You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by kl...@apache.org on 2016/02/10 02:01:42 UTC
[1/4] incubator-geode git commit: Repackage security test classes in
Apache Geode
Repository: incubator-geode
Updated Branches:
refs/heads/feature/GEODE-949 820cfd632 -> 4383a7117
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/XmlAuthorization.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/XmlAuthorization.java b/gemfire-core/src/test/java/templates/security/XmlAuthorization.java
deleted file mode 100644
index 1ed0142..0000000
--- a/gemfire-core/src/test/java/templates/security/XmlAuthorization.java
+++ /dev/null
@@ -1,675 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-
-import org.w3c.dom.Attr;
-import org.w3c.dom.Document;
-import org.w3c.dom.NamedNodeMap;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.ExecuteFunctionOperationContext;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import com.gemstone.gemfire.cache.operations.QueryOperationContext;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.NotAuthorizedException;
-
-/**
- * An implementation of the <code>{@link AccessControl}</code> interface that
- * allows authorization using the permissions as specified in the given XML
- * file.
- *
- * The format of the XML file is specified in <a href="authz5_5.dtd"/>. It
- * implements a role-based authorization at the operation level for each region.
- * Each principal name may be associated with a set of roles. The name of the
- * principal is obtained using the {@link Principal#getName} method and no other
- * information of the principal is utilized. Each role can be provided
- * permissions to execute operations for each region.
- *
- * The top-level element in the XML is "acl" tag that contains the "role" and
- * "permission" tags. The "role" tag contains the list of users that have been
- * given that role. The name of the role is specified in the "role" attribute
- * and the users are contained in the "user" tags insided the "role" tag.
- *
- * The "permissions" tag contains the list of operations allowed for a
- * particular region. The role name is specified as the "role" attribute, the
- * list of comma separated region names as the optional "regions" attribute and
- * the operation names are contained in the "operation" tags inside the
- * "permissions" tag. The allowed operation names are: GET, PUT, PUTALL,
- * DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, CONTAINS_KEY, KEY_SET,
- * QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, REGION_CREATE,
- * REGION_DESTROY. These correspond to the operations in the
- * {@link OperationCode} enumeration with the same name.
- *
- * When no region name is specified then the operation is allowed for all
- * regions in the cache. Any permissions specified for regions using the
- * "regions" attribute override these permissions. This allows users to provide
- * generic permissions without any region name, and override for specific
- * regions specified using the "regions" attribute. A cache-level operation
- * (e.g. {@link OperationCode#REGION_DESTROY}) specified for a particular region
- * is ignored i.e. the cache-level operations are only applicable when no region
- * name is specified. A {@link OperationCode#QUERY} operation is permitted when
- * either the <code>QUERY</code> permission is provided at the cache-level for
- * the user or when <code>QUERY</code> permission is provided for all the
- * regions that are part of the query string.
- *
- * Any roles specified in the "user" tag that do not have a specified permission
- * set using the "permission" tags are ignored. When no {@link Principal} is
- * associated with the current connection, then empty user name is used to
- * search for the roles so an empty user name can be used to specify roles of
- * unauthenticated clients (i.e. <code>Everyone</code>).
- *
- * This sample implementation is useful only for pre-operation checks and should
- * not be used for post-operation authorization since it does nothing useful for
- * post-operation case.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class XmlAuthorization implements AccessControl {
-
- public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri";
-
- private static final String TAG_ROLE = "role";
-
- private static final String TAG_USER = "user";
-
- private static final String TAG_PERMS = "permission";
-
- private static final String TAG_OP = "operation";
-
- private static final String ATTR_ROLENAME = "name";
-
- private static final String ATTR_ROLE = "role";
-
- private static final String ATTR_REGIONS = "regions";
-
- private static final String ATTR_FUNCTION_IDS = "functionIds";
-
- private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE =
- "optimizeForWrite";
-
- private static final String ATTR_FUNCTION_KEY_SET = "keySet";
-
- private static String currentDocUri = null;
-
- private static Map<String, HashSet<String>> userRoles = null;
-
- private static Map<String, Map<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null;
-
- private static NotAuthorizedException xmlLoadFailure = null;
-
- private static final Object sync = new Object();
-
- private static final String EMPTY_VALUE = "";
-
- private final Map<String, Map<OperationCode,
- FunctionSecurityPrmsHolder>> allowedOps;
-
- protected LogWriter logger;
-
- protected LogWriter securityLogger;
-
- private XmlAuthorization() {
-
- this.allowedOps = new HashMap<String, Map<OperationCode,
- FunctionSecurityPrmsHolder>>();
- this.logger = null;
- this.securityLogger = null;
- }
-
- /**
- * Change the region name to a standard format having single '/' as separator
- * and starting with a '/' as in standard POSIX paths
- */
- public static String normalizeRegionName(String regionName) {
-
- if (regionName == null || regionName.length() == 0) {
- return EMPTY_VALUE;
- }
- char[] resultName = new char[regionName.length() + 1];
- boolean changed = false;
- boolean isPrevCharSlash = false;
- int startIndex;
- if (regionName.charAt(0) != '/') {
- changed = true;
- startIndex = 0;
- }
- else {
- isPrevCharSlash = true;
- startIndex = 1;
- }
- resultName[0] = '/';
- int resultLength = 1;
- // Replace all more than one '/'s with a single '/'
- for (int index = startIndex; index < regionName.length(); ++index) {
- char currChar = regionName.charAt(index);
- if (currChar == '/') {
- if (isPrevCharSlash) {
- changed = true;
- continue;
- }
- isPrevCharSlash = true;
- }
- else {
- isPrevCharSlash = false;
- }
- resultName[resultLength++] = currChar;
- }
- // Remove any trailing slash
- if (resultName[resultLength - 1] == '/') {
- --resultLength;
- changed = true;
- }
- if (changed) {
- return new String(resultName, 0, resultLength);
- }
- else {
- return regionName;
- }
- }
-
- /** Get the attribute value for a given attribute name of a node. */
- private static String getAttributeValue(Node node, String attrName) {
-
- NamedNodeMap attrMap = node.getAttributes();
- Node attrNode;
- if (attrMap != null && (attrNode = attrMap.getNamedItem(attrName)) != null) {
- return ((Attr)attrNode).getValue();
- }
- return EMPTY_VALUE;
- }
-
- /** Get the string contained in the first text child of the node. */
- private static String getNodeValue(Node node) {
-
- NodeList childNodes = node.getChildNodes();
- for (int index = 0; index < childNodes.getLength(); index++) {
- Node childNode = childNodes.item(index);
- if (childNode.getNodeType() == Node.TEXT_NODE) {
- return childNode.getNodeValue();
- }
- }
- return EMPTY_VALUE;
- }
-
- /**
- * Public static factory method to create an instance of
- * <code>XmlAuthorization</code>. The fully qualified name of the class
- * (<code>templates.security.XmlAuthorization.create</code>)
- * should be mentioned as the <code>security-client-accessor</code> system
- * property to enable pre-operation authorization checks as implemented in
- * this class.
- *
- * @return an object of <code>XmlAuthorization</code> class
- */
- public static AccessControl create() {
-
- return new XmlAuthorization();
- }
-
- /**
- * Cache authorization information for all users statically. This method is
- * not thread-safe and is should either be invoked only once, or the caller
- * should take the appropriate locks.
- *
- * @param cache
- * reference to the cache object for the distributed system
- */
- private static void init(Cache cache) throws NotAuthorizedException {
-
- LogWriter logger = cache.getLogger();
- String xmlDocumentUri = (String)cache.getDistributedSystem()
- .getSecurityProperties().get(DOC_URI_PROP_NAME);
- try {
- if (xmlDocumentUri == null) {
- throw new NotAuthorizedException("No ACL file defined using tag ["
- + DOC_URI_PROP_NAME + "] in system properties");
- }
- if (xmlDocumentUri.equals(XmlAuthorization.currentDocUri)) {
- if (XmlAuthorization.xmlLoadFailure != null) {
- throw XmlAuthorization.xmlLoadFailure;
- }
- return;
- }
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setIgnoringComments(true);
- factory.setIgnoringElementContentWhitespace(true);
- factory.setValidating(true);
- DocumentBuilder builder = factory.newDocumentBuilder();
- XmlErrorHandler errorHandler = new XmlErrorHandler(logger, xmlDocumentUri);
- builder.setErrorHandler(errorHandler);
- builder.setEntityResolver(new AuthzDtdResolver());
- Document xmlDocument = builder.parse(xmlDocumentUri);
-
- XmlAuthorization.userRoles = new HashMap<String, HashSet<String>>();
- XmlAuthorization.rolePermissions = new HashMap<String, Map<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>>();
- NodeList roleUserNodes = xmlDocument.getElementsByTagName(TAG_ROLE);
- for (int roleIndex = 0; roleIndex < roleUserNodes.getLength();
- roleIndex++) {
- Node roleUserNode = roleUserNodes.item(roleIndex);
- String roleName = getAttributeValue(roleUserNode, ATTR_ROLENAME);
- NodeList userNodes = roleUserNode.getChildNodes();
- for (int userIndex = 0; userIndex < userNodes.getLength();
- userIndex++) {
- Node userNode = userNodes.item(userIndex);
- if (userNode.getNodeName() == TAG_USER) {
- String userName = getNodeValue(userNode);
- HashSet<String> userRoleSet = XmlAuthorization.userRoles
- .get(userName);
- if (userRoleSet == null) {
- userRoleSet = new HashSet<String>();
- XmlAuthorization.userRoles.put(userName, userRoleSet);
- }
- userRoleSet.add(roleName);
- }
- else {
- throw new SAXParseException("Unknown tag ["
- + userNode.getNodeName() + "] as child of tag [" + TAG_ROLE
- + ']', null);
- }
- }
- }
- NodeList rolePermissionNodes = xmlDocument
- .getElementsByTagName(TAG_PERMS);
- for (int permIndex = 0; permIndex < rolePermissionNodes.getLength();
- permIndex++) {
- Node rolePermissionNode = rolePermissionNodes.item(permIndex);
- String roleName = getAttributeValue(rolePermissionNode, ATTR_ROLE);
- Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
- if (regionOperationMap == null) {
- regionOperationMap = new HashMap<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>();
- XmlAuthorization.rolePermissions.put(roleName, regionOperationMap);
- }
- NodeList operationNodes = rolePermissionNode.getChildNodes();
- HashMap<OperationCode, FunctionSecurityPrmsHolder> operationMap =
- new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
- for (int opIndex = 0; opIndex < operationNodes.getLength(); opIndex++) {
- Node operationNode = operationNodes.item(opIndex);
- if (operationNode.getNodeName() == TAG_OP) {
- String operationName = getNodeValue(operationNode);
- OperationCode code = OperationCode.parse(operationName);
- if (code == null) {
- throw new SAXParseException("Unknown operation [" + operationName
- + ']', null);
- }
- if (code != OperationCode.EXECUTE_FUNCTION) {
- operationMap.put(code, null);
- }
- else {
- String optimizeForWrite = getAttributeValue(operationNode,
- ATTR_FUNCTION_OPTIMIZE_FOR_WRITE);
- String functionAttr = getAttributeValue(operationNode,
- ATTR_FUNCTION_IDS);
- String keysAttr = getAttributeValue(operationNode,
- ATTR_FUNCTION_KEY_SET);
-
- Boolean isOptimizeForWrite;
- HashSet<String> functionIds;
- HashSet<String> keySet;
-
- if (optimizeForWrite == null || optimizeForWrite.length() == 0) {
- isOptimizeForWrite = null;
- }
- else {
- isOptimizeForWrite = Boolean.parseBoolean(optimizeForWrite);
- }
-
- if (functionAttr == null || functionAttr.length() == 0) {
- functionIds = null;
- }
- else {
- String[] functionArray = functionAttr.split(",");
- functionIds = new HashSet<String>();
- for (int strIndex = 0; strIndex < functionArray.length;
- ++strIndex) {
- functionIds.add((functionArray[strIndex]));
- }
- }
-
- if (keysAttr == null || keysAttr.length() == 0) {
- keySet = null;
- }
- else {
- String[] keySetArray = keysAttr.split(",");
- keySet = new HashSet<String>();
- for (int strIndex = 0; strIndex < keySetArray.length;
- ++strIndex) {
- keySet.add((keySetArray[strIndex]));
- }
- }
- FunctionSecurityPrmsHolder functionContext =
- new FunctionSecurityPrmsHolder(isOptimizeForWrite,
- functionIds, keySet);
- operationMap.put(code, functionContext);
- }
- }
- else {
- throw new SAXParseException("Unknown tag ["
- + operationNode.getNodeName() + "] as child of tag ["
- + TAG_PERMS + ']', null);
- }
- }
- String regionNames = getAttributeValue(rolePermissionNode, ATTR_REGIONS);
- if (regionNames == null || regionNames.length() == 0) {
- regionOperationMap.put(EMPTY_VALUE, operationMap);
- }
- else {
- String[] regionNamesSplit = regionNames.split(",");
- for (int strIndex = 0; strIndex < regionNamesSplit.length;
- ++strIndex) {
- regionOperationMap.put(
- normalizeRegionName(regionNamesSplit[strIndex]), operationMap);
- }
- }
- }
- XmlAuthorization.currentDocUri = xmlDocumentUri;
- }
- catch (Exception ex) {
- String exStr;
- if (ex instanceof NotAuthorizedException) {
- exStr = ex.getMessage();
- }
- else {
- exStr = ex.getClass().getName() + ": " + ex.getMessage();
- }
- logger.warning("XmlAuthorization.init: " + exStr);
- XmlAuthorization.xmlLoadFailure = new NotAuthorizedException(exStr, ex);
- throw XmlAuthorization.xmlLoadFailure;
- }
- }
-
- /**
- * Initialize the <code>XmlAuthorization</code> callback for a client having
- * the given principal.
- *
- * This method caches the full XML authorization file the first time it is
- * invoked and caches all the permissions for the provided
- * <code>principal</code> to speed up lookup the
- * <code>authorizeOperation</code> calls. The permissions for the principal
- * are maintained as a {@link Map} of region name to the {@link HashSet} of
- * operations allowed for that region. A global entry with region name as
- * empty string is also made for permissions provided for all the regions.
- *
- * @param principal
- * the principal associated with the authenticated client
- * @param cache
- * reference to the cache object
- * @param remoteMember
- * the {@link DistributedMember} object for the remote
- * authenticated client
- *
- * @throws NotAuthorizedException
- * if some exception condition happens during the
- * initialization while reading the XML; in such a case all
- * subsequent client operations will throw
- * <code>NotAuthorizedException</code>
- */
- public void init(Principal principal, DistributedMember remoteMember,
- Cache cache) throws NotAuthorizedException {
-
- synchronized (sync) {
- XmlAuthorization.init(cache);
- }
- this.logger = cache.getLogger();
- this.securityLogger = cache.getSecurityLogger();
-
- String name;
- if (principal != null) {
- name = principal.getName();
- }
- else {
- name = EMPTY_VALUE;
- }
- HashSet<String> roles = XmlAuthorization.userRoles.get(name);
- if (roles != null) {
- for (String roleName : roles) {
- Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
- if (regionOperationMap != null) {
- for (Map.Entry<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionEntry : regionOperationMap.entrySet()) {
- String regionName = regionEntry.getKey();
- Map<OperationCode, FunctionSecurityPrmsHolder> regionOperations =
- this.allowedOps.get(regionName);
- if (regionOperations == null) {
- regionOperations =
- new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
- this.allowedOps.put(regionName, regionOperations);
- }
- regionOperations.putAll(regionEntry.getValue());
- }
- }
- }
- }
- }
-
- /**
- * Return true if the given operation is allowed for the cache/region.
- *
- * This looks up the cached permissions of the principal in the map for the
- * provided region name. If none are found then the global permissions with
- * empty region name are looked up. The operation is allowed if it is found
- * this permission list.
- *
- * @param regionName
- * When null then it indicates a cache-level operation, else
- * the name of the region for the operation.
- * @param context
- * the data required by the operation
- *
- * @return true if the operation is authorized and false otherwise
- *
- */
- public boolean authorizeOperation(String regionName,
- final OperationContext context) {
-
- Map<OperationCode, FunctionSecurityPrmsHolder> operationMap;
- // Check GET permissions for updates from server to client
- if (context.isClientUpdate()) {
- operationMap = this.allowedOps.get(regionName);
- if (operationMap == null && regionName.length() > 0) {
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- }
- if (operationMap != null) {
- return operationMap.containsKey(OperationCode.GET);
- }
- return false;
- }
-
- OperationCode opCode = context.getOperationCode();
- if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ()
- || opCode.isStopCQ()) {
- // First check if cache-level permission has been provided
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- boolean globalPermission = (operationMap != null && operationMap
- .containsKey(opCode));
- Set<String> regionNames = ((QueryOperationContext)context)
- .getRegionNames();
- if (regionNames == null || regionNames.size() == 0) {
- return globalPermission;
- }
- for (String r : regionNames) {
- regionName = normalizeRegionName(r);
- operationMap = this.allowedOps.get(regionName);
- if (operationMap == null) {
- if (!globalPermission) {
- return false;
- }
- }
- else if (!operationMap.containsKey(opCode)) {
- return false;
- }
- }
- return true;
- }
-
- final String normalizedRegionName = normalizeRegionName(regionName);
- operationMap = this.allowedOps.get(normalizedRegionName);
- if (operationMap == null && normalizedRegionName.length() > 0) {
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- }
- if (operationMap != null) {
- if (context.getOperationCode() != OperationCode.EXECUTE_FUNCTION) {
- return operationMap.containsKey(context.getOperationCode());
- }else {
- if (!operationMap.containsKey(context.getOperationCode())) {
- return false;
- }
- else {
- if (!context.isPostOperation()) {
- FunctionSecurityPrmsHolder functionParameter =
- operationMap.get(
- context.getOperationCode());
- ExecuteFunctionOperationContext functionContext =
- (ExecuteFunctionOperationContext)context;
- // OnRegion execution
- if (functionContext.getRegionName() != null) {
- if (functionParameter.isOptimizeForWrite() != null
- && functionParameter.isOptimizeForWrite().booleanValue()
- != functionContext.isOptimizeForWrite()) {
- return false;
- }
- if (functionParameter.getFunctionIds() != null
- && !functionParameter.getFunctionIds().contains(
- functionContext.getFunctionId())) {
- return false;
- }
- if (functionParameter.getKeySet() != null
- && functionContext.getKeySet() != null) {
- if (functionContext.getKeySet().containsAll(
- functionParameter.getKeySet())) {
- return false;
- }
- }
- return true;
- }
- else {// On Server execution
- if (functionParameter.getFunctionIds() != null
- && !functionParameter.getFunctionIds().contains(
- functionContext.getFunctionId())) {
- return false;
- }
- return true;
- }
- }
- else {
- ExecuteFunctionOperationContext functionContext =
- (ExecuteFunctionOperationContext)context;
- FunctionSecurityPrmsHolder functionParameter = operationMap.get(
- context.getOperationCode());
- if (functionContext.getRegionName() != null) {
- if (functionContext.getResult() instanceof ArrayList
- && functionParameter.getKeySet() != null) {
- ArrayList<String> resultList = (ArrayList)functionContext
- .getResult();
- HashSet<String> nonAllowedKeys = functionParameter.getKeySet();
- if (resultList.containsAll(nonAllowedKeys)) {
- return false;
- }
- }
- return true;
- }
- else {
- ArrayList<String> resultList = (ArrayList)functionContext
- .getResult();
- final String inSecureItem = "Insecure item";
- if (resultList.contains(inSecureItem)) {
- return false;
- }
- return true;
- }
- }
- }
- }
- }
- return false;
- }
-
- /**
- * Clears the cached information for this principal.
- */
- public void close() {
-
- this.allowedOps.clear();
- }
-
- /**
- * Clear all the statically cached information.
- */
- public static void clear() {
-
- XmlAuthorization.currentDocUri = null;
- if (XmlAuthorization.userRoles != null) {
- XmlAuthorization.userRoles.clear();
- XmlAuthorization.userRoles = null;
- }
- if (XmlAuthorization.rolePermissions != null) {
- XmlAuthorization.rolePermissions.clear();
- XmlAuthorization.rolePermissions = null;
- }
- XmlAuthorization.xmlLoadFailure = null;
- }
-
- private static class AuthzDtdResolver implements EntityResolver {
- Pattern authzPattern = Pattern.compile("authz.*\\.dtd");
-
- @Override
- public InputSource resolveEntity(String publicId, String systemId)
- throws SAXException, IOException {
- try {
- Matcher matcher = authzPattern.matcher(systemId);
- if(matcher.find()) {
- String dtdName = matcher.group(0);
- InputStream stream = XmlAuthorization.class.getResourceAsStream(dtdName);
- return new InputSource(stream);
- }
- } catch(Exception e) {
- //do nothing, use the default resolver
- }
-
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/XmlErrorHandler.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/XmlErrorHandler.java b/gemfire-core/src/test/java/templates/security/XmlErrorHandler.java
deleted file mode 100644
index 5da8e09..0000000
--- a/gemfire-core/src/test/java/templates/security/XmlErrorHandler.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import org.xml.sax.ErrorHandler;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-
-import com.gemstone.gemfire.LogWriter;
-
-/**
- * Implementation of {@link ErrorHandler} interface to handle validation errors
- * while XML parsing.
- *
- * This throws back exceptions raised for <code>error</code> and
- * <code>fatalError</code> cases while a {@link LogWriter#warning(String)} level
- * logging is done for the <code>warning</code> case.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class XmlErrorHandler implements ErrorHandler {
-
- private LogWriter logger;
-
- private String xmlFileName;
-
- public XmlErrorHandler(LogWriter logger, String xmlFileName) {
-
- this.logger = logger;
- this.xmlFileName = xmlFileName;
- }
-
- /**
- * Throws back the exception with the name of the XML file and the position
- * where the exception occurred.
- */
- public void error(SAXParseException exception) throws SAXException {
-
- throw new SAXParseException("Error while parsing XML at line "
- + exception.getLineNumber() + " column " + exception.getColumnNumber()
- + ": " + exception.getMessage(), null);
- }
-
- /**
- * Throws back the exception with the name of the XML file and the position
- * where the exception occurred.
- */
- public void fatalError(SAXParseException exception) throws SAXException {
-
- throw new SAXParseException("Fatal error while parsing XML at line "
- + exception.getLineNumber() + " column " + exception.getColumnNumber()
- + ": " + exception.getMessage(), null);
- }
-
- /**
- * Log the exception at {@link LogWriter#warning(String)} level with XML
- * filename and the position of exception in the file.
