Merge branch 'USERGRID-575' of https://github.com/apache/incubator-usergrid
diff --git a/stack/config/src/main/resources/usergrid-default.properties b/stack/config/src/main/resources/usergrid-default.properties
index fe7a945..b895310 100644
--- a/stack/config/src/main/resources/usergrid-default.properties
+++ b/stack/config/src/main/resources/usergrid-default.properties
@@ -31,13 +31,16 @@
# URL for local testing Cassandra cluster
cassandra.url=localhost:9160
-#The number of thrift connections to open per cassandra node.
+# The number of thrift connections to open per cassandra node.
cassandra.connections=50
-
# Name of Cassandra cluster
cassandra.cluster=Test Cluster
+# Keyspace names to be used (see also the locks keyspace below)
+cassandra.system.keyspace=Usergrid
+cassandra.application.keyspace=Usergrid_Applications
+
cassandra.keyspace.strategy=org.apache.cassandra.locator.SimpleStrategy
#cassandra.keyspace.strategy=org.apache.cassandra.locator.NetworkTopologyStrategy
@@ -49,18 +52,19 @@
cassandra.username=
cassandra.password=
-#Read consistency level for the cassandra cluster
+# Read consistency level for the cassandra cluster
cassandra.readcl=QUORUM
-#Write consistency level for the cassandra cluster
+# Write consistency level for the cassandra cluster
cassandra.writecl=QUORUM
-#The maximum number of pending mutations allowed in ram before it is flushed to cassandra
+# The maximum number of pending mutations allowed in ram before it is flushed to cassandra
cassandra.mutation.flushsize=2000
-#Keyspace to use for locking
-#Note that if this is deployed in a production cluster, the RF on the keyspace MUST be updated to use an odd number for it's replication Factor.
-#Even numbers for RF can potentially case the locks to fail, via "split brain" when read at QUORUM on lock verification
+# Keyspace to use for locking - Used by Hector lock manager:
+# Note that if this is deployed in a production cluster, the RF on the keyspace MUST
+# be updated to use an odd number for it's replication Factor. Even numbers for RF can
+# potentially case the locks to fail, via "split brain" when read at QUORUM on lock verification
cassandra.lock.keyspace=Locks
# false to disable test features
@@ -111,9 +115,10 @@
usergrid.sysadmin.approve.users=false
usergrid.sysadmin.approve.organizations=false
-# Base URL of central Usergrid SSO server
-# Setting this will enable external token validation.
-# See also: https://issues.apache.org/jira/browse/USERGRID-567
+# Base URL of central Usergrid SSO server:
+# Setting this will enable External Token Validation for Admin Users and will configure
+# this Usergrid instance delegate all Admin User authentication to the central Usegrid SSO
+# server. See also: https://issues.apache.org/jira/browse/USERGRID-567
usergrid.central.url=
# Where to store temporary files
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
index 67c273f..e4e9eda 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java
@@ -33,6 +33,7 @@
import javax.ws.rs.core.UriInfo;
import org.apache.usergrid.rest.RootResource;
+import org.apache.usergrid.rest.management.ManagementResource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -111,9 +112,9 @@
String name = ( String ) json.remove( "name" );
String email = ( String ) json.remove( "email" );
String password = ( String ) json.remove( "password" );
- Map<String, Object> properties = ( Map<String, Object> ) json.remove( ORGANIZATION_PROPERTIES );
+ Map<String, Object> orgProperties = ( Map<String, Object> ) json.remove( ORGANIZATION_PROPERTIES );
- return newOrganization( ui, organizationName, username, name, email, password, json, properties, callback );
+ return newOrganization( ui, organizationName, username, name, email, password, json, orgProperties, callback );
}
@@ -146,7 +147,16 @@
/** Create a new organization */
private JSONWithPadding newOrganization( @Context UriInfo ui, String organizationName, String username, String name,
String email, String password, Map<String, Object> userProperties,
- Map<String, Object> properties, String callback ) throws Exception {
+ Map<String, Object> orgProperties, String callback ) throws Exception {
+
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Organization / Admin Users must be created via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
