/*
* Copyright 2016 Florian Zschocke
* Copyright 2016 gitblit.com
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.gitblit.tests;
import static org.junit.Assume.assumeTrue;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.sshd.common.util.SecurityUtils;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import com.gitblit.Keys;
import com.gitblit.Constants.AccessPermission;
import com.gitblit.transport.ssh.LdapKeyManager;
import com.gitblit.transport.ssh.SshKey;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
/**
* Test LdapPublicKeyManager going against an in-memory UnboundID
* LDAP server.
*
* @author Florian Zschocke
*
*/
@RunWith(Parameterized.class)
public class LdapPublicKeyManagerTest extends LdapBasedUnitTest {
private static Map<String,KeyPair> keyPairs = new HashMap<>(10);
private static KeyPairGenerator rsaGenerator;
private static KeyPairGenerator dsaGenerator;
private static KeyPairGenerator ecGenerator;
@BeforeClass
public static void init() throws GeneralSecurityException {
rsaGenerator = SecurityUtils.getKeyPairGenerator("RSA");
dsaGenerator = SecurityUtils.getKeyPairGenerator("DSA");
ecGenerator = SecurityUtils.getKeyPairGenerator("ECDSA");
}
@Test
public void testGetKeys() throws LDAPException {
String keyRsaOne = getRsaPubKey("UserOne@example.com");
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
String keyRsaTwo = getRsaPubKey("UserTwo@example.com");
String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaTwo, keyDsaTwo));
String keyRsaThree = getRsaPubKey("UserThree@example.com");
String keyDsaThree = getDsaPubKey("UserThree@example.com");
String keyEcThree = getEcPubKey("UserThree@example.com");
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyEcThree, keyRsaThree, keyDsaThree));
LdapKeyManager kmgr = new LdapKeyManager(settings);
List<SshKey> keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertTrue(keys.size() == 1);
assertEquals(keyRsaOne, keys.get(0).getRawData());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertTrue(keys.size() == 2);
if (keyRsaTwo.equals(keys.get(0).getRawData())) {
assertEquals(keyDsaTwo, keys.get(1).getRawData());
} else if (keyDsaTwo.equals(keys.get(0).getRawData())) {
assertEquals(keyRsaTwo, keys.get(1).getRawData());
} else {
fail("Mismatch in UserTwo keys.");
}
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertTrue(keys.size() == 3);
assertEquals(keyEcThree, keys.get(0).getRawData());
assertEquals(keyRsaThree, keys.get(1).getRawData());
assertEquals(keyDsaThree, keys.get(2).getRawData());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertTrue(keys.size() == 0);
}
@Test
public void testGetKeysAttributeName() throws LDAPException {
settings.put(Keys.realm.ldap.sshPublicKey, "sshPublicKey");
String keyRsaOne = getRsaPubKey("UserOne@example.com");
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "publicsshkey", keyDsaTwo));
String keyRsaThree = getRsaPubKey("UserThree@example.com");
String keyDsaThree = getDsaPubKey("UserThree@example.com");
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "publicsshkey", keyDsaThree));
LdapKeyManager kmgr = new LdapKeyManager(settings);
List<SshKey> keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyRsaOne, keys.get(0).getRawData());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyRsaThree, keys.get(0).getRawData());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertEquals(0, keys.size());
settings.put(Keys.realm.ldap.sshPublicKey, "publicsshkey");
keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyDsaTwo, keys.get(0).getRawData());
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyDsaThree, keys.get(0).getRawData());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertEquals(0, keys.size());
}
@Test
public void testGetKeysPrefixed() throws LDAPException {
// This test is independent from authentication mode, so run only once.
assumeTrue(authMode == AuthMode.ANONYMOUS);
String keyRsaOne = getRsaPubKey("UserOne@example.com");
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
String keyRsaTwo = getRsaPubKey("UserTwo@example.com");
String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", keyRsaTwo));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey: " + keyDsaTwo));
String keyRsaThree = getRsaPubKey("UserThree@example.com");
String keyDsaThree = getDsaPubKey("UserThree@example.com");
String keyEcThree = getEcPubKey("UserThree@example.com");
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " SshKey :\r\n" + keyRsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " sshkey: " + keyDsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "ECDSAKey :\n " + keyEcThree));
LdapKeyManager kmgr = new LdapKeyManager(settings);
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities");
List<SshKey> keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyRsaTwo, keys.get(0).getRawData());
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertEquals(0, keys.size());
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHKey");
keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyDsaTwo, keys.get(0).getRawData());
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(2, keys.size());
assertEquals(keyRsaThree, keys.get(0).getRawData());
assertEquals(keyDsaThree, keys.get(1).getRawData());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertEquals(0, keys.size());
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:ECDSAKey");
keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(0, keys.size());
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(1, keys.size());
assertEquals(keyEcThree, keys.get(0).getRawData());
keys = kmgr.getKeys("UserFour");
assertNotNull(keys);
assertEquals(0, keys.size());
}
@Test
public void testGetKeysPermissions() throws LDAPException {
// This test is independent from authentication mode, so run only once.
