You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by lm...@apache.org on 2017/05/27 19:12:25 UTC
knox git commit: KNOX-952 - Add common tests for the two JWT filters
(Colm O hEigeartaigh via lmccay)
Repository: knox
Updated Branches:
refs/heads/master 39a552772 -> 771a2fc0d
KNOX-952 - Add common tests for the two JWT filters (Colm O hEigeartaigh via lmccay)
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/771a2fc0
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/771a2fc0
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/771a2fc0
Branch: refs/heads/master
Commit: 771a2fc0d4f1526eb5d72f62ef3f8fd6115f3269
Parents: 39a5527
Author: Larry McCay <lm...@hortonworks.com>
Authored: Sat May 27 15:12:11 2017 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Sat May 27 15:12:11 2017 -0400
----------------------------------------------------------------------
.../federation/AbstractJWTFilterTest.java | 396 +++++++++++++++++
.../federation/JWTFederationFilterTest.java | 57 +++
.../federation/SSOCookieProviderTest.java | 443 +------------------
3 files changed, 475 insertions(+), 421 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/771a2fc0/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
new file mode 100644
index 0000000..76c4e4e
--- /dev/null
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -0,0 +1,396 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Properties;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.gateway.provider.federation.jwt.filter.AbstractJWTFilter;
+import org.apache.hadoop.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter;
+import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
+import org.apache.hadoop.gateway.services.security.token.impl.JWT;
+import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.nimbusds.jose.*;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.util.Base64URL;
+
+public abstract class AbstractJWTFilterTest {
+ private static final String SERVICE_URL = "https://localhost:8888/resource";
+
+ protected AbstractJWTFilter handler = null;
+ protected RSAPublicKey publicKey = null;
+ protected RSAPrivateKey privateKey = null;
+
+ protected abstract void setTokenOnRequest(HttpServletRequest request, SignedJWT jwt);
+ protected abstract String getAudienceProperty();
+
+ @Before
+ public void setup() throws Exception, NoSuchAlgorithmException {
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+
+ KeyPair kp = kpg.genKeyPair();
+ publicKey = (RSAPublicKey) kp.getPublic();
+ privateKey = (RSAPrivateKey) kp.getPrivate();
+ }
+
+ @After
+ public void teardown() throws Exception {
+ handler.destroy();
+ }
+
+ @Test
+ public void testValidJWT() throws Exception {
+ try {
+ Properties props = getProperties();
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000), privateKey);
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(
+ new StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
+ SERVICE_URL);
+ EasyMock.replay(request);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
+ Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
+ Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
+ Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testValidAudienceJWT() throws Exception {
+ try {
+ Properties props = getProperties();
+ props.put(getAudienceProperty(), "bar");
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000), privateKey);
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(
+ new StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
+ SERVICE_URL);
+ EasyMock.replay(request);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
+ Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
+ Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
+ Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testInvalidAudienceJWT() throws Exception {
+ try {
+ Properties props = getProperties();
+ props.put(getAudienceProperty(), "foo");
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000), privateKey);
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(
+ new StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
+ SERVICE_URL);
+ EasyMock.replay(request);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == false);
+ Assert.assertTrue("No Subject should be returned.", chain.subject == null);
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testExpiredJWT() throws Exception {
+ try {
+ Properties props = getProperties();
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() - 1000), privateKey);
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(
+ new StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
+ SERVICE_URL);
+ EasyMock.replay(request);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == false);
+ Assert.assertTrue("No Subject should be returned.", chain.subject == null);
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ @Test
+ public void testValidJWTNoExpiration() throws Exception {
+ try {
+ Properties props = getProperties();
+ handler.init(new TestFilterConfig(props));
+
+ SignedJWT jwt = getJWT("alice", null, privateKey);
+
+ HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
+ setTokenOnRequest(request, jwt);
