ignite-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From il...@apache.org
Subject [ignite] branch master updated: IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient - Fixes #7960.
Date Thu, 09 Jul 2020 09:24:01 GMT
This is an automated email from the ASF dual-hosted git repository.

ilyak pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ignite.git


The following commit(s) were added to refs/heads/master by this push:
     new c0ed2f6  IGNITE-13180 Added subject address to AuthenticationContext when subject
is IgniteClient - Fixes #7960.
c0ed2f6 is described below

commit c0ed2f616c7d5d8caa370b77d52926f2cf1bf080
Author: Ryzhov Sergei <s.vi.ryzhov@gmail.com>
AuthorDate: Thu Jul 9 12:23:33 2020 +0300

    IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient
- Fixes #7960.
    
    Signed-off-by: Ilya Kasnacheev <ilya.kasnacheev@gmail.com>
---
 .../ClientListenerAbstractConnectionContext.java   |  11 ++-
 .../odbc/jdbc/JdbcConnectionContext.java           |   2 +-
 .../odbc/odbc/OdbcConnectionContext.java           |   2 +-
 .../platform/client/ClientConnectionContext.java   |   2 +-
 .../IgniteClientContainSubjectAddressTest.java     | 101 +++++++++++++++++++++
 .../ignite/testsuites/SecurityTestSuite.java       |   2 +
 6 files changed, 112 insertions(+), 8 deletions(-)

diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
index 7cc8859..3682596 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
@@ -17,7 +17,6 @@
 
 package org.apache.ignite.internal.processors.odbc;
 
-import java.security.cert.Certificate;
 import java.util.Collections;
 import java.util.Map;
 import java.util.UUID;
@@ -26,6 +25,7 @@ import org.apache.ignite.internal.GridKernalContext;
 import org.apache.ignite.internal.processors.authentication.AuthorizationContext;
 import org.apache.ignite.internal.processors.authentication.IgniteAccessControlException;
 import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.util.nio.GridNioSession;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.plugin.security.AuthenticationContext;
 import org.apache.ignite.plugin.security.SecurityCredentials;
@@ -91,10 +91,10 @@ public abstract class ClientListenerAbstractConnectionContext implements
ClientL
      * @return Auth context.
      * @throws IgniteCheckedException If failed.
      */
-    protected AuthorizationContext authenticate(Certificate[] certificates, String user,
String pwd)
+    protected AuthorizationContext authenticate(GridNioSession ses, String user, String pwd)
         throws IgniteCheckedException {
         if (ctx.security().enabled())
-            authCtx = authenticateExternal(certificates, user, pwd).authorizationContext();
+            authCtx = authenticateExternal(ses, user, pwd).authorizationContext();
         else if (ctx.authentication().enabled()) {
             if (F.isEmpty(user))
                 throw new IgniteAccessControlException("Unauthenticated sessions are prohibited.");
@@ -113,7 +113,7 @@ public abstract class ClientListenerAbstractConnectionContext implements
ClientL
     /**
      * Do 3-rd party authentication.
      */
-    private AuthenticationContext authenticateExternal(Certificate[] certificates, String
user, String pwd)
+    private AuthenticationContext authenticateExternal(GridNioSession ses, String user, String
pwd)
         throws IgniteCheckedException {
         SecurityCredentials cred = new SecurityCredentials(user, pwd);
 
@@ -123,7 +123,8 @@ public abstract class ClientListenerAbstractConnectionContext implements
ClientL
         authCtx.subjectId(UUID.randomUUID());
         authCtx.nodeAttributes(F.isEmpty(userAttrs) ? Collections.emptyMap() : userAttrs);
         authCtx.credentials(cred);
-        authCtx.certificates(certificates);
+        authCtx.address(ses.remoteAddress());
+        authCtx.certificates(ses.certificates());
 
         secCtx = ctx.security().authenticate(authCtx);
 
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
index 0f8fdc1..2359e98 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
@@ -203,7 +203,7 @@ public class JdbcConnectionContext extends ClientListenerAbstractConnectionConte
                 throw new IgniteCheckedException("Handshake error: " + e.getMessage(), e);
             }
 
-            actx = authenticate(ses.certificates(), user, passwd);
+            actx = authenticate(ses, user, passwd);
         }
 
         protoCtx = new JdbcProtocolContext(ver, features, true);
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
index 9401ce1..0cc22d1 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
@@ -149,7 +149,7 @@ public class OdbcConnectionContext extends ClientListenerAbstractConnectionConte
             nestedTxMode = NestedTxMode.fromByte(nestedTxModeVal);
         }
 
