tests/shell/test_shell_commandline_jwt_auth.py - impala - Git at Google

 # -*- coding: utf-8 -*-
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.

 from __future__ import absolute_import, division, print_function
 from tests.common.impala_test_suite import ImpalaTestSuite
 from tests.common.test_dimensions import create_client_protocol_http_transport
 from tests.shell.util import run_impala_shell_cmd


 class TestImpalaShellJwtAuth(ImpalaTestSuite):

   @classmethod
   def add_test_dimensions(cls):
     """Overrides all other add_dimension methods in super classes up the entire class
     hierarchy ensuring that each test in this class only get run once."""
     cls.ImpalaTestMatrix.add_dimension(create_client_protocol_http_transport())

   def test_jwt_cmd_without_jwt_auth(self, vector):
     """Asserts the jwt_cmd arg is only allowed when JWT auth is enabled."""
     result = run_impala_shell_cmd(vector, ['--jwt_cmd=echo', '--protocol=hs2-http',
                                   '--auth_creds_ok_in_clear'], expect_success=False)
     assert "Option --jwt_cmd requires using JWT authentication mechanism (-j)" \
            in result.stderr

   def test_jwt_cmd_invalid(self, vector):
     """Asserts an invalid jwt_cmd arg value produces an explanatory error message."""
     result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http',
                                   '--auth_creds_ok_in_clear', '--jwt_cmd=idontexist'],
                                   expect_success=False)
     assert "Error retrieving JWT" in result.stderr
     assert "command was: 'idontexist'" in result.stderr

   def test_jwt_auth_without_ssl_creds_in_clear(self, vector):
     """Asserts that JWTs do not get sent over insecure network connections if the user
     does not provide the auth_creds_ok_in_clear arg."""
     result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http'],
                                   expect_success=False)
     assert "JWTs may not be sent over insecure connections. Enable SSL or " \
            "set --auth_creds_ok_in_clear" in result.stderr

   def test_jwt_auth_protocol_beeswax(self, vector):
     """Asserts that JWT auth does not work with the beeswax protocol."""
     result = run_impala_shell_cmd(vector, ['-j', '--protocol=beeswax'],
                                   expect_success=False)
     assert "Invalid protocol 'beeswax'. JWT authentication requires using the " \
            "'hs2-http' protocol" in result.stderr

   def test_jwt_auth_protocol_hs2_no_http(self, vector):
     """Asserts that JWT auth does not work with the plain hs2 protocol."""
     result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2'], expect_success=False)
     assert "Invalid protocol 'hs2'. JWT authentication requires using the " \
            "'hs2-http' protocol" in result.stderr

   def test_jwt_auth_protocol_strict_hs2(self, vector):
     """Asserts that JWT auth does not work when strict hs2 is enabled."""
     result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http',
                                            '--strict_hs2_protocol'],
                                            expect_success=False)
     assert "JWT authentication is not supported when using strict hs2." in result.stderr

   def test_multiple_auth_ldap_jwt(self, vector):
     """Asserts that ldap and jwt auth cannot both be enabled."""
     result = run_impala_shell_cmd(vector, ['-l', '-j'], expect_success=False)
     assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
            in result.stderr

   def test_multiple_auth_ldap_kerberos(self, vector):
     """Asserts that ldap and kerberos auth cannot both be enabled."""
     result = run_impala_shell_cmd(vector, ['-l', '-k'], expect_success=False)
     assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
            in result.stderr

   def test_multiple_auth_jwt_kerberos(self, vector):
     """Asserts that jwt and kerberos auth cannot both be enabled."""
     result = run_impala_shell_cmd(vector, ['-j', '-k'], expect_success=False)
     assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
            in result.stderr

   def test_multiple_auth_ldap_jwt_kerberos(self, vector):
     """Asserts ldap, jwt, and kerberos auth cannot all be enabled."""
     result = run_impala_shell_cmd(vector, ['-l', '-j', '-k'], expect_success=False)
     assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
            in result.stderr
	# -- coding: utf-8 --
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.

