| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.hadoop.gateway; |
| |
| import com.mycila.xmltool.XMLDoc; |
| import com.mycila.xmltool.XMLTag; |
| import org.apache.directory.server.protocol.shared.transport.TcpTransport; |
| import org.apache.hadoop.gateway.config.GatewayConfig; |
| import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer; |
| import org.apache.hadoop.gateway.services.DefaultGatewayServices; |
| import org.apache.hadoop.gateway.services.GatewayServices; |
| import org.apache.hadoop.gateway.services.ServiceLifecycleException; |
| import org.apache.hadoop.gateway.services.security.AliasService; |
| import org.apache.hadoop.test.TestUtils; |
| import org.apache.hadoop.test.category.ReleaseTest; |
| import org.apache.http.HttpStatus; |
| import org.apache.log4j.Appender; |
| import org.hamcrest.MatcherAssert; |
| import org.hamcrest.Matchers; |
| import org.junit.AfterClass; |
| import org.junit.BeforeClass; |
| import org.junit.Ignore; |
| import org.junit.Test; |
| import org.junit.experimental.categories.Category; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import java.io.File; |
| import java.io.FileOutputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.io.OutputStream; |
| import java.net.InetSocketAddress; |
| import java.net.ServerSocket; |
| import java.net.URL; |
| import java.util.Enumeration; |
| import java.util.HashMap; |
| import java.util.Map; |
| import java.util.UUID; |
| |
| import static com.jayway.restassured.RestAssured.given; |
| import static org.apache.hadoop.test.TestUtils.LOG_ENTER; |
| import static org.apache.hadoop.test.TestUtils.LOG_EXIT; |
| import static org.hamcrest.CoreMatchers.is; |
| import static org.hamcrest.CoreMatchers.notNullValue; |
| import static org.junit.Assert.assertThat; |
| import static org.junit.Assert.fail; |
| |
| /** |
| * Functional test to verify : looking up ldap groups from directory |
| * and using them in acl authorization checks |
| * |
| */ |
| @Category(ReleaseTest.class) |
| public class GatewayLdapPosixGroupFuncTest { |
| |
| private static Class RESOURCE_BASE_CLASS = GatewayLdapPosixGroupFuncTest.class; |
| private static Logger LOG = LoggerFactory.getLogger( GatewayLdapPosixGroupFuncTest.class ); |
| |
| public static Enumeration<Appender> appenders; |
| public static GatewayConfig config; |
| public static GatewayServer gateway; |
| public static String gatewayUrl; |
| public static String clusterUrl; |
| public static String serviceUrl; |
| public static SimpleLdapDirectoryServer ldap; |
| public static TcpTransport ldapTransport; |
| |
| @BeforeClass |
| public static void setupSuite() throws Exception { |
| LOG_ENTER(); |
| //appenders = NoOpAppender.setUp(); |
| int port = setupLdap(); |
| setupGateway(port); |
| TestUtils.awaitPortOpen( new InetSocketAddress( "localhost", port ), 10000, 100 ); |
| TestUtils.awaitNon404HttpStatus( new URL( serviceUrl ), 10000, 100 ); |
| LOG_EXIT(); |
| } |
| |
| @AfterClass |
| public static void cleanupSuite() throws Exception { |
| LOG_ENTER(); |
| gateway.stop(); |
| ldap.stop( true ); |
| //FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) ); |
| //NoOpAppender.tearDown( appenders ); |
| LOG_EXIT(); |
| } |
| |
| public static int setupLdap() throws Exception { |
| URL usersUrl = getResourceUrl( "users.ldif" ); |
| ldapTransport = new TcpTransport( 0 ); |
| ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI() ), ldapTransport ); |
| ldap.start(); |
| LOG.info( "LDAP port = " + ldapTransport.getAcceptor().getLocalAddress().getPort() ); |
| return ldapTransport.getAcceptor().getLocalAddress().getPort(); |
| } |
| |
| public static void setupGateway(int ldapPort) throws Exception { |
| |
| File targetDir = new File( System.getProperty( "user.dir" ), "target" ); |
| File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() ); |
| gatewayDir.mkdirs(); |
| |
| GatewayTestConfig testConfig = new GatewayTestConfig(); |
| config = testConfig; |
| testConfig.setGatewayHomeDir( gatewayDir.getAbsolutePath() ); |
| |
| File topoDir = new File( testConfig.getGatewayTopologyDir() ); |
| topoDir.mkdirs(); |
| |
| File deployDir = new File( testConfig.getGatewayDeploymentDir() ); |
| deployDir.mkdirs(); |
| |
| DefaultGatewayServices srvcs = new DefaultGatewayServices(); |
| Map<String,String> options = new HashMap<String,String>(); |
| options.put( "persist-master", "true" ); |
| options.put( "master", "hadoop" ); |
| |
| try { |
| srvcs.init( testConfig, options ); |
| } catch ( ServiceLifecycleException e ) { |
| e.printStackTrace(); // I18N not required. |
| } |
| |
| gateway = GatewayServer.startGateway( testConfig, srvcs ); |
| MatcherAssert.assertThat( "Failed to start gateway.", gateway, notNullValue() ); |
| |
| LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() ); |
| |
| gatewayUrl = "http://localhost:" + gateway.getAddresses()[0].getPort() + "/" + config.getGatewayPath(); |
| clusterUrl = gatewayUrl + "/test-cluster"; |
| serviceUrl = clusterUrl + "/test-service-path/test-service-resource"; |
| |
| GatewayServices services = GatewayServer.getGatewayServices(); |
