Example 61 with DatawavePrincipal
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class CredentialsCacheBeanTest method setUp.
@Before
public void setUp() throws Exception {
// With Arquillian we would normally inject this bean into the test class. However there seems to be
// an incompatibility with Arquillian and the @Singleton annotation on the bean where any method
// invoked on the bean throws a NullPointerException. Instead, we instantiate the bean manually and
// force CDI field injection. This gets everything loaded as we want for testing.
// TODO: identify and resolve the underlying issue
ccb = new CredentialsCacheBean();
BeanProvider.injectFields(ccb);
cache = CacheBuilder.newBuilder().build();
authManager.setCache(cache);
DatawaveUser u1 = new DatawaveUser(SubjectIssuerDNPair.of("user1", "issuer1"), UserType.USER, null, null, null, -1);
DatawaveUser u2 = new DatawaveUser(SubjectIssuerDNPair.of("user2", "issuer2"), UserType.USER, null, null, null, -1);
DatawaveUser s1 = new DatawaveUser(SubjectIssuerDNPair.of("server1", "issuer1"), UserType.SERVER, null, null, null, -1);
DatawavePrincipal dp1 = new DatawavePrincipal(Arrays.asList(u1, s1));
DatawavePrincipal dp2 = new DatawavePrincipal(Collections.singleton(u1));
DatawavePrincipal dp3 = new DatawavePrincipal(Arrays.asList(u2, s1));
cache.put(dp1, dp1);
cache.put(dp2, dp2);
cache.put(dp3, dp3);
}
Also used :
DatawaveUser(datawave.security.authorization.DatawaveUser)
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
Before(org.junit.Before)
Example 62 with DatawavePrincipal
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawaveCertRolesLoginModuleTest method testSuccessfulLogin.
@Test
public void testSuccessfulLogin() throws Exception {
String name = testUserCert.getSubjectDN().getName() + "<" + testUserCert.getIssuerDN().getName() + ">";
callbackHandler.name = name;
callbackHandler.credential = testUserCert;
boolean success = loginModule.login();
assertTrue("Login didn't succeed for alias in roles.properties", success);
DatawavePrincipal principal = (DatawavePrincipal) field(DatawaveCertRolesLoginModule.class, "identity").get(loginModule);
assertEquals(name.toLowerCase(), principal.getName());
}
Also used :
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
Test(org.junit.Test)
Example 63 with DatawavePrincipal
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testGetRoleSets.
@Test
public void testGetRoleSets() throws Exception {
DatawaveCredential datawaveCredential = new DatawaveCredential(testUserCert, null, null);
callbackHandler.name = datawaveCredential.getUserName();
callbackHandler.credential = datawaveCredential;
String[] expectedRoles = new String[] { "Role1", "Role2", "Role3" };
DatawaveUser user = new DatawaveUser(userDN, UserType.USER, Arrays.asList("a", "b", "c"), Arrays.asList(expectedRoles), null, System.currentTimeMillis());
DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user));
expect(securityDomain.getKeyStore()).andReturn(keystore);
expect(securityDomain.getTrustStore()).andReturn(truststore);
expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
replayAll();
boolean success = datawaveLoginModule.login();
assertTrue("Login did not succeed.", success);
Group[] roleSets = datawaveLoginModule.getRoleSets();
assertEquals(2, roleSets.length);
SimpleGroup roles = (SimpleGroup) roleSets[0];
assertEquals("Roles", roles.getName());
ArrayList<String> rolesList = new ArrayList<>();
for (Enumeration<Principal> members = roles.members(); members.hasMoreElements(); ) /* empty */
{
rolesList.add(members.nextElement().getName());
}
Collections.sort(rolesList);
assertEquals(3, rolesList.size());
assertArrayEquals(expectedRoles, rolesList.toArray());
SimpleGroup callerPrincipal = (SimpleGroup) roleSets[1];
assertEquals("CallerPrincipal", callerPrincipal.getName());
Enumeration<Principal> members = callerPrincipal.members();
assertTrue("CallerPrincipal group has no members", members.hasMoreElements());
Principal p = members.nextElement();
assertEquals(expected, p);
assertFalse("CallerPrincipal group has too many members", members.hasMoreElements());
verifyAll();
}
Also used :
SimpleGroup(org.jboss.security.SimpleGroup)
Group(java.security.acl.Group)
DatawaveUser(datawave.security.authorization.DatawaveUser)
ArrayList(java.util.ArrayList)
SimpleGroup(org.jboss.security.SimpleGroup)
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
DatawaveCredential(datawave.security.auth.DatawaveCredential)
Principal(java.security.Principal)
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
Test(org.junit.Test)
Example 64 with DatawavePrincipal
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method setUp.
