| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.hadoop.gateway; |
| |
| import com.mycila.xmltool.XMLDoc; |
| import com.mycila.xmltool.XMLTag; |
| import org.apache.directory.server.protocol.shared.transport.TcpTransport; |
| import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer; |
| import org.apache.hadoop.gateway.services.DefaultGatewayServices; |
| import org.apache.hadoop.gateway.services.ServiceLifecycleException; |
| import org.apache.hadoop.gateway.util.KnoxCLI; |
| import org.apache.hadoop.test.TestUtils; |
| import org.apache.hadoop.test.log.NoOpAppender; |
| import org.apache.log4j.Appender; |
| import org.hamcrest.Matchers; |
| import org.junit.AfterClass; |
| import org.junit.BeforeClass; |
| import org.junit.Test; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import java.io.ByteArrayOutputStream; |
| import java.io.PrintStream; |
| import java.io.File; |
| import java.io.FileOutputStream; |
| import java.io.IOException; |
| import java.io.InputStream; |
| import java.net.ServerSocket; |
| import java.net.URL; |
| import java.util.Enumeration; |
| import java.util.HashMap; |
| import java.util.Map; |
| import java.util.UUID; |
| |
| import static org.apache.hadoop.test.TestUtils.LOG_ENTER; |
| import static org.apache.hadoop.test.TestUtils.LOG_EXIT; |
| import static org.hamcrest.CoreMatchers.containsString; |
| import static org.junit.Assert.assertThat; |
| |
| public class KnoxCliSysBindTest { |
| |
| private static Class RESOURCE_BASE_CLASS = KnoxCliSysBindTest.class; |
| private static Logger LOG = LoggerFactory.getLogger( KnoxCliSysBindTest.class ); |
| |
| public static Enumeration<Appender> appenders; |
| public static GatewayTestConfig config; |
| public static GatewayServer gateway; |
| public static String gatewayUrl; |
| public static String clusterUrl; |
| public static SimpleLdapDirectoryServer ldap; |
| public static TcpTransport ldapTransport; |
| |
| private static final ByteArrayOutputStream outContent = new ByteArrayOutputStream(); |
| private static final ByteArrayOutputStream errContent = new ByteArrayOutputStream(); |
| private static final String uuid = UUID.randomUUID().toString(); |
| |
| @BeforeClass |
| public static void setupSuite() throws Exception { |
| LOG_ENTER(); |
| System.setOut(new PrintStream(outContent)); |
| System.setErr(new PrintStream(errContent)); |
| setupLdap(); |
| setupGateway(); |
| LOG_EXIT(); |
| } |
| |
| @AfterClass |
| public static void cleanupSuite() throws Exception { |
| LOG_ENTER(); |
| ldap.stop( true ); |
| |
| //FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) ); |
| //NoOpAppender.tearDown( appenders ); |
| LOG_EXIT(); |
| } |
| |
| public static void setupLdap( ) throws Exception { |
| URL usersUrl = getResourceUrl( "users.ldif" ); |
| ldapTransport = new TcpTransport( 0 ); |
| ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI() ), ldapTransport ); |
| ldap.start(); |
| LOG.info( "LDAP port = " + ldapTransport.getAcceptor().getLocalAddress().getPort() ); |
| } |
| |
| public static void setupGateway() throws Exception { |
| |
| File targetDir = new File( System.getProperty( "user.dir" ), "target" ); |
| File gatewayDir = new File( targetDir, "gateway-home-" + uuid ); |
| gatewayDir.mkdirs(); |
| |
| GatewayTestConfig testConfig = new GatewayTestConfig(); |
| config = testConfig; |
| testConfig.setGatewayHomeDir( gatewayDir.getAbsolutePath() ); |
| |
| File topoDir = new File( testConfig.getGatewayTopologyDir() ); |
| topoDir.mkdirs(); |
| |
| File deployDir = new File( testConfig.getGatewayDeploymentDir() ); |
| deployDir.mkdirs(); |
| |
| writeTopology(topoDir, "test-cluster-1.xml", "guest", "guest-password", true); |
| writeTopology(topoDir, "test-cluster-2.xml", "sam", "sam-password", true); |
| writeTopology(topoDir, "test-cluster-3.xml", "admin", "admin-password", true); |
| writeTopology(topoDir, "test-cluster-4.xml", "", "", false); |
| |
| |
| DefaultGatewayServices srvcs = new DefaultGatewayServices(); |