+
+ EasyMock.expect(request.getRequestURL()).andReturn(
+ new StringBuffer(SERVICE_URL)).anyTimes();
+ EasyMock.expect(request.getQueryString()).andReturn(null);
+ HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
+ EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
+ SERVICE_URL).anyTimes();
+ EasyMock.replay(request);
+
+ TestFilterChain chain = new TestFilterChain();
+ handler.doFilter(request, response, chain);
+ Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
+ Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
+ Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
+ Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
+ } catch (ServletException se) {
+ fail("Should NOT have thrown a ServletException.");
+ }
+ }
+
+ protected Properties getProperties() {
+ Properties props = new Properties();
+ props.setProperty(
+ SSOCookieFederationFilter.SSO_AUTHENTICATION_PROVIDER_URL,
+ "https://localhost:8443/authserver");
+ return props;
+ }
+
+ protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey)
+ throws Exception {
+ List<String> aud = new ArrayList<String>();
+ aud.add("bar");
+
+ JWTClaimsSet claims = new JWTClaimsSet.Builder()
+ .issuer("KNOXSSO")
+ .subject(sub)
+ .audience(aud)
+ .expirationTime(expires)
+ .claim("scope", "openid")
+ .build();
+
+ JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
+
+ SignedJWT signedJWT = new SignedJWT(header, claims);
+ Base64URL sigInput = Base64URL.encode(signedJWT.getSigningInput());
+ JWSSigner signer = new RSASSASigner(privateKey);
+
+ signedJWT.sign(signer);
+
+ return signedJWT;
+ }
+
+ protected static class TestFilterConfig implements FilterConfig {
+ Properties props = null;
+
+ public TestFilterConfig(Properties props) {
+ this.props = props;
+ }
+
+ @Override
+ public String getFilterName() {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getServletContext()
+ */
+ @Override
+ public ServletContext getServletContext() {
+// JWTokenAuthority authority = EasyMock.createNiceMock(JWTokenAuthority.class);
+// GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
+// EasyMock.expect(services.getService("TokenService").andReturn(authority));
+// ServletContext context = EasyMock.createNiceMock(ServletContext.class);
+// EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE).andReturn(new DefaultGatewayServices()));
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
+ */
+ @Override
+ public String getInitParameter(String name) {
+ return props.getProperty(name, null);
+ }
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterConfig#getInitParameterNames()
+ */
+ @Override
+ public Enumeration<String> getInitParameterNames() {
+ return null;
+ }
+
+ }
+
+ protected static class TestJWTokenAuthority implements JWTokenAuthority {
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(javax.security.auth.Subject, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Subject subject, String algorithm)
+ throws TokenServiceException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Principal p, String algorithm)
+ throws TokenServiceException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
+ */
+ @Override
+ public JWTToken issueToken(Principal p, String audience, String algorithm)
+ throws TokenServiceException {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#verifyToken(org.apache.hadoop.gateway.services.security.token.impl.JWTToken)
+ */
+ @Override
+ public boolean verifyToken(JWTToken token) throws TokenServiceException {
+ return true;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String, long)
+ */
+ @Override
+ public JWTToken issueToken(Principal p, String audience, String algorithm,
+ long expires) throws TokenServiceException {
+ return null;
+ }
+
+ @Override
+ public JWTToken issueToken(Principal p, List<String> audiences, String algorithm,
+ long expires) throws TokenServiceException {
+ return null;
+ }
+
+ /* (non-Javadoc)
+ * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, long)
+ */
+ @Override
+ public JWT issueToken(Principal p, String audience, long l)
+ throws TokenServiceException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ }
+
+ protected static class TestFilterChain implements FilterChain {
+ boolean doFilterCalled = false;
+ Subject subject = null;
+
+ /* (non-Javadoc)
+ * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response)
+ throws IOException, ServletException {
+ doFilterCalled = true;
+
+ subject = Subject.getSubject( AccessController.getContext() );
+ }
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/771a2fc0/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTFederationFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTFederationFilterTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTFederationFilterTest.java
new file mode 100644
index 0000000..5da5d55
--- /dev/null
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/JWTFederationFilterTest.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import java.security.NoSuchAlgorithmException;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.hadoop.gateway.provider.federation.jwt.filter.JWTFederationFilter;
