KNOX-1119 - Add missing tests for valid and invalid id attributes Project: http://git-wip-us.apache.org/repos/asf/knox/repo Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/a8fbf800 Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/a8fbf800 Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/a8fbf800
Branch: refs/heads/KNOX-998-Package_Restructuring Commit: a8fbf80096f5fc6363fc7e5e182d29f2d57af080 Parents: 844506f Author: Larry McCay <[email protected]> Authored: Fri Dec 1 08:54:18 2017 -0500 Committer: Larry McCay <[email protected]> Committed: Fri Dec 1 08:54:18 2017 -0500 ---------------------------------------------------------------------- .../hadoop/gateway/pac4j/Pac4jProviderTest.java | 185 +++++++++++++++++++ 1 file changed, 185 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/knox/blob/a8fbf800/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java ----------------------------------------------------------------------
diff --git a/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java b/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
index 0da156f..39e5531 100644
--- a/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
+++ b/gateway-provider-security-pac4j/src/test/java/org/apache/hadoop/gateway/pac4j/Pac4jProviderTest.java
@@ -76,6 +76,98 @@ public class Pac4jProviderTest {
 when(config.getServletContext()).thenReturn(context);
 when(config.getInitParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_URL)).thenReturn(PAC4J_CALLBACK_URL);
 when(config.getInitParameter("clientName")).thenReturn(Pac4jDispatcherFilter.TEST_BASIC_AUTH);
+
+ final Pac4jDispatcherFilter dispatcher = new Pac4jDispatcherFilter();
+ dispatcher.init(config);
+ final Pac4jIdentityAdapter adapter = new Pac4jIdentityAdapter();
+ adapter.init(config);
+ Pac4jIdentityAdapter.setAuditor(mock(Auditor.class));
+ final AuditService auditService = mock(AuditService.class);
+ when(auditService.getContext()).thenReturn(mock(AuditContext.class));
+ Pac4jIdentityAdapter.setAuditService(auditService);
+
+ // step 1: call the KnoxSSO service with an original url pointing to an Hadoop service (redirected by the SSOCookieProvider)
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRequestURL(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL);
+ request.setCookies(new Cookie[0]);
+ request.setServerName(LOCALHOST);
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ FilterChain filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ // it should be a redirection to the idp topology
+ assertEquals(302, response.getStatus());
+ assertEquals(PAC4J_CALLBACK_URL + "?" + Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER + "=true&" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS, response.getHeaders().get("Location"));
+ // we should have one cookie for the saved requested url
+ List<Cookie> cookies = response.getCookies();
+ assertEquals(1, cookies.size());
+ final Cookie requestedUrlCookie = cookies.get(0);
+ assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.REQUESTED_URL, requestedUrlCookie.getName());
+
+ // step 2: send credentials to the callback url (callback from the identity provider)
+ request = new MockHttpServletRequest();
+ request.setCookies(new Cookie[]{requestedUrlCookie});
+ request.setRequestURL(PAC4J_CALLBACK_URL + "?" + Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER + "=true&" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS);
+ request.addParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER, "true");
+ request.addParameter(Clients.DEFAULT_CLIENT_NAME_PARAMETER, CLIENT_CLASS);
+ request.addHeader("Authorization", "Basic amxlbGV1OmpsZWxldQ==");
+ request.setServerName(LOCALHOST);
+ response = new MockHttpServletResponse();
+ filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ // it should be a redirection to the original url
+ assertEquals(302, response.getStatus());
+ assertEquals(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL, response.getHeaders().get("Location"));
+ // we should have 3 cookies among with the user profile
+ cookies = response.getCookies();
+ Map<String, String> mapCookies = new HashMap<>();
+ assertEquals(3, cookies.size());
+ for (final Cookie cookie : cookies) {
+ mapCookies.put(cookie.getName(), cookie.getValue());
+ }
+ assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + CLIENT_CLASS + "$attemptedAuthentication"));
+ assertNotNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES));
+ assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.REQUESTED_URL));
+
+ // step 3: turn pac4j identity into KnoxSSO identity
+ request = new MockHttpServletRequest();
+ request.setCookies(cookies.toArray(new Cookie[cookies.size()]));
+ request.setRequestURL(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL);
+ request.setServerName(LOCALHOST);
+ response = new MockHttpServletResponse();
+ filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ assertEquals(0, response.getStatus());
+ adapter.doFilter(request, response, filterChain);
+ cookies = response.getCookies();
+ assertEquals(1, cookies.size());
+ final Cookie userProfileCookie = cookies.get(0);
+ // the user profile has been cleaned
+ assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES, userProfileCookie.getName());
+ assertNull(userProfileCookie.getValue());
+ assertEquals(USERNAME, adapter.getTestIdentifier());
+ }
+
+ @Test
+ public void testValidIdAttribute() throws Exception {
+ final AliasService aliasService = mock(AliasService.class);
+ when(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, KnoxSessionStore.PAC4J_PASSWORD, true)).thenReturn(PAC4J_PASSWORD.toCharArray());
+ when(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, KnoxSessionStore.PAC4J_PASSWORD)).thenReturn(PAC4J_PASSWORD.toCharArray());
+
+ final DefaultCryptoService cryptoService = new DefaultCryptoService();
+ cryptoService.setAliasService(aliasService);
+
+ final GatewayServices services = mock(GatewayServices.class);
+ when(services.getService(GatewayServices.CRYPTO_SERVICE)).thenReturn(cryptoService);
+ when(services.getService(GatewayServices.ALIAS_SERVICE)).thenReturn(aliasService);
+
+ final ServletContext context = mock(ServletContext.class);
+ when(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).thenReturn(services);
+ when(context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE)).thenReturn(CLUSTER_NAME);
+
+ final FilterConfig config = mock(FilterConfig.class);
+ when(config.getServletContext()).thenReturn(context);
+ when(config.getInitParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_URL)).thenReturn(PAC4J_CALLBACK_URL);
+ when(config.getInitParameter("clientName")).thenReturn(Pac4jDispatcherFilter.TEST_BASIC_AUTH);
 when(config.getInitParameter(Pac4jIdentityAdapter.PAC4J_ID_ATTRIBUTE)).thenReturn("username");
 final Pac4jDispatcherFilter dispatcher = new Pac4jDispatcherFilter();
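Review bot: The step 2 callback URL repeats the client-name parameter: `Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS` builds `<name>=<name>=<class>` rather than the `<name>=<class>` form that step 1 asserts in the `Location` header. The test presumably still passes only because the parameters are supplied separately through `request.addParameter(...)`, so the request URL no longer mirrors the redirect the dispatcher actually issued. I would end that `setRequestURL` call with `+ "=true&" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS);`; the same line is copied into `testInvalidIdAttribute` in the second hunk. The added lines here finish a test method whose opening is outside the hunk and start `testValidIdAttribute`, whose body continues past the hunk's last context line.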
@@ -147,4 +239,97 @@ public class Pac4jProviderTest {
 assertNull(userProfileCookie.getValue());
 assertEquals(USERNAME, adapter.getTestIdentifier());
 }
+ @Test
+ public void testInvalidIdAttribute() throws Exception {
+ final AliasService aliasService = mock(AliasService.class);
+ when(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, KnoxSessionStore.PAC4J_PASSWORD, true)).thenReturn(PAC4J_PASSWORD.toCharArray());
+ when(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, KnoxSessionStore.PAC4J_PASSWORD)).thenReturn(PAC4J_PASSWORD.toCharArray());
+
+ final DefaultCryptoService cryptoService = new DefaultCryptoService();
+ cryptoService.setAliasService(aliasService);
+
+ final GatewayServices services = mock(GatewayServices.class);
+ when(services.getService(GatewayServices.CRYPTO_SERVICE)).thenReturn(cryptoService);
+ when(services.getService(GatewayServices.ALIAS_SERVICE)).thenReturn(aliasService);
+
+ final ServletContext context = mock(ServletContext.class);
+ when(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE)).thenReturn(services);
+ when(context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE)).thenReturn(CLUSTER_NAME);
+
+ final FilterConfig config = mock(FilterConfig.class);
+ when(config.getServletContext()).thenReturn(context);
+ when(config.getInitParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_URL)).thenReturn(PAC4J_CALLBACK_URL);
+ when(config.getInitParameter("clientName")).thenReturn(Pac4jDispatcherFilter.TEST_BASIC_AUTH);
+ when(config.getInitParameter(Pac4jIdentityAdapter.PAC4J_ID_ATTRIBUTE)).thenReturn("larry");
+
+ final Pac4jDispatcherFilter dispatcher = new Pac4jDispatcherFilter();
+ dispatcher.init(config);
+ final Pac4jIdentityAdapter adapter = new Pac4jIdentityAdapter();
+ adapter.init(config);
+ Pac4jIdentityAdapter.setAuditor(mock(Auditor.class));
+ final AuditService auditService = mock(AuditService.class);
+ when(auditService.getContext()).thenReturn(mock(AuditContext.class));
+ Pac4jIdentityAdapter.setAuditService(auditService);
+
+ // step 1: call the KnoxSSO service with an original url pointing to an Hadoop service (redirected by the SSOCookieProvider)
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setRequestURL(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL);
+ request.setCookies(new Cookie[0]);
+ request.setServerName(LOCALHOST);
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ FilterChain filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ // it should be a redirection to the idp topology
+ assertEquals(302, response.getStatus());
+ assertEquals(PAC4J_CALLBACK_URL + "?" + Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER + "=true&" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS, response.getHeaders().get("Location"));
+ // we should have one cookie for the saved requested url
+ List<Cookie> cookies = response.getCookies();
+ assertEquals(1, cookies.size());
+ final Cookie requestedUrlCookie = cookies.get(0);
+ assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.REQUESTED_URL, requestedUrlCookie.getName());
+
+ // step 2: send credentials to the callback url (callback from the identity provider)
+ request = new MockHttpServletRequest();
+ request.setCookies(new Cookie[]{requestedUrlCookie});
+ request.setRequestURL(PAC4J_CALLBACK_URL + "?" + Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER + "=true&" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + Clients.DEFAULT_CLIENT_NAME_PARAMETER + "=" + CLIENT_CLASS);
+ request.addParameter(Pac4jDispatcherFilter.PAC4J_CALLBACK_PARAMETER, "true");
+ request.addParameter(Clients.DEFAULT_CLIENT_NAME_PARAMETER, CLIENT_CLASS);
+ request.addHeader("Authorization", "Basic amxlbGV1OmpsZWxldQ==");
+ request.setServerName(LOCALHOST);
+ response = new MockHttpServletResponse();
+ filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ // it should be a redirection to the original url
+ assertEquals(302, response.getStatus());
+ assertEquals(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL, response.getHeaders().get("Location"));
+ // we should have 3 cookies among with the user profile
+ cookies = response.getCookies();
+ Map<String, String> mapCookies = new HashMap<>();
+ assertEquals(3, cookies.size());
+ for (final Cookie cookie : cookies) {
+ mapCookies.put(cookie.getName(), cookie.getValue());
+ }
+ assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + CLIENT_CLASS + "$attemptedAuthentication"));
+ assertNotNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES));
+ assertNull(mapCookies.get(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.REQUESTED_URL));
+
+ // step 3: turn pac4j identity into KnoxSSO identity
+ request = new MockHttpServletRequest();
+ request.setCookies(cookies.toArray(new Cookie[cookies.size()]));
+ request.setRequestURL(KNOXSSO_SERVICE_URL + "?" + ORIGINAL_URL + "=" + HADOOP_SERVICE_URL);
+ request.setServerName(LOCALHOST);
+ response = new MockHttpServletResponse();
+ filterChain = mock(FilterChain.class);
+ dispatcher.doFilter(request, response, filterChain);
+ assertEquals(0, response.getStatus());
+ adapter.doFilter(request, response, filterChain);
+ cookies = response.getCookies();
+ assertEquals(1, cookies.size());
+ final Cookie userProfileCookie = cookies.get(0);
+ // the user profile has been cleaned
+ assertEquals(KnoxSessionStore.PAC4J_SESSION_PREFIX + Pac4jConstants.USER_PROFILES, userProfileCookie.getName());
+ assertNull(userProfileCookie.getValue());
+ assertEquals(USERNAME, adapter.getTestIdentifier());
+ }
+
 }
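Review bot: `testInvalidIdAttribute` ends with the same `assertEquals(USERNAME, adapter.getTestIdentifier());` as the valid-attribute test, so what it actually pins is that an id attribute not found in the profile (`"larry"`) is silently replaced by the default identifier. For an SSO identity mapping that fallback decides which principal downstream services see, so the test should state that it is intended, e.g. `// "larry" is not an attribute of the test profile: the adapter is expected to fall back to the profile id` above the final assert. If the adapter reports the missing attribute through the mocked `Auditor` or a log message (its code is not visible here), verifying that call would distinguish this case from the valid one. The body is otherwise a line-for-line copy of the other two tests; a private helper taking the id attribute value would leave only the differing configuration line and the expectation in each test.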
