From 5eb5d125bb5170aa5bac2136ae14079a80fc3e75 Mon Sep 17 00:00:00 2001
From: Manuel Gaupp <m.gaupp@scanplus.de>
Date: Tue, 11 Jun 2013 14:13:35 +0000
Subject: [PATCH] CR-1822 Fix issue OPENDJ-962: Subject Attr To User Attr Cert Mapper has wrong default configuration
---
opends/tests/unit-tests-testng/resource/client-emailAddress.keystore | 0
opends/tests/unit-tests-testng/resource/server.truststore | 0
opends/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.java | 45 ++++++++++
opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapperTestCase.java | 159 ++++++++++++++++++++++++++++++++++++---
opends/resource/schema/00-core.ldif | 6 +
opends/resource/config/config.ldif | 4
opends/tests/unit-tests-testng/src/server/org/opends/server/TestCaseUtils.java | 3
7 files changed, 201 insertions(+), 16 deletions(-)
diff --git a/opends/resource/config/config.ldif b/opends/resource/config/config.ldif
index 7a3a5b1..a37d147 100644
--- a/opends/resource/config/config.ldif
+++ b/opends/resource/config/config.ldif
@@ -22,7 +22,7 @@
#
# Copyright 2006-2010 Sun Microsystems, Inc.
# Portions Copyright 2010-2013 ForgeRock AS.
-# Portions Copyright 2012 Manuel Gaupp
+# Portions Copyright 2012-2013 Manuel Gaupp
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -410,7 +410,7 @@
ds-cfg-java-class: org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper
ds-cfg-enabled: true
ds-cfg-subject-attribute-mapping: cn:cn
-ds-cfg-subject-attribute-mapping: e:mail
+ds-cfg-subject-attribute-mapping: emailAddress:mail
dn: cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config
objectClass: top
diff --git a/opends/resource/schema/00-core.ldif b/opends/resource/schema/00-core.ldif
index 529a55e..f9faa6d 100644
--- a/opends/resource/schema/00-core.ldif
+++ b/opends/resource/schema/00-core.ldif
@@ -23,6 +23,7 @@
#
# Copyright 2006-2010 Sun Microsystems, Inc.
# Portions Copyright 2011-2012 ForgeRock AS
+# Portions Copyright 2013 Manuel Gaupp
#
#
# This file contains a core set of attribute type and objectlass definitions
@@ -525,6 +526,11 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation
X-ORIGIN 'OpenDJ Directory Server' )
+attributeTypes: ( 1.2.840.113549.1.9.1 NAME 'emailAddress'
+ DESC 'Email address'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ X-ORIGIN 'RFC 2985' )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass
X-ORIGIN 'RFC 4512' )
objectClasses: ( 2.5.6.1 NAME 'alias' SUP top STRUCTURAL MUST aliasedObjectName
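Review bot: The new `emailAddress` type defines no alternative name for the former default `e`, so a deployment whose config still carries `e:mail` (the value this commit drops from config.ldif) will not normalize to this type and silently keeps the raw string as the map key. If the old short name is meant to keep working, consider `NAME ( 'emailAddress' 'e' )` or a release note stating that existing `e:mail` mappings must be changed to `emailAddress:mail` or the OID. RFC 2985 specifies pkcs9CaseIgnoreMatch for this attribute; caseIgnoreIA5Match is a reasonable stand-in where that rule is not available, but a short comment above the definition recording that choice would help the next reader. Since this goes into the core schema, an installation that already defines OID 1.2.840.113549.1.9.1 in a user schema file would presumably hit a duplicate-definition error at startup; worth checking in the upgrade path.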
diff --git a/opends/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.java b/opends/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.java
index 3c77683..4490e82 100644
--- a/opends/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.java
+++ b/opends/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapper.java
@@ -24,6 +24,7 @@
*
* Copyright 2007-2008 Sun Microsystems, Inc.
* Portions Copyright 2012 ForgeRock AS
+ * Portions Copyright 2013 Manuel Gaupp
*/
package org.opends.server.extensions;
@@ -135,6 +136,10 @@
throw new ConfigException(message);
}
+ // Try to normalize the provided certAttrName
+ certAttrName = normalizeAttributeName(certAttrName);
+
+
if (attributeMap.containsKey(certAttrName))
{
Message message = ERR_SATUACM_DUPLICATE_CERT_ATTR.get(
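Review bot: normalizeAttributeName passes `certAttrName` straight to `DirectoryServer.getAttributeType(attrName, false)`, which in this code base looks the type up by its lowercased name, so the normalization only takes effect if `certAttrName` has already been lowercased earlier in this method (that part is outside the hunk). If it has not, a mixed-case mapping such as the new default `emailAddress:mail` falls back to the raw string as the map key and will never match the lowercased RDN name built in the mapping path; please confirm, or make the helper lowercase its input itself. The same applies to the two later hunks that normalize `certAttrName` in the configuration-acceptable and apply-configuration paths.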
@@ -271,6 +276,10 @@
for (int j=0; j < rdn.getNumValues(); j++)
{
String lowerName = toLowerCase(rdn.getAttributeName(j));
+
+ // Try to normalize lowerName
+ lowerName = normalizeAttributeName(lowerName);
+
AttributeType attrType = theAttributeMap.get(lowerName);
if (attrType != null)
{
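Review bot: When `theAttributeMap.get(lowerName)` returns null after normalization, nothing records why, so a subject whose email component the schema cannot resolve (for example when the new 00-core.ldif element is not loaded and the component arrives as the numeric OID) only surfaces later as ERR_SATUACM_NO_MAPPABLE_ATTRIBUTES / INVALID_CREDENTIALS. A debug-level trace naming the unmatched RDN attribute would make that failure diagnosable without changing behaviour. Also, `// Try to normalize lowerName` restates the call; a comment saying why it is needed (`// Map both the short name and the OID form of an RDN attribute to the same key as the configured mapping`) would carry more information. The enclosing loop and method start outside the hunk.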
@@ -282,7 +291,8 @@
if (filterComps.isEmpty())
{
- Message message = ERR_SATUACM_NO_MAPPABLE_ATTRIBUTES.get(peerName);
+ Message message = ERR_SATUACM_NO_MAPPABLE_ATTRIBUTES.get(
+ String.valueOf(peerDN));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, message);
}
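Review bot: Both message arguments switched from `peerName` to `String.valueOf(peerDN)`; if `peerName` is no longer referenced anywhere in the method after this and the later hunk (its declaration is outside the hunk), it is now a dead local and should be removed, since it presumably still costs a subject-name extraction. If `peerName` is the unparsed subject string, note that the error text now shows the decoded DN rather than the literal certificate subject, which is fine for INVALID_CREDENTIALS diagnostics but is a visible change to the message.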
@@ -356,7 +366,7 @@
else
{
Message message = ERR_SATUACM_MULTIPLE_MATCHING_ENTRIES.
- get(peerName, String.valueOf(userEntry.getDN()),
+ get(String.valueOf(peerDN), String.valueOf(userEntry.getDN()),
String.valueOf(entry.getDN()));
throw new DirectoryException(ResultCode.INVALID_CREDENTIALS, message);
}
@@ -425,6 +435,9 @@
break;
}
+ // Try to normalize the provided certAttrName
+ certAttrName = normalizeAttributeName(certAttrName);
+
if (newAttributeMap.containsKey(certAttrName))
{
unacceptableReasons.add(ERR_SATUACM_DUPLICATE_CERT_ATTR.get(
@@ -515,6 +528,9 @@
break;
}
+ // Try to normalize the provided certAttrName
+ certAttrName = normalizeAttributeName(certAttrName);
+
if (newAttributeMap.containsKey(certAttrName))
{
if (resultCode == ResultCode.SUCCESS)
@@ -598,5 +614,30 @@
return new ConfigChangeResult(resultCode, adminActionRequired, messages);
}
+
+
+
+ /**
+ * Tries to normalize the given attribute name; if normalization is not
+ * possible the original String value is returned.
+ *
+ * @param attrName The attribute name which should be normalized.
+ *
+ * @return The normalized attribute name.
+ */
+ private static String normalizeAttributeName(String attrName)
+ {
+ AttributeType attrType =
+ DirectoryServer.getAttributeType(attrName, false);
+ if (attrType != null)
+ {
+ String attrNameNormalized = attrType.getNormalizedPrimaryName();
+ if (attrNameNormalized != null)
+ {
+ attrName = attrNameNormalized;
+ }
+ }
+ return attrName;
+ }
}
diff --git a/opends/tests/unit-tests-testng/resource/client-emailAddress.keystore b/opends/tests/unit-tests-testng/resource/client-emailAddress.keystore
new file mode 100644
index 0000000..5857524
--- /dev/null
+++ b/opends/tests/unit-tests-testng/resource/client-emailAddress.keystore
Binary files differ
diff --git a/opends/tests/unit-tests-testng/resource/server.truststore b/opends/tests/unit-tests-testng/resource/server.truststore
index 4590477..77fc49a 100644
--- a/opends/tests/unit-tests-testng/resource/server.truststore
+++ b/opends/tests/unit-tests-testng/resource/server.truststore
Binary files differ
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/TestCaseUtils.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/TestCaseUtils.java
index 5a4b967..2bb2e77 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/TestCaseUtils.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/TestCaseUtils.java
@@ -24,6 +24,7 @@
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2013 ForgeRock AS
+ * Portions Copyright 2013 Manuel Gaupp
*/
package org.opends.server;
@@ -399,6 +400,8 @@
new File(testConfigDir, "server.truststore"));
copyFile(new File(testResourceDir, "client.keystore"),
new File(testConfigDir, "client.keystore"));
+ copyFile(new File(testResourceDir, "client-emailAddress.keystore"),
+ new File(testConfigDir, "client-emailAddress.keystore"));
copyFile(new File(testResourceDir, "client.truststore"),
new File(testConfigDir, "client.truststore"));
copyFile(new File(testResourceDir, "server-cert.p12"),
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapperTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapperTestCase.java
index 2e914d5..ad2f939 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapperTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/SubjectAttributeToUserAttributeCertificateMapperTestCase.java
@@ -24,6 +24,7 @@
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2012 ForgeRock AS
+ * Portions Copyright 2013 Manuel Gaupp
*/
package org.opends.server.extensions;
@@ -180,7 +181,19 @@
"SubjectAttributeToUserAttributeCertificateMapper",
"ds-cfg-enabled: true",
"ds-cfg-subject-attribute-mapping: cn:cn",
- "ds-cfg-user-base-dn: invalid");
+ "ds-cfg-user-base-dn: invalid",
+ "",
+ "dn: cn=Duplicate Cert Attr OID and Name,cn=Certificate Mappers,cn=config",
+ "objectClass: top",
+ "objectClass: ds-cfg-certificate-mapper",
+ "objectClass: " +
+ "ds-cfg-subject-attribute-to-user-attribute-certificate-mapper",
+ "cn: Duplicate Cert Attr OID and Name",
+ "ds-cfg-java-class: org.opends.server.extensions." +
+ "SubjectAttributeToUserAttributeCertificateMapper",
+ "ds-cfg-enabled: true",
+ "ds-cfg-subject-attribute-mapping: cn:cn",
+ "ds-cfg-subject-attribute-mapping: 2.5.4.3:displayName");
Object[][] configEntries = new Object[entries.size()][1];
@@ -279,6 +292,128 @@
/**
+ * Tests a successful mapping using an OID for the mapping.
+ *
+ * @throws Exception If an unexpected problem occurs.
+ */
+ @Test()
+ public void testSuccessfulMappingUsingAnOID()
+ throws Exception
+ {
+ enableMapper();
+
+ try
+ {
+ setAttributeMappings(new String[] { "cn:cn", "1.2.840.113549.1.9.1:mail" });
+
+ TestCaseUtils.initializeTestBackend(true);
+ TestCaseUtils.addEntry(
+ "dn: uid=test.user,o=test",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: organizationalPerson",
+ "objectClass: inetOrgPerson",
+ "objectClass: ds-certificate-user",
+ "uid: test.user",
+ "givenName: Test",
+ "sn: User",
+ "cn: Test User",
+ "mail: test@example.com");
+
+
+
+ String keyStorePath = DirectoryServer.getInstanceRoot() + File.separator +
+ "config" + File.separator + "client-emailAddress.keystore";
+ String trustStorePath = DirectoryServer.getInstanceRoot() + File.separator +
+ "config" + File.separator + "client.truststore";
+
+ String[] args =
+ {
+ "--noPropertiesFile",
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapsPort()),
+ "-Z",
+ "-K", keyStorePath,
+ "-W", "password",
+ "-P", trustStorePath,
+ "-r",
+ "-b", "",
+ "-s", "base",
+ "(objectClass=*)"
+ };
+
+ assertEquals(LDAPSearch.mainSearch(args, false, null, System.err), 0);
+ }
+ finally
+ {
+ disableMapper();
+ setAttributeMappings(new String[] { "cn:cn", "emailAddress:mail" });
+ }
+ }
+
+
+
+ /**
+ * Tests a successful mapping using the default configuration and a
+ * certificate containing a subject with an emailAddress.
+ *
+ * @throws Exception If an unexpected problem occurs.
+ */
+ @Test()
+ public void testSuccessfulMappingDefaultConfigEmailAddress()
+ throws Exception
+ {
+ enableMapper();
+
+ try
+ {
+ TestCaseUtils.initializeTestBackend(true);
+ TestCaseUtils.addEntry(
+ "dn: uid=test.user,o=test",
+ "objectClass: top",
+ "objectClass: person",
+ "objectClass: organizationalPerson",
+ "objectClass: inetOrgPerson",
+ "objectClass: ds-certificate-user",
+ "uid: test.user",
+ "givenName: Test",
+ "sn: User",
+ "cn: Test User",
+ "mail: test@example.com");
+
+
+
+ String keyStorePath = DirectoryServer.getInstanceRoot() + File.separator +
+ "config" + File.separator + "client-emailAddress.keystore";
+ String trustStorePath = DirectoryServer.getInstanceRoot() + File.separator +
+ "config" + File.separator + "client.truststore";
+
+ String[] args =
+ {
+ "--noPropertiesFile",
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapsPort()),
+ "-Z",
+ "-K", keyStorePath,
+ "-W", "password",
+ "-P", trustStorePath,
+ "-r",
+ "-b", "",
+ "-s", "base",
+ "(objectClass=*)"
+ };
+
+ assertEquals(LDAPSearch.mainSearch(args, false, null, System.err), 0);
+ }
+ finally
+ {
+ disableMapper();
+ }
+ }
+
+
+
+ /**
* Tests a successful mapping with multiple attributes.
*
* @throws Exception If an unexpected problem occurs.
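Review bot: Both new tests only assert that ldapsearch exits with 0, which proves the client certificate was accepted but not that it was mapped to `uid=test.user,o=test`; the third argument to `LDAPSearch.mainSearch`, passed here as `null`, presumably receives the search output, so capturing it in a ByteArrayOutputStream and asserting the authorization identity reported by `-r` contains `uid=test.user` would pin the actual mapping. The test entry and the argument array are also copied verbatim between testSuccessfulMappingUsingAnOID and testSuccessfulMappingDefaultConfigEmailAddress (and likely the existing tests); a private helper taking the keystore file name would remove the duplication. testSuccessfulMappingUsingAnOID resets the mappings in `finally` while testSuccessfulMappingDefaultConfigEmailAddress does not, which is consistent only as long as the latter never calls setAttributeMappings.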
@@ -334,7 +469,7 @@
finally
{
disableMapper();
- setAttributeMappings(new String[] { "cn:cn", "e:mail" });
+ setAttributeMappings(new String[] { "cn:cn", "emailAddress:mail" });
}
}
@@ -353,7 +488,7 @@
try
{
- setAttributeMappings(new String[] { "e:mail" });
+ setAttributeMappings(new String[] { "emailAddress:mail" });
TestCaseUtils.initializeTestBackend(true);
TestCaseUtils.addEntry(
@@ -396,7 +531,7 @@
finally
{
disableMapper();
- setAttributeMappings(new String[] { "cn:cn", "e:mail" });
+ setAttributeMappings(new String[] { "cn:cn", "emailAddress:mail" });
}
}
@@ -592,7 +727,7 @@
/**
- * Tests to ensure that an attmept to remove the subject attribute will fail.
+ * Tests to ensure that an attempt to remove the subject attribute will fail.
*
* @throws Exception If an unexpected problem occurs.
*/
@@ -620,7 +755,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with no colon
+ * Tests to ensure that an attempt to set an attribute mapping with no colon
* will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -635,7 +770,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with no cert
+ * Tests to ensure that an attempt to set an attribute mapping with no cert
* attribute will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -650,7 +785,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with no user
+ * Tests to ensure that an attempt to set an attribute mapping with no user
* attribute will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -665,7 +800,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with an
+ * Tests to ensure that an attempt to set an attribute mapping with an
* undefined user attribute will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -680,7 +815,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with a
+ * Tests to ensure that an attempt to set an attribute mapping with a
* duplicate cert attribute mapping will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -695,7 +830,7 @@
/**
- * Tests to ensure that an attmept to set an attribute mapping with a
+ * Tests to ensure that an attempt to set an attribute mapping with a
* duplicate user attribute mapping will fail.
*
* @throws Exception If an unexpected problem occurs.
@@ -710,7 +845,7 @@
/**
- * Tests to ensure that an attmept to set an invalid base DN will fail.
+ * Tests to ensure that an attempt to set an invalid base DN will fail.
*
* @throws Exception If an unexpected problem occurs.
*/