-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ldap - avoid providing sensitive (salted password) on the /whoami end…
…point This is a kind of revisit of the PR#88.
- Loading branch information
Showing
9 changed files
with
192 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
11 changes: 11 additions & 0 deletions
11
.../src/main/java/org/georchestra/gateway/security/ldap/NoPasswordLdapUserDetailsMapper.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
package org.georchestra.gateway.security.ldap; | ||
|
||
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper; | ||
|
||
public class NoPasswordLdapUserDetailsMapper extends LdapUserDetailsMapper { | ||
|
||
@Override | ||
protected String mapPassword(Object passwordValue) { | ||
return null; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
44 changes: 44 additions & 0 deletions
44
.../src/test/java/org/georchestra/gateway/security/ldap/basic/BasicLdapAuthenticationIT.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
package org.georchestra.gateway.security.ldap.basic; | ||
|
||
import org.georchestra.gateway.app.GeorchestraGatewayApplication; | ||
import org.georchestra.testcontainers.ldap.GeorchestraLdapContainer; | ||
import org.hamcrest.Matchers; | ||
import org.junit.jupiter.api.AfterAll; | ||
import org.junit.jupiter.api.BeforeAll; | ||
import org.junit.jupiter.api.Disabled; | ||
import org.junit.jupiter.api.Test; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; | ||
import org.springframework.boot.test.context.SpringBootTest; | ||
import org.springframework.test.context.ActiveProfiles; | ||
import org.springframework.test.web.reactive.server.WebTestClient; | ||
|
||
@SpringBootTest(classes = GeorchestraGatewayApplication.class) | ||
@ActiveProfiles({ "basicldap" }) | ||
@AutoConfigureWebTestClient(timeout = "PT20S") | ||
@Disabled("ExtendedLdapAuthenticationProvider being built instead of a Basic one after https://github.com/georchestra/georchestra-gateway/pull/50/files ?") | ||
public class BasicLdapAuthenticationIT { | ||
|
||
public static GeorchestraLdapContainer ldap = new GeorchestraLdapContainer(); | ||
|
||
private @Autowired WebTestClient testClient; | ||
|
||
public static @BeforeAll void startUpContainers() { | ||
ldap.start(); | ||
} | ||
|
||
public static @AfterAll void shutDownContainers() { | ||
ldap.stop(); | ||
} | ||
|
||
public @Test void testWhoamiNoPasswordRevealed() { | ||
testClient.get().uri("/whoami")// | ||
.header("Authorization", "Basic dGVzdGFkbWluOnRlc3RhZG1pbg==") // testadmin:testadmin | ||
.exchange()// | ||
.expectStatus()// | ||
.is2xxSuccessful()// | ||
.expectBody(String.class)// | ||
.value(Matchers.not(Matchers.containsString("{SHA}"))); | ||
} | ||
|
||
} |
71 changes: 71 additions & 0 deletions
71
...est/java/org/georchestra/gateway/security/ldap/extended/ExtendedLdapAuthenticationIT.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
package org.georchestra.gateway.security.ldap.extended; | ||
|
||
import org.georchestra.gateway.app.GeorchestraGatewayApplication; | ||
import org.georchestra.gateway.filter.headers.providers.JsonPayloadHeadersContributor; | ||
import org.georchestra.gateway.model.GatewayConfigProperties; | ||
import org.georchestra.testcontainers.ldap.GeorchestraLdapContainer; | ||
import org.junit.jupiter.api.AfterAll; | ||
import org.junit.jupiter.api.BeforeAll; | ||
import org.junit.jupiter.api.Test; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; | ||
import org.springframework.boot.test.context.SpringBootTest; | ||
import org.springframework.context.ApplicationContext; | ||
import org.springframework.test.context.ActiveProfiles; | ||
import org.springframework.test.context.DynamicPropertyRegistry; | ||
import org.springframework.test.context.DynamicPropertySource; | ||
import org.springframework.test.web.reactive.server.WebTestClient; | ||
import org.springframework.web.context.WebApplicationContext; | ||
import org.testcontainers.containers.GenericContainer; | ||
import org.testcontainers.utility.DockerImageName; | ||
|
||
import java.util.Arrays; | ||
import java.util.Optional; | ||
|
||
import static org.junit.jupiter.api.Assertions.assertNotNull; | ||
|
||
@SpringBootTest(classes = GeorchestraGatewayApplication.class) | ||
@ActiveProfiles({ "createaccount" }) | ||
@AutoConfigureWebTestClient(timeout = "PT20S") | ||
public class ExtendedLdapAuthenticationIT { | ||
public static GeorchestraLdapContainer ldap = new GeorchestraLdapContainer(); | ||
|
||
private @Autowired WebTestClient testClient; | ||
|
||
public static @BeforeAll void startUpContainers() { | ||
ldap.start(); | ||
} | ||
|
||
public static @AfterAll void shutDownContainers() { | ||
ldap.stop(); | ||
} | ||
|
||
@DynamicPropertySource | ||
static void registerLdap(DynamicPropertyRegistry registry) { | ||
registry.add("testcontainers.georchestra.ldap.host", () -> "127.0.0.1"); | ||
registry.add("testcontainers.georchestra.ldap.port", ldap::getMappedLdapPort); | ||
} | ||
|
||
public @Test void testWhoami() { | ||
testClient.get().uri("/whoami")// | ||
.header("Authorization", "Basic dGVzdGFkbWluOnRlc3RhZG1pbg==") // testadmin:testadmin | ||
.exchange()// | ||
.expectStatus()// | ||
.is2xxSuccessful()// | ||
.expectBody()// | ||
.jsonPath("$.GeorchestraUser.username").isEqualTo("testadmin"); | ||
} | ||
|
||
public @Test void testWhoamiNoPasswordRevealed() { | ||
testClient.get().uri("/whoami")// | ||
.header("Authorization", "Basic dGVzdGFkbWluOnRlc3RhZG1pbg==") // testadmin:testadmin | ||
.exchange()// | ||
.expectStatus()// | ||
.is2xxSuccessful()// | ||
.expectBody()// | ||
.jsonPath( | ||
"$.['org.georchestra.gateway.security.ldap.extended.GeorchestraUserNamePasswordAuthenticationToken'].principal.password") | ||
.isEmpty(); | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# This YAML file configures the geOrchestra gateway with | ||
# a basic LDAP (extended set to false). | ||
# | ||
georchestra: | ||
gateway: | ||
default-headers: | ||
# Default security headers to append to proxied requests | ||
proxy: true | ||
username: true | ||
roles: true | ||
org: true | ||
orgname: true | ||
global-access-rules: | ||
- intercept-url: | ||
- "/**" | ||
- "/proxy/?url=*" | ||
anonymous: true | ||
security: | ||
ldap: | ||
default: | ||
enabled: true | ||
extended: false | ||
url: ldap://${ldapHost}:${ldapPort}/ | ||
baseDn: dc=georchestra,dc=org | ||
adminDn: cn=admin,dc=georchestra,dc=org | ||
adminPassword: secret | ||
spring: | ||
cloud: | ||
gateway: | ||
enabled: true | ||
default-filters: | ||
- SecureHeaders | ||
- TokenRelay | ||
- RemoveSecurityHeaders | ||
# AddSecHeaders appends sec-* headers to proxied requests based on the | ||
# georchestra.gateway.default-headers and georchestra.gateway.servies.<service>.headers config properties | ||
- AddSecHeaders | ||
httpclient.wiretap: true | ||
httpserver.wiretap: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters