geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hiteshkhame...@apache.org
Subject [07/15] incubator-geode git commit: GEODE-37 Renamed security related stuff
Date Tue, 13 Sep 2016 22:56:09 GMT
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationDUnitTest.java b/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationDUnitTest.java
new file mode 100644
index 0000000..79feae9
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationDUnitTest.java
@@ -0,0 +1,647 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security;
+
+import static com.gemstone.gemfire.internal.AvailablePort.*;
+import static com.gemstone.gemfire.security.SecurityTestUtils.*;
+import static com.gemstone.gemfire.test.dunit.Assert.*;
+import static com.gemstone.gemfire.test.dunit.IgnoredException.*;
+import static com.gemstone.gemfire.test.dunit.LogWriterUtils.*;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Properties;
+
+import com.gemstone.gemfire.internal.AvailablePortHelper;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.generator.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.generator.CredentialGenerator;
+import com.gemstone.gemfire.security.generator.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.generator.XmlAuthzCredentialGenerator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.test.dunit.VM;
+import com.gemstone.gemfire.test.junit.categories.DistributedTest;
+import com.gemstone.gemfire.test.junit.categories.SecurityTest;
+
+/**
+ * Tests for authorization from client to server. This tests for authorization
+ * of all operations with both valid and invalid credentials/modules with
+ * pre-operation callbacks. It also checks for authorization in case of
+ * failover.
+ *
+ * @since GemFire 5.5
+ */
+@Category({ DistributedTest.class, SecurityTest.class })
+public class ClientAuthorizationDUnitTest extends ClientAuthorizationTestCase {
+
+  @Override
+  public final void preTearDownClientAuthorizationTestBase() throws Exception {
+    closeCache();
+  }
+
+  @Test
+  public void testAllowPutsGets() {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testAllowPutsGets: Using authinit: " + authInit);
+    getLogWriter().info("testAllowPutsGets: Using authenticator: " + authenticator);
+    getLogWriter().info("testAllowPutsGets: Using accessor: " + accessor);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    int port1 = createServer1(javaProps, serverProps);
+    int port2 = createServer2(javaProps, serverProps);
+
+    // Start client1 with valid CREATE credentials
+    Properties createCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.PUT }, new String[] { regionName }, 1);
+    javaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testAllowPutsGets: For first client credentials: " + createCredentials);
+
+    createClient1NoException(javaProps, authInit, port1, port2, createCredentials);
+
+    // Start client2 with valid GET credentials
+    Properties getCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 2);
+    javaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testAllowPutsGets: For second client credentials: " + getCredentials);
+
+    createClient2NoException(javaProps, authInit, port1, port2, getCredentials);
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doPuts(2, NO_EXCEPTION));
+
+    // Verify that the gets succeed
+    client2.invoke(() -> doGets(2, NO_EXCEPTION));
+  }
+
+  @Test
+  public void testPutAllWithSecurity() {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testPutAllWithSecurity: Using authinit: " + authInit);
+    getLogWriter().info("testPutAllWithSecurity: Using authenticator: " + authenticator);
+    getLogWriter().info("testPutAllWithSecurity: Using accessor: " + accessor);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    int port1 = createServer1(javaProps, serverProps);
+    int port2 = createServer2(javaProps, serverProps);
+
+    // Start client1 with valid CREATE credentials
+    Properties createCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.PUTALL }, new String[] { regionName }, 1);
+    javaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testPutAllWithSecurity: For first client credentials: " + createCredentials);
+
+    createClient1NoException(javaProps, authInit, port1, port2, createCredentials);
+
+    // Perform some put all operations from client1
+    client1.invoke(() -> doPutAllP());
+  }
+
+  @Test
+  public void testDisallowPutsGets() {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testDisallowPutsGets: Using authinit: " + authInit);
+    getLogWriter().info("testDisallowPutsGets: Using authenticator: " + authenticator);
+    getLogWriter().info("testDisallowPutsGets: Using accessor: " + accessor);
+
+    // Check that we indeed can obtain valid credentials not allowed to do gets
+    Properties createCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.PUT }, new String[] { regionName }, 1);
+    Properties createJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testDisallowPutsGets: For first client credentials: " + createCredentials);
+
+    Properties getCredentials = gen.getDisallowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 2);
+    Properties getJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testDisallowPutsGets: For second client disallowed GET credentials: " + getCredentials);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    int port1 = createServer1(javaProps, serverProps);
+    int port2 = createServer2(javaProps, serverProps);
+
+    createClient1NoException(createJavaProps, authInit, port1, port2, createCredentials);
+
+    createClient2NoException(getJavaProps, authInit, port1, port2, getCredentials);
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doPuts(2, NO_EXCEPTION));
+
+    // Gets as normal user should throw exception
+    client2.invoke(() -> doGets(2, NOTAUTHZ_EXCEPTION));
+
+    // Try to connect client2 with reader credentials
+    getCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 5);
+    getJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testDisallowPutsGets: For second client with GET credentials: " + getCredentials);
+
+    createClient2NoException(getJavaProps, authInit, port1, port2, getCredentials);
+
+    // Verify that the gets succeed
+    client2.invoke(() -> doGets(2, NO_EXCEPTION));
+
+    // Verify that the puts throw exception
+    client2.invoke(() -> doNPuts(2, NOTAUTHZ_EXCEPTION));
+  }
+
+  @Test
+  public void testInvalidAccessor() {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testInvalidAccessor: Using authinit: " + authInit);
+    getLogWriter().info("testInvalidAccessor: Using authenticator: " + authenticator);
+
+    // Start server1 with invalid accessor
+    Properties serverProps = buildProperties(authenticator, "com.gemstone.none", false, extraAuthProps, extraAuthzProps);
+
+    int port1 = createServer1(javaProps, serverProps);
+    int port2 = getRandomAvailablePort(SOCKET);
+
+    // Client creation should throw exceptions
+    Properties createCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.PUT }, new String[] { regionName }, 3);
+    Properties createJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testInvalidAccessor: For first client CREATE credentials: " + createCredentials);
+
+    Properties getCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 7);
+    Properties getJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testInvalidAccessor: For second client GET credentials: " + getCredentials);
+
+    client1.invoke(() -> ClientAuthenticationTestUtils.createCacheClient( authInit, createCredentials, createJavaProps, port1, port2, 0, false, false, NO_EXCEPTION));
+    client1.invoke(() -> doPuts(1, AUTHFAIL_EXCEPTION));
+
+    client2.invoke(() -> ClientAuthenticationTestUtils.createCacheClient( authInit, getCredentials, getJavaProps, port1, port2, 0, false, false, NO_EXCEPTION));
+    client2.invoke(() -> doPuts(1, AUTHFAIL_EXCEPTION));
+
+    // Now start server2 that has valid accessor
+    getLogWriter().info("testInvalidAccessor: Using accessor: " + accessor);
+    serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+    createServer2(javaProps, serverProps, port2);
+    server1.invoke(() -> closeCache());
+
+    createClient1NoException(createJavaProps, authInit, port1, port2, createCredentials);
+    createClient2NoException(getJavaProps, authInit, port1, port2, getCredentials);
+
+    // Now perform some put operations from client1
+    client1.invoke(() -> doPuts(4, NO_EXCEPTION));
+
+    // Verify that the gets succeed
+    client2.invoke(() -> doGets(4, NO_EXCEPTION));
+  }
+
+  @Test
+  public void testPutsGetsWithFailover() {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testPutsGetsWithFailover: Using authinit: " + authInit);
+    getLogWriter().info("testPutsGetsWithFailover: Using authenticator: " + authenticator);
+    getLogWriter().info("testPutsGetsWithFailover: Using accessor: " + accessor);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    int port1 = createServer1(javaProps, serverProps);
+
+    // Get a port for second server but do not start it. This forces the clients to connect to the first server
+    int port2 = getRandomAvailablePort(SOCKET);
+
+    // Start client1 with valid CREATE credentials
+    Properties createCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.PUT }, new String[] { regionName }, 1);
+    Properties createJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testPutsGetsWithFailover: For first client credentials: " + createCredentials);
+
+    createClient1NoException(createJavaProps, authInit, port1, port2, createCredentials);
+
+    // Start client2 with valid GET credentials
