Search in sources :

Example 6 with StorageOSUserDAO

use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

the class TokenManagerTests method testBasicTokenKeysRotation.

/**
 * Basic rotation functionality is tested here using overridden rotation interval values
 *
 * @throws Exception
 */
@Test
public void testBasicTokenKeysRotation() throws Exception {
    TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
    holder.setMaxTokenIdleTimeInMins(2);
    holder.setMaxTokenLifeTimeInMins(4);
    holder.setTokenIdleTimeGraceInMins(1);
    holder.setKeyRotationIntervalInMSecs(5000);
    CassandraTokenManager tokenManager = new CassandraTokenManager();
    Base64TokenEncoder encoder = new Base64TokenEncoder();
    TokenKeyGenerator tokenKeyGenerator = new TokenKeyGenerator();
    DbClient dbClient = getDbClient();
    CoordinatorClient coordinator = new TestCoordinator();
    tokenManager.setTokenMaxLifeValuesHolder(holder);
    tokenManager.setDbClient(dbClient);
    tokenManager.setCoordinator(coordinator);
    encoder.setCoordinator(coordinator);
    tokenKeyGenerator.setTokenMaxLifeValuesHolder(holder);
    encoder.setTokenKeyGenerator(tokenKeyGenerator);
    encoder.managerInit();
    tokenManager.setTokenEncoder(encoder);
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    userDAO.setIsLocal(true);
    // get a regular token
    final String token = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw1 = encoder.decode(token);
    Token tokenObj = dbClient.queryObject(Token.class, tw1.getTokenId());
    Assert.assertNotNull(tokenObj);
    // verify token
    StorageOSUserDAO gotUser = tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    // get a proxy token
    final String proxyToken = tokenManager.getProxyToken(gotUser);
    Assert.assertNotNull(proxyToken);
    // wait 6 seconds, this next token request will triggers a rotation
    Thread.sleep(6000);
    final String token2 = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token2);
    // at this point, the first token should still be usable
    gotUser = tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    // wait another 6 seconds, trigger another rotation.
    Thread.sleep(6000);
    final String token3 = tokenManager.getToken(userDAO);
    Assert.assertNotNull(token3);
    // has been rotated out from the current, then previous spot. It is gone.
    try {
        gotUser = tokenManager.validateToken(token);
        Assert.fail("The token should not be usable.");
    } catch (UnauthorizedException ex) {
        // this exception is an expected one.
        Assert.assertTrue(true);
    }
    // after several rotations, proxy token should be unaffected
    gotUser = tokenManager.validateToken(proxyToken);
    Assert.assertNotNull(gotUser);
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) DbClient(com.emc.storageos.db.client.DbClient) UnauthorizedException(com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException) CoordinatorClient(com.emc.storageos.coordinator.client.service.CoordinatorClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) SignedToken(com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) Token(com.emc.storageos.db.client.model.Token) BaseToken(com.emc.storageos.db.client.model.BaseToken) Test(org.junit.Test)

Example 7 with StorageOSUserDAO

use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

the class TokenManagerTests method testCrossVDCTokenValidation.

