
Example 31 with AliasService

Use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.

From the class ShiroDeploymentContributorTest, method testDeployment:

@Test
public void testDeployment() throws IOException {
    WebArchive webArchive = ShrinkWrap.create(WebArchive.class, "test-archive");
    Map<String, String> providerParams = new HashMap<>();
    Provider provider = new Provider();
    provider.setEnabled(true);
    provider.setName("shiro");
    provider.setParams(providerParams);
    Topology topology = new Topology();
    topology.setName("Sample");
    DeploymentContext context = EasyMock.createNiceMock(DeploymentContext.class);
    EasyMock.expect(context.getWebArchive()).andReturn(webArchive).anyTimes();
    EasyMock.expect(context.getWebAppDescriptor()).andReturn(Descriptors.create(WebAppDescriptor.class)).anyTimes();
    EasyMock.expect(context.getTopology()).andReturn(topology).anyTimes();
    EasyMock.replay(context);
    // DefaultCryptoService resolves its secrets through the AliasService. A nice mock is
    // sufficient here because nothing in this test actually encrypts or decrypts.
    AliasService as = EasyMock.createNiceMock(AliasService.class);
    CryptoService cryptoService = new DefaultCryptoService();
    ((DefaultCryptoService) cryptoService).setAliasService(as);
    GatewayServices gatewayServices = EasyMock.createNiceMock(GatewayServices.class);
    EasyMock.expect(gatewayServices.getService(GatewayServices.CRYPTO_SERVICE)).andReturn(cryptoService).anyTimes();
    ShiroDeploymentContributor contributor = new ShiroDeploymentContributor();
    assertThat(contributor.getRole(), is("authentication"));
    assertThat(contributor.getName(), is("ShiroProvider"));
    // Just make sure it doesn't blow up.
    contributor.initializeContribution(context);
    contributor.contributeProvider(context, provider);
    // Just make sure it doesn't blow up.
    contributor.finalizeContribution(context);
    // The contributed web.xml must mark the session cookie HttpOnly (not readable by page
    // script) and Secure (never sent over plaintext HTTP); both flags are set on the
    // session config the contributor writes into the descriptor.
    assertThat(context.getWebAppDescriptor().getOrCreateSessionConfig().getOrCreateCookieConfig().isHttpOnly(), is(true));
    assertThat(context.getWebAppDescriptor().getOrCreateSessionConfig().getOrCreateCookieConfig().isSecure(), is(true));
}
Also used: DeploymentContext (org.apache.knox.gateway.deploy.DeploymentContext), GatewayServices (org.apache.knox.gateway.services.GatewayServices), AliasService (org.apache.knox.gateway.services.security.AliasService), HashMap (java.util.HashMap), DefaultCryptoService (org.apache.knox.gateway.services.security.impl.DefaultCryptoService), CryptoService (org.apache.knox.gateway.services.security.CryptoService), WebArchive (org.jboss.shrinkwrap.api.spec.WebArchive), Topology (org.apache.knox.gateway.topology.Topology), Provider (org.apache.knox.gateway.topology.Provider), Test (org.junit.Test)

Example 32 with AliasService

Use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.

From the class DefaultTokenAuthorityServiceTest, method testTokenCreationSignatureAlgorithm:

@Test
public void testTokenCreationSignatureAlgorithm() throws Exception {
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
    String basedir = System.getProperty("basedir");
    if (basedir == null) {
        basedir = new File(".").getCanonicalPath();
    }
    // Point the gateway at the test keystore that holds the "server" signing key.
    EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
    EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
    EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
    // The master secret unlocks the keystore; the AliasService supplies the passphrase
    // for the gateway identity key, so neither secret has to live in the config itself.
    MasterService ms = EasyMock.createNiceMock(MasterService.class);
    EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
    AliasService as = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
    EasyMock.replay(principal, config, ms, as);
    KeystoreService ks = new DefaultKeystoreService();
    ((DefaultKeystoreService) ks).setMasterService(ms);
    ((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
    JWTokenAuthority ta = new DefaultTokenAuthorityService();
    ((DefaultTokenAuthorityService) ta).setAliasService(as);
    ((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
    ((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
    // Issue a token with an explicitly requested signature algorithm ...
    JWT token = ta.issueToken(principal, "RS512");
    assertEquals("KNOXSSO", token.getIssuer());
    assertEquals("john.doe@example.com", token.getSubject());
    // ... and confirm the algorithm actually landed in the JOSE header and the
    // signature verifies against the same authority.
    assertTrue(token.getHeader().contains("RS512"));
    assertTrue(ta.verifyToken(token));
}
Also used: AliasService (org.apache.knox.gateway.services.security.AliasService), DefaultKeystoreService (org.apache.knox.gateway.services.security.impl.DefaultKeystoreService), JWT (org.apache.knox.gateway.services.security.token.impl.JWT), JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority), KeystoreService (org.apache.knox.gateway.services.security.KeystoreService), File (java.io.File), MasterService (org.apache.knox.gateway.services.security.MasterService), Principal (java.security.Principal), GatewayConfig (org.apache.knox.gateway.config.GatewayConfig), Test (org.junit.Test)

Example 33 with AliasService

Use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.

