http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSAuthInit.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/PKCSAuthInit.java b/geode-core/src/test/java/templates/security/PKCSAuthInit.java deleted file mode 100755 index f4004f3..0000000 --- a/geode-core/src/test/java/templates/security/PKCSAuthInit.java +++ /dev/null @@ -1,132 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.LogWriter; -import com.gemstone.gemfire.distributed.DistributedMember; -import com.gemstone.gemfire.internal.logging.LogService; -import com.gemstone.gemfire.security.AuthInitialize; -import com.gemstone.gemfire.security.AuthenticationFailedException; -import com.gemstone.gemfire.security.GemFireSecurityException; -import org.apache.logging.log4j.Logger; - -import java.io.FileInputStream; -import java.security.Key; -import java.security.KeyStore; -import java.security.PrivateKey; -import java.security.Signature; -import java.security.cert.X509Certificate; -import java.util.Properties; - -/** - * An {@link AuthInitialize} implementation that obtains the digital signature - * for use with PKCS scheme on server from the given set of properties. - * - * To use this class the <c>security-client-auth-init</c> property should be - * set to the fully qualified name the static <code>create</code> function - * viz. <code>templates.security.PKCSAuthInit.create</code> - * - * @author Kumar Neeraj - * @since 5.5 - */ -public class PKCSAuthInit implements AuthInitialize { - private static final Logger logger = LogService.getLogger(); - - public static final String KEYSTORE_FILE_PATH = "security-keystorepath"; - - public static final String KEYSTORE_ALIAS = "security-alias"; - - public static final String KEYSTORE_PASSWORD = "security-keystorepass"; - - public static final String SIGNATURE_DATA = "security-signature"; - - protected LogWriter securitylog; - - protected LogWriter systemlog; - - public void close() { - } - - public static AuthInitialize create() { - return new PKCSAuthInit(); - } - - public PKCSAuthInit() { - } - - public void init(LogWriter systemLogger, LogWriter securityLogger) - throws AuthenticationFailedException { - this.systemlog = systemLogger; - this.securitylog = securityLogger; - } - - public Properties getCredentials(Properties props, DistributedMember server, - boolean isPeer) throws AuthenticationFailedException { - String keyStorePath = props.getProperty(KEYSTORE_FILE_PATH); - if (keyStorePath == null) { - throw new AuthenticationFailedException( - "PKCSAuthInit: key-store file path property [" + KEYSTORE_FILE_PATH - + "] not set."); - } - String alias = props.getProperty(KEYSTORE_ALIAS); - if (alias == null) { - throw new AuthenticationFailedException( - "PKCSAuthInit: key alias name property [" + KEYSTORE_ALIAS - + "] not set."); - } - String keyStorePass = props.getProperty(KEYSTORE_PASSWORD); - - try { - KeyStore ks = KeyStore.getInstance("PKCS12"); - char[] passPhrase = (keyStorePass != null ? keyStorePass.toCharArray() - : null); - FileInputStream certificatefile = new FileInputStream(keyStorePath); - try { - ks.load(certificatefile, passPhrase); - } - finally { - certificatefile.close(); - } - - Key key = ks.getKey(alias, passPhrase); - - if (key instanceof PrivateKey) { - - PrivateKey privKey = (PrivateKey)key; - X509Certificate cert = (X509Certificate)ks.getCertificate(alias); - Signature sig = Signature.getInstance(cert.getSigAlgName()); - - sig.initSign(privKey); - sig.update(alias.getBytes("UTF-8")); - byte[] signatureBytes = sig.sign(); - - Properties newprops = new Properties(); - newprops.put(KEYSTORE_ALIAS, alias); - newprops.put(SIGNATURE_DATA, signatureBytes); - return newprops; - } - else { - throw new AuthenticationFailedException("PKCSAuthInit: " - + "Failed to load private key from the given file: " + keyStorePath); - } - } - catch (Exception ex) { - throw new AuthenticationFailedException( - "PKCSAuthInit: Exception while getting credentials: " + ex, ex); - } - } -}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSAuthenticator.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/PKCSAuthenticator.java b/geode-core/src/test/java/templates/security/PKCSAuthenticator.java deleted file mode 100755 index 7af7312..0000000 --- a/geode-core/src/test/java/templates/security/PKCSAuthenticator.java +++ /dev/null @@ -1,166 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.LogWriter; -import com.gemstone.gemfire.distributed.DistributedMember; -import com.gemstone.gemfire.internal.logging.LogService; -import com.gemstone.gemfire.security.AuthenticationFailedException; -import com.gemstone.gemfire.security.Authenticator; -import com.gemstone.gemfire.security.GemFireSecurityException; -import org.apache.logging.log4j.Logger; - -import java.io.FileInputStream; -import java.security.KeyStore; -import java.security.NoSuchAlgorithmException; -import java.security.Principal; -import java.security.Signature; -import java.security.cert.Certificate; -import java.security.cert.X509Certificate; -import java.security.spec.InvalidKeySpecException; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Map; -import java.util.Properties; - -/** - * @author kneeraj - * - */ -public class PKCSAuthenticator implements Authenticator { - private static final Logger logger = LogService.getLogger(); - - public static final String PUBLIC_KEY_FILE = "security-publickey-filepath"; - - public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass"; - - private String pubKeyFilePath; - - private String pubKeyPass; - - private Map aliasCertificateMap; - - protected LogWriter systemlog; - - protected LogWriter securitylog; - - public static Authenticator create() { - return new PKCSAuthenticator(); - } - - public PKCSAuthenticator() { - } - - private void populateMap() { - try { - KeyStore ks = KeyStore.getInstance("JKS"); - char[] passPhrase = (pubKeyPass != null ? pubKeyPass.toCharArray() : null); - FileInputStream keystorefile = new FileInputStream(this.pubKeyFilePath); - try { - ks.load(keystorefile, passPhrase); - } - finally { - keystorefile.close(); - } - Enumeration e = ks.aliases(); - while (e.hasMoreElements()) { - Object alias = e.nextElement(); - Certificate cert = ks.getCertificate((String)alias); - if (cert instanceof X509Certificate) { - this.aliasCertificateMap.put(alias, cert); - } - } - } - catch (Exception e) { - throw new AuthenticationFailedException( - "Exception while getting public keys: " + e.getMessage(), e); - } - } - - public void init(Properties systemProps, LogWriter systemLogger, - LogWriter securityLogger) throws AuthenticationFailedException { - this.systemlog = systemLogger; - this.securitylog = securityLogger; - this.pubKeyFilePath = systemProps.getProperty(PUBLIC_KEY_FILE); - if (this.pubKeyFilePath == null) { - throw new AuthenticationFailedException("PKCSAuthenticator: property " - + PUBLIC_KEY_FILE + " not specified as the public key file."); - } - this.pubKeyPass = systemProps.getProperty(PUBLIC_KEYSTORE_PASSWORD); - this.aliasCertificateMap = new HashMap(); - populateMap(); - } - - private AuthenticationFailedException getException(String exStr, - Exception cause) { - - String exMsg = "PKCSAuthenticator: Authentication of client failed due to: " - + exStr; - if (cause != null) { - return new AuthenticationFailedException(exMsg, cause); - } - else { - return new AuthenticationFailedException(exMsg); - } - } - - private AuthenticationFailedException getException(String exStr) { - return getException(exStr, null); - } - - private X509Certificate getCertificate(String alias) - throws NoSuchAlgorithmException, InvalidKeySpecException { - if (this.aliasCertificateMap.containsKey(alias)) { - return (X509Certificate)this.aliasCertificateMap.get(alias); - } - return null; - } - - public Principal authenticate(Properties props, DistributedMember member) - throws AuthenticationFailedException { - String alias = (String)props.get(PKCSAuthInit.KEYSTORE_ALIAS); - if (alias == null || alias.length() <= 0) { - throw new AuthenticationFailedException("No alias received"); - } - try { - X509Certificate cert = getCertificate(alias); - if (cert == null) { - throw getException("No certificate found for alias:" + alias); - } - byte[] signatureBytes = (byte[])props.get(PKCSAuthInit.SIGNATURE_DATA); - if (signatureBytes == null) { - throw getException("signature data property [" - + PKCSAuthInit.SIGNATURE_DATA + "] not provided"); - } - Signature sig = Signature.getInstance(cert.getSigAlgName()); - sig.initVerify(cert); - sig.update(alias.getBytes("UTF-8")); - - if (!sig.verify(signatureBytes)) { - throw getException("verification of client signature failed"); - } - return new PKCSPrincipal(alias); - } - catch (Exception ex) { - throw getException(ex.toString(), ex); - } - } - - public void close() { - } - -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSPrincipal.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/PKCSPrincipal.java b/geode-core/src/test/java/templates/security/PKCSPrincipal.java deleted file mode 100755 index bc3049f..0000000 --- a/geode-core/src/test/java/templates/security/PKCSPrincipal.java +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package templates.security; - -import java.io.Serializable; -import java.security.Principal; - -/** - * @author kneeraj - * - */ -public class PKCSPrincipal implements Principal, Serializable { - - private String alias; - - public PKCSPrincipal(String alias) { - this.alias = alias; - } - - public String getName() { - return this.alias; - } - - @Override - public String toString() { - return this.alias; - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java b/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java deleted file mode 100644 index fc8454c..0000000 --- a/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.test.junit.categories.UnitTest; -import org.apache.commons.lang.SerializationUtils; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import java.io.Serializable; - -import static org.assertj.core.api.Assertions.assertThat; - -/** - * Unit tests for {@link PKCSPrincipal} - */ -@Category(UnitTest.class) -public class PKCSPrincipalTest { - - @Test - public void isSerializable() throws Exception { - assertThat(PKCSPrincipal.class).isInstanceOf(Serializable.class); - } - - @Test - public void canBeSerialized() throws Exception { - String name = "jsmith"; - PKCSPrincipal instance = new PKCSPrincipal(name); - - PKCSPrincipal cloned = (PKCSPrincipal) SerializationUtils.clone(instance); - - assertThat(cloned.getName()).isEqualTo(name); - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java b/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java deleted file mode 100755 index 1c48773..0000000 --- a/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.LogWriter; -import com.gemstone.gemfire.distributed.DistributedMember; -import com.gemstone.gemfire.security.AuthInitialize; -import com.gemstone.gemfire.security.AuthenticationFailedException; - -import java.util.Properties; - -/** - * An {@link AuthInitialize} implementation that obtains the user name and - * password as the credentials from the given set of properties. - * - * To use this class the <c>security-client-auth-init</c> property should be - * set to the fully qualified name the static <code>create</code> function - * viz. <code>templates.security.UserPasswordAuthInit.create</code> - * - * @author Sumedh Wale - * @since 5.5 - */ -public class UserPasswordAuthInit implements AuthInitialize { - - public static final String USER_NAME = "security-username"; - - public static final String PASSWORD = "security-password"; - - protected LogWriter securitylog; - - protected LogWriter systemlog; - - public static AuthInitialize create() { - return new UserPasswordAuthInit(); - } - - public void init(LogWriter systemLogger, LogWriter securityLogger) - throws AuthenticationFailedException { - this.systemlog = systemLogger; - this.securitylog = securityLogger; - } - - public UserPasswordAuthInit() { - } - - public Properties getCredentials(Properties props, DistributedMember server, - boolean isPeer) throws AuthenticationFailedException { - - Properties newProps = new Properties(); - String userName = props.getProperty(USER_NAME); - if (userName == null) { - throw new AuthenticationFailedException( - "UserPasswordAuthInit: user name property [" + USER_NAME - + "] not set."); - } - newProps.setProperty(USER_NAME, userName); - String passwd = props.getProperty(PASSWORD); - // If password is not provided then use empty string as the password. - if (passwd == null) { - passwd = ""; - } - newProps.setProperty(PASSWORD, passwd); - return newProps; - } - - public void close() { - } - -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UsernamePrincipal.