- */
- public void warning(SAXParseException exception) throws SAXException {
-
- this.logger.warning("Warning while parsing XML [" + this.xmlFileName
- + "] at line " + exception.getLineNumber() + " column "
- + exception.getColumnNumber() + ": " + exception.getMessage());
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientAuthzObjectModDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientAuthzObjectModDUnitTest.java b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientAuthzObjectModDUnitTest.java
index e26db30..e0bb4e4 100644
--- a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientAuthzObjectModDUnitTest.java
+++ b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientAuthzObjectModDUnitTest.java
@@ -21,10 +21,10 @@ import java.util.List;
import java.util.Properties;
import java.util.Random;
-import security.CredentialGenerator;
-import security.DummyAuthzCredentialGenerator;
-import security.DummyCredentialGenerator;
-import templates.security.UserPasswordAuthInit;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyAuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
import com.gemstone.gemfire.DataSerializable;
import com.gemstone.gemfire.Instantiator;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientCQPostAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientCQPostAuthorizationDUnitTest.java b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientCQPostAuthorizationDUnitTest.java
index e17acc0..93ed0f8 100644
--- a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientCQPostAuthorizationDUnitTest.java
+++ b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientCQPostAuthorizationDUnitTest.java
@@ -22,8 +22,8 @@ import java.util.Map;
import java.util.Properties;
import java.util.Random;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientPostAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientPostAuthorizationDUnitTest.java b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientPostAuthorizationDUnitTest.java
index 78a45b1..e7e414f 100644
--- a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientPostAuthorizationDUnitTest.java
+++ b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/ClientPostAuthorizationDUnitTest.java
@@ -22,8 +22,8 @@ import java.util.List;
import java.util.Properties;
import java.util.Random;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
import com.gemstone.gemfire.internal.AvailablePort;
import com.gemstone.gemfire.test.dunit.Host;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserAPIDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserAPIDUnitTest.java b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserAPIDUnitTest.java
index e3931b0..cb6f0d4 100644
--- a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserAPIDUnitTest.java
+++ b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserAPIDUnitTest.java
@@ -24,7 +24,7 @@ import java.util.Properties;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
-import security.CredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.client.Pool;
@@ -41,7 +41,7 @@ import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.LogWriterUtils;
import com.gemstone.gemfire.test.dunit.VM;
-import security.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
public class MultiuserAPIDUnitTest extends ClientAuthorizationTestBase {
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserDurableCQAuthzDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserDurableCQAuthzDUnitTest.java b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserDurableCQAuthzDUnitTest.java
index 23f496d..f1776fc 100644
--- a/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserDurableCQAuthzDUnitTest.java
+++ b/gemfire-cq/src/test/java/com/gemstone/gemfire/security/MultiuserDurableCQAuthzDUnitTest.java
@@ -21,8 +21,8 @@ import java.util.Map;
import java.util.Properties;
import java.util.Random;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
[4/4] incubator-geode git commit: Repackage security test classes in
Apache Geode
Posted by kl...@apache.org.
Repackage security test classes in Apache Geode
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/4383a711
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/4383a711
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/4383a711
Branch: refs/heads/feature/GEODE-949
Commit: 4383a7117867765a5ebfaa6cc7bb87f8146294b6
Parents: 820cfd6
Author: Kirk Lund <kl...@pivotal.io>
Authored: Tue Feb 9 17:01:15 2016 -0800
Committer: Kirk Lund <kl...@pivotal.io>
Committed: Tue Feb 9 17:01:15 2016 -0800
----------------------------------------------------------------------
.../security/ClientAuthenticationDUnitTest.java | 8 +-
.../security/ClientAuthorizationDUnitTest.java | 12 +-
.../security/ClientAuthorizationTestBase.java | 12 +-
.../security/ClientMultiUserAuthzDUnitTest.java | 5 +-
.../DeltaClientAuthorizationDUnitTest.java | 5 +-
.../DeltaClientPostAuthorizationDUnitTest.java | 5 +-
.../security/P2PAuthenticationDUnitTest.java | 7 +-
.../security/templates/DummyAuthenticator.java | 81 +++
.../security/templates/DummyAuthorization.java | 129 ++++
.../templates/FunctionSecurityPrmsHolder.java | 53 ++
.../templates/LdapUserAuthenticator.java | 107 +++
.../security/templates/PKCSAuthInit.java | 126 ++++
.../security/templates/PKCSAuthenticator.java | 160 +++++
.../security/templates/PKCSPrincipal.java | 42 ++
.../templates/UserPasswordAuthInit.java | 82 +++
.../security/templates/UsernamePrincipal.java | 46 ++
.../security/templates/XmlAuthorization.java | 622 +++++++++++++++++
.../security/templates/XmlErrorHandler.java | 78 +++
.../security/util/AuthzCredentialGenerator.java | 450 +++++++++++++
.../security/util/CredentialGenerator.java | 339 ++++++++++
.../util/DummyAuthzCredentialGenerator.java | 145 ++++
.../security/util/DummyCredentialGenerator.java | 101 +++
.../util/LdapUserCredentialGenerator.java | 154 +++++
.../security/util/PKCSCredentialGenerator.java | 121 ++++
.../security/util/SSLCredentialGenerator.java | 119 ++++
.../UserPasswordWithExtraPropsAuthInit.java | 72 ++
.../util/XmlAuthzCredentialGenerator.java | 275 ++++++++
.../java/security/AuthzCredentialGenerator.java | 462 -------------
.../test/java/security/CredentialGenerator.java | 343 ----------
.../security/DummyAuthzCredentialGenerator.java | 145 ----
.../java/security/DummyCredentialGenerator.java | 94 ---
.../security/LdapUserCredentialGenerator.java | 160 -----
.../java/security/PKCSCredentialGenerator.java | 112 ---
.../java/security/SSLCredentialGenerator.java | 117 ----
.../UserPasswordWithExtraPropsAuthInit.java | 77 ---
.../security/XmlAuthzCredentialGenerator.java | 264 --------
.../templates/security/DummyAuthenticator.java | 87 ---
.../templates/security/DummyAuthorization.java | 118 ----
.../security/FunctionSecurityPrmsHolder.java | 55 --
.../security/LdapUserAuthenticator.java | 117 ----
.../java/templates/security/PKCSAuthInit.java | 133 ----
.../templates/security/PKCSAuthenticator.java | 167 -----
.../java/templates/security/PKCSPrincipal.java | 42 --
.../security/UserPasswordAuthInit.java | 84 ---
.../templates/security/UsernamePrincipal.java | 46 --
.../templates/security/XmlAuthorization.java | 675 -------------------
.../templates/security/XmlErrorHandler.java | 82 ---
.../security/ClientAuthzObjectModDUnitTest.java | 8 +-
.../ClientCQPostAuthorizationDUnitTest.java | 4 +-
.../ClientPostAuthorizationDUnitTest.java | 4 +-
.../gemfire/security/MultiuserAPIDUnitTest.java | 4 +-
.../MultiuserDurableCQAuthzDUnitTest.java | 4 +-
52 files changed, 3336 insertions(+), 3424 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
index 911454a..590f0a1 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
@@ -24,12 +24,12 @@ import java.util.Properties;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
-import security.CredentialGenerator;
-import security.CredentialGenerator.ClassCode;
-
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.distributed.internal.DistributionConfig;
import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator.ClassCode;
import com.gemstone.gemfire.test.dunit.DistributedTestCase;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.IgnoredException;
@@ -37,8 +37,6 @@ import com.gemstone.gemfire.test.dunit.LogWriterUtils;
import com.gemstone.gemfire.test.dunit.VM;
import com.gemstone.gemfire.test.dunit.Wait;
-import security.DummyCredentialGenerator;
-
/**
* Test for authentication from client to server. This tests for both valid and
* invalid credentials/modules. It also checks for authentication
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
index 2774e35..945fb26 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
@@ -26,20 +26,18 @@ import java.util.Iterator;
import java.util.List;
import java.util.Properties;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
-import security.DummyCredentialGenerator;
-import security.XmlAuthzCredentialGenerator;
-
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.util.XmlAuthzCredentialGenerator;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.IgnoredException;
import com.gemstone.gemfire.test.dunit.LogWriterUtils;
import com.gemstone.gemfire.test.dunit.VM;
-import templates.security.UserPasswordAuthInit;
-
/**
* Tests for authorization from client to server. This tests for authorization
* of all operations with both valid and invalid credentials/modules with
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
index 665867f..481b198 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
@@ -31,10 +31,6 @@ import java.util.Properties;
import java.util.Random;
import java.util.Set;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
-import security.AuthzCredentialGenerator.ClassCode;
-
import com.gemstone.gemfire.cache.DynamicRegionFactory;
import com.gemstone.gemfire.cache.InterestResultPolicy;
import com.gemstone.gemfire.cache.Operation;
@@ -59,6 +55,11 @@ import com.gemstone.gemfire.internal.AvailablePort.Keeper;
import com.gemstone.gemfire.internal.cache.AbstractRegionEntry;
import com.gemstone.gemfire.internal.cache.LocalRegion;
import com.gemstone.gemfire.internal.util.Callable;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.util.XmlAuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator.ClassCode;
import com.gemstone.gemfire.test.dunit.Assert;
import com.gemstone.gemfire.test.dunit.DistributedTestCase;
import com.gemstone.gemfire.test.dunit.LogWriterUtils;
@@ -66,9 +67,6 @@ import com.gemstone.gemfire.test.dunit.VM;
import com.gemstone.gemfire.test.dunit.Wait;
import com.gemstone.gemfire.test.dunit.WaitCriterion;
-import security.DummyCredentialGenerator;
-import security.XmlAuthzCredentialGenerator;
-
/**
* Base class for tests for authorization from client to server. It contains
* utility functions for the authorization tests from client to server.
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
index f175d98..29c4ba7 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
@@ -24,9 +24,6 @@ package com.gemstone.gemfire.security;
import java.util.Iterator;
import java.util.Properties;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
-
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.execute.Function;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
@@ -34,6 +31,8 @@ import com.gemstone.gemfire.internal.AvailablePort;
import com.gemstone.gemfire.internal.cache.GemFireCacheImpl;
import com.gemstone.gemfire.internal.cache.execute.PRClientServerTestBase;
import com.gemstone.gemfire.internal.cache.functions.TestFunction;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.LogWriterUtils;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
index 2b44631..41a722c 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
@@ -23,15 +23,14 @@ package com.gemstone.gemfire.security;
import java.util.Properties;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
-
import com.gemstone.gemfire.DeltaTestImpl;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.client.NoAvailableServersException;
import com.gemstone.gemfire.cache.client.ServerConnectivityException;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
import com.gemstone.gemfire.internal.cache.PartitionedRegionLocalMaxMemoryDUnitTest.TestObject1;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.test.dunit.Assert;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.LogWriterUtils;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
index fe3cec6..f701481 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
@@ -28,9 +28,6 @@ import java.util.Map;
import java.util.Properties;
import java.util.Random;
-import security.AuthzCredentialGenerator;
-import security.CredentialGenerator;
-
import com.gemstone.gemfire.DeltaTestImpl;
import com.gemstone.gemfire.cache.InterestResultPolicy;
import com.gemstone.gemfire.cache.Region;
@@ -40,6 +37,8 @@ import com.gemstone.gemfire.cache.query.CqException;
import com.gemstone.gemfire.cache.query.QueryInvocationTargetException;
import com.gemstone.gemfire.internal.AvailablePort;
import com.gemstone.gemfire.internal.util.Callable;
+import com.gemstone.gemfire.security.util.AuthzCredentialGenerator;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
import com.gemstone.gemfire.test.dunit.Assert;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.IgnoredException;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
index 07bd7c7..050d5da 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
@@ -26,10 +26,6 @@ import java.util.Properties;
import javax.net.ssl.SSLHandshakeException;
-import security.CredentialGenerator;
-import security.DummyCredentialGenerator;
-import security.LdapUserCredentialGenerator;
-
import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedSystem;
import com.gemstone.gemfire.distributed.Locator;
@@ -38,6 +34,9 @@ import com.gemstone.gemfire.distributed.internal.InternalDistributedSystem;
import com.gemstone.gemfire.distributed.internal.membership.MembershipManager;
import com.gemstone.gemfire.distributed.internal.membership.gms.MembershipManagerHelper;
import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+import com.gemstone.gemfire.security.util.DummyCredentialGenerator;
+import com.gemstone.gemfire.security.util.LdapUserCredentialGenerator;
import com.gemstone.gemfire.test.dunit.DistributedTestCase;
import com.gemstone.gemfire.test.dunit.Host;
import com.gemstone.gemfire.test.dunit.IgnoredException;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthenticator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthenticator.java
new file mode 100644
index 0000000..506d0cc
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthenticator.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.security.templates.UsernamePrincipal;
+
+/**
+ * A dummy implementation of the {@link Authenticator} interface that expects a
+ * user name and password allowing authentication depending on the format of the
+ * user name.
+ *
+ * @author Sumedh Wale
+ * @since 5.5
+ */
+public class DummyAuthenticator implements Authenticator {
+
+ public static Authenticator create() {
+ return new DummyAuthenticator();
+ }
+
+ public DummyAuthenticator() {
+ }
+
+ @Override
+ public void init(Properties systemProps, LogWriter systemLogger, LogWriter securityLogger) throws AuthenticationFailedException {
+ }
+
+ public static boolean testValidName(String userName) {
+
+ return (userName.startsWith("user") || userName.startsWith("reader")
+ || userName.startsWith("writer") || userName.equals("admin")
+ || userName.equals("root") || userName.equals("administrator"));
+ }
+
+ @Override
+ public Principal authenticate(Properties props, DistributedMember member) throws AuthenticationFailedException {
+
+ String userName = props.getProperty(UserPasswordAuthInit.USER_NAME);
+ if (userName == null) {
+ throw new AuthenticationFailedException("DummyAuthenticator: user name property [" + UserPasswordAuthInit.USER_NAME + "] not provided");
+ }
+ String password = props.getProperty(UserPasswordAuthInit.PASSWORD);
+ if (password == null) {
+ throw new AuthenticationFailedException("DummyAuthenticator: password property [" + UserPasswordAuthInit.PASSWORD + "] not provided");
+ }
+
+ if (userName.equals(password) && testValidName(userName)) {
+ return new UsernamePrincipal(userName);
+ }
+ else {
+ throw new AuthenticationFailedException("DummyAuthenticator: Invalid user name [" + userName + "], password supplied.");
+ }
+ }
+
+ @Override
+ public void close() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthorization.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthorization.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthorization.java
new file mode 100644
index 0000000..84966e6
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/DummyAuthorization.java
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+
+/**
+ * A dummy implementation of the <code>AccessControl</code> interface that
+ * allows authorization depending on the format of the <code>Principal</code>
+ * string.
+ *
+ * @author Sumedh Wale
+ * @since 5.5
+ */
+public class DummyAuthorization implements AccessControl {
+
+ private Set<OperationCode> allowedOps;
+
+ private DistributedMember remoteDistributedMember;
+
+ private LogWriter logger;
+
+ public static final OperationCode[] READER_OPS = {
+ OperationCode.GET,
+ OperationCode.QUERY,
+ OperationCode.EXECUTE_CQ,
+ OperationCode.CLOSE_CQ,
+ OperationCode.STOP_CQ,
+ OperationCode.REGISTER_INTEREST,
+ OperationCode.UNREGISTER_INTEREST,
+ OperationCode.KEY_SET,
+ OperationCode.CONTAINS_KEY,
+ OperationCode.EXECUTE_FUNCTION
+ };
+
+ public static final OperationCode[] WRITER_OPS = {
+ OperationCode.PUT,
+ OperationCode.PUTALL,
+ OperationCode.DESTROY,
+ OperationCode.INVALIDATE,
+ OperationCode.REGION_CLEAR
+ };
+
+ public DummyAuthorization() {
+ this.allowedOps = new HashSet<OperationCode>(20);
+ }
+
+ public static AccessControl create() {
+ return new DummyAuthorization();
+ }
+
+ private void addReaderOps() {
+
+ for (int index = 0; index < READER_OPS.length; index++) {
+ this.allowedOps.add(READER_OPS[index]);
+ }
+ }
+
+ private void addWriterOps() {
+
+ for (int index = 0; index < WRITER_OPS.length; index++) {
+ this.allowedOps.add(WRITER_OPS[index]);
+ }
+ }
+
+ @Override
+ public void init(Principal principal, DistributedMember remoteMember, Cache cache) throws NotAuthorizedException {
+
+ if (principal != null) {
+ String name = principal.getName().toLowerCase();
+ if (name != null) {
+ if (name.equals("root") || name.equals("admin")
+ || name.equals("administrator")) {
+ addReaderOps();
+ addWriterOps();
+ this.allowedOps.add(OperationCode.REGION_CREATE);
+ this.allowedOps.add(OperationCode.REGION_DESTROY);
+ }
+ else if (name.startsWith("writer")) {
+ addWriterOps();
+ }
+ else if (name.startsWith("reader")) {
+ addReaderOps();
+ }
+ }
+ }
+ this.remoteDistributedMember = remoteMember;
+ this.logger = cache.getSecurityLogger();
+ }
+
+ @Override
+ public boolean authorizeOperation(String regionName, OperationContext context) {
+
+ OperationCode opCode = context.getOperationCode();
+ this.logger.fine("Invoked authorize operation for [" + opCode + "] in region [" + regionName + "] for client: " + remoteDistributedMember);
+ return this.allowedOps.contains(opCode);
+ }
+
+ @Override
+ public void close() {
+
+ this.allowedOps.clear();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/FunctionSecurityPrmsHolder.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/FunctionSecurityPrmsHolder.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/FunctionSecurityPrmsHolder.java
new file mode 100755
index 0000000..d9b77a6
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/FunctionSecurityPrmsHolder.java
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.util.HashSet;
+
+/**
+ * This is a sample class for objects which hold information of the authorized
+ * function names and authorized value for the optimizeForWrite.
+ *
+ * @author Aneesh Karayil
+ * @since 6.0
+ */
+public class FunctionSecurityPrmsHolder {
+
+ private final Boolean isOptimizeForWrite;
+
+ private final HashSet<String> functionIds;
+
+ private final HashSet<String> keySet;
+
+ public FunctionSecurityPrmsHolder(Boolean isOptimizeForWrite, HashSet<String> functionIds, HashSet<String> keySet) {
+ this.isOptimizeForWrite = isOptimizeForWrite;
+ this.functionIds = functionIds;
+ this.keySet = keySet;
+ }
+
+ public Boolean isOptimizeForWrite() {
+ return isOptimizeForWrite;
+ }
+
+ public HashSet<String> getFunctionIds() {
+ return functionIds;
+ }
+
+ public HashSet<String> getKeySet() {
+ return keySet;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/LdapUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/LdapUserAuthenticator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/LdapUserAuthenticator.java
new file mode 100755
index 0000000..43f2595
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/LdapUserAuthenticator.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+
+import java.security.Principal;
+import java.util.Properties;
+import javax.naming.Context;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+/**
+ * @author Kumar Neeraj
+ * @since 5.5
+ */
+public class LdapUserAuthenticator implements Authenticator {
+
+ private String ldapServer = null;
+
+ private String basedn = null;
+
+ private String ldapUrlScheme = null;
+
+ public static final String LDAP_SERVER_NAME = "security-ldap-server";
+
+ public static final String LDAP_BASEDN_NAME = "security-ldap-basedn";
+
+ public static final String LDAP_SSL_NAME = "security-ldap-usessl";
+
+ public static Authenticator create() {
+ return new LdapUserAuthenticator();
+ }
+
+ public LdapUserAuthenticator() {
+ }
+
+ @Override
+ public void init(Properties securityProps, LogWriter systemLogger, LogWriter securityLogger) throws AuthenticationFailedException {
+ this.ldapServer = securityProps.getProperty(LDAP_SERVER_NAME);
+ if (this.ldapServer == null || this.ldapServer.length() == 0) {
+ throw new AuthenticationFailedException("LdapUserAuthenticator: LDAP server property [" + LDAP_SERVER_NAME + "] not specified");
+ }
+ this.basedn = securityProps.getProperty(LDAP_BASEDN_NAME);
+ if (this.basedn == null || this.basedn.length() == 0) {
+ throw new AuthenticationFailedException("LdapUserAuthenticator: LDAP base DN property [" + LDAP_BASEDN_NAME + "] not specified");
+ }
+ String sslStr = securityProps.getProperty(LDAP_SSL_NAME);
+ if (sslStr != null && sslStr.toLowerCase().equals("true")) {
+ this.ldapUrlScheme = "ldaps://";
+ }
+ else {
+ this.ldapUrlScheme = "ldap://";
+ }
+ }
+
+ @Override
+ public Principal authenticate(Properties props, DistributedMember member) {
+
+ String userName = props.getProperty(UserPasswordAuthInit.USER_NAME);
+ if (userName == null) {
+ throw new AuthenticationFailedException("LdapUserAuthenticator: user name property [" + UserPasswordAuthInit.USER_NAME + "] not provided");
+ }
+ String passwd = props.getProperty(UserPasswordAuthInit.PASSWORD);
+ if (passwd == null) {
+ passwd = "";
+ }
+
+ Properties env = new Properties();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, this.ldapUrlScheme + this.ldapServer + '/' + this.basedn);
+ String fullentry = "uid=" + userName + "," + this.basedn;
+ env.put(Context.SECURITY_PRINCIPAL, fullentry);
+ env.put(Context.SECURITY_CREDENTIALS, passwd);
+ try {
+ DirContext ctx = new InitialDirContext(env);
+ ctx.close();
+ }
+ catch (Exception e) {
+ //TODO:hitesh need to add getCause message
+ throw new AuthenticationFailedException("LdapUserAuthenticator: Failure with provided username, password combination for user name: " + userName);
+ }
+ return new UsernamePrincipal(userName);
+ }
+
+ @Override
+ public void close() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthInit.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthInit.java
new file mode 100755
index 0000000..8dfdbb6
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthInit.java
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.GemFireSecurityException;
+
+import java.io.FileInputStream;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.util.Properties;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the digital signature
+ * for use with PKCS scheme on server from the given set of properties.
