Google Git
Sign in
apache / directory-server / 889a203d418713eefe7a0c21e8b0156e94b4ea0c / . / old_trunk / core-integ / src / test / java / org / apache / directory / server / core / authn / SimpleAuthenticationIT.java
blob: b40f1b93ced05a84c6d85db90db790d5467de575 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.server.core.authn;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.integ.CiRunner;
import static org.apache.directory.server.core.integ.IntegrationUtils.*;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.message.AttributeImpl;
import org.apache.directory.shared.ldap.message.ModificationItemImpl;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.ArrayUtils;
import org.apache.directory.shared.ldap.util.StringTools;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
import org.junit.Test;
import org.junit.runner.RunWith;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapContext;
/**
* A set of simple tests to make sure simple authentication is working as it
* should.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
@RunWith( CiRunner.class )
public class SimpleAuthenticationIT
{
public static DirectoryService service;
public static LdapContext getRootDSE() throws NamingException
{
if ( service.isStarted() )
{
LdapDN dn = new LdapDN( "uid=admin,ou=system" );
dn.normalize( service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
return service.getJndiContext( new LdapPrincipal( dn, AuthenticationLevel.SIMPLE ) );
}
throw new IllegalStateException( "Cannot acquire rootDSE before the service has been started!" );
}
public static LdapContext getRootDSE( String bindDn ) throws NamingException
{
if ( service.isStarted() )
{
LdapDN dn = new LdapDN( bindDn );
dn.normalize( service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
return service.getJndiContext( new LdapPrincipal( dn, AuthenticationLevel.SIMPLE ) );
}
throw new IllegalStateException( "Cannot acquire rootDSE before the service has been started!" );
}
public static LdapContext getSystemRoot() throws NamingException
{
if ( service.isStarted() )
{
LdapDN dn = new LdapDN( "uid=admin,ou=system" );
dn.normalize( service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
return service.getJndiContext( new LdapPrincipal(
dn, AuthenticationLevel.SIMPLE ), "ou=system" );
}
throw new IllegalStateException( "Cannot acquire rootDSE before the service has been started!" );
}
public static LdapContext getSystemRoot( String bindDn ) throws NamingException
{
if ( service.isStarted() )
{
LdapDN dn = new LdapDN( bindDn );
dn.normalize( service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
return service.getJndiContext( new LdapPrincipal( dn, AuthenticationLevel.SIMPLE ), "ou=system" );
}
throw new IllegalStateException( "Cannot acquire rootDSE before the service has been started!" );
}
/**
* Checks all attributes of the admin account entry minus the userPassword
* attribute.
*
* @param attrs the entries attributes
*/
protected void performAdminAccountChecks( Attributes attrs )
{
assertTrue( attrs.get( "objectClass" ).contains( "top" ) );
assertTrue( attrs.get( "objectClass" ).contains( "person" ) );
assertTrue( attrs.get( "objectClass" ).contains( "organizationalPerson" ) );
assertTrue( attrs.get( "objectClass" ).contains( "inetOrgPerson" ) );
assertTrue( attrs.get( "displayName" ).contains( "Directory Superuser" ) );
}
/**
* Check the creation of the admin account and persistence across restarts.
*
* @throws NamingException if there are failures
*/
@Test
public void testAdminAccountCreation() throws NamingException
{
String userDn = "uid=admin,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn,
"secret".getBytes(), "simple", "ou=system" );
Attributes attrs = ctx.getAttributes( "uid=admin" );
performAdminAccountChecks( attrs );
assertTrue( ArrayUtils.isEquals( attrs.get( "userPassword" ).get(), StringTools.getBytesUtf8( "secret" ) ) );
ctx.close();
service.shutdown();
service.startup();
ctx = service.getJndiContext( new LdapDN( userDn ), userDn,
"secret".getBytes(), "simple", "ou=system" );
attrs = ctx.getAttributes( "uid=admin" );
performAdminAccountChecks( attrs );
assertTrue( ArrayUtils.isEquals( attrs.get( "userPassword" ).get(), StringTools.getBytesUtf8( "secret" ) ) );
ctx.close();
}
@Test
public void test3UseAkarasulu() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
Attributes attrs = ctx.getAttributes( "" );
Attribute ou = attrs.get( "ou" );
assertTrue( ou.contains( "Engineering" ) );
assertTrue( ou.contains( "People" ) );
Attribute objectClass = attrs.get( "objectClass" );
assertTrue( objectClass.contains( "top" ) );
assertTrue( objectClass.contains( "person" ) );
assertTrue( objectClass.contains( "organizationalPerson" ) );
assertTrue( objectClass.contains( "inetOrgPerson" ) );
assertTrue( attrs.get( "telephonenumber" ).contains( "+1 408 555 4798" ) );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
assertTrue( attrs.get( "givenname" ).contains( "Alex" ) );
assertTrue( attrs.get( "mail" ).contains( "akarasulu@apache.org" ) );
assertTrue( attrs.get( "l" ).contains( "Bogusville" ) );
assertTrue( attrs.get( "sn" ).contains( "Karasulu" ) );
assertTrue( attrs.get( "cn" ).contains( "Alex Karasulu" ) );
assertTrue( attrs.get( "facsimiletelephonenumber" ).contains( "+1 408 555 9751" ) );
assertTrue( attrs.get( "roomnumber" ).contains( "4612" ) );
}
/**
* Tests to make sure we can authenticate after the database has already
* been started by the admin user when simple authentication is in effect.
*
* @throws Exception if anything goes wrong
*/
@Test
public void test8PassPrincAuthTypeSimple() throws Exception
{
String userDn = "uid=admin,ou=system";
assertNotNull( service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn ) );
}
/**
* Checks to see if we can authenticate as a test user after the admin fires
* up and builds the the system database.