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/UsernamePrincipal.java b/geode-core/src/test/java/templates/security/UsernamePrincipal.java deleted file mode 100755 index 781dd5a..0000000 --- a/geode-core/src/test/java/templates/security/UsernamePrincipal.java +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import java.io.Serializable; -import java.security.Principal; - -/** - * An implementation of {@link Principal} class for a simple user name. - * - * @author Kumar Neeraj - * @since 5.5 - */ -public class UsernamePrincipal implements Principal, Serializable { - - private final String userName; - - public UsernamePrincipal(String userName) { - this.userName = userName; - } - - public String getName() { - return this.userName; - } - - @Override - public String toString() { - return this.userName; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java b/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java deleted file mode 100644 index 023c214..0000000 --- a/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.test.junit.categories.UnitTest; -import org.apache.commons.lang.SerializationUtils; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import java.io.Serializable; - -import static org.assertj.core.api.Assertions.assertThat; - -/** - * Unit tests for {@link UsernamePrincipal} - */ -@Category(UnitTest.class) -public class UsernamePrincipalTest { - - @Test - public void isSerializable() throws Exception { - assertThat(UsernamePrincipal.class).isInstanceOf(Serializable.class); - } - - @Test - public void canBeSerialized() throws Exception { - String name = "jsmith"; - UsernamePrincipal instance = new UsernamePrincipal(name); - - UsernamePrincipal cloned = (UsernamePrincipal) SerializationUtils.clone(instance); - - assertThat(cloned.getName()).isEqualTo(name); - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/XmlAuthorization.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/XmlAuthorization.java b/geode-core/src/test/java/templates/security/XmlAuthorization.java deleted file mode 100755 index 29d94de..0000000 --- a/geode-core/src/test/java/templates/security/XmlAuthorization.java +++ /dev/null @@ -1,672 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.LogWriter; -import com.gemstone.gemfire.cache.Cache; -import com.gemstone.gemfire.cache.operations.ExecuteFunctionOperationContext; -import com.gemstone.gemfire.cache.operations.OperationContext; -import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode; -import com.gemstone.gemfire.cache.operations.QueryOperationContext; -import com.gemstone.gemfire.distributed.DistributedMember; -import com.gemstone.gemfire.security.AccessControl; -import com.gemstone.gemfire.security.NotAuthorizedException; -import org.w3c.dom.Attr; -import org.w3c.dom.Document; -import org.w3c.dom.NamedNodeMap; -import org.w3c.dom.Node; -import org.w3c.dom.NodeList; -import org.xml.sax.EntityResolver; -import org.xml.sax.InputSource; -import org.xml.sax.SAXException; -import org.xml.sax.SAXParseException; - -import java.io.IOException; -import java.io.InputStream; -import java.security.Principal; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; -import java.util.regex.Matcher; -import java.util.regex.Pattern; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; - -/** - * An implementation of the <code>{@link AccessControl}</code> interface that - * allows authorization using the permissions as specified in the given XML - * file. - * - * The format of the XML file is specified in <a href="authz5_5.dtd"/>. It - * implements a role-based authorization at the operation level for each region. - * Each principal name may be associated with a set of roles. The name of the - * principal is obtained using the {@link Principal#getName} method and no other - * information of the principal is utilized. Each role can be provided - * permissions to execute operations for each region. - * - * The top-level element in the XML is "acl" tag that contains the "role" and - * "permission" tags. The "role" tag contains the list of users that have been - * given that role. The name of the role is specified in the "role" attribute - * and the users are contained in the "user" tags insided the "role" tag. - * - * The "permissions" tag contains the list of operations allowed for a - * particular region. The role name is specified as the "role" attribute, the - * list of comma separated region names as the optional "regions" attribute and - * the operation names are contained in the "operation" tags inside the - * "permissions" tag. The allowed operation names are: GET, PUT, PUTALL, - * DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, CONTAINS_KEY, KEY_SET, - * QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, REGION_CREATE, - * REGION_DESTROY. These correspond to the operations in the - * {@link OperationCode} enumeration with the same name. - * - * When no region name is specified then the operation is allowed for all - * regions in the cache. Any permissions specified for regions using the - * "regions" attribute override these permissions. This allows users to provide - * generic permissions without any region name, and override for specific - * regions specified using the "regions" attribute. A cache-level operation - * (e.g. {@link OperationCode#REGION_DESTROY}) specified for a particular region - * is ignored i.e. the cache-level operations are only applicable when no region - * name is specified. A {@link OperationCode#QUERY} operation is permitted when - * either the <code>QUERY</code> permission is provided at the cache-level for - * the user or when <code>QUERY</code> permission is provided for all the - * regions that are part of the query string. - * - * Any roles specified in the "user" tag that do not have a specified permission - * set using the "permission" tags are ignored. When no {@link Principal} is - * associated with the current connection, then empty user name is used to - * search for the roles so an empty user name can be used to specify roles of - * unauthenticated clients (i.e. <code>Everyone</code>). - * - * This sample implementation is useful only for pre-operation checks and should - * not be used for post-operation authorization since it does nothing useful for - * post-operation case. - * - * @author Sumedh Wale - * @since 5.5 - */ -public class XmlAuthorization implements AccessControl { - - public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri"; - - private static final String TAG_ROLE = "role"; - - private static final String TAG_USER = "user"; - - private static final String TAG_PERMS = "permission"; - - private static final String TAG_OP = "operation"; - - private static final String ATTR_ROLENAME = "name"; - - private static final String ATTR_ROLE = "role"; - - private static final String ATTR_REGIONS = "regions"; - - private static final String ATTR_FUNCTION_IDS = "functionIds"; - - private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE = - "optimizeForWrite"; - - private static final String ATTR_FUNCTION_KEY_SET = "keySet"; - - private static String currentDocUri = null; - - private static Map<String, HashSet<String>> userRoles = null; - - private static Map<String, Map<String, - Map<OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null; - - private