http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java b/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java deleted file mode 100644 index e835347..0000000 --- a/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java +++ /dev/null @@ -1,956 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package com.xasecure.pdp.knox; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; -import java.util.Set; - -import org.junit.Assert; -import org.junit.Test; - -import com.xasecure.pdp.model.Policy; -import com.xasecure.pdp.model.PolicyContainer; -import com.xasecure.pdp.model.RolePermission; - -public class URLBasedAuthDBTest { - - @Test - public void testPolicyEnabled() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testPolicyEnabled allowed: " + allowed); - Assert.assertTrue("Access denied while policy is enabled", allowed); - } - - @Test - public void testPolicyNotEnabled() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testPolicyNotEnabled allowed: " + allowed); - Assert.assertFalse("Access allowed while policy is disabled", allowed); - } - - @Test - public void testPolicyEnabledAuditOnTmSm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTmSm: " + auditEnabled); - Assert.assertTrue("Audit not ebabled while policy is matched", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOnTnmSm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "yxa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTnmSm auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with a non matching topology", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOnTmSnm() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "yWEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOnTmSnm auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with a non matching service", auditEnabled); - } - - @Test - public void testPolicyEnabledAuditOff() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - true, // policyEnabled - false); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyEnabledAuditOff auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy disabling audit", auditEnabled); - } - - @Test - public void testPolicyNotEnabledAuditOn() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyNotEnabledAuditOn auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy not enabled", auditEnabled); - } - - @Test - public void testPolicyNotEnabledAuditOff() { - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null, // ipAddress - false, // policyEnabled - true); // auditEnabled - pdp.setPolicyContainer(policyContainer); - - boolean auditEnabled = pdp.isAuditEnabled( - "xa", - "WEBHDFS" - ); - System.out.println("testPolicyNotEnabledAuditOff auditEnabled: " + auditEnabled); - Assert.assertFalse("Audit ebabled with policy not enabled and audit off", auditEnabled); - } - - @Test - public void testSimpleTopologyAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleTopologyAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a simple allow policy", allowed); - - } - - @Test - public void testSimpleTopologyAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "ya", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleTopologyAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allwed for a simple deny policy", allowed); - - } - - @Test - public void testWildTopologyAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "x*", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildTopologyAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a matching wild topology policy", allowed); - - } - - @Test - public void testWildTopologyAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "x*", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "ya", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildTopologyAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for non matching wild topology policy", allowed); - - } - - @Test - public void testSimpleServiceAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleServiceAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a policy matching service", allowed); - - } - - @Test - public void testSimpleServiceAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "yWEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testSimpleServiceAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a policy with no matching service", allowed); - - } - - @Test - public void testWildServiceAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEB*", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildServiceAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for policy with matching wild service", allowed); - - } - - @Test - public void testWildServiceAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEB*", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "yWEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testWildServiceAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a policy with a non matching wild service", allowed); - - } - - @Test - public void testAccessTypeAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testAccessTypeAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for a policy with matching accessTyoe", allowed); - - } - - @Test - public void testAccessTypeAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testAccessTypeAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching accessType", allowed); - - } - - @Test - public void testUserAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testUserAccessAllowed allowed: " + allowed); - Assert.assertTrue("Access denied for matching user", allowed); - - } - - @Test - public void testUserAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("yguest"), - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testUserAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching user", allowed); - - } - - @Test - public void testGroupAccessAllowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - null, - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "sam", - asSet("sales"), - "127.127.127.127"); - System.out.println("testGroupAccessAllowe