Move ssh tests to separate package
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/0582c878 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/0582c878 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/0582c878 Branch: refs/heads/master Commit: 0582c8783ead412fbca919394a1946d9ebeb8695 Parents: bf827f4 Author: Christian Schneider <[email protected]> Authored: Fri May 19 15:30:04 2017 +0200 Committer: Christian Schneider <[email protected]> Committed: Fri May 19 15:30:04 2017 +0200 ---------------------------------------------------------------------- .../itests/BundleSshCommandSecurityTest.java | 80 --------- .../itests/ConfigSshCommandSecurityTest.java | 135 -------------- .../itests/FeatureSshCommandSecurityTest.java | 58 ------ .../itests/JaasSshCommandSecurityTest.java | 51 ------ .../karaf/itests/KarSshCommandSecurityTest.java | 47 ----- .../karaf/itests/ShellCommandSecurityTest.java | 51 ------ .../apache/karaf/itests/SshCommandTestBase.java | 174 ------------------ .../apache/karaf/itests/SshKeyFormatTest.java | 86 --------- .../karaf/itests/SystemCommandSecurityTest.java | 64 ------- .../ssh/BundleSshCommandSecurityTest.java | 80 +++++++++ .../ssh/ConfigSshCommandSecurityTest.java | 135 ++++++++++++++ .../ssh/FeatureSshCommandSecurityTest.java | 58 ++++++ .../itests/ssh/JaasSshCommandSecurityTest.java | 51 ++++++ .../itests/ssh/KarSshCommandSecurityTest.java | 47 +++++ .../itests/ssh/ShellCommandSecurityTest.java | 51 ++++++ .../karaf/itests/ssh/SshCommandTestBase.java | 175 +++++++++++++++++++ .../karaf/itests/ssh/SshKeyFormatTest.java | 86 +++++++++ .../itests/ssh/SystemCommandSecurityTest.java | 64 +++++++ .../org/apache/karaf/itests/ssh/test.pem | 27 +++ .../resources/org/apache/karaf/itests/test.pem | 27 --- 20 files changed, 774 insertions(+), 773 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/BundleSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/BundleSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/BundleSshCommandSecurityTest.java
deleted file mode 100644
index 97dbcf2..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/BundleSshCommandSecurityTest.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.ops4j.pax.exam.junit.PaxExam;
-import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
-import org.ops4j.pax.exam.spi.reactors.PerClass;
-
-/**
- * This test exercises the Shell Command ACL for the bundle scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg
- */
-@RunWith(PaxExam.class)
-@ExamReactorStrategy(PerClass.class)
-public class BundleSshCommandSecurityTest extends SshCommandTestBase {
- private static int counter = 0;
-
-
-
- @Test
- public void testBundleCommandSecurityViaSsh() throws Exception {
- String manageruser = "man" + System.nanoTime() + "_" + counter++;
- String vieweruser = "view" + System.nanoTime() + "_" + counter++;
-
- addUsers(manageruser, vieweruser);
-
- assertCommand(vieweruser, "bundle:refresh 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:refresh -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:refresh 999", Result.OK);
- assertCommand("karaf", "bundle:refresh -f 999", Result.OK);
- assertCommand("karaf", "bundle:refresh 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:restart 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:restart -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:restart 999", Result.OK);
- assertCommand("karaf", "bundle:restart -f 999", Result.OK);
- assertCommand("karaf", "bundle:restart 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:start 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:start -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:start 999", Result.OK);
- assertCommand("karaf", "bundle:start -f 999", Result.OK);
- assertCommand("karaf", "bundle:start 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:stop 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:stop -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:stop 999", Result.OK);
- assertCommand("karaf", "bundle:stop -f 999", Result.OK);
- assertCommand("karaf", "bundle:stop 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:uninstall 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:uninstall -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:uninstall 999", Result.OK);
- assertCommand("karaf", "bundle:uninstall -f 999", Result.OK);
- assertCommand("karaf", "bundle:uninstall 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:update 999", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:update -f 999", Result.NO_CREDENTIALS);
- assertCommand(manageruser, "bundle:update 999", Result.OK);
- assertCommand("karaf", "bundle:update -f 999", Result.OK);
- assertCommand("karaf", "bundle:update 999", Result.OK);
-
- assertCommand(vieweruser, "bundle:install xyz", Result.NOT_FOUND);
- assertCommand(manageruser, "bundle:install xyz", Result.NOT_FOUND);
- assertCommand("karaf", "bundle:install xyz", Result.OK);
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ConfigSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/ConfigSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ConfigSshCommandSecurityTest.java
deleted file mode 100644
index 58084d1..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/ConfigSshCommandSecurityTest.java
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import java.io.IOException;
-
-import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.ops4j.pax.exam.junit.PaxExam;
-import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
-import org.ops4j.pax.exam.spi.reactors.PerClass;
-
-/**
- * This test exercises the Shell Command ACL for the config scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg
- */
-@RunWith(PaxExam.class)
-@ExamReactorStrategy(PerClass.class)
-public class ConfigSshCommandSecurityTest extends SshCommandTestBase {
-
- private static int counter = 0;
-
-
-
- @Test
- public void testConfigCommandSecurityViaSsh() throws Exception {
- String manageruser = "man" + System.nanoTime() + "_" + counter++;
- String vieweruser = "view" + System.nanoTime() + "_" + counter++;
-
- addUsers(manageruser, vieweruser);
-
- // A viewer cannot do anything to ConfigAdmin
- assertCommand(vieweruser, "config:edit cfg." + vieweruser, Result.NOT_FOUND);
- assertCommand(vieweruser, "config:delete cfg." + vieweruser, Result.NOT_FOUND);
-
- testConfigEdits(manageruser, Result.OK, "cfg." + manageruser, false);
- testConfigEdits(manageruser, Result.NO_CREDENTIALS, "jmx.acl.test_" + counter++, false);
- testConfigEdits(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.command.acl.test_" + counter++, false);
- testConfigEdits(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.service.acl.test_" + counter++, false);
- testConfigEdits("karaf", Result.OK, "cfg.karaf_" + counter++, true);
- testConfigEdits("karaf", Result.OK, "jmx.acl.test_" + counter++, true);
- testConfigEdits("karaf", Result.OK, "org.apache.karaf.command.acl.test_" + counter++, true);
- testConfigEdits("karaf", Result.OK, "org.apache.karaf.service.acl.test_" + counter++, true);
- }
-
- private void testConfigEdits(String user, Result expectedEditResult, String pid, boolean isAdmin) throws Exception, IOException {
- assertCommand(user, "config:edit " + pid + "\n" +
- "config:property-set x y\n" +
- "config:property-set a b\n" +
- "config:property-append x z\n" +
- "config:update", expectedEditResult);
- if (expectedEditResult != Result.OK)
- // If we're expecting failure, don't continue any further...
- return;
-
- String result = assertCommand(user, "config:edit " + pid + "\n" +
- "config:property-list\n" +
- "config:cancel", Result.OK);
- Assert.assertTrue(result.contains("x = yz"));
- Assert.assertTrue(result.contains("a = b"));
- String result2 = assertCommand(user, "config:edit " + pid + "\n" +
- "config:property-delete a\n" +
- "config:property-list\n" +
- "config:update", Result.OK);
- Assert.assertTrue(result2.contains("x = yz"));
- Assert.assertFalse(result2.contains("a = b"));
-
- if (isAdmin) {
- assertCommand(user, "config:delete " + pid, Result.OK);
- String result3 = assertCommand(user, "config:edit " + pid + "\n" +
- "config:property-list", Result.OK);
- Assert.assertFalse(result3.contains("x = yz"));
- Assert.assertFalse(result3.contains("a = b"));
- } else {
- assertCommand(user, "config:delete " + pid, Result.NOT_FOUND);
- String result3 = assertCommand(user, "config:edit " + pid + "\n" +
- "config:property-list", Result.OK);
- Assert.assertTrue("The delete command should have had no effect", result3.contains("x = yz"));
- Assert.assertFalse(result3.contains("a = b"));
- }
- }
-
- @Test
- public void testConfigCommandSecurityWithoutEditSessionViaSsh() throws Exception {
- String manageruser = "man" + System.nanoTime() + "_" + counter++;
- String vieweruser = "view" + System.nanoTime() + "_" + counter++;
-
- addUsers(manageruser, vieweruser);
-
- // Test the viewer user. Since the viewer cannot modify anything wrt Config Admin
- // the commands should not even be found...
- testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "cfg." + vieweruser);
- testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "jmx.acl.test_" + counter++);
- testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "org.apache.karaf.command.acl.test_" + counter++);
- testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "org.apache.karaf.service.acl.test_" + counter++);
-
- // Test the manager user. The manager can modify some properties, but not the ones associated with security
- // Therefore the config: commands will be found, but in some cases the manager is denied access
- testConfigEditsNoSession(manageruser, Result.OK, "cfg." + manageruser);
- testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "jmx.acl.test_" + counter++);
- testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.command.acl.test_" + counter++);
- testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.service.acl.test_" + counter++);
-
- // The admin user can modify everything.
- testConfigEditsNoSession("karaf", Result.OK, "cfg.karaf.test_" + counter++);
- testConfigEditsNoSession("karaf", Result.OK, "jmx.acl.test_" + counter++);
- testConfigEditsNoSession("karaf", Result.OK, "org.apache.karaf.command.acl.test_" + counter++);
- testConfigEditsNoSession("karaf", Result.OK, "org.apache.karaf.service.acl.test_" + counter++);
- }
-
- private void testConfigEditsNoSession(String user, Result expectedResult, String pid) throws Exception, IOException {
- assertCommand(user, "config:property-set -p " + pid + " a.b.c d.e.f", expectedResult);
- assertCommand(user, "config:property-append -p " + pid + " a.b.c .g.h", expectedResult);
-
- if (expectedResult == Result.OK) {
- Assert.assertTrue(assertCommand(user, "config:property-list -p " + pid, Result.OK).contains("a.b.c = d.e.f.g.h"));
- }
- assertCommand(user, "config:property-delete -p " + pid + " a.b.c", expectedResult);
- if (expectedResult == Result.OK) {
- Assert.assertFalse(assertCommand(user, "config:property-list -p " + pid, Result.OK).contains("a.b.c"));
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/FeatureSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/FeatureSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/FeatureSshCommandSecurityTest.java
deleted file mode 100644
index 3e3fd89..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/FeatureSshCommandSecurityTest.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-/**
- * This test exercises the Shell Command ACL for the feature scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg
- */
-public class FeatureSshCommandSecurityTest extends SshCommandTestBase {
-
-
-
- @Test
- public void testFeatureCommandSecurityViaSsh() throws Exception {
- String vieweruser = "viewer" + System.nanoTime() + "_features";
- String feature = "wrapper";
-
- addViewer(vieweruser);
-
- String r = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK);
- Assert.assertFalse("Precondition failed, this test uses the " + feature + " subsystem to test features with...",
- r.contains(feature));
-
- assertCommand(vieweruser, "feature:install -r " + feature, Result.NOT_FOUND);
- String r2 = assertCommand("karaf", "feature:list -i --no-format", Result.OK);
- Assert.assertFalse(feature + " features should not have been installed, as viewer doesn't have credentials",
- r2.contains(feature));
-
- assertCommand("karaf", "feature:install -r " + feature, Result.OK);
- String r3 = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK);
- Assert.assertTrue(feature + " feature should have been installed by 'karaf' user",
- r3.contains(feature));
-
- assertCommand(vieweruser, "feature:uninstall -r " + feature, Result.NOT_FOUND);
- String r4 = assertCommand("karaf", "feature:list -i --no-format", Result.OK);
- Assert.assertTrue(feature + " feature should still be there, as viewer doesn't have credentials",
- r4.contains(feature));
-
- assertCommand("karaf", "feature:uninstall -r " + feature, Result.OK);
- String r5 = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK);
- Assert.assertFalse(feature + " feature should have been uninstalled",
- r5.contains(feature));
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/JaasSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/JaasSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/JaasSshCommandSecurityTest.java
deleted file mode 100644
index 7573a58..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/JaasSshCommandSecurityTest.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.junit.Test;
-
-/**
- * This test exercises the Shell Command ACL for the jaas scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg
- */
-public class JaasSshCommandSecurityTest extends SshCommandTestBase {
-
-
- @Test
- public void testJaasCommandSecurityViaSsh() throws Exception {
- String vieweruser = "viewer" + System.nanoTime() + "_jaas";
-
- addViewer(vieweruser);
-
- String userName = "XXX" + System.nanoTime();
- assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" +
- "jaas:user-add " + userName + " pwd;" +
- "jaas:update", Result.NOT_FOUND);
- String r = assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" +
- "jaas:user-list", Result.OK);
- assertFalse("The viewer should not have the credentials to add the new user",
- r.contains(userName));
-
- assertCommand("karaf", "jaas:realm-manage --realm karaf;" +
- "jaas:user-add " + userName + " pwd;" +
- "jaas:update", Result.OK);
- String r2 = assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" +
- "jaas:user-list", Result.OK);
- assertTrue("The admin user should have the rights to add the new user",
- r2.contains(userName));
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/KarSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/KarSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/KarSshCommandSecurityTest.java
deleted file mode 100644
index 3a71588..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/KarSshCommandSecurityTest.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-
-import org.ops4j.pax.exam.junit.PaxExam;
-import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
-import org.ops4j.pax.exam.spi.reactors.PerClass;
-
-/**
- * This test exercises the Shell Command ACL for the kar scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg
- */
-@RunWith(PaxExam.class)
-@ExamReactorStrategy(PerClass.class)
-
-public class KarSshCommandSecurityTest extends SshCommandTestBase {
- private static int counter = 0;
-
- @Test
- public void testKarCommandSecurityViaSsh() throws Exception {
- String vieweruser = "view" + System.nanoTime() + "_" + counter++;
-
- addViewer(vieweruser);
-
- assertCommand(vieweruser, "kar:list", Result.OK);
- assertCommand(vieweruser, "kar:install", Result.NOT_FOUND);
- assertCommand(vieweruser, "kar:uninstall", Result.NOT_FOUND);
-
- assertCommand("karaf", "kar:list", Result.OK);
- assertCommand("karaf", "kar:install", Result.OK);
- assertCommand("karaf", "kar:uninstall", Result.OK);
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ShellCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/ShellCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ShellCommandSecurityTest.java
deleted file mode 100644
index 0aed5d3..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/ShellCommandSecurityTest.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.ops4j.pax.exam.junit.PaxExam;
-import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
-import org.ops4j.pax.exam.spi.reactors.PerClass;
-
-import static org.jline.keymap.KeyMap.ctrl;
-
-/**
- * This test exercises the Shell Command ACL for the shell scope commands as defined in
- * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg
- */
-@RunWith(PaxExam.class)
-@ExamReactorStrategy(PerClass.class)
-public class ShellCommandSecurityTest extends SshCommandTestBase {
- private static int counter = 0;
-
- @Test
- public void testShellCommandSecurityViaSsh() throws Exception {
- String vieweruser = "view" + System.nanoTime() + "_" + counter++;
-
- addViewer(vieweruser);
-
- assertCommand(vieweruser, "shell:date", Result.OK);
- assertCommand(vieweruser, "shell:nano", Result.NOT_FOUND);
- assertCommand(vieweruser, "shell:exec", Result.NOT_FOUND);
- assertCommand(vieweruser, "shell:new", Result.NOT_FOUND);
- assertCommand(vieweruser, "shell:java", Result.NOT_FOUND);
-
- assertCommand("karaf", "shell:date", Result.OK);
- assertCommand("karaf", "shell:nano\n" + ctrl('X'), Result.OK);
- assertCommand("karaf", "shell:exec", Result.OK);
- assertCommand("karaf", "shell:new", Result.OK);
- assertCommand("karaf", "shell:java", Result.OK);
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java b/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
deleted file mode 100644
index f7a44f0..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/SshCommandTestBase.java
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.karaf.itests;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.io.PipedInputStream;
-import java.io.PipedOutputStream;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.karaf.features.Feature;
-import org.apache.sshd.client.SshClient;
-import org.apache.sshd.client.channel.ClientChannel;
-import org.apache.sshd.client.channel.ClientChannelEvent;
-import org.apache.sshd.client.future.ConnectFuture;
-import org.apache.sshd.client.session.ClientSession;
-import org.apache.sshd.client.session.ClientSession.ClientSessionEvent;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Assert;
-import org.junit.runner.RunWith;
-import org.ops4j.pax.exam.junit.PaxExam;
-import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
-import org.ops4j.pax.exam.spi.reactors.PerClass;
-
-@RunWith(PaxExam.class)
-@ExamReactorStrategy(PerClass.class)
-public class SshCommandTestBase extends KarafTestSupport {
-
- enum Result { OK, NOT_FOUND, NO_CREDENTIALS };
-
- private SshClient client;
- private ClientChannel channel;
- private ClientSession session;
- private HashSet<Feature> featuresBefore;
-
- @Before
- public void installSshFeature() throws Exception {
- featuresBefore = new HashSet<Feature>(Arrays.asList(featureService.listInstalledFeatures()));
- installAndAssertFeature("ssh");
- }
-
- @After
- public void uninstallSshFeature() throws Exception {
- uninstallNewFeatures(featuresBefore);
- }
-
- void addUsers(String manageruser, String vieweruser) throws Exception {
- ByteArrayOutputStream out = new ByteArrayOutputStream();
- OutputStream pipe = openSshChannel("karaf", "karaf", out);
- pipe.write(("jaas:realm-manage --realm=karaf"
- + ";jaas:user-add " + manageruser + " " + manageruser
- + ";jaas:role-add " + manageruser + " manager"
- + ";jaas:role-add " + manageruser + " viewer"
- + ";jaas:user-add " + vieweruser + " " + vieweruser
- + ";jaas:role-add " + vieweruser + " viewer"
- + ";jaas:update;jaas:realm-manage --realm=karaf;jaas:user-list\n").getBytes());
- pipe.flush();
- closeSshChannel(pipe);
- System.out.println(new String(out.toByteArray()));
- }
-
- void addViewer(String vieweruser) throws Exception {
- ByteArrayOutputStream out = new ByteArrayOutputStream();
- OutputStream pipe = openSshChannel("karaf", "karaf", out);
- pipe.write(("jaas:realm-manage --realm=karaf"
- + ";jaas:user-add " + vieweruser + " " + vieweruser
- + ";jaas:role-add " + vieweruser + " viewer"
- + ";jaas:update;jaas:realm-manage --realm=karaf;jaas:user-list\n").getBytes());
- pipe.flush();
- closeSshChannel(pipe);
- System.out.println(new String(out.toByteArray()));
- }
-
- String assertCommand(String user, String command, Result result) throws Exception, IOException {
- if (!command.endsWith("\n"))
- command += "\n";
-
- ByteArrayOutputStream out = new ByteArrayOutputStream();
- OutputStream pipe = openSshChannel(user, user, out, out);
- pipe.write(command.getBytes());
- pipe.flush();
-
- closeSshChannel(pipe);
- String output = new String(out.toByteArray());
-
- switch(result) {
- case OK:
- Assert.assertFalse("Should not contain 'Insufficient credentials' or 'Command not found': " + output,
- output.contains("Insufficient credentials") || output.contains("Command not found"));
- break;
- case NOT_FOUND:
- Assert.assertTrue("Should contain 'Command not found': " + output,
- output.contains("Command not found"));
- break;
- case NO_CREDENTIALS:
- Assert.assertTrue("Should contain 'Insufficient credentials': " + output,
- output.contains("Insufficient credentials"));
- break;
- default:
- Assert.fail("Unexpected enum value: " + result);
- }
- return output;
- }
-
- private OutputStream openSshChannel(String username, String password, OutputStream ... outputs) throws Exception {
- client = SshClient.setUpDefaultClient();
- client.start();
- String sshPort = getSshPort();
- ConnectFuture future = client.connect(username, "localhost", Integer.parseInt(sshPort));
- future.await();
- session = future.getSession();
-
- Set<ClientSessionEvent> ret = EnumSet.of(ClientSessionEvent.WAIT_AUTH);
- while (ret.contains(ClientSessionEvent.WAIT_AUTH)) {
- session.addPasswordIdentity(password);
- session.auth().verify();
- ret = session.waitFor(EnumSet.of(ClientSessionEvent.WAIT_AUTH, ClientSessionEvent.CLOSED, ClientSessionEvent.AUTHED), 0);
- }
- if (ret.contains(ClientSessionEvent.CLOSED)) {
- throw new Exception("Could not open SSH channel");
- }
- channel = session.createChannel("shell");
- PipedOutputStream pipe = new PipedOutputStream();
- channel.setIn(new PipedInputStream(pipe));
-
- OutputStream out;
- if (outputs.length >= 1) {
- out = outputs[0];
- } else {
- out = new ByteArrayOutputStream();
- }
- channel.setOut(out);
-
- OutputStream err;
- if (outputs.length >= 2) {
- err = outputs[1];
- } else {
- err = new ByteArrayOutputStream();
- }
- channel.setErr(err);
- channel.open();
-
- return pipe;
- }
-
- private void closeSshChannel(OutputStream pipe) throws IOException {
- pipe.write("logout\n".getBytes());
- pipe.flush();
-
- channel.waitFor(EnumSet.of(ClientChannelEvent.CLOSED), 0);
- session.close(true);
- client.stop();
-
- client = null;
- channel = null;
- session = null;
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/SshKeyFormatTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/SshKeyFormatTest.java b/itests/src/test/java/org/apache/karaf/itests/SshKeyFormatTest.java
deleted file mode 100644
index 81cbb97..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/SshKeyFormatTest.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-package org.apache.karaf.itests;
-
-import com.google.common.io.ByteSource;
-import com.google.common.io.Resources;
-import org.apache.commons.ssl.PKCS8Key;
-import org.apache.sshd.client.SshClient;
-import org.apache.sshd.client.future.ConnectFuture;
-import org.apache.sshd.client.keyverifier.RequiredServerKeyVerifier;
-import org.apache.sshd.client.session.ClientSession;
-import org.apache.sshd.client.session.ClientSession.ClientSessionEvent;
-import org.junit.Test;
-import org.ops4j.pax.exam.Configuration;
-import org.ops4j.pax.exam.Option;
-
-import java.io.File;
-import java.net.URL;
-import java.util.EnumSet;
-import java.util.Set;
-
-import static org.ops4j.pax.exam.CoreOptions.*;
-import static org.ops4j.pax.exam.karaf.options.KarafDistributionOption.editConfigurationFilePut;
-
-/**
- * Test use of PEM keys.
- */
-public class SshKeyFormatTest extends SshCommandTestBase {
-
- @Configuration
- public Option[] config() {
- File keyFile = new File("src/test/resources/org/apache/karaf/itests/test.pem");
- return options(composite(super.config()),
- editConfigurationFilePut("etc/org.apache.karaf.shell.cfg", "hostKey", keyFile.getAbsolutePath()),
- editConfigurationFilePut("etc/org.apache.karaf.shell.cfg", "hostKeyFormat", "PEM"),
- bundle("mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.not-yet-commons-ssl/0.3.11_1"),
- bundle("mvn:com.google.guava/guava/16.0.1")
- );
- }
-
-
- @Test
- public void usePemKey() throws Exception {
- SshClient client = SshClient.setUpDefaultClient();
- URL testPemURL = Resources.getResource(SshKeyFormatTest.class, "test.pem");
- ByteSource source = Resources.asByteSource(testPemURL);
- PKCS8Key pkcs8 = new PKCS8Key(source.openStream(), null);
-
- String sshPort = getSshPort();
-
- client.setServerKeyVerifier(new RequiredServerKeyVerifier(pkcs8.getPublicKey()));
- client.start();
- ConnectFuture future = client.connect("karaf", "localhost", Integer.parseInt(sshPort));
- future.await();
- ClientSession session = future.getSession();
-
- Set<ClientSessionEvent> ret = EnumSet.of(ClientSessionEvent.WAIT_AUTH);
- while (ret.contains(ClientSessionEvent.WAIT_AUTH)) {
- session.addPasswordIdentity("karaf");
- session.auth().verify();
- ret = session.waitFor(EnumSet.of(ClientSessionEvent.WAIT_AUTH, ClientSessionEvent.CLOSED, ClientSessionEvent.AUTHED), 0);
- }
- if (ret.contains(ClientSessionEvent.CLOSED)) {
- throw new Exception("Could not open SSH channel");
- }
- session.close(true);
- }
-}
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/SystemCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/SystemCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/SystemCommandSecurityTest.java
deleted file mode 100644
index 5cd9159..0000000
--- a/itests/src/test/java/org/apache/karaf/itests/SystemCommandSecurityTest.java
+++ /dev/null
@@ -1,64 +0,0 @@ -/* - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.karaf.itests; - -import org.junit.Assert; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.ops4j.pax.exam.junit.PaxExam; -import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; -import org.ops4j.pax.exam.spi.reactors.PerClass; - -/** - * This test exercises the Shell Command ACL for the system scope commands as defined in - * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg - */ -@RunWith(PaxExam.class) -@ExamReactorStrategy(PerClass.class) -public class SystemCommandSecurityTest extends SshCommandTestBase { - private static int counter = 0; - - @Test - public void testSystemCommandSecurityViaSsh() throws Exception { - String manageruser = "man" + System.nanoTime() + "_" + counter++; - String vieweruser = "view" + System.nanoTime() + "_" + counter++; - - addUsers(manageruser, vieweruser); - - - assertCommand(vieweruser, "system:name", Result.OK); - assertCommand(vieweruser, "system:start-level", Result.OK); - assertCommand(vieweruser, "system:start-level 150", Result.NO_CREDENTIALS); - assertCommand(vieweruser, "system:property", Result.NOT_FOUND); - assertCommand(vieweruser, "system:shutdown", Result.NOT_FOUND); - - assertCommand(manageruser, "system:name", Result.OK); - assertCommand(manageruser, "system:start-level", Result.OK); - assertCommand(manageruser, "system:start-level 0", Result.NO_CREDENTIALS); - 
assertCommand(manageruser, "system:start-level 1 ", Result.NO_CREDENTIALS); - assertCommand(manageruser, "system:start-level 99", Result.NO_CREDENTIALS); - assertCommand(manageruser, "system:start-level 105", Result.OK); - assertCommand(manageruser, "system:property", Result.NOT_FOUND); - assertCommand(manageruser, "system:shutdown", Result.NOT_FOUND); - - assertCommand("karaf", "system:name", Result.OK); - assertCommand("karaf", "system:start-level", Result.OK); - assertCommand("karaf", "system:start-level 99", Result.OK); - Assert.assertTrue(assertCommand("karaf", "system:start-level", Result.OK).contains("99")); - assertCommand("karaf", "system:start-level 100", Result.OK); - assertCommand("karaf", "system:property vieweruser " + vieweruser, Result.OK); - Assert.assertTrue(assertCommand("karaf", "system:property vieweruser", Result.OK).contains(vieweruser)); - assertCommand("karaf", "system:shutdown --help", Result.OK); - } -} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/BundleSshCommandSecurityTest.java ---------------------------------------------------------------------- diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/BundleSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/BundleSshCommandSecurityTest.java new file mode 100644 index 0000000..be2474a --- /dev/null +++ b/itests/src/test/java/org/apache/karaf/itests/ssh/BundleSshCommandSecurityTest.java 
@@ -0,0 +1,80 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +/** + * This test exercises the Shell Command ACL for the bundle scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.bundle.cfg + */ +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) +public class BundleSshCommandSecurityTest extends SshCommandTestBase { + private static int counter = 0; + + + + @Test + public void testBundleCommandSecurityViaSsh() throws Exception { + String manageruser = "man" + System.nanoTime() + "_" + counter++; + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addUsers(manageruser, vieweruser); + + assertCommand(vieweruser, "bundle:refresh 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:refresh -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:refresh 999", Result.OK); + assertCommand("karaf", "bundle:refresh -f 999", Result.OK); + assertCommand("karaf", "bundle:refresh 999", Result.OK); + + assertCommand(vieweruser, "bundle:restart 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:restart -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:restart 999", Result.OK); 
+ assertCommand("karaf", "bundle:restart -f 999", Result.OK); + assertCommand("karaf", "bundle:restart 999", Result.OK); + + assertCommand(vieweruser, "bundle:start 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:start -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:start 999", Result.OK); + assertCommand("karaf", "bundle:start -f 999", Result.OK); + assertCommand("karaf", "bundle:start 999", Result.OK); + + assertCommand(vieweruser, "bundle:stop 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:stop -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:stop 999", Result.OK); + assertCommand("karaf", "bundle:stop -f 999", Result.OK); + assertCommand("karaf", "bundle:stop 999", Result.OK); + + assertCommand(vieweruser, "bundle:uninstall 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:uninstall -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:uninstall 999", Result.OK); + assertCommand("karaf", "bundle:uninstall -f 999", Result.OK); + assertCommand("karaf", "bundle:uninstall 999", Result.OK); + + assertCommand(vieweruser, "bundle:update 999", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:update -f 999", Result.NO_CREDENTIALS); + assertCommand(manageruser, "bundle:update 999", Result.OK); + assertCommand("karaf", "bundle:update -f 999", Result.OK); + assertCommand("karaf", "bundle:update 999", Result.OK); + + assertCommand(vieweruser, "bundle:install xyz", Result.NOT_FOUND); + assertCommand(manageruser, "bundle:install xyz", Result.NOT_FOUND); + assertCommand("karaf", "bundle:install xyz", Result.OK); + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/ConfigSshCommandSecurityTest.java ---------------------------------------------------------------------- 
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/ConfigSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/ConfigSshCommandSecurityTest.java
new file mode 100644
index 0000000..b742851
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/ConfigSshCommandSecurityTest.java
@@ -0,0 +1,135 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import java.io.IOException; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +/** + * This test exercises the Shell Command ACL for the config scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.config.cfg + */ +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) +public class ConfigSshCommandSecurityTest extends SshCommandTestBase { + + private static int counter = 0; + + + + @Test + public void testConfigCommandSecurityViaSsh() throws Exception { + String manageruser = "man" + System.nanoTime() + "_" + counter++; + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addUsers(manageruser, vieweruser); + + // A viewer cannot do anything to ConfigAdmin + assertCommand(vieweruser, "config:edit cfg." + vieweruser, Result.NOT_FOUND); + assertCommand(vieweruser, "config:delete cfg." + vieweruser, Result.NOT_FOUND); + + testConfigEdits(manageruser, Result.OK, "cfg." 
+ manageruser, false); + testConfigEdits(manageruser, Result.NO_CREDENTIALS, "jmx.acl.test_" + counter++, false); + testConfigEdits(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.command.acl.test_" + counter++, false); + testConfigEdits(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.service.acl.test_" + counter++, false); + testConfigEdits("karaf", Result.OK, "cfg.karaf_" + counter++, true); + testConfigEdits("karaf", Result.OK, "jmx.acl.test_" + counter++, true); + testConfigEdits("karaf", Result.OK, "org.apache.karaf.command.acl.test_" + counter++, true); + testConfigEdits("karaf", Result.OK, "org.apache.karaf.service.acl.test_" + counter++, true); + } + + private void testConfigEdits(String user, Result expectedEditResult, String pid, boolean isAdmin) throws Exception, IOException { + assertCommand(user, "config:edit " + pid + "\n" + + "config:property-set x y\n" + + "config:property-set a b\n" + + "config:property-append x z\n" + + "config:update", expectedEditResult); + if (expectedEditResult != Result.OK) + // If we're expecting failure, don't continue any further... 
+ return; + + String result = assertCommand(user, "config:edit " + pid + "\n" + + "config:property-list\n" + + "config:cancel", Result.OK); + Assert.assertTrue(result.contains("x = yz")); + Assert.assertTrue(result.contains("a = b")); + String result2 = assertCommand(user, "config:edit " + pid + "\n" + + "config:property-delete a\n" + + "config:property-list\n" + + "config:update", Result.OK); + Assert.assertTrue(result2.contains("x = yz")); + Assert.assertFalse(result2.contains("a = b")); + + if (isAdmin) { + assertCommand(user, "config:delete " + pid, Result.OK); + String result3 = assertCommand(user, "config:edit " + pid + "\n" + + "config:property-list", Result.OK); + Assert.assertFalse(result3.contains("x = yz")); + Assert.assertFalse(result3.contains("a = b")); + } else { + assertCommand(user, "config:delete " + pid, Result.NOT_FOUND); + String result3 = assertCommand(user, "config:edit " + pid + "\n" + + "config:property-list", Result.OK); + Assert.assertTrue("The delete command should have had no effect", result3.contains("x = yz")); + Assert.assertFalse(result3.contains("a = b")); + } + } + + @Test + public void testConfigCommandSecurityWithoutEditSessionViaSsh() throws Exception { + String manageruser = "man" + System.nanoTime() + "_" + counter++; + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addUsers(manageruser, vieweruser); + + // Test the viewer user. Since the viewer cannot modify anything wrt Config Admin + // the commands should not even be found... + testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "cfg." + vieweruser); + testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "jmx.acl.test_" + counter++); + testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "org.apache.karaf.command.acl.test_" + counter++); + testConfigEditsNoSession(vieweruser, Result.NOT_FOUND, "org.apache.karaf.service.acl.test_" + counter++); + + // Test the manager user. 
The manager can modify some properties, but not the ones associated with security + // Therefore the config: commands will be found, but in some cases the manager is denied access + testConfigEditsNoSession(manageruser, Result.OK, "cfg." + manageruser); + testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "jmx.acl.test_" + counter++); + testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.command.acl.test_" + counter++); + testConfigEditsNoSession(manageruser, Result.NO_CREDENTIALS, "org.apache.karaf.service.acl.test_" + counter++); + + // The admin user can modify everything. + testConfigEditsNoSession("karaf", Result.OK, "cfg.karaf.test_" + counter++); + testConfigEditsNoSession("karaf", Result.OK, "jmx.acl.test_" + counter++); + testConfigEditsNoSession("karaf", Result.OK, "org.apache.karaf.command.acl.test_" + counter++); + testConfigEditsNoSession("karaf", Result.OK, "org.apache.karaf.service.acl.test_" + counter++); + } + + private void testConfigEditsNoSession(String user, Result expectedResult, String pid) throws Exception, IOException { + assertCommand(user, "config:property-set -p " + pid + " a.b.c d.e.f", expectedResult); + assertCommand(user, "config:property-append -p " + pid + " a.b.c .g.h", expectedResult); + + if (expectedResult == Result.OK) { + Assert.assertTrue(assertCommand(user, "config:property-list -p " + pid, Result.OK).contains("a.b.c = d.e.f.g.h")); + } + assertCommand(user, "config:property-delete -p " + pid + " a.b.c", expectedResult); + if (expectedResult == Result.OK) { + Assert.assertFalse(assertCommand(user, "config:property-list -p " + pid, Result.OK).contains("a.b.c")); + } + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/FeatureSshCommandSecurityTest.java ---------------------------------------------------------------------- 
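Review bot: In `testConfigEditsNoSession`, the `NO_CREDENTIALS` and `NOT_FOUND` cases check only the message shown to the denied user and never confirm that the PID was left unchanged, so a command that printed the denial but still wrote the property would pass. The early `return` in `testConfigEdits` has the same gap. A read-back as the admin after the denied `config:property-set` would close it, for example `Assert.assertFalse(assertCommand("karaf", "config:property-list -p " + pid, Result.OK).contains("a.b.c"));`, assuming `config:property-list -p` on a PID that was never created returns without a denial message. `FeatureSshCommandSecurityTest` already follows this pattern when it lists features as `karaf` after the viewer's rejected install.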
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/FeatureSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/FeatureSshCommandSecurityTest.java
new file mode 100644
index 0000000..662b7c1
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/FeatureSshCommandSecurityTest.java
@@ -0,0 +1,58 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import org.junit.Assert; +import org.junit.Test; + +/** + * This test exercises the Shell Command ACL for the feature scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.feature.cfg + */ +public class FeatureSshCommandSecurityTest extends SshCommandTestBase { + + + + @Test + public void testFeatureCommandSecurityViaSsh() throws Exception { + String vieweruser = "viewer" + System.nanoTime() + "_features"; + String feature = "wrapper"; + + addViewer(vieweruser); + + String r = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK); + Assert.assertFalse("Precondition failed, this test uses the " + feature + " subsystem to test features with...", + r.contains(feature)); + + assertCommand(vieweruser, "feature:install -r " + feature, Result.NOT_FOUND); + String r2 = assertCommand("karaf", "feature:list -i --no-format", Result.OK); + Assert.assertFalse(feature + " features should not have been installed, as viewer doesn't have credentials", + r2.contains(feature)); + + assertCommand("karaf", "feature:install -r " + feature, Result.OK); + String r3 = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK); + Assert.assertTrue(feature + " feature should have been installed by 'karaf' user", + r3.contains(feature)); + + assertCommand(vieweruser, "feature:uninstall -r " + feature, 
Result.NOT_FOUND); + String r4 = assertCommand("karaf", "feature:list -i --no-format", Result.OK); + Assert.assertTrue(feature + " feature should still be there, as viewer doesn't have credentials", + r4.contains(feature)); + + assertCommand("karaf", "feature:uninstall -r " + feature, Result.OK); + String r5 = assertCommand(vieweruser, "feature:list -i --no-format", Result.OK); + Assert.assertFalse(feature + " feature should have been uninstalled", + r5.contains(feature)); + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/JaasSshCommandSecurityTest.java ---------------------------------------------------------------------- diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/JaasSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/JaasSshCommandSecurityTest.java new file mode 100644 index 0000000..65f59e3 --- /dev/null +++ b/itests/src/test/java/org/apache/karaf/itests/ssh/JaasSshCommandSecurityTest.java 
@@ -0,0 +1,51 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import org.junit.Test; + +/** + * This test exercises the Shell Command ACL for the jaas scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.jaas.cfg + */ +public class JaasSshCommandSecurityTest extends SshCommandTestBase { + + + @Test + public void testJaasCommandSecurityViaSsh() throws Exception { + String vieweruser = "viewer" + System.nanoTime() + "_jaas"; + + addViewer(vieweruser); + + String userName = "XXX" + System.nanoTime(); + assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" + + "jaas:user-add " + userName + " pwd;" + + "jaas:update", Result.NOT_FOUND); + String r = assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" + + "jaas:user-list", Result.OK); + assertFalse("The viewer should not have the credentials to add the new user", + r.contains(userName)); + + assertCommand("karaf", "jaas:realm-manage --realm karaf;" + + "jaas:user-add " + userName + " pwd;" + + "jaas:update", Result.OK); + String r2 = assertCommand(vieweruser, "jaas:realm-manage --realm karaf;" + + "jaas:user-list", Result.OK); + assertTrue("The admin user should have the rights to add the new user", + r2.contains(userName)); + } +} 
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/KarSshCommandSecurityTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/KarSshCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/KarSshCommandSecurityTest.java
new file mode 100644
index 0000000..f5967fd
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/KarSshCommandSecurityTest.java
@@ -0,0 +1,47 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import org.junit.Test; +import org.junit.runner.RunWith; + +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +/** + * This test exercises the Shell Command ACL for the kar scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.kar.cfg + */ +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) + +public class KarSshCommandSecurityTest extends SshCommandTestBase { + private static int counter = 0; + + @Test + public void testKarCommandSecurityViaSsh() throws Exception { + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addViewer(vieweruser); + + assertCommand(vieweruser, "kar:list", Result.OK); + assertCommand(vieweruser, "kar:install", Result.NOT_FOUND); + assertCommand(vieweruser, "kar:uninstall", Result.NOT_FOUND); + + assertCommand("karaf", "kar:list", Result.OK); + assertCommand("karaf", "kar:install", Result.OK); + assertCommand("karaf", "kar:uninstall", Result.OK); + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/ShellCommandSecurityTest.java ---------------------------------------------------------------------- 
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/ShellCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/ShellCommandSecurityTest.java
new file mode 100644
index 0000000..adc65d3
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/ShellCommandSecurityTest.java
@@ -0,0 +1,51 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +import static org.jline.keymap.KeyMap.ctrl; + +/** + * This test exercises the Shell Command ACL for the shell scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.shell.cfg + */ +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) +public class ShellCommandSecurityTest extends SshCommandTestBase { + private static int counter = 0; + + @Test + public void testShellCommandSecurityViaSsh() throws Exception { + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addViewer(vieweruser); + + assertCommand(vieweruser, "shell:date", Result.OK); + assertCommand(vieweruser, "shell:nano", Result.NOT_FOUND); + assertCommand(vieweruser, "shell:exec", Result.NOT_FOUND); + assertCommand(vieweruser, "shell:new", Result.NOT_FOUND); + assertCommand(vieweruser, "shell:java", Result.NOT_FOUND); + + assertCommand("karaf", "shell:date", Result.OK); + assertCommand("karaf", "shell:nano\n" + ctrl('X'), Result.OK); + assertCommand("karaf", "shell:exec", Result.OK); + assertCommand("karaf", "shell:new", Result.OK); + assertCommand("karaf", "shell:java", Result.OK); + } +} 
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/SshCommandTestBase.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/SshCommandTestBase.java b/itests/src/test/java/org/apache/karaf/itests/ssh/SshCommandTestBase.java
new file mode 100644
index 0000000..e5bd6f0
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/SshCommandTestBase.java
@@ -0,0 +1,175 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.io.PipedInputStream; +import java.io.PipedOutputStream; +import java.util.Arrays; +import java.util.EnumSet; +import java.util.HashSet; +import java.util.Set; + +import org.apache.karaf.features.Feature; +import org.apache.karaf.itests.KarafTestSupport; +import org.apache.sshd.client.SshClient; +import org.apache.sshd.client.channel.ClientChannel; +import org.apache.sshd.client.channel.ClientChannelEvent; +import org.apache.sshd.client.future.ConnectFuture; +import org.apache.sshd.client.session.ClientSession; +import org.apache.sshd.client.session.ClientSession.ClientSessionEvent; +import org.junit.After; +import org.junit.Before; +import org.junit.Assert; +import org.junit.runner.RunWith; +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) +public class SshCommandTestBase extends KarafTestSupport { + + enum Result { OK, NOT_FOUND, NO_CREDENTIALS }; + + private SshClient client; + private ClientChannel channel; + private ClientSession session; + private HashSet<Feature> featuresBefore; + + @Before + public void installSshFeature() throws Exception { + featuresBefore = new 
HashSet<Feature>(Arrays.asList(featureService.listInstalledFeatures())); + installAndAssertFeature("ssh"); + } + + @After + public void uninstallSshFeature() throws Exception { + uninstallNewFeatures(featuresBefore); + } + + void addUsers(String manageruser, String vieweruser) throws Exception { + ByteArrayOutputStream out = new ByteArrayOutputStream(); + OutputStream pipe = openSshChannel("karaf", "karaf", out); + pipe.write(("jaas:realm-manage --realm=karaf" + + ";jaas:user-add " + manageruser + " " + manageruser + + ";jaas:role-add " + manageruser + " manager" + + ";jaas:role-add " + manageruser + " viewer" + + ";jaas:user-add " + vieweruser + " " + vieweruser + + ";jaas:role-add " + vieweruser + " viewer" + + ";jaas:update;jaas:realm-manage --realm=karaf;jaas:user-list\n").getBytes()); + pipe.flush(); + closeSshChannel(pipe); + System.out.println(new String(out.toByteArray())); + } + + void addViewer(String vieweruser) throws Exception { + ByteArrayOutputStream out = new ByteArrayOutputStream(); + OutputStream pipe = openSshChannel("karaf", "karaf", out); + pipe.write(("jaas:realm-manage --realm=karaf" + + ";jaas:user-add " + vieweruser + " " + vieweruser + + ";jaas:role-add " + vieweruser + " viewer" + + ";jaas:update;jaas:realm-manage --realm=karaf;jaas:user-list\n").getBytes()); + pipe.flush(); + closeSshChannel(pipe); + System.out.println(new String(out.toByteArray())); + } + + String assertCommand(String user, String command, Result result) throws Exception, IOException { + if (!command.endsWith("\n")) + command += "\n"; + + ByteArrayOutputStream out = new ByteArrayOutputStream(); + OutputStream pipe = openSshChannel(user, user, out, out); + pipe.write(command.getBytes()); + pipe.flush(); + + closeSshChannel(pipe); + String output = new String(out.toByteArray()); + + switch(result) { + case OK: + Assert.assertFalse("Should not contain 'Insufficient credentials' or 'Command not found': " + output, + output.contains("Insufficient credentials") || 
output.contains("Command not found")); + break; + case NOT_FOUND: + Assert.assertTrue("Should contain 'Command not found': " + output, + output.contains("Command not found")); + break; + case NO_CREDENTIALS: + Assert.assertTrue("Should contain 'Insufficient credentials': " + output, + output.contains("Insufficient credentials")); + break; + default: + Assert.fail("Unexpected enum value: " + result); + } + return output; + } + + private OutputStream openSshChannel(String username, String password, OutputStream ... outputs) throws Exception { + client = SshClient.setUpDefaultClient(); + client.start(); + String sshPort = getSshPort(); + ConnectFuture future = client.connect(username, "localhost", Integer.parseInt(sshPort)); + future.await(); + session = future.getSession(); + + Set<ClientSessionEvent> ret = EnumSet.of(ClientSessionEvent.WAIT_AUTH); + while (ret.contains(ClientSessionEvent.WAIT_AUTH)) { + session.addPasswordIdentity(password); + session.auth().verify(); + ret = session.waitFor(EnumSet.of(ClientSessionEvent.WAIT_AUTH, ClientSessionEvent.CLOSED, ClientSessionEvent.AUTHED), 0); + } + if (ret.contains(ClientSessionEvent.CLOSED)) { + throw new Exception("Could not open SSH channel"); + } + channel = session.createChannel("shell"); + PipedOutputStream pipe = new PipedOutputStream(); + channel.setIn(new PipedInputStream(pipe)); + + OutputStream out; + if (outputs.length >= 1) { + out = outputs[0]; + } else { + out = new ByteArrayOutputStream(); + } + channel.setOut(out); + + OutputStream err; + if (outputs.length >= 2) { + err = outputs[1]; + } else { + err = new ByteArrayOutputStream(); + } + channel.setErr(err); + channel.open(); + + return pipe; + } + + private void closeSshChannel(OutputStream pipe) throws IOException { + pipe.write("logout\n".getBytes()); + pipe.flush(); + + channel.waitFor(EnumSet.of(ClientChannelEvent.CLOSED), 0); + session.close(true); + client.stop(); + + client = null; + channel = null; + session = null; + } +} 
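Review bot: The `Result.OK` branch of `assertCommand` passes whenever the output lacks both 'Insufficient credentials' and 'Command not found', so it does not show that the command ran or had any effect. Calls such as `bundle:refresh 999` in `BundleSshCommandSecurityTest` and the bare `kar:install` in `KarSshCommandSecurityTest` appear to rely on this. I would state it on the method so that nobody reads `Result.OK` as proof of success: `/** Result.OK only means that neither denial message appeared in the output; callers that need proof of effect must inspect the returned output. */`. Where the effect matters, the test should assert on the returned string, as `FeatureSshCommandSecurityTest` does with `r3.contains(feature)`.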
http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/SshKeyFormatTest.java
----------------------------------------------------------------------
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/SshKeyFormatTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/SshKeyFormatTest.java
new file mode 100644
index 0000000..a07b567
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/SshKeyFormatTest.java
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + +package org.apache.karaf.itests.ssh; + +import com.google.common.io.ByteSource; +import com.google.common.io.Resources; +import org.apache.commons.ssl.PKCS8Key; +import org.apache.sshd.client.SshClient; +import org.apache.sshd.client.future.ConnectFuture; +import org.apache.sshd.client.keyverifier.RequiredServerKeyVerifier; +import org.apache.sshd.client.session.ClientSession; +import org.apache.sshd.client.session.ClientSession.ClientSessionEvent; +import org.junit.Test; +import org.ops4j.pax.exam.Configuration; +import org.ops4j.pax.exam.Option; + +import java.io.File; +import java.net.URL; +import java.util.EnumSet; +import java.util.Set; + +import static org.ops4j.pax.exam.CoreOptions.*; +import static org.ops4j.pax.exam.karaf.options.KarafDistributionOption.editConfigurationFilePut; + +/** + * Test use of PEM keys. 
+ */ +public class SshKeyFormatTest extends SshCommandTestBase { + + @Configuration + public Option[] config() { + File keyFile = new File("src/test/resources/org/apache/karaf/itests/ssh/test.pem"); + return options(composite(super.config()), + editConfigurationFilePut("etc/org.apache.karaf.shell.cfg", "hostKey", keyFile.getAbsolutePath()), + editConfigurationFilePut("etc/org.apache.karaf.shell.cfg", "hostKeyFormat", "PEM"), + bundle("mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.not-yet-commons-ssl/0.3.11_1"), + bundle("mvn:com.google.guava/guava/16.0.1") + ); + } + + + @Test + public void usePemKey() throws Exception { + SshClient client = SshClient.setUpDefaultClient(); + URL testPemURL = Resources.getResource(SshKeyFormatTest.class, "test.pem"); + ByteSource source = Resources.asByteSource(testPemURL); + PKCS8Key pkcs8 = new PKCS8Key(source.openStream(), null); + + String sshPort = getSshPort(); + + client.setServerKeyVerifier(new RequiredServerKeyVerifier(pkcs8.getPublicKey())); + client.start(); + ConnectFuture future = client.connect("karaf", "localhost", Integer.parseInt(sshPort)); + future.await(); + ClientSession session = future.getSession(); + + Set<ClientSessionEvent> ret = EnumSet.of(ClientSessionEvent.WAIT_AUTH); + while (ret.contains(ClientSessionEvent.WAIT_AUTH)) { + session.addPasswordIdentity("karaf"); + session.auth().verify(); + ret = session.waitFor(EnumSet.of(ClientSessionEvent.WAIT_AUTH, ClientSessionEvent.CLOSED, ClientSessionEvent.AUTHED), 0); + } + if (ret.contains(ClientSessionEvent.CLOSED)) { + throw new Exception("Could not open SSH channel"); + } + session.close(true); + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/java/org/apache/karaf/itests/ssh/SystemCommandSecurityTest.java ---------------------------------------------------------------------- 
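Review bot: `usePemKey` starts the client with `client.start()` but never calls `client.stop()`, and `session.close(true)` is reached only when authentication succeeds, so a failing run (including a host key rejected by `RequiredServerKeyVerifier`) leaves the client and the session open in the test container. Wrapping everything after `client.start();` in `try { … } finally { client.stop(); }` would release them on every path; the stream returned by `source.openStream()` is likewise never closed and could be opened in a try-with-resources. The `waitFor(..., 0)` call appears to wait without a timeout, so a server that never answers would hang the test instead of failing it; a bounded wait would be safer.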
diff --git a/itests/src/test/java/org/apache/karaf/itests/ssh/SystemCommandSecurityTest.java b/itests/src/test/java/org/apache/karaf/itests/ssh/SystemCommandSecurityTest.java
new file mode 100644
index 0000000..4a6d554
--- /dev/null
+++ b/itests/src/test/java/org/apache/karaf/itests/ssh/SystemCommandSecurityTest.java
@@ -0,0 +1,64 @@ +/* + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.karaf.itests.ssh; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.ops4j.pax.exam.junit.PaxExam; +import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy; +import org.ops4j.pax.exam.spi.reactors.PerClass; + +/** + * This test exercises the Shell Command ACL for the system scope commands as defined in + * /framework/src/main/resources/resources/etc/org.apache.karaf.command.acl.system.cfg + */ +@RunWith(PaxExam.class) +@ExamReactorStrategy(PerClass.class) +public class SystemCommandSecurityTest extends SshCommandTestBase { + private static int counter = 0; + + @Test + public void testSystemCommandSecurityViaSsh() throws Exception { + String manageruser = "man" + System.nanoTime() + "_" + counter++; + String vieweruser = "view" + System.nanoTime() + "_" + counter++; + + addUsers(manageruser, vieweruser); + + + assertCommand(vieweruser, "system:name", Result.OK); + assertCommand(vieweruser, "system:start-level", Result.OK); + assertCommand(vieweruser, "system:start-level 150", Result.NO_CREDENTIALS); + assertCommand(vieweruser, "system:property", Result.NOT_FOUND); + assertCommand(vieweruser, "system:shutdown", Result.NOT_FOUND); + + assertCommand(manageruser, "system:name", Result.OK); + assertCommand(manageruser, "system:start-level", Result.OK); + assertCommand(manageruser, "system:start-level 0", 
Result.NO_CREDENTIALS); + assertCommand(manageruser, "system:start-level 1 ", Result.NO_CREDENTIALS); + assertCommand(manageruser, "system:start-level 99", Result.NO_CREDENTIALS); + assertCommand(manageruser, "system:start-level 105", Result.OK); + assertCommand(manageruser, "system:property", Result.NOT_FOUND); + assertCommand(manageruser, "system:shutdown", Result.NOT_FOUND); + + assertCommand("karaf", "system:name", Result.OK); + assertCommand("karaf", "system:start-level", Result.OK); + assertCommand("karaf", "system:start-level 99", Result.OK); + Assert.assertTrue(assertCommand("karaf", "system:start-level", Result.OK).contains("99")); + assertCommand("karaf", "system:start-level 100", Result.OK); + assertCommand("karaf", "system:property vieweruser " + vieweruser, Result.OK); + Assert.assertTrue(assertCommand("karaf", "system:property vieweruser", Result.OK).contains(vieweruser)); + assertCommand("karaf", "system:shutdown --help", Result.OK); + } +} http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/resources/org/apache/karaf/itests/ssh/test.pem ---------------------------------------------------------------------- diff --git a/itests/src/test/resources/org/apache/karaf/itests/ssh/test.pem b/itests/src/test/resources/org/apache/karaf/itests/ssh/test.pem new file mode 100644 index 0000000..64c6eb4 --- /dev/null +++ b/itests/src/test/resources/org/apache/karaf/itests/ssh/test.pem 
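Review bot: The manager-role checks in `testSystemCommandSecurityViaSsh` deny `system:start-level` for 0, 1 and 99 and allow 105, so the first level the ACL permits is not pinned, and an off-by-one change to the ACL pattern would pass unnoticed. An assertion at the exact boundary defined in org.apache.karaf.command.acl.system.cfg would close that gap. The argument `"system:start-level 1 "` carries a trailing space that looks deliberate (a padded argument must still be denied), but nothing says so; if that is the intent, a comment such as `// trailing space on purpose: padded arguments must still be denied` would keep it from being tidied away.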
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvHFgGEKjSgg5382ZMw4DUafHmWeQYp7nnvao9ME9O16czyAD +BsdmyTH9rfKdZ14CkzC40LEAQ5kv/ZeDD4/8LsVfUpExhuh9g86hyG4zK9q3GfGg +IeV26GlUeDlBV9W5xJRdJbbj4Cp0OzkxX0+BmgS+f0qUDxUGnTljOlZlnVLgJcbD +YZ5nxHnQ4gtxHtkmmkkIwz4sMiWOdcIoDIV1OQ6dqZoRqwOkpfc+jdsEEnQJZzPx +4BLkD9fcNW5g3uaJupD4idHDTtLhYeTx9c8KvPVurNoF8T2hvWZz9etAez0fmT6f +tvp/9TProfrJQTC3JJeTHBuIfljfkSJ8ecJwTQIDAQABAoIBAQCAdEBvCS3KD2V0 +G/BsjwbQKLC075XKxEtbXwS5IuicidgWkNm/SznTuFIWuyV1Cu5ya2nwSFfHvKqs +ERX0C9B6CWz7GaJLNjwpFzfNKuGS6VqbQsxHjuXJc9NyyIS0XSpuyDves5cOfaIR +pOD0+Xt9A/LfTnUy+sAxeKcdYzuNS35Whi+VmYJZ+UgXc91O9YK0W9bNOQaHtxbW +TO3kZxMwd5MmoiU817Fr3Xo1LFMytQrG2E0l3774NdHs7WALV3gA3uehGND/4UcO +3PTJQpdJXc11sS+bB9qIp0sd/e7LJgUdXDBQhqewO43vlO/1r+u27IF7YYCxN9Wn +h5/jbac5AoGBAPGWa8PG6JoRHioBYBOJyOzSBtTBHuO/kHbUqMlO4U75NbkbdmlU +D3xpH6hS1poP5YvXjwKLiHryrbVCtmh4HSfolFLJXOOeINn8BnFi3RkD+oGzhk0V +DIoI6XoEVHKSmH7oL6sxpkH1ozPmdjmDbcUrTEArJL6dpY4yr8i7/CGzAoGBAMev +UQ+yUCtcfLo1MW4AOop6gWFCy+g0+5VHEHmzTzoo0W8ajLVDBJ/1syQckBW1uNRj +iXOwqFGHIHGuA96iLeiY7gg2KA0slcup1OZsyMA/HHd7DFY3OmDbP+cszREV90Ui +g06fHy1rv4i8lxLE4R0M1Wmz/KUG8TCSXqBJSiX/AoGBAMDlQhaH86FQma0ge/4d +vfiZmiq2KFvg0RCQrFRQT0YnZeXvL5TaMaM8rLJRslhA6R/HdcCqeMbyjhB0vACe +J2l+IzAW57w2vjRPLzXJopAexR5aoZlafTCZ/RIX8vWoZ2qtKaKfegiggTcnhK5X +aoZMFA4IZMZuSYpInmLA9ohRAoGADSHUfOnHJ/LfKQfShl9xeiXwWEsiSdUiLoEL +7lUCgtqoW1wtoMYViceIznkqaKMY0q7xHTCjASmX0qIVExErX76e+N9G5wblmw1C +OR0yXqJH5vuqpgjfx/rjSvrBSbxeFKfeZs9EJ6KMaBuu+8cC3vw3FMqHdPrt5bna +i0QGolUCgYAi7fZAo3BhS8GgAMAcg/Uu9rxNuupW+GHiQNaP53Quq+I9T2RyCvEn +gUiOSRyqW+y7P7nqrL4NQe+PHSJQqWZypQZIoDdNvvIZvpHERjcOKKxPuPhdi0/j +fPJkMBCIbjoRJoQDbiqZoQ7v2YCpYhT85MXX8PMtCeW1OWRKwpepMA== +-----END RSA PRIVATE KEY----- http://git-wip-us.apache.org/repos/asf/karaf/blob/0582c878/itests/src/test/resources/org/apache/karaf/itests/test.pem ---------------------------------------------------------------------- 
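Review bot: This file adds an unencrypted RSA private key to the repository, and nothing in it or in SshKeyFormatTest says that it is a throwaway fixture. Because the key is published with the source, it has to be treated as public. The Javadoc of SshKeyFormatTest (currently `Test use of PEM keys.`) could state that test.pem exists only as the host key for this integration test and must never be configured as `hostKey` on a real instance. An allow-list entry for this path in whatever secret scanner the project uses would keep this known finding from masking real leaks.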
diff --git a/itests/src/test/resources/org/apache/karaf/itests/test.pem b/itests/src/test/resources/org/apache/karaf/itests/test.pem deleted file mode 100644 index 64c6eb4..0000000 --- a/itests/src/test/resources/org/apache/karaf/itests/test.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAvHFgGEKjSgg5382ZMw4DUafHmWeQYp7nnvao9ME9O16czyAD -BsdmyTH9rfKdZ14CkzC40LEAQ5kv/ZeDD4/8LsVfUpExhuh9g86hyG4zK9q3GfGg -IeV26GlUeDlBV9W5xJRdJbbj4Cp0OzkxX0+BmgS+f0qUDxUGnTljOlZlnVLgJcbD -YZ5nxHnQ4gtxHtkmmkkIwz4sMiWOdcIoDIV1OQ6dqZoRqwOkpfc+jdsEEnQJZzPx -4BLkD9fcNW5g3uaJupD4idHDTtLhYeTx9c8KvPVurNoF8T2hvWZz9etAez0fmT6f -tvp/9TProfrJQTC3JJeTHBuIfljfkSJ8ecJwTQIDAQABAoIBAQCAdEBvCS3KD2V0 -G/BsjwbQKLC075XKxEtbXwS5IuicidgWkNm/SznTuFIWuyV1Cu5ya2nwSFfHvKqs -ERX0C9B6CWz7GaJLNjwpFzfNKuGS6VqbQsxHjuXJc9NyyIS0XSpuyDves5cOfaIR -pOD0+Xt9A/LfTnUy+sAxeKcdYzuNS35Whi+VmYJZ+UgXc91O9YK0W9bNOQaHtxbW -TO3kZxMwd5MmoiU817Fr3Xo1LFMytQrG2E0l3774NdHs7WALV3gA3uehGND/4UcO -3PTJQpdJXc11sS+bB9qIp0sd/e7LJgUdXDBQhqewO43vlO/1r+u27IF7YYCxN9Wn -h5/jbac5AoGBAPGWa8PG6JoRHioBYBOJyOzSBtTBHuO/kHbUqMlO4U75NbkbdmlU -D3xpH6hS1poP5YvXjwKLiHryrbVCtmh4HSfolFLJXOOeINn8BnFi3RkD+oGzhk0V -DIoI6XoEVHKSmH7oL6sxpkH1ozPmdjmDbcUrTEArJL6dpY4yr8i7/CGzAoGBAMev -UQ+yUCtcfLo1MW4AOop6gWFCy+g0+5VHEHmzTzoo0W8ajLVDBJ/1syQckBW1uNRj -iXOwqFGHIHGuA96iLeiY7gg2KA0slcup1OZsyMA/HHd7DFY3OmDbP+cszREV90Ui -g06fHy1rv4i8lxLE4R0M1Wmz/KUG8TCSXqBJSiX/AoGBAMDlQhaH86FQma0ge/4d -vfiZmiq2KFvg0RCQrFRQT0YnZeXvL5TaMaM8rLJRslhA6R/HdcCqeMbyjhB0vACe -J2l+IzAW57w2vjRPLzXJopAexR5aoZlafTCZ/RIX8vWoZ2qtKaKfegiggTcnhK5X -aoZMFA4IZMZuSYpInmLA9ohRAoGADSHUfOnHJ/LfKQfShl9xeiXwWEsiSdUiLoEL -7lUCgtqoW1wtoMYViceIznkqaKMY0q7xHTCjASmX0qIVExErX76e+N9G5wblmw1C -OR0yXqJH5vuqpgjfx/rjSvrBSbxeFKfeZs9EJ6KMaBuu+8cC3vw3FMqHdPrt5bna -i0QGolUCgYAi7fZAo3BhS8GgAMAcg/Uu9rxNuupW+GHiQNaP53Quq+I9T2RyCvEn -gUiOSRyqW+y7P7nqrL4NQe+PHSJQqWZypQZIoDdNvvIZvpHERjcOKKxPuPhdi0/j -fPJkMBCIbjoRJoQDbiqZoQ7v2YCpYhT85MXX8PMtCeW1OWRKwpepMA== ------END RSA PRIVATE KEY-----
