Posted to commits@geode.apache.org by ji...@apache.org on 2016/03/31 19:40:07 UTC
incubator-geode git commit: GEODE-17: adding more command tests
Repository: incubator-geode
Updated Branches:
refs/heads/feature/GEODE-17-2 5e51d7c74 -> 8f937757c
GEODE-17: adding more command tests
GEODE-17: adding more command tests
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/8f937757
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/8f937757
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/8f937757
Branch: refs/heads/feature/GEODE-17-2
Commit: 8f937757c7828c643cad31668a09a36ce4cc5f3f
Parents: 5e51d7c
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Thu Mar 31 10:11:33 2016 -0700
Committer: Jinmei Liao <ji...@pivotal.io>
Committed: Thu Mar 31 10:39:46 2016 -0700
----------------------------------------------------------------------
.../cache/operations/OperationContext.java | 4 +
.../internal/security/CLIOperationContext.java | 2 +-
.../security/ResourceOperationContext.java | 4 -
.../security/DataCommandsSecurityTest.java | 16 +++-
.../internal/security/JSONAuthorization.java | 4 +-
.../security/MBeanSecurityJUnitTest.java | 2 +-
.../security/QueueCommandsSecurityTest.java | 65 +++++++++++++++++
.../security/ShellCommandsSecurityTest.java | 77 ++++++++++++++++++++
.../security/StatusCommandsSecurityTest.java | 61 ++++++++++++++++
.../internal/security/cacheServer.json | 9 ++-
10 files changed, 230 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
index 93c64a8..9e56632 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/cache/operations/OperationContext.java
@@ -405,4 +405,8 @@ public abstract class OperationContext {
|| opCode.isInvalidate() || opCode.isRegionCreate()
|| opCode.isRegionDestroy() || opCode.isRegionClear());
}
+
+ public String toString(){
+ return getResource() + ":"+ getOperationCode();
+ }
}
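Review bot: The `toString()` added at the end of `OperationContext` has neither `@Override` nor Javadoc, although `CLIOperationContext.toString()` now builds on it and its `RESOURCE:OPERATION` form appears to be what the security tests in this commit match (`hasMessageContaining("REGION:PUT")`). Add `@Override` and a short contract comment, e.g. `/** Returns "resource:operationCode"; may reach logs and exception messages, so subclasses must not append secret values. */`. The class body starts outside this hunk, so whether `getResource()` or `getOperationCode()` can return null at this point cannot be checked from these lines.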
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
index 7e125ef..3a1f44d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/CLIOperationContext.java
@@ -90,6 +90,6 @@ public class CLIOperationContext extends ResourceOperationContext {
}
public String toString(){
- return getResource() + ":"+ getOperationCode() + " commmand=" + command + " options=" + commandOptions;
+ return super.toString() + " commmand=" + command + " options=" + commandOptions;
}
}
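Review bot: `CLIOperationContext.toString()` still concatenates `commandOptions` verbatim, so secret option values can reach log output. This commit makes that more likely in two places: `JSONAuthorization` now logs the whole context at info level (`"Did not find code " + context`), and a new test runs `encrypt password --password=value`. Consider printing only the option names, e.g. `" options=" + commandOptions.keySet()` if `commandOptions` is a `Map` as `getCommandOptions().get("region")` suggests, or masking known sensitive keys. The literal `" commmand="` is also misspelled; check whether anything matches on it before correcting it.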
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
index 9e2b1b4..9ef458d 100644
--- a/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
+++ b/geode-core/src/main/java/com/gemstone/gemfire/management/internal/security/ResourceOperationContext.java
@@ -77,8 +77,4 @@ public class ResourceOperationContext extends OperationContext {
return this.opResult;
}
- public String toString(){
- return getResource() + ":"+ getOperationCode();
- }
-
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
index 7d1564b..bae03f8 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/DataCommandsSecurityTest.java
@@ -49,14 +49,22 @@ public class DataCommandsSecurityTest {
@JMXConnectionConfiguration(user = "dataUser", password = "1234567")
public void testDataUser() throws Exception {
bean.processCommand("locate entry --key=k1 --region=region1");
+ bean.processCommand("query --query='SELECT * FROM /region1'");
+
+ // can't operate on secureRegion
assertThatThrownBy(() -> bean.processCommand("locate entry --key=k1 --region=secureRegion")).isInstanceOf(SecurityException.class);
+ assertThatThrownBy(() -> bean.processCommand("query --query='SELECT * FROM /secureRegion")).isInstanceOf(SecurityException.class);
}
@JMXConnectionConfiguration(user = "secureDataUser", password = "1234567")
@Test
public void testSecureDataUser(){
+ // can do all these on both regions
bean.processCommand("locate entry --key=k1 --region=region1");
+ bean.processCommand("query --query='SELECT * FROM /region1'");
+
bean.processCommand("locate entry --key=k1 --region=secureRegion");
+ bean.processCommand("query --query='SELECT * FROM /secureRegion'");
}
@JMXConnectionConfiguration(user = "superuser", password = "1234567")
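Review bot: The new negative query in `testDataUser`, `"query --query='SELECT * FROM /secureRegion"`, is missing its closing single quote, so it does not send the same command shape as the positive cases and may be rejected for a reason other than the region check. Close the quote: `"query --query='SELECT * FROM /secureRegion'"`. Both negative assertions in this method accept any `SecurityException`; a message check like the `hasMessageContaining("QUERY:EXECUTE")` used in `testNoAccess` would tie the denial to the permission. The same applies to the `export data` and `import data` assertions in the next hunk. The class continues outside this hunk.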
@@ -76,19 +84,19 @@ public class DataCommandsSecurityTest {
@Test
public void testNoAccess(){
assertThatThrownBy(() -> bean.processCommand("rebalance --include-region=region1")).isInstanceOf(SecurityException.class)
- .hasMessageStartingWith("Access Denied: Not authorized for REGION:REBALANCE");
+ .hasMessageContaining("REGION:REBALANCE");
assertThatThrownBy(() -> bean.processCommand("export data --region=region1 --file=foo.txt --member=value")).isInstanceOf(SecurityException.class);
assertThatThrownBy(() -> bean.processCommand("import data --region=region1 --file=foo.txt --member=value")).isInstanceOf(SecurityException.class);
assertThatThrownBy(() -> bean.processCommand("put --key=key1 --value=value1 --region=region1")).isInstanceOf(SecurityException.class)
- .hasMessageStartingWith("Access Denied: Not authorized for REGION:PUT");
+ .hasMessageContaining("REGION:PUT");
assertThatThrownBy(() -> bean.processCommand("get --key=key1 --region=region1")).isInstanceOf(SecurityException.class)
- .hasMessageStartingWith("Access Denied: Not authorized for REGION:GET");
+ .hasMessageContaining("REGION:GET");
assertThatThrownBy(() -> bean.processCommand("query --query='SELECT * FROM /region1'")).isInstanceOf(SecurityException.class)
- .hasMessageStartingWith("Access Denied: Not authorized for QUERY:EXECUTE");
+ .hasMessageContaining("QUERY:EXECUTE");
}
// dataUser has all the permissions granted, but not to region2 (only to region1)
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
index 95e0133..90f664e 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/JSONAuthorization.java
@@ -196,7 +196,6 @@ public class JSONAuthorization implements AccessControl, Authenticator {
if(user == null)
return false; // this user is not authorized to do anything
- LogService.getLogger().info("Context received " + context);
LogService.getLogger().info("Checking for permission " + context.getResource() + ":" + context.getOperationCode());
// check if the user has this permission defined in the context
@@ -212,6 +211,7 @@ public class JSONAuthorization implements AccessControl, Authenticator {
// If this is a Command operation context, we need to further check if the region is allowed in this role
CLIOperationContext ctx = (CLIOperationContext) context;
+
String region = ctx.getCommandOptions().get("region");
if(region==null) {
region = ctx.getCommandOptions().get("include-region");
@@ -233,7 +233,7 @@ public class JSONAuthorization implements AccessControl, Authenticator {
}
}
- LogService.getLogger().info("Did not find code " + context.getOperationCode());
+ LogService.getLogger().info("Did not find code " + context);
return false;
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
index 319fd8a..c0969ad 100644
--- a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/MBeanSecurityJUnitTest.java
@@ -109,7 +109,7 @@ public class MBeanSecurityJUnitTest {
@Test
@JMXConnectionConfiguration(user = "stranger", password = "1234567")
public void testServerSideCalls(){
- // calls through ManagementService is not using the MBeanServerWrapper.
+ // calls through ManagementService is not going through authorization checks
ManagementService service = ManagementService.getManagementService(serverRule.getCache());
MemberMXBean bean = service.getMemberMXBean();
bean.compactAllDiskStores();
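Review bot: The reworded comment in `testServerSideCalls` drops the mechanism the old comment named (`MBeanServerWrapper`), which is the detail a reader needs to understand why user `stranger` can call `compactAllDiskStores()`. Keep both facts, for example `// calls through ManagementService do not go through the MBeanServerWrapper, so no authorization check is applied`. The method body continues past the hunk, so whether the test asserts anything about this bypass is not visible here.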
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
new file mode 100644
index 0000000..e9baa41
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/QueueCommandsSecurityTest.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class QueueCommandsSecurityTest {
+ private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+ private MemberMXBean bean;
+
+ @ClassRule
+ public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+ jmxManagerPort, "cacheServer.json");
+
+ @Rule
+ public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+ @Before
+ public void setUp() throws Exception {
+ bean = connectionRule.getProxyMBean(MemberMXBean.class);
+ }
+
+ @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+ @Test
+ public void testAllAccess(){
+ bean.processCommand("create async-event-queue --id=myAEQ --listener=myApp.myListener");
+ bean.processCommand("list async-event-queues");
+ }
+
+ // stranger has no permission granted
+ @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+ @Test
+ public void testNoAccess(){
+ assertThatThrownBy(() -> bean.processCommand("create async-event-queue --id=myAEQ --listener=myApp.myListener"))
+ .isInstanceOf(SecurityException.class).hasMessageContaining("ASYNC_EVENT_QUEUE:CREATE");
+ assertThatThrownBy(() -> bean.processCommand("list async-event-queues"))
+ .isInstanceOf(SecurityException.class).hasMessageContaining("ASYNC_EVENT_QUEUE:LIST");
+ }
+
+}
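Review bot: `testAllAccess` in the new `QueueCommandsSecurityTest` discards whatever `bean.processCommand(...)` returns, so it passes as long as no exception is thrown; `create async-event-queue --listener=myApp.myListener` names a listener class that this commit does not define, and the command may return an error result that the test never sees. Assert on the returned result, or add a comment stating that only the authorization outcome is under test. The same applies to `testAllAccess` in `ShellCommandsSecurityTest` and `StatusCommandsSecurityTest`. `jmxManagerPort` could also be `private static final`, and the port, rule and `setUp` fixture is repeated in all three new classes, where a shared base class would remove the duplication.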
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
new file mode 100644
index 0000000..4d08d1a
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/ShellCommandsSecurityTest.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class ShellCommandsSecurityTest {
+ private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+ private MemberMXBean bean;
+
+ @ClassRule
+ public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+ jmxManagerPort, "cacheServer.json");
+
+ @Rule
+ public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+ @Before
+ public void setUp() throws Exception {
+ bean = connectionRule.getProxyMBean(MemberMXBean.class);
+ }
+
+ @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+ @Test
+ public void testAllAccess(){
+ bean.processCommand("connect");
+ bean.processCommand("debug --state=on");
+ bean.processCommand("describe connection");
+ bean.processCommand("echo --string=\"Hello World!\"");
+ bean.processCommand("encrypt password --password=value");
+ bean.processCommand("version");
+ bean.processCommand("sleep");
+ bean.processCommand("sh ls");
+ bean.processCommand("disconnect");
+ }
+
+ // stranger has no permission granted
+ @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+ @Test
+ public void testNoAccess(){
+ assertThatThrownBy(() -> bean.processCommand("connect")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("debug --state=on")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("describe connection")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("disconnect")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("echo --string=\"Hello World!\"")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("encrypt password --password=value")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("version")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("sleep")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ assertThatThrownBy(() -> bean.processCommand("sh ls")).isInstanceOf(SecurityException.class).hasMessageContaining("DISTRIBUTED_SYSTEM:ALL");
+ }
+
+}
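Review bot: `ShellCommandsSecurityTest` pins `sh ls` and `encrypt password` to the same `DISTRIBUTED_SYSTEM:ALL` permission as `echo` and `version`, so a role granted that permission for harmless commands is also authorized for `sh`. If `sh` is executed by the member that receives `processCommand` (not visible in this commit), it warrants its own resource/operation pair, or at least a comment in the test recording that the coarse grouping is intended. `sh ls` also makes `testAllAccess` depend on the host providing `ls`.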
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
new file mode 100644
index 0000000..10101dd
--- /dev/null
+++ b/geode-core/src/test/java/com/gemstone/gemfire/management/internal/security/StatusCommandsSecurityTest.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.gemstone.gemfire.management.internal.security;
+
+import com.gemstone.gemfire.internal.AvailablePort;
+import com.gemstone.gemfire.management.MemberMXBean;
+import com.gemstone.gemfire.test.junit.categories.IntegrationTest;
+import org.junit.Before;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+@Category(IntegrationTest.class)
+public class StatusCommandsSecurityTest {
+ private static int jmxManagerPort = AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+
+ private MemberMXBean bean;
+
+ @ClassRule
+ public static JsonAuthorizationCacheStartRule serverRule = new JsonAuthorizationCacheStartRule(
+ jmxManagerPort, "cacheServer.json");
+
+ @Rule
+ public MBeanServerConnectionRule connectionRule = new MBeanServerConnectionRule(jmxManagerPort);
+
+ @Before
+ public void setUp() throws Exception {
+ bean = connectionRule.getProxyMBean(MemberMXBean.class);
+ }
+
+ @JMXConnectionConfiguration(user = "superuser", password = "1234567")
+ @Test
+ public void testAllAccess(){
+ bean.processCommand("status cluster-config-service");
+ }
+
+ // stranger has no permission granted
+ @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+ @Test
+ public void testNoAccess(){
+ assertThatThrownBy(() -> bean.processCommand("status cluster-config-service")).isInstanceOf(SecurityException.class).hasMessageContaining("CLUSTER_CONFIGURTION:STATUS");
+ }
+
+}
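Review bot: The expected message `"CLUSTER_CONFIGURTION:STATUS"` in `testNoAccess` is misspelled (`CONFIGURTION`), and the same spelling is added to `cacheServer.json` in this commit, so the test presumably mirrors a misspelled resource name defined elsewhere. Pinning it in a test and a permissions file makes the typo part of the authorization vocabulary that role files have to match exactly. Fix the name at its definition before more configuration depends on it, or add a comment such as `// sic: matches the resource name as currently defined` so that nobody corrects only one side.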
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8f937757/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
index 5dd08af..60052ac 100644
--- a/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/management/internal/security/cacheServer.json
@@ -53,7 +53,11 @@
"GATEWAY_RECEIVER:STOP",
"MANAGER:SET_PULSE_URL",
"MANAGER:START",
- "MANAGER:STOP"
+ "MANAGER:STOP",
+ "CLUSTER_CONFIGURTION:STATUS",
+ "DISTRIBUTED_SYSTEM:ALL",
+ "ASYNC_EVENT_QUEUE:CREATE",
+ "ASYNC_EVENT_QUEUE:LIST"
]
},
{
@@ -86,7 +90,8 @@
{
"name": "secureDataUsers",
"operationsAllowed": [
- "REGION:GET"
+ "REGION:GET",
+ "QUERY:EXECUTE"
],
"regions": ["region1", "secureRegion"]
}
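Review bot: Adding `"QUERY:EXECUTE"` to `secureDataUsers` next to `"regions": ["region1", "secureRegion"]` restricts queries by region only if the authorizer can tell which region a query touches. The `JSONAuthorization` lines visible in this commit take the region from the `region` and `include-region` options, while `query` carries it inside the OQL text (`SELECT * FROM /secureRegion`). The code between those lines and the final `return false` is not shown, so confirm that the query string is inspected for region names; otherwise the `regions` list does not constrain `QUERY:EXECUTE`.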