+import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
+import org.easymock.EasyMock;
+import org.junit.Before;
+
+import com.nimbusds.jwt.SignedJWT;
+
+public class JWTFederationFilterTest extends AbstractJWTFilterTest {
+
+ @Before
+ public void setup() throws Exception, NoSuchAlgorithmException {
+ super.setup();
+ handler = new TestJWTFederationFilter();
+ ((TestJWTFederationFilter) handler).setTokenService(new TestJWTokenAuthority());
+ }
+
+ protected void setTokenOnRequest(HttpServletRequest request, SignedJWT jwt) {
+ String token = "Bearer " + jwt.serialize();
+ EasyMock.expect(request.getHeader("Authorization")).andReturn(token);
+ }
+
+ protected String getAudienceProperty() {
+ return TestJWTFederationFilter.KNOX_TOKEN_AUDIENCES;
+ }
+
+ private static class TestJWTFederationFilter extends JWTFederationFilter {
+
+ public void setTokenService(JWTokenAuthority ts) {
+ authority = ts;
+ }
+
+ };
+
+}
http://git-wip-us.apache.org/repos/asf/knox/blob/771a2fc0/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
index 57d04c7..4006051 100644
--- a/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
+++ b/gateway-provider-security-jwt/src/test/java/org/apache/hadoop/gateway/provider/federation/SSOCookieProviderTest.java
@@ -19,28 +19,13 @@ package org.apache.hadoop.gateway.provider.federation;
import static org.junit.Assert.fail;
-import java.io.IOException;
-import java.security.AccessController;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.ArrayList;
import java.util.Properties;
import java.util.Date;
import java.util.Set;
-import javax.security.auth.Subject;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -48,29 +33,34 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter;
import org.apache.hadoop.gateway.security.PrimaryPrincipal;
import org.apache.hadoop.gateway.services.security.token.JWTokenAuthority;
-import org.apache.hadoop.gateway.services.security.token.TokenServiceException;
-import org.apache.hadoop.gateway.services.security.token.impl.JWT;
-import org.apache.hadoop.gateway.services.security.token.impl.JWTToken;
import org.easymock.EasyMock;
-import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
-import com.nimbusds.jose.*;
-import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
-import com.nimbusds.jose.crypto.RSASSASigner;
-import com.nimbusds.jose.util.Base64URL;
-public class SSOCookieProviderTest {
+public class SSOCookieProviderTest extends AbstractJWTFilterTest {
private static final String SERVICE_URL = "https://localhost:8888/resource";
private static final String REDIRECT_LOCATION =
"https://localhost:8443/authserver?originalUrl=" + SERVICE_URL;
- RSAPublicKey publicKey = null;
- RSAPrivateKey privateKey = null;
- SSOCookieFederationFilter handler = null;
-
+
+ @Before
+ public void setup() throws Exception, NoSuchAlgorithmException {
+ super.setup();
+ handler = new TestSSOCookieFederationProvider();
+ ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
+ }
+
+ protected void setTokenOnRequest(HttpServletRequest request, SignedJWT jwt) {
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
+ }
+
+ protected String getAudienceProperty() {
+ return TestSSOCookieFederationProvider.SSO_EXPECTED_AUDIENCES;
+ }
+
@Test
public void testCustomCookieNameJWT() throws Exception {
try {
@@ -92,7 +82,6 @@ public class SSOCookieProviderTest {
SERVICE_URL);
EasyMock.replay(request);
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
TestFilterChain chain = new TestFilterChain();
handler.doFilter(request, response, chain);
Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
@@ -108,55 +97,19 @@ public class SSOCookieProviderTest {
public void testNoProviderURLJWT() throws Exception {
try {
Properties props = getProperties();
- props
- .remove("sso.authentication.provider.url");
+ props.remove("sso.authentication.provider.url");
handler.init(new TestFilterConfig(props));
fail("Servlet exception should have been thrown.");
} catch (ServletException se) {
- // expected - let's ensure it mentions the missing authenticaiton provider URL
+ // expected - let's ensure it mentions the missing authentication provider URL
se.getMessage().contains("authentication provider URL is missing");
}
}
+
/*
@Test
- public void testUnableToParseJWT() throws Exception {
- try {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
-
- KeyPair kp = kpg.genKeyPair();
- RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
-
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", "ljm" + jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
public void testFailedSignatureValidationJWT() throws Exception {
try {
@@ -195,180 +148,6 @@ public class SSOCookieProviderTest {
}
}
*/
- @Test
- public void testExpiredJWT() throws Exception {
- try {
- ((TestSSOCookieFederationProvider) handler).setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(new TestFilterConfig(props));
-
- SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() - 1000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
- EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
- EasyMock.expect(request.getRequestURL()).andReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- EasyMock.expect(request.getQueryString()).andReturn(null);
- HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
- EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
- SERVICE_URL);
- EasyMock.replay(request);
-
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
- TestFilterChain chain = new TestFilterChain();
- handler.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == false);
-// Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
-// Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
-// Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
-// Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
-
- @Test
- public void testInvalidAudienceJWT() throws Exception {
- try {
- Properties props = getProperties();
- props
- .put("sso.expected.audiences", "foo");
- handler.init(new TestFilterConfig(props));
-
- SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
- EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
- EasyMock.expect(request.getRequestURL()).andReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- EasyMock.expect(request.getQueryString()).andReturn(null);
- HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
- EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
- SERVICE_URL);
- EasyMock.replay(request);
-
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
- TestFilterChain chain = new TestFilterChain();
- handler.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == false);
- Assert.assertTrue("No Subject should be returned.", chain.subject == null);
-// Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
-// Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
- @Test
- public void testValidAudienceJWT() throws Exception {
- try {
- Properties props = getProperties();
- props
- .put("sso.expected.audiences", "bar");
- handler.init(new TestFilterConfig(props));
-
- SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
- EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
- EasyMock.expect(request.getRequestURL()).andReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- EasyMock.expect(request.getQueryString()).andReturn(null);
- HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
- EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
- SERVICE_URL);
- EasyMock.replay(request);
-
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
- TestFilterChain chain = new TestFilterChain();
- handler.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
- Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
- Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
- Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
-// Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
- @Test
- public void testValidJWT() throws Exception {
- try {
- ((TestSSOCookieFederationProvider) handler).setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(new TestFilterConfig(props));
-
- SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
- EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
- EasyMock.expect(request.getRequestURL()).andReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- EasyMock.expect(request.getQueryString()).andReturn(null);
- HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
- EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
- SERVICE_URL).anyTimes();
- EasyMock.replay(request);
-
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
- TestFilterChain chain = new TestFilterChain();
- handler.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
- Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
- Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
- Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
-// Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
-
- @Test
- public void testValidJWTNoExpiration() throws Exception {
- try {
- ((TestSSOCookieFederationProvider) handler).setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(new TestFilterConfig(props));
-
- SignedJWT jwt = getJWT("alice", null,
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = EasyMock.createNiceMock(HttpServletRequest.class);
- EasyMock.expect(request.getCookies()).andReturn(new Cookie[] { cookie });
- EasyMock.expect(request.getRequestURL()).andReturn(
- new StringBuffer(SERVICE_URL)).anyTimes();
- EasyMock.expect(request.getQueryString()).andReturn(null);
- HttpServletResponse response = EasyMock.createNiceMock(HttpServletResponse.class);
- EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(
- SERVICE_URL).anyTimes();
- EasyMock.replay(request);
-
- ((TestSSOCookieFederationProvider) handler).setTokenService(new TestJWTokenAuthority());
- TestFilterChain chain = new TestFilterChain();
- handler.doFilter(request, response, chain);
- Assert.assertTrue("doFilterCalled should not be false.", chain.doFilterCalled == true);
- Set<PrimaryPrincipal> principals = chain.subject.getPrincipals(PrimaryPrincipal.class);
- Assert.assertTrue("No PrimaryPrincipal", principals.size() > 0);
- Assert.assertEquals("Not the expected principal", "alice", ((Principal)principals.toArray()[0]).getName());
-// Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("Should NOT have thrown a ServletException.");
