use of com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason in project coprhd-controller by CoprHD.
The class StorageOSLdapPersonAttributeDao, method getStorageOSUser.
/*
* Another implementation of getStorageOSUser that throws an exception carrying an error message instead of returning a failure reason.
*/
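@Override
public StorageOSUserDAO getStorageOSUser(final Credentials credentials) {
    // Only username/password logins are expected here; any other Credentials
    // implementation fails the cast with a ClassCastException, as before.
    final String username = ((UsernamePasswordCredentials) credentials).getUserName();
    // One-element array acts as an out-parameter: when the lookup returns null,
    // failureReason[0] is expected to say why.
    ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
    UserAndTenants userAndTenants = getStorageOSUserAndTenants(username, failureReason);
    if (userAndTenants == null) {
        ValidationFailureReason reason = failureReason[0];
        // Infrastructure problems (directory unreachable, manager bind rejected) are
        // reported as such; everything else is a failed principal search.
        if (reason == ValidationFailureReason.LDAP_CONNECTION_FAILED) {
            throw SecurityException.fatals.communicationToLDAPResourceFailed();
        }
        if (reason == ValidationFailureReason.LDAP_MANAGER_AUTH_FAILED) {
            throw SecurityException.fatals.ldapManagerAuthenticationFailed();
        }
        // USER_OR_GROUP_NOT_FOUND_FOR_TENANT, any other reason, or no reason at all.
        // (A switch on a null enum would have thrown NullPointerException here if the
        // lookup ever returned null without filling in failureReason[0].)
        throw APIException.badRequests.principalSearchFailed(username);
    }

    StorageOSUserDAO user = userAndTenants._user;
    Map<URI, UserMapping> tenants = userAndTenants._tenants;
    if (tenants == null || tenants.isEmpty()) {
        _log.error("User {} did not match any tenant", username);
        throw APIException.forbidden.userDoesNotMapToAnyTenancy(user.getUserName());
    }
    if (tenants.size() > 1) {
        // A user must resolve to exactly one tenant; an ambiguous mapping is rejected,
        // never resolved by picking one.
        _log.error("User {} mapped to tenants {}", username, tenants.keySet().toArray());
        throw APIException.forbidden.userBelongsToMultiTenancy(user.getUserName(), tenantName(tenants.keySet()));
    }
    user.setTenantId(tenants.keySet().iterator().next().toString());
    return user;
}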
use of com.emc.storageos.auth.AuthenticationManager.ValidationFailureReason in project coprhd-controller by CoprHD.
The class CustomAuthenticationManagerTest, method testAuthentication.
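/**
 * Exercises {@code _authManager} against the AD/LDAP providers created by
 * {@code createADLDAPProviders()}: password authentication, tenant mapping by
 * attribute, by group name and by group SID, group-whitelist filtering,
 * {@code validateUser} / {@code isGroupValid}, and finally a provider whose
 * server URL cannot be contacted.
 *
 * <p>Calls that must be rejected go through {@link #assertValidateUserRejected}
 * instead of {@code thrown.expect(APIException.class)}. With an
 * ExpectedException rule the test ends as soon as the first matching exception
 * is thrown, so every line after the first {@code thrown.expect(...)} -- including
 * {@code cleanupProviders()} -- was previously unreachable; expectations in that
 * formerly dead region are marked where they look doubtful.
 *
 * @throws Exception propagated from the authentication manager or the db client
 */
@Test
public void testAuthentication() throws Exception {
    createADLDAPProviders();
    try {
        // --- plain authentication: a known user, right password, right domain succeeds; everything else yields null ---
        UsernamePasswordCredentials sanityUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "P@ssw0rd");
        Assert.assertNotNull(_authManager.authenticate(sanityUserCreds));
        UsernamePasswordCredentials ldapUserCreds = new UsernamePasswordCredentials("user@root.com", "password");
        Assert.assertNotNull(_authManager.authenticate(ldapUserCreds));
        assertAuthenticationRejected("sanity_user@baddomain", "P@ssw0rd"); // unknown domain
        assertAuthenticationRejected("sanity_user", "P@ssw0rd"); // no domain suffix
        assertAuthenticationRejected("sanity_user@root.com", "P@ssw0rd"); // user does not exist in that domain
        assertAuthenticationRejected("sanity_user@sanity.local", "badpassword");
        assertAuthenticationRejected("", "P@ssw0rd");
        assertAuthenticationRejected("sanity_user@sanity.local", "");
        assertAuthenticationRejected("sanity_user@sanity.local", null);

        // --- subtenant mapped by the o=sales attribute (root.com) and by group "Test Group" (sanity.local) ---
        UserMapping tenantMapping = new UserMapping();
        UserMappingAttribute tenantAttr = new UserMappingAttribute();
        tenantAttr.setKey("o");
        tenantAttr.setValues(Collections.singletonList("sales"));
        tenantMapping.setAttributes(Collections.singletonList(tenantAttr));
        tenantMapping.setDomain("root.com");
        UserMapping tenantMapping2 = new UserMapping();
        tenantMapping2.setGroups(Collections.singletonList("Test Group"));
        tenantMapping2.setDomain("sanity.local");
        StringSetMap mappings = new StringSetMap();
        mappings.put(tenantMapping.getDomain(), tenantMapping.toString());
        mappings.put(tenantMapping2.getDomain(), tenantMapping2.toString());
        _subtenantId = persistSubtenant("subtenant", "auth subtenant", mappings);

        // sanity_user matches neither mapping and stays in the root tenant
        StorageOSUserDAO user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // this user has the o=sales attribute so should be in the subtenant
        user = _authManager.authenticate(ldapUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());
        // this user is in the group Test Group so should be in the subtenant
        UsernamePasswordCredentials groupUserCreds = new UsernamePasswordCredentials("testuser@sanity.local", "P@ssw0rd");
        user = _authManager.authenticate(groupUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());

        // --- AD provider for whitelist1/whitelist2 whose group whitelist does not include "Test Group" ---
        createAdAuthnProvider("CN", new String[] { "whitelist1", "whitelist2" }, "*Users*", "ProjectAdmins");
        // Login the user that is in the group "Test Group" but it is not in the whitelist in
        // the auth config so the user should end up in the root tenant
        UsernamePasswordCredentials whitelist1GroupUserCreds = new UsernamePasswordCredentials("testuser@whitelist1", "P@ssw0rd");
        user = _authManager.authenticate(whitelist1GroupUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // log the same user in to the other domain to make sure it is mapped to the same tenant
        UsernamePasswordCredentials whitelist2GroupUserCreds = new UsernamePasswordCredentials("testuser@whitelist2", "P@ssw0rd");
        user = _authManager.authenticate(whitelist2GroupUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());

        // --- validateUser: the expectations below encode which tenant each user may be validated against
        // (the third argument presumably names an alternate tenant that is also accepted -- inferred from usage) ---
        _authManager.validateUser("sanity_user@sanity.local", _rootTenantId.toString(), null);
        assertValidateUserRejected("sanity_user@sanity.local", _subtenantId.toString(), null);
        _authManager.validateUser("sanity_user@sanity.local", _subtenantId.toString(), _rootTenantId.toString());
        _authManager.validateUser("user2@root.com", _rootTenantId.toString(), null);
        assertValidateUserRejected("user2@root.com", _subtenantId.toString(), null);
        _authManager.validateUser("user2@root.com", _subtenantId.toString(), _rootTenantId.toString());
        _authManager.validateUser("user@root.com", _subtenantId.toString(), null);
        assertValidateUserRejected("user@root.com", _rootTenantId.toString(), null);
        _authManager.validateUser("testuser@sanity.local", _subtenantId.toString(), null);
        assertValidateUserRejected("testuser@sanity.local", _rootTenantId.toString(), null);
        // a bare username without a domain is never valid
        assertValidateUserRejected("testuser", _rootTenantId.toString(), null);
        assertValidateUserRejected("testuser", _subtenantId.toString(), null);

        // --- isGroupValid: out-parameter receives the reason when the answer is false ---
        ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
        Assert.assertTrue(_authManager.isGroupValid("Test Group@sanity.local", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist1", failureReason));
        Assert.assertEquals(failureReason[0], ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT);
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("Domain Users@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("ProjectAdmins@whitelist1", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group", failureReason));

        // --- AD provider for 'sidtest' that matches groups by objectSid ---
        // Domain users ends in -513; the second value is the Test Group SID
        createAdAuthnProvider("objectSid", new String[] { "sidtest" },
                "*-513", "S-1-5-21-2759885641-1951973838-595118951-1135");
        // Create a subtenant using the sid of Domain users from '@sidtest' for mapping
        UserMapping sidGroupMapping = new UserMapping();
        sidGroupMapping.setDomain("sidtest");
        sidGroupMapping.setGroups(Collections.singletonList("S-1-5-21-2759885641-1951973838-595118951-513"));
        StringSetMap sidTestMappings = new StringSetMap();
        sidTestMappings.put(sidGroupMapping.getDomain(), sidGroupMapping.toString());
        URI subtenant2Id = persistSubtenant("subtenant2", "auth subtenant2", sidTestMappings);

        // login the sanity_user (sanity_user@sanity.local) and verify that the user is in the
        // root tenant still despite being in 'Domain Users' group because it is a different domain
        user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // Now try sanity_user@sidtest and the user should be in subtenant2
        UsernamePasswordCredentials sidTestUserCreds = new UsernamePasswordCredentials("sanity_user@sidtest", "P@ssw0rd");
        user = _authManager.authenticate(sidTestUserCreds);
        Assert.assertEquals(subtenant2Id.toString(), user.getTenantId());
        _authManager.validateUser("sanity_user@sidtest", subtenant2Id.toString(), null);
        _authManager.validateUser("testuser@sidtest", subtenant2Id.toString(), null);
        // NOTE(review): this call was unreachable in the original (it sat after the first
        // thrown.expect) and expects 'baduser' to validate successfully -- confirm the intent.
        _authManager.validateUser("baduser@sidtest", subtenant2Id.toString(), null);
        // Test group
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1135@sidtest", failureReason));
        // Domain Users
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-existent group
        Assert.assertFalse(_authManager.isGroupValid("S-2-2-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-whitelist group (ProjectAdmins)
        Assert.assertFalse(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1111@sidtest", failureReason));

        // --- LDAP provider whose server URL cannot be contacted ---
        AuthnProvider ldapAuthConfig = new AuthnProvider();
        ldapAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
        ldapAuthConfig.setMode("ldap");
        ldapAuthConfig.setDomains(toStringSet("badurl.com"));
        ldapAuthConfig.setManagerDN("cn=Manager,dc=root,dc=com");
        ldapAuthConfig.setManagerPassword("secret");
        ldapAuthConfig.setServerUrls(toStringSet("ldap://xxx"));
        ldapAuthConfig.setSearchBase("ou=People,dc=root,dc=com");
        ldapAuthConfig.setSearchFilter("(uid=%U)");
        _dbClient.createObject(ldapAuthConfig);
        // NOTE(review): unlike the AD providers above this one is stored without
        // setLastModified(...) or reloadConfig(true); confirm the manager actually
        // picks it up, otherwise the null below only proves "no provider for badurl.com".
        UsernamePasswordCredentials badURLUserCreds = new UsernamePasswordCredentials("user@badurl.com", "password");
        // Check that authentication and validation operations fail
        // but do not throw connection exceptions
        user = _authManager.authenticate(badURLUserCreds);
        Assert.assertNull(user);
        assertValidateUserRejected("user@badurl.com", subtenant2Id.toString(), null);
        Assert.assertFalse(_authManager.isGroupValid("group@badurl.com", failureReason));
    } finally {
        // Always tear the providers down, even when an assertion above fails.
        cleanupProviders();
    }
}

/** Authenticates {@code username}/{@code password} and asserts that the manager returned no user. */
private void assertAuthenticationRejected(String username, String password) throws Exception {
    UsernamePasswordCredentials creds = new UsernamePasswordCredentials(username, password);
    Assert.assertNull("expected authentication of '" + username + "' to be rejected",
            _authManager.authenticate(creds));
}

/**
 * Calls {@code validateUser} with the given arguments and asserts that it throws
 * {@code APIException}; any other outcome fails the test. Unlike an ExpectedException
 * rule this returns to the caller, so several rejections can be checked in one test.
 */
private void assertValidateUserRejected(String username, String tenantId, String alternateTenantId) throws Exception {
    try {
        _authManager.validateUser(username, tenantId, alternateTenantId);
    } catch (APIException expected) {
        return; // the rejection we were waiting for
    }
    Assert.fail("expected validateUser(" + username + ", " + tenantId + ", " + alternateTenantId
            + ") to throw APIException");
}

/**
 * Persists a subtenant of the root tenant with the given user mappings.
 *
 * @param label        tenant label, also used as the name in the parent NamedURI
 * @param description  tenant description
 * @param userMappings domain -> serialized UserMapping entries
 * @return the id assigned to the new tenant
 */
private URI persistSubtenant(String label, String description, StringSetMap userMappings) throws Exception {
    URI id = URIUtil.createId(TenantOrg.class);
    TenantOrg tenant = new TenantOrg();
    tenant.setLabel(label);
    tenant.setDescription(description);
    tenant.setId(id);
    tenant.setParentTenant(new NamedURI(_rootTenantId, label));
    tenant.setUserMappings(userMappings);
    _dbClient.persistObject(tenant);
    return id;
}

/**
 * Creates and stores an AD provider against LDAP_SERVER_2 using the sanity.local
 * administrator bind, then reloads the manager configuration so it takes effect.
 *
 * @param groupAttribute       attribute the group whitelist is matched against ("CN" or "objectSid")
 * @param domains              domains the provider is authoritative for
 * @param groupWhitelistValues whitelist patterns for that attribute
 */
private void createAdAuthnProvider(String groupAttribute, String[] domains, String... groupWhitelistValues)
        throws Exception {
    AuthnProvider config = new AuthnProvider();
    config.setId(URIUtil.createId(AuthnProvider.class));
    config.setMode("ad");
    config.setDomains(toStringSet(domains));
    config.setManagerDN("CN=Administrator,CN=Users,DC=sanity,DC=local");
    config.setManagerPassword(_adManagerPassword);
    config.setServerUrls(toStringSet(LDAP_SERVER_2));
    config.setSearchBase("CN=Users,DC=sanity,DC=local");
    config.setSearchFilter("sAMAccountName=%U");
    config.setGroupAttribute(groupAttribute);
    config.setGroupWhitelistValues(toStringSet(groupWhitelistValues));
    config.setLastModified(System.currentTimeMillis());
    _dbClient.createObject(config);
    reloadConfig(true);
}

/** Collects the given values into a new StringSet. */
private static StringSet toStringSet(String... values) {
    StringSet set = new StringSet();
    for (String value : values) {
        set.add(value);
    }
    return set;
}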