Merge pull request alibaba#9178 from karsonto/develop-issue#9175

[ISSUE alibaba#9175] Support ldap filter config
onewe · Sep 20, 2022 · 091f530 · 091f530
2 parents 45f38b5 + f27113b
commit 091f530
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 4 deletions.
diff --git a/console/src/main/resources/application.properties b/console/src/main/resources/application.properties
@@ -145,6 +145,7 @@ nacos.core.auth.plugin.nacos.token.secret.key=SecretKey0123456789012345678901234
 #nacos.core.auth.ldap.userDn=cn=admin,${nacos.core.auth.ldap.basedc}
 #nacos.core.auth.ldap.password=admin
 #nacos.core.auth.ldap.userdn=cn={0},dc=example,dc=org
+#nacos.core.auth.ldap.filter.prefix=uid
 
 
 #*************** Istio Related Configurations ***************#

diff --git a/distribution/conf/application.properties b/distribution/conf/application.properties
@@ -171,6 +171,7 @@ nacos.core.auth.plugin.nacos.token.secret.key=SecretKey0123456789012345678901234
 #nacos.core.auth.ldap.userDn=cn=admin,${nacos.core.auth.ldap.basedc}
 #nacos.core.auth.ldap.password=admin
 #nacos.core.auth.ldap.userdn=cn={0},dc=example,dc=org
+#nacos.core.auth.ldap.filter.prefix=uid
 
 
 #*************** Istio Related Configurations ***************#

diff --git a/distribution/conf/application.properties.example b/distribution/conf/application.properties.example
@@ -155,6 +155,7 @@ nacos.core.auth.enabled=false
 #nacos.core.auth.ldap.userDn=cn=admin,${nacos.core.auth.ldap.basedc}
 #nacos.core.auth.ldap.password=admin
 #nacos.core.auth.ldap.userdn=cn={0},dc=example,dc=org
+#nacos.core.auth.ldap.filter.prefix=uid
 
 
 ### The token expiration in seconds:

diff --git a/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthConfig.java b/plugin-default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthConfig.java
@@ -55,6 +55,9 @@ public class LdapAuthConfig {
     @Value(("${" + AuthConstants.NACOS_CORE_AUTH_LDAP_PASSWORD + ":password}"))
     private String password;
 
+    @Value(("${" + AuthConstants.NACOS_CORE_AUTH_LDAP_FILTER_PREFIX + ":uid}"))
+    private String filterPrefix;
+
     @Bean
     @Conditional(ConditionOnLdapAuth.class)
     public LdapTemplate ldapTemplate() {
@@ -76,8 +79,8 @@ public LdapTemplate ldapTemplate() {
     @Bean
     @Conditional(ConditionOnLdapAuth.class)
     public LdapAuthenticationProvider ldapAuthenticationProvider(LdapTemplate ldapTemplate,
-            NacosUserDetailsServiceImpl userDetailsService, NacosRoleServiceImpl nacosRoleService) {
-        return new LdapAuthenticationProvider(ldapTemplate, userDetailsService, nacosRoleService);
+            NacosUserDetailsServiceImpl userDetailsService, NacosRoleServiceImpl nacosRoleService, String filterPrefix) {
+        return new LdapAuthenticationProvider(ldapTemplate, userDetailsService, nacosRoleService, filterPrefix);
     }
 
 }
diff --git a/...ult-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthenticationProvider.java b/...ult-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthenticationProvider.java
@@ -52,11 +52,14 @@ public class LdapAuthenticationProvider implements AuthenticationProvider {
 
     private final LdapTemplate ldapTemplate;
 
+    private final String filterPrefix;
+
     public LdapAuthenticationProvider(LdapTemplate ldapTemplate, NacosUserDetailsServiceImpl userDetailsService,
-            NacosRoleServiceImpl nacosRoleService) {
+            NacosRoleServiceImpl nacosRoleService, String filterPrefix) {
         this.ldapTemplate = ldapTemplate;
         this.nacosRoleService = nacosRoleService;
         this.userDetailsService = userDetailsService;
+        this.filterPrefix = filterPrefix;
     }
 
     @Override
@@ -110,7 +113,7 @@ private boolean isAdmin(String username) {
     }
 
     private boolean ldapLogin(String username, String password) throws AuthenticationException {
-        return ldapTemplate.authenticate("", "(uid=" + username + ")", password);
+        return ldapTemplate.authenticate("", "(" + filterPrefix + "=" + username + ")", password);
     }
 
