Add support for mapping of LDAP groups to ROLES

- Pump to spring-cloud-common-security-config
  1.0.1 snapshots.
- Add tests
- Add documentation
- Fixes #2084

Author: ghillert

pom.xml

@@ -39,7 +39,7 @@
 		<!-- Note: Change ./spring-cloud-dataflow-server-local/pom.xml to match the spring-cloud.version -->
 		<spring-cloud.version>Edgware.SR2</spring-cloud.version>
 
-		<spring-cloud-common-security-config.version>1.0.0.RELEASE</spring-cloud-common-security-config.version>
+		<spring-cloud-common-security-config.version>1.0.1.BUILD-SNAPSHOT</spring-cloud-common-security-config.version>
 
 		<spring-analytics.version>1.1.3.RELEASE</spring-analytics.version>
 		<spring-batch-admin-manager.version>1.3.1.RELEASE</spring-batch-admin-manager.version>

spring-cloud-dataflow-docs/src/main/asciidoc/configuration.adoc

@@ -584,6 +584,39 @@ TIP: For more information, please also see the
 http://docs.spring.io/spring-security/site/docs/current/reference/html/ldap.html[LDAP Authentication]
 chapter of the Spring Security reference guide.
 
+===== LDAP Role Mapping
+
+By default, the role name retrieved from Ldap needs to match the name of the
+role in Spring Cloud Data Flow. However, it is also possible to explicitly
+provide a mapping between LDAP roles and Spring Cloud Data Flow roles.
+[source,yaml]
+----
+security:
+  basic:
+    enabled: true
+    realm: Spring Cloud Data Flow
+spring:
+  cloud:
+    dataflow:
+      security:
+        authentication:
+          ldap:
+            enabled: true
+            url: ldap://localhost:10389
+            managerDn: uid=admin,ou=system
+            managerPassword: secret
+            userSearchBase: ou=otherpeople,dc=example,dc=com
+            userSearchFilter: uid={0}
+            roleMappings:                                                 # <1>
+              ROLE_MANAGE: foo-manage                                     # <2>
+              ROLE_VIEW: bar-view
+              ROLE_CREATE: foo-manage
+----
+
+<1> Enables explicit role mapping support
+<2> When role mapping support is enabled, you must provide a mapping for
+all 3 Spring Cloud Data Flow roles *ROLE_MANAGE*, *ROLE_VIEW*, *ROLE_CREATE*.
+
 ===== LDAP Transport Security
 
 When connecting to an LDAP server, you typically (in the LDAP world) have two options

spring-cloud-starter-dataflow-server-local/src/test/java/org/springframework/cloud/dataflow/server/local/security/LdapServerResource.java

@@ -55,12 +55,21 @@ public class LdapServerResource extends ExternalResource {
 
 	private boolean enabledSsl = false;
 
+	private final String ldapFileName;
+
 	public LdapServerResource() {
 		super();
+		this.ldapFileName = "testUsers.ldif";
+	}
+
+	public LdapServerResource(String ldapFileName) {
+		super();
+		this.ldapFileName = ldapFileName;
 	}
 
 	public LdapServerResource(boolean enabledSsl) {
 		this.enabledSsl = true;
+		this.ldapFileName = "testUsers.ldif";
 	}
 
 	@Override
@@ -70,9 +79,8 @@ protected void before() throws Throwable {
 
 		temporaryFolder.create();
 		apacheDSContainer = new ApacheDSContainerWithSecurity("dc=springframework,dc=org",
-				"classpath:org/springframework/cloud/dataflow/server/local/security/testUsers.ldif");
+				"classpath:org/springframework/cloud/dataflow/server/local/security/" + this.ldapFileName);
 		int ldapPort = SocketUtils.findAvailableTcpPort();
-
 		if (enabledSsl) {
 
 			apacheDSContainer.setEnabledLdapOverSsl(true);

