Expand tests and fix escaping issue in userRoleAttribute filter · apache/tomcat@e500674 · GitHub
Skip to content

Commit

Permalink
Expand tests and fix escaping issue in userRoleAttribute filter
Browse files Browse the repository at this point in the history
  • Loading branch information
markt-asf committed Apr 13, 2021
1 parent 91ecdc6 commit e500674
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 5 deletions.
6 changes: 4 additions & 2 deletions java/org/apache/catalina/realm/JNDIRealm.java
Original file line number Diff line number Diff line change
Expand Up @@ -1883,11 +1883,13 @@ protected List<String> getRoles(JNDIConnection connection, User user) throws Nam
return list;
}

// Set up parameters for an appropriate search
// Set up parameters for an appropriate search filter
// The dn is already attribute value escaped but the others are not
// This is a filter so all input will require filter escaping
String filter = connection.roleFormat.format(new String[] {
doFilterEscaping(dn),
doFilterEscaping(doAttributeValueEscaping(username)),
userRoleId });
doFilterEscaping(doAttributeValueEscaping(userRoleId)) });
SearchControls controls = new SearchControls();
if (roleSubtree) {
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
Expand Down
8 changes: 5 additions & 3 deletions test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
Original file line number Diff line number Diff line change
Expand Up @@ -48,13 +48,14 @@ public class TestJNDIRealmIntegration {
private static final String USER_BASE = "ou=people,dc=example,dc=com";
private static final String ROLE_SEARCH_A = "member={0}";
private static final String ROLE_SEARCH_B = "member=cn={1},ou=people,dc=example,dc=com";
private static final String ROLE_SEARCH_C = "member=cn={2},ou=people,dc=example,dc=com";

private static InMemoryDirectoryServer ldapServer;

@Parameterized.Parameters(name = "{index}: user[{3}], pwd[{4}]")
public static Collection<Object[]> parameters() {
List<Object[]> parameterSets = new ArrayList<>();
for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B }) {
for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, ROLE_SEARCH_C }) {
addUsers(USER_PATTERN, null, null, roleSearch, parameterSets);
addUsers(null, USER_SEARCH, USER_BASE, roleSearch, parameterSets);
}
Expand Down Expand Up @@ -128,6 +129,7 @@ public static void createLDAP() throws Exception {

try (LDAPConnection conn = ldapServer.getConnection()) {

// Note: Only the DNs need attribute value escaping
AddRequest addBase = new AddRequest(
"dn: dc=example,dc=com",
"objectClass: top",
Expand Down Expand Up @@ -159,7 +161,7 @@ public static void createLDAP() throws Exception {
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"cn: t\\;",
"cn: t;",
"sn: Tsemicolon",
"userPassword: test");
result = conn.processOperation(addUserTestSemicolon);
Expand All @@ -170,7 +172,7 @@ public static void createLDAP() throws Exception {
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"cn: t\\*",
"cn: t*",
"sn: Tasterisk",
"userPassword: test");
result = conn.processOperation(addUserTestAsterisk);
Expand Down

0 comments on commit e500674

Please sign in to comment.