Repository: nifi Updated Branches: refs/heads/NIFI-655 3cf3addd8 -> 1350483d3
NIFI-655: - Disabling log in by default initially. - Restoring authorization service unit test. Project: http://git-wip-us.apache.org/repos/asf/nifi/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi/commit/bed35d81 Tree: http://git-wip-us.apache.org/repos/asf/nifi/tree/bed35d81 Diff: http://git-wip-us.apache.org/repos/asf/nifi/diff/bed35d81 Branch: refs/heads/NIFI-655 Commit: bed35d81a5e9c9a9baf0f7f1e7f3caec392d6f2e Parents: 3cf3add Author: Matt Gilman <[email protected]> Authored: Mon Nov 9 10:04:19 2015 -0500 Committer: Matt Gilman <[email protected]> Committed: Mon Nov 9 10:04:19 2015 -0500 ---------------------------------------------------------------------- nifi-assembly/pom.xml | 2 +- .../authorization/NiFiAuthorizationService.java | 2 +- .../NiFiAuthorizationServiceTest.java | 501 +++++++++---------- 3 files changed, 252 insertions(+), 253 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi/blob/bed35d81/nifi-assembly/pom.xml ---------------------------------------------------------------------- diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml index ed44ae6..254dff0 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml @@ -339,7 +339,7 @@ language governing permissions and limitations under the License. --> <nifi.security.authorizedUsers.file>./conf/authorized-users.xml</nifi.security.authorizedUsers.file> <nifi.security.user.credential.cache.duration>24 hours</nifi.security.user.credential.cache.duration> <nifi.security.user.authority.provider>file-provider</nifi.security.user.authority.provider> - <nifi.security.user.login.identity.provider>file-provider</nifi.security.user.login.identity.provider> + <nifi.security.user.login.identity.provider></nifi.security.user.login.identity.provider> <nifi.security.x509.principal.extractor /> <nifi.security.support.new.account.requests /> <nifi.security.anonymous.authorities>ROLE_MONITOR,ROLE_DFM,ROLE_ADMIN,ROLE_PROVENANCE,ROLE_NIFI</nifi.security.anonymous.authorities> http://git-wip-us.apache.org/repos/asf/nifi/blob/bed35d81/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java index c3a5e43..7fb8e5c 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java @@ -111,7 +111,7 @@ public class NiFiAuthorizationService implements AuthenticationUserDetailsServic userService.createPendingUserAccount(dn, "Automatic account request generated for unknown proxy."); // propagate the exception to return the appropriate response - throw new UntrustedProxyException(String.format("An account request was generated for the proxy '%s'.", dn)); + throw new UsernameNotFoundException(String.format("An account request was generated for the proxy '%s'.", dn)); } catch (AdministrationException ae) { throw new AuthenticationServiceException(String.format("Unable to create an account request for '%s': %s", dn, ae.getMessage()), ae); } catch (IllegalArgumentException iae) { http://git-wip-us.apache.org/repos/asf/nifi/blob/bed35d81/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationServiceTest.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationServiceTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationServiceTest.java index a74c75e..85e3a76 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationServiceTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/src/test/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationServiceTest.java @@ -1,251 +1,250 @@ -///* -// * Licensed to the Apache Software Foundation (ASF) under one or more -// * contributor license agreements. See the NOTICE file distributed with -// * this work for additional information regarding copyright ownership. -// * The ASF licenses this file to You under the Apache License, Version 2.0 -// * (the "License"); you may not use this file except in compliance with -// * the License. You may obtain a copy of the License at -// * -// * http://www.apache.org/licenses/LICENSE-2.0 -// * -// * Unless required by applicable law or agreed to in