This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit d1ba0e2ecf652f963c5887a9680e0271ecf900b4
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed May 15 12:09:20 2019 +0100

    CXF-8043 - XKMS LdapCertificateRepo searching using DN doesn't work

    (cherry picked from commit 12f635546b2b2d84db78d07e20f58d23b04a8640)
---
 .../xkms/x509/repo/ldap/LdapCertificateRepo.java | 26 ++--
 .../x509/repo/ldap/LDAPCertificateRepoTest.java | 150 --------------------
 .../cxf/xkms/x509/repo/ldap/LDAPSearchTest.java | 51 -------
 systests/ldap/pom.xml | 6 +
 .../systest/ldap/xkms/LDAPCertificateRepoTest.java | 151 +++++++++++++++++++++
 systests/ldap/src/test/resources/ldap.ldif | 5 +
 .../org/apache/cxf/systest/ldap/xkms}/cert1.cer | 0
 7 files changed, 177 insertions(+), 212 deletions(-)

diff --git a/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java b/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
index 5b81655..6f4bafb 100644
--- a/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
+++ b/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
@@ -186,11 +186,13 @@ public class LdapCertificateRepo implements CertificateRepo {
         } catch (NamingException e) {
             // Not found
         }
-        // Try to find certificate by search for uid attribute
-        try {
-            cert = getCertificateForUIDAttr(id);
-        } catch (NamingException e) {
-            // Not found
+        if (cert == null) {
+            // Try to find certificate by search for uid attribute
+            try {
+                cert = getCertificateForUIDAttr(id);
+            } catch (NamingException e) {
+                // Not found
+            }
         }
         return cert;
     }
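Review bot: The `catch (NamingException e) { // Not found }` blocks in this hunk, and the matching ones in the `@@ -204,12 +206,14 @@` hunk, treat every NamingException as "certificate absent", so a failed bind, a timeout or a referral error during the DN lookup is reported to the XKMS caller as a null certificate instead of as a repository failure. Because the new `if (cert == null)` guard also decides whether the uid fallback runs, a transient directory error now silently switches the lookup path rather than surfacing. I would catch `javax.naming.NameNotFoundException` for the genuine not-found case and log or propagate everything else, e.g. `} catch (NameNotFoundException e) { // Not found } catch (NamingException e) { /* log at WARNING or rethrow as a repo error */ }`. Whether this class already has a logger cannot be seen from the hunk, and the enclosing method starts before it.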
@@ -204,12 +206,14 @@ public class LdapCertificateRepo implements CertificateRepo {
         } catch (NamingException e) {
             // Not found
         }
-        // Try to find certificate by search for uid attribute
-        try {
-            String uidAttr = String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName);
-            cert = getCertificateForUIDAttr(uidAttr);
-        } catch (NamingException e) {
-            // Not found
+        if (cert == null) {
+            // Try to find certificate by search for uid attribute
+            try {
+                String uidAttr = String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName);
+                cert = getCertificateForUIDAttr(uidAttr);
+            } catch (NamingException e) {
+                // Not found
+            }
         }
         return cert;
     }
diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java b/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
deleted file mode 100644
index 970b03b..0000000
--- a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
+++ /dev/null
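Review bot: `String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName)` interpolates the caller-supplied service name into the uid value without any escaping, and the re-indented line keeps that as is. getCertificateForUIDAttr is outside this hunk, so this is inferred, but if it builds an LDAP search filter from uidAttr then characters such as `*`, `(`, `)` and `\` in serviceName would change the filter's meaning (RFC 4515 requires them to be escaped). A single guard before the format call, escaping those characters or rejecting a serviceName that contains them, keeps the fallback lookup bound to the one intended entry. The enclosing method begins before the hunk.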
@@ -1,150 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.xkms.x509.repo.ldap; - -import java.io.File; -import java.io.FileInputStream; -import java.io.FileNotFoundException; -import java.io.IOException; -import java.net.URISyntaxException; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; -import java.security.cert.X509Certificate; - -import javax.naming.NamingException; -import javax.naming.directory.Attributes; - -import org.apache.cxf.xkms.handlers.Applications; -import org.apache.cxf.xkms.model.xkms.UseKeyWithType; -import org.apache.cxf.xkms.x509.repo.CertificateRepo; - -import org.easymock.EasyMock; -import org.easymock.IMocksControl; -import org.junit.Assert; -import org.junit.Ignore; -import org.junit.Test; - -/** - * Tests need a real ldap server - */ -public class LDAPCertificateRepoTest { - private static final String EXPECTED_SUBJECT_DN = "CN=www.issuer.com, L=CGN, ST=NRW, C=DE, O=Issuer"; - private static final String ROOT_DN = "dc=example,dc=com"; - private static final String EXPECTED_SUBJECT_DN2 = "CN=www.issuer.com,L=CGN,ST=NRW,C=DE,O=Issuer"; - private static final String EXPECTED_SERVICE_URI = 
"http://myservice.apache.org/MyServiceName"; - private static final String EXPECTED_DN_FOR_SERVICE = - "cn=http:\\/\\/myservice.apache.org\\/MyServiceName,ou=services"; - private static final LdapSchemaConfig LDAP_CERT_CONFIG = new LdapSchemaConfig(); - - @Test - @Ignore - public void testFindUserCert() throws URISyntaxException, NamingException, CertificateException { - CertificateRepo persistenceManager = createLdapCertificateRepo(); - testFindBySubjectDnInternal(persistenceManager); - } - - @Test - @Ignore - public void testFindUserCertForNonExistantDn() throws URISyntaxException, NamingException, CertificateException { - CertificateRepo persistenceManager = createLdapCertificateRepo(); - X509Certificate cert = persistenceManager.findBySubjectDn("CN=wrong"); - Assert.assertNull("Certifiacte should be null", cert); - } - - @Test - @Ignore - public void testFindServiceCert() throws URISyntaxException, NamingException, CertificateException { - CertificateRepo persistenceManager = createLdapCertificateRepo(); - String serviceUri = "cn=http:\\/\\/myservice.apache.org\\/MyServiceName,ou=services"; - X509Certificate cert = persistenceManager.findByServiceName(serviceUri); - Assert.assertEquals(EXPECTED_SUBJECT_DN, cert.getSubjectDN().toString()); - } - - @Test - @Ignore - public void testSave() throws Exception { - CertificateRepo persistenceManager = createLdapCertificateRepo(); - File certFile = new File("src/test/java/cert1.cer"); - Assert.assertTrue(certFile.exists()); - FileInputStream fis = new FileInputStream(certFile); - CertificateFactory factory = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate) factory.generateCertificate(fis); - fis.close(); - - UseKeyWithType key = new UseKeyWithType(); - key.setApplication(Applications.PKIX.getUri()); - key.setIdentifier(EXPECTED_SUBJECT_DN); - persistenceManager.saveCertificate(cert, key); - testFindBySubjectDnInternal(persistenceManager); - } - - private CertificateRepo 
createLdapCertificateRepo() throws CertificateException { - LdapSearch ldapSearch = new LdapSearch("ldap://localhost:2389", - "cn=Directory Manager,dc=example,dc=com", "test", 2); - return new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, "dc=example,dc=com"); - } - - private void testFindBySubjectDnInternal(CertificateRepo persistenceManager) throws CertificateException { - X509Certificate cert2 = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN); - Assert.assertEquals(EXPECTED_SUBJECT_DN, cert2.getSubjectDN().toString()); - } - - @Test - public void testSaveUserCert() throws Exception { - IMocksControl c = EasyMock.createControl(); - LdapSearch ldapSearch = c.createMock(LdapSearch.class); - ldapSearch.bind(EasyMock.eq(EXPECTED_SUBJECT_DN2 + "," + ROOT_DN), EasyMock.anyObject(Attributes.class)); - EasyMock.expectLastCall().once(); - LdapCertificateRepo ldapCertRepo = new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, ROOT_DN); - X509Certificate cert = getTestCert(); - - c.replay(); - UseKeyWithType key = new UseKeyWithType(); - key.setApplication(Applications.PKIX.getUri()); - key.setIdentifier(EXPECTED_SUBJECT_DN2); - ldapCertRepo.saveCertificate(cert, key); - c.verify(); - } - - @Test - public void testSaveServiceCert() throws Exception { - IMocksControl c = EasyMock.createControl(); - LdapSearch ldapSearch = c.createMock(LdapSearch.class); - ldapSearch.bind(EasyMock.eq(EXPECTED_DN_FOR_SERVICE + "," + ROOT_DN), EasyMock.anyObject(Attributes.class)); - EasyMock.expectLastCall().once(); - LdapCertificateRepo ldapCertRepo = new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, ROOT_DN); - X509Certificate cert = getTestCert(); - - c.replay(); - UseKeyWithType key = new UseKeyWithType(); - key.setApplication(Applications.SERVICE_NAME.getUri()); - key.setIdentifier(EXPECTED_SERVICE_URI); - ldapCertRepo.saveCertificate(cert, key); - c.verify(); - } - - private X509Certificate getTestCert() throws FileNotFoundException, CertificateException, IOException { - 
File certFile = new File("src/test/resources/cert1.cer"); - Assert.assertTrue(certFile.exists()); - try (FileInputStream fis = new FileInputStream(certFile)) { - CertificateFactory factory = CertificateFactory.getInstance("X.509"); - return (X509Certificate) factory.generateCertificate(fis); - } - } -} diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java b/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java deleted file mode 100644 index e029023..0000000 --- a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java +++ /dev/null 
@@ -1,51 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.xkms.x509.repo.ldap; - -import java.net.URISyntaxException; - -import javax.naming.NamingEnumeration; -import javax.naming.NamingException; -import javax.naming.directory.Attribute; -import javax.naming.directory.Attributes; -import javax.naming.directory.SearchResult; - -import org.junit.Ignore; -import org.junit.Test; - -/** - * Tests need a real ldap server - */ -public class LDAPSearchTest { - @Test - @Ignore - public void testSearch() throws URISyntaxException, NamingException { - LdapSearch ldapSearch = new LdapSearch("ldap://localhost:2389", - "cn=Directory Manager,dc=example,dc=com", "test", 2); - NamingEnumeration<SearchResult> answer = ldapSearch.searchSubTree("dc=example, dc=com", - "(cn=Testuser)"); - while (answer.hasMore()) { - SearchResult sr = answer.next(); - Attributes attrs = sr.getAttributes(); - Attribute cn = attrs.get("sn"); - System.out.println(cn.get()); - } - } - -} diff --git a/systests/ldap/pom.xml b/systests/ldap/pom.xml index e52a6be..cfe5b5b 100644 --- a/systests/ldap/pom.xml +++ b/systests/ldap/pom.xml 
@@ -163,6 +163,12 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>org.apache.cxf.services.xkms</groupId>
+            <artifactId>cxf-services-xkms-x509-repo-ldap</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
         </dependency>
diff --git a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java
new file mode 100644
index 0000000..001c2e4
--- /dev/null
+++ b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ldap.xkms;
+
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import javax.naming.NamingException;
+
+import org.apache.cxf.testutil.common.AbstractClientServerTestBase;
+import org.apache.cxf.xkms.handlers.Applications;
+import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
+import org.apache.cxf.xkms.x509.repo.CertificateRepo;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapSearch;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreateIndex;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+@RunWith(FrameworkRunner.class)
+
+//Define the DirectoryService
+@CreateDS(name = "LDAPCertificateRepoTest-class",
+    enableAccessControl = false,
+    allowAnonAccess = false,
+    enableChangeLog = true,
+    partitions = {
+        @CreatePartition(
+            name = "example",
+            suffix = "dc=example,dc=com",
+            indexes = {
+                @CreateIndex(attribute = "objectClass"),
+                @CreateIndex(attribute = "dc"),
+                @CreateIndex(attribute = "ou")
+            }
+        ) }
+    )
+
+@CreateLdapServer(
+    transports = {
+        @CreateTransport(protocol = "LDAP", address = "localhost")
+    }
+    )
+
+//Inject an file containing entries
+@ApplyLdifFiles("ldap.ldif")
+
+/**
+ * Add a test for the XKMS LDAP CertificateRepo
+ */
+public class LDAPCertificateRepoTest extends AbstractLdapTestUnit {
+    private static final String EXPECTED_SUBJECT_DN = "cn=dave,ou=users";
+    private static final String ROOT_DN = "dc=example,dc=com";
+    private static final String EXPECTED_SUBJECT_DN2 = "cn=newuser,ou=users";
+    private static final String EXPECTED_SERVICE_URI = "http://myservice.apache.org/MyServiceName";
+
+    @org.junit.AfterClass
+    public static void cleanup() throws Exception {
+        AbstractClientServerTestBase.stopAllServers();
+    }
+
+    @Test
+    public void testFindUserCert() throws URISyntaxException, NamingException, CertificateException {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        X509Certificate cert = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN);
+        assertNotNull(cert);
+    }
+
+    @Test
+    public void testFindUserCertForNonExistentDn() throws URISyntaxException, NamingException, CertificateException {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        X509Certificate cert = persistenceManager.findBySubjectDn("CN=wrong");
+        assertNull("Certificate should be null", cert);
+    }
+
+    @Test
+    public void testSave() throws Exception {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        URL url = this.getClass().getResource("cert1.cer");
+        CertificateFactory factory = CertificateFactory.getInstance("X.509");
+        X509Certificate cert = (X509Certificate) factory.generateCertificate(url.openStream());
+        assertNotNull(cert);
+
+        UseKeyWithType key = new UseKeyWithType();
+        key.setApplication(Applications.PKIX.getUri());
+        key.setIdentifier(EXPECTED_SUBJECT_DN2);
+        persistenceManager.saveCertificate(cert, key);
+
+        X509Certificate foundCert = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN2);
+        assertNotNull(foundCert);
+    }
+
+    @Test
+    public void testSaveServiceCert() throws Exception {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        URL url = this.getClass().getResource("cert1.cer");
+        CertificateFactory factory = CertificateFactory.getInstance("X.509");
+        X509Certificate cert = (X509Certificate) factory.generateCertificate(url.openStream());
+        assertNotNull(cert);
+
+        UseKeyWithType key = new UseKeyWithType();
+        key.setApplication(Applications.SERVICE_NAME.getUri());
+        key.setIdentifier(EXPECTED_SERVICE_URI);
+        persistenceManager.saveCertificate(cert, key);
+
+        X509Certificate foundCert = persistenceManager.findByServiceName(EXPECTED_SERVICE_URI);
+        assertNotNull(foundCert);
+    }
+
+    private CertificateRepo createLdapCertificateRepo() throws CertificateException {
+        LdapSearch ldapSearch = new LdapSearch("ldap://localhost:" + super.getLdapServer().getPort(),
+            "UID=admin,DC=example,DC=com", "ldap_su", 2);
+
+        LdapSchemaConfig ldapSchemaConfig = new LdapSchemaConfig();
+        ldapSchemaConfig.setAttrCrtBinary("userCertificate");
+        return new LdapCertificateRepo(ldapSearch, ldapSchemaConfig, ROOT_DN);
+    }
+
+}
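Review bot: `factory.generateCertificate(url.openStream())` in testSave and testSaveServiceCert never closes the stream that openStream() returns; wrap it as `try (InputStream in = url.openStream()) { cert = (X509Certificate) factory.generateCertificate(in); }` (java.io.InputStream would need an import). Both tests then assert only that the saved entry is found again, which would also pass if the DN lookup returned some other entry; `assertEquals(cert, foundCert)` (statically imported like the other assertions) would pin the CXF-8043 behaviour the commit title describes. `getResource("cert1.cer")` can return null, in which case the test dies with an NPE rather than a readable failure, so an `assertNotNull(url)` before use is worth the line.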
diff --git a/systests/ldap/src/test/resources/ldap.ldif b/systests/ldap/src/test/resources/ldap.ldif
index ac82b07..6c8345e 100644
--- a/systests/ldap/src/test/resources/ldap.ldif
+++ b/systests/ldap/src/test/resources/ldap.ldif
@@ -13,6 +13,11 @@
 objectClass: organizationalUnit
 objectClass: top
 ou: other-users
+dn: ou=services,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: services
+
 dn: ou=groups,dc=example,dc=com
 objectClass: top
 objectClass: organizationalUnit
diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/resources/cert1.cer b/systests/ldap/src/test/resources/org/apache/cxf/systest/ldap/xkms/cert1.cer
similarity index 100%
rename from services/xkms/xkms-x509-repo-ldap/src/test/resources/cert1.cer
rename to systests/ldap/src/test/resources/org/apache/cxf/systest/ldap/xkms/cert1.cer