Preconditions
.checkArgument( StringUtils.isNotBlank( organizationName ), "The organization parameter was missing" );
@@ -157,7 +167,7 @@
OrganizationOwnerInfo organizationOwner = management
.createOwnerAndOrganization( organizationName, username, name, email, password, false, false,
- userProperties, properties );
+ userProperties, orgProperties );
if ( organizationOwner == null ) {
logger.info( "organizationOwner is null, returning. organization: {}", organizationName );
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java
index 49b0037..3c755f8 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java
@@ -33,6 +33,8 @@
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriInfo;
+import org.apache.commons.lang.StringUtils;
+import org.apache.usergrid.rest.management.ManagementResource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Scope;
@@ -205,6 +207,14 @@
@Produces( MediaType.TEXT_HTML )
public Viewable showPasswordResetForm( @Context UriInfo ui, @QueryParam( "token" ) String token ) {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must reset passwords via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
try {
this.token = token;
@@ -234,6 +244,14 @@
@FormParam( "recaptcha_challenge_field" ) String challenge,
@FormParam( "recaptcha_response_field" ) String uresponse ) {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must reset passwords via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
try {
this.token = token;
@@ -309,6 +327,14 @@
@Produces( MediaType.TEXT_HTML )
public Viewable activate( @Context UriInfo ui, @QueryParam( "token" ) String token ) {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must activate via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
try {
management.handleActivationTokenForAdminUser( user.getUuid(), token );
return handleViewable( "activate", this );
@@ -330,6 +356,14 @@
@Produces( MediaType.TEXT_HTML )
public Viewable confirm( @Context UriInfo ui, @QueryParam( "token" ) String token ) {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must confirm via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
try {
ActivationState state = management.handleConfirmationTokenForAdminUser( user.getUuid(), token );
if ( state == ActivationState.CONFIRMED_AWAITING_ACTIVATION ) {
@@ -355,6 +389,14 @@
@QueryParam( "callback" ) @DefaultValue( "callback" ) String callback )
throws Exception {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must reactivate via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
logger.info( "Send activation email for user: {}" , user.getUuid() );
ApiResponse response = createApiResponse();
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java
index 144a6de..d907632 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java
@@ -34,8 +34,10 @@
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriInfo;
+import org.apache.commons.lang.StringUtils;
import org.apache.usergrid.management.exceptions.ManagementException;
import org.apache.usergrid.rest.RootResource;
+import org.apache.usergrid.rest.management.ManagementResource;
import org.apache.usergrid.services.exceptions.ServiceResourceNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -78,7 +80,7 @@
@Path(RootResource.USER_ID_PATH)
public UserResource getUserById( @Context UriInfo ui, @PathParam( "userId" ) String userIdStr ) throws Exception {
- return getUserResource(management.getAdminUserByUuid(UUID.fromString(userIdStr)), "user id", userIdStr);
+ return getUserResource(management.getAdminUserByUuid( UUID.fromString( userIdStr ) ), "user id", userIdStr);
}
@@ -101,14 +103,14 @@
if (user == null) {
throw new ManagementException("Could not find organization for " + type + " : " + value);
}
- return getSubResource(UserResource.class).init(user);
+ return getSubResource(UserResource.class).init( user );
}
@Path(RootResource.EMAIL_PATH)
public UserResource getUserByEmail( @Context UriInfo ui, @PathParam( "email" ) String email ) throws Exception {
- return getUserResource(management.getAdminUserByEmail(email), "email", email);
+ return getUserResource(management.getAdminUserByEmail( email ), "email", email);
}
@@ -120,6 +122,14 @@
@QueryParam( "callback" ) @DefaultValue( "callback" ) String callback )
throws Exception {
+ final boolean externalTokensEnabled =