/**
 * testCrossVDCTokenValidation
 * Tests that a token from VDC2 and VDC3 can both be validated in VDC1
 * given that VDC1's cache has these tokens and keys available.
 *
 * @throws Exception
 */
@Test
public void testCrossVDCTokenValidation() throws Exception {
    commonDefaultSetupForSingleNodeTests();
    TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
    // VDC1 (validator)
    CoordinatorClient coordinatorVDC1 = new TestCoordinator();
    InterVDCTokenCacheHelper cacheHelperVDC1 = new InterVDCTokenCacheHelper();
    cacheHelperVDC1.setCoordinator(coordinatorVDC1);
    cacheHelperVDC1.setDbClient(_dbClient);
    cacheHelperVDC1.setMaxLifeValuesHolder(holder);
    TokenKeyGenerator tokenKeyGeneratorVDC1 = new TokenKeyGenerator();
    tokenKeyGeneratorVDC1.setTokenMaxLifeValuesHolder(holder);
    Base64TokenEncoder encoderVDC1 = new Base64TokenEncoder();
    encoderVDC1.setCoordinator(coordinatorVDC1);
    encoderVDC1.setInterVDCTokenCacheHelper(cacheHelperVDC1);
    encoderVDC1.setTokenKeyGenerator(tokenKeyGeneratorVDC1);
    encoderVDC1.managerInit();
    CassandraTokenManager tokenManagerVDC1 = new CassandraTokenManager();
    tokenManagerVDC1.setDbClient(_dbClient);
    tokenManagerVDC1.setCoordinator(coordinatorVDC1);
    tokenManagerVDC1.setInterVDCTokenCacheHelper(cacheHelperVDC1);
    tokenManagerVDC1.setTokenEncoder(encoderVDC1);
    tokenManagerVDC1.setTokenMaxLifeValuesHolder(holder);
    // VDC2 (creator of token)
    CoordinatorClient coordinatorVDC2 = new TestCoordinator();
    TokenKeyGenerator tokenKeyGeneratorVDC2 = new TokenKeyGenerator();
    tokenKeyGeneratorVDC2.setTokenMaxLifeValuesHolder(holder);
    Base64TokenEncoder encoderVDC2 = new Base64TokenEncoder();
    encoderVDC2.setCoordinator(coordinatorVDC2);
    encoderVDC2.setTokenKeyGenerator(tokenKeyGeneratorVDC2);
    encoderVDC2.managerInit();
    CassandraTokenManager tokenManagerVDC2 = new CassandraTokenManager();
    tokenManagerVDC2.setDbClient(_dbClient);
    tokenManagerVDC2.setCoordinator(coordinatorVDC2);
    tokenManagerVDC2.setTokenEncoder(encoderVDC2);
    tokenManagerVDC2.setTokenMaxLifeValuesHolder(holder);
    // VDC3 (creator of token)
    CoordinatorClient coordinatorVDC3 = new TestCoordinator();
    TokenKeyGenerator tokenKeyGeneratorVDC3 = new TokenKeyGenerator();
    tokenKeyGeneratorVDC3.setTokenMaxLifeValuesHolder(holder);
    Base64TokenEncoder encoderVDC3 = new Base64TokenEncoder();
    encoderVDC3.setCoordinator(coordinatorVDC3);
    encoderVDC3.setTokenKeyGenerator(tokenKeyGeneratorVDC3);
    encoderVDC3.managerInit();
    CassandraTokenManager tokenManagerVDC3 = new CassandraTokenManager();
    tokenManagerVDC3.setDbClient(_dbClient);
    tokenManagerVDC3.setCoordinator(coordinatorVDC3);
    tokenManagerVDC3.setTokenEncoder(encoderVDC3);
    tokenManagerVDC3.setTokenMaxLifeValuesHolder(holder);
    // VDC2 create a token
    // set VdcUtil localvdcid to vdc2 to resulting token is identified as such
    VirtualDataCenter localVdc = VdcUtil.getLocalVdc();
    localVdc.setShortId("vdc2");
    _dbClient.persistObject(localVdc);
    VdcUtil.invalidateVdcUrnCache();
    StorageOSUserDAO userDAOVDC2 = new StorageOSUserDAO();
    userDAOVDC2.setUserName("user1@domain.com");
    userDAOVDC2.setIsLocal(false);
    String tokenVDC2 = tokenManagerVDC2.getToken(userDAOVDC2);
    Assert.assertNotNull(tokenVDC2);
    TokenOnWire twVDC2 = encoderVDC2.decode(tokenVDC2);
    final Token tokenObjVDC2 = _dbClient.queryObject(Token.class, twVDC2.getTokenId());
    Assert.assertNotNull(tokenObjVDC2);
    URI userIdVDC2 = tokenObjVDC2.getUserId();
    Assert.assertNotNull(userIdVDC2);
    final StorageOSUserDAO gotUserVDC2 = tokenManagerVDC2.validateToken(tokenVDC2);
    Assert.assertNotNull(gotUserVDC2);
    // because we are running this on the same "db" as opposed to 2 different VDCs,
    // there will be a conflict when caching the token, since the original is already there
