Repository: geode Updated Branches: refs/heads/develop 6fb2ca83f -> 33f421819
GEODE-3330: user needs CLUSTER:MANAGE:QUERY permission to create a CQ. * cq.execute() and cq.executeWithInitialResult() all would still require DATA:READ because it will send the result back to the client either initially or later. * added unit test Project: http://git-wip-us.apache.org/repos/asf/geode/repo Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/33f42181 Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/33f42181 Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/33f42181 Branch: refs/heads/develop Commit: 33f42181930ce52501738da6046df5441969ba97 Parents: 6fb2ca8 Author: YehEmily <emilyyeh1...@gmail.com> Authored: Thu Aug 3 11:45:46 2017 -0700 Committer: Jinmei Liao <jil...@pivotal.io> Committed: Tue Aug 8 20:54:50 2017 -0700 ---------------------------------------------------------------------- .../apache/geode/security/SecurityTestUtil.java | 7 +- .../dunit/rules/LocatorServerStartupRule.java | 15 ++- .../cache/tier/sockets/command/CloseCQ.java | 13 ++- .../cache/tier/sockets/command/ExecuteCQ61.java | 16 ++- .../cache/tier/sockets/command/StopCQ.java | 13 ++- .../cache/tier/sockets/command/CloseCQTest.java | 48 ++++++++ .../tier/sockets/command/ExecuteCQ61Test.java | 46 ++++++++ .../cache/tier/sockets/command/StopCQTest.java | 48 ++++++++ .../geode/security/CQClientAuthDUnitTest.java | 114 ------------------- .../security/CQPostProcessorDunitTest.java | 62 ++++++++-- .../geode/security/ClientCQAuthDUnitTest.java | 109 ++++++++++++++++++ .../security/ClientQueryAuthDUnitTest.java | 87 +------------- .../geode/test/dunit/rules/CQUnitTestRule.java | 60 ++++++++++ 13 files changed, 412 insertions(+), 226 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-core/src/test/java/org/apache/geode/security/SecurityTestUtil.java ---------------------------------------------------------------------- 
diff --git a/geode-core/src/test/java/org/apache/geode/security/SecurityTestUtil.java b/geode-core/src/test/java/org/apache/geode/security/SecurityTestUtil.java index 5d5c214..1a1e105 100644 --- a/geode-core/src/test/java/org/apache/geode/security/SecurityTestUtil.java +++ b/geode-core/src/test/java/org/apache/geode/security/SecurityTestUtil.java @@ -20,14 +20,15 @@ import static org.apache.geode.distributed.ConfigurationProperties.MCAST_PORT; import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_AUTH_INIT; import static org.assertj.core.api.Assertions.assertThatThrownBy; +import java.util.Properties; + +import org.assertj.core.api.ThrowableAssert; + import org.apache.geode.cache.Region; import org.apache.geode.cache.client.ClientCache; import org.apache.geode.cache.client.ClientCacheFactory; import org.apache.geode.cache.client.ClientRegionShortcut; import org.apache.geode.security.templates.UserPasswordAuthInit; -import org.assertj.core.api.ThrowableAssert; - -import java.util.Properties; public class SecurityTestUtil { http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-core/src/test/java/org/apache/geode/test/dunit/rules/LocatorServerStartupRule.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/test/dunit/rules/LocatorServerStartupRule.java b/geode-core/src/test/java/org/apache/geode/test/dunit/rules/LocatorServerStartupRule.java index a455aff..fc7966f 100644 --- a/geode-core/src/test/java/org/apache/geode/test/dunit/rules/LocatorServerStartupRule.java +++ b/geode-core/src/test/java/org/apache/geode/test/dunit/rules/LocatorServerStartupRule.java @@ -95,8 +95,9 @@ public class LocatorServerStartupRule extends ExternalResource implements Serial @Override protected void before() throws Throwable { restoreSystemProperties.before(); - if (useTempWorkingDir()) + if (useTempWorkingDir()) { tempWorkingDir.create(); + } members = new MemberVM[4]; } 
@@ -104,8 +105,9 @@ public class LocatorServerStartupRule extends ExternalResource implements Serial protected void after() { DUnitLauncher.closeAndCheckForSuspects(); Arrays.stream(members).filter(Objects::nonNull).forEach(MemberVM::stopMember); - if (useTempWorkingDir()) + if (useTempWorkingDir()) { tempWorkingDir.delete(); + } restoreSystemProperties.after(); } @@ -129,8 +131,9 @@ public class LocatorServerStartupRule extends ExternalResource implements Serial File workingDirFile = createWorkingDirForMember(name); locatorStarter.withWorkingDir(workingDirFile); } - if (logFile) + if (logFile) { locatorStarter.withLogFile(); + } locatorStarter.withProperties(properties).withAutoStart(); locatorStarter.before(); return locatorStarter; @@ -165,8 +168,9 @@ public class LocatorServerStartupRule extends ExternalResource implements Serial File workingDirFile = createWorkingDirForMember(name); serverStarter.withWorkingDir(workingDirFile); } - if (logFile) + if (logFile) { serverStarter.withLogFile(); + } serverStarter.withProperties(properties).withConnectionToLocator(locatorPort).withAutoStart(); serverStarter.before(); return serverStarter; @@ -194,8 +198,9 @@ public class LocatorServerStartupRule extends ExternalResource implements Serial File workingDirFile = createWorkingDirForMember(name); serverStarter.withWorkingDir(workingDirFile); } - if (logFile) + if (logFile) { serverStarter.withLogFile(); + } serverStarter.withEmbeddedLocator().withName(name).withJMXManager().withAutoStart(); serverStarter.before(); return serverStarter; http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQ.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQ.java b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQ.java index 6748f7d..82c4dae 100644 
--- a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQ.java +++ b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQ.java @@ -14,6 +14,10 @@ */ package org.apache.geode.internal.cache.tier.sockets.command; +import java.io.IOException; +import java.util.HashSet; +import java.util.Set; + import org.apache.geode.cache.query.CqException; import org.apache.geode.cache.query.internal.cq.CqService; import org.apache.geode.cache.query.internal.cq.InternalCqQuery; @@ -28,10 +32,9 @@ import org.apache.geode.internal.cache.tier.sockets.ServerConnection; import org.apache.geode.internal.i18n.LocalizedStrings; import org.apache.geode.internal.security.AuthorizeRequest; import org.apache.geode.internal.security.SecurityService; - -import java.io.IOException; -import java.util.HashSet; -import java.util.Set; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.security.ResourcePermission.Target; public class CloseCQ extends BaseCQCommand { @@ -73,7 +76,7 @@ public class CloseCQ extends BaseCQCommand { return; } - securityService.authorizeDataManage(); + securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY); // Process CQ close request try { http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61.java b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61.java index 77a608c..4920694 100755 --- a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61.java +++ b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61.java 
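Review bot: The permission required to close a CQ changes from DATA:MANAGE to CLUSTER:MANAGE:QUERY at the `securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY)` call, and nothing in the new code records that this is a contract change for deployed security managers; StopCQ gets the same replacement. Principals granted only DATA:MANAGE will start being refused on close and stop after upgrade, so I would add a comment above the call such as `// CQ lifecycle is gated by CLUSTER:MANAGE:QUERY (was DATA:MANAGE before GEODE-3330); DATA:MANAGE alone no longer suffices` and mention it in the release notes. The new permission carries no region or CQ-owner scope, so as far as this hunk shows any holder may close a CQ by name; whether the lookup is limited to the caller's own CQs is outside the hunk. cmdExecute starts and ends outside the hunk.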
@@ -14,6 +14,11 @@ */ package org.apache.geode.internal.cache.tier.sockets.command; +import java.io.IOException; +import java.util.Set; + +import org.apache.logging.log4j.Logger; + import org.apache.geode.cache.operations.ExecuteCQOperationContext; import org.apache.geode.cache.query.CqException; import org.apache.geode.cache.query.Query; @@ -40,10 +45,9 @@ import org.apache.geode.internal.i18n.LocalizedStrings; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.security.AuthorizeRequest; import org.apache.geode.internal.security.SecurityService; -import org.apache.logging.log4j.Logger; - -import java.io.IOException; -import java.util.Set; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.security.ResourcePermission.Target; /** * @since GemFire 6.1 @@ -132,8 +136,10 @@ public class ExecuteCQ61 extends BaseCQCommand { } } - // test hook to trigger vMotion during CQ registration + // auth check to see if user can create CQ or not + securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY); + // test hook to trigger vMotion during CQ registration if (CqServiceProvider.VMOTION_DURING_CQ_REGISTRATION_FLAG) { VMotionObserver vmo = VMotionObserverHolder.getInstance(); vmo.vMotionBeforeCQRegistration(); http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQ.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQ.java b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQ.java index a3d51ed..7046107 100644 --- a/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQ.java +++ b/geode-cq/src/main/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQ.java 
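Review bot: The new `securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY)` call sits after the block that closes just above it, so any request-driven work in that block runs before an unprivileged caller is rejected. That block is not visible here, but if it parses the query or invokes the legacy authorization callback, the cheap permission check should come first. Only ExecuteCQ61 is patched among the execute commands in the diffstat; if an older ExecuteCQ handler is still registered for earlier client versions it would need the same check, otherwise CQ creation stays reachable without CLUSTER:MANAGE:QUERY. ClientCQAuthDUnitTest in this commit covers a user with no permissions, one with clusterManageQuery and one with both, but not a user holding only dataRead, which is the case this check exists to reject. cmdExecute starts and ends outside the hunk.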
@@ -14,6 +14,10 @@ */ package org.apache.geode.internal.cache.tier.sockets.command; +import java.io.IOException; +import java.util.HashSet; +import java.util.Set; + import org.apache.geode.cache.query.CqException; import org.apache.geode.cache.query.internal.cq.CqService; import org.apache.geode.cache.query.internal.cq.InternalCqQuery; @@ -28,10 +32,9 @@ import org.apache.geode.internal.cache.tier.sockets.ServerConnection; import org.apache.geode.internal.i18n.LocalizedStrings; import org.apache.geode.internal.security.AuthorizeRequest; import org.apache.geode.internal.security.SecurityService; - -import java.io.IOException; -import java.util.HashSet; -import java.util.Set; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.security.ResourcePermission.Target; public class StopCQ extends BaseCQCommand { @@ -86,7 +89,7 @@ public class StopCQ extends BaseCQCommand { } InternalCqQuery cqQuery = cqService.getCq(serverCqName); - securityService.authorizeDataManage(); + securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY); AuthorizeRequest authzRequest = serverConnection.getAuthzRequest(); if (authzRequest != null) { http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQTest.java b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQTest.java new file mode 100644 index 0000000..b242c6e --- /dev/null +++ b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/CloseCQTest.java 
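Review bot: In StopCQ the authorization check runs after `cqService.getCq(serverCqName)`, so the server performs the CQ lookup for a caller it has not yet authorized. Moving `securityService.authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY);` above the `getCq` line makes the command fail closed before touching CQ state and gives the order a reader expects (authorize, then act). Whether anything else depends on the lookup happening first cannot be seen here, since cmdExecute starts and ends outside the hunk.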
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.internal.cache.tier.sockets.command;
+
+import static org.mockito.Mockito.doCallRealMethod;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.security.ResourcePermission.Target;
+import org.apache.geode.test.dunit.rules.CQUnitTestRule;
+import org.apache.geode.test.junit.categories.UnitTest;
+
+@Category(UnitTest.class)
+public class CloseCQTest {
+
+ @Rule
+ public CQUnitTestRule cqRule = new CQUnitTestRule();
+
+ @Test
+ public void needClusterManageQueryToStopCQ() throws Exception {
+ CloseCQ closeCQ = mock(CloseCQ.class);
+ doCallRealMethod().when(closeCQ).cmdExecute(cqRule.message, cqRule.connection,
+ cqRule.securityService, 0);
+
+ closeCQ.cmdExecute(cqRule.message, cqRule.connection, cqRule.securityService, 0);
+
+ verify(cqRule.securityService).authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY);
+ }
+}
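Review bot: The test in CloseCQTest is named `needClusterManageQueryToStopCQ`, apparently copied from StopCQTest; it should be `needClusterManageQueryToCloseCQ`. More importantly, this test and its siblings ExecuteCQ61Test and StopCQTest only `verify` that `authorize` was called on a mocked SecurityService, so they would still pass if the command ignored a denial. I would add a second case per command that stubs the check to throw, e.g. `doThrow(new NotAuthorizedException("denied")).when(cqRule.securityService).authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY);`, and asserts that the CQ service is never asked to close, stop or register the CQ.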
http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61Test.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61Test.java b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61Test.java new file mode 100644 index 0000000..51f7533 --- /dev/null +++ b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/ExecuteCQ61Test.java 
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.internal.cache.tier.sockets.command;
+
+import static org.mockito.Mockito.doCallRealMethod;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.security.ResourcePermission.Target;
+import org.apache.geode.test.dunit.rules.CQUnitTestRule;
+import org.apache.geode.test.junit.categories.UnitTest;
+
+@Category(UnitTest.class)
+public class ExecuteCQ61Test {
+ @Rule
+ public CQUnitTestRule cqRule = new CQUnitTestRule();
+
+ @Test
+ public void needClusterQueryManageToExecute() throws Exception {
+ ExecuteCQ61 executeCQ61 = mock(ExecuteCQ61.class);
+ doCallRealMethod().when(executeCQ61).cmdExecute(cqRule.message, cqRule.connection,
+ cqRule.securityService, 0);
+
+ executeCQ61.cmdExecute(cqRule.message, cqRule.connection, cqRule.securityService, 0);
+ verify(cqRule.securityService).authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY);
+ }
+}
http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQTest.java b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQTest.java new file mode 100644 index 0000000..580fc0c --- /dev/null +++ b/geode-cq/src/test/java/org/apache/geode/internal/cache/tier/sockets/command/StopCQTest.java 
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.internal.cache.tier.sockets.command;
+
+import static org.mockito.Mockito.doCallRealMethod;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.security.ResourcePermission.Target;
+import org.apache.geode.test.dunit.rules.CQUnitTestRule;
+import org.apache.geode.test.junit.categories.UnitTest;
+
+@Category(UnitTest.class)
+public class StopCQTest {
+
+ @Rule
+ public CQUnitTestRule cqRule = new CQUnitTestRule();
+
+ @Test
+ public void needClusterManageQueryToStopCQ() throws Exception {
+ StopCQ stopCQ = mock(StopCQ.class);
+ doCallRealMethod().when(stopCQ).cmdExecute(cqRule.message, cqRule.connection,
+ cqRule.securityService, 0);
+
+ stopCQ.cmdExecute(cqRule.message, cqRule.connection, cqRule.securityService, 0);
+
+ verify(cqRule.securityService).authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY);
+ }
+}
http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/security/CQClientAuthDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/security/CQClientAuthDUnitTest.java b/geode-cq/src/test/java/org/apache/geode/security/CQClientAuthDUnitTest.java deleted file mode 100644 index 8916725..0000000 --- a/geode-cq/src/test/java/org/apache/geode/security/CQClientAuthDUnitTest.java +++ /dev/null 
@@ -1,114 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more contributor license - * agreements. See the NOTICE file distributed with this work for additional information regarding - * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance with the License. You may obtain a - * copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License - * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the License for the specific language governing permissions and limitations under - * the License. - */ - -package org.apache.geode.security; - -import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS; -import static org.apache.geode.distributed.ConfigurationProperties.MCAST_PORT; -import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_AUTH_INIT; -import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER; -import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_POST_PROCESSOR; - -import org.apache.geode.cache.Region; -import org.apache.geode.cache.RegionShortcut; -import org.apache.geode.cache.client.ClientCache; -import org.apache.geode.cache.client.ClientCacheFactory; -import org.apache.geode.cache.client.ClientRegionShortcut; -import org.apache.geode.cache.client.Pool; -import org.apache.geode.cache.client.PoolManager; -import org.apache.geode.cache.client.internal.ProxyCache; -import org.apache.geode.cache.query.CqAttributes; -import org.apache.geode.cache.query.CqAttributesFactory; -import org.apache.geode.cache.query.CqQuery; -import org.apache.geode.cache.query.QueryService; -import org.apache.geode.security.templates.UserPasswordAuthInit; -import 
org.apache.geode.test.dunit.Host; -import org.apache.geode.test.dunit.VM; -import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; -import org.apache.geode.test.dunit.rules.ServerStarterRule; -import org.apache.geode.test.junit.categories.DistributedTest; -import org.apache.geode.test.junit.categories.SecurityTest; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import java.util.Properties; - -@Category({DistributedTest.class, SecurityTest.class}) -public class CQClientAuthDUnitTest extends JUnit4DistributedTestCase { - - private static String REGION_NAME = "testRegion"; - final Host host = Host.getHost(0); - final VM client1 = host.getVM(1); - - @Rule - public ServerStarterRule server = - new ServerStarterRule().withProperty(SECURITY_MANAGER, TestSecurityManager.class.getName()) - .withProperty(TestSecurityManager.SECURITY_JSON, - "org/apache/geode/management/internal/security/clientServer.json") - .withProperty(SECURITY_POST_PROCESSOR, TestPostProcessor.class.getName()).withAutoStart(); - - @Before - public void before() throws Exception { - Region region = - server.getCache().createRegionFactory(RegionShortcut.REPLICATE).create(REGION_NAME); - for (int i = 0; i < 5; i++) { - region.put("key" + i, "value" + i); - } - } - - @Test - public void testPostProcess() { - String query = "select * from /" + REGION_NAME; - client1.invoke(() -> { - Properties props = new Properties(); - props.setProperty(LOCATORS, ""); - props.setProperty(MCAST_PORT, "0"); - props.setProperty(SECURITY_CLIENT_AUTH_INIT, - UserPasswordAuthInit.class.getName() + ".create"); - ClientCacheFactory factory = new ClientCacheFactory(props); - - factory.addPoolServer("localhost", server.getPort()); - factory.setPoolThreadLocalConnections(false); - factory.setPoolMinConnections(5); - factory.setPoolSubscriptionEnabled(true); - factory.setPoolMultiuserAuthentication(true); - - - ClientCache clientCache = 
factory.create(); - Region region = - clientCache.createClientRegionFactory(ClientRegionShortcut.PROXY).create(REGION_NAME); - Pool pool = PoolManager.find(region); - - Properties userProps = new Properties(); - userProps.setProperty("security-username", "super-user"); - userProps.setProperty("security-password", "1234567"); - ProxyCache cache = - (ProxyCache) clientCache.createAuthenticatedView(userProps, pool.getName()); - - QueryService qs = cache.getQueryService(); - - CqAttributesFactory cqAttributesFactory = new CqAttributesFactory(); - - CqAttributes cqa = cqAttributesFactory.create(); - - // Create the CqQuery - CqQuery cq = qs.newCq("CQ1", query, cqa, true); - cq.execute(); - }); - } - -} http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/security/CQPostProcessorDunitTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/security/CQPostProcessorDunitTest.java b/geode-cq/src/test/java/org/apache/geode/security/CQPostProcessorDunitTest.java index 45f45ab..aebbb10 100644 --- a/geode-cq/src/test/java/org/apache/geode/security/CQPostProcessorDunitTest.java +++ b/geode-cq/src/test/java/org/apache/geode/security/CQPostProcessorDunitTest.java @@ -15,6 +15,9 @@ package org.apache.geode.security; +import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS; +import static org.apache.geode.distributed.ConfigurationProperties.MCAST_PORT; +import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_AUTH_INIT; import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER; import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_POST_PROCESSOR; import static org.apache.geode.security.SecurityTestUtil.createClientCache; 
@@ -22,11 +25,21 @@ import static org.apache.geode.security.SecurityTestUtil.createProxyRegion; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; +import java.util.Properties; + +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + import org.apache.geode.cache.Region; import org.apache.geode.cache.RegionShortcut; import org.apache.geode.cache.client.ClientCache; +import org.apache.geode.cache.client.ClientCacheFactory; +import org.apache.geode.cache.client.ClientRegionShortcut; import org.apache.geode.cache.client.Pool; import org.apache.geode.cache.client.PoolManager; +import org.apache.geode.cache.client.internal.ProxyCache; import org.apache.geode.cache.query.CqAttributes; import org.apache.geode.cache.query.CqAttributesFactory; import org.apache.geode.cache.query.CqEvent; @@ -34,16 +47,13 @@ import org.apache.geode.cache.query.CqQuery; import org.apache.geode.cache.query.CqResults; import org.apache.geode.cache.query.QueryService; import org.apache.geode.cache.query.internal.cq.CqListenerImpl; +import org.apache.geode.security.templates.UserPasswordAuthInit; import org.apache.geode.test.dunit.Host; import org.apache.geode.test.dunit.VM; import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; import org.apache.geode.test.dunit.rules.ServerStarterRule; import org.apache.geode.test.junit.categories.DistributedTest; import org.apache.geode.test.junit.categories.SecurityTest; -import org.junit.Before; -import org.junit.Rule; -import org.junit.Test; -import org.junit.experimental.categories.Category; @Category({DistributedTest.class, SecurityTest.class}) public class CQPostProcessorDunitTest extends JUnit4DistributedTestCase { 
@@ -75,9 +85,6 @@ public class CQPostProcessorDunitTest extends JUnit4DistributedTestCase { client1.invoke(() -> { ClientCache cache = createClientCache("super-user", "1234567", server.getPort()); Region region = createProxyRegion(cache, REGION_NAME); - - - Pool pool = PoolManager.find(region); QueryService qs = pool.getQueryService(); 
@@ -114,4 +121,45 @@ public class CQPostProcessorDunitTest extends JUnit4DistributedTestCase { } + @Test + public void testMultiUserPostProcess() { + String query = "select * from /" + REGION_NAME; + client1.invoke(() -> { + Properties props = new Properties(); + props.setProperty(LOCATORS, ""); + props.setProperty(MCAST_PORT, "0"); + props.setProperty(SECURITY_CLIENT_AUTH_INIT, + UserPasswordAuthInit.class.getName() + ".create"); + ClientCacheFactory factory = new ClientCacheFactory(props); + + factory.addPoolServer("localhost", server.getPort()); + factory.setPoolThreadLocalConnections(false); + factory.setPoolMinConnections(5); + factory.setPoolSubscriptionEnabled(true); + factory.setPoolMultiuserAuthentication(true); + + + ClientCache clientCache = factory.create(); + Region region = + clientCache.createClientRegionFactory(ClientRegionShortcut.PROXY).create(REGION_NAME); + Pool pool = PoolManager.find(region); + + Properties userProps = new Properties(); + userProps.setProperty("security-username", "super-user"); + userProps.setProperty("security-password", "1234567"); + ProxyCache cache = + (ProxyCache) clientCache.createAuthenticatedView(userProps, pool.getName()); + + QueryService qs = cache.getQueryService(); + + CqAttributesFactory cqAttributesFactory = new CqAttributesFactory(); + + CqAttributes cqa = cqAttributesFactory.create(); + + // Create the CqQuery + CqQuery cq = qs.newCq("CQ1", query, cqa, true); + cq.execute(); + }); + } + } http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/security/ClientCQAuthDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/security/ClientCQAuthDUnitTest.java b/geode-cq/src/test/java/org/apache/geode/security/ClientCQAuthDUnitTest.java new file mode 100644 index 0000000..5f0894e --- /dev/null +++ b/geode-cq/src/test/java/org/apache/geode/security/ClientCQAuthDUnitTest.java 
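Review bot: `testMultiUserPostProcess` contains no assertion: it ends at `cq.execute()` with a `CqAttributes` that has no listener, so it passes as long as nothing throws and says nothing about whether the post processor ran for the authenticated view. Since the class is about post-processing, I would call `cq.executeWithInitialResults()` and assert on the returned values, as the existing test in this class appears to do (the file imports `CqResults` and `assertEquals`), or rename the test to say it only checks that a multi-user CQ can be created. The `ClientCache` created inside the lambda is also never closed, which may leave the pool and subscription connection open for later tests in the same VM; a `clientCache.close()` in a `finally` would contain that.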
@@ -0,0 +1,109 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.security; + +import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER; +import static org.apache.geode.security.SecurityTestUtil.assertNotAuthorized; +import static org.apache.geode.security.SecurityTestUtil.createClientCache; +import static org.apache.geode.security.SecurityTestUtil.createProxyRegion; + +import org.junit.Rule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.cache.Region; +import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.cache.client.ClientCache; +import org.apache.geode.cache.client.Pool; +import org.apache.geode.cache.client.PoolManager; +import org.apache.geode.cache.query.CqAttributes; +import org.apache.geode.cache.query.CqAttributesFactory; +import org.apache.geode.cache.query.CqQuery; +import org.apache.geode.cache.query.QueryService; +import org.apache.geode.test.dunit.VM; +import org.apache.geode.test.dunit.rules.LocatorServerStartupRule; +import org.apache.geode.test.dunit.rules.ServerStarterRule; +import org.apache.geode.test.junit.categories.DistributedTest; +import 
org.apache.geode.test.junit.categories.SecurityTest; + +@Category({DistributedTest.class, SecurityTest.class}) +public class ClientCQAuthDUnitTest { + + @Rule + public LocatorServerStartupRule startupRule = new LocatorServerStartupRule(); + private static String REGION_NAME = "AuthRegion"; + private final VM client1 = startupRule.getVM(1); + private final VM client2 = startupRule.getVM(2); + private final VM client3 = startupRule.getVM(3); + + @Rule + public ServerStarterRule server = new ServerStarterRule() + .withProperty(SECURITY_MANAGER, SimpleTestSecurityManager.class.getName()) + .withRegion(RegionShortcut.REPLICATE, REGION_NAME); + + @Test + public void verifyCQPermissions() { + String query = "select * from /AuthRegion"; + int serverPort = server.getPort(); + + // client has no permission whatsoever + client1.invoke(() -> { + ClientCache cache = createClientCache("test", "test", serverPort); + final Region region = createProxyRegion(cache, REGION_NAME); + Pool pool = PoolManager.find(region); + QueryService qs = pool.getQueryService(); + CqAttributes cqa = new CqAttributesFactory().create(); + + // Create the CqQuery (this is on the client side) + CqQuery cq = qs.newCq("CQ1", query, cqa); + + assertNotAuthorized(cq::execute, "CLUSTER:MANAGE:QUERY"); + assertNotAuthorized(cq::executeWithInitialResults, "CLUSTER:MANAGE:QUERY"); + assertNotAuthorized(cq::close, "CLUSTER:MANAGE:QUERY"); + assertNotAuthorized(qs::getAllDurableCqsFromServer, "CLUSTER:READ"); + }); + + // client2 has part of the permission + client2.invoke(() -> { + ClientCache cache = createClientCache("clusterManageQuery", "clusterManageQuery", serverPort); + final Region region = createProxyRegion(cache, REGION_NAME); + Pool pool = PoolManager.find(region); + QueryService qs = pool.getQueryService(); + CqAttributes cqa = new CqAttributesFactory().create(); + + // Create the CqQuery (this is on the client side) + CqQuery cq = qs.newCq("CQ1", query, cqa); + assertNotAuthorized(cq::execute, 
"DATA:READ:AuthRegion"); + assertNotAuthorized(cq::executeWithInitialResults, "DATA:READ:AuthRegion"); + cq.close(); + }); + + // client3 has all the permissions + client3.invoke(() -> { + ClientCache cache = createClientCache("clusterManageQuery,dataRead", + "clusterManageQuery,dataRead", serverPort); + Region region = createProxyRegion(cache, REGION_NAME); + Pool pool = PoolManager.find(region); + QueryService qs = pool.getQueryService(); + CqAttributes cqa = new CqAttributesFactory().create(); + + // Create the CqQuery + CqQuery cq = qs.newCq("CQ1", query, cqa); + cq.execute(); + cq.stop(); + }); + } +} http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/security/ClientQueryAuthDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/security/ClientQueryAuthDUnitTest.java b/geode-cq/src/test/java/org/apache/geode/security/ClientQueryAuthDUnitTest.java index cc5dde4..9be1790 100644 --- a/geode-cq/src/test/java/org/apache/geode/security/ClientQueryAuthDUnitTest.java +++ b/geode-cq/src/test/java/org/apache/geode/security/ClientQueryAuthDUnitTest.java 
@@ -19,25 +19,19 @@ import static org.apache.geode.security.SecurityTestUtil.assertNotAuthorized; import static org.apache.geode.security.SecurityTestUtil.createClientCache; import static org.apache.geode.security.SecurityTestUtil.createProxyRegion; -import org.apache.geode.cache.RegionShortcut; -import org.apache.geode.test.dunit.Host; -import org.apache.geode.test.dunit.VM; -import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; -import org.apache.geode.test.dunit.rules.ServerStarterRule; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; import org.apache.geode.cache.Region; +import org.apache.geode.cache.RegionShortcut; import org.apache.geode.cache.client.ClientCache; import org.apache.geode.cache.client.Pool; import org.apache.geode.cache.client.PoolManager; -import org.apache.geode.cache.query.CqAttributes; -import org.apache.geode.cache.query.CqAttributesFactory; -import org.apache.geode.cache.query.CqEvent; -import org.apache.geode.cache.query.CqListener; -import org.apache.geode.cache.query.CqQuery; -import org.apache.geode.cache.query.QueryService; +import org.apache.geode.test.dunit.Host; +import org.apache.geode.test.dunit.VM; +import org.apache.geode.test.dunit.internal.JUnit4DistributedTestCase; +import org.apache.geode.test.dunit.rules.ServerStarterRule; import org.apache.geode.test.junit.categories.DistributedTest; import org.apache.geode.test.junit.categories.SecurityTest; 
@@ -71,75 +65,4 @@ public class ClientQueryAuthDUnitTest extends JUnit4DistributedTestCase { "DATA:READ:AuthRegion"); }); } - - @Test - public void testCQ() { - String query = "select * from /AuthRegion"; - client1.invoke(() -> { - ClientCache cache = createClientCache("stranger", "1234567", server.getPort()); - Region region = createProxyRegion(cache, REGION_NAME); - Pool pool = PoolManager.find(region); - QueryService qs = pool.getQueryService(); - - CqAttributes cqa = new CqAttributesFactory().create(); - - // Create the CqQuery - CqQuery cq = qs.newCq("CQ1", query, cqa); - - assertNotAuthorized(() -> cq.executeWithInitialResults(), "DATA:READ:AuthRegion"); - assertNotAuthorized(() -> cq.execute(), "DATA:READ:AuthRegion"); - - assertNotAuthorized(() -> cq.close(), "DATA:MANAGE"); - }); - - client2.invoke(() -> { - ClientCache cache = createClientCache("authRegionReader", "1234567", server.getPort()); - Region region = createProxyRegion(cache, REGION_NAME); - Pool pool = PoolManager.find(region); - QueryService qs = pool.getQueryService(); - - CqAttributes cqa = new CqAttributesFactory().create(); - // Create the CqQuery - CqQuery cq = qs.newCq("CQ1", query, cqa); - cq.execute(); - - assertNotAuthorized(() -> cq.stop(), "DATA:MANAGE"); - assertNotAuthorized(() -> qs.getAllDurableCqsFromServer(), "CLUSTER:READ"); - }); - - client3.invoke(() -> { - ClientCache cache = createClientCache("super-user", "1234567", server.getPort()); - Region region = createProxyRegion(cache, REGION_NAME); - Pool pool = PoolManager.find(region); - QueryService qs = pool.getQueryService(); - - CqAttributesFactory factory = new CqAttributesFactory(); - factory.addCqListener(new CqListener() { - @Override - public void onEvent(final CqEvent aCqEvent) { - System.out.println(aCqEvent); - } - - @Override - public void onError(final CqEvent aCqEvent) { - - } - - @Override - public void close() { - - } - }); - - - CqAttributes cqa = factory.create(); - - // Create the CqQuery - CqQuery cq = 
qs.newCq("CQ1", query, cqa); - System.out.println("query result: " + cq.executeWithInitialResults()); - - cq.stop(); - }); - } - } http://git-wip-us.apache.org/repos/asf/geode/blob/33f42181/geode-cq/src/test/java/org/apache/geode/test/dunit/rules/CQUnitTestRule.java ---------------------------------------------------------------------- diff --git a/geode-cq/src/test/java/org/apache/geode/test/dunit/rules/CQUnitTestRule.java b/geode-cq/src/test/java/org/apache/geode/test/dunit/rules/CQUnitTestRule.java new file mode 100644 index 0000000..5a6294b --- /dev/null +++ b/geode-cq/src/test/java/org/apache/geode/test/dunit/rules/CQUnitTestRule.java 
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.test.dunit.rules;
+
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.junit.rules.ExternalResource;
+
+import org.apache.geode.cache.query.internal.cq.CqService;
+import org.apache.geode.internal.cache.InternalCache;
+import org.apache.geode.internal.cache.tier.CachedRegionHelper;
+import org.apache.geode.internal.cache.tier.sockets.AcceptorImpl;
+import org.apache.geode.internal.cache.tier.sockets.CacheServerStats;
+import org.apache.geode.internal.cache.tier.sockets.ChunkedMessage;
+import org.apache.geode.internal.cache.tier.sockets.Message;
+import org.apache.geode.internal.cache.tier.sockets.Part;
+import org.apache.geode.internal.cache.tier.sockets.ServerConnection;
+import org.apache.geode.internal.security.SecurityService;
+
+public class CQUnitTestRule extends ExternalResource {
+ public SecurityService securityService;
+ public Message message;
+ public ServerConnection connection;
+ public InternalCache cache;
+
+ protected void before() throws Throwable {
+ securityService = mock(SecurityService.class);
+ message = mock(Message.class);
+ connection = mock(ServerConnection.class);
+ cache = mock(InternalCache.class);
+ Part part = mock(Part.class);
+ CachedRegionHelper crHelper = mock(CachedRegionHelper.class);
+
+ when(connection.getCachedRegionHelper()).thenReturn(crHelper);
+ when(connection.getCacheServerStats()).thenReturn(mock(CacheServerStats.class));
+ when(connection.getAcceptor()).thenReturn(mock(AcceptorImpl.class));
+ when(connection.getChunkedResponseMessage()).thenReturn(mock(ChunkedMessage.class));
+ when(message.getPart(anyInt())).thenReturn(part);
+ when(part.getString()).thenReturn("CQ");
+ when(part.getInt()).thenReturn(10);
+ when(crHelper.getCache()).thenReturn(cache);
+ when(cache.getCqService()).thenReturn(mock(CqService.class));
+ }
+
+}
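Review bot: `securityService` in `CQUnitTestRule.before()` is left as an unstubbed Mockito mock, so by Mockito's defaults its methods do nothing or return default values, which presumably includes the authorization checks. A command test built on this rule therefore only proves a permission is enforced if it explicitly verifies the expected authorize call on the mock. I would add a class-level Javadoc saying so, and noting that `message.getPart(anyInt())` returns the same `Part` for every index (string `"CQ"`, int `10`), so the commands under test cannot be shown to read the right part. `before()` overrides `ExternalResource.before()` and should carry `@Override`. The four fixtures are public non-final fields reassigned on each run, so accessor methods would keep a test from replacing the security mock by accident.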