Use of datawave.security.authorization.DatawavePrincipal in the datawave project by NationalSecurityAgency.
Class CredentialsCacheBeanTest, method setUp.
@Before
public void setUp() throws Exception {
    // Arquillian would normally inject the bean under test, but its @Singleton annotation appears to
    // clash with Arquillian such that every method invoked on the injected bean throws a
    // NullPointerException. Work around it by constructing the bean by hand and forcing CDI field
    // injection, which loads everything the tests need.
    // TODO: identify and resolve the underlying issue
    ccb = new CredentialsCacheBean();
    BeanProvider.injectFields(ccb);

    // A fresh, empty cache per test so cases cannot observe one another's entries.
    cache = CacheBuilder.newBuilder().build();
    authManager.setCache(cache);

    // Two distinct users and one server; the server is combined with each user below.
    SubjectIssuerDNPair firstUserDn = SubjectIssuerDNPair.of("user1", "issuer1");
    SubjectIssuerDNPair secondUserDn = SubjectIssuerDNPair.of("user2", "issuer2");
    SubjectIssuerDNPair serverDn = SubjectIssuerDNPair.of("server1", "issuer1");
    DatawaveUser firstUser = new DatawaveUser(firstUserDn, UserType.USER, null, null, null, -1);
    DatawaveUser secondUser = new DatawaveUser(secondUserDn, UserType.USER, null, null, null, -1);
    DatawaveUser server = new DatawaveUser(serverDn, UserType.SERVER, null, null, null, -1);

    DatawavePrincipal firstUserViaServer = new DatawavePrincipal(Arrays.asList(firstUser, server));
    DatawavePrincipal firstUserAlone = new DatawavePrincipal(Collections.singleton(firstUser));
    DatawavePrincipal secondUserViaServer = new DatawavePrincipal(Arrays.asList(secondUser, server));

    // Each principal is keyed by itself, in the same insertion order as before.
    for (DatawavePrincipal principal : Arrays.asList(firstUserViaServer, firstUserAlone, secondUserViaServer)) {
        cache.put(principal, principal);
    }
}
Use of datawave.security.authorization.DatawavePrincipal in the datawave project by NationalSecurityAgency.
Class DatawaveCertRolesLoginModuleTest, method testSuccessfulLogin.
@Test
public void testSuccessfulLogin() throws Exception {
    // The login name is the certificate's subject DN followed by its issuer DN in angle brackets.
    String subjectDn = testUserCert.getSubjectDN().getName();
    String issuerDn = testUserCert.getIssuerDN().getName();
    String name = subjectDn + "<" + issuerDn + ">";

    callbackHandler.name = name;
    callbackHandler.credential = testUserCert;

    assertTrue("Login didn't succeed for alias in roles.properties", loginModule.login());

    // The module keeps the authenticated identity in a private field; read it reflectively and
    // check that the principal's name is the lower-cased login name.
    Object identity = field(DatawaveCertRolesLoginModule.class, "identity").get(loginModule);
    DatawavePrincipal principal = (DatawavePrincipal) identity;
    assertEquals(name.toLowerCase(), principal.getName());
}
Use of datawave.security.authorization.DatawavePrincipal in the datawave project by NationalSecurityAgency.
Class DatawavePrincipalLoginModuleTest, method testGetRoleSets.
@Test
public void testGetRoleSets() throws Exception {
    // Credential built directly from the user certificate: no proxied subjects or issuers.
    DatawaveCredential datawaveCredential = new DatawaveCredential(testUserCert, null, null);
    callbackHandler.name = datawaveCredential.getUserName();
    callbackHandler.credential = datawaveCredential;

    String[] expectedRoles = new String[] { "Role1", "Role2", "Role3" };
    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, Arrays.asList("a", "b", "c"), Arrays.asList(expectedRoles), null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user));

    // The module pulls both stores from the security domain and resolves the credential's entities
    // through the user service; hand back the fixture user for that lookup.
    expect(securityDomain.getKeyStore()).andReturn(keystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    assertTrue("Login did not succeed.", datawaveLoginModule.login());

    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);

    // First group: the three role names, compared in sorted order.
    SimpleGroup roles = (SimpleGroup) roleSets[0];
    assertEquals("Roles", roles.getName());
    List<String> rolesList = Collections.list(roles.members()).stream().map(Principal::getName).sorted().collect(Collectors.toList());
    assertEquals(3, rolesList.size());
    assertArrayEquals(expectedRoles, rolesList.toArray());

    // Second group: exactly one member, the principal that was logged in.
    SimpleGroup callerPrincipal = (SimpleGroup) roleSets[1];
    assertEquals("CallerPrincipal", callerPrincipal.getName());
    Enumeration<Principal> members = callerPrincipal.members();
    assertTrue("CallerPrincipal group has no members", members.hasMoreElements());
    assertEquals(expected, members.nextElement());
    assertFalse("CallerPrincipal group has too many members", members.hasMoreElements());
    verifyAll();
}
Use of datawave.security.authorization.DatawavePrincipal in the datawave project by NationalSecurityAgency.
Class DatawavePrincipalLoginModuleTest, method setUp.
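/**
 * Builds the fixtures shared by every test: the mock certificate verifier, the PKCS12 test stores,
 * a stub key manager backed by the user keystore, and a login module initialised with the options
 * these tests rely on. Expectations set up here are verified and reset before the method returns,
 * so each test declares its own mock expectations.
 *
 * @throws Exception if a fixture store cannot be loaded or the module fails to initialise
 */
@Before
public void setUp() throws Exception {
    // NOTE(review): presumably the OU NpeUtils uses to recognise non-person (server) entities; the
    // server DNs built in testGetRoleSetsLeavesRequiredRoles carry OU=iamnotaperson.
    System.setProperty(NpeUtils.NPE_OU_PROPERTY, "iamnotaperson");
    // The mock verifier is switched to accept, so the tests exercise the login module's own
    // handling rather than certificate validation.
    MockDatawaveCertVerifier.issuerSupported = true;
    MockDatawaveCertVerifier.verify = true;
    callbackHandler = new MockCallbackHandler("Username: ", "Credentials: ");

    // Fixture stores bundled on the test classpath; "secret" is only the fixture password. The
    // resource streams are closed after loading (KeyStore.load does not close them).
    truststore = loadFixtureKeyStore("/ca.pkcs12");
    keystore = loadFixtureKeyStore("/testUser.pkcs12");
    serverKeystore = loadFixtureKeyStore("/testServer.pkcs12");
    testUserCert = (X509Certificate) keystore.getCertificate("testuser");
    testServerCert = (X509Certificate) serverKeystore.getCertificate("testserver");

    // Stub key manager: alias discovery yields nothing, but certificate-chain and private-key
    // lookups are served from the user keystore. Any keystore failure fails the test outright.
    KeyManager keyManager = new X509KeyManager() {
        @Override
        public String[] getClientAliases(String s, Principal[] principals) {
            return new String[0];
        }

        @Override
        public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
            return null;
        }

        @Override
        public String[] getServerAliases(String s, Principal[] principals) {
            return new String[0];
        }

        @Override
        public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
            return null;
        }

        @Override
        public X509Certificate[] getCertificateChain(String s) {
            try {
                return Arrays.stream(keystore.getCertificateChain(s)).map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
            } catch (KeyStoreException e) {
                fail(e.getMessage());
                return null;
            }
        }

        @Override
        public PrivateKey getPrivateKey(String s) {
            try {
                return (PrivateKey) keystore.getKey(s, "secret".toCharArray());
            } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
                fail(e.getMessage());
                return null;
            }
        }
    };

    // initialize() is expected to ask the security domain for the keystore and key managers only.
    expect(securityDomain.getKeyStore()).andReturn(keystore);
    expect(securityDomain.getKeyManagers()).andReturn(new KeyManager[] { keyManager });
    replayAll();

    HashMap<String, String> sharedState = new HashMap<>();
    HashMap<String, String> options = new HashMap<>();
    // Principal implementation the module should produce (presumably instantiated by class name).
    options.put("principalClass", "datawave.security.authorization.DatawavePrincipal");
    // Certificate verifier implementation: the mock configured above.
    options.put("verifier", MockDatawaveCertVerifier.class.getName());
    // Standard JAAS password-stacking option.
    options.put("passwordStacking", "useFirstPass");
    options.put("ocspLevel", "required");
    options.put("blacklistUserRole", BLACKLIST_ROLE);
    // Colon-separated list; these are the roles the fixture users in
    // testGetRoleSetsLeavesRequiredRoles carry.
    options.put("requiredRoles", "AuthorizedUser:AuthorizedServer:OtherRequiredRole");

    // Inject the mocked collaborators into the module's private fields by type.
    Whitebox.setInternalState(datawaveLoginModule, DatawaveUserService.class, datawaveUserService);
    Whitebox.setInternalState(datawaveLoginModule, JSSESecurityDomain.class, securityDomain);
    datawaveLoginModule.initialize(new Subject(), callbackHandler, sharedState, options);
    verifyAll();
    // Clear the initialisation expectations so each test records only its own.
    resetAll();

    // A principal for the test user with every optional collection left null; tests that need
    // roles or other attributes build their own user instead.
    userDN = SubjectIssuerDNPair.of(testUserCert.getSubjectDN().getName(), testUserCert.getIssuerDN().getName());
    DatawaveUser defaultUser = new DatawaveUser(userDN, UserType.USER, null, null, null, System.currentTimeMillis());
    defaultPrincipal = new DatawavePrincipal(Lists.newArrayList(defaultUser));
}

/**
 * Loads a PKCS12 keystore from a classpath resource with the fixture password, closing the
 * resource stream afterwards.
 *
 * @param resource absolute classpath path of the store, e.g. {@code "/ca.pkcs12"}
 * @return the loaded store
 * @throws Exception if the store cannot be instantiated or loaded
 */
private KeyStore loadFixtureKeyStore(String resource) throws Exception {
    KeyStore store = KeyStore.getInstance("PKCS12");
    // A missing resource yields a null stream; KeyStore.load tolerates that and try-with-resources
    // skips closing a null resource, matching the previous behaviour.
    try (java.io.InputStream in = getClass().getResourceAsStream(resource)) {
        store.load(in, "secret".toCharArray());
    }
    return store;
}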
Use of datawave.security.authorization.DatawavePrincipal in the datawave project by NationalSecurityAgency.
Class DatawavePrincipalLoginModuleTest, method testGetRoleSetsLeavesRequiredRoles.
@Test
public void testGetRoleSetsLeavesRequiredRoles() throws Exception {
    // The proxied entities name the original user plus the two servers the request passed through,
    // while the certificate presented belongs to the test server. The resulting principal should
    // carry all three entities, with the user DN distinct from the two server DNs.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String serverDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    String otherServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair server1 = SubjectIssuerDNPair.of(serverDN, issuerDN);
    SubjectIssuerDNPair server2 = SubjectIssuerDNPair.of(otherServerDN, issuerDN);

    // Each entity is wrapped in angle brackets; subjects and issuers are listed in the same order.
    String proxiedSubjects = "<" + String.join("><", serverDN, otherServerDN, userDN.subjectDN()) + ">";
    String proxiedIssuers = "<" + String.join("><", issuerDN, issuerDN, userDN.issuerDN()) + ">";
    DatawaveCredential datawaveCredential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = datawaveCredential.getUserName();
    callbackHandler.credential = datawaveCredential;

    // Each entity holds one ordinary role and one of the configured required roles.
    long now = System.currentTimeMillis();
    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, null, Arrays.asList("Role1", "AuthorizedUser"), null, now);
    DatawaveUser s1 = new DatawaveUser(server1, UserType.SERVER, null, Arrays.asList("Role2", "AuthorizedServer"), null, now);
    DatawaveUser s2 = new DatawaveUser(server2, UserType.SERVER, null, Arrays.asList("Role3", "OtherRequiredRole"), null, now);
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user, s1, s2));

    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();

    assertTrue("Login did not succeed.", datawaveLoginModule.login());
    // NOTE(review): this checks the locally built fixture, not the principal the module produced.
    assertEquals(userDN, expected.getUserDN());

    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);
    assertEquals("Roles", roleSets[0].getName());

    // Only the user's own roles are expected in the Roles group, in their original order.
    List<String> groupSetRoles = new ArrayList<>();
    for (Principal member : Collections.list(roleSets[0].members())) {
        groupSetRoles.add(member.getName());
    }
    assertEquals(Lists.newArrayList("Role1", "AuthorizedUser"), groupSetRoles);
    verifyAll();
}