allowed: " + allowed); - Assert.assertTrue("Access denied for a matching user group", allowed); - - } - - @Test - public void testGroupAccessDenied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - null, - asList("sales"), - null); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "yallow", - "guest", - asSet("sales"), - "127.127.127.127"); - System.out.println("testGroupAccessDenied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching user group", allowed); - - } - - - - @Test - public void testSimpleIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.135")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.135"); - System.out.println("testSimpleIP4Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a matching IP4 request ip", allowed); - - } - - @Test - public void testSimpleIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.135")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.136"); - System.out.println("testSimpleIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a non matching IP4 request ip", allowed); - - } - - @Test - public void testWildIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.134.135"); - System.out.println("testWildIP4Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP4", allowed); - - } - - @Test - public void testWildIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.134.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.234.136"); - System.out.println("testWildIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wild IP4", allowed); - - } - - @Test - public void testWilderIP4Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.*.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.133.234.235"); - System.out.println("testWilderIP4Allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wilder IP4", allowed); - - } - - @Test - public void testWilderIP4Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132.133.*.*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132.233.234.136"); - System.out.println("testWilderIP4Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wilder IP4", allowed); - - } - - @Test - public void testWildIP6Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:134:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:134:135"); - System.out.println("testWildIP6Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP6", allowed); - - } - - @Test - public void testWildIP6AllowedMixedCase() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:Db8:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:dB8:135"); - System.out.println("testWildIP6AllowedMixedCase: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wild IP6 with mixed case", allowed); - - } - - @Test - public void testWildIP6Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:134:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:234:136"); - System.out.println("testWildIP6Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wild IP6", allowed); - - } - - @Test - public void testWilderIP6Allowed() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:*:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:133:234:235"); - System.out.println("testWilderIP6Allowed allowed: " + allowed); - Assert.assertTrue("Access denied for a request ip matching wilder IP6", allowed); - - } - - @Test - public void testWilderIP6Denied() { - - URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); - - PolicyContainer policyContainer = buildPolicyContainer( - "xa", - "WEBHDFS", - asList("allow"), - asList("guest"), - asList("sales"), - asList("132:133:*:*")); - pdp.setPolicyContainer(policyContainer); - - - boolean allowed = pdp.isAccessGranted( - "xa", - "WEBHDFS", - "allow", - "guest", - asSet("sales"), - "132:233:234:136"); - System.out.println("testWilderIP6Denied allowed: " + allowed); - Assert.assertFalse("Access allowed for a request ip not matching wilder IP6", allowed); - - } - - private static PolicyContainer buildPolicyContainer(String topologies, - String services, List<String> accessTypes, List<String> users, - List<String> groups, List<String> ipAddresses) { - return buildPolicyContainer( topologies, services, accessTypes, - users, groups, ipAddresses, true, true); - - } - - private static PolicyContainer buildPolicyContainer(String topologies, - String services, List<String> accessTypes, List<String> users, - List<String> groups, List<String> ipAddresses, - boolean policyEnabled, boolean auditEnabled) { - - PolicyContainer policyContainer = new PolicyContainer(); - policyContainer.setRepositoryName("knoxdev"); - - List<Policy> policies = new ArrayList<Policy>(); - - Policy policy = new Policy(); - policy.setTopologies(topologies); - policy.setServices(services); - policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled"); - policy.setAuditInd(auditEnabled ? 1 : 0); - - List<RolePermission> rolePermissions = new ArrayList<RolePermission>(); - - RolePermission rolePermission = new RolePermission(); - - rolePermissions.add(rolePermission); - rolePermission.setAccess(accessTypes); - rolePermission.setUsers(users); - rolePermission.setGroups(groups); - rolePermission.setIpAddress(ipAddresses); - - policy.setPermissions(rolePermissions); - - policies.add(policy); - - policyContainer.setAcl(policies); - - return policyContainer; - } - - private static Set<String> asSet(String... a) { - Set<String> vals = new HashSet<String>(); - for (String s : a) { - vals.add(s); - } - return vals; - } - - private static List<String> asList(String... a) { - List<String> vals = new ArrayList<String>(); - for (String s : a) { - vals.add(s); - } - return vals; - } - -}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java new file mode 100644 index 0000000..ad1f472 --- /dev/null +++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java @@ -0,0 +1,170 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.pdp.hdfs; + +import java.io.BufferedReader; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.pdp.config.ConfigWatcher; +import