test/unit/org/apache/cassandra/auth/CreateAndAlterRoleTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.cassandra.auth;

import org.junit.BeforeClass;
import org.junit.Test;

import com.datastax.driver.core.exceptions.AuthenticationException;
import org.apache.cassandra.Util;
import org.apache.cassandra.cql3.CQLTester;

import static org.junit.Assert.assertTrue;
import static org.mindrot.jbcrypt.BCrypt.gensalt;
import static org.mindrot.jbcrypt.BCrypt.hashpw;

public class CreateAndAlterRoleTest extends CQLTester
{
    @BeforeClass
    public static void setUpClass()
    {
        CQLTester.setUpClass();
        requireAuthentication();
        requireNetwork();
    }

    @Test
    public void createAlterRoleWithHashedPassword() throws Throwable
    {
        String user1 = "hashed_pw_role";
        String user2 = "pw_role";
        String plainTextPwd = "super_secret_thing";
        String plainTextPwd2 = "much_safer_password";
        String hashedPassword = hashpw(plainTextPwd, gensalt(4));
        String hashedPassword2 = hashpw(plainTextPwd2, gensalt(4));

        useSuperUser();

        assertInvalidMessage("Invalid hashed password value",
                             String.format("CREATE ROLE %s WITH login=true AND hashed password='%s'",
                                           user1, "this_is_an_invalid_hash"));
        assertInvalidMessage("Options 'password' and 'hashed password' are mutually exclusive",
                             String.format("CREATE ROLE %s WITH login=true AND password='%s' AND hashed password='%s'",
                                           user1, plainTextPwd, hashedPassword));
        executeNet(String.format("CREATE ROLE %s WITH login=true AND hashed password='%s'", user1, hashedPassword));
        executeNet(String.format("CREATE ROLE %s WITH login=true AND password='%s'", user2, plainTextPwd));

        useUser(user1, plainTextPwd);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useUser(user2, plainTextPwd);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useSuperUser();

        assertInvalidMessage("Options 'password' and 'hashed password' are mutually exclusive",
                             String.format("ALTER ROLE %s WITH password='%s' AND hashed password='%s'",
                                           user1, plainTextPwd2, hashedPassword2));
        executeNet(String.format("ALTER ROLE %s WITH password='%s'", user1, plainTextPwd2));
        executeNet(String.format("ALTER ROLE %s WITH hashed password='%s'", user2, hashedPassword2));

        useUser(user1, plainTextPwd2);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useUser(user2, plainTextPwd2);

        executeNetWithAuthSpin("SELECT key FROM system.local");
    }

    @Test
    public void createAlterUserWithHashedPassword() throws Throwable
    {
        String user1 = "hashed_pw_user";
        String user2 = "pw_user";
        String plainTextPwd = "super_secret_thing";
        String plainTextPwd2 = "much_safer_password";
        String hashedPassword = hashpw(plainTextPwd, gensalt(4));
        String hashedPassword2 = hashpw(plainTextPwd2, gensalt(4));

        useSuperUser();

        assertInvalidMessage("Invalid hashed password value",
                             String.format("CREATE USER %s WITH hashed password '%s'",
                                           user1, "this_is_an_invalid_hash"));
        executeNet(String.format("CREATE USER %s WITH hashed password '%s'", user1, hashedPassword));
        executeNet(String.format("CREATE USER %s WITH password '%s'",  user2, plainTextPwd));

        useUser(user1, plainTextPwd);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useUser(user2, plainTextPwd);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useSuperUser();

        executeNet(String.format("ALTER USER %s WITH password '%s'", user1, plainTextPwd2));
        executeNet(String.format("ALTER USER %s WITH hashed password '%s'", user2, hashedPassword2));

        useUser(user1, plainTextPwd2);

        executeNetWithAuthSpin("SELECT key FROM system.local");

        useUser(user2, plainTextPwd2);

        executeNetWithAuthSpin("SELECT key FROM system.local");
    }

    /**
     * Altering or creating auth may take some time to be effective
     *
     * @param query
     */
    void executeNetWithAuthSpin(String query)
    {
        Util.spinAssertEquals(true, () -> {
            try
            {
                executeNet(query);
                return true;
            }
            catch (Throwable e)
            {
                assertTrue("Unexpected exception: " + e, e instanceof AuthenticationException);
                reinitializeNetwork();
                return false;
            }
        }, 10);
    }
}