| AliasService aliasService = (AliasService)services.getService(GatewayServices.ALIAS_SERVICE); |
| aliasService.addAliasForCluster("test-cluster", "ldcSystemPassword", "guest-password"); |
| |
| char[] password1 = aliasService.getPasswordFromAliasForCluster( "test-cluster", "ldcSystemPassword"); |
| |
| File descriptor = new File( topoDir, "test-cluster.xml" ); |
| OutputStream stream = new FileOutputStream( descriptor ); |
| createTopology(ldapPort).toStream( stream ); |
| stream.close(); |
| |
| } |
| |
| private static XMLTag createTopology(int ldapPort) { |
| XMLTag xml = XMLDoc.newDocument( true ) |
| .addRoot( "topology" ) |
| .addTag( "gateway" ) |
| |
| .addTag( "provider" ) |
| .addTag( "role" ).addText( "authentication" ) |
| .addTag( "name" ).addText( "ShiroProvider" ) |
| .addTag( "enabled" ).addText( "true" ) |
| .addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm" ) |
| .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapGroupContextFactory" ) |
| .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory" ) |
| .addTag( "value" ).addText( "$ldapGroupContextFactory" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.authenticationMechanism" ) |
| .addTag( "value" ).addText( "simple" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.url" ) |
| .addTag( "value" ).addText( "ldap://localhost:" + ldapPort ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.userDnTemplate" ) |
| .addTag( "value" ).addText( "uid={0},ou=people,dc=hadoop,dc=apache,dc=org" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.authorizationEnabled" ) |
| .addTag( "value" ).addText( "true" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemAuthenticationMechanism" ) |
| .addTag( "value" ).addText( "simple" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.searchBase" ) |
| .addTag( "value" ).addText( "ou=groups,dc=hadoop,dc=apache,dc=org" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.groupObjectClass" ) |
| .addTag( "value" ).addText( "posixGroup" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.memberAttribute" ) |
| .addTag( "value" ).addText( "memberUid" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.memberAttributeValueTemplate" ) |
| .addTag( "value" ).addText( "uid={0}" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.clusterName" ) |
| .addTag( "value" ).addText( "test-cluster" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemUsername" ) |
| .addTag( "value" ).addText( "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemPassword" ) |
| .addTag( "value" ).addText( "S{ALIAS=ldcSystemPassword}" ) |
| .gotoParent().addTag( "param" ) |
| .addTag( "name" ).addText( "urls./**" ) |
| .addTag( "value" ).addText( "authcBasic" ) |
| |
| .gotoParent().gotoParent().addTag( "provider" ) |
| .addTag( "role" ).addText( "authorization" ) |
| .addTag( "name" ).addText( "AclsAuthz" ) |
| .addTag( "enabled" ).addText( "true" ) |
| .addTag( "param" ) |
| .addTag( "name" ).addText( "test-service-role.acl" ) |
| .addTag( "value" ).addText( "*;analyst;*" ) |
| |
| .gotoParent().gotoParent().addTag( "provider" ) |
| .addTag( "role" ).addText( "identity-assertion" ) |
| .addTag( "enabled" ).addText( "true" ) |
| .addTag( "name" ).addText( "Default" ).gotoParent() |
| |
| .gotoRoot() |
| .addTag( "service" ) |
| .addTag( "role" ).addText( "test-service-role" ) |
| .gotoRoot(); |
| |
| return xml; |
| } |
| |
| public static InputStream getResourceStream( String resource ) throws IOException { |
| return getResourceUrl( resource ).openStream(); |
| } |
| |
| public static URL getResourceUrl( String resource ) { |
| URL url = ClassLoader.getSystemResource( getResourceName( resource ) ); |
| assertThat( "Failed to find test resource " + resource, url, Matchers.notNullValue() ); |
| return url; |
| } |
| |
| public static String getResourceName( String resource ) { |
| return getResourceBaseName() + resource; |
| } |
| |
| public static String getResourceBaseName() { |
| return RESOURCE_BASE_CLASS.getName().replaceAll( "\\.", "/" ) + "/"; |
| } |
| |
| @Ignore |
| // @Test |
| public void waitForManualTesting() throws IOException { |
| System.in.read(); |
| } |
| |
| @Test( timeout = TestUtils.MEDIUM_TIMEOUT ) |
| public void testGroupMember() throws ClassNotFoundException, Exception { |
| LOG_ENTER(); |
| String username = "sam"; |
| String password = "sam-password"; |
| given() |
| //.log().all() |
| .auth().preemptive().basic( username, password ) |
| .expect() |
| //.log().all() |
| .statusCode( HttpStatus.SC_OK ) |
| .contentType( "text/plain" ) |
| .body( is( "test-service-response" ) ) |
| .when().get( serviceUrl ); |
| LOG_EXIT(); |
| } |
| |
| @Test( timeout = TestUtils.MEDIUM_TIMEOUT ) |
| public void testNonGroupMember() throws ClassNotFoundException { |
| LOG_ENTER(); |
| String username = "guest"; |
| String password = "guest-password"; |
| given() |
| //.log().all() |
| .auth().preemptive().basic( username, password ) |
| .expect() |
| //.log().all() |
| .statusCode( HttpStatus.SC_FORBIDDEN ) |
| .when().get( serviceUrl ); |
| LOG_EXIT(); |
| } |
| |
| } |