+ !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+
+ if ( externalTokensEnabled ) {
+ throw new IllegalArgumentException( "Admin Users must signup via " +
+ properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) );
+ }
+
logger.info( "Create user: " + username );
ApiResponse response = createApiResponse();
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java
index d6b507e..cec172d 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java
@@ -669,7 +669,7 @@
String suToken = superAdminToken();
Map<String, String> props = new HashMap<String, String>();
- props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm());
+ props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm() );
resource().path( "/testproperties" )
.queryParam( "access_token", suToken)
.accept( MediaType.APPLICATION_JSON )
@@ -695,8 +695,11 @@
.queryParam( "ttl", "1000" )
.get( JsonNode.class );
fail("Validation should have failed");
- } catch ( Exception actual ) {
- logger.debug( "error", actual );
+ } catch ( UniformInterfaceException actual ) {
+ assertEquals( 404, actual.getResponse().getStatus() );
+ String errorMsg = actual.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString();
+ logger.error( "ERROR: " + errorMsg );
+ assertTrue( errorMsg.contains( "Cannot find Admin User" ) );
}
@@ -722,7 +725,7 @@
// create an org and an admin user
- String rand = RandomStringUtils.randomAlphanumeric(10);
+ String rand = RandomStringUtils.randomAlphanumeric( 10 );
final String username = "user_" + rand;
OrganizationOwnerInfo orgInfo = setup.getMgmtSvc().createOwnerAndOrganization(
username, username, "Test User", username + "@example.com", "password" );
@@ -743,17 +746,23 @@
try {
Map<String, Object> loginInfo = new HashMap<String, Object>() {{
- put("username", username );
- put("password", "password");
- put("grant_type", "password");
- }};
+ put("username", username );
+ put("password", "password");
+ put("grant_type", "password");
+ }};
JsonNode accessInfoNode = resource().path("/management/token")
.type( MediaType.APPLICATION_JSON_TYPE )
.post( JsonNode.class, loginInfo );
fail("Login as Admin User must fail when validate external tokens is enabled");
- } catch ( Exception actual ) {
- logger.debug( "error", actual );
+ } catch ( UniformInterfaceException actual ) {
+ assertEquals( 400, actual.getResponse().getStatus() );
+ String errorMsg = actual.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString();
+ logger.error( "ERROR: " + errorMsg );
+ assertTrue( errorMsg.contains( "Admin Users must login via" ));
+
+ } catch ( Exception e ) {
+ fail( "We expected a UniformInterfaceException" );
}
// login as superuser must succeed
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java
index a75a401..a1e31c4 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java
@@ -25,9 +25,16 @@
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMultipart;
+import javax.ws.rs.DefaultValue;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import com.sun.jersey.core.util.MultivaluedMapImpl;
+import org.apache.commons.lang.RandomStringUtils;
import org.codehaus.jackson.JsonNode;
+import org.jclouds.json.Json;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
@@ -55,6 +62,7 @@
import com.sun.jersey.api.client.UniformInterfaceException;
import com.sun.jersey.api.representation.Form;
+import static org.apache.usergrid.rest.management.ManagementResource.USERGRID_CENTRAL_URL;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
@@ -71,7 +79,7 @@
/** @author zznate */
public class MUUserResourceIT extends AbstractRestIT {
- private Logger LOG = LoggerFactory.getLogger( MUUserResourceIT.class );
+ private Logger logger = LoggerFactory.getLogger( MUUserResourceIT.class );
@Rule
@@ -87,7 +95,7 @@
@Test
// @Ignore( "aok - check this please" )
public void testCaseSensitivityAdminUser() throws Exception {
- LOG.info( "Starting testCaseSensitivityAdminUser()" );
+ logger.info( "Starting testCaseSensitivityAdminUser()" );
UserInfo mixcaseUser = setup.getMgmtSvc()
.createAdminUser( "AKarasulu", "Alex Karasulu", "AKarasulu@Apache.org", "test",
true, false );
@@ -157,7 +165,7 @@
assertEquals( "invalid_grant", node.get( "error" ).getTextValue() );
assertEquals( "User must be confirmed to authenticate",
node.get( "error_description" ).getTextValue() );
