prevent blank password for ldap login #1273

rundeck · Jul 29, 2015 · 5f251f8 · 5f251f8
1 parent 13f9e52
commit 5f251f8
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 1 deletion.
diff --git a/...etty-server/src/main/java/com/dtolabs/rundeck/jetty/jaas/JettyCachingLdapLoginModule.java b/...etty-server/src/main/java/com/dtolabs/rundeck/jetty/jaas/JettyCachingLdapLoginModule.java
@@ -647,7 +647,7 @@ protected Object[] getCallBackAuth() throws IOException, UnsupportedCallbackExce
     protected boolean authenticate(final String webUserName, final Object webCredential) throws LoginException {
         try {
 
-            if (webUserName == null || webCredential == null) {
+            if (isEmptyOrNull(webUserName) || isEmptyOrNull(webCredential)) {
                 setAuthenticated(false);
                 return isAuthenticated();
             }
@@ -695,6 +695,10 @@ protected boolean authenticate(final String webUserName, final Object webCredent
         }
     }
 
+    private boolean isEmptyOrNull(final Object value) {
+        return null==value || "".equals(value);
+    }
+
     /**
      * password supplied authentication check
      *

diff --git a/...-server/src/test/java/com/dtolabs/rundeck/jetty/jaas/JettyCachingLdapLoginModuleTest.java b/...-server/src/test/java/com/dtolabs/rundeck/jetty/jaas/JettyCachingLdapLoginModuleTest.java
@@ -16,21 +16,29 @@
 
 package com.dtolabs.rundeck.jetty.jaas;
 
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.List;
 
+import org.eclipse.jetty.plus.jaas.callback.ObjectCallback;
 import org.eclipse.jetty.plus.jaas.spi.UserInfo;
 import org.junit.Assert;
 import org.junit.Test;
 
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.*;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
 
 import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
 import static org.mockito.Matchers.*;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -195,6 +203,72 @@ public void testShouldNotGetNestedGroups() {
         }
     }
 
+
+    private CallbackHandler createCallbacks(final String user1, final String password) {
+        return new CallbackHandler() {
+            @Override
+            public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+                NameCallback name = (NameCallback) callbacks[0];
+                name.setName(user1);
+                ObjectCallback pass = (ObjectCallback) callbacks[1];
+                pass.setObject(password);
+            }
+        };
+    }
+
+    @Test
+    public void testDisallowEmptyPassword() {
+        JettyCachingLdapLoginModule module = new JettyCachingLdapLoginModule();
+        module._debug=true;
+        module.setCallbackHandler( createCallbacks("user1", ""));
+        try {
+            assertFalse(module.login());
+
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail();
+        }
+    }
+    @Test
+    public void testDisallowNullPasword() {
+        JettyCachingLdapLoginModule module = new JettyCachingLdapLoginModule();
+        module._debug=true;
+        module.setCallbackHandler( createCallbacks("user1", null));
+        try {
+            assertFalse(module.login());
+
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail();
+        }
+    }
+    @Test
+    public void testDisallowEmptyUsername() {
+        JettyCachingLdapLoginModule module = new JettyCachingLdapLoginModule();
+        module._debug=true;
+        module.setCallbackHandler( createCallbacks("", "xyz"));
+        try {
+            assertFalse(module.login());
+
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail();
+        }
+    }
+    @Test
+    public void testDisallowNullUsername() {
+        JettyCachingLdapLoginModule module = new JettyCachingLdapLoginModule();
+        module._debug=true;
+        module.setCallbackHandler( createCallbacks(null, "xyz"));
+        try {
+            assertFalse(module.login());
+
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail();
+        }
+    }
+
     private JettyCachingLdapLoginModule getJettyCachingLdapLoginModule(boolean activeDirectory) {
         JettyCachingLdapLoginModule module = new JettyCachingLdapLoginModule();