1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.operations.bind;
21  
22  
23  import java.util.Hashtable;
24  
25  import javax.naming.AuthenticationException;
26  import javax.naming.Context;
27  import javax.naming.InvalidNameException;
28  import javax.naming.NamingException;
29  import javax.naming.OperationNotSupportedException;
30  import javax.naming.directory.Attribute;
31  import javax.naming.directory.Attributes;
32  import javax.naming.directory.BasicAttribute;
33  import javax.naming.directory.BasicAttributes;
34  import javax.naming.directory.DirContext;
35  import javax.naming.directory.InitialDirContext;
36  
37  import org.apache.directory.server.core.integ.Level;
38  import org.apache.directory.server.core.integ.annotations.ApplyLdifs;
39  import org.apache.directory.server.core.integ.annotations.CleanupLevel;
40  import org.apache.directory.server.integ.SiRunner;
41  import org.apache.directory.server.ldap.LdapService;
42  
43  import static org.junit.Assert.fail;
44  import static org.junit.Assert.assertTrue;
45  import static org.junit.Assert.assertEquals;
46  import static org.junit.Assert.assertNotNull;
47  import org.junit.Test;
48  import org.junit.runner.RunWith;
49  
50  
51  /**
52   * An {@link AbstractServerTest} testing SIMPLE authentication.
53   * 
54   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
55   * @version $Rev$, $Date$
56   */
57  @RunWith ( SiRunner.class ) 
58  @CleanupLevel ( Level.CLASS )
59  @ApplyLdifs( {
60      // Entry # 1
61      "dn: uid=hnelson,ou=users,ou=system\n" +
62      "objectClass: inetOrgPerson\n" +
63      "objectClass: organizationalPerson\n" +
64      "objectClass: person\n" +
65      "objectClass: top\n" +
66      "userPassword: secret\n" +
67      "uid: hnelson\n" +
68      "cn: Horatio Nelson\n" +
69      "sn: Nelson\n\n"
70      }
71  )
72  public class SimpleBindIT
73  {
74      private static final String BASE = "ou=users,ou=system";
75  
76      
77      public static LdapService ldapService;
78  
79      
80      /**
81       * Convenience method for creating a person.
82       */
83      protected Attributes getPersonAttributes( String sn, String cn, String uid, String userPassword )
84      {
85          Attributes attrs = new BasicAttributes( true );
86          Attribute ocls = new BasicAttribute( "objectClass" );
87          ocls.add( "top" );
88          ocls.add( "person" ); // sn $ cn
89          ocls.add( "inetOrgPerson" ); // uid
90          attrs.put( ocls );
91          attrs.put( "cn", cn );
92          attrs.put( "sn", sn );
93          attrs.put( "uid", uid );
94          attrs.put( "userPassword", userPassword );
95  
96          return attrs;
97      }
98  
99  
100     /**
101      * Convenience method for creating an organizational unit.
102      */
103     protected Attributes getOrgUnitAttributes( String ou )
104     {
105         Attributes attrs = new BasicAttributes( true );
106         Attribute ocls = new BasicAttribute( "objectClass" );
107         ocls.add( "top" );
108         ocls.add( "organizationalUnit" );
109         attrs.put( ocls );
110         attrs.put( "ou", ou );
111 
112         return attrs;
113     }
114 
115 
116     /**
117      * Tests to make sure SIMPLE binds works.
118      */
119     @Test
120     public void testSimpleBind()
121     {
122         Hashtable<String, String> env = new Hashtable<String, String>();
123         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
124         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
125         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
126         env.put( Context.SECURITY_PRINCIPAL, "uid=hnelson," + BASE );
127         env.put( Context.SECURITY_CREDENTIALS, "secret" );
128 
129         try
130         {
131             DirContext context = new InitialDirContext( env );
132 
133             String[] attrIDs =
134                 { "uid" };
135 
136             Attributes attrs = context.getAttributes( "uid=hnelson," + BASE, attrIDs );
137 
138             String uid = null;
139 
140             if ( attrs.get( "uid" ) != null )
141             {
142                 uid = ( String ) attrs.get( "uid" ).get();
143             }
144 
145             assertEquals( uid, "hnelson" );
146         }
147         catch ( NamingException e )
148         {
149             fail( "Should not have caught exception." );
150         }
151     }
152 
153 
154     /**
155      * Tests to make sure SIMPLE binds below the RootDSE fail if the password is bad.