static NotAuthorizedException xmlLoadFailure = null; - - private static final Object sync = new Object(); - - private static final String EMPTY_VALUE = ""; - - private final Map<String, Map<OperationCode, - FunctionSecurityPrmsHolder>> allowedOps; - - protected LogWriter logger; - - protected LogWriter securityLogger; - - private XmlAuthorization() { - - this.allowedOps = new HashMap<String, Map<OperationCode, - FunctionSecurityPrmsHolder>>(); - this.logger = null; - this.securityLogger = null; - } - - /** - * Change the region name to a standard format having single '/' as separator - * and starting with a '/' as in standard POSIX paths - */ - public static String normalizeRegionName(String regionName) { - - if (regionName == null || regionName.length() == 0) { - return EMPTY_VALUE; - } - char[] resultName = new char[regionName.length() + 1]; - boolean changed = false; - boolean isPrevCharSlash = false; - int startIndex; - if (regionName.charAt(0) != '/') { - changed = true; - startIndex = 0; - } - else { - isPrevCharSlash = true; - startIndex = 1; - } - resultName[0] = '/'; - int resultLength = 1; - // Replace all more than one '/'s with a single '/' - for (int index = startIndex; index < regionName.length(); ++index) { - char currChar = regionName.charAt(index); - if (currChar == '/') { - if (isPrevCharSlash) { - changed = true; - continue; - } - isPrevCharSlash = true; - } - else { - isPrevCharSlash = false; - } - resultName[resultLength++] = currChar; - } - // Remove any trailing slash - if (resultName[resultLength - 1] == '/') { - --resultLength; - changed = true; - } - if (changed) { - return new String(resultName, 0, resultLength); - } - else { - return regionName; - } - } - - /** Get the attribute value for a given attribute name of a node. */ - private static String getAttributeValue(Node node, String attrName) { - - NamedNodeMap attrMap = node.getAttributes(); - Node attrNode; - if (attrMap != null && (attrNode = attrMap.getNamedItem(attrName)) != null) { - return ((Attr)attrNode).getValue(); - } - return EMPTY_VALUE; - } - - /** Get the string contained in the first text child of the node. */ - private static String getNodeValue(Node node) { - - NodeList childNodes = node.getChildNodes(); - for (int index = 0; index < childNodes.getLength(); index++) { - Node childNode = childNodes.item(index); - if (childNode.getNodeType() == Node.TEXT_NODE) { - return childNode.getNodeValue(); - } - } - return EMPTY_VALUE; - } - - /** - * Public static factory method to create an instance of - * <code>XmlAuthorization</code>. The fully qualified name of the class - * (<code>templates.security.XmlAuthorization.create</code>) - * should be mentioned as the <code>security-client-accessor</code> system - * property to enable pre-operation authorization checks as implemented in - * this class. - * - * @return an object of <code>XmlAuthorization</code> class - */ - public static AccessControl create() { - - return new XmlAuthorization(); - } - - /** - * Cache authorization information for all users statically. This method is - * not thread-safe and is should either be invoked only once, or the caller - * should take the appropriate locks. - * - * @param cache - * reference to the cache object for the distributed system - */ - private static void init(Cache cache) throws NotAuthorizedException { - - LogWriter logger = cache.getLogger(); - String xmlDocumentUri = (String)cache.getDistributedSystem() - .getSecurityProperties().get(DOC_URI_PROP_NAME); - try { - if (xmlDocumentUri == null) { - throw new NotAuthorizedException("No ACL file defined using tag [" - + DOC_URI_PROP_NAME + "] in system properties"); - } - if (xmlDocumentUri.equals(XmlAuthorization.currentDocUri)) { - if (XmlAuthorization.xmlLoadFailure != null) { - throw XmlAuthorization.xmlLoadFailure; - } - return; - } - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - factory.setIgnoringComments(true); - factory.setIgnoringElementContentWhitespace(true); - factory.setValidating(true); - DocumentBuilder builder = factory.newDocumentBuilder(); - XmlErrorHandler errorHandler = new XmlErrorHandler(logger, xmlDocumentUri); - builder.setErrorHandler(errorHandler); - builder.setEntityResolver(new AuthzDtdResolver()); - Document xmlDocument = builder.parse(xmlDocumentUri); - - XmlAuthorization.userRoles = new HashMap<String, HashSet<String>>(); - XmlAuthorization.rolePermissions = new HashMap<String, Map<String, - Map<OperationCode, FunctionSecurityPrmsHolder>>>(); - NodeList roleUserNodes = xmlDocument.getElementsByTagName(TAG_ROLE); - for (int roleIndex = 0; roleIndex < roleUserNodes.getLength(); - roleIndex++) { - Node roleUserNode = roleUserNodes.item(roleIndex); - String roleName = getAttributeValue(roleUserNode, ATTR_ROLENAME); - NodeList userNodes = roleUserNode.getChildNodes(); - for (int userIndex = 0; userIndex < userNodes.getLength(); - userIndex++) { - Node userNode = userNodes.item(userIndex); - if (userNode.getNodeName() == TAG_USER) { - String userName = getNodeValue(userNode); - HashSet<String> userRoleSet = XmlAuthorization.userRoles - .get(userName); - if (userRoleSet == null) { - userRoleSet = new HashSet<String>(); - XmlAuthorization.userRoles.put(userName, userRoleSet); - } - userRoleSet.add(roleName); - } - else { - throw new SAXParseException("Unknown tag [" - + userNode.getNodeName() + "] as child of tag [" + TAG_ROLE - + ']', null); - } - } - } - NodeList rolePermissionNodes = xmlDocument - .getElementsByTagName(TAG_PERMS); - for (int permIndex = 0; permIndex < rolePermissionNodes.getLength(); - permIndex++) { - Node rolePermissionNode = rolePermissionNodes.item(permIndex); - String roleName = getAttributeValue(rolePermissionNode, ATTR_ROLE); - Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> - regionOperationMap = XmlAuthorization.rolePermissions.get(roleName); - if (regionOperationMap == null) { - regionOperationMap = new HashMap<String, - Map<OperationCode, FunctionSecurityPrmsHolder>>(); - XmlAuthorization.rolePermissions.put(roleName, regionOperationMap); - } - NodeList operationNodes = rolePermissionNode.getChildNodes(); - HashMap<OperationCode, FunctionSecurityPrmsHolder> operationMap = - new HashMap<OperationCode, FunctionSecurityPrmsHolder>(); - for (int opIndex = 0; opIndex < operationNodes.getLength(); opIndex++) { - Node operationNode = operationNodes.item(opIndex); - if (operationNode.getNodeName() == TAG_OP) { - String operationName = getNodeValue(operationNode); - OperationCode code = OperationCode.parse(operationName); - if (code == null) { - throw new SAXParseException("Unknown operation [" + operationName - + ']', null); - } - if (code != OperationCode.EXECUTE_FUNCTION) { - operationMap.put(code, null); - } - else { - String optimizeForWrite = getAttributeValue(operationNode, - ATTR_FUNCTION_OPTIMIZE_FOR_WRITE); - String functionAttr = getAttributeValue(operationNode, - ATTR_FUNCTION_IDS); - String keysAttr = getAttributeValue(operationNode, - ATTR_FUNCTION_KEY_SET); - - Boolean isOptimizeForWrite; - HashSet<String> functionIds; - HashSet<String> keySet; - - if (optimizeForWrite == null || optimizeForWrite.length() == 0) { - isOptimizeForWrite = null; - } - else { - isOptimizeForWrite = Boolean.parseBoolean(optimizeForWrite); - } - - if (functionAttr == null || functionAttr.length() == 0) { - functionIds = null; - } - else { - String[] functionArray = functionAttr.split(","); - functionIds = new HashSet<String>(); - for (int strIndex = 0; strIndex < functionArray.length; - ++strIndex) { - functionIds.add((functionArray[strIndex])); - } - } - - if (keysAttr == null || keysAttr.length() == 0) { - keySet = null; - } - else { - String[] keySetArray = keysAttr.split(","); - keySet = new HashSet<String>(); - for (int strIndex = 0; strIndex < keySetArray.length; - ++strIndex) { - keySet.add((keySetArray[strIndex])); - } - } - FunctionSecurityPrmsHolder functionContext = - new FunctionSecurityPrmsHolder(isOptimizeForWrite, - functionIds, keySet); - operationMap.put(code, functionContext); - } - } - else { - throw new SAXParseException("Unknown tag [" - + operationNode.getNodeName() + "] as child of tag [" - + TAG_PERMS + ']', null); - } - } - String regionNames = getAttributeValue(rolePermissionNode, ATTR_REGIONS); - if (regionNames == null || regionNames.length() == 0) { - regionOperationMap.put(EMPTY_VALUE, operationMap); - } - else { - String[] regionNamesSplit = regionNames.split(","); - for (int strIndex = 0; strIndex < regionNamesSplit.length; - ++strIndex) { - regionOperationMap.put( - normalizeRegionName(regionNamesSplit[strIndex]), operationMap); - } - } - } - XmlAuthorization.currentDocUri = xmlDocumentUri; - } - catch (Exception ex) { - String exStr; - if (ex instanceof NotAuthorizedException) { - exStr = ex.getMessage(); - } - else { - exStr = ex.getClass().getName() + ": " + ex.getMessage(); - } - logger.warning("XmlAuthorization.init: " + exStr); - XmlAuthorization.xmlLoadFailure = new NotAuthorizedException(exStr, ex); - throw XmlAuthorization.xmlLoadFailure; - } - } - - /** - * Initialize the <code>XmlAuthorization</code> callback for a client having - * the given principal. - * - * This method caches the full XML authorization file the first time it is - * invoked and caches all the permissions for the provided - * <code>principal</code> to speed up lookup the - * <code>authorizeOperation</code> calls. The permissions for the principal - * are maintained as a {@link Map} of region name to the {@link HashSet} of - * operations allowed for that region. A global entry with region name as - * empty string is also made for permissions provided for all the regions. - * - * @param principal - * the principal associated with the authenticated client - * @param cache - * reference to the cache object - * @param remoteMember - * the {@link DistributedMember} object for the remote - * authenticated client - * - * @throws NotAuthorizedException - * if some exception condition happens during the - * initialization while reading the XML; in such a case all - * subsequent client operations will throw - * <code>NotAuthorizedException</code> - */ - public void init(Principal principal, DistributedMember remoteMember, - Cache cache) throws NotAuthorizedException { - - synchronized (sync) { - XmlAuthorization.init(cache); - } - this.logger = cache.getLogger(); - this.securityLogger = cache.getSecurityLogger(); - - String name; - if (principal != null) { - name = principal.getName(); - } - else { - name = EMPTY_VALUE; - } - HashSet<String> roles = XmlAuthorization.userRoles.get(name); - if (roles != null) { - for (String roleName : roles) { - Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> - regionOperationMap = XmlAuthorization.rolePermissions.get(roleName); - if (regionOperationMap != null) { - for (Map.Entry<String, Map<OperationCode, FunctionSecurityPrmsHolder>> - regionEntry : regionOperationMap.entrySet()) { - String regionName = regionEntry.getKey(); - Map<OperationCode, FunctionSecurityPrmsHolder> regionOperations = - this.allowedOps.get(regionName); - if (regionOperations == null) { - regionOperations = - new HashMap<OperationCode, FunctionSecurityPrmsHolder>(); - this.allowedOps.put(regionName, regionOperations); - } - regionOperations.putAll(regionEntry.getValue()); - } - } - } - } - } - - /** - * Return true if the given operation is allowed for the cache/region. - * - * This looks up the cached permissions of the principal in the map for the - * provided region name. If none are found then the global permissions with - * empty region name are looked up. The operation is allowed if it is found - * this permission list. - * - * @param regionName - * When null then it indicates a cache-level operation, else - * the name of the region for the operation. - * @param context - * the data required by the operation - * - * @return true if the operation is authorized and false otherwise - * - */ - public boolean authorizeOperation(String regionName, - final OperationContext context) { - - Map<OperationCode, FunctionSecurityPrmsHolder> operationMap; - // Check GET permissions for updates from server to client - if (context.isClientUpdate()) { - operationMap = this.allowedOps.get(regionName); - if (operationMap == null && regionName.length() > 0) { - operationMap = this.allowedOps.get(EMPTY_VALUE); - } - if (operationMap != null) { - return operationMap.containsKey(OperationCode.GET); - } - return false; - } - - OperationCode opCode = context.getOperationCode(); - if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ() - || opCode.isStopCQ()) { - // First check if cache-level permission has been provided - operationMap = this.allowedOps.get(EMPTY_VALUE); - boolean globalPermission = (operationMap != null && operationMap - .containsKey(opCode)); - Set<String> regionNames = ((QueryOperationContext)context) - .getRegionNames(); - if (regionNames == null || regionNames.size() == 0) { - return globalPermission; - } - for (String r : regionNames) { - regionName = normalizeRegionName(r); - operationMap = this.allowedOps.get(regionName); - if (operationMap == null) { - if (!globalPermission) { - return false; - } - } - else if (!operationMap.containsKey(opCode)) { - return false; - } - } - return true; - } - - final String normalizedRegionName = normalizeRegionName(regionName); - operationMap = this.allowedOps.get(normalizedRegionName); - if (operationMap == null && normalizedRegionName.length() > 0) { - operationMap = this.allowedOps.get(EMPTY_VALUE); - } - if (operationMap != null) { - if (context.getOperationCode() != OperationCode.EXECUTE_FUNCTION) { - return operationMap.containsKey(context.getOperationCode()); - }else { - if (!operationMap.containsKey(context.getOperationCode())) { - return false; - } - else { - if (!context.isPostOperation()) { - FunctionSecurityPrmsHolder functionParameter = - operationMap.get( - context.getOperationCode()); - ExecuteFunctionOperationContext functionContext = - (ExecuteFunctionOperationContext)context; - // OnRegion execution - if (functionContext.getRegionName() != null) { - if (functionParameter.isOptimizeForWrite() != null - && functionParameter.isOptimizeForWrite().booleanValue() - != functionContext.isOptimizeForWrite()) { - return false; - } - if (functionParameter.getFunctionIds() != null - && !functionParameter.getFunctionIds().contains( - functionContext.getFunctionId())) { - return false; - } - if (functionParameter.getKeySet() != null - && functionContext.getKeySet() != null) { - if (functionContext.getKeySet().containsAll( - functionParameter.getKeySet())) { - return false; - } - } - return true; - } - else {// On Server execution - if (functionParameter.getFunctionIds() != null - && !functionParameter.getFunctionIds().contains( - functionContext.getFunctionId())) { - return false; - } - return true; - } - } - else { - ExecuteFunctionOperationContext functionContext = - (ExecuteFunctionOperationContext)context; - FunctionSecurityPrmsHolder functionParameter = operationMap.get( - context.getOperationCode()); - if (functionContext.getRegionName() != null) { - if (functionContext.getResult() instanceof ArrayList - && functionParameter.getKeySet() != null) { - ArrayList<String> resultList = (ArrayList)functionContext - .getResult(); - HashSet<String> nonAllowedKeys = functionParameter.getKeySet(); - if (resultList.containsAll(nonAllowedKeys)) { - return false; - } - } - return true; - } - else { - ArrayList<String> resultList = (ArrayList)functionContext - .getResult(); - final String inSecureItem = "Insecure item"; - if (resultList.contains(inSecureItem)) { - return false; - } - return true; - } - } - } - } - } - return false; - } - - /** - * Clears the cached information for this principal. - */ - public void close() { - - this.allowedOps.clear(); - } - - /** - * Clear all the statically cached information. - */ - public static void clear() { - - XmlAuthorization.currentDocUri = null; - if (XmlAuthorization.userRoles != null) { - XmlAuthorization.userRoles.clear(); - XmlAuthorization.userRoles = null; - } - if (XmlAuthorization.rolePermissions != null) { - XmlAuthorization.rolePermissions.clear(); - XmlAuthorization.rolePermissions = null; - } - XmlAuthorization.xmlLoadFailure = null; - } - - private static class AuthzDtdResolver implements EntityResolver { - Pattern authzPattern = Pattern.compile("authz.*\\.dtd"); - - @Override - public InputSource resolveEntity(String publicId, String systemId) - throws SAXException, IOException { - try { - Matcher matcher = authzPattern.matcher(systemId); - if(matcher.find()) { - String dtdName = matcher.group(0); - InputStream stream = XmlAuthorization.class.getResourceAsStream(dtdName); - return new InputSource(stream); - } - } catch(Exception e) { - //do nothing, use the default resolver - } - - return null; - } - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/XmlErrorHandler.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/templates/security/XmlErrorHandler.java b/geode-core/src/test/java/templates/security/XmlErrorHandler.java deleted file mode 100755 index 1326548..0000000 --- a/geode-core/src/test/java/templates/security/XmlErrorHandler.java +++ /dev/null @@ -1,81 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package templates.security; - -import com.gemstone.gemfire.LogWriter; -import com.gemstone.gemfire.internal.logging.LogService; -import org.apache.logging.log4j.Logger; -import org.xml.sax.ErrorHandler; -import org.xml.sax.SAXException; -import org.xml.sax.SAXParseException; - -/** - * Implementation of {@link ErrorHandler} interface to handle validation errors - * while XML parsing. - * - * This throws back exceptions raised for <code>error</code> and - * <code>fatalError</code> cases while a {@link LogWriter#warning(String)} level - * logging is done for the <code>warning</code> case. - * - * @author Sumedh Wale - * @since 5.5 - */ -public class XmlErrorHandler implements ErrorHandler { - private static final Logger logger = LogService.getLogger(); - - private LogWriter logWriter; - - private String xmlFileName; - - public XmlErrorHandler(LogWriter logWriter, String xmlFileName) { - - this.logWriter = logWriter; - this.xmlFileName = xmlFileName; - } - - /** - * Throws back the exception with the name of the XML file and the position - * where the exception occurred. - */ - public void error(SAXParseException exception) throws SAXException { - throw new SAXParseException("Error while parsing XML at line " - + exception.getLineNumber() + " column " + exception.getColumnNumber() - + ": " + exception.getMessage(), null, exception); - } - - /** - * Throws back the exception with the name of the XML file and the position - * where the exception occurred. - */ - public void fatalError(SAXParseException exception) throws SAXException { - throw new SAXParseException("Fatal error while parsing XML at line " - + exception.getLineNumber() + " column " + exception.getColumnNumber() - + ": " + exception.getMessage(), null, exception); - } - - /** - * Log the exception at {@link LogWriter#warning(String)} level with XML - * filename and the position of exception in the file. - */ - public void warning(SAXParseException exception) throws SAXException { - this.logWriter.warning("Warning while parsing XML [" + this.xmlFileName - + "] at line " + exception.getLineNumber() + " column " - + exception.getColumnNumber() + ": " + exception.getMessage(), exception); - } - - -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml new file mode 100644 index 0000000..de0cd17 --- /dev/null +++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml @@ -0,0 +1,124 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" + "com/gemstone/gemfire/security/templates/authz6_0.dtd" > +<acl> + + <role name="reader"> + <user>reader0</user> + <user>reader1</user> + <user>reader2</user> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="writer"> + <user>writer0</user> + <user>writer1</user> + <user>writer2</user> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="cacheOps"> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="queryRegions"> + <user>reader3</user> + <user>reader4</user> + </role> + + <role