Search in sources :

Example 6 with TokenKeyGenerator

use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.

the class TokenManagerTests method resetCoordinatorData.

/**
 * Convenience function to reset the coordinator data, call init on the two involved nodes,
 * and check they agree on the curent key id.
 *
 * @param coordinator
 * @param tokenManager1
 * @param tokenManager2
 * @param encoder1
 * @param encoder2
 * @throws Exception
 */
private void resetCoordinatorData(CoordinatorClient coordinator, CassandraTokenManager tokenManager1, CassandraTokenManager tokenManager2, Base64TokenEncoder encoder1, Base64TokenEncoder encoder2, TokenKeyGenerator tokenKeyGenerator1, TokenKeyGenerator tokenKeyGenerator2) throws Exception {
    final long ROTATION_INTERVAL_MSECS = 5000;
    DbClient dbClient = getDbClient();
    coordinator = new TestCoordinator();
    // Node 1
    tokenManager1 = new CassandraTokenManager();
    encoder1 = new Base64TokenEncoder();
    tokenKeyGenerator1 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder1 = new TokenMaxLifeValuesHolder();
    // means that once a token is created,
    holder1.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    // if the next token being requested happens 5 seconds later or more, the keys will
    // rotate. This is to test the built in logic that triggers rotation.
    tokenManager1.setTokenMaxLifeValuesHolder(holder1);
    tokenManager1.setDbClient(dbClient);
    tokenManager1.setCoordinator(coordinator);
    encoder1.setCoordinator(coordinator);
    tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder1);
    encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
    encoder1.managerInit();
    tokenManager1.setTokenEncoder(encoder1);
    // Node 2
    tokenManager2 = new CassandraTokenManager();
    encoder2 = new Base64TokenEncoder();
    tokenKeyGenerator2 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder2 = new TokenMaxLifeValuesHolder();
    holder2.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    tokenManager2.setTokenMaxLifeValuesHolder(holder2);
    tokenManager2.setDbClient(dbClient);
    tokenManager2.setCoordinator(coordinator);
    encoder2.setCoordinator(coordinator);
    tokenKeyGenerator2.setTokenMaxLifeValuesHolder(holder2);
    encoder2.setTokenKeyGenerator(tokenKeyGenerator2);
    encoder2.managerInit();
    tokenManager2.setTokenEncoder(encoder2);
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    // first, verify both managers are starting with the same key.
    final String token1 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token1);
    TokenOnWire tw1 = encoder1.decode(token1);
    String key1 = tw1.getEncryptionKeyId();
    final String token2 = tokenManager2.getToken(userDAO);
    Assert.assertNotNull(token2);
    TokenOnWire tw2 = encoder2.decode(token2);
    String key2 = tw2.getEncryptionKeyId();
    Assert.assertEquals(key1, key2);
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) DbClient(com.emc.storageos.db.client.DbClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire)

Example 7 with TokenKeyGenerator

use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.

the class TokenManagerTests method testConcurrentRotations.

/**
 * Have 15 threads attempt a rotation. 14 should realize that rotation have already happen
 * and not do anything. At the end, the current key id should be uniform across all 15 threads.
 * Additionally, the previous key id should still be valid.
 */
@Test
public void testConcurrentRotations() throws Exception {
    // For this test, we need our custom setup, with several
    // tokenManagers sharing a common TestCoordinator. This will
    // simulate shared zookeeper data on the cluster. And the different
    // tokenManagers/KeyGenerators will simulate the different nodes.
    DbClient dbClient = getDbClient();
    CoordinatorClient coordinator = new TestCoordinator();
    final int ROTATION_INTERVAL_MSECS = 5000;
    int numThreads = 15;
    ExecutorService executor = Executors.newFixedThreadPool(numThreads);
    final CountDownLatch waiter = new CountDownLatch(numThreads);
    final class InitTester implements Callable {

        CoordinatorClient _coordinator = null;

        DbClient _client = null;

