
Example 1 with ProxyToken

use of com.emc.storageos.db.client.model.ProxyToken in project coprhd-controller by CoprHD.

the class TokenManagerTests method testBasicTokenKeysRotation.

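/**
 * Basic rotation functionality is tested here using overridden rotation interval values.
 *
 * Timing assumptions, taken from the values set below: the key rotation interval is
 * 5000 ms and each sleep is 6000 ms, so the token request issued after a sleep triggers
 * a rotation. A token whose signing key has been rotated out of both the current and the
 * previous slot is expected to be rejected with {@link UnauthorizedException}, while a
 * proxy token is expected to survive the rotations.
 *
 * @throws Exception on any unexpected failure of the setup or of the token operations
 */
@Test
public void testBasicTokenKeysRotation() throws Exception {
    TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
    holder.setMaxTokenIdleTimeInMins(2);
    holder.setMaxTokenLifeTimeInMins(4);
    holder.setTokenIdleTimeGraceInMins(1);
    // short rotation interval so that the sleeps below cross a rotation boundary
    holder.setKeyRotationIntervalInMSecs(5000);
    CassandraTokenManager tokenManager = new CassandraTokenManager();
    Base64TokenEncoder encoder = new Base64TokenEncoder();
    TokenKeyGenerator tokenKeyGenerator = new TokenKeyGenerator();
    DbClient dbClient = getDbClient();
    CoordinatorClient coordinator = new TestCoordinator();
    tokenManager.setTokenMaxLifeValuesHolder(holder);
    tokenManager.setDbClient(dbClient);
    tokenManager.setCoordinator(coordinator);
    encoder.setCoordinator(coordinator);
    tokenKeyGenerator.setTokenMaxLifeValuesHolder(holder);
    encoder.setTokenKeyGenerator(tokenKeyGenerator);
    encoder.managerInit();
    tokenManager.setTokenEncoder(encoder);
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    userDAO.setIsLocal(true);
    // get a regular token
    final String token = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw1 = encoder.decode(token);
    Token tokenObj = dbClient.queryObject(Token.class, tw1.getTokenId());
    Assert.assertNotNull(tokenObj);
    // verify token
    StorageOSUserDAO gotUser = tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    // get a proxy token
    final String proxyToken = tokenManager.getProxyToken(gotUser);
    Assert.assertNotNull(proxyToken);
    // wait 6 seconds (longer than the 5000 ms interval); the next token request triggers a rotation
    Thread.sleep(6000);
    final String token2 = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token2);
    // at this point the first token should still be usable (its key is in the "previous" slot)
    gotUser = tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    // wait another 6 seconds and trigger a second rotation
    Thread.sleep(6000);
    final String token3 = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token3);
    // the first token's key has now been rotated out of the current and then the previous
    // slot; validation must fail with UnauthorizedException rather than return a user
    try {
        tokenManager.validateToken(token);
        Assert.fail("The token should not be usable.");
    } catch (UnauthorizedException expected) {
        // expected: the signing key is gone
    }
    // after several rotations, the proxy token should be unaffected
    gotUser = tokenManager.validateToken(proxyToken);
    Assert.assertNotNull(gotUser);
}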

Example 2 with ProxyToken

use of com.emc.storageos.db.client.model.ProxyToken in project coprhd-controller by CoprHD.

the class TokenManagerTests method testProxyTokens.

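/**
 * Basic tests for proxy tokens.
 *
 * Covers, in order: a proxy token is flagged as such both in the db record and on the
 * wire and resolves to the same user as the auth token that created it; a second
 * getProxyToken call for the same user returns the existing proxy token; deleting or
 * expiring the auth token leaves the proxy token usable; deleting all tokens including
 * the proxy token retires the user record; and, for deletion, username matching is
 * case-insensitive while removal of the proxy token is controlled by the boolean flag.
 *
 * @throws Exception on any unexpected failure of the setup or of the token operations
 */
@Test
public void testProxyTokens() throws Exception {
    commonDefaultSetupForSingleNodeTests();
    // Create a regular token
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user111");
    userDAO.setIsLocal(true);
    userDAO.addAttribute("attr1=val1");
    userDAO.addGroup("group1");
    userDAO.setId((URIUtil.createId(StorageOSUserDAO.class)));
    _dbClient.persistObject(userDAO);
    final String token = _tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw = _encoder.decode(token);
    Token tokenObj = _dbClient.queryObject(Token.class, tw.getTokenId());
    Assert.assertNotNull(tokenObj);
    // Check that the system knows it as a non-proxy token
    Assert.assertFalse(BaseToken.isProxyToken(tokenObj));
    // Do the same with a proxy token
    final String proxyToken = _tokenManager.getProxyToken(userDAO);
    Assert.assertNotNull(proxyToken);
    TokenOnWire ptw = _encoder.decode(proxyToken);
    ProxyToken proxyTokenObj = _dbClient.queryObject(ProxyToken.class, ptw.getTokenId());
    Assert.assertNotNull(proxyTokenObj);
    Assert.assertTrue(BaseToken.isProxyToken(proxyTokenObj));
    Assert.assertTrue(ptw.isProxyToken());
    Assert.assertNotNull(proxyTokenObj.getLastKnownIds());
    // Check that the user fetched from the id in the proxy token
    // matches the properties of the userDAO that created the proxy token
    URI userId = proxyTokenObj.peekLastKnownId();
    StorageOSUserDAO userFromProxyToken = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    assertSameUser(userDAO, userFromProxyToken);
    // and that validating the proxy token yields the same user
    StorageOSUserDAO userFromProxyTokenValidation = _tokenManager.validateToken(proxyToken);
    assertSameUser(userDAO, userFromProxyTokenValidation);
    // Make sure that once a proxy token is created for a user, it gets reused from then on
    final String proxyToken2 = _tokenManager.getProxyToken(userDAO);
    Assert.assertNotNull(proxyToken2);
    Assert.assertEquals(proxyToken, proxyToken2);
    // simulate logout by deleting the auth token that we created earlier
    _tokenManager.deleteToken(token);
    StorageOSUserDAO deletedUser = _tokenManager.validateToken(token);
    Assert.assertNull(deletedUser);
    StorageOSUserDAO userIsStillThere = _tokenManager.validateToken(proxyToken2);
    Assert.assertNotNull(userIsStillThere);
    Assert.assertEquals(userDAO.getUserName(), userIsStillThere.getUserName());
    Assert.assertFalse(userIsStillThere.getInactive());
    // Relogin. Get new auth and proxy tokens. Force expiration of the auth token.
    // Test that the proxy token still works.
    StorageOSUserDAO userDAO2 = new StorageOSUserDAO();
    userDAO2.setUserName("user222");
    userDAO2.setIsLocal(true);
    userDAO2.setId((URIUtil.createId(StorageOSUserDAO.class)));
    _dbClient.persistObject(userDAO2);
    final String shortLivedTokenRaw = _tokenManager.getToken(userDAO2);
    Assert.assertNotNull(shortLivedTokenRaw);
    TokenOnWire sltw = _encoder.decode(shortLivedTokenRaw);
    final String proxyToken3 = _tokenManager.getProxyToken(userDAO2);
    Assert.assertNotNull(proxyToken3);
    Token shortLivedToken = _dbClient.queryObject(Token.class, sltw.getTokenId());
    Assert.assertNotNull(shortLivedToken);
    // push the last access time back by three minutes (the field is kept in minutes)
    // so that the token is past its idle limit when it is next validated
    shortLivedToken.setLastAccessTime((System.currentTimeMillis() / (60 * 1000)) - 3);
    _dbClient.persistObject(shortLivedToken);
    // validate that the auth token is gone
    deletedUser = _tokenManager.validateToken(shortLivedTokenRaw);
    Assert.assertNull(deletedUser);
    // validate that the proxy token still works
    userIsStillThere = _tokenManager.validateToken(proxyToken3);
    Assert.assertNotNull(userIsStillThere);
    Assert.assertEquals(userDAO2.getUserName(), userIsStillThere.getUserName());
    Assert.assertFalse(userIsStillThere.getInactive());
    // Test that after the proxy token gets deleted, the userDAO is gone or marked inactive
    // (its auth token has been expired above so the proxy token was the last token)
    _tokenManager.deleteAllTokensForUser(userDAO2.getUserName(), true);
    StorageOSUserDAO inactiveUser = _dbClient.queryObject(StorageOSUserDAO.class, userDAO2.getId());
    // Boolean.TRUE.equals avoids an unboxing NPE should getInactive() ever return null
    Assert.assertTrue(inactiveUser == null || Boolean.TRUE.equals(inactiveUser.getInactive()));
    // case-insensitive username and optional proxy token deletion tests
    StorageOSUserDAO userDAOBlah = new StorageOSUserDAO();
    userDAOBlah.setUserName("user-blah");
    userDAOBlah.setIsLocal(true);
    final String blahToken = _tokenManager.getToken(userDAOBlah);
    Assert.assertNotNull(blahToken);
    TokenOnWire decoded = _encoder.decode(blahToken);
    final String blahProxyToken = _tokenManager.getProxyToken(userDAOBlah);
    Assert.assertNotNull(blahProxyToken);
    // same user, different casing of the name
    userDAOBlah = new StorageOSUserDAO();
    userDAOBlah.setUserName("User-Blah");
    userDAOBlah.setIsLocal(true);
    final String blahToken2 = _tokenManager.getToken(userDAOBlah);
    Assert.assertNotNull(blahToken2);
    TokenOnWire decoded2 = _encoder.decode(blahToken2);
    final String blahProxyToken2 = _tokenManager.getProxyToken(userDAOBlah);
    Assert.assertNotNull(blahProxyToken2);
    Token blahTokenObj = _dbClient.queryObject(Token.class, decoded.getTokenId());
    Token blahTokenObj2 = _dbClient.queryObject(Token.class, decoded2.getTokenId());
    // both casings must map to one user id and share one proxy token
    Assert.assertEquals(blahTokenObj.getUserId(), blahTokenObj2.getUserId());
    Assert.assertEquals(blahProxyToken, blahProxyToken2);
    // deleting with the flag false removes the auth tokens but keeps the proxy token
    _tokenManager.deleteAllTokensForUser("user-BLAH", false);
    blahTokenObj = _dbClient.queryObject(Token.class, decoded.getTokenId());
    blahTokenObj2 = _dbClient.queryObject(Token.class, decoded2.getTokenId());
    Assert.assertNull(blahTokenObj);
    Assert.assertNull(blahTokenObj2);
    Assert.assertNull(_tokenManager.validateToken(blahToken));
    Assert.assertNotNull(_tokenManager.validateToken(blahProxyToken));
    // deleting with the flag true removes the proxy token as well
    _tokenManager.deleteAllTokensForUser("user-BLAH", true);
    Assert.assertNull(_tokenManager.validateToken(blahProxyToken));
}

/**
 * Asserts that {@code actual} is non-null and carries the same user name, attributes and
 * groups as {@code expected}. Both size and containment are checked; for set-valued
 * attribute and group collections that amounts to exact equality.
 *
 * @param expected the user record the token was created from
 * @param actual the user record resolved from the token
 */
private static void assertSameUser(StorageOSUserDAO expected, StorageOSUserDAO actual) {
    Assert.assertNotNull(actual);
    Assert.assertEquals(expected.getUserName(), actual.getUserName());
    Assert.assertEquals(expected.getAttributes().size(), actual.getAttributes().size());
    Assert.assertTrue(actual.getAttributes().containsAll(expected.getAttributes()));
    Assert.assertEquals(expected.getGroups().size(), actual.getGroups().size());
    Assert.assertTrue(actual.getGroups().containsAll(expected.getGroups()));
}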

Example 3 with ProxyToken

use of com.emc.storageos.db.client.model.ProxyToken in project coprhd-controller by CoprHD.

the class CassandraTokenValidator method resolveUser.

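/**
 * Gets a userDAO record from a token or proxy token.
 *
 * The user id is read from the token itself: the last known id for a {@link ProxyToken},
 * the owning user id for a regular {@link Token}. No expiration or validity check is done
 * here (NOTE(review): presumably the caller validates the token before resolving it; confirm
 * against the call sites) - this method only resolves the id against the db.
 *
 * @param token the token to resolve; may be null
 * @return the user record, or null if the token is null, carries no user id, or the record
 *         no longer exists in the db
 */
@Override
public StorageOSUserDAO resolveUser(BaseToken token) {
    if (token == null) {
        return null;
    }
    URI userId;
    if (token instanceof ProxyToken) {
        userId = ((ProxyToken) token).peekLastKnownId();
    } else {
        userId = ((Token) token).getUserId();
    }
    if (userId == null) {
        // a token without a user id cannot resolve to anyone; previously a null id reached
        // the lookup and then NPE'd in the log call below when nothing came back
        _log.error("Token of type {} carries no user id", token.getClass().getSimpleName());
        return null;
    }
    StorageOSUserDAO userDAO = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    if (userDAO == null) {
        // let the logger format the id; the explicit toString() was the null-dereference
        _log.error("No user record found for userId: {}", userId);
        return null;
    }
    return userDAO;
}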

Example 4 with ProxyToken

use of com.emc.storageos.db.client.model.ProxyToken in project coprhd-controller by CoprHD.

the class CassandraTokenValidator method getProxyTokenForUserName.

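/**
 * Get the proxy token for a username.
 *
 * Looks the username up through the proxy-token alternate-id constraint and loads the
 * matching ProxyToken records. The caller treats the result as the single proxy token of
 * that user, so if more than one record matches, the first one the query returned is used
 * and the anomaly is logged at warn level.
 *
 * @param username the user name to look up
 * @return the proxy token for that user, or null if none exists
 */
protected ProxyToken getProxyTokenForUserName(String username) {
    URIQueryResultList tokenIds = new URIQueryResultList();
    _dbClient.queryByConstraint(AlternateIdConstraint.Factory.getProxyTokenUserNameConstraint(username), tokenIds);
    List<URI> uris = new ArrayList<URI>();
    for (Iterator<URI> it = tokenIds.iterator(); it.hasNext(); ) {
        uris.add(it.next());
    }
    List<ProxyToken> found = _dbClient.queryObject(ProxyToken.class, uris);
    if (CollectionUtils.isEmpty(found)) {
        _log.info("No proxy token found for user {}", username);
        return null;
    }
    if (found.size() > 1) {
        // one proxy token per user is the expectation; silently picking the first hides duplicates
        _log.warn("{} proxy tokens found for user {}, using the first one", found.size(), username);
    }
    return found.get(0);
}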

Example 5 with ProxyToken

use of com.emc.storageos.db.client.model.ProxyToken in project coprhd-controller by CoprHD.

the class CassandraTokenValidator method deleteTokenInternal.

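/**
 * Delete the given token from the db. If it was the last token referring to the userDAO
 * and no proxy token is associated with that user, mark the userDAO for deletion.
 *
 * NOTE(review): the two lookups right after removeObject rely on the removal already being
 * visible to the query; confirm this holds for the db client's consistency settings.
 *
 * @param token the token to delete; must not be null
 */
protected void deleteTokenInternal(Token token) {
    URI userId = token.getUserId();
    _dbClient.removeObject(token);
    List<Token> tokens = getTokensForUserId(userId);
    List<ProxyToken> pTokens = getProxyTokensForUserId(userId);
    if (CollectionUtils.isEmpty(tokens) && CollectionUtils.isEmpty(pTokens)) {
        // the placeholder previously had no argument, so the id never made it into the log
        _log.info("There are no more tokens referring to the user id {}, marking it inactive", userId);
        StorageOSUserDAO userDAO = _dbClient.queryObject(StorageOSUserDAO.class, userId);
        if (userDAO == null) {
            // nothing left to retire; do not hand a null record to markForDeletion
            _log.info("No user record found for user id {}, nothing to mark inactive", userId);
            return;
        }
        _dbClient.markForDeletion(userDAO);
    }
}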