| Map<String,String> options = new HashMap<String,String>(); |
| options.put( "persist-master", "false" ); |
| options.put( "master", "password" ); |
| try { |
| srvcs.init( testConfig, options ); |
| } catch ( ServiceLifecycleException e ) { |
| e.printStackTrace(); // I18N not required. |
| } |
| } |
| |
| private static void writeTopology(File topoDir, String name, String user, String pass, boolean goodTopology) throws Exception { |
| File descriptor = new File(topoDir, name); |
| |
| if(descriptor.exists()){ |
| descriptor.delete(); |
| descriptor = new File(topoDir, name); |
| } |
| |
| FileOutputStream stream = new FileOutputStream( descriptor, false ); |
| |
| if(goodTopology) { |
| createTopology(user, pass).toStream( stream ); |
| } else { |
| createBadTopology().toStream( stream ); |
| } |
| |
| stream.close(); |
| |
| } |
| |
| public static InputStream getResourceStream( String resource ) throws IOException { |
| return getResourceUrl( resource ).openStream(); |
| } |
| |
| public static URL getResourceUrl( String resource ) { |
| URL url = ClassLoader.getSystemResource( getResourceName( resource ) ); |
| assertThat( "Failed to find test resource " + resource, url, Matchers.notNullValue() ); |
| return url; |
| } |
| |
| public static String getResourceName( String resource ) { |
| return getResourceBaseName() + resource; |
| } |
| |
| public static String getResourceBaseName() { |
| return RESOURCE_BASE_CLASS.getName().replaceAll( "\\.", "/" ) + "/"; |
| } |
| |
| private static XMLTag createBadTopology(){ |
| XMLTag xml = XMLDoc.newDocument(true) |
| .addRoot("topology") |
| .addTag( "gateway" ) |
| .addTag("provider") |
| .addTag("role").addText("authentication") |
| .addTag("name").addText("ShiroProvider") |
| .addTag("enabled").addText("true") |
| .addTag( "param" ) |
| .addTag("name").addText("main.ldapRealm") |
| .addTag("value").addText("org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm").gotoParent() |
| .addTag( "param" ) |
| .addTag("name").addText("main.ldapRealm.userDnTemplate") |
| .addTag("value").addText("uid={0},ou=people,dc=hadoop,dc=apache,dc=org").gotoParent() |
| .addTag( "param" ) |
| .addTag("name").addText("main.ldapRealm.contextFactory.url") |
| .addTag("value").addText("ldap://localhost:" + ldapTransport.getAcceptor().getLocalAddress().getPort()).gotoParent() |
| .addTag( "param" ) |
| .addTag("name").addText("main.ldapRealm.contextFactory.authenticationMechanism") |
| .addTag("value").addText("simple").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.authorizationEnabled") |
| .addTag("value").addText("true").gotoParent() |
| .addTag("param") |
| .addTag( "name").addText( "urls./**") |
| .addTag("value").addText( "authcBasic" ).gotoParent().gotoParent() |
| .addTag( "provider" ) |
| .addTag( "role" ).addText( "identity-assertion" ) |
| .addTag( "enabled" ).addText( "true" ) |
| .addTag( "name" ).addText( "Default" ).gotoParent() |
| .gotoRoot() |
| .addTag( "service") |
| .addTag("role").addText( "KNOX" ) |
| .gotoRoot(); |
| // System.out.println( "GATEWAY=" + xml.toString() ); |
| return xml; |
| } |
| |
| private static XMLTag createTopology(String username, String password) { |
| |
| XMLTag xml = XMLDoc.newDocument(true) |
| .addRoot("topology") |
| .addTag("gateway") |
| .addTag("provider") |
| .addTag("role").addText("authentication") |
| .addTag("name").addText("ShiroProvider") |
| .addTag("enabled").addText("true") |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm") |
| .addTag("value").addText("org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm").gotoParent() |
| .addTag("param" ) |
| .addTag("name").addText("main.ldapGroupContextFactory") |
| .addTag("value").addText("org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.searchBase") |
| .addTag("value").addText("ou=groups,dc=hadoop,dc=apache,dc=org").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.groupObjectClass") |
| .addTag("value").addText("groupOfNames").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.memberAttributeValueTemplate") |