156      */
157     @Test
158     public void testSimpleBindBadPassword()
159     {
160         Hashtable<String, String> env = new Hashtable<String, String>();
161         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
162         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
163         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
164         env.put( Context.SECURITY_PRINCIPAL, "uid=hnelson," + BASE );
165         env.put( Context.SECURITY_CREDENTIALS, "badsecret" );
166 
167         try
168         {
169             new InitialDirContext( env );
170         }
171         catch ( AuthenticationException ae )
172         {
173     		// Error code 49 : LDAP_INVALID_CREDENTIALS
174             assertTrue( ae.getMessage().contains( "error code 49" ) );
175         }
176         catch ( NamingException e )
177         {
178             fail();
179         }
180     }
181 
182     
183     /**
184      * try to connect using a user with an invalid DN: we should get a invalidDNSyntax error.
185      */
186     @Test
187     public void testSimpleBindBadUserPassword()
188     {
189         Hashtable<String, String> env = new Hashtable<String, String>();
190         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
191         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
192 
193         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
194         env.put( Context.SECURITY_PRINCIPAL, "hnelson" );
195         env.put( Context.SECURITY_CREDENTIALS, "secret" );
196 
197         try
198         {
199             new InitialDirContext( env );
200         }
201         catch ( InvalidNameException ine )
202         {
203     		// Error code 34 : LDAP_INVALID_DN_SYNTAX
204         	assertTrue( ine.getMessage().startsWith( "[LDAP: error code 34 - Incorrect DN given" ) );
205         }
206         catch ( NamingException e )
207         {
208             fail();
209         }
210     }
211 
212     
213     /**
214      * try to connect using a unknown user: we should get a invalidCredentials error.
215      */
216     @Test
217     public void testSimpleBindUnknowUserPassword()
218     {
219         Hashtable<String, String> env = new Hashtable<String, String>();
220         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
221         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
222         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
223         env.put( Context.SECURITY_PRINCIPAL, "uid=unknown,ou=system" );
224         env.put( Context.SECURITY_CREDENTIALS, "secret" );
225 
226         try
227         {
228             new InitialDirContext( env );
229         }
230         catch ( AuthenticationException ae )
231         {
232         }
233         catch ( NamingException e )
234         {
235             fail( "Expected AuthenticationException with error code 49 for invalidate credentials instead got: " 
236                 + e.getMessage() );
237         }
238     }
239     
240 
241     /**
242      * covers the anonymous authentication : we should be able to read the rootDSE, but that's it
243      */
244     @Test
245     public void testSimpleBindNoUserNoPassword()
246     {
247         boolean oldValue = ldapService.getDirectoryService().isAllowAnonymousAccess();
248         ldapService.getDirectoryService().setAllowAnonymousAccess( false );
249         ldapService.setAllowAnonymousAccess( false );
250 
251         Hashtable<String, String> env = new Hashtable<String, String>();
252         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
253         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
254         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
255         env.put( Context.SECURITY_PRINCIPAL, "" );
256         env.put( Context.SECURITY_CREDENTIALS, "" );
257 
258         String[] attrIDs = { "*", "+" };
259     	DirContext ctx = null;
260     	
261     	// Create the initial context
262     	try
263     	{
264     		ctx = new InitialDirContext(env);
265     	}
266     	catch ( NamingException ne )
267     	{
268     		fail();
269     	}
270     	
271     	// We should be anonymous here. 
