From: rlevas@apache.org To: commits@ambari.apache.org Message-Id: <7e728fa060764a8295dde7ae6fe4a5e6@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-14450. Declaring a user for anonymous request does not work (rlevas) Date: Mon, 21 Dec 2015 22:19:52 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/trunk 5c6c719c1 -> ea195cb28 AMBARI-14450. Declaring a user for anonymous request does not work (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ea195cb2 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ea195cb2 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ea195cb2 Branch: refs/heads/trunk Commit: ea195cb28d2ca35ac18e5a21eb7a7dec1670e0e2 Parents: 5c6c719 Author: Robert Levas Authored: Mon Dec 21 17:19:46 2015 -0500 Committer: Robert Levas Committed: Mon Dec 21 17:19:46 2015 -0500
----------------------------------------------------------------------
 .../AmbariAuthorizationFilter.java | 4 +-
 .../security/TestAuthenticationFactory.java | 6 +
 .../AmbariAuthorizationFilterTest.java | 132 +++++++++++--------
 3 files changed, 82 insertions(+), 60 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 20ce7fa..82c03e4 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -117,7 +117,7 @@ public class AmbariAuthorizationFilter implements Filter {
 if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
 Authentication defaultAuthentication = getDefaultAuthentication();
 if (defaultAuthentication != null) {
- context.setAuthentication(authentication);
+ context.setAuthentication(defaultAuthentication);
 authentication = defaultAuthentication;
 }
 }
@@ -221,7 +221,7 @@ public class AmbariAuthorizationFilter implements Filter {
 String username = configuration.getDefaultApiAuthenticatedUser();
 if (!StringUtils.isEmpty(username)) {
- final User user = users.getAnyUser(username);
+ final User user = users.getUser(username, UserType.LOCAL);
 if (user != null) {
 Principal principal = new Principal() {
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
index 3e164e0..2b2c276 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java
@@ -152,6 +152,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createAdministratorPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.AMBARI));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.allOf(RoleAuthorization.class)));
 return permissionEntity;
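Review bot: In the second hunk the `user != null` test is the only gate between a configured default-user name and that account becoming the identity of every anonymous request, yet nothing explains why the lookup is now restricted to `UserType.LOCAL`; a comment above it would keep the next maintainer from widening it back to `getAnyUser`, e.g. `// Only a LOCAL account may stand in for anonymous callers; a non-local name leaves the request anonymous.` If the `User` type exposes an active/disabled flag, the same guard should require it, so a deactivated account cannot keep serving as the implicit default identity — confirm against the `User` class. Both enclosing methods begin and end outside these hunks.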
@@ -159,6 +160,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createClusterAdministratorPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
 RoleAuthorization.CLUSTER_MANAGE_CREDENTIALS,
@@ -199,6 +201,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createServiceAdministratorPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(5);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
 RoleAuthorization.CLUSTER_VIEW_ALERTS,
@@ -229,6 +232,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createServiceOperatorPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(6);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
 RoleAuthorization.SERVICE_VIEW_CONFIGS,
@@ -253,6 +257,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createClusterUserPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.CLUSTER_USER_PERMISSION);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
 RoleAuthorization.SERVICE_VIEW_CONFIGS,
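Review bot: `permissionEntity.setId(5)` in the `createServiceAdministratorPermission` hunk and `setId(6)` in the `createServiceOperatorPermission` hunk are bare numbers, while the sibling hunks use `PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION`, `CLUSTER_ADMINISTRATOR_PERMISSION` and `CLUSTER_USER_PERMISSION`. If `PermissionEntity` has no constant for these two ids, declare them once in this factory, e.g. `private static final int SERVICE_ADMINISTRATOR_PERMISSION_ID = 5; // TODO confirm against the permission seed data`, and use the names here, so a renumbering of the seeded permissions fails in one place instead of silently giving a test the wrong role. Each of the enclosing factory methods continues past its hunk.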
@@ -273,6 +278,7 @@ public class TestAuthenticationFactory {
 private static PermissionEntity createViewUserPermission() {
 PermissionEntity permissionEntity = new PermissionEntity();
+ permissionEntity.setId(PermissionEntity.VIEW_USER_PERMISSION);
 permissionEntity.setResourceType(createResourceTypeEntity(ResourceType.CLUSTER));
 permissionEntity.setAuthorizations(createAuthorizations(EnumSet.of(
 RoleAuthorization.VIEW_USE
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea195cb2/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 4cab770..b30bff3 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -26,11 +26,9 @@ import static org.easymock.EasyMock.getCurrentArguments;
 import static org.easymock.EasyMock.replay;
 import static org.easymock.EasyMock.verify;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.List;
-
+import javax.persistence.EntityManager;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletRequest;
@@ -38,16 +36,22 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
 import junit.framework.Assert;
+import org.apache.ambari.server.configuration.Configuration;
+import org.apache.ambari.server.orm.DBAccessor;
+import org.apache.ambari.server.orm.dao.UserDAO;
 import org.apache.ambari.server.orm.entities.PermissionEntity;
 import org.apache.ambari.server.orm.entities.PrivilegeEntity;
-import org.apache.ambari.server.orm.entities.ViewInstanceEntity.ViewInstanceVersionDTO;
-import org.apache.ambari.server.security.authorization.internal.InternalAuthenticationToken;
+import org.apache.ambari.server.security.TestAuthenticationFactory;
+import org.apache.ambari.server.state.stack.OsFamily;
 import org.apache.ambari.server.view.ViewRegistry;
 import org.easymock.EasyMock;
 import org.easymock.IAnswer;
-import org.junit.BeforeClass;
+import org.junit.After;
 import org.junit.Test;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -58,14 +62,12 @@ import com.google.common.collect.HashBasedTable;
 import com.google.common.collect.Table;
 import com.google.common.collect.Table.Cell;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 public class AmbariAuthorizationFilterTest {
- @BeforeClass
- public static void setupAuthentication() {
- // Set authenticated user so that authorization checks will pass
- InternalAuthenticationToken authenticationToken = new InternalAuthenticationToken("admin");
- authenticationToken.setAuthenticated(true);
- SecurityContextHolder.getContext().setAuthentication(authenticationToken);
+ @After
+ public void clearAuthentication() {
+ SecurityContextHolder.getContext().setAuthentication(null);
 }
 @Test
@@ -193,7 +195,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/any/other/URL", "GET", true);
 urlTests.put("/any/other/URL", "POST", true);
- performGeneralDoFilterTest("admin", new int[]{PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), urlTests, false);
 }
 @Test
@@ -226,7 +228,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/any/other/URL", "GET", true);
 urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[]{PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), urlTests, false);
 }
 @Test
@@ -259,7 +261,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/any/other/URL", "GET", true);
 urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[] {PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), urlTests, false);
 }
 @Test
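Review bot: `clearAuthentication()` in the first hunk resets the process-wide `SecurityContextHolder` by storing `null` into whatever context is currently bound, whereas `SecurityContextHolder.clearContext();` discards the thread-bound context itself and is the conventional way to isolate tests. That isolation now matters more than before, because `testDoFilter_NotLoggedIn_UseDefaultUser` (added later in this diff) asserts directly against the global holder instead of a mocked `SecurityContext`, so any authentication left behind by another test would be visible to it. A one-line comment on the method, e.g. `// Reset the global security context so tests cannot observe each other's authentication.`, would record why the hook exists.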
@@ -292,7 +294,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/any/other/URL", "GET", true);
 urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user1", new int[] {PermissionEntity.VIEW_USER_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(99L), urlTests, false);
 }
 @Test
@@ -323,7 +325,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/any/other/URL", "GET", true);
 urlTests.put("/any/other/URL", "POST", false);
- performGeneralDoFilterTest("user2", new int[0], urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(null), urlTests, false);
 }
 @Test
@@ -332,7 +334,7 @@ public class AmbariAuthorizationFilterTest {
 urlTests.put("/views/SomeView/SomeVersion/SomeInstance", "GET", false);
 urlTests.put("/views/SomeView/SomeVersion/SomeInstance?foo=bar", "GET", false);
- performGeneralDoFilterTest(null, new int[0], urlTests, true);
+ performGeneralDoFilterTest(null, urlTests, true);
 }
 @Test
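Review bot: The hunk at line 323 replaces `performGeneralDoFilterTest("user2", new int[0], urlTests, false)`, which modelled an authenticated user holding no permissions at all, with `TestAuthenticationFactory.createViewUser(null)`; if that factory method still attaches a view-user privilege (merely with no view instance), the "authenticated but unprivileged" case this test covered is no longer exercised by any of the rewritten calls. Either add a factory method that returns an authentication with an empty authority list and use it here, or add a comment on the call stating which case the `null` argument is meant to represent. The enclosing test method starts outside the hunk.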
@@ -340,67 +342,81 @@ public class AmbariAuthorizationFilterTest {
 final Table urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/stacks/HDP/versions/2.3/validations", "POST", true);
 urlTests.put("/api/v1/stacks/HDP/versions/2.3/recommendations", "POST", true);
- performGeneralDoFilterTest("user1", new int[] { PermissionEntity.CLUSTER_ADMINISTRATOR_PERMISSION}, urlTests, false);
- performGeneralDoFilterTest("user2", new int[] { PermissionEntity.CLUSTER_USER_PERMISSION}, urlTests, false);
- performGeneralDoFilterTest("admin", new int[] { PermissionEntity.AMBARI_ADMINISTRATOR_PERMISSION}, urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), urlTests, false);
+ performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), urlTests, false);
+ }
+
+ @Test
+ public void testDoFilter_NotLoggedIn_UseDefaultUser() throws Exception {
+ final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);
+ final HttpServletResponse response = createNiceMock(HttpServletResponse.class);
+
+ final HttpServletRequest request = createNiceMock(HttpServletRequest.class);
+ expect(request.getRequestURI()).andReturn("/uri").anyTimes();
+ expect(request.getQueryString()).andReturn(null).anyTimes();
+ expect(request.getMethod()).andReturn("GET").anyTimes();
+
+ chain.doFilter(EasyMock.anyObject(), EasyMock.anyObject());
+ EasyMock.expectLastCall().once();
+
+ final Configuration configuration = EasyMock.createMock(Configuration.class);
+ expect(configuration.getDefaultApiAuthenticatedUser()).andReturn("user1").once();
+
+ User user = EasyMock.createMock(User.class);
+ expect(user.getUserName()).andReturn("user1").anyTimes();
+ expect(user.getUserType()).andReturn(UserType.LOCAL).anyTimes();
+
+ final Users users = EasyMock.createMock(Users.class);
+ expect(users.getUser("user1", UserType.LOCAL)).andReturn(user).once();
+ expect(users.getUserAuthorities("user1", UserType.LOCAL)).andReturn(Collections.emptyList()).once();
+
+ replay(request, response, chain, configuration, users, user);
+
+ Injector injector = Guice.createInjector(new AbstractModule() {
+ @Override
+ protected void configure() {
+ bind(Configuration.class).toInstance(configuration);
+ bind(Users.class).toInstance(users);
+ bind(EntityManager.class).toInstance(EasyMock.createMock(EntityManager.class));
+ bind(UserDAO.class).toInstance(EasyMock.createMock(UserDAO.class));
+ bind(DBAccessor.class).toInstance(EasyMock.createMock(DBAccessor.class));
+ bind(PasswordEncoder.class).toInstance(EasyMock.createMock(PasswordEncoder.class));
+ bind(OsFamily.class).toInstance(EasyMock.createMock(OsFamily.class));
+ }
+ });
+
+ AmbariAuthorizationFilter filter = new AmbariAuthorizationFilter();
+ injector.injectMembers(filter);
+
+ filter.doFilter(request, response, chain);
+
+ Assert.assertEquals("user1", SecurityContextHolder.getContext().getAuthentication().getName());
 }
 /**
 * Creates mocks with given permissions and performs all given url tests.
 *
- * @param username user name
- * @param permissionsGranted array of user permissions
+ * @param authentication the authentication to use
 * @param urlTests map of triples: url - http method - is allowed
 * @param expectRedirect true if the requests should redirect to login
 * @throws Exception
 */
- private void performGeneralDoFilterTest(String username, final int[] permissionsGranted, Table urlTests, boolean expectRedirect) throws Exception {
+ private void performGeneralDoFilterTest(Authentication authentication, Table urlTests, boolean expectRedirect) throws Exception {
 final SecurityContext securityContext = createNiceMock(SecurityContext.class);
- final Authentication authentication = createNiceMock(Authentication.class);
 final FilterConfig filterConfig = createNiceMock(FilterConfig.class);
 final AmbariAuthorizationFilter filter = createMockBuilder(AmbariAuthorizationFilter.class)
 .addMockedMethod("getSecurityContext").addMockedMethod("getViewRegistry").withConstructor().createMock();
- final List authorities = new ArrayList();
 final ViewRegistry viewRegistry = createNiceMock(ViewRegistry.class);
- for (int permissionGranted: permissionsGranted) {
- final AmbariGrantedAuthority authority = createNiceMock(AmbariGrantedAuthority.class);
- final PrivilegeEntity privilegeEntity = createNiceMock(PrivilegeEntity.class);
- final PermissionEntity permission = createNiceMock(PermissionEntity.class);
-
- expect(authority.getPrivilegeEntity()).andReturn(privilegeEntity).anyTimes();
- expect(privilegeEntity.getPermission()).andReturn(permission).anyTimes();
- expect(permission.getId()).andReturn(permissionGranted).anyTimes();
-
- replay(authority, privilegeEntity, permission);
- authorities.add(authority);
- }
-
- EasyMock.>expect(authentication.getAuthorities()).andReturn(authorities).anyTimes();
 expect(filterConfig.getInitParameter("realm")).andReturn("AuthFilter").anyTimes();
- if (username == null) {
- expect(authentication.isAuthenticated()).andReturn(false).anyTimes();
- } else {
- expect(authentication.isAuthenticated()).andReturn(true).anyTimes();
- expect(authentication.getName()).andReturn(username).anyTimes();
- }
+
 expect(filter.getSecurityContext()).andReturn(securityContext).anyTimes();
 expect(filter.getViewRegistry()).andReturn(viewRegistry).anyTimes();
 expect(securityContext.getAuthentication()).andReturn(authentication).anyTimes();
- expect(viewRegistry.checkPermission(EasyMock.eq("AllowedView"), EasyMock.anyObject(), EasyMock.anyObject(), EasyMock.anyBoolean())).andAnswer(new IAnswer() {
- @Override
- public Boolean answer() throws Throwable {
- for (int permissionGranted: permissionsGranted) {
- if (permissionGranted == PermissionEntity.VIEW_USER_PERMISSION) {
- return true;
- }
- }
- return false;
- }
- }).anyTimes();
 expect(viewRegistry.checkPermission(EasyMock.eq("DeniedView"), EasyMock.anyObject(), EasyMock.anyObject(), EasyMock.anyBoolean())).andReturn(false).anyTimes();
- replay(authentication, filterConfig, filter, securityContext, viewRegistry);
+ replay(filterConfig, filter, securityContext, viewRegistry);
 for (final Cell urlTest: urlTests.cellSet()) {
 final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);