name="registerInterest"> + <user>reader5</user> + <user>reader6</user> + </role> + + <role name="unregisterInterest"> + <user>reader5</user> + <user>reader7</user> + </role> + + <role name="onRegionFunctionExecutor"> + <user>reader8</user> + </role> + + <role name="onServerFunctionExecutor"> + <user>reader9</user> + </role> + + <permission role="cacheOps"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + <operation>REGION_CREATE</operation> + <operation>REGION_DESTROY</operation> + </permission> + + <permission role="reader"> + <operation>GET</operation> + <operation>REGISTER_INTEREST</operation> + <operation>UNREGISTER_INTEREST</operation> + <operation>KEY_SET</operation> + <operation>CONTAINS_KEY</operation> + <operation>EXECUTE_FUNCTION</operation> + </permission> + + <permission role="writer"> + <operation>PUT</operation> + <operation>PUTALL</operation> + <operation>DESTROY</operation> + <operation>INVALIDATE</operation> + <operation>REGION_CLEAR</operation> + </permission> + + <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + + <permission role="onRegionFunctionExecutor" regions="secureRegion,Positions"> + <operation>PUT</operation> + <operation functionIds="SecureFunction,OptimizationFunction" optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation> + </permission> + + <permission role="onServerFunctionExecutor" > + <operation>PUT</operation> + <operation functionIds="SecureFunction,OptimizationFunction">EXECUTE_FUNCTION</operation> + </permission> + + <permission role="registerInterest"> + <operation>REGISTER_INTEREST</operation> + <operation>GET</operation> + </permission> + + <permission role="unregisterInterest"> + <operation>UNREGISTER_INTEREST</operation> + <operation>GET</operation> + </permission> + +</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml new file mode 100644 index 0000000..cdfd478 --- /dev/null +++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml @@ -0,0 +1,83 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" + "com/gemstone/gemfire/security/templates/authz5_5.dtd" > +<acl> + + <role name="reader"> + <user>gemfire1</user> + <user>gemfire2</user> + <user>gemfire3</user> + <user>gemfire4</user> + <user>gemfire5</user> + </role> + + <role name="writer"> + <user>gemfire1</user> + <user>gemfire2</user> + <user>gemfire6</user> + <user>gemfire7</user> + <user>gemfire8</user> + </role> + + <role name="cacheOps"> + <user>gemfire1</user> + <user>gemfire2</user> + </role> + + <role name="queryRegions"> + <user>gemfire9</user> + <user>gemfire10</user> + </role> + + <permission role="cacheOps"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + <operation>REGION_CREATE</operation> + <operation>REGION_DESTROY</operation> + </permission> + + <permission role="reader"> + <operation>GET</operation> + <operation>REGISTER_INTEREST</operation> + <operation>UNREGISTER_INTEREST</operation> + <operation>KEY_SET</operation> + <operation>CONTAINS_KEY</operation> + <operation>EXECUTE_FUNCTION</operation> + </permission> + + <permission role="writer"> + <operation>PUT</operation> + <operation>PUTALL</operation> + <operation>DESTROY</operation> + <operation>INVALIDATE</operation> + <operation>REGION_CLEAR</operation> + </permission> + + <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + +</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml new file mode 100644 index 0000000..f64eb2e --- /dev/null +++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml @@ -0,0 +1,104 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" + "com/gemstone/gemfire/security/templates/authz6_0.dtd" > +<acl> + + <role name="reader"> + <user>user1</user> + <user>user2</user> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="writer"> + <user>user3</user> + <user>user4</user> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="cacheOps"> + <user>user1</user> + <user>user2</user> + <user>root</user> + <user>admin</user> + <user>administrator</user> + </role> + + <role name="queryRegions"> + <user>user5</user> + <user>user6</user> + </role> + + <role name="registerInterest"> + <user>user7</user> + <user>user8</user> + </role> + + <role name="unregisterInterest"> + <user>user5</user> + <user>user7</user> + </role> + + <permission role="cacheOps"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + + <permission role="reader"> + <operation>GET</operation> + <operation>REGISTER_INTEREST</operation> + <operation>UNREGISTER_INTEREST</operation> + <operation>KEY_SET</operation> + <operation>CONTAINS_KEY</operation> + <operation>EXECUTE_FUNCTION</operation> + </permission> + + <permission role="writer"> + <operation>PUT</operation> + <operation>PUTALL</operation> + <operation>DESTROY</operation> + <operation>INVALIDATE</operation> + <operation>REGION_CLEAR</operation> + </permission> + + <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + + <permission role="registerInterest"> + <operation>REGISTER_INTEREST</operation> + <operation>GET</operation> + </permission> + + <permission role="unregisterInterest"> + <operation>UNREGISTER_INTEREST</operation> + <operation>GET</operation> + </permission> + +</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml new file mode 100644 index 0000000..5469972 --- /dev/null +++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml @@ -0,0 +1,81 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<!-- + ~ Licensed to the Apache Software Foundation (ASF) under one or more + ~ contributor license agreements. See the NOTICE file distributed with + ~ this work for additional information regarding copyright ownership. + ~ The ASF licenses this file to You under the Apache License, Version 2.0 + ~ (the "License"); you may not use this file except in compliance with + ~ the License. You may obtain a copy of the License at + ~ + ~ http://www.apache.org/licenses/LICENSE-2.0 + ~ + ~ Unless required by applicable law or agreed to in writing, software + ~ distributed under the License is distributed on an "AS IS" BASIS, + ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ~ See the License for the specific language governing permissions and + ~ limitations under the License. + --> + +<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" + "com/gemstone/gemfire/security/templates/authz5_5.dtd" > +<acl> + + <role name="reader"> + <user>gemfire1</user> + <user>gemfire2</user> + <user>gemfire3</user> + <user>gemfire4</user> + <user>gemfire5</user> + </role> + + <role name="writer"> + <user>gemfire1</user> + <user>gemfire2</user> + <user>gemfire6</user> + <user>gemfire7</user> + <user>gemfire8</user> + </role> + + <role