+    Properties getCredentials = gen.getAllowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 5);
+    Properties getJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testPutsGetsWithFailover: For second client credentials: " + getCredentials);
+
+    createClient2NoException(getJavaProps, authInit, port1, port2, getCredentials);
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doPuts(2, NO_EXCEPTION));
+
+    // Verify that the puts succeeded
+    client2.invoke(() -> doGets(2, NO_EXCEPTION));
+
+    createServer2(javaProps, serverProps, port2);
+    server1.invoke(() -> closeCache());
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doNPuts(4, NO_EXCEPTION));
+
+    // Verify that the puts succeeded
+    client2.invoke(() -> doNGets(4, NO_EXCEPTION));
+
+    // Now re-connect with credentials not allowed to do gets
+    Properties noGetCredentials = gen.getDisallowedCredentials(new OperationCode[] { OperationCode.GET }, new String[] { regionName }, 9);
+    getJavaProps = cGen.getJavaProperties();
+
+    getLogWriter().info("testPutsGetsWithFailover: For second client disallowed GET credentials: " + noGetCredentials);
+
+    createClient2NoException(getJavaProps, authInit, port1, port2, noGetCredentials);
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doPuts(4, NO_EXCEPTION));
+
+    // Gets as normal user should throw exception
+    client2.invoke(() -> doGets(4, NOTAUTHZ_EXCEPTION));
+
+    // force a failover and do the drill again
+    server1.invoke(() -> ClientAuthorizationTestCase.createCacheServer( getLocatorPort(), port1, serverProps, javaProps ));
+    server2.invoke(() -> closeCache());
+
+    // Perform some put operations from client1
+    client1.invoke(() -> doNPuts(4, NO_EXCEPTION));
+
+    // Gets as normal user should throw exception
+    client2.invoke(() -> doNGets(4, NOTAUTHZ_EXCEPTION));
+
+    createClient2NoException(getJavaProps, authInit, port1, port2, getCredentials);
+
+    // Verify that the gets succeed
+    client2.invoke(() -> doNGets(4, NO_EXCEPTION));
+
+    // Verify that the puts throw exception
+    client2.invoke(() -> doPuts(4, NOTAUTHZ_EXCEPTION));
+  }
+
+  @Test
+  public void testUnregisterInterestWithFailover() throws InterruptedException {
+    OperationWithAction[] unregisterOps = unregisterOpsForTestUnregisterInterestWithFailover();
+
+    AuthzCredentialGenerator gen = new XmlAuthzCredentialGenerator();
+    CredentialGenerator cGen = new DummyCredentialGenerator();
+    cGen.init();
+    gen.init(cGen);
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+
+    getLogWriter().info("testAllOpsWithFailover: Using authinit: " + authInit);
+    getLogWriter().info("testAllOpsWithFailover: Using authenticator: " + authenticator);
+    getLogWriter().info("testAllOpsWithFailover: Using accessor: " + accessor);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    // Get ports for the servers
+    int[] randomAvailableTCPPorts = AvailablePortHelper.getRandomAvailableTCPPorts(2);
+    int port1 = randomAvailableTCPPorts[0];
+    int port2 = randomAvailableTCPPorts[1];
+
+    // Perform all the ops on the clients
+    List opBlock = new ArrayList();
+    for (int opNum = 0; opNum < unregisterOps.length; ++opNum) {
+
+      // Start client with valid credentials as specified in OperationWithAction
+      OperationWithAction currentOp = unregisterOps[opNum];
+      if (currentOp.equals(OperationWithAction.OPBLOCK_END) || currentOp.equals(OperationWithAction.OPBLOCK_NO_FAILOVER)) {
+
+        // End of current operation block; execute all the operations on the servers with/without failover
+        if (opBlock.size() > 0) {
+          // Start the first server and execute the operation block
+          server1.invoke(() -> ClientAuthorizationTestCase.createCacheServer(getLocatorPort(), port1, serverProps, javaProps));
+          server2.invoke(() -> closeCache());
+
+          executeRIOpBlock(opBlock, port1, port2, authInit, extraAuthProps, extraAuthzProps, javaProps);
+
+          if (!currentOp.equals(OperationWithAction.OPBLOCK_NO_FAILOVER)) {
+            createServer2(javaProps, serverProps, port2);
+            server1.invoke(() -> closeCache());
+
+            executeRIOpBlock(opBlock, port1, port2, authInit, extraAuthProps, extraAuthzProps, javaProps);
+          }
+          opBlock.clear();
+        }
+
+      } else {
+        currentOp.setOpNum(opNum);
+        opBlock.add(currentOp);
+      }
+    }
+  }
+
+  @Test
+  public void testAllOpsWithFailover() throws InterruptedException {
+    addIgnoredException("Read timed out");
+    runOpsWithFailOver(allOpsForAllOpsWithFailover(), "testAllOpsWithFailover");
+  }
+
+  private OperationWithAction[] unregisterOpsForTestUnregisterInterestWithFailover() {
+    return new OperationWithAction[] {
+        // Register interest in all KEYS using one key at a time
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, OperationCode.UNREGISTER_INTEREST, 3, OpFlags.NONE, 4),
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, 2),
+        // UPDATE and test with GET
+        new OperationWithAction(OperationCode.PUT),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        // Unregister interest in all KEYS using one key at a time
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 3, OpFlags.USE_OLDCONN | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 2, OpFlags.USE_OLDCONN, 4),
+        // UPDATE and test with GET for no updates
+        new OperationWithAction(OperationCode.PUT, 1, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Register interest in all KEYS using list
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, OperationCode.UNREGISTER_INTEREST, 3, OpFlags.USE_LIST, 4),
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, 1, OpFlags.USE_LIST, 4),
+        // UPDATE and test with GET
+        new OperationWithAction(OperationCode.PUT, 2),
+        new OperationWithAction(OperationCode.GET, 1, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        // Unregister interest in all KEYS using list
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 3, OpFlags.USE_OLDCONN | OpFlags.USE_LIST | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 1, OpFlags.USE_OLDCONN | OpFlags.USE_LIST, 4),
+        // UPDATE and test with GET for no updates
+        new OperationWithAction(OperationCode.PUT, 2, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 1, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Register interest in all KEYS using regular expression
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, OperationCode.UNREGISTER_INTEREST, 3, OpFlags.USE_REGEX, 4),
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, 2, OpFlags.USE_REGEX, 4),
+        // UPDATE and test with GET
+        new OperationWithAction(OperationCode.PUT),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        // Unregister interest in all KEYS using regular expression
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 3, OpFlags.USE_OLDCONN | OpFlags.USE_REGEX | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 2, OpFlags.USE_OLDCONN | OpFlags.USE_REGEX, 4),
+        // UPDATE and test with GET for no updates
+        new OperationWithAction(OperationCode.PUT, 1, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        OperationWithAction.OPBLOCK_END
+    };
+  }
+
+  private OperationWithAction[] allOpsForAllOpsWithFailover() {
+    return new OperationWithAction[] {
+        // Test CREATE and verify with a GET
+        new OperationWithAction(OperationCode.PUT, 3, OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.PUT),
+        new OperationWithAction(OperationCode.GET, 3, OpFlags.CHECK_NOKEY | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.CHECK_NOKEY, 4),
+
+        // OPBLOCK_END indicates end of an operation block; the above block of three operations will be first executed on server1 and then on server2 after failover
+        OperationWithAction.OPBLOCK_END,
+
+        // Test PUTALL and verify with GETs
+        new OperationWithAction(OperationCode.PUTALL, 3, OpFlags.USE_NEWVAL | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.PUTALL, 1, OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+        OperationWithAction.OPBLOCK_END,
+
+        // Test UPDATE and verify with a GET
+        new OperationWithAction(OperationCode.PUT, 3, OpFlags.USE_NEWVAL | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.PUT, 1, OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Test DESTROY and verify with a GET and that key should not exist
+        new OperationWithAction(OperationCode.DESTROY, 3, OpFlags.USE_NEWVAL | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.DESTROY),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.CHECK_FAIL, 4), // bruce: added check_nokey because we now bring tombstones to the client in 8.0
+        // Repopulate the region
+        new OperationWithAction(OperationCode.PUT, 1, OpFlags.USE_NEWVAL, 4),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Check CONTAINS_KEY
+        new OperationWithAction(OperationCode.CONTAINS_KEY, 3, OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.CONTAINS_KEY),
+        // Destroy the KEYS and check for failure in CONTAINS_KEY
+        new OperationWithAction(OperationCode.DESTROY, 2),
+        new OperationWithAction(OperationCode.CONTAINS_KEY, 3, OpFlags.CHECK_FAIL | OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.CONTAINS_KEY, 1, OpFlags.USE_OLDCONN | OpFlags.CHECK_FAIL, 4),
+        // Repopulate the region
+        new OperationWithAction(OperationCode.PUT),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Check KEY_SET
