/**
 * Checks that a delegation token passed in the request query string is
 * accepted by {@code handler.authenticate} and maps to the current user.
 *
 * <p>The returned {@link AuthenticationToken} is expected to carry
 * {@code expires == 0} and to report itself as expired.
 *
 * @throws Exception if token creation or authentication fails.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenQueryString() throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);

  // Issue a real delegation token for the current user with renewer "user".
  Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager()
          .createToken(UserGroupInformation.getCurrentUser(), "user");

  // NOTE(review): a token carried in the query string can be recorded by
  // access and proxy logs; testValidDelegationTokenHeader covers the header
  // transport.
  String queryString = DelegationTokenAuthenticator.DELEGATION_PARAM + "="
      + delegationToken.encodeToUrlString();
  Mockito.when(req.getQueryString()).thenReturn(queryString);

  AuthenticationToken authToken = handler.authenticate(req, resp);

  String expectedUser =
      UserGroupInformation.getCurrentUser().getShortUserName();
  Assert.assertEquals(expectedUser, authToken.getUserName());
  // expires == 0 together with isExpired() == true: presumably this keeps the
  // result from being reused as a session credential, so the delegation token
  // has to accompany every request -- confirm against the handler.
  Assert.assertEquals(0, authToken.getExpires());
  Assert.assertEquals(handler.getType(), authToken.getType());
  Assert.assertTrue(authToken.isExpired());
}
/**
 * Checks that a delegation token passed in the
 * {@code DELEGATION_TOKEN_HEADER} request header is accepted by
 * {@code handler.authenticate} and maps to the current user.
 *
 * <p>The returned {@link AuthenticationToken} is expected to carry
 * {@code expires == 0} and to report itself as expired.
 *
 * @throws Exception if token creation or authentication fails.
 */
@SuppressWarnings("unchecked")
private void testValidDelegationTokenHeader() throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);

  // Issue a real delegation token for the current user with renewer "user".
  Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager()
          .createToken(UserGroupInformation.getCurrentUser(), "user");

  // Only the delegation-token header is stubbed; no query string is set up.
  String headerValue = delegationToken.encodeToUrlString();
  Mockito.when(req.getHeader(
      Mockito.eq(DelegationTokenAuthenticator.DELEGATION_TOKEN_HEADER)))
      .thenReturn(headerValue);

  AuthenticationToken authToken = handler.authenticate(req, resp);

  String expectedUser =
      UserGroupInformation.getCurrentUser().getShortUserName();
  Assert.assertEquals(expectedUser, authToken.getUserName());
  // expires == 0 together with isExpired() == true: presumably this keeps the
  // result from being reused as a session credential -- confirm against the
  // handler.
  Assert.assertEquals(0, authToken.getExpires());
  Assert.assertEquals(handler.getType(), authToken.getType());
  Assert.assertTrue(authToken.isExpired());
}
/**
 * Checks that a valid delegation token supplied as the
 * {@code DELEGATION_PARAM} request parameter authenticates as the current
 * user with the HttpFS Kerberos handler type.
 *
 * @param handler authentication handler under test.
 * @throws Exception if token creation or authentication fails.
 */
private void testValidDelegationToken(AuthenticationHandler handler)
    throws Exception {
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);

  // The token comes from the DelegationTokenManager registered in the
  // HttpFS web app, with renewer "user".
  DelegationTokenManager tokenManager =
      HttpFSServerWebApp.get().get(DelegationTokenManager.class);
  Token<DelegationTokenIdentifier> delegationToken =
      tokenManager.createToken(UserGroupInformation.getCurrentUser(), "user");
  String encoded = delegationToken.encodeToUrlString();
  Mockito.when(req.getParameter(HttpFSKerberosAuthenticator.DELEGATION_PARAM))
      .thenReturn(encoded);

  AuthenticationToken authToken = handler.authenticate(req, resp);

  String expectedUser =
      UserGroupInformation.getCurrentUser().getShortUserName();
  Assert.assertEquals(expectedUser, authToken.getUserName());
  // The token must come back with expires == 0 and already expired;
  // presumably so it is not reused as a session credential -- confirm
  // against the handler.
  Assert.assertEquals(0, authToken.getExpires());
  Assert.assertEquals(HttpFSKerberosAuthenticationHandler.TYPE,
      authToken.getType());
  Assert.assertTrue(authToken.isExpired());
}
/**
 * Authenticates a mocked request that carries a freshly created delegation
 * token in the {@code DELEGATION_PARAM} parameter and checks the resulting
 * {@link AuthenticationToken}.
 *
 * @param handler authentication handler under test.
 * @throws Exception if token creation or authentication fails.
 */
private void testValidDelegationToken(AuthenticationHandler handler)
    throws Exception {
  HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);

  Token<DelegationTokenIdentifier> issued =
      HttpFSServerWebApp.get()
          .get(DelegationTokenManager.class)
          .createToken(UserGroupInformation.getCurrentUser(), "user");
  Mockito
      .when(mockRequest.getParameter(
          HttpFSKerberosAuthenticator.DELEGATION_PARAM))
      .thenReturn(issued.encodeToUrlString());

  AuthenticationToken result = handler.authenticate(mockRequest, mockResponse);

  // Identity: the short name of the current user.
  Assert.assertEquals(
      UserGroupInformation.getCurrentUser().getShortUserName(),
      result.getUserName());
  // Lifetime: expires == 0 and isExpired() == true. Presumably this stops
  // the result from being cached as a session credential -- confirm against
  // the handler.
  Assert.assertEquals(0, result.getExpires());
  // Type: the HttpFS Kerberos handler type.
  Assert.assertEquals(HttpFSKerberosAuthenticationHandler.TYPE,
      result.getType());
  Assert.assertTrue(result.isExpired());
}
/**
 * Exercises the RENEWDELEGATIONTOKEN management operation in three steps:
 * without an authentication token (401 expected), with one but without the
 * token parameter (400 expected), and with both (200 expected).
 *
 * @param handler authentication handler under test.
 * @throws Exception if any mocked call or token operation fails.
 */
private void testRenewToken(AuthenticationHandler handler) throws Exception {
  DelegationTokenOperation renewOp =
      DelegationTokenOperation.RENEWDELEGATIONTOKEN;
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);
  Mockito.when(req.getParameter(HttpFSFileSystem.OP_PARAM))
      .thenReturn(renewOp.toString());
  Mockito.when(req.getMethod()).thenReturn(renewOp.getHttpMethod());

  // Step 1: no authentication token at all -> 401.
  boolean proceed = handler.managementOperation(null, req, resp);
  Assert.assertFalse(proceed);
  Mockito.verify(resp).sendError(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
      Mockito.contains("equires SPNEGO authentication established"));

  // Step 2: authenticated caller, but no [token] parameter -> 400.
  Mockito.reset(resp);
  AuthenticationToken authToken = Mockito.mock(AuthenticationToken.class);
  Mockito.when(authToken.getUserName()).thenReturn("user");
  proceed = handler.managementOperation(authToken, req, resp);
  Assert.assertFalse(proceed);
  Mockito.verify(resp).sendError(
      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
      Mockito.contains("requires the parameter [token]"));

  // Step 3: authenticated caller plus a real delegation token -> 200.
  Mockito.reset(resp);
  StringWriter body = new StringWriter();
  PrintWriter bodyWriter = new PrintWriter(body);
  Mockito.when(resp.getWriter()).thenReturn(bodyWriter);
  DelegationTokenManager tokenManager =
      HttpFSServerWebApp.get().get(DelegationTokenManager.class);
  Token<DelegationTokenIdentifier> delegationToken =
      tokenManager.createToken(UserGroupInformation.getCurrentUser(), "user");
  Mockito.when(req.getParameter(HttpFSKerberosAuthenticator.TOKEN_PARAM))
      .thenReturn(delegationToken.encodeToUrlString());
  proceed = handler.managementOperation(authToken, req, resp);
  Assert.assertFalse(proceed);
  Mockito.verify(resp).setStatus(HttpServletResponse.SC_OK);
  bodyWriter.close();
  // The body must mention "long"; presumably the JSON key holding the new
  // expiration time -- confirm against the handler's response format.
  Assert.assertTrue(body.toString().contains("long"));
  // The token is verified after renewal; presumably verifyToken throws if it
  // is no longer valid -- confirm.
  HttpFSServerWebApp.get().get(DelegationTokenManager.class)
      .verifyToken(delegationToken);
}
/**
 * Extracts the {@link AuthenticationToken} from the request's auth cookie.
 *
 * <p>Every cookie named {@code AuthenticatedURL.AUTH_COOKIE} has its
 * signature checked with the signer before its value is used. If several
 * such cookies are present, the value of the last one is kept, but a
 * signature failure on any of them aborts the call. The parsed token is
 * rejected if its type does not match the configured handler or if it has
 * expired.
 *
 * @param request the HTTP request to read cookies from.
 * @return the validated token, or {@code null} if the request carries no
 *         auth cookie or the cookie value does not yield a token.
 * @throws IOException declared by the overridden method.
 * @throws AuthenticationException if signature verification fails, the token
 *         type does not match the handler, or the token has expired.
 */
@Override
protected AuthenticationToken getToken(HttpServletRequest request)
    throws IOException, AuthenticationException {
  String verifiedValue = null;
  Cookie[] cookies = request.getCookies();
  if (cookies != null) {
    for (Cookie candidate : cookies) {
      if (!candidate.getName().equals(AuthenticatedURL.AUTH_COOKIE)) {
        continue;
      }
      try {
        // The signature check runs before any parsing of the cookie value.
        verifiedValue = this.signer.verifyAndExtract(candidate.getValue());
      } catch (SignerException ex) {
        throw new AuthenticationException(ex);
      }
    }
  }
  if (verifiedValue == null) {
    return null;
  }

  AuthenticationToken token = AuthenticationToken.parse(verifiedValue);
  if (token == null) {
    return null;
  }

  // A token issued for one handler type must not be accepted by another.
  AuthenticationHandler authHandler = getAuthenticationHandler();
  if (!token.getType().equals(authHandler.getType())) {
    throw new AuthenticationException("Invalid AuthenticationToken type");
  }
  if (token.isExpired()) {
    throw new AuthenticationException("AuthenticationToken expired");
  }
  return token;
}
/**
 * Walks the RENEWDELEGATIONTOKEN management operation through its rejection
 * and success paths: unauthenticated (401), authenticated without the token
 * parameter (400), and authenticated with a valid delegation token (200).
 *
 * @param handler authentication handler under test.
 * @throws Exception if any mocked call or token operation fails.
 */
private void testRenewToken(AuthenticationHandler handler) throws Exception {
  DelegationTokenOperation operation =
      DelegationTokenOperation.RENEWDELEGATIONTOKEN;
  HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);
  Mockito.when(mockRequest.getParameter(HttpFSFileSystem.OP_PARAM))
      .thenReturn(operation.toString());
  Mockito.when(mockRequest.getMethod())
      .thenReturn(operation.getHttpMethod());

  // Unauthenticated caller: the handler must answer 401 itself.
  Assert.assertFalse(
      handler.managementOperation(null, mockRequest, mockResponse));
  Mockito.verify(mockResponse).sendError(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED),
      Mockito.contains("equires SPNEGO authentication established"));
  Mockito.reset(mockResponse);

  // Authenticated caller, no [token] parameter: 400.
  AuthenticationToken callerToken = Mockito.mock(AuthenticationToken.class);
  Mockito.when(callerToken.getUserName()).thenReturn("user");
  Assert.assertFalse(
      handler.managementOperation(callerToken, mockRequest, mockResponse));
  Mockito.verify(mockResponse).sendError(
      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
      Mockito.contains("requires the parameter [token]"));
  Mockito.reset(mockResponse);

  // Authenticated caller with a delegation token to renew: 200 plus a body.
  StringWriter captured = new StringWriter();
  PrintWriter out = new PrintWriter(captured);
  Mockito.when(mockResponse.getWriter()).thenReturn(out);
  Token<DelegationTokenIdentifier> toRenew =
      HttpFSServerWebApp.get()
          .get(DelegationTokenManager.class)
          .createToken(UserGroupInformation.getCurrentUser(), "user");
  Mockito.when(mockRequest.getParameter(HttpFSKerberosAuthenticator.TOKEN_PARAM))
      .thenReturn(toRenew.encodeToUrlString());
  Assert.assertFalse(
      handler.managementOperation(callerToken, mockRequest, mockResponse));
  Mockito.verify(mockResponse).setStatus(HttpServletResponse.SC_OK);
  out.close();

  // "long" is presumably the JSON key for the renewed expiration time --
  // confirm against the handler's response format.
  String responseBody = captured.toString();
  Assert.assertTrue(responseBody.contains("long"));

  // The renewed token is handed back to the manager for verification.
  HttpFSServerWebApp.get()
      .get(DelegationTokenManager.class)
      .verifyToken(toRenew);
}
/**
 * Builds a signed auth token of type "kerberos" for {@code user}, expiring
 * {@code TIMEOUT} milliseconds from now.
 *
 * <p>NOTE(review): despite the method name, the only protection visible here
 * is {@code signer.sign(...)}; whether the value is also encrypted depends on
 * the {@code Signer} implementation -- confirm.
 *
 * @param signer signer applied to the token's string form.
 * @param user name used both as user name and as principal of the token.
 * @return the signed token wrapped in an {@link AuthenticatedURL.Token}.
 * @throws Exception if signing fails.
 */
private AuthenticatedURL.Token getEncryptedAuthToken(Signer signer,
    String user) throws Exception {
  AuthenticationToken authToken =
      new AuthenticationToken(user, user, "kerberos");
  long expiresAt = System.currentTimeMillis() + TIMEOUT;
  authToken.setExpires(expiresAt);
  String signedValue = signer.sign(authToken.toString());
  return new AuthenticatedURL.Token(signedValue);
}
/**
 * Management-operation hook that performs no work and inspects none of its
 * arguments.
 *
 * @param authenticationToken ignored.
 * @param httpServletRequest ignored.
 * @param httpServletResponse ignored.
 * @return always {@code false}; presumably this tells the caller not to
 *         continue processing the request -- confirm against the
 *         overridden contract.
 * @throws IOException never thrown here; declared by the overridden method.
 * @throws AuthenticationException never thrown here; declared by the
 *         overridden method.
 */
@Override
public boolean managementOperation(
    AuthenticationToken authenticationToken,
    HttpServletRequest httpServletRequest,
    HttpServletResponse httpServletResponse)
    throws IOException, AuthenticationException {
  final boolean continueProcessing = false;
  return continueProcessing;
}
/**
 * Management-operation hook with an unconditional result; the token, request
 * and response are not read.
 *
 * @param token ignored.
 * @param request ignored.
 * @param response ignored.
 * @return always {@code false}; presumably this tells the caller not to
 *         continue processing the request -- confirm against the
 *         overridden contract.
 * @throws IOException never thrown here; declared by the overridden method.
 * @throws AuthenticationException never thrown here; declared by the
 *         overridden method.
 */
@Override
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response)
    throws IOException, AuthenticationException {
  final boolean continueProcessing = false;
  return continueProcessing;
}
/**
 * Exercises the RENEWDELEGATIONTOKEN management operation with the operation
 * and token passed in the query string: unauthenticated (401 plus a
 * WWW-Authenticate header), authenticated without the token parameter (400),
 * and authenticated with a valid delegation token (200).
 *
 * @throws Exception if any mocked call or token operation fails.
 */
@SuppressWarnings("unchecked")
private void testRenewToken() throws Exception {
  DelegationTokenAuthenticator.DelegationTokenOperation renewOp =
      DelegationTokenAuthenticator.DelegationTokenOperation
          .RENEWDELEGATIONTOKEN;
  HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse resp = Mockito.mock(HttpServletResponse.class);
  String opOnlyQuery =
      DelegationTokenAuthenticator.OP_PARAM + "=" + renewOp.toString();
  Mockito.when(req.getQueryString()).thenReturn(opOnlyQuery);
  Mockito.when(req.getMethod()).thenReturn(renewOp.getHttpMethod());

  // Step 1: no authentication token -> 401 and a challenge header whose
  // value is "mock".
  Assert.assertFalse(handler.managementOperation(null, req, resp));
  Mockito.verify(resp).setStatus(
      Mockito.eq(HttpServletResponse.SC_UNAUTHORIZED));
  Mockito.verify(resp).setHeader(
      Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
      Mockito.eq("mock"));

  // Step 2: authenticated caller, but no [token] parameter -> 400.
  Mockito.reset(resp);
  AuthenticationToken authToken = Mockito.mock(AuthenticationToken.class);
  Mockito.when(authToken.getUserName()).thenReturn("user");
  Assert.assertFalse(handler.managementOperation(authToken, req, resp));
  Mockito.verify(resp).sendError(
      Mockito.eq(HttpServletResponse.SC_BAD_REQUEST),
      Mockito.contains("requires the parameter [token]"));

  // Step 3: authenticated caller plus a real delegation token -> 200.
  Mockito.reset(resp);
  StringWriter body = new StringWriter();
  PrintWriter bodyWriter = new PrintWriter(body);
  Mockito.when(resp.getWriter()).thenReturn(bodyWriter);
  Token<DelegationTokenIdentifier> delegationToken =
      (Token<DelegationTokenIdentifier>) handler.getTokenManager()
          .createToken(UserGroupInformation.getCurrentUser(), "user");
  String opAndTokenQuery =
      DelegationTokenAuthenticator.OP_PARAM + "=" + renewOp.toString()
          + "&" + DelegationTokenAuthenticator.TOKEN_PARAM + "="
          + delegationToken.encodeToUrlString();
  Mockito.when(req.getQueryString()).thenReturn(opAndTokenQuery);
  Assert.assertFalse(handler.managementOperation(authToken, req, resp));
  Mockito.verify(resp).setStatus(HttpServletResponse.SC_OK);
  bodyWriter.close();
  // "long" is presumably the JSON key for the renewed expiration time --
  // confirm against the handler's response format.
  Assert.assertTrue(body.toString().contains("long"));
  // The renewed token is handed back to the manager for verification.
  handler.getTokenManager().verifyToken(delegationToken);
}
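/**
 * Exercises the GETDELEGATIONTOKEN management operation and checks that the
 * token returned in the JSON response verifies against the handler's token
 * manager and has the expected kind.
 *
 * <p>The operation is invoked twice: once with only the operation parameter
 * in the query string, and once with a renewer parameter added. Only the
 * second response is inspected.
 *
 * @param renewer value for the renewer query parameter. When {@code null},
 *        string concatenation puts the literal text "null" in the query
 *        string.
 * @param expectedTokenKind kind the issued delegation token must report.
 * @throws Exception if any mocked call, JSON parsing or token verification
 *         fails.
 */
private void testGetToken(String renewer, Text expectedTokenKind)
    throws Exception {
  DelegationTokenAuthenticator.DelegationTokenOperation op =
      DelegationTokenAuthenticator.DelegationTokenOperation
          .GETDELEGATIONTOKEN;
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
  Mockito.when(request.getQueryString())
      .thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString());
  Mockito.when(request.getMethod()).thenReturn(op.getHttpMethod());

  // First call: no renewer parameter; the response body is discarded.
  AuthenticationToken token = Mockito.mock(AuthenticationToken.class);
  Mockito.when(token.getUserName()).thenReturn("user");
  Mockito.when(response.getWriter())
      .thenReturn(new PrintWriter(new StringWriter()));
  Assert.assertFalse(handler.managementOperation(token, request, response));

  // Second call: renewer parameter present; the response body is captured.
  Mockito.when(request.getQueryString())
      .thenReturn(DelegationTokenAuthenticator.OP_PARAM + "=" + op.toString()
          + "&" + DelegationTokenAuthenticator.RENEWER_PARAM + "=" + renewer);
  Mockito.reset(response);
  Mockito.reset(token);
  Mockito.when(token.getUserName()).thenReturn("user");
  StringWriter writer = new StringWriter();
  PrintWriter pwriter = new PrintWriter(writer);
  Mockito.when(response.getWriter()).thenReturn(pwriter);
  Assert.assertFalse(handler.managementOperation(token, request, response));

  // The caller's user name must be read exactly once, whether or not a
  // renewer was supplied (the previous if/else had identical branches).
  Mockito.verify(token).getUserName();
  Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
  Mockito.verify(response).setContentType(MediaType.APPLICATION_JSON);
  pwriter.close();

  String responseOutput = writer.toString();
  String tokenLabel = DelegationTokenAuthenticator.DELEGATION_TOKEN_JSON;
  Assert.assertTrue(responseOutput.contains(tokenLabel));
  Assert.assertTrue(responseOutput.contains(
      DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON));

  // Parse the JSON body and pull out the URL-encoded token string.
  ObjectMapper jsonMapper = new ObjectMapper();
  Map<?, ?> json = jsonMapper.readValue(responseOutput, Map.class);
  Map<?, ?> tokenJson = (Map<?, ?>) json.get(tokenLabel);
  String tokenStr = (String) tokenJson.get(
      DelegationTokenAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);

  // The decoded token is handed to the issuing manager for verification.
  Token<DelegationTokenIdentifier> dt = new Token<DelegationTokenIdentifier>();
  dt.decodeFromUrlString(tokenStr);
  handler.getTokenManager().verifyToken(dt);
  Assert.assertEquals(expectedTokenKind, dt.getKind());
}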
/**
 * Management-operation hook with an unconditional result; the token, request
 * and response are not read.
 *
 * @param token ignored.
 * @param request ignored.
 * @param response ignored.
 * @return always {@code true}; presumably this tells the caller to continue
 *         processing the request -- confirm against the overridden contract.
 */
@Override
public boolean managementOperation(
    AuthenticationToken token,
    HttpServletRequest request,
    HttpServletResponse response) {
  final boolean continueProcessing = true;
  return continueProcessing;
}
/**
 * Resolves the effective user that will be used to request a
 * FileSystemAccess filesystem.
 *
 * <p>If the doAs-user is {@code null} or equal to the user's name, the
 * user's name is returned.
 *
 * <p>Otherwise the proxyuser rules (see {@link ProxyUser}) are consulted,
 * together with the value of {@code HostnameFilter.get()}, to determine
 * whether the current user may impersonate the doAs-user. If the current
 * user cannot impersonate the doAs-user an
 * <code>AccessControlException</code> will be thrown.
 *
 * <p>NOTE(review): the audit line is written only after validation returns,
 * so a rejected impersonation attempt is not audited by this method --
 * confirm it is recorded by {@code ProxyUser.validate} or by the caller.
 *
 * @param user principal for whom the filesystem instance is.
 * @param doAs do-as user, if any.
 *
 * @return the effective user.
 *
 * @throws IOException thrown if an IO error occurs.
 * @throws AccessControlException thrown if the current user cannot
 *         impersonate the doAs-user.
 */
private String getEffectiveUser(Principal user, String doAs)
    throws IOException {
  String principalName = user.getName();

  // No impersonation requested: the caller acts as itself.
  if (doAs == null || doAs.equals(principalName)) {
    return principalName;
  }

  // The proxy rules are checked against the token's user name when the
  // principal is an AuthenticationToken, and against getName() otherwise.
  String proxyUserName = (user instanceof AuthenticationToken)
      ? ((AuthenticationToken) user).getUserName()
      : principalName;

  ProxyUser proxyUser = HttpFSServerWebApp.get().get(ProxyUser.class);
  proxyUser.validate(proxyUserName, HostnameFilter.get(), doAs);

  AUDIT_LOG.info("Proxy user [{}] DoAs user [{}]", proxyUserName, doAs);
  return doAs;
}