+ *
+ * To use this class the <c>security-client-auth-init</c> property should be
+ * set to the fully qualified name the static <code>create</code> function
+ * viz. <code>templates.security.PKCSAuthInit.create</code>
+ *
+ * @author Kumar Neeraj
+ * @since 5.5
+ */
+public class PKCSAuthInit implements AuthInitialize {
+
+ public static final String KEYSTORE_FILE_PATH = "security-keystorepath";
+
+ public static final String KEYSTORE_ALIAS = "security-alias";
+
+ public static final String KEYSTORE_PASSWORD = "security-keystorepass";
+
+ public static final String SIGNATURE_DATA = "security-signature";
+
+ protected LogWriter securitylog;
+
+ protected LogWriter systemlog;
+
+ @Override
+ public void close() {
+ }
+
+ public static AuthInitialize create() {
+ return new PKCSAuthInit();
+ }
+
+ public PKCSAuthInit() {
+ }
+
+ @Override
+ public void init(LogWriter systemLogger, LogWriter securityLogger) throws AuthenticationFailedException {
+ this.systemlog = systemLogger;
+ this.securitylog = securityLogger;
+ }
+
+ @Override
+ public Properties getCredentials(Properties props, DistributedMember server, boolean isPeer) throws AuthenticationFailedException {
+ String keyStorePath = props.getProperty(KEYSTORE_FILE_PATH);
+ if (keyStorePath == null) {
+ throw new AuthenticationFailedException("PKCSAuthInit: key-store file path property [" + KEYSTORE_FILE_PATH + "] not set.");
+ }
+ String alias = props.getProperty(KEYSTORE_ALIAS);
+ if (alias == null) {
+ throw new AuthenticationFailedException("PKCSAuthInit: key alias name property [" + KEYSTORE_ALIAS + "] not set.");
+ }
+ String keyStorePass = props.getProperty(KEYSTORE_PASSWORD);
+
+ try {
+ KeyStore ks = KeyStore.getInstance("PKCS12");
+ char[] passPhrase = keyStorePass != null ? keyStorePass.toCharArray() : null;
+ FileInputStream certificatefile = new FileInputStream(keyStorePath);
+ try {
+ ks.load(certificatefile, passPhrase);
+ }
+ finally {
+ certificatefile.close();
+ }
+
+ Key key = ks.getKey(alias, passPhrase);
+
+ if (key instanceof PrivateKey) {
+
+ PrivateKey privKey = (PrivateKey)key;
+ X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
+ Signature sig = Signature.getInstance(cert.getSigAlgName());
+
+ sig.initSign(privKey);
+ sig.update(alias.getBytes("UTF-8"));
+ byte[] signatureBytes = sig.sign();
+
+ Properties newprops = new Properties();
+ newprops.put(KEYSTORE_ALIAS, alias);
+ newprops.put(SIGNATURE_DATA, signatureBytes);
+ return newprops;
+ }
+ else {
+ throw new AuthenticationFailedException("PKCSAuthInit: " + "Failed to load private key from the given file: " + keyStorePath);
+ }
+ }
+ catch (GemFireSecurityException ex) {
+ throw ex;
+ }
+ catch (Exception ex) {
+ throw new AuthenticationFailedException("PKCSAuthInit: Exception while getting credentials: " + ex, ex);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthenticator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthenticator.java
new file mode 100755
index 0000000..9254421
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSAuthenticator.java
@@ -0,0 +1,160 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.GemFireSecurityException;
+
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.Signature;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * @author kneeraj
+ *
+ */
+public class PKCSAuthenticator implements Authenticator {
+
+ public static final String PUBLIC_KEY_FILE = "security-publickey-filepath";
+
+ public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass";
+
+ private String pubKeyFilePath;
+
+ private String pubKeyPass;
+
+ private Map<Object, Certificate> aliasCertificateMap;
+
+ protected LogWriter systemlog;
+
+ protected LogWriter securitylog;
+
+ public static Authenticator create() {
+ return new PKCSAuthenticator();
+ }
+
+ public PKCSAuthenticator() {
+ }
+
+ private void populateMap() {
+ try {
+ KeyStore ks = KeyStore.getInstance("JKS");
+ char[] passPhrase = (pubKeyPass != null ? pubKeyPass.toCharArray() : null);
+ FileInputStream keystorefile = new FileInputStream(this.pubKeyFilePath);
+ try {
+ ks.load(keystorefile, passPhrase);
+ }
+ finally {
+ keystorefile.close();
+ }
+ for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
+ Object alias = e.nextElement();
+ Certificate cert = ks.getCertificate((String)alias);
+ if (cert instanceof X509Certificate) {
+ this.aliasCertificateMap.put(alias, cert);
+ }
+ }
+ }
+ catch (Exception e) {
+ throw new AuthenticationFailedException("Exception while getting public keys: " + e.getMessage());
+ }
+ }
+
+ @Override
+ public void init(Properties systemProps, LogWriter systemLogger, LogWriter securityLogger) throws AuthenticationFailedException {
+ this.systemlog = systemLogger;
+ this.securitylog = securityLogger;
+ this.pubKeyFilePath = systemProps.getProperty(PUBLIC_KEY_FILE);
+ if (this.pubKeyFilePath == null) {
+ throw new AuthenticationFailedException("PKCSAuthenticator: property " + PUBLIC_KEY_FILE + " not specified as the public key file.");
+ }
+ this.pubKeyPass = systemProps.getProperty(PUBLIC_KEYSTORE_PASSWORD);
+ this.aliasCertificateMap = new HashMap<Object, Certificate>();
+ populateMap();
+ }
+
+ private AuthenticationFailedException getException(String exStr, Exception cause) {
+
+ String exMsg = "PKCSAuthenticator: Authentication of client failed due to: " + exStr;
+ if (cause != null) {
+ return new AuthenticationFailedException(exMsg, cause);
+ }
+ else {
+ return new AuthenticationFailedException(exMsg);
+ }
+ }
+
+ private AuthenticationFailedException getException(String exStr) {
+ return getException(exStr, null);
+ }
+
+ private X509Certificate getCertificate(String alias) throws NoSuchAlgorithmException, InvalidKeySpecException {
+ if (this.aliasCertificateMap.containsKey(alias)) {
+ return (X509Certificate)this.aliasCertificateMap.get(alias);
+ }
+ return null;
+ }
+
+ @Override
+ public Principal authenticate(Properties props, DistributedMember member) throws AuthenticationFailedException {
+ String alias = (String)props.get(PKCSAuthInit.KEYSTORE_ALIAS);
+ if (alias == null || alias.length() <= 0) {
+ throw new AuthenticationFailedException("No alias received");
+ }
+ try {
+ X509Certificate cert = getCertificate(alias);
+ if (cert == null) {
+ throw getException("No certificate found for alias:" + alias);
+ }
+ byte[] signatureBytes = (byte[])props.get(PKCSAuthInit.SIGNATURE_DATA);
+ if (signatureBytes == null) {
+ throw getException("signature data property [" + PKCSAuthInit.SIGNATURE_DATA + "] not provided");
+ }
+ Signature sig = Signature.getInstance(cert.getSigAlgName());
+ sig.initVerify(cert);
+ sig.update(alias.getBytes("UTF-8"));
+
+ if (!sig.verify(signatureBytes)) {
+ throw getException("verification of client signature failed");
+ }
+ return new PKCSPrincipal(alias);
+ }
+ catch (GemFireSecurityException ex) {
+ throw ex;
+ }
+ catch (Exception ex) {
+ throw getException(ex.toString(), ex);
+ }
+ }
+
+ @Override
+ public void close() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSPrincipal.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSPrincipal.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSPrincipal.java
new file mode 100755
index 0000000..3e97aa0
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/PKCSPrincipal.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.security.Principal;
+
+/**
+ * @author kneeraj
+ *
+ */
+public class PKCSPrincipal implements Principal {
+
+ private String alias;
+
+ public PKCSPrincipal(String alias) {
+ this.alias = alias;
+ }
+
+ @Override
+ public String getName() {
+ return this.alias;
+ }
+
+ @Override
+ public String toString() {
+ return this.alias;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UserPasswordAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UserPasswordAuthInit.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UserPasswordAuthInit.java
new file mode 100644
index 0000000..2c7407a
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UserPasswordAuthInit.java
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.util.Properties;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the user name and
+ * password as the credentials from the given set of properties.
+ *
+ * To use this class the <c>security-client-auth-init</c> property should be
+ * set to the fully qualified name the static <code>create</code> function
+ * viz. <code>templates.security.UserPasswordAuthInit.create</code>
+ *
+ * @author Sumedh Wale
+ * @since 5.5
+ */
+public class UserPasswordAuthInit implements AuthInitialize {
+
+ public static final String USER_NAME = "security-username";
+
+ public static final String PASSWORD = "security-password";
+
+ protected LogWriter securitylog;
+
+ protected LogWriter systemlog;
+
+ public static AuthInitialize create() {
+ return new UserPasswordAuthInit();
+ }
+
+ @Override
+ public void init(LogWriter systemLogger, LogWriter securityLogger) throws AuthenticationFailedException {
+ this.systemlog = systemLogger;
+ this.securitylog = securityLogger;
+ }
+
+ public UserPasswordAuthInit() {
+ }
+
+ @Override
+ public Properties getCredentials(Properties props, DistributedMember server, boolean isPeer) throws AuthenticationFailedException {
+
+ Properties newProps = new Properties();
+ String userName = props.getProperty(USER_NAME);
+ if (userName == null) {
+ throw new AuthenticationFailedException("UserPasswordAuthInit: user name property [" + USER_NAME + "] not set.");
+ }
+ newProps.setProperty(USER_NAME, userName);
+ String passwd = props.getProperty(PASSWORD);
+ // If password is not provided then use empty string as the password.
+ if (passwd == null) {
+ passwd = "";
+ }
+ newProps.setProperty(PASSWORD, passwd);
+ return newProps;
+ }
+
+ @Override
+ public void close() {
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UsernamePrincipal.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UsernamePrincipal.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UsernamePrincipal.java
new file mode 100644
index 0000000..02bed53
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/UsernamePrincipal.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+/**
+ * An implementation of {@link Principal} class for a simple user name.
+ *
+ * @author Kumar Neeraj
+ * @since 5.5
+ */
+public class UsernamePrincipal implements Principal, Serializable {
+
+ private final String userName;
+
+ public UsernamePrincipal(String userName) {
+ this.userName = userName;
+ }
+
+ @Override
+ public String getName() {
+ return this.userName;
+ }
+
+ @Override
+ public String toString() {
+ return this.userName;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlAuthorization.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlAuthorization.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlAuthorization.java
new file mode 100644
index 0000000..17583fa
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlAuthorization.java
@@ -0,0 +1,622 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Attr;
+import org.w3c.dom.Document;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+import com.gemstone.gemfire.LogWriter;
+import com.gemstone.gemfire.cache.Cache;
+import com.gemstone.gemfire.cache.operations.ExecuteFunctionOperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext;
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.cache.operations.QueryOperationContext;
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.NotAuthorizedException;
+
+/**
+ * An implementation of the <code>{@link AccessControl}</code> interface that
+ * allows authorization using the permissions as specified in the given XML
+ * file.
+ *
+ * The format of the XML file is specified in <a href="authz5_5.dtd"/>. It
+ * implements a role-based authorization at the operation level for each region.
+ * Each principal name may be associated with a set of roles. The name of the
+ * principal is obtained using the {@link Principal#getName} method and no other
+ * information of the principal is utilized. Each role can be provided
+ * permissions to execute operations for each region.
+ *
+ * The top-level element in the XML is "acl" tag that contains the "role" and
+ * "permission" tags. The "role" tag contains the list of users that have been
+ * given that role. The name of the role is specified in the "role" attribute
+ * and the users are contained in the "user" tags insided the "role" tag.
+ *
+ * The "permissions" tag contains the list of operations allowed for a
+ * particular region. The role name is specified as the "role" attribute, the
+ * list of comma separated region names as the optional "regions" attribute and
+ * the operation names are contained in the "operation" tags inside the
+ * "permissions" tag. The allowed operation names are: GET, PUT, PUTALL,
+ * DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, CONTAINS_KEY, KEY_SET,
+ * QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, REGION_CREATE,
+ * REGION_DESTROY. These correspond to the operations in the
+ * {@link OperationCode} enumeration with the same name.
+ *
+ * When no region name is specified then the operation is allowed for all
+ * regions in the cache. Any permissions specified for regions using the
+ * "regions" attribute override these permissions. This allows users to provide
+ * generic permissions without any region name, and override for specific
+ * regions specified using the "regions" attribute. A cache-level operation
+ * (e.g. {@link OperationCode#REGION_DESTROY}) specified for a particular region
+ * is ignored i.e. the cache-level operations are only applicable when no region
+ * name is specified. A {@link OperationCode#QUERY} operation is permitted when
+ * either the <code>QUERY</code> permission is provided at the cache-level for
+ * the user or when <code>QUERY</code> permission is provided for all the
+ * regions that are part of the query string.
+ *
+ * Any roles specified in the "user" tag that do not have a specified permission
+ * set using the "permission" tags are ignored. When no {@link Principal} is
+ * associated with the current connection, then empty user name is used to
+ * search for the roles so an empty user name can be used to specify roles of
+ * unauthenticated clients (i.e. <code>Everyone</code>).
+ *
+ * This sample implementation is useful only for pre-operation checks and should
+ * not be used for post-operation authorization since it does nothing useful for
+ * post-operation case.
+ *
+ * @author Sumedh Wale
+ * @since 5.5
+ */
+public class XmlAuthorization implements AccessControl {
+
+ public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri";
+
+ private static final String TAG_ROLE = "role";
+
+ private static final String TAG_USER = "user";
+
+ private static final String TAG_PERMS = "permission";
+
+ private static final String TAG_OP = "operation";
+
+ private static final String ATTR_ROLENAME = "name";
+
+ private static final String ATTR_ROLE = "role";
+
+ private static final String ATTR_REGIONS = "regions";
+
+ private static final String ATTR_FUNCTION_IDS = "functionIds";
+
+ private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE = "optimizeForWrite";
+
+ private static final String ATTR_FUNCTION_KEY_SET = "keySet";
+
+ private static String currentDocUri = null;
+
+ private static Map<String, HashSet<String>> userRoles = null;
+
+ private static Map<String, Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null;
+
+ private static NotAuthorizedException xmlLoadFailure = null;
+
+ private static final Object sync = new Object();
+
+ private static final String EMPTY_VALUE = "";
+
+ private final Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> allowedOps;
+
+ protected LogWriter logger;
+
+ protected LogWriter securityLogger;
+
+ private XmlAuthorization() {
+
+ this.allowedOps = new HashMap<String, Map<OperationCode, FunctionSecurityPrmsHolder>>();
+ this.logger = null;
+ this.securityLogger = null;
+ }
+
+ /**
+ * Change the region name to a standard format having single '/' as separator
+ * and starting with a '/' as in standard POSIX paths
+ */
+ public static String normalizeRegionName(String regionName) {
+
+ if (regionName == null || regionName.length() == 0) {
+ return EMPTY_VALUE;
+ }
+ char[] resultName = new char[regionName.length() + 1];
+ boolean changed = false;
+ boolean isPrevCharSlash = false;
+ int startIndex;
+ if (regionName.charAt(0) != '/') {
+ changed = true;
+ startIndex = 0;
+ }
+ else {
+ isPrevCharSlash = true;
+ startIndex = 1;
+ }
+ resultName[0] = '/';
+ int resultLength = 1;
+ // Replace all more than one '/'s with a single '/'
+ for (int index = startIndex; index < regionName.length(); ++index) {
+ char currChar = regionName.charAt(index);
+ if (currChar == '/') {
+ if (isPrevCharSlash) {
+ changed = true;
+ continue;
+ }
+ isPrevCharSlash = true;
+ }
+ else {
+ isPrevCharSlash = false;
+ }
+ resultName[resultLength++] = currChar;
+ }
+ // Remove any trailing slash
+ if (resultName[resultLength - 1] == '/') {
+ --resultLength;
+ changed = true;
+ }
+ if (changed) {
+ return new String(resultName, 0, resultLength);
+ }
+ else {
+ return regionName;
+ }
+ }
+
+ /** Get the attribute value for a given attribute name of a node. */
+ private static String getAttributeValue(Node node, String attrName) {
+
+ NamedNodeMap attrMap = node.getAttributes();
+ Node attrNode;
+ if (attrMap != null && (attrNode = attrMap.getNamedItem(attrName)) != null) {
+ return ((Attr)attrNode).getValue();
+ }
+ return EMPTY_VALUE;
+ }
+
+ /** Get the string contained in the first text child of the node. */
+ private static String getNodeValue(Node node) {
+
+ NodeList childNodes = node.getChildNodes();
+ for (int index = 0; index < childNodes.getLength(); index++) {
+ Node childNode = childNodes.item(index);
+ if (childNode.getNodeType() == Node.TEXT_NODE) {
+ return childNode.getNodeValue();
+ }
+ }
+ return EMPTY_VALUE;
+ }
+
+ /**
+ * Public static factory method to create an instance of
+ * <code>XmlAuthorization</code>. The fully qualified name of the class
+ * (<code>templates.security.XmlAuthorization.create</code>)
+ * should be mentioned as the <code>security-client-accessor</code> system
+ * property to enable pre-operation authorization checks as implemented in
+ * this class.
+ *
+ * @return an object of <code>XmlAuthorization</code> class
+ */
+ public static AccessControl create() {
+
+ return new XmlAuthorization();
+ }
+
+ /**
+ * Cache authorization information for all users statically. This method is
+ * not thread-safe and is should either be invoked only once, or the caller
+ * should take the appropriate locks.
+ *
+ * @param cache
+ * reference to the cache object for the distributed system
+ */
+ private static void init(Cache cache) throws NotAuthorizedException {
+
+ LogWriter logger = cache.getLogger();
+ String xmlDocumentUri = (String)cache.getDistributedSystem().getSecurityProperties().get(DOC_URI_PROP_NAME);
+ try {
+ if (xmlDocumentUri == null) {
+ throw new NotAuthorizedException("No ACL file defined using tag [" + DOC_URI_PROP_NAME + "] in system properties");
+ }
+ if (xmlDocumentUri.equals(XmlAuthorization.currentDocUri)) {
+ if (XmlAuthorization.xmlLoadFailure != null) {
+ throw XmlAuthorization.xmlLoadFailure;
+ }
+ return;
+ }
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setIgnoringComments(true);
+ factory.setIgnoringElementContentWhitespace(true);
+ factory.setValidating(true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ XmlErrorHandler errorHandler = new XmlErrorHandler(logger, xmlDocumentUri);
+ builder.setErrorHandler(errorHandler);
+ builder.setEntityResolver(new AuthzDtdResolver());
+ Document xmlDocument = builder.parse(xmlDocumentUri);
+
+ XmlAuthorization.userRoles = new HashMap<String, HashSet<String>>();
+ XmlAuthorization.rolePermissions = new HashMap<String, Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>>();
+ NodeList roleUserNodes = xmlDocument.getElementsByTagName(TAG_ROLE);
+ for (int roleIndex = 0; roleIndex < roleUserNodes.getLength(); roleIndex++) {
+ Node roleUserNode = roleUserNodes.item(roleIndex);
+ String roleName = getAttributeValue(roleUserNode, ATTR_ROLENAME);
+ NodeList userNodes = roleUserNode.getChildNodes();
+ for (int userIndex = 0; userIndex < userNodes.getLength(); userIndex++) {
+ Node userNode = userNodes.item(userIndex);
+ if (userNode.getNodeName() == TAG_USER) {
+ String userName = getNodeValue(userNode);
+ HashSet<String> userRoleSet = XmlAuthorization.userRoles.get(userName);
+ if (userRoleSet == null) {
+ userRoleSet = new HashSet<String>();
+ XmlAuthorization.userRoles.put(userName, userRoleSet);
+ }
+ userRoleSet.add(roleName);
+ }
+ else {
+ throw new SAXParseException("Unknown tag [" + userNode.getNodeName() + "] as child of tag [" + TAG_ROLE + ']', null);
+ }
+ }
+ }
+ NodeList rolePermissionNodes = xmlDocument.getElementsByTagName(TAG_PERMS);
+ for (int permIndex = 0; permIndex < rolePermissionNodes.getLength(); permIndex++) {
+ Node rolePermissionNode = rolePermissionNodes.item(permIndex);
+ String roleName = getAttributeValue(rolePermissionNode, ATTR_ROLE);
+ Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
+ if (regionOperationMap == null) {
+ regionOperationMap = new HashMap<String, Map<OperationCode, FunctionSecurityPrmsHolder>>();
+ XmlAuthorization.rolePermissions.put(roleName, regionOperationMap);
+ }
+ NodeList operationNodes = rolePermissionNode.getChildNodes();
+ HashMap<OperationCode, FunctionSecurityPrmsHolder> operationMap = new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
+ for (int opIndex = 0; opIndex < operationNodes.getLength(); opIndex++) {
+ Node operationNode = operationNodes.item(opIndex);
+ if (operationNode.getNodeName() == TAG_OP) {
+ String operationName = getNodeValue(operationNode);
+ OperationCode code = OperationCode.parse(operationName);
+ if (code == null) {
+ throw new SAXParseException("Unknown operation [" + operationName + ']', null);
+ }
+ if (code != OperationCode.EXECUTE_FUNCTION) {
+ operationMap.put(code, null);
+ }
+ else {
+ String optimizeForWrite = getAttributeValue(operationNode, ATTR_FUNCTION_OPTIMIZE_FOR_WRITE);
+ String functionAttr = getAttributeValue(operationNode, ATTR_FUNCTION_IDS);
+ String keysAttr = getAttributeValue(operationNode, ATTR_FUNCTION_KEY_SET);
+
+ Boolean isOptimizeForWrite;
+ HashSet<String> functionIds;
+ HashSet<String> keySet;
+
+ if (optimizeForWrite == null || optimizeForWrite.length() == 0) {
+ isOptimizeForWrite = null;
+ }
+ else {
+ isOptimizeForWrite = Boolean.parseBoolean(optimizeForWrite);
+ }
+
+ if (functionAttr == null || functionAttr.length() == 0) {
+ functionIds = null;
+ }
+ else {
+ String[] functionArray = functionAttr.split(",");
+ functionIds = new HashSet<String>();
+ for (int strIndex = 0; strIndex < functionArray.length; ++strIndex) {
+ functionIds.add((functionArray[strIndex]));
+ }
+ }
+
+ if (keysAttr == null || keysAttr.length() == 0) {
+ keySet = null;
+ }
+ else {
+ String[] keySetArray = keysAttr.split(",");
+ keySet = new HashSet<String>();
+ for (int strIndex = 0; strIndex < keySetArray.length; ++strIndex) {
+ keySet.add((keySetArray[strIndex]));
+ }
+ }
+ FunctionSecurityPrmsHolder functionContext = new FunctionSecurityPrmsHolder(isOptimizeForWrite, functionIds, keySet);
+ operationMap.put(code, functionContext);
+ }
+ }
+ else {
+ throw new SAXParseException("Unknown tag [" + operationNode.getNodeName() + "] as child of tag [" + TAG_PERMS + ']', null);
+ }
+ }
+ String regionNames = getAttributeValue(rolePermissionNode, ATTR_REGIONS);
+ if (regionNames == null || regionNames.length() == 0) {
+ regionOperationMap.put(EMPTY_VALUE, operationMap);
+ }
+ else {
+ String[] regionNamesSplit = regionNames.split(",");
+ for (int strIndex = 0; strIndex < regionNamesSplit.length; ++strIndex) {
+ regionOperationMap.put(normalizeRegionName(regionNamesSplit[strIndex]), operationMap);
+ }
+ }
+ }
+ XmlAuthorization.currentDocUri = xmlDocumentUri;
+ }
+ catch (Exception ex) {
+ String exStr;
+ if (ex instanceof NotAuthorizedException) {
+ exStr = ex.getMessage();
+ }
+ else {
+ exStr = ex.getClass().getName() + ": " + ex.getMessage();
+ }
+ logger.warning("XmlAuthorization.init: " + exStr);
+ XmlAuthorization.xmlLoadFailure = new NotAuthorizedException(exStr, ex);
+ throw XmlAuthorization.xmlLoadFailure;
+ }
+ }
+
+ /**
+ * Initialize the <code>XmlAuthorization</code> callback for a client having
+ * the given principal.
+ *
+ * This method caches the full XML authorization file the first time it is
+ * invoked and caches all the permissions for the provided
+ * <code>principal</code> to speed up lookup the
+ * <code>authorizeOperation</code> calls. The permissions for the principal
+ * are maintained as a {@link Map} of region name to the {@link HashSet} of
+ * operations allowed for that region. A global entry with region name as
+ * empty string is also made for permissions provided for all the regions.