| .addTag("value").addText("uid={0},ou=people,dc=hadoop,dc=apache,dc=org").gotoParent() |
| .addTag("param" ) |
| .addTag("name").addText("main.ldapRealm.memberAttribute") |
| .addTag("value").addText("member").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.authorizationEnabled") |
| .addTag("value").addText("true").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.contextFactory.systemUsername") |
| .addTag("value").addText("uid=" + username + ",ou=people,dc=hadoop,dc=apache,dc=org").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.contextFactory.systemPassword") |
| .addTag( "value").addText(password).gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.userDnTemplate") |
| .addTag("value").addText("uid={0},ou=people,dc=hadoop,dc=apache,dc=org").gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.contextFactory.url") |
| .addTag("value").addText("ldap://localhost:" + ldapTransport.getAcceptor().getLocalAddress().getPort()).gotoParent() |
| .addTag("param") |
| .addTag("name").addText("main.ldapRealm.contextFactory.authenticationMechanism") |
| .addTag("value").addText("simple").gotoParent() |
| .addTag("param") |
| .addTag("name" ).addText("urls./**") |
| .addTag("value").addText("authcBasic").gotoParent().gotoParent() |
| .addTag("provider" ) |
| .addTag("role").addText( "identity-assertion" ) |
| .addTag( "enabled").addText( "true" ) |
| .addTag("name").addText( "Default" ).gotoParent() |
| .gotoRoot() |
| .addTag( "service" ) |
| .addTag( "role" ).addText( "test-service-role" ) |
| .gotoRoot(); |
| // System.out.println( "GATEWAY=" + xml.toString() ); |
| return xml; |
| } |
| |
| @Test( timeout = TestUtils.MEDIUM_TIMEOUT ) |
| public void testLDAPAuth() throws Exception { |
| LOG_ENTER(); |
| |
| // Test 1: Make sure authentication is successful |
| outContent.reset(); |
| String args[] = { "system-user-auth-test", "--master", "knox", "--cluster", "test-cluster-1", "--d" }; |
| KnoxCLI cli = new KnoxCLI(); |
| cli.setConf(config); |
| cli.run(args); |
| assertThat(outContent.toString(), containsString("System LDAP Bind successful")); |
| |
| // Test 2: Make sure authentication fails |
| outContent.reset(); |
| String args2[] = { "system-user-auth-test", "--master", "knox", "--cluster", "test-cluster-2", "--d" }; |
| cli = new KnoxCLI(); |
| cli.setConf(config); |
| cli.run(args2); |
| assertThat(outContent.toString(), containsString("System LDAP Bind successful")); |
| |
| |
| // Test 3: Make sure authentication is successful |
| outContent.reset(); |
| String args3[] = { "system-user-auth-test", "--master", "knox", "--cluster", "test-cluster-3", "--d" }; |
| cli = new KnoxCLI(); |
| cli.setConf(config); |
| Enumeration<Appender> before = NoOpAppender.setUp(); |
| try { |
| cli.run( args3 ); |
| } finally { |
| NoOpAppender.tearDown( before ); |
| } |
| assertThat(outContent.toString(), containsString("LDAP authentication failed")); |
| assertThat(outContent.toString(), containsString("Unable to successfully bind to LDAP server with topology credentials")); |
| |
| // Test 4: Assert that we get a username/password not present error is printed |
| outContent.reset(); |
| String args4[] = { "system-user-auth-test", "--master", "knox", "--cluster", "test-cluster-4" }; |
| cli = new KnoxCLI(); |
| cli.setConf(config); |
| cli.run(args4); |
| assertThat(outContent.toString(), containsString("Warn: main.ldapRealm.contextFactory.systemUsername is not present")); |
| assertThat(outContent.toString(), containsString("Warn: main.ldapRealm.contextFactory.systemPassword is not present")); |
| |
| |
| // Test 5: Assert that we get a username/password not present error is printed |
| outContent.reset(); |
| String args5[] = { "system-user-auth-test", "--master", "knox", "--cluster", "not-a-cluster" }; |
| cli = new KnoxCLI(); |
| cli.setConf(config); |
| cli.run(args5); |
| assertThat(outContent.toString(), containsString("Topology not-a-cluster does not exist")); |
| |
| LOG_EXIT(); |
| } |
| |
| |
| } |