-
Notifications
You must be signed in to change notification settings - Fork 2.3k
/
ActiveDirectoryRealmTest.java
204 lines (166 loc) · 7.75 KB
/
ActiveDirectoryRealmTest.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.shiro.realm.activedirectory;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.UserIdPrincipal;
import org.apache.shiro.realm.UsernamePrincipal;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.easymock.Capture;
import org.easymock.CaptureType;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import java.util.HashSet;
import java.util.Set;
import static org.easymock.EasyMock.anyObject;
import static org.easymock.EasyMock.anyString;
import static org.easymock.EasyMock.capture;
import static org.easymock.EasyMock.createMock;
import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.replay;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.assertTrue;
/**
* Simple test case for ActiveDirectoryRealm.
* <p/>
* todo: While the original incarnation of this test case does not actually test the
* heart of ActiveDirectoryRealm (no meaningful implemenation of queryForLdapAccount, etc) it obviously should.
* This version was intended to mimic my current usage scenario in an effort to debug upgrade issues which were not related
* to LDAP connectivity.
*
*/
public class ActiveDirectoryRealmTest {
DefaultSecurityManager securityManager = null;
AuthorizingRealm realm;
private static final String USERNAME = "testuser";
private static final String PASSWORD = "password";
private static final int USER_ID = 12345;
private static final String ROLE = "admin";
@Before
public void setup() {
ThreadContext.remove();
realm = new TestActiveDirectoryRealm();
securityManager = new DefaultSecurityManager(realm);
SecurityUtils.setSecurityManager(securityManager);
}
@After
public void tearDown() {
SecurityUtils.setSecurityManager(null);
securityManager.destroy();
ThreadContext.remove();
}
@Test
public void testDefaultConfig() {
String localhost = "localhost";
Subject subject = SecurityUtils.getSubject();
subject.login(new UsernamePasswordToken(USERNAME, PASSWORD, localhost));
assertTrue(subject.isAuthenticated());
assertTrue(subject.hasRole(ROLE));
UsernamePrincipal usernamePrincipal = subject.getPrincipals().oneByType(UsernamePrincipal.class);
assertTrue(usernamePrincipal.getUsername().equals(USERNAME));
UserIdPrincipal userIdPrincipal = subject.getPrincipals().oneByType(UserIdPrincipal.class);
assertTrue(userIdPrincipal.getUserId() == USER_ID);
assertTrue(realm.hasRole(subject.getPrincipals(), ROLE));
subject.logout();
}
@Test
public void testExistingUserSuffix() throws Exception {
assertExistingUserSuffix(USERNAME, "testuser@ExAmple.COM"); // suffix case matches configure suffix
// suffix matches user entry
assertExistingUserSuffix(USERNAME + "@example.com", "testuser@example.com");
assertExistingUserSuffix(USERNAME + "@EXAMPLE.com", "testuser@EXAMPLE.com");
}
public void assertExistingUserSuffix(String username, String expectedPrincipalName) throws Exception {
LdapContext ldapContext = createMock(LdapContext.class);
NamingEnumeration<SearchResult> results = createMock(NamingEnumeration.class);
Capture<Object[]> captureArgs = Capture.newInstance(CaptureType.ALL);
expect(ldapContext.search(anyString(), anyString(), capture(captureArgs), anyObject(SearchControls.class))).andReturn(results);
replay(ldapContext);
ActiveDirectoryRealm activeDirectoryRealm = new ActiveDirectoryRealm() {{
this.principalSuffix = "@ExAmple.COM";
}};
SecurityManager securityManager = new DefaultSecurityManager(activeDirectoryRealm);
Subject subject = new Subject.Builder(securityManager).buildSubject();
subject.execute(() -> {
try {
activeDirectoryRealm.getRoleNamesForUser(username, ldapContext);
} catch (NamingException e) {
Assert.fail("Unexpected NamingException thrown during test");
}
});
Object[] args = captureArgs.getValue();
assertThat(args, arrayWithSize(1));
assertThat(args[0], is(expectedPrincipalName));
}
public class TestActiveDirectoryRealm extends ActiveDirectoryRealm {
/*--------------------------------------------
| C O N S T R U C T O R S |
============================================*/
CredentialsMatcher credentialsMatcher;
public TestActiveDirectoryRealm() {
super();
credentialsMatcher = new CredentialsMatcher() {
public boolean doCredentialsMatch(AuthenticationToken object, AuthenticationInfo object1) {
return true;
}
};
setCredentialsMatcher(credentialsMatcher);
}
public void setPrincipalSuffix(String principalSuffix) {
this.principalSuffix = principalSuffix;
}
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
SimpleAccount account = (SimpleAccount) super.doGetAuthenticationInfo(token);
if (account != null) {
SimplePrincipalCollection principals = new SimplePrincipalCollection();
principals.add(new UserIdPrincipal(USER_ID), getName());
principals.add(new UsernamePrincipal(USERNAME), getName());
account.setPrincipals(principals);
}
return account;
}
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Set<String> roles = new HashSet<String>();
roles.add(ROLE);
return new SimpleAuthorizationInfo(roles);
}
// override ldap query because i don't care about testing that piece in this case
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
return new SimpleAccount(token.getPrincipal(), token.getCredentials(), getName());
}
}
}