geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prhomb...@apache.org
Subject [geode] branch develop updated: GEODE-3974: Improve permissions for geode-lucene functions
Date Thu, 11 Jan 2018 20:03:16 GMT
This is an automated email from the ASF dual-hosted git repository.

prhomberg pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
     new 740289c  GEODE-3974: Improve permissions for geode-lucene functions
740289c is described below

commit 740289c61d60256c6270756bc84b9e24b76e4913
Author: Patrick Rhomberg <PurelyApplied@users.noreply.github.com>
AuthorDate: Thu Jan 11 12:03:13 2018 -0800

    GEODE-3974: Improve permissions for geode-lucene functions
---
 .../cli/functions/LuceneCreateIndexFunction.java   |  14 +-
 .../cli/functions/LuceneDescribeIndexFunction.java |  13 +
 .../cli/functions/LuceneDestroyIndexFunction.java  |  16 +-
 .../cli/functions/LuceneListIndexFunction.java     |  12 +
 .../cli/functions/LuceneSearchIndexFunction.java   |  12 +-
 .../internal/directory/DumpDirectoryFiles.java     |  13 +
 .../internal/distributed/LuceneQueryFunction.java  |   1 -
 .../distributed/WaitUntilFlushedFunction.java      |   1 -
 .../internal/results/LuceneGetPageFunction.java    |   1 -
 .../lucene/test/LuceneFunctionSecurityTest.java    | 485 +++++++++++++++++++++
 10 files changed, 560 insertions(+), 8 deletions(-)

diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
index b1b974d..df8bf30 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneCreateIndexFunction.java
@@ -18,6 +18,9 @@ package org.apache.geode.cache.lucene.internal.cli.functions;
 import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.INDEX_NAME;
 import static org.apache.geode.cache.lucene.internal.LuceneServiceImpl.validateCommandParameters.REGION_PATH;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.commons.lang.StringUtils;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.standard.StandardAnalyzer;
@@ -33,11 +36,15 @@ import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
 import org.apache.geode.cache.lucene.internal.cli.LuceneCliStrings;
 import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
 import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.management.internal.cli.CliUtil;
 import org.apache.geode.management.internal.cli.functions.CliFunctionResult;
 import org.apache.geode.management.internal.cli.i18n.CliStrings;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 
 /**
@@ -110,6 +117,12 @@ public class LuceneCreateIndexFunction implements InternalEntity, Function
{
     }
   }
 
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(
+        new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET));
+  }
+
   private LuceneSerializer toSerializer(String serializerName)
       throws InstantiationException, IllegalAccessException, ClassNotFoundException {
     String trimmedName = StringUtils.trim(serializerName);
@@ -136,5 +149,4 @@ public class LuceneCreateIndexFunction implements InternalEntity, Function
{
         CliUtil.forName(className, LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER);
     return CliUtil.newInstance(clazz, LuceneCliStrings.LUCENE_CREATE_INDEX__ANALYZER);
   }
-
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
index dd90116..8f9bac3 100755
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDescribeIndexFunction.java
@@ -15,6 +15,9 @@
 
 package org.apache.geode.cache.lucene.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.geode.cache.Cache;
 import org.apache.geode.cache.execute.Function;
 import org.apache.geode.cache.execute.FunctionContext;
@@ -25,7 +28,11 @@ import org.apache.geode.cache.lucene.internal.LuceneIndexImpl;
 import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
 import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
 import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
 import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 /**
  * The LuceneDescribeIndexFunction class is a function used to collect the information on
a
@@ -66,4 +73,10 @@ public class LuceneDescribeIndexFunction implements InternalEntity, Function
{
     }
     context.getResultSender().lastResult(result);
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(
+        new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET));
+  }
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
index 9803192..1a12894 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneDestroyIndexFunction.java
@@ -14,6 +14,9 @@
  */
 package org.apache.geode.cache.lucene.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import org.apache.commons.lang.StringUtils;
 
