From u..@apache.org
Subject [04/50] [abbrv] incubator-geode git commit: GEODE-1643: make sure the security manager works on Gateway communication
Date Wed, 10 Aug 2016 19:40:50 GMT
GEODE-1643: make sure the security manager works on Gateway communication


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/d9bec317
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/d9bec317
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/d9bec317

Branch: refs/heads/feature/GEODE-420
Commit: d9bec3178bf67117c0e240fe67a2b0f22759027b
Parents: f6fb4e3
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Mon Aug 1 12:03:07 2016 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Mon Aug 1 12:14:46 2016 -0700

----------------------------------------------------------------------
 .../cache/tier/sockets/ServerConnection.java    |   2 +-
 .../wan/misc/NewWanAuthenticationDUnitTest.java | 164 ++++++++++++++++++-
 2 files changed, 163 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d9bec317/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java
b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java
index 682e55b..bdbef09 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java
@@ -772,7 +772,7 @@ public class ServerConnection implements Runnable {
         }
 
         // if a subject exists for this uniqueId, binds the subject to this thread so that
we can do authorization later
-        if(AcceptorImpl.isIntegratedSecurity() && !isInternalMessage()) {
+        if(AcceptorImpl.isIntegratedSecurity() && !isInternalMessage() &&
this.communicationMode != Acceptor.GATEWAY_TO_GATEWAY) {
           long uniqueId = getUniqueId();
           Subject subject = this.clientUserAuths.getSubject(uniqueId);
           if(subject!=null) {
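Review bot: The added `this.communicationMode != Acceptor.GATEWAY_TO_GATEWAY` clause means no Subject is ever bound for gateway-to-gateway connections, so the per-message authorization that the comment above this block refers to is skipped entirely for WAN traffic, and nothing in the code records why that is acceptable. If the intent is that a gateway connection is authenticated once at handshake and never carries a per-user subject, say so next to the clause: `// gateway-to-gateway connections are authenticated at handshake and carry no per-user subject; skip binding so WAN traffic is not authorized as a client`. Otherwise a receiver applying WAN operations without an authorization step deserves a second look, especially since the test file's own comment in its last hunk notes that under integrated security the sender does not verify the receiver's credentials either. The enclosing method starts before and continues after the hunk, and the new clause would read better on its own line with a space after `if`.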

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d9bec317/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java
b/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java
index 338f253..76940ea 100644
--- a/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java
+++ b/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java
@@ -20,12 +20,16 @@ import static com.gemstone.gemfire.distributed.ConfigurationProperties.*;
 import static com.gemstone.gemfire.test.dunit.Assert.*;
 
 import java.util.Properties;
+import java.util.concurrent.TimeUnit;
 
+import com.jayway.awaitility.Awaitility;
+import org.apache.geode.security.templates.SampleSecurityManager;
 import org.apache.logging.log4j.Logger;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
 import com.gemstone.gemfire.cache.CacheFactory;
+import com.gemstone.gemfire.cache.Region;
 import com.gemstone.gemfire.distributed.DistributedMember;
 import com.gemstone.gemfire.distributed.DistributedSystem;
 import com.gemstone.gemfire.internal.Assert;
@@ -72,7 +76,8 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
     }
     Properties javaProps1 = gen.getJavaProperties();
 
-    Properties credentials2 = gen.getValidCredentials(2);
+    // vm3's invalid credentials
+    Properties credentials2 = gen.getInvalidCredentials(1);
     if (extraProps != null) {
       credentials2.putAll(extraProps);
     }
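Review bot: Switching `credentials2` from `gen.getValidCredentials(2)` to `gen.getInvalidCredentials(1)` changes what this existing test exercises (vm3 now starts with bad credentials while vm2 keeps good ones), but the enclosing method's name and javadoc lie outside the hunk and are not touched by the commit, so a reader of the name alone will not learn that it now covers the mixed-credentials case. The same substitution is made at `@@ -273,7 +393,7 @@` for a second test, where the same naming concern applies. Consider a javadoc line on the enclosing method such as `Sender with valid credentials must still replicate to a receiver whose own credentials are invalid`, and fix the explanatory comment added in the next hunk, which reads `credentails`.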
@@ -80,6 +85,8 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
 
     Properties props1 = buildProperties(clientauthenticator, clientauthInit,
       null, credentials1, null);
+
+    // have vm 3 start a cache with invalid credentails
     Properties props2 = buildProperties(clientauthenticator, clientauthInit,
       null, credentials2, null);
 
@@ -105,8 +112,61 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
       getTestMethodName() + "_RR", null, isOffHeap()  ));
     logger.info("Created RR in vm3");
 
+    // this tests verifies that even though vm3 has invalid credentials, vm2 can still send
data to vm3 because
+    // vm2 has valid credentials
+    vm2.invoke(() -> WANTestBase.startSender( "ln" ));
+    vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" ));
+
+    vm2.invoke(() -> WANTestBase.doPuts(getTestMethodName() + "_RR", 1));
+    vm3.invoke(() -> {
+      Region r = cache.getRegion(Region.SEPARATOR + getTestMethodName() + "_RR");
+      Awaitility.waitAtMost(20, TimeUnit.SECONDS).until(() -> assertTrue(r.size() >
0));
+    });
+    logger.info("Done successfully.");
+  }
+
+  @Test
+  public void testWanIntegratedSecurityWithValidCredentials() {
+    Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId(
1 ));
+    logger.info("Created locator on local site");
+
+    Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator( 2,
lnPort ));
+    logger.info("Created locator on remote site");
+
+
+    Properties props1 = buildSecurityProperties("admin", "secret");
+    Properties props2 = buildSecurityProperties("guest", "guest");
+
+    vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+      props1, null, lnPort ));
+    logger.info("Created secured cache in vm2");
+
+    vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+      props2, null, nyPort ));
+    logger.info("Created secured cache in vm3");
+
+    vm2.invoke(() -> WANTestBase.createSender( "ln", 2,
+      false, 100, 10, false, false, null, true ));
+    logger.info("Created sender in vm2");
+
+    vm3.invoke(() -> createReceiverInSecuredCache());
+    logger.info("Created receiver in vm3");
+
+    vm2.invoke(() -> WANTestBase.createReplicatedRegion(
+      getTestMethodName() + "_RR", "ln", isOffHeap()  ));
+    logger.info("Created RR in vm2");
+    vm3.invoke(() -> WANTestBase.createReplicatedRegion(
+      getTestMethodName() + "_RR", null, isOffHeap()  ));
+    logger.info("Created RR in vm3");
+
     vm2.invoke(() -> WANTestBase.startSender( "ln" ));
     vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" ));
+    vm2.invoke(() -> WANTestBase.doPuts(getTestMethodName() + "_RR", 1));
+    vm3.invoke(() -> {
+      Region r = cache.getRegion(Region.SEPARATOR + getTestMethodName() + "_RR");
+      Awaitility.waitAtMost(20, TimeUnit.SECONDS).until(() -> assertTrue(r.size() >
0));
+
+    });
     logger.info("Done successfully.");
   }
 
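Review bot: `testWanIntegratedSecurityWithValidCredentials` repeats the same locator / secured-cache / sender / receiver scaffolding that `testWanSecurityManagerWithInvalidCredentials` (next hunk) and `testWanSecurityManagerAuthValidCredentialsWithServer` (last hunk) copy line for line; a private helper such as `setUpSecuredSites(Properties senderProps, Properties receiverProps)` that performs the setup and returns the two ports would leave each test showing only what differs. In the `vm3.invoke` lambda `Region r` is a raw type; `Region<?, ?> r = cache.getRegion(...)` avoids the unchecked warning, and the same lambda is pasted into the preceding test at the top of this hunk. The assertion `r.size() > 0` only proves the put arrived: given that the ServerConnection hunk skips subject binding for gateway-to-gateway connections, this test appears unable to distinguish "authorized as admin" from "not authorized at all", which is worth stating in a comment on the test, e.g. `// verifies delivery only; gateway traffic is not authorized per message on the receiver`.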
@@ -182,6 +242,56 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
     }
   }
 
+  /**
+   * Test authentication with new WAN with invalid credentials. Although,
+   * nothing related to authentication has been changed in new WAN, this test
+   * case is added on request from QA for defect 44650.
+   */
+  @Test
+  public void testWanSecurityManagerWithInvalidCredentials() {
+    Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId(
1 ));
+    logger.info("Created locator on local site");
+
+    Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator( 2,
lnPort ));
+    logger.info("Created locator on remote site");
+
+    Properties props1 = buildSecurityProperties("admin", "wrongPswd");
+    Properties props2 = buildSecurityProperties("guest", "wrongPswd");
+
+    logger.info("Done building auth properties");
+
+    vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+      props1, null, lnPort ));
+    logger.info("Created secured cache in vm2");
+
+    vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+      props2, null, nyPort ));
+    logger.info("Created secured cache in vm3");
+
+    vm2.invoke(() -> WANTestBase.createSender( "ln", 2,
+      false, 100, 10, false, false, null, true ));
+    logger.info("Created sender in vm2");
+
+    vm3.invoke(() -> createReceiverInSecuredCache());
+    logger.info("Created receiver in vm3");
+
+    vm2.invoke(() -> WANTestBase.createReplicatedRegion(
+      getTestMethodName() + "_RR", "ln", isOffHeap()  ));
+    logger.info("Created RR in vm2");
+    vm3.invoke(() -> WANTestBase.createReplicatedRegion(
+      getTestMethodName() + "_RR", null, isOffHeap()  ));
+    logger.info("Created RR in vm3");
+
+    try {
+      vm2.invoke(() -> WANTestBase.startSender( "ln" ));
+      fail("Authentication Failed: While starting the sender, an exception should have been
thrown");
+    } catch (Exception e) {
+      if (!(e.getCause().getCause() instanceof AuthenticationFailedException)) {
+        fail("Authentication is not working as expected", e);
+      }
+    }
+  }
+
   private static Properties buildProperties(String clientauthenticator,
                                             String clientAuthInit, String accessor, Properties
extraAuthProps,
                                             Properties extraAuthzProps) {
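Review bot: `testWanSecurityManagerWithInvalidCredentials` fails with a NullPointerException instead of its own message when the thrown exception has fewer than two nested causes, because `e.getCause().getCause()` is dereferenced unconditionally; walking the chain is safer: `Throwable c = e; while (c != null && !(c instanceof AuthenticationFailedException)) { c = c.getCause(); }` followed by `if (c == null) { fail("Authentication is not working as expected", e); }`. The javadoc above the method is copied from an older test and does not describe this one — it speaks of "nothing related to authentication has been changed in new WAN" and "defect 44650" — and should instead say that a sender configured with a wrong password against `SampleSecurityManager` must fail to start with an `AuthenticationFailedException` in its cause chain. Note also that vm3 is given a wrong password too, yet only the sender start is asserted; if the receiver side is expected to reject as well, that deserves its own assertion or a comment saying why it is not checked.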
@@ -207,6 +317,16 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
     return authProps;
   }
 
+  private static Properties buildSecurityProperties(String username, String password){
+    Properties props = new Properties();
+    props.put(SECURITY_MANAGER, SampleSecurityManager.class.getName());
+    props.put("security-json", "org/apache/geode/security/templates/security.json");
+    props.put(SECURITY_CLIENT_AUTH_INIT, UserPasswdAI.class.getName());
+    props.put("security-username", username);
+    props.put("security-password", password);
+    return props;
+  }
+
   public static void createSecuredCache(Properties authProps, Object javaProps, Integer locPort)
{
     authProps.setProperty(MCAST_PORT, "0");
     authProps.setProperty(LOCATORS, "localhost[" + locPort + "]");
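Review bot: `buildSecurityProperties` mixes `ConfigurationProperties` constants (`SECURITY_MANAGER`, `SECURITY_CLIENT_AUTH_INIT`) with bare string keys (`"security-json"`, `"security-username"`, `"security-password"`), so a typo in one of the literals would silently yield a cache with the wrong security configuration rather than a compile error; if `ConfigurationProperties` defines constants for these keys use them, otherwise hoist the literals into named `private static final String` constants in this test. `Properties.setProperty` is the typed API for string keys and matches `createSecuredCache` directly below, which already uses `setProperty`. The method also lacks a javadoc; suggest `/** Builds DS properties that authenticate to SampleSecurityManager's sample security.json as the given user. */`, and a space before the opening brace of the signature.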
@@ -273,7 +393,7 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
       }
       Properties javaProps1 = gen.getJavaProperties();
 
-      Properties credentials2 = gen.getValidCredentials(2);
+      Properties credentials2 = gen.getInvalidCredentials(2);
       if (extraProps != null) {
         credentials2.putAll(extraProps);
       }
@@ -306,4 +426,44 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase {
       vm3.invoke(() -> verifyDifferentServerInGetCredentialCall());
     }
   }
+
+  @Test
+  public void testWanSecurityManagerAuthValidCredentialsWithServer() {
+    disconnectAllFromDS();
+    {
+      Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId(
1 ));
+      logger.info("Created locator on local site");
+
+      Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator(
2, lnPort ));
+      logger.info("Created locator on remote site");
+
+      Properties props1 = buildSecurityProperties("admin", "secret");
+      Properties props2 = buildSecurityProperties("guest", "guest");
+
+      vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+        props1, null, lnPort ));
+      logger.info("Created secured cache in vm2");
+
+      vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(
+        props2, null, nyPort ));
+      logger.info("Created secured cache in vm3");
+
+      vm2.invoke(() -> WANTestBase.createSender( "ln", 2,
+        false, 100, 10, false, false, null, true ));
+      logger.info("Created sender in vm2");
+
+      vm3.invoke(() -> createReceiverInSecuredCache());
+      logger.info("Created receiver in vm3");
+
+      vm2.invoke(() -> WANTestBase.startSender( "ln" ));
+      vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" ));
+
+      vm2.invoke(() -> verifyDifferentServerInGetCredentialCall());
+
+      // this would fail for now because for integrated security, we are not sending the
receiver's credentials back
+      // to the sender. Because in the old security implementation, even though the receiver's
credentials are sent back to the sender
+      // the sender is not checking it.
+      //vm3.invoke(() -> verifyDifferentServerInGetCredentialCall());
+    }
+  }
 }
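Review bot: The commented-out `vm3.invoke(() -> verifyDifferentServerInGetCredentialCall())` at the end of `testWanSecurityManagerAuthValidCredentialsWithServer` documents a real gap — per its own comment, under integrated security the receiver's credentials are not sent back to the sender, so the sender never verifies the receiver — but commented-out code is the one place that gap will not be tracked or noticed when behaviour changes. Replace it with `// TODO(GEODE-<ticket>): re-enable once the receiver's credentials are returned to the sender under integrated security` carrying the rationale, or better, assert the current one-way behaviour explicitly so a change in it is caught. The extra `{ ... }` block wrapping the body after `disconnectAllFromDS()` serves no scoping purpose and should go, and unlike the other new tests this one creates no regions and sends no data, so its name or a javadoc should say it checks only the credential exchange.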

