You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by je...@apache.org on 2015/12/30 01:28:06 UTC
[06/33] incubator-geode git commit: GEODE-663: add aditional security
tests to the open source
GEODE-663: add aditional security tests to the open source
Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/3720666f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/3720666f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/3720666f
Branch: refs/heads/feature/GEODE-14
Commit: 3720666f0d1e7c6dedb3cb18a1a0952d7446ac31
Parents: a622d6e
Author: Jinmei Liao <ji...@pivotal.io>
Authored: Fri Dec 11 15:27:50 2015 -0800
Committer: Jens Deppe <jd...@pivotal.io>
Committed: Mon Dec 21 08:51:59 2015 -0800
----------------------------------------------------------------------
.../security/ClientAuthenticationDUnitTest.java | 6 +-
.../security/ClientAuthorizationDUnitTest.java | 8 +-
.../security/ClientAuthorizationTestBase.java | 10 +-
.../security/ClientMultiUserAuthzDUnitTest.java | 4 +-
.../DeltaClientAuthorizationDUnitTest.java | 4 +-
.../DeltaClientPostAuthorizationDUnitTest.java | 4 +-
.../security/P2PAuthenticationDUnitTest.java | 8 +-
.../java/security/AuthzCredentialGenerator.java | 465 +++++++++++++++++++
.../test/java/security/CredentialGenerator.java | 343 ++++++++++++++
.../security/DummyAuthzCredentialGenerator.java | 145 ++++++
.../java/security/DummyCredentialGenerator.java | 94 ++++
.../security/LdapUserCredentialGenerator.java | 160 +++++++
.../java/security/PKCSCredentialGenerator.java | 112 +++++
.../java/security/SSLCredentialGenerator.java | 117 +++++
.../UserPasswordWithExtraPropsAuthInit.java | 77 +++
.../security/XmlAuthzCredentialGenerator.java | 264 +++++++++++
.../security/AuthzCredentialGenerator.java | 465 -------------------
.../templates/security/CredentialGenerator.java | 343 --------------
.../security/DummyAuthzCredentialGenerator.java | 142 ------
.../security/DummyCredentialGenerator.java | 90 ----
.../security/LdapUserCredentialGenerator.java | 158 -------
.../security/PKCSCredentialGenerator.java | 110 -----
.../security/SSLCredentialGenerator.java | 116 -----
.../UserPasswordWithExtraPropsAuthInit.java | 76 ---
.../security/XmlAuthzCredentialGenerator.java | 262 -----------
25 files changed, 1799 insertions(+), 1784 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
index 2fdbc05..2bd04e0 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthenticationDUnitTest.java
@@ -26,8 +26,8 @@ import java.util.Properties;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
-import templates.security.CredentialGenerator;
-import templates.security.CredentialGenerator.ClassCode;
+import security.CredentialGenerator;
+import security.CredentialGenerator.ClassCode;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.distributed.internal.DistributionConfig;
@@ -36,7 +36,7 @@ import com.gemstone.gemfire.internal.AvailablePort;
import dunit.DistributedTestCase;
import dunit.Host;
import dunit.VM;
-import templates.security.DummyCredentialGenerator;
+import security.DummyCredentialGenerator;
/**
* Test for authentication from client to server. This tests for both valid and
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
index e89e0d3..b44ac33 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationDUnitTest.java
@@ -26,10 +26,10 @@ import java.util.Iterator;
import java.util.List;
import java.util.Properties;
-import templates.security.AuthzCredentialGenerator;
-import templates.security.CredentialGenerator;
-import templates.security.DummyCredentialGenerator;
-import templates.security.XmlAuthzCredentialGenerator;
+import security.AuthzCredentialGenerator;
+import security.CredentialGenerator;
+import security.DummyCredentialGenerator;
+import security.XmlAuthzCredentialGenerator;
import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
import com.gemstone.gemfire.internal.AvailablePort;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
index ad6526a..e49f9ff 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientAuthorizationTestBase.java
@@ -31,9 +31,9 @@ import java.util.Properties;
import java.util.Random;
import java.util.Set;
-import templates.security.AuthzCredentialGenerator;
-import templates.security.CredentialGenerator;
-import templates.security.AuthzCredentialGenerator.ClassCode;
+import security.AuthzCredentialGenerator;
+import security.CredentialGenerator;
+import security.AuthzCredentialGenerator.ClassCode;
import com.gemstone.gemfire.cache.DynamicRegionFactory;
import com.gemstone.gemfire.cache.InterestResultPolicy;
@@ -62,8 +62,8 @@ import com.gemstone.gemfire.internal.util.Callable;
import dunit.DistributedTestCase;
import dunit.VM;
-import templates.security.DummyCredentialGenerator;
-import templates.security.XmlAuthzCredentialGenerator;
+import security.DummyCredentialGenerator;
+import security.XmlAuthzCredentialGenerator;
/**
* Base class for tests for authorization from client to server. It contains
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
index ceeb989..627c415 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/ClientMultiUserAuthzDUnitTest.java
@@ -24,8 +24,8 @@ package com.gemstone.gemfire.security;
import java.util.Iterator;
import java.util.Properties;
-import templates.security.AuthzCredentialGenerator;
-import templates.security.CredentialGenerator;
+import security.AuthzCredentialGenerator;
+import security.CredentialGenerator;
import com.gemstone.gemfire.cache.Region;
import com.gemstone.gemfire.cache.execute.Function;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
