LDAP SASL EXTERNAL with KeyStore SPI

Signed-off-by: Tero Saarni <[email protected]>

Author: tsaarni

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPContextManager.java

@@ -59,6 +59,12 @@ public void close() {
     public LDAPContextManager(KeycloakSession session, LDAPConfig connectionProperties) {
         this.session = session;
         this.ldapConfig = connectionProperties;
+
+        String useTruststoreSpi = connectionProperties.getUseTruststoreSpi();
+        if (useTruststoreSpi != null && !useTruststoreSpi.equals(LDAPConstants.USE_TRUSTSTORE_NEVER)) {
+            // Initialize LDAP socket factory that utilizes TrustStore SPI and KeyStore SPI.
+            LDAPSSLSocketFactory.initialize(session);
+        }
     }
 
     public static LDAPContextManager create(KeycloakSession session, LDAPConfig connectionProperties) {
@@ -81,8 +87,7 @@ private void createLdapContext() throws NamingException {
         if (ldapConfig.isStartTls()) {
             SSLSocketFactory sslSocketFactory = null;
             if (LDAPUtil.shouldUseTruststoreSpi(ldapConfig)) {
-                TruststoreProvider provider = session.getProvider(TruststoreProvider.class);
-                sslSocketFactory = provider.getSSLSocketFactory();
+                sslSocketFactory = LDAPSSLSocketFactory.getDefault();
             }
 
             tlsResponse = startTLS(ldapContext, ldapConfig.getAuthType(), ldapConfig.getBindDN(),
@@ -193,7 +198,7 @@ public static Hashtable<Object, Object> getNonAuthConnectionProperties(LDAPConfi
         // when using Start TLS, use default socket factory for LDAP client but pass the TrustStore SSL socket factory later
         // when calling StartTlsResponse.negotiate(trustStoreSSLSocketFactory)
         if (!ldapConfig.isStartTls() && LDAPUtil.shouldUseTruststoreSpi(ldapConfig)) {
-            env.put("java.naming.ldap.factory.socket", "org.keycloak.truststore.SSLSocketFactory");
+            env.put("java.naming.ldap.factory.socket", "org.keycloak.storage.ldap.idm.store.ldap.LDAPSSLSocketFactory");
         }
 
         String connectionPooling = ldapConfig.getConnectionPooling();

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java

@@ -27,7 +27,6 @@
 import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
 import org.keycloak.storage.ldap.idm.store.ldap.extended.PasswordModifyRequest;
 import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
-import org.keycloak.truststore.TruststoreProvider;
 
 import javax.naming.AuthenticationException;
 import javax.naming.Binding;
@@ -511,8 +510,10 @@ public void authenticate(LdapName dn, String password) throws AuthenticationExce
             if (config.isStartTls()) {
                 SSLSocketFactory sslSocketFactory = null;
                 if (LDAPUtil.shouldUseTruststoreSpi(config)) {
-                    TruststoreProvider provider = session.getProvider(TruststoreProvider.class);
-                    sslSocketFactory = provider.getSSLSocketFactory();
+                    // In this code path LDAPContextManager is not used, so we'd need to make sure that
+                    // the SSL socket factory has been initialized before using.
+                    LDAPSSLSocketFactory.initialize(session);
+                    sslSocketFactory = LDAPSSLSocketFactory.getDefault();
                 }
 
                 tlsResponse = LDAPContextManager.startTLS(authCtx, "simple", dn.toString(), password.toCharArray(), sslSocketFactory);
@@ -532,7 +533,7 @@ public void authenticate(LdapName dn, String password) throws AuthenticationExce
             if (logger.isDebugEnabled()) {
                 logger.debugf(re, "LDAP Connection TimeOut for DN [%s]", dn);
             }
-            
+
             throw re;
 
         } catch (Exception e) {

federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPSSLSocketFactory.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.storage.ldap.idm.store.ldap;
+
+import org.jboss.logging.Logger;
+import org.keycloak.keystore.KeyStoreProvider;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.truststore.TruststoreProvider;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Comparator;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.KeyStoreBuilderParameters;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+
+public class LDAPSSLSocketFactory extends SSLSocketFactory implements Comparator<String> {
+
+    private static final String NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY = "Not implemented by LDAPSSLSocketFactory";
+
+    private static final Logger log = Logger.getLogger(LDAPSSLSocketFactory.class);
+
+    private static SSLSocketFactory instance = null;
+
+    private LDAPSSLSocketFactory() {
+    }
+
+    public static synchronized void initialize(KeycloakSession session) {
+        if (instance == null) {
+            try {
+                // Initialize TrustManager with TrustStore provided by TrustStore SPI.
+                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                TruststoreProvider tsp = session.getProvider(TruststoreProvider.class);
+                if (tsp == null) {
+                    new RuntimeException("Truststore SPI used but Truststore was not configured");
+                }
+                tmf.init(tsp.getTruststore());
+                TrustManager[] tms = tmf.getTrustManagers();
+
+                // Initialize KeyManager with KeyStore provided by KeyStore SPI.
+                KeyManager[] kms = null;
+                KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
+                KeyStore.Builder ksb = session.getProvider(KeyStoreProvider.class)
+                        .loadKeyStoreBuilder(KeyStoreProvider.LDAP_CLIENT_KEYSTORE);
+                if (ksb != null) {
+                    kmf.init(new KeyStoreBuilderParameters(ksb));
+                    kms = kmf.getKeyManagers();
+                }
+
+                log.infov("Initializing LDAPSSLSocketFactory: trustStore={0}, keyStore={1}",
+                        tms != null ? "yes" : "no",
+                        kms != null ? "yes" : "no");
+
+                SSLContext context = SSLContext.getInstance("TLS");
+                context.init(kms, tms, null);
+
+                instance = context.getSocketFactory();
+            } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException | InvalidAlgorithmParameterException e) {
+                log.error("Failed to initialize SSLContext for LDAP: " + e.toString());
+                throw new RuntimeException("Failed to initialize SSLContext: " + e.toString());
+            }
+        }
+    }
+
+    public static SSLSocketFactory getDefault() {
+        return instance;
+    }
+
+    /**
+     * Enables LDAP connection pooling for sockets from custom socket factory.
+     * See https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html#pooling
+     *
+     * Note that Comparator<String> needs to be implemented since JDK uses the class name as string for the comparison.
+     *
+     * For more information, see:
+     * https://stackoverflow.com/questions/23898970/pooling-ldap-connections-with-custom-socket-factory
+     * https://bugs.openjdk.org/browse/JDK-6587244?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aworklog-tabpanel
+     */
+    @Override
+    public int compare(String o1, String o2) {
+        return o1.compareTo(o2);
+    }
+
+    // Following methods are not used by the JNDI LDAP implementation and therefore do not need to be implemented.
+
+    @Override
+    public Socket createSocket(String host, int port) throws IOException {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
+            throws IOException {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public Socket createSocket(InetAddress host, int port) throws IOException {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
+            throws IOException {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public String[] getSupportedCipherSuites() {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+    @Override
+    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+        throw new UnsupportedOperationException(NOT_IMPLEMENTED_BY_LDAP_SOCKET_FACTORY);
+    }
+
+}

server-spi-private/src/main/java/org/keycloak/models/LDAPConstants.java

@@ -55,6 +55,7 @@ public class LDAPConstants {
     public static final String AUTH_TYPE = "authType";
     public static final String AUTH_TYPE_NONE = "none";
     public static final String AUTH_TYPE_SIMPLE = "simple";
+    public static final String AUTH_TYPE_EXTERNAL = "EXTERNAL";
 
     public static final String USE_TRUSTSTORE_SPI = "useTruststoreSpi";
     public static final String USE_TRUSTSTORE_ALWAYS = "always";

testsuite/integration-arquillian/servers/auth-server/quarkus/src/main/content/conf/keycloak.conf

@@ -28,6 +28,10 @@ spi-hostname-default-frontend-url = ${keycloak.frontendUrl:}
 spi-truststore-file-file=${kc.home.dir}/conf/keycloak.truststore
 spi-truststore-file-password=secret
 
+# KeyStore Provider
+spi-keystore-default-ldap-keystore-file=${kc.home.dir}/conf/keycloak.jks
+spi-keystore-default-ldap-keystore-password=secret
+
 # Declarative User Profile
 spi-user-profile-provider=declarative-user-profile
 spi-user-profile-declarative-user-profile-read-only-attributes=deniedFoo,deniedBar*,deniedSome/thing,deniedsome*thing