    // with the same id. So we are changing the token id and user record id for this
    // purpose.
    tokenObjVDC2.setId(URIUtil.createId(Token.class));
    gotUserVDC2.setId(URIUtil.createId(StorageOSUserDAO.class));
    tokenObjVDC2.setUserId(gotUserVDC2.getId());
    TokenOnWire tokenToBeCachedVDC2 = TokenOnWire.createTokenOnWire(tokenObjVDC2);
    // this re-encoded alternate token is the token that will be cached and validated
    // from cache.
    final String newEncodedVDC2 = encoderVDC2.encode(tokenToBeCachedVDC2);
    // VDC3 create a token
    // set VdcUtil localvdcid to vdc3 to resulting token is identified as such
    localVdc.setShortId("vdc3");
    _dbClient.persistObject(localVdc);
    VdcUtil.invalidateVdcUrnCache();
    StorageOSUserDAO userDAOVDC3 = new StorageOSUserDAO();
    userDAOVDC3.setUserName("user2@domain.com");
    userDAOVDC3.setIsLocal(false);
    String tokenVDC3 = tokenManagerVDC3.getToken(userDAOVDC3);
    Assert.assertNotNull(tokenVDC3);
    TokenOnWire twVDC3 = encoderVDC3.decode(tokenVDC3);
    final Token tokenObjVDC3 = _dbClient.queryObject(Token.class, twVDC3.getTokenId());
    Assert.assertNotNull(tokenObjVDC3);
    URI userIdVDC3 = tokenObjVDC3.getUserId();
    Assert.assertNotNull(userIdVDC3);
    final StorageOSUserDAO gotUserVDC3 = tokenManagerVDC3.validateToken(tokenVDC3);
    Assert.assertNotNull(gotUserVDC3);
    tokenObjVDC3.setId(URIUtil.createId(Token.class));
    gotUserVDC3.setId(URIUtil.createId(StorageOSUserDAO.class));
    tokenObjVDC3.setUserId(gotUserVDC3.getId());
    TokenOnWire tokenToBeCachedVDC3 = TokenOnWire.createTokenOnWire(tokenObjVDC3);
    // this re-encoded alternate token is the token that will be cached and validated
    // from cache.
    final String newEncodedVDC3 = encoderVDC3.encode(tokenToBeCachedVDC3);
    // Cache VDC2 &3's tokens and keys in VDC1.cache
    TokenKeysBundle bundleVDC2 = tokenKeyGeneratorVDC2.readBundle();
    TokenKeysBundle bundleVDC3 = tokenKeyGeneratorVDC3.readBundle();
    TokenResponseArtifacts artifactsVDC2 = new TokenResponseArtifacts(gotUserVDC2, tokenObjVDC2, bundleVDC2);
    TokenResponseArtifacts artifactsVDC3 = new TokenResponseArtifacts(gotUserVDC3, tokenObjVDC3, bundleVDC3);
    cacheHelperVDC1.cacheForeignTokenAndKeys(artifactsVDC2, "vdc2");
    cacheHelperVDC1.cacheForeignTokenAndKeys(artifactsVDC3, "vdc3");
    Assert.assertEquals(2, cacheHelperVDC1.getAllCachedBundles().size());
    // Validate both tokens using VDC1
    // set VdcUtil localvdcid to vdc1 to resulting token is identified as such
    localVdc.setShortId("vdc1");
    _dbClient.persistObject(localVdc);
    VdcUtil.invalidateVdcUrnCache();
    StorageOSUserDAO userValidate = tokenManagerVDC1.validateToken(newEncodedVDC2);
    Assert.assertNotNull(userValidate);
    Assert.assertEquals(userValidate.getUserName(), userDAOVDC2.getUserName());
    StorageOSUserDAO userValidate2 = tokenManagerVDC1.validateToken(newEncodedVDC3);
    Assert.assertNotNull(userValidate2);
    Assert.assertEquals(userValidate2.getUserName(), userDAOVDC3.getUserName());
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) TokenKeysBundle(com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) SignedToken(com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) Token(com.emc.storageos.db.client.model.Token) BaseToken(com.emc.storageos.db.client.model.BaseToken) URI(java.net.URI) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) InterVDCTokenCacheHelper(com.emc.storageos.security.geo.InterVDCTokenCacheHelper) VirtualDataCenter(com.emc.storageos.db.client.model.VirtualDataCenter) CoordinatorClient(com.emc.storageos.coordinator.client.service.CoordinatorClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) TokenResponseArtifacts(com.emc.storageos.security.geo.TokenResponseBuilder.TokenResponseArtifacts) Test(org.junit.Test)