+ *
+ * @param principal
+ * the principal associated with the authenticated client
+ * @param cache
+ * reference to the cache object
+ * @param remoteMember
+ * the {@link DistributedMember} object for the remote
+ * authenticated client
+ *
+ * @throws NotAuthorizedException
+ * if some exception condition happens during the
+ * initialization while reading the XML; in such a case all
+ * subsequent client operations will throw
+ * <code>NotAuthorizedException</code>
+ */
+ @Override
+ public void init(Principal principal, DistributedMember remoteMember, Cache cache) throws NotAuthorizedException {
+
+ synchronized (sync) {
+ XmlAuthorization.init(cache);
+ }
+ this.logger = cache.getLogger();
+ this.securityLogger = cache.getSecurityLogger();
+
+ String name;
+ if (principal != null) {
+ name = principal.getName();
+ }
+ else {
+ name = EMPTY_VALUE;
+ }
+ HashSet<String> roles = XmlAuthorization.userRoles.get(name);
+ if (roles != null) {
+ for (String roleName : roles) {
+ Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
+ if (regionOperationMap != null) {
+ for (Map.Entry<String, Map<OperationCode, FunctionSecurityPrmsHolder>> regionEntry : regionOperationMap.entrySet()) {
+ String regionName = regionEntry.getKey();
+ Map<OperationCode, FunctionSecurityPrmsHolder> regionOperations = this.allowedOps.get(regionName);
+ if (regionOperations == null) {
+ regionOperations = new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
+ this.allowedOps.put(regionName, regionOperations);
+ }
+ regionOperations.putAll(regionEntry.getValue());
+ }
+ }
+ }
+ }
+ }
+
+ /**
+ * Return true if the given operation is allowed for the cache/region.
+ *
+ * This looks up the cached permissions of the principal in the map for the
+ * provided region name. If none are found then the global permissions with
+ * empty region name are looked up. The operation is allowed if it is found
+ * this permission list.
+ *
+ * @param regionName
+ * When null then it indicates a cache-level operation, else
+ * the name of the region for the operation.
+ * @param context
+ * the data required by the operation
+ *
+ * @return true if the operation is authorized and false otherwise
+ *
+ */
+ @Override
+ public boolean authorizeOperation(String regionName, final OperationContext context) {
+
+ Map<OperationCode, FunctionSecurityPrmsHolder> operationMap;
+ // Check GET permissions for updates from server to client
+ if (context.isClientUpdate()) {
+ operationMap = this.allowedOps.get(regionName);
+ if (operationMap == null && regionName.length() > 0) {
+ operationMap = this.allowedOps.get(EMPTY_VALUE);
+ }
+ if (operationMap != null) {
+ return operationMap.containsKey(OperationCode.GET);
+ }
+ return false;
+ }
+
+ OperationCode opCode = context.getOperationCode();
+ if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ() || opCode.isStopCQ()) {
+ // First check if cache-level permission has been provided
+ operationMap = this.allowedOps.get(EMPTY_VALUE);
+ boolean globalPermission = (operationMap != null && operationMap.containsKey(opCode));
+ Set<String> regionNames = ((QueryOperationContext)context).getRegionNames();
+ if (regionNames == null || regionNames.size() == 0) {
+ return globalPermission;
+ }
+ for (String r : regionNames) {
+ regionName = normalizeRegionName(r);
+ operationMap = this.allowedOps.get(regionName);
+ if (operationMap == null) {
+ if (!globalPermission) {
+ return false;
+ }
+ }
+ else if (!operationMap.containsKey(opCode)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ final String normalizedRegionName = normalizeRegionName(regionName);
+ operationMap = this.allowedOps.get(normalizedRegionName);
+ if (operationMap == null && normalizedRegionName.length() > 0) {
+ operationMap = this.allowedOps.get(EMPTY_VALUE);
+ }
+ if (operationMap != null) {
+ if (context.getOperationCode() != OperationCode.EXECUTE_FUNCTION) {
+ return operationMap.containsKey(context.getOperationCode());
+ } else {
+ if (!operationMap.containsKey(context.getOperationCode())) {
+ return false;
+ }
+ else {
+ if (!context.isPostOperation()) {
+ FunctionSecurityPrmsHolder functionParameter = operationMap.get(context.getOperationCode());
+ ExecuteFunctionOperationContext functionContext = (ExecuteFunctionOperationContext)context;
+ // OnRegion execution
+ if (functionContext.getRegionName() != null) {
+ if (functionParameter.isOptimizeForWrite() != null && functionParameter.isOptimizeForWrite().booleanValue() != functionContext.isOptimizeForWrite()) {
+ return false;
+ }
+ if (functionParameter.getFunctionIds() != null && !functionParameter.getFunctionIds().contains(functionContext.getFunctionId())) {
+ return false;
+ }
+ if (functionParameter.getKeySet() != null && functionContext.getKeySet() != null) {
+ if (functionContext.getKeySet().containsAll(functionParameter.getKeySet())) {
+ return false;
+ }
+ }
+ return true;
+ }
+ else {// On Server execution
+ if (functionParameter.getFunctionIds() != null && !functionParameter.getFunctionIds().contains(functionContext.getFunctionId())) {
+ return false;
+ }
+ return true;
+ }
+ }
+ else {
+ ExecuteFunctionOperationContext functionContext = (ExecuteFunctionOperationContext)context;
+ FunctionSecurityPrmsHolder functionParameter = operationMap.get(context.getOperationCode());
+ if (functionContext.getRegionName() != null) {
+ if (functionContext.getResult() instanceof ArrayList && functionParameter.getKeySet() != null) {
+ ArrayList<String> resultList = (ArrayList)functionContext.getResult();
+ HashSet<String> nonAllowedKeys = functionParameter.getKeySet();
+ if (resultList.containsAll(nonAllowedKeys)) {
+ return false;
+ }
+ }
+ return true;
+ }
+ else {
+ ArrayList<String> resultList = (ArrayList)functionContext.getResult();
+ final String inSecureItem = "Insecure item";
+ if (resultList.contains(inSecureItem)) {
+ return false;
+ }
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Clears the cached information for this principal.
+ */
+ @Override
+ public void close() {
+
+ this.allowedOps.clear();
+ }
+
+ /**
+ * Clear all the statically cached information.
+ */
+ public static void clear() {
+
+ XmlAuthorization.currentDocUri = null;
+ if (XmlAuthorization.userRoles != null) {
+ XmlAuthorization.userRoles.clear();
+ XmlAuthorization.userRoles = null;
+ }
+ if (XmlAuthorization.rolePermissions != null) {
+ XmlAuthorization.rolePermissions.clear();
+ XmlAuthorization.rolePermissions = null;
+ }
+ XmlAuthorization.xmlLoadFailure = null;
+ }
+
+ private static class AuthzDtdResolver implements EntityResolver {
+ Pattern authzPattern = Pattern.compile("authz.*\\.dtd");
+
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+ try {
+ Matcher matcher = authzPattern.matcher(systemId);
+ if (matcher.find()) {
+ String dtdName = matcher.group(0);
+ InputStream stream = XmlAuthorization.class.getResourceAsStream(dtdName);
+ return new InputSource(stream);
+ }
+ } catch(Exception e) {
+ //do nothing, use the default resolver
+ }
+
+ return null;
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlErrorHandler.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlErrorHandler.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlErrorHandler.java
new file mode 100644
index 0000000..6402c28
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/templates/XmlErrorHandler.java
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.security.templates;
+
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+import com.gemstone.gemfire.LogWriter;
+
+/**
+ * Implementation of {@link ErrorHandler} interface to handle validation errors
+ * while XML parsing.
+ *
+ * This throws back exceptions raised for <code>error</code> and
+ * <code>fatalError</code> cases while a {@link LogWriter#warning(String)} level
+ * logging is done for the <code>warning</code> case.
+ *
+ * @author Sumedh Wale
+ * @since 5.5
+ */
+public class XmlErrorHandler implements ErrorHandler {
+
+ private LogWriter logger;
+
+ private String xmlFileName;
+
+ public XmlErrorHandler(LogWriter logger, String xmlFileName) {
+
+ this.logger = logger;
+ this.xmlFileName = xmlFileName;
+ }
+
+ /**
+ * Throws back the exception with the name of the XML file and the position
+ * where the exception occurred.
+ */
+ @Override
+ public void error(SAXParseException exception) throws SAXException {
+
+ throw new SAXParseException("Error while parsing XML at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage(), null);
+ }
+
+ /**
+ * Throws back the exception with the name of the XML file and the position
+ * where the exception occurred.
+ */
+ @Override
+ public void fatalError(SAXParseException exception) throws SAXException {
+
+ throw new SAXParseException("Fatal error while parsing XML at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage(), null);
+ }
+
+ /**
+ * Log the exception at {@link LogWriter#warning(String)} level with XML
+ * filename and the position of exception in the file.
+ */
+ @Override
+ public void warning(SAXParseException exception) throws SAXException {
+
+ this.logger.warning("Warning while parsing XML [" + this.xmlFileName + "] at line " + exception.getLineNumber() + " column " + exception.getColumnNumber() + ": " + exception.getMessage());
+ }
+
+}
[2/4] incubator-geode git commit: Repackage security test classes in
Apache Geode
Posted by kl...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/CredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/CredentialGenerator.java b/gemfire-core/src/test/java/security/CredentialGenerator.java
deleted file mode 100644
index 7a430f1..0000000
--- a/gemfire-core/src/test/java/security/CredentialGenerator.java
+++ /dev/null
@@ -1,343 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.Authenticator;
-
-/**
- * Encapsulates obtaining valid and invalid credentials. Implementations will be
- * for different kinds of authentication schemes.
- *
- * @author sumedh
- * @since 5.5
- */
-public abstract class CredentialGenerator {
-
- /**
- * Enumeration for various {@link CredentialGenerator} implementations.
- *
- * The following schemes are supported as of now:
- * <code>DummyAuthenticator</code>, <code>LdapUserAuthenticator</code>,
- * <code>PKCSAuthenticator</code>. In addition SSL socket mode with mutual
- * authentication is also supported.
- *
- * To add a new authentication scheme the following needs to be done:
- * <ul>
- * <li>Add implementations for {@link AuthInitialize} and
- * {@link Authenticator} classes for clients/peers.</li>
- * <li>Add a new enumeration value for the scheme in this class. Notice the
- * size of <code>VALUES</code> array and increase that if it is getting
- * overflowed. Note the methods and fields for existing schemes and add for
- * the new one in a similar manner.</li>
- * <li>Add an implementation for {@link CredentialGenerator}.</li>
- * <li>Modify the CredentialGenerator.Factory#create [no such Factory exists] method to add
- * creation of an instance of the new implementation for the
- * <code>ClassCode</code> enumeration value.</li>
- * </ul>
- * All security dunit tests will automagically start testing the new
- * implementation after this.
- *
- * @author sumedh
- * @since 5.5
- */
- public static final class ClassCode {
-
- private static final byte ID_DUMMY = 1;
-
- private static final byte ID_LDAP = 2;
-
- private static final byte ID_PKCS = 3;
-
- private static final byte ID_SSL = 4;
-
- private static byte nextOrdinal = 0;
-
- private static final ClassCode[] VALUES = new ClassCode[10];
-
- private static final Map CodeNameMap = new HashMap();
-
- public static final ClassCode DUMMY = new ClassCode(
- "templates.security.DummyAuthenticator.create", ID_DUMMY);
-
- public static final ClassCode LDAP = new ClassCode(
- "templates.security.LdapUserAuthenticator.create", ID_LDAP);
-
- public static final ClassCode PKCS = new ClassCode(
- "templates.security.PKCSAuthenticator.create", ID_PKCS);
-
- public static final ClassCode SSL = new ClassCode("SSL", ID_SSL);
-
- /** The name of this class. */
- private final String name;
-
- /** byte used as ordinal to represent this class */
- private final byte ordinal;
-
- /**
- * One of the following: ID_DUMMY, ID_LDAP, ID_PKCS
- */
- private final byte classType;
-
- /** Creates a new instance of class code. */
- private ClassCode(String name, byte classType) {
- this.name = name;
- this.classType = classType;
- this.ordinal = nextOrdinal++;
- VALUES[this.ordinal] = this;
- CodeNameMap.put(name, this);
- }
-
- public boolean isDummy() {
- return (this.classType == ID_DUMMY);
- }
-
- public boolean isLDAP() {
- return (this.classType == ID_LDAP);
- }
-
- public boolean isPKCS() {
- return (this.classType == ID_PKCS);
- }
-
- public boolean isSSL() {
- return (this.classType == ID_SSL);
- }
-
- /**
- * Returns the <code>ClassCode</code> represented by specified ordinal.
- */
- public static ClassCode fromOrdinal(byte ordinal) {
- return VALUES[ordinal];
- }
-
- /**
- * Returns the <code>ClassCode</code> represented by specified string.
- */
- public static ClassCode parse(String operationName) {
- return (ClassCode)CodeNameMap.get(operationName);
- }
-
- /**
- * Returns all the possible values.
- */
- public static List getAll() {
- List codes = new ArrayList();
- Iterator iter = CodeNameMap.values().iterator();
- while (iter.hasNext()) {
- codes.add(iter.next());
- }
- return codes;
- }
-
- /**
- * Returns the ordinal for this operation code.
- *
- * @return the ordinal of this operation.
- */
- public byte toOrdinal() {
- return this.ordinal;
- }
-
- /**
- * Returns a string representation for this operation.
- *
- * @return the name of this operation.
- */
- final public String toString() {
- return this.name;
- }
-
- /**
- * Indicates whether other object is same as this one.
- *
- * @return true if other object is same as this one.
- */
- @Override
- final public boolean equals(final Object obj) {
- if (obj == this) {
- return true;
- }
- if (!(obj instanceof ClassCode)) {
- return false;
- }
- final ClassCode other = (ClassCode)obj;
- return (other.ordinal == this.ordinal);
- }
-
- /**
- * Indicates whether other <code>ClassCode</code> is same as this one.
- *
- * @return true if other <code>ClassCode</code> is same as this one.
- */
- final public boolean equals(final ClassCode opCode) {
- return (opCode != null && opCode.ordinal == this.ordinal);
- }
-
- /**
- * Returns a hash code value for this <code>ClassCode</code> which is the
- * same as its ordinal.
- *
- * @return the ordinal of this operation.
- */
- @Override
- final public int hashCode() {
- return this.ordinal;
- }
-
- }
-
- /**
- * A set of properties that should be added to the Gemfire system properties
- * before using the authentication module.
- */
- private Properties sysProps = null;
-
- /**
- * A set of properties that should be added to the java system properties
- * before using the authentication module.
- */
- protected Properties javaProps = null;
-
- /**
- * A factory method to create a new instance of an {@link CredentialGenerator}
- * for the given {@link ClassCode}. Caller is supposed to invoke
- * {@link CredentialGenerator#init} immediately after obtaining the instance.
- *
- * @param classCode
- * the <code>ClassCode</code> of the
- * <code>CredentialGenerator</code> implementation
- *
- * @return an instance of <code>CredentialGenerator</code> for the given
- * class code
- */
- public static CredentialGenerator create(ClassCode classCode) {
- switch (classCode.classType) {
- // Removing dummy one to reduce test run times
- // case ClassCode.ID_DUMMY:
- // return new DummyCredentialGenerator();
- case ClassCode.ID_LDAP:
- return new LdapUserCredentialGenerator();
- // case ClassCode.ID_SSL:ΓΈ
- // return new SSLCredentialGenerator();
- case ClassCode.ID_PKCS:
- return new PKCSCredentialGenerator();
- default:
- return null;
- }
- }
-
- /**
- * Initialize the credential generator.
- *
- * @throws IllegalArgumentException
- * when there is a problem during initialization
- */
- public void init() throws IllegalArgumentException {
- this.sysProps = initialize();
- }
-
- /**
- * Initialize the credential generator. This is provided separately from the
- * {@link #init} method for convenience of implementations so that they do not
- * need to store in {@link #sysProps}. The latter is convenient for the users
- * who do not need to store these properties rather can obtain it later by
- * invoking {@link #getSystemProperties}
- *
- * Required to be implemented by concrete classes that implement this abstract
- * class.
- *
- * @return A set of extra properties that should be added to Gemfire system
- * properties when not null.
- *
- * @throws IllegalArgumentException
- * when there is a problem during initialization
- */
- protected abstract Properties initialize() throws IllegalArgumentException;
-
- /**
- *
- * @return A set of extra properties that should be added to Gemfire system
- * properties when not null.
- */
- public Properties getSystemProperties() {
- return this.sysProps;
- }
-
- /**
- *
- * @return A set of extra properties that should be added to Gemfire system
- * properties when not null.
- */
- public Properties getJavaProperties() {
- return this.javaProps;
- }
-
- /**
- * The {@link ClassCode} of this particular implementation.
- *
- * @return the <code>ClassCode</code>
- */
- public abstract ClassCode classCode();
-
- /**
- * The name of the {@link AuthInitialize} factory function that should be used
- * in conjunction with the credentials generated by this generator.
- *
- * @return name of the <code>AuthInitialize</code> factory function
- */
- public abstract String getAuthInit();
-
- /**
- * The name of the {@link Authenticator} factory function that should be used
- * in conjunction with the credentials generated by this generator.
- *
- * @return name of the <code>Authenticator</code> factory function
- */
- public abstract String getAuthenticator();
-
- /**
- * Get a set of valid credentials generated using the given index.
- */
- public abstract Properties getValidCredentials(int index);
-
- /**
- * Get a set of valid credentials for the given {@link Principal}.
- *
- * @return credentials for the given <code>Principal</code> or null if none
- * possible.
- */
- public abstract Properties getValidCredentials(Principal principal);
-
- /**
- * Get a set of invalid credentials generated using the given index.
- */
- public abstract Properties getInvalidCredentials(int index);
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
deleted file mode 100644
index 7e40d13..0000000
--- a/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
+++ /dev/null
@@ -1,145 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Properties;
-import java.util.Set;
-
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import security.AuthzCredentialGenerator;
-import templates.security.DummyAuthorization;
-import templates.security.UsernamePrincipal;
-
-public class DummyAuthzCredentialGenerator extends AuthzCredentialGenerator {
-
- public static final byte READER_ROLE = 1;
-
- public static final byte WRITER_ROLE = 2;
-
- public static final byte ADMIN_ROLE = 3;
-
- private static Set readerOpsSet;
-
- private static Set writerOpsSet;
-
- static {
-
- readerOpsSet = new HashSet();
- for (int index = 0; index < DummyAuthorization.READER_OPS.length; index++) {
- readerOpsSet.add(DummyAuthorization.READER_OPS[index]);
- }
- writerOpsSet = new HashSet();
- for (int index = 0; index < DummyAuthorization.WRITER_OPS.length; index++) {
- writerOpsSet.add(DummyAuthorization.WRITER_OPS[index]);
- }
- }
-
- public DummyAuthzCredentialGenerator() {
- }
-
- protected Properties init() throws IllegalArgumentException {
-
- if (!this.cGen.classCode().isDummy()) {
- throw new IllegalArgumentException(
- "DummyAuthorization module only works with DummyAuthenticator");
- }
- return null;
- }
-
- public ClassCode classCode() {
- return ClassCode.DUMMY;
- }
-
- public String getAuthorizationCallback() {
- return "templates.security.DummyAuthorization.create";
- }
-
- public static byte getRequiredRole(OperationCode[] opCodes) {
-
- byte roleType = ADMIN_ROLE;
- boolean requiresReader = true;
- boolean requiresWriter = true;
-
- for (int opNum = 0; opNum < opCodes.length; opNum++) {
- if (requiresReader && !readerOpsSet.contains(opCodes[opNum])) {
- requiresReader = false;
- }
- if (requiresWriter && !writerOpsSet.contains(opCodes[opNum])) {
- requiresWriter = false;
- }
- }
- if (requiresReader) {
- roleType = READER_ROLE;
- }
- else if (requiresWriter) {
- roleType = WRITER_ROLE;
- }
- return roleType;
- }
-
- private Principal getPrincipal(byte roleType, int index) {
-
- String[] admins = new String[] { "root", "admin", "administrator" };
- switch (roleType) {
- case READER_ROLE:
- return new UsernamePrincipal("reader" + index);
- case WRITER_ROLE:
- return new UsernamePrincipal("writer" + index);
- default:
- return new UsernamePrincipal(admins[index % admins.length]);
- }
- }
-
- protected Principal getAllowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- byte roleType = getRequiredRole(opCodes);
- return getPrincipal(roleType, index);
- }
-
- protected Principal getDisallowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- byte roleType = getRequiredRole(opCodes);
- byte disallowedRoleType;
- switch (roleType) {
- case READER_ROLE:
- disallowedRoleType = WRITER_ROLE;
- break;
- case WRITER_ROLE:
- disallowedRoleType = READER_ROLE;
- break;
- default:
- disallowedRoleType = READER_ROLE;
- break;
- }
- return getPrincipal(disallowedRoleType, index);
- }
-
- protected int getNumPrincipalTries(OperationCode[] opCodes,
- String[] regionNames) {
- return 5;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/DummyCredentialGenerator.java b/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
deleted file mode 100644
index 86b26a7..0000000
--- a/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
+++ /dev/null
@@ -1,94 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import security.CredentialGenerator;
-import templates.security.DummyAuthenticator;
-import templates.security.UserPasswordAuthInit;
-
-import java.security.Principal;
-import java.util.Properties;
-
-public class DummyCredentialGenerator extends CredentialGenerator {
-
- public DummyCredentialGenerator() {
- }
-
- protected Properties initialize() throws IllegalArgumentException {
- return null;
- }
-
- public ClassCode classCode() {
- return ClassCode.DUMMY;
- }
-
- public String getAuthInit() {
- return "templates.security.UserPasswordAuthInit.create";
- }
-
- public String getAuthenticator() {
- return "templates.security.DummyAuthenticator.create";
- }
-
- public Properties getValidCredentials(int index) {
-
- String[] validGroups = new String[] { "admin", "user", "reader", "writer" };
- String[] admins = new String[] { "root", "admin", "administrator" };
-
- Properties props = new Properties();
- int groupNum = (index % validGroups.length);
- String userName;
- if (groupNum == 0) {
- userName = admins[index % admins.length];
- }
- else {
- userName = validGroups[groupNum] + (index / validGroups.length);
- }
- props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
- props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
- return props;
- }
-
- public Properties getValidCredentials(Principal principal) {
-
- String userName = principal.getName();
- if (DummyAuthenticator.testValidName(userName)) {
- Properties props = new Properties();
- props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
- props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
- return props;
- }
- else {
- throw new IllegalArgumentException("Dummy: [" + userName
- + "] is not a valid user");
- }
- }
-
- public Properties getInvalidCredentials(int index) {
-
- Properties props = new Properties();
- props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
- props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
- return props;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java b/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
deleted file mode 100644
index 12bcb62..0000000
--- a/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
+++ /dev/null
@@ -1,160 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.util.Properties;
-
-import com.gemstone.gemfire.distributed.internal.DistributionConfig;
-import com.gemstone.gemfire.internal.cache.tier.sockets.HandShake;
-import com.gemstone.gemfire.util.test.TestUtil;
-import templates.security.LdapUserAuthenticator;
-import templates.security.UserPasswordAuthInit;
-
-import java.util.Random;
-
-public class LdapUserCredentialGenerator extends CredentialGenerator {
-
- private static final String USER_PREFIX = "gemfire";
-
- private static boolean enableServerAuthentication = false;
-
- private boolean serverAuthEnabled = false;
-
- private static final Random prng = new Random();
-
- private static final String[] algos = new String[] { "", "DESede", "AES:128",
- "Blowfish:128" };
-
- public LdapUserCredentialGenerator() {
- // Toggle server authentication enabled for each test
- // This is done instead of running all the tests with both
- // server auth enabled/disabled to reduce test run time.
