|
@@ -26,11 +26,12 @@ import org.ietf.jgss.GSSName;
|
|
|
import org.junit.After;
|
|
import org.junit.After;
|
|
|
import org.junit.Assert;
|
|
import org.junit.Assert;
|
|
|
import org.junit.Before;
|
|
import org.junit.Before;
|
|
|
|
|
+import org.junit.Rule;
|
|
|
import org.junit.Test;
|
|
import org.junit.Test;
|
|
|
|
|
+import org.junit.rules.Timeout;
|
|
|
import org.mockito.Mockito;
|
|
import org.mockito.Mockito;
|
|
|
import org.ietf.jgss.Oid;
|
|
import org.ietf.jgss.Oid;
|
|
|
|
|
|
|
|
-import javax.security.auth.Subject;
|
|
|
|
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
|
|
import javax.servlet.ServletException;
|
|
import javax.servlet.ServletException;
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
@@ -38,15 +39,19 @@ import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
|
|
import java.io.File;
|
|
import java.io.File;
|
|
|
import java.security.Principal;
|
|
import java.security.Principal;
|
|
|
-import java.util.Arrays;
|
|
|
|
|
-import java.util.List;
|
|
|
|
|
import java.util.Properties;
|
|
import java.util.Properties;
|
|
|
import java.util.Set;
|
|
import java.util.Set;
|
|
|
import java.util.concurrent.Callable;
|
|
import java.util.concurrent.Callable;
|
|
|
|
|
|
|
|
|
|
+/**
|
|
|
|
|
+ * Tests for Kerberos Authentication Handler.
|
|
|
|
|
+ */
|
|
|
public class TestKerberosAuthenticationHandler
|
|
public class TestKerberosAuthenticationHandler
|
|
|
extends KerberosSecurityTestcase {
|
|
extends KerberosSecurityTestcase {
|
|
|
|
|
|
|
|
|
|
+ @Rule
|
|
|
|
|
+ public Timeout globalTimeout = Timeout.millis(60000);
|
|
|
|
|
+
|
|
|
protected KerberosAuthenticationHandler handler;
|
|
protected KerberosAuthenticationHandler handler;
|
|
|
|
|
|
|
|
protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
|
|
protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
|
|
@@ -74,8 +79,10 @@ public class TestKerberosAuthenticationHandler
|
|
|
File keytabFile = new File(KerberosTestUtils.getKeytabFile());
|
|
File keytabFile = new File(KerberosTestUtils.getKeytabFile());
|
|
|
String clientPrincipal = KerberosTestUtils.getClientPrincipal();
|
|
String clientPrincipal = KerberosTestUtils.getClientPrincipal();
|
|
|
String serverPrincipal = KerberosTestUtils.getServerPrincipal();
|
|
String serverPrincipal = KerberosTestUtils.getServerPrincipal();
|
|
|
- clientPrincipal = clientPrincipal.substring(0, clientPrincipal.lastIndexOf("@"));
|
|
|
|
|
- serverPrincipal = serverPrincipal.substring(0, serverPrincipal.lastIndexOf("@"));
|
|
|
|
|
|
|
+ clientPrincipal = clientPrincipal.substring(0,
|
|
|
|
|
+ clientPrincipal.lastIndexOf("@"));
|
|
|
|
|
+ serverPrincipal = serverPrincipal.substring(0,
|
|
|
|
|
+ serverPrincipal.lastIndexOf("@"));
|
|
|
getKdc().createPrincipal(keytabFile, clientPrincipal, serverPrincipal);
|
|
getKdc().createPrincipal(keytabFile, clientPrincipal, serverPrincipal);
|
|
|
// handler
|
|
// handler
|
|
|
handler = getNewAuthenticationHandler();
|
|
handler = getNewAuthenticationHandler();
|
|
@@ -88,7 +95,7 @@ public class TestKerberosAuthenticationHandler
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
|
|
+ @Test
|
|
|
public void testNameRules() throws Exception {
|
|
public void testNameRules() throws Exception {
|
|
|
KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
|
|
KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
|
|
|
Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());
|
|
Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());
|
|
@@ -100,7 +107,8 @@ public class TestKerberosAuthenticationHandler
|
|
|
|
|
|
|
|
handler = getNewAuthenticationHandler();
|
|
handler = getNewAuthenticationHandler();
|
|
|
Properties props = getDefaultProperties();
|
|
Properties props = getDefaultProperties();
|
|
|
- props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
|
|
|
|
|
|
|
+ props.setProperty(KerberosAuthenticationHandler.NAME_RULES,
|
|
|
|
|
+ "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
|
|
|
try {
|
|
try {
|
|
|
handler.init(props);
|
|
handler.init(props);
|
|
|
} catch (Exception ex) {
|
|
} catch (Exception ex) {
|
|
@@ -111,13 +119,12 @@ public class TestKerberosAuthenticationHandler
|
|
|
try {
|
|
try {
|
|
|
kn.getShortName();
|
|
kn.getShortName();
|
|
|
Assert.fail();
|
|
Assert.fail();
|
|
|
- }
|
|
|
|
|
- catch (Exception ex) {
|
|
|
|
|
|
|
+ } catch (Exception ex) {
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
- public void testInit() throws Exception {
|
|
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void testInit() {
|
|
|
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
|
|
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
|
|
|
Set<KerberosPrincipal> principals = handler.getPrincipals();
|
|
Set<KerberosPrincipal> principals = handler.getPrincipals();
|
|
|
Principal expectedPrincipal =
|
|
Principal expectedPrincipal =
|
|
@@ -126,8 +133,11 @@ public class TestKerberosAuthenticationHandler
|
|
|
Assert.assertEquals(1, principals.size());
|
|
Assert.assertEquals(1, principals.size());
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- // dynamic configuration of HTTP principals
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
|
|
+ /**
|
|
|
|
|
+ * Tests dynamic configuration of HTTP principals.
