hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.security;

 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.mockito.Mockito.*;

 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.Writer;
 import java.util.Arrays;
 import java.util.List;

 import javax.naming.CommunicationException;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.BasicAttribute;
 import javax.naming.directory.BasicAttributes;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;

 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.alias.CredentialProvider;
 import org.apache.hadoop.security.alias.CredentialProviderFactory;
 import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;

 @SuppressWarnings("unchecked")
 public class TestLdapGroupsMapping {
   private DirContext mockContext;

   private LdapGroupsMapping mappingSpy = spy(new LdapGroupsMapping());
   private NamingEnumeration mockUserNamingEnum = mock(NamingEnumeration.class);
   private NamingEnumeration mockGroupNamingEnum = mock(NamingEnumeration.class);
   private String[] testGroups = new String[] {"group1", "group2"};

   @Before
   public void setupMocks() throws NamingException {
     mockContext = mock(DirContext.class);
     doReturn(mockContext).when(mappingSpy).getDirContext();

     SearchResult mockUserResult = mock(SearchResult.class);
     // We only ever call hasMoreElements once for the user NamingEnum, so
     // we can just have one return value
     when(mockUserNamingEnum.hasMoreElements()).thenReturn(true);
     when(mockUserNamingEnum.nextElement()).thenReturn(mockUserResult);
     when(mockUserResult.getNameInNamespace()).thenReturn("CN=some_user,DC=test,DC=com");

     SearchResult mockGroupResult = mock(SearchResult.class);
     // We're going to have to define the loop here. We want two iterations,
     // to get both the groups
     when(mockGroupNamingEnum.hasMoreElements()).thenReturn(true, true, false);
     when(mockGroupNamingEnum.nextElement()).thenReturn(mockGroupResult);

     // Define the attribute for the name of the first group
     Attribute group1Attr = new BasicAttribute("cn");
     group1Attr.add(testGroups[0]);
     Attributes group1Attrs = new BasicAttributes();
     group1Attrs.put(group1Attr);

     // Define the attribute for the name of the second group
     Attribute group2Attr = new BasicAttribute("cn");
     group2Attr.add(testGroups[1]);
     Attributes group2Attrs = new BasicAttributes();
     group2Attrs.put(group2Attr);

     // This search result gets reused, so return group1, then group2
     when(mockGroupResult.getAttributes()).thenReturn(group1Attrs, group2Attrs);
   }

   @Test
   public void testGetGroups() throws IOException, NamingException {
     // The search functionality of the mock context is reused, so we will
     // return the user NamingEnumeration first, and then the group
     when(mockContext.search(anyString(), anyString(), any(Object[].class),
         any(SearchControls.class)))
         .thenReturn(mockUserNamingEnum, mockGroupNamingEnum);

     doTestGetGroups(Arrays.asList(testGroups), 2);
   }

   @Test
   public void testGetGroupsWithConnectionClosed() throws IOException, NamingException {
     // The case mocks connection is closed/gc-ed, so the first search call throws CommunicationException,
     // then after reconnected return the user NamingEnumeration first, and then the group
     when(mockContext.search(anyString(), anyString(), any(Object[].class),
         any(SearchControls.class)))
         .thenThrow(new CommunicationException("Connection is closed"))
         .thenReturn(mockUserNamingEnum, mockGroupNamingEnum);

     // Although connection is down but after reconnected it still should retrieve the result groups
     doTestGetGroups(Arrays.asList(testGroups), 1 + 2); // 1 is the first failure call
   }

   @Test
   public void testGetGroupsWithLdapDown() throws IOException, NamingException {
     // This mocks the case where Ldap server is down, and always throws CommunicationException
     when(mockContext.search(anyString(), anyString(), any(Object[].class),
         any(SearchControls.class)))
         .thenThrow(new CommunicationException("Connection is closed"));

     // Ldap server is down, no groups should be retrieved
     doTestGetGroups(Arrays.asList(new String[] {}),
         1 + LdapGroupsMapping.RECONNECT_RETRY_COUNT); // 1 is the first normal call
   }

   private void doTestGetGroups(List<String> expectedGroups, int searchTimes) throws IOException, NamingException {
     Configuration conf = new Configuration();
     // Set this, so we don't throw an exception
     conf.set(LdapGroupsMapping.LDAP_URL_KEY, "ldap://test");

     mappingSpy.setConf(conf);
     // Username is arbitrary, since the spy is mocked to respond the same,
     // regardless of input
     List<String> groups = mappingSpy.getGroups("some_user");

     Assert.assertEquals(expectedGroups, groups);

     // We should have searched for a user, and then two groups
     verify(mockContext, times(searchTimes)).search(anyString(),
                                          anyString(),
                                          any(Object[].class),
                                          any(SearchControls.class));
   }

