[OPENAM-13720] Public API method LDAPUtils.convertToLDAPURLs can not handle IPv6 literals Created: 08/Oct/18  Updated: 28/Jun/19  Resolved: 04/Dec/18

Status: Resolved
Project: OpenAM
Component/s: other
Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0
Fix Version/s: 13.5.3, 14.1.2, 6.5.0.1, 6.5.1, 6.0.1, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Java Source File LDAPUtilsTest.java
Issue Links:
Depends
depends on OPENDJ-5558 SDK: LdapUrl is not IPv6 clean Done
Target Version/s:
Sprint: AM Sustaining Sprint 57, AM Sustaining Sprint 58
Story Points: 3
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
Yes
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

LDAPUtils.convertToLDAPURLs cannot handle IPv6 literals as specified in https://tools.ietf.org/html/rfc4516#section-2 and https://tools.ietf.org/html/rfc3986#section-3.2.2

How to reproduce the issue

Find unit test attached.

Expected behaviour

IPv6 literals should be usable.

Current behaviour

If an IPv6 literal is used, the LDAPURL object is returned with the wrong host and port, because the first colon inside the bracketed address is taken as the host/port separator.

Code analysis

org.forgerock.openam.ldap.LDAPURL.java
public static LDAPURL valueOf(String url) {
    Boolean isSSL = null;
    String host;
    int port;
    int firstIdx = url.indexOf(COLON_SLASH_SLASH);   // position of "://", or -1 when no scheme is given
    if (firstIdx != -1) {
        String scheme = url.substring(0, firstIdx);
        if (scheme.equalsIgnoreCase("ldaps")) {
            isSSL = true;
        } else {
            isSSL = false;
        }
    }
    // Defect: for an IPv6 literal such as ldap://[::1]:1636 this finds the first colon
    // inside the bracketed address, not the host/port separator after "]".
    int lastIdx = url.indexOf(SEPARATOR, firstIdx + 1);
    if (lastIdx != -1) {
        try {
            // With the example above the substring is ":1]:1636", which is not a number ...
            port = Integer.parseInt(url.substring(lastIdx + 1));
        } catch (NumberFormatException nfe) {
            port = DEFAULT_PORT;   // ... so the default port is used silently
        }
    } else {
        port = DEFAULT_PORT;
    }
    firstIdx = firstIdx == -1 ? 0 : firstIdx + COLON_SLASH_SLASH.length();
    lastIdx = lastIdx == -1 ? url.length() : lastIdx;
    host = url.substring(firstIdx, lastIdx);   // for the example this yields "[" instead of "[::1]"
    if (port < 1 || port > 65535) {
        port = DEFAULT_PORT;
    }

    return new LDAPURL(host, port, isSSL);
}
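The following parser is an added example, not AM's own code and not the fix that shipped for this issue. It shows one way to treat a bracketed IPv6 literal (RFC 3986 section 3.2.2, the host form RFC 4516 uses) as a single token so the port separator is only looked for after the closing bracket. The class name Ipv6SafeLdapUrl, its constants and the sample URLs are assumptions; DEFAULT_PORT is taken as 389 to match the value seen in the test output quoted in the comments on this issue.

```java
/**
 * Example parser (assumed names) that keeps a bracketed IPv6 literal whole.
 * Hostnames and IPv4 addresses are handled as before: the first colon starts the port.
 */
public final class Ipv6SafeLdapUrl {
    private static final String COLON_SLASH_SLASH = "://";
    private static final char SEPARATOR = ':';
    private static final int DEFAULT_PORT = 389;   // assumed to match AM's DEFAULT_PORT

    public final String host;     // IPv6 literals are kept bracketed, e.g. "[::1]"
    public final int port;
    public final Boolean isSSL;   // null when the URL carries no scheme, as in the original

    private Ipv6SafeLdapUrl(String host, int port, Boolean isSSL) {
        this.host = host;
        this.port = port;
        this.isSSL = isSSL;
    }

    public static Ipv6SafeLdapUrl valueOf(String url) {
        Boolean isSSL = null;
        String authority = url;
        int schemeEnd = url.indexOf(COLON_SLASH_SLASH);
        if (schemeEnd != -1) {
            isSSL = url.substring(0, schemeEnd).equalsIgnoreCase("ldaps");
            authority = url.substring(schemeEnd + COLON_SLASH_SLASH.length());
        }

        String host;
        String portText = null;
        if (authority.startsWith("[")) {
            // IP-literal: everything up to and including ']' is the host, whatever colons it contains.
            int close = authority.indexOf(']');
            if (close == -1) {
                throw new IllegalArgumentException("Unterminated IPv6 literal in " + url);
            }
            host = authority.substring(0, close + 1);
            validateIpv6Literal(host, url);
            String rest = authority.substring(close + 1);
            if (!rest.isEmpty()) {
                if (rest.charAt(0) != SEPARATOR) {
                    throw new IllegalArgumentException("Unexpected text after IPv6 literal in " + url);
                }
                portText = rest.substring(1);
            }
        } else {
            // Hostname or IPv4 address: no colon can belong to the host, so the first one starts the port.
            int sep = authority.indexOf(SEPARATOR);
            if (sep == -1) {
                host = authority;
            } else {
                host = authority.substring(0, sep);
                portText = authority.substring(sep + 1);
            }
        }

        int port = DEFAULT_PORT;
        if (portText != null) {
            try {
                port = Integer.parseInt(portText);
            } catch (NumberFormatException nfe) {
                port = DEFAULT_PORT;   // same fallback as the original parser
            }
        }
        if (port < 1 || port > 65535) {
            port = DEFAULT_PORT;
        }
        return new Ipv6SafeLdapUrl(host, port, isSSL);
    }

    /** Syntactic check only (hex digits, colons, dots, at least one colon); not a full address validator. */
    private static void validateIpv6Literal(String bracketed, String url) {
        String inner = bracketed.substring(1, bracketed.length() - 1);
        if (inner.indexOf(SEPARATOR) == -1 || !inner.matches("[0-9A-Fa-f:.]+")) {
            throw new IllegalArgumentException("Not an IPv6 literal: " + url);
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the first two have the shape the original parser gets wrong.
        String[] samples = {
            "ldaps://[::1]:1636",
            "ldap://[2001:db8::10]",
            "ldap://ds.example.com:1389",
            "ds.example.com",
        };
        for (String s : samples) {
            Ipv6SafeLdapUrl u = valueOf(s);
            System.out.println(s + " -> host=" + u.host + " port=" + u.port + " ssl=" + u.isSSL);
        }
    }
}
```

Unlike the original, this version rejects a malformed literal (unterminated bracket, or text between "]" and the port) instead of silently falling back to the default host and port; a caller that must keep the lenient behaviour can catch the IllegalArgumentException. The host is returned with its brackets so that it round-trips into a URL string unchanged; java.net.InetAddress.getByName accepts that bracketed form for IPv6 literals.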


Comments
Comment by Bernhard Thalmayr [ 08/Oct/18 ]

The attached file is an extended Unit test of AM 6.0.0.4.

IPv6 Unit test is missing from "LDAPURLParsingTest" of artifact openam-ldap-utils

Comment by Peter Major [X] (Inactive) [ 08/Oct/18 ]

Use DNS instead?

Comment by Chris Ridd [ 09/Oct/18 ]

I was going to suggest using the LdapUrl class from opendj-core, but that's broken too! OPENDJ-5558

Perhaps fix LdapUrl and then use that class here instead of AM having its own LDAPURL?

Comment by Bernhard Thalmayr [ 15/Oct/18 ]

Tweaking the resolver (hosts file, DNS, NIS, LDAP) could be a workaround, but sometimes this is not possible. E.g. when there is a server certificate that does not have the needed Subject Alternative Name extension.

Comment by Jonathan Thomas [ 06/Nov/18 ]

AM LDAPURL class does not look to be easily swapped with the DS LdapUrl.

We need to see if we can pull in fix logic to the AM version.

Comment by Ľubomír Mlích [ 10/Jan/19 ]

The attached unit test fails in 6.5 with

org.junit.ComparisonFailure:
Expected :1636
Actual   :389

And succeeds in 6.5.0.1

Comment by Ľubomír Mlích [ 25/Mar/19 ]

Verified in 6.5.1

Generated at Thu Dec 03 20:03:54 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.