Add option allow_empty_password

vikingUnet · smiklosovic · commit d2be62a05114 · 2025-01-07T13:18:38.000+01:00
see issue 53
diff --git a/README.adoc b/README.adoc
@@ -103,6 +103,9 @@ The content of the configuration file is as follows:
 
 |cassandra_ldap_admin_user
 |name of a user/role which will be considered a default superuser, instead of `cassandra`. Please consult "How it Works" section to know more about the usage.
+
+|allow_empty_password
+|allow or disallow empty passwords when trying to connect to ldap server to prevent insecure behavior, defaults to `true`
 |===
 
 
@@ -228,4 +231,4 @@ Only one role can be specified.
 
 ## Further Information
 - See blog by Stefan Miklosovic about https://www.instaclustr.com/the-instaclustr-ldap-plugin-for-cassandra/[Apache Cassandra LDAP Authentication]
-- Please see https://www.instaclustr.com/support/documentation/announcements/instaclustr-open-source-project-status/[Instaclustr support status] of this project
+- Please see https://www.instaclustr.com/support/documentation/announcements/instaclustr-open-source-project-status/[Instaclustr support status] of this project
diff --git a/base/src/main/java/com/instaclustr/cassandra/ldap/conf/LdapAuthenticatorConfiguration.java b/base/src/main/java/com/instaclustr/cassandra/ldap/conf/LdapAuthenticatorConfiguration.java
@@ -53,6 +53,9 @@ public final class LdapAuthenticatorConfiguration
 
     public static final String CASSANDRA_AUTH_CACHE_ENABLED_PROP = "auth_cache_enabled";
 
+    // allow as default or disallow empty passwords when trying to connect to ldap server - empty passwords make do some unexpected behavior
+    public static final String ALLOW_EMPTY_PASSWORD_PROP = "allow_empty_password";
+
     public static final String GENSALT_LOG2_ROUNDS_PROP = "auth_bcrypt_gensalt_log2_rounds";
     public static final int GENSALT_LOG2_ROUNDS_DEFAULT = 10;
 
@@ -134,6 +137,8 @@ public Properties parseProperties() throws ConfigurationException
 
         properties.setProperty(CASSANDRA_AUTH_CACHE_ENABLED_PROP, Boolean.toString(parseBoolean(properties.getProperty(CASSANDRA_AUTH_CACHE_ENABLED_PROP, "true"))));
 
+        properties.setProperty(ALLOW_EMPTY_PASSWORD_PROP, Boolean.toString(parseBoolean(properties.getProperty(ALLOW_EMPTY_PASSWORD_PROP, "true"))));
+
         properties.setProperty(CONSISTENCY_FOR_ROLE, properties.getProperty(CONSISTENCY_FOR_ROLE, DEFAULT_CONSISTENCY_FOR_ROLE));
 
         String filterTemplate = properties.getProperty(FILTER_TEMPLATE, "(cn=%s)");
diff --git a/base/src/main/java/org/apache/cassandra/auth/LDAPAuthenticator.java b/base/src/main/java/org/apache/cassandra/auth/LDAPAuthenticator.java
@@ -18,6 +18,7 @@
 package org.apache.cassandra.auth;
 
 import static com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration.CASSANDRA_AUTH_CACHE_ENABLED_PROP;
+import static com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration.ALLOW_EMPTY_PASSWORD_PROP;
 import static com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration.CASSANDRA_LDAP_ADMIN_USER;
 import static com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration.CASSANDRA_LDAP_ADMIN_USER_SYSTEM_PROPERTY;
 import static com.instaclustr.cassandra.ldap.conf.LdapAuthenticatorConfiguration.DEFAULT_ROLE_MEMBERSHIP;
@@ -65,6 +66,8 @@ public class LDAPAuthenticator extends AbstractLDAPAuthenticator
 
     private static final Logger logger = LoggerFactory.getLogger(AbstractLDAPAuthenticator.class);
 
+    private boolean allow_empty_password;
+
     protected CacheDelegate cacheDelegate;
 
     public void setup()
@@ -114,6 +117,8 @@ public void setup()
                            ldapUserRetriever::retrieve,
                            parseBoolean(properties.getProperty(CASSANDRA_AUTH_CACHE_ENABLED_PROP)));
 
+        allow_empty_password = parseBoolean(properties.getProperty(ALLOW_EMPTY_PASSWORD_PROP));
+
         logger.info("{} was initialised", LDAPAuthenticator.class.getName());
     }
 
@@ -136,6 +141,9 @@ public AuthenticatedUser authenticate(String username, String password) throws A
     {
         try
         {
+            if (!allow_empty_password && password.isEmpty())
+                throw new AuthenticationException("empty password is not supported");
+
             final User user = new User(username, password);
 
             final User cachedUser = cacheDelegate.get(user);
diff --git a/conf/ldap.properties b/conf/ldap.properties
@@ -20,6 +20,9 @@ filter_template: (cn=%s)
 # This option is irrelevant for Cassandra version <= 3.0
 #auth_cache_enabled: false
 
+# Allow or disallow empty passwords when trying to connect to ldap server to prevent insecure behavior, defaults to `true`
+#allow_empty_password: true
+
 # if you set this property, Cassandra will internally consider 'dba` to be same as 'cassandra'.
 # so you might get rid of `cassandra` role (not recommended) or you might make it unable to log in at least.
 # You need to create this admin role beforehand, it has to be super user.
