BE: Auth: Support LDAPS for AD

fix review notes

Author: wernerdv

api/src/main/java/io/kafbat/ui/config/auth/LdapSecurityConfig.java

@@ -9,6 +9,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.stream.Stream;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -68,18 +69,10 @@ public AbstractLdapAuthenticationProvider authenticationProvider(LdapAuthorities
 
     AbstractLdapAuthenticationProvider authProvider;
 
-    if (!props.isActiveDirectory()) {
-      authProvider = new LdapAuthenticationProvider(ba, authoritiesExtractor);
+    if (props.isActiveDirectory()) {
+      authProvider = activeDirectoryProvider(authoritiesExtractor);
     } else {
-      authProvider = new ActiveDirectoryLdapAuthenticationProvider(props.getActiveDirectoryDomain(),
-          props.getUrls());
-      authProvider.setUseAuthenticationRequestCredentials(true);
-      ((ActiveDirectoryLdapAuthenticationProvider) authProvider).setAuthoritiesPopulator(authoritiesExtractor);
-
-      List<String> urls = List.of(props.getUrls().split(","));
-      if (urls.stream().anyMatch(url -> url.startsWith("ldaps://"))) {
-        ((ActiveDirectoryLdapAuthenticationProvider) authProvider).setContextEnvironmentProperties(BASE_ENV_PROPS);
-      }
+      authProvider = new LdapAuthenticationProvider(ba, authoritiesExtractor);
     }
 
     if (rbacEnabled) {
@@ -169,6 +162,22 @@ public SecurityWebFilterChain configureLdap(ServerHttpSecurity http) {
     return builder.build();
   }
 
+  private ActiveDirectoryLdapAuthenticationProvider activeDirectoryProvider(LdapAuthoritiesPopulator populator) {
+    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
+        props.getActiveDirectoryDomain(),
+        props.getUrls()
+    );
+
+    provider.setUseAuthenticationRequestCredentials(true);
+    provider.setAuthoritiesPopulator(populator);
+
+    if (Stream.of(props.getUrls().split(",")).anyMatch(url -> url.startsWith("ldaps://"))) {
+      provider.setContextEnvironmentProperties(BASE_ENV_PROPS);
+    }
+
+    return provider;
+  }
+
   private static class RbacUserDetailsMapper extends LdapUserDetailsMapper {
     @Override
     public UserDetails mapUserFromContext(DirContextOperations ctx, String username,

api/src/main/java/io/kafbat/ui/util/CustomSslSocketFactory.java

@@ -1,24 +1,23 @@
 package io.kafbat.ui.util;
 
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.security.SecureRandom;
-import java.security.cert.X509Certificate;
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 
 public class CustomSslSocketFactory extends SSLSocketFactory {
   private final SSLSocketFactory socketFactory;
 
   public CustomSslSocketFactory() {
     try {
-      SSLContext ctx = SSLContext.getInstance("TLS");
-      ctx.init(null, new TrustManager[] { new DisabledX509TrustManager() }, new SecureRandom());
-      socketFactory = ctx.getSocketFactory();
+      SSLContext sslContext = SSLContext.getInstance("TLS");
+      sslContext.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), new SecureRandom());
+
+      socketFactory = sslContext.getSocketFactory();
     } catch (Exception e) {
       throw new RuntimeException(e);
     }
@@ -67,24 +66,4 @@ public Socket createSocket(InetAddress ia, int i, InetAddress ia1, int i1) throw
   public Socket createSocket() throws IOException {
     return socketFactory.createSocket();
   }
-
-  private static class DisabledX509TrustManager implements X509TrustManager {
-    /** Empty certificate array. */
-    private static final X509Certificate[] CERTS = new X509Certificate[0];
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
-      // No-op, all clients are trusted.
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
-      // No-op, all servers are trusted.
-    }
-
-    @Override
-    public X509Certificate[] getAcceptedIssuers() {
-      return CERTS;
-    }
-  }
 }

api/src/test/java/io/kafbat/ui/AbstractActiveDirectoryIntegrationTest.java

@@ -16,8 +16,6 @@
 import io.kafbat.ui.model.UserPermissionDTO;
 import java.util.List;
 import java.util.Objects;
-import org.junit.jupiter.api.Test;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.MediaType;
@@ -31,12 +29,8 @@
 public abstract class AbstractActiveDirectoryIntegrationTest {
   private static final String SESSION = "SESSION";
 
