chore(ldap): add property to throw authentication exceptions in pw check

Related to camunda#3474

distro/run/core/src/main/java/org/camunda/bpm/run/property/CamundaBpmRunLdapProperties.java

@@ -60,6 +60,7 @@ public String toString() {
         ", useSsl=" + useSsl +
         ", usePosixGroups=" + usePosixGroups +
         ", allowAnonymousLogin=" + allowAnonymousLogin +
-        ", authorizationCheckEnabled=" + authorizationCheckEnabled + "]";
+        ", authorizationCheckEnabled=" + authorizationCheckEnabled +
+        ", passwordCheckCatchAuthenticationException=" + passwordCheckCatchAuthenticationException + "]";
   }
 }

distro/run/core/src/test/java/org/camunda/bpm/run/test/config/identity/LdapConfigurationTest.java

@@ -32,7 +32,7 @@
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
 @RunWith(SpringRunner.class)
 @SpringBootTest(classes = { CamundaBpmRun.class })
-@ActiveProfiles(profiles = { "test-auth-disabled" , "test-ldap-enabled" })
+@ActiveProfiles(profiles = { "test-auth-disabled" , "test-ldap-enabled", "test-ldap-auth-exception" })
 public class LdapConfigurationTest {
 
   @Autowired
@@ -68,6 +68,7 @@ public void shouldPickUpConfiguration() {
     assertThat(props.isAcceptUntrustedCertificates()).isEqualTo(plugin.isAcceptUntrustedCertificates());
     assertThat(props.getInitialContextFactory()).isEqualTo(plugin.getInitialContextFactory());
     assertThat(props.getSecurityAuthentication()).isEqualTo(plugin.getSecurityAuthentication());
+    assertThat(props.isPasswordCheckCatchAuthenticationException()).isEqualTo(plugin.isPasswordCheckCatchAuthenticationException());
   }
 
   @Test

distro/run/core/src/test/resources/application-test-ldap-auth-exception.yml

@@ -0,0 +1,2 @@
+camunda.bpm.run.ldap:
+  password-check-catch-authentication-exception: false

engine-plugins/identity-ldap/src/main/java/org/camunda/bpm/identity/impl/ldap/LdapConfiguration.java

@@ -19,7 +19,6 @@
 
 import java.util.HashMap;
 import java.util.Map;
-
 import javax.naming.directory.SearchControls;
 
 
@@ -73,6 +72,8 @@ public class LdapConfiguration {
 
   protected Integer pageSize = null; // null => disabled
 
+  protected boolean passwordCheckCatchAuthenticationException = true;
+
   // getters / setters //////////////////////////////////////
 
   public String getInitialContextFactory() {
@@ -298,4 +299,12 @@ public void setPageSize(Integer pageSize) {
     this.pageSize = pageSize;
   }
 
+  public boolean isPasswordCheckCatchAuthenticationException() {
+    return passwordCheckCatchAuthenticationException;
+  }
+
+  public void setPasswordCheckCatchAuthenticationException(boolean passwordCheckCatchAuthenticationException) {
+    this.passwordCheckCatchAuthenticationException = passwordCheckCatchAuthenticationException;
+  }
+
 }

engine-plugins/identity-ldap/src/main/java/org/camunda/bpm/identity/impl/ldap/LdapIdentityProviderSession.java

@@ -26,13 +26,10 @@
 
 import java.io.IOException;
 import java.io.StringWriter;
-import java.io.IOException;
-
 import java.util.ArrayList;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
-
 import javax.naming.AuthenticationException;
 import javax.naming.Context;
 import javax.naming.NamingEnumeration;
@@ -43,12 +40,10 @@
 import javax.naming.ldap.Control;
 import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
-import javax.naming.ldap.SortControl;
-import javax.naming.ldap.SortKey;
 import javax.naming.ldap.PagedResultsControl;
 import javax.naming.ldap.PagedResultsResponseControl;
-
-
+import javax.naming.ldap.SortControl;
+import javax.naming.ldap.SortKey;
 import org.camunda.bpm.engine.BadUserRequestException;
 import org.camunda.bpm.engine.authorization.Permission;
 import org.camunda.bpm.engine.authorization.Resource;
@@ -60,16 +55,16 @@
 import org.camunda.bpm.engine.identity.User;
 import org.camunda.bpm.engine.identity.UserQuery;
 import org.camunda.bpm.engine.impl.AbstractQuery;
+import org.camunda.bpm.engine.impl.Direction;
+import org.camunda.bpm.engine.impl.GroupQueryProperty;
 import org.camunda.bpm.engine.impl.QueryOrderingProperty;
 import org.camunda.bpm.engine.impl.UserQueryImpl;
 import org.camunda.bpm.engine.impl.UserQueryProperty;
-import org.camunda.bpm.engine.impl.GroupQueryProperty;
 import org.camunda.bpm.engine.impl.identity.IdentityProviderException;
 import org.camunda.bpm.engine.impl.identity.ReadOnlyIdentityProvider;
 import org.camunda.bpm.engine.impl.interceptor.CommandContext;
 import org.camunda.bpm.engine.impl.persistence.entity.GroupEntity;
 import org.camunda.bpm.engine.impl.persistence.entity.UserEntity;
-import org.camunda.bpm.engine.impl.Direction;
 import org.camunda.bpm.identity.impl.ldap.util.LdapPluginLogger;
 
