This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit b5585a9e5d4fec020cc5ebadb82f899fae22bc43
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Apr 13 12:54:24 2021 +0100

    Expanded tests to cover nested roles and fix escaping issues in search
---
 java/org/apache/catalina/realm/JNDIRealm.java      |  9 ++++--
 .../catalina/realm/TestJNDIRealmIntegration.java   | 34 +++++++++++++++++++++-
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index 3e494c1..1c11f8c 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1961,8 +1961,13 @@ public class JNDIRealm extends RealmBase {
                 Map<String, String> newThisRound = new HashMap<>(); // Stores 
the groups we find in this iteration
 
                 for (Entry<String, String> group : newGroups.entrySet()) {
-                    filter = connection.roleFormat.format(new String[] { 
doFilterEscaping(group.getKey()),
-                            group.getValue(), group.getValue() });
+                    // Group key is already value escaped if required
+                    // Group value is not value escaped
+                    // Everything needs to be filter escaped
+                    filter = connection.roleFormat.format(new String[] {
+                            doFilterEscaping(group.getKey()),
+                            
doFilterEscaping(doAttributeValueEscaping(group.getValue())),
+                            
doFilterEscaping(doAttributeValueEscaping(group.getValue())) });
 
                     if (containerLog.isTraceEnabled()) {
                         containerLog.trace("Perform a nested group search with 
base "+ roleBase +
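Review bot: The escaped group name is built twice in the new `format` call, so the second and third arguments can drift apart in a later edit. Hoisting it into a local keeps them identical: `String escapedName = doFilterEscaping(doAttributeValueEscaping(group.getValue()));`. The new comment says the group key is "already value escaped if required", but the code that does this is outside the hunk. It would help to name the place where entries are put into `newGroups`, for example `// Key is the group DN as returned by the directory search; value escaping is applied when it is added to newGroups`. If any path adds a raw DN to that map, the key would reach the filter with only filter escaping applied. The enclosing loop and method start and end outside this hunk.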
diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
index 8302e47..cf47369 100644
--- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
@@ -52,7 +52,7 @@ public class TestJNDIRealmIntegration {
 
     private static InMemoryDirectoryServer ldapServer;
 
-    @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")
+    @Parameterized.Parameters(name = "{index}: user[{4}], pwd[{5}]")
     public static Collection<Object[]> parameters() {
         List<Object[]> parameterSets = new ArrayList<>();
         for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, 
ROLE_SEARCH_C }) {
@@ -71,6 +71,8 @@ public class TestJNDIRealmIntegration {
                 "t;", "test", new String[] {"TestGroup"} });
         parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch,
                 "t*", "test", new String[] {"TestGroup"} });
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch,
+                "t=", "test", new String[] {"Test<Group*2", "Test>Group*3"} });
     }
 
 
@@ -102,6 +104,7 @@ public class TestJNDIRealmIntegration {
         realm.setRoleName("cn");
         realm.setRoleBase("ou=people,dc=example,dc=com");
         realm.setRoleSearch(realmConfigRoleSearch);
+        realm.setRoleNested(true);
 
         GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, 
credentials);
 
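Review bot: `realm.setRoleNested(true)` is now set for every parameter set, so the test no longer runs the realm with nested lookup disabled. A regression that only shows up in that configuration would pass unnoticed, for example nested groups being returned when they should not be. Consider making nesting a test parameter and deriving the expected groups from it, so that the `t=` user expects only `Test<Group*2` when nesting is off. The rest of the test method lies outside this hunk, so the assertions on the returned roles may need the same adjustment.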
@@ -178,6 +181,17 @@ public class TestJNDIRealmIntegration {
             result = conn.processOperation(addUserTestAsterisk);
             Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
 
+            AddRequest addUserTestEquals = new AddRequest(
+                    "dn: cn=t\\=,ou=people,dc=example,dc=com",
+                    "objectClass: top",
+                    "objectClass: person",
+                    "objectClass: organizationalPerson",
+                    "cn: t=",
+                    "sn: Tequals",
+                    "userPassword: test");
+            result = conn.processOperation(addUserTestEquals);
+            Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+
             AddRequest addGroupTest = new AddRequest(
                     "dn: cn=TestGroup,ou=people,dc=example,dc=com",
                     "objectClass: top",
@@ -188,6 +202,24 @@ public class TestJNDIRealmIntegration {
                     "member: cn=t\\*,ou=people,dc=example,dc=com");
             result = conn.processOperation(addGroupTest);
             Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+
+            AddRequest addGroupTest2 = new AddRequest(
+                    "dn: cn=Test\\<Group*2,ou=people,dc=example,dc=com",
+                    "objectClass: top",
+                    "objectClass: groupOfNames",
+                    "cn: Test<Group*2",
+                    "member: cn=t\\=,ou=people,dc=example,dc=com");
+            result = conn.processOperation(addGroupTest2);
+            Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
+
+            AddRequest addGroupTest3 = new AddRequest(
+                    "dn: cn=Test\\>Group*3,ou=people,dc=example,dc=com",
+                    "objectClass: top",
+                    "objectClass: groupOfNames",
+                    "cn: Test>Group*3",
+                    "member: cn=Test\\<Group*2,ou=people,dc=example,dc=com");
+            result = conn.processOperation(addGroupTest3);
+            Assert.assertEquals(ResultCode.SUCCESS, result.getResultCode());
         }
     }
 
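Review bot: The two new group entries cover `<`, `>` and `*` in the nested search, but no name contains `(`, `)` or `\`, which also need escaping in an LDAP search filter. Adding one more `groupOfNames` entry whose `cn` includes a parenthesis or backslash, chained as a member like `addGroupTest3`, would pin the filter-escaping half of the fix as well as the DN-escaping half. A short comment above `addGroupTest2` would also help, such as `// Group names contain DN- and filter-special characters to exercise escaping in the nested role search`, since the odd names otherwise look accidental.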
