This is an automated email from the ASF dual-hosted git repository.
dahn pushed a commit to branch 4.19
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.19 by this push:
new cbd2b5a0224 Add check for ldap truststore password (#11055)
cbd2b5a0224 is described below
commit cbd2b5a022476e8b85f8ce745d01db5370fb185f
Author: Pearl Dsilva <[email protected]>
AuthorDate: Thu Jun 19 04:03:58 2025 -0400
Add check for ldap truststore password (#11055)
---
.../apache/cloudstack/ldap/LdapContextFactory.java | 34 ++++++++++++++++++++--
.../apache/cloudstack/ldap/LdapManagerImpl.java | 5 ++++
2 files changed, 37 insertions(+), 2 deletions(-)
diff --git
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
index 0161adf9fda..ee48e8cc027 100644
---
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
+++
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
@@ -16,6 +16,7 @@
// under the License.
package org.apache.cloudstack.ldap;
+import java.io.FileInputStream;
import java.io.IOException;
import java.util.Hashtable;
@@ -24,6 +25,7 @@ import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
+import java.security.KeyStore;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
@@ -72,8 +74,36 @@ public class LdapContextFactory {
if (sslStatus) {
s_logger.info("LDAP SSL enabled.");
environment.put(Context.SECURITY_PROTOCOL, "ssl");
- System.setProperty("javax.net.ssl.trustStore",
_ldapConfiguration.getTrustStore(domainId));
- System.setProperty("javax.net.ssl.trustStorePassword",
_ldapConfiguration.getTrustStorePassword(domainId));
+ String trustStore = _ldapConfiguration.getTrustStore(domainId);
+ String trustStorePassword =
_ldapConfiguration.getTrustStorePassword(domainId);
+
+ if (!validateTrustStore(trustStore, trustStorePassword)) {
+ throw new RuntimeException("Invalid truststore or truststore
password");
+ }
+
+ System.setProperty("javax.net.ssl.trustStore", trustStore);
+ System.setProperty("javax.net.ssl.trustStorePassword",
trustStorePassword);
+ }
+ }
+
+ private boolean validateTrustStore(String trustStore, String
trustStorePassword) {
+ if (trustStore == null) {
+ return true;
+ }
+
+ if (trustStorePassword == null) {
+ return false;
+ }
+
+ try {
+ KeyStore.getInstance("JKS").load(
+ new FileInputStream(trustStore),
+ trustStorePassword.toCharArray()
+ );
+ return true;
+ } catch (Exception e) {
+ s_logger.warn("Failed to validate truststore: " + e.getMessage());
+ return false;
}
}
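Review bot: The FileInputStream opened in validateTrustStore is never closed, so every SSL context creation leaks a file handle until the stream is finalized; wrap it in try-with-resources: `try (FileInputStream in = new FileInputStream(trustStore)) { KeyStore.getInstance("JKS").load(in, trustStorePassword.toCharArray()); return true; }`. The catch block also discards the stack trace and keeps only the message; passing the exception as the second argument, `s_logger.warn("Failed to validate truststore: " + e.getMessage(), e);`, keeps the cause diagnosable without changing the WARN text. When trustStore is null the method returns true and the caller then hands that null to System.setProperty, which throws NullPointerException; that path predates this change, but the new early return makes it read as intentional, so either comment it (e.g. `// null truststore: caller relies on JDK default trust material`) or return false there as well. The hard-coded "JKS" type may reject PKCS12 truststores on JDKs that lack the compatibility keystore type; `KeyStore.getDefaultType()` would follow the JDK default, which is worth confirming against the formats operators actually deploy. The enclosing method that sets the SSL system properties starts outside the hunk.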
diff --git
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
index 6ed79a0c69f..352e439b50c 100644
---
a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
+++
b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
@@ -186,6 +186,11 @@ public class LdapManagerImpl extends
ComponentLifecycleBase implements LdapManag
} catch (NamingException | IOException e) {
LOGGER.debug("NamingException while doing an LDAP bind", e);
throw new InvalidParameterValueException("Unable to bind to
the given LDAP server");
+ } catch (RuntimeException e) {
+ if (e.getMessage().contains("Invalid truststore")) {
+ throw new InvalidParameterValueException("Invalid
truststore or truststore password");
+ }
+ throw e;
} finally {
closeContext(context);
}