index 16573c2..37b46cc 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientAuthorizationDUnitTest.java
@@ -23,8 +23,8 @@ package com.gemstone.gemfire.security;
import java.util.Properties;
-import templates.security.AuthzCredentialGenerator;
-import templates.security.CredentialGenerator;
+import security.AuthzCredentialGenerator;
+import security.CredentialGenerator;
import com.gemstone.gemfire.DeltaTestImpl;
import com.gemstone.gemfire.cache.Region;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
index 7cfa23d..0a0a0b8 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/DeltaClientPostAuthorizationDUnitTest.java
@@ -28,8 +28,8 @@ import java.util.Map;
import java.util.Properties;
import java.util.Random;
-import templates.security.AuthzCredentialGenerator;
-import templates.security.CredentialGenerator;
+import security.AuthzCredentialGenerator;
+import security.CredentialGenerator;
import com.gemstone.gemfire.DeltaTestImpl;
import com.gemstone.gemfire.cache.InterestResultPolicy;
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java b/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
index 0f83050..e4ce211 100644
--- a/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
+++ b/gemfire-core/src/test/java/com/gemstone/gemfire/security/P2PAuthenticationDUnitTest.java
@@ -26,9 +26,9 @@ import java.util.Properties;
import javax.net.ssl.SSLHandshakeException;
-import templates.security.CredentialGenerator;
-import templates.security.DummyCredentialGenerator;
-import templates.security.LdapUserCredentialGenerator;
+import security.CredentialGenerator;
+import security.DummyCredentialGenerator;
+import security.LdapUserCredentialGenerator;
import com.gemstone.gemfire.LogWriter;
import com.gemstone.gemfire.distributed.DistributedSystem;
@@ -507,7 +507,7 @@ public class P2PAuthenticationDUnitTest extends DistributedTestCase {
gen.init();
Properties extraProps = gen.getSystemProperties();
String authenticator = gen.getAuthenticator();
- String authInit = "templates.security.UserPasswordWithExtraPropsAuthInit.create";
+ String authInit = "security.UserPasswordWithExtraPropsAuthInit.create";
if (extraProps == null) {
extraProps = new Properties();
}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
new file mode 100644
index 0000000..d5e4915
--- /dev/null
+++ b/gemfire-core/src/test/java/security/AuthzCredentialGenerator.java
@@ -0,0 +1,465 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.security.AccessControl;
+
+/**
+ * Encapsulates obtaining authorized and unauthorized credentials for a given
+ * operation in a region. Implementations will be for different kinds of
+ * authorization scheme and authentication scheme combos.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+public abstract class AuthzCredentialGenerator {
+
+ /**
+ * Enumeration for various {@link AuthzCredentialGenerator} implementations.
+ *
+ * The following schemes are supported as of now:
+ * <ul>
+ * <li><code>DummyAuthorization</code> with <code>DummyAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>DummyAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>LDAPAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> with <code>PKCSAuthenticator</code></li>
+ * <li><code>XMLAuthorization</code> when using SSL sockets</li>
+ * </ul>
+ *
+ * To add a new authorization scheme the following needs to be done:
+ * <ul>
+ * <li>Add implementation for {@link AccessControl}.</li>
+ * <li>Choose the authentication schemes that it shall work with from
+ * {@link CredentialGenerator.ClassCode}</li>
+ * <li>Add a new enumeration value for the scheme in this class. Notice the
+ * size of <code>VALUES</code> array and increase that if it is getting
+ * overflowed. Note the methods and fields for existing schemes and add for
+ * the new one in a similar manner.</li>
+ * <li>Add an implementation for {@link AuthzCredentialGenerator}. Note the
+ * {@link AuthzCredentialGenerator#init} method where different authentication
+ * schemes can be passed and initialize differently for the authentication
+ * schemes that shall be handled.</li>
+ * <li>Modify the {@link AuthzCredentialGenerator#create} method to add
+ * creation of an instance of the new implementation for the
+ * <code>ClassCode</code> enumeration value.</li>
+ * </ul>
+ * All dunit tests will automagically start testing the new implementation
+ * after this.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+ public static final class ClassCode {
+
+ private static final byte ID_DUMMY = 1;
+
+ private static final byte ID_XML = 2;
+
+ private static byte nextOrdinal = 0;
+
+ private static final ClassCode[] VALUES = new ClassCode[10];
+
+ private static final Map CodeNameMap = new HashMap();
+
+ public static final ClassCode DUMMY = new ClassCode(
+ "templates.security.DummyAuthorization.create", ID_DUMMY);
+
+ public static final ClassCode XML = new ClassCode(
+ "templates.security.XmlAuthorization.create", ID_XML);
+
+ /** The name of this class. */
+ private final String name;
+
+ /** byte used as ordinal to represent this class */
+ private final byte ordinal;
+
+ /**
+ * One of the following: ID_DUMMY, ID_LDAP, ID_PKI
+ */
+ private final byte classType;
+
+ /** Creates a new instance of class code. */
+ private ClassCode(String name, byte classType) {
+ this.name = name;
+ this.classType = classType;
+ this.ordinal = nextOrdinal++;
+ VALUES[this.ordinal] = this;
+ CodeNameMap.put(name, this);
+ }
+
+ public boolean isDummy() {
+ return (this.classType == ID_DUMMY);
+ }
+
+ public boolean isXml() {
+ return (this.classType == ID_XML);
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified ordinal.
