentityProviderDefinition {
     private boolean autoAddGroups;
     private boolean groupSearchSubTree;
     private int maxGroupSearchDepth;
+    private boolean skipSSLVerification;
 
     public static LdapIdentityProviderDefinition searchAndBindMapGroupToScopes(
         String baseUrl,
@@ -51,7 +52,8 @@ public static LdapIdentityProviderDefinition searchAndBindMapGroupToScopes(
         boolean mailSubstituteOverridesLdap,
         boolean autoAddGroups,
         boolean groupSearchSubTree,
-        int groupMaxSearchDepth) {
+        int groupMaxSearchDepth,
+        boolean skipSSLVerification) {
 
         LdapIdentityProviderDefinition definition = new LdapIdentityProviderDefinition();
         definition.baseUrl = baseUrl;
@@ -69,12 +71,16 @@ public static LdapIdentityProviderDefinition searchAndBindMapGroupToScopes(
         definition.autoAddGroups = autoAddGroups;
         definition.groupSearchSubTree = groupSearchSubTree;
         definition.maxGroupSearchDepth = groupMaxSearchDepth;
+        definition.skipSSLVerification = skipSSLVerification;
         return definition;
     }
 
     @JsonIgnore
     public ConfigurableEnvironment getLdapConfigurationEnvironment() {
         Map<String,Object> properties = new HashMap<>();
+
+        properties.put("ldap.ssl.skipverification", isSkipSSLVerification());
+
         if ("ldap/ldap-search-and-bind.xml".equals(ldapProfileFile)) {
             properties.put("ldap.profile.file", getLdapProfileFile());
             properties.put("ldap.base.url", getBaseUrl());
@@ -219,6 +225,14 @@ public void setMaxGroupSearchDepth(int maxGroupSearchDepth) {
         this.maxGroupSearchDepth = maxGroupSearchDepth;
     }
 
+    public boolean isSkipSSLVerification() {
+        return skipSSLVerification;
+    }
+
+    public void setSkipSSLVerification(boolean skipSSLVerification) {
+        this.skipSSLVerification = skipSSLVerification;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -248,6 +262,8 @@ public boolean equals(Object o) {
             return false;
         if (maxGroupSearchDepth!=that.maxGroupSearchDepth)
             return false;
+        if (skipSSLVerification!=that.skipSSLVerification)
+            return false;
 
         return true;
     }
@@ -268,6 +284,7 @@ public int hashCode() {
         result = 31 * result + (mailSubstituteOverridesLdap ? 1 : 0);
         result = 31 * result + (autoAddGroups ? 1 : 0);
         result = 31 * result + (groupSearchSubTree ? 1 : 0);
+        result = 31 * result + (skipSSLVerification ? 1 : 0);
         result = 31 * result + maxGroupSearchDepth;
         return result;
     }

common/src/main/java/org/cloudfoundry/identity/uaa/ldap/ProcessLdapProperties.java

@@ -0,0 +1,55 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.ldap;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+public class ProcessLdapProperties {
+
+    public static final String LDAP_SOCKET_FACTORY = "java.naming.ldap.factory.socket";
+    public static final String SKIP_SSL_VERIFICATION_SOCKET_FACTORY = "org.apache.directory.shared.ldap.util.DummySSLSocketFactory";
+
+    private boolean disableSslVerification;
+    private String baseUrl;
+
+    public ProcessLdapProperties(String baseUrl, boolean disableSslVerification) {
+        this.baseUrl = baseUrl;
+        this.disableSslVerification = disableSslVerification;
+    }
+
+    public Map process(Map map) {
+        Map result = new LinkedHashMap(map);
+        if (isDisableSslVerification() && isLdapsUrl()) {
+            result.put(LDAP_SOCKET_FACTORY, SKIP_SSL_VERIFICATION_SOCKET_FACTORY);
+        }
+        return result;
+    }
+
+    public boolean isLdapsUrl() {
+        return baseUrl!=null && baseUrl.startsWith("ldaps");
+    }
+    public boolean isDisableSslVerification() {
+        return disableSslVerification;
+    }
+
+    public void setDisableSslVerification(boolean disableSslVerification) {
+        this.disableSslVerification = disableSslVerification;
+    }
+
+    public void setBaseUrl(String baseUrl) {
+        this.baseUrl = baseUrl;
+    }
+}

common/src/test/java/org/cloudfoundry/identity/uaa/ldap/LdapIdentityProviderDefinitionTest.java

@@ -21,6 +21,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 public class LdapIdentityProviderDefinitionTest {
 
@@ -46,7 +47,8 @@ public void testSearchAndBindConfiguration() throws Exception {
             false,
             true,
             true,
-            100);
+            100,
+            true);
 
         String config = JsonUtils.writeValueAsString(ldapIdentityProviderDefinition);
         LdapIdentityProviderDefinition deserialized = JsonUtils.readValue(config, LdapIdentityProviderDefinition.class);
@@ -79,6 +81,10 @@ public void testSearchAndBindConfiguration() throws Exception {
         assertNotNull(environment.getProperty("ldap.groups.maxSearchDepth"));
         assertEquals("100", environment.getProperty("ldap.groups.maxSearchDepth"));
 