spring-cloud-starter-dataflow-server-local/src/test/java/org/springframework/cloud/dataflow/server/local/security/LocalServerSecurityWithLdapSimpleBindGroupMappingTests.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.cloud.dataflow.server.local.security;
+
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.rules.RuleChain;
+import org.junit.rules.TestRule;
+
+import org.springframework.cloud.dataflow.server.local.LocalDataflowResource;
+
+import static org.springframework.cloud.dataflow.server.local.security.SecurityTestUtils.basicAuthorizationHeader;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author Gunnar Hillert
+ */
+public class LocalServerSecurityWithLdapSimpleBindGroupMappingTests {
+
+	private final static LocalDataflowResource localDataflowResource = new LocalDataflowResource(
+			"classpath:org/springframework/cloud/dataflow/server/local/security/ldapSimpleBindGroupMapping.yml");
+
+	@ClassRule
+	public static TestRule springDataflowAndLdapServer = RuleChain.outerRule(
+		new LdapServerResource("testUsersWithCustomRoles.ldif")).around(localDataflowResource);
+
+	@Test
+	public void testWrongUsernameFails() throws Exception {
+		localDataflowResource.getMockMvc()
+				.perform(get("/apps").header("Authorization", basicAuthorizationHeader("joe", "wrongspassword")))
+				.andDo(print()).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void testDefaultSpringBootConfigurationFails() throws Exception {
+		localDataflowResource.getMockMvc()
+				.perform(get("/apps").header("Authorization", basicAuthorizationHeader("admin", "whosThere")))
+				.andDo(print()).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void testWrongPasswordFails() throws Exception {
+		localDataflowResource.getMockMvc()
+				.perform(get("/apps").header("Authorization", basicAuthorizationHeader("bob", "bobpassword999")))
+				.andDo(print()).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void testUnauthenticatedAccessToAppsEndpointFails() throws Exception {
+		localDataflowResource.getMockMvc().perform(get("/apps")).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void testUnauthenticatedAccessToManagementEndpointFails() throws Exception {
+		localDataflowResource.getMockMvc().perform(get("/management/metrics")).andExpect(status().isUnauthorized());
+	}
+
+	@Test
+	public void testAuthenticatedAccessToAppsEndpointSucceeds() throws Exception {
+		localDataflowResource.getMockMvc()
+				.perform(get("/apps").header("Authorization", basicAuthorizationHeader("joe", "joespassword")))
+				.andDo(print()).andExpect(status().isOk());
+	}
+
+	@Test
+	public void testAuthenticatedAccessToManagementEndpointSucceeds() throws Exception {
+		localDataflowResource.getMockMvc().perform(
+				get("/management/metrics").header("Authorization", basicAuthorizationHeader("joe", "joespassword")))
+				.andDo(print()).andExpect(status().isOk());
+	}
+
+}

spring-cloud-starter-dataflow-server-local/src/test/resources/org/springframework/cloud/dataflow/server/local/security/ldapSimpleBindGroupMapping.yml

@@ -0,0 +1,23 @@
+management:
+  security:
+    enabled: true
+security:
+  basic:
+    enabled: true
+    realm: Spring Cloud Data Flow
+spring:
+  cloud:
+    dataflow:
+      security:
+        authentication:
+          ldap:
+            enabled: true
+            url: ldap://localhost:${ldap.port}
+            userDnPattern: uid={0},ou=otherpeople,dc=springframework,dc=org
+            groupSearchFilter: member={0}
+            groupRoleAttribute: cn
+            groupSearchBase: ou=groups,dc=springframework,dc=org
+            roleMappings:
+              ROLE_MANAGE: foo-manage
+              ROLE_VIEW: bar-view
+              ROLE_CREATE: foo-manage

spring-cloud-starter-dataflow-server-local/src/test/resources/org/springframework/cloud/dataflow/server/local/security/testUsersWithCustomRoles.ldif

@@ -0,0 +1,138 @@
+dn: ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: groups
+
+dn: ou=subgroups,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: subgroups
+
+dn: ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: people
+
+dn: ou=space cadets,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: space cadets
+
+dn: ou=\"quoted people\",dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: "quoted people"
+
+dn: ou=otherpeople,dc=springframework,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: otherpeople
+
+dn: uid=ben,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Ben Alex
+sn: Alex
+uid: ben
+userPassword: {SHA}nFCebWjxfaLbHHG1Qk5UU4trbvQ=
+
+dn: uid=bob,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Bob Hamilton
+sn: Hamilton
+uid: bob
+userPassword: bobspassword
+
+dn: uid=joe,ou=otherpeople,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Joe Smeth
+sn: Smeth
+uid: joe
+userPassword: joespassword
+
+dn: cn=mouse\, jerry,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Mouse, Jerry
+sn: Mouse
+uid: jerry
+userPassword: jerryspassword
+
+dn: cn=slash/guy,ou=people,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: slash/guy
+sn: Slash
+uid: slashguy
+userPassword: slashguyspassword
+
+dn: cn=quote\"guy,ou=\"quoted people\",dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: quote\"guy
+sn: Quote
+uid: quoteguy
+userPassword: quoteguyspassword
+
+dn: uid=space cadet,ou=space cadets,dc=springframework,dc=org
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Space Cadet
+sn: Cadet
+uid: space cadet
+userPassword: spacecadetspassword
+
+
+
+dn: cn=developers,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: developers
+ou: developer
+member: uid=ben,ou=people,dc=springframework,dc=org
+member: uid=bob,ou=people,dc=springframework,dc=org
+
+dn: cn=bar-view,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: bar-view
+ou: bar-view
+member: uid=joe,ou=otherpeople,dc=springframework,dc=org
+
+dn: cn=foo-manage,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: foo-manage
+ou: foo-manage
+member: uid=joe,ou=otherpeople,dc=springframework,dc=org
+
+dn: cn=managers,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: manager
+ou: manager
+member: uid=ben,ou=people,dc=springframework,dc=org
+member: cn=mouse\, jerry,ou=people,dc=springframework,dc=org
+
+dn: cn=submanagers,ou=subgroups,ou=groups,dc=springframework,dc=org
+objectclass: top
+objectclass: groupOfNames
+cn: submanagers
+ou: submanager
+member: uid=ben,ou=people,dc=springframework,dc=org