Add support for multiple ldap connections (#315)

* Add support for multiple ldap connections
* Old ldap properties removed, no backwards compatibility

Author: Christoffer-Cortes

pom.xml

@@ -345,6 +345,13 @@
             <version>5.4.1</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.zapodot</groupId>
+            <artifactId>embedded-ldap-junit</artifactId>
+            <version>0.7</version>
+            <scope>test</scope>
+        </dependency>
+
         <!-- Cucumber -->
         <dependency>
             <groupId>io.cucumber</groupId>

src/functionaltests/java/com/ericsson/ei/subscriptions/authentication/AuthenticationSteps.java

@@ -1,3 +1,16 @@
+/*
+   Copyright 2019 Ericsson AB.
+   For a full list of individual contributors, please see the commit history.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
 package com.ericsson.ei.subscriptions.authentication;
 
 import static org.junit.Assert.assertEquals;
@@ -11,15 +24,13 @@
 import org.springframework.boot.web.server.LocalServerPort;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 
 import com.ericsson.ei.controller.model.GetSubscriptionResponse;
 import com.ericsson.ei.utils.FunctionalTestBase;
 import com.ericsson.ei.utils.HttpExecutor;
 import com.ericsson.ei.utils.HttpRequest;
 import com.ericsson.ei.utils.HttpRequest.HttpMethod;
-import com.ericsson.ei.utils.TestLDAPInitializer;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 import cucumber.api.java.Before;
@@ -33,12 +44,7 @@
         "missedNotificationDataBaseName: AuthenticationSteps-missedNotifications",
         "rabbitmq.exchange.name: AuthenticationSteps-exchange",
         "rabbitmq.consumerName: AuthenticationStepsConsumer",
-        "ldap.enabled: true",
-        "ldap.url: ldap://ldap.forumsys.com:389/dc=example,dc=com",
-        "ldap.base.dn: dc=example,dc=com",
-        "ldap.username : cn=read-only-admin,dc=example,dc=com",
-        "ldap.user.filter: uid={0}" })
-@ContextConfiguration(initializers = TestLDAPInitializer.class)
+        "ldap.enabled: true" })
 public class AuthenticationSteps extends FunctionalTestBase {
 
     private static final String SUBSCRIPTION = "src/functionaltests/resources/subscription_single.json";

src/functionaltests/java/com/ericsson/ei/subscriptions/authentication/TestAuthenticationRunner.java

@@ -1,13 +1,50 @@
+/*
+   Copyright 2019 Ericsson AB.
+   For a full list of individual contributors, please see the commit history.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
 package com.ericsson.ei.subscriptions.authentication;
 
+import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+
+import com.ericsson.ei.utils.TestLDAPStarter;
+
 import cucumber.api.CucumberOptions;
 import cucumber.api.junit.Cucumber;
-import org.junit.runner.RunWith;
 
 @RunWith(Cucumber.class)
-@CucumberOptions(features = "src/functionaltests/resources/features/authentication.feature", glue = {
-        "com.ericsson.ei.subscriptions.authentication" }, plugin = { "pretty",
-                "html:target/cucumber-reports/TestAuthenticationRunner" })
-public class TestAuthenticationRunner {
+@CucumberOptions(features = { "src/functionaltests/resources/features/authentication.feature",
+        "src/functionaltests/resources/features/authenticationMultiLDAP.feature" }, glue = {
+                "com.ericsson.ei.subscriptions.authentication" }, plugin = { "pretty",
+                        "html:target/cucumber-reports/TestAuthenticationRunner" })
+public class TestAuthenticationRunner extends TestLDAPStarter {
 
+    @BeforeClass
+    public static void configureLdapProperties() {
+        int ldapPort1 = TestLDAPStarter.embeddedLdapRule1.embeddedServerPort();
+        int ldapPort2 = TestLDAPStarter.embeddedLdapRule2.embeddedServerPort();
+        System.setProperty("ldap.server.list", "[{" +
+                "\"url\":\"ldap://localhost:" + ldapPort1 + "/dc=example,dc=com\"," +
+                "\"base.dn\":\"\"," +
+                "\"username\":\"\"," +
+                "\"password\":\"\"," +
+                "\"user.filter\":\"uid={0}\"" +
+                "}," +
+                "{" +
+                "\"url\":\"ldap://localhost:" + ldapPort2 + "/dc=example,dc=com\"," +
+                "\"base.dn\":\"\"," +
+                "\"username\":\"\"," +
+                "\"password\":\"\"," +
+                "\"user.filter\":\"uid={0}\"" +
+                "}]");
+    }
 }

src/functionaltests/java/com/ericsson/ei/utils/TestLDAPInitializer.java

@@ -0,0 +1,28 @@
+/*
+   Copyright 2019 Ericsson AB.
+   For a full list of individual contributors, please see the commit history.
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package com.ericsson.ei.utils;
+
+import org.junit.ClassRule;
+import org.zapodot.junit.ldap.EmbeddedLdapRule;
+import org.zapodot.junit.ldap.EmbeddedLdapRuleBuilder;
+
+public class TestLDAPStarter {
+    private static final String DOMAIN_DSN = "dc=example,dc=com";
+    @ClassRule
+    public static EmbeddedLdapRule embeddedLdapRule1 = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
+    .importingLdifs("ldap-users-first.ldif").build();
+    @ClassRule
+    public static EmbeddedLdapRule embeddedLdapRule2 = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
+    .importingLdifs("ldap-users-second.ldif").build();
+}