 import org.apache.geode.cache.execute.Function;
@@ -22,16 +25,19 @@ import org.apache.geode.cache.lucene.LuceneService;
 import org.apache.geode.cache.lucene.LuceneServiceProvider;
 import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
 import org.apache.geode.cache.lucene.internal.cli.LuceneDestroyIndexInfo;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
 import org.apache.geode.cache.lucene.internal.xml.LuceneXmlConstants;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.xmlcache.CacheXml;
 import org.apache.geode.management.internal.cli.functions.CliFunctionResult;
 import org.apache.geode.management.internal.configuration.domain.XmlEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 public class LuceneDestroyIndexFunction implements Function, InternalEntity {
-
   public void execute(final FunctionContext context) {
-    CliFunctionResult result = null;
+    CliFunctionResult result;
     String memberId = context.getCache().getDistributedSystem().getDistributedMember().getId();
     try {
       LuceneDestroyIndexInfo indexInfo = (LuceneDestroyIndexInfo) context.getArguments();
@@ -66,4 +72,10 @@ public class LuceneDestroyIndexFunction implements Function, InternalEntity
{
     return new XmlEntity(CacheXml.REGION, "name", regionName, LuceneXmlConstants.PREFIX,
         LuceneXmlConstants.NAMESPACE, LuceneXmlConstants.INDEX, "name", indexName);
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(
+        new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET));
+  }
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
index 34d445b..31c8122 100755
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneListIndexFunction.java
@@ -15,6 +15,8 @@
 
 package org.apache.geode.cache.lucene.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -27,7 +29,11 @@ import org.apache.geode.cache.lucene.internal.LuceneIndexCreationProfile;
 import org.apache.geode.cache.lucene.internal.LuceneIndexImpl;
 import org.apache.geode.cache.lucene.internal.LuceneServiceImpl;
 import org.apache.geode.cache.lucene.internal.cli.LuceneIndexDetails;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
 import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 /**
  * The LuceneListIndexFunction class is a function used to collect the information on all
lucene
@@ -64,4 +70,10 @@ public class LuceneListIndexFunction implements InternalEntity, Function
{
     }
     context.getResultSender().lastResult(indexDetailsSet);
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(
+        new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET));
+  }
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
index 0a6cc3e..c043388 100755
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/cli/functions/LuceneSearchIndexFunction.java
@@ -15,14 +15,14 @@
 
 package org.apache.geode.cache.lucene.internal.cli.functions;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
 import org.apache.geode.cache.Cache;
-import org.apache.geode.cache.CacheFactory;
 import org.apache.geode.cache.execute.Function;
-import org.apache.geode.cache.execute.FunctionAdapter;
 import org.apache.geode.cache.execute.FunctionContext;
 import org.apache.geode.cache.lucene.LuceneQuery;
 import org.apache.geode.cache.lucene.LuceneQueryException;
@@ -35,6 +35,9 @@ import org.apache.geode.cache.lucene.internal.cli.LuceneIndexInfo;
 import org.apache.geode.cache.lucene.internal.cli.LuceneQueryInfo;
 import org.apache.geode.cache.lucene.internal.cli.LuceneSearchResults;
 import org.apache.geode.internal.InternalEntity;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 /**
  * The LuceneSearchIndexFunction class is a function used to collect the information on a
particular
@@ -95,4 +98,9 @@ public class LuceneSearchIndexFunction<K, V> implements InternalEntity,
Function
       context.getResultSender().lastResult(result);
     }
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    return Collections.singleton(new ResourcePermission(Resource.DATA, Operation.READ, regionName));
+  }
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
index 910f50f..4d720da 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/directory/DumpDirectoryFiles.java
@@ -17,6 +17,8 @@ package org.apache.geode.cache.lucene.internal.directory;
 
 import java.io.File;
 import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.index.IndexWriter;
@@ -35,6 +37,9 @@ import org.apache.geode.cache.lucene.internal.repository.RepositoryManager;
 import org.apache.geode.internal.InternalEntity;
 import org.apache.geode.internal.cache.BucketNotFoundException;
 import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
 
 public class DumpDirectoryFiles implements Function, InternalEntity {
   private static final long serialVersionUID = 1L;
@@ -96,4 +101,12 @@ public class DumpDirectoryFiles implements Function, InternalEntity {
   public boolean optimizeForWrite() {
     return true;
   }
+
+  @Override
+  public Collection<ResourcePermission> getRequiredPermissions(String regionName) {
+    Set<ResourcePermission> required = new HashSet<>();
+    required.add(new ResourcePermission(Resource.DATA, Operation.READ, regionName));
+    required.add(new ResourcePermission(Resource.CLUSTER, Operation.MANAGE));
+    return required;
+  }
 }
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
index 0b104a3..bc5ced6 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/LuceneQueryFunction.java
@@ -19,7 +19,6 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.Optional;
 