+        new OperationWithAction(OperationCode.KEY_SET, 3, OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.KEY_SET, 2),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Check QUERY
+        new OperationWithAction(OperationCode.QUERY, 3, OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.QUERY),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Register interest in all KEYS using one key at a time
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, 3, OpFlags.CHECK_NOTAUTHZ, 4),
+        new OperationWithAction(OperationCode.REGISTER_INTEREST, 2),
+        // UPDATE and test with GET
+        new OperationWithAction(OperationCode.PUT),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        // Unregister interest in all KEYS using one key at a time
+        new OperationWithAction(OperationCode.UNREGISTER_INTEREST, 2, OpFlags.USE_OLDCONN, 4),
+        // UPDATE and test with GET for no updates
+        new OperationWithAction(OperationCode.PUT, 1, OpFlags.USE_OLDCONN | OpFlags.USE_NEWVAL, 4),
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_OLDCONN | OpFlags.LOCAL_OP, 4),
+
+        OperationWithAction.OPBLOCK_END,
+
+        // Test GET_ENTRY inside a TX, see #49951
+        new OperationWithAction(OperationCode.GET, 2, OpFlags.USE_GET_ENTRY_IN_TX | OpFlags.CHECK_FAIL, 4),
+
+        OperationWithAction.OPBLOCK_END };
+  }
+
+  private Properties getUserPassword(final String userName) {
+    Properties props = new Properties();
+    props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+    props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+    return props;
+  }
+
+  private void executeRIOpBlock(final List<OperationWithAction> opBlock, final int port1, final int port2, final String authInit, final Properties extraAuthProps, final Properties extraAuthzProps, final Properties javaProps) throws InterruptedException {
+    for (Iterator opIter = opBlock.iterator(); opIter.hasNext();) {
+      // Start client with valid credentials as specified in OperationWithAction
+      OperationWithAction currentOp = (OperationWithAction)opIter.next();
+      OperationCode opCode = currentOp.getOperationCode();
+      int opFlags = currentOp.getFlags();
+      int clientNum = currentOp.getClientNum();
+      VM clientVM = null;
+      boolean useThisVM = false;
+
+      switch (clientNum) {
+        case 1:
+          clientVM = client1;
+          break;
+        case 2:
+          clientVM = client2;
+          break;
+        case 3:
+          useThisVM = true;
+          break;
+        default:
+          fail("executeRIOpBlock: Unknown client number " + clientNum);
+          break;
+      }
+
+      getLogWriter().info( "executeRIOpBlock: performing operation number [" + currentOp.getOpNum() + "]: " + currentOp);
+      if ((opFlags & OpFlags.USE_OLDCONN) == 0) {
+        Properties opCredentials = null;
+        String currentRegionName = '/' + regionName;
+        if ((opFlags & OpFlags.USE_SUBREGION) > 0) {
+          currentRegionName += ('/' + SUBREGION_NAME);
+        }
+        String credentialsTypeStr;
+        OperationCode authOpCode = currentOp.getAuthzOperationCode();
+
+        if ((opFlags & OpFlags.CHECK_NOTAUTHZ) > 0 || (opFlags & OpFlags.USE_NOTAUTHZ) > 0 || !authOpCode.equals(opCode)) {
+          credentialsTypeStr = " unauthorized " + authOpCode;
+          if (authOpCode.isRegisterInterest()) {
+            opCredentials = getUserPassword("reader7");
+          } else if (authOpCode.isUnregisterInterest()) {
+            opCredentials = getUserPassword("reader6");
+          } else {
+            fail("executeRIOpBlock: cannot determine credentials for" + credentialsTypeStr);
+          }
+
+        } else {
+          credentialsTypeStr = " authorized " + authOpCode;
+          if (authOpCode.isRegisterInterest() || authOpCode.isUnregisterInterest()) {
+            opCredentials = getUserPassword("reader5");
+          } else if (authOpCode.isPut()) {
+            opCredentials = getUserPassword("writer1");
+          } else if (authOpCode.isGet()) {
+            opCredentials = getUserPassword("reader1");
+          } else {
+            fail("executeRIOpBlock: cannot determine credentials for" + credentialsTypeStr);
+          }
+        }
+
+        Properties clientProps = concatProperties(new Properties[] { opCredentials, extraAuthProps, extraAuthzProps });
+
+        // Start the client with valid credentials but allowed or disallowed to perform an operation
+        getLogWriter().info("executeRIOpBlock: For client" + clientNum + credentialsTypeStr + " credentials: " + opCredentials);
+        if (useThisVM) {
+          createCacheClientWithDynamicRegion(authInit, clientProps, javaProps, new int[] { port1, port2 }, 0, false, NO_EXCEPTION);
+        } else {
+          clientVM.invoke(() -> createCacheClient(authInit, clientProps, javaProps, new int[] { port1, port2 }, 0, false, NO_EXCEPTION));
+        }
+
+      }
+
+      int expectedResult;
+      if ((opFlags & OpFlags.CHECK_NOTAUTHZ) > 0) {
+        expectedResult = NOTAUTHZ_EXCEPTION;
+      } else if ((opFlags & OpFlags.CHECK_EXCEPTION) > 0) {
+        expectedResult = OTHER_EXCEPTION;
+      } else {
+        expectedResult = NO_EXCEPTION;
+      }
+
+      // Perform the operation from selected client
+      if (useThisVM) {
+        doOp(opCode, currentOp.getIndices(), opFlags, expectedResult);
+
+      } else {
+        int[] indices = currentOp.getIndices();
+        clientVM.invoke(() -> ClientAuthorizationTestCase.doOp(opCode, indices, opFlags, expectedResult));
+      }
+    }
+  }
+
+  private void createClient2NoException(final Properties javaProps, final String authInit, final int port1, final int port2, final Properties getCredentials) {
+    client2.invoke(() -> ClientAuthenticationTestUtils.createCacheClient(authInit, getCredentials, javaProps, port1, port2, 0, NO_EXCEPTION));
+  }
+
+  private void createClient1NoException(final Properties javaProps, final String authInit, final int port1, final int port2, final Properties createCredentials) {
+    client1.invoke(() -> ClientAuthenticationTestUtils.createCacheClient(authInit, createCredentials, javaProps, port1, port2, 0, NO_EXCEPTION));
+  }
+
+  private int createServer2(final Properties javaProps, final Properties serverProps) {
+    return server2.invoke(() -> ClientAuthorizationTestCase.createCacheServer(getLocatorPort(), serverProps, javaProps));
+  }
+
+  private int createServer1(final Properties javaProps, final Properties serverProps) {
+    return server1.invoke(() -> ClientAuthorizationTestCase.createCacheServer(getLocatorPort(), serverProps, javaProps));
+  }
+
+  private void createServer2(Properties javaProps, Properties serverProps, int port2) {
+    server2.invoke(() -> ClientAuthorizationTestCase.createCacheServer(getLocatorPort(), port2, serverProps, javaProps));
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/9d7a6960/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationTestCase.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationTestCase.java b/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationTestCase.java
new file mode 100644
index 0000000..c222e6c
--- /dev/null
+++ b/geode-core/src/test/java/org/apache/geode/security/ClientAuthorizationTestCase.java
@@ -0,0 +1,1325 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security;
+
+import static com.gemstone.gemfire.distributed.ConfigurationProperties.*;
+import static com.gemstone.gemfire.internal.AvailablePort.*;
+import static com.gemstone.gemfire.security.SecurityTestUtils.*;
+import static com.gemstone.gemfire.test.dunit.Assert.*;
+import static com.gemstone.gemfire.test.dunit.Host.*;
+import static com.gemstone.gemfire.test.dunit.Wait.*;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Random;
+import java.util.Set;
+import java.util.concurrent.Callable;
+
+import com.gemstone.gemfire.cache.DynamicRegionFactory;
+import com.gemstone.gemfire.cache.InterestResultPolicy;
+import com.gemstone.gemfire.cache.Operation;
+import com.gemstone.gemfire.cache.Region;
+import com.gemstone.gemfire.cache.Region.Entry;
+import com.gemstone.gemfire.cache.RegionDestroyedException;
+import com.gemstone.gemfire.cache.client.ServerConnectivityException;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.cache.query.CqAttributes;
+import com.gemstone.gemfire.cache.query.CqAttributesFactory;
+import com.gemstone.gemfire.cache.query.CqEvent;
+import com.gemstone.gemfire.cache.query.CqException;
+import com.gemstone.gemfire.cache.query.CqListener;
+import com.gemstone.gemfire.cache.query.CqQuery;
+import com.gemstone.gemfire.cache.query.QueryInvocationTargetException;
+import com.gemstone.gemfire.cache.query.QueryService;
+import com.gemstone.gemfire.cache.query.SelectResults;
+import com.gemstone.gemfire.cache.query.Struct;
+import com.gemstone.gemfire.internal.AvailablePort.*;
+import com.gemstone.gemfire.internal.AvailablePortHelper;
+import com.gemstone.gemfire.internal.cache.AbstractRegionEntry;
+import com.gemstone.gemfire.internal.cache.LocalRegion;
+import com.gemstone.gemfire.security.generator.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.generator.AuthzCredentialGenerator.ClassCode;
+import com.gemstone.gemfire.security.generator.CredentialGenerator;
+import com.gemstone.gemfire.security.generator.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.generator.XmlAuthzCredentialGenerator;
+import com.gemstone.gemfire.test.dunit.VM;
+import com.gemstone.gemfire.test.dunit.WaitCriterion;
+import com.gemstone.gemfire.test.dunit.internal.JUnit4DistributedTestCase;
+
+/**
+ * Base class for tests for authorization from client to server. It contains
+ * utility functions for the authorization tests from client to server.