org.apache.ranger.pdp.config.PolicyRefresher; +import org.apache.ranger.pdp.hdfs.URLBasedAuthDB; +import org.apache.ranger.pdp.model.Policy; +import org.apache.ranger.pdp.model.PolicyContainer; +import org.apache.ranger.pdp.model.RolePermission; +import org.junit.Before; +import org.junit.After; +import org.junit.Test; + +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; + +import static org.junit.Assert.assertEquals; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.when; + + +public class PolicyCacheStoreTest { + URLBasedAuthDB authDB = null; + ConfigWatcher watcherDaemon = null; + PolicyRefresher pr = null; + PolicyContainer policyContainer=null; + String url=null; + String sslConfigFileName=null; + String lastStoredFileName=null; + Long refreshInterval =0L; + private static final Log LOG = LogFactory.getLog(PolicyCacheStoreTest.class); + @Before + public void setup(){ + authDB = URLBasedAuthDB.getInstance(); + + } + + @After + public void teardown(){ + authDB = null; + PolicyRefresher pr = null; + } + + @Test + public void testHdfsPolicyCacheStore(){ + //Check if the policy cache gets created when agent get created; + url="dummyurl"; + refreshInterval=10L; + sslConfigFileName = "dummyConfigFileName.xml"; + lastStoredFileName = System.getProperty("user.home") +"/"+ "haooopPolicyCache.json"; + policyContainer = buildPolicyContainer( + "/demo/data", + 1, + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + true); // auditEnabled + authDB.OnPolicyChange(policyContainer); + pr = spy(new PolicyRefresher(url,refreshInterval,sslConfigFileName,lastStoredFileName)); + pr.setPolicyContainer(policyContainer); + pr.setPolicyChangeListener(authDB); + PolicyContainer newPr = readPolicyCache(lastStoredFileName); + assertEquals(policyToString(policyContainer),policyToString(newPr)); + } + + private static PolicyContainer buildPolicyContainer(String resource, + int recursiveInd, List<String> accessTypes, List<String> users, + List<String> groups, List<String> ipAddresses, + boolean policyEnabled, boolean auditEnabled) { + + PolicyContainer policyContainer = new PolicyContainer(); + policyContainer.setRepositoryName("hadoopdev"); + + List<Policy> policies = new ArrayList<Policy>(); + + Policy policy = new Policy(); + policy.setResource(resource); + policy.setRecursiveInd(recursiveInd); + policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled"); + policy.setAuditInd(auditEnabled ? 1 : 0); + + List<RolePermission> rolePermissions = new ArrayList<RolePermission>(); + + RolePermission rolePermission = new RolePermission(); + + rolePermissions.add(rolePermission); + rolePermission.setAccess(accessTypes); + rolePermission.setUsers(users); + rolePermission.setGroups(groups); + rolePermission.setIpAddress(ipAddresses); + + policy.setPermissions(rolePermissions); + + policies.add(policy); + + policyContainer.setAcl(policies); + + return policyContainer; + } + + private static Set<String> asSet(String... a) { + Set<String> vals = new HashSet<String>(); + for (String s : a) { + vals.add(s); + } + return vals; + } + + private static List<String> asList(String... a) { + List<String> vals = new ArrayList<String>(); + for (String s : a) { + vals.add(s); + } + return vals; + } + + + private PolicyContainer readPolicyCache(String lastStoreFileName) { + BufferedReader jsonString = null; + try { + jsonString = new BufferedReader(new FileReader(lastStoredFileName)); + } catch (FileNotFoundException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + Gson gson = new GsonBuilder().create(); + PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class); + return newPolicyContainer; + } + + private String policyToString(PolicyContainer pc) { + Gson gson = new GsonBuilder().create() ; + String policyAsJson = gson.toJson(policyContainer) ; + return policyAsJson; + } + + +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java new file mode 100644 index 0000000..19023b6 --- /dev/null +++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java @@ -0,0 +1,66 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ranger.pdp.hdfs; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.when; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.ranger.pdp.hdfs.URLBasedAuthDB; +import org.apache.ranger.pdp.model.Policy; +import org.apache.ranger.pdp.model.PolicyContainer; +import org.apache.ranger.pdp.model.ResourcePath; +import org.junit.Test; + +public class URLBasedAuthDBTest { + + @Test + public void testIsAuditLogEnabledByACL_emptyPolicyContainer() { + + // audit can't be enabled if authdb isn't initialized + assertFalse(mAuthDB.isAuditLogEnabledByACL("blah")); + + // or if the policy container in is null! + URLBasedAuthDB spy = spy(mAuthDB); + when(spy.getPolicyContainer()).thenReturn(null); + assertFalse(mAuthDB.isAuditLogEnabledByACL("blah")); + + // of if policy container is empty, i.e. has no policies! + List<Policy> policies = new ArrayList<Policy>(); + PolicyContainer policyContainer = mock(PolicyContainer.class); + when(policyContainer.getAcl()).thenReturn(policies); + when(spy.getPolicyContainer()).thenReturn(policyContainer); + assertFalse(mAuthDB.isAuditLogEnabledByACL("blah")); + + // or if all policies are empty, i.e. no acls! + Policy aPolicy = mock(Policy.class); + when(aPolicy.getResourceList()).thenReturn(new ArrayList<ResourcePath>()); + policies.add(aPolicy); + when(policyContainer.getAcl()).thenReturn(policies); + when(spy.getPolicyContainer()).thenReturn(policyContainer); + assertFalse(spy.isAuditLogEnabledByACL("blah")); + } + + private final URLBasedAuthDB mAuthDB = URLBasedAuthDB.getInstance(); +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java new file mode 100644 index 0000000..d2dfe96 --- /dev/null +++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java @@ -0,0 +1,340 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ranger.pdp.hdfs; + +import static org.hamcrest.Matchers.is; +import static org.junit.Assert.assertThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; +import