272     	// Check that we can read the rootDSE
273     	try
274     	{
275             Attributes attrs = ctx.getAttributes( "", attrIDs );
276     		
277     		assertNotNull( attrs );
278     		assertEquals( "Apache Software Foundation", attrs.get( "vendorName" ).get() );
279     	}
280     	catch ( NamingException ne )
281     	{
282     		fail();
283     	}
284 
285     	// Check that we cannot read another entry being anonymous
286     	try
287     	{
288             Attributes attrs = ctx.getAttributes( "uid=admin,ou=system", attrIDs );
289     		
290     		assertNotNull( attrs );
291     		assertEquals( 0, attrs.size() );
292             fail( "Should not be able to read the root DSE" );
293     	}
294     	catch ( NamingException ne )
295     	{
296     	}
297     	
298     	ldapService.getDirectoryService().setAllowAnonymousAccess( oldValue );
299     	ldapService.setAllowAnonymousAccess( oldValue );
300     }
301     
302     
303     /**
304      * covers the Unauthenticated case : we should get a UnwillingToPerform error.
305      */
306     @Test
307     public void testSimpleBindUserNoPassword()
308     {
309         Hashtable<String, String> env = new Hashtable<String, String>();
310         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
311         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
312         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
313         env.put( Context.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
314         env.put( Context.SECURITY_CREDENTIALS, "" );
315 
316         // Create the initial context
317     	try
318     	{
319     		new InitialDirContext(env);
320     	}
321     	catch ( OperationNotSupportedException onse )
322     	{
323     		// Error code 53 : LDAP_UNWILLING_TO_PERFORM
324     		assertTrue( onse.getMessage().contains( "error code 53" ) );
325     	}
326     	catch ( NamingException ne )
327     	{
328     		fail();
329     	}
330     }    
331     
332     
333     /**
334      * not allowed by the server. We should get a invalidCredentials error.
335      */
336     @Test
337     public void testSimpleBindNoUserPassword() throws Exception
338     {
339         Hashtable<String, String> env = new Hashtable<String, String>();
340         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
341         env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
342 
343         env.put( Context.SECURITY_AUTHENTICATION, "simple" );
344         env.put( Context.SECURITY_PRINCIPAL, "" );
345         env.put( Context.SECURITY_CREDENTIALS, "secret" );
346 
347         // Create the initial context
348     	try
349     	{
350     		new InitialDirContext(env);
351     	}
352     	catch ( AuthenticationException ae )
353     	{
354     	}
355     	catch ( NamingException ne )
356     	{
357     		fail( "Expected AuthenticationException but instead got: " + ne.getMessage() );
358     	}
359     }    
360 
361 
362     /**
363      * Tests to make sure we still have anonymous access to the RootDSE.
364      * The configuration for this test case MUST disable anonymous access.
365      */
366     @Test
367     public void testAnonymousRootDSE()
368     {
369         boolean oldValue = ldapService.getDirectoryService().isAllowAnonymousAccess();
370         ldapService.getDirectoryService().setAllowAnonymousAccess( false );
371 
372         try
373         {
374             Hashtable<String, String> env = new Hashtable<String, String>();
375             env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
376             env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapService.getIpPort() );
377 
378             DirContext context = new InitialDirContext( env );
379 
380             String[] attrIDs =
381                 { "vendorName" };
382 
383             Attributes attrs = context.getAttributes( "", attrIDs );
384 
385             String vendorName = null;
386 
387             if ( attrs.get( "vendorName" ) != null )
388             {
389                 vendorName = ( String ) attrs.get( "vendorName" ).get();
390             }
391 
392             assertEquals( "Apache Software Foundation", vendorName );
393         }
394         catch ( NamingException e )
395         {
396             e.printStackTrace();
397             fail( "Should not have caught exception." );
398         }
399         finally
400         {
401             ldapService.getDirectoryService().setAllowAnonymousAccess( oldValue );
402         }
403     }
404 }