/**
 * Builds a string-backed {@link SignerSecretProvider} and exposes it through
 * a mocked {@link ServletContext}.
 *
 * <p>The mocked context returns the provider for
 * {@code AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE}, and
 * {@code config.getServletContext()} is stubbed to return that context.
 * The literal {@code "secret"} is a fixed test fixture, not a real key.
 *
 * @param config filter configuration to stub; it must be a Mockito mock
 *     because {@code getServletContext()} is stubbed on it here
 * @return the initialised provider that the mocked context hands out
 * @throws Exception if the provider cannot be initialised
 */
private static SignerSecretProvider getMockedServletContextWithStringSigner(
    FilterConfig config) throws Exception {
  Properties signerProps = new Properties();
  signerProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret");

  SignerSecretProvider provider =
      StringSignerSecretProviderCreator.newStringSignerSecretProvider();
  provider.init(signerProps, null, TOKEN_VALIDITY_SEC);

  // The two stubs are independent of each other: one hands out the context,
  // the other hands out the provider from that context.
  ServletContext servletContext = Mockito.mock(ServletContext.class);
  Mockito.when(config.getServletContext()).thenReturn(servletContext);
  Mockito.when(servletContext.getAttribute(
      AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE))
      .thenReturn(provider);
  return provider;
}
/**
 * Runs the filter once and asserts that the request was passed down the
 * chain and that a signed authentication cookie was issued.
 *
 * <p>The cookie written via {@code Set-Cookie} is captured from the mocked
 * response, run through {@code Signer.verifyAndExtract} with a signer built
 * from the fixed test secret, parsed back into an
 * {@link AuthenticationToken}, and checked to be unexpired with non-zero
 * expiry and max-inactive values.
 *
 * @param filter the initialised filter under test
 * @param request mocked request carrying the caller's cookies
 * @param response mocked response; {@code addHeader("Set-Cookie", ...)} is
 *     intercepted here
 * @param chain mocked chain that must be invoked exactly once
 * @throws Exception if the filter or the signer throws
 */
private static void verifyAuthorized(AuthenticationFilter filter,
    HttpServletRequest request, HttpServletResponse response,
    FilterChain chain) throws Exception {
  // Record every Set-Cookie header the filter writes to the mocked response.
  final Map<String, String> issuedCookies = new HashMap<>();
  Mockito.doAnswer(new Answer<Object>() {
    @Override
    public Object answer(InvocationOnMock invocation) throws Throwable {
      Object[] args = invocation.getArguments();
      String headerValue = (String) args[1];
      parseCookieMap(headerValue, issuedCookies);
      return null;
    }
  }).when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());

  filter.doFilter(request, response, chain);

  String authCookie = issuedCookies.get(AuthenticatedURL.AUTH_COOKIE);
  Assert.assertNotNull("cookie missing", authCookie);

  // The cookie must carry every one of these attribute markers.
  boolean hasAllFields = true;
  for (String marker : new String[] {"u=", "p=", "t=", "i=", "e=", "s="}) {
    hasAllFields = hasAllFields && authCookie.contains(marker);
  }
  Assert.assertTrue(hasAllFields);

  Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
      Mockito.any(ServletResponse.class));

  // Rebuild a signer from the same fixed test secret so that the issued
  // cookie is checked independently of the filter's own provider instance.
  Properties signerProps = new Properties();
  signerProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret");
  SignerSecretProvider provider =
      StringSignerSecretProviderCreator.newStringSignerSecretProvider();
  provider.init(signerProps, null, TOKEN_VALIDITY_SEC);
  Signer cookieSigner = new Signer(provider);

  String unsignedValue = cookieSigner.verifyAndExtract(authCookie);
  AuthenticationToken issued = AuthenticationToken.parse(unsignedValue);
  assertThat(issued.getMaxInactives(), not(0L));
  assertThat(issued.getExpires(), not(0L));
  Assert.assertFalse("Token is expired.", issued.isExpired());
}
/**
 * Creates a {@link Signer} backed by a string secret provider that is
 * initialised with {@code SECRET_STR} and {@code TIMEOUT}.
 *
 * @return a signer keyed with the test secret
 * @throws Exception if the provider cannot be initialised
 */
private Signer getSignerToEncrypt() throws Exception {
  Properties signerProps = new Properties();
  signerProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, SECRET_STR);

  SignerSecretProvider provider =
      StringSignerSecretProviderCreator.newStringSignerSecretProvider();
  provider.init(signerProps, null, TIMEOUT);

  Signer signer = new Signer(provider);
  return signer;
}
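/**
 * Verifies that {@code AuthenticationFilter.getToken} rejects a correctly
 * signed cookie whose token has already expired.
 *
 * <p>The cookie is signed with the same fixed test secret that the filter's
 * mocked servlet context exposes, so the failure being asserted is the
 * expiry check and not a signature mismatch.
 *
 * @throws Exception if filter setup or signing fails unexpectedly
 */
@Test
public void testGetTokenExpired() throws Exception {
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig config = Mockito.mock(FilterConfig.class);
    Mockito.when(config.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn("secret");
    Mockito.when(config.getInitParameterNames()).thenReturn(
        new Vector<String>(
            Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                AuthenticationFilter.SIGNATURE_SECRET,
                "management.operation.return")).elements());
    getMockedServletContextWithStringSigner(config);
    filter.init(config);

    AuthenticationToken token =
        new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
    // NOTE(review): TOKEN_VALIDITY_SEC is named as seconds but is subtracted
    // from a millisecond clock, so the expiry lies only that many
    // milliseconds in the past. Confirm the intended unit.
    token.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);

    SignerSecretProvider secretProvider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    Properties secretProviderProps = new Properties();
    secretProviderProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, "secret");
    secretProvider.init(secretProviderProps, null, TOKEN_VALIDITY_SEC);
    Signer signer = new Signer(secretProvider);
    String tokenSigned = signer.sign(token.toString());

    Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});

    // Fail inside the try block instead of asserting in a finally block:
    // an assertion thrown from finally would replace any unexpected
    // exception from getToken and hide the real cause of the failure.
    try {
      filter.getToken(request);
      Assert.fail("token not expired");
    } catch (AuthenticationException ex) {
      Assert.assertEquals("AuthenticationToken expired", ex.getMessage());
    }
  } finally {
    filter.destroy();
  }
}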
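/**
 * Verifies that {@code AuthenticationFilter.getToken} rejects a correctly
 * signed, unexpired cookie whose token type is {@code "invalidtype"} rather
 * than the type of the configured handler.
 *
 * <p>The signature is valid here, so the test shows that a valid signature
 * alone is not sufficient for the token to be accepted.
 *
 * @throws Exception if filter setup or signing fails unexpectedly
 */
@Test
public void testGetTokenInvalidType() throws Exception {
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig config = Mockito.mock(FilterConfig.class);
    Mockito.when(config.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(config.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(config.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn("secret");
    Mockito.when(config.getInitParameterNames()).thenReturn(
        new Vector<String>(
            Arrays.asList(AuthenticationFilter.AUTH_TYPE,
                AuthenticationFilter.SIGNATURE_SECRET,
                "management.operation.return")).elements());
    getMockedServletContextWithStringSigner(config);
    filter.init(config);

    AuthenticationToken token = new AuthenticationToken("u", "p", "invalidtype");
    // NOTE(review): TOKEN_VALIDITY_SEC is named as seconds but is added to a
    // millisecond clock, so the token stays valid for only that many
    // milliseconds. If that window is short, a slow run might fail on expiry
    // instead of on the type check. Confirm the intended unit.
    token.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);

    SignerSecretProvider secretProvider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    Properties secretProviderProps = new Properties();
    secretProviderProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, "secret");
    secretProvider.init(secretProviderProps, null, TOKEN_VALIDITY_SEC);
    Signer signer = new Signer(secretProvider);
    String tokenSigned = signer.sign(token.toString());

    Cookie cookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, tokenSigned);
    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{cookie});

    // Fail inside the try block instead of asserting in a finally block:
    // an assertion thrown from finally would replace any unexpected
    // exception from getToken and hide the real cause of the failure.
    try {
      filter.getToken(request);
      Assert.fail("token not invalid type");
    } catch (AuthenticationException ex) {
      Assert.assertEquals("Invalid AuthenticationToken type", ex.getMessage());
    }
  } finally {
    filter.destroy();
  }
}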
/**
 * Sends a request whose authentication cookie is correctly signed but
 * already expired through {@code doFilter} and expects the outcome checked
 * by {@code verifyUnauthorized}.
 *
 * @throws Exception if filter setup or signing fails unexpectedly
 */
@Test
public void testDoFilterAuthenticatedExpired() throws Exception {
  String signingSecret = "secret";
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn(signingSecret);
    Vector<String> paramNames = new Vector<String>(
        Arrays.asList(AuthenticationFilter.AUTH_TYPE,
            AuthenticationFilter.SIGNATURE_SECRET,
            "management.operation.return"));
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(paramNames.elements());
    getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    // Build an expired token and sign it with the secret the filter uses.
    AuthenticationToken expiredToken =
        new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
    // NOTE(review): TOKEN_VALIDITY_SEC is named as seconds but is subtracted
    // from a millisecond clock. Confirm the intended unit.
    expiredToken.setExpires(System.currentTimeMillis() - TOKEN_VALIDITY_SEC);

    Properties providerProps = new Properties();
    providerProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, signingSecret);
    SignerSecretProvider provider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    provider.init(providerProps, null, TOKEN_VALIDITY_SEC);
    String signedToken = new Signer(provider).sign(expiredToken.toString());
    Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getRequestURL())
        .thenReturn(new StringBuffer("http://foo:8080/bar"));
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    Mockito.when(response.containsHeader("WWW-Authenticate")).thenReturn(true);
    FilterChain chain = Mockito.mock(FilterChain.class);

    verifyUnauthorized(filter, request, response, chain);
  } finally {
    filter.destroy();
  }
}
/**
 * Sends a request whose authentication cookie is correctly signed and
 * unexpired but carries the token type {@code "invalidtype"} through
 * {@code doFilter}, and expects the outcome checked by
 * {@code verifyUnauthorized}.
 *
 * @throws Exception if filter setup or signing fails unexpectedly
 */
@Test
public void testDoFilterAuthenticatedInvalidType() throws Exception {
  String signingSecret = "secret";
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn(signingSecret);
    Vector<String> paramNames = new Vector<String>(
        Arrays.asList(AuthenticationFilter.AUTH_TYPE,
            AuthenticationFilter.SIGNATURE_SECRET,
            "management.operation.return"));
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(paramNames.elements());
    getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    // The signature is valid and the expiry is in the future; only the
    // token type differs from what this test configures.
    AuthenticationToken wrongTypeToken =
        new AuthenticationToken("u", "p", "invalidtype");
    // NOTE(review): TOKEN_VALIDITY_SEC is named as seconds but is added to a
    // millisecond clock. Confirm the intended unit.
    wrongTypeToken.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);

    Properties providerProps = new Properties();
    providerProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, signingSecret);
    SignerSecretProvider provider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    provider.init(providerProps, null, TOKEN_VALIDITY_SEC);
    String signedToken = new Signer(provider).sign(wrongTypeToken.toString());
    Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getRequestURL())
        .thenReturn(new StringBuffer("http://foo:8080/bar"));
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    Mockito.when(response.containsHeader("WWW-Authenticate")).thenReturn(true);
    FilterChain chain = Mockito.mock(FilterChain.class);

    verifyUnauthorized(filter, request, response, chain);
  } finally {
    filter.destroy();
  }
}
/**
 * Exercises {@code doFilter} with {@code management.operation.return} set to
 * {@code "false"}, first without and then with a signed authentication
 * cookie.
 *
 * <p>In both passes the only interaction allowed on the mocked response is
 * {@code setStatus(SC_ACCEPTED)}.
 *
 * @throws Exception if filter setup or signing fails unexpectedly
 */
@Test
public void testManagementOperation() throws Exception {
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("false");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Vector<String> paramNames = new Vector<String>(
        Arrays.asList(AuthenticationFilter.AUTH_TYPE,
            "management.operation.return"));
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(paramNames.elements());
    getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getRequestURL())
        .thenReturn(new StringBuffer("http://foo:8080/bar"));
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    FilterChain chain = Mockito.mock(FilterChain.class);

    // First pass: no cookie on the request.
    filter.doFilter(request, response, chain);
    Mockito.verify(response).setStatus(HttpServletResponse.SC_ACCEPTED);
    Mockito.verifyNoMoreInteractions(response);

    // Clear recorded interactions and stubs before the second pass.
    Mockito.reset(request);
    Mockito.reset(response);

    // Second pass: the request carries a signed token cookie.
    AuthenticationToken authToken = new AuthenticationToken("u", "p", "t");
    // NOTE(review): TOKEN_VALIDITY_SEC is named as seconds but is added to a
    // millisecond clock. Confirm the intended unit.
    authToken.setExpires(System.currentTimeMillis() + TOKEN_VALIDITY_SEC);

    Properties providerProps = new Properties();
    providerProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret");
    SignerSecretProvider provider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    provider.init(providerProps, null, TOKEN_VALIDITY_SEC);
    String signedToken = new Signer(provider).sign(authToken.toString());

    Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    filter.doFilter(request, response, chain);
    Mockito.verify(response).setStatus(HttpServletResponse.SC_ACCEPTED);
    Mockito.verifyNoMoreInteractions(response);
  } finally {
    filter.destroy();
  }
}
/**
 * Drives {@code doFilter} with a signed cookie whose token carries the given
 * max-inactive and expiry values, then checks the expected outcome.
 *
 * @param maxInactives value passed to {@code token.setMaxInactives}
 * @param expires value passed to {@code token.setExpires}
 * @param authorized {@code true} to assert via {@code verifyAuthorized},
 *     {@code false} to assert via {@code verifyUnauthorized}
 * @throws Exception if filter setup or signing fails unexpectedly
 */
private void _testDoFilterAuthenticationMaxInactiveInterval(long maxInactives,
    long expires, boolean authorized) throws Exception {
  String signingSecret = "secret";
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn(signingSecret);
    Vector<String> paramNames = new Vector<String>(
        Arrays.asList(AuthenticationFilter.AUTH_TYPE,
            AuthenticationFilter.SIGNATURE_SECRET,
            "management.operation.return"));
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(paramNames.elements());
    getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    // Token under test: the caller controls both time-related fields.
    AuthenticationToken authToken =
        new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
    authToken.setMaxInactives(maxInactives);
    authToken.setExpires(expires);

    Properties providerProps = new Properties();
    providerProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, signingSecret);
    SignerSecretProvider provider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    provider.init(providerProps, null, TOKEN_VALIDITY_SEC);
    String signedToken = new Signer(provider).sign(authToken.toString());
    Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getRequestURL())
        .thenReturn(new StringBuffer("http://foo:8080/bar"));
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    Mockito.when(response.containsHeader("WWW-Authenticate"))
        .thenReturn(true);
    FilterChain chain = Mockito.mock(FilterChain.class);

    if (!authorized) {
      verifyUnauthorized(filter, request, response, chain);
    } else {
      verifyAuthorized(filter, request, response, chain);
    }
  } finally {
    filter.destroy();
  }
}
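/**
 * Walks a delegation token through its lifecycle against the test HttpFS
 * server and pins the HTTP status expected at each step.
 *
 * <p>The sequence asserted is: no credentials gives 401; a signed auth
 * cookie gives 200; GETDELEGATIONTOKEN with the cookie returns a token; the
 * token alone gives 200; RENEWDELEGATIONTOKEN gives 401 without the cookie
 * and 200 with it; CANCELDELEGATIONTOKEN gives 200 without the cookie; the
 * cancelled token then gives 403.
 *
 * @throws Exception if the server cannot be started or a request fails
 */
@Test
@TestDir
@TestJetty
@TestHdfs
public void testDelegationTokenOperations() throws Exception {
  createHttpFSServer(true);

  // No cookie and no delegation token: the request must be refused.
  URL url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=GETHOMEDIRECTORY");
  HttpURLConnection conn = (HttpURLConnection) url.openConnection();
  Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED,
      conn.getResponseCode());

  // Forge an auth cookie with the fixed test secret.
  // NOTE(review): this only works if the server started by
  // createHttpFSServer signs with the same "secret" value. Confirm there.
  AuthenticationToken token = new AuthenticationToken("u", "p",
      HttpFSKerberosAuthenticationHandlerForTesting.TYPE);
  token.setExpires(System.currentTimeMillis() + 100000000);
  SignerSecretProvider secretProvider =
      StringSignerSecretProviderCreator.newStringSignerSecretProvider();
  Properties secretProviderProps = new Properties();
  secretProviderProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET,
      "secret");
  secretProvider.init(secretProviderProps, null, -1);
  Signer signer = new Signer(secretProvider);
  String tokenSigned = signer.sign(token.toString());

  // The signed cookie authenticates the same request.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=GETHOMEDIRECTORY");
  conn = (HttpURLConnection) url.openConnection();
  conn.setRequestProperty("Cookie",
      AuthenticatedURL.AUTH_COOKIE + "=" + tokenSigned);
  Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

  // Obtain a delegation token using the cookie.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=GETDELEGATIONTOKEN");
  conn = (HttpURLConnection) url.openConnection();
  conn.setRequestProperty("Cookie",
      AuthenticatedURL.AUTH_COOKIE + "=" + tokenSigned);
  Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

  // Decode the JSON body as UTF-8 rather than the platform default charset,
  // and close the reader once parsing is done.
  InputStreamReader body =
      new InputStreamReader(conn.getInputStream(), "UTF-8");
  JSONObject json;
  try {
    json = (JSONObject) new JSONParser().parse(body);
  } finally {
    body.close();
  }
  json = (JSONObject) json
      .get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_JSON);
  String tokenStr = (String) json
      .get(HttpFSKerberosAuthenticator.DELEGATION_TOKEN_URL_STRING_JSON);

  // The delegation token alone, without the cookie, is accepted.
  // NOTE(review): tokenStr is appended to the query string without
  // URL-encoding; this relies on the server returning a URL-safe string, as
  // the JSON key name suggests. Confirm.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=GETHOMEDIRECTORY&delegation=" + tokenStr);
  conn = (HttpURLConnection) url.openConnection();
  Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

  // Renewal without the auth cookie is refused.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=RENEWDELEGATIONTOKEN&token=" + tokenStr);
  conn = (HttpURLConnection) url.openConnection();
  conn.setRequestMethod("PUT");
  Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED,
      conn.getResponseCode());

  // Renewal with the auth cookie succeeds.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=RENEWDELEGATIONTOKEN&token=" + tokenStr);
  conn = (HttpURLConnection) url.openConnection();
  conn.setRequestMethod("PUT");
  conn.setRequestProperty("Cookie",
      AuthenticatedURL.AUTH_COOKIE + "=" + tokenSigned);
  Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

  // Cancellation is sent without the cookie and is still expected to
  // succeed: presenting the token is enough to cancel it in this test.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=CANCELDELEGATIONTOKEN&token=" + tokenStr);
  conn = (HttpURLConnection) url.openConnection();
  conn.setRequestMethod("PUT");
  Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());

  // A cancelled token must no longer grant access.
  url = new URL(TestJettyHelper.getJettyURL(),
      "/webhdfs/v1/?op=GETHOMEDIRECTORY&delegation=" + tokenStr);
  conn = (HttpURLConnection) url.openConnection();
  Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
      conn.getResponseCode());
}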
/**
 * Drives {@code doFilter} with a signed cookie while both the token and the
 * filter configuration carry a max-inactive interval, then checks the
 * expected outcome.
 *
 * @param maxInactivesInToken value passed to {@code token.setMaxInactives}
 * @param maxInactivesOnServer value returned for the init parameter
 *     {@code AuthenticationFilter.AUTH_TOKEN_MAX_INACTIVE_INTERVAL}
 * @param expires value passed to {@code token.setExpires}
 * @param authorized {@code true} to assert via {@code verifyAuthorized},
 *     {@code false} to assert via {@code verifyUnauthorized}
 * @param newCookie forwarded to {@code verifyAuthorized}; unused when
 *     {@code authorized} is {@code false}
 * @throws Exception if filter setup or signing fails unexpectedly
 */
private void _testDoFilterAuthenticationMaxInactiveInterval(
    long maxInactivesInToken, long maxInactivesOnServer, long expires,
    boolean authorized, boolean newCookie) throws Exception {
  String signingSecret = "secret";
  AuthenticationFilter filter = new AuthenticationFilter();
  try {
    FilterConfig filterConfig = Mockito.mock(FilterConfig.class);
    Mockito.when(filterConfig.getInitParameter("management.operation.return"))
        .thenReturn("true");
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.AUTH_TYPE))
        .thenReturn(DummyAuthenticationHandler.class.getName());
    Mockito.when(filterConfig.getInitParameter(AuthenticationFilter.SIGNATURE_SECRET))
        .thenReturn(signingSecret);
    Mockito.when(filterConfig.getInitParameter(
        AuthenticationFilter.AUTH_TOKEN_MAX_INACTIVE_INTERVAL))
        .thenReturn(Long.toString(maxInactivesOnServer));
    Vector<String> paramNames = new Vector<String>(
        Arrays.asList(AuthenticationFilter.AUTH_TYPE,
            AuthenticationFilter.SIGNATURE_SECRET,
            AuthenticationFilter.AUTH_TOKEN_MAX_INACTIVE_INTERVAL,
            "management.operation.return"));
    Mockito.when(filterConfig.getInitParameterNames())
        .thenReturn(paramNames.elements());
    getMockedServletContextWithStringSigner(filterConfig);
    filter.init(filterConfig);

    // Token under test: the caller controls both time-related fields.
    AuthenticationToken authToken =
        new AuthenticationToken("u", "p", DummyAuthenticationHandler.TYPE);
    authToken.setMaxInactives(maxInactivesInToken);
    authToken.setExpires(expires);

    Properties providerProps = new Properties();
    providerProps.setProperty(
        AuthenticationFilter.SIGNATURE_SECRET, signingSecret);
    SignerSecretProvider provider =
        StringSignerSecretProviderCreator.newStringSignerSecretProvider();
    provider.init(providerProps, null, TOKEN_VALIDITY_SEC);
    String signedToken = new Signer(provider).sign(authToken.toString());
    Cookie authCookie = new Cookie(AuthenticatedURL.AUTH_COOKIE, signedToken);

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    Mockito.when(request.getRequestURL())
        .thenReturn(new StringBuffer("http://foo:8080/bar"));
    Mockito.when(request.getCookies()).thenReturn(new Cookie[]{authCookie});

    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    Mockito.when(response.containsHeader("WWW-Authenticate"))
        .thenReturn(true);
    FilterChain chain = Mockito.mock(FilterChain.class);

    if (!authorized) {
      verifyUnauthorized(filter, request, response, chain);
    } else {
      verifyAuthorized(filter, request, response, chain, newCookie);
    }
  } finally {
    filter.destroy();
  }
}
/**
 * Runs the filter once and asserts the authorized outcome, either with or
 * without a newly issued authentication cookie.
 *
 * <p>When {@code newCookie} is {@code true}, the cookie written via
 * {@code Set-Cookie} must be present, must pass
 * {@code Signer.verifyAndExtract} with a signer built from the fixed test
 * secret, and must parse into an unexpired token with non-zero expiry and
 * max-inactive values; the chain must also have been invoked. When it is
 * {@code false}, the only assertion is that no auth cookie was written.
 *
 * @param filter the initialised filter under test
 * @param request mocked request carrying the caller's cookies
 * @param response mocked response; {@code addHeader("Set-Cookie", ...)} is
 *     intercepted here
 * @param chain mocked filter chain
 * @param newCookie whether a fresh auth cookie is expected on the response
 * @throws Exception if the filter or the signer throws
 */
private static void verifyAuthorized(AuthenticationFilter filter,
    HttpServletRequest request, HttpServletResponse response,
    FilterChain chain, boolean newCookie) throws Exception {
  // Record every Set-Cookie header the filter writes to the mocked response.
  final Map<String, String> issuedCookies = new HashMap<>();
  Mockito.doAnswer(new Answer<Object>() {
    @Override
    public Object answer(InvocationOnMock invocation) throws Throwable {
      Object[] args = invocation.getArguments();
      String headerValue = (String) args[1];
      parseCookieMap(headerValue, issuedCookies);
      return null;
    }
  }).when(response).addHeader(Mockito.eq("Set-Cookie"), Mockito.anyString());

  filter.doFilter(request, response, chain);

  if (!newCookie) {
    // Make sure that no auth cookie is set on the response.
    // For an unauthorized response, the auth cookie is set with an empty
    // value.
    // NOTE(review): this branch does not verify that chain.doFilter was
    // invoked, so it does not by itself show the request was passed on.
    Assert.assertFalse("cookie is present",
        issuedCookies.containsKey(AuthenticatedURL.AUTH_COOKIE));
    return;
  }

  // A new cookie should be issued when maxInactiveInterval is enabled.
  String authCookie = issuedCookies.get(AuthenticatedURL.AUTH_COOKIE);
  Assert.assertNotNull("cookie missing", authCookie);

  // The cookie must carry every one of these attribute markers.
  boolean hasAllFields = true;
  for (String marker : new String[] {"u=", "p=", "t=", "i=", "e=", "s="}) {
    hasAllFields = hasAllFields && authCookie.contains(marker);
  }
  Assert.assertTrue(hasAllFields);

  Mockito.verify(chain).doFilter(Mockito.any(ServletRequest.class),
      Mockito.any(ServletResponse.class));

  // Rebuild a signer from the same fixed test secret so that the issued
  // cookie is checked independently of the filter's own provider instance.
  Properties signerProps = new Properties();
  signerProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, "secret");
  SignerSecretProvider provider =
      StringSignerSecretProviderCreator.newStringSignerSecretProvider();
  provider.init(signerProps, null, TOKEN_VALIDITY_SEC);
  Signer cookieSigner = new Signer(provider);

  String unsignedValue = cookieSigner.verifyAndExtract(authCookie);
  AuthenticationToken issued = AuthenticationToken.parse(unsignedValue);
  assertThat(issued.getMaxInactives(), not(0L));
  assertThat(issued.getExpires(), not(0L));
  Assert.assertFalse("Token is expired.", issued.isExpired());
}