com.hortonworks.registries.auth.server.TestKerberosAuthenticationHandler.java Source code

Java tutorial

Introduction

Here is the source code for com.hortonworks.registries.auth.server.TestKerberosAuthenticationHandler.java

Source

/**
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License. See accompanying LICENSE file.
 */
package com.hortonworks.registries.auth.server;

import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import com.hortonworks.registries.auth.KerberosTestUtils;
import com.hortonworks.registries.auth.client.AuthenticationException;
import com.hortonworks.registries.auth.client.KerberosAuthenticator;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import com.hortonworks.registries.auth.util.KerberosName;
import com.hortonworks.registries.auth.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.mockito.Mockito;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.File;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.Callable;

@Ignore
public class TestKerberosAuthenticationHandler extends KerberosSecurityTestcase {

    protected KerberosAuthenticationHandler handler;

    protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
        return new KerberosAuthenticationHandler();
    }

    protected String getExpectedType() {
        return KerberosAuthenticationHandler.TYPE;
    }

    protected Properties getDefaultProperties() {
        Properties props = new Properties();
        props.setProperty(KerberosAuthenticationHandler.PRINCIPAL, KerberosTestUtils.getServerPrincipal());
        props.setProperty(KerberosAuthenticationHandler.KEYTAB, KerberosTestUtils.getKeytabFile());
        props.setProperty(KerberosAuthenticationHandler.NAME_RULES,
                "RULE:[1:$1@$0](.*@" + KerberosTestUtils.getRealm() + ")s/@.*//\n");
        return props;
    }

    @Before
    public void setup() throws Exception {
        // create keytab
        File keytabFile = new File(KerberosTestUtils.getKeytabFile());
        String clientPrincipal = KerberosTestUtils.getClientPrincipal();
        String serverPrincipal = KerberosTestUtils.getServerPrincipal();
        clientPrincipal = clientPrincipal.substring(0, clientPrincipal.lastIndexOf("@"));
        serverPrincipal = serverPrincipal.substring(0, serverPrincipal.lastIndexOf("@"));
        getKdc().createPrincipal(keytabFile, clientPrincipal, serverPrincipal);
        // handler
        handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        try {
            handler.init(props);
        } catch (Exception ex) {
            handler = null;
            throw ex;
        }
    }

    @Test(timeout = 60000)
    public void testNameRules() throws Exception {
        KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
        Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());

        //destroy handler created in setUp()
        handler.destroy();

        KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");

        handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
        try {
            handler.init(props);
        } catch (Exception ex) {
        }
        kn = new KerberosName("bar@BAR");
        Assert.assertEquals("bar", kn.getShortName());
        kn = new KerberosName("bar@FOO");
        try {
            kn.getShortName();
            Assert.fail();
        } catch (Exception ex) {
        }
    }

    @Test(timeout = 60000)
    public void testInit() throws Exception {
        Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
        Set<KerberosPrincipal> principals = handler.getPrincipals();
        Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.getServerPrincipal());
        Assert.assertTrue(principals.contains(expectedPrincipal));
        Assert.assertEquals(1, principals.size());
    }

    // dynamic configuration of HTTP principals
    @Test(timeout = 60000)
    public void testDynamicPrincipalDiscovery() throws Exception {
        String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" };
        String keytab = KerberosTestUtils.getKeytabFile();
        getKdc().createPrincipal(new File(keytab), keytabUsers);

        // destroy handler created in setUp()
        handler.destroy();
        Properties props = new Properties();
        props.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab);
        props.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "*");
        handler = getNewAuthenticationHandler();
        handler.init(props);

        Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());

        Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
        for (String user : keytabUsers) {
            Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.getRealm());
            boolean expected = user.startsWith("HTTP/");
            Assert.assertEquals("checking for " + user, expected, loginPrincipals.contains(principal));
        }
    }

    // dynamic configuration of HTTP principals
    @Test(timeout = 60000)
    public void testDynamicPrincipalDiscoveryMissingPrincipals() throws Exception {
        String[] keytabUsers = new String[] { "hdfs/localhost" };
        String keytab = KerberosTestUtils.getKeytabFile();
        getKdc().createPrincipal(new File(keytab), keytabUsers);

        // destroy handler created in setUp()
        handler.destroy();
        Properties props = new Properties();
        props.setProperty(KerberosAuthenticationHandler.KEYTAB, keytab);
        props.setProperty(KerberosAuthenticationHandler.PRINCIPAL, "*");
        handler = getNewAuthenticationHandler();
        try {
            handler.init(props);
            Assert.fail("init should have failed");
        } catch (ServletException ex) {
            Assert.assertEquals("Principals do not exist in the keytab", ex.getCause().getMessage());
        } catch (Throwable t) {
            Assert.fail("wrong exception: " + t);
        }
    }

    @Test(timeout = 60000)
    public void testType() throws Exception {
        Assert.assertEquals(getExpectedType(), handler.getType());
    }

    public void testRequestWithoutAuthorization() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Assert.assertNull(handler.authenticate(request, response));
        Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public void testRequestWithInvalidAuthorization() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn("invalid");
        Assert.assertNull(handler.authenticate(request, response));
        Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
        Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Test(timeout = 60000)
    public void testRequestWithIncompleteAuthorization() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
                .thenReturn(KerberosAuthenticator.NEGOTIATE);
        try {
            handler.authenticate(request, response);
            Assert.fail();
        } catch (AuthenticationException ex) {
            // Expected
        } catch (Exception ex) {
            Assert.fail();
        }
    }

    public void testRequestWithAuthorization() throws Exception {
        String token = KerberosTestUtils.doAsClient(new Callable<String>() {
            @Override
            public String call() throws Exception {
                GSSManager gssManager = GSSManager.getInstance();
                GSSContext gssContext = null;
                try {
                    String servicePrincipal = KerberosTestUtils.getServerPrincipal();
                    Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
                    GSSName serviceName = gssManager.createName(servicePrincipal, oid);
                    oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                    gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);

                    byte[] inToken = new byte[0];
                    byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                    Base64 base64 = new Base64(0);
                    return base64.encodeToString(outToken);

                } finally {
                    if (gssContext != null) {
                        gssContext.dispose();
                    }
                }
            }
        });

        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
                .thenReturn(KerberosAuthenticator.NEGOTIATE + " " + token);
        Mockito.when(request.getServerName()).thenReturn("localhost");

        AuthenticationToken authToken = handler.authenticate(request, response);

        if (authToken != null) {
            Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
                    Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
            Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);

            Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName());
            Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName()));
            Assert.assertEquals(getExpectedType(), authToken.getType());
        } else {
            Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
                    Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
            Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    public void testRequestWithInvalidKerberosAuthorization() throws Exception {

        String token = new Base64(0).encodeToString(new byte[] { 0, 1, 2 });

        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
                .thenReturn(KerberosAuthenticator.NEGOTIATE + token);

        try {
            handler.authenticate(request, response);
            Assert.fail();
        } catch (AuthenticationException ex) {
            // Expected
        } catch (Exception ex) {
            Assert.fail();
        }
    }

    @After
    public void tearDown() throws Exception {
        if (handler != null) {
            handler.destroy();
            handler = null;
        }
    }
}