BE: Auth: Support LDAPS for AD #840

Open. wants to merge 2 commits into base: main

Conversation

wernerdv (Contributor)

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)
In this PR I added CustomSslSocketFactory that trusts all certificates by default.
This allows you to use LDAPS to connect to an AD server without further specifying the path to the truststore/password.

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)
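The factory described above trusts every certificate; as an added example that is not code from this PR or the project, the following is a verifying counterpart for the same purpose: an SSLSocketFactory that validates the AD server's chain against a configurable truststore (the JVM default when no path is set) and enables LDAPS hostname matching. The class name, the ldaps.truststore.* system properties, and wiring it in through the JNDI java.naming.ldap.factory.socket property are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;

// Hypothetical class name. JNDI's LDAP provider instantiates it through the static
// getDefault() method when java.naming.ldap.factory.socket names this class.
public class VerifyingLdapsSocketFactory extends SSLSocketFactory {
  private final SSLSocketFactory delegate;

  public VerifyingLdapsSocketFactory() throws GeneralSecurityException, IOException {
    // Hypothetical property names; with no path set, the JVM default truststore (cacerts) is used.
    String path = System.getProperty("ldaps.truststore.path");
    char[] pass = System.getProperty("ldaps.truststore.password", "").toCharArray();
    KeyStore ks = null;
    if (path != null) {
      ks = KeyStore.getInstance(KeyStore.getDefaultType());
      try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
    }
    // PKIX chain validation against the chosen truststore; null means the JVM default trust anchors.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    delegate = ctx.getSocketFactory();
  }

  public static SSLSocketFactory getDefault() {
    try { return new VerifyingLdapsSocketFactory(); }
    catch (GeneralSecurityException | IOException e) { throw new IllegalStateException("LDAPS trust setup failed", e); }
  }

  // Also make the trust manager match the certificate against the host that was dialed.
  private static Socket withHostnameCheck(Socket s) {
    SSLSocket ssl = (SSLSocket) s;
    SSLParameters p = ssl.getSSLParameters();
    p.setEndpointIdentificationAlgorithm("LDAPS");
    ssl.setSSLParameters(p);
    return ssl;
  }

  @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
  @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return withHostnameCheck(delegate.createSocket(s, h, p, a)); }
  @Override public Socket createSocket(String h, int p) throws IOException { return withHostnameCheck(delegate.createSocket(h, p)); }
  @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return withHostnameCheck(delegate.createSocket(h, p, lh, lp)); }
  @Override public Socket createSocket(InetAddress h, int p) throws IOException { return withHostnameCheck(delegate.createSocket(h, p)); }
  @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return withHostnameCheck(delegate.createSocket(h, p, lh, lp)); }
}
```

With the endpoint identification algorithm set, a certificate whose chain is trusted but that was issued for a different host name is still rejected during the handshake.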

@wernerdv wernerdv requested a review from a team as a code owner February 13, 2025 07:13
@kapybro kapybro bot added status/triage Issues pending maintainers triage area/rbac Related to Role Based Access Control feature status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Feb 13, 2025
@wernerdv (Contributor Author)

@Haarolean PTAL

private static final X509Certificate[] CERTS = new X509Certificate[0];

@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {

Check failure (Code scanning / SonarCloud, High): Server certificates should be verified during SSL/TLS connections. Enable server certificate validation on this SSL/TLS connection.
}

@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {

Check failure (Code scanning / SonarCloud, High): Server certificates should be verified during SSL/TLS connections. Enable server certificate validation on this SSL/TLS connection.
public CustomSslSocketFactory() {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, new TrustManager[] { new DisabledX509TrustManager() }, new SecureRandom());
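Review bot: checkClientTrusted and checkServerTrusted in DisabledX509TrustManager have empty bodies, so the SSLContext initialised in CustomSslSocketFactory() accepts any server certificate and the LDAPS connection no longer authenticates the AD server, which is the SonarCloud finding flagged on both methods. Initialise the context from a TrustManagerFactory backed by the configured truststore (or the JVM default when no path is given), and if a trust-all mode is wanted for test setups, make it an explicit opt-in rather than the default and document the switch in the ENVIRONMENT VARIABLES page named in the checklist.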
Member:

I think we can achieve the same like this:

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;

// build() throws javax.net.ssl.SSLException
SslContext context = SslContextBuilder.forClient()
        .trustManager(InsecureTrustManagerFactory.INSTANCE)
        .build();
```

and if there's a way to build an SSLSocketFactory by supplying an SslContext, we can reduce all this copy-paste.

super.start();

if (sslEnabled) {
setCustomCertAndRestartServer();
Member:

does it make sense to set the things up before start to avoid restarting?

import org.springframework.test.context.ContextConfiguration;

@ContextConfiguration(initializers = {ActiveDirectoryLdapTest.Initializer.class})
public class ActiveDirectoryLdapTest extends AbstractActiveDirectoryIntegrationTest {
Member:

I feel like we're missing some tests in this test class :)

Contributor Author:

I moved the tests to AbstractActiveDirectoryIntegrationTest.
They are run for both classes ActiveDirectoryLdapTest/ActiveDirectoryLdapsTest.
Or did I misunderstand?

Member:

Ah, this is kinda counter-intuitive. Usually abstract test classes are used as a test base for setting something up before executing tests. Here, ActiveDirectoryLdapTest looks like it doesn't test anything due to the test itself being pulled up to AbstractActiveDirectoryIntegrationTest instead.

@Haarolean Haarolean changed the title BE: RBAC: Support LDAPS for AD BE: Auth: Support LDAPS for AD Feb 13, 2025
@Haarolean Haarolean added type/enhancement En enhancement/improvement to an already existing feature scope/backend Related to backend changes area/auth App authentication related issues and removed area/rbac Related to Role Based Access Control feature status/triage/manual Manual triage in progress labels Feb 13, 2025
Labels
area/auth App authentication related issues scope/backend Related to backend changes status/triage/completed Automatic triage completed type/enhancement En enhancement/improvement to an already existing feature