+ *
+ * @since GemFire 5.5
+ */
+public abstract class ClientAuthorizationTestCase extends JUnit4DistributedTestCase {
+
+  private static final int PAUSE = 5 * 1000;
+
+  protected static VM server1 = null;
+  protected static VM server2 = null;
+  protected static VM client1 = null;
+  protected static VM client2 = null;
+
+  protected static final String regionName = REGION_NAME; // TODO: remove
+  protected static final String SUBREGION_NAME = "AuthSubregion";
+
+  private static final String[] serverIgnoredExceptions = {
+      "Connection refused",
+      AuthenticationRequiredException.class.getName(),
+      AuthenticationFailedException.class.getName(),
+      NotAuthorizedException.class.getName(),
+      GemFireSecurityException.class.getName(),
+      RegionDestroyedException.class.getName(),
+      ClassNotFoundException.class.getName()
+  };
+
+  private static final String[] clientIgnoredExceptions = {
+      AuthenticationFailedException.class.getName(),
+      NotAuthorizedException.class.getName(),
+      RegionDestroyedException.class.getName()
+  };
+
+  @Override
+  public final void preSetUp() throws Exception {
+  }
+
+  @Override
+  public final void postSetUp() throws Exception {
+    preSetUpClientAuthorizationTestBase();
+    setUpClientAuthorizationTestBase();
+    postSetUpClientAuthorizationTestBase();
+  }
+
+  private final void setUpClientAuthorizationTestBase() throws Exception {
+    server1 = getHost(0).getVM(0);
+    server2 = getHost(0).getVM(1);
+    client1 = getHost(0).getVM(2);
+    client2 = getHost(0).getVM(3);
+    setUpIgnoredExceptions();
+  }
+
+  private final void setUpIgnoredExceptions() {
+    Set<String> serverExceptions = new HashSet<>();
+    serverExceptions.addAll(Arrays.asList(serverIgnoredExceptions()));
+    if (serverExceptions.isEmpty()) {
+      serverExceptions.addAll(Arrays.asList(serverIgnoredExceptions));
+    }
+
+    String[] serverExceptionsArray = serverExceptions.toArray(new String[serverExceptions.size()]);
+    server1.invoke(() -> registerExpectedExceptions(serverExceptionsArray));
+    server2.invoke(() -> registerExpectedExceptions(serverExceptionsArray));
+
+    Set<String> clientExceptions = new HashSet<>();
+    clientExceptions.addAll(Arrays.asList(clientIgnoredExceptions()));
+    if (clientExceptions.isEmpty()) {
+      clientExceptions.addAll(Arrays.asList(clientIgnoredExceptions));
+    }
+
+    String[] clientExceptionsArray = serverExceptions.toArray(new String[clientExceptions.size()]);
+    client2.invoke(() -> registerExpectedExceptions(clientExceptionsArray));
+    registerExpectedExceptions(clientExceptionsArray);
+  }
+
+  protected String[] serverIgnoredExceptions() {
+    return new String[]{};
+  }
+
+  protected String[] clientIgnoredExceptions() {
+    return new String[]{};
+  }
+
+  protected void preSetUpClientAuthorizationTestBase() throws Exception {
+  }
+
+  protected void postSetUpClientAuthorizationTestBase() throws Exception {
+  }
+
+  @Override
+  public final void preTearDown() throws Exception {
+    preTearDownClientAuthorizationTestBase();
+    tearDownClientAuthorizationTestBase();
+    postTearDownClientAuthorizationTestBase();
+  }
+
+  @Override
+  public final void postTearDown() throws Exception {
+  }
+
+  private final void tearDownClientAuthorizationTestBase() throws Exception {
+    // close the clients first
+    client1.invoke(() -> closeCache());
+    client2.invoke(() -> closeCache());
+    // then close the servers
+    server1.invoke(() -> closeCache());
+    server2.invoke(() -> closeCache());
+  }
+
+  protected void preTearDownClientAuthorizationTestBase() throws Exception {
+  }
+
+  protected void postTearDownClientAuthorizationTestBase() throws Exception {
+  }
+
+  protected static Properties buildProperties(final String authenticator, final String accessor, final boolean isAccessorPP, final Properties extraAuthProps, final Properties extraAuthzProps) {
+    Properties authProps = new Properties();
+    if (authenticator != null) {
+      authProps.setProperty(SECURITY_CLIENT_AUTHENTICATOR, authenticator);
+    }
+    if (accessor != null) {
+      if (isAccessorPP) {
+        authProps.setProperty(SECURITY_CLIENT_ACCESSOR_PP, accessor);
+      } else {
+        authProps.setProperty(SECURITY_CLIENT_ACCESSOR, accessor);
+      }
+    }
+    return concatProperties(new Properties[] { authProps, extraAuthProps, extraAuthzProps });
+  }
+
+  protected static Integer createCacheServer(int locatorPort, final Properties authProps, final Properties javaProps) {
+    if (locatorPort == 0) {
+      locatorPort = getRandomAvailablePort(SOCKET);
+    }
+    return SecurityTestUtils.createCacheServer(authProps, javaProps, locatorPort, null, 0, true, NO_EXCEPTION);
+  }
+
+  protected static int createCacheServer(int locatorPort, final int serverPort, final Properties authProps, final Properties javaProps) {
+    if (locatorPort == 0) {
+      locatorPort = getRandomAvailablePort(SOCKET);
+    }
+    return SecurityTestUtils.createCacheServer(authProps, javaProps, locatorPort, null, serverPort, true, NO_EXCEPTION);
+  }
+
+  protected static Region getRegion() {
+    return getCache().getRegion(regionName);
+  }
+
+  protected static Region getSubregion() {
+    return getCache().getRegion(regionName + '/' + SUBREGION_NAME);
+  }
+
+  private static Region createSubregion(final Region region) {
+    Region subregion = getSubregion();
+    if (subregion == null) {
+      subregion = region.createSubregion(SUBREGION_NAME, region.getAttributes());
+    }
+    return subregion;
+  }
+
+  protected static String indicesToString(final int[] indices) {
+    String str = "";
+    if (indices != null && indices.length > 0) {
+      str += indices[0];
+      for (int index = 1; index < indices.length; ++index) {
+        str += ",";
+        str += indices[index];
+      }
+    }
+    return str;
+  }
+
+  protected static void doOp(OperationCode op, final int[] indices, final int flagsI, final int expectedResult) throws InterruptedException {
+    boolean operationOmitted = false;
+    final int flags = flagsI;
+    Region region = getRegion();
+
+    if ((flags & OpFlags.USE_SUBREGION) > 0) {
+      assertNotNull(region);
+      Region subregion = null;
+
+      if ((flags & OpFlags.NO_CREATE_SUBREGION) > 0) {
+        if ((flags & OpFlags.CHECK_NOREGION) > 0) {
+          // Wait for some time for DRF update to come
+          waitForCondition(() -> getSubregion() == null);
+          subregion = getSubregion();
+          assertNull(subregion);
+          return;
+
+        } else {
+          // Wait for some time for DRF update to come
+          waitForCondition(() -> getSubregion() != null);
+          subregion = getSubregion();
+          assertNotNull(subregion);
+        }
+
+      } else {
+        subregion = createSubregion(region);
+      }
+
+      assertNotNull(subregion);
+      region = subregion;
+
+    } else if ((flags & OpFlags.CHECK_NOREGION) > 0) {
+      // Wait for some time for region destroy update to come
+      waitForCondition(() -> getRegion() == null);
+      region = getRegion();
+      assertNull(region);
+      return;
+
+    } else {
+      assertNotNull(region);
+    }
+
+    final String[] keys = KEYS;
+    final String[] vals;
+    if ((flags & OpFlags.USE_NEWVAL) > 0) {
+      vals = NVALUES;
+    }
+    else {
+      vals = VALUES;
+    }
+
+    InterestResultPolicy policy = InterestResultPolicy.KEYS_VALUES;
+    if ((flags & OpFlags.REGISTER_POLICY_NONE) > 0) {
+      policy = InterestResultPolicy.NONE;
+    }
+
+    final int numOps = indices.length;
+    System.out.println("Got doOp for op: " + op.toString() + ", numOps: " + numOps + ", indices: " + indicesToString(indices) + ", expect: " + expectedResult);
+    boolean exceptionOccured = false;
+    boolean breakLoop = false;
+
+    if (op.isGet() || op.isContainsKey() || op.isKeySet() || op.isQuery() || op.isExecuteCQ()) {
+      Thread.sleep(PAUSE);
+    }
+
+    for (int indexIndex = 0; indexIndex < numOps; ++indexIndex) {
+      if (breakLoop) {
+        break;
+      }
+      int index = indices[indexIndex];
+
+      try {
+        final Object key = keys[index];
+        final Object expectedVal = vals[index];
+
+        if (op.isGet()) {
+          Object value = null;
+          // this is the case for testing GET_ALL
+          if ((flags & OpFlags.USE_ALL_KEYS) > 0) {
+            breakLoop = true;
+            List keyList = new ArrayList(numOps);
+            Object searchKey;
+
+            for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+              int keyNum = indices[keyNumIndex];
+              searchKey = keys[keyNum];
+              keyList.add(searchKey);
+
+              // local invalidate some KEYS to force fetch of those KEYS from server
+              if ((flags & OpFlags.CHECK_NOKEY) > 0) {
+                AbstractRegionEntry entry = (AbstractRegionEntry)((LocalRegion)region).getRegionEntry(searchKey);
+                System.out.println(""+keyNum+": key is " + searchKey + " and entry is " + entry);
