Updated Branches: refs/heads/trunk 6928cf3ba -> 5bf2ec587
AMBARI-2622. ldap users cannot be elevated to be Ambari admin (Myroslav via mahadev) Project: http://git-wip-us.apache.org/repos/asf/incubator-ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ambari/commit/5bf2ec58 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ambari/tree/5bf2ec58 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ambari/diff/5bf2ec58 Branch: refs/heads/trunk Commit: 5bf2ec58783eecce746346db4b3043bba5f094f0 Parents: 6928cf3 Author: Mahadev Konar <[email protected]> Authored: Wed Jul 10 15:03:13 2013 -0700 Committer: Mahadev Konar <[email protected]> Committed: Wed Jul 10 15:03:13 2013 -0700 ---------------------------------------------------------------------- .../server/configuration/Configuration.java | 10 + .../AmbariLdapAuthoritiesPopulator.java | 64 +++-- .../authorization/AuthorizationHelper.java | 6 +- .../authorization/LdapServerProperties.java | 11 +- .../server/security/authorization/Users.java | 12 +- .../server/orm/InMemoryDefaultTestModule.java | 8 +- .../authorization/AuthorizationTestModule.java | 2 + .../TestAmbariLdapAuthoritiesPopulator.java | 265 +++++++++++++++++++ .../security/authorization/TestUsers.java | 66 ++++- 9 files changed, 407 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 7808003..42b603d 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java 
@@ -649,6 +649,7 @@ public class Configuration { (LDAP_BASE_DN_KEY, LDAP_BASE_DN_DEFAULT)); ldapServerProperties.setUsernameAttribute(properties. getProperty(LDAP_USERNAME_ATTRIBUTE_KEY, LDAP_USERNAME_ATTRIBUTE_DEFAULT)); + ldapServerProperties.setGroupBase(properties. getProperty(LDAP_GROUP_BASE_KEY, LDAP_GROUP_BASE_DEFAULT)); ldapServerProperties.setGroupObjectClass(properties. @@ -662,6 +663,15 @@ public class Configuration { ldapServerProperties.setGroupSearchFilter(properties.getProperty( LDAP_GROUP_SEARCH_FILTER_KEY, LDAP_GROUP_SEARCH_FILTER_DEFAULT)); + if (properties.containsKey(LDAP_GROUP_BASE_KEY) || + properties.containsKey(LDAP_GROUP_OBJECT_CLASS_KEY) || + properties.containsKey(LDAP_GROUP_MEMEBERSHIP_ATTR_KEY) || + properties.containsKey(LDAP_GROUP_NAMING_ATTR_KEY) || + properties.containsKey(LDAP_ADMIN_GROUP_MAPPING_RULES_KEY) || + properties.containsKey(LDAP_GROUP_SEARCH_FILTER_KEY)) { + ldapServerProperties.setGroupMappingEnabled(true); + } + return ldapServerProperties; } http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java index aa8f7a3..fe6d571 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java 
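Review bot: Group mapping is switched on by key presence alone (`properties.containsKey(...)` in the second hunk), so a group key left in the file with an empty value enables it, and removing the group keys silently disables it — and with mapping disabled the populator no longer revokes the admin role at login, so an LDAP user who became admin through group membership keeps that role in the local DB until someone demotes them. Since this flag now decides both whether LDAP group membership is authoritative for admin and whether local role edits of LDAP users are accepted, I'd log the resolved mode once where it is computed, with a message such as `"LDAP group mapping enabled: " + ldapServerProperties.isGroupMappingEnabled()`, so the effective policy is visible in the server log. An explicit boolean property would be clearer than inferring the mode from six unrelated keys, but that can be a follow-up. The enclosing method starts outside the hunk.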
@@ -19,6 +19,7 @@ package org.apache.ambari.server.security.authorization;
 import com.google.inject.Inject;
 import com.google.inject.persist.Transactional;
+import org.apache.ambari.server.AmbariException;
 import org.apache.ambari.server.configuration.Configuration;
 import org.apache.ambari.server.orm.dao.RoleDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
@@ -55,53 +56,65 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator } @Override - @Transactional public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) { log.info("Get roles for user " + username + " from local DB"); - UserEntity user = null; + UserEntity user; user = userDAO.findLdapUserByName(username); if (user == null) { log.info("User " + username + " not present in local DB - creating"); - UserEntity newUser = new UserEntity(); - newUser.setLdapUser(true); - newUser.setUserName(username); - - //Adding a default "user" role - addRole(newUser, configuration.getConfigsMap(). - get(Configuration.USER_ROLE_NAME_KEY)); + createLdapUser(username); + user = userDAO.findLdapUserByName(username); } - user = userDAO.findLdapUserByName(username); - - //Adding an "admin" user role if user is a member of ambari administrators - // LDAP group - Boolean isAdmin = - (Boolean) userData.getObjectAttribute(AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY); - if ((isAdmin != null) && isAdmin) { - log.info("Adding admin role to LDAP user " + username); - addRole(user, configuration.getConfigsMap(). - get(Configuration.ADMIN_ROLE_NAME_KEY)); - } else { - removeRole(user, configuration.getConfigsMap(). - get(Configuration.ADMIN_ROLE_NAME_KEY)); + //don't remove admin role from user if group mapping was not configured + if (configuration.getLdapServerProperties().isGroupMappingEnabled()) { + //Adding an "admin" user role if user is a member of ambari administrators + // LDAP group + Boolean isAdmin = + (Boolean) userData.getObjectAttribute(AMBARI_ADMIN_LDAP_ATTRIBUTE_KEY); + if ((isAdmin != null) && isAdmin) { + log.info("Adding admin role to LDAP user " + username); + addRole(user, configuration.getConfigsMap(). + get(Configuration.ADMIN_ROLE_NAME_KEY)); + } else { + removeRole(user, configuration.getConfigsMap(). 
+ get(Configuration.ADMIN_ROLE_NAME_KEY)); + } } - user = userDAO.findLdapUserByName(username); return authorizationHelper.convertRolesToAuthorities(user.getRoleEntities()); } /** + * Creates record in local DB for LDAP user + * @param username - name of user to create + */ + @Transactional + void createLdapUser(String username) { + UserEntity newUser = new UserEntity(); + newUser.setLdapUser(true); + newUser.setUserName(username); + + userDAO.create(newUser); + + //Adding a default "user" role + addRole(newUser, configuration.getConfigsMap(). + get(Configuration.USER_ROLE_NAME_KEY)); + } + + /** * Adds role to user's role entities * Adds user to roleName's user entities * * @param user - the user entity to be modified * @param roleName - the role to add to user's roleEntities */ - private void addRole(UserEntity user, String roleName) { + @Transactional + void addRole(UserEntity user, String roleName) { log.info("Using default role name " + roleName); RoleEntity roleEntity = roleDAO.findByName(roleName); @@ -133,7 +146,8 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator * @param user * @param roleName */ - private void removeRole(UserEntity user, String roleName) { + @Transactional + void removeRole(UserEntity user, String roleName) { UserEntity userEntity = userDAO.findByPK(user.getUserId()); RoleEntity roleEntity = roleDAO.findByName(roleName); http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java index f63c673..b67a843 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 
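Review bot: After `createLdapUser(username)` the re-read `user = userDAO.findLdapUserByName(username);` is not null-checked before `user.getRoleEntities()`, so a failed or rolled-back insert surfaces as a NullPointerException at login instead of a clear error; add `if (user == null) { throw new IllegalStateException("LDAP user " + username + " was not persisted"); }`. Dropping `@Transactional` from `getGrantedAuthorities` also means the find → create → find sequence is no longer one unit of work, so two concurrent first logins of the same LDAP user could both see null and both attempt the insert — whether that is fatal depends on the uniqueness constraint on the user table, which I can't see here. Making `addRole`/`removeRole` package-private (also in the `@@ -133` hunk) widens their visibility for the partial-mock tests; a comment such as `// package-private so Guice can intercept @Transactional and tests can partial-mock` would record why they are no longer private. The `AmbariException` import added in the first hunk is not used by any visible line; drop it if nothing outside the hunks needs it.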
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java @@ -25,9 +25,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; -import java.util.ArrayList; -import java.util.Collection; -import java.util.List; +import java.util.*; @Singleton /** @@ -39,7 +37,7 @@ public class AuthorizationHelper { * Converts collection of RoleEntities to collection of GrantedAuthorities */ public Collection<GrantedAuthority> convertRolesToAuthorities(Collection<RoleEntity> roleEntities) { - List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(roleEntities.size()); + Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(roleEntities.size()); for (RoleEntity roleEntity : roleEntities) { authorities.add(new SimpleGrantedAuthority(roleEntity.getRoleName().toUpperCase())); http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java index 2c55dc6..8f9eb81 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/LdapServerProperties.java 
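Review bot: The three explicit imports are replaced by `import java.util.*;`, which the rest of this commit avoids (the new test file lists `HashMap`, `HashSet`, `Map`, `Set` individually); keep them explicit, `import java.util.Collection;`, `import java.util.HashSet;`, `import java.util.Set;`. Switching the accumulator from `ArrayList` to `HashSet` changes behaviour by collapsing duplicate role names into one authority, which deserves a one-line comment on the declaration, e.g. `// a Set so duplicate role entities yield a single authority`. The method's return statement lies outside the hunk.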
@@ -44,8 +44,9 @@ public class LdapServerProperties { private String groupMembershipAttr; private String groupNamingAttr; private String adminGroupMappingRules; - private String groupSearchFilter; + private boolean groupMappingEnabled; + private String groupSearchFilter; private static final String userSearchFilter = "({attribute}={0})"; public List<String> getLdapUrls() { @@ -187,6 +188,14 @@ public class LdapServerProperties { this.groupSearchFilter = groupSearchFilter; } + public boolean isGroupMappingEnabled() { + return groupMappingEnabled; + } + + public void setGroupMappingEnabled(boolean groupMappingEnabled) { + this.groupMappingEnabled = groupMappingEnabled; + } + @Override public boolean equals(Object obj) { if (this == obj) return true; http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java index 2b39d43..90ee80c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/Users.java 
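Review bot: The new `groupMappingEnabled` field is added directly above `equals(Object obj)`, but nothing in the second hunk updates `equals`/`hashCode` for it; if those methods compare fields (their bodies are outside the hunk), two property sets differing only in the mapping flag would compare equal. Add the field to both, e.g. `if (groupMappingEnabled != other.groupMappingEnabled) return false;` in `equals` (with `other` being the cast argument). Because the flag is derived in `Configuration` rather than set from a dedicated property, a Javadoc line on the getter such as `/** True when any group-related LDAP property was configured; enables admin-role sync from LDAP groups. */` would tell readers what it means.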
@@ -205,10 +205,12 @@ public class Users { public synchronized void addRoleToUser(User user, String role) throws AmbariException { - if (userDAO.findLdapUserByName(user.getUserName()) != null) { + if (configuration.getLdapServerProperties().isGroupMappingEnabled() && + userDAO.findLdapUserByName(user.getUserName()) != null) { LOG.warn("Trying to add a role to the LDAP user" + ", user=" + user.getUserName()); - throw new AmbariException("Roles are not editable for LDAP users"); + throw new AmbariException("Ldap group mapping is enabled, " + + "roles for LDAP users should be managed on LDAP server"); } UserEntity userEntity = userDAO.findByPK(user.getUserId()); @@ -239,10 +241,12 @@ public class Users { public synchronized void removeRoleFromUser(User user, String role) throws AmbariException { - if (userDAO.findLdapUserByName(user.getUserName()) != null) { + if (configuration.getLdapServerProperties().isGroupMappingEnabled() && + userDAO.findLdapUserByName(user.getUserName()) != null) { LOG.warn("Trying to add a role to the LDAP user" + ", user=" + user.getUserName()); - throw new AmbariException("Roles are not editable for LDAP users"); + throw new AmbariException("Ldap group mapping is enabled, " + + "roles for LDAP users should be managed on LDAP server"); } UserEntity userEntity = userDAO.findByPK(user.getUserId()); http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java b/ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java index 141d647..de8e454 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/orm/InMemoryDefaultTestModule.java 
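Review bot: The warning in the second hunk's `removeRoleFromUser` still reads `"Trying to add a role to the LDAP user"`, so demotion attempts are logged as promotions; change it to `"Trying to remove a role from the LDAP user"`. Both guards now call `configuration.getLdapServerProperties()`, which from the Configuration hunk appears to rebuild the properties object on every call, so each role edit re-reads the config — acceptable, but a comment on the condition like `// LDAP group membership is authoritative when mapping is on; reject local edits` would make the policy explicit. Both method bodies continue outside the hunks.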
@@ -25,9 +25,11 @@ import org.apache.ambari.server.controller.ControllerModule; import java.util.Properties; public class InMemoryDefaultTestModule extends AbstractModule { + Properties properties = new Properties(); + + @Override protected void configure() { - Properties properties = new Properties(); properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "in-memory"); // properties.setProperty(Configuration.SERVER_PERSISTENCE_TYPE_KEY, "local"); properties.setProperty(Configuration.METADETA_DIR_PATH, @@ -42,4 +44,8 @@ public class InMemoryDefaultTestModule extends AbstractModule { throw new RuntimeException(e); } } + + public Properties getProperties() { + return properties; + } } http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java index 38c9d2c..2781f59 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AuthorizationTestModule.java 
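Review bot: The new `properties` field is package-private and mutable; make it `private final Properties properties = new Properties();`, since `getProperties()` is the intended access path and callers that mutate the returned object still work with a final reference. Exposing the live `Properties` is what `testPromoteLdapUser` depends on to toggle group mapping after the injector is built, so a Javadoc line on `getProperties()` such as `/** Live configuration properties; tests may mutate them after the injector is created. */` would make that contract clear.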
@@ -38,6 +38,8 @@ public class AuthorizationTestModule extends AbstractModule { "target/version"); properties.setProperty(Configuration.OS_VERSION_KEY, "centos5"); + //make ambari detect active configuration + properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=groups,dc=ambari,dc=apache,dc=org"); try { install(new ControllerModule(properties)); http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java new file mode 100644 index 0000000..a287268 --- /dev/null +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java 
@@ -0,0 +1,265 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ambari.server.security.authorization; + +import org.apache.ambari.server.configuration.Configuration; +import org.apache.ambari.server.orm.dao.RoleDAO; +import org.apache.ambari.server.orm.dao.UserDAO; +import org.apache.ambari.server.orm.entities.RoleEntity; +import org.apache.ambari.server.orm.entities.UserEntity; +import org.easymock.Capture; +import org.easymock.EasyMockSupport; +import org.junit.Before; +import org.junit.Test; +import org.springframework.ldap.core.DirContextOperations; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +import static org.easymock.EasyMock.*; +import static org.easymock.EasyMock.createMock; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport { + + AuthorizationHelper helper = new AuthorizationHelper(); + Configuration configuration = createMock(Configuration.class); + UserDAO userDAO = createMock(UserDAO.class); + RoleDAO roleDAO = createMock(RoleDAO.class); + LdapServerProperties ldapServerProperties = 
createMock(LdapServerProperties.class); + DirContextOperations userData = createMock(DirContextOperations.class); + UserEntity userEntity = createMock(UserEntity.class); + + Set<RoleEntity> roleSetStub = new HashSet<RoleEntity>(); + String username = "user"; + String adminRole = "role"; + String userRole = "userRole"; + Map<String, String> configs = new HashMap<String, String>(); + + public TestAmbariLdapAuthoritiesPopulator() { + configs.put(Configuration.ADMIN_ROLE_NAME_KEY, adminRole); + configs.put(Configuration.USER_ROLE_NAME_KEY, userRole); + + } + + @Before + public void setUp() throws Exception { + resetAll(); + + expect(configuration.getConfigsMap()).andReturn(configs).anyTimes(); + } + + @Test + public void testGetGrantedAuthorities_mappingDisabled() throws Exception { + String username = "user"; + + AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class) + .addMockedMethod("createLdapUser") + .withConstructor( + configuration, helper, userDAO, roleDAO + ).createMock(); + + + expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(false).atLeastOnce(); + + expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce(); + + expect(userEntity.getRoleEntities()).andReturn(roleSetStub); + + populator.createLdapUser(username); + expectLastCall(); + + expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity); + replayAll(); + + + populator.getGrantedAuthorities(userData, username); + + verifyAll(); + + } + + @Test + public void testGetGrantedAuthorities_mappingEnabled() throws Exception { + + + AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class) + .addMockedMethod("createLdapUser") + .addMockedMethod("addRole") + .addMockedMethod("removeRole") + .withConstructor( + configuration, helper, userDAO, roleDAO + ).createMock(); + + 
expect(userData.getObjectAttribute("ambari_admin")).andReturn(Boolean.TRUE).andReturn(Boolean.FALSE); + + expect(ldapServerProperties.isGroupMappingEnabled()).andReturn(true).atLeastOnce(); + + expect(configuration.getLdapServerProperties()).andReturn(ldapServerProperties).atLeastOnce(); + + + + expect(userEntity.getRoleEntities()).andReturn(roleSetStub).times(2); + + expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity).times(2); + + populator.createLdapUser(username); + expectLastCall(); + populator.addRole(userEntity, adminRole); + expectLastCall(); + populator.removeRole(userEntity, adminRole); + expectLastCall(); + + replayAll(); + + //test with admin user + populator.getGrantedAuthorities(userData, username); + //test with non-admin + populator.getGrantedAuthorities(userData, username); + + verifyAll(); + } + + @Test + public void testCreateLdapUser() throws Exception { + AmbariLdapAuthoritiesPopulator populator = createMockBuilder(AmbariLdapAuthoritiesPopulator.class) + .addMockedMethod("addRole") + .addMockedMethod("removeRole") + .withConstructor( + configuration, helper, userDAO, roleDAO + ).createMock(); + + Capture<UserEntity> createEntity = new Capture<UserEntity>(); + Capture<UserEntity> addRoleEntity = new Capture<UserEntity>(); + + userDAO.create(capture(createEntity)); + expectLastCall(); + + populator.addRole(capture(addRoleEntity), eq(userRole)); + expectLastCall(); + + replayAll(); + + populator.createLdapUser(username); + + verifyAll(); + + UserEntity capturedCreateEntity = createEntity.getValue(); + UserEntity capturedAddRoleEntity = addRoleEntity.getValue(); + + assertTrue(capturedCreateEntity.getLdapUser()); + assertEquals(username, capturedCreateEntity.getUserName()); + + assertEquals(capturedCreateEntity,capturedAddRoleEntity); + + } + + + @Test + public void testAddRole() throws Exception { + AmbariLdapAuthoritiesPopulator populator = + new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, 
roleDAO); + + RoleEntity roleEntity = createMock(RoleEntity.class); + Set<UserEntity> userEntities = createMock(Set.class); + Set<RoleEntity> roleEntities = createMock(Set.class); + + Capture<RoleEntity> createdRole = new Capture<RoleEntity>(); + + expect(roleDAO.findByName(adminRole)).andReturn(null).andReturn(roleEntity); + expect(roleDAO.findByName(adminRole)).andReturn(roleEntity); + + roleDAO.create(capture(createdRole)); + expectLastCall(); + + expect(userEntity.getUserName()).andReturn(username).anyTimes(); + expect(userEntity.getRoleEntities()).andReturn(roleEntities).anyTimes(); + + expect(roleEntity.getUserEntities()).andReturn(userEntities).anyTimes(); + + expect(roleEntities.contains(roleEntity)).andReturn(false); + expect(roleEntities.contains(roleEntity)).andReturn(true); + + expect(userEntities.add(userEntity)).andReturn(true); + expect(roleEntities.add(roleEntity)).andReturn(true); + + userDAO.merge(userEntity); + expectLastCall().andReturn(userEntity); + roleDAO.merge(roleEntity); + expectLastCall().andReturn(roleEntity); + + expect(userDAO.findLdapUserByName(username)).andReturn(null).andReturn(userEntity); + expect(userDAO.findLdapUserByName(username)).andReturn(userEntity); + + userDAO.create(userEntity); + expectLastCall(); + + replayAll(); + + populator.addRole(userEntity, adminRole); + populator.addRole(userEntity, adminRole); + + verifyAll(); + + assertEquals(adminRole, createdRole.getValue().getRoleName()); + + } + + + @Test + public void testRemoveRole() throws Exception { + int userId = 123; + + AmbariLdapAuthoritiesPopulator populator = + new AmbariLdapAuthoritiesPopulator(configuration, helper, userDAO, roleDAO); + + RoleEntity roleEntity = createMock(RoleEntity.class); + Set<UserEntity> userEntities = createMock(Set.class); + Set<RoleEntity> roleEntities = createMock(Set.class); + + expect(userEntity.getUserId()).andReturn(userId); + + expect(userDAO.findByPK(userId)).andReturn(userEntity); + + 
expect(roleDAO.findByName(adminRole)).andReturn(roleEntity); + + expect(userEntity.getRoleEntities()).andReturn(roleEntities); + + expect(roleEntities.contains(roleEntity)).andReturn(true); + + expect(userEntity.getUserName()).andReturn(username); + + expect(userEntity.getRoleEntities()).andReturn(roleEntities); + expect(roleEntity.getUserEntities()).andReturn(userEntities); + + expect(userEntities.remove(userEntity)).andReturn(true); + expect(roleEntities.remove(roleEntity)).andReturn(true); + + expect(userDAO.merge(userEntity)).andReturn(userEntity); + expect(roleDAO.merge(roleEntity)).andReturn(roleEntity); + + replayAll(); + + populator.removeRole(userEntity, adminRole); + + verifyAll(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-ambari/blob/5bf2ec58/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java index 897beeb..1d660b5 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestUsers.java 
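Review bot: Neither `testGetGrantedAuthorities_mappingDisabled` nor `testGetGrantedAuthorities_mappingEnabled` checks the value returned by `getGrantedAuthorities`, so a populator that returned the wrong authorities would still pass; since `roleSetStub` is empty, assert the result, e.g. `assertTrue(populator.getGrantedAuthorities(userData, username).isEmpty());`. The local `String username = "user";` in the mapping-disabled test shadows the field of the same name, and `import static org.easymock.EasyMock.createMock;` duplicates the wildcard static import above it — drop both. `createMock(Set.class)` in `testAddRole` and `testRemoveRole` produces raw-type/unchecked warnings; suppress them on the smallest scope with `@SuppressWarnings("unchecked")` and a comment.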
@@ -17,15 +17,18 @@ */ package org.apache.ambari.server.security.authorization; +import com.google.inject.AbstractModule; import com.google.inject.Guice; import com.google.inject.Inject; import com.google.inject.Injector; import com.google.inject.persist.PersistService; import org.apache.ambari.server.AmbariException; +import org.apache.ambari.server.configuration.Configuration; import org.apache.ambari.server.orm.GuiceJpaInitializer; import org.apache.ambari.server.orm.InMemoryDefaultTestModule; import org.apache.ambari.server.orm.dao.RoleDAO; import org.apache.ambari.server.orm.dao.UserDAO; +import org.apache.ambari.server.orm.entities.RoleEntity; import org.apache.ambari.server.orm.entities.UserEntity; import org.junit.After; import org.junit.Before; @@ -36,6 +39,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.crypto.password.PasswordEncoder; import java.util.List; +import java.util.Properties; import static org.junit.Assert.*; @@ -50,14 +54,17 @@ public class TestUsers { protected RoleDAO roleDAO; @Inject protected PasswordEncoder passwordEncoder; + private Properties properties; @Before public void setup() throws AmbariException { - injector = Guice.createInjector(new InMemoryDefaultTestModule()); + InMemoryDefaultTestModule module = new InMemoryDefaultTestModule(); + properties = module.getProperties(); + injector = Guice.createInjector(module); injector.getInstance(GuiceJpaInitializer.class); injector.injectMembers(this); users.createDefaultRoles(); - Authentication auth = new UsernamePasswordAuthenticationToken("admin",null); + Authentication auth = new UsernamePasswordAuthenticationToken("admin", null); SecurityContextHolder.getContext().setAuthentication(auth); } 
@@ -125,4 +132,59 @@ public class TestUsers { assertFalse(user.getRoles().contains(users.getAdminRole())); } + + @Test + public void testPromoteLdapUser() throws Exception { + createLdapUser(); + + User ldapUser = users.getLdapUser("ldapUser"); + + users.promoteToAdmin(ldapUser); + + ldapUser = users.getLdapUser("ldapUser"); + assertTrue(ldapUser.getRoles().contains(users.getAdminRole())); + + users.demoteAdmin(ldapUser); + + ldapUser = users.getLdapUser("ldapUser"); + assertFalse(ldapUser.getRoles().contains(users.getAdminRole())); + + users.removeUser(ldapUser); + + //toggle group mapping + properties.setProperty(Configuration.LDAP_GROUP_BASE_KEY, "ou=groups,dc=ambari,dc=apache,dc=org"); + createLdapUser(); + + try { + users.promoteToAdmin(ldapUser); + fail("Not allowed with mapping on"); + } catch (AmbariException e) { + } + + try { + users.demoteAdmin(ldapUser); + fail("Not allowed with mapping on"); + } catch (AmbariException e) { + } + + + } + + private void createLdapUser() { + RoleEntity role = roleDAO.findByName(users.getUserRole()); + UserEntity ldapUser = new UserEntity(); + + ldapUser.setUserName("ldapUser"); + ldapUser.setLdapUser(true); + + userDAO.create(ldapUser); + + UserEntity userEntity = userDAO.findLdapUserByName("ldapUser"); + + userEntity.getRoleEntities().add(role); + role.getUserEntities().add(ldapUser); + + userDAO.merge(ldapUser); + roleDAO.merge(role); + } }
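Review bot: The two `catch (AmbariException e) {}` blocks in `testPromoteLdapUser` swallow the exception without inspecting it, so any `AmbariException` (not only the group-mapping rejection) satisfies the test; assert on the message, e.g. `assertTrue(e.getMessage().contains("group mapping is enabled"));`, or at least name the variable `ignored` with a comment. After `users.removeUser(ldapUser)` the second half still passes the stale `ldapUser` object to `promoteToAdmin`/`demoteAdmin` instead of re-fetching it after `createLdapUser()`; the rejection fires before the user id is used, so it passes today, but `ldapUser = users.getLdapUser("ldapUser");` makes the test exercise the intended path. In `createLdapUser()` the role is added to `userEntity` while `ldapUser` is what gets merged — presumably the same managed instance in the in-memory store, but using one reference for both would remove the doubt.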