   @Test
   public void testExtractPassword() throws IOException {
     File testDir = new File(System.getProperty("test.build.data",
                                                "target/test-dir"));
     testDir.mkdirs();
     File secretFile = new File(testDir, "secret.txt");
     Writer writer = new FileWriter(secretFile);
     writer.write("hadoop");
     writer.close();

     LdapGroupsMapping mapping = new LdapGroupsMapping();
     Assert.assertEquals("hadoop",
         mapping.extractPassword(secretFile.getPath()));
   }

   @Test
   public void testConfGetPassword() throws Exception {
     File testDir = new File(System.getProperty("test.build.data",
                                                "target/test-dir"));
     Configuration conf = new Configuration();
     final String ourUrl =
         JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";

     File file = new File(testDir, "test.jks");
     file.delete();
     conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

     CredentialProvider provider =
         CredentialProviderFactory.getProviders(conf).get(0);
     char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
     char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

     // ensure that we get nulls when the key isn't there
     assertEquals(null, provider.getCredentialEntry(
         LdapGroupsMapping.BIND_PASSWORD_KEY));
     assertEquals(null, provider.getCredentialEntry
         (LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

     // create new aliases
     try {
       provider.createCredentialEntry(
           LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);

       provider.createCredentialEntry(
           LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
       provider.flush();
     } catch (Exception e) {
       e.printStackTrace();
       throw e;
     }
     // make sure we get back the right key
     assertArrayEquals(bindpass, provider.getCredentialEntry(
         LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
     assertArrayEquals(storepass, provider.getCredentialEntry(
         LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

     LdapGroupsMapping mapping = new LdapGroupsMapping();
     Assert.assertEquals("bindpass",
         mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
     Assert.assertEquals("storepass",
         mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
            ""));
     // let's make sure that a password that doesn't exist returns an
     // empty string as currently expected and used to trigger a call to
     // extract password
     Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
   }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.security;

	import static org.junit.Assert.assertArrayEquals;
	import static org.junit.Assert.assertEquals;
	import static org.mockito.Mockito.*;

	import java.io.File;
	import java.io.FileWriter;
	import java.io.IOException;
	import java.io.Writer;
	import java.util.Arrays;
	import java.util.List;

	import javax.naming.CommunicationException;
	import javax.naming.NamingEnumeration;
	import javax.naming.NamingException;
	import javax.naming.directory.Attribute;
	import javax.naming.directory.Attributes;
	import javax.naming.directory.BasicAttribute;
	import javax.naming.directory.BasicAttributes;
	import javax.naming.directory.DirContext;
	import javax.naming.directory.SearchControls;
	import javax.naming.directory.SearchResult;

	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.security.alias.CredentialProvider;
	import org.apache.hadoop.security.alias.CredentialProviderFactory;
	import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
	import org.junit.Assert;
	import org.junit.Before;
	import org.junit.Test;

	@SuppressWarnings("unchecked")
	public class TestLdapGroupsMapping {
	private DirContext mockContext;

	private LdapGroupsMapping mappingSpy = spy(new LdapGroupsMapping());
	private NamingEnumeration mockUserNamingEnum = mock(NamingEnumeration.class);
	private NamingEnumeration mockGroupNamingEnum = mock(NamingEnumeration.class);
	private String[] testGroups = new String[] {"group1", "group2"};

	@Before
	public void setupMocks() throws NamingException {
	mockContext = mock(DirContext.class);
	doReturn(mockContext).when(mappingSpy).getDirContext();

	SearchResult mockUserResult = mock(SearchResult.class);
	// We only ever call hasMoreElements once for the user NamingEnum, so
	// we can just have one return value
	when(mockUserNamingEnum.hasMoreElements()).thenReturn(true);
	when(mockUserNamingEnum.nextElement()).thenReturn(mockUserResult);
	when(mockUserResult.getNameInNamespace()).thenReturn("CN=some_user,DC=test,DC=com");

	SearchResult mockGroupResult = mock(SearchResult.class);
	// We're going to have to define the loop here. We want two iterations,
	// to get both the groups
	when(mockGroupNamingEnum.hasMoreElements()).thenReturn(true, true, false);
	when(mockGroupNamingEnum.nextElement()).thenReturn(mockGroupResult);

	// Define the attribute for the name of the first group
	Attribute group1Attr = new BasicAttribute("cn");
	group1Attr.add(testGroups[0]);
	Attributes group1Attrs = new BasicAttributes();
	group1Attrs.put(group1Attr);

	// Define the attribute for the name of the second group
	Attribute group2Attr = new BasicAttribute("cn");
	group2Attr.add(testGroups[1]);
	Attributes group2Attrs = new BasicAttributes();
	group2Attrs.put(group2Attr);

	// This search result gets reused, so return group1, then group2
	when(mockGroupResult.getAttributes()).thenReturn(group1Attrs, group2Attrs);
	}