writing, software -// * distributed under the License is distributed on an "AS IS" BASIS, -// * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// * See the License for the specific language governing permissions and -// * limitations under the License. -// */ -//package org.apache.nifi.web.security.authorization; -// -//import org.apache.nifi.admin.service.AccountDisabledException; -//import org.apache.nifi.admin.service.AccountNotFoundException; -//import org.apache.nifi.admin.service.AccountPendingException; -//import org.apache.nifi.admin.service.AdministrationException; -//import org.apache.nifi.admin.service.UserService; -//import org.apache.nifi.authorization.Authority; -//import org.apache.nifi.user.NiFiUser; -//import org.apache.nifi.util.NiFiProperties; -//import org.apache.nifi.web.security.ProxiedEntitiesUtils; -//import org.apache.nifi.web.security.UntrustedProxyException; -//import org.apache.nifi.web.security.user.NiFiUserDetails; -//import org.junit.Assert; -//import org.junit.Before; -//import org.junit.Test; -//import org.mockito.Mockito; -//import org.mockito.invocation.InvocationOnMock; -//import org.mockito.stubbing.Answer; -//import org.springframework.security.authentication.AccountStatusException; -//import org.springframework.security.authentication.AuthenticationServiceException; -//import org.springframework.security.core.userdetails.UsernameNotFoundException; -// -///** -// * Test case for NiFiAuthorizationService. -// */ -//public class NiFiAuthorizationServiceTest { -// -// private static final String USER = "user"; -// private static final String PROXY = "proxy"; -// private static final String PROXY_PROXY = "proxy-proxy"; -// private static final String USER_NOT_FOUND = "user-not-found"; -// private static final String USER_DISABLED = "user-disabled"; -// private static final String USER_PENDING = "user-pending"; -// private static final String USER_ADMIN_EXCEPTION = "user-admin-exception"; -// private static final String PROXY_NOT_FOUND = "proxy-not-found"; -// -// private NiFiAuthorizationService authorizationService; -// private UserService userService; -// -// @Before -// public void setup() throws Exception { -// // mock the web security properties -// final NiFiProperties properties = Mockito.mock(NiFiProperties.class); -// Mockito.when(properties.getSupportNewAccountRequests()).thenReturn(Boolean.TRUE); -// -// userService = Mockito.mock(UserService.class); -// Mockito.doReturn(null).when(userService).createPendingUserAccount(Mockito.anyString(), Mockito.anyString()); -// Mockito.doAnswer(new Answer() { -// @Override -// public Object answer(InvocationOnMock invocation) throws Throwable { -// Object[] args = invocation.getArguments(); -// String dn = (String) args[0]; -// -// if (null != dn) { -// switch (dn) { -// case USER_NOT_FOUND: -// case PROXY_NOT_FOUND: -// throw new AccountNotFoundException(""); -// case USER_DISABLED: -// throw new AccountDisabledException(""); -// case USER_PENDING: -// throw new AccountPendingException(""); -// case USER_ADMIN_EXCEPTION: -// throw new AdministrationException(); -// case USER: -// final NiFiUser monitor = new NiFiUser(); -// monitor.setDn(dn); -// monitor.getAuthorities().add(Authority.ROLE_MONITOR); -// return monitor; -// case PROXY: -// case PROXY_PROXY: -// final NiFiUser proxy = new NiFiUser(); -// proxy.setDn(dn); -// proxy.getAuthorities().add(Authority.ROLE_PROXY); -// return proxy; -// } -// } -// -// return null; -// } -// }).when(userService).checkAuthorization(Mockito.anyString()); -// -// // create the authorization service -// authorizationService = new NiFiAuthorizationService(); -// authorizationService.setProperties(properties); -// authorizationService.setUserService(userService); -// } -// -// /** -// * Ensures the authorization service correctly handles users invalid dn -// * chain. -// * -// * @throws Exception ex -// */ -// @Test(expected = UntrustedProxyException.class) -// public void testInvalidDnChain() throws Exception { -// authorizationService.loadUserByUsername(USER); -// } -// -// /** -// * Ensures the authorization service correctly handles account not found. -// * -// * @throws Exception ex -// */ -// @Test(expected = UsernameNotFoundException.class) -// public void testAccountNotFound() throws Exception { -// authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(USER_NOT_FOUND)); -// } -// -// /** -// * Ensures the authorization service correctly handles account disabled. -// * -// * @throws Exception ex -// */ -// @Test(expected = AccountStatusException.class) -// public void testAccountDisabled() throws Exception { -// authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(USER_DISABLED)); -// } -// -// /** -// * Ensures the authorization service correctly handles account pending. -// * -// * @throws Exception ex -// */ -// @Test(expected = AccountStatusException.class) -// public void testAccountPending() throws Exception { -// authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(USER_PENDING)); -// } -// -// /** -// * Ensures the authorization service correctly handles account -// * administration exception. -// * -// * @throws Exception ex -// */ -// @Test(expected = AuthenticationServiceException.class) -// public void testAccountAdminException() throws Exception { -// authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(USER_ADMIN_EXCEPTION)); -// } -// -// /** -// * Tests the case when there is no proxy. -// * -// * @throws Exception ex -// */ -// @Test -// public void testNoProxy() throws Exception { -// final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(USER)); -// final NiFiUser user = details.getNiFiUser(); -// -// Assert.assertEquals(USER, user.getDn()); -// Assert.assertNull(user.getChain()); -// } -// -// /** -// * Tests the case when the proxy does not have ROLE_PROXY. -// * -// * @throws Exception ex -// */ -// @Test(expected = UntrustedProxyException.class) -// public void testInvalidProxy() throws Exception { -// final String dnChain = ProxiedEntitiesUtils.formatProxyDn(USER) + ProxiedEntitiesUtils.formatProxyDn(USER); -// authorizationService.loadUserByUsername(dnChain); -// } -// -// /** -// * Ensures the authorization service correctly handles proxy not found by -// * attempting to create an account request for the proxy. -// * -// * @throws Exception ex -// */ -// @Test(expected = UsernameNotFoundException.class) -// public void testProxyNotFound() throws Exception { -// try { -// final String dnChain = ProxiedEntitiesUtils.formatProxyDn(USER) + ProxiedEntitiesUtils.formatProxyDn(PROXY_NOT_FOUND); -// authorizationService.loadUserByUsername(ProxiedEntitiesUtils.formatProxyDn(dnChain)); -// } finally { -// Mockito.verify(userService).createPendingUserAccount(Mockito.eq(PROXY_NOT_FOUND), Mockito.anyString()); -// } -// } -// -// /** -// * Tests the case when there is a proxy. -// * -// * @throws Exception ex -// */ -// @Test -// public void testProxy() throws Exception { -// final String dnChain = ProxiedEntitiesUtils.formatProxyDn(USER) + ProxiedEntitiesUtils.formatProxyDn(PROXY); -// final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserByUsername(dnChain); -// final NiFiUser user = details.getNiFiUser(); -// -// // verify the user -// Assert.assertEquals(USER, user.getDn()); -// Assert.assertNotNull(user.getChain()); -// -// // get the proxy -// final NiFiUser proxy = user.getChain(); -// -// // verify the proxy -// Assert.assertEquals(PROXY, proxy.getDn()); -// Assert.assertNull(proxy.getChain()); -// } -// -// /** -// * Tests the case when there is are multiple proxies. -// * -// * @throws Exception ex -// */ -// @Test -// public void testProxyProxy() throws Exception { -// final String dnChain = ProxiedEntitiesUtils.formatProxyDn(USER) + ProxiedEntitiesUtils.formatProxyDn(PROXY) + ProxiedEntitiesUtils.formatProxyDn(PROXY_PROXY); -// final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserByUsername(dnChain); -// final NiFiUser user = details.getNiFiUser(); -// -// // verify the user -// Assert.assertEquals(USER, user.getDn()); -// Assert.assertNotNull(user.getChain()); -// -// // get the proxy -// NiFiUser proxy = user.getChain(); -// -// // verify the proxy -// Assert.assertEquals(PROXY, proxy.getDn()); -// Assert.assertNotNull(proxy.getChain()); -// -// // get the proxies proxy -// proxy = proxy.getChain(); -// -// // verify the proxies proxy -// Assert.assertEquals(PROXY_PROXY, proxy.getDn()); -// Assert.assertNull(proxy.getChain()); -// } -//} +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.web.security.authorization; + +import java.util.Arrays; +import org.apache.nifi.admin.service.AccountDisabledException; +import org.apache.nifi.admin.service.AccountNotFoundException; +import org.apache.nifi.admin.service.AccountPendingException; +import org.apache.nifi.admin.service.AdministrationException; +import org.apache.nifi.admin.service.UserService; +import org.apache.nifi.authorization.Authority; +import org.apache.nifi.user.NiFiUser; +import org.apache.nifi.util.NiFiProperties; +import org.apache.nifi.web.security.UntrustedProxyException; +import org.apache.nifi.web.security.token.NiFiAuthenticationRequestToken; +import org.apache.nifi.web.security.user.NiFiUserDetails; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; +import org.mockito.invocation.InvocationOnMock; +import org.mockito.stubbing.Answer; +import org.springframework.security.authentication.AccountStatusException; +import org.springframework.security.authentication.AuthenticationServiceException; +import org.springframework.security.core.userdetails.UsernameNotFoundException; + +/** + * Test case for NiFiAuthorizationService. + */ +public class NiFiAuthorizationServiceTest { + + private static final String USER = "user"; + private static final String PROXY = "proxy"; + private static final String PROXY_PROXY = "proxy-proxy"; + private static final String USER_NOT_FOUND = "user-not-found"; + private static final String USER_DISABLED = "user-disabled"; + private static final String USER_PENDING = "user-pending"; + private static final String USER_ADMIN_EXCEPTION = "user-admin-exception"; + private static final String PROXY_NOT_FOUND = "proxy-not-found"; + + private NiFiAuthorizationService authorizationService; + private UserService userService; + + @Before + public void setup() throws Exception { + // mock the web security properties + final NiFiProperties properties = Mockito.mock(NiFiProperties.class); + Mockito.when(properties.getSupportNewAccountRequests()).thenReturn(Boolean.TRUE); + + userService = Mockito.mock(UserService.class); + Mockito.doReturn(null).when(userService).createPendingUserAccount(Mockito.anyString(), Mockito.anyString()); + Mockito.doAnswer(new Answer() { + @Override + public Object answer(InvocationOnMock invocation) throws Throwable { + Object[] args = invocation.getArguments(); + String identity = (String) args[0]; + + if (null != identity) { + switch (identity) { + case USER_NOT_FOUND: + case PROXY_NOT_FOUND: + throw new AccountNotFoundException(""); + case USER_DISABLED: + throw new AccountDisabledException(""); + case USER_PENDING: + throw new AccountPendingException(""); + case USER_ADMIN_EXCEPTION: + throw new AdministrationException(); + case USER: + final NiFiUser monitor = new NiFiUser(); + monitor.setIdentity(identity); + monitor.getAuthorities().add(Authority.ROLE_MONITOR); + return monitor; + case PROXY: + case PROXY_PROXY: + final NiFiUser proxy = new NiFiUser(); + proxy.setIdentity(identity); + proxy.getAuthorities().add(Authority.ROLE_PROXY); + return proxy; + } + } + + return null; + } + }).when(userService).checkAuthorization(Mockito.anyString()); + + // create the authorization service + authorizationService = new NiFiAuthorizationService(); + authorizationService.setProperties(properties); + authorizationService.setUserService(userService); + } + + private NiFiAuthenticationRequestToken createRequestAuthentication(final String... identities) { + return new NiFiAuthenticationRequestToken(Arrays.asList(identities)); + } + + /** + * Ensures the