ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From maha...@apache.org
Subject git commit: AMBARI-7163. Inactive user should not be able to login. (mahadev)
Date Fri, 05 Sep 2014 17:22:14 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk f76e5c9f3 -> 981adc667


AMBARI-7163. Inactive user should not be able to login. (mahadev)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/981adc66
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/981adc66
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/981adc66

Branch: refs/heads/trunk
Commit: 981adc667c3c6a5bfeca34736bba602f2a423d9b
Parents: f76e5c9
Author: Mahadev Konar <mahadev@apache.org>
Authored: Fri Sep 5 10:22:04 2014 -0700
Committer: Mahadev Konar <mahadev@apache.org>
Committed: Fri Sep 5 10:22:04 2014 -0700

----------------------------------------------------------------------
 .../AmbariLdapAuthoritiesPopulator.java         | 18 ++--
 .../AmbariLocalUserDetailsService.java          |  4 +-
 ...ariAuthorizationProviderDisableUserTest.java | 97 ++++++++++++++++++++
 .../TestAmbariLdapAuthoritiesPopulator.java     |  2 +
 ambari-web/app/controllers/login_controller.js  | 10 +-
 ambari-web/app/messages.js                      |  1 +
 ambari-web/app/router.js                        |  8 +-
 7 files changed, 127 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
index 487e703..fc7f73a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
@@ -17,7 +17,11 @@
  */
 package org.apache.ambari.server.security.authorization;
 
-import com.google.inject.Inject;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
 import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
@@ -28,13 +32,11 @@ import org.apache.ambari.server.orm.entities.UserEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.LinkedList;
-import java.util.List;
+import com.google.inject.Inject;
 
 /**
  * Provides authorities population for LDAP user from LDAP catalog
@@ -63,12 +65,14 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
     UserEntity user;
 
     user = userDAO.findLdapUserByName(username);
-
+    
     if (user == null) {
       log.error("Can't get authorities for user " + username + ", he is not present in local
DB");
       return Collections.emptyList();
     }
-
+    if(!user.getActive()){
+      throw new DisabledException("User is disabled");
+    }
     // get all of the privileges for the user
     List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
index 55707f8..2aae8a0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
@@ -91,7 +91,7 @@ public class AmbariLocalUserDetailsService implements UserDetailsService
{
 
     List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
 
-    return new User(user.getUserName(), user.getUserPassword(),
-        authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
+    return new User(user.getUserName(), user.getUserPassword(), user.getActive(), 
+        true, true, true, authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
   }
 }

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
new file mode 100644
index 0000000..c3e5990
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.StandardPasswordEncoder;
+
+public class AmbariAuthorizationProviderDisableUserTest {
+
+  private UserDAO userDAO;
+  
+  private PasswordEncoder encoder = new StandardPasswordEncoder();
+  
+  private DaoAuthenticationProvider daoProvider;
+
+  private AmbariLdapAuthoritiesPopulator ldapPopulator;
+
+  @Before
+  public void setUp() {
+    userDAO = Mockito.mock(UserDAO.class);
+    
+    createUser("activeUser", true);
+    createUser("disabledUser", false);
+    
+    MemberDAO memberDao = Mockito.mock(MemberDAO.class);
+    PrivilegeDAO privilegeDao = Mockito.mock(PrivilegeDAO.class);
+    AuthorizationHelper authorizationHelper = new AuthorizationHelper();
+    
+    AmbariLocalUserDetailsService uds = new AmbariLocalUserDetailsService(null,null,authorizationHelper,userDAO,memberDao,privilegeDao);
+    daoProvider = new DaoAuthenticationProvider();
+    daoProvider.setUserDetailsService(uds);
+    daoProvider.setPasswordEncoder(encoder);
+    
+    ldapPopulator = new AmbariLdapAuthoritiesPopulator(authorizationHelper, userDAO, memberDao,
privilegeDao);
+    
+  }
+  
+  @Test public void testDisabledUserViaDaoProvider(){
+    try{
+      daoProvider.authenticate(new UsernamePasswordAuthenticationToken("disabledUser","pwd"));
+      Assert.fail("Disabled user passes authentication");
+    }catch(DisabledException e){
+      //expected
+      Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+    }
+    Authentication auth = daoProvider.authenticate(new UsernamePasswordAuthenticationToken("activeUser","pwd"));
+    Assert.assertNotNull(auth);
+    Assert.assertTrue(auth.isAuthenticated());
+  }
+
+  @Test public void testDisabledUserViaLdapProvider(){
+    try{
+      ldapPopulator.getGrantedAuthorities(null, "disabledUser");
+      Assert.fail("Disabled user passes authentication");
+    }catch(DisabledException e){
+      //expected
+      Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+    }
+  }
+  
+  private void createUser(String login, boolean isActive) {
+    UserEntity activeUser = new UserEntity();
+    activeUser.setActive(isActive);
+    activeUser.setUserName(login);
+    activeUser.setUserPassword(encoder.encode("pwd"));
+    Mockito.when(userDAO.findLocalUserByName(login)).thenReturn(activeUser);
+    Mockito.when(userDAO.findLdapUserByName(login)).thenReturn(activeUser);
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
index bb178d6..7c72f4c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
@@ -63,6 +63,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport
{
         .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity);
+    expect(userEntity.getActive()).andReturn(true);
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity));
     expect(memberEntity.getGroup()).andReturn(groupEntity);
     expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity);
@@ -87,6 +88,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport
{
         .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+    expect(userEntity.getActive()).andReturn(true);
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity)).anyTimes();
     expect(memberEntity.getGroup()).andReturn(groupEntity).anyTimes();
     expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity).anyTimes();