@Before
public void setUp() throws Exception {
System.setProperty(NpeUtils.NPE_OU_PROPERTY, "iamnotaperson");
MockDatawaveCertVerifier.issuerSupported = true;
MockDatawaveCertVerifier.verify = true;
callbackHandler = new MockCallbackHandler("Username: ", "Credentials: ");
truststore = KeyStore.getInstance("PKCS12");
truststore.load(getClass().getResourceAsStream("/ca.pkcs12"), "secret".toCharArray());
keystore = KeyStore.getInstance("PKCS12");
keystore.load(getClass().getResourceAsStream("/testUser.pkcs12"), "secret".toCharArray());
serverKeystore = KeyStore.getInstance("PKCS12");
serverKeystore.load(getClass().getResourceAsStream("/testServer.pkcs12"), "secret".toCharArray());
testUserCert = (X509Certificate) keystore.getCertificate("testuser");
testServerCert = (X509Certificate) serverKeystore.getCertificate("testserver");
KeyManager keyManager = new X509KeyManager() {
@Override
public String[] getClientAliases(String s, Principal[] principals) {
return new String[0];
}
@Override
public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
return null;
}
@Override
public String[] getServerAliases(String s, Principal[] principals) {
return new String[0];
}
@Override
public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
return null;
}
@Override
public X509Certificate[] getCertificateChain(String s) {
try {
return Arrays.stream(keystore.getCertificateChain(s)).map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
} catch (KeyStoreException e) {
fail(e.getMessage());
return null;
}
}
@Override
public PrivateKey getPrivateKey(String s) {
try {
return (PrivateKey) keystore.getKey(s, "secret".toCharArray());
} catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
fail(e.getMessage());
return null;
}
}
};
expect(securityDomain.getKeyStore()).andReturn(keystore);
expect(securityDomain.getKeyManagers()).andReturn(new KeyManager[] { keyManager });
replayAll();
HashMap<String, String> sharedState = new HashMap<>();
HashMap<String, String> options = new HashMap<>();
options.put("principalClass", "datawave.security.authorization.DatawavePrincipal");
options.put("verifier", MockDatawaveCertVerifier.class.getName());
options.put("passwordStacking", "useFirstPass");
options.put("ocspLevel", "required");
options.put("blacklistUserRole", BLACKLIST_ROLE);
options.put("requiredRoles", "AuthorizedUser:AuthorizedServer:OtherRequiredRole");
Whitebox.setInternalState(datawaveLoginModule, DatawaveUserService.class, datawaveUserService);
Whitebox.setInternalState(datawaveLoginModule, JSSESecurityDomain.class, securityDomain);
datawaveLoginModule.initialize(new Subject(), callbackHandler, sharedState, options);
verifyAll();
resetAll();
userDN = SubjectIssuerDNPair.of(testUserCert.getSubjectDN().getName(), testUserCert.getIssuerDN().getName());
DatawaveUser defaultUser = new DatawaveUser(userDN, UserType.USER, null, null, null, System.currentTimeMillis());
defaultPrincipal = new DatawavePrincipal(Lists.newArrayList(defaultUser));
}
Also used :
PrivateKey(java.security.PrivateKey)
HashMap(java.util.HashMap)
DatawaveUser(datawave.security.authorization.DatawaveUser)
MockCallbackHandler(datawave.security.util.MockCallbackHandler)
KeyStoreException(java.security.KeyStoreException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
MockDatawaveCertVerifier(datawave.security.util.MockDatawaveCertVerifier)
X509Certificate(java.security.cert.X509Certificate)
TestSubject(org.easymock.TestSubject)
Subject(javax.security.auth.Subject)
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
X509KeyManager(javax.net.ssl.X509KeyManager)
X509KeyManager(javax.net.ssl.X509KeyManager)
KeyManager(javax.net.ssl.KeyManager)
Socket(java.net.Socket)
Before(org.junit.Before)
Example 65 with DatawavePrincipal
use of datawave.security.authorization.DatawavePrincipal in project datawave by NationalSecurityAgency.
the class DatawavePrincipalLoginModuleTest method testGetRoleSetsLeavesRequiredRoles.
@Test
public void testGetRoleSetsLeavesRequiredRoles() throws Exception {
// Proxied entities has the original user DN, plus it came through a server and
// the request is being made by a second server. Make sure that the resulting
// principal has all 3 server DNs in its list, and the user DN is not one of the
// server DNs.