Example 8 with StorageOSUserDAO

use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

the class TokenManagerTests method resetCoordinatorData.

/**
 * Convenience function to reset the coordinator data, call init on the two involved nodes,
 * and check they agree on the curent key id.
 *
 * @param coordinator
 * @param tokenManager1
 * @param tokenManager2
 * @param encoder1
 * @param encoder2
 * @throws Exception
 */
private void resetCoordinatorData(CoordinatorClient coordinator, CassandraTokenManager tokenManager1, CassandraTokenManager tokenManager2, Base64TokenEncoder encoder1, Base64TokenEncoder encoder2, TokenKeyGenerator tokenKeyGenerator1, TokenKeyGenerator tokenKeyGenerator2) throws Exception {
    final long ROTATION_INTERVAL_MSECS = 5000;
    DbClient dbClient = getDbClient();
    coordinator = new TestCoordinator();
    // Node 1
    tokenManager1 = new CassandraTokenManager();
    encoder1 = new Base64TokenEncoder();
    tokenKeyGenerator1 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder1 = new TokenMaxLifeValuesHolder();
    // means that once a token is created,
    holder1.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    // if the next token being requested happens 5 seconds later or more, the keys will
    // rotate. This is to test the built in logic that triggers rotation.
    tokenManager1.setTokenMaxLifeValuesHolder(holder1);
    tokenManager1.setDbClient(dbClient);
    tokenManager1.setCoordinator(coordinator);
    encoder1.setCoordinator(coordinator);
    tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder1);
    encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
    encoder1.managerInit();
    tokenManager1.setTokenEncoder(encoder1);
    // Node 2
    tokenManager2 = new CassandraTokenManager();
    encoder2 = new Base64TokenEncoder();
    tokenKeyGenerator2 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder2 = new TokenMaxLifeValuesHolder();
    holder2.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    tokenManager2.setTokenMaxLifeValuesHolder(holder2);
    tokenManager2.setDbClient(dbClient);
    tokenManager2.setCoordinator(coordinator);
    encoder2.setCoordinator(coordinator);
    tokenKeyGenerator2.setTokenMaxLifeValuesHolder(holder2);
    encoder2.setTokenKeyGenerator(tokenKeyGenerator2);
    encoder2.managerInit();
    tokenManager2.setTokenEncoder(encoder2);
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    // first, verify both managers are starting with the same key.
    final String token1 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token1);
    TokenOnWire tw1 = encoder1.decode(token1);
    String key1 = tw1.getEncryptionKeyId();
    final String token2 = tokenManager2.getToken(userDAO);
    Assert.assertNotNull(token2);
    TokenOnWire tw2 = encoder2.decode(token2);
    String key2 = tw2.getEncryptionKeyId();
    Assert.assertEquals(key1, key2);
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) DbClient(com.emc.storageos.db.client.DbClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire)

Example 9 with StorageOSUserDAO

use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

the class TokenManagerTests method testProxyTokens.

