geode-core/src/integrationTest/java/org/apache/geode/management/internal/security/DeployCommandsSecurityTest.java - geode - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
  * agreements. See the NOTICE file distributed with this work for additional information regarding
  * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance with the License. You may obtain a
  * copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software distributed under the License
  * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
  * or implied. See the License for the specific language governing permissions and limitations under
  * the License.
  */
 package org.apache.geode.management.internal.security;

 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;

 import java.io.File;

 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.junit.rules.TemporaryFolder;

 import org.apache.geode.examples.SimpleSecurityManager;
 import org.apache.geode.management.MemberMXBean;
 import org.apache.geode.security.NotAuthorizedException;
 import org.apache.geode.test.junit.categories.SecurityTest;
 import org.apache.geode.test.junit.rules.ConnectionConfiguration;
 import org.apache.geode.test.junit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.rules.ServerStarterRule;

 @Category({SecurityTest.class})
 public class DeployCommandsSecurityTest {

   private MemberMXBean bean;

   @ClassRule
   public static ServerStarterRule server = new ServerStarterRule()
       .withSecurityManager(SimpleSecurityManager.class).withJMXManager().withAutoStart();

   @ClassRule
   public static TemporaryFolder temporaryFolder = new TemporaryFolder();
   private static String deployCommand = null;
   private static String zipFileName = "functions.jar";

   @BeforeClass
   public static void beforeClass() throws Exception {
     File zipFile = temporaryFolder.newFile(zipFileName);
     deployCommand = "deploy --jar=" + zipFile.getAbsolutePath();
   }

   @Rule
   public MBeanServerConnectionRule connectionRule =
       new MBeanServerConnectionRule(server::getJmxPort);

   @Before
   public void setUp() throws Exception {
     bean = connectionRule.getProxyMXBean(MemberMXBean.class);
   }


   @Test // regular user can't deploy
   @ConnectionConfiguration(user = "user", password = "user")
   public void testNoAccess1() {
     assertThatThrownBy(() -> bean.processCommand(deployCommand))
         .isInstanceOf(NotAuthorizedException.class);
   }

   @Test // only data access right is not enough to deploy
   @ConnectionConfiguration(user = "data", password = "data")
   public void testNoAccess2() {
     assertThatThrownBy(() -> bean.processCommand(deployCommand))
         .isInstanceOf(NotAuthorizedException.class);
   }

   @Test // not sufficient privilege
   @ConnectionConfiguration(user = "clusterRead,clusterWrite,dataRead,dataWrite",
       password = "clusterRead,clusterWrite,dataRead,dataWrite")
   public void testNoAccess4() {
     assertThatThrownBy(() -> bean.processCommand(deployCommand))
         .isInstanceOf(NotAuthorizedException.class);
   }

   @Test // only power user can deploy
   @ConnectionConfiguration(user = "cluster,data", password = "cluster,data")
   public void testPowerAccess1() {
     String result = bean.processCommand(deployCommand);

     assertThat(result).contains("can not be executed only from server side");
   }

   @Test // only power user can deploy
   @ConnectionConfiguration(user = "clusterManage,clusterWrite,dataManage,dataWrite",
       password = "clusterManage,clusterWrite,dataManage,dataWrite")
   public void testPowerAccess2() {
     String result = bean.processCommand(deployCommand);
     assertThat(result).contains("can not be executed only from server side");
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
	* agreements. See the NOTICE file distributed with this work for additional information regarding
	* copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance with the License. You may obtain a
	* copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software distributed under the License
	* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
	* or implied. See the License for the specific language governing permissions and limitations under
	* the License.
	*/
	package org.apache.geode.management.internal.security;

	import static org.assertj.core.api.Assertions.assertThat;
	import static org.assertj.core.api.Assertions.assertThatThrownBy;

	import java.io.File;

	import org.junit.Before;
	import org.junit.BeforeClass;
	import org.junit.ClassRule;
	import org.junit.Rule;
	import org.junit.Test;
	import org.junit.experimental.categories.Category;
	import org.junit.rules.TemporaryFolder;

	import org.apache.geode.examples.SimpleSecurityManager;
	import org.apache.geode.management.MemberMXBean;
	import org.apache.geode.security.NotAuthorizedException;
	import org.apache.geode.test.junit.categories.SecurityTest;
	import org.apache.geode.test.junit.rules.ConnectionConfiguration;
	import org.apache.geode.test.junit.rules.MBeanServerConnectionRule;
	import org.apache.geode.test.junit.rules.ServerStarterRule;

	@Category({SecurityTest.class})
	public class DeployCommandsSecurityTest {

	private MemberMXBean bean;

	@ClassRule
	public static ServerStarterRule server = new ServerStarterRule()
	.withSecurityManager(SimpleSecurityManager.class).withJMXManager().withAutoStart();

	@ClassRule
	public static TemporaryFolder temporaryFolder = new TemporaryFolder();
	private static String deployCommand = null;
	private static String zipFileName = "functions.jar";

	@BeforeClass
	public static void beforeClass() throws Exception {
	File zipFile = temporaryFolder.newFile(zipFileName);
	deployCommand = "deploy --jar=" + zipFile.getAbsolutePath();
	}

	@Rule
	public MBeanServerConnectionRule connectionRule =
	new MBeanServerConnectionRule(server::getJmxPort);

	@Before
	public void setUp() throws Exception {
	bean = connectionRule.getProxyMXBean(MemberMXBean.class);
	}


	@Test // regular user can't deploy
	@ConnectionConfiguration(user = "user", password = "user")
	public void testNoAccess1() {
	assertThatThrownBy(() -> bean.processCommand(deployCommand))
	.isInstanceOf(NotAuthorizedException.class);
	}

	@Test // only data access right is not enough to deploy
	@ConnectionConfiguration(user = "data", password = "data")
	public void testNoAccess2() {
	assertThatThrownBy(() -> bean.processCommand(deployCommand))
	.isInstanceOf(NotAuthorizedException.class);
	}

	@Test // not sufficient privilege
	@ConnectionConfiguration(user = "clusterRead,clusterWrite,dataRead,dataWrite",
	password = "clusterRead,clusterWrite,dataRead,dataWrite")
	public void testNoAccess4() {
	assertThatThrownBy(() -> bean.processCommand(deployCommand))
	.isInstanceOf(NotAuthorizedException.class);
	}

	@Test // only power user can deploy
	@ConnectionConfiguration(user = "cluster,data", password = "cluster,data")
	public void testPowerAccess1() {
	String result = bean.processCommand(deployCommand);

	assertThat(result).contains("can not be executed only from server side");
	}

	@Test // only power user can deploy
	@ConnectionConfiguration(user = "clusterManage,clusterWrite,dataManage,dataWrite",
	password = "clusterManage,clusterWrite,dataManage,dataWrite")
	public void testPowerAccess2() {
	String result = bean.processCommand(deployCommand);
	assertThat(result).contains("can not be executed only from server side");
	}
	}