broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.java - qpid-broker-j - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.qpid.server.security.auth.manager;

 import static org.apache.qpid.server.test.KerberosUtilities.ACCEPT_SCOPE;
 import static org.apache.qpid.server.test.KerberosUtilities.HOST_NAME;
 import static org.apache.qpid.server.test.KerberosUtilities.REALM;
 import static org.apache.qpid.server.test.KerberosUtilities.SERVICE_PRINCIPAL_NAME;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;

 import java.io.File;
 import java.security.Principal;
 import java.util.Base64;
 import java.util.Map;

 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.ClassRule;
 import org.junit.Test;

 import org.apache.qpid.server.security.TokenCarryingPrincipal;
 import org.apache.qpid.server.security.auth.AuthenticationResult;
 import org.apache.qpid.server.test.EmbeddedKdcResource;
 import org.apache.qpid.server.test.KerberosUtilities;
 import org.apache.qpid.test.utils.SystemPropertySetter;
 import org.apache.qpid.test.utils.UnitTestBase;

 public class SpnegoAuthenticatorTest extends UnitTestBase
 {
     private static final String ANOTHER_SERVICE = "foo/" + HOST_NAME;
     private static final String ANOTHER_SERVICE_FULL_NAME = ANOTHER_SERVICE + "@" + REALM;
     private static final KerberosUtilities UTILS = new KerberosUtilities();

     @ClassRule
     public static final EmbeddedKdcResource KDC = new EmbeddedKdcResource(HOST_NAME, 0, "QpidTestKerberosServer", REALM);

     @ClassRule
     public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();
     private static File _clientKeyTab;

     private SpnegoAuthenticator _spnegoAuthenticator;
     private KerberosAuthenticationManager _kerberosAuthenticationManager;

     @BeforeClass
     public static void createKeyTabs() throws Exception
     {
         KDC.createPrincipal("another.keytab", ANOTHER_SERVICE_FULL_NAME);
         UTILS.prepareConfiguration(HOST_NAME, SYSTEM_PROPERTY_SETTER);
         _clientKeyTab = UTILS.prepareKeyTabs(KDC);
     }

     @Before
     public void setUp()
     {
         _kerberosAuthenticationManager = mock(KerberosAuthenticationManager.class);
         when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope()).thenReturn(ACCEPT_SCOPE);
         when(_kerberosAuthenticationManager.isStripRealmFromPrincipalName()).thenReturn(true);

         _spnegoAuthenticator = new SpnegoAuthenticator(_kerberosAuthenticationManager);
     }

     @Test
     public void testAuthenticate() throws Exception
     {
         final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
         final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

         final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);

         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());
         final Principal principal = result.getMainPrincipal();
         assertTrue(principal instanceof TokenCarryingPrincipal);
         assertEquals(KerberosUtilities.CLIENT_PRINCIPAL_NAME, principal.getName());

         final Map<String, String> tokens = ((TokenCarryingPrincipal)principal).getTokens();
         assertNotNull(tokens);
         assertTrue(tokens.containsKey(SpnegoAuthenticator.RESPONSE_AUTH_HEADER_NAME));
     }

     @Test
     public void testAuthenticateNoAuthenticationHeader()
     {
         final AuthenticationResult result = _spnegoAuthenticator.authenticate((String) null);
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     @Test
     public void testAuthenticateNoNegotiatePrefix() throws Exception
     {
         final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
         final AuthenticationResult result = _spnegoAuthenticator.authenticate(token);
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     @Test
     public void testAuthenticateEmptyToken()
     {
         final AuthenticationResult result =
                 _spnegoAuthenticator.authenticate(SpnegoAuthenticator.NEGOTIATE_PREFIX + "");
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     @Test
     public void testAuthenticateInvalidToken()
     {
         final AuthenticationResult result =
                 _spnegoAuthenticator.authenticate(SpnegoAuthenticator.NEGOTIATE_PREFIX + "Zm9v");
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     @Test
     public void testAuthenticateWrongConfigName() throws Exception
     {
         when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope()).thenReturn("foo");
         final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
         final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

         final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     @Test
     public void testAuthenticateWrongServer() throws Exception
     {
         final String token = Base64.getEncoder().encodeToString(buildToken(ANOTHER_SERVICE));
         final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

         final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);
         assertNotNull(result);
         assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
     }

     private byte[] buildToken(final String anotherService) throws Exception
     {
         return UTILS.buildToken(KerberosUtilities.CLIENT_PRINCIPAL_NAME, _clientKeyTab, anotherService);
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.qpid.server.security.auth.manager;

