AMBARI-15316. Kerberos: Provide SHA256 or SHA512 options for template principal digest (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/1986078f Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/1986078f Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/1986078f Branch: refs/heads/AMBARI-13364 Commit: 1986078f78e545eefc64f5315304ccebbb6dbae8 Parents: be7bafe Author: Robert Levas <[email protected]> Authored: Tue Mar 8 12:44:24 2016 -0500 Committer: Robert Levas <[email protected]> Committed: Tue Mar 8 12:44:24 2016 -0500 ---------------------------------------------------------------------- .../kerberos/ADKerberosOperationHandler.java | 2 + .../ADKerberosOperationHandlerTest.java | 72 ++++++++++++++++++-- 2 files changed, 70 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/1986078f/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java index a1e1544..deea158 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandler.java 
@@ -269,6 +269,8 @@ public class ADKerberosOperationHandler extends KerberosOperationHandler { context.put("is_service", service); context.put("container_dn", this.principalContainerDn); context.put("principal_digest", DigestUtils.sha1Hex(deconstructedPrincipal.getNormalizedPrincipal())); + context.put("principal_digest_256", DigestUtils.sha256Hex(deconstructedPrincipal.getNormalizedPrincipal())); + context.put("principal_digest_512", DigestUtils.sha512Hex(deconstructedPrincipal.getNormalizedPrincipal())); Map<String, Object> data = processCreateTemplate(context); http://git-wip-us.apache.org/repos/asf/ambari/blob/1986078f/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java index 0622807..52cd372 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/kerberos/ADKerberosOperationHandlerTest.java @@ -200,6 +200,7 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest .andAnswer(new IAnswer<NamingEnumeration<SearchResult>>() { @Override public NamingEnumeration<SearchResult> answer() throws Throwable { + @SuppressWarnings("unchecked") NamingEnumeration<SearchResult> result = createNiceMock(NamingEnumeration.class); expect(result.hasMore()).andReturn(false).once(); replay(result); 
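Review bot: The two added `context.put` lines in `ADKerberosOperationHandler` expose `principal_digest_256` and `principal_digest_512` to the create-attributes template with no comment on what they are for or how long they are, and the normalized principal is now fetched three times in a row. I would hoist it once, `String normalizedPrincipal = deconstructedPrincipal.getNormalizedPrincipal();`, and add a comment above the three puts such as `// Hex digests of the normalized principal, for use as derived identifiers in the template: SHA-1 (40 chars), SHA-256 (64), SHA-512 (128)`. The lengths matter to template authors because directory attributes commonly have length limits, so a template that maps a longer digest onto such an attribute may have to truncate it, which gives up part of the collision resistance the stronger hash was chosen for. `principal_digest` stays SHA-1, presumably for compatibility with existing templates; saying so in the comment would keep it from being read as the recommended option. The enclosing method starts and ends outside the hunk.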
@@ -238,14 +239,15 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest } }; - Capture<Name> capturedName = new Capture<Name>(CaptureType.ALL); - Capture<Attributes> capturedAttributes = new Capture<Attributes>(CaptureType.ALL); + Capture<Name> capturedName = newCapture(CaptureType.ALL); + Capture<Attributes> capturedAttributes = newCapture(CaptureType.ALL); ADKerberosOperationHandler handler = createMockBuilder(ADKerberosOperationHandler.class) .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext", Properties.class, Control[].class)) .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls")) .createNiceMock(); + @SuppressWarnings("unchecked") NamingEnumeration<SearchResult> searchResult = createNiceMock(NamingEnumeration.class); expect(searchResult.hasMore()).andReturn(false).once(); @@ -366,14 +368,15 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest } }; - Capture<Name> capturedName = new Capture<Name>(); - Capture<Attributes> capturedAttributes = new Capture<Attributes>(); + Capture<Name> capturedName = newCapture(); + Capture<Attributes> capturedAttributes = newCapture(); ADKerberosOperationHandler handler = createMockBuilder(ADKerberosOperationHandler.class) .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext", Properties.class, Control[].class)) .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls")) .createNiceMock(); + @SuppressWarnings("unchecked") NamingEnumeration<SearchResult> searchResult = createNiceMock(NamingEnumeration.class); expect(searchResult.hasMore()).andReturn(false).once(); 
@@ -438,7 +441,68 @@ public class ADKerberosOperationHandlerTest extends KerberosOperationHandlerTest Assert.assertNotNull(attributes.get("userAccountControl")); Assert.assertEquals("66048", attributes.get("userAccountControl").get()); + } + + @Test + public void testDigests() throws Exception { + PrincipalKeyCredential kc = new PrincipalKeyCredential(DEFAULT_ADMIN_PRINCIPAL, DEFAULT_ADMIN_PASSWORD); + Map<String, String> kerberosEnvMap = new HashMap<String, String>(); + kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_LDAP_URL, DEFAULT_LDAP_URL); + kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_PRINCIPAL_CONTAINER_DN, DEFAULT_PRINCIPAL_CONTAINER_DN); + kerberosEnvMap.put(ADKerberosOperationHandler.KERBEROS_ENV_AD_CREATE_ATTRIBUTES_TEMPLATE, "" + + "{" + + "\"principal_digest\": \"$principal_digest\"," + + "\"principal_digest_256\": \"$principal_digest_256\"," + + "\"principal_digest_512\": \"$principal_digest_512\"" + + "}" + ); + + Capture<Attributes> capturedAttributes = newCapture(); + + ADKerberosOperationHandler handler = createMockBuilder(ADKerberosOperationHandler.class) + .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createInitialLdapContext", Properties.class, Control[].class)) + .addMockedMethod(ADKerberosOperationHandler.class.getDeclaredMethod("createSearchControls")) + .createNiceMock(); + + @SuppressWarnings("unchecked") + NamingEnumeration<SearchResult> searchResult = createNiceMock(NamingEnumeration.class); + expect(searchResult.hasMore()).andReturn(false).once(); + + LdapContext ldapContext = createNiceMock(LdapContext.class); + expect(ldapContext.search(anyObject(String.class), anyObject(String.class), anyObject(SearchControls.class))) + .andReturn(searchResult) + .once(); + + expect(ldapContext.createSubcontext(anyObject(Name.class), capture(capturedAttributes))) + .andReturn(createNiceMock(DirContext.class)) + .once(); + + expect(handler.createInitialLdapContext(anyObject(Properties.class), 
anyObject(Control[].class))) + .andReturn(ldapContext) + .once(); + + expect(handler.createSearchControls()).andAnswer(new IAnswer<SearchControls>() { + @Override + public SearchControls answer() throws Throwable { + SearchControls searchControls = createNiceMock(SearchControls.class); + replay(searchControls); + return searchControls; + } + }).once(); + + replayAll(); + + handler.open(kc, DEFAULT_REALM, kerberosEnvMap); + handler.createPrincipal("nn/c6501.ambari.apache.org", "secret", true); + handler.close(); + + Attributes attributes = capturedAttributes.getValue(); + + Assert.assertNotNull(attributes); + Assert.assertEquals("995e1580db28198e7fda1417ab5d894c877937d2", attributes.get("principal_digest").get()); + Assert.assertEquals("b65bc066d11ac8b1beb31dc84035d9c204736f823decf8dfedda05a30e4ae410", attributes.get("principal_digest_256").get()); + Assert.assertEquals("f48de28bc0467d764f5b04dbf04d35ff329a80277614be35eda0d0deed7f1c074cc5b0e0dc361130fdb078e09eb0ca545b9c653388192508ef382af89bd3a80c", attributes.get("principal_digest_512").get()); } /**
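Review bot: The three expected hex strings at the end of `testDigests` are not tied to any input a reader can see. The principal is created as `nn/c6501.ambari.apache.org`, but the handler hashes the normalized principal, which presumably appends `DEFAULT_REALM`, a constant defined outside this hunk. A comment above the assertions, for example `// SHA-1, SHA-256 and SHA-512 hex digests of the normalized principal ("nn/c6501.ambari.apache.org@" + DEFAULT_REALM)`, would let someone recompute the vectors if the realm constant or the normalization changes. Keeping fixed vectors rather than recomputing them with `DigestUtils` is the right choice, since it also pins the existing SHA-1 value of `principal_digest`. Separately, the `.once()` expectations on the mocks are never verified in the visible lines, so if the sibling tests end with `verifyAll()` this one should too.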