- LOG.info( "Unconfirmed user was not authorized to authenticate!" );
+ logger.info( "Unconfirmed user was not authorized to authenticate!" );
}
// Confirm the getting account confirmation email for unconfirmed user
@@ -174,7 +182,7 @@
// Extract the token to confirm the user
// -------------------------------------------
String token = getTokenFromMessage( confirmation );
- LOG.info( token );
+ logger.info( token );
ActivationState state =
setup.getMgmtSvc().handleConfirmationTokenForAdminUser( orgOwner.getOwner().getUuid(), token );
@@ -194,7 +202,7 @@
.accept( MediaType.APPLICATION_JSON ).get( JsonNode.class );
assertNotNull( node );
- LOG.info( "Authentication succeeded after confirmation: {}.", node.toString() );
+ logger.info( "Authentication succeeded after confirmation: {}.", node.toString() );
}
finally {
setTestProperties( originalProperties );
@@ -305,7 +313,7 @@
logNode( node );
payload = hashMap( "company", "Usergrid" );
- LOG.info( "sending PUT for company update" );
+ logger.info( "sending PUT for company update" );
node = resource().path( String.format( "/management/users/%s", userId ) ).queryParam( "access_token", token )
.type( MediaType.APPLICATION_JSON_TYPE ).put( JsonNode.class, payload );
assertNotNull( node );
@@ -602,4 +610,85 @@
assertEquals( context.getActiveUser().getEmail(), adminNode.get( "email" ).asText() );
assertEquals( context.getActiveUser().getUser(), adminNode.get( "username" ).asText() );
}
+
+
+ @Test
+ public void testNoAdminUserSignupWhenValidateExternalTokensEnabled() throws Exception {
+
+ // turn on validate external tokens by setting the usergrid.central.url
+
+ String suToken = superAdminToken();
+ Map<String, String> props = new HashMap<String, String>();
+ props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm());
+ resource().path( "/testproperties" )
+ .queryParam( "access_token", suToken)
+ .accept( MediaType.APPLICATION_JSON )
+ .type( MediaType.APPLICATION_JSON_TYPE )
+ .post( props );
+
+ // create an admin user must fail
+
+ try {
+
+ // create an admin user
+
+ final String rand = RandomStringUtils.randomAlphanumeric( 10 );
+ MultivaluedMap<String, String> payload = new MultivaluedMapImpl() {{
+ putSingle( "username", "user_" + rand );
+ putSingle( "name", "Joe Userperson" );
+ putSingle( "email", "joe_" + rand + "@example.com" );
+ putSingle( "password", "wigglestone" );
+ }};
+ JsonNode node = resource().path( "/management/users")
+ .accept( MediaType.APPLICATION_JSON )
+ .type( MediaType.APPLICATION_FORM_URLENCODED )
+ .post( JsonNode.class, payload );
+
+ fail( "Create admin user should fail" );
+
+ } catch ( Exception actual ) {
+ assertTrue( actual instanceof UniformInterfaceException );
+ UniformInterfaceException uie = (UniformInterfaceException)actual;
+ assertEquals( 400, uie.getResponse().getStatus() );
+ String errorMsg = uie.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString();
+ assertTrue( errorMsg.contains( "Admin Users must signup via" ) );
+ }
+
+
+ try {
+
+ // create an org and an admin user
+
+ final String rand = RandomStringUtils.randomAlphanumeric( 10 );
+ Map<String, String> payload = new HashMap<String, String>() {{
+ put( "organization", "org_" + rand );
+ put( "username", "user_" + rand );
+ put( "name", "Joe Userperson" );
+ put( "email", "joe_" + rand + "@example.com" );
+ put( "password", "wigglestone" );
+ }};
+ JsonNode node = resource().path( "/management/organizations/")
+ .accept( MediaType.APPLICATION_JSON )
+ .type( MediaType.APPLICATION_JSON )
+ .post( JsonNode.class, payload );
+
+ fail( "Create org and admin user should fail" );
+
+ } catch ( Exception actual ) {
+ assertTrue( actual instanceof UniformInterfaceException );
+ UniformInterfaceException uie = (UniformInterfaceException)actual;
+ assertEquals( 400, uie.getResponse().getStatus() );
+ String errorMsg = uie.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString();
+ assertTrue( errorMsg.contains( "Organization / Admin Users must be created via" ) );
+ }
+
+ // turn off validate external tokens by un-setting the usergrid.central.url
+
+ props.put( USERGRID_CENTRAL_URL, "" );
+ resource().path( "/testproperties" )
+ .queryParam( "access_token", suToken)
+ .accept( MediaType.APPLICATION_JSON )
+ .type( MediaType.APPLICATION_JSON_TYPE )
+ .post( props );
+ }
}