+ */
+ public static ClassCode fromOrdinal(byte ordinal) {
+ return VALUES[ordinal];
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified string.
+ */
+ public static ClassCode parse(String operationName) {
+ return (ClassCode)CodeNameMap.get(operationName);
+ }
+
+ /**
+ * Returns all the possible values.
+ */
+ public static List getAll() {
+ List codes = new ArrayList();
+ Iterator iter = CodeNameMap.values().iterator();
+ while (iter.hasNext()) {
+ codes.add(iter.next());
+ }
+ return codes;
+ }
+
+ /**
+ * Returns the ordinal for this class code.
+ *
+ * @return the ordinal of this class code.
+ */
+ public byte toOrdinal() {
+ return this.ordinal;
+ }
+
+ /**
+ * Returns a string representation for this class code.
+ *
+ * @return the name of this class code.
+ */
+ final public String toString() {
+ return this.name;
+ }
+
+ /**
+ * Indicates whether other object is same as this one.
+ *
+ * @return true if other object is same as this one.
+ */
+ @Override
+ final public boolean equals(final Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (!(obj instanceof ClassCode)) {
+ return false;
+ }
+ final ClassCode other = (ClassCode)obj;
+ return (other.ordinal == this.ordinal);
+ }
+
+ /**
+ * Indicates whether other <code>ClassCode</code> is same as this one.
+ *
+ * @return true if other <code>ClassCode</code> is same as this one.
+ */
+ final public boolean equals(final ClassCode opCode) {
+ return (opCode != null && opCode.ordinal == this.ordinal);
+ }
+
+ /**
+ * Returns a hash code value for this <code>ClassCode</code> which is the
+ * same as its ordinal.
+ *
+ * @return the ordinal of this <code>ClassCode</code>.
+ */
+ @Override
+ final public int hashCode() {
+ return this.ordinal;
+ }
+
+ }
+
+ /**
+ * The {@link CredentialGenerator} being used.
+ */
+ protected CredentialGenerator cGen;
+
+ /**
+ * A set of system properties that should be added to the gemfire system
+ * properties before using the authorization module.
+ */
+ private Properties sysProps;
+
+ /**
+ * A factory method to create a new instance of an
+ * {@link AuthzCredentialGenerator} for the given {@link ClassCode}. Caller
+ * is supposed to invoke {@link AuthzCredentialGenerator#init} immediately
+ * after obtaining the instance.
+ *
+ * @param classCode
+ * the <code>ClassCode</code> of the
+ * <code>AuthzCredentialGenerator</code> implementation
+ *
+ * @return an instance of <code>AuthzCredentialGenerator</code> for the
+ * given class code
+ */
+ public static AuthzCredentialGenerator create(ClassCode classCode) {
+ switch (classCode.classType) {
+ case ClassCode.ID_DUMMY:
+ return new DummyAuthzCredentialGenerator();
+ case ClassCode.ID_XML:
+ return new XmlAuthzCredentialGenerator();
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Initialize the authorized credential generator.
+ *
+ * @param cGen
+ * an instance of {@link CredentialGenerator} of the credential
+ * implementation for which to obtain authorized/unauthorized
+ * credentials.
+ *
+ * @return false when the given {@link CredentialGenerator} is incompatible
+ * with this authorization module.
+ */
+ public boolean init(CredentialGenerator cGen) {
+ this.cGen = cGen;
+ try {
+ this.sysProps = init();
+ }
+ catch (IllegalArgumentException ex) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getSystemProperties() {
+ return this.sysProps;
+ }
+
+ /**
+ * Get the {@link CredentialGenerator} being used by this instance.
