pivotal-jbarrett commented on a change in pull request #6721: URL: https://github.com/apache/geode/pull/6721#discussion_r678555262
########## File path: geode-junit/src/main/java/org/apache/geode/security/ExpirableSecurityManager.java ########## @@ -0,0 +1,51 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more contributor license + * agreements. See the NOTICE file distributed with this work for additional information regarding + * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the License. You may obtain a + * copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package org.apache.geode.security; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.geode.examples.SimpleSecurityManager; + +/** + * this is a test security manager that will authenticate credentials when username matches the + * password. It will authorize all operations. It keeps a list of expired users, and will throw + * AuthenticationExpiredException if the user is in that list. This security manager is usually used + * with NewCredentialAuthInitialize. + * + * make sure to call reset after each test to clean things up. + */ + +public class ExpirableSecurityManager extends SimpleSecurityManager { + private static List<String> EXPIRED_USERS = new ArrayList<>(); + + @Override + public boolean authorize(Object principal, ResourcePermission permission) { + if (EXPIRED_USERS.contains(principal)) { + throw new AuthenticationExpiredException("User authentication expired."); + } + // always authorized + return true; + } + + public static void addExpiredUser(String user) { + ExpirableSecurityManager.EXPIRED_USERS.add(user); Review comment: Assuming this value is mutated by some other thread this member should be of some thread safe and synchronized type. Also the class name is redundant here. ########## File path: geode-old-client-support/src/main/java/com/gemstone/gemfire/OldClientSupportProvider.java ########## @@ -121,11 +123,21 @@ public Throwable getThrowable(Throwable theThrowable, KnownVersion clientVersion if (theThrowable == null) { return theThrowable; } + + String className = theThrowable.getClass().getName(); + + // GEODE-9452, backward compatibility for authentication expiration + if (clientVersion.isOlderThan(KnownVersion.GEODE_1_14_0)) { + if (className.equals(AuthenticationExpiredException.class.getName())) { + return new AuthenticationRequiredException("User authorization attributes not found."); Review comment: To preserver consistency with the `AuthenticationRequiredException` perhaps they should both use the constant string here. ########## File path: geode-old-client-support/src/main/java/com/gemstone/gemfire/OldClientSupportProvider.java ########## @@ -121,11 +123,21 @@ public Throwable getThrowable(Throwable theThrowable, KnownVersion clientVersion if (theThrowable == null) { return theThrowable; } + + String className = theThrowable.getClass().getName(); + + // GEODE-9452, backward compatibility for authentication expiration + if (clientVersion.isOlderThan(KnownVersion.GEODE_1_14_0)) { Review comment: The current version in develop is 1.15. Unless this is back ported in the future to older versions then 1.15 should be used in this check. ########## File path: geode-old-client-support/src/main/java/com/gemstone/gemfire/OldClientSupportProvider.java ########## @@ -121,11 +123,21 @@ public Throwable getThrowable(Throwable theThrowable, KnownVersion clientVersion if (theThrowable == null) { return theThrowable; } + + String className = theThrowable.getClass().getName(); + + // GEODE-9452, backward compatibility for authentication expiration Review comment: Do not use ticket numbers in comments. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