+        //skip ssl verification
+        assertNotNull(environment.getProperty("ldap.ssl.skipverification"));
+        assertEquals("true", environment.getProperty("ldap.ssl.skipverification"));
+
         ldapIdentityProviderDefinition = LdapIdentityProviderDefinition.searchAndBindMapGroupToScopes(
             "ldap://localhost:389/",
             "cn=admin,ou=Users,dc=test,dc=com",
@@ -92,7 +98,8 @@ public void testSearchAndBindConfiguration() throws Exception {
             true,
             true,
             true,
-            100);
+            100,
+            true);
 
         config = JsonUtils.writeValueAsString(ldapIdentityProviderDefinition);
         LdapIdentityProviderDefinition deserialized2 = JsonUtils.readValue(config, LdapIdentityProviderDefinition.class);

common/src/test/java/org/cloudfoundry/identity/uaa/ldap/ProcessLdapPropertiesTest.java

@@ -0,0 +1,38 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.ldap;
+
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.cloudfoundry.identity.uaa.ldap.ProcessLdapProperties.LDAP_SOCKET_FACTORY;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+public class ProcessLdapPropertiesTest {
+
+    @Test
+    public void testProcess() throws Exception {
+        Map<String,String> properties = new HashMap<>();
+        ProcessLdapProperties process = new ProcessLdapProperties("ldap://localhost:389", false);
+        assertNull(process.process(properties).get(LDAP_SOCKET_FACTORY));
+        process.setDisableSslVerification(true);
+        assertNull(process.process(properties).get(LDAP_SOCKET_FACTORY));
+        process.setBaseUrl("ldaps://localhost:636");
+        assertEquals(ProcessLdapProperties.SKIP_SSL_VERIFICATION_SOCKET_FACTORY, process.process(properties).get(LDAP_SOCKET_FACTORY));
+    }
+}

uaa/src/main/resources/ldap-integration.xml

@@ -26,10 +26,20 @@
     <bean id="ldapPooled" class="java.lang.Boolean">
         <constructor-arg value="false"/>
     </bean>
-    <util:map id="ldapProperties">
+
+    <util:map id="initialLdapProperties">
         <entry key="com.sun.jndi.ldap.connect.pool" value-ref="ldapPooled" />
     </util:map>
 
+    <bean id="ldapPropertyProcessor" class="org.cloudfoundry.identity.uaa.ldap.ProcessLdapProperties">
+        <constructor-arg name="disableSslVerification" value="${ldap.ssl.skipverification:false}"/>
+        <constructor-arg name="baseUrl" value="${ldap.base.url:ldap://localhost:389/dc=test,dc=com}"/>
+    </bean>
+
+    <bean id="ldapProperties" factory-bean="ldapPropertyProcessor" factory-method="process">
+        <constructor-arg ref="initialLdapProperties"/>
+    </bean>
+
     <bean id="ldapGroupMappingAuthorizationManager" class="org.cloudfoundry.identity.uaa.authorization.external.LdapGroupMappingAuthorizationManager">
         <property name="externalMembershipManager" ref="externalGroupMembershipManager" />
         <property name="scimGroupProvisioning" ref="scimGroupProvisioning" />

uaa/src/main/resources/uaa.yml

@@ -1,5 +1,5 @@
 # Configuration in this file is overridden by an external file
-# if any of these exist: 
+# if any of these exist:
 # [$UAA_CONFIG_URL, $UAA_CONFIG_PATH/uaa.yml, $CLOUDFOUNDRY_CONFIG_PATH/uaa.yml]
 
 #spring_profiles: mysql,default
@@ -58,6 +58,7 @@
 #    url: 'ldaps://192.168.3.39:10636/'
 #    userDnPattern: 'cn={0},ou=Users,dc=test,dc=com;cn={0},ou=OtherUsers,dc=example,dc=com'
 #  ssl:
+#    skipverification: false
 #    sslCertificate: ! '-----BEGIN CERTIFICATE-----
 #    MIIBfTCCAScCBgFDfaC2yzANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEMMAoGA1UEChMD
 #    QVNGMRIwEAYDVQQLEwlEaXJlY3RvcnkxETAPBgNVBAMTCEFwYWNoZURTMB4XDTE0MDExMDE5Mjg0
@@ -86,7 +87,7 @@
 #    url: 'ldap://localhost:10389/'
 #    userDn: 'cn=admin,dc=test,dc=com'
 #    password: 'password'
-#    searchBase: '' 
+#    searchBase: ''
 #    searchFilter: 'cn={0}'
 #    passwordAttributeName: userPassword
 #    passwordEncoder: org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator

uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicLdapAuthenticationManagerTest.java

@@ -28,7 +28,8 @@ public class DynamicLdapAuthenticationManagerTest {
         false,
         true,
         true,
-        100);
+        100,
+        true);
 
     @Test
     public void testGetLdapAuthenticationManager() throws Exception {

uaa/src/test/java/org/cloudfoundry/identity/uaa/authentication/manager/DynamicZoneAwareAuthenticationManagerTest.java

@@ -40,7 +40,8 @@ public class DynamicZoneAwareAuthenticationManagerTest {
         false,
         true,
         true,
-        100);
+        100,
+        true);
 
 
     AuthenticationManager authzAuthenticationMgr = mock(AuthenticationManager.class);