This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Apr 13 12:11:35 2021 +0100

    Expand tests and fix an issue in escaping for group search
---
 java/org/apache/catalina/realm/JNDIRealm.java      |  9 +++++++-
 .../catalina/realm/TestJNDIRealmIntegration.java   | 26 ++++++++++++++--------
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index a1e9bc7..d6976c7 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1855,7 +1855,11 @@ public class JNDIRealm extends RealmBase {
             return null;
         }
 
+        // This is returned from the directory so will be attribute value
+        // escaped if required
         String dn = user.getDN();
+        // This is the name the user provided to the authentication process so
+        // it will not be escaped
         String username = user.getUserName();
         String userRoleId = user.getUserRoleId();
 
@@ -1888,7 +1892,10 @@ public class JNDIRealm extends RealmBase {
         }
 
         // Set up parameters for an appropriate search
-        String filter = connection.roleFormat.format(new String[] { 
doFilterEscaping(dn), username, userRoleId });
+        String filter = connection.roleFormat.format(new String[] {
+                doFilterEscaping(dn),
+                doFilterEscaping(doAttributeValueEscaping(username)),
+                userRoleId });
         SearchControls controls = new SearchControls();
         if (roleSubtree) {
             controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
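Review bot: `userRoleId` is still passed to `roleFormat.format(...)` unescaped in the rewritten call, so a `{2}` placeholder in the role search receives the value verbatim while `{0}` and `{1}` are now filter-escaped. The value is presumably read from the directory via the user role attribute, so unless it is known to be filter-safe here it should be wrapped too, e.g. `doFilterEscaping(userRoleId) });`. The `String userRoleId = user.getUserRoleId();` declaration in the first hunk also deserves a comment like those added for `dn` and `username`, stating where the value comes from and whether it is already attribute-value escaped. In TestJNDIRealmIntegration the new `ROLE_SEARCH_A` and `ROLE_SEARCH_B` patterns use only `{0}` and `{1}`, even though `setUserRoleAttribute("cn")` is now set, so a third pattern using `{2}` would be needed to cover this path. The enclosing method starts and ends outside both hunks, so any handling of `userRoleId` elsewhere in it is not visible here.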
diff --git a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java 
b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
index ef0cc35..3d9969e 100644
--- a/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ b/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
@@ -46,24 +46,29 @@ public class TestJNDIRealmIntegration {
     private static final String USER_PATTERN = 
"cn={0},ou=people,dc=example,dc=com";
     private static final String USER_SEARCH = "cn={0}";
     private static final String USER_BASE = "ou=people,dc=example,dc=com";
+    private static final String ROLE_SEARCH_A = "member={0}";
+    private static final String ROLE_SEARCH_B = 
"member=cn={1},ou=people,dc=example,dc=com";
 
     private static InMemoryDirectoryServer ldapServer;
 
     @Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")
     public static Collection<Object[]> parameters() {
         List<Object[]> parameterSets = new ArrayList<>();
-        addUsers(USER_PATTERN, null, null, parameterSets);
-        addUsers(null, USER_SEARCH, USER_BASE, parameterSets);
+        for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B 
}) {
+            addUsers(USER_PATTERN, null, null, roleSearch, parameterSets);
+            addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets);
+        }
         return parameterSets;
     }
 
 
-    private static void addUsers(String userPattern, String userSearch, String 
userBase, List<Object[]> parameterSets) {
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+    private static void addUsers(String userPattern, String userSearch, String 
userBase, String roleSearch,
+            List<Object[]> parameterSets) {
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch,
                 "test", "test", new String[] {"TestGroup"} });
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch,
                 "t;", "test", new String[] {"TestGroup"} });
-        parameterSets.add(new Object[] { userPattern, userSearch, userBase,
+        parameterSets.add(new Object[] { userPattern, userSearch, userBase, 
roleSearch,
                 "t*", "test", new String[] {"TestGroup"} });
     }
 
@@ -75,10 +80,12 @@ public class TestJNDIRealmIntegration {
     @Parameter(2)
     public String realmConfigUserBase;
     @Parameter(3)
-    public String username;
+    public String realmConfigRoleSearch;
     @Parameter(4)
-    public String credentials;
+    public String username;
     @Parameter(5)
+    public String credentials;
+    @Parameter(6)
     public String[] groups;
 
     @Test
@@ -90,9 +97,10 @@ public class TestJNDIRealmIntegration {
         realm.setUserPattern(realmConfigUserPattern);
         realm.setUserSearch(realmConfigUserSearch);
         realm.setUserBase(realmConfigUserBase);
+        realm.setUserRoleAttribute("cn");
         realm.setRoleName("cn");
         realm.setRoleBase("ou=people,dc=example,dc=com");
-        realm.setRoleSearch("member={0}");
+        realm.setRoleSearch(realmConfigRoleSearch);
 
         GenericPrincipal p = (GenericPrincipal) realm.authenticate(username, 
credentials);
 