- }
- }
@Test
public void testOrigURLWithQueryString() throws Exception {
@@ -402,192 +181,14 @@ public class SSOCookieProviderTest {
Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL);
}
- @Before
- public void setup() throws Exception, NoSuchAlgorithmException {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
-
- KeyPair kp = kpg.genKeyPair();
- publicKey = (RSAPublicKey) kp.getPublic();
- privateKey = (RSAPrivateKey) kp.getPrivate();
-
- handler = new TestSSOCookieFederationProvider();
- }
-
- @After
- public void teardown() throws Exception {
- handler.destroy();
- }
-
- protected Properties getProperties() {
- Properties props = new Properties();
- props.setProperty(
- TestSSOCookieFederationProvider.SSO_AUTHENTICATION_PROVIDER_URL,
- "https://localhost:8443/authserver");
- return props;
- }
-
- protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey)
- throws Exception {
- List<String> aud = new ArrayList<String>();
- aud.add("bar");
-
- JWTClaimsSet claims = new JWTClaimsSet.Builder()
- .issuer("KNOXSSO")
- .subject(sub)
- .audience(aud)
- .expirationTime(expires)
- .claim("scope", "openid")
- .build();
-
- JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
-
- SignedJWT signedJWT = new SignedJWT(header, claims);
- Base64URL sigInput = Base64URL.encode(signedJWT.getSigningInput());
- JWSSigner signer = new RSASSASigner(privateKey);
-
- signedJWT.sign(signer);
-
- return signedJWT;
- }
-
- class TestSSOCookieFederationProvider extends SSOCookieFederationFilter {
+ private static class TestSSOCookieFederationProvider extends SSOCookieFederationFilter {
public String testConstructLoginURL(HttpServletRequest req) {
return constructLoginURL(req);
}
- public void setPublicKey(RSAPublicKey key) {
- publicKey = key;
- }
-
public void setTokenService(JWTokenAuthority ts) {
authority = ts;
}
};
- class TestFilterConfig implements FilterConfig {
- Properties props = null;
-
- public TestFilterConfig(Properties props) {
- this.props = props;
- }
-
- @Override
- public String getFilterName() {
- return null;
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getServletContext()
- */
- @Override
- public ServletContext getServletContext() {
-// JWTokenAuthority authority = EasyMock.createNiceMock(JWTokenAuthority.class);
-// GatewayServices services = EasyMock.createNiceMock(GatewayServices.class);
-// EasyMock.expect(services.getService("TokenService").andReturn(authority));
-// ServletContext context = EasyMock.createNiceMock(ServletContext.class);
-// EasyMock.expect(context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE).andReturn(new DefaultGatewayServices()));
- return null;
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getInitParameter(java.lang.String)
- */
- @Override
- public String getInitParameter(String name) {
- return props.getProperty(name, null);
- }
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterConfig#getInitParameterNames()
- */
- @Override
- public Enumeration<String> getInitParameterNames() {
- return null;
- }
-
- }
-
- class TestJWTokenAuthority implements JWTokenAuthority {
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(javax.security.auth.Subject, java.lang.String)
- */
- @Override
- public JWTToken issueToken(Subject subject, String algorithm)
- throws TokenServiceException {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String)
- */
- @Override
- public JWTToken issueToken(Principal p, String algorithm)
- throws TokenServiceException {
- // TODO Auto-generated method stub
- return null;
- }
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
- */
- @Override
- public JWTToken issueToken(Principal p, String audience, String algorithm)
- throws TokenServiceException {
- return null;
- }
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#verifyToken(org.apache.hadoop.gateway.services.security.token.impl.JWTToken)
- */
- @Override
- public boolean verifyToken(JWTToken token) throws TokenServiceException {
- return true;
- }
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String, long)
- */
- @Override
- public JWTToken issueToken(Principal p, String audience, String algorithm,
- long expires) throws TokenServiceException {
- return null;
- }
-
- @Override
- public JWTToken issueToken(Principal p, List<String> audiences, String algorithm,
- long expires) throws TokenServiceException {
- return null;
- }
-
- /* (non-Javadoc)
- * @see org.apache.hadoop.gateway.services.security.token.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, long)
- */
- @Override
- public JWT issueToken(Principal p, String audience, long l)
- throws TokenServiceException {
- // TODO Auto-generated method stub
- return null;
- }
-
- }
-
- class TestFilterChain implements FilterChain {
- boolean doFilterCalled = false;
- Subject subject = null;
-
- /* (non-Javadoc)
- * @see javax.servlet.FilterChain#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse)
- */
- @Override
- public void doFilter(ServletRequest request, ServletResponse response)
- throws IOException, ServletException {
- doFilterCalled = true;
-
- subject = Subject.getSubject( AccessController.getContext() );
- }
-
- }
}