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/controllers/login_controller.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/controllers/login_controller.js b/ambari-web/app/controllers/login_controller.js
index 4f92dd2..46160ee 100644
--- a/ambari-web/app/controllers/login_controller.js
+++ b/ambari-web/app/controllers/login_controller.js
@@ -35,13 +35,19 @@ App.LoginController = Em.Object.extend({
     App.get('router').login();
   },
 
-  postLogin: function (isConnected, isAuthenticated) {
+  postLogin: function (isConnected, isAuthenticated, responseText) {
     if (!isConnected) {
       console.log('Failed to connect to Ambari Server');
       this.set('errorMessage', Em.I18n.t('login.error.bad.connection'));
     } else if (!isAuthenticated) {
       console.log('Failed to login as: ' + this.get('loginName'));
-      this.set('errorMessage', Em.I18n.t('login.error.bad.credentials'));
+      var errorMessage = "";
+      if( responseText === "User is disabled" ){
+        errorMessage = Em.I18n.t('login.error.disabled');
+      } else {
+        errorMessage = Em.I18n.t('login.error.bad.credentials');
+      }
+      this.set('errorMessage', errorMessage);
     }
   }
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/messages.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/messages.js b/ambari-web/app/messages.js
index af64135..d6829f0 100644
--- a/ambari-web/app/messages.js
+++ b/ambari-web/app/messages.js
@@ -281,6 +281,7 @@ Em.I18n.translations = {
   'login.username':'Username',
   'login.loginButton':'Sign in',
   'login.error.bad.credentials':'Unable to sign in. Invalid username/password combination.',
+  'login.error.disabled':'Unable to sign in. Invalid username/password combination.',
   'login.error.bad.connection':'Unable to connect to Ambari Server. Confirm Ambari Server
is running and you can reach Ambari Server from this machine.',
 
   'graphs.noData.title': 'No Data',

http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/router.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/router.js b/ambari-web/app/router.js
index e9a965f..18203f2 100644
--- a/ambari-web/app/router.js
+++ b/ambari-web/app/router.js
@@ -242,9 +242,13 @@ App.Router = Em.Router.extend({
     console.log("login error: " + error);
     this.setAuthenticated(false);
     if (request.status == 403) {
-      controller.postLogin(true, false);
+      var responseMessage = request.responseText;
+      try{
+        responseMessage = JSON.parse(request.responseText).message;
+      }catch(e){}
+      controller.postLogin(true, false, responseMessage);
     } else {
-      controller.postLogin(false, false);
+      controller.postLogin(false, false, null);
     }
 
   },


Mime
View raw message