/**
 * Basic tests for proxy tokens
 */
@Test
public void testProxyTokens() throws Exception {
    commonDefaultSetupForSingleNodeTests();
    // Create a regular token
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user111");
    userDAO.setIsLocal(true);
    userDAO.addAttribute("attr1=val1");
    userDAO.addGroup("group1");
    userDAO.setId((URIUtil.createId(StorageOSUserDAO.class)));
    _dbClient.persistObject(userDAO);
    final String token = _tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw = _encoder.decode(token);
    Token tokenObj = _dbClient.queryObject(Token.class, tw.getTokenId());
    Assert.assertNotNull(tokenObj);
    // Check that the system knows it as a non-proxy token
    Assert.assertFalse(BaseToken.isProxyToken(tokenObj));
    // Do the same with a proxy token
    final String proxyToken = _tokenManager.getProxyToken(userDAO);
    Assert.assertNotNull(proxyToken);
    TokenOnWire ptw = _encoder.decode(proxyToken);
    ProxyToken proxyTokenObj = _dbClient.queryObject(ProxyToken.class, ptw.getTokenId());
    Assert.assertNotNull(proxyTokenObj);
    Assert.assertTrue(BaseToken.isProxyToken(proxyTokenObj));
    Assert.assertTrue(ptw.isProxyToken());
    Assert.assertNotNull(proxyTokenObj.getLastKnownIds());
    // Check that user fetched from the id in the proxy token
    // matches the user's properties of the userDAO that created the proxytoken
    URI userId = proxyTokenObj.peekLastKnownId();
    StorageOSUserDAO userFromProxyToken = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    Assert.assertNotNull(userFromProxyToken);
    Assert.assertEquals(userFromProxyToken.getUserName(), userDAO.getUserName());
    Assert.assertEquals(userFromProxyToken.getAttributes().size(), userDAO.getAttributes().size());
    Assert.assertTrue(userFromProxyToken.getAttributes().containsAll(userDAO.getAttributes()));
    Assert.assertEquals(userFromProxyToken.getGroups().size(), userDAO.getGroups().size());
    Assert.assertTrue(userFromProxyToken.getGroups().containsAll(userDAO.getGroups()));
    StorageOSUserDAO userFromProxyTokenValidation = _tokenManager.validateToken(proxyToken);
    Assert.assertNotNull(userFromProxyTokenValidation);
    Assert.assertEquals(userFromProxyTokenValidation.getUserName(), userDAO.getUserName());
    Assert.assertEquals(userFromProxyTokenValidation.getAttributes().size(), userDAO.getAttributes().size());
    Assert.assertTrue(userFromProxyTokenValidation.getAttributes().containsAll(userDAO.getAttributes()));
    Assert.assertEquals(userFromProxyTokenValidation.getGroups().size(), userDAO.getGroups().size());
    Assert.assertTrue(userFromProxyTokenValidation.getGroups().containsAll(userDAO.getGroups()));
    // Make sure that once a proxy token is created for a user, it gets reused from then on
    final String proxyToken2 = _tokenManager.getProxyToken(userDAO);
    Assert.assertNotNull(proxyToken2);
    Assert.assertEquals(proxyToken2, proxyToken);
    // simulate logout by deleting the authtoken that we created earlier
    _tokenManager.deleteToken(token.toString());
    StorageOSUserDAO deletedUser = _tokenManager.validateToken(token);
    Assert.assertNull(deletedUser);
    StorageOSUserDAO userIsStillThere = _tokenManager.validateToken(proxyToken2);
    Assert.assertNotNull(userIsStillThere);
    Assert.assertEquals(userIsStillThere.getUserName(), userDAO.getUserName());
    Assert.assertFalse(userIsStillThere.getInactive());
    // Relogin. Get new auth and proxy tokens. Force expiration of auth token.
    // Test that proxy token still works.
    StorageOSUserDAO userDAO2 = new StorageOSUserDAO();
    userDAO2.setUserName("user222");
    userDAO2.setIsLocal(true);
    userDAO2.setId((URIUtil.createId(StorageOSUserDAO.class)));
    _dbClient.persistObject(userDAO2);
    final String shortLivedTokenRaw = _tokenManager.getToken(userDAO2);
    Assert.assertNotNull(shortLivedTokenRaw);
    TokenOnWire sltw = _encoder.decode(shortLivedTokenRaw);
    final String proxyToken3 = _tokenManager.getProxyToken(userDAO2);
    Assert.assertNotNull(proxyToken3);
    Token shortLivedToken = _dbClient.queryObject(Token.class, sltw.getTokenId());
    Assert.assertNotNull(shortLivedToken);
    shortLivedToken.setLastAccessTime((System.currentTimeMillis() / (60 * 1000)) - 3);
    _dbClient.persistObject(shortLivedToken);
    // validate that auth token is gone
    deletedUser = _tokenManager.validateToken(shortLivedTokenRaw);
    Assert.assertNull(deletedUser);
    // validate that proxy token still works.
    userIsStillThere = _tokenManager.validateToken(proxyToken3);
    Assert.assertNotNull(userIsStillThere);
    Assert.assertEquals(userIsStillThere.getUserName(), userDAO2.getUserName());
    Assert.assertFalse(userIsStillThere.getInactive());
    // Test that after proxy token gets deleted, the userDao is gone or marked inactive
    // (its auth token has been expired above so proxy token was the last token)
    _tokenManager.deleteAllTokensForUser(userDAO2.getUserName(), true);
    StorageOSUserDAO inactiveUser = _dbClient.queryObject(StorageOSUserDAO.class, userDAO2.getId());
    Assert.assertTrue(inactiveUser == null || inactiveUser.getInactive() == true);
    // case sensitive username and proxy token optional deletion tests
    StorageOSUserDAO userDAOBlah = new StorageOSUserDAO();
    userDAOBlah.setUserName("user-blah");
    userDAOBlah.setIsLocal(true);
    final String blahToken = _tokenManager.getToken(userDAOBlah);
    Assert.assertNotNull(blahToken);
    TokenOnWire decoded = _encoder.decode(blahToken);
    final String blahProxyToken = _tokenManager.getProxyToken(userDAOBlah);
    Assert.assertNotNull(blahProxyToken);
    userDAOBlah = new StorageOSUserDAO();
    userDAOBlah.setUserName("User-Blah");
    userDAOBlah.setIsLocal(true);
    final String blahToken2 = _tokenManager.getToken(userDAOBlah);
    Assert.assertNotNull(blahToken2);
    TokenOnWire decoded2 = _encoder.decode(blahToken2);
    final String blahProxyToken2 = _tokenManager.getProxyToken(userDAOBlah);
    Assert.assertNotNull(blahProxyToken2);
    Token blahTokenObj = _dbClient.queryObject(Token.class, decoded.getTokenId());
    Token blahTokenObj2 = _dbClient.queryObject(Token.class, decoded2.getTokenId());
    Assert.assertEquals(blahTokenObj.getUserId(), blahTokenObj2.getUserId());
    Assert.assertEquals(blahProxyToken, blahProxyToken2);
    _tokenManager.deleteAllTokensForUser("user-BLAH", false);
    blahTokenObj = _dbClient.queryObject(Token.class, decoded.getTokenId());
    blahTokenObj2 = _dbClient.queryObject(Token.class, decoded2.getTokenId());
    Assert.assertNull(blahTokenObj);
    Assert.assertNull(blahTokenObj2);
    Assert.assertNull(_tokenManager.validateToken(blahToken));
    Assert.assertNotNull(_tokenManager.validateToken(blahProxyToken));
    _tokenManager.deleteAllTokensForUser("user-BLAH", true);
    Assert.assertNull(_tokenManager.validateToken(blahProxyToken));
}
Also used : StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) SignedToken(com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) Token(com.emc.storageos.db.client.model.Token) BaseToken(com.emc.storageos.db.client.model.BaseToken) URI(java.net.URI) Test(org.junit.Test)

