Posted to commits@lucene.apache.org by is...@apache.org on 2017/03/19 14:55:30 UTC
lucene-solr:jira/solr-6736: SOLR-6736: Adding tests for authz
Repository: lucene-solr
Updated Branches:
refs/heads/jira/solr-6736 a3328b770 -> bf921935d
SOLR-6736: Adding tests for authz
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/bf921935
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/bf921935
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/bf921935
Branch: refs/heads/jira/solr-6736
Commit: bf921935d3d8f1ca127a95808d270095363f0b6b
Parents: a3328b7
Author: Ishan Chattopadhyaya <is...@apache.org>
Authored: Sun Mar 19 20:25:11 2017 +0530
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sun Mar 19 20:25:11 2017 +0530
----------------------------------------------------------------------
.../solr/handler/admin/ConfigSetsHandler.java | 5 +-
.../solr/security/PermissionNameProvider.java | 2 +-
.../apache/solr/cloud/TestConfigSetsAPI.java | 85 +++++++++++++-------
3 files changed, 62 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/bf921935/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
index 5d78af0..88f9c5c 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
@@ -198,7 +198,10 @@ public class ConfigSetsHandler extends RequestHandlerBase implements PermissionN
AuthorizationResponse authzResponse = req.getHttpSolrCall().getAuthorizationResponse();
System.out.println("Authz plugin: "+authzPlugin);
- System.out.println("Authz permission: "+authzResponse.getPermission());
+ System.out.println("Authz response: "+authzResponse);
+ if (authzResponse != null) {
+ System.out.println("Authz permission: "+authzResponse.getPermission());
+ }
if (authzPlugin != null) {
if (authzPlugin instanceof RuleBasedAuthorizationPlugin) {
if (authzResponse.getPermission() == null) { // this request was permitted since this endpoint was not protected
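Review bot: The null guard added around the "Authz permission" print does not cover the later `authzResponse.getPermission() == null` check inside the `RuleBasedAuthorizationPlugin` branch, so a null `authzResponse` would still throw there if it can occur while a plugin is configured. If an absent response should be handled like an unprotected endpoint, the condition could read `if (authzResponse == null || authzResponse.getPermission() == null) {`; that choice should be confirmed against what the branch does, since it decides how the upload is classified. The new `System.out.println` calls also write authorization details to stdout from a request handler, and a debug-level logger call would be the better home for them. The enclosing method starts and ends outside this hunk.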
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/bf921935/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
index f2cf749..2109dee 100644
--- a/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
+++ b/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java
@@ -40,7 +40,7 @@ public interface PermissionNameProvider {
CORE_EDIT_PERM("core-admin-edit", null),
READ_PERM("read", "*"),
UPDATE_PERM("update", "*"),
- CONFIG_EDIT_PERM("config-edit", "*"),
+ CONFIG_EDIT_PERM("config-edit", unmodifiableSet(new HashSet<>(asList("*", null)))),
CONFIG_READ_PERM("config-read", "*"),
SCHEMA_READ_PERM("schema-read", "*"),
SCHEMA_EDIT_PERM("schema-edit", "*"),
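Review bot: `CONFIG_EDIT_PERM` now carries a collection set containing both `"*"` and `null`, which presumably makes an existing `config-edit` rule also govern requests that have no collection, and nothing at the constant records that widening. A short comment on the line, for example `// null: also covers non-collection requests such as /admin/configs`, would state the intent once it is confirmed against the plugin's matching logic. The hunk does not show imports for `unmodifiableSet`, `HashSet` and `asList`, so check they are present; the enum continues outside the hunk.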
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/bf921935/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
index d1cf036..76fa283 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
@@ -50,6 +50,7 @@ import org.apache.http.HttpEntity;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.message.BasicHeader;
import org.apache.http.util.EntityUtils;
import org.apache.lucene.util.TestUtil;
import org.apache.solr.SolrTestCaseJ4;
@@ -79,6 +80,7 @@ import org.apache.solr.common.params.ConfigSetParams;
import org.apache.solr.common.params.ConfigSetParams.ConfigSetAction;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.util.Base64;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.common.util.Utils;
import org.apache.solr.core.ConfigSetProperties;
@@ -285,7 +287,7 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
//Checking error when no configuration name is specified in request
Map map = postDataAndGetResponse(solrCluster.getSolrClient(),
solrCluster.getJettySolrRunners().get(0).getBaseUrl().toString()
- + "/admin/configs?action=UPLOAD&wt=json", emptyData);
+ + "/admin/configs?action=UPLOAD&wt=json", emptyData, null, null);
assertNotNull(map);
long statusCode = (long) getObjectByPath(map, false,
Arrays.asList("responseHeader", "status"));
@@ -304,7 +306,7 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
//Checking error when configuration name specified already exists
map = postDataAndGetResponse(solrCluster.getSolrClient(),
solrCluster.getJettySolrRunners().get(0).getBaseUrl().toString()
- + "/admin/configs?action=UPLOAD&wt=json&name=myconf", emptyData);
+ + "/admin/configs?action=UPLOAD&wt=json&name=myconf", emptyData, null, null);
assertNotNull(map);
statusCode = (long) getObjectByPath(map, false,
Arrays.asList("responseHeader", "status"));
@@ -320,10 +322,11 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
@Test
public void testUpload() throws Exception {
- uploadConfigSet("regular");
- // try to create a collection with the uploaded configset
- createCollection("newcollection", "regular", 1, 1, solrCluster.getSolrClient());
- xsltRequest("newcollection");
+ String suffix = "-untrusted";
+ uploadConfigSet("regular", suffix, null, null);
+ // try to create a collection with the uploaded configset
+ createCollection("newcollection" + suffix, "regular", 1, 1, solrCluster.getSolrClient());
+ xsltRequest("newcollection");
}
protected SolrZkClient zkClient() {
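Review bot: In `testUpload` the suffix is appended to the collection name instead of the configset name. `uploadConfigSet("regular", suffix, null, null)` uploads under `regular` plus the suffix (the request uses `name="+configSetName+suffix`), but `createCollection` is still given `"regular"`, and `xsltRequest("newcollection")` then targets a collection name that is no longer created. This looks like it should be `createCollection("newcollection", "regular" + suffix, 1, 1, solrCluster.getSolrClient());`, matching how `testUploadWithScriptUpdateProcessor` passes `"with-script-processor"+suffix`.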
@@ -333,8 +336,7 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
return solrCluster.getSolrClient().getZkStateReader().getZkClient();
}
- @Test
- public void testUploadWithScriptUpdateProcessor() throws Exception {
+ private void protectConfigsHandler() throws Exception {
String authcPrefix = "/admin/authentication";
String authzPrefix = "/admin/authorization";
@@ -354,27 +356,45 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
String baseUrl = randomJetty.getBaseUrl().toString();
zkClient().setData("/security.json", securityJson.replaceAll("'", "\"").getBytes(UTF_8), true);
- BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 20);
- BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authzPrefix, "authorization/class", "solr.RuleBasedAuthorizationPlugin", 20);
+ BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 50);
+ BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authzPrefix, "authorization/class", "solr.RuleBasedAuthorizationPlugin", 50);
} finally {
if (cl != null) {
HttpClientUtil.close(cl);
}
}
-
- uploadConfigSet("with-script-processor");
+ }
+
+ @Test
+ public void testUploadWithScriptUpdateProcessor() throws Exception {
+ for (boolean withAuthorization: Arrays.asList(false, true)) {
+ String suffix;
+ if (withAuthorization) {
+ suffix = "-trusted";
+ protectConfigsHandler();
+ Thread.sleep(1000);
+ uploadConfigSet("with-script-processor", suffix, "solr", "SolrRocks");
+ } else {
+ suffix = "-untrusted";
+ uploadConfigSet("with-script-processor", suffix, null, null);
+ }
// try to create a collection with the uploaded configset
- CollectionAdminResponse resp = createCollection("newcollection2", "with-script-processor",
+ CollectionAdminResponse resp = createCollection("newcollection2", "with-script-processor"+suffix,
1, 1, solrCluster.getSolrClient());
- System.out.println("Client saw errors: "+resp.getErrorMessages());
- assertTrue(resp.getErrorMessages() != null && resp.getErrorMessages().size() > 0);
- assertTrue(resp.getErrorMessages().getVal(0).
- contains("The configset for this collection was uploaded without any authorization"));
- //scriptRequest("newcollection2");
+
+ if (withAuthorization) {
+ scriptRequest("newcollection2");
+ } else {
+ System.out.println("Client saw errors: "+resp.getErrorMessages());
+ assertTrue(resp.getErrorMessages() != null && resp.getErrorMessages().size() > 0);
+ assertTrue(resp.getErrorMessages().getVal(0).
+ contains("The configset for this collection was uploaded without any authorization"));
+ }
+ }
}
- private void uploadConfigSet(String configSetName) throws Exception {
+ private void uploadConfigSet(String configSetName, String suffix, String username, String password) throws Exception {
// Read zipped sample config
ByteBuffer sampleZippedConfig = TestDynamicLoading
.getFileContent(
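Review bot: Both loop iterations in `testUploadWithScriptUpdateProcessor` create `newcollection2`, so the trusted pass may collide with whatever the untrusted pass left behind and fail for a reason unrelated to authorization. Using `"newcollection2" + suffix` for both `createCollection` and `scriptRequest` would keep the two cases independent. The fixed `Thread.sleep(1000)` after `protectConfigsHandler()` is a timing assumption, and waiting on an observable condition, as `verifySecurityStatus` does, would be less flaky. `protectConfigsHandler()` also leaves `/security.json` in place, which could affect tests that post without credentials if the cluster is shared; the setup that decides this is not visible here.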
@@ -384,27 +404,27 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
AbstractZkTestCase.TIMEOUT, 45000, null);
try {
ZkConfigManager configManager = new ZkConfigManager(zkClient);
- assertFalse(configManager.configExists(configSetName));
+ assertFalse(configManager.configExists(configSetName+suffix));
Map map = postDataAndGetResponse(solrCluster.getSolrClient(),
- solrCluster.getJettySolrRunners().get(0).getBaseUrl().toString() + "/admin/configs?action=UPLOAD&wt=json&name="+configSetName,
- sampleZippedConfig);
+ solrCluster.getJettySolrRunners().get(0).getBaseUrl().toString() + "/admin/configs?action=UPLOAD&wt=json&name="+configSetName+suffix,
+ sampleZippedConfig, username, password);
assertNotNull(map);
long statusCode = (long) getObjectByPath(map, false, Arrays.asList("responseHeader", "status"));
assertEquals(0l, statusCode);
assertTrue("managed-schema file should have been uploaded",
- zkClient.exists("/configs/"+configSetName+"/managed-schema", true));
+ zkClient.exists("/configs/"+configSetName+suffix+"/managed-schema", true));
assertTrue("managed-schema file contents on zookeeper are not exactly same as that of the file uploaded in config",
- Arrays.equals(zkClient.getData("/configs/"+configSetName+"/managed-schema", null, null, true),
+ Arrays.equals(zkClient.getData("/configs/"+configSetName+suffix+"/managed-schema", null, null, true),
readFile("solr/configsets/upload/"+configSetName+"/managed-schema")));
assertTrue("solrconfig.xml file should have been uploaded",
- zkClient.exists("/configs/"+configSetName+"/solrconfig.xml", true));
- byte data[] = zkClient.getData("/configs/"+configSetName, null, null, true);
+ zkClient.exists("/configs/"+configSetName+suffix+"/solrconfig.xml", true));
+ byte data[] = zkClient.getData("/configs/"+configSetName+suffix, null, null, true);
//assertEquals("{\"trusted\": false}", new String(data, StandardCharsets.UTF_8));
assertTrue("solrconfig.xml file contents on zookeeper are not exactly same as that of the file uploaded in config",
- Arrays.equals(zkClient.getData("/configs/"+configSetName+"/solrconfig.xml", null, null, true),
+ Arrays.equals(zkClient.getData("/configs/"+configSetName+suffix+"/solrconfig.xml", null, null, true),
readFile("solr/configsets/upload/"+configSetName+"/solrconfig.xml")));
} finally {
zkClient.close();
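Review bot: `uploadConfigSet` reads the configset znode into `data` but never asserts on it, and the `{"trusted": false}` check remains commented out, so the test never verifies the trust flag that the new credentials are meant to control. Since the method now knows whether credentials were sent, an assertion on `data` keyed on `username != null` would pin the property this commit is about. The exact stored format needs confirming against the handler before the assertion is written. The method starts in the previous hunk and ends outside this one.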
@@ -525,13 +545,22 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
}
public static Map postDataAndGetResponse(CloudSolrClient cloudClient,
- String uri, ByteBuffer bytarr) throws IOException {
+ String uri, ByteBuffer bytarr, String username, String password) throws IOException {
HttpPost httpPost = null;
HttpEntity entity;
String response = null;
Map m = null;
+
try {
httpPost = new HttpPost(uri);
+
+ if (username != null) {
+ String userPass = username + ":" + password;
+ String encoded = Base64.byteArrayToBase64(userPass.getBytes(UTF_8));
+ BasicHeader header = new BasicHeader("Authorization", "Basic " + encoded);
+ httpPost.setHeader(header);
+ }
+
httpPost.setHeader("Content-Type", "application/octet-stream");
httpPost.setEntity(new ByteArrayEntity(bytarr.array(), bytarr
.arrayOffset(), bytarr.limit()));
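Review bot: In `postDataAndGetResponse`, a non-null `username` with a null `password` builds the credentials string from the literal text `null` and sends it as a real Basic header. Guarding on both values, `if (username != null && password != null) {`, or failing fast on the mismatch, would avoid a confusing authentication failure for a caller that passes only one. The method body continues outside the hunk.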