brooklyn-commits mailing list archives

From grk...@apache.org
Subject [2/4] git commit: BROOKLYN-81: Refuse to reload security provider if none set
Date Fri, 31 Oct 2014 14:36:38 GMT
BROOKLYN-81: Refuse to reload security provider if none set


Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/6324768f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/6324768f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/6324768f

Branch: refs/heads/master
Commit: 6324768f834038ab89f54e7c1fad72babf181bc3
Parents: 5b37ae0
Author: Sam Corbett <sam.corbett@cloudsoftcorp.com>
Authored: Fri Oct 17 17:49:06 2014 +0100
Committer: Sam Corbett <sam.corbett@cloudsoftcorp.com>
Committed: Mon Oct 27 21:35:31 2014 +0000

----------------------------------------------------------------------
 .../java/brooklyn/rest/BrooklynWebConfig.java   | 48 +++++++++++---------
 .../provider/DelegatingSecurityProvider.java    |  6 +++
 .../brooklyn/rest/BrooklynRestApiLauncher.java  |  4 +-
 .../main/java/brooklyn/test/HttpTestUtils.java  |  2 +-
 4 files changed, 36 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/6324768f/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java b/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
index 17867a9..67fd069 100644
--- a/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
+++ b/usage/rest-server/src/main/java/brooklyn/rest/BrooklynWebConfig.java
@@ -22,7 +22,7 @@ import brooklyn.config.ConfigKey;
 import brooklyn.config.ConfigMap;
 import brooklyn.config.ConfigPredicates;
 import brooklyn.entity.basic.ConfigKeys;
-import brooklyn.event.basic.BasicConfigKey;
+import brooklyn.rest.security.provider.DelegatingSecurityProvider;
 import brooklyn.rest.security.provider.ExplicitUsersSecurityProvider;
 
 public class BrooklynWebConfig {
@@ -30,51 +30,57 @@ public class BrooklynWebConfig {
     public final static String BASE_NAME = "brooklyn.webconsole";
     public final static String BASE_NAME_SECURITY = BASE_NAME+".security";
 
-    /** e.g. brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.AnyoneSecurityProvider
will allow anyone to log in;
-     * default is explicitly named users, using SECURITY_PROVIDER_EXPLICIT_USERS  */
-    public final static ConfigKey<String> SECURITY_PROVIDER_CLASSNAME = new BasicConfigKey<String>(String.class,

+    /**
+     * The security provider to be loaded by {@link DelegatingSecurityProvider}.
+     * e.g. <code>brooklyn.webconsole.security.provider=brooklyn.rest.security.provider.AnyoneSecurityProvider</code>
+     * will allow anyone to log in.
+     */
+    public final static ConfigKey<String> SECURITY_PROVIDER_CLASSNAME = ConfigKeys.newStringConfigKey(
             BASE_NAME_SECURITY+".provider", "class name of a Brooklyn SecurityProvider",
             ExplicitUsersSecurityProvider.class.getCanonicalName());
     
-    /** explicitly set the users/passwords, e.g. in brooklyn.properties:
+    /**
+     * Explicitly set the users/passwords, e.g. in brooklyn.properties:
      * brooklyn.webconsole.security.users=admin,bob
      * brooklyn.webconsole.security.user.admin.password=password
      * brooklyn.webconsole.security.user.bob.password=bobspass
      */
-    
-    public final static ConfigKey<String> USERS = new BasicConfigKey<String>(String.class,
-            BASE_NAME_SECURITY+".users");
+    public final static ConfigKey<String> USERS = ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY+".users");
 
     public final static ConfigKey<String> PASSWORD_FOR_USER(String user) {
-        return new BasicConfigKey<String>(String.class, BASE_NAME_SECURITY+".user."+user+".password");
+        return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".password");
     }
     
     public final static ConfigKey<String> SALT_FOR_USER(String user) {
-        return new BasicConfigKey<String>(String.class, BASE_NAME_SECURITY+".user."+user+".salt");
+        return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".salt");
     }
     
     public final static ConfigKey<String> SHA256_FOR_USER(String user) {
-        return new BasicConfigKey<String>(String.class, BASE_NAME_SECURITY+".user."+user+".sha256");
+        return ConfigKeys.newStringConfigKey(BASE_NAME_SECURITY + ".user." + user + ".sha256");
     }
     
-    public final static ConfigKey<String> LDAP_URL = new BasicConfigKey<String>(String.class,
+    public final static ConfigKey<String> LDAP_URL = ConfigKeys.newStringConfigKey(
             BASE_NAME_SECURITY+".ldap.url");
 
-    public final static ConfigKey<String> LDAP_REALM = new BasicConfigKey<String>(String.class,
+    public final static ConfigKey<String> LDAP_REALM = ConfigKeys.newStringConfigKey(
             BASE_NAME_SECURITY+".ldap.realm");
 
-    public final static ConfigKey<Boolean> HTTPS_REQUIRED = ConfigKeys.newBooleanConfigKey(BASE_NAME+".security.https.required",
+    public final static ConfigKey<Boolean> HTTPS_REQUIRED = ConfigKeys.newBooleanConfigKey(
+            BASE_NAME+".security.https.required",
             "Whether HTTPS is required", false); 
 
-    public final static ConfigKey<String> KEYSTORE_URL = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.url",
-        "Keystore from which to take the certificate to present when running HTTPS; "
-        + "note that normally the password is also required, and an alias for the certificate
if the keystore has more than one"); 
+    public final static ConfigKey<String> KEYSTORE_URL = ConfigKeys.newStringConfigKey(
+            BASE_NAME+".security.keystore.url",
+            "Keystore from which to take the certificate to present when running HTTPS; "
+            + "note that normally the password is also required, and an alias for the certificate
if the keystore has more than one");
 
-    public final static ConfigKey<String> KEYSTORE_PASSWORD = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.password",
-        "Password for the "+KEYSTORE_URL); 
+    public final static ConfigKey<String> KEYSTORE_PASSWORD = ConfigKeys.newStringConfigKey(
+            BASE_NAME+".security.keystore.password",
+            "Password for the "+KEYSTORE_URL);
 
-    public final static ConfigKey<String> KEYSTORE_CERTIFICATE_ALIAS = ConfigKeys.newStringConfigKey(BASE_NAME+".security.keystore.certificate.alias",
-        "Alias in "+KEYSTORE_URL+" for the certificate to use; defaults to the first if not
supplied"); 
+    public final static ConfigKey<String> KEYSTORE_CERTIFICATE_ALIAS = ConfigKeys.newStringConfigKey(
+            BASE_NAME+".security.keystore.certificate.alias",
+            "Alias in "+KEYSTORE_URL+" for the certificate to use; defaults to the first
if not supplied");
 
     public final static boolean hasNoSecurityOptions(ConfigMap config) {
         return config.submap(ConfigPredicates.startingWith(BASE_NAME_SECURITY)).isEmpty();
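Review bot: The rewritten Javadoc on `SECURITY_PROVIDER_CLASSNAME` drops the old statement that the default is explicitly named users, so the only provider it now names is `AnyoneSecurityProvider`, which by its own wording lets anyone log in. The key's default is still `ExplicitUsersSecurityProvider`, so I would restore a line such as `* Default is {@link ExplicitUsersSecurityProvider} (explicitly named users, see {@link #USERS}).` and say that the `AnyoneSecurityProvider` example disables authentication. The `USERS` Javadoc likewise shows only the plaintext `...password=` form, although `SALT_FOR_USER` and `SHA256_FOR_USER` are defined a few lines below; one example line for the hashed form would steer readers away from storing clear-text passwords in brooklyn.properties. The body of `hasNoSecurityOptions` continues outside this hunk.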

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/6324768f/usage/rest-server/src/main/java/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
index d14e582..7b49bdd 100644
--- a/usage/rest-server/src/main/java/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
+++ b/usage/rest-server/src/main/java/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
@@ -66,6 +66,12 @@ public class DelegatingSecurityProvider implements SecurityProvider {
         StringConfigMap brooklynProperties = mgmt.getConfig();
 
         String className = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME);
+
+        if (delegate != null && BrooklynWebConfig.hasNoSecurityOptions(mgmt.getConfig()))
{
+            log.debug("{} refusing to change from {}: No security provider set in reloaded
properties.",
+                    this, delegate);
+            return delegate;
+        }
         log.info("REST using security provider " + className);
 
         try {
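Review bot: The new guard tests `BrooklynWebConfig.hasNoSecurityOptions(...)`, which is true only when no key under `brooklyn.webconsole.security` exists at all, so it does not match the "No security provider set" message. Reloaded properties that carry only, say, the keystore or `https.required` keys (both under that prefix in BrooklynWebConfig) skip the guard and fall through to the default class name. If the intent is to keep the current delegate whenever the provider key itself is absent, the condition should test that key rather than the whole prefix; this is worth confirming against the callers. Keeping the existing delegate is also a security-relevant decision that is logged only at debug level, so an operator who expected the reload to take effect will not see it; `log.info` or `log.warn` would be more appropriate here. The guard could also reuse the local `brooklynProperties` instead of calling `mgmt.getConfig()` a second time; the enclosing method starts and ends outside this hunk.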

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/6324768f/usage/rest-server/src/test/java/brooklyn/rest/BrooklynRestApiLauncher.java
----------------------------------------------------------------------
diff --git a/usage/rest-server/src/test/java/brooklyn/rest/BrooklynRestApiLauncher.java b/usage/rest-server/src/test/java/brooklyn/rest/BrooklynRestApiLauncher.java
index 7fb26b9..4d12d62 100644
--- a/usage/rest-server/src/test/java/brooklyn/rest/BrooklynRestApiLauncher.java
+++ b/usage/rest-server/src/test/java/brooklyn/rest/BrooklynRestApiLauncher.java
@@ -186,8 +186,8 @@ public class BrooklynRestApiLauncher {
         }
 
         if (securityProvider != null) {
-            ((BrooklynProperties) mgmt.getConfig()).put(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME,
-                    securityProvider.getName());
+            ((BrooklynProperties) mgmt.getConfig()).put(
+                    BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME, securityProvider.getName());
         }
 
         if (forceUseOfDefaultCatalogWithJavaClassPath) {

http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/6324768f/usage/test-support/src/main/java/brooklyn/test/HttpTestUtils.java
----------------------------------------------------------------------
diff --git a/usage/test-support/src/main/java/brooklyn/test/HttpTestUtils.java b/usage/test-support/src/main/java/brooklyn/test/HttpTestUtils.java
index 6142f78..ceee367 100644
--- a/usage/test-support/src/main/java/brooklyn/test/HttpTestUtils.java
+++ b/usage/test-support/src/main/java/brooklyn/test/HttpTestUtils.java
@@ -331,7 +331,7 @@ public class HttpTestUtils {
             throw Throwables.propagate(e);
         }
     }
-    
+
     /**
      * Schedules (with the given executor) a poller that repeatedly accesses the given url,
to confirm it always gives
      * back the expected status code.

