HADOOP-16014. Fix test, checkstyle and javadoc issues in TestKerberosAuthenticationHandler. Contributed by Dinesh Chitlangia.

This commit is contained in:
Bharat Viswanadham 2018-12-21 13:30:48 -08:00
parent ea724181d6
commit 2499435d9d

View File

@ -26,11 +26,12 @@
import org.junit.After; import org.junit.After;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.Timeout;
import org.mockito.Mockito; import org.mockito.Mockito;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -38,15 +39,19 @@
import java.io.File; import java.io.File;
import java.security.Principal; import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Properties; import java.util.Properties;
import java.util.Set; import java.util.Set;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
/**
* Tests for Kerberos Authentication Handler.
*/
public class TestKerberosAuthenticationHandler public class TestKerberosAuthenticationHandler
extends KerberosSecurityTestcase { extends KerberosSecurityTestcase {
@Rule
public Timeout globalTimeout = Timeout.millis(60000);
protected KerberosAuthenticationHandler handler; protected KerberosAuthenticationHandler handler;
protected KerberosAuthenticationHandler getNewAuthenticationHandler() { protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
@ -74,8 +79,10 @@ public void setup() throws Exception {
File keytabFile = new File(KerberosTestUtils.getKeytabFile()); File keytabFile = new File(KerberosTestUtils.getKeytabFile());
String clientPrincipal = KerberosTestUtils.getClientPrincipal(); String clientPrincipal = KerberosTestUtils.getClientPrincipal();
String serverPrincipal = KerberosTestUtils.getServerPrincipal(); String serverPrincipal = KerberosTestUtils.getServerPrincipal();
clientPrincipal = clientPrincipal.substring(0, clientPrincipal.lastIndexOf("@")); clientPrincipal = clientPrincipal.substring(0,
serverPrincipal = serverPrincipal.substring(0, serverPrincipal.lastIndexOf("@")); clientPrincipal.lastIndexOf("@"));
serverPrincipal = serverPrincipal.substring(0,
serverPrincipal.lastIndexOf("@"));
getKdc().createPrincipal(keytabFile, clientPrincipal, serverPrincipal); getKdc().createPrincipal(keytabFile, clientPrincipal, serverPrincipal);
// handler // handler
handler = getNewAuthenticationHandler(); handler = getNewAuthenticationHandler();
@ -88,7 +95,7 @@ public void setup() throws Exception {
} }
} }
@Test(timeout=60000) @Test
public void testNameRules() throws Exception { public void testNameRules() throws Exception {
KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal()); KerberosName kn = new KerberosName(KerberosTestUtils.getServerPrincipal());
Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm()); Assert.assertEquals(KerberosTestUtils.getRealm(), kn.getRealm());
@ -100,7 +107,8 @@ public void testNameRules() throws Exception {
handler = getNewAuthenticationHandler(); handler = getNewAuthenticationHandler();
Properties props = getDefaultProperties(); Properties props = getDefaultProperties();
props.setProperty(KerberosAuthenticationHandler.NAME_RULES, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT"); props.setProperty(KerberosAuthenticationHandler.NAME_RULES,
"RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
try { try {
handler.init(props); handler.init(props);
} catch (Exception ex) { } catch (Exception ex) {
@ -111,13 +119,12 @@ public void testNameRules() throws Exception {
try { try {
kn.getShortName(); kn.getShortName();
Assert.fail(); Assert.fail();
} } catch (Exception ex) {
catch (Exception ex) {
} }
} }
@Test(timeout=60000) @Test
public void testInit() throws Exception { public void testInit() {
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab()); Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
Set<KerberosPrincipal> principals = handler.getPrincipals(); Set<KerberosPrincipal> principals = handler.getPrincipals();
Principal expectedPrincipal = Principal expectedPrincipal =
@ -126,8 +133,11 @@ public void testInit() throws Exception {
Assert.assertEquals(1, principals.size()); Assert.assertEquals(1, principals.size());
} }
// dynamic configuration of HTTP principals /**
@Test(timeout=60000) * Tests dynamic configuration of HTTP principals.
* @throws Exception
*/
@Test
public void testDynamicPrincipalDiscovery() throws Exception { public void testDynamicPrincipalDiscovery() throws Exception {
String[] keytabUsers = new String[]{ String[] keytabUsers = new String[]{
"HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host"
@ -143,7 +153,8 @@ public void testDynamicPrincipalDiscovery() throws Exception {
handler = getNewAuthenticationHandler(); handler = getNewAuthenticationHandler();
handler.init(props); handler.init(props);
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab()); Assert.assertEquals(KerberosTestUtils.getKeytabFile(),
handler.getKeytab());
Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals(); Set<KerberosPrincipal> loginPrincipals = handler.getPrincipals();
for (String user : keytabUsers) { for (String user : keytabUsers) {
@ -155,9 +166,13 @@ public void testDynamicPrincipalDiscovery() throws Exception {
} }
} }
// dynamic configuration of HTTP principals /**
@Test(timeout=60000) * Tests dynamic principal discovery for missing principals.
public void testDynamicPrincipalDiscoveryMissingPrincipals() throws Exception { * @throws Exception
*/
@Test
public void testDynamicPrincipalDiscoveryMissingPrincipals()
throws Exception {
String[] keytabUsers = new String[]{"hdfs/localhost"}; String[] keytabUsers = new String[]{"hdfs/localhost"};
