Posted to commits@lucene.apache.org by no...@apache.org on 2018/01/08 10:43:42 UTC
lucene-solr:master: SOLR-11830: PKI authentication testcases do not
check for null principal
Repository: lucene-solr
Updated Branches:
refs/heads/master 0744fea82 -> 72e68697f
SOLR-11830: PKI authentication testcases do not check for null principal
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/72e68697
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/72e68697
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/72e68697
Branch: refs/heads/master
Commit: 72e68697fc304ff0c42f6d422660146e7195f4b9
Parents: 0744fea
Author: Noble Paul <no...@apache.org>
Authored: Mon Jan 8 21:43:30 2018 +1100
Committer: Noble Paul <no...@apache.org>
Committed: Mon Jan 8 21:43:30 2018 +1100
----------------------------------------------------------------------
.../solr/security/MockAuthorizationPlugin.java | 19 ++++++-----
.../PKIAuthenticationIntegrationTest.java | 15 +++------
.../security/TestAuthorizationFramework.java | 35 ++++++++++++--------
3 files changed, 36 insertions(+), 33 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/72e68697/solr/core/src/test/org/apache/solr/security/MockAuthorizationPlugin.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/MockAuthorizationPlugin.java b/solr/core/src/test/org/apache/solr/security/MockAuthorizationPlugin.java
index 17091ab..8eb93c8 100644
--- a/solr/core/src/test/org/apache/solr/security/MockAuthorizationPlugin.java
+++ b/solr/core/src/test/org/apache/solr/security/MockAuthorizationPlugin.java
@@ -30,6 +30,7 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
static final HashSet<String> denyUsers = new HashSet<>();
+ static final HashSet<String> protectedResources = new HashSet<>();
static Predicate<AuthorizationContext> predicate;
@Override
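Review bot: `protectedResources` is a plain static `HashSet` that the test thread mutates (`add` and `clear` in TestAuthorizationFramework) while the authorization method reads it, presumably on request-handling threads, so the lookup has no visibility guarantee. A concurrent set removes the risk of a flaky allow/deny decision: `static final Set<String> protectedResources = ConcurrentHashMap.newKeySet();`. The existing `denyUsers` field has the same shape and could be changed with it. The class body continues outside the hunk.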
@@ -42,15 +43,17 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
} catch (SolrException e) {
return new AuthorizationResponse(e.code());
}
+ } else {
+ if (!protectedResources.contains(context.getResource())) {
+ return new AuthorizationResponse(200);
+ }
+ if (uname == null) uname = context.getParams().get("uname");
+ log.info("User request: " + uname);
+ if (uname == null || denyUsers.contains(uname))
+ return new AuthorizationResponse(403);
+ else
+ return new AuthorizationResponse(200);
}
-
-
- if (uname == null) uname = context.getParams().get("uname");
- log.info("User request: " + uname);
- if (denyUsers.contains(uname))
- return new AuthorizationResponse(403);
- else
- return new AuthorizationResponse(200);
}
@Override
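Review bot: The new `else` branch returns 200 for every resource that is not in `protectedResources` before the user is looked at, and nothing states that this fail-open default is intended or that it applies only on this branch (the `if` above it starts outside the hunk and appears to be the `predicate` path). A comment above the check would make the contract explicit, for example `// Mock policy: resources not in protectedResources are open to everyone, including requests with no principal; protected ones need a non-null user that is not in denyUsers`. The log line also concatenates a value that can come from the `uname` request parameter; `log.info("User request: {}", uname);` would match the parameterized style used in PKIAuthenticationIntegrationTest. The method itself begins above the hunk.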
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/72e68697/solr/core/src/test/org/apache/solr/security/PKIAuthenticationIntegrationTest.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/PKIAuthenticationIntegrationTest.java b/solr/core/src/test/org/apache/solr/security/PKIAuthenticationIntegrationTest.java
index bc4f4e5..1f85f3a 100644
--- a/solr/core/src/test/org/apache/solr/security/PKIAuthenticationIntegrationTest.java
+++ b/solr/core/src/test/org/apache/solr/security/PKIAuthenticationIntegrationTest.java
@@ -16,12 +16,10 @@
*/
package org.apache.solr.security;
-import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import java.lang.invoke.MethodHandles;
import java.security.Principal;
import java.util.concurrent.atomic.AtomicInteger;
-import java.util.function.Predicate;
import org.apache.http.client.HttpClient;
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
@@ -77,9 +75,7 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
final AtomicInteger count = new AtomicInteger();
- MockAuthorizationPlugin.predicate = new Predicate<AuthorizationContext>() {
- @Override
- public boolean test(AuthorizationContext context) {
+ MockAuthorizationPlugin.predicate = context -> {
if ("/select".equals(context.getResource())) {
Principal principal = context.getUserPrincipal();
log.info("principalIs : {}", principal);
@@ -88,22 +84,19 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
}
}
return true;
- }
};
- MockAuthenticationPlugin.predicate = new Predicate<ServletRequest>() {
- @Override
- public boolean test(ServletRequest servletRequest) {
+ MockAuthenticationPlugin.predicate = servletRequest -> {
String s = ((HttpServletRequest) servletRequest).getQueryString();
if (s != null && s.contains("__user=solr") && s.contains("__pwd=SolrRocks")) {
servletRequest.setAttribute(Principal.class.getName(), "solr");
}
return true;
- }
};
QueryRequest query = new QueryRequest(params);
query.process(cluster.getSolrClient(), "collection");
- assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(),count.get() > 2);
+ assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(), count.get() > 2);
+
}
@After
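Review bot: The authentication lambda returns `true` on every path, so a request without `__user=solr` and `__pwd=SolrRocks` is still let through, only without a principal attribute; that looks deliberate for a null-principal test but is not stated anywhere in the hunk. A one-line comment such as `// always authenticate; only requests carrying the test credentials get a principal` would keep a later reader from tightening it by mistake. The two `contains` calls are substring matches on the raw query string, which is acceptable for this fixture but worth saying in the same comment. The test method starts above the hunk.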
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/72e68697/solr/core/src/test/org/apache/solr/security/TestAuthorizationFramework.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/security/TestAuthorizationFramework.java b/solr/core/src/test/org/apache/solr/security/TestAuthorizationFramework.java
index acdf578..c3d6f60 100644
--- a/solr/core/src/test/org/apache/solr/security/TestAuthorizationFramework.java
+++ b/solr/core/src/test/org/apache/solr/security/TestAuthorizationFramework.java
@@ -17,7 +17,6 @@
package org.apache.solr.security;
import java.lang.invoke.MethodHandles;
-
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
@@ -59,22 +58,30 @@ public class TestAuthorizationFramework extends AbstractFullDistribZkTestBase {
public void authorizationFrameworkTest() throws Exception {
MockAuthorizationPlugin.denyUsers.add("user1");
MockAuthorizationPlugin.denyUsers.add("user1");
- waitForThingsToLevelOut(10);
- String baseUrl = jettys.get(0).getBaseUrl().toString();
- verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
- log.info("Starting test");
- ModifiableSolrParams params = new ModifiableSolrParams();
- params.add("q", "*:*");
- // This should work fine.
- cloudClient.query(params);
- // This user is blacklisted in the mock. The request should return a 403.
- params.add("uname", "user1");
try {
+ waitForThingsToLevelOut(10);
+ String baseUrl = jettys.get(0).getBaseUrl().toString();
+ verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
+ log.info("Starting test");
+ ModifiableSolrParams params = new ModifiableSolrParams();
+ params.add("q", "*:*");
+ // This should work fine.
cloudClient.query(params);
- fail("This should have failed");
- } catch (Exception e) {}
- log.info("Ending test");
+ MockAuthorizationPlugin.protectedResources.add("/select");
+
+ // This user is blacklisted in the mock. The request should return a 403.
+ params.add("uname", "user1");
+ try {
+ cloudClient.query(params);
+ fail("This should have failed");
+ } catch (Exception e) {}
+ log.info("Ending test");
+ } finally {
+ MockAuthorizationPlugin.denyUsers.clear();
+ MockAuthorizationPlugin.protectedResources.clear();
+
+ }
}
@Override
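Review bot: The inner `catch (Exception e) {}` accepts any failure as proof of denial, so a timeout or connection error on the `user1` query would pass the test just as a 403 would. The catch should check the status it expects, for example `} catch (SolrException e) { assertEquals(403, e.code()); }`, assuming the client surfaces the rejection as a `SolrException` as the mock plugin's own `e.code()` usage suggests. The two `denyUsers.add("user1")` calls remain outside the `try`, which is harmless here because the `finally` still clears both sets once the `try` is entered.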