Repository: incubator-usergrid Updated Branches: refs/heads/master 61b492bb3 -> 2e90f39ce
Ensure that when external token validation is enabled, Admin Users cannot be created, activated or confirmed; plus a test. Project: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/commit/11709e05 Tree: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/tree/11709e05 Diff: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/diff/11709e05 Branch: refs/heads/master Commit: 11709e05cc74abcadde0f817734ef04562237b41 Parents: 25d0077 Author: Dave Johnson <[email protected]> Authored: Fri Apr 17 18:23:00 2015 -0400 Committer: Dave Johnson <[email protected]> Committed: Fri Apr 17 18:23:00 2015 -0400 ---------------------------------------------------------------------- .../organizations/OrganizationsResource.java | 18 +++- .../rest/management/users/UserResource.java | 42 ++++++++ .../rest/management/users/UsersResource.java | 16 ++- .../rest/management/ManagementResourceIT.java | 22 ++-- .../rest/management/users/MUUserResourceIT.java | 102 +++++++++++++++++-- 5 files changed, 179 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/11709e05/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java index 67c273f..e4e9eda 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/organizations/OrganizationsResource.java @@ -33,6 +33,7 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.UriInfo; import org.apache.usergrid.rest.RootResource; +import org.apache.usergrid.rest.management.ManagementResource; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -111,9 +112,9 @@ public class OrganizationsResource extends AbstractContextResource { String name = ( String ) json.remove( "name" ); String email = ( String ) json.remove( "email" ); String password = ( String ) json.remove( "password" ); - Map<String, Object> properties = ( Map<String, Object> ) json.remove( ORGANIZATION_PROPERTIES ); + Map<String, Object> orgProperties = ( Map<String, Object> ) json.remove( ORGANIZATION_PROPERTIES ); - return newOrganization( ui, organizationName, username, name, email, password, json, properties, callback ); + return newOrganization( ui, organizationName, username, name, email, password, json, orgProperties, callback ); } @@ -146,7 +147,16 @@ public class OrganizationsResource extends AbstractContextResource { /** Create a new organization */ private JSONWithPadding newOrganization( @Context UriInfo ui, String organizationName, String username, String name, String email, String password, Map<String, Object> userProperties, - Map<String, Object> properties, String callback ) throws Exception { + Map<String, Object> orgProperties, String callback ) throws Exception { + + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Organization / Admin Users must be created via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + Preconditions .checkArgument( StringUtils.isNotBlank( organizationName ), "The organization parameter was missing" ); @@ -157,7 +167,7 @@ public class OrganizationsResource extends AbstractContextResource { OrganizationOwnerInfo organizationOwner = management .createOwnerAndOrganization( organizationName, username, name, email, password, false, false, - userProperties, properties ); + userProperties, orgProperties ); if ( organizationOwner == null ) { logger.info( "organizationOwner is null, returning. organization: {}", organizationName ); http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/11709e05/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java index 49b0037..de3928d 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UserResource.java @@ -33,6 +33,8 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.UriInfo; +import org.apache.commons.lang.StringUtils; +import org.apache.usergrid.rest.management.ManagementResource; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.context.annotation.Scope; @@ -205,6 +207,14 @@ public class UserResource extends AbstractContextResource { @Produces( MediaType.TEXT_HTML ) public Viewable showPasswordResetForm( @Context UriInfo ui, @QueryParam( "token" ) String token ) { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must reset passwords via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + try { this.token = token; @@ -234,6 +244,14 @@ public class UserResource extends AbstractContextResource { @FormParam( "recaptcha_challenge_field" ) String challenge, @FormParam( "recaptcha_response_field" ) String uresponse ) { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must reset passwords via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + try { this.token = token; @@ -309,6 +327,14 @@ public class UserResource extends AbstractContextResource { @Produces( MediaType.TEXT_HTML ) public Viewable activate( @Context UriInfo ui, @QueryParam( "token" ) String token ) { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must activate via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + try { management.handleActivationTokenForAdminUser( user.getUuid(), token ); return handleViewable( "activate", this ); @@ -330,6 +356,14 @@ public class UserResource extends AbstractContextResource { @Produces( MediaType.TEXT_HTML ) public Viewable confirm( @Context UriInfo ui, @QueryParam( "token" ) String token ) { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must confirm via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + try { ActivationState state = management.handleConfirmationTokenForAdminUser( user.getUuid(), token ); if ( state == ActivationState.CONFIRMED_AWAITING_ACTIVATION ) { @@ -355,6 +389,14 @@ public class UserResource extends AbstractContextResource { @QueryParam( "callback" ) @DefaultValue( "callback" ) String callback ) throws Exception { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must reactiveate via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + logger.info( "Send activation email for user: {}" , user.getUuid() ); ApiResponse response = createApiResponse(); http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/11709e05/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java index 144a6de..d907632 100644 --- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java +++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/users/UsersResource.java @@ -34,8 +34,10 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.UriInfo; +import org.apache.commons.lang.StringUtils; import org.apache.usergrid.management.exceptions.ManagementException; import org.apache.usergrid.rest.RootResource; +import org.apache.usergrid.rest.management.ManagementResource; import org.apache.usergrid.services.exceptions.ServiceResourceNotFoundException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -78,7 +80,7 @@ public class UsersResource extends AbstractContextResource { @Path(RootResource.USER_ID_PATH) public UserResource getUserById( @Context UriInfo ui, @PathParam( "userId" ) String userIdStr ) throws Exception { - return getUserResource(management.getAdminUserByUuid(UUID.fromString(userIdStr)), "user id", userIdStr); + return getUserResource(management.getAdminUserByUuid( UUID.fromString( userIdStr ) ), "user id", userIdStr); } @@ -101,14 +103,14 @@ public class UsersResource extends AbstractContextResource { if (user == null) { throw new ManagementException("Could not find organization for " + type + " : " + value); } - return getSubResource(UserResource.class).init(user); + return getSubResource(UserResource.class).init( user ); } @Path(RootResource.EMAIL_PATH) public UserResource getUserByEmail( @Context UriInfo ui, @PathParam( "email" ) String email ) throws Exception { - return getUserResource(management.getAdminUserByEmail(email), "email", email); + return getUserResource(management.getAdminUserByEmail( email ), "email", email); } @@ -120,6 +122,14 @@ public class UsersResource extends AbstractContextResource { @QueryParam( "callback" ) @DefaultValue( "callback" ) String callback ) throws Exception { + final boolean externalTokensEnabled = + !StringUtils.isEmpty( properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + + if ( externalTokensEnabled ) { + throw new IllegalArgumentException( "Admin Users must signup via " + + properties.getProperty( ManagementResource.USERGRID_CENTRAL_URL ) ); + } + logger.info( "Create user: " + username ); ApiResponse response = createApiResponse(); http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/11709e05/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java index d6b507e..2cec9ac 100644 --- a/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java +++ b/stack/rest/src/test/java/org/apache/usergrid/rest/management/ManagementResourceIT.java @@ -669,7 +669,7 @@ public class ManagementResourceIT extends AbstractRestIT { String suToken = superAdminToken(); Map<String, String> props = new HashMap<String, String>(); - props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm()); + props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm() ); resource().path( "/testproperties" ) .queryParam( "access_token", suToken) .accept( MediaType.APPLICATION_JSON ) @@ -722,7 +722,7 @@ public class ManagementResourceIT extends AbstractRestIT { // create an org and an admin user - String rand = RandomStringUtils.randomAlphanumeric(10); + String rand = RandomStringUtils.randomAlphanumeric( 10 ); final String username = "user_" + rand; OrganizationOwnerInfo orgInfo = setup.getMgmtSvc().createOwnerAndOrganization( username, username, "Test User", username + "@example.com", "password" ); @@ -743,17 +743,23 @@ public class ManagementResourceIT extends AbstractRestIT { try { Map<String, Object> loginInfo = new HashMap<String, Object>() {{ - put("username", username ); - put("password", "password"); - put("grant_type", "password"); - }}; + put("username", username ); + put("password", "password"); + put("grant_type", "password"); + }}; JsonNode accessInfoNode = resource().path("/management/token") .type( MediaType.APPLICATION_JSON_TYPE ) .post( JsonNode.class, loginInfo ); fail("Login as Admin User must fail when validate external tokens is enabled"); - } catch ( Exception actual ) { - logger.debug( "error", actual ); + } catch ( UniformInterfaceException actual ) { + assertEquals( 400, actual.getResponse().getStatus() ); + String errorMsg = actual.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString(); + logger.error( "ERROR: " + errorMsg ); + assertTrue( errorMsg.contains( "Admin Users must login via" )); + + } catch ( Exception e ) { + fail( "We expected a UniformInterfaceException" ); } // login as superuser must succeed http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/11709e05/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java ---------------------------------------------------------------------- diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java index a75a401..65d6d50 100644 --- a/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java +++ b/stack/rest/src/test/java/org/apache/usergrid/rest/management/users/MUUserResourceIT.java @@ -25,9 +25,14 @@ import java.util.Map; import javax.mail.Message; import javax.mail.MessagingException; import javax.mail.internet.MimeMultipart; +import javax.ws.rs.DefaultValue; +import javax.ws.rs.FormParam; +import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; +import org.apache.commons.lang.RandomStringUtils; import org.codehaus.jackson.JsonNode; +import org.jclouds.json.Json; import org.junit.Ignore; import org.junit.Rule; import org.junit.Test; @@ -55,6 +60,7 @@ import org.apache.commons.lang.StringUtils; import com.sun.jersey.api.client.UniformInterfaceException; import com.sun.jersey.api.representation.Form; +import static org.apache.usergrid.rest.management.ManagementResource.USERGRID_CENTRAL_URL; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; @@ -71,7 +77,7 @@ import static org.apache.usergrid.utils.MapUtils.hashMap; /** @author zznate */ public class MUUserResourceIT extends AbstractRestIT { - private Logger LOG = LoggerFactory.getLogger( MUUserResourceIT.class ); + private Logger logger = LoggerFactory.getLogger( MUUserResourceIT.class ); @Rule @@ -87,7 +93,7 @@ public class MUUserResourceIT extends AbstractRestIT { @Test // @Ignore( "aok - check this please" ) public void testCaseSensitivityAdminUser() throws Exception { - LOG.info( "Starting testCaseSensitivityAdminUser()" ); + logger.info( "Starting testCaseSensitivityAdminUser()" ); UserInfo mixcaseUser = setup.getMgmtSvc() .createAdminUser( "AKarasulu", "Alex Karasulu", "[email protected]", "test", true, false ); @@ -157,7 +163,7 @@ public class MUUserResourceIT extends AbstractRestIT { assertEquals( "invalid_grant", node.get( "error" ).getTextValue() ); assertEquals( "User must be confirmed to authenticate", node.get( "error_description" ).getTextValue() ); - LOG.info( "Unconfirmed user was not authorized to authenticate!" ); + logger.info( "Unconfirmed user was not authorized to authenticate!" ); } // Confirm the getting account confirmation