String keytab = KerberosTestUtils.getKeytabFile(); String keytab = KerberosTestUtils.getKeytabFile();
getKdc().createPrincipal(new File(keytab), keytabUsers); getKdc().createPrincipal(new File(keytab), keytabUsers);
@ -179,32 +194,37 @@ public void testDynamicPrincipalDiscoveryMissingPrincipals() throws Exception {
} }
} }
@Test(timeout=60000) @Test
public void testType() throws Exception { public void testType() {
Assert.assertEquals(getExpectedType(), handler.getType()); Assert.assertEquals(getExpectedType(), handler.getType());
} }
@Test
public void testRequestWithoutAuthorization() throws Exception { public void testRequestWithoutAuthorization() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class); HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
Assert.assertNull(handler.authenticate(request, response)); Assert.assertNull(handler.authenticate(request, response));
Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE); Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
KerberosAuthenticator.NEGOTIATE);
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED); Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
@Test
public void testRequestWithInvalidAuthorization() throws Exception { public void testRequestWithInvalidAuthorization() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class); HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn("invalid"); Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
.thenReturn("invalid");
Assert.assertNull(handler.authenticate(request, response)); Assert.assertNull(handler.authenticate(request, response));
Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE); Mockito.verify(response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
KerberosAuthenticator.NEGOTIATE);
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED); Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
@Test(timeout=60000) @Test
public void testRequestWithIncompleteAuthorization() throws Exception { public void testRequestWithIncompleteAuthorization() {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class); HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
@ -220,6 +240,7 @@ public void testRequestWithIncompleteAuthorization() throws Exception {
} }
} }
@Test
public void testRequestWithAuthorization() throws Exception { public void testRequestWithAuthorization() throws Exception {
String token = KerberosTestUtils.doAsClient(new Callable<String>() { String token = KerberosTestUtils.doAsClient(new Callable<String>() {
@Override @Override
@ -228,7 +249,8 @@ public String call() throws Exception {
GSSContext gssContext = null; GSSContext gssContext = null;
try { try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal(); String servicePrincipal = KerberosTestUtils.getServerPrincipal();
Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"); Oid oid =
KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
GSSName serviceName = gssManager.createName(servicePrincipal, GSSName serviceName = gssManager.createName(servicePrincipal,
oid); oid);
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"); oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
@ -238,7 +260,8 @@ public String call() throws Exception {
gssContext.requestMutualAuth(true); gssContext.requestMutualAuth(true);
byte[] inToken = new byte[0]; byte[] inToken = new byte[0];
byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); byte[] outToken =
gssContext.initSecContext(inToken, 0, inToken.length);
Base64 base64 = new Base64(0); Base64 base64 = new Base64(0);
return base64.encodeToString(outToken); return base64.encodeToString(outToken);
@ -260,29 +283,34 @@ public String call() throws Exception {
AuthenticationToken authToken = handler.authenticate(request, response); AuthenticationToken authToken = handler.authenticate(request, response);
if (authToken != null) { if (authToken != null) {
Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE), Mockito.verify(response)
Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*")); .setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
Mockito.verify(response).setStatus(HttpServletResponse.SC_OK); Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName()); Assert.assertEquals(KerberosTestUtils.getClientPrincipal(),
Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName())); authToken.getName());
Assert.assertTrue(KerberosTestUtils.getClientPrincipal()
.startsWith(authToken.getUserName()));
Assert.assertEquals(getExpectedType(), authToken.getType()); Assert.assertEquals(getExpectedType(), authToken.getType());
} else { } else {
Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE), Mockito.verify(response).setHeader(
Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*")); Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED); Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
} }
public void testRequestWithInvalidKerberosAuthorization() throws Exception { @Test
public void testRequestWithInvalidKerberosAuthorization() {
String token = new Base64(0).encodeToString(new byte[]{0, 1, 2}); String token = new Base64(0).encodeToString(new byte[]{0, 1, 2});
HttpServletRequest request = Mockito.mock(HttpServletRequest.class); HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class); HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn( Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION))
KerberosAuthenticator.NEGOTIATE + token); .thenReturn(KerberosAuthenticator.NEGOTIATE + token);
try { try {
handler.authenticate(request, response); handler.authenticate(request, response);