use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.
the class TokenManagerTests method resetCoordinatorData.
/**
* Convenience function to reset the coordinator data, call init on the two involved nodes,
* and check they agree on the curent key id.
*
* @param coordinator
* @param tokenManager1
* @param tokenManager2
* @param encoder1
* @param encoder2
* @throws Exception
*/
private void resetCoordinatorData(CoordinatorClient coordinator, CassandraTokenManager tokenManager1, CassandraTokenManager tokenManager2, Base64TokenEncoder encoder1, Base64TokenEncoder encoder2, TokenKeyGenerator tokenKeyGenerator1, TokenKeyGenerator tokenKeyGenerator2) throws Exception {
final long ROTATION_INTERVAL_MSECS = 5000;
DbClient dbClient = getDbClient();
coordinator = new TestCoordinator();
// Node 1
tokenManager1 = new CassandraTokenManager();
encoder1 = new Base64TokenEncoder();
tokenKeyGenerator1 = new TokenKeyGenerator();
TokenMaxLifeValuesHolder holder1 = new TokenMaxLifeValuesHolder();
// means that once a token is created,
holder1.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
// if the next token being requested happens 5 seconds later or more, the keys will
// rotate. This is to test the built in logic that triggers rotation.
tokenManager1.setTokenMaxLifeValuesHolder(holder1);
tokenManager1.setDbClient(dbClient);
tokenManager1.setCoordinator(coordinator);
encoder1.setCoordinator(coordinator);
tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder1);
encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
encoder1.managerInit();
tokenManager1.setTokenEncoder(encoder1);
// Node 2
tokenManager2 = new CassandraTokenManager();
encoder2 = new Base64TokenEncoder();
tokenKeyGenerator2 = new TokenKeyGenerator();
TokenMaxLifeValuesHolder holder2 = new TokenMaxLifeValuesHolder();
holder2.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
tokenManager2.setTokenMaxLifeValuesHolder(holder2);
tokenManager2.setDbClient(dbClient);
tokenManager2.setCoordinator(coordinator);
encoder2.setCoordinator(coordinator);
tokenKeyGenerator2.setTokenMaxLifeValuesHolder(holder2);
encoder2.setTokenKeyGenerator(tokenKeyGenerator2);
encoder2.managerInit();
tokenManager2.setTokenEncoder(encoder2);
StorageOSUserDAO userDAO = new StorageOSUserDAO();
userDAO.setUserName("user1");
// first, verify both managers are starting with the same key.
final String token1 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token1);
TokenOnWire tw1 = encoder1.decode(token1);
String key1 = tw1.getEncryptionKeyId();
final String token2 = tokenManager2.getToken(userDAO);
Assert.assertNotNull(token2);
TokenOnWire tw2 = encoder2.decode(token2);
String key2 = tw2.getEncryptionKeyId();
Assert.assertEquals(key1, key2);
}
use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.
the class TokenManagerTests method testConcurrentRotations.
/**
* Have 15 threads attempt a rotation. 14 should realize that rotation have already happen
* and not do anything. At the end, the current key id should be uniform across all 15 threads.
* Additionally, the previous key id should still be valid.
*/
@Test
public void testConcurrentRotations() throws Exception {
// For this test, we need our custom setup, with several
// tokenManagers sharing a common TestCoordinator. This will
// simulate shared zookeeper data on the cluster. And the different
// tokenManagers/KeyGenerators will simulate the different nodes.