+                assertFalse(region.containsKey(searchKey));
+              } else {
+                if (keyNumIndex % 2 == 1) {
+                  assertTrue(region.containsKey(searchKey));
+                  region.localInvalidate(searchKey);
+                }
+              }
+            }
+
+            Map entries = region.getAll(keyList);
+
+            for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+              int keyNum = indices[keyNumIndex];
+              searchKey = keys[keyNum];
+              if ((flags & OpFlags.CHECK_FAIL) > 0) {
+                assertFalse(entries.containsKey(searchKey));
+              } else {
+                assertTrue(entries.containsKey(searchKey));
+                value = entries.get(searchKey);
+                assertEquals(vals[keyNum], value);
+              }
+            }
+
+            break;
+          }
+
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            Callable<Boolean> condition = new Callable<Boolean>() {
+              private Region region;
+
+              @Override
+              public Boolean call() throws Exception {
+                Object value = getLocalValue(region, key);
+                return (flags & OpFlags.CHECK_FAIL) > 0 ? !expectedVal.equals(value) : expectedVal.equals(value);
+              }
+
+              public Callable<Boolean> init(Region region) {
+                this.region = region;
+                return this;
+              }
+            }.init(region);
+            waitForCondition(condition);
+
+            value = getLocalValue(region, key);
+
+          } else if ((flags & OpFlags.USE_GET_ENTRY_IN_TX) > 0) {
+            getCache().getCacheTransactionManager().begin();
+            Entry e = region.getEntry(key);
+
+            // Also, check getAll()
+            ArrayList a = new ArrayList();
+            a.addAll(a);
+            region.getAll(a);
+
+            getCache().getCacheTransactionManager().commit();
+            value = e.getValue();
+
+          } else {
+            if ((flags & OpFlags.CHECK_NOKEY) > 0) {
+              assertFalse(region.containsKey(key));
+            } else {
+              assertTrue(region.containsKey(key) || ((LocalRegion)region).getRegionEntry(key).isTombstone());
+              region.localInvalidate(key);
+            }
+            value = region.get(key);
+          }
+
+          if ((flags & OpFlags.CHECK_FAIL) > 0) {
+            assertFalse(expectedVal.equals(value));
+          } else {
+            assertNotNull(value);
+            assertEquals(expectedVal, value);
+          }
+
+        } else if (op.isPut()) {
+          region.put(key, expectedVal);
+
+        } else if (op.isPutAll()) {
+          HashMap map = new HashMap();
+          for (int i=0; i<indices.length; i++) {
+            map.put(keys[indices[i]], vals[indices[i]]);
+          }
+          region.putAll(map);
+          breakLoop = true;
+
+        } else if (op.isDestroy()) {
+          // if (!region.containsKey(key)) {
+          // // Since DESTROY will fail unless the value is present
+          // // in the local cache, this is a workaround for two cases:
+          // // 1. When the operation is supposed to succeed then in
+          // // the current AuthzCredentialGenerators the clients having
+          // // DESTROY permission also has CREATE/UPDATE permission
+          // // so that calling region.put() will work for that case.
+          // // 2. When the operation is supposed to fail with
+          // // NotAuthorizedException then in the current
+          // // AuthzCredentialGenerators the clients not
+          // // having DESTROY permission are those with reader role that have
+          // // GET permission.
+          // //
+          // // If either of these assumptions fails, then this has to be
+          // // adjusted or reworked accordingly.
+          // if ((flags & OpFlags.CHECK_NOTAUTHZ) > 0) {
+          // Object value = region.get(key);
+          // assertNotNull(value);
+          // assertIndexDetailsEquals(vals[index], value);
+          // }
+          // else {
+          // region.put(key, vals[index]);
+          // }
+          // }
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            region.localDestroy(key);
+          }
+          else {
+            region.destroy(key);
+          }
+
+        } else if (op.isInvalidate()) {
+          if (region.containsKey(key)) {
+            if ((flags & OpFlags.LOCAL_OP) > 0) {
+              region.localInvalidate(key);
+            } else {
+              region.invalidate(key);
+            }
+          }
+
+        } else if (op.isContainsKey()) {
+          boolean result;
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            result = region.containsKey(key);
+          } else {
+            result = region.containsKeyOnServer(key);
+          }
+          if ((flags & OpFlags.CHECK_FAIL) > 0) {
+            assertFalse(result);
+          } else {
+            assertTrue(result);
+          }
+
+        } else if (op.isRegisterInterest()) {
+          if ((flags & OpFlags.USE_LIST) > 0) {
+            breakLoop = true;
+            // Register interest list in this case
+            List keyList = new ArrayList(numOps);
+            for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+              int keyNum = indices[keyNumIndex];
+              keyList.add(keys[keyNum]);
+            }
+            region.registerInterest(keyList, policy);
+
+          } else if ((flags & OpFlags.USE_REGEX) > 0) {
+            breakLoop = true;
+            region.registerInterestRegex("key[1-" + numOps + ']', policy);
+
+          } else if ((flags & OpFlags.USE_ALL_KEYS) > 0) {
+            breakLoop = true;
+            region.registerInterest("ALL_KEYS", policy);
+
+          } else {
+            region.registerInterest(key, policy);
+          }
+
+        } else if (op.isUnregisterInterest()) {
+          if ((flags & OpFlags.USE_LIST) > 0) {
+            breakLoop = true;
+            // Register interest list in this case
+            List keyList = new ArrayList(numOps);
+            for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+              int keyNum = indices[keyNumIndex];
+              keyList.add(keys[keyNum]);
+            }
+            region.unregisterInterest(keyList);
+
+          } else if ((flags & OpFlags.USE_REGEX) > 0) {
+            breakLoop = true;
+            region.unregisterInterestRegex("key[1-" + numOps + ']');
+
+          } else if ((flags & OpFlags.USE_ALL_KEYS) > 0) {
+            breakLoop = true;
+            region.unregisterInterest("ALL_KEYS");
+
+          } else {
+            region.unregisterInterest(key);
+          }
+
+        } else if (op.isKeySet()) {
+          breakLoop = true;
+          Set keySet;
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            keySet = region.keySet();
+          } else {
+            keySet = region.keySetOnServer();
+          }
+
+          assertNotNull(keySet);
+          if ((flags & OpFlags.CHECK_FAIL) == 0) {
+            assertEquals(numOps, keySet.size());
+          }
+          for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+            int keyNum = indices[keyNumIndex];
+            if ((flags & OpFlags.CHECK_FAIL) > 0) {
+              assertFalse(keySet.contains(keys[keyNum]));
+            } else {
+              assertTrue(keySet.contains(keys[keyNum]));
+            }
+          }
+
+        } else if (op.isQuery()) {
+          breakLoop = true;
+          SelectResults queryResults = region.query("SELECT DISTINCT * FROM " + region.getFullPath());
+          assertNotNull(queryResults);
+          Set queryResultSet = queryResults.asSet();
+          if ((flags & OpFlags.CHECK_FAIL) == 0) {
+            assertEquals(numOps, queryResultSet.size());
+          }
+          for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+            int keyNum = indices[keyNumIndex];
+            if ((flags & OpFlags.CHECK_FAIL) > 0) {
+              assertFalse(queryResultSet.contains(vals[keyNum]));
+            } else {
+              assertTrue(queryResultSet.contains(vals[keyNum]));
+            }
+          }
+
+        } else if (op.isExecuteCQ()) {
+          breakLoop = true;
+          QueryService queryService = getCache().getQueryService();
+          CqQuery cqQuery;
+          if ((cqQuery = queryService.getCq("cq1")) == null) {
+            CqAttributesFactory cqFact = new CqAttributesFactory();
+            cqFact.addCqListener(new AuthzCqListener());
+            CqAttributes cqAttrs = cqFact.create();
+            cqQuery = queryService.newCq("cq1", "SELECT * FROM " + region.getFullPath(), cqAttrs);
+          }
+
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            // Interpret this as testing results using CqListener
+            final AuthzCqListener listener = (AuthzCqListener)cqQuery.getCqAttributes().getCqListener();
+            WaitCriterion ev = new WaitCriterion() {
+              @Override
