
Fix "ldaps hostname verification" ITT-1786 #21

Merged
merged 4 commits into master from ITT-1786 on Dec 17, 2018

@floragunncom
Owner

commented Dec 13, 2018

I added an additional property "trust_all" to disable SSL checking completely (so all certs are trusted). By default, it's of course false.

@nibix we need to include this fix also into the ldap2 implementation

System property com.sun.jndi.ldap.object.disableEndpointIdentification
cannot be changed at runtime, so just check it and log a warning in case
it has the wrong value.
@jochenkressin
Collaborator

left a comment

LGTM, just a question: do we need to grant a specific/additional permission for com.sun.jndi.ldap.object.disableEndpointIdentification in plugin-security.policy?

@nibix

Collaborator

commented Dec 14, 2018

In coordination with @floragunncom, I just changed the code so that it no longer tries to write the property as it would not work reliably due to implementation details of com.sun.jndi.ldap.Connection. It now just reads the property and logs a warning if it does not have a value which is consistent with SG config.

@jochenkressin: In plugin-security.policy, I see:

permission java.util.PropertyPermission "*","read,write";

That should be enough, shouldn't it?
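As an added illustration of the read-and-warn approach described in this comment (not the PR's own code): it checks the JVM-wide JNDI property against the module's `trust_all` option from the PR description plus an assumed `verify_hostnames` option.

```java
import java.util.logging.Logger;

/** Hypothetical helper: reconciles the JVM-wide JNDI setting with the module's own config. */
public final class LdapsEndpointCheck {

    // JDK system property that switches LDAPS hostname verification off for every JNDI connection.
    static final String DISABLE_EI = "com.sun.jndi.ldap.object.disableEndpointIdentification";

    private static final Logger LOG = Logger.getLogger(LdapsEndpointCheck.class.getName());

    /**
     * @param trustAll        the module's "trust_all" option (all certificates accepted)
     * @param verifyHostnames assumed "verify_hostnames" option (not on the PR page), default true
     * @return true when the JVM property is consistent with the module configuration
     */
    static boolean checkConsistency(boolean trustAll, boolean verifyHostnames) {
        // Read only: com.sun.jndi.ldap.Connection evaluates the property once, so a
        // System.setProperty(...) from plugin code would not take effect reliably.
        boolean jvmDisablesVerification =
                Boolean.parseBoolean(System.getProperty(DISABLE_EI, "false"));

        if (trustAll) {
            // Certificates are not checked at all, so hostname verification is moot here.
            LOG.warning("LDAP trust_all is enabled; server certificates are not validated.");
            return true;
        }
        if (verifyHostnames && jvmDisablesVerification) {
            LOG.warning("LDAP config requires hostname verification, but -D" + DISABLE_EI
                    + "=true disables it JVM-wide; the setting only changes at JVM start.");
            return false;
        }
        if (!verifyHostnames && !jvmDisablesVerification) {
            LOG.warning("LDAP config disables hostname verification, but " + DISABLE_EI
                    + " is not set; JNDI will keep verifying hostnames until the JVM is restarted.");
            return false;
        }
        return true;
    }
}
```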

@nibix

nibix approved these changes Dec 14, 2018

@nibix

Collaborator

commented Dec 14, 2018

#18 now contains the corresponding implementation for the new ldap auth module.

@floragunncom floragunncom merged commit 8c3e7f5 into master Dec 17, 2018


floragunncom added a commit that referenced this pull request Dec 19, 2018

Merge branch 'master' into feature/ldap-connection-pooling
* master:
  [TESTS] Fix compile error in testcases
  Feature/saml idp initiated sso (#23)
  Test ${user.roles} property
  ITT-1783 REST API: Validate masked fields when regex or custom hashing algo used
  Add custom field hashing and anonymization (ITT-1559)
  Cleanup usage of Jackson ObjectMapper
  Fix "ldaps hostname verification" ITT-1786 (#21)
  Implement password rules for REST Api (#14)
  set rerunFailingTestsCount to 3
  Fix "REST API should support the username attribute" ITT-1785
  Duplicate field 'audit_utc_timestamp' to '@timestamp' ITT-1787
  "Implement retry for all auditlog sinks" ITT-1762
  [TESTS] for "If a field is not visible due to FLS, the field capabilities API still returns a result" ITT-1690
  LDAP authz: Skipping users not working as expected (ITT-1719)

# Conflicts:
#	src/main/java/com/floragunn/dlic/auth/http/jwt/keybyoidc/KeySetRetriever.java

floragunncom added a commit that referenced this pull request Dec 20, 2018

Merge branch '6.5.x' into es-6.5.3
* 6.5.x:
  [REST API] Only validate passwords for PUT and PATCH requests
  Add support for ldap connection pooling (ITT-1239) and multiple rolesbase (ITT-1683) (#18)
  [TESTS] Fix compile error in testcases
  Feature/saml idp initiated sso (#23)
  Test ${user.roles} property
  ITT-1783 REST API: Validate masked fields when regex or custom hashing algo used
  Add custom field hashing and anonymization (ITT-1559)
  Cleanup usage of Jackson ObjectMapper
  Fix "ldaps hostname verification" ITT-1786 (#21)
  Implement password rules for REST Api (#14)
  set rerunFailingTestsCount to 3
  Fix "REST API should support the username attribute" ITT-1785
  Duplicate field 'audit_utc_timestamp' to '@timestamp' ITT-1787
  "Implement retry for all auditlog sinks" ITT-1762
  [TESTS] for "If a field is not visible due to FLS, the field capabilities API still returns a result" ITT-1690
  LDAP authz: Skipping users not working as expected (ITT-1719)

floragunncom added a commit that referenced this pull request Dec 20, 2018

Merge branch '6.5.x' into es-6.5.1

floragunncom added a commit that referenced this pull request Dec 20, 2018

Merge branch '6.5.x' into es-6.5.2

floragunncom added a commit that referenced this pull request Dec 22, 2018

Merge branch 'master' into 6.4.x
* master:
  [REST API] Only validate passwords for PUT and PATCH requests
  Add support for ldap connection pooling (ITT-1239) and multiple rolesbase (ITT-1683) (#18)
  [TESTS] Fix compile error in testcases
  Feature/saml idp initiated sso (#23)
  Test ${user.roles} property
  ITT-1783 REST API: Validate masked fields when regex or custom hashing algo used
  Add custom field hashing and anonymization (ITT-1559)
  Cleanup usage of Jackson ObjectMapper
  Fix "ldaps hostname verification" ITT-1786 (#21)
  Implement password rules for REST Api (#14)
  set rerunFailingTestsCount to 3
  Fix "REST API should support the username attribute" ITT-1785
  Duplicate field 'audit_utc_timestamp' to '@timestamp' ITT-1787
  "Implement retry for all auditlog sinks" ITT-1762
  [TESTS] for "If a field is not visible due to FLS, the field capabilities API still returns a result" ITT-1690
  LDAP authz: Skipping users not working as expected (ITT-1719)
  Bump to 6.5.1

# Conflicts:
#	pom.xml

floragunncom added a commit that referenced this pull request Dec 22, 2018

Merge branch 'master' into 6.3.x

floragunncom added a commit that referenced this pull request Dec 22, 2018

Merge branch '6.4.x' into es-6.4.3

floragunncom added a commit that referenced this pull request Dec 22, 2018

Merge branch '6.3.x' into es-6.3.2

floragunncom added a commit that referenced this pull request Dec 23, 2018

Merge branch '6.3.x' into es-6.3.1

floragunncom added a commit that referenced this pull request Dec 23, 2018

Merge branch '6.3.x' into es-6.3.0

floragunncom added a commit that referenced this pull request Dec 23, 2018

Merge branch '6.4.x' into es-6.4.0

floragunncom added a commit that referenced this pull request Dec 23, 2018

Merge branch '6.4.x' into es-6.4.1

floragunncom added a commit that referenced this pull request Dec 23, 2018

Merge branch '6.4.x' into es-6.4.2

floragunncom added a commit that referenced this pull request Jan 30, 2019

Merge branch '6.6.x' into 7.0.x
* 6.6.x: (26 commits)
  Bump to 6.6.0
  add field caps test
  Fix "forward slash handling in LDAP module" ITT-1824  (#26)
  Support KRB5 MECH and multiple acceptors ITT-1827
  Fix "Masked fields not evaluated correctly" ITT-1833
  Fix "Get attributes from LDAP entry instead of DN" ITT-1826 (#25)
  Harmonize returned messages punctuation wise (floragunncom/search-guard-rest-api#11)
  Fix "?pretty not working with REST Api" ITT-1798
  Update jackson version
  [REST API] Only validate passwords for PUT and PATCH requests
  Add support for ldap connection pooling (ITT-1239) and multiple rolesbase (ITT-1683) (#18)
  [TESTS] Fix compile error in testcases
  Feature/saml idp initiated sso (#23)
  Test ${user.roles} property
  ITT-1783 REST API: Validate masked fields when regex or custom hashing algo used
  Add custom field hashing and anonymization (ITT-1559)
  Cleanup usage of Jackson ObjectMapper
  Fix "ldaps hostname verification" ITT-1786 (#21)
  Implement password rules for REST Api (#14)
  set rerunFailingTestsCount to 3
  ...

# Conflicts:
#	pom.xml

@floragunncom floragunncom deleted the ITT-1786 branch Mar 11, 2019
