This is an automated email from the ASF dual-hosted git repository.

pearl11594 pushed a commit to branch add-check-for-truststore-password-ldap
in repository https://gitbox.apache.org/repos/asf/cloudstack.git

commit c55c2c7e810a7206c833166563bae92d2041fa45
Author: Pearl Dsilva <pearl1...@gmail.com>
AuthorDate: Wed Jun 18 12:21:04 2025 -0400

    Add check for ldap truststore password
---
 .../apache/cloudstack/ldap/LdapContextFactory.java | 30 ++++++++++++++++++++--
 .../apache/cloudstack/ldap/LdapManagerImpl.java    |  5 ++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
index 0161adf9fda..e5f20c80f5d 100644
--- 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
+++ 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
@@ -72,8 +72,34 @@ public class LdapContextFactory {
         if (sslStatus) {
             s_logger.info("LDAP SSL enabled.");
             environment.put(Context.SECURITY_PROTOCOL, "ssl");
-            System.setProperty("javax.net.ssl.trustStore", 
_ldapConfiguration.getTrustStore(domainId));
-            System.setProperty("javax.net.ssl.trustStorePassword", 
_ldapConfiguration.getTrustStorePassword(domainId));
+            String trustStore = _ldapConfiguration.getTrustStore(domainId);
+            String trustStorePassword = 
_ldapConfiguration.getTrustStorePassword(domainId);
+
+            // Validate truststore and password before setting system 
properties
+            if (!validateTrustStore(trustStore, trustStorePassword)) {
+                throw new RuntimeException("Invalid truststore or truststore 
password");
+            }
+
+            System.setProperty("javax.net.ssl.trustStore", trustStore);
+            System.setProperty("javax.net.ssl.trustStorePassword", 
trustStorePassword);
+        }
+    }
+
+    private boolean validateTrustStore(String trustStore, String 
trustStorePassword) {
+        if (trustStore == null || trustStorePassword == null) {
+            return false;
+        }
+
+        try {
+            // Try to load the truststore with the provided password
+            java.security.KeyStore.getInstance("JKS").load(
+                new java.io.FileInputStream(trustStore),
+                trustStorePassword.toCharArray()
+            );
+            return true;
+        } catch (Exception e) {
+            s_logger.warn("Failed to validate truststore: " + e.getMessage());
+            return false;
         }
     }
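Review bot: The `FileInputStream` opened in `validateTrustStore` is never closed; `KeyStore.load` does not close the stream it is given, so every SSL-enabled context creation leaks a file handle until the GC runs the finalizer, and on Windows the leaked handle can keep the truststore file locked. The catch block also logs only `e.getMessage()`, which discards the stack trace and, for a `FileNotFoundException`, loses the path context; passing `e` as the second logger argument keeps it. `KeyStore.getInstance("JKS")` is hard-coded, so a PKCS12 truststore (the JDK default format since 9) would be rejected as invalid unless the runtime's JKS implementation happens to read PKCS12 transparently; `KeyStore.getDefaultType()` or a configurable type avoids that. The `if (sslStatus)` block belongs to a method whose start is outside the hunk; `validateTrustStore` is complete within it.
```java
private boolean validateTrustStore(String trustStore, String trustStorePassword) {
    if (trustStore == null || trustStorePassword == null) {
        return false;
    }
    // try-with-resources: KeyStore.load does not close the stream it reads from
    try (java.io.InputStream in = new java.io.FileInputStream(trustStore)) {
        java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType())
                .load(in, trustStorePassword.toCharArray());
        return true;
    } catch (Exception e) {
        // keep the throwable so the stack trace and root cause reach the log
        s_logger.warn("Failed to validate truststore " + trustStore, e);
        return false;
    }
}
```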
 
diff --git 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
index 6ed79a0c69f..352e439b50c 100644
--- 
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
+++ 
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
@@ -186,6 +186,11 @@ public class LdapManagerImpl extends 
ComponentLifecycleBase implements LdapManag
             } catch (NamingException | IOException e) {
                 LOGGER.debug("NamingException while doing an LDAP bind", e);
                 throw new InvalidParameterValueException("Unable to bind to 
the given LDAP server");
+            } catch (RuntimeException e) {
+                if (e.getMessage().contains("Invalid truststore")) {
+                    throw new InvalidParameterValueException("Invalid 
truststore or truststore password");
+                }
+                throw e;
             } finally {
                 closeContext(context);
             }
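Review bot: `e.getMessage().contains("Invalid truststore")` dereferences the message without a null check, so any `RuntimeException` raised inside the try with a null message (common for NPEs and many wrapped exceptions) turns into a second NPE thrown from the catch block, masking the original failure. Matching on message text also couples this handler to the literal string thrown in `LdapContextFactory`; a dedicated unchecked exception type (or a subclass caught by type) would make the contract explicit and survive a reworded message. At minimum guard the call, `if (e.getMessage() != null && e.getMessage().contains("Invalid truststore")) {`, and log the original exception before rethrowing the `InvalidParameterValueException`, as the `NamingException` branch above does with `LOGGER.debug(...)`, so the root cause is not lost. The enclosing method starts and ends outside this hunk.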