authorization service correctly handles users invalid identity chain. + * + * @throws Exception ex + */ + @Test(expected = UntrustedProxyException.class) + public void testInvalidDnChain() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication()); + } + + /** + * Ensures the authorization service correctly handles account not found. + * + * @throws Exception ex + */ + @Test(expected = UsernameNotFoundException.class) + public void testAccountNotFound() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication(USER_NOT_FOUND)); + } + + /** + * Ensures the authorization service correctly handles account disabled. + * + * @throws Exception ex + */ + @Test(expected = AccountStatusException.class) + public void testAccountDisabled() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication(USER_DISABLED)); + } + + /** + * Ensures the authorization service correctly handles account pending. + * + * @throws Exception ex + */ + @Test(expected = AccountStatusException.class) + public void testAccountPending() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication(USER_PENDING)); + } + + /** + * Ensures the authorization service correctly handles account administration exception. + * + * @throws Exception ex + */ + @Test(expected = AuthenticationServiceException.class) + public void testAccountAdminException() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication(USER_ADMIN_EXCEPTION)); + } + + /** + * Tests the case when there is no proxy. + * + * @throws Exception ex + */ + @Test + public void testNoProxy() throws Exception { + final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserDetails(createRequestAuthentication(USER)); + final NiFiUser user = details.getNiFiUser(); + + Assert.assertEquals(USER, user.getIdentity()); + Assert.assertNull(user.getChain()); + } + + /** + * Tests the case when the proxy does not have ROLE_PROXY. + * + * @throws Exception ex + */ + @Test(expected = UntrustedProxyException.class) + public void testInvalidProxy() throws Exception { + authorizationService.loadUserDetails(createRequestAuthentication(USER, USER)); + } + + /** + * Ensures the authorization service correctly handles proxy not found by + * attempting to create an account request for the proxy. + * + * @throws Exception ex + */ + @Test(expected = UsernameNotFoundException.class) + public void testProxyNotFound() throws Exception { + try { + authorizationService.loadUserDetails(createRequestAuthentication(USER, PROXY_NOT_FOUND)); + } finally { + Mockito.verify(userService).createPendingUserAccount(Mockito.eq(PROXY_NOT_FOUND), Mockito.anyString()); + } + } + + /** + * Tests the case when there is a proxy. + * + * @throws Exception ex + */ + @Test + public void testProxy() throws Exception { + final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserDetails(createRequestAuthentication(USER, PROXY)); + final NiFiUser user = details.getNiFiUser(); + + // verify the user + Assert.assertEquals(USER, user.getIdentity()); + Assert.assertNotNull(user.getChain()); + + // get the proxy + final NiFiUser proxy = user.getChain(); + + // verify the proxy + Assert.assertEquals(PROXY, proxy.getIdentity()); + Assert.assertNull(proxy.getChain()); + } + + /** + * Tests the case when there is are multiple proxies. + * + * @throws Exception ex + */ + @Test + public void testProxyProxy() throws Exception { + final NiFiUserDetails details = (NiFiUserDetails) authorizationService.loadUserDetails(createRequestAuthentication(USER, PROXY, PROXY_PROXY)); + final NiFiUser user = details.getNiFiUser(); + + // verify the user + Assert.assertEquals(USER, user.getIdentity()); + Assert.assertNotNull(user.getChain()); + + // get the proxy + NiFiUser proxy = user.getChain(); + + // verify the proxy + Assert.assertEquals(PROXY, proxy.getIdentity()); + Assert.assertNotNull(proxy.getChain()); + + // get the proxies proxy + proxy = proxy.getChain(); + + // verify the proxies proxy + Assert.assertEquals(PROXY_PROXY, proxy.getIdentity()); + Assert.assertNull(proxy.getChain()); + } +}