	@Test
	public void testGetGroups() throws IOException, NamingException {
	// The search functionality of the mock context is reused, so we will
	// return the user NamingEnumeration first, and then the group
	when(mockContext.search(anyString(), anyString(), any(Object[].class),
	any(SearchControls.class)))
	.thenReturn(mockUserNamingEnum, mockGroupNamingEnum);

	doTestGetGroups(Arrays.asList(testGroups), 2);
	}

	@Test
	public void testGetGroupsWithConnectionClosed() throws IOException, NamingException {
	// The case mocks connection is closed/gc-ed, so the first search call throws CommunicationException,
	// then after reconnected return the user NamingEnumeration first, and then the group
	when(mockContext.search(anyString(), anyString(), any(Object[].class),
	any(SearchControls.class)))
	.thenThrow(new CommunicationException("Connection is closed"))
	.thenReturn(mockUserNamingEnum, mockGroupNamingEnum);

	// Although connection is down but after reconnected it still should retrieve the result groups
	doTestGetGroups(Arrays.asList(testGroups), 1 + 2); // 1 is the first failure call
	}

	@Test
	public void testGetGroupsWithLdapDown() throws IOException, NamingException {
	// This mocks the case where Ldap server is down, and always throws CommunicationException
	when(mockContext.search(anyString(), anyString(), any(Object[].class),
	any(SearchControls.class)))
	.thenThrow(new CommunicationException("Connection is closed"));

	// Ldap server is down, no groups should be retrieved
	doTestGetGroups(Arrays.asList(new String[] {}),
	1 + LdapGroupsMapping.RECONNECT_RETRY_COUNT); // 1 is the first normal call
	}

	private void doTestGetGroups(List<String> expectedGroups, int searchTimes) throws IOException, NamingException {
	Configuration conf = new Configuration();
	// Set this, so we don't throw an exception
	conf.set(LdapGroupsMapping.LDAP_URL_KEY, "ldap://test");

	mappingSpy.setConf(conf);
	// Username is arbitrary, since the spy is mocked to respond the same,
	// regardless of input
	List<String> groups = mappingSpy.getGroups("some_user");

	Assert.assertEquals(expectedGroups, groups);

	// We should have searched for a user, and then two groups
	verify(mockContext, times(searchTimes)).search(anyString(),
	anyString(),
	any(Object[].class),
	any(SearchControls.class));
	}

	@Test
	public void testExtractPassword() throws IOException {
	File testDir = new File(System.getProperty("test.build.data",
	"target/test-dir"));
	testDir.mkdirs();
	File secretFile = new File(testDir, "secret.txt");
	Writer writer = new FileWriter(secretFile);
	writer.write("hadoop");
	writer.close();

	LdapGroupsMapping mapping = new LdapGroupsMapping();
	Assert.assertEquals("hadoop",
	mapping.extractPassword(secretFile.getPath()));
	}

	@Test
	public void testConfGetPassword() throws Exception {
	File testDir = new File(System.getProperty("test.build.data",
	"target/test-dir"));
	Configuration conf = new Configuration();
	final String ourUrl =
	JavaKeyStoreProvider.SCHEME_NAME + "://file/" + testDir + "/test.jks";

	File file = new File(testDir, "test.jks");
	file.delete();
	conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);

	CredentialProvider provider =
	CredentialProviderFactory.getProviders(conf).get(0);
	char[] bindpass = {'b', 'i', 'n', 'd', 'p', 'a', 's', 's'};
	char[] storepass = {'s', 't', 'o', 'r', 'e', 'p', 'a', 's', 's'};

	// ensure that we get nulls when the key isn't there
	assertEquals(null, provider.getCredentialEntry(
	LdapGroupsMapping.BIND_PASSWORD_KEY));
	assertEquals(null, provider.getCredentialEntry
	(LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY));

	// create new aliases
	try {
	provider.createCredentialEntry(
	LdapGroupsMapping.BIND_PASSWORD_KEY, bindpass);

	provider.createCredentialEntry(
	LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY, storepass);
	provider.flush();
	} catch (Exception e) {
	e.printStackTrace();
	throw e;
	}
	// make sure we get back the right key
	assertArrayEquals(bindpass, provider.getCredentialEntry(
	LdapGroupsMapping.BIND_PASSWORD_KEY).getCredential());
	assertArrayEquals(storepass, provider.getCredentialEntry(
	LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY).getCredential());

	LdapGroupsMapping mapping = new LdapGroupsMapping();
	Assert.assertEquals("bindpass",
	mapping.getPassword(conf, LdapGroupsMapping.BIND_PASSWORD_KEY, ""));
	Assert.assertEquals("storepass",
	mapping.getPassword(conf, LdapGroupsMapping.LDAP_KEYSTORE_PASSWORD_KEY,
	""));
	// let's make sure that a password that doesn't exist returns an
	// empty string as currently expected and used to trigger a call to
	// extract password
	Assert.assertEquals("", mapping.getPassword(conf,"invalid-alias", ""));
	}
	}