geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jinmeil...@apache.org
Subject incubator-geode git commit: GEODE-17: adding more command tests
Date Thu, 31 Mar 2016 17:40:07 GMT
Repository: incubator-geode
Updated Branches:
  refs/heads/feature/GEODE-17-2 5e51d7c74 -> 8f937757c


GEODE-17: adding more command tests

GEODE-17: adding more command tests


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/8f937757
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/8f937757
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/8f937757

Branch: refs/heads/feature/GEODE-17-2
Commit: 8f937757c7828c643cad31668a09a36ce4cc5f3f
Parents: 5e51d7c
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Thu Mar 31 10:11:33 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Thu Mar 31 10:39:46 2016 -0700

----------------------------------------------------------------------
 .../cache/operations/OperationContext.java      |  4 +
 .../internal/security/CLIOperationContext.java  |  2 +-
 .../security/ResourceOperationContext.java      |  4 -
 .../security/DataCommandsSecurityTest.java      | 16 +++-
 .../internal/security/JSONAuthorization.java    |  4 +-
 .../security/MBeanSecurityJUnitTest.java        |  2 +-
 .../security/QueueCommandsSecurityTest.java     | 65 +++++++++++++++++
 .../security/ShellCommandsSecurityTest.java     | 77 ++++++++++++++++++++
 .../security/StatusCommandsSecurityTest.java    | 61 ++++++++++++++++
 .../internal/security/cacheServer.json          |  9 ++-
 10 files changed, 230 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index 93c64a8..9e56632 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -405,4 +405,8 @@ public abstract class OperationContext {
         || opCode.isInvalidate() || opCode.isRegionCreate()
         || opCode.isRegionDestroy() || opCode.isRegionClear());
   }
+
+  public String toString(){
+    return getResource() + ":"+ getOperationCode();
+  }
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
index 7e125ef..3a1f44d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
@@ -90,6 +90,6 @@ public class CLIOperationContext extends ResourceOperationContext {
 	}
 	
 	public String toString(){
-	  return getResource() + ":"+ getOperationCode() + " commmand=" + command + " options="
+ commandOptions;
+	  return super.toString() + " commmand=" + command + " options=" + commandOptions;
 	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 9e2b1b4..9ef458d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -77,8 +77,4 @@ public class ResourceOperationContext extends OperationContext {
     return this.opResult;
   }
 
-  public String toString(){
-    return getResource() + ":"+ getOperationCode();
-  }
-
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
index 7d1564b..bae03f8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
@@ -49,14 +49,22 @@ public class DataCommandsSecurityTest {
   @JMXConnectionConfiguration(user = "dataUser", password = "1234567")
   public void testDataUser() throws Exception {
     bean.processCommand("locate entry --key=k1 --region=region1");
+    bean.processCommand("query --query='SELECT * FROM /region1'");
+
+    // can't operate on secureRegion
     assertThatThrownBy(() -> bean.processCommand("locate entry --key=k1 --region=secureRegion")).isInstanceOf(SecurityException.class);
+    assertThatThrownBy(() -> bean.processCommand("query --query='SELECT * FROM /secureRegion")).isInstanceOf(SecurityException.class);
   }
 
   @JMXConnectionConfiguration(user = "secureDataUser", password = "1234567")
   @Test
   public void testSecureDataUser(){
+    // can do all these on both regions
     bean.processCommand("locate entry --key=k1 --region=region1");
+    bean.processCommand("query --query='SELECT * FROM /region1'");
+
     bean.processCommand("locate entry --key=k1 --region=secureRegion");
+    bean.processCommand("query --query='SELECT * FROM /secureRegion'");
   }
 
   @JMXConnectionConfiguration(user = "superuser", password = "1234567")
@@ -76,19 +84,19 @@ public class DataCommandsSecurityTest {
   @Test
   public void testNoAccess(){
     assertThatThrownBy(() -> bean.processCommand("rebalance --include-region=region1")).isInstanceOf(SecurityException.class)
-    .hasMessageStartingWith("Access Denied: Not authorized for REGION:REBALANCE");
+        .hasMessageContaining("REGION:REBALANCE");
 
     assertThatThrownBy(() -> bean.processCommand("export data --region=region1 --file=foo.txt
--member=value")).isInstanceOf(SecurityException.class);
     assertThatThrownBy(() -> bean.processCommand("import data --region=region1 --file=foo.txt
--member=value")).isInstanceOf(SecurityException.class);
 
     assertThatThrownBy(() -> bean.processCommand("put --key=key1 --value=value1 --region=region1")).isInstanceOf(SecurityException.class)
-        .hasMessageStartingWith("Access Denied: Not authorized for REGION:PUT");
+        .hasMessageContaining("REGION:PUT");
 
     assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region1")).isInstanceOf(SecurityException.class)
-        .hasMessageStartingWith("Access Denied: Not authorized for REGION:GET");
+        .hasMessageContaining("REGION:GET");
 
     assertThatThrownBy(() -> bean.processCommand("query --query='SELECT * FROM /region1'")).isInstanceOf(SecurityException.class)
-        .hasMessageStartingWith("Access Denied: Not authorized for QUERY:EXECUTE");
+        .hasMessageContaining("QUERY:EXECUTE");
   }
 
   // dataUser has all the permissions granted, but not to region2 (only to region1)

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
index 95e0133..90f664e 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
@@ -196,7 +196,6 @@ public class JSONAuthorization implements AccessControl, Authenticator
{
     if(user == null)
       return false; // this user is not authorized to do anything
 