|
|
|
|
|
+ * @throws Exception
|
|
|
|
|
+ */
|
|
|
|
|
+ @Test
|
|
|
public void testDynamicPrincipalDiscovery() throws Exception {
|
|
public void testDynamicPrincipalDiscovery() throws Exception {
|
|
|
String[] keytabUsers = new String[]{
|
|
String[] keytabUsers = new String[]{
|
|
|
"HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host"
|
|
"HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host"
|
|
@@ -143,7 +153,8 @@ public class TestKerberosAuthenticationHandler
|
|
|
handler = getNewAuthenticationHandler();
|
|
handler = getNewAuthenticationHandler();
|
|
|
handler.init(props);
|
|
handler.init(props);
|
|
|
|
|
|
|
|
- Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
|
|
|
|
|
|
|
+ Assert.assertEquals(KerberosTestUtils.getKeytabFile(),
|
|
|
|
|
+ handler.getKeytab());
|
|
|
|
|
|
|
|
Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
|
|
Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
|
|
|
for (String user : keytabUsers) {
|
|
for (String user : keytabUsers) {
|
|
@@ -155,9 +166,13 @@ public class TestKerberosAuthenticationHandler
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- // dynamic configuration of HTTP principals
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
- public void testDynamicPrincipalDiscoveryMissingPrincipals() throws Exception {
|
|
|
|
|
|
|
+ /**
|
|
|
|
|
+ * Tests dynamic principal discovery for missing principals.
|
|
|
|
|
+ * @throws Exception
|
|
|
|
|
+ */
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void testDynamicPrincipalDiscoveryMissingPrincipals()
|
|
|
|
|
+ throws Exception {
|
|
|
String[] keytabUsers = new String[]{"hdfs/localhost"};
|
|
String[] keytabUsers = new String[]{"hdfs/localhost"};
|
|
|
String keytab = KerberosTestUtils.getKeytabFile();
|
|
String keytab = KerberosTestUtils.getKeytabFile();
|
|
|
getKdc().createPrincipal(new File(keytab), keytabUsers);
|
|
getKdc().createPrincipal(new File(keytab), keytabUsers);
|
|
@@ -179,32 +194,37 @@ public class TestKerberosAuthenticationHandler
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
- public void testType() throws Exception {
|
|
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void testType() {
|
|
|
Assert.assertEquals(getExpectedType(), handler.getType());
|
|
Assert.assertEquals(getExpectedType(), handler.getType());
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ @Test
|
|
|
public void testRequestWithoutAuthorization() throws Exception {
|
|
public void testRequestWithoutAuthorization() throws Exception {
|
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
|
|
|
|
|
|
Assert.assertNull(handler.authenticate(request, response));
|
|
Assert.assertNull(handler.authenticate(request, response));
|
|
|
- Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
|
|
|
|
|
|
|
+ Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
|
|
|
|
|
+ KerberosAuthenticator.NEGOTIATE);
|
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ @Test
|
|
|
public void testRequestWithInvalidAuthorization() throws Exception {
|
|
public void testRequestWithInvalidAuthorization() throws Exception {
|
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
|
|
|
|
|
|
- Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn("invalid");
|
|
|
|
|
|
|
+ Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
|
|
|
|
|
+ .thenReturn("invalid");
|
|
|
Assert.assertNull(handler.authenticate(request, response));
|
|
Assert.assertNull(handler.authenticate(request, response));
|
|
|
- Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
|
|
|
|
|
|
|
+ Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
|
|
|
|
|
+ KerberosAuthenticator.NEGOTIATE);
|
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- @Test(timeout=60000)
|
|
|
|
|
- public void testRequestWithIncompleteAuthorization() throws Exception {
|
|
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void testRequestWithIncompleteAuthorization() {
|
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
|
|
|
|
|
@@ -220,6 +240,7 @@ public class TestKerberosAuthenticationHandler