assumeTrue(authMode == AuthMode.ANONYMOUS);
String keyRsaOne = getRsaPubKey("UserOne@example.com");
String keyRsaTwo = getRsaPubKey("");
String keyDsaTwo = getDsaPubKey("UserTwo at example.com");
String keyRsaThree = getRsaPubKey("UserThree@example.com");
String keyDsaThree = getDsaPubKey("READ key for user 'Three' @example.com");
String keyEcThree = getEcPubKey("UserThree@example.com");
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", keyRsaOne));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " " + keyRsaTwo));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "no-agent-forwarding " + keyDsaTwo));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\" " + keyRsaOne));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " restrict,environment=\"gbperm=V\" " + keyRsaTwo));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "restrict,environment=\"GBPerm=RW\",pty " + keyDsaTwo));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"gbPerm=CLONE\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environment=\"XYZ='Ali Baba'\" " + keyEcThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", " environment=\" gbPerm = V \" " + keyRsaTwo));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "command=\"sh echo \\\"Nope, not you!\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", " command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "sshPublicKey", "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));
LdapKeyManager kmgr = new LdapKeyManager(settings);
List<SshKey> keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(6, keys.size());
for (SshKey key : keys) {
assertEquals(AccessPermission.PUSH, key.getPermission());
}
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(6, keys.size());
int seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(63, seen);
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(6, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(63, seen);
}
@Test
public void testGetKeysPrefixedPermissions() throws LDAPException {
// This test is independent from authentication mode, so run only once.
assumeTrue(authMode == AuthMode.ANONYMOUS);
String keyRsaOne = getRsaPubKey("UserOne@example.com");
String keyRsaTwo = getRsaPubKey("UserTwo at example.com");
String keyDsaTwo = getDsaPubKey("UserTwo@example.com");
String keyRsaThree = getRsaPubKey("example.com: user Three");
String keyDsaThree = getDsaPubKey("");
String keyEcThree = getEcPubKey(" ");
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "permitopen=\"host:220\"" + keyRsaOne));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "sshkey:" + " " + keyRsaTwo));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKEY :" + "no-agent-forwarding " + keyDsaTwo));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"sh /etc/netstart tun0 \" " + keyRsaThree));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"netstat -nult\",environment=\"gb=\\\"What now\\\"\" " + keyDsaThree));
getDS().modify(DN_USER_ONE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerms=VIEW\" " + keyEcThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\" " + keyRsaOne));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHKey : " + " restrict,environment=\"gbPerm=V\",permitopen=\"sshkey: 220\" " + keyRsaTwo));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "permitopen=\"sshkey: 443\",restrict,environment=\"gbPerm=RW\",pty " + keyDsaTwo));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=CLONE\",permitopen=\"pubkey: 29184\",environment=\"X=\\\" Y \\\"\" " + keyRsaThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " environment=\"A = B \",from=\"*.example.com,!pc.example.com\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",environment=\"gbPerm=PUSH\",environemnt=\"XYZ='Ali Baba'\" " + keyEcThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "environment=\"gbPerm=R\",environment=\"josh=\\\"mean\\\"\",tunnel=\"0\" " + keyRsaOne));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey : " + " environment=\" gbPerm = V \" " + keyRsaTwo));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "SSHkey: " + "command=\"sh echo \\\"Nope, not you! \\b (bell)\\\" \",user-rc,environment=\"gbPerm=RW\" " + keyDsaTwo));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"gbPerm=VIEW\",command=\"sh /etc/netstart tun0 \",environment=\"gbPerm=CLONE\",no-pty " + keyRsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + " command=\"netstat -nult\",environment=\"gbPerm=VIEW\" " + keyDsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "pubkey: " + "environment=\"SSH=git\",command=\"netstat -nult\",environment=\"gbPerm=PUSH\" " + keyEcThree));
// Weird stuff, not to specification but shouldn't make it stumble.
