
Example 61 with DatawavePrincipal

Use of datawave.security.authorization.DatawavePrincipal in the project datawave by NationalSecurityAgency.

From the class CredentialsCacheBeanTest, method setUp.

@Before
public void setUp() throws Exception {
    // With Arquillian we would normally inject this bean into the test class. However there seems to be
    // an incompatibility with Arquillian and the @Singleton annotation on the bean where any method
    // invoked on the bean throws a NullPointerException. Instead, we instantiate the bean manually and
    // force CDI field injection. This gets everything loaded as we want for testing.
    // TODO: identify and resolve the underlying issue
    ccb = new CredentialsCacheBean();
    BeanProvider.injectFields(ccb);
    cache = CacheBuilder.newBuilder().build();
    authManager.setCache(cache);
    DatawaveUser u1 = new DatawaveUser(SubjectIssuerDNPair.of("user1", "issuer1"), UserType.USER, null, null, null, -1);
    DatawaveUser u2 = new DatawaveUser(SubjectIssuerDNPair.of("user2", "issuer2"), UserType.USER, null, null, null, -1);
    DatawaveUser s1 = new DatawaveUser(SubjectIssuerDNPair.of("server1", "issuer1"), UserType.SERVER, null, null, null, -1);
    DatawavePrincipal dp1 = new DatawavePrincipal(Arrays.asList(u1, s1));
    DatawavePrincipal dp2 = new DatawavePrincipal(Collections.singleton(u1));
    DatawavePrincipal dp3 = new DatawavePrincipal(Arrays.asList(u2, s1));
    cache.put(dp1, dp1);
    cache.put(dp2, dp2);
    cache.put(dp3, dp3);
}
Also used: DatawaveUser (datawave.security.authorization.DatawaveUser), DatawavePrincipal (datawave.security.authorization.DatawavePrincipal), Before (org.junit.Before)

Example 62 with DatawavePrincipal

Use of datawave.security.authorization.DatawavePrincipal in the project datawave by NationalSecurityAgency.

From the class DatawaveCertRolesLoginModuleTest, method testSuccessfulLogin.

@Test
public void testSuccessfulLogin() throws Exception {
    String name = testUserCert.getSubjectDN().getName() + "<" + testUserCert.getIssuerDN().getName() + ">";
    callbackHandler.name = name;
    callbackHandler.credential = testUserCert;
    boolean success = loginModule.login();
    assertTrue("Login didn't succeed for alias in roles.properties", success);
    DatawavePrincipal principal = (DatawavePrincipal) field(DatawaveCertRolesLoginModule.class, "identity").get(loginModule);
    assertEquals(name.toLowerCase(), principal.getName());
}
Also used: DatawavePrincipal (datawave.security.authorization.DatawavePrincipal), Test (org.junit.Test)

Example 63 with DatawavePrincipal

Use of datawave.security.authorization.DatawavePrincipal in the project datawave by NationalSecurityAgency.

From the class DatawavePrincipalLoginModuleTest, method testGetRoleSets.

@Test
public void testGetRoleSets() throws Exception {
    DatawaveCredential datawaveCredential = new DatawaveCredential(testUserCert, null, null);
    callbackHandler.name = datawaveCredential.getUserName();
    callbackHandler.credential = datawaveCredential;
    String[] expectedRoles = new String[] { "Role1", "Role2", "Role3" };
    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, Arrays.asList("a", "b", "c"), Arrays.asList(expectedRoles), null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user));
    expect(securityDomain.getKeyStore()).andReturn(keystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();
    boolean success = datawaveLoginModule.login();
    assertTrue("Login did not succeed.", success);
    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);
    SimpleGroup roles = (SimpleGroup) roleSets[0];
    assertEquals("Roles", roles.getName());
    ArrayList<String> rolesList = new ArrayList<>();
    for (Enumeration<Principal> members = roles.members(); members.hasMoreElements();) {
        rolesList.add(members.nextElement().getName());
    }
    Collections.sort(rolesList);
    assertEquals(3, rolesList.size());
    assertArrayEquals(expectedRoles, rolesList.toArray());
    SimpleGroup callerPrincipal = (SimpleGroup) roleSets[1];
    assertEquals("CallerPrincipal", callerPrincipal.getName());
    Enumeration<Principal> members = callerPrincipal.members();
    assertTrue("CallerPrincipal group has no members", members.hasMoreElements());
    Principal p = members.nextElement();
    assertEquals(expected, p);
    assertFalse("CallerPrincipal group has too many members", members.hasMoreElements());
    verifyAll();
}
Also used: SimpleGroup (org.jboss.security.SimpleGroup), Group (java.security.acl.Group), DatawaveUser (datawave.security.authorization.DatawaveUser), ArrayList (java.util.ArrayList), DatawavePrincipal (datawave.security.authorization.DatawavePrincipal), DatawaveCredential (datawave.security.auth.DatawaveCredential), Principal (java.security.Principal), Test (org.junit.Test)

Example 64 with DatawavePrincipal

Use of datawave.security.authorization.DatawavePrincipal in the project datawave by NationalSecurityAgency.

