Posted to commits@directory.apache.org by el...@apache.org on 2014/10/21 01:06:57 UTC

[40/50] git commit: FC-143 - Add SSL to Unbound connection pool

FC-143 - Add SSL to Unbound connection pool


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/9f428f04
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/9f428f04
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/9f428f04

Branch: refs/heads/master
Commit: 9f428f04da4821d89f35acfbc3d9cda900e76166
Parents: 35ef63d
Author: Shawn McKinney <sh...@jts.us>
Authored: Sat Aug 2 22:55:52 2014 -0500
Committer: Shawn McKinney <sh...@jts.us>
Committed: Sat Aug 2 22:55:52 2014 -0500

----------------------------------------------------------------------
 .../openldap/fortress/ldap/ConnectionPool.java  | 140 ++++++++++++++++---
 1 file changed, 121 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/9f428f04/src/main/java/org/openldap/fortress/ldap/ConnectionPool.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/ldap/ConnectionPool.java b/src/main/java/org/openldap/fortress/ldap/ConnectionPool.java
index 424e538..b092ead 100755
--- a/src/main/java/org/openldap/fortress/ldap/ConnectionPool.java
+++ b/src/main/java/org/openldap/fortress/ldap/ConnectionPool.java
@@ -1,4 +1,17 @@
-/* Notice:
+/*
+ * This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2014 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
+ *
  * The contents of this file are subject to the Netscape Public
  * License Version 1.1 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of
@@ -31,33 +44,33 @@
 package org.openldap.fortress.ldap;
 
 
+import java.security.GeneralSecurityException;
 import java.util.Date;
 
+import com.unboundid.ldap.sdk.migrate.ldapjdk.JavaToLDAPSocketFactory;
+import com.unboundid.util.ssl.SSLUtil;
+import com.unboundid.util.ssl.TrustStoreTrustManager;
+import org.openldap.fortress.cfg.Config;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
 import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
 
+import javax.net.ssl.SSLSocketFactory;
+
 
 /**
- * Connection pool class is used by {@link PoolMgr} to manage live connections to the ldap server.  The connection pools
- * increase speed for data access by avoiding cost of recreating connections for every ldap request.
- * </p>
- * <p/>
- * The contents of this file were derived from the ConnectionPool in Mozilla Java LDAP SDK and are subject to the Netscape Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of the License at
- * <a href="http://www.mozilla.org/MPL/MPL-1.1.html/">Mozilla Public License Version 1.1</a> or see
- * <a href="http://www.mozilla.org/MPL/">Mozilla Public License</a> for more info.
- * <p/>
- * </p>
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * <p/>
+ * This connection pool class is used by Fortress {@link PoolMgr}.
+ * PoolMgr operations utilize multiple instances of this class to connections for different purposes.
+ * For example the 'admin' pool contains connections that have privileges to make modifications to the directory data during administrative operations {@link org.openldap.fortress.AdminMgr}.
+ * The 'user' pool contain unprivileged connections used for authentication processing only, {@link org.openldap.fortress.AccessMgr}.
+ * A 3rd pool, may be used to interrogate data stored by OpenLDAP's slapo access log info, This is used interrogating the fortress audit log events, {@link org.openldap.fortress.AuditMgr}.
+ * The contents of this file have been derived from the original, Mozilla Java LDAP SDK, and are subject to the Netscape Public License Version 1.1 (the "License")
+ * as described at the top of this file;
+ * The code mods include additional functionality to enable SSL connections in pool.  There have been other updates to the original functions to integrate with UnboundID's Java LDAP SDK.
  * </p>
+ * Original Mozilla javadoc:
  * Class to maintain a pool of individual connections to the
  * same server. Specify the initial size and the max size
  * when constructing a pool. Call getConnection() to obtain
@@ -436,6 +449,14 @@ class ConnectionPool
     }
 
 
+    /**
+     * *** FORTRESS MOD ****
+     *
+     * Create pool of LDAP connections to server.  Add SSL capability using unboundId's compatibility utility.
+     *
+     * @param size number of connections to generate and store in pool
+     * @throws LDAPException in the event of system error.
+     */
     private synchronized void setUpPool( int size )
         throws LDAPException
     {
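Review bot: The added `@throws LDAPException in the event of system error.` is vaguer than what the code actually does: createConnection() rethrows a GeneralSecurityException from SSL socket factory creation as an LDAPException with CONNECT_ERROR, and connect() throws on connect or bind failure. Suggest `@throws LDAPException if connecting or binding to the server fails, or, when SSL is enabled, the trust store cannot be loaded into an SSL socket factory.` The body of setUpPool continues past the end of this hunk.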
@@ -444,8 +465,8 @@ class ConnectionPool
         {
             LDAPConnectionObject co =
                 new LDAPConnectionObject();
-            // Make LDAP connection, using template if available
-            LDAPConnection newConn = new LDAPConnection();
+
+            LDAPConnection newConn = createConnection( );
             newConn.connect( host, port, authdn, authpw );
             co.setLDAPConn( newConn );
             co.setInUse( false ); // Mark not in use
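Review bot: The simple bind at L126 sends `authpw` to the server, and when IS_SSL is false that happens in cleartext on the wire; nothing in this loop records which mode was actually chosen, so a pool that ended up unencrypted is indistinguishable from an SSL one in the logs. A single line before the bind, e.g. `LOG.debug( "connecting to {}:{} ssl={}", host, port, IS_SSL );`, makes a plaintext pool visible during incident triage without logging the credential. Note also that the TLS handshake itself happens inside connect(), not in createConnection(), so a trust-store or certificate failure will surface here as a generic LDAPException — presumably worth catching and rethrowing with host, port and the SSL flag in the message. setUpPool starts before and ends after this hunk.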
@@ -453,6 +474,87 @@ class ConnectionPool
         }
     }
 
+    /**
+     * *** FORTRESS MOD ****
+     *
+     * Used to manage trust store properties.  If enabled, create SSL connection.
+     *
+     */
+    private static final String ENABLE_LDAP_SSL = "enable.ldap.ssl";
+    private static final String ENABLE_LDAP_SSL_DEBUG = "enable.ldap.ssl.debug";
+    private static final String TRUST_STORE = Config.getProperty( "trust.store" );
+    private static final String TRUST_STORE_PW = Config.getProperty( "trust.store.password" );
+    private static final boolean IS_SSL = (
+        Config.getProperty( ENABLE_LDAP_SSL ) != null   &&
+        Config.getProperty( ENABLE_LDAP_SSL ).equalsIgnoreCase( "true" ) &&
+        TRUST_STORE      != null   &&
+        TRUST_STORE_PW   != null );
+
+    private static final String SET_TRUST_STORE_PROP = "trust.store.set.prop";
+    private static final boolean IS_SET_TRUST_STORE_PROP = (
+        IS_SSL &&
+        Config.getProperty( SET_TRUST_STORE_PROP ) != null   &&
+        Config.getProperty( SET_TRUST_STORE_PROP ).equalsIgnoreCase( "true" ));
+
+    private static final boolean IS_SSL_DEBUG = ( ( Config.getProperty( ENABLE_LDAP_SSL_DEBUG ) != null ) && ( Config
+        .getProperty( ENABLE_LDAP_SSL_DEBUG ).equalsIgnoreCase( "true" ) ) );
+
+    static
+    {
+        if(IS_SET_TRUST_STORE_PROP)
+        {
+            LOG.info( "Set JSSE truststore properties:");
+            LOG.info( "javax.net.ssl.trustStore: " + TRUST_STORE );
+            LOG.info( "javax.net.debug: " + new Boolean( IS_SSL_DEBUG ).toString());
+            System.setProperty( "javax.net.ssl.trustStore", TRUST_STORE );
+            System.setProperty( "javax.net.ssl.trustStorePassword", TRUST_STORE_PW );
+            System.setProperty( "javax.net.debug", new Boolean( IS_SSL_DEBUG ).toString() );
+        }
+    }
+
+    /**
+     * *** FORTRESS MOD ****
+     *
+     * If enabled, use Unbound compatibility lib to create SSL connection.
+     *
+     * @return handle to LDAPConnection
+     * @throws LDAPException wrap GeneralSecurityException or throws ldapexcep.
+     */
+    private LDAPConnection createConnection() throws LDAPException
+    {
+        LDAPConnection newConn = null;
+        if(IS_SSL)
+        {
+            // Generate SSL Connection using Unbound compatibility lib utils:
+            // http://stackoverflow.com/questions/22672477/unboundid-ldap-jdk-migration
+            SSLSocketFactory sslSocketFactory;
+            //SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
+            // These config values set in fortress.properties
+            SSLUtil sslUtil = new SSLUtil(
+                new TrustStoreTrustManager(
+                    TRUST_STORE,
+                    TRUST_STORE_PW.toCharArray() , null, true ) );
+            try
+            {
+                sslSocketFactory = sslUtil.createSSLSocketFactory();
+            }
+            catch(GeneralSecurityException e)
+            {
+                String error = "GeneralSecurityException while creating SSL socket factory=" + e;
+                throw new LDAPException( error, LDAPException.CONNECT_ERROR );
+            }
+            JavaToLDAPSocketFactory ldapSocketFactory =
+                new JavaToLDAPSocketFactory(sslSocketFactory);
+            newConn = new LDAPConnection(ldapSocketFactory);
+        }
+        else
+        {
+            // Make LDAP connection, using template if available
+            newConn = new LDAPConnection();
+        }
+        return newConn;
+    }
+
 
     private int find( LDAPConnection con )
     {