[RHPAM-4754] - Unable to set direct-verification=true individually in…

… LDAP realm by operator (#674) Signed-off-by: Spolti <fspolti@redhat.com>
jboss-container-images · Aug 11, 2023 · bd735ec · bd735ec
1 parent 0300a4e
commit bd735ec
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 4 deletions.
diff --git a/jboss-kie-wildfly-common/added/launch/jboss-kie-wildfly-elytron.sh b/jboss-kie-wildfly-common/added/launch/jboss-kie-wildfly-elytron.sh
@@ -10,6 +10,7 @@ function unset_kie_security_auth_env() {
     unset AUTH_LDAP_BIND_CREDENTIAL
     unset AUTH_LDAP_BIND_DN
     unset AUTH_LDAP_DEFAULT_ROLE
+    unset AUTH_LDAP_DIRECT_VERIFICATION
     unset AUTH_LDAP_MAPPER_KEEP_MAPPED
     unset AUTH_LDAP_MAPPER_KEEP_NON_MAPPED
     unset AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES
@@ -242,8 +243,11 @@ function configure_elytron_ldap_auth() {
 
     # configure ldap-realm
     local allow_empty_pass=""
+    local direct_verification="${AUTH_LDAP_DIRECT_VERIFICATION,,}"
     if [ "${AUTH_LDAP_ALLOW_EMPTY_PASSWORDS^^}" == "TRUE" ]; then
-        allow_empty_pass="direct-verification=\"true\" allow-blank-password=\"true\" "
+        allow_empty_pass="direct-verification=\"${direct_verification:-true}\" allow-blank-password=\"true\" "
+    elif [ ! -z ${AUTH_LDAP_DIRECT_VERIFICATION} ]; then
+        allow_empty_pass="direct-verification=\"${direct_verification}\" "
     fi
 
     local base_filter="${AUTH_LDAP_BASE_FILTER}"

diff --git a/jboss-kie-wildfly-common/module.yaml b/jboss-kie-wildfly-common/module.yaml
@@ -23,6 +23,9 @@ envs:
   - name: "AUTH_LDAP_ALLOW_EMPTY_PASSWORDS"
     description: "Does this realm support blank password direct verification? Blank password attempt will be rejected otherwise. Boolean flag, defaults to false."
     example: "true"
+  - name: "AUTH_LDAP_DIRECT_VERIFICATION"
+    description: "Does this realm support verification of credentials by directly connecting to LDAP as the account being authenticated? Boolean flag, defaults to false."
+    example: "true"
   - name: "AUTH_LDAP_DEFAULT_ROLE"
     description: "A role included for all authenticated users, when set, AUTH_LDAP_MAPPER_KEEP_NON_MAPPED is set to true as well."
     example: "user"

diff --git a/jboss-kie-wildfly-common/tests/bats/jboss-kie-wildfly-elytron.bats b/jboss-kie-wildfly-common/tests/bats/jboss-kie-wildfly-elytron.bats
@@ -504,8 +504,6 @@ teardown() {
     [ "${expected}" = "${result}" ]
 }
 
-
-
 @test "test elytron ldap configuration ldap-realm with identity-mapping and attribute mapping using recursive search and blank password" {
     AUTH_LDAP_URL="ldap://test:12345"
     AUTH_LDAP_BASE_FILTER="(uid={0})"
@@ -535,6 +533,36 @@ teardown() {
     [ "${expected}" = "${result}" ]
 }
 
+@test "test elytron ldap configuration by setting the direct-verification attribute to true" {
+    AUTH_LDAP_URL="ldap://test:12345"
+    AUTH_LDAP_BASE_FILTER="(uid={0})"
+    AUTH_LDAP_BASE_CTX_DN="ou=people,dc=example,dc=com"
+    AUTH_LDAP_ROLE_ATTRIBUTE_ID="cn"
+    AUTH_LDAP_ROLE_FILTER="(member={1})"
+    AUTH_LDAP_ROLES_CTX_DN="ou=roles,dc=example,dc=com"
+    AUTH_LDAP_RECURSIVE_SEARCH="true"
+    AUTH_LDAP_ALLOW_EMPTY_PASSWORDS="false"
+    AUTH_LDAP_DIRECT_VERIFICATION=true
+
+    configure_elytron_ldap_auth
+
+    expected="<ldap-realm name=\"KIELdapRealm\" direct-verification=\"true\" dir-context=\"KIELdapDC\">
+                <identity-mapping rdn-identifier=\"(uid={0})\" search-base-dn=\"ou=people,dc=example,dc=com\" use-recursive-search=\"true\">
+                    <attribute-mapping>
+                        <attribute from=\"cn\" to=\"Roles\" filter=\"(member={1})\" filter-base-dn=\"ou=roles,dc=example,dc=com\"/>
+                    </attribute-mapping>
+                    <!-- ##KIE_LDAP_NEW_IDENTITY_ATTRIBUTES## -->
+                    <user-password-mapper from=\"userPassword\" writable=\"true\"/>
+                </identity-mapping>
+            </ldap-realm>"
+
+    result="$(xmllint --xpath "//*[local-name()='ldap-realm']" $CONFIG_FILE)"
+
+    echo "expected: ${expected}"
+    echo "result  : ${result}"
+    [ "${expected}" = "${result}" ]
+}
+
 