From the class DatawavePrincipalLoginModuleTest, method setUp.

@Before
public void setUp() throws Exception {
    System.setProperty(NpeUtils.NPE_OU_PROPERTY, "iamnotaperson");
    MockDatawaveCertVerifier.issuerSupported = true;
    MockDatawaveCertVerifier.verify = true;
    callbackHandler = new MockCallbackHandler("Username: ", "Credentials: ");
    truststore = KeyStore.getInstance("PKCS12");
    truststore.load(getClass().getResourceAsStream("/ca.pkcs12"), "secret".toCharArray());
    keystore = KeyStore.getInstance("PKCS12");
    keystore.load(getClass().getResourceAsStream("/testUser.pkcs12"), "secret".toCharArray());
    serverKeystore = KeyStore.getInstance("PKCS12");
    serverKeystore.load(getClass().getResourceAsStream("/testServer.pkcs12"), "secret".toCharArray());
    testUserCert = (X509Certificate) keystore.getCertificate("testuser");
    testServerCert = (X509Certificate) serverKeystore.getCertificate("testserver");
    KeyManager keyManager = new X509KeyManager() {

        @Override
        public String[] getClientAliases(String s, Principal[] principals) {
            return new String[0];
        }

        @Override
        public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
            return null;
        }

        @Override
        public String[] getServerAliases(String s, Principal[] principals) {
            return new String[0];
        }

        @Override
        public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
            return null;
        }

        @Override
        public X509Certificate[] getCertificateChain(String s) {
            try {
                return Arrays.stream(keystore.getCertificateChain(s)).map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
            } catch (KeyStoreException e) {
                fail(e.getMessage());
                return null;
            }
        }

        @Override
        public PrivateKey getPrivateKey(String s) {
            try {
                return (PrivateKey) keystore.getKey(s, "secret".toCharArray());
            } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
                fail(e.getMessage());
                return null;
            }
        }
    };
    expect(securityDomain.getKeyStore()).andReturn(keystore);
    expect(securityDomain.getKeyManagers()).andReturn(new KeyManager[] { keyManager });
    replayAll();
    HashMap<String, String> sharedState = new HashMap<>();
    HashMap<String, String> options = new HashMap<>();
    options.put("principalClass", "datawave.security.authorization.DatawavePrincipal");
    options.put("verifier", MockDatawaveCertVerifier.class.getName());
    options.put("passwordStacking", "useFirstPass");
    options.put("ocspLevel", "required");
    options.put("blacklistUserRole", BLACKLIST_ROLE);
    options.put("requiredRoles", "AuthorizedUser:AuthorizedServer:OtherRequiredRole");
    Whitebox.setInternalState(datawaveLoginModule, DatawaveUserService.class, datawaveUserService);
    Whitebox.setInternalState(datawaveLoginModule, JSSESecurityDomain.class, securityDomain);
    datawaveLoginModule.initialize(new Subject(), callbackHandler, sharedState, options);
    verifyAll();
    resetAll();
    userDN = SubjectIssuerDNPair.of(testUserCert.getSubjectDN().getName(), testUserCert.getIssuerDN().getName());
    DatawaveUser defaultUser = new DatawaveUser(userDN, UserType.USER, null, null, null, System.currentTimeMillis());
    defaultPrincipal = new DatawavePrincipal(Lists.newArrayList(defaultUser));
}
Also used: PrivateKey (java.security.PrivateKey), HashMap (java.util.HashMap), DatawaveUser (datawave.security.authorization.DatawaveUser), MockCallbackHandler (datawave.security.util.MockCallbackHandler), KeyStoreException (java.security.KeyStoreException), NoSuchAlgorithmException (java.security.NoSuchAlgorithmException), MockDatawaveCertVerifier (datawave.security.util.MockDatawaveCertVerifier), X509Certificate (java.security.cert.X509Certificate), TestSubject (org.easymock.TestSubject), Subject (javax.security.auth.Subject), DatawavePrincipal (datawave.security.authorization.DatawavePrincipal), UnrecoverableKeyException (java.security.UnrecoverableKeyException), X509KeyManager (javax.net.ssl.X509KeyManager), KeyManager (javax.net.ssl.KeyManager), Socket (java.net.Socket), Before (org.junit.Before)

Example 65 with DatawavePrincipal

Use of datawave.security.authorization.DatawavePrincipal in the project datawave by NationalSecurityAgency.