- enableServerAuthentication = !enableServerAuthentication;
- serverAuthEnabled = enableServerAuthentication;
- }
-
- @Override
- protected Properties initialize() throws IllegalArgumentException {
-
- Properties extraProps = new Properties();
- String ldapServer = System.getProperty("gf.ldap.server", "ldap");
- String ldapBaseDN = System.getProperty("gf.ldap.basedn", "ou=ldapTesting,dc=pune,dc=gemstone,dc=com");
- String ldapUseSSL = System.getProperty("gf.ldap.usessl");
- extraProps.setProperty(LdapUserAuthenticator.LDAP_SERVER_NAME, ldapServer);
- extraProps.setProperty(LdapUserAuthenticator.LDAP_BASEDN_NAME, ldapBaseDN);
- if (ldapUseSSL != null && ldapUseSSL.length() > 0) {
- extraProps.setProperty(LdapUserAuthenticator.LDAP_SSL_NAME, ldapUseSSL);
- }
- if (serverAuthEnabled) {
- String keyStoreFile = TestUtil.getResourcePath(LdapUserCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/gemfire1.keystore");
- extraProps.setProperty(HandShake.PRIVATE_KEY_FILE_PROP, keyStoreFile);
- extraProps.setProperty(HandShake.PRIVATE_KEY_ALIAS_PROP, "gemfire1");
- extraProps.setProperty(HandShake.PRIVATE_KEY_PASSWD_PROP, "gemfire");
- }
- return extraProps;
- }
-
- @Override
- public ClassCode classCode() {
- return ClassCode.LDAP;
- }
-
- @Override
- public String getAuthInit() {
- return "templates.security.UserPasswordAuthInit.create";
- }
-
- @Override
- public String getAuthenticator() {
- return "templates.security.LdapUserAuthenticator.create";
- }
-
- @Override
- public Properties getValidCredentials(int index) {
-
- Properties props = new Properties();
- props.setProperty(UserPasswordAuthInit.USER_NAME, USER_PREFIX
- + ((index % 10) + 1));
- props.setProperty(UserPasswordAuthInit.PASSWORD, USER_PREFIX
- + ((index % 10) + 1));
- props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
- algos[prng.nextInt(algos.length)]);
- if (serverAuthEnabled) {
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
- props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
- props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
- }
- return props;
- }
-
- @Override
- public Properties getValidCredentials(Principal principal) {
-
- Properties props = null;
- String userName = principal.getName();
- if (userName != null && userName.startsWith(USER_PREFIX)) {
- boolean isValid;
- try {
- int suffix = Integer.parseInt(userName.substring(USER_PREFIX.length()));
- isValid = (suffix >= 1 && suffix <= 10);
- }
- catch (Exception ex) {
- isValid = false;
- }
- if (isValid) {
- props = new Properties();
- props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
- props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
- }
- }
- if (props == null) {
- throw new IllegalArgumentException("LDAP: [" + userName
- + "] not a valid user");
- }
- props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
- algos[prng.nextInt(algos.length)]);
- if (serverAuthEnabled) {
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
- props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
- props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
- }
- return props;
- }
-
- @Override
- public Properties getInvalidCredentials(int index) {
-
- Properties props = new Properties();
- props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
- props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
- props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
- algos[prng.nextInt(algos.length)]);
- if (serverAuthEnabled) {
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
- props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
- props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
- }
- return props;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java b/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
deleted file mode 100644
index 24c0100..0000000
--- a/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
+++ /dev/null
@@ -1,112 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.security.Provider;
-import java.security.Security;
-import java.util.Properties;
-
-import com.gemstone.gemfire.util.test.TestUtil;
-import templates.security.PKCSAuthInit;
-import templates.security.PKCSAuthenticator;
-
-/**
- * @author kneeraj
- *
- */
-public class PKCSCredentialGenerator extends CredentialGenerator {
-
- public static String keyStoreDir = getKeyStoreDir();
-
- public static boolean usesIBMJSSE;
-
- // Checks if the current JVM uses only IBM JSSE providers.
- private static boolean usesIBMProviders() {
- Provider[] providers = Security.getProviders();
- for (int index = 0; index < providers.length; ++index) {
- if (!providers[index].getName().toLowerCase().startsWith("ibm")) {
- return false;
- }
- }
- return true;
- }
-
- private static String getKeyStoreDir() {
- usesIBMJSSE = usesIBMProviders();
- if (usesIBMJSSE) {
- return "/lib/keys/ibm";
- }
- else {
- return "/lib/keys";
- }
- }
-
- public ClassCode classCode() {
- return ClassCode.PKCS;
- }
-
- public String getAuthInit() {
- return "templates.security.PKCSAuthInit.create";
- }
-
- public String getAuthenticator() {
- return "templates.security.PKCSAuthenticator.create";
- }
-
- public Properties getInvalidCredentials(int index) {
- Properties props = new Properties();
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire11.keystore");
- props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
- props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire11");
- props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
- return props;
- }
-
- public Properties getValidCredentials(int index) {
- Properties props = new Properties();
- int aliasnum = (index % 10) + 1;
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire" + aliasnum + ".keystore");
- props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
- props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire" + aliasnum);
- props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
- return props;
- }
-
- public Properties getValidCredentials(Principal principal) {
- Properties props = new Properties();
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + principal.getName() + ".keystore");
- props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
- props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, principal.getName());
- props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
- return props;
- }
-
- protected Properties initialize() throws IllegalArgumentException {
- Properties props = new Properties();
- String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/publickeyfile");
- props.setProperty(PKCSAuthenticator.PUBLIC_KEY_FILE, keyStoreFile);
- props.setProperty(PKCSAuthenticator.PUBLIC_KEYSTORE_PASSWORD, "gemfire");
- return props;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/SSLCredentialGenerator.java b/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
deleted file mode 100644
index 29a1a30..0000000
--- a/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
+++ /dev/null
@@ -1,117 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.io.File;
-import java.io.IOException;
-import java.security.Principal;
-import java.util.Properties;
-
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import security.CredentialGenerator;
-
-public class SSLCredentialGenerator extends CredentialGenerator {
-
- private File findTrustedJKS() {
- File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
- return new File(ssldir, "trusted.keystore");
- }
-
- private File findUntrustedJKS() {
- File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
- return new File(ssldir, "untrusted.keystore");
- }
-
- private Properties getValidJavaSSLProperties() {
- File jks = findTrustedJKS();
- try {
- Properties props = new Properties();
- props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
- props.setProperty("javax.net.ssl.trustStorePassword", "password");
- props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
- props.setProperty("javax.net.ssl.keyStorePassword", "password");
- return props;
- }
- catch (IOException ex) {
- throw new AuthenticationFailedException(
- "SSL: Exception while opening the key store: " + ex);
- }
- }
-
- private Properties getInvalidJavaSSLProperties() {
- File jks = findUntrustedJKS();
- try {
- Properties props = new Properties();
- props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
- props.setProperty("javax.net.ssl.trustStorePassword", "password");
- props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
- props.setProperty("javax.net.ssl.keyStorePassword", "password");
- return props;
- }
- catch (IOException ex) {
- throw new AuthenticationFailedException(
- "SSL: Exception while opening the key store: " + ex);
- }
- }
-
- private Properties getSSLProperties() {
- Properties props = new Properties();
- props.setProperty("ssl-enabled", "true");
- props.setProperty("ssl-require-authentication", "true");
- props.setProperty("ssl-ciphers", "SSL_RSA_WITH_RC4_128_MD5");
- props.setProperty("ssl-protocols", "TLSv1");
- return props;
- }
-
- protected Properties initialize() throws IllegalArgumentException {
- this.javaProps = getValidJavaSSLProperties();
- return getSSLProperties();
- }
-
- public ClassCode classCode() {
- return ClassCode.SSL;
- }
-
- public String getAuthInit() {
- return null;
- }
-
- public String getAuthenticator() {
- return null;
- }
-
- public Properties getValidCredentials(int index) {
- this.javaProps = getValidJavaSSLProperties();
- return getSSLProperties();
- }
-
- public Properties getValidCredentials(Principal principal) {
- this.javaProps = getValidJavaSSLProperties();
- return getSSLProperties();
- }
-
- public Properties getInvalidCredentials(int index) {
- this.javaProps = getInvalidJavaSSLProperties();
- return getSSLProperties();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java b/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
deleted file mode 100644
index a41f73a..0000000
--- a/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
+++ /dev/null
@@ -1,77 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.util.Properties;
-import java.util.Iterator;
-
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import templates.security.UserPasswordAuthInit;
-
-/**
- * An {@link AuthInitialize} implementation that obtains the user name and
- * password as the credentials from the given set of properties. If
- * keep-extra-props property exits, it will copy rest of the
- * properties provided in getCredential props argument will also be
- * copied as new credentials.
- *
- * @author Soubhik
- * @since 5.5
- */
-public class UserPasswordWithExtraPropsAuthInit extends UserPasswordAuthInit {
-
- public static final String EXTRA_PROPS = "security-keep-extra-props";
-
- public static final String SECURITY_PREFIX = "security-";
-
- public static AuthInitialize create() {
- return new UserPasswordWithExtraPropsAuthInit();
- }
-
- public UserPasswordWithExtraPropsAuthInit() {
- super();
- }
-
- public Properties getCredentials(Properties props, DistributedMember server,
- boolean isPeer) throws AuthenticationFailedException {
-
- Properties newProps = super.getCredentials(props, server, isPeer);
- String extraProps = props.getProperty(EXTRA_PROPS);
- if(extraProps != null) {
- for(Iterator it = props.keySet().iterator(); it.hasNext();) {
- String key = (String)it.next();
- if( key.startsWith(SECURITY_PREFIX) &&
- key.equalsIgnoreCase(USER_NAME) == false &&
- key.equalsIgnoreCase(PASSWORD) == false &&
- key.equalsIgnoreCase(EXTRA_PROPS) == false) {
- newProps.setProperty(key, props.getProperty(key));
- }
- }
- this.securitylog.fine("got everything and now have: "
- + newProps.keySet().toString());
- }
- return newProps;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
deleted file mode 100644
index 929eafb..0000000
--- a/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
+++ /dev/null
@@ -1,264 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Properties;
-import java.util.Set;
-
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import com.gemstone.gemfire.util.test.TestUtil;
-import templates.security.UsernamePrincipal;
-import templates.security.XmlAuthorization;
-
-public class XmlAuthzCredentialGenerator extends AuthzCredentialGenerator {
-
- private static final String dummyXml = "authz-dummy.xml";
-
- private static final String ldapXml = "authz-ldap.xml";
-
- private static final String pkcsXml = "authz-pkcs.xml";
-
- private static final String sslXml = "authz-ssl.xml";
-
- private static final String[] QUERY_REGIONS = { "/Portfolios", "/Positions",
- "/AuthRegion" };
-
- public static OperationCode[] READER_OPS = { OperationCode.GET,
- OperationCode.REGISTER_INTEREST, OperationCode.UNREGISTER_INTEREST,
- OperationCode.KEY_SET, OperationCode.CONTAINS_KEY, OperationCode.EXECUTE_FUNCTION };
-
- public static OperationCode[] WRITER_OPS = { OperationCode.PUT,
- OperationCode.DESTROY, OperationCode.INVALIDATE, OperationCode.REGION_CLEAR };
-
- public static OperationCode[] QUERY_OPS = { OperationCode.QUERY,
- OperationCode.EXECUTE_CQ, OperationCode.STOP_CQ, OperationCode.CLOSE_CQ };
-
- private static final byte READER_ROLE = 1;
-
- private static final byte WRITER_ROLE = 2;
-
- private static final byte QUERY_ROLE = 3;
-
- private static final byte ADMIN_ROLE = 4;
-
- private static Set readerOpsSet;
-
- private static Set writerOpsSet;
-
- private static Set queryOpsSet;
-
- private static Set queryRegionSet;
-
- static {
-
- readerOpsSet = new HashSet();
- for (int index = 0; index < READER_OPS.length; index++) {
- readerOpsSet.add(READER_OPS[index]);
- }
- writerOpsSet = new HashSet();
- for (int index = 0; index < WRITER_OPS.length; index++) {
- writerOpsSet.add(WRITER_OPS[index]);
- }
- queryOpsSet = new HashSet();
- for (int index = 0; index < QUERY_OPS.length; index++) {
- queryOpsSet.add(QUERY_OPS[index]);
- }
- queryRegionSet = new HashSet();
- for (int index = 0; index < QUERY_REGIONS.length; index++) {
- queryRegionSet.add(QUERY_REGIONS[index]);
- }
- }
-
- public XmlAuthzCredentialGenerator() {
- }
-
- protected Properties init() throws IllegalArgumentException {
-
- Properties sysProps = new Properties();
- String dirName = "/lib/";
- if (this.cGen.classCode().isDummy()) {
- String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + dummyXml);
- sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
- }
- else if (this.cGen.classCode().isLDAP()) {
- String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + ldapXml);
- sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
- }
- // else if (this.cGen.classCode().isPKCS()) {
- // sysProps
- // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + pkcsXml);
- // }
- // else if (this.cGen.classCode().isSSL()) {
- // sysProps
- // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + sslXml);
- // }
- else {
- throw new IllegalArgumentException(
- "No XML defined for XmlAuthorization module to work with "
- + this.cGen.getAuthenticator());
- }
- return sysProps;
- }
-
- public ClassCode classCode() {
- return ClassCode.XML;
- }
-
- public String getAuthorizationCallback() {
- return "templates.security.XmlAuthorization.create";
- }
-
- private Principal getDummyPrincipal(byte roleType, int index) {
-
- String[] admins = new String[] { "root", "admin", "administrator" };
- int numReaders = 3;
- int numWriters = 3;
-
- switch (roleType) {
- case READER_ROLE:
- return new UsernamePrincipal("reader" + (index % numReaders));
- case WRITER_ROLE:
- return new UsernamePrincipal("writer" + (index % numWriters));
- case QUERY_ROLE:
- return new UsernamePrincipal("reader" + ((index % 2) + 3));
- default:
- return new UsernamePrincipal(admins[index % admins.length]);
- }
- }
-
- private Principal getLdapPrincipal(byte roleType, int index) {
-
- final String userPrefix = "gemfire";
- final int[] readerIndices = { 3, 4, 5 };
- final int[] writerIndices = { 6, 7, 8 };
- final int[] queryIndices = { 9, 10 };
- final int[] adminIndices = { 1, 2 };
-
- switch (roleType) {
- case READER_ROLE:
- int readerIndex = readerIndices[index % readerIndices.length];
- return new UsernamePrincipal(userPrefix + readerIndex);
- case WRITER_ROLE:
- int writerIndex = writerIndices[index % writerIndices.length];
- return new UsernamePrincipal(userPrefix + writerIndex);
- case QUERY_ROLE:
- int queryIndex = queryIndices[index % queryIndices.length];
- return new UsernamePrincipal(userPrefix + queryIndex);
- default:
- int adminIndex = adminIndices[index % adminIndices.length];
- return new UsernamePrincipal(userPrefix + adminIndex);
- }
- }
-
- private byte getRequiredRole(OperationCode[] opCodes, String[] regionNames) {
-
- byte roleType = ADMIN_ROLE;
- boolean requiresReader = true;
- boolean requiresWriter = true;
- boolean requiresQuery = true;
-
- for (int opNum = 0; opNum < opCodes.length; opNum++) {
- OperationCode opCode = opCodes[opNum];
- if (requiresReader && !readerOpsSet.contains(opCode)) {
- requiresReader = false;
- }
- if (requiresWriter && !writerOpsSet.contains(opCode)) {
- requiresWriter = false;
- }
- if (requiresQuery && !queryOpsSet.contains(opCode)) {
- requiresQuery = false;
- }
- }
- if (requiresReader) {
- roleType = READER_ROLE;
- }
- else if (requiresWriter) {
- roleType = WRITER_ROLE;
- }
- else if (requiresQuery) {
- if (regionNames != null && regionNames.length > 0) {
- for (int index = 0; index < regionNames.length; index++) {
- String regionName = XmlAuthorization
- .normalizeRegionName(regionNames[index]);
- if (requiresQuery && !queryRegionSet.contains(regionName)) {
- requiresQuery = false;
- break;
- }
- }
- if (requiresQuery) {
- roleType = QUERY_ROLE;
- }
- }
- }
- return roleType;
- }
-
- protected Principal getAllowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- if (this.cGen.classCode().isDummy()) {
- byte roleType = getRequiredRole(opCodes, regionNames);
- return getDummyPrincipal(roleType, index);
- }
- else if (this.cGen.classCode().isLDAP()) {
- byte roleType = getRequiredRole(opCodes, regionNames);
- return getLdapPrincipal(roleType, index);
- }
- return null;
- }
-
- protected Principal getDisallowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- byte roleType = getRequiredRole(opCodes, regionNames);
- byte disallowedRoleType = READER_ROLE;
- switch (roleType) {
- case READER_ROLE:
- disallowedRoleType = WRITER_ROLE;
- break;
- case WRITER_ROLE:
- disallowedRoleType = READER_ROLE;
- break;
- case QUERY_ROLE:
- disallowedRoleType = READER_ROLE;
- break;
- case ADMIN_ROLE:
- disallowedRoleType = READER_ROLE;
- break;
- }
- if (this.cGen.classCode().isDummy()) {
- return getDummyPrincipal(disallowedRoleType, index);
- }
- else if (this.cGen.classCode().isLDAP()) {
- return getLdapPrincipal(disallowedRoleType, index);
- }
- return null;
- }
-
- protected int getNumPrincipalTries(OperationCode[] opCodes,
- String[] regionNames) {
- return 5;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/DummyAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/DummyAuthenticator.java b/gemfire-core/src/test/java/templates/security/DummyAuthenticator.java
deleted file mode 100644
index 5d33f22..0000000
--- a/gemfire-core/src/test/java/templates/security/DummyAuthenticator.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.security.Principal;
-import java.util.Properties;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import templates.security.UserPasswordAuthInit;
-import templates.security.UsernamePrincipal;
-
-/**
- * A dummy implementation of the {@link Authenticator} interface that expects a
- * user name and password allowing authentication depending on the format of the
- * user name.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class DummyAuthenticator implements Authenticator {
-
- public static Authenticator create() {
- return new DummyAuthenticator();
- }
-
- public DummyAuthenticator() {
- }
-
- public void init(Properties systemProps, LogWriter systemLogger,
- LogWriter securityLogger) throws AuthenticationFailedException {
- }
-
- public static boolean testValidName(String userName) {
-
- return (userName.startsWith("user") || userName.startsWith("reader")
- || userName.startsWith("writer") || userName.equals("admin")
- || userName.equals("root") || userName.equals("administrator"));
- }
-
- public Principal authenticate(Properties props, DistributedMember member)
- throws AuthenticationFailedException {
-
- String userName = props.getProperty(UserPasswordAuthInit.USER_NAME);
- if (userName == null) {
- throw new AuthenticationFailedException(
- "DummyAuthenticator: user name property ["
- + UserPasswordAuthInit.USER_NAME + "] not provided");
- }
- String password = props.getProperty(UserPasswordAuthInit.PASSWORD);
- if (password == null) {
- throw new AuthenticationFailedException(
- "DummyAuthenticator: password property ["
- + UserPasswordAuthInit.PASSWORD + "] not provided");
- }
-
- if (userName.equals(password) && testValidName(userName)) {
- return new UsernamePrincipal(userName);
- }
- else {
- throw new AuthenticationFailedException(
- "DummyAuthenticator: Invalid user name [" + userName
- + "], password supplied.");
- }
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/DummyAuthorization.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/DummyAuthorization.java b/gemfire-core/src/test/java/templates/security/DummyAuthorization.java
deleted file mode 100644
index fe8e908..0000000
--- a/gemfire-core/src/test/java/templates/security/DummyAuthorization.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.Set;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.NotAuthorizedException;
-
-/**
- * A dummy implementation of the <code>AccessControl</code> interface that
- * allows authorization depending on the format of the <code>Principal</code>
- * string.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class DummyAuthorization implements AccessControl {
-
- private Set allowedOps;
-
- private DistributedMember remoteDistributedMember;
-
- private LogWriter logger;
-
- public static final OperationCode[] READER_OPS = { OperationCode.GET,
- OperationCode.QUERY, OperationCode.EXECUTE_CQ, OperationCode.CLOSE_CQ,
- OperationCode.STOP_CQ, OperationCode.REGISTER_INTEREST,
- OperationCode.UNREGISTER_INTEREST, OperationCode.KEY_SET,
- OperationCode.CONTAINS_KEY, OperationCode.EXECUTE_FUNCTION };
-
- public static final OperationCode[] WRITER_OPS = { OperationCode.PUT, OperationCode.PUTALL,
- OperationCode.DESTROY, OperationCode.INVALIDATE, OperationCode.REGION_CLEAR };
-
- public DummyAuthorization() {
- this.allowedOps = new HashSet(20);
- }
-
- public static AccessControl create() {
- return new DummyAuthorization();
- }
-
- private void addReaderOps() {
-
- for (int index = 0; index < READER_OPS.length; index++) {
- this.allowedOps.add(READER_OPS[index]);
- }
- }
-
- private void addWriterOps() {
-
- for (int index = 0; index < WRITER_OPS.length; index++) {
- this.allowedOps.add(WRITER_OPS[index]);
- }
- }
-
- public void init(Principal principal,
- DistributedMember remoteMember,
- Cache cache) throws NotAuthorizedException {
-
- if (principal != null) {
- String name = principal.getName().toLowerCase();
- if (name != null) {
- if (name.equals("root") || name.equals("admin")
- || name.equals("administrator")) {
- addReaderOps();
- addWriterOps();
- this.allowedOps.add(OperationCode.REGION_CREATE);
- this.allowedOps.add(OperationCode.REGION_DESTROY);
- }
- else if (name.startsWith("writer")) {
- addWriterOps();
- }
- else if (name.startsWith("reader")) {
- addReaderOps();
- }
- }
- }
- this.remoteDistributedMember = remoteMember;
- this.logger = cache.getSecurityLogger();
- }
-
- public boolean authorizeOperation(String regionName, OperationContext context) {
-
- OperationCode opCode = context.getOperationCode();
- this.logger.fine("Invoked authorize operation for [" + opCode
- + "] in region [" + regionName + "] for client: " + remoteDistributedMember);
- return this.allowedOps.contains(opCode);
- }
-
- public void close() {
-
- this.allowedOps.clear();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/FunctionSecurityPrmsHolder.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/FunctionSecurityPrmsHolder.java b/gemfire-core/src/test/java/templates/security/FunctionSecurityPrmsHolder.java
deleted file mode 100755
index 76827bb..0000000
--- a/gemfire-core/src/test/java/templates/security/FunctionSecurityPrmsHolder.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.util.HashSet;
-
-/**
- * This is a sample class for objects which hold information of the authorized
- * function names and authorized value for the optimizeForWrite.