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.Query;
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
index c9e10d9..f0c88a4 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/distributed/WaitUntilFlushedFunction.java
@@ -17,7 +17,6 @@ package org.apache.geode.cache.lucene.internal.distributed;
 
 import java.util.Collection;
 import java.util.Collections;
-import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
 import org.apache.geode.cache.Cache;
diff --git a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
index 07dc1ad..8e2bfcc 100644
--- a/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
+++ b/geode-lucene/src/main/java/org/apache/geode/cache/lucene/internal/results/LuceneGetPageFunction.java
@@ -18,7 +18,6 @@ package org.apache.geode.cache.lucene.internal.results;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
-import java.util.Optional;
 import java.util.Set;
 
 import org.apache.logging.log4j.Logger;
diff --git a/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
new file mode 100644
index 0000000..2fa054e
--- /dev/null
+++ b/geode-lucene/src/test/java/org/apache/geode/cache/lucene/test/LuceneFunctionSecurityTest.java
@@ -0,0 +1,485 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information
regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version
2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain
a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
express
+ * or implied. See the License for the specific language governing permissions and limitations
under
+ * the License.
+ */
+
+package org.apache.geode.cache.lucene.test;
+
+import static org.apache.geode.management.internal.security.ResourcePermissions.CLUSTER_MANAGE;
+import static org.apache.geode.management.internal.security.ResourcePermissions.DATA_READ;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+
+import java.util.function.Predicate;
+
+import org.assertj.core.api.Condition;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.mockito.Mockito;
+
+import org.apache.geode.cache.RegionShortcut;
+import org.apache.geode.cache.execute.Function;
+import org.apache.geode.cache.execute.FunctionService;
+import org.apache.geode.cache.lucene.internal.cli.functions.LuceneCreateIndexFunction;
+import org.apache.geode.cache.lucene.internal.cli.functions.LuceneDescribeIndexFunction;
+import org.apache.geode.cache.lucene.internal.cli.functions.LuceneDestroyIndexFunction;
+import org.apache.geode.cache.lucene.internal.cli.functions.LuceneListIndexFunction;
+import org.apache.geode.cache.lucene.internal.cli.functions.LuceneSearchIndexFunction;
+import org.apache.geode.cache.lucene.internal.directory.DumpDirectoryFiles;
+import org.apache.geode.cache.lucene.internal.distributed.LuceneQueryFunction;
+import org.apache.geode.cache.lucene.internal.distributed.WaitUntilFlushedFunction;
+import org.apache.geode.cache.lucene.internal.results.LuceneGetPageFunction;
+import org.apache.geode.cache.lucene.internal.security.LucenePermission;
+import org.apache.geode.examples.SimpleSecurityManager;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.test.junit.categories.IntegrationTest;
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.apache.geode.test.junit.rules.ConnectionConfiguration;
+import org.apache.geode.test.junit.rules.GfshCommandRule;
+import org.apache.geode.test.junit.rules.ServerStarterRule;
+
+@Category({IntegrationTest.class, SecurityTest.class})
+public class LuceneFunctionSecurityTest {
+  // Note: this region name is embedded below in several @ConnectionConfiguration inputs,
+  // which is itself case-sensitive in parsing.
+  private static String regionName = "this_test_region";
+
+  private static ResourcePermission CLUSTER_MANAGE_LUCENE =
+      new ResourcePermission(Resource.CLUSTER, Operation.MANAGE, LucenePermission.TARGET);
+  private static ResourcePermission CLUSTER_READ_LUCENE =
+      new ResourcePermission(Resource.CLUSTER, Operation.READ, LucenePermission.TARGET);
+  private static ResourcePermission DATA_READ_REGION =
+      new ResourcePermission(Resource.DATA, Operation.READ, regionName);
+
+  private static Function luceneCreateIndexFunction = Mockito.spy(new LuceneCreateIndexFunction());
+  private static Function luceneDescribeIndexFunction =
+      Mockito.spy(new LuceneDescribeIndexFunction());
+  private static Function luceneDestroyIndexFunction =
+      Mockito.spy(new LuceneDestroyIndexFunction());
+  private static Function luceneListIndexFunction = Mockito.spy(new LuceneListIndexFunction());
+  private static Function luceneSearchIndexFunction = Mockito.spy(new LuceneSearchIndexFunction());
+  private static Function dumpDirectoryFiles = Mockito.spy(new DumpDirectoryFiles());
+  private static Function luceneQueryFunction = Mockito.spy(new LuceneQueryFunction());
+  private static Function waitUntilFlushedFunction = Mockito.spy(new WaitUntilFlushedFunction());
+  private static Function luceneGetPageFunction = Mockito.spy(new LuceneGetPageFunction());
+
+  static {
+    Mockito.doNothing().when(luceneCreateIndexFunction).execute(any());
+    Mockito.doNothing().when(luceneDescribeIndexFunction).execute(any());