Example 10 with StorageOSUserDAO

use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

the class TokenManagerTests method testTokens.

/**
 * main set of tests for tokens
 */
@Test
public void testTokens() throws Exception {
    commonDefaultSetupForSingleNodeTests();
    // Test - new ticket issue
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    userDAO.setIsLocal(true);
    long now = System.currentTimeMillis() / (60 * 1000);
    final String token = _tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw1 = _encoder.decode(token);
    Token tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
    Assert.assertNotNull(tokenObj);
    Assert.assertNotNull(tokenObj.getUserId());
    Assert.assertTrue(tokenObj.getExpirationTime() >= (now + 4));
    final URI userId = tokenObj.getUserId();
    // verify token
    StorageOSUserDAO gotUser = _tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    Assert.assertEquals(userId, gotUser.getId());
    // Test - update user info, reuse token
    StringSet groups = new StringSet();
    groups.add("gr1");
    groups.add("gr2");
    userDAO.setGroups(groups);
    StringSet attributes = new StringSet();
    attributes.add("atrr1");
    attributes.add("attr2");
    userDAO.setAttributes(attributes);
    String token2 = _tokenManager.getToken(userDAO);
    // different tokens for same user record
    Assert.assertFalse(token.equals(token2));
    TokenOnWire tw2 = _encoder.decode(token2);
    Assert.assertFalse(tw1.getTokenId().equals(tw2.getTokenId()));
    tokenObj = _dbClient.queryObject(Token.class, tw2.getTokenId());
    Assert.assertNotNull(tokenObj);
    Assert.assertNotNull(tokenObj.getUserId());
    Assert.assertEquals(userId, tokenObj.getUserId());
    StorageOSUserDAO userInfo = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    Assert.assertNotNull(userInfo);
    Assert.assertEquals(userId, userInfo.getId());
    Assert.assertFalse(userInfo.getInactive());
    Assert.assertEquals(groups.size(), userInfo.getGroups().size());
    Assert.assertEquals(attributes.size(), userInfo.getAttributes().size());
    Assert.assertTrue(userInfo.getIsLocal());
    // verify token
    gotUser = _tokenManager.validateToken(token2);
    Assert.assertNotNull(gotUser);
    Assert.assertEquals(userId, gotUser.getId());
    // Test - update user info, new token
    userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    groups = new StringSet();
    groups.add("gr1");
    userDAO.setGroups(groups);
    attributes = new StringSet();
    attributes.add("atrr1");
    attributes.add("attr2");
    attributes.add("attr3");
    userDAO.setAttributes(attributes);
    // new token
    final String token3 = _tokenManager.getToken(userDAO);
    Assert.assertFalse(token2.equals(token3));
    TokenOnWire tw3 = _encoder.decode(token3);
    tokenObj = _dbClient.queryObject(Token.class, tw3.getTokenId());
    Assert.assertNotNull(tokenObj);
    Assert.assertNotNull(tokenObj.getUserId());
    Assert.assertEquals(userId, tokenObj.getUserId());
    userInfo = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    Assert.assertNotNull(userInfo);
    Assert.assertEquals(userId, userInfo.getId());
    Assert.assertFalse(userInfo.getInactive());
    Assert.assertEquals(groups.size(), userInfo.getGroups().size());
    Assert.assertEquals(attributes.size(), userInfo.getAttributes().size());
    Assert.assertTrue(userInfo.getIsLocal());
    // verify token
    gotUser = _tokenManager.validateToken(token3);
    Assert.assertNotNull(gotUser);
    Assert.assertEquals(userId, gotUser.getId());
    // Test - idle time timeout
    tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
    // extend expiration by 10min, so that will not happen
    now = (System.currentTimeMillis() / (60 * 1000));
    tokenObj.setLastAccessTime(now);
    tokenObj.setExpirationTime(now + 5);
    _dbClient.persistObject(tokenObj);
    int count = 8;
    while (count-- > 0) {
        // validate every 30 sec, for the next 4 min
        Thread.sleep(30 * 1000);
        gotUser = _tokenManager.validateToken(token);
        Assert.assertNotNull(gotUser);
    }
    // set last access time back
    tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
    tokenObj.setLastAccessTime((System.currentTimeMillis() / (60 * 1000)) - 3);
    _dbClient.persistObject(tokenObj);
    // validate token on the old token - should fail
    gotUser = _tokenManager.validateToken(token);
    Assert.assertNull(gotUser);
    // token object should be deleted from db,
    // but user info should not be effected because we have another token pointing to it
    tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
    Assert.assertNull(tokenObj);
    userInfo = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    Assert.assertNotNull(userInfo);
    Assert.assertFalse(userInfo.getInactive());
    // Test - deletion of token
    // should set userinfo inactive - because this is the last token pointing to it
    _tokenManager.deleteToken(token2);
    _tokenManager.deleteToken(token3);
    userInfo = _dbClient.queryObject(StorageOSUserDAO.class, userId);
    Assert.assertNotNull(userInfo);
    Assert.assertTrue(userInfo.getInactive());
    // Test - with inactive user info - new token request
    // new token and new user info created - with possible race condition to create more than one each
    int numThreads = 5;
    final List<String> tokens = Collections.synchronizedList(new ArrayList<String>());
    final List<URI> userIds = Collections.synchronizedList(new ArrayList<URI>());
    ExecutorService executor = Executors.newFixedThreadPool(numThreads);
    final CountDownLatch wait = new CountDownLatch(numThreads);
    for (int index = 0; index < numThreads; index++) {
        executor.submit(new Callable<Object>() {

