test/unit/org/apache/cassandra/auth/RoleOptionsTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.cassandra.auth;

import java.lang.reflect.Field;
import java.util.*;

import com.google.common.collect.ImmutableSet;
import org.junit.Test;

import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.*;
import org.apache.cassandra.utils.FBUtilities;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

public class RoleOptionsTest
{
    @Test
    public void validateValueTypes()
    {
        setupRoleManager(getRoleManager(IRoleManager.Option.values()));

        RoleOptions opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.LOGIN, "test");
        assertInvalidOptions(opts, "Invalid value for property 'LOGIN'. It must be a boolean");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.PASSWORD, 99);
        assertInvalidOptions(opts, "Invalid value for property 'PASSWORD'. It must be a string");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.SUPERUSER, new HashSet<>());
        assertInvalidOptions(opts, "Invalid value for property 'SUPERUSER'. It must be a boolean");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.HASHED_PASSWORD, 99);
        assertInvalidOptions(opts, "Invalid value for property 'HASHED_PASSWORD'. It must be a string");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.HASHED_PASSWORD, "invalid_hash");
        assertInvalidOptions(opts, "Invalid hashed password value. Please use jBcrypt.");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.OPTIONS, false);
        assertInvalidOptions(opts, "Invalid value for property 'OPTIONS'. It must be a map");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.PASSWORD, "abc");
        opts.setOption(IRoleManager.Option.HASHED_PASSWORD, "$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG");
        assertInvalidOptions(opts, "Properties 'PASSWORD' and 'HASHED_PASSWORD' are mutually exclusive");

        opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.LOGIN, true);
        opts.setOption(IRoleManager.Option.SUPERUSER, false);
        opts.setOption(IRoleManager.Option.PASSWORD, "test");
        opts.setOption(IRoleManager.Option.OPTIONS, Collections.singletonMap("key", "value"));
        opts.validate();
    }

    @Test
    public void rejectUnsupportedOptions()
    {
        // Our hypothetical IRoleManager only supports the LOGIN option
        IRoleManager roleManager = getRoleManager(IRoleManager.Option.LOGIN);
        setupRoleManager(roleManager);
        RoleOptions opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.PASSWORD, "test");
        assertInvalidOptions(opts, String.format("%s doesn't support PASSWORD", roleManager.getClass().getName()));
    }

    @Test
    public void rejectSettingSameOptionMultipleTimes()
    {
        RoleOptions opts = new RoleOptions();
        opts.setOption(IRoleManager.Option.LOGIN, true);
        try
        {
            opts.setOption(IRoleManager.Option.LOGIN, false);
        }
        catch (SyntaxException e)
        {
            assertEquals("Multiple definition for property 'LOGIN'", e.getMessage());
        }
    }

    @Test
    public void emptyByDefault()
    {
        RoleOptions opts = new RoleOptions();
        assertTrue(opts.isEmpty());
        assertFalse(opts.getLogin().isPresent());

        opts.setOption(IRoleManager.Option.LOGIN, true);
        assertFalse(opts.isEmpty());
        assertTrue(opts.getLogin().isPresent());
        assertTrue(opts.getLogin().get());
    }

    private void assertInvalidOptions(RoleOptions opts, String message)
    {
        try
        {
            opts.validate();
            fail("Expected error but didn't get one");
        }
        catch (InvalidRequestException e)
        {
            assertEquals(message, e.getMessage());
        }
    }

    private void setupRoleManager(IRoleManager manager)
    {
        Field field = FBUtilities.getProtectedField(DatabaseDescriptor.class, "roleManager");
        try
        {
            field.set(null, manager);
        }
        catch (IllegalAccessException e)
        {
            fail("Error setting IRoleManager instance for test");
        }
    }

    private IRoleManager getRoleManager(final IRoleManager.Option...supportedOptions)
    {
        return new IRoleManager()
        {
            public Set<Option> supportedOptions()
            {
                return ImmutableSet.copyOf(supportedOptions);
            }

            public Set<Option> alterableOptions()
            {
                return null;
            }

            public void createRole(AuthenticatedUser performer,
                                   RoleResource role,
                                   RoleOptions options) throws RequestValidationException, RequestExecutionException
            {

            }

            public void dropRole(AuthenticatedUser performer,
                                 RoleResource role) throws RequestValidationException, RequestExecutionException
            {

            }

            public void alterRole(AuthenticatedUser performer,
                                  RoleResource role,
                                  RoleOptions options) throws RequestValidationException, RequestExecutionException
            {

            }

            public void grantRole(AuthenticatedUser performer,
                                  RoleResource role,
                                  RoleResource grantee) throws RequestValidationException, RequestExecutionException
            {

            }

            public void revokeRole(AuthenticatedUser performer,
                                   RoleResource role,
                                   RoleResource revokee) throws RequestValidationException, RequestExecutionException
            {

            }

            public Set<RoleResource> getRoles(RoleResource grantee,
                                              boolean includeInherited) throws RequestValidationException, RequestExecutionException
            {
                return null;
            }

            public Set<RoleResource> getAllRoles() throws RequestValidationException, RequestExecutionException
            {
                return null;
            }

            public boolean isSuper(RoleResource role)
            {
                return false;
            }

            public boolean canLogin(RoleResource role)
            {
                return false;
            }

            public Map<String, String> getCustomOptions(RoleResource role)
            {
                return Collections.EMPTY_MAP;
            }

            public boolean isExistingRole(RoleResource role)
            {
                return false;
            }

            public Set<? extends IResource> protectedResources()
            {
                return null;
            }

            public void validateConfiguration() throws ConfigurationException
            {

            }

            public void setup()
            {

            }
        };
    }
}