Posted to commits@ambari.apache.org by nc...@apache.org on 2014/09/07 11:45:14 UTC
[21/38] git commit: AMBARI-7163. Inactive user should not be able to
login. (mahadev)
AMBARI-7163. Inactive user should not be able to login. (mahadev)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/981adc66
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/981adc66
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/981adc66
Branch: refs/heads/branch-alerts-dev
Commit: 981adc667c3c6a5bfeca34736bba602f2a423d9b
Parents: f76e5c9
Author: Mahadev Konar <ma...@apache.org>
Authored: Fri Sep 5 10:22:04 2014 -0700
Committer: Mahadev Konar <ma...@apache.org>
Committed: Fri Sep 5 10:22:04 2014 -0700
----------------------------------------------------------------------
.../AmbariLdapAuthoritiesPopulator.java | 18 ++--
.../AmbariLocalUserDetailsService.java | 4 +-
...ariAuthorizationProviderDisableUserTest.java | 97 ++++++++++++++++++++
.../TestAmbariLdapAuthoritiesPopulator.java | 2 +
ambari-web/app/controllers/login_controller.js | 10 +-
ambari-web/app/messages.js | 1 +
ambari-web/app/router.js | 8 +-
7 files changed, 127 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
index 487e703..fc7f73a 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java
@@ -17,7 +17,11 @@
*/
package org.apache.ambari.server.security.authorization;
-import com.google.inject.Inject;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
import org.apache.ambari.server.orm.dao.MemberDAO;
import org.apache.ambari.server.orm.dao.PrivilegeDAO;
import org.apache.ambari.server.orm.dao.UserDAO;
@@ -28,13 +32,11 @@ import org.apache.ambari.server.orm.entities.UserEntity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.LinkedList;
-import java.util.List;
+import com.google.inject.Inject;
/**
* Provides authorities population for LDAP user from LDAP catalog
@@ -63,12 +65,14 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
UserEntity user;
user = userDAO.findLdapUserByName(username);
-
+
if (user == null) {
log.error("Can't get authorities for user " + username + ", he is not present in local DB");
return Collections.emptyList();
}
-
+ if(!user.getActive()){
+ throw new DisabledException("User is disabled");
+ }
// get all of the privileges for the user
List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
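Review bot: The new `if(!user.getActive())` branch rejects the login without writing anything to the server log, unlike the `user == null` branch just above it, which calls `log.error`. Rejected sign-ins on deactivated accounts are worth recording for monitoring, for example `log.warn("Rejecting LDAP login for disabled user {}", username);` placed before the `throw`. If `getActive()` returns a boxed `Boolean` (its declaration is not part of this diff), a null value would surface here as a NullPointerException instead of a DisabledException; `if (!Boolean.TRUE.equals(user.getActive()))` would fail closed in that case. The body of `getGrantedAuthorities` starts and ends outside the hunk.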
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
index 55707f8..2aae8a0 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java
@@ -91,7 +91,7 @@ public class AmbariLocalUserDetailsService implements UserDetailsService {
List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
- return new User(user.getUserName(), user.getUserPassword(),
- authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
+ return new User(user.getUserName(), user.getUserPassword(), user.getActive(),
+ true, true, true, authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
}
}
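Review bot: Passing `user.getActive()` as the `enabled` flag leaves the disabled check to the authentication provider, and as far as I know Spring's `DaoAuthenticationProvider` evaluates that flag in its pre-authentication checks, before the password is compared. If that holds here, a request naming a deactivated account is answered with "User is disabled" whatever password was sent, so the server response discloses account state to an unauthenticated client even though the UI strings for both cases are identical. Consider translating `DisabledException` to the generic bad-credentials response where the 403 is produced, or reporting it only after the password has been verified. The three positional `true` arguments would also be easier to read with a trailing comment such as `// accountNonExpired, credentialsNonExpired, accountNonLocked`.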
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
new file mode 100644
index 0000000..c3e5990
--- /dev/null
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.StandardPasswordEncoder;
+
+public class AmbariAuthorizationProviderDisableUserTest {
+
+ private UserDAO userDAO;
+
+ private PasswordEncoder encoder = new StandardPasswordEncoder();
+
+ private DaoAuthenticationProvider daoProvider;
+
+ private AmbariLdapAuthoritiesPopulator ldapPopulator;
+
+ @Before
+ public void setUp() {
+ userDAO = Mockito.mock(UserDAO.class);
+
+ createUser("activeUser", true);
+ createUser("disabledUser", false);
+
+ MemberDAO memberDao = Mockito.mock(MemberDAO.class);
+ PrivilegeDAO privilegeDao = Mockito.mock(PrivilegeDAO.class);
+ AuthorizationHelper authorizationHelper = new AuthorizationHelper();
+
+ AmbariLocalUserDetailsService uds = new AmbariLocalUserDetailsService(null,null,authorizationHelper,userDAO,memberDao,privilegeDao);
+ daoProvider = new DaoAuthenticationProvider();
+ daoProvider.setUserDetailsService(uds);
+ daoProvider.setPasswordEncoder(encoder);
+
+ ldapPopulator = new AmbariLdapAuthoritiesPopulator(authorizationHelper, userDAO, memberDao, privilegeDao);
+
+ }
+
+ @Test public void testDisabledUserViaDaoProvider(){
+ try{
+ daoProvider.authenticate(new UsernamePasswordAuthenticationToken("disabledUser","pwd"));
+ Assert.fail("Disabled user passes authentication");
+ }catch(DisabledException e){
+ //expected
+ Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+ }
+ Authentication auth = daoProvider.authenticate(new UsernamePasswordAuthenticationToken("activeUser","pwd"));
+ Assert.assertNotNull(auth);
+ Assert.assertTrue(auth.isAuthenticated());
+ }
+
+ @Test public void testDisabledUserViaLdapProvider(){
+ try{
+ ldapPopulator.getGrantedAuthorities(null, "disabledUser");
+ Assert.fail("Disabled user passes authentication");
+ }catch(DisabledException e){
+ //expected
+ Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+ }
+ }
+
+ private void createUser(String login, boolean isActive) {
+ UserEntity activeUser = new UserEntity();
+ activeUser.setActive(isActive);
+ activeUser.setUserName(login);
+ activeUser.setUserPassword(encoder.encode("pwd"));
+ Mockito.when(userDAO.findLocalUserByName(login)).thenReturn(activeUser);
+ Mockito.when(userDAO.findLdapUserByName(login)).thenReturn(activeUser);
+ }
+}
\ No newline at end of file
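Review bot: `testDisabledUserViaDaoProvider` only authenticates `disabledUser` with the correct password `"pwd"`, so nothing pins what the provider returns for a deactivated account when the password is wrong. A second case using a wrong password, asserting whichever exception type the project intends to expose, would document whether account state is reported before credentials are checked. Separately, the local in `createUser` is named `activeUser` even when `isActive` is false; `userEntity` would be less misleading. The file also ends without a trailing newline.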
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
index bb178d6..7c72f4c 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java
@@ -63,6 +63,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
.withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
expect(userEntity.getPrincipal()).andReturn(principalEntity);
+ expect(userEntity.getActive()).andReturn(true);
expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity));
expect(memberEntity.getGroup()).andReturn(groupEntity);
expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity);
@@ -87,6 +88,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
.withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+ expect(userEntity.getActive()).andReturn(true);
expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity)).anyTimes();
expect(memberEntity.getGroup()).andReturn(groupEntity).anyTimes();
expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity).anyTimes();
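Review bot: The added `expect(userEntity.getActive()).andReturn(true);` in this second hunk is the only expectation here without `.anyTimes()`, while every neighbouring expectation has it. If the test around it (not visible in the hunk) calls `getGrantedAuthorities` more than once, the mock would presumably reject the second `getActive()` call; `expect(userEntity.getActive()).andReturn(true).anyTimes();` would match the surrounding lines.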
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/controllers/login_controller.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/controllers/login_controller.js b/ambari-web/app/controllers/login_controller.js
index 4f92dd2..46160ee 100644
--- a/ambari-web/app/controllers/login_controller.js
+++ b/ambari-web/app/controllers/login_controller.js
@@ -35,13 +35,19 @@ App.LoginController = Em.Object.extend({
App.get('router').login();
},
- postLogin: function (isConnected, isAuthenticated) {
+ postLogin: function (isConnected, isAuthenticated, responseText) {
if (!isConnected) {
console.log('Failed to connect to Ambari Server');
this.set('errorMessage', Em.I18n.t('login.error.bad.connection'));
} else if (!isAuthenticated) {
console.log('Failed to login as: ' + this.get('loginName'));
- this.set('errorMessage', Em.I18n.t('login.error.bad.credentials'));
+ var errorMessage = "";
+ if( responseText === "User is disabled" ){
+ errorMessage = Em.I18n.t('login.error.disabled');
+ } else {
+ errorMessage = Em.I18n.t('login.error.bad.credentials');
+ }
+ this.set('errorMessage', errorMessage);
}
}
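Review bot: The comparison `responseText === "User is disabled"` ties the UI to the exact wording of a server-side exception message, so any rewording or localisation of that message on the server silently falls back to the bad-credentials branch. A named constant shared with the place that documents the contract, or a machine-readable error code in the response, would make the dependency explicit; at minimum add a comment such as `// must match the DisabledException message thrown by the server`. The initial `var errorMessage = "";` is also redundant, since both branches assign it.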
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/messages.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/messages.js b/ambari-web/app/messages.js
index af64135..d6829f0 100644
--- a/ambari-web/app/messages.js
+++ b/ambari-web/app/messages.js
@@ -281,6 +281,7 @@ Em.I18n.translations = {
'login.username':'Username',
'login.loginButton':'Sign in',
'login.error.bad.credentials':'Unable to sign in. Invalid username/password combination.',
+ 'login.error.disabled':'Unable to sign in. Invalid username/password combination.',
'login.error.bad.connection':'Unable to connect to Ambari Server. Confirm Ambari Server is running and you can reach Ambari Server from this machine.',
'graphs.noData.title': 'No Data',
http://git-wip-us.apache.org/repos/asf/ambari/blob/981adc66/ambari-web/app/router.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/router.js b/ambari-web/app/router.js
index e9a965f..18203f2 100644
--- a/ambari-web/app/router.js
+++ b/ambari-web/app/router.js
@@ -242,9 +242,13 @@ App.Router = Em.Router.extend({
console.log("login error: " + error);
this.setAuthenticated(false);
if (request.status == 403) {
- controller.postLogin(true, false);
+ var responseMessage = request.responseText;
+ try{
+ responseMessage = JSON.parse(request.responseText).message;
+ }catch(e){}
+ controller.postLogin(true, false, responseMessage);
} else {
- controller.postLogin(false, false);
+ controller.postLogin(false, false, null);
}
},
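Review bot: The empty `catch(e){}` hides every parse failure, and when the body is valid JSON without a `message` field `responseMessage` is overwritten with `undefined`, discarding the raw text that was assigned first. Guarding the assignment keeps the fallback intact: `var parsed = JSON.parse(request.responseText); if (parsed && parsed.message) { responseMessage = parsed.message; }`, with a comment in the catch such as `// body is not JSON; keep the raw responseText`. The enclosing callback starts outside the hunk.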