            @Override
            public Object call() throws Exception {
                wait.countDown();
                wait.await();
                StorageOSUserDAO userDAO = new StorageOSUserDAO();
                userDAO.setUserName("user1");
                String token4 = _tokenManager.getToken(userDAO);
                TokenOnWire tw4 = _encoder.decode(token4);
                Assert.assertFalse(token3.equals(token4));
                Assert.assertFalse(token.equals(token4));
                Token tokenObj = _dbClient.queryObject(Token.class, tw4.getTokenId());
                Assert.assertNotNull(tokenObj);
                Assert.assertNotNull(tokenObj.getUserId());
                Assert.assertFalse(userId.equals(tokenObj.getUserId()));
                StorageOSUserDAO userInfo = _dbClient.queryObject(StorageOSUserDAO.class, tokenObj.getUserId());
                Assert.assertNotNull(userInfo);
                Assert.assertEquals(userDAO.getUserName(), userInfo.getUserName());
                Assert.assertFalse(userInfo.getInactive());
                Assert.assertFalse(userInfo.getIsLocal());
                tokens.add(token4);
                userIds.add(userInfo.getId());
                return null;
            }
        });
    }
    executor.shutdown();
    Assert.assertTrue(executor.awaitTermination(60, TimeUnit.SECONDS));
    Assert.assertTrue(!tokens.isEmpty());
    Assert.assertTrue(!userIds.isEmpty());
    // Test - delete all tokens
    _tokenManager.deleteAllTokensForUser(userDAO.getUserName(), true);
    List<URI> tokensURIs = new ArrayList<URI>();
    for (String rawToken : tokens) {
        tokensURIs.add(_encoder.decode(rawToken).getTokenId());
    }
    List<Token> allTokens = _dbClient.queryObject(Token.class, tokensURIs);
    Assert.assertTrue(allTokens.isEmpty());
    List<StorageOSUserDAO> users = _dbClient.queryObject(StorageOSUserDAO.class, userIds);
    for (StorageOSUserDAO user : users) {
        Assert.assertTrue(user.getInactive());
        URIQueryResultList tokensForUser = new URIQueryResultList();
        _dbClient.queryByConstraint(ContainmentConstraint.Factory.getUserIdTokenConstraint(userId), tokensForUser);
        Assert.assertFalse(tokensForUser.iterator().hasNext());
    }
    // Test - expired token deleting
    userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    String dt1 = _tokenManager.getToken(userDAO);
    TokenOnWire twdt1 = _encoder.decode(dt1);
    tokenObj = _dbClient.queryObject(Token.class, twdt1.getTokenId());
    Assert.assertNotNull(tokenObj);
    Assert.assertNotNull(tokenObj.getUserId());
    URI du1 = tokenObj.getUserId();
    userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user2");
    String dt2 = _tokenManager.getToken(userDAO);
    TokenOnWire twdt2 = _encoder.decode(dt2);
    tokenObj = _dbClient.queryObject(Token.class, twdt2.getTokenId());
    Assert.assertNotNull(tokenObj);
    Assert.assertNotNull(tokenObj.getUserId());
    URI du2 = tokenObj.getUserId();
    Thread.sleep(3 * 60 * 1000);
    _tokenManager.runCleanupNow();
    tokenObj = _dbClient.queryObject(Token.class, twdt1.getTokenId());
    Assert.assertNull(tokenObj);
    tokenObj = _dbClient.queryObject(Token.class, twdt2.getTokenId());
    Assert.assertNull(tokenObj);
    userDAO = _dbClient.queryObject(StorageOSUserDAO.class, du1);
    Assert.assertTrue(userDAO.getInactive());
    userDAO = _dbClient.queryObject(StorageOSUserDAO.class, du2);
    Assert.assertTrue(userDAO.getInactive());
    // test limits
    userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    for (int i = 0; i < 100; i++) {
        dt1 = _tokenManager.getToken(userDAO);
        twdt1 = _encoder.decode(dt1);
        tokenObj = _dbClient.queryObject(Token.class, twdt1.getTokenId());
        Assert.assertNotNull(tokenObj);
        Assert.assertNotNull(tokenObj.getUserId());
    }
    // next get, will throw limit exception
    try {
        dt1 = _tokenManager.getToken(userDAO);
        Assert.fail("The token limit is exceeded. The token for user1 should not be generated.");
    } catch (UnauthorizedException ex) {
        // this exception is an expected one.
        Assert.assertTrue(true);
    }
}
Also used : SignedToken(com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) Token(com.emc.storageos.db.client.model.Token) BaseToken(com.emc.storageos.db.client.model.BaseToken) URI(java.net.URI) ContainmentConstraint(com.emc.storageos.db.client.constraint.ContainmentConstraint) AlternateIdConstraint(com.emc.storageos.db.client.constraint.AlternateIdConstraint) UnauthorizedException(com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException) IOException(java.io.IOException) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) StringSet(com.emc.storageos.db.client.model.StringSet) UnauthorizedException(com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) Test(org.junit.Test)