-        AuthorizationContext actx = authenticate(ses.certificates(), user, passwd);
+        AuthorizationContext actx = authenticate(ses, user, passwd);
 
         ClientListenerResponseSender sender = new ClientListenerResponseSender() {
             @Override public void send(ClientListenerResponse resp) {
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
index a9d38c4..aea4a7c 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
@@ -214,7 +214,7 @@ public class ClientConnectionContext extends ClientListenerAbstractConnectionCon
             }
         }
 
-        AuthorizationContext authCtx = authenticate(ses.certificates(), user, pwd);
+        AuthorizationContext authCtx = authenticate(ses, user, pwd);
 
         handler = new ClientRequestHandler(this, authCtx, currentProtocolContext);
         parser = new ClientMessageParser(this, currentProtocolContext);
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
new file mode 100644
index 0000000..cc40e12
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.client;
+
+import java.security.Permissions;
+import java.util.Arrays;
+import java.util.Collection;
+import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.Ignition;
+import org.apache.ignite.client.IgniteClient;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
+import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityPluginProvider;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import org.apache.ignite.plugin.PluginProvider;
+import org.apache.ignite.plugin.security.AuthenticationContext;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALLOW_ALL;
+
+/**
+ * Test AuthenticationContext contain subject address when subject is IgniteClient.
+ */
+public class IgniteClientContainSubjectAddressTest extends CommonSecurityCheckTest {
+    /** */
+    private boolean containsAddr = false;
+
+    /** */
+    @Test
+    public void testAuthenticate() throws Exception {
+        startGrid();
+
+        try (IgniteClient client = Ignition.startClient(getClientConfiguration())) {
+            client.cluster().state(ACTIVE);
+        }
+
+        Assert.assertTrue(containsAddr);
+    }
+
+    /** {@inheritDoc} */
+    @Override protected PluginProvider<?> getPluginProvider(String name) {
+        return new TestSubjectAddressSecurityPluginProvider(name, null, ALLOW_ALL,
+            globalAuth, true, clientData());
+    }
+
+    /** */
+    private class TestSubjectAddressSecurityPluginProvider extends TestAdditionalSecurityPluginProvider
{
+        /** */
+        public TestSubjectAddressSecurityPluginProvider(String login, String pwd,
+            SecurityPermissionSet perms, boolean globalAuth, boolean checkAddPass,
+            TestSecurityData... clientData) {
+            super(login, pwd, perms, globalAuth, checkAddPass, clientData);
+        }
+
+        /** {@inheritDoc} */
+        @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx)
{
+            return new TestSubjectAddressSecurityProcessor(ctx,
+                new TestSecurityData(login, pwd, perms, new Permissions()),
+                Arrays.asList(clientData), globalAuth, checkAddPass);
+        }
+    }
+
+    /** */
+    private class TestSubjectAddressSecurityProcessor extends TestAdditionalSecurityProcessor
{
+        /** */
+        public TestSubjectAddressSecurityProcessor(GridKernalContext ctx,
+            TestSecurityData nodeSecData,
+            Collection<TestSecurityData> predefinedAuthData, boolean globalAuth, boolean
checkSslCerts) {
+            super(ctx, nodeSecData, predefinedAuthData, globalAuth, checkSslCerts);
+        }
+
+        /** {@inheritDoc} */
+        @Override public SecurityContext authenticate(AuthenticationContext authCtx) throws
IgniteCheckedException {
+            SecurityContext secCtx = super.authenticate(authCtx);
+
+            containsAddr = secCtx.subject().address() != null;
+
+            return secCtx;
+        }
+    }
+}
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index ccd009c..2f20f89 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -32,6 +32,7 @@ import org.apache.ignite.internal.processors.security.cache.closure.ScanQueryRem
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckTest;
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckWithGlobalAuthTest;
 import org.apache.ignite.internal.processors.security.client.AttributeSecurityCheckTest;
+import org.apache.ignite.internal.processors.security.client.IgniteClientContainSubjectAddressTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckSecurityTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
@@ -73,6 +74,7 @@ import org.junit.runners.Suite;
     ThinClientPermissionCheckTest.class,
     ThinClientPermissionCheckSecurityTest.class,
     ContinuousQueryPermissionCheckTest.class,
+    IgniteClientContainSubjectAddressTest.class,
 
     DistributedClosureRemoteSecurityContextCheckTest.class,
     ComputeTaskRemoteSecurityContextCheckTest.class,


Mime
View raw message