Posted to commits@cxf.apache.org by co...@apache.org on 2019/05/15 11:26:15 UTC

[cxf] 01/02: CXF-8043 - XKMS LdapCertificateRepo searching using DN doesn't work

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit d1ba0e2ecf652f963c5887a9680e0271ecf900b4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed May 15 12:09:20 2019 +0100

    CXF-8043 - XKMS LdapCertificateRepo searching using DN doesn't work
    
    (cherry picked from commit 12f635546b2b2d84db78d07e20f58d23b04a8640)
---
 .../xkms/x509/repo/ldap/LdapCertificateRepo.java   |  26 ++--
 .../x509/repo/ldap/LDAPCertificateRepoTest.java    | 150 --------------------
 .../cxf/xkms/x509/repo/ldap/LDAPSearchTest.java    |  51 -------
 systests/ldap/pom.xml                              |   6 +
 .../systest/ldap/xkms/LDAPCertificateRepoTest.java | 151 +++++++++++++++++++++
 systests/ldap/src/test/resources/ldap.ldif         |   5 +
 .../org/apache/cxf/systest/ldap/xkms}/cert1.cer    |   0
 7 files changed, 177 insertions(+), 212 deletions(-)

diff --git a/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java b/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
index 5b81655..6f4bafb 100644
--- a/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
+++ b/services/xkms/xkms-x509-repo-ldap/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
@@ -186,11 +186,13 @@ public class LdapCertificateRepo implements CertificateRepo {
         } catch (NamingException e) {
              // Not found
         }
-        // Try to find certificate by search for uid attribute
-        try {
-            cert = getCertificateForUIDAttr(id);
-        } catch (NamingException e) {
-            // Not found
+        if (cert == null) {
+            // Try to find certificate by search for uid attribute
+            try {
+                cert = getCertificateForUIDAttr(id);
+            } catch (NamingException e) {
+                // Not found
+            }
         }
         return cert;
     }
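Review bot: The catch around the uid-attribute fallback on the new side still discards the NamingException with only a `// Not found` comment, so a bind or connectivity failure during the fallback reaches the caller as a null certificate, indistinguishable from an entry that genuinely does not exist; the fallback block in the next hunk (the serviceName variant) has the same shape. Consider at least logging the exception at debug level through the class's logger (not visible in this hunk) in both catches, so an operator can tell a directory error from a miss, e.g. `// Not found, or the search itself failed: log at debug so lookup errors are not mistaken for misses`. The enclosing method begins before this hunk, so the primary DN lookup whose result the new `if (cert == null)` guards is not visible here.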
@@ -204,12 +206,14 @@ public class LdapCertificateRepo implements CertificateRepo {
         } catch (NamingException e) {
             // Not found
         }
-        // Try to find certificate by search for uid attribute
-        try {
-            String uidAttr = String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName);
-            cert = getCertificateForUIDAttr(uidAttr);
-        } catch (NamingException e) {
-            // Not found
+        if (cert == null) {
+            // Try to find certificate by search for uid attribute
+            try {
+                String uidAttr = String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName);
+                cert = getCertificateForUIDAttr(uidAttr);
+            } catch (NamingException e) {
+                // Not found
+            }
         }
         return cert;
     }
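Review bot: `String.format(ldapConfig.getServiceCertUIDTemplate(), serviceName)` on the new side substitutes the caller-supplied serviceName into the uid value verbatim, and that value is then handed to `getCertificateForUIDAttr` for a search; whether that helper escapes LDAP filter metacharacters cannot be seen from this hunk, so it is worth confirming, as the service name presumably originates from the XKMS request rather than from configuration. A short comment at the format call would make the division of responsibility explicit for the next reader: `// serviceName is inserted into the template as-is; any filter escaping must happen in getCertificateForUIDAttr`. The enclosing method begins before this hunk.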
diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java b/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
deleted file mode 100644
index 970b03b..0000000
--- a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
+++ /dev/null
@@ -1,150 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.xkms.x509.repo.ldap;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-
-import javax.naming.NamingException;
-import javax.naming.directory.Attributes;
-
-import org.apache.cxf.xkms.handlers.Applications;
-import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
-import org.apache.cxf.xkms.x509.repo.CertificateRepo;
-
-import org.easymock.EasyMock;
-import org.easymock.IMocksControl;
-import org.junit.Assert;
-import org.junit.Ignore;
-import org.junit.Test;
-
-/**
- * Tests need a real ldap server
- */
-public class LDAPCertificateRepoTest {
-    private static final String EXPECTED_SUBJECT_DN = "CN=www.issuer.com, L=CGN, ST=NRW, C=DE, O=Issuer";
-    private static final String ROOT_DN = "dc=example,dc=com";
-    private static final String EXPECTED_SUBJECT_DN2 = "CN=www.issuer.com,L=CGN,ST=NRW,C=DE,O=Issuer";
-    private static final String EXPECTED_SERVICE_URI = "http://myservice.apache.org/MyServiceName";
-    private static final String EXPECTED_DN_FOR_SERVICE =
-            "cn=http:\\/\\/myservice.apache.org\\/MyServiceName,ou=services";
-    private static final LdapSchemaConfig LDAP_CERT_CONFIG = new LdapSchemaConfig();
-
-    @Test
-    @Ignore
-    public void testFindUserCert() throws URISyntaxException, NamingException, CertificateException {
-        CertificateRepo persistenceManager = createLdapCertificateRepo();
-        testFindBySubjectDnInternal(persistenceManager);
-    }
-
-    @Test
-    @Ignore
-    public void testFindUserCertForNonExistantDn() throws URISyntaxException, NamingException, CertificateException {
-        CertificateRepo persistenceManager = createLdapCertificateRepo();
-        X509Certificate cert = persistenceManager.findBySubjectDn("CN=wrong");
-        Assert.assertNull("Certifiacte should be null", cert);
-    }
-
-    @Test
-    @Ignore
-    public void testFindServiceCert() throws URISyntaxException, NamingException, CertificateException {
-        CertificateRepo persistenceManager = createLdapCertificateRepo();
-        String serviceUri = "cn=http:\\/\\/myservice.apache.org\\/MyServiceName,ou=services";
-        X509Certificate cert = persistenceManager.findByServiceName(serviceUri);
-        Assert.assertEquals(EXPECTED_SUBJECT_DN, cert.getSubjectDN().toString());
-    }
-
-    @Test
-    @Ignore
-    public void testSave() throws Exception {
-        CertificateRepo persistenceManager = createLdapCertificateRepo();
-        File certFile = new File("src/test/java/cert1.cer");
-        Assert.assertTrue(certFile.exists());
-        FileInputStream fis = new FileInputStream(certFile);
-        CertificateFactory factory = CertificateFactory.getInstance("X.509");
-        X509Certificate cert = (X509Certificate) factory.generateCertificate(fis);
-        fis.close();
-
-        UseKeyWithType key = new UseKeyWithType();
-        key.setApplication(Applications.PKIX.getUri());
-        key.setIdentifier(EXPECTED_SUBJECT_DN);
-        persistenceManager.saveCertificate(cert, key);
-        testFindBySubjectDnInternal(persistenceManager);
-    }
-
-    private CertificateRepo createLdapCertificateRepo() throws CertificateException {
-        LdapSearch ldapSearch = new LdapSearch("ldap://localhost:2389",
-            "cn=Directory Manager,dc=example,dc=com", "test", 2);
-        return new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, "dc=example,dc=com");
-    }
-
-    private void testFindBySubjectDnInternal(CertificateRepo persistenceManager) throws CertificateException {
-        X509Certificate cert2 = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN);
-        Assert.assertEquals(EXPECTED_SUBJECT_DN, cert2.getSubjectDN().toString());
-    }
-
-    @Test
-    public void testSaveUserCert() throws Exception {
-        IMocksControl c = EasyMock.createControl();
-        LdapSearch ldapSearch = c.createMock(LdapSearch.class);
-        ldapSearch.bind(EasyMock.eq(EXPECTED_SUBJECT_DN2 + "," + ROOT_DN), EasyMock.anyObject(Attributes.class));
-        EasyMock.expectLastCall().once();
-        LdapCertificateRepo ldapCertRepo = new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, ROOT_DN);
-        X509Certificate cert = getTestCert();
-
-        c.replay();
-        UseKeyWithType key = new UseKeyWithType();
-        key.setApplication(Applications.PKIX.getUri());
-        key.setIdentifier(EXPECTED_SUBJECT_DN2);
-        ldapCertRepo.saveCertificate(cert, key);
-        c.verify();
-    }
-
-    @Test
-    public void testSaveServiceCert() throws Exception {
-        IMocksControl c = EasyMock.createControl();
-        LdapSearch ldapSearch = c.createMock(LdapSearch.class);
-        ldapSearch.bind(EasyMock.eq(EXPECTED_DN_FOR_SERVICE + "," + ROOT_DN), EasyMock.anyObject(Attributes.class));
-        EasyMock.expectLastCall().once();
-        LdapCertificateRepo ldapCertRepo = new LdapCertificateRepo(ldapSearch, LDAP_CERT_CONFIG, ROOT_DN);
-        X509Certificate cert = getTestCert();
-
-        c.replay();
-        UseKeyWithType key = new UseKeyWithType();
-        key.setApplication(Applications.SERVICE_NAME.getUri());
-        key.setIdentifier(EXPECTED_SERVICE_URI);
-        ldapCertRepo.saveCertificate(cert, key);
-        c.verify();
-    }
-
-    private X509Certificate getTestCert() throws FileNotFoundException, CertificateException, IOException {
-        File certFile = new File("src/test/resources/cert1.cer");
-        Assert.assertTrue(certFile.exists());
-        try (FileInputStream fis = new FileInputStream(certFile)) {
-            CertificateFactory factory = CertificateFactory.getInstance("X.509");
-            return (X509Certificate) factory.generateCertificate(fis);
-        }
-    }
-}
diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java b/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java
deleted file mode 100644
index e029023..0000000
--- a/services/xkms/xkms-x509-repo-ldap/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPSearchTest.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.xkms.x509.repo.ldap;
-
-import java.net.URISyntaxException;
-
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.SearchResult;
-
-import org.junit.Ignore;
-import org.junit.Test;
-
-/**
- * Tests need a real ldap server
- */
-public class LDAPSearchTest {
-    @Test
-    @Ignore
-    public void testSearch() throws URISyntaxException, NamingException {
-        LdapSearch ldapSearch = new LdapSearch("ldap://localhost:2389",
-                                               "cn=Directory Manager,dc=example,dc=com", "test", 2);
-        NamingEnumeration<SearchResult> answer = ldapSearch.searchSubTree("dc=example, dc=com",
-                                                                          "(cn=Testuser)");
-        while (answer.hasMore()) {
-            SearchResult sr = answer.next();
-            Attributes attrs = sr.getAttributes();
-            Attribute cn = attrs.get("sn");
-            System.out.println(cn.get());
-        }
-    }
-
-}
diff --git a/systests/ldap/pom.xml b/systests/ldap/pom.xml
index e52a6be..cfe5b5b 100644
--- a/systests/ldap/pom.xml
+++ b/systests/ldap/pom.xml
@@ -163,6 +163,12 @@
             <scope>test</scope>
         </dependency>
         <dependency>
+            <groupId>org.apache.cxf.services.xkms</groupId>
+            <artifactId>cxf-services-xkms-x509-repo-ldap</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
         </dependency>
diff --git a/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java
new file mode 100644
index 0000000..001c2e4
--- /dev/null
+++ b/systests/ldap/src/test/java/org/apache/cxf/systest/ldap/xkms/LDAPCertificateRepoTest.java
@@ -0,0 +1,151 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ldap.xkms;
+
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import javax.naming.NamingException;
+
+import org.apache.cxf.testutil.common.AbstractClientServerTestBase;
+import org.apache.cxf.xkms.handlers.Applications;
+import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
+import org.apache.cxf.xkms.x509.repo.CertificateRepo;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig;
+import org.apache.cxf.xkms.x509.repo.ldap.LdapSearch;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreateIndex;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+
+@RunWith(FrameworkRunner.class)
+
+//Define the DirectoryService
+@CreateDS(name = "LDAPCertificateRepoTest-class",
+        enableAccessControl = false,
+        allowAnonAccess = false,
+        enableChangeLog = true,
+        partitions = {
+      @CreatePartition(
+          name = "example",
+          suffix = "dc=example,dc=com",
+          indexes = {
+              @CreateIndex(attribute = "objectClass"),
+              @CreateIndex(attribute = "dc"),
+              @CreateIndex(attribute = "ou")
+          }
+      ) }
+  )
+
+@CreateLdapServer(
+  transports = {
+      @CreateTransport(protocol = "LDAP", address = "localhost")
+      }
+  )
+
+//Inject an file containing entries
+@ApplyLdifFiles("ldap.ldif")
+
+/**
+ * Add a test for the XKMS LDAP CertificateRepo
+ */
+public class LDAPCertificateRepoTest extends AbstractLdapTestUnit {
+    private static final String EXPECTED_SUBJECT_DN = "cn=dave,ou=users";
+    private static final String ROOT_DN = "dc=example,dc=com";
+    private static final String EXPECTED_SUBJECT_DN2 = "cn=newuser,ou=users";
+    private static final String EXPECTED_SERVICE_URI = "http://myservice.apache.org/MyServiceName";
+
+    @org.junit.AfterClass
+    public static void cleanup() throws Exception {
+        AbstractClientServerTestBase.stopAllServers();
+    }
+
+    @Test
+    public void testFindUserCert() throws URISyntaxException, NamingException, CertificateException {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        X509Certificate cert = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN);
+        assertNotNull(cert);
+    }
+
+    @Test
+    public void testFindUserCertForNonExistentDn() throws URISyntaxException, NamingException, CertificateException {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        X509Certificate cert = persistenceManager.findBySubjectDn("CN=wrong");
+        assertNull("Certificate should be null", cert);
+    }
+
+    @Test
+    public void testSave() throws Exception {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        URL url = this.getClass().getResource("cert1.cer");
+        CertificateFactory factory = CertificateFactory.getInstance("X.509");
+        X509Certificate cert = (X509Certificate) factory.generateCertificate(url.openStream());
+        assertNotNull(cert);
+
+        UseKeyWithType key = new UseKeyWithType();
+        key.setApplication(Applications.PKIX.getUri());
+        key.setIdentifier(EXPECTED_SUBJECT_DN2);
+        persistenceManager.saveCertificate(cert, key);
+
+        X509Certificate foundCert = persistenceManager.findBySubjectDn(EXPECTED_SUBJECT_DN2);
+        assertNotNull(foundCert);
+    }
+
+    @Test
+    public void testSaveServiceCert() throws Exception {
+        CertificateRepo persistenceManager = createLdapCertificateRepo();
+        URL url = this.getClass().getResource("cert1.cer");
+        CertificateFactory factory = CertificateFactory.getInstance("X.509");
+        X509Certificate cert = (X509Certificate) factory.generateCertificate(url.openStream());
+        assertNotNull(cert);
+
+        UseKeyWithType key = new UseKeyWithType();
+        key.setApplication(Applications.SERVICE_NAME.getUri());
+        key.setIdentifier(EXPECTED_SERVICE_URI);
+        persistenceManager.saveCertificate(cert, key);
+
+        X509Certificate foundCert = persistenceManager.findByServiceName(EXPECTED_SERVICE_URI);
+        assertNotNull(foundCert);
+    }
+
+    private CertificateRepo createLdapCertificateRepo() throws CertificateException {
+        LdapSearch ldapSearch = new LdapSearch("ldap://localhost:" + super.getLdapServer().getPort(),
+            "UID=admin,DC=example,DC=com", "ldap_su", 2);
+
+        LdapSchemaConfig ldapSchemaConfig = new LdapSchemaConfig();
+        ldapSchemaConfig.setAttrCrtBinary("userCertificate");
+        return new LdapCertificateRepo(ldapSearch, ldapSchemaConfig, ROOT_DN);
+    }
+
+}
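Review bot: In testSave and testSaveServiceCert the stream from `url.openStream()` is passed straight to `generateCertificate` and never closed, and `url` is not checked first, so a missing cert1.cer resource surfaces as a NullPointerException instead of a clear assertion failure; the deleted LDAPCertificateRepoTest.getTestCert did close its stream with try-with-resources, so this is a small regression. Precede the load with `assertNotNull(url);` and wrap it as `try (InputStream in = url.openStream()) { cert = (X509Certificate) factory.generateCertificate(in); }`, which also needs a `java.io.InputStream` import. Since both tests load the same certificate the same way, a private helper returning the X509Certificate would keep the two paths from drifting.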
diff --git a/systests/ldap/src/test/resources/ldap.ldif b/systests/ldap/src/test/resources/ldap.ldif
index ac82b07..6c8345e 100644
--- a/systests/ldap/src/test/resources/ldap.ldif
+++ b/systests/ldap/src/test/resources/ldap.ldif
@@ -13,6 +13,11 @@ objectClass: organizationalUnit
 objectClass: top
 ou: other-users
 
+dn: ou=services,dc=example,dc=com
+objectClass: organizationalUnit
+objectClass: top
+ou: services
+
 dn: ou=groups,dc=example,dc=com
 objectClass: top
 objectClass: organizationalUnit
diff --git a/services/xkms/xkms-x509-repo-ldap/src/test/resources/cert1.cer b/systests/ldap/src/test/resources/org/apache/cxf/systest/ldap/xkms/cert1.cer
similarity index 100%
rename from services/xkms/xkms-x509-repo-ldap/src/test/resources/cert1.cer
rename to systests/ldap/src/test/resources/org/apache/cxf/systest/ldap/xkms/cert1.cer