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", "opttest: " + "permitopen=host:443,command=,environment=\"gbPerm=CLONE\",no-pty= " + keyRsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " opttest: " + " cmd=git,environment=\"gbPerm=\\\"VIEW\\\"\" " + keyDsaThree));
getDS().modify(DN_USER_THREE, new Modification(ModificationType.ADD, "altSecurityIdentities", " opttest:" + "environment=,command=netstat,environment=gbperm=push " + keyEcThree));
LdapKeyManager kmgr = new LdapKeyManager(settings);
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:SSHkey");
List<SshKey> keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(2, keys.size());
int seen = 0;
for (SshKey key : keys) {
assertEquals(AccessPermission.PUSH, key.getPermission());
if (keyRsaOne.equals(key.getRawData())) {
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
seen += 1 << 5;
}
}
assertEquals(6, seen);
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(7, seen);
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(7, seen);
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:pubKey");
keys = kmgr.getKeys("UserOne");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
assertEquals(AccessPermission.PUSH, key.getPermission());
if (keyRsaOne.equals(key.getRawData())) {
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
seen += 1 << 5;
}
}
assertEquals(56, seen);
keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(56, seen);
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(56, seen);
settings.put(Keys.realm.ldap.sshPublicKey, "altSecurityIdentities:opttest");
keys = kmgr.getKeys("UserThree");
assertNotNull(keys);
assertEquals(3, keys.size());
seen = 0;
for (SshKey key : keys) {
if (keyRsaOne.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 0;
}
else if (keyRsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 1;
}
else if (keyDsaTwo.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 2;
}
else if (keyRsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.CLONE, key.getPermission());
seen += 1 << 3;
}
else if (keyDsaThree.equals(key.getRawData())) {
assertEquals(AccessPermission.VIEW, key.getPermission());
seen += 1 << 4;
}
else if (keyEcThree.equals(key.getRawData())) {
assertEquals(AccessPermission.PUSH, key.getPermission());
seen += 1 << 5;
}
}
assertEquals(56, seen);
}
@Test
public void testKeyValidity() throws LDAPException, GeneralSecurityException {
LdapKeyManager kmgr = new LdapKeyManager(settings);
String comment = "UserTwo@example.com";
String keyDsaTwo = getDsaPubKey(comment);
getDS().modify(DN_USER_TWO, new Modification(ModificationType.ADD, "sshPublicKey", keyDsaTwo));
List<SshKey> keys = kmgr.getKeys("UserTwo");
assertNotNull(keys);
assertEquals(1, keys.size());
SshKey sshKey = keys.get(0);
assertEquals(keyDsaTwo, sshKey.getRawData());
Signature signature = SecurityUtils.getSignature("DSA");
signature.initSign(getDsaKeyPair(comment).getPrivate());
byte[] message = comment.getBytes();
signature.update(message);
byte[] sigBytes = signature.sign();
signature.initVerify(sshKey.getPublicKey());
signature.update(message);
assertTrue("Verify failed with retrieved SSH key.", signature.verify(sigBytes));
}
private KeyPair getDsaKeyPair(String comment) {
return getKeyPair("DSA", comment, dsaGenerator);
}
private KeyPair getKeyPair(String type, String comment, KeyPairGenerator generator) {
String kpkey = type + ":" + comment;
KeyPair kp = keyPairs.get(kpkey);
if (kp == null) {
if ("EC".equals(type)) {
ECGenParameterSpec ecSpec = new ECGenParameterSpec("P-384");
try {
ecGenerator.initialize(ecSpec);
} catch (InvalidAlgorithmParameterException e) {
kp = generator.generateKeyPair();
e.printStackTrace();
}
kp = ecGenerator.generateKeyPair();
} else {
kp = generator.generateKeyPair();
}
keyPairs.put(kpkey, kp);
}
return kp;
}
private String getRsaPubKey(String comment) {
return getPubKey("RSA", comment, rsaGenerator);
}
private String getDsaPubKey(String comment) {
return getPubKey("DSA", comment, dsaGenerator);
}
private String getEcPubKey(String comment) {
return getPubKey("EC", comment, ecGenerator);
}
private String getPubKey(String type, String comment, KeyPairGenerator generator) {
KeyPair kp = getKeyPair(type, comment, generator);
if (kp == null) {
return null;
}
SshKey sk = new SshKey(kp.getPublic());
sk.setComment(comment);
return sk.getRawData();
}
}