GEODE-1993: refactor tests to use rules rather than abstract classes * created ServerStarter and LocatorStarter in the rule package * refacterred LocatorServerConfigurationRule * refactor tests to use these rules
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/de621597 Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/de621597 Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/de621597 Branch: refs/heads/feature/GEODE-1930 Commit: de62159780496c3362a1b6ac840e87bba019bc62 Parents: b065993 Author: Jinmei Liao <jil...@pivotal.io> Authored: Wed Oct 12 09:30:15 2016 -0700 Committer: Jinmei Liao <jil...@pivotal.io> Committed: Fri Oct 14 14:59:26 2016 -0700 ---------------------------------------------------------------------- .../internal/web/RestSecurityDUnitTest.java | 557 ------------------- .../web/RestSecurityIntegrationTest.java | 497 +++++++++++++++++ .../security/IntegratedSecurityService.java | 2 +- .../security/AccessControlMBeanJUnitTest.java | 7 +- ...CacheServerMBeanAuthenticationJUnitTest.java | 7 +- .../CacheServerMBeanAuthorizationJUnitTest.java | 13 +- .../CacheServerMBeanShiroJUnitTest.java | 30 +- .../security/CacheServerStartupRule.java | 74 +++ .../security/CliCommandsSecurityTest.java | 9 +- .../security/DataCommandsSecurityTest.java | 11 +- .../DiskStoreMXBeanSecurityJUnitTest.java | 9 +- .../GatewayReceiverMBeanSecurityTest.java | 9 +- .../GatewaySenderMBeanSecurityTest.java | 9 +- .../security/GfshCommandsPostProcessorTest.java | 30 +- .../security/GfshCommandsSecurityTest.java | 48 +- .../security/GfshShellConnectionRule.java | 5 +- .../security/JMXConnectionConfiguration.java | 33 -- .../security/JavaRmiServerNameTest.java | 28 +- .../JsonAuthorizationCacheStartRule.java | 86 --- .../LockServiceMBeanAuthorizationJUnitTest.java | 11 +- .../security/MBeanSecurityJUnitTest.java | 10 +- .../security/MBeanServerConnectionRule.java | 130 ----- .../ManagerMBeanAuthorizationJUnitTest.java | 9 +- .../security/MemberMBeanSecurityJUnitTest.java | 13 +- .../security/ResourcePermissionTest.java | 25 +- .../internal/security/ShiroCacheStartRule.java | 64 --- .../security/AbstractSecureServerDUnitTest.java | 104 +--- .../ClusterConfigWithoutSecurityDUnitTest.java | 26 +- .../security/IntegratedClientAuthDUnitTest.java | 19 +- .../NoShowValue1PostProcessorDUnitTest.java | 8 +- .../security/PDXPostProcessorDUnitTest.java | 18 +- .../geode/security/PostProcessorDUnitTest.java | 10 +- .../SecurityClusterConfigDUnitTest.java | 46 +- .../SecurityWithoutClusterConfigDUnitTest.java | 16 +- .../security/StartServerAuthorizationTest.java | 17 +- .../dunit/rules/ConnectionConfiguration.java | 34 ++ .../rules/LocatorServerConfigurationRule.java | 148 ----- .../dunit/rules/LocatorServerStartupRule.java | 133 +++++ .../geode/test/dunit/rules/LocatorStarter.java | 74 +++ .../dunit/rules/MBeanServerConnectionRule.java | 132 +++++ .../geode/test/dunit/rules/ServerStarter.java | 99 ++++ .../geode/security/CQClientAuthDunitTest.java | 6 +- .../security/CQPDXPostProcessorDUnitTest.java | 19 +- .../security/CQPostProcessorDunitTest.java | 10 +- .../LuceneClusterConfigurationDUnitTest.java | 25 +- .../web/controllers/CommonCrudController.java | 4 +- .../web/controllers/PdxBasedCrudController.java | 4 +- .../web/security/RestSecurityService.java | 2 +- 48 files changed, 1382 insertions(+), 1298 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java deleted file mode 100644 index 59e00c8..0000000 --- a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java +++ /dev/null @@ -1,557 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.geode.rest.internal.web; - -import static org.junit.Assert.*; - -import java.io.BufferedReader; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.net.MalformedURLException; -import java.nio.charset.StandardCharsets; - -import org.apache.http.HttpEntity; -import org.apache.http.HttpHost; -import org.apache.http.HttpResponse; -import org.apache.http.auth.AuthScope; -import org.apache.http.auth.UsernamePasswordCredentials; -import org.apache.http.client.AuthCache; -import org.apache.http.client.ClientProtocolException; -import org.apache.http.client.CredentialsProvider; -import org.apache.http.client.methods.HttpDelete; -import org.apache.http.client.methods.HttpGet; -import org.apache.http.client.methods.HttpHead; -import org.apache.http.client.methods.HttpPost; -import org.apache.http.client.methods.HttpPut; -import org.apache.http.client.methods.HttpRequestBase; -import org.apache.http.client.protocol.HttpClientContext; -import org.apache.http.entity.StringEntity; -import org.apache.http.impl.auth.BasicScheme; -import org.apache.http.impl.client.BasicAuthCache; -import org.apache.http.impl.client.BasicCredentialsProvider; -import org.apache.http.impl.client.CloseableHttpClient; -import org.apache.http.impl.client.HttpClients; -import org.json.JSONArray; -import org.json.JSONObject; -import org.json.JSONTokener; -import org.junit.Test; -import org.junit.experimental.categories.Category; - -import org.apache.geode.internal.AvailablePortHelper; -import org.apache.geode.security.AbstractSecureServerDUnitTest; -import org.apache.geode.test.junit.categories.DistributedTest; -import org.apache.geode.test.junit.categories.SecurityTest; - - -@Category({ DistributedTest.class, SecurityTest.class }) -public class RestSecurityDUnitTest extends AbstractSecureServerDUnitTest { - - public final static String PROTOCOL = "http"; - public final static String HOSTNAME = "localhost"; - public final static String CONTEXT = "/geode/v1"; - - public RestSecurityDUnitTest() throws MalformedURLException { - int[] ports = AvailablePortHelper.getRandomAvailableTCPPorts(2); - this.jmxPort = ports[0]; - this.restPort = ports[1]; - } - - @Test - public void testFunctions() { - client1.invoke(() -> { - String json = "{\"@type\":\"double\",\"@value\":210}"; - - HttpResponse response = doGet("/functions", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - response = doGet("/functions", "stranger", "1234567"); - assertEquals(403, getCode(response)); - response = doGet("/functions", "dataReader", "1234567"); - assertTrue(isOK(response)); - - response = doPost("/functions/AddFreeItemsToOrder", "unknown-user", "1234567", json); - assertEquals(401, getCode(response)); - response = doPost("/functions/AddFreeItemsToOrder", "dataReader", "1234567", json); - assertEquals(403, getCode(response)); - response = doPost("/functions/AddFreeItemsToOrder?onRegion=" + REGION_NAME, "dataWriter", "1234567", json); - // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable - assertEquals(500, getCode(response)); - }); - } - - @Test - public void testQueries() { - client1.invoke(() -> { - HttpResponse response = doGet("/queries", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - response = doGet("/queries", "stranger", "1234567"); - assertEquals(403, getCode(response)); - response = doGet("/queries", "dataReader", "1234567"); - assertEquals(200, getCode(response)); - }); - } - - @Test - public void testAdhocQuery() { - client1.invoke(() -> { - HttpResponse response = doGet("/queries/adhoc?q=", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - response = doGet("/queries/adhoc?q=", "stranger", "1234567"); - assertEquals(403, getCode(response)); - response = doGet("/queries/adhoc?q=", "dataReader", "1234567"); - // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable - assertEquals(500, getCode(response)); - }); - } - - @Test - public void testPostQuery() { - client1.invoke(() -> { - HttpResponse response = doPost("/queries?id=0&q=", "unknown-user", "1234567", ""); - assertEquals(401, getCode(response)); - response = doPost("/queries?id=0&q=", "stranger", "1234567", ""); - assertEquals(403, getCode(response)); - response = doPost("/queries?id=0&q=", "dataWriter", "1234567", ""); - // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable - assertEquals(500, getCode(response)); - }); - } - - @Test - public void testPostQuery2() { - client1.invoke(() -> { - HttpResponse response = doPost("/queries/id", "unknown-user", "1234567", "{\"id\" : \"foo\"}"); - assertEquals(401, getCode(response)); - response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}"); - assertEquals(403, getCode(response)); - response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}"); - // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable - assertEquals(500, getCode(response)); - }); - } - - @Test - public void testPutQuery() { - client1.invoke(() -> { - HttpResponse response = doPut("/queries/id", "unknown-user", "1234567", "{\"id\" : \"foo\"}"); - assertEquals(401, getCode(response)); - response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}"); - assertEquals(403, getCode(response)); - response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}"); - // We should get a 404 because we're trying to update a query that doesn't exist - assertEquals(404, getCode(response)); - }); - } - - @Test - public void testDeleteQuery() { - client1.invoke(() -> { - HttpResponse response = doDelete("/queries/id", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - response = doDelete("/queries/id", "stranger", "1234567"); - assertEquals(403, getCode(response)); - response = doDelete("/queries/id", "dataWriter", "1234567"); - // We should get a 404 because we're trying to delete a query that doesn't exist - assertEquals(404, getCode(response)); - }); - } - - @Test - public void testServers() { - client1.invoke(() -> { - HttpResponse response = doGet("/servers", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - response = doGet("/servers", "stranger", "1234567"); - assertEquals(403, getCode(response)); - response = doGet("/servers", "super-user", "1234567"); - assertTrue(isOK(response)); - }); - } - - /** - * This test should always return an OK, whether the user is known or unknown. A phishing script should not be - * able to determine whether a user/password combination is good - */ - @Test - public void testPing() { - client1.invoke(() -> { - HttpResponse response = doHEAD("/ping", "stranger", "1234567"); - assertTrue(isOK(response)); - response = doGet("/ping", "stranger", "1234567"); - assertTrue(isOK(response)); - - response = doHEAD("/ping", "super-user", "1234567"); - assertTrue(isOK(response)); - response = doGet("/ping", "super-user", "1234567"); - assertTrue(isOK(response)); - - // TODO - invalid username/password should still respond, but doesn't - // response = doHEAD("/ping", "unknown-user", "badpassword"); - // assertTrue(isOK(response)); - // response = doGet("/ping", "unknown-user", "badpassword"); - // assertTrue(isOK(response)); - - // TODO - credentials are currently required and shouldn't be for this endpoint - // response = doHEAD("/ping", null, null); - // assertTrue(isOK(response)); - // response = doGet("/ping", null, null); - // assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on retrieving a list of regions. - */ - @Test - public void getRegions() { - client1.invoke(() -> { - HttpResponse response = doGet("", "dataReader", "1234567"); - assertEquals("A '200 - OK' was expected", 200, getCode(response)); - - assertTrue(isOK(response)); - JSONObject jsonObject = new JSONObject(getResponseBody(response)); - JSONArray regions = jsonObject.getJSONArray("regions"); - assertNotNull(regions); - assertTrue(regions.length() > 0); - JSONObject region = regions.getJSONObject(0); - assertEquals("AuthRegion", region.get("name")); - assertEquals("REPLICATE", region.get("type")); - }); - - // List regions with an unknown user - 401 - client1.invoke(() -> { - HttpResponse response = doGet("", "unknown-user", "badpassword"); - assertEquals(401, getCode(response)); - }); - - // list regions with insufficent rights - 403 - client1.invoke(() -> { - HttpResponse response = doGet("", "authRegionReader", "1234567"); - assertEquals(403, getCode(response)); - }); - } - - /** - * Test permissions on getting a region - */ - @Test - public void getRegion() { - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME, "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME, "stranger", "1234567"); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME, "super-user", "1234567"); - assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on HEAD region - */ - @Test - public void headRegion() { - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doHEAD("/" + REGION_NAME, "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doHEAD("/" + REGION_NAME, "stranger", "1234567"); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doHEAD("/" + REGION_NAME, "super-user", "1234567"); - assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on deleting a region - */ - @Test - public void deleteRegion() { - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME, "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME, "dataReader", "1234567"); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME, "super-user", "1234567"); - assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on getting a region's keys - */ - @Test - public void getRegionKeys() { - // Test an authorized user - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME + "/keys", "super-user", "1234567"); - assertTrue(isOK(response)); - }); - // Test an unauthorized user - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME + "/keys", "dataWriter", "1234567"); - assertEquals(403, getCode(response)); - }); - } - - /** - * Test permissions on retrieving a key from a region - */ - @Test - public void getRegionKey() { - // Test an authorized user - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME + "/key1", "key1User", "1234567"); - assertTrue(isOK(response)); - }); - // Test an unauthorized user - client1.invoke(() -> { - HttpResponse response = doGet("/" + REGION_NAME + "/key1", "dataWriter", "1234567"); - assertEquals(403, getCode(response)); - }); - } - - /** - * Test permissions on deleting a region's key(s) - */ - @Test - public void deleteRegionKey() { - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME + "/key1", "unknown-user", "1234567"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME + "/key1", "dataReader", "1234567"); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doDelete("/" + REGION_NAME + "/key1", "key1User", "1234567"); - assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on deleting a region's key(s) - */ - @Test - public void postRegionKey() { - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doPost("/" + REGION_NAME + "?key9", "unknown", "1234567", "{ \"key9\" : \"foo\" }"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doPost("/" + REGION_NAME + "?key9", "dataReader", "1234567", "{ \"key9\" : \"foo\" }"); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doPost("/" + REGION_NAME + "?key9", "dataWriter", "1234567", "{ \"key9\" : \"foo\" }"); - assertEquals(201, getCode(response)); - assertTrue(isOK(response)); - }); - } - - /** - * Test permissions on deleting a region's key(s) - */ - @Test - public void putRegionKey() { - - String json = "{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order for XYZ Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225}"; - String casJSON = "{\"@old\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order for XYZ Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225},\"@new \":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1013,\"description\":\"Order for New Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/25/2014\",\"contact\":\"Vanilla Bean\",\"email\":\"vanillab...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":12345,\"description\":\"part 123\",\"quantity\":12,\"unitPrice\":29.99,\"totalPrice\":149.95}],\"totalPrice\":149.95}}"; - // Test an unknown user - 401 error - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", "unknown-user", "1234567", "{ \"key9\" : \"foo\" }"); - assertEquals(401, getCode(response)); - }); - - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=CAS", "unknown-user", "1234567", "{ \"key9\" : \"foo\" }"); - assertEquals(401, getCode(response)); - }); - - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "unknown-user", "1234567", "{ \"@old\" : \"value1\", \"@new\" : \"CASvalue\" }"); - assertEquals(401, getCode(response)); - }); - - // Test a user with insufficient rights - 403 - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", "dataReader", "1234567", "{ \"key1\" : \"foo\" }"); - assertEquals(403, getCode(response)); - }); - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "dataReader", "1234567", "{ \"key1\" : \"foo\" }"); - assertEquals(403, getCode(response)); - }); - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=CAS", "dataReader", "1234567", casJSON); - assertEquals(403, getCode(response)); - }); - - // Test an authorized user - 200 - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", "key1User", "1234567", "{ \"key1\" : \"foo\" }"); - assertEquals(200, getCode(response)); - assertTrue(isOK(response)); - }); - client1.invoke(() -> { - HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "key1User", "1234567", json); - assertEquals(200, getCode(response)); - assertTrue(isOK(response)); - }); - } - - protected HttpResponse doHEAD(String query, String username, String password) throws MalformedURLException { - HttpHead httpHead = new HttpHead(CONTEXT + query); - return doRequest(httpHead, username, password); - } - - - protected HttpResponse doPost(String query, String username, String password, String body) throws MalformedURLException { - HttpPost httpPost = new HttpPost(CONTEXT + query); - httpPost.addHeader("content-type", "application/json"); - httpPost.setEntity(new StringEntity(body, StandardCharsets.UTF_8)); - return doRequest(httpPost, username, password); - } - - - protected HttpResponse doPut(String query, String username, String password, String body) throws MalformedURLException { - HttpPut httpPut = new HttpPut(CONTEXT + query); - httpPut.addHeader("content-type", "application/json"); - httpPut.setEntity(new StringEntity(body, StandardCharsets.UTF_8)); - return doRequest(httpPut, username, password); - } - - protected HttpResponse doGet(String uri, String username, String password) throws MalformedURLException { - HttpGet getRequest = new HttpGet(CONTEXT + uri); - return doRequest(getRequest, username, password); - } - - protected HttpResponse doDelete(String uri, String username, String password) throws MalformedURLException { - HttpDelete httpDelete = new HttpDelete(CONTEXT + uri); - return doRequest(httpDelete, username, password); - } - - /** - * Check the HTTP status of the response and return if it's within the OK range - * @param response The HttpResponse message received from the server - * - * @return true if the status code is a 2XX-type code (200-299), otherwise false - */ - protected boolean isOK(HttpResponse response) { - int returnCode = response.getStatusLine().getStatusCode(); - return (returnCode < 300 && returnCode >= 200); - } - - /** - * Check the HTTP status of the response and return true if a 401 - * @param response The HttpResponse message received from the server - * - * @return true if the status code is 401, otherwise false - */ - protected boolean isUnauthorized(HttpResponse response) { - int returnCode = response.getStatusLine().getStatusCode(); - return returnCode == 401; - } - - /** - * Retrieve the status code of the HttpResponse - * @param response The HttpResponse message received from the server - * - * @return a numeric value - */ - protected int getCode(HttpResponse response) { - return response.getStatusLine().getStatusCode(); - } - - protected JSONTokener getResponseBody(HttpResponse response) throws IOException { - HttpEntity entity = response.getEntity(); - InputStream content = entity.getContent(); - BufferedReader reader = new BufferedReader(new InputStreamReader( - content)); - String line; - StringBuilder str = new StringBuilder(); - while ((line = reader.readLine()) != null) { - str.append(line); - } - return new JSONTokener(str.toString()); - } - - private HttpResponse doRequest(HttpRequestBase request, String username, String password) throws MalformedURLException { - HttpHost targetHost = new HttpHost(HOSTNAME, this.restPort, PROTOCOL); - CloseableHttpClient httpclient = HttpClients.custom().build(); - HttpClientContext clientContext = HttpClientContext.create(); - // if username is null, do not put in authentication - if (username != null) { - CredentialsProvider credsProvider = new BasicCredentialsProvider(); - credsProvider.setCredentials(new AuthScope(targetHost.getHostName(), targetHost.getPort()), new UsernamePasswordCredentials(username, password)); - httpclient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build(); - AuthCache authCache = new BasicAuthCache(); - BasicScheme basicAuth = new BasicScheme(); - authCache.put(targetHost, basicAuth); - clientContext.setCredentialsProvider(credsProvider); - clientContext.setAuthCache(authCache); - } - - try { - return httpclient.execute(targetHost, request, clientContext); - } catch (ClientProtocolException e) { - e.printStackTrace(); - fail("Rest GET should not have thrown ClientProtocolException!"); - } catch (IOException e) { - e.printStackTrace(); - fail("Rest GET Request should not have thrown IOException!"); - } - return null; - } -} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java ---------------------------------------------------------------------- diff --git a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java new file mode 100644 index 0000000..ef019a4 --- /dev/null +++ b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java @@ -0,0 +1,497 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.geode.rest.internal.web; + +import static org.apache.geode.distributed.ConfigurationProperties.*; +import static org.junit.Assert.*; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.net.MalformedURLException; +import java.nio.charset.StandardCharsets; +import java.util.Properties; + +import org.apache.http.HttpEntity; +import org.apache.http.HttpHost; +import org.apache.http.HttpResponse; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.apache.http.client.AuthCache; +import org.apache.http.client.ClientProtocolException; +import org.apache.http.client.CredentialsProvider; +import org.apache.http.client.methods.HttpDelete; +import org.apache.http.client.methods.HttpGet; +import org.apache.http.client.methods.HttpHead; +import org.apache.http.client.methods.HttpPost; +import org.apache.http.client.methods.HttpPut; +import org.apache.http.client.methods.HttpRequestBase; +import org.apache.http.client.protocol.HttpClientContext; +import org.apache.http.entity.StringEntity; +import org.apache.http.impl.auth.BasicScheme; +import org.apache.http.impl.client.BasicAuthCache; +import org.apache.http.impl.client.BasicCredentialsProvider; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClients; +import org.json.JSONArray; +import org.json.JSONObject; +import org.json.JSONTokener; +import org.junit.BeforeClass; +import org.junit.ClassRule; +import org.junit.Test; +import org.junit.experimental.categories.Category; + +import org.apache.geode.cache.RegionShortcut; +import org.apache.geode.internal.AvailablePortHelper; +import org.apache.geode.security.templates.SampleSecurityManager; +import org.apache.geode.test.dunit.rules.ServerStarter; +import org.apache.geode.test.junit.categories.IntegrationTest; +import org.apache.geode.test.junit.categories.SecurityTest; + + +@Category({ IntegrationTest.class, SecurityTest.class }) +public class RestSecurityIntegrationTest { + + protected static final String REGION_NAME = "AuthRegion"; + + public final static String PROTOCOL = "http"; + public final static String HOSTNAME = "localhost"; + public final static String CONTEXT = "/geode/v1"; + + private static int restPort = AvailablePortHelper.getRandomAvailableTCPPort(); + static Properties properties = new Properties() {{ + setProperty(SampleSecurityManager.SECURITY_JSON, "org/apache/geode/management/internal/security/clientServer.json"); + setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + setProperty(START_DEV_REST_API, "true"); + setProperty(HTTP_SERVICE_BIND_ADDRESS, "localhost"); + setProperty(HTTP_SERVICE_PORT, restPort + ""); + }}; + + @ClassRule + public static ServerStarter serverStarter = new ServerStarter(properties); + + @BeforeClass + public static void before() throws Exception { + serverStarter.startServer(); + serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create(REGION_NAME); + } + + @Test + public void testFunctions() throws Exception { + String json = "{\"@type\":\"double\",\"@value\":210}"; + + HttpResponse response = doGet("/functions", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + response = doGet("/functions", "stranger", "1234567"); + assertEquals(403, getCode(response)); + response = doGet("/functions", "dataReader", "1234567"); + assertTrue(isOK(response)); + + response = doPost("/functions/AddFreeItemsToOrder", "unknown-user", "1234567", json); + assertEquals(401, getCode(response)); + response = doPost("/functions/AddFreeItemsToOrder", "dataReader", "1234567", json); + assertEquals(403, getCode(response)); + response = doPost("/functions/AddFreeItemsToOrder?onRegion=" + REGION_NAME, "dataWriter", "1234567", json); + // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable + assertEquals(500, getCode(response)); + } + + @Test + public void testQueries() throws Exception { + HttpResponse response = doGet("/queries", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + response = doGet("/queries", "stranger", "1234567"); + assertEquals(403, getCode(response)); + response = doGet("/queries", "dataReader", "1234567"); + assertEquals(200, getCode(response)); + } + + @Test + public void testAdhocQuery() throws Exception { + HttpResponse response = doGet("/queries/adhoc?q=", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + response = doGet("/queries/adhoc?q=", "stranger", "1234567"); + assertEquals(403, getCode(response)); + response = doGet("/queries/adhoc?q=", "dataReader", "1234567"); + // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable + assertEquals(500, getCode(response)); + } + + @Test + public void testPostQuery() throws Exception { + HttpResponse response = doPost("/queries?id=0&q=", "unknown-user", "1234567", ""); + assertEquals(401, getCode(response)); + response = doPost("/queries?id=0&q=", "stranger", "1234567", ""); + assertEquals(403, getCode(response)); + response = doPost("/queries?id=0&q=", "dataWriter", "1234567", ""); + // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable + assertEquals(500, getCode(response)); + } + + @Test + public void testPostQuery2() throws Exception { + HttpResponse response = doPost("/queries/id", "unknown-user", "1234567", "{\"id\" : \"foo\"}"); + assertEquals(401, getCode(response)); + response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}"); + assertEquals(403, getCode(response)); + response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}"); + // because we're only testing the security of the endpoint, not the endpoint functionality, a 500 is acceptable + assertEquals(500, getCode(response)); + } + + @Test + public void testPutQuery() throws Exception { + HttpResponse response = doPut("/queries/id", "unknown-user", "1234567", "{\"id\" : \"foo\"}"); + assertEquals(401, getCode(response)); + response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : \"foo\"}"); + assertEquals(403, getCode(response)); + response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : \"foo\"}"); + // We should get a 404 because we're trying to update a query that doesn't exist + assertEquals(404, getCode(response)); + } + + @Test + public void testDeleteQuery() throws Exception { + HttpResponse response = doDelete("/queries/id", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + response = doDelete("/queries/id", "stranger", "1234567"); + assertEquals(403, getCode(response)); + response = doDelete("/queries/id", "dataWriter", "1234567"); + // We should get a 404 because we're trying to delete a query that doesn't exist + assertEquals(404, getCode(response)); + } + + @Test + public void testServers() throws Exception { + HttpResponse response = doGet("/servers", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + response = doGet("/servers", "stranger", "1234567"); + assertEquals(403, getCode(response)); + response = doGet("/servers", "super-user", "1234567"); + assertTrue(isOK(response)); + } + + /** + * This test should always return an OK, whether the user is known or unknown. A phishing script should not be + * able to determine whether a user/password combination is good + */ + @Test + public void testPing() throws Exception { + HttpResponse response = doHEAD("/ping", "stranger", "1234567"); + assertTrue(isOK(response)); + response = doGet("/ping", "stranger", "1234567"); + assertTrue(isOK(response)); + + response = doHEAD("/ping", "super-user", "1234567"); + assertTrue(isOK(response)); + response = doGet("/ping", "super-user", "1234567"); + assertTrue(isOK(response)); + + // TODO - invalid username/password should still respond, but doesn't + // response = doHEAD("/ping", "unknown-user", "badpassword"); + // assertTrue(isOK(response)); + // response = doGet("/ping", "unknown-user", "badpassword"); + // assertTrue(isOK(response)); + + // TODO - credentials are currently required and shouldn't be for this endpoint + // response = doHEAD("/ping", null, null); + // assertTrue(isOK(response)); + // response = doGet("/ping", null, null); + // assertTrue(isOK(response)); + } + + /** + * Test permissions on retrieving a list of regions. + */ + @Test + public void getRegions() throws Exception { + HttpResponse response = doGet("", "dataReader", "1234567"); + assertEquals("A '200 - OK' was expected", 200, getCode(response)); + + assertTrue(isOK(response)); + JSONObject jsonObject = new JSONObject(getResponseBody(response)); + JSONArray regions = jsonObject.getJSONArray("regions"); + assertNotNull(regions); + assertTrue(regions.length() > 0); + JSONObject region = regions.getJSONObject(0); + assertEquals("AuthRegion", region.get("name")); + assertEquals("REPLICATE", region.get("type")); + + // List regions with an unknown user - 401 + response = doGet("", "unknown-user", "badpassword"); + assertEquals(401, getCode(response)); + + // list regions with insufficent rights - 403 + response = doGet("", "authRegionReader", "1234567"); + assertEquals(403, getCode(response)); + } + + /** + * Test permissions on getting a region + */ + @Test + public void getRegion() throws Exception { + // Test an unknown user - 401 error + HttpResponse response = doGet("/" + REGION_NAME, "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + + // Test a user with insufficient rights - 403 + response = doGet("/" + REGION_NAME, "stranger", "1234567"); + assertEquals(403, getCode(response)); + + // Test an authorized user - 200 + response = doGet("/" + REGION_NAME, "super-user", "1234567"); + assertTrue(isOK(response)); + } + + /** + * Test permissions on HEAD region + */ + @Test + public void headRegion() throws Exception { + // Test an unknown user - 401 error + HttpResponse response = doHEAD("/" + REGION_NAME, "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + + // Test a user with insufficient rights - 403 + response = doHEAD("/" + REGION_NAME, "stranger", "1234567"); + assertEquals(403, getCode(response)); + + // Test an authorized user - 200 + response = doHEAD("/" + REGION_NAME, "super-user", "1234567"); + assertTrue(isOK(response)); + } + + /** + * Test permissions on deleting a region + */ + @Test + public void deleteRegion() throws Exception { + // Test an unknown user - 401 error + HttpResponse response = doDelete("/" + REGION_NAME, "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + + // Test a user with insufficient rights - 403 + response = doDelete("/" + REGION_NAME, "dataReader", "1234567"); + assertEquals(403, getCode(response)); + } + + /** + * Test permissions on getting a region's keys + */ + @Test + public void getRegionKeys() throws Exception { + // Test an authorized user + HttpResponse response = doGet("/" + REGION_NAME + "/keys", "super-user", "1234567"); + assertTrue(isOK(response)); + // Test an unauthorized user + response = doGet("/" + REGION_NAME + "/keys", "dataWriter", "1234567"); + assertEquals(403, getCode(response)); + } + + /** + * Test permissions on retrieving a key from a region + */ + @Test + public void getRegionKey() throws Exception { + // Test an authorized user + HttpResponse response = doGet("/" + REGION_NAME + "/key1", "key1User", "1234567"); + assertTrue(isOK(response)); + // Test an unauthorized user + response = doGet("/" + REGION_NAME + "/key1", "dataWriter", "1234567"); + assertEquals(403, getCode(response)); + } + + /** + * Test permissions on deleting a region's key(s) + */ + @Test + public void deleteRegionKey() throws Exception { + // Test an unknown user - 401 error + HttpResponse response = doDelete("/" + REGION_NAME + "/key1", "unknown-user", "1234567"); + assertEquals(401, getCode(response)); + + // Test a user with insufficient rights - 403 + response = doDelete("/" + REGION_NAME + "/key1", "dataReader", "1234567"); + assertEquals(403, getCode(response)); + + // Test an authorized user - 200 + response = doDelete("/" + REGION_NAME + "/key1", "key1User", "1234567"); + assertTrue(isOK(response)); + } + + /** + * Test permissions on deleting a region's key(s) + */ + @Test + public void postRegionKey() throws Exception { + // Test an unknown user - 401 error + HttpResponse response = doPost("/" + REGION_NAME + "?key9", "unknown", "1234567", "{ \"key9\" : \"foo\" }"); + assertEquals(401, getCode(response)); + + // Test a user with insufficient rights - 403 + response = doPost("/" + REGION_NAME + "?key9", "dataReader", "1234567", "{ \"key9\" : \"foo\" }"); + assertEquals(403, getCode(response)); + + // Test an authorized user - 200 + response = doPost("/" + REGION_NAME + "?key9", "dataWriter", "1234567", "{ \"key9\" : \"foo\" }"); + assertEquals(201, getCode(response)); + assertTrue(isOK(response)); + } + + /** + * Test permissions on deleting a region's key(s) + */ + @Test + public void putRegionKey() throws Exception { + + String json = "{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order for XYZ Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225}"; + String casJSON = "{\"@old\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order for XYZ Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225},\"@new \":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1013,\"description\":\"Order for New Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/25/2014\",\"contact\":\"Vanilla Bean\",\"email\":\"vanillab...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":12345,\"description\":\"part 123\",\"quantity\":12,\"unitPrice\":29.99,\"totalPrice\":149.95}],\"totalPrice\":149.95}}"; + // Test an unknown user - 401 error + HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", "unknown-user", "1234567", "{ \"key9\" : \"foo\" }"); + assertEquals(401, getCode(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=CAS", "unknown-user", "1234567", "{ \"key9\" : \"foo\" }"); + assertEquals(401, getCode(response)); + response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "unknown-user", "1234567", "{ \"@old\" : \"value1\", \"@new\" : \"CASvalue\" }"); + assertEquals(401, getCode(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=PUT", "dataReader", "1234567", "{ \"key1\" : \"foo\" }"); + assertEquals(403, getCode(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "dataReader", "1234567", "{ \"key1\" : \"foo\" }"); + assertEquals(403, getCode(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=CAS", "dataReader", "1234567", casJSON); + assertEquals(403, getCode(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=PUT", "key1User", "1234567", "{ \"key1\" : \"foo\" }"); + assertEquals(200, getCode(response)); + assertTrue(isOK(response)); + + response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "key1User", "1234567", json); + assertEquals(200, getCode(response)); + assertTrue(isOK(response)); + } + + protected HttpResponse doHEAD(String query, String username, String password) throws MalformedURLException { + HttpHead httpHead = new HttpHead(CONTEXT + query); + return doRequest(httpHead, username, password); + } + + + protected HttpResponse doPost(String query, String username, String password, String body) throws MalformedURLException { + HttpPost httpPost = new HttpPost(CONTEXT + query); + httpPost.addHeader("content-type", "application/json"); + httpPost.setEntity(new StringEntity(body, StandardCharsets.UTF_8)); + return doRequest(httpPost, username, password); + } + + + protected HttpResponse doPut(String query, String username, String password, String body) throws MalformedURLException { + HttpPut httpPut = new HttpPut(CONTEXT + query); + httpPut.addHeader("content-type", "application/json"); + httpPut.setEntity(new StringEntity(body, StandardCharsets.UTF_8)); + return doRequest(httpPut, username, password); + } + + protected HttpResponse doGet(String uri, String username, String password) throws MalformedURLException { + HttpGet getRequest = new HttpGet(CONTEXT + uri); + return doRequest(getRequest, username, password); + } + + protected HttpResponse doDelete(String uri, String username, String password) throws MalformedURLException { + HttpDelete httpDelete = new HttpDelete(CONTEXT + uri); + return doRequest(httpDelete, username, password); + } + + /** + * Check the HTTP status of the response and return if it's within the OK range + * + * @param response The HttpResponse message received from the server + * + * @return true if the status code is a 2XX-type code (200-299), otherwise false + */ + protected boolean isOK(HttpResponse response) { + int returnCode = response.getStatusLine().getStatusCode(); + return (returnCode < 300 && returnCode >= 200); + } + + /** + * Check the HTTP status of the response and return true if a 401 + * + * @param response The HttpResponse message received from the server + * + * @return true if the status code is 401, otherwise false + */ + protected boolean isUnauthorized(HttpResponse response) { + int returnCode = response.getStatusLine().getStatusCode(); + return returnCode == 401; + } + + /** + * Retrieve the status code of the HttpResponse + * + * @param response The HttpResponse message received from the server + * + * @return a numeric value + */ + protected int getCode(HttpResponse response) { + return response.getStatusLine().getStatusCode(); + } + + protected JSONTokener getResponseBody(HttpResponse response) throws IOException { + HttpEntity entity = response.getEntity(); + InputStream content = entity.getContent(); + BufferedReader reader = new BufferedReader(new InputStreamReader(content)); + String line; + StringBuilder str = new StringBuilder(); + while ((line = reader.readLine()) != null) { + str.append(line); + } + return new JSONTokener(str.toString()); + } + + private HttpResponse doRequest(HttpRequestBase request, String username, String password) throws MalformedURLException { + HttpHost targetHost = new HttpHost(HOSTNAME, this.restPort, PROTOCOL); + CloseableHttpClient httpclient = HttpClients.custom().build(); + HttpClientContext clientContext = HttpClientContext.create(); + // if username is null, do not put in authentication + if (username != null) { + CredentialsProvider credsProvider = new BasicCredentialsProvider(); + credsProvider.setCredentials(new AuthScope(targetHost.getHostName(), targetHost.getPort()), new UsernamePasswordCredentials(username, password)); + httpclient = HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build(); + AuthCache authCache = new BasicAuthCache(); + BasicScheme basicAuth = new BasicScheme(); + authCache.put(targetHost, basicAuth); + clientContext.setCredentialsProvider(credsProvider); + clientContext.setAuthCache(authCache); + } + + try { + return httpclient.execute(targetHost, request, clientContext); + } catch (ClientProtocolException e) { + e.printStackTrace(); + fail("Rest GET should not have thrown ClientProtocolException!"); + } catch (IOException e) { + e.printStackTrace(); + fail("Rest GET Request should not have thrown IOException!"); + } + return null; + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java ---------------------------------------------------------------------- diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java index 79b70f8..ac1be0d 100644 --- a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java +++ b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java @@ -107,7 +107,7 @@ public class IntegratedSecurityService implements SecurityService{ } } - // in other cases like admin rest call or pulse authorization + // in other cases like rest call, client operations, we get it from the current thread currentUser = SecurityUtils.getSubject(); if (currentUser == null || currentUser.getPrincipal() == null) { http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java index c22fff3..db4767e 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java @@ -25,6 +25,8 @@ import org.junit.Test; import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -36,8 +38,7 @@ public class AccessControlMBeanJUnitTest { private AccessControlMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -51,7 +52,7 @@ public class AccessControlMBeanJUnitTest { * Test that any authenticated user can access this method */ @Test - @JMXConnectionConfiguration(user = "stranger", password = "1234567") + @ConnectionConfiguration(user = "stranger", password = "1234567") public void testAnyAccess() throws Exception { assertThat(bean.authorize("DATA", "READ")).isEqualTo(false); assertThat(bean.authorize("CLUSTER", "READ")).isEqualTo(false); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java index 3880948..0dd512d 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java @@ -24,6 +24,8 @@ import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.CacheServerMXBean; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; @Category(IntegrationTest.class) @@ -34,8 +36,7 @@ public class CacheServerMBeanAuthenticationJUnitTest { private CacheServerMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -46,7 +47,7 @@ public class CacheServerMBeanAuthenticationJUnitTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testAllAccess() throws Exception { bean.removeIndex("foo"); bean.fetchLoadProbe(); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java index 7bbfbcc..03b41a9 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java @@ -26,6 +26,8 @@ import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.CacheServerMXBean; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.FlakyTest; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -38,8 +40,7 @@ public class CacheServerMBeanAuthorizationJUnitTest { private CacheServerMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -50,7 +51,7 @@ public class CacheServerMBeanAuthorizationJUnitTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testDataAdmin() throws Exception { bean.removeIndex("foo"); assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString()); @@ -63,7 +64,7 @@ public class CacheServerMBeanAuthorizationJUnitTest { } @Test - @JMXConnectionConfiguration(user = "cluster-admin", password = "1234567") + @ConnectionConfiguration(user = "cluster-admin", password = "1234567") public void testClusterAdmin() throws Exception { assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString()); @@ -72,7 +73,7 @@ public class CacheServerMBeanAuthorizationJUnitTest { @Test - @JMXConnectionConfiguration(user = "data-user", password = "1234567") + @ConnectionConfiguration(user = "data-user", password = "1234567") public void testDataUser() throws Exception { assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); bean.executeContinuousQuery("bar"); @@ -80,7 +81,7 @@ public class CacheServerMBeanAuthorizationJUnitTest { } @Test - @JMXConnectionConfiguration(user = "stranger", password = "1234567") + @ConnectionConfiguration(user = "stranger", password = "1234567") public void testNoAccess() throws Exception { assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java index 721a431..d0df150 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java @@ -16,28 +16,40 @@ */ package org.apache.geode.management.internal.security; +import static org.apache.geode.distributed.ConfigurationProperties.*; import static org.assertj.core.api.Assertions.*; +import java.util.Properties; + import org.junit.Before; -import org.junit.ClassRule; +import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.CacheServerMXBean; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; +import org.apache.geode.test.dunit.rules.ServerStarter; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @Category({ IntegrationTest.class, SecurityTest.class }) public class CacheServerMBeanShiroJUnitTest { - - private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET); + static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET); + static Properties properties = new Properties(){{ + setProperty(JMX_MANAGER_PORT, jmxManagerPort+""); + setProperty(SECURITY_SHIRO_INIT, "shiro.ini"); + }}; private CacheServerMXBean bean; - @ClassRule - public static ShiroCacheStartRule serverRule = new ShiroCacheStartRule(jmxManagerPort, "shiro.ini"); + @BeforeClass + public static void before() throws Exception { + ServerStarter serverStarter = new ServerStarter(properties); + serverStarter.startServer(); + } @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -48,7 +60,7 @@ public class CacheServerMBeanShiroJUnitTest { } @Test - @JMXConnectionConfiguration(user = "root", password = "secret") + @ConnectionConfiguration(user = "root", password = "secret") public void testAllAccess() throws Exception { bean.removeIndex("foo"); bean.executeContinuousQuery("bar"); @@ -61,7 +73,7 @@ public class CacheServerMBeanShiroJUnitTest { } @Test - @JMXConnectionConfiguration(user = "guest", password = "guest") + @ConnectionConfiguration(user = "guest", password = "guest") public void testNoAccess() throws Exception { assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString()); @@ -74,7 +86,7 @@ public class CacheServerMBeanShiroJUnitTest { } @Test - @JMXConnectionConfiguration(user = "regionAReader", password = "password") + @ConnectionConfiguration(user = "regionAReader", password = "password") public void testRegionAccess() throws Exception{ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString()); @@ -84,7 +96,7 @@ public class CacheServerMBeanShiroJUnitTest { } @Test - @JMXConnectionConfiguration(user = "dataReader", password = "12345") + @ConnectionConfiguration(user = "dataReader", password = "12345") public void testDataRead() throws Exception{ assertThatThrownBy(() -> bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java new file mode 100644 index 0000000..b99d8e1 --- /dev/null +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.geode.management.internal.security; + +import static org.apache.geode.distributed.ConfigurationProperties.*; + +import java.io.Serializable; +import java.util.Properties; + +import org.junit.After; +import org.junit.Before; +import org.junit.rules.ExternalResource; + +import org.apache.geode.cache.Cache; +import org.apache.geode.security.templates.SampleSecurityManager; +import org.apache.geode.test.dunit.rules.ServerStarter; + +/** + * this rule would help you start up a cache server with the given properties in the current VM + */ +public class CacheServerStartupRule extends ExternalResource implements Serializable { + + private ServerStarter serverStarter; + + public static CacheServerStartupRule withDefaultSecurityJson(int jmxManagerPort) { + return new CacheServerStartupRule(jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + } + + public CacheServerStartupRule(int jmxManagerPort, String jsonFile) { + Properties properties = new Properties(); + if(jmxManagerPort>0){ + properties.put(JMX_MANAGER_PORT, String.valueOf(jmxManagerPort)); + } + if(jsonFile!