email for unconfirmed user @@ -174,7 +180,7 @@ public class MUUserResourceIT extends AbstractRestIT { // Extract the token to confirm the user // ------------------------------------------- String token = getTokenFromMessage( confirmation ); - LOG.info( token ); + logger.info( token ); ActivationState state = setup.getMgmtSvc().handleConfirmationTokenForAdminUser( orgOwner.getOwner().getUuid(), token ); @@ -194,7 +200,7 @@ public class MUUserResourceIT extends AbstractRestIT { .accept( MediaType.APPLICATION_JSON ).get( JsonNode.class ); assertNotNull( node ); - LOG.info( "Authentication succeeded after confirmation: {}.", node.toString() ); + logger.info( "Authentication succeeded after confirmation: {}.", node.toString() ); } finally { setTestProperties( originalProperties ); @@ -305,7 +311,7 @@ public class MUUserResourceIT extends AbstractRestIT { logNode( node ); payload = hashMap( "company", "Usergrid" ); - LOG.info( "sending PUT for company update" ); + logger.info( "sending PUT for company update" ); node = resource().path( String.format( "/management/users/%s", userId ) ).queryParam( "access_token", token ) .type( MediaType.APPLICATION_JSON_TYPE ).put( JsonNode.class, payload ); assertNotNull( node ); @@ -602,4 +608,88 @@ public class MUUserResourceIT extends AbstractRestIT { assertEquals( context.getActiveUser().getEmail(), adminNode.get( "email" ).asText() ); assertEquals( context.getActiveUser().getUser(), adminNode.get( "username" ).asText() ); } + + + @Test + public void testNoAdminUserSignupWhenValidateExternalTokensEnabled() throws Exception { + + // turn on validate external tokens by setting the usergrid.central.url + + String suToken = superAdminToken(); + Map<String, String> props = new HashMap<String, String>(); + props.put( USERGRID_CENTRAL_URL, getBaseURI().toURL().toExternalForm()); + resource().path( "/testproperties" ) + .queryParam( "access_token", suToken) + .accept( MediaType.APPLICATION_JSON ) + .type( MediaType.APPLICATION_JSON_TYPE ) + .post( props ); + + // create an admin user must fail + + try { + + // create an admin user + + final String rand = RandomStringUtils.randomAlphanumeric( 10 ); + Map<String, String> payload = new HashMap<String, String>() {{ + put( "username", "user_" + rand ); + put( "name", "Joe Userperson" ); + put( "email", "joe_" + rand + "@example.com" ); + put( "password", "wigglestone" ); + }}; + JsonNode node = resource().path( "/management/users") + .accept( MediaType.APPLICATION_JSON ) + .type( MediaType.APPLICATION_JSON ) + .post( JsonNode.class, payload ); + + fail( "Create admin user should fail" ); + + } catch ( UniformInterfaceException actual ) { + assertEquals( 400, actual.getResponse().getStatus() ); + String errorMsg = actual.getResponse().getEntity( JsonNode.class ).get( "error_description" ).toString(); + assertTrue( errorMsg.startsWith( "Admin Users must signup via http://localhost:"; ) ); + + } catch ( Exception e ) { + fail("We expected a UniformInterfaceException"); + } + + + try { + + // create an org and an admin user + + final String rand = RandomStringUtils.randomAlphanumeric( 10 ); + Map<String, String> payload = new HashMap<String, String>() {{ + put( "organization", "org_" + rand ); + put( "username", "user_" + rand ); + put( "name", "Joe Userperson" ); + put( "email", "joe_" + rand + "@example.com" ); + put( "password", "wigglestone" ); + }}; + JsonNode node = resource().path( "/management/organizations/") + .accept( MediaType.APPLICATION_JSON ) + .type( MediaType.APPLICATION_JSON ) + .post( JsonNode.class, payload ); + + fail( "Create org and admin user should fail" ); + + } catch ( UniformInterfaceException actual ) { + assertEquals( 400, actual.getResponse().getStatus() ); + assertTrue( actual.getResponse().getEntity( JsonNode.class ).get( "error_description" ) + .toString().startsWith( "Organization / Admin Users must be created via http://localhost:"; )); + + } catch ( Exception e ) { + fail("We expected a UniformInterfaceException"); + } + + + // turn off validate external tokens by un-setting the usergrid.central.url + + props.put( USERGRID_CENTRAL_URL, "" ); + resource().path( "/testproperties" ) + .queryParam( "access_token", suToken) + .accept( MediaType.APPLICATION_JSON ) + .type( MediaType.APPLICATION_JSON_TYPE ) + .post( props ); + } }