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ @Test
|
|
|
public void testRequestWithAuthorization() throws Exception {
|
|
public void testRequestWithAuthorization() throws Exception {
|
|
|
String token = KerberosTestUtils.doAsClient(new Callable<String>() {
|
|
String token = KerberosTestUtils.doAsClient(new Callable<String>() {
|
|
|
@Override
|
|
@Override
|
|
@@ -228,7 +249,8 @@ public class TestKerberosAuthenticationHandler
|
|
|
GSSContext gssContext = null;
|
|
GSSContext gssContext = null;
|
|
|
try {
|
|
try {
|
|
|
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
|
|
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
|
|
|
- Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
|
|
|
|
|
|
|
+ Oid oid =
|
|
|
|
|
+ KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
|
|
|
GSSName serviceName = gssManager.createName(servicePrincipal,
|
|
GSSName serviceName = gssManager.createName(servicePrincipal,
|
|
|
oid);
|
|
oid);
|
|
|
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
|
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
|
|
@@ -238,7 +260,8 @@ public class TestKerberosAuthenticationHandler
|
|
|
gssContext.requestMutualAuth(true);
|
|
gssContext.requestMutualAuth(true);
|
|
|
|
|
|
|
|
byte[] inToken = new byte[0];
|
|
byte[] inToken = new byte[0];
|
|
|
- byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
|
|
|
|
|
|
|
+ byte[] outToken =
|
|
|
|
|
+ gssContext.initSecContext(inToken, 0, inToken.length);
|
|
|
Base64 base64 = new Base64(0);
|
|
Base64 base64 = new Base64(0);
|
|
|
return base64.encodeToString(outToken);
|
|
return base64.encodeToString(outToken);
|
|
|
|
|
|
|
@@ -260,29 +283,34 @@ public class TestKerberosAuthenticationHandler
|
|
|
AuthenticationToken authToken = handler.authenticate(request, response);
|
|
AuthenticationToken authToken = handler.authenticate(request, response);
|
|
|
|
|
|
|
|
if (authToken != null) {
|
|
if (authToken != null) {
|
|
|
- Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
|
|
|
|
|
- Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
|
|
|
|
|
|
|
+ Mockito.verify(response)
|
|
|
|
|
+ .setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
|
|
|
|
|
+ Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
|
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
|
|
|
|
|
|
|
|
- Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName());
|
|
|
|
|
- Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName()));
|
|
|
|
|
|
|
+ Assert.assertEquals(KerberosTestUtils.getClientPrincipal(),
|
|
|
|
|
+ authToken.getName());
|
|
|
|
|
+ Assert.assertTrue(KerberosTestUtils.getClientPrincipal()
|
|
|
|
|
+ .startsWith(authToken.getUserName()));
|
|
|
Assert.assertEquals(getExpectedType(), authToken.getType());
|
|
Assert.assertEquals(getExpectedType(), authToken.getType());
|
|
|
} else {
|
|
} else {
|
|
|
- Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
|
|
|
|
|
- Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
|
|
|
|
|
|
|
+ Mockito.verify(response).setHeader(
|
|
|
|
|
+ Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
|
|
|
|
|
+ Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
|
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- public void testRequestWithInvalidKerberosAuthorization() throws Exception {
|
|
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void testRequestWithInvalidKerberosAuthorization() {
|
|
|
|
|
|
|
|
String token = new Base64(0).encodeToString(new byte[]{0, 1, 2});
|
|
String token = new Base64(0).encodeToString(new byte[]{0, 1, 2});
|
|
|
|
|
|
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
|
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
|
|
|
|
|
|
|
|
- Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn(
|
|
|
|
|
- KerberosAuthenticator.NEGOTIATE + token);
|
|
|
|
|
|
|
+ Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
|
|
|
|
|
+ .thenReturn(KerberosAuthenticator.NEGOTIATE + token);
|
|
|
|
|
|
|
|
try {
|
|
try {
|
|
|
handler.authenticate(request, response);
|
|
handler.authenticate(request, response);
|
Bharat Viswanadham