-  @Autowired
-  private WebTestClient webTestClient;
-
-  @Test
-  public void testUserPermissions() {
-    AuthenticationInfoDTO info = authenticationInfo(FIRST_USER_WITH_GROUP);
+  protected static void checkUserPermissions(WebTestClient client) {
+    AuthenticationInfoDTO info = authenticationInfo(client, FIRST_USER_WITH_GROUP);
 
     assertNotNull(info);
     assertTrue(info.getRbacEnabled());
@@ -46,22 +40,21 @@ public void testUserPermissions() {
     assertFalse(permissions.isEmpty());
     assertTrue(permissions.stream().anyMatch(permission ->
         permission.getClusters().contains(LOCAL) && permission.getResource() == ResourceTypeDTO.TOPIC));
-    assertEquals(permissions, authenticationInfo(SECOND_USER_WITH_GROUP).getUserInfo().getPermissions());
-    assertEquals(permissions, authenticationInfo(USER_WITHOUT_GROUP).getUserInfo().getPermissions());
+    assertEquals(permissions, authenticationInfo(client, SECOND_USER_WITH_GROUP).getUserInfo().getPermissions());
+    assertEquals(permissions, authenticationInfo(client, USER_WITHOUT_GROUP).getUserInfo().getPermissions());
   }
 
-  @Test
-  public void testEmptyPermissions() {
-    assertTrue(Objects.requireNonNull(authenticationInfo(EMPTY_PERMISSIONS_USER))
+  protected static void checkEmptyPermissions(WebTestClient client) {
+    assertTrue(Objects.requireNonNull(authenticationInfo(client, EMPTY_PERMISSIONS_USER))
         .getUserInfo()
         .getPermissions()
         .isEmpty()
     );
   }
 
-  private String session(String name) {
+  protected static String session(WebTestClient client, String name) {
     return Objects.requireNonNull(
-            webTestClient
+            client
                 .post()
                 .uri("/login")
                 .contentType(MediaType.APPLICATION_FORM_URLENCODED)
@@ -75,11 +68,11 @@ private String session(String name) {
         .getValue();
   }
 
-  private AuthenticationInfoDTO authenticationInfo(String name) {
-    return webTestClient
+  protected static AuthenticationInfoDTO authenticationInfo(WebTestClient client, String name) {
+    return client
         .get()
         .uri("/api/authorization")
-        .cookie(SESSION, session(name))
+        .cookie(SESSION, session(client, name))
         .exchange()
         .expectStatus()
         .isOk()

api/src/test/java/io/kafbat/ui/ActiveDirectoryLdapTest.java

@@ -6,14 +6,20 @@
 import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContextInitializer;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.web.reactive.server.WebTestClient;
 
 @ContextConfiguration(initializers = {ActiveDirectoryLdapTest.Initializer.class})
 public class ActiveDirectoryLdapTest extends AbstractActiveDirectoryIntegrationTest {
   private static final ActiveDirectoryContainer ACTIVE_DIRECTORY = new ActiveDirectoryContainer(false);
 
+  @Autowired
+  private WebTestClient webTestClient;
+
   @BeforeAll
   public static void setup() {
     ACTIVE_DIRECTORY.start();
@@ -24,6 +30,16 @@ public static void shutdown() {
     ACTIVE_DIRECTORY.stop();
   }
 