+              public boolean done() {
+                if ((flags & OpFlags.CHECK_FAIL) > 0) {
+                  return 0 == listener.getNumUpdates();
+                } else {
+                  return numOps == listener.getNumUpdates();
+                }
+              }
+              @Override
+              public String description() {
+                return null;
+              }
+            };
+            waitForCriterion(ev, 3 * 1000, 200, true);
+
+            if ((flags & OpFlags.CHECK_FAIL) > 0) {
+              assertEquals(0, listener.getNumUpdates());
+            } else {
+              assertEquals(numOps, listener.getNumUpdates());
+              listener.checkPuts(vals, indices);
+            }
+
+            assertEquals(0, listener.getNumCreates());
+            assertEquals(0, listener.getNumDestroys());
+            assertEquals(0, listener.getNumOtherOps());
+            assertEquals(0, listener.getNumErrors());
+
+          } else {
+            SelectResults cqResults = cqQuery.executeWithInitialResults();
+            assertNotNull(cqResults);
+            Set cqResultValues = new HashSet();
+            for (Object o : cqResults.asList()) {
+              Struct s = (Struct)o;
+              cqResultValues.add(s.get("value"));
+            }
+
+            Set cqResultSet = cqResults.asSet();
+            if ((flags & OpFlags.CHECK_FAIL) == 0) {
+              assertEquals(numOps, cqResultSet.size());
+            }
+
+            for (int keyNumIndex = 0; keyNumIndex < numOps; ++keyNumIndex) {
+              int keyNum = indices[keyNumIndex];
+              if ((flags & OpFlags.CHECK_FAIL) > 0) {
+                assertFalse(cqResultValues.contains(vals[keyNum]));
+              } else {
+                assertTrue(cqResultValues.contains(vals[keyNum]));
+              }
+            }
+          }
+
+        } else if (op.isStopCQ()) {
+          breakLoop = true;
+          CqQuery cqQuery = getCache().getQueryService().getCq("cq1");
+          ((AuthzCqListener)cqQuery.getCqAttributes().getCqListener()).reset();
+          cqQuery.stop();
+
+        } else if (op.isCloseCQ()) {
+          breakLoop = true;
+          CqQuery cqQuery = getCache().getQueryService().getCq("cq1");
+          ((AuthzCqListener)cqQuery.getCqAttributes().getCqListener()).reset();
+          cqQuery.close();
+
+        } else if (op.isRegionClear()) {
+          breakLoop = true;
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            region.localClear();
+          } else {
+            region.clear();
+          }
+
+        } else if (op.isRegionCreate()) {
+          breakLoop = true;
+          // Region subregion = createSubregion(region);
+          // subregion.createRegionOnServer();
+          // Create region on server using the DynamicRegionFactory
+          // Assume it has been already initialized
+          DynamicRegionFactory drf = DynamicRegionFactory.get();
+          Region subregion = drf.createDynamicRegion(regionName, SUBREGION_NAME);
+          assertEquals('/' + regionName + '/' + SUBREGION_NAME, subregion.getFullPath());
+
+        } else if (op.isRegionDestroy()) {
+          breakLoop = true;
+          if ((flags & OpFlags.LOCAL_OP) > 0) {
+            region.localDestroyRegion();
+
+          } else {
+            if ((flags & OpFlags.USE_SUBREGION) > 0) {
+              try {
+                DynamicRegionFactory.get().destroyDynamicRegion(region.getFullPath());
+              } catch (RegionDestroyedException ex) {
+                // harmless to ignore this
+                System.out.println("doOp: sub-region " + region.getFullPath() + " already destroyed");
+                operationOmitted = true;
+              }
+            } else {
+              region.destroyRegion();
+            }
+          }
+
+        } else {
+          fail("doOp: Unhandled operation " + op);
+        }
+
+        if (expectedResult != NO_EXCEPTION) {
+          if (!operationOmitted && !op.isUnregisterInterest()) {
+            fail("Expected an exception while performing operation op =" + op + "flags = " + OpFlags.description(flags));
+          }
+        }
+
+      } catch (Exception ex) {
+        exceptionOccured = true;
+        if ((ex instanceof ServerConnectivityException || ex instanceof QueryInvocationTargetException || ex instanceof CqException)
+            && (expectedResult == NOTAUTHZ_EXCEPTION) && (ex.getCause() instanceof NotAuthorizedException)) {
+          System.out.println("doOp: Got expected NotAuthorizedException when doing operation [" + op + "] with flags " + OpFlags.description(flags) + ": " + ex.getCause());
+          continue;
+        } else if (expectedResult == OTHER_EXCEPTION) {
+          System.out.println("doOp: Got expected exception when doing operation: " + ex.toString());
+          continue;
+        } else {
+          fail("doOp: Got unexpected exception when doing operation. Policy = " + policy + " flags = " + OpFlags.description(flags), ex);
+        }
+      }
+    }
+    if (!exceptionOccured && !operationOmitted && expectedResult != NO_EXCEPTION) {
+      fail("Expected an exception while performing operation: " + op + " flags = " + OpFlags.description(flags));
+    }
+  }
+
+  protected void executeOpBlock(final List<OperationWithAction> opBlock, final int port1, final int port2, final String authInit, final Properties extraAuthProps, final Properties extraAuthzProps, final TestCredentialGenerator credentialGenerator, final Random random) throws InterruptedException {
+    for (Iterator<OperationWithAction> opIter = opBlock.iterator(); opIter.hasNext();) {
+      // Start client with valid credentials as specified in OperationWithAction
+      OperationWithAction currentOp = opIter.next();
+      OperationCode opCode = currentOp.getOperationCode();
+      int opFlags = currentOp.getFlags();
+      int clientNum = currentOp.getClientNum();
+      VM clientVM = null;
+      boolean useThisVM = false;
+
+      switch (clientNum) {
+        case 1:
+          clientVM = client1;
+          break;
+        case 2:
+          clientVM = client2;
+          break;
+        case 3:
+          useThisVM = true;
+          break;
+        default:
+          fail("executeOpBlock: Unknown client number " + clientNum);
+          break;
+      }
+
+      System.out.println("executeOpBlock: performing operation number [" + currentOp.getOpNum() + "]: " + currentOp);
+      if ((opFlags & OpFlags.USE_OLDCONN) == 0) {
+        Properties opCredentials;
+        int newRnd = random.nextInt(100) + 1;
+        String currentRegionName = '/' + regionName;
+        if ((opFlags & OpFlags.USE_SUBREGION) > 0) {
+          currentRegionName += ('/' + SUBREGION_NAME);
+        }
+
+        String credentialsTypeStr;
+        OperationCode authOpCode = currentOp.getAuthzOperationCode();
+        int[] indices = currentOp.getIndices();
+        CredentialGenerator cGen = credentialGenerator.getCredentialGenerator();
+        final Properties javaProps = cGen == null ? null : cGen.getJavaProperties();
+
+        if ((opFlags & OpFlags.CHECK_NOTAUTHZ) > 0 || (opFlags & OpFlags.USE_NOTAUTHZ) > 0) {
+          opCredentials = credentialGenerator.getDisallowedCredentials(new OperationCode[] { authOpCode }, new String[] { currentRegionName }, indices, newRnd);
+          credentialsTypeStr = " unauthorized " + authOpCode;
+        } else {
+          opCredentials = credentialGenerator.getAllowedCredentials(new OperationCode[] { opCode, authOpCode }, new String[] { currentRegionName }, indices, newRnd);
+          credentialsTypeStr = " authorized " + authOpCode;
+        }
+
+        Properties clientProps = concatProperties(new Properties[] { opCredentials, extraAuthProps, extraAuthzProps });
+        // Start the client with valid credentials but allowed or disallowed to perform an operation
+        System.out.println("executeOpBlock: For client" + clientNum + credentialsTypeStr + " credentials: " + opCredentials);
+        boolean setupDynamicRegionFactory = (opFlags & OpFlags.ENABLE_DRF) > 0;
+
+        if (useThisVM) {
+          SecurityTestUtils.createCacheClientWithDynamicRegion(authInit, clientProps, javaProps, new int[] { port1, port2 }, 0, setupDynamicRegionFactory, NO_EXCEPTION);
+        } else {
+          clientVM.invoke("SecurityTestUtils.createCacheClientWithDynamicRegion",
+              () -> SecurityTestUtils.createCacheClientWithDynamicRegion(authInit, clientProps, javaProps, new int[] { port1, port2 }, 0, setupDynamicRegionFactory, NO_EXCEPTION));
+        }
+      }
+
+      int expectedResult;
+      if ((opFlags & OpFlags.CHECK_NOTAUTHZ) > 0) {
+        expectedResult = NOTAUTHZ_EXCEPTION;
+      } else if ((opFlags & OpFlags.CHECK_EXCEPTION) > 0) {
+        expectedResult = OTHER_EXCEPTION;
+      } else {
+        expectedResult = NO_EXCEPTION;
+      }
+
+      // Perform the operation from selected client
+      if (useThisVM) {
+        doOp(opCode, currentOp.getIndices(), new Integer(opFlags), new Integer(expectedResult));
+      } else {
