GEODE-17: consolidate GeodeSecurityUtil and IntegratedSecurityService
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/ee27d73c Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/ee27d73c Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/ee27d73c Branch: refs/heads/develop Commit: ee27d73c4e87824a5dc914c83bfc913947ad989e Parents: a325d07 Author: Jinmei Liao <[email protected]> Authored: Sun Sep 11 20:49:48 2016 -0700 Committer: Jinmei Liao <[email protected]> Committed: Tue Sep 13 13:14:00 2016 -0700 ---------------------------------------------------------------------- .../cache/tier/sockets/CacheClientProxy.java | 4 +- .../internal/security/GeodeSecurityUtil.java | 549 ------------------- .../security/IntegratedSecurityService.java | 546 ++++++++++++++---- .../internal/security/SecurityService.java | 15 +- .../security/shiro/CustomAuthRealm.java | 1 + .../management/internal/ManagementAgent.java | 4 +- .../internal/cli/domain/DataCommandRequest.java | 6 +- .../cli/functions/DataCommandFunction.java | 10 +- .../apache/geode/security/PostProcessor.java | 3 +- .../security/templates/SamplePostProcessor.java | 3 +- .../security/GeodeSecurityUtilTest.java | 288 ---------- .../security/IntegratedSecurityServiceTest.java | 290 ++++++++++ .../security/SecurityConfigIntegrationTest.java | 13 +- .../GeodeSecurityUtilCustomRealmJUnitTest.java | 45 -- .../GeodeSecurityUtilWithIniFileJUnitTest.java | 143 ----- ...atedSecurityServiceCustomRealmJUnitTest.java | 44 ++ ...atedSecurityServiceWithIniFileJUnitTest.java | 147 +++++ .../security/NoShowValue1PostProcessor.java | 2 +- .../PDXGfshPostProcessorOnRemoteServerTest.java | 4 +- .../gemfire/security/PDXPostProcessor.java | 3 +- .../security/PDXPostProcessorDUnitTest.java | 10 +- .../codeAnalysis/sanctionedSerializables.txt | 4 +- .../security/CQPDXPostProcessorDUnitTest.java | 4 +- 23 files changed, 958 insertions(+), 1180 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/CacheClientProxy.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/CacheClientProxy.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/CacheClientProxy.java index e94ef35..bc7a34a 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/CacheClientProxy.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/cache/tier/sockets/CacheClientProxy.java @@ -106,10 +106,8 @@ import com.gemstone.gemfire.internal.logging.LoggingThreadGroup; import com.gemstone.gemfire.internal.logging.log4j.LocalizedMessage; import com.gemstone.gemfire.internal.logging.log4j.LogMarker; import com.gemstone.gemfire.internal.security.AuthorizeRequestPP; -import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; import com.gemstone.gemfire.internal.security.IntegratedSecurityService; import com.gemstone.gemfire.internal.security.SecurityService; -import com.gemstone.gemfire.internal.util.BlobHelper; import com.gemstone.gemfire.security.AccessControl; /** @@ -1680,7 +1678,7 @@ public class CacheClientProxy implements ClientSession { // post process if(this.securityService.needPostProcess()) { Object oldValue = clientMessage.getValue(); - Object newValue = GeodeSecurityUtil.postProcess(clientMessage.getRegionName(), clientMessage.getKeyOfInterest(), oldValue, clientMessage.valueIsObject()); + Object newValue = IntegratedSecurityService.getSecurityService().postProcess(clientMessage.getRegionName(), clientMessage.getKeyOfInterest(), oldValue, clientMessage.valueIsObject()); clientMessage.setLatestValue(newValue); } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java deleted file mode 100644 index 260121d..0000000 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtil.java +++ /dev/null @@ -1,549 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gemstone.gemfire.internal.security; - -import static com.gemstone.gemfire.distributed.ConfigurationProperties.*; - -import java.io.IOException; -import java.io.Serializable; -import java.lang.reflect.Method; -import java.security.AccessController; -import java.util.Properties; -import java.util.Set; -import java.util.concurrent.Callable; - -import org.apache.commons.lang.SerializationException; -import org.apache.commons.lang.StringUtils; -import org.apache.geode.security.PostProcessor; -import org.apache.geode.security.ResourcePermission; -import org.apache.geode.security.ResourcePermission.Operation; -import org.apache.geode.security.ResourcePermission.Resource; -import org.apache.geode.security.SecurableComponents; -import org.apache.geode.security.SecurityManager; -import org.apache.logging.log4j.Logger; -import org.apache.shiro.SecurityUtils; -import org.apache.shiro.ShiroException; -import org.apache.shiro.config.Ini.Section; -import org.apache.shiro.config.IniSecurityManagerFactory; -import org.apache.shiro.mgt.DefaultSecurityManager; -import org.apache.shiro.realm.Realm; -import org.apache.shiro.subject.Subject; -import org.apache.shiro.subject.support.SubjectThreadState; -import org.apache.shiro.util.ThreadContext; -import org.apache.shiro.util.ThreadState; - -import com.gemstone.gemfire.GemFireIOException; -import com.gemstone.gemfire.distributed.internal.DistributionConfig; -import com.gemstone.gemfire.internal.ClassLoadUtil; -import com.gemstone.gemfire.internal.cache.EntryEventImpl; -import com.gemstone.gemfire.internal.logging.LogService; -import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm; -import com.gemstone.gemfire.internal.security.shiro.GeodeAuthenticationToken; -import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal; -import com.gemstone.gemfire.internal.util.BlobHelper; -import com.gemstone.gemfire.management.internal.security.ResourceConstants; -import com.gemstone.gemfire.management.internal.security.ResourceOperation; -import com.gemstone.gemfire.security.AuthenticationFailedException; -import com.gemstone.gemfire.security.GemFireSecurityException; -import com.gemstone.gemfire.security.NotAuthorizedException; - -public class GeodeSecurityUtil { - - private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME); - - private static PostProcessor postProcessor; - private static SecurityManager securityManager; - - private static boolean isIntegratedSecurity; - - private static boolean isClientAuthenticator; // is there a SECURITY_CLIENT_AUTHENTICATOR - private static boolean isPeerAuthenticator; // is there a SECURITY_PEER_AUTHENTICATOR - - private static boolean isJmxSecurityRequired; - private static boolean isHttpSecurityRequired; - private static boolean isGatewaySecurityRequired; - private static boolean isClusterSecurityRequired; - private static boolean isServerSecurityRequired; - - /** - * It first looks the shiro subject in AccessControlContext since JMX will - * use multiple threads to process operations from the same client, then it - * looks into Shiro's thead context. - * - * @return the shiro subject, null if security is not enabled - */ - public static Subject getSubject() { - if (!isIntegratedSecurity) { - return null; - } - - Subject currentUser = null; - - // First try get the principal out of AccessControlContext instead of Shiro's Thread context - // since threads can be shared between JMX clients. - javax.security.auth.Subject jmxSubject = - javax.security.auth.Subject.getSubject(AccessController.getContext()); - - if (jmxSubject != null) { - Set<ShiroPrincipal> principals = jmxSubject.getPrincipals(ShiroPrincipal.class); - if (principals.size() > 0) { - ShiroPrincipal principal = principals.iterator().next(); - currentUser = principal.getSubject(); - ThreadContext.bind(currentUser); - return currentUser; - } - } - - // in other cases like admin rest call or pulse authorization - currentUser = SecurityUtils.getSubject(); - - if (currentUser == null || currentUser.getPrincipal() == null) { - throw new GemFireSecurityException("Error: Anonymous User"); - } - - return currentUser; - } - - /** - * convenient method for testing - * @param username - * @param password - * @return - */ - public static Subject login(String username, String password){ - if(StringUtils.isBlank(username) || StringUtils.isBlank(password)) - return null; - - Properties credentials = new Properties(); - credentials.setProperty(ResourceConstants.USER_NAME, username); - credentials.setProperty(ResourceConstants.PASSWORD, password); - return login(credentials); - } - - /** - * @return null if security is not enabled, otherwise return a shiro subject - */ - public static Subject login(Properties credentials) { - if (!isIntegratedSecurity) { - return null; - } - - if(credentials == null) - return null; - - // this makes sure it starts with a clean user object - ThreadContext.remove(); - - Subject currentUser = SecurityUtils.getSubject(); - GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials); - try { - logger.info("Logging in " + token.getPrincipal()); - currentUser.login(token); - } - catch (ShiroException e) { - logger.info(e.getMessage(), e); - throw new AuthenticationFailedException("Authentication error. Please check your credentials.", e); - } - - return currentUser; - } - - public static void logout() { - Subject currentUser = getSubject(); - if (currentUser == null) { - return; - } - - try { - logger.info("Logging out " + currentUser.getPrincipal()); - currentUser.logout(); - } - catch (ShiroException e) { - logger.info(e.getMessage(), e); - throw new GemFireSecurityException(e.getMessage(), e); - } - // clean out Shiro's thread local content - ThreadContext.remove(); - } - - public static Callable associateWith(Callable callable) { - Subject currentUser = getSubject(); - if (currentUser == null) { - return callable; - } - - return currentUser.associateWith(callable); - } - - /** - * this binds the passed-in subject to the executing thread, normally, you - * would do this: - * - * ThreadState state = null; - * try{ - * state = GeodeSecurityUtil.bindSubject(subject); - * //do the rest of the work as this subject - * } - * finally{ - * if(state!=null) - * state.clear(); - * } - */ - public static ThreadState bindSubject(Subject subject){ - if (subject == null) { - return null; - } - - ThreadState threadState = new SubjectThreadState(subject); - threadState.bind(); - return threadState; - } - - public static void authorize(ResourceOperation resourceOperation) { - if (resourceOperation == null) { - return; - } - - authorize(resourceOperation.resource().name(), - resourceOperation.operation().name(), - null); - } - - public static void authorizeClusterManage() { - authorize("CLUSTER", "MANAGE"); - } - - public static void authorizeClusterWrite() { - authorize("CLUSTER", "WRITE"); - } - - public static void authorizeClusterRead() { - authorize("CLUSTER", "READ"); - } - - public static void authorizeDataManage() { - authorize("DATA", "MANAGE"); - } - - public static void authorizeDataWrite() { - authorize("DATA", "WRITE"); - } - - public static void authorizeDataRead() { - authorize("DATA", "READ"); - } - - public static void authorizeRegionManage(String regionName) { - authorize("DATA", "MANAGE", regionName); - } - - public static void authorizeRegionManage(String regionName, String key) { - authorize("DATA", "MANAGE", regionName, key); - } - - public static void authorizeRegionWrite(String regionName) { - authorize("DATA", "WRITE", regionName); - } - - public static void authorizeRegionWrite(String regionName, String key) { - authorize("DATA", "WRITE", regionName, key); - } - - public static void authorizeRegionRead(String regionName) { - authorize("DATA", "READ", regionName); - } - - public static void authorizeRegionRead(String regionName, String key) { - authorize("DATA", "READ", regionName, key); - } - - public static void authorize(String resource, String operation) { - authorize(resource, operation, null); - } - - private static void authorize(String resource, String operation, String regionName){ - authorize(resource, operation, regionName, null); - } - - private static void authorize(String resource, String operation, String regionName, String key) { - regionName = StringUtils.stripStart(regionName, "/"); - authorize(new ResourcePermission(resource, operation, regionName, key)); - } - - public static void authorize(ResourcePermission context) { - Subject currentUser = getSubject(); - if (currentUser == null) { - return; - } - - if (context == null) { - return; - } - - if (context.getResource() == Resource.NULL && context.getOperation() == Operation.NULL) { - return; - } - - try { - currentUser.checkPermission(context); - } - catch (ShiroException e) { - String msg = currentUser.getPrincipal() + " not authorized for " + context; - logger.info(msg); - throw new NotAuthorizedException(msg, e); - } - } - - /** - * initialize Shiro's Security Manager and Security Utilities - */ - public static void initSecurity(Properties securityProps) { - if (securityProps == null) { - return; - } - - String enabledComponentsString = securityProps.getProperty(SECURITY_ENABLED_COMPONENTS); - if (enabledComponentsString == null) { - enabledComponentsString = DistributionConfig.DEFAULT_SECURITY_ENABLED_COMPONENTS; - } - - boolean isClusterSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.CLUSTER); - boolean isGatewaySecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.GATEWAY); - boolean isHttpSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.HTTP_SERVICE); - boolean isJmxSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.JMX); - boolean isServerSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.SERVER); - - String shiroConfig = securityProps.getProperty(SECURITY_SHIRO_INIT); - String securityConfig = securityProps.getProperty(SECURITY_MANAGER); - String clientAuthenticatorConfig = securityProps.getProperty(SECURITY_CLIENT_AUTHENTICATOR); - String peerAuthenticatorConfig = securityProps.getProperty(SECURITY_PEER_AUTHENTICATOR); - - if (!StringUtils.isBlank(shiroConfig)) { - IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig); - - // we will need to make sure that shiro uses a case sensitive permission resolver - Section main = factory.getIni().addSection("main"); - main.put("geodePermissionResolver", "com.gemstone.gemfire.internal.security.shiro.GeodePermissionResolver"); - if (!main.containsKey("iniRealm.permissionResolver")) { - main.put("iniRealm.permissionResolver", "$geodePermissionResolver"); - } - - org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance(); - SecurityUtils.setSecurityManager(securityManager); - isIntegratedSecurity = true; - } - // only set up shiro realm if user has implemented SecurityManager - else if (!StringUtils.isBlank(securityConfig)) { - securityManager = getObjectOfTypeFromClassName(securityConfig, SecurityManager.class); - securityManager.init(securityProps); - Realm realm = new CustomAuthRealm(securityManager); - org.apache.shiro.mgt.SecurityManager shiroManager = new DefaultSecurityManager(realm); - SecurityUtils.setSecurityManager(shiroManager); - isIntegratedSecurity = true; - } - else if( !StringUtils.isBlank(clientAuthenticatorConfig)) { - isClientAuthenticator = true; - } - else if (!StringUtils.isBlank(peerAuthenticatorConfig)) { - isPeerAuthenticator = true; - } - else { - isIntegratedSecurity = false; - isClientAuthenticator = false; - isPeerAuthenticator = false; - } - - isServerSecurityRequired = isClientAuthenticator || (isIntegratedSecurity && isServerSecured); - isClusterSecurityRequired = isPeerAuthenticator || (isIntegratedSecurity && isClusterSecured); - - isGatewaySecurityRequired = isClientAuthenticator || (isIntegratedSecurity && isGatewaySecured); - isHttpSecurityRequired = isIntegratedSecurity && isHttpSecured; - isJmxSecurityRequired = isIntegratedSecurity && isJmxSecured; - - // this initializes the post processor - String customPostProcessor = securityProps.getProperty(SECURITY_POST_PROCESSOR); - if( !StringUtils.isBlank(customPostProcessor)) { - postProcessor = getObjectOfTypeFromClassName(customPostProcessor, PostProcessor.class); - postProcessor.init(securityProps); - } - else{ - postProcessor = null; - } - } - - public static void close() { - if (securityManager != null) { - securityManager.close(); - securityManager = null; - } - - if (postProcessor != null) { - postProcessor.close(); - postProcessor = null; - } - ThreadContext.remove(); - isIntegratedSecurity = false; - isClientAuthenticator = false; - isPeerAuthenticator = false; - } - - /** - * postProcess call already has this logic built in, you don't need to call - * this everytime you call postProcess. But if your postProcess is pretty - * involved with preparations and you need to bypass it entirely, call this - * first. - */ - public static boolean needPostProcess(){ - return (isIntegratedSecurity && postProcessor != null); - } - - public static Object postProcess(String regionPath, Object key, Object value, boolean valueIsSerialized){ - return postProcess(null, regionPath, key, value, valueIsSerialized); - } - - public static Object postProcess(Serializable principal, String