From the class DefaultTokenAuthorityServiceTest, method testTokenCreationBadSignatureAlgorithm:

@Test
public void testTokenCreationBadSignatureAlgorithm() throws Exception {
    Principal principal = EasyMock.createNiceMock(Principal.class);
    EasyMock.expect(principal.getName()).andReturn("john.doe@example.com");
    GatewayConfig config = EasyMock.createNiceMock(GatewayConfig.class);
    String basedir = System.getProperty("basedir");
    if (basedir == null) {
        basedir = new File(".").getCanonicalPath();
    }
    EasyMock.expect(config.getGatewaySecurityDir()).andReturn(basedir + "/target/test-classes");
    EasyMock.expect(config.getSigningKeystoreName()).andReturn("server-keystore.jks");
    EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
    MasterService ms = EasyMock.createNiceMock(MasterService.class);
    EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
    AliasService as = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(as.getGatewayIdentityPassphrase()).andReturn("horton".toCharArray());
    EasyMock.replay(principal, config, ms, as);
    KeystoreService ks = new DefaultKeystoreService();
    ((DefaultKeystoreService) ks).setMasterService(ms);
    ((DefaultKeystoreService) ks).init(config, new HashMap<String, String>());
    JWTokenAuthority ta = new DefaultTokenAuthorityService();
    ((DefaultTokenAuthorityService) ta).setAliasService(as);
    ((DefaultTokenAuthorityService) ta).setKeystoreService(ks);
    ((DefaultTokenAuthorityService) ta).init(config, new HashMap<String, String>());
    // "none" is the unsigned JWT algorithm. The authority must refuse to issue such a
    // token rather than silently producing one whose signature cannot be checked.
    try {
        ta.issueToken(principal, "none");
        fail("Failure expected on a bad signature algorithm");
    } catch (TokenServiceException ex) {
        // expected
    }
}
Also used: AliasService (org.apache.knox.gateway.services.security.AliasService), DefaultKeystoreService (org.apache.knox.gateway.services.security.impl.DefaultKeystoreService), JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority), KeystoreService (org.apache.knox.gateway.services.security.KeystoreService), File (java.io.File), MasterService (org.apache.knox.gateway.services.security.MasterService), Principal (java.security.Principal), TokenServiceException (org.apache.knox.gateway.services.security.token.TokenServiceException), GatewayConfig (org.apache.knox.gateway.config.GatewayConfig), Test (org.junit.Test)

Example 34 with AliasService

Use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.

From the class GatewayLdapPosixGroupFuncTest, method setupGateway:

// Relies on the static fields of the enclosing test class: config, gateway, gatewayUrl,
// clusterUrl, serviceUrl and LOG.
public static void setupGateway() throws Exception {
    File targetDir = new File(System.getProperty("user.dir"), "target");
    File gatewayDir = new File(targetDir, "gateway-home-" + UUID.randomUUID());
    gatewayDir.mkdirs();
    GatewayTestConfig testConfig = new GatewayTestConfig();
    config = testConfig;
    testConfig.setGatewayHomeDir(gatewayDir.getAbsolutePath());
    File topoDir = new File(testConfig.getGatewayTopologyDir());
    topoDir.mkdirs();
    File deployDir = new File(testConfig.getGatewayDeploymentDir());
    deployDir.mkdirs();
    DefaultGatewayServices srvcs = new DefaultGatewayServices();
    Map<String, String> options = new HashMap<>();
    // Persist a known master secret so the credential stores can be created and opened.
    options.put("persist-master", "true");
    options.put("master", "hadoop");
    try {
        srvcs.init(testConfig, options);
    } catch (ServiceLifecycleException e) {
        // I18N not required.
        e.printStackTrace();
    }
    gateway = GatewayServer.startGateway(testConfig, srvcs);
    MatcherAssert.assertThat("Failed to start gateway.", gateway, notNullValue());
    LOG.info("Gateway port = " + gateway.getAddresses()[0].getPort());
    gatewayUrl = "http://localhost:" + gateway.getAddresses()[0].getPort() + "/" + config.getGatewayPath();
    clusterUrl = gatewayUrl + "/test-cluster";
    serviceUrl = clusterUrl + "/test-service-path/test-service-resource";
    GatewayServices services = GatewayServer.getGatewayServices();
    // Store the LDAP system password in the cluster-scoped credential store under an alias,
    // so the topology can reference "ldcSystemPassword" instead of embedding the secret.
    AliasService aliasService = (AliasService) services.getService(GatewayServices.ALIAS_SERVICE);
    aliasService.addAliasForCluster("test-cluster", "ldcSystemPassword", "guest-password");
    char[] password1 = aliasService.getPasswordFromAliasForCluster("test-cluster", "ldcSystemPassword");
    File descriptor = new File(topoDir, "test-cluster.xml");
    try (OutputStream stream = new FileOutputStream(descriptor)) {
        createTopology().toStream(stream);
    }
}
Also used: GatewayServices (org.apache.knox.gateway.services.GatewayServices), DefaultGatewayServices (org.apache.knox.gateway.services.DefaultGatewayServices), AliasService (org.apache.knox.gateway.services.security.AliasService), HashMap (java.util.HashMap), OutputStream (java.io.OutputStream), FileOutputStream (java.io.FileOutputStream), ServiceLifecycleException (org.apache.knox.gateway.services.ServiceLifecycleException), File (java.io.File)

Example 35 with AliasService

Use of org.apache.knox.gateway.services.security.AliasService in project knox by apache.