+  @Test
+  public void testUserPermissions() {
+    checkUserPermissions(webTestClient);
+  }
+
+  @Test
+  public void testEmptyPermissions() {
+    checkEmptyPermissions(webTestClient);
+  }
+
   public static class Initializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {
     @Override
     public void initialize(@NotNull ConfigurableApplicationContext context) {

api/src/test/java/io/kafbat/ui/ActiveDirectoryLdapsTest.java

@@ -4,15 +4,13 @@
 import static io.kafbat.ui.container.ActiveDirectoryContainer.CONTAINER_KEY_PATH;
 import static io.kafbat.ui.container.ActiveDirectoryContainer.DOMAIN;
 import static io.kafbat.ui.container.ActiveDirectoryContainer.PASSWORD;
+import static java.nio.file.Files.writeString;
 import static org.testcontainers.utility.MountableFile.forHostPath;
 
 import io.kafbat.ui.container.ActiveDirectoryContainer;
-import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileWriter;
-import java.io.OutputStreamWriter;
+import java.io.StringWriter;
 import java.net.InetAddress;
-import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
@@ -22,9 +20,12 @@
 import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContextInitializer;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.web.reactive.server.WebTestClient;
 import org.testcontainers.shaded.org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
 import org.testcontainers.shaded.org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
 import org.testcontainers.shaded.org.bouncycastle.util.io.pem.PemWriter;
@@ -36,6 +37,9 @@ public class ActiveDirectoryLdapsTest extends AbstractActiveDirectoryIntegration
   private static File certPem = null;
   private static File privateKeyPem = null;
 
+  @Autowired
+  private WebTestClient webTestClient;
+
   @BeforeAll
   public static void setup() throws Exception {
     generateCerts();
@@ -51,6 +55,16 @@ public static void shutdown() {
     ACTIVE_DIRECTORY.stop();
   }
 
+  @Test
+  public void testUserPermissions() {
+    checkUserPermissions(webTestClient);
+  }
+
+  @Test
+  public void testEmptyPermissions() {
+    checkEmptyPermissions(webTestClient);
+  }
+
   private static void generateCerts() throws Exception {
     File truststore = File.createTempFile("truststore", ".jks");
 
@@ -67,26 +81,22 @@ private static void generateCerts() throws Exception {
     TestSslUtils.createTrustStore(truststore.getPath(), new Password(PASSWORD), Map.of("client", clientCert));
 
     certPem = File.createTempFile("cert", ".pem");
-    try (FileWriter fw = new FileWriter(certPem)) {
-      fw.write(certOrKeyToString(clientCert));
-    }
+    writeString(certPem.toPath(), certOrKeyToString(clientCert));
 
     privateKeyPem = File.createTempFile("key", ".pem");
-    try (FileWriter fw = new FileWriter(privateKeyPem)) {
-      fw.write(certOrKeyToString(clientKeyPair.getPrivate()));
-    }
+    writeString(privateKeyPem.toPath(), certOrKeyToString(clientKeyPair.getPrivate()));
   }
 
   private static String certOrKeyToString(Object certOrKey) throws Exception {
-    ByteArrayOutputStream out = new ByteArrayOutputStream();
-    try (PemWriter pemWriter = new PemWriter(new OutputStreamWriter(out, StandardCharsets.UTF_8))) {
+    StringWriter sw = new StringWriter();
+    try (PemWriter pw = new PemWriter(sw)) {
       if (certOrKey instanceof X509Certificate) {
-        pemWriter.writeObject(new JcaMiscPEMGenerator(certOrKey));
+        pw.writeObject(new JcaMiscPEMGenerator(certOrKey));
       } else {
-        pemWriter.writeObject(new JcaPKCS8Generator((PrivateKey) certOrKey, null));
+        pw.writeObject(new JcaPKCS8Generator((PrivateKey) certOrKey, null));
       }
     }
-    return out.toString(StandardCharsets.UTF_8);
+    return sw.toString();
   }
 
   public static class Initializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {