This is an automated email from the ASF dual-hosted git repository. ilyak pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ignite.git
The following commit(s) were added to refs/heads/master by this push: new c0ed2f6 IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient - Fixes #7960. c0ed2f6 is described below commit c0ed2f616c7d5d8caa370b77d52926f2cf1bf080 Author: Ryzhov Sergei <s.vi.ryz...@gmail.com> AuthorDate: Thu Jul 9 12:23:33 2020 +0300 IGNITE-13180 Added subject address to AuthenticationContext when subject is IgniteClient - Fixes #7960. Signed-off-by: Ilya Kasnacheev <ilya.kasnach...@gmail.com> --- .../ClientListenerAbstractConnectionContext.java | 11 ++- .../odbc/jdbc/JdbcConnectionContext.java | 2 +- .../odbc/odbc/OdbcConnectionContext.java | 2 +- .../platform/client/ClientConnectionContext.java | 2 +- .../IgniteClientContainSubjectAddressTest.java | 101 +++++++++++++++++++++ .../ignite/testsuites/SecurityTestSuite.java | 2 + 6 files changed, 112 insertions(+), 8 deletions(-)
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
index 7cc8859..3682596 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/ClientListenerAbstractConnectionContext.java
@@ -17,7 +17,6 @@ package org.apache.ignite.internal.processors.odbc;
-import java.security.cert.Certificate;
 import java.util.Collections;
 import java.util.Map;
 import java.util.UUID;
@@ -26,6 +25,7 @@ import org.apache.ignite.internal.GridKernalContext;
 import org.apache.ignite.internal.processors.authentication.AuthorizationContext;
 import org.apache.ignite.internal.processors.authentication.IgniteAccessControlException;
 import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.util.nio.GridNioSession;
 import org.apache.ignite.internal.util.typedef.F;
 import org.apache.ignite.plugin.security.AuthenticationContext;
 import org.apache.ignite.plugin.security.SecurityCredentials;
@@ -91,10 +91,10 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
 * @return Auth context.
 * @throws IgniteCheckedException If failed.
 */
- protected AuthorizationContext authenticate(Certificate[] certificates, String user, String pwd)
+ protected AuthorizationContext authenticate(GridNioSession ses, String user, String pwd)
 throws IgniteCheckedException {
 if (ctx.security().enabled())
- authCtx = authenticateExternal(certificates, user, pwd).authorizationContext();
+ authCtx = authenticateExternal(ses, user, pwd).authorizationContext();
 else if (ctx.authentication().enabled()) {
 if (F.isEmpty(user))
 throw new IgniteAccessControlException("Unauthenticated sessions are prohibited.");
@@ -113,7 +113,7 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
 /**
 * Do 3-rd party authentication.
 */
- private AuthenticationContext authenticateExternal(Certificate[] certificates, String user, String pwd)
+ private AuthenticationContext authenticateExternal(GridNioSession ses, String user, String pwd)
 throws IgniteCheckedException {
 SecurityCredentials cred = new SecurityCredentials(user, pwd);
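Review bot: The Javadoc of `authenticate` is left describing the old parameter list: the hunk shows only its `@return`/`@throws` tail, so if a `@param certificates` tag sits above the hunk it is now stale and should become `@param ses Client session; its remote address and TLS certificates are handed to the security plugin.` The same signature change in `authenticateExternal` (the `@@ -113` hunk) keeps a one-line Javadoc that could likewise name the new input. The body of `authenticate` continues past the end of the hunk.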
@@ -123,7 +123,8 @@ public abstract class ClientListenerAbstractConnectionContext implements ClientL
 authCtx.subjectId(UUID.randomUUID());
 authCtx.nodeAttributes(F.isEmpty(userAttrs) ? Collections.emptyMap() : userAttrs);
 authCtx.credentials(cred);
- authCtx.certificates(certificates);
+ authCtx.address(ses.remoteAddress());
+ authCtx.certificates(ses.certificates());
 secCtx = ctx.security().authenticate(authCtx);
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
index 0f8fdc1..2359e98 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/jdbc/JdbcConnectionContext.java
@@ -203,7 +203,7 @@ public class JdbcConnectionContext extends ClientListenerAbstractConnectionConte
 throw new IgniteCheckedException("Handshake error: " + e.getMessage(), e);
 }
- actx = authenticate(ses.certificates(), user, passwd);
+ actx = authenticate(ses, user, passwd);
 }
 protoCtx = new JdbcProtocolContext(ver, features, true);
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
index 9401ce1..0cc22d1 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/odbc/odbc/OdbcConnectionContext.java
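Review bot: `authCtx.address(ses.remoteAddress())` records the peer address of the accepted TCP connection as this node sees it, so when thin clients reach the cluster through a proxy or load balancer the security plugin is handed the intermediary's address rather than the end client's; a plugin that makes address-based decisions needs to know that, so a comment such as `// Peer address of the accepted connection; behind a proxy/LB this is the intermediary, not the end client.` belongs on the new line. `ses` is dereferenced twice with no null check, and whether `remoteAddress()` can itself return null (for example on a session that is already closing) is not visible here, so plugins should treat the address as optional, which the new test's `!= null` check already implies. `authenticateExternal` begins and ends outside the hunk.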
@@ -149,7 +149,7 @@ public class OdbcConnectionContext extends ClientListenerAbstractConnectionConte
 nestedTxMode = NestedTxMode.fromByte(nestedTxModeVal);
 }
- AuthorizationContext actx = authenticate(ses.certificates(), user, passwd);
+ AuthorizationContext actx = authenticate(ses, user, passwd);
 ClientListenerResponseSender sender = new ClientListenerResponseSender() {
 @Override public void send(ClientListenerResponse resp) {
diff --git a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
index a9d38c4..aea4a7c 100644
--- a/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
+++ b/modules/core/src/main/java/org/apache/ignite/internal/processors/platform/client/ClientConnectionContext.java
@@ -214,7 +214,7 @@ public class ClientConnectionContext extends ClientListenerAbstractConnectionCon
 }
 }
- AuthorizationContext authCtx = authenticate(ses.certificates(), user, pwd);
+ AuthorizationContext authCtx = authenticate(ses, user, pwd);
 handler = new ClientRequestHandler(this, authCtx, currentProtocolContext);
 parser = new ClientMessageParser(this, currentProtocolContext);
diff --git a/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
new file mode 100644
index 0000000..cc40e12
--- /dev/null
+++ b/modules/core/src/test/java/org/apache/ignite/internal/processors/security/client/IgniteClientContainSubjectAddressTest.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ignite.internal.processors.security.client;
+
+import java.security.Permissions;
+import java.util.Arrays;
+import java.util.Collection;
+import org.apache.ignite.IgniteCheckedException;
+import org.apache.ignite.Ignition;
+import org.apache.ignite.client.IgniteClient;
+import org.apache.ignite.internal.GridKernalContext;
+import org.apache.ignite.internal.processors.security.GridSecurityProcessor;
+import org.apache.ignite.internal.processors.security.SecurityContext;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityPluginProvider;
+import org.apache.ignite.internal.processors.security.impl.TestAdditionalSecurityProcessor;
+import org.apache.ignite.internal.processors.security.impl.TestSecurityData;
+import org.apache.ignite.plugin.PluginProvider;
+import org.apache.ignite.plugin.security.AuthenticationContext;
+import org.apache.ignite.plugin.security.SecurityPermissionSet;
+import org.junit.Assert;
+import org.junit.Test;
+
+import static org.apache.ignite.cluster.ClusterState.ACTIVE;
+import static org.apache.ignite.plugin.security.SecurityPermissionSetBuilder.ALLOW_ALL;
+
+/**
+ * Test AuthenticationContext contain subject address when subject is IgniteClient.
+ */
+public class IgniteClientContainSubjectAddressTest extends CommonSecurityCheckTest {
+ /** */
+ private boolean containsAddr = false;
+
+ /** */
+ @Test
+ public void testAuthenticate() throws Exception {
+ startGrid();
+
+ try (IgniteClient client = Ignition.startClient(getClientConfiguration())) {
+ client.cluster().state(ACTIVE);
+ }
+
+ Assert.assertTrue(containsAddr);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected PluginProvider<?> getPluginProvider(String name) {
+ return new TestSubjectAddressSecurityPluginProvider(name, null, ALLOW_ALL,
+ globalAuth, true, clientData());
+ }
+
+ /** */
+ private class TestSubjectAddressSecurityPluginProvider extends TestAdditionalSecurityPluginProvider {
+ /** */
+ public TestSubjectAddressSecurityPluginProvider(String login, String pwd,
+ SecurityPermissionSet perms, boolean globalAuth, boolean checkAddPass,
+ TestSecurityData... clientData) {
+ super(login, pwd, perms, globalAuth, checkAddPass, clientData);
+ }
+
+ /** {@inheritDoc} */
+ @Override protected GridSecurityProcessor securityProcessor(GridKernalContext ctx) {
+ return new TestSubjectAddressSecurityProcessor(ctx,
+ new TestSecurityData(login, pwd, perms, new Permissions()),
+ Arrays.asList(clientData), globalAuth, checkAddPass);
+ }
+ }
+
+ /** */
+ private class TestSubjectAddressSecurityProcessor extends TestAdditionalSecurityProcessor {
+ /** */
+ public TestSubjectAddressSecurityProcessor(GridKernalContext ctx,
+ TestSecurityData nodeSecData,
+ Collection<TestSecurityData> predefinedAuthData, boolean globalAuth, boolean checkSslCerts) {
+ super(ctx, nodeSecData, predefinedAuthData, globalAuth, checkSslCerts);
+ }
+
+ /** {@inheritDoc} */
+ @Override public SecurityContext authenticate(AuthenticationContext authCtx) throws IgniteCheckedException {
+ SecurityContext secCtx = super.authenticate(authCtx);
+
+ containsAddr = secCtx.subject().address() != null;
+
+ return secCtx;
+ }
+ }
+}
diff --git a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
index ccd009c..2f20f89 100644
--- a/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
+++ b/modules/core/src/test/java/org/apache/ignite/testsuites/SecurityTestSuite.java
@@ -32,6 +32,7 @@ import org.apache.ignite.internal.processors.security.cache.closure.ScanQueryRem
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckTest;
 import org.apache.ignite.internal.processors.security.client.AdditionalSecurityCheckWithGlobalAuthTest;
 import org.apache.ignite.internal.processors.security.client.AttributeSecurityCheckTest;
+import org.apache.ignite.internal.processors.security.client.IgniteClientContainSubjectAddressTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckSecurityTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientPermissionCheckTest;
 import org.apache.ignite.internal.processors.security.client.ThinClientSecurityContextOnRemoteNodeTest;
@@ -73,6 +74,7 @@ import org.junit.runners.Suite;
 ThinClientPermissionCheckTest.class,
 ThinClientPermissionCheckSecurityTest.class,
 ContinuousQueryPermissionCheckTest.class,
+ IgniteClientContainSubjectAddressTest.class,
 DistributedClosureRemoteSecurityContextCheckTest.class,
 ComputeTaskRemoteSecurityContextCheckTest.class,