static org.mockito.Mockito.when; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.ranger.pdp.hdfs.URLBasedAuthDB; +import org.apache.ranger.pdp.model.Policy; +import org.apache.ranger.pdp.model.PolicyContainer; +import org.apache.ranger.pdp.model.ResourcePath; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; + +@RunWith(Parameterized.class) +public class URLBasedAuthDB_IsAuditLogEnabledByACL_PTest { + + static class PolicyIs { + static final boolean wildcard = true; + static final boolean audited = true; + static final boolean recursive = true; + + static final boolean notWildcard = false; + static final boolean notAudited = false; + static final boolean notRecursive = false; + } + + static final class PolicyPath { + static final String path1 = "aPath"; + static final String path1Child1 = PolicyPath.path1 + "/" + "child1"; + static final String path1Child2 = PolicyPath.path1 + "/" + "child2"; + + static final String path2 = "anotherPath"; + } + static final class TestPath { + static final String path1 = PolicyPath.path1; + static final String beginsWithPath1 = PolicyPath.path1 + "_"; + static final String path1Child1 = PolicyPath.path1Child1; + static final String path1Child2 = PolicyPath.path1Child2; + static final String path1GrandChild1 = String.format("%s/%s/%s", path1, path1Child1, "grandChild1"); + static final String path1GrandChild2 = String.format("%s/%s/%s", path1, path1Child1, "grandChild2"); + + static final String path2 = PolicyPath.path2; + static final String beginsWithPath2 = PolicyPath.path2 + "_"; + static final String path2Child1 = PolicyPath.path2 + "/" + "child1"; + static final String path2Child2 = PolicyPath.path2 + "/" + "child2"; + } + + static class ExpectedResult { + static final class AuditEnabled { + static final boolean yes = true; + static final boolean no = false; + } + } + + static class TestDataIndex { + static final int ExpectedResult = 6; + static final int Audited = 3; + public static final int TestName = 0; + public static final int wildCard = 2; + } + + + /** + * ASSUMPTION: set of tests passed as such that they require wildcard flag to be set for them to return audit enabled. + * So turn wildcard flag of them off to assert that they no-longer work. Of course, those that don't work even with wildcard + * should also continue to not work when wildcard is turned off! + */ + private static List<Object[]> turnWildcardOffForTestsThatRequireWildcard(List<Object[]> tests) { + + // in the worse case we would generate one test for each existing test + List<Object[]> newTests = new ArrayList<Object[]>(tests.size()); + for (Object[] aTest: tests) { + boolean isPolicyWildcard = (Boolean) aTest[TestDataIndex.wildCard]; + if (isPolicyWildcard == PolicyIs.wildcard) { + Object[] newTest = Arrays.copyOf(aTest, aTest.length); + // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result + newTest[TestDataIndex.wildCard] = PolicyIs.notWildcard; + newTest[TestDataIndex.ExpectedResult] = ExpectedResult.AuditEnabled.no; + // for debugging purposes alter the test description, too + String testName = (String) newTest[TestDataIndex.TestName]; + newTest[TestDataIndex.TestName] = "[Wildcard-ed base test with wildcard flag turned off] " + testName; + newTests.add(newTest); + } + } + return newTests; + } + + /** + * wildcard - policy flag says wildcard by the policy path itself does not have any wildcards worth expanding. + * This should work exactly the same as if wildcard was turned off! + */ + private static List<Object[]> turnWildcardOnForNonWildcardTests(List<Object[]> tests) { + + // in the worse case we would generate one test for each existing test + List<Object[]> newTests = new ArrayList<Object[]>(tests.size()); + /* + * If a test currently does not have wildcard set on it, then expectation is changing wildcard flag + * true shouldn't change the result. ASSUMPTION here, of course, is that "base tests" don't use any + * wild-card characters in their resource paths that would make an otherwise disabled audit to return enabled. + */ + for (Object[] aTest: tests) { + boolean isPolicyWildcard = (Boolean) aTest[TestDataIndex.wildCard]; + if (isPolicyWildcard == PolicyIs.notWildcard) { + Object[] newTest = Arrays.copyOf(aTest, aTest.length); + // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result + newTest[TestDataIndex.wildCard] = PolicyIs.wildcard; + // for debugging purposes alter the test description, too + String testName = (String) newTest[TestDataIndex.TestName]; + newTest[TestDataIndex.TestName] = "[Base test with wildcard enabled] " + testName; + newTests.add(newTest); + } + } + return newTests; + } + + /** + * Disabled audit on every test that expects result to be yes to ensure that no matter what answer should be false if policy says that audit is disabled! + */ + private static List<Object[]> disableAuditForBaseTests(List<Object[]> tests) { + + List<Object[]> newTests = new ArrayList<Object[]>(tests.size()); + + for (Object[] aTest : tests) { + boolean expectedResult = (Boolean) aTest[TestDataIndex.ExpectedResult]; + boolean isPolicyAuditEnabled = (Boolean) aTest[TestDataIndex.Audited]; + + if (expectedResult == ExpectedResult.AuditEnabled.yes + && isPolicyAuditEnabled == PolicyIs.audited) { + Object[] newTest = Arrays.copyOf(aTest, aTest.length); + // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result + newTest[TestDataIndex.Audited] = PolicyIs.notAudited; + newTest[TestDataIndex.ExpectedResult] = ExpectedResult.AuditEnabled.no; + // for debugging purposes alter the test description, too + String testName = (String) newTest[TestDataIndex.TestName]; + newTest[TestDataIndex.TestName] = "[Base tests with audit disabled] " + testName; + newTests.add(newTest); + } + } + + return newTests; + } + + @Parameters + public static Collection<Object[]> data() { + Object[][] baseTestData = new Object[][] { + + // no-recursive paths - return true if paths match + {"policypath(path1) == testpath(path1) => yes", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path1, ExpectedResult.AuditEnabled.yes}, + {"policypath(path2) == testpath(path2) => yes", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path2, ExpectedResult.AuditEnabled.yes}, + + // no-recursive paths - return false if paths don't match! + {"policypath(path1) != testPath(path2) => no", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path2, ExpectedResult.AuditEnabled.no}, + {"policypath(path2) != testPath(path1) => no", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path1, ExpectedResult.AuditEnabled.no}, + + // recursive path policy - should work at least as well as non-recursive, i.e. match when same and not otherwise! + {"recursive, policypath(path1) == testpath(path1)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path2) == testpath(path2)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path1) == testpath(path2)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2, ExpectedResult.AuditEnabled.no}, + {"recursive, policypath(path1) == testpath(path2)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1, ExpectedResult.AuditEnabled.no}, + + // recursive path policy - should match children + {"recursive, policypath(path1) == testpath(path1/child1)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child1, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path1) == testpath(path1/child2)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child2, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path1) == testpath(path1/child1)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child1, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path1) == testpath(path1/child2)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child2, ExpectedResult.AuditEnabled.yes}, + + // recursive path policy - should match grand children, too! + {"recursive, policypath(path1) == testpath(path1/child1/grandChild1)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1GrandChild1, ExpectedResult.AuditEnabled.yes}, + {"recursive, policypath(path1) == testpath(path1/child1/grandChild2)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1GrandChild2, ExpectedResult.AuditEnabled.yes}, + + // recursive path policy - shouldn't match child in some other directory + {"recursive, policypath(path1) == testpath(path1/child1)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child1, ExpectedResult.AuditEnabled.no}, + {"recursive, policypath(path1) == testpath(path1/child2)", + PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child2, ExpectedResult.AuditEnabled.no}, + {"recursive, policypath(path1) == testpath(path1/child1)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child1, ExpectedResult.AuditEnabled.no}, + {"recursive, policypath(path1) == testpath(path1/child2)", + PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child2, ExpectedResult.AuditEnabled.no}, + + }; + + Object[][] wildCardTestData = new Object[][] { + // Pattern contains exact substring + {"Wildcard, Pattern contains substring of tested path - 1", + "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern contains substring of tested path - 2", + "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern contains substring of tested path - 3", + "aPa*th", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern contains substring of tested path - 4", + "aP*at*h", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes}, + + // Pattern should match + {"Wildcard, Pattern should match - 1", + "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath_", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 2", + "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath_longSuffix", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 3", + "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "_aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 4", + "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "longPrefix_aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 5", + "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "_aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 6", + "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "longPrefix_aPath", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 5", + "a*Path", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "a___Path", ExpectedResult.AuditEnabled.yes}, + {"Wildcard, Pattern should match - 6", + "a*Path", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aMiddlePath", ExpectedResult.AuditEnabled.yes}, + }; + + // in the worst case all tests have a corresponding audit disabled test + List<Object[]> baseTests = Arrays.asList(baseTestData); + List<Object[]> result = new ArrayList<Object[]>(baseTests); + + // answer is false no matter what if policy is set to not audit + List<Object[]> additionalTests = disableAuditForBaseTests(baseTests); + result.addAll(additionalTests); + + // turning wildcard flag on when policy path itself does not have wildcard characters in it shouldn't change the result! + additionalTests = turnWildcardOnForNonWildcardTests(baseTests); + result.addAll(additionalTests); + + List<Object[]> wildcardBaseTests = Arrays.asList(wildCardTestData); + result.addAll(wildcardBaseTests); + + additionalTests = turnWildcardOffForTestsThatRequireWildcard(wildcardBaseTests); + result.addAll(additionalTests); + return result; + } + + public URLBasedAuthDB_IsAuditLogEnabledByACL_PTest(String testName, String policyPath, boolean wildCard, boolean audited, boolean recursive, String testPath, boolean expectedResult) { + _testName = testName; + _policyPath = policyPath; + _policyPathWildcard = wildCard; + _policyAudited = audited; + _policyRecursive = recursive; + _testPath = testPath; + _expectedResult = expectedResult; + } + + private final String _testName; + private final String _policyPath; + private final boolean _policyPathWildcard; + private final boolean _policyAudited; + private final boolean _policyRecursive; + private final String _testPath; + private final boolean _expectedResult; + + @Test + public void testIsAuditLogEnabledByACL() { + + if (LOG.isDebugEnabled()) { + LOG.debug(String.format("Test: %sPolicy Path: %s, isWildcard: %b, isAudited: %b, isRecursive: %b, TestPath: %s", + _testName, _policyPath, _policyPathWildcard, _policyAudited, _policyRecursive, _testPath)); + } + + // A policy can have several paths, so let's first stuff our path into a collection + ResourcePath path = mock(ResourcePath.class); + when(path.getPath()).thenReturn(_policyPath); + when(path.isWildcardPath()).thenReturn(_policyPathWildcard); + List<ResourcePath> resourcePaths = new ArrayList<ResourcePath>(); + resourcePaths.add(path); + + // wire it into the policy and set other aspects of the policy + Policy aPolicy = mock(Policy.class); + when(aPolicy.getResourceList()).thenReturn(resourcePaths); + + int recursiveIndicator = _policyRecursive ? 