+    Mockito.doNothing().when(luceneDestroyIndexFunction).execute(any());
+    Mockito.doNothing().when(luceneListIndexFunction).execute(any());
+    Mockito.doNothing().when(luceneSearchIndexFunction).execute(any());
+    Mockito.doNothing().when(dumpDirectoryFiles).execute(any());
+    Mockito.doNothing().when(luceneQueryFunction).execute(any());
+    Mockito.doNothing().when(waitUntilFlushedFunction).execute(any());
+    Mockito.doNothing().when(luceneGetPageFunction).execute(any());
+  }
+
+  @ClassRule
+  public static ServerStarterRule server =
+      new ServerStarterRule().withJMXManager().withSecurityManager(SimpleSecurityManager.class)
+          .withRegion(RegionShortcut.PARTITION, regionName).withAutoStart();
+
+  @Rule
+  public GfshCommandRule gfsh =
+      new GfshCommandRule(server::getJmxPort, GfshCommandRule.PortType.jmxManager);
+
+  @BeforeClass
+  public static void setupClass() {
+    FunctionService.registerFunction(luceneCreateIndexFunction);
+    FunctionService.registerFunction(luceneDescribeIndexFunction);
+    FunctionService.registerFunction(luceneDestroyIndexFunction);
+    FunctionService.registerFunction(luceneListIndexFunction);
+    FunctionService.registerFunction(luceneSearchIndexFunction);
+    FunctionService.registerFunction(dumpDirectoryFiles);
+    FunctionService.registerFunction(luceneQueryFunction);
+    FunctionService.registerFunction(waitUntilFlushedFunction);
+    FunctionService.registerFunction(luceneGetPageFunction);
+  }
+
+  /* Command authorized tests */
+  @Test
+  @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene")
+  public void testValidPermissionsForLuceneCreateIndexFunction() throws Exception {
+    Function thisFunction = luceneCreateIndexFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene")
+  public void testValidPermissionsForLuceneDescribeIndexFunction() throws Exception {
+    Function thisFunction = luceneDescribeIndexFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "clusterManageLucene", password = "clusterManageLucene")
+  public void testValidPermissionsForLuceneDestroyIndexFunction() throws Exception {
+    Function thisFunction = luceneDestroyIndexFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "clusterReadLucene", password = "clusterReadLucene")
+  public void testValidPermissionsForLuceneListIndexFunction() throws Exception {
+    Function thisFunction = luceneListIndexFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region,clusterManage",
+      password = "dataReadThis_test_region,clusterManage")
+  public void testValidPermissionsForDumpDirectoryFilesWithRegionParameter() throws Exception
{
+    Function thisFunction = dumpDirectoryFiles;
+
+    gfsh.executeAndAssertThat(
+        "execute function  --region=" + regionName + " --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead,clusterManage", password = "dataRead,clusterManage")
+  public void testValidPermissionsForDumpDirectoryFilesWithoutRegionParameter() throws Exception
{
+    Function thisFunction = dumpDirectoryFiles;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+  public void testValidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneSearchIndexFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region")
+  public void testValidPermissionsForLuceneSearchIndexFunctionWithRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneSearchIndexFunction;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+  public void testValidPermissionsForLuceneQueryFunctionWithoutRegionParameter() throws Exception
{
+    Function thisFunction = luceneQueryFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region")
+  public void testValidPermissionsForLuceneQueryFunctionWithRegionParameter() throws Exception
{
+    Function thisFunction = luceneQueryFunction;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+  public void testValidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = waitUntilFlushedFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region")
+  public void testValidPermissionsForWaitUntilFlushedFunctionWithRegionParameter()
+      throws Exception {
+    Function thisFunction = waitUntilFlushedFunction;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+  public void testValidPermissionsForLuceneGetPageFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneGetPageFunction;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region")
+  public void testValidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws Exception
{
+    Function thisFunction = luceneGetPageFunction;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .doesNotContainOutput("not authorized for").statusIsSuccess();
+  }
+
+
+  /* Command refused tests */
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneCreateIndexFunction() throws Exception {
+    Function thisFunction = luceneCreateIndexFunction;
+    ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneDescribeIndexFunction() throws Exception {
+    Function thisFunction = luceneDescribeIndexFunction;
+    ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneDestroyIndexFunction() throws Exception {
+    Function thisFunction = luceneDestroyIndexFunction;