        KeyIdsHolder _holder = null;

        public InitTester(CoordinatorClient coord, DbClient client, KeyIdsHolder holder) {
            _coordinator = coord;
            _client = client;
            _holder = holder;
        }

        @Override
        public Object call() throws Exception {
            // create node artifacts
            CassandraTokenManager tokenManager1 = new CassandraTokenManager();
            Base64TokenEncoder encoder1 = new Base64TokenEncoder();
            TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
            tokenManager1.setDbClient(_client);
            tokenManager1.setCoordinator(_coordinator);
            encoder1.setCoordinator(_coordinator);
            tokenManager1.setTokenEncoder(encoder1);
            TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
            tokenManager1.setTokenMaxLifeValuesHolder(holder);
            tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder);
            encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
            holder.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
            encoder1.managerInit();
            // synchronize all threads
            waiter.countDown();
            waiter.await();
            // everybody gets a token using the key before the rotation
            StorageOSUserDAO userDAO = new StorageOSUserDAO();
            userDAO.setUserName("user1");
            final String token = tokenManager1.getToken(userDAO);
            Assert.assertNotNull(token);
            TokenOnWire tw = encoder1.decode(token);
            String previousKey = tw.getEncryptionKeyId();
            // cause the rotation
            Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
            final String token2 = tokenManager1.getToken(userDAO);
            Assert.assertNotNull(token2);
            TokenOnWire tw2 = encoder1.decode(token2);
            // save the new key in the set to check later that all threads agree
            // this is the new key
            _holder.addToSet(tw2.getEncryptionKeyId());
            // validate token created with the previous key to make sure
            // rotation didn't mess up the previous key
            StorageOSUserDAO gotUser = tokenManager1.validateToken(token);
            Assert.assertNotNull(gotUser);
            return null;
        }
    }
    KeyIdsHolder holder = new KeyIdsHolder();
    for (int i = 0; i < numThreads; i++) {
        executor.submit(new InitTester(coordinator, dbClient, holder));
    }
    executor.shutdown();
    Assert.assertTrue(executor.awaitTermination(60, TimeUnit.SECONDS));
    // after all is said and done, all tokens created in all 15 threads, should have been
    // created with the same key id.
    Assert.assertEquals(1, holder.getSetSize());
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) DbClient(com.emc.storageos.db.client.DbClient) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) ContainmentConstraint(com.emc.storageos.db.client.constraint.ContainmentConstraint) AlternateIdConstraint(com.emc.storageos.db.client.constraint.AlternateIdConstraint) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) CoordinatorClient(com.emc.storageos.coordinator.client.service.CoordinatorClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) Test(org.junit.Test)

Example 8 with TokenKeyGenerator

use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.

the class TokenManagerTests method testConcurrentIntraVDCTokenCaching.