name="cacheOps"> + <user>gemfire1</user> + <user>gemfire2</user> + </role> + + <role name="queryRegions"> + <user>gemfire9</user> + <user>gemfire10</user> + </role> + + <permission role="cacheOps"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + + <permission role="reader"> + <operation>GET</operation> + <operation>REGISTER_INTEREST</operation> + <operation>UNREGISTER_INTEREST</operation> + <operation>KEY_SET</operation> + <operation>CONTAINS_KEY</operation> + <operation>EXECUTE_FUNCTION</operation> + </permission> + + <permission role="writer"> + <operation>PUT</operation> + <operation>PUTALL</operation> + <operation>DESTROY</operation> + <operation>INVALIDATE</operation> + <operation>REGION_CLEAR</operation> + </permission> + + <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion"> + <operation>QUERY</operation> + <operation>EXECUTE_CQ</operation> + <operation>STOP_CQ</operation> + <operation>CLOSE_CQ</operation> + </permission> + +</acl> http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore new file mode 100644 index 0000000..15270bb Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore new file mode 100644 index 0000000..bb6f827 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore new file mode 100644 index 0000000..6839c74 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore new file mode 100644 index 0000000..fcb7ab8 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore new file mode 100644 index 0000000..19afc4b Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore new file mode 100644 index 0000000..c65916a Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore new file mode 100644 index 0000000..d738cca Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore new file mode 100644 index 0000000..1fea2d3 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore new file mode 100644 index 0000000..7a3187c Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore new file mode 100644 index 0000000..a3bb886 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore new file mode 100644 index 0000000..674b4e6 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore new file mode 100644 index 0000000..4f9120c Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore new file mode 100644 index 0000000..0bd97d7 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore new file mode 100644 index 0000000..62ae3c7 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore new file mode 100644 index 0000000..c65bc81 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore new file mode 100644 index 0000000..b0796e0 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore new file mode 100644 index 0000000..9c94018 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore new file mode 100644 index 0000000..33f6937 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore new file mode 100644 index 0000000..568f674 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore new file mode 100644 index 0000000..80e2d80 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore new file mode 100644 index 0000000..a15def5 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore new file mode 100644 index 0000000..72087f3 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile new file mode 100644 index 0000000..1b13872 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile new file mode 100644 index 0000000..9c2daa3 Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile differ http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd ---------------------------------------------------------------------- diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd new file mode 100644 index 0000000..7080c0e --- /dev/null +++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd @@ -0,0 +1,105 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<!-- + +This is the XML DTD for the GemFire sample XML based authorization callback +in com.gemstone.gemfire.security.templates.XmlAuthorization. + +All XMLs must include a DOCTYPE of the following form: + + <!DOCTYPE acl PUBLIC + "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN" + "http://www.gemstone.com/dtd/authz5_5.dtd";> + +The contents of a declarative XML file correspond to APIs found in the + + com.gemstone.gemfire.security.AccessControl + +package. The sample implementation may be used to specify access control +policies. + +--> + +<!-- + +The following conventions apply to all GemFire sample authorization +XML file elements unless indicated otherwise. + +- In elements that contain PCDATA, leading and trailing whitespace in + the data may be ignored. + +- In elements whose value is an "enumerated type", the value is case + sensitive. + +--> + + +<!-- +The "acl" element is the root element of the authorization file. +This element contains the role to user mappings and role to permissions +mapping on a per region per operation basis. +--> + +<!ELEMENT acl (role+,permission+)> + +<!-- +The "role" element contains the set of users that have the permissions of +given role. A user can be present in more than one "role" elements in +which case the union of the permissions to all those roles determines +the full set of permissions to be given to the user. +--> + +<!ELEMENT role (user*)> +<!ATTLIST role + name CDATA #REQUIRED +> + +<!-- +The "user" element is contained within the "role" element and contains +the name of a user having the permissions of that role. +--> + +<!ELEMENT user (#PCDATA)> + +<!-- +The "permission" element specifies the list of operations that are allowed +for a particular role in the given regions as provided in the optional +"regions" attribute. The value of "regions" attribute should be a comma +separated list of region names for which permissions are to be provided. +If no "regions" attribute is provided then those permissions are provided +for all the other regions (i.e. other than those that have been explicitly +specified). Permissions for cache level operations REGION_DESTROY, +REGION_CREATE, QUERY and CQ operations should be specified with no "regions" +attribute. If cache-level permission is not provided for QUERY or CQ operations +then the permission for all the region names in the query string is checked. +--> + +<!ELEMENT permission (operation*)> +<!ATTLIST permission + role CDATA #REQUIRED + regions CDATA #IMPLIED +> + + +<!-- +The operation should be one of the following strings: + GET, PUT, PUTALL, DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, + CONTAINS_KEY, KEY_SET, QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, + REGION_CREATE, REGION_DESTROY +--> +<!ELEMENT operation (#PCDATA)>