DbClient dbClient = getDbClient();
CoordinatorClient coordinator = new TestCoordinator();
final int ROTATION_INTERVAL_MSECS = 5000;
int numThreads = 15;
ExecutorService executor = Executors.newFixedThreadPool(numThreads);
final CountDownLatch waiter = new CountDownLatch(numThreads);
final class InitTester implements Callable {
CoordinatorClient _coordinator = null;
DbClient _client = null;
KeyIdsHolder _holder = null;
public InitTester(CoordinatorClient coord, DbClient client, KeyIdsHolder holder) {
_coordinator = coord;
_client = client;
_holder = holder;
}
@Override
public Object call() throws Exception {
// create node artifacts
CassandraTokenManager tokenManager1 = new CassandraTokenManager();
Base64TokenEncoder encoder1 = new Base64TokenEncoder();
TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
tokenManager1.setDbClient(_client);
tokenManager1.setCoordinator(_coordinator);
encoder1.setCoordinator(_coordinator);
tokenManager1.setTokenEncoder(encoder1);
TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
tokenManager1.setTokenMaxLifeValuesHolder(holder);
tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder);
encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
holder.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
encoder1.managerInit();
// synchronize all threads
waiter.countDown();
waiter.await();
// everybody gets a token using the key before the rotation
StorageOSUserDAO userDAO = new StorageOSUserDAO();
userDAO.setUserName("user1");
final String token = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token);
TokenOnWire tw = encoder1.decode(token);
String previousKey = tw.getEncryptionKeyId();
// cause the rotation
Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
final String token2 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token2);
TokenOnWire tw2 = encoder1.decode(token2);
// save the new key in the set to check later that all threads agree
// this is the new key
_holder.addToSet(tw2.getEncryptionKeyId());
// validate token created with the previous key to make sure
// rotation didn't mess up the previous key
StorageOSUserDAO gotUser = tokenManager1.validateToken(token);
Assert.assertNotNull(gotUser);
return null;
}
}
KeyIdsHolder holder = new KeyIdsHolder();
for (int i = 0; i < numThreads; i++) {
executor.submit(new InitTester(coordinator, dbClient, holder));
}
executor.shutdown();
Assert.assertTrue(executor.awaitTermination(60, TimeUnit.SECONDS));
// after all is said and done, all tokens created in all 15 threads, should have been
// created with the same key id.
Assert.assertEquals(1, holder.getSetSize());
}
use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.
the class TokenManagerTests method testConcurrentIntraVDCTokenCaching.
/**
* testConcurrentIntraVDCTokenCaching
* Tests that multiple nodes in a single foreign VDC can cache the same token without collision
*
* @throws Exception
*/
@Test
public void testConcurrentIntraVDCTokenCaching() throws Exception {
// common setup and create a token
commonDefaultSetupForSingleNodeTests();
VirtualDataCenter localVdc = VdcUtil.getLocalVdc();
localVdc.setShortId("externalVDCId");
_dbClient.persistObject(localVdc);
VdcUtil.invalidateVdcUrnCache();
StorageOSUserDAO userDAO = new StorageOSUserDAO();
userDAO.setUserName("user1@domain.com");
userDAO.setIsLocal(false);
String token = _tokenManager.getToken(userDAO);
Assert.assertNotNull(token);
TokenOnWire tw1 = _encoder.decode(token);
final Token tokenObj = _dbClient.queryObject(Token.class, tw1.getTokenId());
Assert.assertNotNull(tokenObj);
URI userId = tokenObj.getUserId();
Assert.assertNotNull(userId);
final StorageOSUserDAO gotUser = _tokenManager.validateToken(token);
Assert.assertNotNull(gotUser);
// because we are running this on the same "db" as opposed to 2 different VDCs,
// there will be a conflict when caching the token, since the original is already there
// with the same id. So we are changing the token id and user record id for this
// purpose.
tokenObj.setId(URIUtil.createId(Token.class));
gotUser.setId(URIUtil.createId(StorageOSUserDAO.class));
tokenObj.setUserId(gotUser.getId());
TokenOnWire tokenToBeCached = TokenOnWire.createTokenOnWire(tokenObj);
// this re-encoded alternate token is the token that will be cached and validated
// from cache.
final String newEncoded = _encoder.encode(tokenToBeCached);
final DbClient dbClient = getDbClient();
// note: the same coordinator is being used in all threads. This means that
// token keys will be present in this simulated foreign vdc eventhough we didn't
// explicitly cache them. This should normally fail since we don't have the keys
// but to focus this test on just the token validation from cache, we leave this be.