*
* @throws Exception if anything goes wrong
*/
@Test
public void test10TestNonAdminUser() throws Exception
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
assertNotNull( service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn ) );
}
@Test
public void test11InvalidateCredentialCache() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
assertNotNull( ctx );
Attributes attrs = ctx.getAttributes( "" );
Attribute ou = attrs.get( "ou" );
assertTrue( ou.contains( "Engineering" ) );
assertTrue( ou.contains( "People" ) );
Attribute objectClass = attrs.get( "objectClass" );
assertTrue( objectClass.contains( "top" ) );
assertTrue( objectClass.contains( "person" ) );
assertTrue( objectClass.contains( "organizationalPerson" ) );
assertTrue( objectClass.contains( "inetOrgPerson" ) );
assertTrue( attrs.get( "telephonenumber" ).contains( "+1 408 555 4798" ) );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
assertTrue( attrs.get( "givenname" ).contains( "Alex" ) );
assertTrue( attrs.get( "mail" ).contains( "akarasulu@apache.org" ) );
assertTrue( attrs.get( "l" ).contains( "Bogusville" ) );
assertTrue( attrs.get( "sn" ).contains( "Karasulu" ) );
assertTrue( attrs.get( "cn" ).contains( "Alex Karasulu" ) );
assertTrue( attrs.get( "facsimiletelephonenumber" ).contains( "+1 408 555 9751" ) );
assertTrue( attrs.get( "roomnumber" ).contains( "4612" ) );
// now modify the password for akarasulu
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "newpwd" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
// close and try again now with new password (should fail)
ctx.close();
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "newpwd".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
ou = attrs.get( "ou" );
assertTrue( ou.contains( "Engineering" ) );
assertTrue( ou.contains( "People" ) );
objectClass = attrs.get( "objectClass" );
assertTrue( objectClass.contains( "top" ) );
assertTrue( objectClass.contains( "person" ) );
assertTrue( objectClass.contains( "organizationalPerson" ) );
assertTrue( objectClass.contains( "inetOrgPerson" ) );
assertTrue( attrs.get( "telephonenumber" ).contains( "+1 408 555 4798" ) );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
assertTrue( attrs.get( "givenname" ).contains( "Alex" ) );
assertTrue( attrs.get( "mail" ).contains( "akarasulu@apache.org" ) );
assertTrue( attrs.get( "l" ).contains( "Bogusville" ) );
assertTrue( attrs.get( "sn" ).contains( "Karasulu" ) );
assertTrue( attrs.get( "cn" ).contains( "Alex Karasulu" ) );
assertTrue( attrs.get( "facsimiletelephonenumber" ).contains( "+1 408 555 9751" ) );
assertTrue( attrs.get( "roomnumber" ).contains( "4612" ) );
}
@Test
public void testSHA() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
// Check that we can get the attributes
Attributes attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// now modify the password for akarasulu : 'secret', encrypted using SHA
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
// try again now with new password (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// close and try again now with new password, to check that the
// cache is updated (should be successfull)
ctx.close();
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
}
@Test
public void testSSHA() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
// Check that we can get the attributes
Attributes attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// now modify the password for akarasulu : 'secret', encrypted using SHA
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "{SSHA}mjVVxasFkk59wMW4L1Ldt+YCblfhULHs03WW7g==" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
// try again now with new password (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// close and try again now with new password, to check that the
// cache is updated (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
}
@Test
public void testMD5() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
// Check that we can get the attributes
Attributes attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// now modify the password for akarasulu : 'secret', encrypted using MD5
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
// try again now with new password (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// try again now with new password, to check that the
// cache is updated (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
}
@Test
public void testSMD5() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
// Check that we can get the attributes
Attributes attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// now modify the password for akarasulu : 'secret', encrypted using SHA
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "{SMD5}tQ9wo/VBuKsqBtylMMCcORbnYOJFMyDJ" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
// try again now with new password (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// try again now with new password, to check that the
// cache is updated (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
}
@Test
public void testCRYPT() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
// Check that we can get the attributes
Attributes attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// now modify the password for akarasulu : 'secret', encrypted using CRYPT
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "{crypt}qFkH8Z1woBlXw" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
// close and try with old password (should fail)
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
// try again now with new password (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
// try again now with new password, to check that the
// cache is updated (should be successfull)
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
attrs = ctx.getAttributes( "" );
assertNotNull( attrs );
assertTrue( attrs.get( "uid" ).contains( "akarasulu" ) );
}
@Test
public void testInvalidateCredentialCacheForUpdatingAnotherUsersPassword() throws NamingException
{
apply( getRootDSE(), getUserAddLdif() );
// bind as akarasulu
String userDn = "uid=akarasulu,ou=users,ou=system";
LdapContext ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
ctx.close();
// bind as admin
userDn = "uid=admin,ou=system";
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "secret".getBytes(), "simple", userDn );
// now modify the password for akarasulu (while we're admin)
AttributeImpl userPasswordAttribute = new AttributeImpl( "userPassword", "newpwd" );
ctx.modifyAttributes( "", new ModificationItemImpl[] {
new ModificationItemImpl( DirContext.REPLACE_ATTRIBUTE, userPasswordAttribute ) } );
ctx.close();
try
{
ctx = service.getJndiContext( new LdapDN( userDn ), userDn, "test".getBytes(), "simple", userDn );
fail( "Authentication with old password should fail" );
}
catch ( NamingException e )
{
// we should fail
}
finally
{
if ( ctx != null )
{
ctx.close();
}
}
}
}