[CXF-6283] - Support binary attributes in the LDAPClaimsHandler Conflicts: systests/kerberos/src/test/resources/ldap.properties
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dff1ddd5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dff1ddd5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dff1ddd5
Branch: refs/heads/3.0.x-fixes
Commit: dff1ddd57cf1210561bd8708b7bc9796ddc510e6
Parents: d9fb073
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Fri Mar 6 18:43:48 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Fri Mar 6 18:50:46 2015 +0000
----------------------------------------------------------------------
.../cxf/sts/claims/LdapClaimsHandler.java | 40 +++++++++-------
.../systest/kerberos/ldap/LDAPClaimsTest.java | 49 ++++++++++++++++++++
systests/kerberos/src/test/resources/ldap.ldif | 28 +++++++++++
.../kerberos/src/test/resources/ldap.properties | 8 +++-
systests/kerberos/src/test/resources/ldap.xml | 1 +
5 files changed, 108 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/dff1ddd5/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
index 238544c..2863d0d 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/claims/LdapClaimsHandler.java
@@ -234,32 +234,38 @@ public class LdapClaimsHandler implements ClaimsHandler, RealmSupport {
 NamingEnumeration<?> list = (NamingEnumeration<?>)attr.getAll();
 while (list.hasMore()) {
 Object obj = list.next();
- if (!(obj instanceof String)) {
+ if (obj instanceof String) {
+ String itemValue = (String)obj;
+ if (this.isX500FilterEnabled()) {
+ try {
+ X500Principal x500p = new X500Principal(itemValue);
+ itemValue = x500p.getName();
+ int index = itemValue.indexOf('=');
+ itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
+ } catch (Exception ex) {
+ //Ignore, not X500 compliant thus use the whole string as the value
+ }
+ }
+ claimValue.append(itemValue);
+ if (list.hasMore()) {
+ claimValue.append(this.getDelimiter());
+ }
+ } else if (obj instanceof byte[]) {
+ // Just store byte[]
+ c.addValue(obj);
+ } else {
 LOG.warning("LDAP attribute '" + ldapAttribute + "' has got an unsupported value type");
 break;
 }
- String itemValue = (String)obj;
- if (this.isX500FilterEnabled()) {
- try {
- X500Principal x500p = new X500Principal(itemValue);
- itemValue = x500p.getName();
- int index = itemValue.indexOf('=');
- itemValue = itemValue.substring(index + 1, itemValue.indexOf(',', index));
- } catch (Exception ex) {
- //Ignore, not X500 compliant thus use the whole string as the value
- }
- }
- claimValue.append(itemValue);
- if (list.hasMore()) {
- claimValue.append(this.getDelimiter());
- }
 }
 } catch (NamingException ex) {
 LOG.warning("Failed to read value of LDAP attribute '" + ldapAttribute + "'");
 }
- c.addValue(claimValue.toString());
+ if (claimValue.length() > 0) {
+ c.addValue(claimValue.toString());
+ }
 // c.setIssuer(issuer);
 // c.setOriginalIssuer(originalIssuer);
 // c.setNamespace(namespace);
http://git-wip-us.apache.org/repos/asf/cxf/blob/dff1ddd5/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
----------------------------------------------------------------------
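Review bot: In the new String branch, `if (list.hasMore()) { claimValue.append(this.getDelimiter()); }` still uses "another element follows" as a proxy for "another String follows", so when the next element is a byte[] (the branch this commit adds) or an unsupported type that triggers the `break`, the joined string value ends with a dangling delimiter; this is only reachable for attributes mixing String and binary values, but the fix is cheap: append the delimiter before a value, and only once a previous string has been collected, so the result no longer depends on what comes next. The moved comment `//Ignore, not X500 compliant thus use the whole string as the value` is also inaccurate: `itemValue` has already been overwritten with `x500p.getName()` by the time `substring` can throw (no ',' after the first '='), so the RFC 2253 form rather than the original string is used in that case — keep the original in a local and restore it in the catch. The enclosing method starts and ends outside the hunk.
```java
                boolean firstValue = true;
                while (list.hasMore()) {
                    Object obj = list.next();
                    if (obj instanceof String) {
                        String itemValue = (String)obj;
                        // … unchanged: optional X500 filtering of itemValue …
                        if (!firstValue) {
                            claimValue.append(this.getDelimiter());
                        }
                        claimValue.append(itemValue);
                        firstValue = false;
                    } else if (obj instanceof byte[]) {
                        // … unchanged: byte[] stored as its own value …
```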
diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
index 5e3c198..182ad91 100644
--- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
+++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/ldap/LDAPClaimsTest.java
@@ -19,11 +19,14 @@
 package org.apache.cxf.systest.kerberos.ldap;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.InputStream;
 import java.net.URI;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -266,7 +269,53 @@ public class LDAPClaimsTest extends AbstractLdapTestUnit {
 );
 }
 }
+
+ @org.junit.Test
+ public void testRetrieveBinaryClaims() throws Exception {
+ LdapClaimsHandler claimsHandler = (LdapClaimsHandler)appContext.getBean("testClaimsHandler");
+
+ String user = props.getProperty("binaryClaimUser");
+ Assert.notNull(user, "Property 'binaryClaimUser' not configured");
+ ClaimCollection requestedClaims = createRequestClaimCollection();
+ // Ask for the (binary) cert as well
+ Claim claim = new Claim();
+ claim.setClaimType(URI.create("http://custom/x509"));
+ claim.setOptional(true);
+ requestedClaims.add(claim);
+
+ List<URI> expectedClaims = new ArrayList<URI>();
+ expectedClaims.add(ClaimTypes.FIRSTNAME);
+ expectedClaims.add(ClaimTypes.LASTNAME);
+ expectedClaims.add(ClaimTypes.EMAILADDRESS);
+ expectedClaims.add(URI.create("http://custom/x509"));
+
+ ClaimsParameters params = new ClaimsParameters();
+ params.setPrincipal(new CustomTokenPrincipal(user));
+ ProcessedClaimCollection retrievedClaims =
+ claimsHandler.retrieveClaimValues(requestedClaims, params);
+
+ Assert.isTrue(
+ retrievedClaims.size() == expectedClaims.size(),
+ "Retrieved number of claims [" + retrievedClaims.size()
+ + "] doesn't match with expected [" + expectedClaims.size() + "]"
+ );
+
+ boolean foundCert = false;
+ for (ProcessedClaim c : retrievedClaims) {
+ if (URI.create("http://custom/x509").equals(c.getClaimType())) {
+ foundCert = true;
+ Assert.isTrue(c.getValues().get(0) instanceof byte[]);
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ InputStream in = new ByteArrayInputStream((byte[])c.getValues().get(0));
+ X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);
+ Assert.isTrue(cert != null);
+ }
+ }
+
+ Assert.isTrue(foundCert);
+ }
+
 private ClaimCollection createRequestClaimCollection() {
 ClaimCollection claims = new ClaimCollection();
 Claim claim = new Claim();
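Review bot: `Assert.isTrue(cert != null)` after `generateCertificate` asserts nothing, because CertificateFactory throws CertificateException on malformed input rather than returning null; a check that actually pins the new byte[] path is that the claim value is exactly the certificate's DER encoding, `Assert.isTrue(Arrays.equals(cert.getEncoded(), (byte[])c.getValues().get(0)));` (needs a `java.util.Arrays` import). The loop also only inspects `get(0)`, so a second, unexpected value on the x509 claim would go unnoticed; `Assert.isTrue(c.getValues().size() == 1);` would pin the one-value-per-certificate behaviour of the handler. The two-argument `Assert.notNull` and one-argument `Assert.isTrue` calls suggest this is Spring's Assert rather than JUnit's; that is presumably consistent with the rest of the class, which is outside the hunk.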
http://git-wip-us.apache.org/repos/asf/cxf/blob/dff1ddd5/systests/kerberos/src/test/resources/ldap.ldif
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.ldif b/systests/kerberos/src/test/resources/ldap.ldif
index bdb6a83..0456f93 100644
--- a/systests/kerberos/src/test/resources/ldap.ldif
+++ b/systests/kerberos/src/test/resources/ldap.ldif
@@ -59,6 +59,34 @@ mail: al...@users.apache.org
 givenname: alice2
 userpassword: security
+# Other principal.
+dn: cn=dave,ou=users,dc=example,dc=com
+objectclass: top
+objectclass: person
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+cn: dave
+sn: smith
+uid: dave
+mail: d...@users.apache.org
+givenname: dave2
+userpassword: security
+userCertificate:: MIIDFjCCAn+gAwIBAgIJAI3hLAppEXfSMA0GCSqGSIb3DQEBBQU
+ AMGYxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xDzANBgNVBAcTBk11bmljaDENMAsGA1
+ UEChMESG9tZTEVMBMGA1UECxMMQXBhY2hlIFdTUzRKMQ8wDQYDVQQDEwZXZXJuZXIwHhcNMDkwN
+ DI0MTAzMjQ2WhcNMTkwNDIyMTAzMjQ2WjBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJu
+ MQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsTDEFwYWNoZSBXU1M0SjE
+ PMA0GA1UEAxMGV2VybmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWyYLtAg1XlEGC5d
+ Cc4SP1Rg4SbEVLWvXBIZrAIG1MqDpjDFM7WlOdMudqmVFn6+z+PMPfuQdTET7+udhDty4ukhycu
+ Akiv80lie+6tbfWddR9i3gZt0YMTq2PvXOpKiBAjD7umjbzbGnSbXAWKAYLQO5Nzcjc9eYVWxNu
+ rUqJvwIDAQABo4HLMIHIMB0GA1UdDgQWBBRWF+/2a4tZ/iMZaN54wOFNZ33QZjCBmAYDVR0jBIG
+ QMIGNgBRWF+/2a4tZ/iMZaN54wOFNZ33QZqFqpGgwZjELMAkGA1UEBhMCREUxDzANBgNVBAgTBk
+ JheWVybjEPMA0GA1UEBxMGTXVuaWNoMQ0wCwYDVQQKEwRIb21lMRUwEwYDVQQLEwxBcGFjaGUgV
+ 1NTNEoxDzANBgNVBAMTBldlcm5lcoIJAI3hLAppEXfSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+ AQEFBQADgYEAYTuCjZSScbxzaWtItIL0Szh410aAisfB12MDWTGvxOL6YdqXtlwpA/miTK67KaE
+ Bnsb7PwnUGClKvGIoFYAtvgAyKclzsl4dl4pA8P2a4ofSKsdVKLyIIS7Vqgj0fmlc6lYJlhXIxU
+ Hz4tR1T97/ZU1uAr5KwXiEA7SYQzZkHZg=
+
 dn: uid=admin,dc=example,dc=com
 objectClass: top
 objectClass: person
http://git-wip-us.apache.org/repos/asf/cxf/blob/dff1ddd5/systests/kerberos/src/test/resources/ldap.properties
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.properties b/systests/kerberos/src/test/resources/ldap.properties
index 8654096..c4ea789 100644
--- a/systests/kerberos/src/test/resources/ldap.properties
+++ b/systests/kerberos/src/test/resources/ldap.properties
@@ -17,4 +17,10 @@
 # under the License.
 #
-claimUser=alice
\ No newline at end of file
+<<<<<<< HEAD
+claimUser=alice
+=======
+claimUser=alice
+otherClaimUser=bob
+binaryClaimUser=dave
+>>>>>>> 5903132... [CXF-6283] - Support binary attributes in the LDAPClaimsHandler
http://git-wip-us.apache.org/repos/asf/cxf/blob/dff1ddd5/systests/kerberos/src/test/resources/ldap.xml
----------------------------------------------------------------------
diff --git a/systests/kerberos/src/test/resources/ldap.xml b/systests/kerberos/src/test/resources/ldap.xml
index 8c137b4..d73b9a8 100644
--- a/systests/kerberos/src/test/resources/ldap.xml
+++ b/systests/kerberos/src/test/resources/ldap.xml
@@ -33,6 +33,7 @@
 <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" value="sn"/>
 <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" value="mail"/>
 <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" value="c"/>
+ <entry key="http://custom/x509" value="usercertificate"/>
 </util:map>
 <bean id="testClaimsHandler" class="org.apache.cxf.sts.claims.LdapClaimsHandler">
 <property name="ldapTemplate" ref="ldapTemplate" />
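Review bot: The new side of ldap.properties is an unresolved merge conflict: `<<<<<<< HEAD`, `=======` and `>>>>>>> 5903132...` are committed literally, which the "Conflicts:" line in the commit message also records. java.util.Properties should still load the file because each marker parses as a throw-away entry (key `<<<<<<<`, an empty key for the `=======` line, key `>>>>>>>`) and `claimUser=alice` is merely set twice, which would explain why the new test passes, but the resolved file should contain only `claimUser=alice`, `otherClaimUser=bob`, `binaryClaimUser=dave`. Ending the file with a newline would also clear the `\ No newline at end of file` state the old side had.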