-    LogService.getLogger().info("Context received " + context);
     LogService.getLogger().info("Checking for permission " + context.getResource() + ":"
+ context.getOperationCode());
 
     // check if the user has this permission defined in the context
@@ -212,6 +211,7 @@ public class JSONAuthorization implements AccessControl, Authenticator
{
 
           // If this is a Command operation context, we need to further check if the region
is allowed in this role
           CLIOperationContext ctx = (CLIOperationContext) context;
+
           String region = ctx.getCommandOptions().get("region");
           if(region==null) {
             region = ctx.getCommandOptions().get("include-region");
@@ -233,7 +233,7 @@ public class JSONAuthorization implements AccessControl, Authenticator
{
       }
     }
 
-    LogService.getLogger().info("Did not find code " + context.getOperationCode());
+    LogService.getLogger().info("Did not find code " + context);
     return false;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
index 319fd8a..c0969ad 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
@@ -109,7 +109,7 @@ public class MBeanSecurityJUnitTest {
   @Test
   @JMXConnectionConfiguration(user = "stranger", password = "1234567")
   public void testServerSideCalls(){
-    // calls through ManagementService is not using the MBeanServerWrapper.
+    // calls through ManagementService is not going through authorization checks
     ManagementService service = ManagementService.getManagementService(serverRule.getCache());
     MemberMXBean bean = service.getMemberMXBean();
     bean.compactAllDiskStores();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
new file mode 100644
index 0000000..e9baa41
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class QueueCommandsSecurityTest {
+  private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+  private MemberMXBean bean;
+
+  @ClassRule
+  public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+      jmxManagerPort, "cacheServer.json");
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+  @Before
+  public void setUp() throws Exception {
+    bean = connectionRule.getProxyMBean(MemberMXBean.class);
+  }
+
+  @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+  @Test
+  public void testAllAccess(){
+    bean.processCommand("create async-event-queue --id=myAEQ --listener=myApp.myListener");
+    bean.processCommand("list async-event-queues");
+  }
+
+  // stranger has no permission granted
+  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @Test
+  public void testNoAccess(){
+    assertThatThrownBy(() -> bean.processCommand("create async-event-queue --id=myAEQ
--listener=myApp.myListener"))
+        .isInstanceOf(SecurityException.class).hasMessageContaining("ASYNC_EVENT_QUEUE:CREATE");
+    assertThatThrownBy(() -> bean.processCommand("list async-event-queues"))
+        .isInstanceOf(SecurityException.class).hasMessageContaining("ASYNC_EVENT_QUEUE:LIST");
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
new file mode 100644
index 0000000..4d08d1a
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class ShellCommandsSecurityTest {
+  private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+  private MemberMXBean bean;
+
+  @ClassRule
+  public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+      jmxManagerPort, "cacheServer.json");
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+  @Before
+  public void setUp() throws Exception {
+    bean = connectionRule.getProxyMBean(MemberMXBean.class);
+  }
+
+  @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+  @Test
+  public void testAllAccess(){
+    bean.processCommand("connect");
+    bean.processCommand("debug --state=on");
+    bean.processCommand("describe connection");
+    bean.processCommand("echo --string=\"Hello World!\"");
+    bean.processCommand("encrypt password --password=value");
+    bean.processCommand("version");
+    bean.processCommand("sleep");
+    bean.processCommand("sh ls");
+    bean.processCommand("disconnect");
+  }
+
+  // stranger has no permission granted
+  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @Test
+  public void testNoAccess(){
+    assertThatThrownBy(() -> bean.processCommand("connect")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("debug --state=on")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("describe connection")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("disconnect")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("echo --string=\"Hello World!\"")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("encrypt password --password=value")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("version")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("sleep")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+    assertThatThrownBy(() -> bean.processCommand("sh ls")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
new file mode 100644
index 0000000..10101dd
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class StatusCommandsSecurityTest {
+  private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+  private MemberMXBean bean;
+
+  @ClassRule
+  public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+      jmxManagerPort, "cacheServer.json");
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+  @Before
+  public void setUp() throws Exception {
+    bean = connectionRule.getProxyMBean(MemberMXBean.class);
+  }
+
+  @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+  @Test
+  public void testAllAccess(){
+    bean.processCommand("status cluster-config-service");
+  }
+
+  // stranger has no permission granted
+  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @Test
+  public void testNoAccess(){
+    assertThatThrownBy(() -> bean.processCommand("status cluster-config-service")).isInstanceOf(SecurityException.class).hasMessageContaining("CLUSTER_CONFIGURTION:STATUS");
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
index 5dd08af..60052ac 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
@@ -53,7 +53,11 @@
         "GATEWAY_RECEIVER:STOP",
         "MANAGER:SET_PULSE_URL",
         "MANAGER:START",
-        "MANAGER:STOP"
+        "MANAGER:STOP",
+        "CLUSTER_CONFIGURTION:STATUS",
+        "DISTRIBUTED_SYSTEM:ALL",
+        "ASYNC_EVENT_QUEUE:CREATE",
+        "ASYNC_EVENT_QUEUE:LIST"
       ]
     },
     {
@@ -86,7 +90,8 @@
     {
       "name": "secureDataUsers",
       "operationsAllowed": [
-        "REGION:GET"
+        "REGION:GET",
+        "QUERY:EXECUTE"
       ],
       "regions": ["region1", "secureRegion"]
     }


Mime
View raw message