Merge release branch 4.19 to 4.20

* 4.19: Add check for ldap truststore password (#11055)
2025-10-26 08:42:29 +01:00 · 2025-07-03 12:07:05 +02:00 · 2025-07-03 12:07:05 +02:00 · 7cad65d310
commit 7cad65d310
parent c24e4eea85 cbd2b5a022
2 changed files with 37 additions and 2 deletions
--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapContextFactory.java
@ -16,6 +16,7 @@
 // under the License.
 package org.apache.cloudstack.ldap;

+import java.io.FileInputStream;
 import java.io.IOException;
 import java.util.Hashtable;

@ -24,6 +25,7 @@ import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
+import java.security.KeyStore;

 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
@ -73,8 +75,36 @@ public class LdapContextFactory {
        if (sslStatus) {
            logger.info("LDAP SSL enabled.");
            environment.put(Context.SECURITY_PROTOCOL, "ssl");
-            System.setProperty("javax.net.ssl.trustStore", _ldapConfiguration.getTrustStore(domainId));
-            System.setProperty("javax.net.ssl.trustStorePassword", _ldapConfiguration.getTrustStorePassword(domainId));
+            String trustStore = _ldapConfiguration.getTrustStore(domainId);
+            String trustStorePassword = _ldapConfiguration.getTrustStorePassword(domainId);
+
+            if (!validateTrustStore(trustStore, trustStorePassword)) {
+                throw new RuntimeException("Invalid truststore or truststore password");
+            }
+
+            System.setProperty("javax.net.ssl.trustStore", trustStore);
+            System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
+        }
+    }
+
+    private boolean validateTrustStore(String trustStore, String trustStorePassword) {
+        if (trustStore == null) {
+            return true;
+        }
+
+        if (trustStorePassword == null) {
+            return false;
+        }
+
+        try {
+            KeyStore.getInstance("JKS").load(
+                new FileInputStream(trustStore),
+                trustStorePassword.toCharArray()
+            );
+            return true;
+        } catch (Exception e) {
+            s_logger.warn("Failed to validate truststore: " + e.getMessage());
+            return false;
        }
    }

--- a/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
+++ b/plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapManagerImpl.java
@ -184,6 +184,11 @@ public class LdapManagerImpl extends ComponentLifecycleBase implements LdapManag
            } catch (NamingException | IOException e) {
                logger.debug("NamingException while doing an LDAP bind", e);
                throw new InvalidParameterValueException("Unable to bind to the given LDAP server");
+            } catch (RuntimeException e) {
+                if (e.getMessage().contains("Invalid truststore")) {
+                    throw new InvalidParameterValueException("Invalid truststore or truststore password");
+                }
+                throw e;
            } finally {
                closeContext(context);
            }