regionPath, Object key, Object value, boolean valueIsSerialized) { - if (!needPostProcess()) - return value; - - if (principal == null) { - Subject subject = getSubject(); - if (subject == null) - return value; - principal = (Serializable) subject.getPrincipal(); - } - - String regionName = StringUtils.stripStart(regionPath, "/"); - Object newValue = null; - - // if the data is a byte array, but the data itself is supposed to be an object, we need to desearized it before we pass - // it to the callback. - if (valueIsSerialized && value instanceof byte[]) { - try { - Object oldObj = EntryEventImpl.deserialize((byte[]) value); - Object newObj = postProcessor.processRegionValue(principal, regionName, key, oldObj); - newValue = BlobHelper.serializeToBlob(newObj); - } catch (IOException|SerializationException e) { - throw new GemFireIOException("Exception de/serializing entry value", e); - } - } - else { - newValue = postProcessor.processRegionValue(principal, regionName, key, value); - } - - return newValue; - } - - private static void checkSameClass(Object obj1, Object obj2){ - - } - - /** - * this method would never return null, it either throws an exception or - * returns an object - */ - public static <T> T getObjectOfTypeFromClassName(String className, Class<T> expectedClazz) { - Class actualClass = null; - try { - actualClass = ClassLoadUtil.classFromName(className); - } - catch (Exception ex) { - throw new GemFireSecurityException("Instance could not be obtained, "+ex.toString(), ex); - } - - if(!expectedClazz.isAssignableFrom(actualClass)){ - throw new GemFireSecurityException("Instance could not be obtained. Expecting a "+expectedClazz.getName()+" class."); - } - - T actualObject = null; - try { - actualObject = (T)actualClass.newInstance(); - } catch (Exception e) { - throw new GemFireSecurityException("Instance could not be obtained. Error instantiating "+actualClass.getName(), e); - } - return actualObject; - } - - /** - * this method would never return null, it either throws an exception or - * returns an object - */ - public static <T> T getObjectOfTypeFromFactoryMethod(String factoryMethodName, Class<T> expectedClazz){ - T actualObject = null; - try { - Method factoryMethod = ClassLoadUtil.methodFromName(factoryMethodName); - actualObject = (T)factoryMethod.invoke(null, (Object[])null); - } catch (Exception e) { - throw new GemFireSecurityException("Instance could not be obtained from "+factoryMethodName, e); - } - - if(actualObject == null){ - throw new GemFireSecurityException("Instance could not be obtained from "+factoryMethodName); - } - - return actualObject; - } - - /** - * this method would never return null, it either throws an exception or - * returns an object - * - * @return an object of type expectedClazz. This method would never return - * null. It either returns an non-null object or throws exception. - */ - public static <T> T getObjectOfType(String classOrMethod, Class<T> expectedClazz) { - T object = null; - try{ - object = getObjectOfTypeFromClassName(classOrMethod, expectedClazz); - } - catch (Exception e){ - object = getObjectOfTypeFromFactoryMethod(classOrMethod, expectedClazz); - } - return object; - } - - public static SecurityManager getSecurityManager(){ - return securityManager; - } - - public static PostProcessor getPostProcessor() { - return postProcessor; - } - - public static boolean isIntegratedSecurity(){ - return isIntegratedSecurity; - } - - public static boolean isClientSecurityRequired() { // TODO: rename as isServerSecurityRequired - return isServerSecurityRequired; - } - - public static boolean isPeerSecurityRequired() { // TODO: rename as isClusterSecurityRequired - return isClusterSecurityRequired; - } - - public static boolean isJmxSecurityRequired() { - return isJmxSecurityRequired; - } - - public static boolean isGatewaySecurityRequired() { - return isGatewaySecurityRequired; - } - - public static boolean isHttpServiceSecurityRequired() { - return isHttpSecurityRequired; - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java index d294859..0ab9d68 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/IntegratedSecurityService.java @@ -16,27 +16,52 @@ */ package com.gemstone.gemfire.internal.security; -import java.io.InvalidObjectException; -import java.io.ObjectInputStream; +import static com.gemstone.gemfire.distributed.ConfigurationProperties.*; + +import java.io.IOException; import java.io.Serializable; +import java.lang.reflect.Method; +import java.security.AccessController; import java.util.Properties; +import java.util.Set; import java.util.concurrent.Callable; +import org.apache.commons.lang.SerializationException; +import org.apache.commons.lang.StringUtils; +import org.apache.geode.security.PostProcessor; import org.apache.geode.security.ResourcePermission; +import org.apache.geode.security.ResourcePermission.Operation; +import org.apache.geode.security.ResourcePermission.Resource; +import org.apache.geode.security.SecurableComponents; import org.apache.geode.security.SecurityManager; import org.apache.logging.log4j.Logger; +import org.apache.shiro.SecurityUtils; +import org.apache.shiro.ShiroException; +import org.apache.shiro.config.Ini.Section; +import org.apache.shiro.config.IniSecurityManagerFactory; +import org.apache.shiro.mgt.DefaultSecurityManager; +import org.apache.shiro.realm.Realm; import org.apache.shiro.subject.Subject; +import org.apache.shiro.subject.support.SubjectThreadState; +import org.apache.shiro.util.ThreadContext; import org.apache.shiro.util.ThreadState; +import com.gemstone.gemfire.GemFireIOException; +import com.gemstone.gemfire.distributed.internal.DistributionConfig; +import com.gemstone.gemfire.internal.ClassLoadUtil; +import com.gemstone.gemfire.internal.cache.EntryEventImpl; import com.gemstone.gemfire.internal.logging.LogService; +import com.gemstone.gemfire.internal.security.shiro.CustomAuthRealm; +import com.gemstone.gemfire.internal.security.shiro.GeodeAuthenticationToken; +import com.gemstone.gemfire.internal.security.shiro.ShiroPrincipal; +import com.gemstone.gemfire.internal.util.BlobHelper; +import com.gemstone.gemfire.management.internal.security.ResourceConstants; import com.gemstone.gemfire.management.internal.security.ResourceOperation; +import com.gemstone.gemfire.security.AuthenticationFailedException; +import com.gemstone.gemfire.security.GemFireSecurityException; +import com.gemstone.gemfire.security.NotAuthorizedException; -/** - * Default implementation of {@code SecurityService} for Integrated Security. - * - * <p>This class is serializable but always deserializes the singleton {@code defaultInstance}. - */ -public class IntegratedSecurityService implements SecurityService, Serializable { +public class IntegratedSecurityService implements SecurityService{ private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME); @@ -49,190 +74,485 @@ public class IntegratedSecurityService implements SecurityService, Serializable private IntegratedSecurityService() { } - @Override - public ThreadState bindSubject(final Subject subject) { - return GeodeSecurityUtil.bindSubject(subject); - } + private PostProcessor postProcessor; + private SecurityManager securityManager; - @Override + private boolean isIntegratedSecurity; + + private boolean isClientAuthenticator; // is there a SECURITY_CLIENT_AUTHENTICATOR + private boolean isPeerAuthenticator; // is there a SECURITY_PEER_AUTHENTICATOR + + private boolean isJmxSecurityRequired; + private boolean isHttpSecurityRequired; + private boolean isGatewaySecurityRequired; + private boolean isClusterSecurityRequired; + private boolean isServerSecurityRequired; + + /** + * It first looks the shiro subject in AccessControlContext since JMX will + * use multiple threads to process operations from the same client, then it + * looks into Shiro's thead context. + * + * @return the shiro subject, null if security is not enabled + */ public Subject getSubject() { - return GeodeSecurityUtil.getSubject(); + if (!isIntegratedSecurity) { + return null; + } + + Subject currentUser = null; + + // First try get the principal out of AccessControlContext instead of Shiro's Thread context + // since threads can be shared between JMX clients. + javax.security.auth.Subject jmxSubject = + javax.security.auth.Subject.getSubject(AccessController.getContext()); + + if (jmxSubject != null) { + Set<ShiroPrincipal> principals = jmxSubject.getPrincipals(ShiroPrincipal.class); + if (principals.size() > 0) { + ShiroPrincipal principal = principals.iterator().next(); + currentUser = principal.getSubject(); + ThreadContext.bind(currentUser); + return currentUser; + } + } + + // in other cases like admin rest call or pulse authorization + currentUser = SecurityUtils.getSubject(); + + if (currentUser == null || currentUser.getPrincipal() == null) { + throw new GemFireSecurityException("Error: Anonymous User"); + } + + return currentUser; } - @Override - public Subject login(final Properties credentials) { - return GeodeSecurityUtil.login(credentials); + /** + * convenient method for testing + * @param username + * @param password + * @return + */ + public Subject login(String username, String password){ + if(StringUtils.isBlank(username) || StringUtils.isBlank(password)) + return null; + + Properties credentials = new Properties(); + credentials.setProperty(ResourceConstants.USER_NAME, username); + credentials.setProperty(ResourceConstants.PASSWORD, password); + return login(credentials); } - @Override - public Subject login(final String username, final String password) { - return GeodeSecurityUtil.login(username, password); + /** + * @return null if security is not enabled, otherwise return a shiro subject + */ + public Subject login(Properties credentials) { + if (!isIntegratedSecurity) { + return null; + } + + if(credentials == null) + return null; + + // this makes sure it starts with a clean user object + ThreadContext.remove(); + + Subject currentUser = SecurityUtils.getSubject(); + GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials); + try { + logger.info("Logging in " + token.getPrincipal()); + currentUser.login(token); + } + catch (ShiroException e) { + logger.info(e.getMessage(), e); + throw new AuthenticationFailedException("Authentication error. Please check your credentials.", e); + } + + return currentUser; } - @Override public void logout() { - GeodeSecurityUtil.logout(); + Subject currentUser = getSubject(); + if (currentUser == null) { + return; + } + + try { + logger.info("Logging out " + currentUser.getPrincipal()); + currentUser.logout(); + } + catch (ShiroException e) { + logger.info(e.getMessage(), e); + throw new GemFireSecurityException(e.getMessage(), e); + } + // clean out Shiro's thread local content + ThreadContext.remove(); + } + + public Callable associateWith(Callable callable) { + Subject currentUser = getSubject(); + if (currentUser == null) { + return callable; + } + + return currentUser.associateWith(callable); } - @Override - public Callable associateWith(final Callable callable) { - return GeodeSecurityUtil.associateWith(callable); + /** + * this binds the passed-in subject to the executing thread, normally, you + * would do this: + * + * ThreadState state = null; + * try{ + * state = IntegratedSecurityService.bindSubject(subject); + * //do the rest of the work as this subject + * } + * finally{ + * if(state!=null) + * state.clear(); + * } + */ + public ThreadState bindSubject(Subject subject){ + if (subject == null) { + return null; + } + + ThreadState threadState = new SubjectThreadState(subject); + threadState.bind(); + return threadState; } - @Override - public void authorize(final ResourceOperation resourceOperation) { - GeodeSecurityUtil.authorize(resourceOperation); + public void authorize(ResourceOperation resourceOperation) { + if (resourceOperation == null) { + return; + } + + authorize(resourceOperation.resource().name(), + resourceOperation.operation().name(), + null); } - @Override public void authorizeClusterManage() { - GeodeSecurityUtil.authorizeClusterManage(); + authorize("CLUSTER", "MANAGE"); } - @Override public void authorizeClusterWrite() { - GeodeSecurityUtil.authorizeClusterWrite(); + authorize("CLUSTER", "WRITE"); } - @Override public void authorizeClusterRead() { - GeodeSecurityUtil.authorizeClusterRead(); + authorize("CLUSTER", "READ"); } - @Override public void authorizeDataManage() { - GeodeSecurityUtil.authorizeDataManage(); + authorize("DATA", "MANAGE"); } - @Override public void authorizeDataWrite() { - GeodeSecurityUtil.authorizeDataWrite(); + authorize("DATA", "WRITE"); } - @Override public void authorizeDataRead() { - GeodeSecurityUtil.authorizeDataRead(); + authorize("DATA", "READ"); } - @Override - public void authorizeRegionManage(final String regionName) { - GeodeSecurityUtil.authorizeRegionManage(regionName); + public void authorizeRegionManage(String regionName) { + authorize("DATA", "MANAGE", regionName); } - @Override - public void authorizeRegionManage(final String regionName, final String key) { - GeodeSecurityUtil.authorizeRegionManage(regionName, key); + public void authorizeRegionManage(String regionName, String key) { + authorize("DATA", "MANAGE", regionName, key); } - @Override - public void authorizeRegionWrite(final String regionName) { - GeodeSecurityUtil.authorizeRegionWrite(regionName); + public void authorizeRegionWrite(String regionName) { + authorize("DATA", "WRITE", regionName); } - @Override - public void authorizeRegionWrite(final String regionName, final String key) { - GeodeSecurityUtil.authorizeRegionWrite(regionName, key); + public void authorizeRegionWrite(String regionName, String key) { + authorize("DATA", "WRITE", regionName, key); } - @Override - public void authorizeRegionRead(final String regionName) { - GeodeSecurityUtil.authorizeRegionRead(regionName); + public void authorizeRegionRead(String regionName) { + authorize("DATA", "READ", regionName); } - @Override - public void authorizeRegionRead(final String regionName, final String key) { - GeodeSecurityUtil.authorizeRegionRead(regionName, key); + public void authorizeRegionRead(String regionName, String key) { + authorize("DATA", "READ", regionName, key); } - @Override - public void authorize(final String resource, final String operation) { - GeodeSecurityUtil.authorize(resource, operation); + public void authorize(String resource, String operation) { + authorize(resource, operation, null); } - @Override - public void authorize(final ResourcePermission context) { - GeodeSecurityUtil.authorize(context); + private void authorize(String resource, String operation, String regionName){ + authorize(resource, operation, regionName, null); } - @Override - public void initSecurity(final Properties securityProps) { - GeodeSecurityUtil.initSecurity(securityProps); + private void authorize(String resource, String operation, String regionName, String key) { + regionName = StringUtils.stripStart(regionName, "/"); + authorize(new ResourcePermission(resource, operation, regionName, key)); } - @Override - public void close() { - GeodeSecurityUtil.close(); + public void authorize(ResourcePermission context) { + Subject currentUser = getSubject(); + if (currentUser == null) { + return; + } + + if (context == null) { + return; + } + + if (context.getResource() == Resource.NULL && context.getOperation() == Operation.NULL) { + return; + } + + try { + currentUser.checkPermission(context); + } + catch (ShiroException e) { + String msg = currentUser.getPrincipal() + " not authorized for " + context; + logger.info(msg); + throw new NotAuthorizedException(msg, e); + } } - @Override - public boolean needPostProcess() { - return GeodeSecurityUtil.needPostProcess(); + /** + * initialize Shiro's Security Manager and Security Utilities + */ + public void initSecurity(Properties securityProps) { + if (securityProps == null) { + return; + } + + String enabledComponentsString = securityProps.getProperty(SECURITY_ENABLED_COMPONENTS); + if (enabledComponentsString == null) { + enabledComponentsString = DistributionConfig.DEFAULT_SECURITY_ENABLED_COMPONENTS; + } + + boolean isClusterSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.CLUSTER); + boolean isGatewaySecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.GATEWAY); + boolean isHttpSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.HTTP_SERVICE); + boolean isJmxSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.JMX); + boolean isServerSecured = enabledComponentsString.contains(SecurableComponents.ALL) || enabledComponentsString.contains(SecurableComponents.SERVER); + + String shiroConfig = securityProps.getProperty(SECURITY_SHIRO_INIT); + String securityConfig = securityProps.getProperty(SECURITY_MANAGER); + String clientAuthenticatorConfig = securityProps.getProperty(SECURITY_CLIENT_AUTHENTICATOR); + String peerAuthenticatorConfig = securityProps.getProperty(SECURITY_PEER_AUTHENTICATOR); + + if (!StringUtils.isBlank(shiroConfig)) { + IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig); + + // we will need to make sure that shiro uses a case sensitive permission resolver + Section main = factory.getIni().addSection("main"); + main.put("geodePermissionResolver", "com.gemstone.gemfire.internal.security.shiro.GeodePermissionResolver"); + if (!main.containsKey("iniRealm.permissionResolver")) { + main.put("iniRealm.permissionResolver", "$geodePermissionResolver"); + } + + org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance(); + SecurityUtils.setSecurityManager(securityManager); + isIntegratedSecurity = true; + } + // only set up shiro realm if user has implemented SecurityManager + else if (!StringUtils.isBlank(securityConfig)) { + securityManager = getObjectOfTypeFromClassName(securityConfig, SecurityManager.class); + securityManager.init(securityProps); + Realm realm = new CustomAuthRealm(securityManager); + org.apache.shiro.mgt.SecurityManager shiroManager = new DefaultSecurityManager(realm); + SecurityUtils.setSecurityManager(shiroManager); + isIntegratedSecurity = true; + } + else if( !StringUtils.isBlank(clientAuthenticatorConfig)) { + isClientAuthenticator = true; + } + else if (!StringUtils.isBlank(peerAuthenticatorConfig)) { + isPeerAuthenticator = true; + } + else { + isIntegratedSecurity = false; + isClientAuthenticator = false; + isPeerAuthenticator = false; + } + + isServerSecurityRequired = isClientAuthenticator || (isIntegratedSecurity && isServerSecured); + isClusterSecurityRequired = isPeerAuthenticator || (isIntegratedSecurity && isClusterSecured); + + isGatewaySecurityRequired = isClientAuthenticator || (isIntegratedSecurity && isGatewaySecured); + isHttpSecurityRequired = isIntegratedSecurity && isHttpSecured; + isJmxSecurityRequired = isIntegratedSecurity && isJmxSecured; + + // this initializes the post processor + String customPostProcessor = securityProps.getProperty(SECURITY_POST_PROCESSOR); + if( !StringUtils.isBlank(customPostProcessor)) { + postProcessor = getObjectOfTypeFromClassName(customPostProcessor, PostProcessor.class); + postProcessor.init(securityProps); + } + else{ + postProcessor = null; + } } - @Override - public Object postProcess(final String regionPath, final Object key, final Object value, final boolean valueIsSerialized) { - return GeodeSecurityUtil.postProcess(regionPath, key, value, valueIsSerialized); + public void close() { + if (securityManager != null) { + securityManager.close(); + securityManager = null; + } + + if (postProcessor != null) { + postProcessor.close(); + postProcessor = null; + } + ThreadContext.remove(); + isIntegratedSecurity = false; + isClientAuthenticator = false; + isPeerAuthenticator = false; } - @Override - public Object postProcess(final Serializable principal, final String regionPath, final Object key, final Object value, final boolean valueIsSerialized) { - return GeodeSecurityUtil.postProcess(principal, regionPath, key, value, valueIsSerialized); + /** + * postProcess call already has this logic built in, you don't need to call + * this everytime you call postProcess. But if your postProcess is pretty + * involved with preparations and you need to bypass it entirely, call this + * first. + */ + public boolean needPostProcess(){ + return (isIntegratedSecurity && postProcessor != null); } - @Override - public boolean isClientSecurityRequired() { - return GeodeSecurityUtil.isClientSecurityRequired(); + public Object postProcess(String regionPath, Object key, Object value, boolean valueIsSerialized){ + return postProcess(null, regionPath, key, value, valueIsSerialized); } - @Override - public boolean isJmxSecurityRequired() { - return GeodeSecurityUtil.isJmxSecurityRequired(); + public Object postProcess(Object principal, String regionPath, Object key, Object value, boolean valueIsSerialized) { + if (!needPostProcess()) + return value; + + if (principal == null) { + Subject subject = getSubject(); + if (subject == null) + return value; + principal = (Serializable) subject.getPrincipal(); + } + + String regionName = StringUtils.stripStart(regionPath, "/"); + Object newValue = null; + + // if the data is a byte array, but the data itself is supposed to be an object, we need to desearized it before we pass + // it to the callback. + if (valueIsSerialized && value instanceof byte[]) { + try { + Object oldObj = EntryEventImpl.deserialize((byte[]) value); + Object newObj = postProcessor.processRegionValue(principal, regionName, key, oldObj); + newValue = BlobHelper.serializeToBlob(newObj); + } catch (IOException|SerializationException e) { + throw new GemFireIOException("Exception de/serializing entry value", e); + } + } + else { + newValue = postProcessor.processRegionValue(principal, regionName, key, value); + } + + return newValue; } - @Override - public boolean isGatewaySecurityRequired() { - return GeodeSecurityUtil.isGatewaySecurityRequired(); + private static void checkSameClass(Object obj1, Object obj2){ + } - @Override - public boolean isHttpSecurityRequired() { - return GeodeSecurityUtil.isHttpServiceSecurityRequired(); + /** + * this method would never return null, it either throws an exception or + * returns an object + */ + public static <T> T getObjectOfTypeFromClassName(String className, Class<T> expectedClazz) { + Class actualClass = null; + try { + actualClass = ClassLoadUtil.classFromName(className); + } + catch (Exception ex) { + throw new GemFireSecurityException("Instance could not be obtained, "+ex.toString(), ex); + } + + if(!expectedClazz.isAssignableFrom(actualClass)){ + throw new GemFireSecurityException("Instance could not be obtained. Expecting a "+expectedClazz.getName()+" class."); + } + + T actualObject = null; + try { + actualObject = (T)actualClass.newInstance(); + } catch (Exception e) { + throw new GemFireSecurityException("Instance could not be obtained. Error instantiating "+actualClass.getName(), e); + } + return actualObject; + } + + /** + * this method would never return null, it either throws an exception or + * returns an object + */ + public static <T> T getObjectOfTypeFromFactoryMethod(String factoryMethodName, Class<T> expectedClazz){ + T actualObject = null; + try { + Method factoryMethod = ClassLoadUtil.methodFromName(factoryMethodName); + actualObject = (T)factoryMethod.invoke(null, (Object[])null); + } catch (Exception e) { + throw new GemFireSecurityException("Instance could not be obtained from "+factoryMethodName, e); + } + + if(actualObject == null){ + throw new GemFireSecurityException("Instance could not be obtained from "+factoryMethodName); + } + + return actualObject; } - @Override - public boolean isPeerSecurityRequired() { - return GeodeSecurityUtil.isPeerSecurityRequired(); + /** + * this method would never return null, it either throws an exception or + * returns an object + * + * @return an object of type expectedClazz. This method would never return + * null. It either returns an non-null object or throws exception. + */ + public static <T> T getObjectOfType(String classOrMethod, Class<T> expectedClazz) { + T object = null; + try{ + object = getObjectOfTypeFromClassName(classOrMethod, expectedClazz); + } + catch (Exception e){ + object = getObjectOfTypeFromFactoryMethod(classOrMethod, expectedClazz); + } + return object; } - @Override - public boolean isIntegratedSecurity() { - return GeodeSecurityUtil.isIntegratedSecurity(); + public SecurityManager getSecurityManager(){ + return securityManager; } - @Override - public SecurityManager getSecurityManager() { - return GeodeSecurityUtil.getSecurityManager(); + public PostProcessor getPostProcessor() { + return postProcessor; } + public boolean isIntegratedSecurity(){ + return isIntegratedSecurity; + } - private void readObject(final ObjectInputStream stream) throws InvalidObjectException { - throw new InvalidObjectException("SerializationProxy required"); + public boolean isClientSecurityRequired() { // TODO: rename as isServerSecurityRequired + return isServerSecurityRequired; } - private Object writeReplace() { - return new SerializationProxy(); + public boolean isPeerSecurityRequired() { // TODO: rename as isClusterSecurityRequired + return isClusterSecurityRequired; } - /** - * Serialization proxy for {@code IntegratedSecurityService}. - */ - private static class SerializationProxy implements Serializable { + public boolean isJmxSecurityRequired() { + return isJmxSecurityRequired; + } - SerializationProxy() { - } + public boolean isGatewaySecurityRequired() { + return isGatewaySecurityRequired; + } - private Object readResolve() { - return getSecurityService(); - } + public boolean isHttpSecurityRequired() { + return isHttpSecurityRequired; } } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java index c975751..89e7d1f 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/SecurityService.java @@ -16,10 +16,10 @@ */ package com.gemstone.gemfire.internal.security; -import java.io.Serializable; import java.util.Properties; import java.util.concurrent.Callable; +import org.apache.geode.security.PostProcessor; import org.apache.geode.security.ResourcePermission; import org.apache.geode.security.SecurityManager; import org.apache.shiro.subject.Subject; @@ -54,7 +54,7 @@ public interface SecurityService { void close(); boolean needPostProcess(); Object postProcess(String regionPath, Object key, Object value, boolean valueIsSerialized); - Object postProcess(Serializable principal, String regionPath, Object key, Object value, boolean valueIsSerialized); + Object postProcess(Object principal, String regionPath, Object key, Object value, boolean valueIsSerialized); boolean isClientSecurityRequired(); boolean isJmxSecurityRequired(); boolean isGatewaySecurityRequired(); @@ -62,16 +62,21 @@ public interface SecurityService { boolean isPeerSecurityRequired(); boolean isIntegratedSecurity(); SecurityManager getSecurityManager(); + PostProcessor getPostProcessor(); static <T> T getObjectOfType(String factoryName, Class<T> clazz) { - return GeodeSecurityUtil.getObjectOfType(factoryName, clazz); + return IntegratedSecurityService.getObjectOfType(factoryName, clazz); } static <T> T getObjectOfTypeFromFactoryMethod(String factoryMethodName, Class<T> expectedClazz) { - return GeodeSecurityUtil.getObjectOfTypeFromFactoryMethod(factoryMethodName, expectedClazz); + return IntegratedSecurityService.getObjectOfTypeFromFactoryMethod(factoryMethodName, expectedClazz); } static <T> T getObjectOfTypeFromClassName(String className, Class<T> expectedClazz) { - return GeodeSecurityUtil.getObjectOfTypeFromClassName(className, expectedClazz); + return IntegratedSecurityService.getObjectOfTypeFromClassName(className, expectedClazz); + } + + static SecurityService getSecurityService(){ + return IntegratedSecurityService.getSecurityService(); } } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java index ad27ec3..f2cd030 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/internal/security/shiro/CustomAuthRealm.java @@ -46,6 +46,7 @@ public class CustomAuthRealm extends AuthorizingRealm { */ public CustomAuthRealm(SecurityManager securityManager) { this.securityManager = securityManager; + setAuthenticationTokenClass(GeodeAuthenticationToken.class); } /** http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java index a9cc0ed..bb697ab 100755 --- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/ManagementAgent.java @@ -56,10 +56,10 @@ import com.gemstone.gemfire.internal.GemFireVersion; import com.gemstone.gemfire.internal.cache.GemFireCacheImpl; import com.gemstone.gemfire.internal.lang.StringUtils; import com.gemstone.gemfire.internal.logging.LogService; +import com.gemstone.gemfire.internal.security.IntegratedSecurityService; import com.gemstone.gemfire.internal.net.SSLConfigurationFactory; import com.gemstone.gemfire.internal.net.SocketCreator; import com.gemstone.gemfire.internal.net.SocketCreatorFactory; -import com.gemstone.gemfire.internal.security.GeodeSecurityUtil; import com.gemstone.gemfire.internal.security.SecurableCommunicationChannel; import com.gemstone.gemfire.internal.security.shiro.JMXShiroAuthenticator; import com.gemstone.gemfire.internal.tcp.TCPConduit; @@ -496,7 +496,7 @@ public class ManagementAgent { private boolean isIntegratedSecurity() { - return GeodeSecurityUtil.isJmxSecurityRequired(); + return IntegratedSecurityService.getSecurityService().isJmxSecurityRequired(); } private static class GemFireRMIClientSocketFactory implements RMIClientSocketFactory, Serializable { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/domain/DataCommandRequest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/domain/DataCommandRequest.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/domain/DataCommandRequest.java index 76582c3..e9d667b 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/domain/DataCommandRequest.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/domain/DataCommandRequest.java @@ -46,7 +46,7 @@ public class DataCommandRequest implements /*Data*/ Serializable{ private String removeAllKeys; private String value; private String valueClass; - private Serializable principal; + private Object principal; public static final String NEW_LINE = System.getProperty("line.separator"); @@ -136,7 +136,7 @@ public class DataCommandRequest implements /*Data*/ Serializable{ public boolean isLoadOnCacheMiss() { return loadOnCacheMiss; } - public Serializable getPrincipal() { + public Object getPrincipal() { return principal; } @@ -184,7 +184,7 @@ public class DataCommandRequest implements /*Data*/ Serializable{ this.loadOnCacheMiss = loadOnCacheMiss; } - public void setPrincipal(Serializable principal){ + public void setPrincipal(Object principal){ this.principal = principal; } http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/functions/DataCommandFunction.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/functions/DataCommandFunction.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/functions/DataCommandFunction.java index 2708242..77591d0 100644 --- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/functions/DataCommandFunction.java +++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/cli/functions/DataCommandFunction.java @@ -63,7 +63,6 @@ import com.gemstone.gemfire.internal.InternalEntity; import com.gemstone.gemfire.internal.NanoTimer; import com.gemstone.gemfire.internal.cache.PartitionedRegion; import com.gemstone.gemfire.internal.logging.LogService; -import com.gemstone.gemfire.internal.security.IntegratedSecurityService; import com.gemstone.gemfire.internal.security.SecurityService; import com.gemstone.gemfire.management.cli.Result; import com.gemstone.gemfire.management.internal.cli.CliUtil; @@ -99,7 +98,8 @@ public class DataCommandFunction extends FunctionAdapter implements InternalEnt protected static final String SELECT_STEP_EXEC = "SELECT_EXEC"; private static final int NESTED_JSON_LENGTH = 20; - private SecurityService securityService = IntegratedSecurityService.getSecurityService(); + // this needs to be static so that it won't get serialized + private static SecurityService securityService = SecurityService.getSecurityService(); @Override public String getId() { @@ -223,7 +223,7 @@ public class DataCommandFunction extends FunctionAdapter implements InternalEnt } @SuppressWarnings("rawtypes") - private DataCommandResult select(Serializable principal, String queryString) { + private DataCommandResult select(Object principal, String queryString) { Cache cache = CacheFactory.getAnyInstance(); AtomicInteger nestedObjectCount = new AtomicInteger(0); @@ -423,7 +423,7 @@ public class DataCommandFunction extends FunctionAdapter implements InternalEnt } @SuppressWarnings({ "rawtypes" }) - public DataCommandResult get(Serializable principal, String key, String keyClass, String valueClass, String regionName, Boolean loadOnCacheMiss) { + public DataCommandResult get(Object principal, String key, String keyClass, String valueClass, String regionName, Boolean loadOnCacheMiss) { Cache cache = CacheFactory.getAnyInstance(); @@ -879,7 +879,7 @@ public class DataCommandFunction extends FunctionAdapter implements InternalEnt private static final long serialVersionUID = 1L; - private SecurityService securityService = IntegratedSecurityService.getSecurityService(); + private static SecurityService securityService = SecurityService.getSecurityService(); public SelectExecStep(Object[] arguments) { super(SELECT_STEP_EXEC, arguments); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/org/apache/geode/security/PostProcessor.