8288895: LdapContext doesn't honor set referrals limit

Reviewed-by: dfuchs, aefimov
This commit is contained in:
rmartinc 2022-06-30 09:17:57 +00:00 committed by Aleksei Efimov
parent 1305fb5ca8
commit c3addbb1c0
2 changed files with 183 additions and 8 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -310,10 +310,8 @@ abstract class AbstractLdapNamingEnumeration<T extends NameClassPair>
*/ */
protected final boolean hasMoreReferrals() throws NamingException { protected final boolean hasMoreReferrals() throws NamingException {
if ((refEx != null) && if ((refEx != null) && !(errEx instanceof LimitExceededException) &&
(refEx.hasMoreReferrals() || (refEx.hasMoreReferrals() || refEx.hasMoreReferralExceptions())) {
refEx.hasMoreReferralExceptions()
&& !(errEx instanceof LimitExceededException))) {
if (homeCtx.handleReferrals == LdapClient.LDAP_REF_THROW) { if (homeCtx.handleReferrals == LdapClient.LDAP_REF_THROW) {
throw (NamingException)(refEx.fillInStackTrace()); throw (NamingException)(refEx.fillInStackTrace());
@ -333,9 +331,13 @@ abstract class AbstractLdapNamingEnumeration<T extends NameClassPair>
} catch (LdapReferralException re) { } catch (LdapReferralException re) {
// record a previous exception // record a previous exception and quit if any limit is reached
if (errEx == null) { var namingException = re.getNamingException();
errEx = re.getNamingException(); if (namingException instanceof LimitExceededException) {
errEx = namingException;
break;
} else if (errEx == null) {
errEx = namingException;
} }
refEx = re; refEx = re;
continue; continue;
@ -381,6 +383,10 @@ abstract class AbstractLdapNamingEnumeration<T extends NameClassPair>
entries = ne.entries; entries = ne.entries;
refEx = ne.refEx; refEx = ne.refEx;
listArg = ne.listArg; listArg = ne.listArg;
// record a previous exception and quit if any limit is reached
if (errEx == null || ne.errEx instanceof LimitExceededException) {
errEx = ne.errEx;
}
} }
@SuppressWarnings("removal") @SuppressWarnings("removal")

View File

@ -0,0 +1,169 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
* @test
* @bug 8288895
* @summary LdapContext doesn't honor set referrals limit
* @library lib /test/lib
*/
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import java.nio.charset.StandardCharsets;
import java.net.InetAddress;
import java.util.Properties;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.Context;
import javax.naming.LimitExceededException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;
import jdk.test.lib.net.URIBuilder;
/**
* <p>Little test for referral limit. The ldap server is configured to
* always return a referral so LimitExceededException is expected when
* <em>java.naming.ldap.referral.limit</em> is reached.</p>
*
* @author rmartinc
*/
public class ReferralLimitSearchTest {
// number of referral hops to test
private static final int MAX_REFERRAL_LIMIT = 4;
// position of the message-id inside the responses
private static final int MESSAGE_ID_IDX = 4;
// success bind response
private static final byte[] BIND_RESPONSE = {
0x30, 0x0C, 0x02, 0x01, 0x00, 0x61, 0x07, 0x0A,
0x01, 0x00, 0x04, 0x00, 0x04, 0x00
};
// search res done
private static final byte[] SEARCH_RESPONSE = {
0x30, 0x0C, 0x02, 0x01, 0x00, 0x65, 0x07, 0x0A,
0x01, 0x00, 0x04, 0x00, 0x04, 0x00
};
public static void main(String[] args) throws Exception {
final CountDownLatch latch = new CountDownLatch(1);
// Start the LDAP server
BaseLdapServer ldapServer = new BaseLdapServer() {
AtomicInteger hops = new AtomicInteger(0);
@Override
protected void handleRequest(Socket socket, LdapMessage request,
OutputStream out) throws IOException {
switch (request.getOperation()) {
case BIND_REQUEST:
byte[] bindResponse = BIND_RESPONSE.clone();
bindResponse[MESSAGE_ID_IDX] = (byte) request.getMessageID();
out.write(bindResponse);
break;
case SEARCH_REQUEST:
if (hops.incrementAndGet() > MAX_REFERRAL_LIMIT + 1) {
throw new IOException("Referral limit not enforced. Number of hops=" + hops);
}
byte[] referral = new StringBuilder("ldap://")
.append(InetAddress.getLoopbackAddress().getHostAddress())
.append(":")
.append(getPort())
.append("/ou=People??sub")
.toString()
.getBytes(StandardCharsets.UTF_8);
out.write(0x30);
out.write(referral.length + 7);
out.write(new byte[] {0x02, 0x01});
out.write(request.getMessageID());
out.write(0x73);
out.write(referral.length + 2);
out.write(0x04);
out.write(referral.length);
out.write(referral);
byte[] searchResponse = SEARCH_RESPONSE.clone();
searchResponse[MESSAGE_ID_IDX] = (byte) request.getMessageID();
out.write(searchResponse);
break;
default:
break;
}
}
protected void beforeAcceptingConnections() {
latch.countDown();
}
}.start();
try (ldapServer) {
if (!latch.await(5, TimeUnit.SECONDS)) {
throw new RuntimeException("LdapServer not started in time");
}
// Setup JNDI parameters
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.referral.limit", Integer.toString(MAX_REFERRAL_LIMIT));
env.put(Context.PROVIDER_URL, URIBuilder.newBuilder()
.scheme("ldap")
.loopback()
.port(ldapServer.getPort())
.build().toString());
System.out.println("Client: connecting...");
DirContext ctx = new InitialDirContext(env);
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
sc.setReturningAttributes(new String[]{"uid"});
System.out.println("Client: performing search...");
NamingEnumeration<SearchResult> ne = ctx.search("ou=People", "(uid=*)", sc);
while (ne.hasMore()) {
SearchResult sr = ne.next();
System.out.println("Client: Search result " + sr);
}
System.out.println("Client: search done...");
ctx.close();
// LimitExceededException expected throw error if this point is reached
throw new RuntimeException("LimitExceededException expected");
} catch (LimitExceededException e) {
System.out.println("Passed: caught the expected Exception - " + e);
} catch (Exception e) {
System.err.println("Failed: caught an unexpected Exception - " + e);
throw e;
}
}
}