+    ResourcePermission thisRequiredPermission = CLUSTER_MANAGE_LUCENE;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneListIndexFunction() throws Exception {
+    Function thisFunction = luceneListIndexFunction;
+    ResourcePermission thisRequiredPermission = CLUSTER_READ_LUCENE;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_noPermission()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+
+    Predicate<String> notAuthForDataRead =
+        s -> s.contains("not authorized for " + DATA_READ.toString());
+    Predicate<String> notAuthForClusterManage =
+        s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString());
+    Predicate<String> notAuthForSomePermission =
+        s -> notAuthForDataRead.test(s) || notAuthForClusterManage.test(s);
+
+    String output = gfsh.execute("execute function --id=" + thisFunction.getId());
+
+    Condition<String> containsSomeAuthFailure = new Condition<>(notAuthForSomePermission,
+        "not authorized for for [DATA:MANAGE|CLUSTER:MANAGE]", output);
+    assertThat(output).has(containsSomeAuthFailure);
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataRead", password = "dataRead")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withDataRead()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+    ResourcePermission thisMissingPermission = CLUSTER_MANAGE;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "clusterManage", password = "clusterManage")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithoutRegionParameter_withClusterManage()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+    ResourcePermission thisMissingPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_noPermission()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+
+    Predicate<String> notAuthForDataReadRegion =
+        s -> s.contains("not authorized for " + DATA_READ_REGION.toString());
+    Predicate<String> notAuthForClusterManage =
+        s -> s.contains("not authorized for " + CLUSTER_MANAGE.toString());
+    Predicate<String> notAuthForSomePermission =
+        s -> notAuthForDataReadRegion.test(s) || notAuthForClusterManage.test(s);
+
+    String output =
+        gfsh.execute("execute function --region=" + regionName + " --id=" + thisFunction.getId());
+
+    Condition<String> containsSomeAuthFailure =
+        new Condition<>(notAuthForSomePermission, "D:R or C:M:L auth failure", output);
+    assertThat(output).has(containsSomeAuthFailure);
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "dataReadThis_test_region", password = "dataReadThis_test_region")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withDataReadRegion()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+    ResourcePermission thisMissingPermission = CLUSTER_MANAGE;
+
+    gfsh.executeAndAssertThat(
+        "execute function  --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "clusterManage", password = "clusterManage")
+  public void testInvalidPermissionsForDumpDirectoryFilesWithRegionParameter_withClusterManage()
+      throws Exception {
+    Function thisFunction = dumpDirectoryFiles;
+    ResourcePermission thisMissingPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat(
+        "execute function  --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisMissingPermission.toString()).statusIsSuccess();
+  }
+
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneSearchIndexFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneSearchIndexFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneSearchIndexFunctionWithRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneSearchIndexFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneQueryFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneQueryFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneQueryFunctionWithRegionParameter() throws Exception
{
+    Function thisFunction = luceneQueryFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForWaitUntilFlushedFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = waitUntilFlushedFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForWaitUntilFlushedFunctionWithRegionParameter()
+      throws Exception {
+    Function thisFunction = waitUntilFlushedFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneGetPageFunctionWithoutRegionParameter()
+      throws Exception {
+    Function thisFunction = luceneGetPageFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ;
+
+    gfsh.executeAndAssertThat("execute function --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+
+  @Test
+  @ConnectionConfiguration(user = "noPermissions", password = "noPermissions")
+  public void testInvalidPermissionsForLuceneGetPageFunctionWithRegionParameter() throws
Exception {
+    Function thisFunction = luceneGetPageFunction;
+    ResourcePermission thisRequiredPermission = DATA_READ_REGION;
+
+    gfsh.executeAndAssertThat(
+        "execute function --region=" + regionName + " --id=" + thisFunction.getId())
+        .containsOutput("not authorized for " + thisRequiredPermission.toString())
+        .statusIsSuccess();
+  }
+}

-- 
To stop receiving notification emails like this one, please contact
['"commits@geode.apache.org" <commits@geode.apache.org>'].

Mime
View raw message