+        int[] indices = currentOp.getIndices();
+        clientVM.invoke("ClientAuthorizationTestCase.doOp",
+            () -> ClientAuthorizationTestCase.doOp( opCode, indices, new Integer(opFlags), new Integer(expectedResult) ));
+      }
+    }
+  }
+
+  protected AuthzCredentialGenerator getXmlAuthzGenerator(){
+    AuthzCredentialGenerator authzGen = new XmlAuthzCredentialGenerator();
+    CredentialGenerator cGen = new DummyCredentialGenerator();
+    cGen.init();
+    authzGen.init(cGen);
+    return authzGen;
+  }
+
+  protected List<AuthzCredentialGenerator> getDummyGeneratorCombos() {
+    List<AuthzCredentialGenerator> generators = new ArrayList<>();
+    Iterator authzCodeIter = AuthzCredentialGenerator.ClassCode.getAll().iterator();
+
+    while (authzCodeIter.hasNext()) {
+      ClassCode authzClassCode = (ClassCode) authzCodeIter.next();
+      AuthzCredentialGenerator authzGen = AuthzCredentialGenerator.create(authzClassCode);
+
+      if (authzGen != null) {
+        CredentialGenerator cGen = new DummyCredentialGenerator();
+        cGen.init();
+        if (authzGen.init(cGen)) {
+          generators.add(authzGen);
+        }
+      }
+    }
+
+    assertTrue(generators.size() > 0);
+    return generators;
+  }
+
+  protected void runOpsWithFailOver(final OperationWithAction[] opCodes, final String testName) throws InterruptedException {
+    AuthzCredentialGenerator gen = getXmlAuthzGenerator();
+    CredentialGenerator cGen = gen.getCredentialGenerator();
+    Properties extraAuthProps = cGen.getSystemProperties();
+    Properties javaProps = cGen.getJavaProperties();
+    Properties extraAuthzProps = gen.getSystemProperties();
+    String authenticator = cGen.getAuthenticator();
+    String authInit = cGen.getAuthInit();
+    String accessor = gen.getAuthorizationCallback();
+    TestAuthzCredentialGenerator tgen = new TestAuthzCredentialGenerator(gen);
+
+    System.out.println(testName + ": Using authinit: " + authInit);
+    System.out.println(testName + ": Using authenticator: " + authenticator);
+    System.out.println(testName + ": Using accessor: " + accessor);
+
+    // Start servers with all required properties
+    Properties serverProps = buildProperties(authenticator, accessor, false, extraAuthProps, extraAuthzProps);
+
+    // Get ports for the servers
+    List<Keeper> randomAvailableTCPPortKeepers = AvailablePortHelper.getRandomAvailableTCPPortKeepers(4);
+    Keeper locator1PortKeeper = randomAvailableTCPPortKeepers.get(0);
+    Keeper locator2PortKeeper = randomAvailableTCPPortKeepers.get(1);
+    Keeper port1Keeper = randomAvailableTCPPortKeepers.get(2);
+    Keeper port2Keeper = randomAvailableTCPPortKeepers.get(3);
+    int locator1Port = locator1PortKeeper.getPort();
+    int locator2Port = locator2PortKeeper.getPort();
+    int port1 = port1Keeper.getPort();
+    int port2 = port2Keeper.getPort();
+
+    // Perform all the ops on the clients
+    List opBlock = new ArrayList();
+    Random rnd = new Random();
+
+    for (int opNum = 0; opNum < opCodes.length; ++opNum) {
+      // Start client with valid credentials as specified in OperationWithAction
+      OperationWithAction currentOp = opCodes[opNum];
+
+      if (currentOp.equals(OperationWithAction.OPBLOCK_END) || currentOp.equals(OperationWithAction.OPBLOCK_NO_FAILOVER)) {
+        // End of current operation block; execute all the operations on the servers with/without failover
+        if (opBlock.size() > 0) {
+          locator1PortKeeper.release();
+          port1Keeper.release();
+
+          // Start the first server and execute the operation block
+          server1.invoke("createCacheServer", () -> ClientAuthorizationTestCase.createCacheServer(locator1Port, port1, serverProps, javaProps ));
+          server2.invoke("closeCache", () -> closeCache());
+
+          executeOpBlock(opBlock, port1, port2, authInit, extraAuthProps, extraAuthzProps, tgen, rnd);
+
+          if (!currentOp.equals(OperationWithAction.OPBLOCK_NO_FAILOVER)) {
+            // Failover to the second server and run the block again
+            locator2PortKeeper.release();
+            port2Keeper.release();
+
+            server2.invoke("createCacheServer", () -> ClientAuthorizationTestCase.createCacheServer(locator2Port, port2, serverProps, javaProps ));
+            server1.invoke("closeCache", () -> closeCache());
+
+            executeOpBlock(opBlock, port1, port2, authInit, extraAuthProps, extraAuthzProps, tgen, rnd);
+          }
+          opBlock.clear();
+        }
+
+      } else {
+        currentOp.setOpNum(opNum);
+        opBlock.add(currentOp);
+      }
+    }
+  }
+
+  /**
+   * Implements the {@link CqListener} interface and counts the number of
+   * different operations and also queues up the received updates to precise
+   * checking of each update.
+   *
+   * @since GemFire 5.5
+   */
+  private static class AuthzCqListener implements CqListener {
+
+    private List<CqEvent> eventList;
+    private int numCreates;
+    private int numUpdates;
+    private int numDestroys;
+    private int numOtherOps;
+    private int numErrors;
+
+    public AuthzCqListener() {
+      this.eventList = new ArrayList<>();
+      reset();
+    }
+
+    public void reset() {
+      this.eventList.clear();
+      this.numCreates = 0;
+      this.numUpdates = 0;
+      this.numErrors = 0;
+    }
+
+    public void onEvent(final CqEvent aCqEvent) {
+      Operation op = aCqEvent.getBaseOperation();
+      if (op.isCreate()) {
+        ++this.numCreates;
+      } else if (op.isUpdate()) {
+        ++this.numUpdates;
+      } else if (op.isDestroy()) {
+        ++this.numDestroys;
+      } else {
+        ++this.numOtherOps;
+      }
+      eventList.add(aCqEvent);
+    }
+
+    public void onError(final CqEvent aCqEvent) {
+      ++this.numErrors;
+    }
+
+    public void close() {
+      this.eventList.clear();
+    }
+
+    public int getNumCreates() {
+      return this.numCreates;
+    }
+
+    public int getNumUpdates() {
+      return this.numUpdates;
+    }
+
+    public int getNumDestroys() {
+      return this.numDestroys;
+    }
+
+    public int getNumOtherOps() {
+      return this.numOtherOps;
+    }
+
+    public int getNumErrors() {
+      return this.numErrors;
+    }
+
+    public void checkPuts(final String[] vals, final int[] indices) {
+      for (int indexIndex = 0; indexIndex < indices.length; ++indexIndex) {
+        int index = indices[indexIndex];
+        boolean foundKey = false;
+
+        for (Iterator<CqEvent> eventIter = this.eventList.iterator(); eventIter.hasNext();) {
+          CqEvent event = (CqEvent)eventIter.next();
+          if (KEYS[index].equals(event.getKey())) {
+            assertEquals(vals[index], event.getNewValue());
+            foundKey = true;
+            break;
+          }
+        }
+
+        assertTrue(foundKey);
+      }
+    }
+  }
+
+  /**
+   * This class specifies flags that can be used to alter the behaviour of
+   * operations being performed by the <code>doOp</code> function.
+   *
+   * @since GemFire 5.5
+   */
+  protected static class OpFlags {
+
+    /**
+     * Default behaviour.
+     */
+    public static final int NONE = 0x0;
+
+    /**
+     * Check that the operation should fail.
+     */
+    public static final int CHECK_FAIL = 0x1;
+
+    /**
+     * Check that the operation should throw <code>NotAuthorizedException</code>.
+     */
+    public static final int CHECK_NOTAUTHZ = 0x2;
+
+    /**
+     * Check that the region should not be available.
+     */
+    public static final int CHECK_NOREGION = 0x4;
+
+    /**
+     * Check that the operation should throw an exception other than the
+     * <code>NotAuthorizedException</code>.
+     */
+    public static final int CHECK_EXCEPTION = 0x8;
+
+    /**
+     * Check for nvalues[] instead of values[].
+     */
+    public static final int USE_NEWVAL = 0x10;
+
+    /**
+     * Register all KEYS. For GET operations indicates using getAll().
+     */
+    public static final int USE_ALL_KEYS = 0x20;
+
+    /**
+     * Register a regular expression.
+     */
+    public static final int USE_REGEX = 0x40;
+
+    /**
+     * Register a list of KEYS.
+     */
+    public static final int USE_LIST = 0x80;
+
+    /**
+     * Perform the local version of the operation.
+     */
+    public static final int LOCAL_OP = 0x100;
+
+    /**
+     * Check that the key for the operation should not be present.
+     */
+    public static final int CHECK_NOKEY = 0x200;
+
+    /**
+     * Use the sub-region for performing the operation.
+     */
+    public static final int USE_SUBREGION = 0x400;
+
+    /**
+     * Do not try to create the sub-region.
+     */
+    public static final int NO_CREATE_SUBREGION = 0x800;
+
+    /**
+     * Do not re-connect using new credentials rather use the previous
+     * connection.
+     */
+    public static final int USE_OLDCONN = 0x1000;
+
+    /**
+     * Do the connection with unauthorized credentials but do not check that the
+     * operation throws <code>NotAuthorizedException</code>.