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/security/PostProcessor.java b/geode-core/src/main/java/org/apache/geode/security/PostProcessor.java index 3c50ecc..8b259d6 100644 --- a/geode-core/src/main/java/org/apache/geode/security/PostProcessor.java +++ b/geode-core/src/main/java/org/apache/geode/security/PostProcessor.java @@ -17,7 +17,6 @@ package org.apache.geode.security; -import java.io.Serializable; import java.util.Properties; /** @@ -49,7 +48,7 @@ public interface PostProcessor { * @return * the value that will be returned to the requester */ - Object processRegionValue(Serializable principal, String regionName, Object key, Object value); + Object processRegionValue(Object principal, String regionName, Object key, Object value); /** * Give the implementation a chance to close the resources used. http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/main/java/org/apache/geode/security/templates/SamplePostProcessor.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/security/templates/SamplePostProcessor.java b/geode-core/src/main/java/org/apache/geode/security/templates/SamplePostProcessor.java index bcf40cf..5f47d7c 100644 --- a/geode-core/src/main/java/org/apache/geode/security/templates/SamplePostProcessor.java +++ b/geode-core/src/main/java/org/apache/geode/security/templates/SamplePostProcessor.java @@ -16,7 +16,6 @@ */ package org.apache.geode.security.templates; -import java.io.Serializable; import java.security.Principal; import java.util.Properties; @@ -45,7 +44,7 @@ public class SamplePostProcessor implements PostProcessor{ * @return the processed value */ @Override - public Object processRegionValue(Serializable principal, + public Object processRegionValue(Object principal, String regionName, Object key, Object value) { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/test/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtilTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtilTest.java b/geode-core/src/test/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtilTest.java deleted file mode 100644 index 6ab1d4b..0000000 --- a/geode-core/src/test/java/com/gemstone/gemfire/internal/security/GeodeSecurityUtilTest.java +++ /dev/null @@ -1,288 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.gemstone.gemfire.internal.security; - -import static com.gemstone.gemfire.distributed.ConfigurationProperties.*; -import static org.assertj.core.api.Java6Assertions.*; -import static org.junit.Assert.*; - -import java.util.Properties; - -import org.apache.geode.security.templates.SampleSecurityManager; -import org.junit.Before; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import org.apache.geode.security.SecurableComponents; -import com.gemstone.gemfire.security.GemFireSecurityException; -import com.gemstone.gemfire.test.junit.categories.UnitTest; - -@Category(UnitTest.class) -public class GeodeSecurityUtilTest { - - private Properties properties; - - @Before - public void before() { - properties = new Properties(); - GeodeSecurityUtil.initSecurity(properties); - } - - @Test - public void testGetObjectFromConstructor() { - String string = GeodeSecurityUtil.getObjectOfType(String.class.getName(), String.class); - assertNotNull(string); - - CharSequence charSequence = GeodeSecurityUtil.getObjectOfType(String.class.getName(), CharSequence.class); - assertNotNull(charSequence); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType("com.abc.testString", String.class)).isInstanceOf(GemFireSecurityException.class); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType(String.class.getName(), Boolean.class)).isInstanceOf(GemFireSecurityException.class); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType("", String.class)).isInstanceOf(GemFireSecurityException.class); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType(null, String.class)).isInstanceOf(GemFireSecurityException.class); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType(" ", String.class)).isInstanceOf(GemFireSecurityException.class); - } - - @Test - public void testGetObjectFromFactoryMethod() { - String string = GeodeSecurityUtil.getObjectOfType(Factories.class.getName()+".getString", String.class); - assertNotNull(string); - - CharSequence charSequence = GeodeSecurityUtil.getObjectOfType(Factories.class.getName()+".getString", String.class); - assertNotNull(charSequence); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType(Factories.class.getName()+".getStringNonStatic", String.class)) - .isInstanceOf(GemFireSecurityException.class); - - assertThatThrownBy(() -> GeodeSecurityUtil.getObjectOfType(Factories.class.getName()+".getNullString", String.class)) - .isInstanceOf(GemFireSecurityException.class); - } - - @Test - public void testInitialSecurityFlags() { - // initial state of GeodeSecurityUtil - assertFalse(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void testInitWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertTrue(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertTrue(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertTrue(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void testInitWithClientAuthenticator() { - properties.setProperty(SECURITY_CLIENT_AUTHENTICATOR, "org.abc.test"); - - GeodeSecurityUtil.initSecurity(properties); - - assertFalse(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertTrue(GeodeSecurityUtil.isGatewaySecurityRequired()); - - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void testInitWithPeerAuthenticator() { - properties.setProperty(SECURITY_PEER_AUTHENTICATOR, "org.abc.test"); - - GeodeSecurityUtil.initSecurity(properties); - - assertFalse(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertTrue(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void testInitWithShiroAuthenticator() { - properties.setProperty(SECURITY_SHIRO_INIT, "shiro.ini"); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertTrue(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertTrue(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertTrue(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void allEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.ALL); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertTrue(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertTrue(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertTrue(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void emptyEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS,""); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void noneEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS,"none"); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void allSecurableComponentsWithoutAnySecurity() { - properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.ALL); - - GeodeSecurityUtil.initSecurity(properties); - - assertFalse(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertFalse(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void oneSecurableComponentEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertFalse(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void twoSecurableComponentEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX + "," + SecurableComponents.SERVER); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertFalse(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - @Test - public void manySecurableComponentEnabledWithSecurityManager() { - properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); - properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); - properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX + "," + SecurableComponents.SERVER + "," + SecurableComponents.CLUSTER); - - GeodeSecurityUtil.initSecurity(properties); - - assertTrue(GeodeSecurityUtil.isIntegratedSecurity()); - - assertTrue(GeodeSecurityUtil.isClientSecurityRequired()); - assertFalse(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertFalse(GeodeSecurityUtil.isHttpServiceSecurityRequired()); - assertTrue(GeodeSecurityUtil.isJmxSecurityRequired()); - assertTrue(GeodeSecurityUtil.isPeerSecurityRequired()); - } - - private static class Factories{ - - public static String getString(){ - return new String(); - } - - public static String getNullString(){ - return null; - } - - public String getStringNonStatic(){ - return new String(); - } - - public static Boolean getBoolean(){ - return Boolean.TRUE; - } - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/test/java/com/gemstone/gemfire/internal/security/IntegratedSecurityServiceTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/com/gemstone/gemfire/internal/security/IntegratedSecurityServiceTest.java b/geode-core/src/test/java/com/gemstone/gemfire/internal/security/IntegratedSecurityServiceTest.java new file mode 100644 index 0000000..8acff9f --- /dev/null +++ b/geode-core/src/test/java/com/gemstone/gemfire/internal/security/IntegratedSecurityServiceTest.java @@ -0,0 +1,290 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.gemstone.gemfire.internal.security; + +import static com.gemstone.gemfire.distributed.ConfigurationProperties.