/**
 * testConcurrentIntraVDCTokenCaching
 * Tests that multiple nodes in a single foreign VDC can cache the same token without collision
 *
 * @throws Exception
 */
@Test
public void testConcurrentIntraVDCTokenCaching() throws Exception {
    // common setup and create a token
    commonDefaultSetupForSingleNodeTests();
    VirtualDataCenter localVdc = VdcUtil.getLocalVdc();
    localVdc.setShortId("externalVDCId");
    _dbClient.persistObject(localVdc);
    VdcUtil.invalidateVdcUrnCache();
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1@domain.com");
    userDAO.setIsLocal(false);
    String token = _tokenManager.getToken(userDAO);
    Assert.assertNotNull(token);
    TokenOnWire tw1 = _encoder.decode(token);
    final Token tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
    Assert.assertNotNull(tokenObj);
    URI userId = tokenObj.getUserId();
    Assert.assertNotNull(userId);
    final StorageOSUserDAO gotUser = _tokenManager.validateToken(token);
    Assert.assertNotNull(gotUser);
    // because we are running this on the same "db" as opposed to 2 different VDCs,
    // there will be a conflict when caching the token, since the original is already there
    // with the same id. So we are changing the token id and user record id for this
    // purpose.
    tokenObj.setId(URIUtil.createId(Token.class));
    gotUser.setId(URIUtil.createId(StorageOSUserDAO.class));
    tokenObj.setUserId(gotUser.getId());
    TokenOnWire tokenToBeCached = TokenOnWire.createTokenOnWire(tokenObj);
    // this re-encoded alternate token is the token that will be cached and validated
    // from cache.
    final String newEncoded = _encoder.encode(tokenToBeCached);
    final DbClient dbClient = getDbClient();
    // note: the same coordinator is being used in all threads. This means that
    // token keys will be present in this simulated foreign vdc eventhough we didn't
    // explicitly cache them. This should normally fail since we don't have the keys
    // but to focus this test on just the token validation from cache, we leave this be.
    // A separate test will deal with multiple TestCoordinator() representing different
    // zk, in other words true multiple VDCs.
    final CoordinatorClient coordinator = new TestCoordinator();
    // change it back to vdc1, so that it will not match the vdcid in the token
    // created earlier and therefore will be considered a foreign token.
    localVdc.setShortId("vdc1");
    _dbClient.persistObject(localVdc);
    VdcUtil.invalidateVdcUrnCache();
    int numThreads = 5;
    ExecutorService executor = Executors.newFixedThreadPool(numThreads);
    final CountDownLatch waiter = new CountDownLatch(numThreads);
    final class InitTester implements Callable {

        @Override
        public Object call() throws Exception {
            // create node artifacts
            TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
            holder.setForeignTokenCacheExpirationInMins(1);
            InterVDCTokenCacheHelper cacheHelper = new InterVDCTokenCacheHelper();
            cacheHelper.setCoordinator(coordinator);
            cacheHelper.setDbClient(dbClient);
            cacheHelper.setMaxLifeValuesHolder(holder);
            TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
            tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder);
            Base64TokenEncoder encoder1 = new Base64TokenEncoder();
            encoder1.setCoordinator(coordinator);
            encoder1.setInterVDCTokenCacheHelper(cacheHelper);
            encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
            encoder1.managerInit();
            CassandraTokenManager tokenManager1 = new CassandraTokenManager();
            tokenManager1.setDbClient(dbClient);
            tokenManager1.setCoordinator(coordinator);
            tokenManager1.setTokenMaxLifeValuesHolder(holder);
            tokenManager1.setInterVDCTokenCacheHelper(cacheHelper);
            tokenManager1.setTokenEncoder(encoder1);
            TokenResponseArtifacts artifacts = new TokenResponseArtifacts(gotUser, tokenObj, null);
            // synchronize all threads
            waiter.countDown();
            waiter.await();
            // Cache the token artifacts. Each thread will try at the same time
            // End result is, the token/user values will all be the same anyway
            // but the important is there is no concurrency issue between the first
            // thread that will try to add to the cache, and the others that will simply
            // update it.
            cacheHelper.cacheForeignTokenAndKeys(artifacts, null);
            // First validation should work. It validates from the cache.
            StorageOSUserDAO userFromDB = tokenManager1.validateToken(newEncoded);
            Assert.assertNotNull(userFromDB);
            Assert.assertEquals(userFromDB.getUserName(), gotUser.getUserName());
            // wait longer than cache expiration (longer than 1 minute in our case)
            // token's cache expiration should be expired
            Thread.sleep((holder.getForeignTokenCacheExpirationInMins() + 1) * 60000);
            userFromDB = tokenManager1.validateToken(newEncoded);
            Assert.assertNull(userFromDB);
            return null;
        }
    }
    for (int i = 0; i < numThreads; i++) {
        executor.submit(new InitTester());
    }
    executor.shutdown();
    Assert.assertTrue(executor.awaitTermination(180, TimeUnit.SECONDS));
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) DbClient(com.emc.storageos.db.client.DbClient) SignedToken(com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken) ProxyToken(com.emc.storageos.db.client.model.ProxyToken) Token(com.emc.storageos.db.client.model.Token) BaseToken(com.emc.storageos.db.client.model.BaseToken) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) URI(java.net.URI) ContainmentConstraint(com.emc.storageos.db.client.constraint.ContainmentConstraint) AlternateIdConstraint(com.emc.storageos.db.client.constraint.AlternateIdConstraint) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) InterVDCTokenCacheHelper(com.emc.storageos.security.geo.InterVDCTokenCacheHelper) VirtualDataCenter(com.emc.storageos.db.client.model.VirtualDataCenter) CoordinatorClient(com.emc.storageos.coordinator.client.service.CoordinatorClient) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenResponseArtifacts(com.emc.storageos.security.geo.TokenResponseBuilder.TokenResponseArtifacts) Test(org.junit.Test)

