
Example 36 with StorageOSUserDAO

Use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

The class CustomAuthenticationManagerTest, method testAuthentication.

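/**
 * End-to-end check of the AD/LDAP authentication path: credential handling, tenant mapping by
 * attribute, by group name and by group SID, group whitelisting, user/group validation against
 * tenants, and behaviour against a provider whose URL is unreachable.
 * <p>
 * Expected {@code validateUser} rejections are asserted one by one with
 * {@link #assertValidateUserRejected} instead of the {@code thrown} rule: an ExpectedException
 * rule ends the test method at the first throw, so everything after the first expected
 * rejection was never executed. Providers are cleaned up in a {@code finally} block so a failing
 * assertion does not leak them into later tests.
 */
@Test
public void testAuthentication() throws Exception {
    createADLDAPProviders();
    try {
        // --- credential handling against the AD (sanity.local) and LDAP (root.com) providers ---
        UsernamePasswordCredentials sanityUserCreds = new UsernamePasswordCredentials("sanity_user@sanity.local", "P@ssw0rd");
        Assert.assertNotNull(_authManager.authenticate(sanityUserCreds));
        UsernamePasswordCredentials ldapUserCreds = new UsernamePasswordCredentials("user@root.com", "password");
        Assert.assertNotNull(_authManager.authenticate(ldapUserCreds));
        // unknown domain, missing domain, unknown user, wrong / empty / null password: all rejected as null
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user@baddomain", "P@ssw0rd")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user", "P@ssw0rd")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user@root.com", "P@ssw0rd")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user@sanity.local", "badpassword")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("", "P@ssw0rd")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user@sanity.local", "")));
        Assert.assertNull(_authManager.authenticate(new UsernamePasswordCredentials("sanity_user@sanity.local", null)));

        // --- tenant mapping: root.com users with o=sales and sanity.local members of "Test Group" go to a subtenant ---
        UserMapping tenantMapping = new UserMapping();
        UserMappingAttribute tenantAttr = new UserMappingAttribute();
        tenantAttr.setKey("o");
        tenantAttr.setValues(Collections.singletonList("sales"));
        tenantMapping.setAttributes(Collections.singletonList(tenantAttr));
        tenantMapping.setDomain("root.com");
        UserMapping tenantMapping2 = new UserMapping();
        tenantMapping2.setGroups(Collections.singletonList("Test Group"));
        tenantMapping2.setDomain("sanity.local");
        StringSetMap mappings = new StringSetMap();
        mappings.put(tenantMapping.getDomain(), tenantMapping.toString());
        mappings.put(tenantMapping2.getDomain(), tenantMapping2.toString());
        _subtenantId = URIUtil.createId(TenantOrg.class);
        _dbClient.persistObject(newSubtenant(_subtenantId, "subtenant", "auth subtenant", mappings));

        StorageOSUserDAO user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // this user has the o=sales attribute so should be in the subtenant
        user = _authManager.authenticate(ldapUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());
        // this user is in the group Test Group so should be in the subtenant
        UsernamePasswordCredentials groupUserCreds = new UsernamePasswordCredentials("testuser@sanity.local", "P@ssw0rd");
        user = _authManager.authenticate(groupUserCreds);
        Assert.assertEquals(_subtenantId.toString(), user.getTenantId());

        // --- group whitelist by CN on the domains whitelist1 / whitelist2 ---
        AuthnProvider adAuthConfig = newAdProvider(new String[] { "whitelist1", "whitelist2" }, "CN",
                new String[] { "*Users*", "ProjectAdmins" });
        _dbClient.createObject(adAuthConfig);
        reloadConfig(true);
        // "Test Group" is not in this provider's whitelist, so the user ends up in the root tenant
        user = _authManager.authenticate(new UsernamePasswordCredentials("testuser@whitelist1", "P@ssw0rd"));
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // the same user through the provider's other domain is mapped the same way
        user = _authManager.authenticate(new UsernamePasswordCredentials("testuser@whitelist2", "P@ssw0rd"));
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());

        // --- user validation against tenants; every expected rejection is asserted individually ---
        ValidationFailureReason[] failureReason = new ValidationFailureReason[1];
        _authManager.validateUser("sanity_user@sanity.local", _rootTenantId.toString(), null);
        assertValidateUserRejected("sanity_user@sanity.local", _subtenantId.toString(), null);
        _authManager.validateUser("sanity_user@sanity.local", _subtenantId.toString(), _rootTenantId.toString());
        _authManager.validateUser("user2@root.com", _rootTenantId.toString(), null);
        assertValidateUserRejected("user2@root.com", _subtenantId.toString(), null);
        _authManager.validateUser("user2@root.com", _subtenantId.toString(), _rootTenantId.toString());
        _authManager.validateUser("user@root.com", _subtenantId.toString(), null);
        assertValidateUserRejected("user@root.com", _rootTenantId.toString(), null);
        _authManager.validateUser("testuser@sanity.local", _subtenantId.toString(), null);
        assertValidateUserRejected("testuser@sanity.local", _rootTenantId.toString(), null);
        assertValidateUserRejected("testuser", _rootTenantId.toString(), null);
        assertValidateUserRejected("testuser", _subtenantId.toString(), null);

        Assert.assertTrue(_authManager.isGroupValid("Test Group@sanity.local", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist1", failureReason));
        Assert.assertEquals(ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT, failureReason[0]);
        Assert.assertFalse(_authManager.isGroupValid("Test Group@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("Domain Users@whitelist2", failureReason));
        Assert.assertTrue(_authManager.isGroupValid("ProjectAdmins@whitelist1", failureReason));
        Assert.assertFalse(_authManager.isGroupValid("Test Group", failureReason));

        // --- group whitelist by objectSid on the domain sidtest ---
        // "*-513" matches Domain Users (RID 513); the full SID is the Test Group
        AuthnProvider sidAuthConfig = newAdProvider(new String[] { "sidtest" }, "objectSid",
                new String[] { "*-513", "S-1-5-21-2759885641-1951973838-595118951-1135" });
        _dbClient.createObject(sidAuthConfig);
        reloadConfig(true);
        // subtenant2 is mapped from the Domain Users SID of '@sidtest'
        UserMapping sidGroupMapping = new UserMapping();
        sidGroupMapping.setDomain("sidtest");
        sidGroupMapping.setGroups(Collections.singletonList("S-1-5-21-2759885641-1951973838-595118951-513"));
        StringSetMap sidTestMappings = new StringSetMap();
        sidTestMappings.put(sidGroupMapping.getDomain(), sidGroupMapping.toString());
        URI subtenant2Id = URIUtil.createId(TenantOrg.class);
        _dbClient.persistObject(newSubtenant(subtenant2Id, "subtenant2", "auth subtenant2", sidTestMappings));
        // sanity_user@sanity.local stays in the root tenant: the Domain Users mapping belongs to a different domain
        user = _authManager.authenticate(sanityUserCreds);
        Assert.assertEquals(_rootTenantId.toString(), user.getTenantId());
        // the same account through @sidtest lands in subtenant2
        user = _authManager.authenticate(new UsernamePasswordCredentials("sanity_user@sidtest", "P@ssw0rd"));
        Assert.assertEquals(subtenant2Id.toString(), user.getTenantId());
        _authManager.validateUser("sanity_user@sidtest", subtenant2Id.toString(), null);
        _authManager.validateUser("testuser@sidtest", subtenant2Id.toString(), null);
        _authManager.validateUser("baduser@sidtest", subtenant2Id.toString(), null);
        // Test group
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1135@sidtest", failureReason));
        // Domain Users
        Assert.assertTrue(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-existent group
        Assert.assertFalse(_authManager.isGroupValid("S-2-2-21-2759885641-1951973838-595118951-513@sidtest", failureReason));
        // non-whitelist group (ProjectAdmins)
        Assert.assertFalse(_authManager.isGroupValid("S-1-5-21-2759885641-1951973838-595118951-1111@sidtest", failureReason));

        // --- provider with an unreachable URL: operations fail cleanly rather than surfacing connection errors ---
        AuthnProvider ldapAuthConfig = new AuthnProvider();
        ldapAuthConfig.setId(URIUtil.createId(AuthnProvider.class));
        ldapAuthConfig.setMode("ldap");
        StringSet ldapDomains = new StringSet();
        ldapDomains.add("badurl.com");
        ldapAuthConfig.setDomains(ldapDomains);
        ldapAuthConfig.setManagerDN("cn=Manager,dc=root,dc=com");
        ldapAuthConfig.setManagerPassword("secret");
        StringSet ldapURLs = new StringSet();
        ldapURLs.add("ldap://xxx");
        ldapAuthConfig.setServerUrls(ldapURLs);
        ldapAuthConfig.setSearchBase("ou=People,dc=root,dc=com");
        ldapAuthConfig.setSearchFilter("(uid=%U)");
        _dbClient.createObject(ldapAuthConfig);
        user = _authManager.authenticate(new UsernamePasswordCredentials("user@badurl.com", "password"));
        Assert.assertNull(user);
        assertValidateUserRejected("user@badurl.com", subtenant2Id.toString(), null);
        Assert.assertFalse(_authManager.isGroupValid("group@badurl.com", failureReason));
    } finally {
        cleanupProviders();
    }
}

/**
 * Asserts that {@code validateUser} rejects the given user / tenant combination with an
 * {@link APIException}. A try/catch keeps the calling test running after the rejection, which
 * the {@code thrown} rule does not.
 *
 * @param user        user name, with or without a domain suffix
 * @param tenantId    tenant the user is validated against
 * @param altTenantId alternate tenant passed through unchanged, may be {@code null}
 */
private void assertValidateUserRejected(String user, String tenantId, String altTenantId) {
    try {
        _authManager.validateUser(user, tenantId, altTenantId);
    } catch (APIException expected) {
        return;
    }
    Assert.fail("validateUser(" + user + ", " + tenantId + ", " + altTenantId + ") should have thrown APIException");
}

/**
 * Builds (but does not persist) an AD provider on {@code LDAP_SERVER_2} that binds with the
 * sanity.local manager account and searches {@code CN=Users} by {@code sAMAccountName}.
 *
 * @param domains        domains the provider serves
 * @param groupAttribute attribute the group whitelist is matched against (e.g. "CN" or "objectSid")
 * @param groupWhitelist whitelist patterns for that attribute
 * @return the unsaved provider, with its last-modified time set to now
 */
private AuthnProvider newAdProvider(String[] domains, String groupAttribute, String[] groupWhitelist) {
    AuthnProvider config = new AuthnProvider();
    config.setId(URIUtil.createId(AuthnProvider.class));
    config.setMode("ad");
    StringSet domainSet = new StringSet();
    for (String domain : domains) {
        domainSet.add(domain);
    }
    config.setDomains(domainSet);
    config.setManagerDN("CN=Administrator,CN=Users,DC=sanity,DC=local");
    config.setManagerPassword(_adManagerPassword);
    StringSet urls = new StringSet();
    urls.add(LDAP_SERVER_2);
    config.setServerUrls(urls);
    config.setSearchBase("CN=Users,DC=sanity,DC=local");
    config.setSearchFilter("sAMAccountName=%U");
    config.setGroupAttribute(groupAttribute);
    StringSet whitelist = new StringSet();
    for (String value : groupWhitelist) {
        whitelist.add(value);
    }
    config.setGroupWhitelistValues(whitelist);
    config.setLastModified(System.currentTimeMillis());
    return config;
}

/**
 * Builds (but does not persist) a subtenant of the root tenant with the given user mappings.
 *
 * @param id           id of the new tenant
 * @param label        tenant label; also used as the name in the parent reference
 * @param description  tenant description
 * @param userMappings domain -> serialized UserMapping entries
 * @return the unsaved tenant
 */
private TenantOrg newSubtenant(URI id, String label, String description, StringSetMap userMappings) {
    TenantOrg subtenant = new TenantOrg();
    subtenant.setLabel(label);
    subtenant.setDescription(description);
    subtenant.setId(id);
    subtenant.setParentTenant(new NamedURI(_rootTenantId, label));
    subtenant.setUserMappings(userMappings);
    return subtenant;
}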

Example 37 with StorageOSUserDAO

Use of com.emc.storageos.db.client.model.StorageOSUserDAO in project coprhd-controller by CoprHD.

The class TokenService, method getToken.

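/**
 * Resolves the {@link Token} and {@link StorageOSUserDAO} records behind the auth token carried
 * in the request header and, when the caller's key ids differ from the local
 * {@link TokenKeysBundle}, returns that bundle so the caller can refresh its keys.
 * <p>
 * The token is only validated when the header is present: it must verify and resolve to a
 * user, and that user must not be a local user. When a token is resolved, the requesting VDC is
 * recorded against it and its last access time is refreshed (persist failures are logged, not
 * propagated). The key-id comparison is skipped when no first key id is supplied.
 *
 * @param httpRequest the incoming request; the raw token is read from the
 *        {@code RequestProcessingUtils.AUTH_TOKEN_HEADER} header
 * @param req the caller's current key ids and requesting VDC
 * @return a TokenResponse holding the resolved token and user (both {@code null} when no header
 *         was sent) and the local key bundle only when the caller's key ids are stale
 * @throws APIException unauthorized when the header carries a token that cannot be verified or
 *         resolved to a user; forbidden when the token belongs to a local user
 */
@POST
@Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public TokenResponse getToken(@Context HttpServletRequest httpRequest, TokenKeysRequest req) {
    String rawToken = httpRequest.getHeader(RequestProcessingUtils.AUTH_TOKEN_HEADER);
    String firstKey = req.getFirstKeyId();
    String secondKey = req.getSecondKeyId();
    Token token = null;
    StorageOSUserDAO user = null;
    TokenKeysBundle updatedBundle = null;

    // validate the token only if one was supplied
    if (StringUtils.isNotBlank(rawToken)) {
        token = (Token) tokenValidator.verifyToken(rawToken);
        if (token != null) {
            user = tokenValidator.resolveUser(token);
        }
        // a token that fails verification, or verifies but has no user, is rejected the same way
        if (user == null || token == null) {
            throw APIException.unauthorized.noTokenFoundForUserFromForeignVDC();
        }
        if (user.getIsLocal()) {
            throw APIException.forbidden.localUsersNotAllowedForSingleSignOn(user.getUserName());
        }
    }

    // Compare the caller's key ids with the local bundle. No first key id means the caller has
    // not seen a rotation yet, so there is nothing to compare.
    if (StringUtils.isNotBlank(firstKey)) {
        try {
            updatedBundle = tokenKeyGenerator.readBundle();
        } catch (Exception ex) {
            // best-effort, as before (no bundle is returned), but keep the cause in the log
            log.error("Could not look at local token keys bundle", ex);
        }
        if (updatedBundle != null) {
            log.debug("Read the local key bundle");
            if (keyIdsMatch(firstKey, secondKey, updatedBundle.getKeyEntries())) {
                log.info("Key id match.  Not returning a bundle");
                // the caller already holds the current keys and does not need them again
                updatedBundle = null;
            } else {
                log.info("Key ids do not match.  Returning updated bundle");
            }
        }
    }

    if (token != null) {
        tokenMapHelper.addOrRemoveRequestingVDC(Operation.ADD_VDC, token.getId().toString(), req.getRequestingVDC());
        // the token is being borrowed by another vdc, so it just got accessed
        token.setLastAccessTime(CassandraTokenValidator.getCurrentTimeInMins());
        try {
            dbClient.persistObject(token);
        } catch (DatabaseException ex) {
            log.error("failed updating last access time for borrowed token {}", token.getId(), ex);
        }
    }
    return TokenResponseBuilder.buildTokenResponse(token, user, updatedBundle);
}

/**
 * Returns {@code true} when the caller's key ids are the local bundle's key ids: a single local
 * key equal to {@code firstKey} with no second key supplied, or local keys whose first two
 * entries equal {@code firstKey} and {@code secondKey} in order.
 * <p>
 * A bundle with fewer entries than the caller supplied (including an empty one) yields
 * {@code false} instead of an IndexOutOfBoundsException.
 *
 * @param firstKey  the caller's first key id, never blank
 * @param secondKey the caller's second key id, may be {@code null}
 * @param keyIds    key ids of the local bundle, may be {@code null} or empty
 */
private static boolean keyIdsMatch(String firstKey, String secondKey, List<String> keyIds) {
    if (keyIds == null || keyIds.isEmpty() || !firstKey.equals(keyIds.get(0))) {
        return false;
    }
    if (secondKey == null) {
        return keyIds.size() == 1;
    }
    return keyIds.size() >= 2 && secondKey.equals(keyIds.get(1));
}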