=null){ + properties.put(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + properties.put(SampleSecurityManager.SECURITY_JSON, jsonFile); + } + serverStarter = new ServerStarter(properties); + } + + @Before + public void before() throws Throwable { + serverStarter.startServer(); + serverStarter.cache.createRegionFactory().create("region1"); + } + + @After + public void after(){ + serverStarter.after(); + } + + public Cache getCache() { + return serverStarter.cache; + } + + public int getServerPort(){ + return serverStarter.server.getPort(); + } +} http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java index 84155a9..403e2ab 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java @@ -30,6 +30,8 @@ import org.apache.geode.internal.AvailablePort; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.MemberMXBean; import org.apache.geode.security.NotAuthorizedException; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -43,8 +45,7 @@ public class CliCommandsSecurityTest { private List<TestCommand> commands = TestCommand.getCommands(); @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -55,7 +56,7 @@ public class CliCommandsSecurityTest { } @Test - @JMXConnectionConfiguration(user = "stranger", password = "1234567") + @ConnectionConfiguration(user = "stranger", password = "1234567") public void testNoAccess(){ for (TestCommand command:commands) { // skip query commands since query commands are only available in client shell @@ -77,7 +78,7 @@ public class CliCommandsSecurityTest { } @Test - @JMXConnectionConfiguration(user = "super-user", password = "1234567") + @ConnectionConfiguration(user = "super-user", password = "1234567") public void testAdminUser() throws Exception { for (TestCommand command:commands) { LogService.getLogger().info("processing: "+command.getCommand()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java index 0084cb8..1b2a7ce 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java @@ -27,6 +27,8 @@ import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.MemberMXBean; import org.apache.geode.security.GemFireSecurityException; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -38,8 +40,7 @@ public class DataCommandsSecurityTest { private MemberMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -50,7 +51,7 @@ public class DataCommandsSecurityTest { } @Test - @JMXConnectionConfiguration(user = "region1-user", password = "1234567") + @ConnectionConfiguration(user = "region1-user", password = "1234567") public void testDataUser() throws Exception { bean.processCommand("locate entry --key=k1 --region=region1"); @@ -58,7 +59,7 @@ public class DataCommandsSecurityTest { assertThatThrownBy(() -> bean.processCommand("locate entry --key=k1 --region=secureRegion")).isInstanceOf(GemFireSecurityException.class); } - @JMXConnectionConfiguration(user = "secure-user", password = "1234567") + @ConnectionConfiguration(user = "secure-user", password = "1234567") @Test public void testSecureDataUser(){ // can do all these on both regions @@ -67,7 +68,7 @@ public class DataCommandsSecurityTest { } // dataUser has all the permissions granted, but not to region2 (only to region1) - @JMXConnectionConfiguration(user = "region1-user", password = "1234567") + @ConnectionConfiguration(user = "region1-user", password = "1234567") @Test public void testRegionAccess(){ assertThatThrownBy(() -> bean.processCommand("rebalance --include-region=region2")).isInstanceOf(GemFireSecurityException.class) http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java index 750ce2a..8e556a7 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java @@ -27,6 +27,8 @@ import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.DiskStoreMXBean; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -38,8 +40,7 @@ public class DiskStoreMXBeanSecurityJUnitTest { private DiskStoreMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -55,7 +56,7 @@ public class DiskStoreMXBeanSecurityJUnitTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testAllAccess() throws Exception { bean.flush(); bean.forceCompaction(); @@ -70,7 +71,7 @@ public class DiskStoreMXBeanSecurityJUnitTest { } @Test - @JMXConnectionConfiguration(user = "data-user", password = "1234567") + @ConnectionConfiguration(user = "data-user", password = "1234567") public void testNoAccess() throws Exception { assertThatThrownBy(() -> bean.flush()).hasMessageContaining(TestCommand.dataManage.toString()); assertThatThrownBy(() -> bean.forceCompaction()).hasMessageContaining(TestCommand.dataManage.toString()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java index b64a6f7..b799cbd 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java @@ -32,6 +32,8 @@ import org.junit.experimental.categories.Category; import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.GatewayReceiverMXBean; import org.apache.geode.management.ManagementService; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -47,8 +49,7 @@ public class GatewayReceiverMBeanSecurityTest { private GatewayReceiverMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -72,7 +73,7 @@ public class GatewayReceiverMBeanSecurityTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testAllAccess() throws Exception { bean.getAverageBatchProcessingTime(); bean.getBindAddress(); @@ -83,7 +84,7 @@ public class GatewayReceiverMBeanSecurityTest { } @Test - @JMXConnectionConfiguration(user = "data-user", password = "1234567") + @ConnectionConfiguration(user = "data-user", password = "1234567") public void testNoAccess() throws Exception { assertThatThrownBy(() -> bean.getTotalConnectionsTimedOut()).hasMessageContaining(TestCommand.clusterRead.toString()); assertThatThrownBy(() -> bean.start()).hasMessageContaining(TestCommand.dataManage.toString()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java index 9acf8db..a800064 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java @@ -33,6 +33,8 @@ import org.apache.geode.internal.AvailablePort; import org.apache.geode.management.GatewaySenderMXBean; import org.apache.geode.management.ManagementService; import org.apache.geode.management.internal.beans.GatewaySenderMBean; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -48,8 +50,7 @@ public class GatewaySenderMBeanSecurityTest { private GatewaySenderMXBean bean; @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxManagerPort, "org/apache/geode/management/internal/security/cacheServer.json"); + public static CacheServerStartupRule serverRule = CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort); @Rule public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort); @@ -73,7 +74,7 @@ public class GatewaySenderMBeanSecurityTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testAllAccess() throws Exception { bean.getAlertThreshold(); bean.getAverageDistributionTimePerBatch(); @@ -90,7 +91,7 @@ public class GatewaySenderMBeanSecurityTest { } @Test - @JMXConnectionConfiguration(user = "stranger", password = "1234567") + @ConnectionConfiguration(user = "stranger", password = "1234567") public void testNoAccess() throws Exception { assertThatThrownBy(() -> bean.getAlertThreshold()).hasMessageContaining(TestCommand.clusterRead.toString()); assertThatThrownBy(() -> bean.getAverageDistributionTimePerBatch()).hasMessageContaining(TestCommand.clusterRead.toString()); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java index 34fd5a9..6eba91c 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java @@ -16,30 +16,46 @@ */ package org.apache.geode.management.internal.security; +import static org.apache.geode.distributed.ConfigurationProperties.*; import static org.apache.geode.internal.Assert.