Aggregations

StorageOSUserDAO (com.emc.storageos.db.client.model.StorageOSUserDAO)37 Token (com.emc.storageos.db.client.model.Token)15 ProxyToken (com.emc.storageos.db.client.model.ProxyToken)12 Test (org.junit.Test)12 TokenOnWire (com.emc.storageos.security.authentication.TokenOnWire)11 URI (java.net.URI)10 BaseToken (com.emc.storageos.db.client.model.BaseToken)9 UsernamePasswordCredentials (org.apache.commons.httpclient.UsernamePasswordCredentials)9 SignedToken (com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken)8 CassandraTokenManager (com.emc.storageos.auth.impl.CassandraTokenManager)7 Base64TokenEncoder (com.emc.storageos.security.authentication.Base64TokenEncoder)7 TokenKeyGenerator (com.emc.storageos.security.authentication.TokenKeyGenerator)7 TokenMaxLifeValuesHolder (com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder)7 CoordinatorClient (com.emc.storageos.coordinator.client.service.CoordinatorClient)6 DbClient (com.emc.storageos.db.client.DbClient)6 AlternateIdConstraint (com.emc.storageos.db.client.constraint.AlternateIdConstraint)5 ContainmentConstraint (com.emc.storageos.db.client.constraint.ContainmentConstraint)5 UnauthorizedException (com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException)5 StringSet (com.emc.storageos.db.client.model.StringSet)4 DatabaseException (com.emc.storageos.db.exceptions.DatabaseException)4