	from __future__ import absolute_import, division, print_function
	from tests.common.impala_test_suite import ImpalaTestSuite
	from tests.common.test_dimensions import create_client_protocol_http_transport
	from tests.shell.util import run_impala_shell_cmd


	class TestImpalaShellJwtAuth(ImpalaTestSuite):

	@classmethod
	def add_test_dimensions(cls):
	"""Overrides all other add_dimension methods in super classes up the entire class
	hierarchy ensuring that each test in this class only get run once."""
	cls.ImpalaTestMatrix.add_dimension(create_client_protocol_http_transport())

	def test_jwt_cmd_without_jwt_auth(self, vector):
	"""Asserts the jwt_cmd arg is only allowed when JWT auth is enabled."""
	result = run_impala_shell_cmd(vector, ['--jwt_cmd=echo', '--protocol=hs2-http',
	'--auth_creds_ok_in_clear'], expect_success=False)
	assert "Option --jwt_cmd requires using JWT authentication mechanism (-j)" \
	in result.stderr

	def test_jwt_cmd_invalid(self, vector):
	"""Asserts an invalid jwt_cmd arg value produces an explanatory error message."""
	result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http',
	'--auth_creds_ok_in_clear', '--jwt_cmd=idontexist'],
	expect_success=False)
	assert "Error retrieving JWT" in result.stderr
	assert "command was: 'idontexist'" in result.stderr

	def test_jwt_auth_without_ssl_creds_in_clear(self, vector):
	"""Asserts that JWTs do not get sent over insecure network connections if the user
	does not provide the auth_creds_ok_in_clear arg."""
	result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http'],
	expect_success=False)
	assert "JWTs may not be sent over insecure connections. Enable SSL or " \
	"set --auth_creds_ok_in_clear" in result.stderr

	def test_jwt_auth_protocol_beeswax(self, vector):
	"""Asserts that JWT auth does not work with the beeswax protocol."""
	result = run_impala_shell_cmd(vector, ['-j', '--protocol=beeswax'],
	expect_success=False)
	assert "Invalid protocol 'beeswax'. JWT authentication requires using the " \
	"'hs2-http' protocol" in result.stderr

	def test_jwt_auth_protocol_hs2_no_http(self, vector):
	"""Asserts that JWT auth does not work with the plain hs2 protocol."""
	result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2'], expect_success=False)
	assert "Invalid protocol 'hs2'. JWT authentication requires using the " \
	"'hs2-http' protocol" in result.stderr

	def test_jwt_auth_protocol_strict_hs2(self, vector):
	"""Asserts that JWT auth does not work when strict hs2 is enabled."""
	result = run_impala_shell_cmd(vector, ['-j', '--protocol=hs2-http',
	'--strict_hs2_protocol'],
	expect_success=False)
	assert "JWT authentication is not supported when using strict hs2." in result.stderr

	def test_multiple_auth_ldap_jwt(self, vector):
	"""Asserts that ldap and jwt auth cannot both be enabled."""
	result = run_impala_shell_cmd(vector, ['-l', '-j'], expect_success=False)
	assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
	in result.stderr

	def test_multiple_auth_ldap_kerberos(self, vector):
	"""Asserts that ldap and kerberos auth cannot both be enabled."""
	result = run_impala_shell_cmd(vector, ['-l', '-k'], expect_success=False)
	assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
	in result.stderr

	def test_multiple_auth_jwt_kerberos(self, vector):
	"""Asserts that jwt and kerberos auth cannot both be enabled."""
	result = run_impala_shell_cmd(vector, ['-j', '-k'], expect_success=False)
	assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
	in result.stderr

	def test_multiple_auth_ldap_jwt_kerberos(self, vector):
	"""Asserts ldap, jwt, and kerberos auth cannot all be enabled."""
	result = run_impala_shell_cmd(vector, ['-l', '-j', '-k'], expect_success=False)
	assert "Please specify at most one authentication mechanism (-k, -l, -j, or -a)" \
	in result.stderr