Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2021/05/26 09:06:36 UTC
svn commit: r1890220 - in /jackrabbit/oak/trunk/oak-auth-ldap: ./
src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/
Author: angela
Date: Wed May 26 09:06:36 2021
New Revision: 1890220
URL: http://svn.apache.org/viewvc?rev=1890220&view=rev
Log:
OAK-9442 : LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol
Modified:
jackrabbit/oak/trunk/oak-auth-ldap/pom.xml
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java
jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
Modified: jackrabbit/oak/trunk/oak-auth-ldap/pom.xml
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/pom.xml?rev=1890220&r1=1890219&r2=1890220&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/pom.xml (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/pom.xml Wed May 26 09:06:36 2021
@@ -35,8 +35,8 @@
<apacheds.test.version>2.0.0-M24</apacheds.test.version>
<!-- enable execution of jacoco and set minimal line coverage -->
<skip.coverage>false</skip.coverage>
- <minimum.line.coverage>0.92</minimum.line.coverage>
- <minimum.branch.coverage>0.86</minimum.branch.coverage>
+ <minimum.line.coverage>0.93</minimum.line.coverage>
+ <minimum.branch.coverage>0.88</minimum.branch.coverage>
</properties>
<build>
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1890220&r1=1890219&r2=1890220&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Wed May 26 09:06:36 2021
@@ -17,7 +17,6 @@
package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -29,7 +28,6 @@ import java.util.NoSuchElementException;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
-import javax.net.ssl.SSLContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.pool2.impl.DefaultPooledObject;
@@ -126,11 +124,6 @@ public class LdapIdentityProvider implem
private PoolableUnboundConnectionFactory userConnectionFactory;
/**
- * SSL protocols (initialized on init)
- */
- private String[] enabledSSLProtocols;
-
- /**
* Default constructor for OSGi
*/
@SuppressWarnings("UnusedDeclaration")
@@ -502,15 +495,6 @@ public class LdapIdentityProvider implem
throw new IllegalStateException("Provider already initialized.");
}
- // make sure the JVM supports the TLSv1.1
- try {
- enabledSSLProtocols = null;
- SSLContext.getInstance("TLSv1.1");
- } catch (NoSuchAlgorithmException e) {
- log.warn("JDK does not support TLSv1.1. Disabling it.");
- enabledSSLProtocols = new String[]{"TLSv1"};
- }
-
// setup admin connection pool
LdapConnectionConfig cc = createConnectionConfig();
String bindDN = config.getBindDN();
@@ -573,8 +557,9 @@ public class LdapIdentityProvider implem
cc.setTrustManagers(new NoVerificationTrustManager());
}
- if (enabledSSLProtocols != null) {
- cc.setEnabledProtocols(enabledSSLProtocols);
+ String[] enabledProtocols = config.enabledProtocols();
+ if (enabledProtocols != null && enabledProtocols.length > 0) {
+ cc.setEnabledProtocols(enabledProtocols);
}
return cc;
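Review bot: A configured protocol name that the JVM does not support is now handed straight to `cc.setEnabledProtocols(enabledProtocols)` and, as far as I can tell from here, will only surface when the first TLS handshake is attempted, whereas the removed init-time `SSLContext` probe at least failed early. Consider validating the names in `init()` against `SSLContext.getDefault().getSupportedSSLParameters().getProtocols()` and failing fast with the offending value in the message; that would need the `javax.net.ssl.SSLContext` import this commit drops. The null/empty branch also deserves a comment, since it now decides the effective protocol set: `// null or empty: no override, the LDAP API's own default protocol set applies`. createConnectionConfig begins outside the hunk.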
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java?rev=1890220&r1=1890219&r2=1890220&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java Wed May 26 09:06:36 2021
@@ -128,6 +128,17 @@ public class LdapProviderConfig {
boolValue = PARAM_NO_CERT_CHECK_DEFAULT
)
public static final String PARAM_NO_CERT_CHECK = "host.noCertCheck";
+
+ /**
+ * @see #enabledProtocols()
+ */
+ @Property(
+ label = "Enabled Protocols",
+ description = "Allows to explicitly set the enabled protocols on the LdapConnectionConfig.",
+ value = {},
+ cardinality = Integer.MAX_VALUE
+ )
+ public static final String PARAM_ENABLED_PROTOCOLS = "host.enabledProtocols";
/**
* @see #getBindDN()
@@ -927,6 +938,10 @@ public class LdapProviderConfig {
cfg.getUserPoolConfig().setTimeBetweenEvictionRunsMillis(msTberUser.value);
}
+ String[] enabledProtocols = params.getConfigValue(PARAM_ENABLED_PROTOCOLS, new String[0]);
+ if (enabledProtocols.length > 0) {
+ cfg.setEnabledProtocols(enabledProtocols);
+ }
return cfg;
}
@@ -941,6 +956,8 @@ public class LdapProviderConfig {
private boolean useTLS = PARAM_USE_TLS_DEFAULT;
private boolean noCertCheck = PARAM_NO_CERT_CHECK_DEFAULT;
+
+ private String[] enabledProtocols = null;
private String bindDN = PARAM_BIND_DN_DEFAULT;
@@ -1111,6 +1128,30 @@ public class LdapProviderConfig {
}
/**
+ * Configures whether enabled protocols should be set on the {@code LdapConnectionConfig}.
+ *
+ * @return an array of enabled protocols or null if no protocols should be explicitly enabled
+ */
+ @Nullable
+ public String[] enabledProtocols() {
+ return enabledProtocols;
+ }
+
+ /**
+ * Configures the enabled protocols to be set to the {@code LdapConnectionConfig}. By default no protocols are
+ * set explicitly.
+ *
+ * @param enabledProtocols The protocols to be enabled on the {@code LdapConnectionConfig}.
+ * @return {@code this}
+ * @see #enabledProtocols()
+ */
+ @NotNull
+ public LdapProviderConfig setEnabledProtocols(@NotNull String... enabledProtocols) {
+ this.enabledProtocols = enabledProtocols;
+ return this;
+ }
+
+ /**
* Configures the DN that is used to bind to the LDAP server. If this value is {@code null} or an empty string,
* anonymous connections are used.
* @return the bind DN or {@code null}.
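Review bot: `setEnabledProtocols` stores the caller's varargs array and `enabledProtocols()` hands the same array back, so the effective protocol set can be changed after configuration by mutating the array that was passed in or returned. Copying on both sides keeps the config stable once built: `this.enabledProtocols = enabledProtocols.clone();` in the setter and `return enabledProtocols == null ? null : enabledProtocols.clone();` in the getter. The getter's Javadoc also opens with "Configures whether ...", which describes the setter; suggest `Returns the protocols to be explicitly enabled on the {@code LdapConnectionConfig}, or {@code null} if the library default applies.`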
@@ -1387,6 +1428,7 @@ public class LdapProviderConfig {
sb.append(", useSSL=").append(useSSL);
sb.append(", useTLS=").append(useTLS);
sb.append(", noCertCheck=").append(noCertCheck);
+ sb.append(", enabledProtocols=").append(enabledProtocols);
sb.append(", bindDN='").append(bindDN).append('\'');
sb.append(", bindPassword='***'");
sb.append(", searchTimeout=").append(searchTimeout);
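Review bot: `append(enabledProtocols)` on a `String[]` resolves to `StringBuilder.append(Object)` and prints the array's identity (`[Ljava.lang.String;@...`) rather than its contents, so the configured protocols are unreadable in logs and diagnostics. Use `sb.append(", enabledProtocols=").append(Arrays.toString(enabledProtocols));`, which also renders an unset value as the literal `null`; `java.util.Arrays` may need importing if the class does not already use it. toString's body starts and ends outside the hunk.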
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java?rev=1890220&r1=1890219&r2=1890220&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java Wed May 26 09:06:36 2021
@@ -20,6 +20,7 @@ package org.apache.jackrabbit.oak.securi
import com.google.common.collect.Lists;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
@@ -36,20 +37,27 @@ import static org.junit.Assert.assertNot
@RunWith(Parameterized.class)
public class LdapIdentityProviderUseSSLTest extends AbstractLdapIdentityProviderTest {
+ private static final String PROTOCOL = "TLSv1.2";
+
@Parameterized.Parameters(name = "LdapConfiguration with {2}")
public static Collection<Object[]> parameters() {
return Lists.newArrayList(
- new Object[] {false, false, "useSSL=false, useTLS=false"},
- new Object[] {true, false, "useSSL=true, useTLS=false"},
- new Object[] {false, true, "useSSL=false, useTLS=true"},
- new Object[] {true, true, "useSSL=true, useTLS=true"}
+ new Object[] {false, false, null, "useSSL=false, useTLS=false, enabled_protocols=NA"},
+ new Object[] {true, false, null, "useSSL=true, useTLS=false, enabled_protocols=NA"},
+ new Object[] {true, false, new String[] {PROTOCOL}, "useSSL=true, useTLS=false, enabled_protocols=["+PROTOCOL+"]"},
+ new Object[] {false, true, null, "useSSL=false, useTLS=true, enabled_protocols=NA"},
+ new Object[] {false, true, new String[] {PROTOCOL}, "useSSL=false, useTLS=true, enabled_protocols=["+PROTOCOL+"]"},
+ new Object[] {true, true, new String[0], "useSSL=true, useTLS=true, enabled_protocols=[]"}
);
}
+
+ private final String[] enabledProtocols;
- public LdapIdentityProviderUseSSLTest(boolean useSSL, boolean useTLS, String name) {
+ public LdapIdentityProviderUseSSLTest(boolean useSSL, boolean useTLS, @Nullable String[] enabledProtocols, @NotNull String name) {
super();
this.useSSL = useSSL;
this.useTLS = useTLS;
+ this.enabledProtocols = enabledProtocols;
}
@Override
@@ -59,6 +67,9 @@ public class LdapIdentityProviderUseSSLT
config.setUseSSL(useSSL);
config.setUseTLS(useTLS);
config.setNoCertCheck(true);
+ if (enabledProtocols != null) {
+ config.setEnabledProtocols(enabledProtocols);
+ }
return config;
}
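Review bot: Setting `enabledProtocols` on the config is, as far as the hunk shows, only exercised by whatever connection checks the inherited test methods already make; nothing added here asserts on the protocol actually negotiated, so a regression in which the setting is silently ignored would presumably still pass. If the base test exposes the connection, an assertion on the negotiated protocol for the `[TLSv1.2]` rows would make the parameterization meaningful; otherwise a comment such as `// only verifies that connecting with the given protocol set succeeds, not which protocol is negotiated` would keep the coverage claim honest. The enclosing method starts outside the hunk.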
Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java?rev=1890220&r1=1890219&r2=1890220&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java Wed May 26 09:06:36 2021
@@ -24,12 +24,14 @@ import java.util.Map;
import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME;
import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS;
+import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ENABLED_PROTOCOLS;
import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_SEARCH_TIMEOUT_DEFAULT;
import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME;
import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
public class LdapProviderConfigTest {
@@ -314,4 +316,19 @@ public class LdapProviderConfigTest {
LdapProviderConfig config = LdapProviderConfig.of(ConfigurationParameters.of(LdapProviderConfig.PARAM_SEARCH_TIMEOUT, "invalid"));
assertEquals(ConfigurationParameters.Milliseconds.of(PARAM_SEARCH_TIMEOUT_DEFAULT).value, config.getSearchTimeout());
}
+
+ @Test
+ public void testEnabledProtocols() {
+ LdapProviderConfig config = LdapProviderConfig.of(ConfigurationParameters.of());
+ assertNull(config.enabledProtocols());
+
+ config.setEnabledProtocols("TLSv1.3", "TLSv1.2");
+ assertArrayEquals(new String[] {"TLSv1.3", "TLSv1.2"}, config.enabledProtocols());
+
+ config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, "TLSv1.3"));
+ assertArrayEquals(new String[] {"TLSv1.3"}, config.enabledProtocols());
+
+ config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, new String[] {"TLSv1.3", "TLSv1.2"}));
+ assertArrayEquals(new String[] {"TLSv1.3", "TLSv1.2"}, config.enabledProtocols());
+ }
}
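Review bot: The test does not cover an empty array supplied through the parameters, which `of()` deliberately skips via its `length > 0` guard and which should therefore leave `enabledProtocols()` at `null`. Two lines pin that: `config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, new String[0]));` followed by `assertNull(config.enabledProtocols());`.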
\ No newline at end of file