[JENKINS-44743] Normalize userSearchBase as key instead of rootDB and…

… userSearchBase
jenkinsci · Jun 12, 2017 · 0002799 · 0002799
1 parent 82b6bdb
commit 0002799
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 9 deletions.
diff --git a/src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java b/src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
@@ -88,6 +88,8 @@
 import static hudson.Util.fixEmpty;
 import static hudson.Util.fixEmptyAndTrim;
 import static hudson.Util.fixNull;
+import static org.apache.commons.lang.StringUtils.isBlank;
+import static org.apache.commons.lang.StringUtils.isNotBlank;
 
 /**
  * A configuration for one ldap connection
@@ -503,30 +505,44 @@ private String generateId() {
     static String generateId(String serverUrl, String rootDN, String userSearchBase, String userSearch) {
         final MessageDigest digest = DigestUtils.getMd5Digest();
         digest.update(normalizeServer(serverUrl).getBytes(Charsets.UTF_8));
-        if (StringUtils.isNotBlank(rootDN)) {
-            digest.update(rootDN.getBytes(Charsets.UTF_8)); //Should have been inferred in the constructor if needed
+        String userSearchBaseNormalized = normalizeUserSearchBase(rootDN, userSearchBase);
+        if (isNotBlank(userSearchBaseNormalized)) {
+            digest.update(userSearchBaseNormalized.getBytes(Charsets.UTF_8));
         } else {
             digest.update(new byte[]{0});
         }
-        if (StringUtils.isNotBlank(userSearchBase)) {
-            digest.update(userSearchBase.getBytes(Charsets.UTF_8));
-        } else {
-            digest.update(new byte[]{0});
-        }
-        if (StringUtils.isNotBlank(userSearch)) {
+        if (isNotBlank(userSearch)) {
             digest.update(userSearch.getBytes(Charsets.UTF_8));
         } else {
             digest.update(LDAPConfigurationDescriptor.DEFAULT_USER_SEARCH.getBytes(Charsets.UTF_8));
         }
         return new String(Base64.encode(digest.digest()));
     }
 
+    private static String normalizeUserSearchBase(String rootDN, String userSearchBase) {
+        if (isBlank(rootDN) && isBlank(userSearchBase)) {
+            return "";
+        }
+        if (isBlank(rootDN)) {
+            return userSearchBase;
+        }
+        if (isBlank(userSearchBase)) {
+            return rootDN;
+        }
+        rootDN = rootDN.trim();
+        userSearchBase = userSearchBase.trim();
+        if (userSearchBase.endsWith(rootDN)) {
+            return userSearchBase;
+        }
+        return userSearchBase + "," + rootDN;
+    }
+
     @Restricted(NoExternalUse.class)
     static String normalizeServer(String server) { /*package scope for testing*/
         String[] urls = Util.fixNull(server).split("\\s+");
         List<String> normalised = new ArrayList<>(urls.length);
         for (String url : urls) {
-            if (StringUtils.isBlank(url)) {
+            if (isBlank(url)) {
                 continue;
             }
             url = addPrefix(url);

diff --git a/src/test/java/jenkins/security/plugins/ldap/LDAPConfigurationTest.java b/src/test/java/jenkins/security/plugins/ldap/LDAPConfigurationTest.java
@@ -36,7 +36,9 @@
 import java.util.logging.SimpleFormatter;
 import java.util.logging.StreamHandler;
 
+import static org.hamcrest.CoreMatchers.allOf;
 import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.collection.IsArrayWithSize.arrayWithSize;
 import static org.junit.Assert.*;
 
@@ -151,6 +153,29 @@ public void generateIdJustOneServer() {
         assertNotEquals(id1, idDiff);
     }
 
+    @Test
+    public void generateIdWithNormalizedUserSearchBase() {
+        String id1 = LDAPConfiguration.generateId("ldap.example.com", "dc=example,dc=com", "dc=users,dc=example,dc=com", null);
+        String id2 = LDAPConfiguration.generateId("ldap.example.com", "dc=example,dc=com", "dc=users", null);
+        String id3 = LDAPConfiguration.generateId("ldap.example.com", "dc=com", "dc=users,dc=example", null);
+        String id4 = LDAPConfiguration.generateId("ldap.example.com", null, "dc=users,dc=example,dc=com", null);
+        String id5 = LDAPConfiguration.generateId("ldap.example.com", "", "dc=users,dc=example,dc=com", null);
+        String id6 = LDAPConfiguration.generateId("ldap.example.com", "dc=users,dc=example,dc=com", "", null);
+        String id7 = LDAPConfiguration.generateId("ldap.example.com", "dc=users,dc=example,dc=com", null, null);
+
+        assertEquals(id1, id2);
+        assertEquals(id1, id3);
+        assertEquals(id1, id4);
+        assertEquals(id1, id5);
+        assertEquals(id1, id6);
+        assertEquals(id1, id7);
+
+        id1 = LDAPConfiguration.generateId("ldap.example.com", "dc=example,dc=com", "dc=users", null);
+        id2 = LDAPConfiguration.generateId("ldap.example.com", "dc=example,dc=com", "dc=expats", null);
+
+        assertNotEquals(id1, id2);
+    }
+
     @Test
     public void normalizeServerSameButDifferent() {
         String s1 = "ldap.example.com ldap://ad.example.com ldaps://ad2.example.com";