1 : 0; + when(aPolicy.getRecursiveInd()).thenReturn(recursiveIndicator); + + int auditedIndicator = _policyAudited ? 1 : 0; + when(aPolicy.getAuditInd()).thenReturn(auditedIndicator); + + // a container can have several policies to first we stuff our policy into a container + List<Policy> policies = new ArrayList<Policy>(); + policies.add(aPolicy); + // now wire the policy into the container + PolicyContainer policyContainer = mock(PolicyContainer.class); + when(policyContainer.getAcl()).thenReturn(policies); + + // finally wire the policy container into the authdb + URLBasedAuthDB spy = spy(mAuthDB); + when(spy.getPolicyContainer()).thenReturn(policyContainer); + + // assert the result + boolean result = spy.isAuditLogEnabledByACL(_testPath); + assertThat(_testName, result, is(_expectedResult)); + if (LOG.isDebugEnabled()) { + LOG.debug(String.format(", Expected Result (Audit enabled?): %b Result: %b\n", _expectedResult, result)); + } + } + + private final URLBasedAuthDB mAuthDB = URLBasedAuthDB.getInstance(); + private static final Log LOG = LogFactory.getLog(URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.class) ; +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java ---------------------------------------------------------------------- diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java new file mode 100644 index 0000000..3e0724d --- /dev/null +++ b/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java @@ -0,0 +1,956 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.pdp.knox; + +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.apache.ranger.pdp.knox.URLBasedAuthDB; +import org.apache.ranger.pdp.model.Policy; +import org.apache.ranger.pdp.model.PolicyContainer; +import org.apache.ranger.pdp.model.RolePermission; +import org.junit.Assert; +import org.junit.Test; + +public class URLBasedAuthDBTest { + + @Test + public void testPolicyEnabled() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testPolicyEnabled allowed: " + allowed); + Assert.assertTrue("Access denied while policy is enabled", allowed); + } + + @Test + public void testPolicyNotEnabled() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + false, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testPolicyNotEnabled allowed: " + allowed); + Assert.assertFalse("Access allowed while policy is disabled", allowed); + } + + @Test + public void testPolicyEnabledAuditOnTmSm() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "xa", + "WEBHDFS" + ); + System.out.println("testPolicyEnabledAuditOnTmSm: " + auditEnabled); + Assert.assertTrue("Audit not ebabled while policy is matched", auditEnabled); + } + + @Test + public void testPolicyEnabledAuditOnTnmSm() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "yxa", + "WEBHDFS" + ); + System.out.println("testPolicyEnabledAuditOnTnmSm auditEnabled: " + auditEnabled); + Assert.assertFalse("Audit ebabled with a non matching topology", auditEnabled); + } + + @Test + public void testPolicyEnabledAuditOnTmSnm() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "xa", + "yWEBHDFS" + ); + System.out.println("testPolicyEnabledAuditOnTmSnm auditEnabled: " + auditEnabled); + Assert.assertFalse("Audit ebabled with a non matching service", auditEnabled); + } + + @Test + public void testPolicyEnabledAuditOff() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + true, // policyEnabled + false); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "xa", + "WEBHDFS" + ); + System.out.println("testPolicyEnabledAuditOff auditEnabled: " + auditEnabled); + Assert.assertFalse("Audit ebabled with policy disabling audit", auditEnabled); + } + + @Test + public void testPolicyNotEnabledAuditOn() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + false, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "xa", + "WEBHDFS" + ); + System.out.println("testPolicyNotEnabledAuditOn auditEnabled: " + auditEnabled); + Assert.assertFalse("Audit ebabled with policy not enabled", auditEnabled); + } + + @Test + public void testPolicyNotEnabledAuditOff() { + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null, // ipAddress + false, // policyEnabled + true); // auditEnabled + pdp.setPolicyContainer(policyContainer); + + boolean auditEnabled = pdp.isAuditEnabled( + "xa", + "WEBHDFS" + ); + System.out.println("testPolicyNotEnabledAuditOff auditEnabled: " + auditEnabled); + Assert.assertFalse("Audit ebabled with policy not enabled and audit off", auditEnabled); + } + + @Test + public void testSimpleTopologyAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testSimpleTopologyAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for a simple allow policy", allowed); + + } + + @Test + public void testSimpleTopologyAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "ya", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testSimpleTopologyAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allwed for a simple deny policy", allowed); + + } + + @Test + public void testWildTopologyAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "x*", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testWildTopologyAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for a matching wild topology policy", allowed); + + } + + @Test + public void testWildTopologyAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "x*", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "ya", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testWildTopologyAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for non matching wild topology policy", allowed); + + } + + @Test + public void testSimpleServiceAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testSimpleServiceAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for a policy matching service", allowed); + + } + + @Test + public void testSimpleServiceAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "yWEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testSimpleServiceAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for a policy with no matching service", allowed); + + } + + @Test + public void testWildServiceAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEB*", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testWildServiceAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for policy with matching wild service", allowed); + + } + + @Test + public void testWildServiceAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEB*", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "yWEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testWildServiceAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for a policy with a non matching wild service", allowed); + + } + + @Test + public void testAccessTypeAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testAccessTypeAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for a policy with matching accessTyoe", allowed); + + } + + @Test + public void testAccessTypeAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "yallow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testAccessTypeAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for a non matching accessType", allowed); + + } + + @Test + public void testUserAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testUserAccessAllowed allowed: " + allowed); + Assert.assertTrue("Access denied for matching user", allowed); + + } + + @Test + public void testUserAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("yguest"), + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "yallow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testUserAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for a non matching user", allowed); + + } + + @Test + public void testGroupAccessAllowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + null, + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "sam", + asSet("sales"), + "127.127.127.127"); + System.out.println("testGroupAccessAllowe allowed: " + allowed); + Assert.assertTrue("Access denied for a matching user group", allowed); + + } + + @Test + public void testGroupAccessDenied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + null, + asList("sales"), + null); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "yallow", + "guest", + asSet("sales"), + "127.127.127.127"); + System.out.println("testGroupAccessDenied allowed: " + allowed); + Assert.assertFalse("Access allowed for a non matching user group", allowed); + + } + + + + @Test + public void testSimpleIP4Allowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.134.135")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.133.134.135"); + System.out.println("testSimpleIP4Allowed allowed: " + allowed); + Assert.assertTrue("Access denied for a matching IP4 request ip", allowed); + + } + + @Test + public void testSimpleIP4Denied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.134.135")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.133.134.136"); + System.out.println("testSimpleIP4Denied allowed: " + allowed); + Assert.assertFalse("Access allowed for a non matching IP4 request ip", allowed); + + } + + @Test + public void testWildIP4Allowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.134.*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.133.134.135"); + System.out.println("testWildIP4Allowed allowed: " + allowed); + Assert.assertTrue("Access denied for a request ip matching wild IP4", allowed); + + } + + @Test + public void testWildIP4Denied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.134.*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.133.234.136"); + System.out.println("testWildIP4Denied allowed: " + allowed); + Assert.assertFalse("Access allowed for a request ip not matching wild IP4", allowed); + + } + + @Test + public void testWilderIP4Allowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.*.*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.133.234.235"); + System.out.println("testWilderIP4Allowed: " + allowed); + Assert.assertTrue("Access denied for a request ip matching wilder IP4", allowed); + + } + + @Test + public void testWilderIP4Denied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132.133.*.*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132.233.234.136"); + System.out.println("testWilderIP4Denied allowed: " + allowed); + Assert.assertFalse("Access allowed for a request ip not matching wilder IP4", allowed); + + } + + @Test + public void testWildIP6Allowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132:133:134:*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132:133:134:135"); + System.out.println("testWildIP6Allowed allowed: " + allowed); + Assert.assertTrue("Access denied for a request ip matching wild IP6", allowed); + + } + + @Test + public void testWildIP6AllowedMixedCase() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132:133:Db8:*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132:133:dB8:135"); + System.out.println("testWildIP6AllowedMixedCase: " + allowed); + Assert.assertTrue("Access denied for a request ip matching wild IP6 with mixed case", allowed); + + } + + @Test + public void testWildIP6Denied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132:133:134:*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132:133:234:136"); + System.out.println("testWildIP6Denied