Example 9 with TokenKeyGenerator

use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.

the class TokenManagerTests method testMultiNodesCacheUpdates.

/**
 * Tests out of sync cache behavior with multiple nodes.
 *
 * @throws Exception
 */
@Test
public void testMultiNodesCacheUpdates() throws Exception {
    // For this test, we need our custom setup, with several
    // tokenManagers sharing a common TestCoordinator. This will
    // simulate shared zookeeper data on the cluster. And the different
    // tokenManagers/KeyGenerators will simulate the different nodes with
    // out of sync caches.
    final long ROTATION_INTERVAL_MSECS = 5000;
    DbClient dbClient = getDbClient();
    CoordinatorClient coordinator = new TestCoordinator();
    // Node 1
    CassandraTokenManager tokenManager1 = new CassandraTokenManager();
    Base64TokenEncoder encoder1 = new Base64TokenEncoder();
    TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder1 = new TokenMaxLifeValuesHolder();
    // means that once a token is created,
    holder1.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    // if the next token being requested happens 5 seconds later or more, the keys will
    // rotate. This is to test the built in logic that triggers rotation.
    tokenManager1.setTokenMaxLifeValuesHolder(holder1);
    tokenManager1.setDbClient(dbClient);
    tokenManager1.setCoordinator(coordinator);
    encoder1.setCoordinator(coordinator);
    tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder1);
    encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
    encoder1.managerInit();
    tokenManager1.setTokenEncoder(encoder1);
    // Node 2
    CassandraTokenManager tokenManager2 = new CassandraTokenManager();
    Base64TokenEncoder encoder2 = new Base64TokenEncoder();
    TokenKeyGenerator tokenKeyGenerator2 = new TokenKeyGenerator();
    TokenMaxLifeValuesHolder holder2 = new TokenMaxLifeValuesHolder();
    holder2.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
    tokenManager2.setTokenMaxLifeValuesHolder(holder2);
    tokenManager2.setDbClient(dbClient);
    tokenManager2.setCoordinator(coordinator);
    encoder2.setCoordinator(coordinator);
    tokenKeyGenerator2.setTokenMaxLifeValuesHolder(holder2);
    encoder2.setTokenKeyGenerator(tokenKeyGenerator2);
    encoder2.managerInit();
    tokenManager2.setTokenEncoder(encoder2);
    // We do not need to use multi threads for these tests. We are using
    // a determined sequence of events to cause caches to be out of sync and
    // see how the keyGenerators react.
    // SCENARIO 1 -----------------------------------------------------------------
    // Cause a rotation on node1, then go with that token to node 2 to validate the
    // token. Node2 should update the cache automatically to find the new key and
    // validate the token successfully.
    resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
    // cause the rotation
    Thread.sleep((ROTATION_INTERVAL_MSECS) + 1000);
    StorageOSUserDAO userDAO = new StorageOSUserDAO();
    userDAO.setUserName("user1");
    // get a new token from node 1 (it will be encoded with a new key)
    final String token3 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token3);
    // validate it on node 2
    StorageOSUserDAO gotUser = tokenManager2.validateToken(token3);
    Assert.assertNotNull(gotUser);
    // SCENARIO 2 -----------------------------------------------------------------
    // Create a token with the current key on node 1. Cause 2 rotations on node1, then go with that
    // token to node 2 to validate. At that point, node 2 still has the token's key in cache. But
    // that key is now 2 rotations old and should not be accepted. We want to test that node 2
    // appropriately updates its cache, then refuses the key, rejects the token.
    // reset coordinator data, start from scratch with fresh keys.
    resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
    final String token4 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token4);
    Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
    final String token5 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token5);
    Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
    final String token6 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token6);
    try {
        gotUser = tokenManager2.validateToken(token4);
        Assert.fail("The token validation should fail because of the token rotation.");
    } catch (UnauthorizedException ex) {
        // This exception is an expected one.
        Assert.assertTrue(true);
    }
    // SCENARIO 3 -----------------------------------------------------------------
    // Cause a rotation on node 1. Then go to node 2 to get a new token. Node 2 should realize
    // that the key it is about to use for signing is not the latest and refresh its cache. It should
    // not however cause a rotation, because it already just happened.
    resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
    // cause a rotation
    Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
    final String token7 = tokenManager1.getToken(userDAO);
    Assert.assertNotNull(token7);
    TokenOnWire tw7 = encoder1.decode(token7);
    String key7 = tw7.getEncryptionKeyId();
    final String token8 = tokenManager2.getToken(userDAO);
    Assert.assertNotNull(token8);
    TokenOnWire tw8 = encoder1.decode(token8);
    String key8 = tw8.getEncryptionKeyId();
    // see that the key id that was used to encode both tokens are the same.
    Assert.assertEquals(key7, key8);
}
Also used : TokenMaxLifeValuesHolder(com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder) CassandraTokenManager(com.emc.storageos.auth.impl.CassandraTokenManager) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) DbClient(com.emc.storageos.db.client.DbClient) UnauthorizedException(com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException) CoordinatorClient(com.emc.storageos.coordinator.client.service.CoordinatorClient) Base64TokenEncoder(com.emc.storageos.security.authentication.Base64TokenEncoder) TokenKeyGenerator(com.emc.storageos.security.authentication.TokenKeyGenerator) TokenOnWire(com.emc.storageos.security.authentication.TokenOnWire) Test(org.junit.Test)