*; +import static org.assertj.core.api.Java6Assertions.*; +import static org.junit.Assert.*; + +import java.util.Properties; + +import org.apache.geode.security.templates.SampleSecurityManager; +import org.junit.Before; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.security.SecurableComponents; +import com.gemstone.gemfire.security.GemFireSecurityException; +import com.gemstone.gemfire.test.junit.categories.UnitTest; + +@Category(UnitTest.class) +public class IntegratedSecurityServiceTest { + + private Properties properties; + private SecurityService securityService; + + @Before + public void before() { + properties = new Properties(); + securityService = SecurityService.getSecurityService(); + securityService.initSecurity(properties); + } + + @Test + public void testGetObjectFromConstructor() { + String string = IntegratedSecurityService.getObjectOfType(String.class.getName(), String.class); + assertNotNull(string); + + CharSequence charSequence = IntegratedSecurityService.getObjectOfType(String.class.getName(), CharSequence.class); + assertNotNull(charSequence); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType("com.abc.testString", String.class)).isInstanceOf(GemFireSecurityException.class); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType(String.class.getName(), Boolean.class)).isInstanceOf(GemFireSecurityException.class); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType("", String.class)).isInstanceOf(GemFireSecurityException.class); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType(null, String.class)).isInstanceOf(GemFireSecurityException.class); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType(" ", String.class)).isInstanceOf(GemFireSecurityException.class); + } + + @Test + public void testGetObjectFromFactoryMethod() { + String string = IntegratedSecurityService.getObjectOfType(Factories.class.getName() + ".getString", String.class); + assertNotNull(string); + + CharSequence charSequence = IntegratedSecurityService.getObjectOfType(Factories.class.getName() + ".getString", String.class); + assertNotNull(charSequence); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType(Factories.class.getName() + ".getStringNonStatic", String.class)) + .isInstanceOf(GemFireSecurityException.class); + + assertThatThrownBy(() -> IntegratedSecurityService.getObjectOfType(Factories.class.getName() + ".getNullString", String.class)) + .isInstanceOf(GemFireSecurityException.class); + } + + @Test + public void testInitialSecurityFlags() { + // initial state of IntegratedSecurityService + assertFalse(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void testInitWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertTrue(securityService.isGatewaySecurityRequired()); + assertTrue(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertTrue(securityService.isPeerSecurityRequired()); + } + + @Test + public void testInitWithClientAuthenticator() { + properties.setProperty(SECURITY_CLIENT_AUTHENTICATOR, "org.abc.test"); + + securityService.initSecurity(properties); + + assertFalse(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertTrue(securityService.isGatewaySecurityRequired()); + + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void testInitWithPeerAuthenticator() { + properties.setProperty(SECURITY_PEER_AUTHENTICATOR, "org.abc.test"); + + securityService.initSecurity(properties); + + assertFalse(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertTrue(securityService.isPeerSecurityRequired()); + } + + @Test + public void testInitWithShiroAuthenticator() { + properties.setProperty(SECURITY_SHIRO_INIT, "shiro.ini"); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertTrue(securityService.isGatewaySecurityRequired()); + assertTrue(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertTrue(securityService.isPeerSecurityRequired()); + } + + @Test + public void allEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.ALL); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertTrue(securityService.isGatewaySecurityRequired()); + assertTrue(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertTrue(securityService.isPeerSecurityRequired()); + } + + @Test + public void emptyEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS,""); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void noneEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS,"none"); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void allSecurableComponentsWithoutAnySecurity() { + properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.ALL); + + securityService.initSecurity(properties); + + assertFalse(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertFalse(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void oneSecurableComponentEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertFalse(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void twoSecurableComponentEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX + "," + SecurableComponents.SERVER); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertFalse(securityService.isPeerSecurityRequired()); + } + + @Test + public void manySecurableComponentEnabledWithSecurityManager() { + properties.setProperty(SECURITY_MANAGER, "org.apache.geode.security.templates.SampleSecurityManager"); + properties.setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); + properties.setProperty(SECURITY_ENABLED_COMPONENTS, SecurableComponents.JMX + "," + SecurableComponents.SERVER + "," + SecurableComponents.CLUSTER); + + securityService.initSecurity(properties); + + assertTrue(securityService.isIntegratedSecurity()); + + assertTrue(securityService.isClientSecurityRequired()); + assertFalse(securityService.isGatewaySecurityRequired()); + assertFalse(securityService.isHttpSecurityRequired()); + assertTrue(securityService.isJmxSecurityRequired()); + assertTrue(securityService.isPeerSecurityRequired()); + } + + private static class Factories{ + + public static String getString(){ + return new String(); + } + + public static String getNullString(){ + return null; + } + + public String getStringNonStatic(){ + return new String(); + } + + public static Boolean getBoolean(){ + return Boolean.TRUE; + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/ee27d73c/geode-core/src/test/java/com/gemstone/gemfire/internal/security/SecurityConfigIntegrationTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/com/gemstone/gemfire/internal/security/SecurityConfigIntegrationTest.java b/geode-core/src/test/java/com/gemstone/gemfire/internal/security/SecurityConfigIntegrationTest.java index d0a2130..68aaa3c 100644 --- a/geode-core/src/test/java/com/gemstone/gemfire/internal/security/SecurityConfigIntegrationTest.java +++ b/geode-core/src/test/java/com/gemstone/gemfire/internal/security/SecurityConfigIntegrationTest.java @@ -35,6 +35,7 @@ public class SecurityConfigIntegrationTest { @Test public void securityEnabledComponentsDefaultShouldBeAll() throws Exception { + SecurityService securityService = SecurityService.getSecurityService(); Properties props = new Properties(); props.put(SECURITY_MANAGER, SampleSecurityManager.class.getName()); props.put(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/security/templates/security.json"); @@ -45,12 +46,12 @@ public class SecurityConfigIntegrationTest { assertThat(securityProps).containsKeys(SECURITY_MANAGER, SECURITY_ENABLED_COMPONENTS); assertThat(securityProps.getProperty(SECURITY_ENABLED_COMPONENTS)).isEqualTo(SecurableComponents.ALL); - GeodeSecurityUtil.initSecurity(securityProps); + securityService.initSecurity(securityProps); - assertThat(GeodeSecurityUtil.isClientSecurityRequired()); - assertThat(GeodeSecurityUtil.isGatewaySecurityRequired()); - assertThat(GeodeSecurityUtil.isPeerSecurityRequired()); - assertThat(GeodeSecurityUtil.isJmxSecurityRequired()); - assertThat(GeodeSecurityUtil.isHttpServiceSecurityRequired()); + assertThat(securityService.isClientSecurityRequired()); + assertThat(securityService.isGatewaySecurityRequired()); + assertThat(securityService.isPeerSecurityRequired()); + assertThat(securityService.isJmxSecurityRequired()); + assertThat(securityService.isHttpSecurityRequired()); } }
