From 7917af2c614fe7bba9e74f08c6207e9c9721233a Mon Sep 17 00:00:00 2001
From: Pedro Igor
Date: Mon, 8 Jul 2024 08:58:02 -0300
Subject: [PATCH] Testing ldap connection should not process or bind the credentials (#31081)
Closes #30821
Signed-off-by: Pedro Igor
---
 .../managers/LDAPServerCapabilitiesManager.java | 2 +-
 .../admin/UserFederationLdapConnectionTest.java | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/federation/ldap/src/main/java/org/keycloak/services/managers/LDAPServerCapabilitiesManager.java b/federation/ldap/src/main/java/org/keycloak/services/managers/LDAPServerCapabilitiesManager.java
index e43da438764b..66a3777828dc 100755
--- a/federation/ldap/src/main/java/org/keycloak/services/managers/LDAPServerCapabilitiesManager.java
+++ b/federation/ldap/src/main/java/org/keycloak/services/managers/LDAPServerCapabilitiesManager.java
@@ -67,7 +67,7 @@ private static int parseConnectionTimeout(String connectionTimeout) {
 public static LDAPConfig buildLDAPConfig(TestLdapConnectionRepresentation config, RealmModel realm) {
 String bindCredential = config.getBindCredential();
- if (config.getComponentId() != null && !LDAPConstants.AUTH_TYPE.equals(LDAPConstants.AUTH_TYPE_NONE)
+ if (config.getComponentId() != null && !LDAPConstants.AUTH_TYPE_NONE.equals(config.getAuthType())
 && ComponentRepresentation.SECRET_VALUE.equals(bindCredential)) {
 // check the connection URL and the bind DN are the same to allow using the same configured password
 ComponentModel component = realm.getComponent(config.getComponentId());
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationLdapConnectionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationLdapConnectionTest.java
index 37f9462523ad..ecc4382fd33f 100644
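Review bot: The corrected guard on the `+` line is null-safe because the constant is on the left of `equals`, but that also means a request that omits `authType` entirely is treated as an authenticating one and the `SECRET_VALUE` placeholder is still resolved against the stored component password; if the rest of buildLDAPConfig, which continues outside the hunk, defaults a missing authType to `none`, the two decisions disagree. I cannot tell from here whether null is meant to be simple or none, so at minimum the assumption should be stated next to the check, e.g. `// a missing authType is treated as an authenticating bind here; keep this in sync with how the LDAPConfig below defaults it`. The existing comment explains the URL/bind-DN comparison but not why the auth type matters, which is the whole point of this fix; I would extend it with `// Never resolve the masked placeholder to the stored password for an anonymous (authType=none) test: only an authenticating request may reuse the configured credential, and only against the same URL and bind DN`.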
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationLdapConnectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationLdapConnectionTest.java
@@ -48,7 +48,7 @@ public class UserFederationLdapConnectionTest extends AbstractAdminTest {
 public static LDAPRule ldapRule = new LDAPRule();
 @Test
- public void testLdapConnections1() {
+ public void testLdapConnections() {
 // Unknown action
 Response response = realm.testLDAPConnection(new TestLdapConnectionRepresentation("unknown", "ldap://localhost:10389", "foo", "bar", "false", null));
 assertStatus(response, 400);
@@ -61,6 +61,14 @@ public void testLdapConnections1() {
 response = realm.testLDAPConnection(new TestLdapConnectionRepresentation(LDAPServerCapabilitiesManager.TEST_CONNECTION, "ldap://localhost:10389", null, null, "false", null, "false", LDAPConstants.AUTH_TYPE_NONE));
 assertStatus(response, 204);
+ // Connection success with invalid credentials
+ String ldapModelId = testingClient.testing().ldap(REALM_NAME).createLDAPProvider(ldapRule.getConfig(), false);
+ getCleanup().addCleanup(() -> {
+ adminClient.realm(REALM_NAME).components().removeComponent(ldapModelId);;
+ });
+ response = realm.testLDAPConnection(new TestLdapConnectionRepresentation(LDAPServerCapabilitiesManager.TEST_CONNECTION, "ldap://localhost:10389", "invalid-db", ComponentRepresentation.SECRET_VALUE, "false", null, "false", LDAPConstants.AUTH_TYPE_SIMPLE, ldapModelId));
+ assertStatus(response, 204);
+
 // Bad authentication
 response = realm.testLDAPConnection(new TestLdapConnectionRepresentation(LDAPServerCapabilitiesManager.TEST_AUTHENTICATION, "ldap://localhost:10389", "foo", "bar", "false", "10000"));
 assertStatus(response, 400);
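Review bot: The cleanup lambda in the added block carries a stray double semicolon, `removeComponent(ldapModelId);;`, and can be the expression lambda `getCleanup().addCleanup(() -> adminClient.realm(REALM_NAME).components().removeComponent(ldapModelId));`. The new case only shows that TEST_CONNECTION returns 204 with a bogus bind DN and the placeholder credential, which holds whether or not the stored secret is resolved, since per the commit subject the connection test does not bind; it does not pin the fixed guard, which is about `authType=none` no longer pulling the component's stored password. A companion request sending `LDAPConstants.AUTH_TYPE_NONE`, `ComponentRepresentation.SECRET_VALUE` and `ldapModelId` against TEST_AUTHENTICATION, asserting it is rejected rather than silently bound with the configured credential, would cover that branch, assuming TEST_AUTHENTICATION accepts authType none at all, which I cannot see from here. The comment `// Connection success with invalid credentials` undersells what is checked; `// TEST_CONNECTION must succeed without binding, even with a bogus bind DN and the masked placeholder credential` states it. testLdapConnections continues outside the hunk.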