allowed: " + allowed); + Assert.assertFalse("Access allowed for a request ip not matching wild IP6", allowed); + + } + + @Test + public void testWilderIP6Allowed() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132:133:*:*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132:133:234:235"); + System.out.println("testWilderIP6Allowed allowed: " + allowed); + Assert.assertTrue("Access denied for a request ip matching wilder IP6", allowed); + + } + + @Test + public void testWilderIP6Denied() { + + URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked(); + + PolicyContainer policyContainer = buildPolicyContainer( + "xa", + "WEBHDFS", + asList("allow"), + asList("guest"), + asList("sales"), + asList("132:133:*:*")); + pdp.setPolicyContainer(policyContainer); + + + boolean allowed = pdp.isAccessGranted( + "xa", + "WEBHDFS", + "allow", + "guest", + asSet("sales"), + "132:233:234:136"); + System.out.println("testWilderIP6Denied allowed: " + allowed); + Assert.assertFalse("Access allowed for a request ip not matching wilder IP6", allowed); + + } + + private static PolicyContainer buildPolicyContainer(String topologies, + String services, List<String> accessTypes, List<String> users, + List<String> groups, List<String> ipAddresses) { + return buildPolicyContainer( topologies, services, accessTypes, + users, groups, ipAddresses, true, true); + + } + + private static PolicyContainer buildPolicyContainer(String topologies, + String services, List<String> accessTypes, List<String> users, + List<String> groups, List<String> ipAddresses, + boolean policyEnabled, boolean auditEnabled) { + + PolicyContainer policyContainer = new PolicyContainer(); + policyContainer.setRepositoryName("knoxdev"); + + List<Policy> policies = new ArrayList<Policy>(); + + Policy policy = new Policy(); + policy.setTopologies(topologies); + policy.setServices(services); + policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled"); + policy.setAuditInd(auditEnabled ? 1 : 0); + + List<RolePermission> rolePermissions = new ArrayList<RolePermission>(); + + RolePermission rolePermission = new RolePermission(); + + rolePermissions.add(rolePermission); + rolePermission.setAccess(accessTypes); + rolePermission.setUsers(users); + rolePermission.setGroups(groups); + rolePermission.setIpAddress(ipAddresses); + + policy.setPermissions(rolePermissions); + + policies.add(policy); + + policyContainer.setAcl(policies); + + return policyContainer; + } + + private static Set<String> asSet(String... a) { + Set<String> vals = new HashSet<String>(); + for (String s : a) { + vals.add(s); + } + return vals; + } + + private static List<String> asList(String... a) { + List<String> vals = new ArrayList<String>(); + for (String s : a) { + vals.add(s); + } + return vals; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java ---------------------------------------------------------------------- diff --git a/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java b/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java deleted file mode 100644 index 8d84223..0000000 --- a/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java +++ /dev/null @@ -1,141 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package com.xasecure.utils.install; - -import java.util.ArrayList; -import java.util.Random; - -public class PasswordGenerator { - - - private int minimumPasswordLength = 8 ; - - private int maximumPasswordLength = 12 ; - - private boolean isExpectedNumberic = true ; - - private boolean isExpectedBothCase = true ; - - private static final ArrayList<Character> alphaLetters = new ArrayList<Character>() ; - - private static final ArrayList<Character> alphaUpperLetters = new ArrayList<Character>() ; - - private static final ArrayList<Character> numericLetters = new ArrayList<Character>() ; - - - static { - for(int x = 'a' ; x <= 'z' ; x++) { - char v = (char)x ; - alphaLetters.add(Character.toLowerCase(v)) ; - alphaUpperLetters.add(Character.toUpperCase(v)) ; - } - for(int i = 0 ; i < 10 ; i++) { - numericLetters.add(Character.forDigit(i,10)) ; - } - } - - - - public static void main(String[] args) { - PasswordGenerator pg = new PasswordGenerator() ; - System.out.println(pg.generatorPassword()) ; - } - - - private int getPasswordLength() { - int ret = 0; - - if (minimumPasswordLength == maximumPasswordLength) { - ret = minimumPasswordLength ; - } - else { - - int diff = Math.abs(maximumPasswordLength - minimumPasswordLength) + 1 ; - ret = minimumPasswordLength + new Random().nextInt(diff) ; - } - return (ret) ; - } - - - public String generatorPassword() { - - String password = null ; - - ArrayList<Character> all = new ArrayList<Character>() ; - - all.addAll(alphaLetters) ; - all.addAll(alphaUpperLetters) ; - all.addAll(numericLetters) ; - - int len = getPasswordLength() ; - - Random random = new Random() ; - - int setSz = all.size(); - - do - { - StringBuilder sb = new StringBuilder(); - - for(int i = 0 ; i < len ; i++) { - int index = random.nextInt(setSz) ; - Character c = all.get(index) ; - while ((i == 0) && Character.isDigit(c)) { - index = random.nextInt(setSz) ; - c = all.get(index) ; - } - sb.append(all.get(index)) ; - } - password = sb.toString() ; - } while (! isValidPassword(password)) ; - - - return password ; - - } - - private boolean isValidPassword(String pass) { - boolean ret = true ; - - if (isExpectedNumberic || isExpectedBothCase) { - boolean lowerCaseFound = false ; - boolean digitFound = false ; - boolean upperCaseFound = false ; - for(char c : pass.toCharArray()) { - if (!digitFound && Character.isDigit(c)) { - digitFound = true ; - } - else if (!lowerCaseFound && Character.isLowerCase(c)) { - lowerCaseFound = true ; - } - else if (!upperCaseFound && Character.isUpperCase(c) ) { - upperCaseFound = true ; - } - } - - if (isExpectedNumberic && !digitFound) { - ret = false ; - } - - if (isExpectedBothCase && (!lowerCaseFound || !upperCaseFound)) { - ret = false ; - } - } - - return ret ; - } -}