*; -import org.apache.geode.security.templates.SamplePostProcessor; +import java.util.Properties; + import org.junit.Before; -import org.junit.ClassRule; +import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; +import org.apache.geode.cache.RegionShortcut; import org.apache.geode.internal.AvailablePortHelper; import org.apache.geode.management.internal.cli.HeadlessGfsh; +import org.apache.geode.security.templates.SamplePostProcessor; +import org.apache.geode.security.templates.SampleSecurityManager; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.ServerStarter; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @Category({ IntegrationTest.class, SecurityTest.class }) public class GfshCommandsPostProcessorTest { - protected static int jmxPort = AvailablePortHelper.getRandomAvailableTCPPort(); + protected static int jmxPort = AvailablePortHelper.getRandomAvailableTCPPort(); + static Properties properties = new Properties(){{ + setProperty(JMX_MANAGER_PORT, jmxPort+""); + setProperty(SECURITY_POST_PROCESSOR, SamplePostProcessor.class.getName()); + setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + setProperty("security-json", "org/apache/geode/management/internal/security/cacheServer.json"); + }}; private HeadlessGfsh gfsh = null; - @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxPort, "org/apache/geode/management/internal/security/cacheServer.json", SamplePostProcessor.class); + @BeforeClass + public static void beforeClass() throws Exception { + ServerStarter serverStarter = new ServerStarter(properties); + serverStarter.startServer(); + serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create("region1"); + } @Rule public GfshShellConnectionRule gfshConnection = new GfshShellConnectionRule(jmxPort); @@ -50,7 +66,7 @@ public class GfshCommandsPostProcessorTest { } @Test - @JMXConnectionConfiguration(user = "data-user", password = "1234567") + @ConnectionConfiguration(user = "data-user", password = "1234567") public void testGetPostProcess() throws Exception { gfsh.executeCommand("put --region=region1 --key=key1 --value=value1"); gfsh.executeCommand("put --region=region1 --key=key2 --value=value2"); http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java ---------------------------------------------------------------------- diff --git a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java index def1792..960d13d 100644 --- a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java +++ b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java @@ -16,17 +16,20 @@ */ package org.apache.geode.management.internal.security; +import static org.apache.geode.distributed.ConfigurationProperties.*; import static org.junit.Assert.*; import java.util.List; +import java.util.Properties; import org.apache.shiro.authz.permission.WildcardPermission; import org.junit.Before; -import org.junit.ClassRule; +import org.junit.BeforeClass; import org.junit.Rule; import org.junit.Test; import org.junit.experimental.categories.Category; +import org.apache.geode.cache.RegionShortcut; import org.apache.geode.internal.AvailablePortHelper; import org.apache.geode.internal.logging.LogService; import org.apache.geode.management.cli.Result; @@ -34,6 +37,9 @@ import org.apache.geode.management.internal.cli.HeadlessGfsh; import org.apache.geode.management.internal.cli.result.CommandResult; import org.apache.geode.management.internal.cli.result.ErrorResultData; import org.apache.geode.management.internal.cli.result.ResultBuilder; +import org.apache.geode.security.templates.SampleSecurityManager; +import org.apache.geode.test.dunit.rules.ConnectionConfiguration; +import org.apache.geode.test.dunit.rules.ServerStarter; import org.apache.geode.test.junit.categories.IntegrationTest; import org.apache.geode.test.junit.categories.SecurityTest; @@ -44,11 +50,21 @@ public class GfshCommandsSecurityTest { protected static int jmxPort = ports[0]; protected static int httpPort = ports[1]; + static Properties properties = new Properties(){{ + setProperty(JMX_MANAGER_PORT, jmxPort+""); + setProperty(HTTP_SERVICE_PORT, httpPort+""); + setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName()); + setProperty("security-json", "org/apache/geode/management/internal/security/cacheServer.json"); + }}; + private HeadlessGfsh gfsh = null; - @ClassRule - public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule( - jmxPort, httpPort, "org/apache/geode/management/internal/security/cacheServer.json"); + @BeforeClass + public static void beforeClass() throws Exception { + ServerStarter serverStarter = new ServerStarter(properties); + serverStarter.startServer(); + serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create("region1"); + } @Rule public GfshShellConnectionRule gfshConnection = new GfshShellConnectionRule(jmxPort, httpPort, false); @@ -59,67 +75,67 @@ public class GfshCommandsSecurityTest { } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "wrongPwd") + @ConnectionConfiguration(user = "data-admin", password = "wrongPwd") public void testInvalidCredentials() throws Exception { assertFalse(gfshConnection.isAuthenticated()); } @Test - @JMXConnectionConfiguration(user = "data-admin", password = "1234567") + @ConnectionConfiguration(user = "data-admin", password = "1234567") public void testValidCredentials() throws Exception{ assertTrue(gfshConnection.isAuthenticated()); } @Test - @JMXConnectionConfiguration(user = "cluster-reader", password = "1234567") + @ConnectionConfiguration(user = "cluster-reader", password = "1234567") public void testClusterReader() throws Exception{ runCommandsWithAndWithout("CLUSTER:READ"); } @Test - @JMXConnectionConfiguration(user = "cluster-writer", password = "1234567") + @ConnectionConfiguration(user = "cluster-writer", password = "1234567") public void testClusterWriter() throws Exception{ runCommandsWithAndWithout("CLUSTER:WRITE"); } @Test - @JMXConnectionConfiguration(user = "cluster-manager", password = "1234567") + @ConnectionConfiguration(user = "cluster-manager", password = "1234567") public void testClusterManager() throws Exception{ runCommandsWithAndWithout("CLUSTER:MANAGE"); } @Test - @JMXConnectionConfiguration(user = "data-reader", password = "1234567") + @ConnectionConfiguration(user = "data-reader", password = "1234567") public void testDataReader() throws Exception{ runCommandsWithAndWithout("DATA:READ"); } @Test - @JMXConnectionConfiguration(user = "data-writer", password = "1234567") + @ConnectionConfiguration(user = "data-writer", password = "1234567") public void testDataWriter() throws Exception{ runCommandsWithAndWithout("DATA:WRITE"); } @Test - @JMXConnectionConfiguration(user = "data-manager", password = "1234567") + @ConnectionConfiguration(user = "data-manager", password = "1234567") public void testDataManager() throws Exception{ runCommandsWithAndWithout("DATA:MANAGE"); } @Test - @JMXConnectionConfiguration(user = "regionA-reader", password = "1234567") + @ConnectionConfiguration(user = "regionA-reader", password = "1234567") public void testRegionAReader() throws Exception{ runCommandsWithAndWithout("DATA:READ:RegionA"); } @Test - @JMXConnectionConfiguration(user = "regionA-writer", password = "1234567") + @ConnectionConfiguration(user = "regionA-writer", password = "1234567") public void testRegionAWriter() throws Exception{ runCommandsWithAndWithout("DATA:WRITE:RegionA"); } @Test - @JMXConnectionConfiguration(user = "regionA-manager", password = "1234567") + @ConnectionConfiguration(user = "regionA-manager", password = "1234567") public void testRegionAManager() throws Exception{ runCommandsWithAndWithout("DATA:MANAGE:RegionA"); } @@ -168,7 +184,7 @@ public class GfshCommandsSecurityTest { } @Test - @JMXConnectionConfiguration(user = "data-user", password = "1234567") + @ConnectionConfiguration(user = "data-user", password = "1234567") public void testGetPostProcess() throws Exception { gfsh.executeCommand("put --region=region1 --key=key2 --value=value2"); gfsh.executeCommand("put --region=region1 --key=key2 --value=value2");