Skip to content

Commit

Permalink
Merge pull request #13038 from hartimcwildfly/ldap-add-property-searc…
Browse files Browse the repository at this point in the history
…h-recursive

added searchRecursive property in elytron ldap config
  • Loading branch information
machi1990 authored Nov 1, 2020
2 parents 52fa87a + c9b7140 commit dfecb89
Show file tree
Hide file tree
Showing 6 changed files with 86 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,13 @@ public void testSecureAccessFailure() {
.statusCode(401);
}

@Test()
public void testNotSearchingRecursiveFailure() {
RestAssured.given().auth().preemptive().basic("subUser", "subUserPassword")
.when().get("/servlet-secured").then()
.statusCode(401);
}

@Test()
public void testSecureRoleFailure() {
RestAssured.given().auth().preemptive().basic("noRoleUser", "noRoleUserPassword")
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
package io.quarkus.elytron.security.ldap;

import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

import io.quarkus.elytron.security.ldap.rest.SingleRoleSecuredServlet;
import io.quarkus.test.QuarkusUnitTest;
import io.quarkus.test.common.QuarkusTestResource;
import io.quarkus.test.ldap.LdapServerTestResource;
import io.restassured.RestAssured;

@QuarkusTestResource(LdapServerTestResource.class)
public class SearchRecursiveTest {

protected static Class[] testClasses = {
SingleRoleSecuredServlet.class
};

@RegisterExtension
static final QuarkusUnitTest config = new QuarkusUnitTest()
.setArchiveProducer(() -> ShrinkWrap.create(JavaArchive.class)
.addClasses(testClasses)
.addAsResource("search-recursive/application.properties", "application.properties"));

@Test()
public void testNotSearchingRecursiveFailure() {
RestAssured.given().auth().preemptive().basic("subUser", "subUserPassword")
.when().get("/servlet-secured").then()
.statusCode(200);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
quarkus.security.ldap.enabled=true

quarkus.security.ldap.dir-context.principal=uid=admin,ou=system
quarkus.security.ldap.dir-context.url=ldap://127.0.0.1:10389
quarkus.security.ldap.dir-context.password=secret

quarkus.security.ldap.identity-mapping.search-recursive=true
quarkus.security.ldap.identity-mapping.search-base-dn=ou=Users,dc=quarkus,dc=io

quarkus.security.ldap.identity-mapping.attribute-mappings."0".from=cn
quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter=(member=uid={0},ou=SubUsers,ou=Users,dc=quarkus,dc=io)
quarkus.security.ldap.identity-mapping.attribute-mappings."0".filter-base-dn=ou=Roles,dc=quarkus,dc=io
Original file line number Diff line number Diff line change
Expand Up @@ -29,19 +29,25 @@ public class LdapRecorder {
* @return runtime value wrapper for the SecurityRealm
*/
public RuntimeValue<SecurityRealm> createRealm(LdapSecurityRealmRuntimeConfig runtimeConfig) {
LdapSecurityRealmBuilder builder = LdapSecurityRealmBuilder.builder()
LdapSecurityRealmBuilder.IdentityMappingBuilder identityMappingBuilder = LdapSecurityRealmBuilder.builder()
.setDirContextSupplier(createDirContextSupplier(runtimeConfig.dirContext))
.identityMapping()
.identityMapping();

if (runtimeConfig.identityMapping.searchRecursive) {
identityMappingBuilder.searchRecursive();
}

LdapSecurityRealmBuilder ldapSecurityRealmBuilder = identityMappingBuilder
.map(createAttributeMappings(runtimeConfig.identityMapping))
.setRdnIdentifier(runtimeConfig.identityMapping.rdnIdentifier)
.setSearchDn(runtimeConfig.identityMapping.searchBaseDn)
.build();

if (runtimeConfig.directVerification) {
builder.addDirectEvidenceVerification(false);
ldapSecurityRealmBuilder.addDirectEvidenceVerification(false);
}

return new RuntimeValue<>(builder.build());
return new RuntimeValue<>(ldapSecurityRealmBuilder.build());
}

private ExceptionSupplier<DirContext, NamingException> createDirContextSupplier(DirContextConfig dirContext) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@ public class IdentityMappingConfig {
@ConfigItem
public String searchBaseDn;

/**
* If the child nodes are also searched for identities
*/
@ConfigItem(defaultValue = "false")
public boolean searchRecursive;

/**
* The configs how we get from the attribute to the Role
*/
Expand All @@ -31,6 +37,7 @@ public String toString() {
return "IdentityMappingConfig{" +
"rdnIdentifier='" + rdnIdentifier + '\'' +
", searchBaseDn='" + searchBaseDn + '\'' +
", searchRecursive=" + searchRecursive +
", attributeMappings=" + attributeMappings +
'}';
}
Expand Down
17 changes: 17 additions & 0 deletions test-framework/ldap/src/main/resources/quarkus-io.ldif
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,22 @@ sn: adminUser
uid: adminUser
userPassword: adminUserPassword

# A sub OU of Users

dn: ou=SubUsers,ou=Users,dc=quarkus,dc=io
objectclass: organizationalUnit
objectclass: top
ou: SubUsers

dn: uid=subUser,ou=SubUsers,ou=Users,dc=quarkus,dc=io
objectclass: top
objectclass: person
objectclass: inetOrgPerson
cn: SubUser
sn: subUser
uid: subUser
userpassword: subUserPassword


#The roles OU

Expand All @@ -56,6 +72,7 @@ objectClass: top
objectClass: groupOfNames
cn: standardRole
member: uid=standardUser,ou=Users,dc=quarkus,dc=io
member: uid=subUser,ou=SubUsers,ou=Users,dc=quarkus,dc=io

dn: cn=adminRole,ou=Roles,dc=quarkus,dc=io
objectClass: top
Expand Down

0 comments on commit dfecb89

Please sign in to comment.