+     */
+    public static final int USE_NOTAUTHZ = 0x2000;
+
+    /**
+     * Enable {@link DynamicRegionFactory} on the client.
+     */
+    public static final int ENABLE_DRF = 0x4000;
+
+    /**
+     * Use the {@link InterestResultPolicy#NONE} for register interest.
+     */
+    public static final int REGISTER_POLICY_NONE = 0x8000;
+    
+    /**
+     * Use the {@link LocalRegion#getEntry} under transaction.
+     */
+    public static final int USE_GET_ENTRY_IN_TX = 0x10000;
+
+    public static String description(int f) {
+      StringBuffer sb = new StringBuffer();
+      sb.append("[");
+      if ((f & CHECK_FAIL) != 0) {
+        sb.append("CHECK_FAIL,");
+      }
+      if ((f & CHECK_NOTAUTHZ) != 0) {
+        sb.append("CHECK_NOTAUTHZ,");
+      }
+      if ((f & CHECK_NOREGION) != 0) {
+        sb.append("CHECK_NOREGION,");
+      }
+      if ((f & CHECK_EXCEPTION) != 0) {
+        sb.append("CHECK_EXCEPTION,");
+      }
+      if ((f & USE_NEWVAL) != 0) {
+        sb.append("USE_NEWVAL,");
+      }
+      if ((f & USE_ALL_KEYS) != 0) {
+        sb.append("USE_ALL_KEYS,");
+      }
+      if ((f & USE_REGEX) != 0) {
+        sb.append("USE_REGEX,");
+      }
+      if ((f & USE_LIST) != 0) {
+        sb.append("USE_LIST,");
+      }
+      if ((f & LOCAL_OP) != 0) {
+        sb.append("LOCAL_OP,");
+      }
+      if ((f & CHECK_NOKEY) != 0) {
+        sb.append("CHECK_NOKEY,");
+      }
+      if ((f & USE_SUBREGION) != 0) {
+        sb.append("USE_SUBREGION,");
+      }
+      if ((f & NO_CREATE_SUBREGION) != 0) {
+        sb.append("NO_CREATE_SUBREGION,");
+      }
+      if ((f & USE_OLDCONN) != 0) {
+        sb.append("USE_OLDCONN,");
+      }
+      if ((f & USE_NOTAUTHZ) != 0) {
+        sb.append("USE_NOTAUTHZ");
+      }
+      if ((f & ENABLE_DRF) != 0) {
+        sb.append("ENABLE_DRF,");
+      }
+      if ((f & REGISTER_POLICY_NONE) != 0) {
+        sb.append("REGISTER_POLICY_NONE,");
+      }
+      sb.append("]");
+      return sb.toString();
+    }
+  }
+
+  /**
+   * This class encapsulates an {@link OperationCode} with associated flags, the
+   * client to perform the operation, and the number of operations to perform.
+   *
+   * @since GemFire 5.5
+   */
+  protected static class OperationWithAction {
+
+    /**
+     * The operation to be performed.
+     */
+    private OperationCode opCode;
+
+    /**
+     * The operation for which authorized or unauthorized credentials have to be
+     * generated. This is the same as {@link #opCode} when not specified.
+     */
+    private OperationCode authzOpCode;
+
+    /**
+     * The client number on which the operation has to be performed.
+     */
+    private int clientNum;
+
+    /**
+     * Bitwise or'd {@link OpFlags} integer to change/specify the behaviour of the operations.
+     */
+    private int flags;
+
+    /**
+     * Indices of the KEYS array to be used for operations.
+     */
+    private int[] indices;
+
+    /**
+     * An index for the operation used for logging.
+     */
+    private int opNum;
+
+    /**
+     * Indicates end of an operation block which can be used for testing with failover
+     */
+    public static final OperationWithAction OPBLOCK_END = new OperationWithAction(null, 4);
+
+    /**
+     * Indicates end of an operation block which should not be used for testing with failover
+     */
+    public static final OperationWithAction OPBLOCK_NO_FAILOVER = new OperationWithAction(null, 5);
+
+    private void setIndices(int numOps) {
+      this.indices = new int[numOps];
+      for (int index = 0; index < numOps; ++index) {
+        this.indices[index] = index;
+      }
+    }
+
+    public OperationWithAction(final OperationCode opCode) {
+      this.opCode = opCode;
+      this.authzOpCode = opCode;
+      this.clientNum = 1;
+      this.flags = OpFlags.NONE;
+      setIndices(4);
+      this.opNum = 0;
+    }
+
+    public OperationWithAction(final OperationCode opCode, final int clientNum) {
+      this.opCode = opCode;
+      this.authzOpCode = opCode;
+      this.clientNum = clientNum;
+      this.flags = OpFlags.NONE;
+      setIndices(4);
+      this.opNum = 0;
+    }
+
+    public OperationWithAction(final OperationCode opCode, final int clientNum, final int flags, final int numOps) {
+      this.opCode = opCode;
+      this.authzOpCode = opCode;
+      this.clientNum = clientNum;
+      this.flags = flags;
+      setIndices(numOps);
+      this.opNum = 0;
+    }
+
+    public OperationWithAction(final OperationCode opCode, final OperationCode deniedOpCode, final int clientNum, final int flags, final int numOps) {
+      this.opCode = opCode;
+      this.authzOpCode = deniedOpCode;
+      this.clientNum = clientNum;
+      this.flags = flags;
+      setIndices(numOps);
+      this.opNum = 0;
+    }
+
+    public OperationWithAction(final OperationCode opCode, final int clientNum, final int flags, final int[] indices) {
+      this.opCode = opCode;
+      this.authzOpCode = opCode;
+      this.clientNum = clientNum;
+      this.flags = flags;
+      this.indices = indices;
+      this.opNum = 0;
+    }
+
+    public OperationWithAction(final OperationCode opCode, final OperationCode deniedOpCode, final int clientNum, final int flags, final int[] indices) {
+      this.opCode = opCode;
+      this.authzOpCode = deniedOpCode;
+      this.clientNum = clientNum;
+      this.flags = flags;
+      this.indices = indices;
+      this.opNum = 0;
+    }
+
+    public OperationCode getOperationCode() {
+      return this.opCode;
+    }
+
+    public OperationCode getAuthzOperationCode() {
+      return this.authzOpCode;
+    }
+
+    public int getClientNum() {
+      return this.clientNum;
+    }
+
+    public int getFlags() {
+      return this.flags;
+    }
+
+    public int[] getIndices() {
+      return this.indices;
+    }
+
+    public int getOpNum() {
+      return this.opNum;
+    }
+
+    public void setOpNum(int opNum) {
+      this.opNum = opNum;
+    }
+
+    @Override
+    public String toString() {
+      return "opCode:" + this.opCode + ",authOpCode:" + this.authzOpCode + ",clientNum:" + this.clientNum + ",flags:" + this.flags + ",numOps:" + this.indices.length + ",indices:" + indicesToString(this.indices);
+    }
+  }
+
+  /**
+   * Simple interface to generate credentials with authorization based on key
+   * indices also. This is utilized by the post-operation authorization tests
+   * where authorization is based on key indices.
+   *
+   * @since GemFire 5.5
+   */
+  protected interface TestCredentialGenerator {
+
+    /**
+     * Get allowed credentials for the given set of operations in the given
+     * regions and indices of KEYS in the <code>KEYS</code> array
+     */
+    public Properties getAllowedCredentials(OperationCode[] opCodes, String[] regionNames, int[] keyIndices, int num);
+
+    /**
+     * Get disallowed credentials for the given set of operations in the given
+     * regions and indices of KEYS in the <code>KEYS</code> array
+     */
+    public Properties getDisallowedCredentials(OperationCode[] opCodes, String[] regionNames, int[] keyIndices, int num);
+
+    /**
+     * Get the {@link CredentialGenerator} if any.
+     */
+    public CredentialGenerator getCredentialGenerator();
+  }
+
+  /**
+   * Contains a {@link AuthzCredentialGenerator} and implements the
+   * {@link TestCredentialGenerator} interface.
+   *
+   * @since GemFire 5.5
+   */
+  protected static class TestAuthzCredentialGenerator implements TestCredentialGenerator {
+
+    private AuthzCredentialGenerator authzGen;
+
+    public TestAuthzCredentialGenerator(final AuthzCredentialGenerator authzGen) {
+      this.authzGen = authzGen;
+    }
+
+    public Properties getAllowedCredentials(final OperationCode[] opCodes, final String[] regionNames, final int[] keyIndices, final int num) {
+      return this.authzGen.getAllowedCredentials(opCodes, regionNames, num);
+    }
+
+    public Properties getDisallowedCredentials(final OperationCode[] opCodes, final String[] regionNames, final int[] keyIndices, final int num) {
+      return this.authzGen.getDisallowedCredentials(opCodes, regionNames, num);
+    }
+
+    public CredentialGenerator getCredentialGenerator() {
+      return authzGen.getCredentialGenerator();
+    }
+  }
+}


Mime
View raw message