 /**
@@ -428,7 +423,11 @@ public boolean checkPassword(String userId, String password) {
         return true;
 
       } catch (LdapAuthenticationException e) {
-        return false;
+        if(ldapConfiguration.isPasswordCheckCatchAuthenticationException()) {
+          return false;
+        } else {
+          throw e;
+        }
 
       } finally {
         closeLdapCtx(context);

engine-plugins/identity-ldap/src/test/java/org/camunda/bpm/identity/impl/ldap/LdapLoginCatchAuthenticationExceptionTest.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.camunda.bpm.identity.impl.ldap;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import org.camunda.bpm.engine.IdentityService;
+import org.camunda.bpm.engine.test.ProcessEngineRule;
+import org.camunda.bpm.identity.ldap.util.LdapTestEnvironmentRule;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+
+public class LdapLoginCatchAuthenticationExceptionTest {
+
+  @ClassRule
+  public static LdapTestEnvironmentRule ldapRule = new LdapTestEnvironmentRule();
+
+  @Rule
+  public ProcessEngineRule engineRule = new ProcessEngineRule("camunda.ldap.disable.catch.authentication.exception.cfg.xml");
+
+  IdentityService identityService;
+
+  @Before
+  public void setup() {
+    identityService = engineRule.getIdentityService();
+  }
+
+  @Test
+  public void shouldThrowExceptionOnFailedLogin() {
+    // given config passwordCheckCatchAuthenticationException=false
+
+    // when
+    assertThatThrownBy(() -> identityService.checkPassword("roman", "wrongPW"))
+      .isInstanceOf(LdapAuthenticationException.class)
+      .hasMessage("Could not authenticate with LDAP server");
+  }
+}

engine-plugins/identity-ldap/src/test/resources/camunda.ldap.disable.catch.authentication.exception.cfg.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans xmlns="http://www.springframework.org/schema/beans" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans   http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+  <bean id="processEngineConfiguration" class="org.camunda.bpm.engine.impl.cfg.StandaloneInMemProcessEngineConfiguration">
+
+    <property name="processEngineName" value="LdapLoginCatchAuthenticationExceptionTest-engine" />
+
+    <property name="jdbcUrl" value="jdbc:h2:mem:LdapLoginCatchAuthenticationExceptionTest;DB_CLOSE_DELAY=1000" />
+    <property name="jdbcDriver" value="org.h2.Driver" />
+    <property name="jdbcUsername" value="sa" />
+    <property name="jdbcPassword" value="" />
+
+    <!-- Database configurations -->
+    <property name="history" value="audit" />
+    <property name="databaseSchemaUpdate" value="create-drop" />
+
+    <!-- job executor configurations -->
+    <property name="jobExecutorActivate" value="false" />
+
+    <property name="createDiagramOnDeploy" value="true" />
+
+    <property name="processEnginePlugins">
+      <list>
+        <ref bean="ldapIdentityProviderPlugin" />
+      </list>
+    </property>
+
+  </bean>
+
+  <bean id="ldapIdentityProviderPlugin" class="org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin">
+
+    <property name="serverUrl" value="ldap://localhost:${ldap.server.port}/" />
+    <property name="managerDn" value="uid=daniel,ou=office-berlin,o=camunda,c=org" />
+    <property name="managerPassword" value="daniel" />
+    <property name="baseDn" value="o=camunda,c=org" />
+
+    <property name="userSearchBase" value="" />
+    <property name="userSearchFilter" value="(objectclass=person)" />
+    <property name="userIdAttribute" value="uid" />
+    <property name="userFirstnameAttribute" value="cn" />
+    <property name="userLastnameAttribute" value="sn" />
+    <property name="userEmailAttribute" value="mail" />
+    <property name="userPasswordAttribute" value="userpassword" />
+
+    <property name="groupSearchBase" value="" />
+    <property name="groupSearchFilter" value="(objectclass=groupOfNames)" />
+    <property name="groupIdAttribute" value="ou" />
+    <property name="groupNameAttribute" value="cn" />
+    <property name="groupMemberAttribute" value="member" />
+
+    <property name="passwordCheckCatchAuthenticationException" value="false" />
+
+  </bean>
+
+</beans>