	import static org.apache.qpid.server.test.KerberosUtilities.ACCEPT_SCOPE;
	import static org.apache.qpid.server.test.KerberosUtilities.HOST_NAME;
	import static org.apache.qpid.server.test.KerberosUtilities.REALM;
	import static org.apache.qpid.server.test.KerberosUtilities.SERVICE_PRINCIPAL_NAME;
	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertNotNull;
	import static org.junit.Assert.assertTrue;
	import static org.mockito.Mockito.mock;
	import static org.mockito.Mockito.when;

	import java.io.File;
	import java.security.Principal;
	import java.util.Base64;
	import java.util.Map;

	import org.junit.Before;
	import org.junit.BeforeClass;
	import org.junit.ClassRule;
	import org.junit.Test;

	import org.apache.qpid.server.security.TokenCarryingPrincipal;
	import org.apache.qpid.server.security.auth.AuthenticationResult;
	import org.apache.qpid.server.test.EmbeddedKdcResource;
	import org.apache.qpid.server.test.KerberosUtilities;
	import org.apache.qpid.test.utils.SystemPropertySetter;
	import org.apache.qpid.test.utils.UnitTestBase;

	public class SpnegoAuthenticatorTest extends UnitTestBase
	{
	private static final String ANOTHER_SERVICE = "foo/" + HOST_NAME;
	private static final String ANOTHER_SERVICE_FULL_NAME = ANOTHER_SERVICE + "@" + REALM;
	private static final KerberosUtilities UTILS = new KerberosUtilities();

	@ClassRule
	public static final EmbeddedKdcResource KDC = new EmbeddedKdcResource(HOST_NAME, 0, "QpidTestKerberosServer", REALM);

	@ClassRule
	public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();
	private static File _clientKeyTab;

	private SpnegoAuthenticator _spnegoAuthenticator;
	private KerberosAuthenticationManager _kerberosAuthenticationManager;

	@BeforeClass
	public static void createKeyTabs() throws Exception
	{
	KDC.createPrincipal("another.keytab", ANOTHER_SERVICE_FULL_NAME);
	UTILS.prepareConfiguration(HOST_NAME, SYSTEM_PROPERTY_SETTER);
	_clientKeyTab = UTILS.prepareKeyTabs(KDC);
	}

	@Before
	public void setUp()
	{
	_kerberosAuthenticationManager = mock(KerberosAuthenticationManager.class);
	when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope()).thenReturn(ACCEPT_SCOPE);
	when(_kerberosAuthenticationManager.isStripRealmFromPrincipalName()).thenReturn(true);

	_spnegoAuthenticator = new SpnegoAuthenticator(_kerberosAuthenticationManager);
	}

	@Test
	public void testAuthenticate() throws Exception
	{
	final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
	final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

	final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);

	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());
	final Principal principal = result.getMainPrincipal();
	assertTrue(principal instanceof TokenCarryingPrincipal);
	assertEquals(KerberosUtilities.CLIENT_PRINCIPAL_NAME, principal.getName());

	final Map<String, String> tokens = ((TokenCarryingPrincipal)principal).getTokens();
	assertNotNull(tokens);
	assertTrue(tokens.containsKey(SpnegoAuthenticator.RESPONSE_AUTH_HEADER_NAME));
	}

	@Test
	public void testAuthenticateNoAuthenticationHeader()
	{
	final AuthenticationResult result = _spnegoAuthenticator.authenticate((String) null);
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	@Test
	public void testAuthenticateNoNegotiatePrefix() throws Exception
	{
	final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
	final AuthenticationResult result = _spnegoAuthenticator.authenticate(token);
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	@Test
	public void testAuthenticateEmptyToken()
	{
	final AuthenticationResult result =
	_spnegoAuthenticator.authenticate(SpnegoAuthenticator.NEGOTIATE_PREFIX + "");
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	@Test
	public void testAuthenticateInvalidToken()
	{
	final AuthenticationResult result =
	_spnegoAuthenticator.authenticate(SpnegoAuthenticator.NEGOTIATE_PREFIX + "Zm9v");
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	@Test
	public void testAuthenticateWrongConfigName() throws Exception
	{
	when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope()).thenReturn("foo");
	final String token = Base64.getEncoder().encodeToString(buildToken(SERVICE_PRINCIPAL_NAME));
	final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

	final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	@Test
	public void testAuthenticateWrongServer() throws Exception
	{
	final String token = Base64.getEncoder().encodeToString(buildToken(ANOTHER_SERVICE));
	final String authenticationHeader = SpnegoAuthenticator.NEGOTIATE_PREFIX + token;

	final AuthenticationResult result = _spnegoAuthenticator.authenticate(authenticationHeader);
	assertNotNull(result);
	assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
	}

	private byte[] buildToken(final String anotherService) throws Exception
	{
	return UTILS.buildToken(KerberosUtilities.CLIENT_PRINCIPAL_NAME, _clientKeyTab, anotherService);
	}
	}