From the class DatawavePrincipalLoginModuleTest, method testGetRoleSetsLeavesRequiredRoles.

@Test
public void testGetRoleSetsLeavesRequiredRoles() throws Exception {
    // Proxied entities has the original user DN, plus it came through a server and
    // the request is being made by a second server. Make sure that the resulting
    // principal has all 3 server DNs in its list, and the user DN is not one of the
    // server DNs.
    String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
    String serverDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair server1 = SubjectIssuerDNPair.of(serverDN, issuerDN);
    String otherServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
    SubjectIssuerDNPair server2 = SubjectIssuerDNPair.of(otherServerDN, issuerDN);
    String proxiedSubjects = "<" + serverDN + "><" + otherServerDN + "><" + userDN.subjectDN() + ">";
    String proxiedIssuers = "<" + issuerDN + "><" + issuerDN + "><" + userDN.issuerDN() + ">";
    DatawaveCredential datawaveCredential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
    callbackHandler.name = datawaveCredential.getUserName();
    callbackHandler.credential = datawaveCredential;
    List<String> userRoles = Arrays.asList("Role1", "AuthorizedUser");
    List<String> s1Roles = Arrays.asList("Role2", "AuthorizedServer");
    List<String> s2Roles = Arrays.asList("Role3", "OtherRequiredRole");
    DatawaveUser user = new DatawaveUser(userDN, UserType.USER, null, userRoles, null, System.currentTimeMillis());
    DatawaveUser s1 = new DatawaveUser(server1, UserType.SERVER, null, s1Roles, null, System.currentTimeMillis());
    DatawaveUser s2 = new DatawaveUser(server2, UserType.SERVER, null, s2Roles, null, System.currentTimeMillis());
    DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user, s1, s2));
    expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
    expect(securityDomain.getTrustStore()).andReturn(truststore);
    expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
    replayAll();
    boolean success = datawaveLoginModule.login();
    assertTrue("Login did not succeed.", success);
    assertEquals(userDN, expected.getUserDN());
    Group[] roleSets = datawaveLoginModule.getRoleSets();
    assertEquals(2, roleSets.length);
    assertEquals("Roles", roleSets[0].getName());
    List<String> groupSetRoles = Collections.list(roleSets[0].members()).stream().map(Principal::getName).collect(Collectors.toList());
    assertEquals(Lists.newArrayList("Role1", "AuthorizedUser"), groupSetRoles);
    verifyAll();
}
Also used: SimpleGroup (org.jboss.security.SimpleGroup), Group (java.security.acl.Group), DatawaveCredential (datawave.security.auth.DatawaveCredential), SubjectIssuerDNPair (datawave.security.authorization.SubjectIssuerDNPair), DatawaveUser (datawave.security.authorization.DatawaveUser), DatawavePrincipal (datawave.security.authorization.DatawavePrincipal), Test (org.junit.Test)

Aggregations (classes used together with DatawavePrincipal, with the number of usages)

DatawavePrincipal (datawave.security.authorization.DatawavePrincipal): 93
DatawaveUser (datawave.security.authorization.DatawaveUser): 41
Principal (java.security.Principal): 37
HashSet (java.util.HashSet): 33
Test (org.junit.Test): 29
QueryException (datawave.webservice.query.exception.QueryException): 24
Connector (org.apache.accumulo.core.client.Connector): 23
IOException (java.io.IOException): 19
DatawaveWebApplicationException (datawave.webservice.common.exception.DatawaveWebApplicationException): 18
NotFoundQueryException (datawave.webservice.query.exception.NotFoundQueryException): 18
Authorizations (org.apache.accumulo.core.security.Authorizations): 17
Query (datawave.webservice.query.Query): 16
UnauthorizedQueryException (datawave.webservice.query.exception.UnauthorizedQueryException): 15
NoResultsException (datawave.webservice.common.exception.NoResultsException): 13
ArrayList (java.util.ArrayList): 13
Path (javax.ws.rs.Path): 13
Produces (javax.ws.rs.Produces): 13
SubjectIssuerDNPair (datawave.security.authorization.SubjectIssuerDNPair): 12
WebApplicationException (javax.ws.rs.WebApplicationException): 12
BadRequestException (datawave.webservice.common.exception.BadRequestException): 11