String issuerDN = DnUtils.normalizeDN(testServerCert.getIssuerDN().getName());
String serverDN = DnUtils.normalizeDN("CN=testServer.example.com, OU=iamnotaperson, OU=acme");
SubjectIssuerDNPair server1 = SubjectIssuerDNPair.of(serverDN, issuerDN);
String otherServerDN = DnUtils.normalizeDN("CN=otherServer.example.com, OU=iamnotaperson, OU=acme");
SubjectIssuerDNPair server2 = SubjectIssuerDNPair.of(otherServerDN, issuerDN);
String proxiedSubjects = "<" + serverDN + "><" + otherServerDN + "><" + userDN.subjectDN() + ">";
String proxiedIssuers = "<" + issuerDN + "><" + issuerDN + "><" + userDN.issuerDN() + ">";
DatawaveCredential datawaveCredential = new DatawaveCredential(testServerCert, proxiedSubjects, proxiedIssuers);
callbackHandler.name = datawaveCredential.getUserName();
callbackHandler.credential = datawaveCredential;
List<String> userRoles = Arrays.asList("Role1", "AuthorizedUser");
List<String> s1Roles = Arrays.asList("Role2", "AuthorizedServer");
List<String> s2Roles = Arrays.asList("Role3", "OtherRequiredRole");
DatawaveUser user = new DatawaveUser(userDN, UserType.USER, null, userRoles, null, System.currentTimeMillis());
DatawaveUser s1 = new DatawaveUser(server1, UserType.SERVER, null, s1Roles, null, System.currentTimeMillis());
DatawaveUser s2 = new DatawaveUser(server2, UserType.SERVER, null, s2Roles, null, System.currentTimeMillis());
DatawavePrincipal expected = new DatawavePrincipal(Lists.newArrayList(user, s1, s2));
expect(securityDomain.getKeyStore()).andReturn(serverKeystore);
expect(securityDomain.getTrustStore()).andReturn(truststore);
expect(datawaveUserService.lookup(datawaveCredential.getEntities())).andReturn(expected.getProxiedUsers());
replayAll();
boolean success = datawaveLoginModule.login();
assertTrue("Login did not succeed.", success);
assertEquals(userDN, expected.getUserDN());
Group[] roleSets = datawaveLoginModule.getRoleSets();
assertEquals(2, roleSets.length);
assertEquals("Roles", roleSets[0].getName());
List<String> groupSetRoles = Collections.list(roleSets[0].members()).stream().map(Principal::getName).collect(Collectors.toList());
assertEquals(Lists.newArrayList("Role1", "AuthorizedUser"), groupSetRoles);
verifyAll();
}
Also used :
SimpleGroup(org.jboss.security.SimpleGroup)
Group(java.security.acl.Group)
DatawaveCredential(datawave.security.auth.DatawaveCredential)
SubjectIssuerDNPair(datawave.security.authorization.SubjectIssuerDNPair)
DatawaveUser(datawave.security.authorization.DatawaveUser)
DatawavePrincipal(datawave.security.authorization.DatawavePrincipal)
Test(org.junit.Test)
Aggregations
DatawavePrincipal (datawave.security.authorization.DatawavePrincipal)93
DatawaveUser (datawave.security.authorization.DatawaveUser)41
Principal (java.security.Principal)37
HashSet (java.util.HashSet)33
Test (org.junit.Test)29
QueryException (datawave.webservice.query.exception.QueryException)24
Connector (org.apache.accumulo.core.client.Connector)23
IOException (java.io.IOException)19
DatawaveWebApplicationException (datawave.webservice.common.exception.DatawaveWebApplicationException)18
NotFoundQueryException (datawave.webservice.query.exception.NotFoundQueryException)18
Authorizations (org.apache.accumulo.core.security.Authorizations)17
Query (datawave.webservice.query.Query)16
UnauthorizedQueryException (datawave.webservice.query.exception.UnauthorizedQueryException)15
NoResultsException (datawave.webservice.common.exception.NoResultsException)13
ArrayList (java.util.ArrayList)13
Path (javax.ws.rs.Path)13
Produces (javax.ws.rs.Produces)13
SubjectIssuerDNPair (datawave.security.authorization.SubjectIssuerDNPair)12
WebApplicationException (javax.ws.rs.WebApplicationException)12
BadRequestException (datawave.webservice.common.exception.BadRequestException)11
