Use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.
Class AclsAuthorizationFilter, method enforceAclAuthorizationPolicy.
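/**
 * Evaluates the user, group and remote-IP ACLs for the current request.
 *
 * <p>The decision is made from the JAAS {@link Subject} bound to the calling
 * thread's {@link AccessController} context. When an {@link ImpersonatedPrincipal}
 * is present it is checked against the user ACL instead of the
 * {@link PrimaryPrincipal}. The three per-axis results are then combined according
 * to {@code aclProcessingMode}: {@code "OR"} grants access if any axis matched
 * (wildcard {@code '*'} rules are discounted first), {@code "AND"} requires all
 * three. Any other mode is denied, as is a request that carries no subject or no
 * primary principal.
 *
 * @param request  the incoming request; must be an {@link HttpServletRequest}
 * @param response not used by this method; the caller passes it through
 * @param chain    not used by this method; the caller passes it through
 * @return {@code true} if the request is authorized by the configured ACL
 */
private boolean enforceAclAuthorizationPolicy(ServletRequest request, ServletResponse response, FilterChain chain) {
  HttpServletRequest req = (HttpServletRequest) request;

  // An ACL that is empty on all three axes means there are no restrictions at all.
  if (parser.users.size() == 0 && parser.groups.size() == 0 && parser.ipv.getIPAddresses().size() == 0) {
    return true;
  }

  // Fail closed: without an authenticated subject carrying a primary principal there
  // is nothing to evaluate the ACL against, so deny rather than fail with an
  // NPE / ArrayIndexOutOfBoundsException further down.
  Subject subject = Subject.getSubject(AccessController.getContext());
  if (subject == null) {
    return false;
  }
  Object[] primaries = subject.getPrincipals(PrimaryPrincipal.class).toArray();
  if (primaries.length == 0) {
    return false;
  }
  Principal primaryPrincipal = (Principal) primaries[0];
  log.primaryPrincipal(primaryPrincipal.getName());

  boolean userAccess;
  boolean groupAccess = false;
  boolean ipAddrAccess;

  // When the caller is impersonating someone, the user ACL applies to the
  // impersonated identity, not to the authenticated one.
  Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
  if (impersonations.length > 0) {
    Principal impersonated = (Principal) impersonations[0];
    log.impersonatedPrincipal(impersonated.getName());
    userAccess = checkUserAcls(impersonated);
    log.impersonatedPrincipalHasAccess(userAccess);
  } else {
    userAccess = checkUserAcls(primaryPrincipal);
    log.primaryPrincipalHasAccess(userAccess);
  }

  Object[] groups = subject.getPrincipals(GroupPrincipal.class).toArray();
  if (groups.length > 0) {
    groupAccess = checkGroupAcls(groups);
    log.groupPrincipalHasAccess(groupAccess);
  } else if (parser.anyGroup && "AND".equals(aclProcessingMode)) {
    // The subject has no groups but the group ACL accepts any group ('*'); in AND
    // mode that must not block an otherwise authorized user.
    groupAccess = true;
  }

  log.remoteIPAddress(req.getRemoteAddr());
  ipAddrAccess = checkRemoteIpAcls(req.getRemoteAddr());
  log.remoteIPAddressHasAccess(ipAddrAccess);

  if ("OR".equals(aclProcessingMode)) {
    // In OR mode a wildcard rule would trivially grant everyone, so every axis
    // configured with '*' is discounted and only the specific rules count.
    if (parser.anyUser) {
      userAccess = false;
    }
    if (parser.anyGroup) {
      groupAccess = false;
    }
    if (parser.ipv.allowsAnyIP()) {
      ipAddrAccess = false;
    }
    return userAccess || groupAccess || ipAddrAccess;
  } else if ("AND".equals(aclProcessingMode)) {
    return userAccess && groupAccess && ipAddrAccess;
  }
  // Unknown processing mode: deny rather than guess.
  return false;
}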
Use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.
Class CommonIdentityAssertionFilterTest, method testSimpleFilter.
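/**
 * Runs the filter once inside {@code Subject.doAs} with primary principal
 * {@code larry} and the groups {@code users} and {@code admin}, then checks the
 * identity the filter asserted: the user name is upper-cased and both groups are
 * mapped (in either order) to their upper-case form.
 *
 * <p>The asserted values are read from the {@code username} and {@code mappedGroups}
 * fields of the enclosing test class, which are presumably populated by the
 * fixture's {@code filter} — see the enclosing class.
 */
@Test
public void testSimpleFilter() throws ServletException, IOException, URISyntaxException {
  final HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
  EasyMock.replay(request);
  final HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
  EasyMock.replay(response);
  // The chain is a no-op: only the filter's own behavior is under test.
  final FilterChain chain = new FilterChain() {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
    }
  };

  Subject subject = new Subject();
  subject.getPrincipals().add(new PrimaryPrincipal("larry"));
  subject.getPrincipals().add(new GroupPrincipal("users"));
  subject.getPrincipals().add(new GroupPrincipal("admin"));

  try {
    Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        filter.doFilter(request, response, chain);
        return null;
      }
    });
  } catch (PrivilegedActionException e) {
    // Unwrap the checked exception thrown by the action so the test reports the real cause.
    Throwable t = e.getCause();
    if (t instanceof IOException) {
      throw (IOException) t;
    } else if (t instanceof ServletException) {
      throw (ServletException) t;
    } else {
      throw new ServletException(t);
    }
  }

  // assertEquals takes (expected, actual); keeping that order makes failure messages read correctly.
  assertEquals("LARRY", username);
  assertEquals(2, mappedGroups.length);
  assertTrue(mappedGroups[0], mappedGroups[0].equals("USERS") || mappedGroups[0].equals("ADMIN"));
  assertTrue(mappedGroups[1], mappedGroups[1].equals("USERS") || mappedGroups[1].equals("ADMIN"));
}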
Use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.
Class RegexIdentityAssertionFilterTest, method testExtractUsernameFromEmail.
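/**
 * Exercises {@link RegexIdentityAssertionFilter#mapUserPrincipal} and
 * {@link RegexIdentityAssertionFilter#mapGroupPrincipals} under three configurations:
 * <ol>
 *   <li>no {@code input}/{@code output} — the output template is empty, so the mapped
 *       user is {@code ""} and the groups are {@code null} (the caller keeps the
 *       subject's own groups);</li>
 *   <li>a constant {@code output} with no {@code input} — effectively a static mapping;</li>
 *   <li>{@code input} {@code (.*)@.*} with {@code output} {@code prefix_{1}_suffix} —
 *       the local part of the e-mail address is substituted into the template.</li>
 * </ol>
 */
@Test
public void testExtractUsernameFromEmail() throws Exception {
  RegexIdentityAssertionFilter filter = new RegexIdentityAssertionFilter();
  Subject subject = new Subject();
  subject.getPrincipals().add(new PrimaryPrincipal("member@us.apache.org"));
  subject.getPrincipals().add(new GroupPrincipal("user"));
  subject.getPrincipals().add(new GroupPrincipal("admin"));
  String primaryName = ((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName();

  // First test is with no config. Since the output template is the empty string that should be the result.
  filter.init(regexFilterConfig(null, null));
  String actual = filter.mapUserPrincipal(primaryName);
  String[] groups = filter.mapGroupPrincipals(actual, subject);
  assertThat(actual, is(""));
  // null means the caller should keep the existing subject groups
  assertThat(groups, is(nullValue()));

  // Test what is effectively a static mapping
  filter.init(regexFilterConfig(null, "test-output"));
  actual = filter.mapUserPrincipal(primaryName);
  assertThat(actual, is("test-output"));

  // Test username extraction.
  filter.init(regexFilterConfig("(.*)@.*", "prefix_{1}_suffix"));
  actual = filter.mapUserPrincipal("member@us.apache.org");
  assertThat(actual, is("prefix_member_suffix"));
}

/**
 * Builds a replayed {@link FilterConfig} mock (with a matching {@link ServletContext})
 * for {@link RegexIdentityAssertionFilter#init}. {@code principal.mapping} is always
 * stubbed to the empty string; {@code input} and {@code output} are only stubbed when
 * non-null, which for a nice mock is equivalent to the init parameter being absent.
 *
 * @param input  value for the {@code input} init parameter, or {@code null} if unset
 * @param output value for the {@code output} init parameter, or {@code null} if unset
 * @return a replayed mock ready to be passed to {@code filter.init}
 */
private static FilterConfig regexFilterConfig(String input, String output) {
  FilterConfig config = EasyMock.createNiceMock(FilterConfig.class);
  ServletContext context = EasyMock.createNiceMock(ServletContext.class);
  EasyMock.expect(config.getInitParameter("principal.mapping")).andReturn("").anyTimes();
  EasyMock.expect(config.getServletContext()).andReturn(context).anyTimes();
  EasyMock.expect(context.getInitParameter("principal.mapping")).andReturn("").anyTimes();
  if (input != null) {
    EasyMock.expect(config.getInitParameter("input")).andReturn(input).anyTimes();
  }
  if (output != null) {
    EasyMock.expect(config.getInitParameter("output")).andReturn(output).anyTimes();
  }
  EasyMock.replay(config);
  EasyMock.replay(context);
  return config;
}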
Use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.
Class SwitchCaseIdentityAssertionFilterTest, method testDefaultGroupsConfFromUsers.
/**
 * With {@code principal.case=UPPER} and {@code group.principal.case} left unset, the
 * group case must fall back to the user-principal setting: the user name and every
 * group come back upper-cased.
 */
@Test
public void testDefaultGroupsConfFromUsers() throws Exception {
  ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
  EasyMock.expect(servletContext.getInitParameter("principal.mapping")).andReturn("").anyTimes();

  FilterConfig filterConfig = EasyMock.createNiceMock(FilterConfig.class);
  EasyMock.expect(filterConfig.getInitParameter("principal.case")).andReturn("UPPER").anyTimes();
  // Deliberately unset so the filter has to derive the group case from principal.case.
  EasyMock.expect(filterConfig.getInitParameter("group.principal.case")).andReturn(null).anyTimes();
  EasyMock.expect(filterConfig.getServletContext()).andReturn(servletContext).anyTimes();
  EasyMock.replay(filterConfig, servletContext);

  PrimaryPrincipal primary = new PrimaryPrincipal("Member@us.apache.org");
  Subject subject = new Subject();
  subject.getPrincipals().add(primary);
  subject.getPrincipals().add(new GroupPrincipal("users"));
  subject.getPrincipals().add(new GroupPrincipal("Admin"));

  SwitchCaseIdentityAssertionFilter filter = new SwitchCaseIdentityAssertionFilter();
  filter.init(filterConfig);
  String mappedUser = filter.mapUserPrincipal(primary.getName());
  String[] mappedGroups = filter.mapGroupPrincipals(mappedUser, subject);

  assertThat(mappedUser, is("MEMBER@US.APACHE.ORG"));
  assertThat(mappedGroups, is(arrayContainingInAnyOrder("ADMIN", "USERS")));
}
Use of org.apache.knox.gateway.security.GroupPrincipal in project knox by apache.
Class SwitchCaseIdentityAssertionFilterTest, method testNone.
/**
 * With both {@code principal.case} and {@code group.principal.case} set to
 * {@code none}, the user name is returned unchanged and the group mapping returns
 * {@code null}, i.e. the subject's own groups are left untouched.
 */
@Test
public void testNone() throws Exception {
  ServletContext servletContext = EasyMock.createNiceMock(ServletContext.class);
  EasyMock.expect(servletContext.getInitParameter("principal.mapping")).andReturn("").anyTimes();

  FilterConfig filterConfig = EasyMock.createNiceMock(FilterConfig.class);
  EasyMock.expect(filterConfig.getInitParameter("principal.case")).andReturn("none").anyTimes();
  EasyMock.expect(filterConfig.getInitParameter("group.principal.case")).andReturn("none").anyTimes();
  EasyMock.expect(filterConfig.getServletContext()).andReturn(servletContext).anyTimes();
  EasyMock.replay(filterConfig, servletContext);

  PrimaryPrincipal primary = new PrimaryPrincipal("Member@us.apache.org");
  Subject subject = new Subject();
  subject.getPrincipals().add(primary);
  subject.getPrincipals().add(new GroupPrincipal("users"));
  subject.getPrincipals().add(new GroupPrincipal("Admin"));

  SwitchCaseIdentityAssertionFilter filter = new SwitchCaseIdentityAssertionFilter();
  filter.init(filterConfig);
  String mappedUser = filter.mapUserPrincipal(primary.getName());
  String[] mappedGroups = filter.mapGroupPrincipals(mappedUser, subject);

  // Mixed case preserved; a null group array tells the caller to keep the existing groups.
  assertThat(mappedUser, is("Member@us.apache.org"));
  assertThat(mappedGroups, is(nullValue()));
}