// A separate test will deal with multiple TestCoordinator() representing different
// zk, in other words true multiple VDCs.
final CoordinatorClient coordinator = new TestCoordinator();
// change it back to vdc1, so that it will not match the vdcid in the token
// created earlier and therefore will be considered a foreign token.
localVdc.setShortId("vdc1");
_dbClient.persistObject(localVdc);
VdcUtil.invalidateVdcUrnCache();
int numThreads = 5;
ExecutorService executor = Executors.newFixedThreadPool(numThreads);
final CountDownLatch waiter = new CountDownLatch(numThreads);
final class InitTester implements Callable {
@Override
public Object call() throws Exception {
// create node artifacts
TokenMaxLifeValuesHolder holder = new TokenMaxLifeValuesHolder();
holder.setForeignTokenCacheExpirationInMins(1);
InterVDCTokenCacheHelper cacheHelper = new InterVDCTokenCacheHelper();
cacheHelper.setCoordinator(coordinator);
cacheHelper.setDbClient(dbClient);
cacheHelper.setMaxLifeValuesHolder(holder);
TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder);
Base64TokenEncoder encoder1 = new Base64TokenEncoder();
encoder1.setCoordinator(coordinator);
encoder1.setInterVDCTokenCacheHelper(cacheHelper);
encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
encoder1.managerInit();
CassandraTokenManager tokenManager1 = new CassandraTokenManager();
tokenManager1.setDbClient(dbClient);
tokenManager1.setCoordinator(coordinator);
tokenManager1.setTokenMaxLifeValuesHolder(holder);
tokenManager1.setInterVDCTokenCacheHelper(cacheHelper);
tokenManager1.setTokenEncoder(encoder1);
TokenResponseArtifacts artifacts = new TokenResponseArtifacts(gotUser, tokenObj, null);
// synchronize all threads
waiter.countDown();
waiter.await();
// Cache the token artifacts. Each thread will try at the same time
// End result is, the token/user values will all be the same anyway
// but the important is there is no concurrency issue between the first
// thread that will try to add to the cache, and the others that will simply
// update it.
cacheHelper.cacheForeignTokenAndKeys(artifacts, null);
// First validation should work. It validates from the cache.
StorageOSUserDAO userFromDB = tokenManager1.validateToken(newEncoded);
Assert.assertNotNull(userFromDB);
Assert.assertEquals(userFromDB.getUserName(), gotUser.getUserName());
// wait longer than cache expiration (longer than 1 minute in our case)
// token's cache expiration should be expired
Thread.sleep((holder.getForeignTokenCacheExpirationInMins() + 1) * 60000);
userFromDB = tokenManager1.validateToken(newEncoded);
Assert.assertNull(userFromDB);
return null;
}
}
for (int i = 0; i < numThreads; i++) {
executor.submit(new InitTester());
}
executor.shutdown();
Assert.assertTrue(executor.awaitTermination(180, TimeUnit.SECONDS));
}
use of com.emc.storageos.security.authentication.TokenKeyGenerator in project coprhd-controller by CoprHD.
the class TokenManagerTests method testMultiNodesCacheUpdates.
/**
* Tests out of sync cache behavior with multiple nodes.
*
* @throws Exception
*/
@Test
public void testMultiNodesCacheUpdates() throws Exception {
// For this test, we need our custom setup, with several
// tokenManagers sharing a common TestCoordinator. This will
// simulate shared zookeeper data on the cluster. And the different
// tokenManagers/KeyGenerators will simulate the different nodes with
// out of sync caches.
final long ROTATION_INTERVAL_MSECS = 5000;
DbClient dbClient = getDbClient();
CoordinatorClient coordinator = new TestCoordinator();
// Node 1
CassandraTokenManager tokenManager1 = new CassandraTokenManager();
Base64TokenEncoder encoder1 = new Base64TokenEncoder();
TokenKeyGenerator tokenKeyGenerator1 = new TokenKeyGenerator();
TokenMaxLifeValuesHolder holder1 = new TokenMaxLifeValuesHolder();
// means that once a token is created,
holder1.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
// if the next token being requested happens 5 seconds later or more, the keys will
// rotate. This is to test the built in logic that triggers rotation.