From the class RemoteConfigurationMonitorTest, method testZooKeeperConfigMonitorSASLNodesExistWithAcceptableACL:

@Test
public void testZooKeeperConfigMonitorSASLNodesExistWithAcceptableACL() throws Exception {
    final String configMonitorName = "zkConfigClient";
    final String alias = "zkPass";
    // Setup the base GatewayConfig mock
    GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
    EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
    EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(configMonitorName)).anyTimes();
    // The registry config names only the credential alias; the ZooKeeper password itself
    // is looked up through the AliasService below.
    final String registryConfig =
        GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE + ";" +
        GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString() + ";" +
        GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME + ";" +
        GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest;" +
        GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + alias;
    EasyMock.expect(gc.getRemoteRegistryConfiguration(configMonitorName)).andReturn(registryConfig).anyTimes();
    EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(configMonitorName).anyTimes();
    EasyMock.replay(gc);
    AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(aliasService.getPasswordFromAliasForGateway(alias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
    EasyMock.replay(aliasService);
    RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
    clientService.setAliasService(aliasService);
    clientService.init(gc, Collections.emptyMap());
    clientService.start();
    RemoteConfigurationMonitorFactory.setClientService(clientService);
    RemoteConfigurationMonitor cm = RemoteConfigurationMonitorFactory.get(gc);
    assertNotNull("Failed to load RemoteConfigurationMonitor", cm);
    // Pre-create the Knox config znodes with an ACL the monitor should consider acceptable.
    List<ACL> acls = Arrays.asList(ANY_AUTHENTICATED_USER_ALL);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_CONFIG);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_PROVIDERS);
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(acls).forPath(PATH_KNOX_DESCRIPTORS);
    // Check that the config nodes really do exist (the monitor will NOT create them if they're present)
    assertNotNull(client.checkExists().forPath(PATH_KNOX));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
    assertNotNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));
    try {
        cm.start();
    } catch (Exception e) {
        fail("Failed to start monitor: " + e.getMessage());
    }
    // Test auth violation
    clientService.get(configMonitorName).createEntry("/auth_test/child_node/test1");
    assertNull("Creation should have been prevented since write access is not granted to the test client.", client.checkExists().forPath("/auth_test/child_node/test1"));
    assertTrue("Creation should have been prevented since write access is not granted to the test client.", client.getChildren().forPath("/auth_test/child_node").isEmpty());
    // Validate the expected ACLs on the Knox config znodes (make sure the monitor didn't change them)
    List<ACL> expectedACLs = Collections.singletonList(SASL_TESTUSER_ALL);
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_CONFIG));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_PROVIDERS));
    validateKnoxConfigNodeACLs(expectedACLs, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));
}
Also used: AliasService (org.apache.knox.gateway.services.security.AliasService), ZooKeeperClientServiceProvider (org.apache.knox.gateway.service.config.remote.zk.ZooKeeperClientServiceProvider), RemoteConfigurationRegistryClientService (org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService), ACL (org.apache.zookeeper.data.ACL), GatewayConfig (org.apache.knox.gateway.config.GatewayConfig), Test (org.junit.Test)

Aggregations (types co-occurring with AliasService across the 35 examples, with occurrence counts)

AliasService (org.apache.knox.gateway.services.security.AliasService): 35
Test (org.junit.Test): 25
GatewayServices (org.apache.knox.gateway.services.GatewayServices): 20
File (java.io.File): 15
GatewayConfig (org.apache.knox.gateway.config.GatewayConfig): 12
HashMap (java.util.HashMap): 11
DefaultCryptoService (org.apache.knox.gateway.services.security.impl.DefaultCryptoService): 10
KeystoreService (org.apache.knox.gateway.services.security.KeystoreService): 8
MasterService (org.apache.knox.gateway.services.security.MasterService): 8
CryptoService (org.apache.knox.gateway.services.security.CryptoService): 7
UrlRewriteEnvironment (org.apache.knox.gateway.filter.rewrite.api.UrlRewriteEnvironment): 6
Principal (java.security.Principal): 5
DefaultKeystoreService (org.apache.knox.gateway.services.security.impl.DefaultKeystoreService): 5
JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority): 5
FileOutputStream (java.io.FileOutputStream): 4
UrlRewriteContext (org.apache.knox.gateway.filter.rewrite.spi.UrlRewriteContext): 4
ZooKeeperClientServiceProvider (org.apache.knox.gateway.service.config.remote.zk.ZooKeeperClientServiceProvider): 4
DefaultGatewayServices (org.apache.knox.gateway.services.DefaultGatewayServices): 4
RemoteConfigurationRegistryClientService (org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService): 4
Capture (org.easymock.Capture): 4