Aggregations

Base64TokenEncoder (com.emc.storageos.security.authentication.Base64TokenEncoder)9 TokenKeyGenerator (com.emc.storageos.security.authentication.TokenKeyGenerator)9 TokenMaxLifeValuesHolder (com.emc.storageos.security.authentication.TokenMaxLifeValuesHolder)9 CoordinatorClient (com.emc.storageos.coordinator.client.service.CoordinatorClient)8 Test (org.junit.Test)8 CassandraTokenManager (com.emc.storageos.auth.impl.CassandraTokenManager)7 DbClient (com.emc.storageos.db.client.DbClient)7 StorageOSUserDAO (com.emc.storageos.db.client.model.StorageOSUserDAO)7 TokenOnWire (com.emc.storageos.security.authentication.TokenOnWire)7 AlternateIdConstraint (com.emc.storageos.db.client.constraint.AlternateIdConstraint)4 ContainmentConstraint (com.emc.storageos.db.client.constraint.ContainmentConstraint)4 InterVDCTokenCacheHelper (com.emc.storageos.security.geo.InterVDCTokenCacheHelper)4 BaseToken (com.emc.storageos.db.client.model.BaseToken)3 ProxyToken (com.emc.storageos.db.client.model.ProxyToken)3 Token (com.emc.storageos.db.client.model.Token)3 SignedToken (com.emc.storageos.security.authentication.Base64TokenEncoder.SignedToken)3 TokenKeysBundle (com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle)3 TokenResponseArtifacts (com.emc.storageos.security.geo.TokenResponseBuilder.TokenResponseArtifacts)3 VirtualDataCenter (com.emc.storageos.db.client.model.VirtualDataCenter)2 UnauthorizedException (com.emc.storageos.svcs.errorhandling.resources.UnauthorizedException)2