From c5fcabea2379d68967ae4dc09a780459d1fd301e Mon Sep 17 00:00:00 2001
From: neil_a_wilson <neil_a_wilson@localhost>
Date: Tue, 10 Jul 2007 22:52:19 +0000
Subject: [PATCH] Update the server's DIGEST-MD5 SASL mechanism handler so that it provides support for validating the digest-uri element of the request.  By default, no validation is performed and any digest-uri value will be accepted.  However, if the DIGEST-MD5 SASL mechanism handler is configured with the ds-cfg-server-fqdn attribute, then the digest-uri value will be expected to be "ldap/" followed by the value of that configuration attribute.

---
 opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java                |   19 ++++++++-
 opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java                             |   14 +++++++
 opendj-sdk/opends/resource/schema/02-config.ldif                                                            |    3 +
 opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml |   32 +++++++++++++++
 4 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/opendj-sdk/opends/resource/schema/02-config.ldif b/opendj-sdk/opends/resource/schema/02-config.ldif
index 648087f..d677b58 100644
--- a/opendj-sdk/opends/resource/schema/02-config.ldif
+++ b/opendj-sdk/opends/resource/schema/02-config.ldif
@@ -1709,7 +1709,8 @@
 objectClasses: ( 1.3.6.1.4.1.26027.1.2.47
   NAME 'ds-cfg-digest-md5-sasl-mechanism-handler'
   SUP ds-cfg-sasl-mechanism-handler MUST ds-cfg-identity-mapper-dn
-  MAY ds-cfg-realm X-ORIGIN 'OpenDS Directory Server' )
+  MAY ( ds-cfg-realm $ ds-cfg-server-fqdn )
+  X-ORIGIN 'OpenDS Directory Server' )
 objectClasses: ( 1.3.6.1.4.1.26027.1.2.48
   NAME 'ds-cfg-gssapi-sasl-mechanism-handler'
   SUP ds-cfg-sasl-mechanism-handler MAY ( ds-cfg-identity-mapper-dn $
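Review bot: The MAY clause now references ds-cfg-server-fqdn, but this patch adds no attributeTypes definition for it, so the schema only loads if that attribute is already declared elsewhere in 02-config.ldif. The adjacent GSSAPI handler objectClass (its MAY list is cut off at the hunk boundary) is presumably the existing user, which would also explain why the XML reuses OID 1.3.6.1.4.1.26027.1.1.115, but that should be confirmed before merging. If it is not already present, a single-valued directory-string attributeTypes entry for OID 1.3.6.1.4.1.26027.1.1.115 named ds-cfg-server-fqdn needs to be added ahead of the objectClasses.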
diff --git a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
index c5866ce..2ba5eed 100644
--- a/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
+++ b/opendj-sdk/opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml
@@ -60,7 +60,7 @@
     <adm:description>
       Specifies the realm that should be used by the server for DIGEST-MD5
       authentication.  If this is not provided, then the server will default
-      to using a set of realm names that correspond to the defined suffixes. 
+      to using a set of realm names that correspond to the defined suffixes.
       Changes to this configuration attribute will take effect immediately.
     </adm:description>
     <adm:default-behavior>
@@ -102,5 +102,35 @@
       </ldap:attribute>
     </adm:profile>
   </adm:property>
+  <adm:property name="server-fqdn" mandatory="false">
+    <adm:synopsis>
+      Specifies the fully-qualified domain name for the system.  This is the
+      value expected to be present in the host field of the digest-uri-value
+      element.
+    </adm:synopsis>
+    <adm:description>
+      Specifies the DNS-resolvable fully-qualified domain name for the system.
+      If this is not provided, then the server will attempt to determine this
+      dynamically.  Changes to this configuration attribute will take effect
+      immediately.
+    </adm:description>
+    <adm:default-behavior>
+      <adm:alias>
+        <adm:synopsis>
+          The server will attempt to dynamically determine the fully-qualified
+          domain name.
+        </adm:synopsis>
+      </adm:alias>
+    </adm:default-behavior>
+    <adm:syntax>
+      <adm:string />
+    </adm:syntax>
+    <adm:profile name="ldap">
+      <ldap:attribute>
+        <ldap:oid>1.3.6.1.4.1.26027.1.1.115</ldap:oid>
+        <ldap:name>ds-cfg-server-fqdn</ldap:name>
+      </ldap:attribute>
+    </adm:profile>
+  </adm:property>
 </adm:managed-object>
 
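Review bot: The description and default-behavior synopsis of the new server-fqdn property say the server "will attempt to determine this dynamically" when it is unset, but the handler code in this same patch skips digest-uri validation entirely when getServerFqdn() is null or empty, and the commit message states the same. An administrator reading this text would assume the digest-uri host is always checked, which it is not. Suggest the description sentence read `If this is not provided, then the digest-uri element of DIGEST-MD5 requests will not be validated and any value will be accepted.` and the default-behavior synopsis read `The digest-uri element of DIGEST-MD5 requests will not be validated.`.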
diff --git a/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java b/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
index 72ec9f1..bbae357 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/extensions/DigestMD5SASLMechanismHandler.java
@@ -594,8 +594,23 @@
       {
         responseDigestURI = tokenValue;
 
-        // FIXME -- Add the ability to validate this URI, at least to check the
-        // hostname.
+        String serverFQDN = config.getServerFqdn();
+        if ((serverFQDN != null) && (serverFQDN.length() > 0))
+        {
+          // If a server FQDN is populated, then we'll use it to validate the
+          // digest-uri, which should be in the form "ldap/serverfqdn".
+          String expectedDigestURI = "ldap/" + serverFQDN;
+          if (! expectedDigestURI.equalsIgnoreCase(responseDigestURI))
+          {
+            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
+
+            int    msgID   = MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI;
+            String message = getMessage(msgID, responseDigestURI,
+                                        expectedDigestURI);
+            bindOperation.setAuthFailureReason(msgID, message);
+            return;
+          }
+        }
       }
       else if (tokenName.equals("response"))
       {
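Review bot: The equality test in the new `if` rejects any digest-uri that carries the optional serv-name component permitted by RFC 2831 §2.1.2 (`serv-type "/" host [ "/" serv-name ]`), so a conforming client sending `ldap/host.example.com/example.com` fails with INVALID_CREDENTIALS as soon as ds-cfg-server-fqdn is set. If the strict two-part form is intended, the configuration property description should say so; otherwise accept the prefix form, e.g. `if (!expectedDigestURI.equalsIgnoreCase(responseDigestURI) && !responseDigestURI.regionMatches(true, 0, expectedDigestURI + "/", 0, expectedDigestURI.length() + 1))`. The check also depends on `config` reflecting the current configuration; whether that field is refreshed on configuration change is not visible here. The enclosing method begins and ends outside this hunk.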
diff --git a/opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java b/opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java
index 94afc25..36d4a23 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/messages/ExtensionsMessages.java
@@ -5492,6 +5492,16 @@
 
 
   /**
+   * The message ID for the message that will be used if the client request
+   * included an invalid digest URI.  This takes two arguments, which are the
+   * provided digest URI and the expected digest URI.
+   */
+  public static final int MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI =
+       CATEGORY_MASK_EXTENSIONS | SEVERITY_MASK_MILD_ERROR | 529;
+
+
+
+  /**
    * Associates a set of generic messages with the message IDs defined in this
    * class.
    */
@@ -6775,6 +6785,10 @@
                     "The DIGEST-MD5 credentials provided by the client " +
                     "requested an invalid quality of protection mechanism of " +
                     "%s");
+    registerMessage(MSGID_SASLDIGESTMD5_INVALID_DIGEST_URI,
+                    "The DIGEST-MD5 credentials provided by the client " +
+                    "requested an invalid digest URI of %s.  The expected " +
+                    "digest URI was %s");
     registerMessage(MSGID_SASLDIGESTMD5_CANNOT_PARSE_RESPONSE_DIGEST,
                     "The DIGEST-MD5 credentials provided by the client " +
                     "included a digest that could not be decoded as a " +
