Added TLS/startTLS support to LDAP authentication

SpagoBILdapSecurityProvider/src/main/java/it/eng/spagobi/security/LDAPConnector.java

@@ -19,7 +19,14 @@
 import com.novell.ldap.LDAPConnection;
 import com.novell.ldap.LDAPEntry;
 import com.novell.ldap.LDAPException;
+import com.novell.ldap.LDAPJSSESecureSocketFactory;
+import com.novell.ldap.LDAPJSSEStartTLSFactory;
 import com.novell.ldap.LDAPSearchResults;
+import com.novell.ldap.LDAPSocketFactory;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 
 public class LDAPConnector {
 
@@ -32,6 +39,10 @@ public class LDAPConnector {
     final public static String ADMIN_PSW = "ADMIN_PSW"; // password
     final public static String BASE_DN = "BASE_DN";
 
+    //TLS/startTLS
+    final public static String STARTTLS = "STARTTLS";
+    final public static String TRUSTSTORE_PATH = "TRUSTSTORE_PATH";
+
     // user
     final public static String USER_SEARCH_PATH = "USER_SEARCH_PATH"; // base search path
     final public static String USER_OBJECT_CLASS = "USER_OBJECT_CLASS";
@@ -55,6 +66,9 @@ public class LDAPConnector {
     private String adminUsername;
     private String adminPassword;
     private String baseDN;
+
+    private boolean startTLS;
+    private String trustStore;
 
     private String userSearchPath;
     private String userObjectClass;
@@ -78,7 +92,11 @@ public LDAPConnector(Map<String, Object> configuration) {
 		this.adminPassword = (String) configuration.get(ADMIN_PSW);
 		this.baseDN = (String) configuration.get(BASE_DN);
 
-		// user
+                // tls properties
+                this.startTLS = Boolean.parseBoolean((String) configuration.get(STARTTLS));
+                this.trustStore = (String) configuration.get(TRUSTSTORE_PATH);
+
+                // user
 		this.userSearchPath = (String) configuration.get(USER_SEARCH_PATH);
 		this.userObjectClass = (String) configuration.get(USER_OBJECT_CLASS);
 		this.userMemberOfAttributeName = (String) configuration.get(USER_MEMBEROF_ATTRIBUTE_NAME);
@@ -103,7 +121,24 @@ protected LDAPConnection connectToLDAP() {
     	connection = null;
     	try {
     		logger.debug("Connecting to LDAP at url [" + host + ": " + port + "] ...");
-    		connection = new LDAPConnection();
+                    if (this.trustStore != null) {
+                        FileInputStream truststoreFile = new FileInputStream(this.trustStore);
+                        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+                        keyStore.load(truststoreFile,null);
+                        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                        trustManagerFactory.init(keyStore);
+                        SSLContext sslContext = SSLContext.getInstance("TLS");
+                        sslContext.init(null, trustManagerFactory.getTrustManagers(), new java.security.SecureRandom());
+                        LDAPSocketFactory socketFactory = null;
+                        if (this.startTLS) {
+                            socketFactory = new LDAPJSSEStartTLSFactory(sslContext.getSocketFactory());
+                        } else {
+                            socketFactory = new LDAPJSSESecureSocketFactory(sslContext.getSocketFactory());
+                        }
+                        connection = new LDAPConnection(socketFactory);
+                    } else {
+                        connection = new LDAPConnection();
+                    }
 		    connection.connect(host, port);
 		    if(connection.isConnected() == false) {
 		    	throw new RuntimeException("Impossible to open the connection to LDAP at url [" + host + ": " + port + "]");

SpagoBILdapSecurityProvider/src/test/java/it/eng/spagobi/security/LDAPConnectorTest.java

