ldap: truststore per domain (#5816)

Co-authored-by: Daan Hoogland <dahn@onecht.net>

Author: DaanHoogland

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LDAPConfigCmd.java

@@ -189,7 +189,7 @@ public void execute() throws ResourceUnavailableException, InsufficientCapacityE
             List<LDAPConfigResponse> responses = new ArrayList<LDAPConfigResponse>();
 
             if (result.second() > 0) {
-                boolean useSSlConfig = _ldapConfiguration.getSSLStatus();
+                boolean useSSlConfig = _ldapConfiguration.getSSLStatus(null);
                 String searchBaseConfig = _ldapConfiguration.getBaseDn(null);
                 String bindDnConfig = _ldapConfiguration.getBindPrincipal(null);
                 for (LdapConfigurationVO ldapConfigurationVO : result.first()) {

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapConfiguration.java

@@ -238,7 +238,7 @@ public String getLastnameAttribute(final Long domainId) {
     }
 
     public String getProviderUrl(final Long domainId) {
-        final String protocol = getSSLStatus() == true ? "ldaps://" : "ldap://";
+        final String protocol = getSSLStatus(domainId) == true ? "ldaps://" : "ldap://";
         final Pair<List<LdapConfigurationVO>, Integer> result = _ldapConfigurationDao.searchConfigurations(null, 0, domainId);
         final StringBuilder providerUrls = new StringBuilder();
         String delim = "";
@@ -270,20 +270,20 @@ public String getSearchGroupPrinciple(final Long domainId) {
         return ldapSearchGroupPrinciple.valueIn(domainId);
     }
 
-    public boolean getSSLStatus() {
+    public boolean getSSLStatus(Long domainId) {
         boolean sslStatus = false;
-        if (getTrustStore() != null && getTrustStorePassword() != null) {
+        if (getTrustStore(domainId) != null && getTrustStorePassword(domainId) != null) {
             sslStatus = true;
         }
         return sslStatus;
     }
 
-    public String getTrustStore() {
-        return ldapTrustStore.value();
+    public String getTrustStore(Long domainId) {
+        return ldapTrustStore.valueIn(domainId);
     }
 
-    public String getTrustStorePassword() {
-        return ldapTrustStorePassword.value();
+    public String getTrustStorePassword(Long domainId) {
+        return ldapTrustStorePassword.valueIn(domainId);
     }
 
     public String getUsernameAttribute(final Long domainId) {

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java

@@ -66,14 +66,14 @@ public LdapContext createUserContext(final String principal, final String passwo
         return createInitialDirContext(principal, password, false, domainId);
     }
 
-    private void enableSSL(final Hashtable<String, String> environment) {
-        final boolean sslStatus = _ldapConfiguration.getSSLStatus();
+    private void enableSSL(final Hashtable<String, String> environment, Long domainId) {
+        final boolean sslStatus = _ldapConfiguration.getSSLStatus(domainId);
 
         if (sslStatus) {
             s_logger.info("LDAP SSL enabled.");
             environment.put(Context.SECURITY_PROTOCOL, "ssl");
-            System.setProperty("javax.net.ssl.trustStore", _ldapConfiguration.getTrustStore());
-            System.setProperty("javax.net.ssl.trustStorePassword", _ldapConfiguration.getTrustStorePassword());
+            System.setProperty("javax.net.ssl.trustStore", _ldapConfiguration.getTrustStore(domainId));
+            System.setProperty("javax.net.ssl.trustStorePassword", _ldapConfiguration.getTrustStorePassword(domainId));
         }
     }
 
@@ -92,7 +92,7 @@ private Hashtable<String, String> getEnvironment(final String principal, final S
         environment.put("com.sun.jndi.ldap.read.timeout", _ldapConfiguration.getReadTimeout(domainId).toString());
         environment.put("com.sun.jndi.ldap.connect.pool", "true");
 
-        enableSSL(environment);
+        enableSSL(environment, domainId);
         setAuthentication(environment, isSystemContext, domainId);
 
         if (principal != null) {

plugins/user-authenticators/ldap/src/test/groovy/org/apache/cloudstack/ldap/LdapContextFactorySpec.groovy

@@ -49,9 +49,9 @@ class LdapContextFactorySpec extends spock.lang.Specification {
         ldapConfiguration.getFirstnameAttribute() >> "givenname"
         ldapConfiguration.getLastnameAttribute() >> "sn"
         ldapConfiguration.getBaseDn(_) >> "dc=cloudstack,dc=org"
-		ldapConfiguration.getSSLStatus() >> true
-		ldapConfiguration.getTrustStore() >> "/tmp/ldap.ts"
-		ldapConfiguration.getTrustStorePassword() >> "password"
+		ldapConfiguration.getSSLStatus(domainId) >> true
+		ldapConfiguration.getTrustStore(domainId) >> "/tmp/ldap.ts"
+		ldapConfiguration.getTrustStorePassword(domainId) >> "password"
         ldapConfiguration.getReadTimeout(_) >> 1000
         ldapConfiguration.getLdapPageSize() >> 1
 

plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/ldap/LdapConfigurationTest.java

@@ -78,7 +78,7 @@ private void overrideConfigValue(LdapConfiguration ldapConfiguration, final Stri
         ldapTestConfigTool.overrideConfigValue(ldapConfiguration, "ldapTrustStore", "/tmp/ldap.ts");
         ldapTestConfigTool.overrideConfigValue(ldapConfiguration, "ldapTrustStorePassword", "password");
 
-        assertTrue("A request is made to get the status of SSL should result in true", ldapConfiguration.getSSLStatus());
+        assertTrue("A request is made to get the status of SSL should result in true", ldapConfiguration.getSSLStatus(null));
     }
 
     @Test public void getSearchGroupPrincipleReturnsSuccessfully() throws Exception {
@@ -93,7 +93,7 @@ private void overrideConfigValue(LdapConfiguration ldapConfiguration, final Stri
         // We have a ConfigDao with a value for truststore password
         ldapTestConfigTool.overrideConfigValue(ldapConfiguration, "ldapTrustStorePassword", "password");
 
-        String result = ldapConfiguration.getTrustStorePassword();
+        String result = ldapConfiguration.getTrustStorePassword(null);
 
         assertEquals("The result is password", "password", result);
     }