Google Git
Sign in
apache / directory-server / 889a203d418713eefe7a0c21e8b0156e94b4ea0c / . / old_trunk / server-unit / src / test / java / org / apache / directory / server / ssl / ConfidentialityRequiredITest.java
blob: af848be1cef921f1e993338682e536716f4766e0 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.server.ssl;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.apache.directory.server.unit.AbstractServerTest;
import org.apache.directory.shared.ldap.message.AttributeImpl;
import org.apache.directory.shared.ldap.message.AttributesImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Test case to verify proper operation of confidentiality requirements as
* specified in https://issues.apache.org/jira/browse/DIRSERVER-1189.
*
* Starts up the server binds via SUN JNDI provider to perform various
* operations on entries which should be rejected when a TLS secured
* connection is not established.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev: 639006 $
*/
public class ConfidentialityRequiredITest extends AbstractServerTest
{
private static final Logger LOG = LoggerFactory.getLogger( ConfidentialityRequiredITest.class );
private File ksFile;
/**
* Sets up the key store and installs the self signed certificate for the
* server (created on first startup) which is to be used by the StartTLS
* JDNDI client that will connect. The key store is created from scratch
* programmatically and whipped on each run. The certificate is acquired
* by pulling down the bytes for administrator's userCertificate from
* uid=admin,ou=system. We use sysRoot direct context instead of one over
* the wire since the server is configured to prevent connections without
* TLS secured connections.
*/
public void setUp() throws Exception
{
super.setUp();
if ( ksFile != null && ksFile.exists() )
{
ksFile.delete();
}
ksFile = File.createTempFile( "testStore", "ks" );
Attributes adminEntry = sysRoot.getAttributes( "uid=admin" );
Attribute userCertificateAttr = adminEntry.get( "userCertificate" );
assertNotNull( userCertificateAttr );
byte[] userCertificate = ( byte[] ) userCertificateAttr.get();
assertNotNull( userCertificate );
ByteArrayInputStream in = new ByteArrayInputStream( userCertificate );
CertificateFactory factory = CertificateFactory.getInstance( "X.509" );
Certificate cert = factory.generateCertificate( in );
KeyStore ks = KeyStore.getInstance( KeyStore.getDefaultType() );
ks.load( null, null );
ks.setCertificateEntry( "apacheds", cert );
ks.store( new FileOutputStream( ksFile ), "changeit".toCharArray() );
LOG.debug( "Keystore file installed: {}", ksFile.getAbsolutePath() );
}
/**
* Just deletes the generated key store file.
*/
public void tearDown() throws Exception
{
if ( ksFile != null && ksFile.exists() )
{
ksFile.delete();
}
LOG.debug( "Keystore file deleted: {}", ksFile.getAbsolutePath() );
super.tearDown();
}
/**
* Setup confidentiality to be required.
*/
protected void configureLdapServer()
{
super.configureLdapServer();
ldapServer.setConfidentialityRequired( true );
}
private LdapContext getSecuredContext() throws Exception
{
System.setProperty ( "javax.net.ssl.trustStore", ksFile.getAbsolutePath() );
System.setProperty ( "javax.net.ssl.keyStore", ksFile.getAbsolutePath() );
System.setProperty ( "javax.net.ssl.keyStorePassword", "changeit" );
LOG.debug( "testStartTls() test starting ... " );
// Set up environment for creating initial context
Hashtable<String, Object> env = new Hashtable<String,Object>();
env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
// Must use the name of the server that is found in its certificate?
env.put( Context.PROVIDER_URL, "ldap://localhost:" + port );
// Create initial context
LOG.debug( "About to get initial context" );
LdapContext ctx = new InitialLdapContext( env, null );
// Start TLS
LOG.debug( "About send startTls extended operation" );
StartTlsResponse tls = ( StartTlsResponse ) ctx.extendedOperation( new StartTlsRequest() );
LOG.debug( "Extended operation issued" );
tls.setHostnameVerifier( new HostnameVerifier() {
public boolean verify( String hostname, SSLSession session )
{
return true;
}
} );
LOG.debug( "TLS negotion about to begin" );
tls.negotiate();
return ctx;
}
/**
* Checks to make sure insecure binds fail while secure binds succeed.
*/
public void testConfidentiality() throws Exception
{
// -------------------------------------------------------------------
// Unsecured bind should fail
// -------------------------------------------------------------------
try
{
getWiredContext();
fail( "Should not get here due to violation of confidentiality requirements" );
}
catch( AuthenticationNotSupportedException e )
{
}
// -------------------------------------------------------------------
// get anonymous connection with StartTLS (no bind request sent)
// -------------------------------------------------------------------
LdapContext ctx = getSecuredContext();
assertNotNull( ctx );
// -------------------------------------------------------------------
// upgrade connection via bind request (same physical connection - TLS)
// -------------------------------------------------------------------
ctx.addToEnvironment( Context.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
ctx.addToEnvironment( Context.SECURITY_CREDENTIALS, "secret" );
ctx.addToEnvironment( Context.SECURITY_AUTHENTICATION, "simple" );
ctx.reconnect( null );
// -------------------------------------------------------------------
// do a search and confirm
// -------------------------------------------------------------------
NamingEnumeration<SearchResult> results = ctx.search( "ou=system", "(objectClass=*)", new SearchControls() );
Set<String> names = new HashSet<String>();
while( results.hasMore() )
{
names.add( results.next().getName() );
}
results.close();
assertTrue( names.contains( "prefNodeName=sysPrefRoot" ) );
assertTrue( names.contains( "ou=users" ) );
assertTrue( names.contains( "ou=configuration" ) );
assertTrue( names.contains( "uid=admin" ) );
assertTrue( names.contains( "ou=groups" ) );
// -------------------------------------------------------------------
// do add and confirm
// -------------------------------------------------------------------
AttributesImpl attrs = new AttributesImpl( "objectClass", "person", true );
attrs.put( "sn", "foo" );
attrs.put( "cn", "foo bar" );
ctx.createSubcontext( "cn=foo bar,ou=system", attrs );
assertNotNull( ctx.lookup( "cn=foo bar,ou=system" ) );
// -------------------------------------------------------------------
// do modify and confirm
// -------------------------------------------------------------------
ModificationItem[] mods = new ModificationItem[] {
new ModificationItem( DirContext.ADD_ATTRIBUTE, new AttributeImpl( "cn", "fbar" ) )
};
ctx.modifyAttributes( "cn=foo bar,ou=system", mods );
Attributes reread = ( Attributes ) ctx.getAttributes( "cn=foo bar,ou=system" );
assertTrue( reread.get( "cn" ).contains( "fbar" ) );
// -------------------------------------------------------------------
// do rename and confirm
// -------------------------------------------------------------------
ctx.rename( "cn=foo bar,ou=system", "cn=fbar,ou=system" );
try
{
ctx.getAttributes( "cn=foo bar,ou=system" );
fail( "old name of renamed entry should not be found" );
}
catch ( NameNotFoundException e )
{
}
reread = ( Attributes ) ctx.getAttributes( "cn=fbar,ou=system" );
assertTrue( reread.get( "cn" ).contains( "fbar" ) );
// -------------------------------------------------------------------
// do delete and confirm
// -------------------------------------------------------------------
ctx.destroySubcontext( "cn=fbar,ou=system" );
try
{
ctx.getAttributes( "cn=fbar,ou=system" );
fail( "deleted entry should not be found" );
}
catch ( NameNotFoundException e )
{
}
ctx.close();
}
}