@@ -10,8 +10,11 @@
 import java.util.Map;
 
 import com.novell.ldap.LDAPConnection;
+import static it.eng.spagobi.commons.constants.SpagoBIConstants.URL;
 
 import it.eng.spagobi.security.LDAPConnector;
+import java.net.URL;
+import java.nio.file.Paths;
 import junit.framework.TestCase;
 
 public class LDAPConnectorTest extends TestCase {
@@ -55,6 +58,55 @@ protected void setUp() throws Exception {
 		ldapConnector=new LDAPConnector(configurationProperties);	
 	}
 
+    /*
+         This test will require the ldap server to be listening for TLS connections
+        on port 10686. The file 'trustore' is the tuststore which must contain
+        the signing ca public key of the ldap servers cert or the ldap servers
+        cert for a self signed key
+     */
+        public void testTLSConnectToLDAP() {
+            try {
+                URL truststoreUrl = this.getClass().getClassLoader().getResource("truststore");
+                String path = Paths.get(truststoreUrl.toURI()).toFile().getAbsolutePath();
+                configurationProperties.put(LDAPConnector.TRUSTSTORE_PATH, path);
+                configurationProperties.put(LDAPConnector.PORT, "10636");
+                ldapConnector = new LDAPConnector(configurationProperties);
+                LDAPConnection ldapConnection = ldapConnector.connectToLDAP();
+                assertNotNull("Connection cannot be null", ldapConnection);
+                assertTrue("Connection mus be opened", ldapConnection.isConnected());
+                assertTrue("Connection must be alive", ldapConnection.isConnectionAlive());
+                assertFalse("Connection must be unbound", ldapConnection.isBound());
+            } catch (Throwable t) {
+                fail("An unexpected exception occured: " + t.getMessage());
+            } finally {
+                configurationProperties.put(LDAPConnector.TRUSTSTORE_PATH, null);
+            }
+        }
+
+        /*
+           This test requires startTLS to be enabled on port 10389 of the LDAP server.
+           The file 'trustore' is the tuststore which must contain
+           the signing ca public key of the ldap servers cert or the ldap servers
+            cert for a self signed key
+        */
+        public void testStartTLSConnectToLDAP() {
+            try {
+                URL truststoreUrl = this.getClass().getClassLoader().getResource("truststore");
+                String path = Paths.get(truststoreUrl.toURI()).toFile().getAbsolutePath();
+                configurationProperties.put(LDAPConnector.TRUSTSTORE_PATH, path);
+                configurationProperties.put(LDAPConnector.PORT, "10389");
+                configurationProperties.put(LDAPConnector.STARTTLS, "true");
+                ldapConnector = new LDAPConnector(configurationProperties);
+                LDAPConnection ldapConnection = ldapConnector.connectToLDAP();
+                assertNotNull("Connection cannot be null", ldapConnection);
+                assertTrue("Connection mus be opened", ldapConnection.isConnected());
+                assertTrue("Connection must be alive", ldapConnection.isConnectionAlive());
+                assertFalse("Connection must be unbound", ldapConnection.isBound());
+                assertTrue("Connection must be secure", ldapConnection.isTLS());
+            } catch (Throwable t) {
+                fail("An unexpected exception occured: " + t.getMessage());
+            }
+        }
 
 	public void testConnectToLDAP() {
 		try {

SpagoBIProject/src/main/webapp/WEB-INF/conf/webapp/ldap_authorizations.xml

@@ -8,7 +8,14 @@
 		<ADMIN_USER>uid=admin,ou=system</ADMIN_USER>
 		<ADMIN_PSW>secret</ADMIN_PSW> <!-- password in clear text -->
 		<BASE_DN></BASE_DN> <!-- base domain, if any -->
-
+
+
+                <!-- TLS/startTLS -->
+                <!--
+                <STARTTLS>false</STARTTLS>
+                <TRUSTSTORE_PATH>truststore</TRUSTSTORE_PATH>
+                -->
+
 		<!-- USERS -->
 		<USER_SEARCH_PATH>ou=users,ou=system</USER_SEARCH_PATH> <!-- SpagoBI will look for users under this node -->
 		<USER_OBJECT_CLASS>person</USER_OBJECT_CLASS> <!-- class for users' objects -->