     @Override

diff --git a/...default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/constant/AuthConstants.java b/...default-impl/src/main/java/com/alibaba/nacos/plugin/auth/impl/constant/AuthConstants.java
@@ -60,4 +60,6 @@ public class AuthConstants {
     public static final String NACOS_CORE_AUTH_LDAP_USERDN = "nacos.core.auth.ldap.userDn";
 
     public static final String NACOS_CORE_AUTH_LDAP_PASSWORD = "nacos.core.auth.ldap.password";
+
+    public static final String NACOS_CORE_AUTH_LDAP_FILTER_PREFIX = "nacos.core.auth.ldap.filter.prefix";
 }
diff --git a/...impl/src/test/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthenticationProviderTest.java b/...impl/src/test/java/com/alibaba/nacos/plugin/auth/impl/LdapAuthenticationProviderTest.java
@@ -0,0 +1,137 @@
+/*
+ * Copyright 1999-2021 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.plugin.auth.impl;
+
+import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
+import com.alibaba.nacos.plugin.auth.impl.persistence.RoleInfo;
+import com.alibaba.nacos.plugin.auth.impl.roles.NacosRoleServiceImpl;
+import com.alibaba.nacos.plugin.auth.impl.users.NacosUserDetailsServiceImpl;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.invocation.InvocationOnMock;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.mockito.stubbing.Answer;
+import org.springframework.ldap.core.LdapTemplate;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.mockito.Mockito.when;
+
+@RunWith(MockitoJUnitRunner.class)
+public class LdapAuthenticationProviderTest {
+
+    @Mock
+    private NacosUserDetailsServiceImpl userDetailsService;
+
+    @Mock
+    private NacosRoleServiceImpl nacosRoleService;
+
+    @Mock
+    private LdapTemplate ldapTemplate;
+
+    private LdapAuthenticationProvider ldapAuthenticationProvider;
+
+    private List<RoleInfo> roleInfos = new ArrayList<>();
+
+    private final String adminUserName = "nacos";
+
+    private final String normalUserName = "normal";
+
+    private final String filterPrefix = "uid";
+
+    Method isAdmin;
+
+    Method ldapLogin;
+
+    private String defaultPassWord = "nacos";
+
+    @Before
+    public void setUp() throws NoSuchMethodException {
+        RoleInfo adminRole = new RoleInfo();
+        adminRole.setRole(AuthConstants.GLOBAL_ADMIN_ROLE);
+        adminRole.setUsername(adminUserName);
+        roleInfos.add(adminRole);
+        when(nacosRoleService.getRoles(adminUserName)).thenReturn(roleInfos);
+        when(nacosRoleService.getRoles(normalUserName)).thenReturn(new ArrayList<>());
+        when(ldapTemplate.authenticate("", "(" + filterPrefix + "=" + adminUserName + ")", defaultPassWord)).thenAnswer(
+                new Answer<Boolean>() {
+                    @Override
+                    public Boolean answer(InvocationOnMock invocation) throws Throwable {
+                        Object[] args = invocation.getArguments();
+                        String b = (String) args[1];
+                        String c = (String) args[2];
+                        if (defaultPassWord.equals(c)) {
+                            return true;
+                        }
+                        return false;
+                    }
+                });
+        this.ldapAuthenticationProvider = new LdapAuthenticationProvider(ldapTemplate, userDetailsService,
+                nacosRoleService, filterPrefix);
+        isAdmin = LdapAuthenticationProvider.class.getDeclaredMethod("isAdmin", String.class);
+        isAdmin.setAccessible(true);
+        ldapLogin = LdapAuthenticationProvider.class.getDeclaredMethod("ldapLogin", String.class, String.class);
+        ldapLogin.setAccessible(true);
+    }
+
+    @Test
+    public void testIsAdmin() {
+        try {
+            Boolean result = (Boolean) isAdmin.invoke(ldapAuthenticationProvider, adminUserName);
+            Assert.assertTrue(result);
+        } catch (IllegalAccessException e) {
+            Assert.fail();
+        } catch (InvocationTargetException e) {
+            Assert.fail();
+        }
+        try {
+            Boolean result = (Boolean) isAdmin.invoke(ldapAuthenticationProvider, normalUserName);
+            Assert.assertTrue(!result);
+        } catch (IllegalAccessException e) {
+            Assert.fail();
+        } catch (InvocationTargetException e) {
+            Assert.fail();
+        }
+
+    }
+
+    @Test
+    public void testldapLogin() {
+        try {
+            Boolean result = (Boolean) ldapLogin.invoke(ldapAuthenticationProvider, adminUserName, defaultPassWord);
+            Assert.assertTrue(result);
+        } catch (IllegalAccessException e) {
+            Assert.fail();
+        } catch (InvocationTargetException e) {
+            Assert.fail();
+        }
+        try {
+            Boolean result = (Boolean) ldapLogin.invoke(ldapAuthenticationProvider, adminUserName, "123");
+            Assert.assertTrue(!result);
+        } catch (IllegalAccessException e) {
+            Assert.fail();
+        } catch (InvocationTargetException e) {
+            Assert.fail();
+        }
+    }
+}