- *
- * @author Aneesh Karayil
- * @since 6.0
- */
-public class FunctionSecurityPrmsHolder {
-
- private final Boolean isOptimizeForWrite;
-
- private final HashSet<String> functionIds;
-
- private final HashSet<String> keySet;
-
- public FunctionSecurityPrmsHolder(Boolean isOptimizeForWrite,
- HashSet<String> functionIds, HashSet<String> keySet) {
- this.isOptimizeForWrite = isOptimizeForWrite;
- this.functionIds = functionIds;
- this.keySet = keySet;
- }
-
- public Boolean isOptimizeForWrite() {
- return isOptimizeForWrite;
- }
-
- public HashSet<String> getFunctionIds() {
- return functionIds;
- }
-
- public HashSet<String> getKeySet() {
- return keySet;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/LdapUserAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/LdapUserAuthenticator.java b/gemfire-core/src/test/java/templates/security/LdapUserAuthenticator.java
deleted file mode 100755
index db55219..0000000
--- a/gemfire-core/src/test/java/templates/security/LdapUserAuthenticator.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-
-import java.security.Principal;
-import java.util.Properties;
-import javax.naming.Context;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.InitialDirContext;
-
-/**
- * @author Kumar Neeraj
- * @since 5.5
- */
-public class LdapUserAuthenticator implements Authenticator {
-
- private String ldapServer = null;
-
- private String basedn = null;
-
- private String ldapUrlScheme = null;
-
- public static final String LDAP_SERVER_NAME = "security-ldap-server";
-
- public static final String LDAP_BASEDN_NAME = "security-ldap-basedn";
-
- public static final String LDAP_SSL_NAME = "security-ldap-usessl";
-
- public static Authenticator create() {
- return new LdapUserAuthenticator();
- }
-
- public LdapUserAuthenticator() {
- }
-
- public void init(Properties securityProps, LogWriter systemLogger,
- LogWriter securityLogger) throws AuthenticationFailedException {
- this.ldapServer = securityProps.getProperty(LDAP_SERVER_NAME);
- if (this.ldapServer == null || this.ldapServer.length() == 0) {
- throw new AuthenticationFailedException(
- "LdapUserAuthenticator: LDAP server property [" + LDAP_SERVER_NAME
- + "] not specified");
- }
- this.basedn = securityProps.getProperty(LDAP_BASEDN_NAME);
- if (this.basedn == null || this.basedn.length() == 0) {
- throw new AuthenticationFailedException(
- "LdapUserAuthenticator: LDAP base DN property [" + LDAP_BASEDN_NAME
- + "] not specified");
- }
- String sslStr = securityProps.getProperty(LDAP_SSL_NAME);
- if (sslStr != null && sslStr.toLowerCase().equals("true")) {
- this.ldapUrlScheme = "ldaps://";
- }
- else {
- this.ldapUrlScheme = "ldap://";
- }
- }
-
- public Principal authenticate(Properties props, DistributedMember member) {
-
- String userName = props.getProperty(UserPasswordAuthInit.USER_NAME);
- if (userName == null) {
- throw new AuthenticationFailedException(
- "LdapUserAuthenticator: user name property ["
- + UserPasswordAuthInit.USER_NAME + "] not provided");
- }
- String passwd = props.getProperty(UserPasswordAuthInit.PASSWORD);
- if (passwd == null) {
- passwd = "";
- }
-
- Properties env = new Properties();
- env
- .put(Context.INITIAL_CONTEXT_FACTORY,
- "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, this.ldapUrlScheme + this.ldapServer + '/'
- + this.basedn);
- String fullentry = "uid=" + userName + "," + this.basedn;
- env.put(Context.SECURITY_PRINCIPAL, fullentry);
- env.put(Context.SECURITY_CREDENTIALS, passwd);
- try {
- DirContext ctx = new InitialDirContext(env);
- ctx.close();
- }
- catch (Exception e) {
- //TODO:hitesh need to add getCause message
- throw new AuthenticationFailedException(
- "LdapUserAuthenticator: Failure with provided username, password "
- + "combination for user name: " + userName);
- }
- return new UsernamePrincipal(userName);
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/PKCSAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/PKCSAuthInit.java b/gemfire-core/src/test/java/templates/security/PKCSAuthInit.java
deleted file mode 100755
index d43b78e..0000000
--- a/gemfire-core/src/test/java/templates/security/PKCSAuthInit.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.GemFireSecurityException;
-
-import java.io.FileInputStream;
-import java.security.Key;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.cert.X509Certificate;
-import java.util.Properties;
-
-/**
- * An {@link AuthInitialize} implementation that obtains the digital signature
- * for use with PKCS scheme on server from the given set of properties.
- *
- * To use this class the <c>security-client-auth-init</c> property should be
- * set to the fully qualified name the static <code>create</code> function
- * viz. <code>templates.security.PKCSAuthInit.create</code>
- *
- * @author Kumar Neeraj
- * @since 5.5
- */
-public class PKCSAuthInit implements AuthInitialize {
-
- public static final String KEYSTORE_FILE_PATH = "security-keystorepath";
-
- public static final String KEYSTORE_ALIAS = "security-alias";
-
- public static final String KEYSTORE_PASSWORD = "security-keystorepass";
-
- public static final String SIGNATURE_DATA = "security-signature";
-
- protected LogWriter securitylog;
-
- protected LogWriter systemlog;
-
- public void close() {
- }
-
- public static AuthInitialize create() {
- return new PKCSAuthInit();
- }
-
- public PKCSAuthInit() {
- }
-
- public void init(LogWriter systemLogger, LogWriter securityLogger)
- throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- }
-
- public Properties getCredentials(Properties props, DistributedMember server,
- boolean isPeer) throws AuthenticationFailedException {
- String keyStorePath = props.getProperty(KEYSTORE_FILE_PATH);
- if (keyStorePath == null) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: key-store file path property [" + KEYSTORE_FILE_PATH
- + "] not set.");
- }
- String alias = props.getProperty(KEYSTORE_ALIAS);
- if (alias == null) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: key alias name property [" + KEYSTORE_ALIAS
- + "] not set.");
- }
- String keyStorePass = props.getProperty(KEYSTORE_PASSWORD);
-
- try {
- KeyStore ks = KeyStore.getInstance("PKCS12");
- char[] passPhrase = (keyStorePass != null ? keyStorePass.toCharArray()
- : null);
- FileInputStream certificatefile = new FileInputStream(keyStorePath);
- try {
- ks.load(certificatefile, passPhrase);
- }
- finally {
- certificatefile.close();
- }
-
- Key key = ks.getKey(alias, passPhrase);
-
- if (key instanceof PrivateKey) {
-
- PrivateKey privKey = (PrivateKey)key;
- X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
- Signature sig = Signature.getInstance(cert.getSigAlgName());
-
- sig.initSign(privKey);
- sig.update(alias.getBytes("UTF-8"));
- byte[] signatureBytes = sig.sign();
-
- Properties newprops = new Properties();
- newprops.put(KEYSTORE_ALIAS, alias);
- newprops.put(SIGNATURE_DATA, signatureBytes);
- return newprops;
- }
- else {
- throw new AuthenticationFailedException("PKCSAuthInit: "
- + "Failed to load private key from the given file: " + keyStorePath);
- }
- }
- catch (GemFireSecurityException ex) {
- throw ex;
- }
- catch (Exception ex) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: Exception while getting credentials: " + ex, ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/PKCSAuthenticator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/PKCSAuthenticator.java b/gemfire-core/src/test/java/templates/security/PKCSAuthenticator.java
deleted file mode 100755
index d3610c4..0000000
--- a/gemfire-core/src/test/java/templates/security/PKCSAuthenticator.java
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.GemFireSecurityException;
-
-import java.io.FileInputStream;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
-
-/**
- * @author kneeraj
- *
- */
-public class PKCSAuthenticator implements Authenticator {
-
- public static final String PUBLIC_KEY_FILE = "security-publickey-filepath";
-
- public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass";
-
- private String pubKeyFilePath;
-
- private String pubKeyPass;
-
- private Map aliasCertificateMap;
-
- protected LogWriter systemlog;
-
- protected LogWriter securitylog;
-
- public static Authenticator create() {
- return new PKCSAuthenticator();
- }
-
- public PKCSAuthenticator() {
- }
-
- private void populateMap() {
- try {
- KeyStore ks = KeyStore.getInstance("JKS");
- char[] passPhrase = (pubKeyPass != null ? pubKeyPass.toCharArray() : null);
- FileInputStream keystorefile = new FileInputStream(this.pubKeyFilePath);
- try {
- ks.load(keystorefile, passPhrase);
- }
- finally {
- keystorefile.close();
- }
- Enumeration e = ks.aliases();
- while (e.hasMoreElements()) {
- Object alias = e.nextElement();
- Certificate cert = ks.getCertificate((String)alias);
- if (cert instanceof X509Certificate) {
- this.aliasCertificateMap.put(alias, cert);
- }
- }
- }
- catch (Exception e) {
- throw new AuthenticationFailedException(
- "Exception while getting public keys: " + e.getMessage());
- }
- }
-
- public void init(Properties systemProps, LogWriter systemLogger,
- LogWriter securityLogger) throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- this.pubKeyFilePath = systemProps.getProperty(PUBLIC_KEY_FILE);
- if (this.pubKeyFilePath == null) {
- throw new AuthenticationFailedException("PKCSAuthenticator: property "
- + PUBLIC_KEY_FILE + " not specified as the public key file.");
- }
- this.pubKeyPass = systemProps.getProperty(PUBLIC_KEYSTORE_PASSWORD);
- this.aliasCertificateMap = new HashMap();
- populateMap();
- }
-
- private AuthenticationFailedException getException(String exStr,
- Exception cause) {
-
- String exMsg = "PKCSAuthenticator: Authentication of client failed due to: "
- + exStr;
- if (cause != null) {
- return new AuthenticationFailedException(exMsg, cause);
- }
- else {
- return new AuthenticationFailedException(exMsg);
- }
- }
-
- private AuthenticationFailedException getException(String exStr) {
- return getException(exStr, null);
- }
-
- private X509Certificate getCertificate(String alias)
- throws NoSuchAlgorithmException, InvalidKeySpecException {
- if (this.aliasCertificateMap.containsKey(alias)) {
- return (X509Certificate)this.aliasCertificateMap.get(alias);
- }
- return null;
- }
-
- public Principal authenticate(Properties props, DistributedMember member)
- throws AuthenticationFailedException {
- String alias = (String)props.get(PKCSAuthInit.KEYSTORE_ALIAS);
- if (alias == null || alias.length() <= 0) {
- throw new AuthenticationFailedException("No alias received");
- }
- try {
- X509Certificate cert = getCertificate(alias);
- if (cert == null) {
- throw getException("No certificate found for alias:" + alias);
- }
- byte[] signatureBytes = (byte[])props.get(PKCSAuthInit.SIGNATURE_DATA);
- if (signatureBytes == null) {
- throw getException("signature data property ["
- + PKCSAuthInit.SIGNATURE_DATA + "] not provided");
- }
- Signature sig = Signature.getInstance(cert.getSigAlgName());
- sig.initVerify(cert);
- sig.update(alias.getBytes("UTF-8"));
-
- if (!sig.verify(signatureBytes)) {
- throw getException("verification of client signature failed");
- }
- return new PKCSPrincipal(alias);
- }
- catch (GemFireSecurityException ex) {
- throw ex;
- }
- catch (Exception ex) {
- throw getException(ex.toString(), ex);
- }
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/PKCSPrincipal.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/PKCSPrincipal.java b/gemfire-core/src/test/java/templates/security/PKCSPrincipal.java
deleted file mode 100755
index 563689b..0000000
--- a/gemfire-core/src/test/java/templates/security/PKCSPrincipal.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.security.Principal;
-
-/**
- * @author kneeraj
- *
- */
-public class PKCSPrincipal implements Principal {
-
- private String alias;
-
- public PKCSPrincipal(String alias) {
- this.alias = alias;
- }
-
- public String getName() {
- return this.alias;
- }
-
- @Override
- public String toString() {
- return this.alias;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/UserPasswordAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/UserPasswordAuthInit.java b/gemfire-core/src/test/java/templates/security/UserPasswordAuthInit.java
deleted file mode 100644
index f4b6eec..0000000
--- a/gemfire-core/src/test/java/templates/security/UserPasswordAuthInit.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.util.Properties;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-
-/**
- * An {@link AuthInitialize} implementation that obtains the user name and
- * password as the credentials from the given set of properties.
- *
- * To use this class the <c>security-client-auth-init</c> property should be
- * set to the fully qualified name the static <code>create</code> function
- * viz. <code>templates.security.UserPasswordAuthInit.create</code>
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class UserPasswordAuthInit implements AuthInitialize {
-
- public static final String USER_NAME = "security-username";
-
- public static final String PASSWORD = "security-password";
-
- protected LogWriter securitylog;
-
- protected LogWriter systemlog;
-
- public static AuthInitialize create() {
- return new UserPasswordAuthInit();
- }
-
- public void init(LogWriter systemLogger, LogWriter securityLogger)
- throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- }
-
- public UserPasswordAuthInit() {
- }
-
- public Properties getCredentials(Properties props, DistributedMember server,
- boolean isPeer) throws AuthenticationFailedException {
-
- Properties newProps = new Properties();
- String userName = props.getProperty(USER_NAME);
- if (userName == null) {
- throw new AuthenticationFailedException(
- "UserPasswordAuthInit: user name property [" + USER_NAME
- + "] not set.");
- }
- newProps.setProperty(USER_NAME, userName);
- String passwd = props.getProperty(PASSWORD);
- // If password is not provided then use empty string as the password.
- if (passwd == null) {
- passwd = "";
- }
- newProps.setProperty(PASSWORD, passwd);
- return newProps;
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/templates/security/UsernamePrincipal.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/templates/security/UsernamePrincipal.java b/gemfire-core/src/test/java/templates/security/UsernamePrincipal.java
deleted file mode 100644
index 739dd52..0000000
--- a/gemfire-core/src/test/java/templates/security/UsernamePrincipal.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.io.Serializable;
-import java.security.Principal;
-
-/**
- * An implementation of {@link Principal} class for a simple user name.
- *
- * @author Kumar Neeraj
- * @since 5.5
- */
-public class UsernamePrincipal implements Principal, Serializable {
-
- private final String userName;
-
- public UsernamePrincipal(String userName) {
- this.userName = userName;
- }
-
- public String getName() {
- return this.userName;
- }
-
- @Override
- public String toString() {
- return this.userName;
- }
-
-}
[3/4] incubator-geode git commit: Repackage security test classes in
Apache Geode
Posted by kl...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/AuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/AuthzCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/AuthzCredentialGenerator.java
new file mode 100644
index 0000000..119ca38
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/AuthzCredentialGenerator.java
@@ -0,0 +1,450 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.AccessControl;
+import com.gemstone.gemfire.security.templates.DummyAuthorization;
+import com.gemstone.gemfire.security.templates.XmlAuthorization;
+
+/**
+ * Encapsulates obtaining authorized and unauthorized credentials for a given
+ * operation in a region. Implementations will be for different kinds of
+ * authorization scheme and authentication scheme combos.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+public abstract class AuthzCredentialGenerator {
+
+ /**
+ * Enumeration for various {@link AuthzCredentialGenerator} implementations.
+ *
+ * The following schemes are supported as of now:
+ * <ul>
+ * <li><code>DummyAuthorization</code> with <code>DummyAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>DummyAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>LDAPAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>PKCSAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> when using SSL sockets</li>
+ * </ul>
+ *
+ * To add a new authorization scheme the following needs to be done:
+ * <ul>
+ * <li>Add implementation for {@link AccessControl}.</li>
+ * <li>Choose the authentication schemes that it shall work with from
+ * {@link CredentialGenerator.ClassCode}</li>
+ * <li>Add a new enumeration value for the scheme in this class. Notice the
+ * size of <code>VALUES</code> array and increase that if it is getting
+ * overflowed. Note the methods and fields for existing schemes and add for
+ * the new one in a similar manner.</li>
+ * <li>Add an implementation for {@link AuthzCredentialGenerator}. Note the
+ * {@link AuthzCredentialGenerator#init} method where different authentication
+ * schemes can be passed and initialize differently for the authentication
+ * schemes that shall be handled.</li>
+ * <li>Modify the {@link AuthzCredentialGenerator#create} method to add
+ * creation of an instance of the new implementation for the
+ * <code>ClassCode</code> enumeration value.</li>
+ * </ul>
+ * All dunit tests will automagically start testing the new implementation
+ * after this.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+ public static final class ClassCode {
+
+ private static final byte ID_DUMMY = 1;
+
+ private static final byte ID_XML = 2;
+
+ private static byte nextOrdinal = 0;
+
+ private static final ClassCode[] VALUES = new ClassCode[10];
+
+ private static final Map<String, ClassCode> nameToClassCodeMap = new HashMap<String, ClassCode>();
+
+ public static final ClassCode DUMMY = new ClassCode(DummyAuthorization.class.getName() + ".create", ID_DUMMY);
+
+ public static final ClassCode XML = new ClassCode(XmlAuthorization.class.getName() + ".create", ID_XML);
+
+ /** The name of this class. */
+ private final String name;
+
+ /** byte used as ordinal to represent this class */
+ private final byte ordinal;
+
+ /**
+ * One of the following: ID_DUMMY, ID_LDAP, ID_PKI
+ */
+ private final byte classType;
+
+ /** Creates a new instance of class code. */
+ private ClassCode(String name, byte classType) {
+ this.name = name;
+ this.classType = classType;
+ this.ordinal = nextOrdinal++;
+ VALUES[this.ordinal] = this; // TODO: ctor instance leak
+ nameToClassCodeMap.put(name, this); // TODO: ctor instance leak
+ }
+
+ public boolean isDummy() {
+ return this.classType == ID_DUMMY;
+ }
+
+ public boolean isXml() {
+ return this.classType == ID_XML;
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified ordinal.
+ */
+ public static ClassCode fromOrdinal(byte ordinal) {
+ return VALUES[ordinal];
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified string.
+ */
+ public static ClassCode parse(String operationName) {
+ return nameToClassCodeMap.get(operationName);
+ }
+
+ /**
+ * Returns all the possible values.
+ */
+ public static List<ClassCode> getAll() {
+ List<ClassCode> codes = new ArrayList<ClassCode>();
+ for (ClassCode classCode : nameToClassCodeMap.values()) {
+ codes.add(classCode);
+ }
+ return codes;
+ }
+
+ /**
+ * Returns the ordinal for this class code.
+ *
+ * @return the ordinal of this class code.
+ */
+ public byte toOrdinal() {
+ return this.ordinal;
+ }
+
+ /**
+ * Returns a string representation for this class code.
+ *
+ * @return the name of this class code.
+ */
+ @Override
+ public final String toString() {
+ return this.name;
+ }
+
+ /**
+ * Indicates whether other object is same as this one.
+ *
+ * @return true if other object is same as this one.
+ */
+ @Override
+ public final boolean equals(final Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (!(obj instanceof ClassCode)) {
+ return false;
+ }
+ final ClassCode other = (ClassCode)obj;
+ return (other.ordinal == this.ordinal);
+ }
+
+ /**
+ * Indicates whether other <code>ClassCode</code> is same as this one.
+ *
+ * @return true if other <code>ClassCode</code> is same as this one.
+ */
+ public final boolean equals(final ClassCode opCode) {
+ return (opCode != null && opCode.ordinal == this.ordinal);
+ }
+
+ /**
+ * Returns a hash code value for this <code>ClassCode</code> which is the
+ * same as its ordinal.
+ *
+ * @return the ordinal of this <code>ClassCode</code>.
+ */
+ @Override
+ public final int hashCode() {
+ return this.ordinal;
+ }
+
+ }
+
+ /**
+ * The {@link CredentialGenerator} being used.
+ */
+ protected CredentialGenerator cGen;
+
+ /**
+ * A set of system properties that should be added to the gemfire system
+ * properties before using the authorization module.
+ */
+ private Properties sysProps;
+
+ /**
+ * A factory method to create a new instance of an
+ * {@link AuthzCredentialGenerator} for the given {@link ClassCode}. Caller
+ * is supposed to invoke {@link AuthzCredentialGenerator#init} immediately
+ * after obtaining the instance.
+ *
+ * @param classCode
+ * the <code>ClassCode</code> of the
+ * <code>AuthzCredentialGenerator</code> implementation
+ *
+ * @return an instance of <code>AuthzCredentialGenerator</code> for the
+ * given class code
+ */
+ public static AuthzCredentialGenerator create(ClassCode classCode) {
+ switch (classCode.classType) {
+ case ClassCode.ID_DUMMY:
+ return new DummyAuthzCredentialGenerator();
+ case ClassCode.ID_XML:
+ return new XmlAuthzCredentialGenerator();
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Initialize the authorized credential generator.
+ *
+ * @param cGen
+ * an instance of {@link CredentialGenerator} of the credential
+ * implementation for which to obtain authorized/unauthorized
+ * credentials.
+ *
+ * @return false when the given {@link CredentialGenerator} is incompatible
+ * with this authorization module.
+ */
+ public boolean init(CredentialGenerator cGen) {
+ this.cGen = cGen;
+ try {
+ this.sysProps = init();
+ }
+ catch (IllegalArgumentException ex) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getSystemProperties() {
+ return this.sysProps;
+ }
+
+ /**
+ * Get the {@link CredentialGenerator} being used by this instance.
+ */
+ public CredentialGenerator getCredentialGenerator() {
+ return this.cGen;
+ }
+
+ /**
+ * The {@link ClassCode} of the particular implementation.
+ *
+ * @return the <code>ClassCode</code>
+ */
+ public abstract ClassCode classCode();
+
+ /**
+ * The name of the {@link AccessControl} factory function that should be used
+ * as the authorization module on the server side.
+ *
+ * @return name of the <code>AccessControl</code> factory function
+ */
+ public abstract String getAuthorizationCallback();
+
+ /**
+ * Get a set of credentials generated using the given index allowed to perform
+ * the given {@link OperationCode}s for the given regions.
+ *
+ * @param opCodes
+ * the list of {@link OperationCode}s of the operations
+ * requiring authorization; should not be null
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ * @param index
+ * used to generate multiple such credentials by passing
+ * different values for this
+ *
+ * @return the set of credentials authorized to perform the given operation in
+ * the given regions
+ */
+ public Properties getAllowedCredentials(OperationCode[] opCodes, String[] regionNames, int index) {
+ int numTries = getNumPrincipalTries(opCodes, regionNames);
+ if (numTries <= 0) {
+ numTries = 1;
+ }
+ for (int tries = 0; tries < numTries; tries++) {
+ Principal principal = getAllowedPrincipal(opCodes, regionNames, (index + tries) % numTries);
+ try {
+ return this.cGen.getValidCredentials(principal);
+ }
+ catch (IllegalArgumentException ex) {
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get a set of credentials generated using the given index not allowed to
+ * perform the given {@link OperationCode}s for the given regions. The
+ * credentials are required to be valid for authentication.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization failure; should not be null
+ * @param regionNames
+ * list of the region names requiring authorization failure; a
+ * value of null indicates all regions
+ * @param index
+ * used to generate multiple such credentials by passing
+ * different values for this
+ *
+ * @return the set of credentials that are not authorized to perform the given
+ * operation in the given region
+ */
+ public Properties getDisallowedCredentials(OperationCode[] opCodes, String[] regionNames, int index) {
+
+ // This may not be very correct since we use the value of
+ // getNumPrincipalTries() but is used to avoid adding another method.