src/functionaltests/java/com/ericsson/ei/utils/TestLDAPStarter.java

@@ -37,7 +37,7 @@ Feature: Test Authentication
   @RESTWithTokenId
   Scenario: Call an REST API with session credentials
     Given LDAP is activated
-    When a GET request is prepared for REST API "/auth/logout"  
+    When a GET request is prepared for REST API "/auth/logout"
     And request is sent
     When a GET request is prepared for REST API "/auth/login"
     And request is sent

src/functionaltests/resources/features/authentication.feature

@@ -0,0 +1,32 @@
+# Author: christoffer.cortes.sjowall@ericsson.com
+
+@AuthenticationMultiLDAP
+Feature: Test Authentication with multiple LDAP servers
+
+  @RESTWithUniqueUsersInDifferentLDAPServers
+  Scenario: Login using unique users from two different LDAP servers
+    Given LDAP is activated
+    When a GET request is prepared for REST API "/auth/login"
+    And username "gauss" and password "password" is used as credentials
+    And request is sent
+    Then response code 200 is received
+    When a GET request is prepared for REST API "/auth/logout"
+    And request is sent
+    When a GET request is prepared for REST API "/auth/login"
+    And username "einstein" and password "e=mc2" is used as credentials
+    And request is sent
+    Then response code 200 is received
+
+  @RESTWithIdenticalUsernamesInDifferentLDAPServers
+  Scenario: Login using identical usernames with different passwords from two different LDAP servers
+    Given LDAP is activated
+    When a GET request is prepared for REST API "/auth/login"
+    And username "newton" and password "password" is used as credentials
+    And request is sent
+    Then response code 200 is received
+    When a GET request is prepared for REST API "/auth/logout"
+    And request is sent
+    When a GET request is prepared for REST API "/auth/login"
+    And username "newton" and password "password2" is used as credentials
+    And request is sent
+    Then response code 200 is received

src/functionaltests/resources/features/authenticationMultiLDAP.feature

@@ -0,0 +1,24 @@
+dn: dc=example,dc=com
+objectClass: domain
+objectClass: top
+dc: example
+ 
+dn: uid=gausss,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: gauss
+sn: 1
+uid: gauss
+userPassword: password
+ 
+dn: uid=newton,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: newton
+sn: 2
+uid: newton
+userPassword: password

src/functionaltests/resources/ldap-users-first.ldif

@@ -0,0 +1,24 @@
+dn: dc=example,dc=com
+objectClass: domain
+objectClass: top
+dc: example
+
+dn: uid=einstein,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: einstein
+sn: 1
+uid: einstein
+userPassword: e=mc2
+
+dn: uid=newton,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: newton
+sn: 2
+uid: newton
+userPassword: password2

src/functionaltests/resources/ldap-users-second.ldif

@@ -19,6 +19,8 @@
 
 import org.apache.tomcat.util.codec.binary.Base64;
 import org.apache.tomcat.util.codec.binary.StringUtils;
+import org.json.JSONArray;
+import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
@@ -39,20 +41,8 @@ public class EndpointSecurity extends WebSecurityConfigurerAdapter {
     @Value("${ldap.enabled:false}")
     private boolean ldapEnabled;
 
-    @Value("${ldap.url}")
-    private String ldapUrl;
-
-    @Value("${ldap.base.dn}")
-    private String ldapBaseDn;
-
-    @Value("${ldap.username}")
-    private String ldapUsername;
-
-    @Value("${ldap.password}")
-    private String ldapPassword;
-
-    @Value("${ldap.user.filter}")
-    private String ldapUserFilter;
+    @Value("${ldap.server.list:}")
+    private String ldapServerList;
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
@@ -84,20 +74,28 @@ protected void configure(HttpSecurity http) throws Exception {
 
     @Override
     public void configure(AuthenticationManagerBuilder auth) throws Exception {
-        if(ldapEnabled) {
-            auth
-            .eraseCredentials(false)
-            .ldapAuthentication()
-                .userSearchFilter(ldapUserFilter)
-                .contextSource()
-                    .url(ldapUrl)
-                    .root(ldapBaseDn)
-                    .managerDn(ldapUsername)
-                    .managerPassword(decodeBase64(ldapPassword));
+        if (ldapEnabled && !ldapServerList.isEmpty()) {
+            JSONArray serverList = new JSONArray(ldapServerList);
+            addLDAPServersFromList(serverList, auth);
         }
     }
 
     private String decodeBase64(String password) {
         return StringUtils.newStringUtf8(Base64.decodeBase64(password));
     }
+
+    private void addLDAPServersFromList(JSONArray serverList, AuthenticationManagerBuilder auth) throws Exception {
+        for (int i = 0; i < serverList.length(); i++) {
+            JSONObject server = (JSONObject) serverList.get(i);
+            auth
+            .eraseCredentials(false)
+            .ldapAuthentication()
+                .userSearchFilter(server.getString("user.filter"))
+                .contextSource()
+                    .url(server.getString("url"))
+                    .root(server.getString("base.dn"))
+                    .managerDn(server.getString("username"))
+                    .managerPassword(decodeBase64(server.getString("password")));
+        }
+    }
 }