tokenManager1.setTokenMaxLifeValuesHolder(holder1);
tokenManager1.setDbClient(dbClient);
tokenManager1.setCoordinator(coordinator);
encoder1.setCoordinator(coordinator);
tokenKeyGenerator1.setTokenMaxLifeValuesHolder(holder1);
encoder1.setTokenKeyGenerator(tokenKeyGenerator1);
encoder1.managerInit();
tokenManager1.setTokenEncoder(encoder1);
// Node 2
CassandraTokenManager tokenManager2 = new CassandraTokenManager();
Base64TokenEncoder encoder2 = new Base64TokenEncoder();
TokenKeyGenerator tokenKeyGenerator2 = new TokenKeyGenerator();
TokenMaxLifeValuesHolder holder2 = new TokenMaxLifeValuesHolder();
holder2.setKeyRotationIntervalInMSecs(ROTATION_INTERVAL_MSECS);
tokenManager2.setTokenMaxLifeValuesHolder(holder2);
tokenManager2.setDbClient(dbClient);
tokenManager2.setCoordinator(coordinator);
encoder2.setCoordinator(coordinator);
tokenKeyGenerator2.setTokenMaxLifeValuesHolder(holder2);
encoder2.setTokenKeyGenerator(tokenKeyGenerator2);
encoder2.managerInit();
tokenManager2.setTokenEncoder(encoder2);
// We do not need to use multi threads for these tests. We are using
// a determined sequence of events to cause caches to be out of sync and
// see how the keyGenerators react.
// SCENARIO 1 -----------------------------------------------------------------
// Cause a rotation on node1, then go with that token to node 2 to validate the
// token. Node2 should update the cache automatically to find the new key and
// validate the token successfully.
resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
// cause the rotation
Thread.sleep((ROTATION_INTERVAL_MSECS) + 1000);
StorageOSUserDAO userDAO = new StorageOSUserDAO();
userDAO.setUserName("user1");
// get a new token from node 1 (it will be encoded with a new key)
final String token3 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token3);
// validate it on node 2
StorageOSUserDAO gotUser = tokenManager2.validateToken(token3);
Assert.assertNotNull(gotUser);
// SCENARIO 2 -----------------------------------------------------------------
// Create a token with the current key on node 1. Cause 2 rotations on node1, then go with that
// token to node 2 to validate. At that point, node 2 still has the token's key in cache. But
// that key is now 2 rotations old and should not be accepted. We want to test that node 2
// appropriately updates its cache, then refuses the key, rejects the token.
// reset coordinator data, start from scratch with fresh keys.
resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
final String token4 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token4);
Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
final String token5 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token5);
Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
final String token6 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token6);
try {
gotUser = tokenManager2.validateToken(token4);
Assert.fail("The token validation should fail because of the token rotation.");
} catch (UnauthorizedException ex) {
// This exception is an expected one.
Assert.assertTrue(true);
}
// SCENARIO 3 -----------------------------------------------------------------
// Cause a rotation on node 1. Then go to node 2 to get a new token. Node 2 should realize
// that the key it is about to use for signing is not the latest and refresh its cache. It should
// not however cause a rotation, because it already just happened.
resetCoordinatorData(coordinator, tokenManager1, tokenManager2, encoder1, encoder2, tokenKeyGenerator1, tokenKeyGenerator2);
// cause a rotation
Thread.sleep((ROTATION_INTERVAL_MSECS + 1000));
final String token7 = tokenManager1.getToken(userDAO);
Assert.assertNotNull(token7);
TokenOnWire tw7 = encoder1.decode(token7);
String key7 = tw7.getEncryptionKeyId();
final String token8 = tokenManager2.getToken(userDAO);
Assert.assertNotNull(token8);
TokenOnWire tw8 = encoder1.decode(token8);
String key8 = tw8.getEncryptionKeyId();
// see that the key id that was used to encode both tokens are the same.
Assert.assertEquals(key7, key8);
}
Aggregations