+ // Also something like getNumDisallowedPrincipals() will be normally always
+ // infinite, and the number here is just to perform some number of tries
+ // before giving up.
+ int numTries = getNumPrincipalTries(opCodes, regionNames);
+ if (numTries <= 0) {
+ numTries = 1;
+ }
+ for (int tries = 0; tries < numTries; tries++) {
+ Principal principal = getDisallowedPrincipal(opCodes, regionNames, (index + tries) % numTries);
+ try {
+ return this.cGen.getValidCredentials(principal);
+ }
+ catch (IllegalArgumentException ex) {
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Initialize the authorized credential generator.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ *
+ * @throws IllegalArgumentException
+ * when the {@link CredentialGenerator} is incompatible with
+ * this authorization module.
+ */
+ protected abstract Properties init() throws IllegalArgumentException;
+
+ /**
+ * Get the number of tries to be done for obtaining valid credentials for the
+ * given operations in the given region. It is required that
+ * {@link #getAllowedPrincipal} method returns valid principals for values of
+ * <code>index</code> from 0 through (n-1) where <code>n</code> is the
+ * value returned by this method. It is recommended that the principals so
+ * returned be unique for efficiency.
+ *
+ * This will be used by {@link #getAllowedCredentials} to step through
+ * different principals and obtain a set of valid credentials.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ *
+ * @return the number of principals allowed to perform the given operation in
+ * the given region
+ */
+ protected abstract int getNumPrincipalTries(OperationCode[] opCodes, String[] regionNames);
+
+ /**
+ * Get a {@link Principal} generated using the given index allowed to perform
+ * the given {@link OperationCode}s for the given region.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ * @param index
+ * used to generate multiple such principals by passing
+ * different values for this
+ *
+ * @return the {@link Principal} authorized to perform the given operation in
+ * the given region
+ */
+ protected abstract Principal getAllowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index);
+
+ /**
+ * Get a {@link Principal} generated using the given index not allowed to
+ * perform the given {@link OperationCode}s for the given region.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization failure
+ * @param regionNames
+ * list of the region names requiring authorization failure; a
+ * value of null indicates all regions
+ * @param index
+ * used to generate multiple such principals by passing
+ * different values for this
+ *
+ * @return a {@link Principal} not authorized to perform the given operation
+ * in the given region
+ */
+ protected abstract Principal getDisallowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index);
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/CredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/CredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/CredentialGenerator.java
new file mode 100644
index 0000000..621c3ca
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/CredentialGenerator.java
@@ -0,0 +1,339 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.Authenticator;
+import com.gemstone.gemfire.security.templates.DummyAuthenticator;
+import com.gemstone.gemfire.security.templates.LdapUserAuthenticator;
+import com.gemstone.gemfire.security.templates.PKCSAuthenticator;
+
+/**
+ * Encapsulates obtaining valid and invalid credentials. Implementations will be
+ * for different kinds of authentication schemes.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+public abstract class CredentialGenerator {
+
+ /**
+ * Enumeration for various {@link CredentialGenerator} implementations.
+ *
+ * The following schemes are supported as of now:
+ * <code>DummyAuthenticator</code>, <code>LdapUserAuthenticator</code>,
+ * <code>PKCSAuthenticator</code>. In addition SSL socket mode with mutual
+ * authentication is also supported.
+ *
+ * To add a new authentication scheme the following needs to be done:
+ * <ul>
+ * <li>Add implementations for {@link AuthInitialize} and
+ * {@link Authenticator} classes for clients/peers.</li>
+ * <li>Add a new enumeration value for the scheme in this class. Notice the
+ * size of <code>VALUES</code> array and increase that if it is getting
+ * overflowed. Note the methods and fields for existing schemes and add for
+ * the new one in a similar manner.</li>
+ * <li>Add an implementation for {@link CredentialGenerator}.</li>
+ * <li>Modify the CredentialGenerator.Factory#create [no such Factory exists] method to add
+ * creation of an instance of the new implementation for the
+ * <code>ClassCode</code> enumeration value.</li>
+ * </ul>
+ * All security dunit tests will automagically start testing the new
+ * implementation after this.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+ public static final class ClassCode {
+
+ private static final byte ID_DUMMY = 1;
+
+ private static final byte ID_LDAP = 2;
+
+ private static final byte ID_PKCS = 3;
+
+ private static final byte ID_SSL = 4;
+
+ private static byte nextOrdinal = 0;
+
+ private static final ClassCode[] VALUES = new ClassCode[10];
+
+ private static final Map<String, ClassCode> nameToClassCodeMap = new HashMap<String, ClassCode>();
+
+ public static final ClassCode DUMMY = new ClassCode(DummyAuthenticator.class.getName() + ".create", ID_DUMMY);
+
+ public static final ClassCode LDAP = new ClassCode(LdapUserAuthenticator.class.getName() + ".create", ID_LDAP);
+
+ public static final ClassCode PKCS = new ClassCode(PKCSAuthenticator.class.getName() + ".create", ID_PKCS);
+
+ public static final ClassCode SSL = new ClassCode("SSL", ID_SSL);
+
+ /** The name of this class. */
+ private final String name;
+
+ /** byte used as ordinal to represent this class */
+ private final byte ordinal;
+
+ /**
+ * One of the following: ID_DUMMY, ID_LDAP, ID_PKCS
+ */
+ private final byte classType;
+
+ /** Creates a new instance of class code. */
+ private ClassCode(String name, byte classType) {
+ this.name = name;
+ this.classType = classType;
+ this.ordinal = nextOrdinal++;
+ VALUES[this.ordinal] = this; // TODO: ctor instance leak
+ nameToClassCodeMap.put(name, this); // TODO: ctor instance leak
+ }
+
+ public boolean isDummy() {
+ return this.classType == ID_DUMMY;
+ }
+
+ public boolean isLDAP() {
+ return this.classType == ID_LDAP;
+ }
+
+ public boolean isPKCS() {
+ return this.classType == ID_PKCS;
+ }
+
+ public boolean isSSL() {
+ return this.classType == ID_SSL;
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified ordinal.
+ */
+ public static ClassCode fromOrdinal(byte ordinal) {
+ return VALUES[ordinal];
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified string.
+ */
+ public static ClassCode parse(String operationName) {
+ return nameToClassCodeMap.get(operationName);
+ }
+
+ /**
+ * Returns all the possible values.
+ */
+ public static List<ClassCode> getAll() {
+ List<ClassCode> codes = new ArrayList<ClassCode>();
+ for (ClassCode classCode : nameToClassCodeMap.values()) {
+ codes.add(classCode);
+ }
+ return codes;
+ }
+
+ /**
+ * Returns the ordinal for this operation code.
+ *
+ * @return the ordinal of this operation.
+ */
+ public byte toOrdinal() {
+ return this.ordinal;
+ }
+
+ /**
+ * Returns a string representation for this operation.
+ *
+ * @return the name of this operation.
+ */
+ @Override
+ public final String toString() {
+ return this.name;
+ }
+
+ /**
+ * Indicates whether other object is same as this one.
+ *
+ * @return true if other object is same as this one.
+ */
+ @Override
+ public final boolean equals(final Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (!(obj instanceof ClassCode)) {
+ return false;
+ }
+ final ClassCode other = (ClassCode)obj;
+ return (other.ordinal == this.ordinal);
+ }
+
+ /**
+ * Indicates whether other <code>ClassCode</code> is same as this one.
+ *
+ * @return true if other <code>ClassCode</code> is same as this one.
+ */
+ public final boolean equals(final ClassCode opCode) {
+ return opCode != null && opCode.ordinal == this.ordinal;
+ }
+
+ /**
+ * Returns a hash code value for this <code>ClassCode</code> which is the
+ * same as its ordinal.
+ *
+ * @return the ordinal of this operation.
+ */
+ @Override
+ public final int hashCode() {
+ return this.ordinal;
+ }
+
+ }
+
+ /**
+ * A set of properties that should be added to the Gemfire system properties
+ * before using the authentication module.
+ */
+ private Properties sysProps = null;
+
+ /**
+ * A set of properties that should be added to the java system properties
+ * before using the authentication module.
+ */
+ protected Properties javaProps = null;
+
+ /**
+ * A factory method to create a new instance of an {@link CredentialGenerator}
+ * for the given {@link ClassCode}. Caller is supposed to invoke
+ * {@link CredentialGenerator#init} immediately after obtaining the instance.
+ *
+ * @param classCode
+ * the <code>ClassCode</code> of the
+ * <code>CredentialGenerator</code> implementation
+ *
+ * @return an instance of <code>CredentialGenerator</code> for the given
+ * class code
+ */
+ public static CredentialGenerator create(ClassCode classCode) {
+ switch (classCode.classType) {
+ // Removing dummy one to reduce test run times
+ // case ClassCode.ID_DUMMY:
+ // return new DummyCredentialGenerator();
+ case ClassCode.ID_LDAP:
+ return new LdapUserCredentialGenerator();
+ // case ClassCode.ID_SSL:ΓΈ
+ // return new SSLCredentialGenerator();
+ case ClassCode.ID_PKCS:
+ return new PKCSCredentialGenerator();
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Initialize the credential generator.
+ *
+ * @throws IllegalArgumentException
+ * when there is a problem during initialization
+ */
+ public void init() throws IllegalArgumentException {
+ this.sysProps = initialize();
+ }
+
+ /**
+ * Initialize the credential generator. This is provided separately from the
+ * {@link #init} method for convenience of implementations so that they do not
+ * need to store in {@link #sysProps}. The latter is convenient for the users
+ * who do not need to store these properties rather can obtain it later by
+ * invoking {@link #getSystemProperties}
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ *
+ * @throws IllegalArgumentException
+ * when there is a problem during initialization
+ */
+ protected abstract Properties initialize() throws IllegalArgumentException;
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getSystemProperties() {
+ return this.sysProps;
+ }
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getJavaProperties() {
+ return this.javaProps;
+ }
+
+ /**
+ * The {@link ClassCode} of this particular implementation.
+ *
+ * @return the <code>ClassCode</code>
+ */
+ public abstract ClassCode classCode();
+
+ /**
+ * The name of the {@link AuthInitialize} factory function that should be used
+ * in conjunction with the credentials generated by this generator.
+ *
+ * @return name of the <code>AuthInitialize</code> factory function
+ */
+ public abstract String getAuthInit();
+
+ /**
+ * The name of the {@link Authenticator} factory function that should be used
+ * in conjunction with the credentials generated by this generator.
+ *
+ * @return name of the <code>Authenticator</code> factory function
+ */
+ public abstract String getAuthenticator();
+
+ /**
+ * Get a set of valid credentials generated using the given index.
+ */
+ public abstract Properties getValidCredentials(int index);
+
+ /**
+ * Get a set of valid credentials for the given {@link Principal}.
+ *
+ * @return credentials for the given <code>Principal</code> or null if none
+ * possible.
+ */
+ public abstract Properties getValidCredentials(Principal principal);
+
+ /**
+ * Get a set of invalid credentials generated using the given index.
+ */
+ public abstract Properties getInvalidCredentials(int index);
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyAuthzCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyAuthzCredentialGenerator.java
new file mode 100644
index 0000000..c8b6986
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyAuthzCredentialGenerator.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.templates.DummyAuthorization;
+import com.gemstone.gemfire.security.templates.UsernamePrincipal;
+
+public class DummyAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+ public static final byte READER_ROLE = 1;
+
+ public static final byte WRITER_ROLE = 2;
+
+ public static final byte ADMIN_ROLE = 3;
+
+ private static final String DUMMY_AUTHORIZATION_CREATE_NAME = DummyAuthorization.class.getName() + ".create";
+
+ private static Set<OperationCode> readerOpsSet;
+
+ private static Set<OperationCode> writerOpsSet;
+
+ static {
+
+ readerOpsSet = new HashSet<OperationCode>();
+ for (int index = 0; index < DummyAuthorization.READER_OPS.length; index++) {
+ readerOpsSet.add(DummyAuthorization.READER_OPS[index]);
+ }
+ writerOpsSet = new HashSet<OperationCode>();
+ for (int index = 0; index < DummyAuthorization.WRITER_OPS.length; index++) {
+ writerOpsSet.add(DummyAuthorization.WRITER_OPS[index]);
+ }
+ }
+
+ public DummyAuthzCredentialGenerator() {
+ }
+
+ @Override
+ protected Properties init() throws IllegalArgumentException {
+
+ if (!this.cGen.classCode().isDummy()) {
+ throw new IllegalArgumentException("DummyAuthorization module only works with DummyAuthenticator");
+ }
+ return null;
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.DUMMY;
+ }
+
+ @Override
+ public String getAuthorizationCallback() {
+ return DUMMY_AUTHORIZATION_CREATE_NAME;
+ }
+
+ public static byte getRequiredRole(OperationCode[] opCodes) {
+
+ byte roleType = ADMIN_ROLE;
+ boolean requiresReader = true;
+ boolean requiresWriter = true;
+
+ for (int opNum = 0; opNum < opCodes.length; opNum++) {
+ if (requiresReader && !readerOpsSet.contains(opCodes[opNum])) {
+ requiresReader = false;
+ }
+ if (requiresWriter && !writerOpsSet.contains(opCodes[opNum])) {
+ requiresWriter = false;
+ }
+ }
+ if (requiresReader) {
+ roleType = READER_ROLE;
+ }
+ else if (requiresWriter) {
+ roleType = WRITER_ROLE;
+ }
+ return roleType;
+ }
+
+ private Principal getPrincipal(byte roleType, int index) {
+
+ String[] admins = new String[] { "root", "admin", "administrator" };
+ switch (roleType) {
+ case READER_ROLE:
+ return new UsernamePrincipal("reader" + index);
+ case WRITER_ROLE:
+ return new UsernamePrincipal("writer" + index);
+ default:
+ return new UsernamePrincipal(admins[index % admins.length]);
+ }
+ }
+
+ @Override
+ protected Principal getAllowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes);
+ return getPrincipal(roleType, index);
+ }
+
+ @Override
+ protected Principal getDisallowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes);
+ byte disallowedRoleType;
+ switch (roleType) {
+ case READER_ROLE:
+ disallowedRoleType = WRITER_ROLE;
+ break;
+ case WRITER_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ default:
+ disallowedRoleType = READER_ROLE;
+ break;
+ }
+ return getPrincipal(disallowedRoleType, index);
+ }
+
+ @Override
+ protected int getNumPrincipalTries(OperationCode[] opCodes, String[] regionNames) {
+ return 5;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyCredentialGenerator.java
new file mode 100644
index 0000000..5d25a99
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/DummyCredentialGenerator.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.templates.DummyAuthenticator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+
+public class DummyCredentialGenerator extends CredentialGenerator {
+
+ private static final String DUMMY_AUTHENTICATOR_CREATE_NAME = DummyAuthenticator.class.getName() + ".create";
+
+ private static final String USER_PASSWORD_AUTH_INIT_CREATE_NAME = UserPasswordAuthInit.class.getName() + ".create";
+
+ public DummyCredentialGenerator() {
+ }
+
+ @Override
+ protected Properties initialize() throws IllegalArgumentException {
+ return null;
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.DUMMY;
+ }
+
+ @Override
+ public String getAuthInit() {
+ return USER_PASSWORD_AUTH_INIT_CREATE_NAME;
+ }
+
+ @Override
+ public String getAuthenticator() {
+ return DUMMY_AUTHENTICATOR_CREATE_NAME;
+ }
+
+ @Override
+ public Properties getValidCredentials(int index) {
+
+ String[] validGroups = new String[] { "admin", "user", "reader", "writer" };
+ String[] admins = new String[] { "root", "admin", "administrator" };
+
+ Properties props = new Properties();
+ int groupNum = (index % validGroups.length);
+ String userName;
+ if (groupNum == 0) {
+ userName = admins[index % admins.length];
+ }
+ else {
+ userName = validGroups[groupNum] + (index / validGroups.length);
+ }
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ return props;
+ }
+
+ @Override
+ public Properties getValidCredentials(Principal principal) {
+
+ String userName = principal.getName();
+ if (DummyAuthenticator.testValidName(userName)) {
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ return props;
+ }
+ else {
+ throw new IllegalArgumentException("Dummy: [" + userName + "] is not a valid user");
+ }
+ }
+
+ @Override
+ public Properties getInvalidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/LdapUserCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/LdapUserCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/LdapUserCredentialGenerator.java
new file mode 100644
index 0000000..e017636
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/LdapUserCredentialGenerator.java
@@ -0,0 +1,154 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.cache.tier.sockets.HandShake;
+import com.gemstone.gemfire.security.templates.LdapUserAuthenticator;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+import java.util.Random;
+
+public class LdapUserCredentialGenerator extends CredentialGenerator {
+
+ private static final String USER_PREFIX = "gemfire";
+
+ private static boolean enableServerAuthentication = false;
+
+ private boolean serverAuthEnabled = false;
+
+ private static final Random prng = new Random();
+
+ private static final String[] algos = new String[] { "", "DESede", "AES:128", "Blowfish:128" };
+
+ private static final String USER_PASSWORD_AUTH_INIT_CREATE_NAME = UserPasswordAuthInit.class.getName() + ".create";
+
+ private static final String LDAP_USER_AUTHENTICATOR_CREATE_NAME = LdapUserAuthenticator.class.getName() + ".create";
+
+ public LdapUserCredentialGenerator() {
+ // Toggle server authentication enabled for each test
+ // This is done instead of running all the tests with both
+ // server auth enabled/disabled to reduce test run time.
+ enableServerAuthentication = !enableServerAuthentication;
+ serverAuthEnabled = enableServerAuthentication;
+ }
+
+ @Override
+ protected Properties initialize() throws IllegalArgumentException {
+
+ Properties extraProps = new Properties();
+ String ldapServer = System.getProperty("gf.ldap.server", "ldap");
+ String ldapBaseDN = System.getProperty("gf.ldap.basedn", "ou=ldapTesting,dc=pune,dc=gemstone,dc=com");
+ String ldapUseSSL = System.getProperty("gf.ldap.usessl");
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_SERVER_NAME, ldapServer);
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_BASEDN_NAME, ldapBaseDN);
+ if (ldapUseSSL != null && ldapUseSSL.length() > 0) {
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_SSL_NAME, ldapUseSSL);
+ }
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(LdapUserCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/gemfire1.keystore");
+ extraProps.setProperty(HandShake.PRIVATE_KEY_FILE_PROP, keyStoreFile);
+ extraProps.setProperty(HandShake.PRIVATE_KEY_ALIAS_PROP, "gemfire1");
+ extraProps.setProperty(HandShake.PRIVATE_KEY_PASSWD_PROP, "gemfire");
+ }
+ return extraProps;
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.LDAP;
+ }
+
+ @Override
+ public String getAuthInit() {
+ return USER_PASSWORD_AUTH_INIT_CREATE_NAME;
+ }
+
+ @Override
+ public String getAuthenticator() {
+ return LDAP_USER_AUTHENTICATOR_CREATE_NAME;
+ }
+
+ @Override
+ public Properties getValidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, USER_PREFIX + ((index % 10) + 1));
+ props.setProperty(UserPasswordAuthInit.PASSWORD, USER_PREFIX + ((index % 10) + 1));
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME, algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+ @Override
+ public Properties getValidCredentials(Principal principal) {
+
+ Properties props = null;
+ String userName = principal.getName();
+ if (userName != null && userName.startsWith(USER_PREFIX)) {
+ boolean isValid;
+ try {
+ int suffix = Integer.parseInt(userName.substring(USER_PREFIX.length()));
+ isValid = (suffix >= 1 && suffix <= 10);
+ }
+ catch (Exception ex) {
+ isValid = false;
+ }
+ if (isValid) {
+ props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ }
+ }
+ if (props == null) {
+ throw new IllegalArgumentException("LDAP: [" + userName + "] not a valid user");
+ }
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME, algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+ @Override
+ public Properties getInvalidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME, algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/PKCSCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/PKCSCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/PKCSCredentialGenerator.java
new file mode 100644
index 0000000..0ead2ee
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/PKCSCredentialGenerator.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.templates.PKCSAuthInit;
+import com.gemstone.gemfire.security.templates.PKCSAuthenticator;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+/**
+ * @author kneeraj
+ *
+ */
+public class PKCSCredentialGenerator extends CredentialGenerator {
+
+ public static String keyStoreDir = getKeyStoreDir();
+
+ public static boolean usesIBMJSSE;
+
+ private static final String PKCS_AUTH_INIT_CREATE_NAME = PKCSAuthInit.class.getName() + ".create";
+
+ private static final String PKCS_AUTHENTICATOR_CREATE_NAME = PKCSAuthenticator.class.getName() + ".create";
+
+ // Checks if the current JVM uses only IBM JSSE providers.
+ private static boolean usesIBMProviders() {
+ Provider[] providers = Security.getProviders();
+ for (int index = 0; index < providers.length; ++index) {
+ if (!providers[index].getName().toLowerCase().startsWith("ibm")) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ private static String getKeyStoreDir() {
+ usesIBMJSSE = usesIBMProviders();
+ if (usesIBMJSSE) {
+ return "/lib/keys/ibm";
+ }
+ else {
+ return "/lib/keys";
+ }
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.PKCS;
+ }
+
+
+ @Override
+ public String getAuthInit() {
+ return PKCS_AUTH_INIT_CREATE_NAME;
+ }
+
+ @Override
+ public String getAuthenticator() {
+ return PKCS_AUTHENTICATOR_CREATE_NAME;
+ }
+
+ @Override
+ public Properties getInvalidCredentials(int index) {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire11.keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire11");
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ @Override
+ public Properties getValidCredentials(int index) {
+ Properties props = new Properties();
+ int aliasnum = (index % 10) + 1;
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire" + aliasnum + ".keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire" + aliasnum);
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ @Override
+ public Properties getValidCredentials(Principal principal) {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + principal.getName() + ".keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, principal.getName());
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ @Override
+ protected Properties initialize() throws IllegalArgumentException {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/publickeyfile");
+ props.setProperty(PKCSAuthenticator.PUBLIC_KEY_FILE, keyStoreFile);
+ props.setProperty(PKCSAuthenticator.PUBLIC_KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/SSLCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/SSLCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/SSLCredentialGenerator.java
new file mode 100644
index 0000000..f17a732
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/SSLCredentialGenerator.java
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.util.CredentialGenerator;
+
+public class SSLCredentialGenerator extends CredentialGenerator {
+
+ private File findTrustedJKS() {
+ File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+ return new File(ssldir, "trusted.keystore");
+ }
+
+ private File findUntrustedJKS() {
+ File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+ return new File(ssldir, "untrusted.keystore");
+ }
+
+ private Properties getValidJavaSSLProperties() {
+ File jks = findTrustedJKS();
+ try {
+ Properties props = new Properties();
+ props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.trustStorePassword", "password");
+ props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.keyStorePassword", "password");
+ return props;
+ }
+ catch (IOException ex) {
+ throw new AuthenticationFailedException("SSL: Exception while opening the key store: " + ex);
+ }
+ }
+
+ private Properties getInvalidJavaSSLProperties() {
+ File jks = findUntrustedJKS();
+ try {
+ Properties props = new Properties();
+ props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.trustStorePassword", "password");
+ props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.keyStorePassword", "password");
+ return props;
+ }
+ catch (IOException ex) {
+ throw new AuthenticationFailedException("SSL: Exception while opening the key store: " + ex);
+ }
+ }
+
+ private Properties getSSLProperties() {
+ Properties props = new Properties();
+ props.setProperty("ssl-enabled", "true");
+ props.setProperty("ssl-require-authentication", "true");
+ props.setProperty("ssl-ciphers", "SSL_RSA_WITH_RC4_128_MD5");
+ props.setProperty("ssl-protocols", "TLSv1");
+ return props;
+ }
+
+ @Override
+ protected Properties initialize() throws IllegalArgumentException {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.SSL;
+ }
+
+ @Override
+ public String getAuthInit() {
+ return null;
+ }
+
+ @Override
+ public String getAuthenticator() {
+ return null;
+ }
+
+ @Override
+ public Properties getValidCredentials(int index) {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ @Override
+ public Properties getValidCredentials(Principal principal) {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ @Override
+ public Properties getInvalidCredentials(int index) {
+ this.javaProps = getInvalidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/UserPasswordWithExtraPropsAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/UserPasswordWithExtraPropsAuthInit.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/UserPasswordWithExtraPropsAuthInit.java
new file mode 100644
index 0000000..49ddaf7
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/UserPasswordWithExtraPropsAuthInit.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.util.Properties;
+
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import com.gemstone.gemfire.security.templates.UserPasswordAuthInit;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the user name and
+ * password as the credentials from the given set of properties. If
+ * keep-extra-props property exits, it will copy rest of the
+ * properties provided in getCredential props argument will also be
+ * copied as new credentials.
