Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id DE58D200B51 for ; Mon, 1 Aug 2016 21:15:19 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id DCC05160A6C; Mon, 1 Aug 2016 19:15:19 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D8408160A66 for ; Mon, 1 Aug 2016 21:15:18 +0200 (CEST) Received: (qmail 98055 invoked by uid 500); 1 Aug 2016 19:15:18 -0000 Mailing-List: contact commits-help@geode.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@geode.incubator.apache.org Delivered-To: mailing list commits@geode.incubator.apache.org Received: (qmail 98046 invoked by uid 99); 1 Aug 2016 19:15:18 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 01 Aug 2016 19:15:18 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id A29DC1A02FA for ; Mon, 1 Aug 2016 19:15:17 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -4.646 X-Spam-Level: X-Spam-Status: No, score=-4.646 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426] autolearn=disabled Received: from mx2-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id fNZvecBlqCOt for ; Mon, 1 Aug 2016 19:15:14 +0000 (UTC) Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by 
mx2-lw-us.apache.org (ASF Mail Server at mx2-lw-us.apache.org) with SMTP id A4AE25F613 for ; Mon, 1 Aug 2016 19:15:13 +0000 (UTC) Received: (qmail 98015 invoked by uid 99); 1 Aug 2016 19:15:13 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 01 Aug 2016 19:15:13 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 07D34E058E; Mon, 1 Aug 2016 19:15:12 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: jinmeiliao@apache.org To: commits@geode.incubator.apache.org Message-Id: <32a22ff45dff44e8966b480c3eb2d2d0@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: incubator-geode git commit: GEODE-1643: make sure the security manager works on Gateway communication Date: Mon, 1 Aug 2016 19:15:12 +0000 (UTC) archived-at: Mon, 01 Aug 2016 19:15:20 -0000 Repository: incubator-geode Updated Branches: refs/heads/develop f6fb4e36f -> d9bec3178 GEODE-1643: make sure the security manager works on Gateway communication Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/d9bec317 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/d9bec317 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/d9bec317 Branch: refs/heads/develop Commit: d9bec3178bf67117c0e240fe67a2b0f22759027b Parents: f6fb4e3 Author: Jinmei Liao Authored: Mon Aug 1 12:03:07 2016 -0700 Committer: Jinmei Liao Committed: Mon Aug 1 12:14:46 2016 -0700 ---------------------------------------------------------------------- .../cache/tier/sockets/ServerConnection.java | 2 +- .../wan/misc/NewWanAuthenticationDUnitTest.java | 164 ++++++++++++++++++- 2 files changed, 163 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d9bec317/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java index 682e55b..bdbef09 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java 
+++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/ServerConnection.java @@ -772,7 +772,7 @@ public class ServerConnection implements Runnable { } // if a subject exists for this uniqueId, binds the subject to this thread so that we can do authorization later - if(AcceptorImpl.isIntegratedSecurity() && !isInternalMessage()) { + if(AcceptorImpl.isIntegratedSecurity() && !isInternalMessage() && this.communicationMode != Acceptor.GATEWAY_TO_GATEWAY) { long uniqueId = getUniqueId(); Subject subject = this.clientUserAuths.getSubject(uniqueId); if(subject!=null) { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/d9bec317/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java b/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java index 338f253..76940ea 100644 --- a/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java +++ b/geode-wan/src/test/java/com/gemstone/gemfire/internal/cache/wan/misc/NewWanAuthenticationDUnitTest.java 
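Review bot: The added `this.communicationMode != Acceptor.GATEWAY_TO_GATEWAY` clause means a gateway-to-gateway connection never gets a Subject bound to the thread, so any authorization that later relies on that binding will not apply to events delivered over the WAN link, and the comment above the condition still describes only the uniqueId/subject case. Make the exemption explicit so it is not read as an oversight, e.g. `// gateway-to-gateway traffic is excluded: no per-user subject is bound for it (GEODE-1643)`, and if WAN-delivered events are meant to be authorized elsewhere, name that place in the comment. The three-term condition would also read better as a named boolean, `boolean bindSubject = AcceptorImpl.isIntegratedSecurity() && !isInternalMessage() && this.communicationMode != Acceptor.GATEWAY_TO_GATEWAY;`. The enclosing method starts and ends outside the hunk.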
@@ -20,12 +20,16 @@ import static com.gemstone.gemfire.distributed.ConfigurationProperties.*; import static com.gemstone.gemfire.test.dunit.Assert.*; import java.util.Properties; +import java.util.concurrent.TimeUnit; +import com.jayway.awaitility.Awaitility; +import org.apache.geode.security.templates.SampleSecurityManager; import org.apache.logging.log4j.Logger; import org.junit.Test; import org.junit.experimental.categories.Category; import com.gemstone.gemfire.cache.CacheFactory; +import com.gemstone.gemfire.cache.Region; import com.gemstone.gemfire.distributed.DistributedMember; import com.gemstone.gemfire.distributed.DistributedSystem; import com.gemstone.gemfire.internal.Assert; @@ -72,7 +76,8 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { } Properties javaProps1 = gen.getJavaProperties(); - Properties credentials2 = gen.getValidCredentials(2); + // vm3's invalid credentials + Properties credentials2 = gen.getInvalidCredentials(1); if (extraProps != null) { credentials2.putAll(extraProps); } @@ -80,6 +85,8 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { Properties props1 = buildProperties(clientauthenticator, clientauthInit, null, credentials1, null); + + // have vm 3 start a cache with invalid credentails Properties props2 = buildProperties(clientauthenticator, clientauthInit, null, credentials2, null); 
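Review bot: The replacement `Properties credentials2 = gen.getInvalidCredentials(1);` changes the intent of an existing test (vm3 previously had valid credentials), and the index passed differs from the parallel change in hunk `@@ -273,7 +393,7 @@`, which uses `gen.getInvalidCredentials(2)`; if the different index is deliberate, say why in the comment, e.g. `// vm3's invalid credentials (index 1 so they differ from the old valid set)`, otherwise align the two. The enclosing test method's signature is outside the hunk, so it is worth checking that its name and Javadoc still describe the invalid-receiver-credentials scenario.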
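Review bot: The added comment `// have vm 3 start a cache with invalid credentails` has a typo; suggest `// have vm3 start a cache with invalid credentials`.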
@@ -105,8 +112,61 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { getTestMethodName() + "_RR", null, isOffHeap() )); logger.info("Created RR in vm3"); + // this tests verifies that even though vm3 has invalid credentials, vm2 can still send data to vm3 because + // vm2 has valid credentials + vm2.invoke(() -> WANTestBase.startSender( "ln" )); + vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" )); + + vm2.invoke(() -> WANTestBase.doPuts(getTestMethodName() + "_RR", 1)); + vm3.invoke(() -> { + Region r = cache.getRegion(Region.SEPARATOR + getTestMethodName() + "_RR"); + Awaitility.waitAtMost(20, TimeUnit.SECONDS).until(() -> assertTrue(r.size() > 0)); + }); + logger.info("Done successfully."); + } + + @Test + public void testWanIntegratedSecurityWithValidCredentials() { + Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId( 1 )); + logger.info("Created locator on local site"); + + Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator( 2, lnPort )); + logger.info("Created locator on remote site"); + + + Properties props1 = buildSecurityProperties("admin", "secret"); + Properties props2 = buildSecurityProperties("guest", "guest"); + + vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props1, null, lnPort )); + logger.info("Created secured cache in vm2"); + + vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props2, null, nyPort )); + logger.info("Created secured cache in vm3"); + + vm2.invoke(() -> WANTestBase.createSender( "ln", 2, + false, 100, 10, false, false, null, true )); + logger.info("Created sender in vm2"); + + vm3.invoke(() -> createReceiverInSecuredCache()); + logger.info("Created receiver in vm3"); + + vm2.invoke(() -> WANTestBase.createReplicatedRegion( + getTestMethodName() + "_RR", "ln", isOffHeap() )); + logger.info("Created RR in vm2"); + vm3.invoke(() -> WANTestBase.createReplicatedRegion( + getTestMethodName() + "_RR", null, 
isOffHeap() )); + logger.info("Created RR in vm3"); + vm2.invoke(() -> WANTestBase.startSender( "ln" )); vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" )); + vm2.invoke(() -> WANTestBase.doPuts(getTestMethodName() + "_RR", 1)); + vm3.invoke(() -> { + Region r = cache.getRegion(Region.SEPARATOR + getTestMethodName() + "_RR"); + Awaitility.waitAtMost(20, TimeUnit.SECONDS).until(() -> assertTrue(r.size() > 0)); + + }); logger.info("Done successfully."); } 
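Review bot: `Region r = cache.getRegion(...)` in the two added `vm3.invoke` lambdas uses a raw type; `Region<?, ?> r = ...` keeps the `r.size()` call and avoids the unchecked warning. The added comment `// this tests verifies ...` should read `// this test verifies that even though vm3 has invalid credentials, vm2 can still send data to vm3 because vm2 has valid credentials`, and it is worth stating there that the check is one-directional: only the sender's credentials are verified. The new `testWanIntegratedSecurityWithValidCredentials` repeats the same locator/cache/sender/receiver/region setup as the tests added in hunks `@@ -182,6 +242,56 @@` and `@@ -306,4 +426,44 @@`; a helper that takes the two property sets would leave each test with only the step it actually asserts.
```java
/** Starts one locator per site, a secured cache in vm2 (sender) and vm3 (receiver), a sender, a receiver and a replicated region on both. */
private void setUpSecuredWanSites(Properties senderProps, Properties receiverProps) {
  Integer lnPort = (Integer) vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId(1));
  Integer nyPort = (Integer) vm1.invoke(() -> WANTestBase.createFirstRemoteLocator(2, lnPort));
  vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(senderProps, null, lnPort));
  vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache(receiverProps, null, nyPort));
  vm2.invoke(() -> WANTestBase.createSender("ln", 2, false, 100, 10, false, false, null, true));
  vm3.invoke(() -> createReceiverInSecuredCache());
  vm2.invoke(() -> WANTestBase.createReplicatedRegion(getTestMethodName() + "_RR", "ln", isOffHeap()));
  vm3.invoke(() -> WANTestBase.createReplicatedRegion(getTestMethodName() + "_RR", null, isOffHeap()));
}

@Test
public void testWanIntegratedSecurityWithValidCredentials() {
  setUpSecuredWanSites(buildSecurityProperties("admin", "secret"), buildSecurityProperties("guest", "guest"));
  vm2.invoke(() -> WANTestBase.startSender("ln"));
  // … unchanged: waitForSenderRunningState, doPuts and the Awaitility size check …
}
```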
@@ -182,6 +242,56 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { } } + /** + * Test authentication with new WAN with invalid credentials. Although, + * nothing related to authentication has been changed in new WAN, this test + * case is added on request from QA for defect 44650. + */ + @Test + public void testWanSecurityManagerWithInvalidCredentials() { + Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId( 1 )); + logger.info("Created locator on local site"); + + Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator( 2, lnPort )); + logger.info("Created locator on remote site"); + + Properties props1 = buildSecurityProperties("admin", "wrongPswd"); + Properties props2 = buildSecurityProperties("guest", "wrongPswd"); + + logger.info("Done building auth properties"); + + vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props1, null, lnPort )); + logger.info("Created secured cache in vm2"); + + vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props2, null, nyPort )); + logger.info("Created secured cache in vm3"); + + vm2.invoke(() -> WANTestBase.createSender( "ln", 2, + false, 100, 10, false, false, null, true )); + logger.info("Created sender in vm2"); + + vm3.invoke(() -> createReceiverInSecuredCache()); + logger.info("Created receiver in vm3"); + + vm2.invoke(() -> WANTestBase.createReplicatedRegion( + getTestMethodName() + "_RR", "ln", isOffHeap() )); + logger.info("Created RR in vm2"); + vm3.invoke(() -> WANTestBase.createReplicatedRegion( + getTestMethodName() + "_RR", null, isOffHeap() )); + logger.info("Created RR in vm3"); + + try { + vm2.invoke(() -> WANTestBase.startSender( "ln" )); + fail("Authentication Failed: While starting the sender, an exception should have been thrown"); + } catch (Exception e) { + if (!(e.getCause().getCause() instanceof AuthenticationFailedException)) { + fail("Authentication is not working as expected", e); + } + 
} + } + private static Properties buildProperties(String clientauthenticator, String clientAuthInit, String accessor, Properties extraAuthProps, Properties extraAuthzProps) { @@ -207,6 +317,16 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { return authProps; } + private static Properties buildSecurityProperties(String username, String password){ + Properties props = new Properties(); + props.put(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + props.put("security-json", "org/apache/geode/security/templates/security.json"); + props.put(SECURITY_CLIENT_AUTH_INIT, UserPasswdAI.class.getName()); + props.put("security-username", username); + props.put("security-password", password); + return props; + } + public static void createSecuredCache(Properties authProps, Object javaProps, Integer locPort) { authProps.setProperty(MCAST_PORT, "0"); authProps.setProperty(LOCATORS, "localhost[" + locPort + "]"); @@ -273,7 +393,7 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { } Properties javaProps1 = gen.getJavaProperties(); - Properties credentials2 = gen.getValidCredentials(2); + Properties credentials2 = gen.getInvalidCredentials(2); if (extraProps != null) { credentials2.putAll(extraProps); } 
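Review bot: In the `catch (Exception e)` block of the new `testWanSecurityManagerWithInvalidCredentials`, `e.getCause().getCause()` throws NullPointerException when the chain is shorter than two causes, so a wrong failure mode surfaces as an NPE instead of the `fail("Authentication is not working as expected", e)` message. Walking the cause chain until an `AuthenticationFailedException` is found keeps the assertion meaningful whatever the wrapping depth. The Javadoc added above the method is copied from an older test ("nothing related to authentication has been changed in new WAN", "defect 44650") and does not describe this one; suggest `/** Verifies that with the integrated SecurityManager a sender whose credentials are rejected cannot start against the receiver (GEODE-1643). */`. The `logger.info("Done building auth properties")` line adds nothing and can go.
```java
} catch (Exception e) {
  Throwable cause = e;
  while (cause != null && !(cause instanceof AuthenticationFailedException)) {
    cause = cause.getCause();
  }
  if (cause == null) {
    fail("Authentication is not working as expected", e);
  }
}
```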
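Review bot: The new `buildSecurityProperties` populates the `Properties` with `props.put(...)` while `createSecuredCache` in the same hunk uses `authProps.setProperty(...)`; use `setProperty` throughout so the values are guaranteed to be stored as strings and the two helpers read alike. The method also lacks a doc comment; suggest `/** Builds cache properties secured by {@link SampleSecurityManager}, authenticating as the given user with {@code UserPasswdAI}. */`.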
@@ -306,4 +426,44 @@ public class NewWanAuthenticationDUnitTest extends WANTestBase { vm3.invoke(() -> verifyDifferentServerInGetCredentialCall()); } } + + @Test + public void testWanSecurityManagerAuthValidCredentialsWithServer() { + disconnectAllFromDS(); + { + Integer lnPort = (Integer)vm0.invoke(() -> WANTestBase.createFirstLocatorWithDSId( 1 )); + logger.info("Created locator on local site"); + + Integer nyPort = (Integer)vm1.invoke(() -> WANTestBase.createFirstRemoteLocator( 2, lnPort )); + logger.info("Created locator on remote site"); + + Properties props1 = buildSecurityProperties("admin", "secret"); + Properties props2 = buildSecurityProperties("guest", "guest"); + + vm2.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props1, null, lnPort )); + logger.info("Created secured cache in vm2"); + + vm3.invoke(() -> NewWanAuthenticationDUnitTest.createSecuredCache( + props2, null, nyPort )); + logger.info("Created secured cache in vm3"); + + vm2.invoke(() -> WANTestBase.createSender( "ln", 2, + false, 100, 10, false, false, null, true )); + logger.info("Created sender in vm2"); + + vm3.invoke(() -> createReceiverInSecuredCache()); + logger.info("Created receiver in vm3"); + + vm2.invoke(() -> WANTestBase.startSender( "ln" )); + vm2.invoke(() -> WANTestBase.waitForSenderRunningState( "ln" )); + + vm2.invoke(() -> verifyDifferentServerInGetCredentialCall()); + + // this would fail for now because for integrated security, we are not sending the receiver's credentials back + // to the sender. Because in the old security implementation, even though the receiver's credentials are sent back to the sender + // the sender is not checking it. + //vm3.invoke(() -> verifyDifferentServerInGetCredentialCall()); + } + } }
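Review bot: The new `testWanSecurityManagerAuthValidCredentialsWithServer` ends with commented-out code, `//vm3.invoke(() -> verifyDifferentServerInGetCredentialCall());`, whose accompanying comment records a real gap — under integrated security the receiver's credentials are not sent back to the sender, so authentication on the WAN link is one-directional. That is a limitation to document and track, not dead code to keep: replace the four lines with `// TODO [TRACKING-ISSUE-ID]: the sender does not verify the receiver's credentials under integrated security; re-enable the vm3 verification once it does.` The extra `{ ... }` block wrapping the method body serves no purpose, and `disconnectAllFromDS()` is called here but not in the other tests added by this commit — presumably because the preceding test leaves a distributed system connected; if so, a short comment would help.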