
Example 1 with ValidationFailureReason

Use of com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason in the project coprhd-controller by CoprHD.

From the class StorageOSLdapPersonAttributeDao, method getStorageOSUser.

/*
 * Another implementation of getStorageOSUser that throws an exception carrying an error message
 * instead of reporting a failure reason to the caller.
 */
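/**
 * Resolves the StorageOS user for the supplied credentials and binds it to the single tenant
 * it maps to.
 *
 * <p>Only the user name is used here; no password check happens in this method. The lookup is
 * delegated to {@code getStorageOSUserAndTenants}, which reports a {@link ValidationFailureReason}
 * through the one-element array when it returns {@code null}.
 *
 * @param credentials must be a {@link UsernamePasswordCredentials}; the cast is unchecked
 * @return the user with {@code tenantId} set to the one tenant the user maps to
 * @throws ClassCastException if {@code credentials} is not a {@code UsernamePasswordCredentials}
 * @throws SecurityException when the reported reason is an LDAP connection or manager
 *         authentication failure
 * @throws APIException when the principal search fails for any other (or no) reason, or the
 *         user maps to zero or to more than one tenant
 */
@Override
public StorageOSUserDAO getStorageOSUser(final Credentials credentials) {
    final String username = ((UsernamePasswordCredentials) credentials).getUserName();
    final ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
    final UserAndTenants userAndTenants = getStorageOSUserAndTenants(username, failureReason);
    if (userAndTenants == null) {
        final ValidationFailureReason reason = failureReason[0];
        if (reason == null) {
            // the lookup reported no reason; switching on a null enum reference would throw
            // NullPointerException instead of the intended bad-request error
            throw APIException.badRequests.principalSearchFailed(username);
        }
        switch (reason) {
            case LDAP_CONNECTION_FAILED:
                throw SecurityException.fatals.communicationToLDAPResourceFailed();
            case LDAP_MANAGER_AUTH_FAILED:
                throw SecurityException.fatals.ldapManagerAuthenticationFailed();
            case USER_OR_GROUP_NOT_FOUND_FOR_TENANT:
            default:
                throw APIException.badRequests.principalSearchFailed(username);
        }
    }
    final StorageOSUserDAO user = userAndTenants._user;
    final Map<URI, UserMapping> tenants = userAndTenants._tenants;
    if (tenants == null || tenants.isEmpty()) {
        _log.error("User {} did not match any tenant", username);
        throw APIException.forbidden.userDoesNotMapToAnyTenancy(user.getUserName());
    }
    if (tenants.size() > 1) {
        // a user is bound to exactly one tenancy; an ambiguous mapping is rejected, not resolved
        _log.error("User {} mapped to tenants {}", username, tenants.keySet().toArray());
        throw APIException.forbidden.userBelongsToMultiTenancy(user.getUserName(), tenantName(tenants.keySet()));
    }
    user.setTenantId(tenants.keySet().iterator().next().toString());
    return user;
}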
Also used : ValidationFailureReason(com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) UserMapping(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMapping) URI(java.net.URI) UsernamePasswordCredentials(org.apache.commons.httpclient.UsernamePasswordCredentials)

Example 2 with ValidationFailureReason

Use of com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason in the project coprhd-controller by CoprHD.

From the class CustomAuthenticationManagerTest, method testAuthentication.

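/**
 * Exercises authentication and tenant mapping end to end against the test AD/LDAP providers:
 * credential acceptance and rejection, mapping of users into sub-tenants by attribute, by group
 * name and by group SID, group whitelists, and a provider whose URL is unreachable.
 *
 * <p>Calls that {@code validateUser} must reject go through {@link #assertValidateUserRejected}.
 * The JUnit {@code thrown} rule is deliberately not used: it ends the test at the first expected
 * exception, which left every later assertion and the provider cleanup unexecuted.
 *
 * @throws Exception propagated from the authentication manager or the database client
 */
@Test
public void testAuthentication() throws Exception {
    createADLDAPProviders();
    try {
        runAuthenticationScenario();
    } finally {
        // always remove the providers so a failed assertion does not leak them into other tests
        cleanupProviders();
    }
}

/** The scenario body; kept separate so the caller can guarantee provider cleanup. */
private void runAuthenticationScenario() throws Exception {
    final UsernamePasswordCredentials sanityUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "P@ssw0rd");
    Assert.assertNotNull(_authManager.authenticate(sanityUserCreds));
    final UsernamePasswordCredentials ldapUserCreds = new UsernamePasswordCredentials("user@root.com", "password");
    Assert.assertNotNull(_authManager.authenticate(ldapUserCreds));

    // unknown domain, missing domain, unknown user, wrong/empty/null password and an empty user
    // name must all be refused
    assertAuthenticationRejected("sanity_user@baddomain", "P@ssw0rd");
    assertAuthenticationRejected("sanity_user", "P@ssw0rd");
    assertAuthenticationRejected("sanity_user@root.com", "P@ssw0rd");
    assertAuthenticationRejected("sanity_user@sanity.local", "badpassword");
    assertAuthenticationRejected("", "P@ssw0rd");
    assertAuthenticationRejected("sanity_user@sanity.local", "");
    assertAuthenticationRejected("sanity_user@sanity.local", null);

    // sub-tenant mapped by the o=sales attribute on root.com and by membership of "Test Group"
    // on sanity.local
    final UserMappingAttribute salesAttr = new UserMappingAttribute();
    salesAttr.setKey("o");
    salesAttr.setValues(Collections.singletonList("sales"));
    final UserMapping attributeMapping = new UserMapping();
    attributeMapping.setAttributes(Collections.singletonList(salesAttr));
    attributeMapping.setDomain("root.com");
    final UserMapping groupMapping = new UserMapping();
    groupMapping.setGroups(Collections.singletonList("Test Group"));
    groupMapping.setDomain("sanity.local");
    final StringSetMap mappings = new StringSetMap();
    mappings.put(attributeMapping.getDomain(), attributeMapping.toString());
    mappings.put(groupMapping.getDomain(), groupMapping.toString());
    _subtenantId = URIUtil.createId(TenantOrg.class);
    createSubtenant(_subtenantId, "subtenant", "auth subtenant", mappings);

    StorageOSUserDAO user = _authManager.authenticate(sanityUserCreds);
    Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
    // this user has the o=sales attribute so should be in the subtenant
    user = _authManager.authenticate(ldapUserCreds);
    Assert.assertEquals(_subtenantId.toString(), user.getTenantId());
    // this user is in the group Test Group so should be in the subtenant
    final UsernamePasswordCredentials groupUserCreds = new UsernamePasswordCredentials("testuser@sanity.local", "P@ssw0rd");
    user = _authManager.authenticate(groupUserCreds);
    Assert.assertEquals(_subtenantId.toString(), user.getTenantId());

    // AD provider with a group whitelist, matched on the CN attribute
    createAdProvider(stringSetOf("whitelist1", "whitelist2"), "CN", stringSetOf("*Users*", "ProjectAdmins"));
    // Log in the user that is in the group "Test Group"; that group is not in the whitelist of
    // the auth config, so the user should end up in the root tenant
    user = _authManager.authenticate(new UsernamePasswordCredentials("testuser@whitelist1", "P@ssw0rd"));
    Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
    // log the same user in to the other domain to make sure it is mapped to the same tenant
    user = _authManager.authenticate(new UsernamePasswordCredentials("testuser@whitelist2", "P@ssw0rd"));
    Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());

    // validateUser: a principal is accepted for the tenant it maps to and rejected for any other
    _authManager.validateUser("sanity_user@sanity.local", _rootTenantId.toString(), null);
    assertValidateUserRejected("sanity_user@sanity.local", _subtenantId.toString(), null);
    _authManager.validateUser("sanity_user@sanity.local", _subtenantId.toString(), _rootTenantId.toString());
    _authManager.validateUser("user2@root.com", _rootTenantId.toString(), null);
    assertValidateUserRejected("user2@root.com", _subtenantId.toString(), null);
    _authManager.validateUser("user2@root.com", _subtenantId.toString(), _rootTenantId.toString());
    _authManager.validateUser("user@root.com", _subtenantId.toString(), null);
    assertValidateUserRejected("user@root.com", _rootTenantId.toString(), null);
    _authManager.validateUser("testuser@sanity.local", _subtenantId.toString(), null);
    assertValidateUserRejected("testuser@sanity.local", _rootTenantId.toString(), null);
    assertValidateUserRejected("testuser", _rootTenantId.toString(), null);
    assertValidateUserRejected("testuser", _subtenantId.toString(), null);

    final ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
    Assert.assertTrue(_authManager.isGroupValid("Test Group@sanity.local", failureReason));
    Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist1", failureReason));
    Assert.assertEquals(ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT, failureReason[0]);
    Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist2", failureReason));
    Assert.assertTrue(_authManager.isGroupValid("Domain Users@whitelist2", failureReason));
    Assert.assertTrue(_authManager.isGroupValid("ProjectAdmins@whitelist1", failureReason));
    Assert.assertFalse(_authManager.isGroupValid("Test Group", failureReason));

    // AD provider whose groups are matched on objectSid: Domain Users SIDs end in -513, the
    // second whitelist value is the Test Group SID
    createAdProvider(stringSetOf("sidtest"), "objectSid",
            stringSetOf("*-513", "S-1-5-21-2759885641-1951973838-595118951-1135"));
    // Create a subtenant using the sid of Domain users from '@sidtest' for mapping
    final UserMapping sidGroupMapping = new UserMapping();
    sidGroupMapping.setDomain("sidtest");
    sidGroupMapping.setGroups(Collections.singletonList("S-1-5-21-2759885641-1951973838-595118951-513"));
    final StringSetMap sidTestMappings = new StringSetMap();
    sidTestMappings.put(sidGroupMapping.getDomain(), sidGroupMapping.toString());
    final URI subtenant2Id = URIUtil.createId(TenantOrg.class);
    createSubtenant(subtenant2Id, "subtenant2", "auth subtenant2", sidTestMappings);
    // login the sanity_user (sanity_user@sanity.local) and verify that the user is in the
    // root tenant still despite being in 'Domain Users' group because it is a different domain
    user = _authManager.authenticate(sanityUserCreds);
    Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
    // Now try sanity_user@sidtest and the user should be in subtenant2
    user = _authManager.authenticate(new UsernamePasswordCredentials("sanity_user@sidtest", "P@ssw0rd"));
    Assert.assertEquals(subtenant2Id.toString(), user.getTenantId());
    _authManager.validateUser("sanity_user@sidtest", subtenant2Id.toString(), null);
    _authManager.validateUser("testuser@sidtest", subtenant2Id.toString(), null);
    _authManager.validateUser("baduser@sidtest", subtenant2Id.toString(), null);
    // Test group
    Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1135@sidtest", failureReason));
    // Domain Users
    Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
    // non-existent group
    Assert.assertFalse(_authManager.isGroupValid("S-2-2-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
    // non-whitelist group (ProjectAdmins)
    Assert.assertFalse(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1111@sidtest", failureReason));

    // LDAP provider with an unreachable URL; persisted without a config reload, as before
    final AuthnProvider ldapAuthConfig = new AuthnProvider();
    ldapAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
    ldapAuthConfig.setMode("ldap");
    ldapAuthConfig.setDomains(stringSetOf("badurl.com"));
    ldapAuthConfig.setManagerDN("cn=Manager,dc=root,dc=com");
    ldapAuthConfig.setManagerPassword("secret");
    ldapAuthConfig.setServerUrls(stringSetOf("ldap://xxx"));
    ldapAuthConfig.setSearchBase("ou=People,dc=root,dc=com");
    ldapAuthConfig.setSearchFilter("(uid=%U)");
    _dbClient.createObject(ldapAuthConfig);
    // Check that authentication and validation operations fail but do not throw connection
    // exceptions (anything other than APIException propagates and fails the test)
    user = _authManager.authenticate(new UsernamePasswordCredentials("user@badurl.com", "password"));
    Assert.assertNull(user);
    assertValidateUserRejected("user@badurl.com", subtenant2Id.toString(), null);
    Assert.assertFalse(_authManager.isGroupValid("group@badurl.com", failureReason));
}

/** Asserts that {@code authenticate} refuses the user name / password pair by returning null. */
private void assertAuthenticationRejected(final String userName, final String password) throws Exception {
    Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials(userName, password)));
}

/**
 * Asserts that {@code validateUser} rejects the principal with an {@code APIException}.
 *
 * @param userName principal to validate
 * @param tenantId tenant the principal is validated against
 * @param altTenantId forwarded unchanged as the third {@code validateUser} argument (null here
 *        in every rejecting call)
 */
private void assertValidateUserRejected(final String userName, final String tenantId, final String altTenantId)
        throws Exception {
    try {
        _authManager.validateUser(userName, tenantId, altTenantId);
    } catch (APIException expected) {
        return;
    }
    Assert.fail("validateUser accepted " + userName + " for tenant " + tenantId);
}

/** Persists an AD provider against LDAP_SERVER_2 and reloads the manager configuration. */
private void createAdProvider(final StringSet domains, final String groupAttribute, final StringSet groupWhitelist)
        throws Exception {
    final AuthnProvider provider = new AuthnProvider();
    provider.setId(URIUtil.createId(AuthnProvider.class));
    provider.setMode("ad");
    provider.setDomains(domains);
    provider.setManagerDN("CN=Administrator,CN=Users,DC=sanity,DC=local");
    provider.setManagerPassword(_adManagerPassword);
    provider.setServerUrls(stringSetOf(LDAP_SERVER_2));
    provider.setSearchBase("CN=Users,DC=sanity,DC=local");
    provider.setSearchFilter("sAMAccountName=%U");
    provider.setGroupAttribute(groupAttribute);
    provider.setGroupWhitelistValues(groupWhitelist);
    provider.setLastModified(System.currentTimeMillis());
    _dbClient.createObject(provider);
    reloadConfig(true);
}

/** Persists a sub-tenant of the root tenant with the given user mappings. */
private void createSubtenant(final URI id, final String label, final String description, final StringSetMap userMappings)
        throws Exception {
    final TenantOrg tenant = new TenantOrg();
    tenant.setLabel(label);
    tenant.setDescription(description);
    tenant.setId(id);
    tenant.setParentTenant(new NamedURI(_rootTenantId, label));
    tenant.setUserMappings(userMappings);
    _dbClient.persistObject(tenant);
}

/** Builds a StringSet holding the given values. */
private static StringSet stringSetOf(final String... values) {
    final StringSet set = new StringSet();
    for (String value : values) {
        set.add(value);
    }
    return set;
}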
Also used : StringSetMap(com.emc.storageos.db.client.model.StringSetMap) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) ValidationFailureReason(com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason) UserMapping(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMapping) NamedURI(com.emc.storageos.db.client.model.NamedURI) AuthnProvider(com.emc.storageos.db.client.model.AuthnProvider) UserMappingAttribute(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute) TenantOrg(com.emc.storageos.db.client.model.TenantOrg) StringSet(com.emc.storageos.db.client.model.StringSet) NamedURI(com.emc.storageos.db.client.model.NamedURI) URI(java.net.URI) UsernamePasswordCredentials(org.apache.commons.httpclient.UsernamePasswordCredentials)