+ *
+ * @author Soubhik
+ * @since 5.5
+ */
+public class UserPasswordWithExtraPropsAuthInit extends UserPasswordAuthInit {
+
+ public static final String EXTRA_PROPS = "security-keep-extra-props";
+
+ public static final String SECURITY_PREFIX = "security-";
+
+ public static AuthInitialize create() {
+ return new UserPasswordWithExtraPropsAuthInit();
+ }
+
+ public UserPasswordWithExtraPropsAuthInit() {
+ super();
+ }
+
+ @Override
+ public Properties getCredentials(Properties props, DistributedMember server, boolean isPeer) throws AuthenticationFailedException {
+
+ Properties newProps = super.getCredentials(props, server, isPeer);
+ String extraProps = props.getProperty(EXTRA_PROPS);
+ if (extraProps != null) {
+ for (Object keyObject : props.keySet()) {
+ String key = (String)keyObject;
+ if (key.startsWith(SECURITY_PREFIX) &&
+ key.equalsIgnoreCase(USER_NAME) == false &&
+ key.equalsIgnoreCase(PASSWORD) == false &&
+ key.equalsIgnoreCase(EXTRA_PROPS) == false) {
+ newProps.setProperty(key, props.getProperty(key));
+ }
+ }
+ this.securitylog.fine("got everything and now have: " + newProps.keySet().toString());
+ }
+ return newProps;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/XmlAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/XmlAuthzCredentialGenerator.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/XmlAuthzCredentialGenerator.java
new file mode 100644
index 0000000..1808598
--- /dev/null
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/util/XmlAuthzCredentialGenerator.java
@@ -0,0 +1,275 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.gemstone.gemfire.security.util;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.templates.UsernamePrincipal;
+import com.gemstone.gemfire.security.templates.XmlAuthorization;
+import com.gemstone.gemfire.util.test.TestUtil;
+
+public class XmlAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+ private static final String dummyXml = "authz-dummy.xml";
+
+ private static final String ldapXml = "authz-ldap.xml";
+
+ private static final String pkcsXml = "authz-pkcs.xml";
+
+ private static final String sslXml = "authz-ssl.xml";
+
+ private static final String[] QUERY_REGIONS = { "/Portfolios", "/Positions", "/AuthRegion" };
+
+ private static final String XML_AUTHORIZATION_CREATE_NAME = XmlAuthorization.class.getName() + ".create";
+
+ public static OperationCode[] READER_OPS = {
+ OperationCode.GET,
+ OperationCode.REGISTER_INTEREST,
+ OperationCode.UNREGISTER_INTEREST,
+ OperationCode.KEY_SET,
+ OperationCode.CONTAINS_KEY,
+ OperationCode.EXECUTE_FUNCTION
+ };
+
+ public static OperationCode[] WRITER_OPS = {
+ OperationCode.PUT,
+ OperationCode.DESTROY,
+ OperationCode.INVALIDATE,
+ OperationCode.REGION_CLEAR
+ };
+
+ public static OperationCode[] QUERY_OPS = {
+ OperationCode.QUERY,
+ OperationCode.EXECUTE_CQ,
+ OperationCode.STOP_CQ,
+ OperationCode.CLOSE_CQ
+ };
+
+ private static final byte READER_ROLE = 1;
+
+ private static final byte WRITER_ROLE = 2;
+
+ private static final byte QUERY_ROLE = 3;
+
+ private static final byte ADMIN_ROLE = 4;
+
+ private static Set<OperationCode> readerOpsSet;
+
+ private static Set<OperationCode> writerOpsSet;
+
+ private static Set<OperationCode> queryOpsSet;
+
+ private static Set<String> queryRegionSet;
+
+ static {
+
+ readerOpsSet = new HashSet<OperationCode>();
+ for (int index = 0; index < READER_OPS.length; index++) {
+ readerOpsSet.add(READER_OPS[index]);
+ }
+ writerOpsSet = new HashSet<OperationCode>();
+ for (int index = 0; index < WRITER_OPS.length; index++) {
+ writerOpsSet.add(WRITER_OPS[index]);
+ }
+ queryOpsSet = new HashSet<OperationCode>();
+ for (int index = 0; index < QUERY_OPS.length; index++) {
+ queryOpsSet.add(QUERY_OPS[index]);
+ }
+ queryRegionSet = new HashSet<String>();
+ for (int index = 0; index < QUERY_REGIONS.length; index++) {
+ queryRegionSet.add(QUERY_REGIONS[index]);
+ }
+ }
+
+ public XmlAuthzCredentialGenerator() {
+ }
+
+ @Override
+ protected Properties init() throws IllegalArgumentException {
+
+ Properties sysProps = new Properties();
+ String dirName = "/lib/";
+ if (this.cGen.classCode().isDummy()) {
+ String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + dummyXml);
+ sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + ldapXml);
+ sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+ }
+ // else if (this.cGen.classCode().isPKCS()) {
+ // sysProps
+ // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + pkcsXml);
+ // }
+ // else if (this.cGen.classCode().isSSL()) {
+ // sysProps
+ // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + sslXml);
+ // }
+ else {
+ throw new IllegalArgumentException("No XML defined for XmlAuthorization module to work with " + this.cGen.getAuthenticator());
+ }
+ return sysProps;
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.XML;
+ }
+
+ @Override
+ public String getAuthorizationCallback() {
+ return XML_AUTHORIZATION_CREATE_NAME;
+ }
+
+ private Principal getDummyPrincipal(byte roleType, int index) {
+
+ String[] admins = new String[] { "root", "admin", "administrator" };
+ int numReaders = 3;
+ int numWriters = 3;
+
+ switch (roleType) {
+ case READER_ROLE:
+ return new UsernamePrincipal("reader" + (index % numReaders));
+ case WRITER_ROLE:
+ return new UsernamePrincipal("writer" + (index % numWriters));
+ case QUERY_ROLE:
+ return new UsernamePrincipal("reader" + ((index % 2) + 3));
+ default:
+ return new UsernamePrincipal(admins[index % admins.length]);
+ }
+ }
+
+ private Principal getLdapPrincipal(byte roleType, int index) {
+
+ final String userPrefix = "gemfire";
+ final int[] readerIndices = { 3, 4, 5 };
+ final int[] writerIndices = { 6, 7, 8 };
+ final int[] queryIndices = { 9, 10 };
+ final int[] adminIndices = { 1, 2 };
+
+ switch (roleType) {
+ case READER_ROLE:
+ int readerIndex = readerIndices[index % readerIndices.length];
+ return new UsernamePrincipal(userPrefix + readerIndex);
+ case WRITER_ROLE:
+ int writerIndex = writerIndices[index % writerIndices.length];
+ return new UsernamePrincipal(userPrefix + writerIndex);
+ case QUERY_ROLE:
+ int queryIndex = queryIndices[index % queryIndices.length];
+ return new UsernamePrincipal(userPrefix + queryIndex);
+ default:
+ int adminIndex = adminIndices[index % adminIndices.length];
+ return new UsernamePrincipal(userPrefix + adminIndex);
+ }
+ }
+
+ private byte getRequiredRole(OperationCode[] opCodes, String[] regionNames) {
+
+ byte roleType = ADMIN_ROLE;
+ boolean requiresReader = true;
+ boolean requiresWriter = true;
+ boolean requiresQuery = true;
+
+ for (int opNum = 0; opNum < opCodes.length; opNum++) {
+ OperationCode opCode = opCodes[opNum];
+ if (requiresReader && !readerOpsSet.contains(opCode)) {
+ requiresReader = false;
+ }
+ if (requiresWriter && !writerOpsSet.contains(opCode)) {
+ requiresWriter = false;
+ }
+ if (requiresQuery && !queryOpsSet.contains(opCode)) {
+ requiresQuery = false;
+ }
+ }
+ if (requiresReader) {
+ roleType = READER_ROLE;
+ }
+ else if (requiresWriter) {
+ roleType = WRITER_ROLE;
+ }
+ else if (requiresQuery) {
+ if (regionNames != null && regionNames.length > 0) {
+ for (int index = 0; index < regionNames.length; index++) {
+ String regionName = XmlAuthorization.normalizeRegionName(regionNames[index]);
+ if (requiresQuery && !queryRegionSet.contains(regionName)) {
+ requiresQuery = false;
+ break;
+ }
+ }
+ if (requiresQuery) {
+ roleType = QUERY_ROLE;
+ }
+ }
+ }
+ return roleType;
+ }
+
+ @Override
+ protected Principal getAllowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index) {
+
+ if (this.cGen.classCode().isDummy()) {
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ return getDummyPrincipal(roleType, index);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ return getLdapPrincipal(roleType, index);
+ }
+ return null;
+ }
+
+ @Override
+ protected Principal getDisallowedPrincipal(OperationCode[] opCodes, String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ byte disallowedRoleType = READER_ROLE;
+ switch (roleType) {
+ case READER_ROLE:
+ disallowedRoleType = WRITER_ROLE;
+ break;
+ case WRITER_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ case QUERY_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ case ADMIN_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ }
+ if (this.cGen.classCode().isDummy()) {
+ return getDummyPrincipal(disallowedRoleType, index);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ return getLdapPrincipal(disallowedRoleType, index);
+ }
+ return null;
+ }
+
+ @Override
+ protected int getNumPrincipalTries(OperationCode[] opCodes, String[] regionNames) {
+ return 5;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/4383a711/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
deleted file mode 100644
index e15a60a..0000000
--- a/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
+++ /dev/null
@@ -1,462 +0,0 @@
-
-package security;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import com.gemstone.gemfire.security.AccessControl;
-
-/**
- * Encapsulates obtaining authorized and unauthorized credentials for a given
- * operation in a region. Implementations will be for different kinds of
- * authorization scheme and authentication scheme combos.
- *
- * @author sumedh
- * @since 5.5
- */
-public abstract class AuthzCredentialGenerator {
-
- /**
- * Enumeration for various {@link AuthzCredentialGenerator} implementations.
- *
- * The following schemes are supported as of now:
- * <ul>
- * <li><code>DummyAuthorization</code> with <code>DummyAuthenticator</code></li>
- * <li><code>XMLAuthorization</code> with <code>DummyAuthenticator</code></li>
- * <li><code>XMLAuthorization</code> with <code>LDAPAuthenticator</code></li>
- * <li><code>XMLAuthorization</code> with <code>PKCSAuthenticator</code></li>
- * <li><code>XMLAuthorization</code> when using SSL sockets</li>
- * </ul>
- *
- * To add a new authorization scheme the following needs to be done:
- * <ul>
- * <li>Add implementation for {@link AccessControl}.</li>
- * <li>Choose the authentication schemes that it shall work with from
- * {@link CredentialGenerator.ClassCode}</li>
- * <li>Add a new enumeration value for the scheme in this class. Notice the
- * size of <code>VALUES</code> array and increase that if it is getting
- * overflowed. Note the methods and fields for existing schemes and add for
- * the new one in a similar manner.</li>
- * <li>Add an implementation for {@link AuthzCredentialGenerator}. Note the
- * {@link AuthzCredentialGenerator#init} method where different authentication
- * schemes can be passed and initialize differently for the authentication
- * schemes that shall be handled.</li>
- * <li>Modify the {@link AuthzCredentialGenerator#create} method to add
- * creation of an instance of the new implementation for the
- * <code>ClassCode</code> enumeration value.</li>
- * </ul>
- * All dunit tests will automagically start testing the new implementation
- * after this.
- *
- * @author sumedh
- * @since 5.5
- */
- public static final class ClassCode {
-
- private static final byte ID_DUMMY = 1;
-
- private static final byte ID_XML = 2;
-
- private static byte nextOrdinal = 0;
-
- private static final ClassCode[] VALUES = new ClassCode[10];
-
- private static final Map CodeNameMap = new HashMap();
-
- public static final ClassCode DUMMY = new ClassCode(
- "templates.security.DummyAuthorization.create", ID_DUMMY);
-
- public static final ClassCode XML = new ClassCode(
- "templates.security.XmlAuthorization.create", ID_XML);
-
- /** The name of this class. */
- private final String name;
-
- /** byte used as ordinal to represent this class */
- private final byte ordinal;
-
- /**
- * One of the following: ID_DUMMY, ID_LDAP, ID_PKI
- */
- private final byte classType;
-
- /** Creates a new instance of class code. */
- private ClassCode(String name, byte classType) {
- this.name = name;
- this.classType = classType;
- this.ordinal = nextOrdinal++;
- VALUES[this.ordinal] = this;
- CodeNameMap.put(name, this);
- }
-
- public boolean isDummy() {
- return (this.classType == ID_DUMMY);
- }
-
- public boolean isXml() {
- return (this.classType == ID_XML);
- }
-
- /**
- * Returns the <code>ClassCode</code> represented by specified ordinal.
- */
- public static ClassCode fromOrdinal(byte ordinal) {
- return VALUES[ordinal];
- }
-
- /**
- * Returns the <code>ClassCode</code> represented by specified string.
- */
- public static ClassCode parse(String operationName) {
- return (ClassCode)CodeNameMap.get(operationName);
- }
-
- /**
- * Returns all the possible values.
- */
- public static List getAll() {
- List codes = new ArrayList();
- Iterator iter = CodeNameMap.values().iterator();
- while (iter.hasNext()) {
- codes.add(iter.next());
- }
- return codes;
- }
-
- /**
- * Returns the ordinal for this class code.
- *
- * @return the ordinal of this class code.
- */
- public byte toOrdinal() {
- return this.ordinal;
- }
-
- /**
- * Returns a string representation for this class code.
- *
- * @return the name of this class code.
- */
- final public String toString() {
- return this.name;
- }
-
- /**
- * Indicates whether other object is same as this one.
- *
- * @return true if other object is same as this one.
- */
- @Override
- final public boolean equals(final Object obj) {
- if (obj == this) {
- return true;
- }
- if (!(obj instanceof ClassCode)) {
- return false;
- }
- final ClassCode other = (ClassCode)obj;
- return (other.ordinal == this.ordinal);
- }
-
- /**
- * Indicates whether other <code>ClassCode</code> is same as this one.
- *
- * @return true if other <code>ClassCode</code> is same as this one.
- */
- final public boolean equals(final ClassCode opCode) {
- return (opCode != null && opCode.ordinal == this.ordinal);
- }
-
- /**
- * Returns a hash code value for this <code>ClassCode</code> which is the
- * same as its ordinal.
- *
- * @return the ordinal of this <code>ClassCode</code>.
- */
- @Override
- final public int hashCode() {
- return this.ordinal;
- }
-
- }
-
- /**
- * The {@link CredentialGenerator} being used.
- */
- protected CredentialGenerator cGen;
-
- /**
- * A set of system properties that should be added to the gemfire system
- * properties before using the authorization module.
- */
- private Properties sysProps;
-
- /**
- * A factory method to create a new instance of an
- * {@link AuthzCredentialGenerator} for the given {@link ClassCode}. Caller
- * is supposed to invoke {@link AuthzCredentialGenerator#init} immediately
- * after obtaining the instance.
- *
- * @param classCode
- * the <code>ClassCode</code> of the
- * <code>AuthzCredentialGenerator</code> implementation
- *
- * @return an instance of <code>AuthzCredentialGenerator</code> for the
- * given class code
- */
- public static AuthzCredentialGenerator create(ClassCode classCode) {
- switch (classCode.classType) {
- case ClassCode.ID_DUMMY:
- return new DummyAuthzCredentialGenerator();
- case ClassCode.ID_XML:
- return new XmlAuthzCredentialGenerator();
- default:
- return null;
- }
- }
-
- /**
- * Initialize the authorized credential generator.
- *
- * @param cGen
- * an instance of {@link CredentialGenerator} of the credential
- * implementation for which to obtain authorized/unauthorized
- * credentials.
- *
- * @return false when the given {@link CredentialGenerator} is incompatible
- * with this authorization module.
- */
- public boolean init(CredentialGenerator cGen) {
- this.cGen = cGen;
- try {
- this.sysProps = init();
- }
- catch (IllegalArgumentException ex) {
- return false;
- }
- return true;
- }
-
- /**
- *
- * @return A set of extra properties that should be added to Gemfire system
- * properties when not null.
- */
- public Properties getSystemProperties() {
- return this.sysProps;
- }
-
- /**
- * Get the {@link CredentialGenerator} being used by this instance.
- */
- public CredentialGenerator getCredentialGenerator() {
- return this.cGen;
- }
-
- /**
- * The {@link ClassCode} of the particular implementation.
- *
- * @return the <code>ClassCode</code>
- */
- public abstract ClassCode classCode();
-
- /**
- * The name of the {@link AccessControl} factory function that should be used
- * as the authorization module on the server side.
- *
- * @return name of the <code>AccessControl</code> factory function
- */
- public abstract String getAuthorizationCallback();
-
- /**
- * Get a set of credentials generated using the given index allowed to perform
- * the given {@link OperationCode}s for the given regions.
- *
- * @param opCodes
- * the list of {@link OperationCode}s of the operations
- * requiring authorization; should not be null
- * @param regionNames
- * list of the region names requiring authorization; a value of
- * null indicates all regions
- * @param index
- * used to generate multiple such credentials by passing
- * different values for this
- *
- * @return the set of credentials authorized to perform the given operation in
- * the given regions
- */
- public Properties getAllowedCredentials(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- int numTries = getNumPrincipalTries(opCodes, regionNames);
- if (numTries <= 0) {
- numTries = 1;
- }
- for (int tries = 0; tries < numTries; tries++) {
- Principal principal = getAllowedPrincipal(opCodes, regionNames,
- (index + tries) % numTries);
- try {
- return this.cGen.getValidCredentials(principal);
- }
- catch (IllegalArgumentException ex) {
- }
- }
- return null;
- }
-
- /**
- * Get a set of credentials generated using the given index not allowed to
- * perform the given {@link OperationCode}s for the given regions. The
- * credentials are required to be valid for authentication.
- *
- * @param opCodes
- * the {@link OperationCode}s of the operations requiring
- * authorization failure; should not be null
- * @param regionNames
- * list of the region names requiring authorization failure; a
- * value of null indicates all regions
- * @param index
- * used to generate multiple such credentials by passing
- * different values for this
- *
- * @return the set of credentials that are not authorized to perform the given
- * operation in the given region
- */
- public Properties getDisallowedCredentials(OperationCode[] opCodes,
- String[] regionNames, int index) {
-
- // This may not be very correct since we use the value of
- // getNumPrincipalTries() but is used to avoid adding another method.
- // Also something like getNumDisallowedPrincipals() will be normally always
- // infinite, and the number here is just to perform some number of tries
- // before giving up.
- int numTries = getNumPrincipalTries(opCodes, regionNames);
- if (numTries <= 0) {
- numTries = 1;
- }
- for (int tries = 0; tries < numTries; tries++) {
- Principal principal = getDisallowedPrincipal(opCodes, regionNames,
- (index + tries) % numTries);
- try {
- return this.cGen.getValidCredentials(principal);
- }
- catch (IllegalArgumentException ex) {
- }
- }
- return null;
- }
-
- /**
- * Initialize the authorized credential generator.
- *
- * Required to be implemented by concrete classes that implement this abstract
- * class.
- *
- * @return A set of extra properties that should be added to Gemfire system
- * properties when not null.
- *
- * @throws IllegalArgumentException
- * when the {@link CredentialGenerator} is incompatible with
- * this authorization module.
- */
- protected abstract Properties init() throws IllegalArgumentException;
-
- /**
- * Get the number of tries to be done for obtaining valid credentials for the
- * given operations in the given region. It is required that
- * {@link #getAllowedPrincipal} method returns valid principals for values of
- * <code>index</code> from 0 through (n-1) where <code>n</code> is the
- * value returned by this method. It is recommended that the principals so
- * returned be unique for efficiency.
- *
- * This will be used by {@link #getAllowedCredentials} to step through
- * different principals and obtain a set of valid credentials.
- *
- * Required to be implemented by concrete classes that implement this abstract
- * class.
- *
- * @param opCodes
- * the {@link OperationCode}s of the operations requiring
- * authorization
- * @param regionNames
- * list of the region names requiring authorization; a value of
- * null indicates all regions
- *
- * @return the number of principals allowed to perform the given operation in
- * the given region
- */
- protected abstract int getNumPrincipalTries(OperationCode[] opCodes,
- String[] regionNames);
-
- /**
- * Get a {@link Principal} generated using the given index allowed to perform
- * the given {@link OperationCode}s for the given region.
- *
- * Required to be implemented by concrete classes that implement this abstract
- * class.
- *
- * @param opCodes
- * the {@link OperationCode}s of the operations requiring
- * authorization
- * @param regionNames
- * list of the region names requiring authorization; a value of
- * null indicates all regions
- * @param index
- * used to generate multiple such principals by passing
- * different values for this
- *
- * @return the {@link Principal} authorized to perform the given operation in
- * the given region
- */
- protected abstract Principal getAllowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index);
-
- /**
- * Get a {@link Principal} generated using the given index not allowed to
- * perform the given {@link OperationCode}s for the given region.
- *
- * Required to be implemented by concrete classes that implement this abstract
- * class.
- *
- * @param opCodes
- * the {@link OperationCode}s of the operations requiring
- * authorization failure
- * @param regionNames
- * list of the region names requiring authorization failure; a
- * value of null indicates all regions
- * @param index
- * used to generate multiple such principals by passing
- * different values for this
- *
- * @return a {@link Principal} not authorized to perform the given operation
- * in the given region
- */
- protected abstract Principal getDisallowedPrincipal(OperationCode[] opCodes,
- String[] regionNames, int index);
-}