 @test "test elytron ldap configuration ldap-realm with identity-mapping and attribute mapping using recursive search and blank password and using role recursion" {
     AUTH_LDAP_URL="ldap://test:12345"

diff --git a/tests/features/common/kie-security-common.feature b/tests/features/common/kie-security-common.feature
@@ -212,6 +212,35 @@ Feature: KIE Security configuration common tests
     And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <role name="test"/>
     And file /opt/eat/standalone/deploy/ROOT/WEB-INF/jboss-web.xml should not contain <security-domain>other</security-domain>
 
+  Scenario: Configure images to use LDAP the direct-verification attribute to true
+    When container is started with env
+      | variable                                      | value                        |
+      | AUTH_LDAP_URL                                 | test_url                     |
+      | AUTH_LDAP_BIND_DN                             | cn=Manager,dc=example,dc=com |
+      | AUTH_LDAP_BIND_CREDENTIAL                     | admin                        |
+      | AUTH_LDAP_BASE_CTX_DN                         | ou=Users,dc=example,dc=com   |
+      | AUTH_LDAP_BASE_FILTER                         | uid                          |
+      | AUTH_LDAP_ROLE_ATTRIBUTE_ID                   | cn                           |
+      | AUTH_LDAP_ROLES_CTX_DN                        | ou=Roles,dc=example,dc=com   |
+      | AUTH_LDAP_ROLE_FILTER                         | (member={1})                 |
+      | AUTH_LDAP_ALLOW_EMPTY_PASSWORDS               | false                        |
+      | AUTH_LDAP_DIRECT_VERIFICATION                 | true                         |
+      | AUTH_LDAP_DEFAULT_ROLE                        | test                         |
+      | AUTH_LDAP_ROLE_RECURSION                      | 34                           |
+      | AUTH_LDAP_SEARCH_TIME_LIMIT                   | 1000                         |
+    Then file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <dir-context name="KIELdapDC" url="test_url" read-timeout="1000" principal="cn=Manager,dc=example,dc=com">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <credential-reference clear-text="admin"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <attribute from="cn" to="Roles" filter="(member={1})" filter-base-dn="ou=Roles,dc=example,dc=com" role-recursion="34"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <ldap-realm name="KIELdapRealm" direct-verification="true" dir-context="KIELdapDC">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <identity-mapping rdn-identifier="uid" search-base-dn="ou=Users,dc=example,dc=com">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <security-domain name="KIELdapSecurityDomain" default-realm="KIELdapRealm" permission-mapper="default-permission-mapper">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <realm name="KIELdapRealm" role-decoder="from-roles-attribute" role-mapper="kie-ldap-logical-default-role-mapper"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <security elytron-domain="KIELdapSecurityDomain"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <application-security-domain name="other" security-domain="KIELdapSecurityDomain"/>
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <constant-role-mapper name="kie-ldap-role-mapper">
+    And file /opt/eap/standalone/configuration/standalone-openshift.xml should contain <role name="test"/>
+    And file /opt/eat/standalone/deploy/ROOT/WEB-INF/jboss-web.xml should not contain <security-domain>other</security-domain>
+
   Scenario: Configure images to use LDAP authentication with search time limit and referral mode
     When container is started with env
       | variable                                      | value                        |

diff --git a/tests/features/rhpam/rhpam-kieserver.feature b/tests/features/rhpam/rhpam-kieserver.feature
@@ -410,7 +410,6 @@ Feature: RHPAM KIE Server configuration tests
     And file /opt/eap/standalone/configuration/standalone-openshift.xml should not contain <xa-datasource-property name="Port">
     And file /opt/eap/standalone/configuration/standalone-openshift.xml should not contain <xa-datasource-property name="ServerName">
 
-  @wip
   Scenario: Checks if the EJB Timer was successfully configured with MySQL XA with DATASOURCES env
     When container is started with env
       | variable                                  | value                                                                     |