+ */
+ public CredentialGenerator getCredentialGenerator() {
+ return this.cGen;
+ }
+
+ /**
+ * The {@link ClassCode} of the particular implementation.
+ *
+ * @return the <code>ClassCode</code>
+ */
+ public abstract ClassCode classCode();
+
+ /**
+ * The name of the {@link AccessControl} factory function that should be used
+ * as the authorization module on the server side.
+ *
+ * @return name of the <code>AccessControl</code> factory function
+ */
+ public abstract String getAuthorizationCallback();
+
+ /**
+ * Get a set of credentials generated using the given index allowed to perform
+ * the given {@link OperationCode}s for the given regions.
+ *
+ * @param opCodes
+ * the list of {@link OperationCode}s of the operations
+ * requiring authorization; should not be null
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ * @param index
+ * used to generate multiple such credentials by passing
+ * different values for this
+ *
+ * @return the set of credentials authorized to perform the given operation in
+ * the given regions
+ */
+ public Properties getAllowedCredentials(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ int numTries = getNumPrincipalTries(opCodes, regionNames);
+ if (numTries <= 0) {
+ numTries = 1;
+ }
+ for (int tries = 0; tries < numTries; tries++) {
+ Principal principal = getAllowedPrincipal(opCodes, regionNames,
+ (index + tries) % numTries);
+ try {
+ return this.cGen.getValidCredentials(principal);
+ }
+ catch (IllegalArgumentException ex) {
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get a set of credentials generated using the given index not allowed to
+ * perform the given {@link OperationCode}s for the given regions. The
+ * credentials are required to be valid for authentication.
+ *
+ * @param opCode
+ * the {@link OperationCode}s of the operations requiring
+ * authorization failure; should not be null
+ * @param regionNames
+ * list of the region names requiring authorization failure; a
+ * value of null indicates all regions
+ * @param index
+ * used to generate multiple such credentials by passing
+ * different values for this
+ *
+ * @return the set of credentials that are not authorized to perform the given
+ * operation in the given region
+ */
+ public Properties getDisallowedCredentials(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ // This may not be very correct since we use the value of
+ // getNumPrincipalTries() but is used to avoid adding another method.
+ // Also something like getNumDisallowedPrincipals() will be normally always
+ // infinite, and the number here is just to perform some number of tries
+ // before giving up.
+ int numTries = getNumPrincipalTries(opCodes, regionNames);
+ if (numTries <= 0) {
+ numTries = 1;
+ }
+ for (int tries = 0; tries < numTries; tries++) {
+ Principal principal = getDisallowedPrincipal(opCodes, regionNames,
+ (index + tries) % numTries);
+ try {
+ return this.cGen.getValidCredentials(principal);
+ }
+ catch (IllegalArgumentException ex) {
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Initialize the authorized credential generator.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ *
+ * @throws IllegalArgumentException
+ * when the {@link CredentialGenerator} is incompatible with
+ * this authorization module.
+ */
+ protected abstract Properties init() throws IllegalArgumentException;
+
+ /**
+ * Get the number of tries to be done for obtaining valid credentials for the
+ * given operations in the given region. It is required that
+ * {@link #getAllowedPrincipal} method returns valid principals for values of
+ * <code>index</code> from 0 through (n-1) where <code>n</code> is the
+ * value returned by this method. It is recommended that the principals so
+ * returned be unique for efficiency.
+ *
+ * This will be used by {@link #getAllowedCredentials} to step through
+ * different principals and obtain a set of valid credentials.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ * @param index
+ * used to generate multiple such credentials by passing
+ * different values for this
+ *
+ * @return the number of principals allowed to perform the given operation in
+ * the given region
+ */
+ protected abstract int getNumPrincipalTries(OperationCode[] opCodes,
+ String[] regionNames);
+
+ /**
+ * Get a {@link Principal} generated using the given index allowed to perform
+ * the given {@link OperationCode}s for the given region.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization
+ * @param regionNames
+ * list of the region names requiring authorization; a value of
+ * null indicates all regions
+ * @param index
+ * used to generate multiple such principals by passing
+ * different values for this
+ *
+ * @return the {@link Principal} authorized to perform the given operation in
+ * the given region
+ */
+ protected abstract Principal getAllowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index);
+
+ /**
+ * Get a {@link Principal} generated using the given index not allowed to
+ * perform the given {@link OperationCode}s for the given region.
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @param opCodes
+ * the {@link OperationCode}s of the operations requiring
+ * authorization failure
+ * @param regionNames
+ * list of the region names requiring authorization failure; a
+ * value of null indicates all regions
+ * @param index
+ * used to generate multiple such principals by passing
+ * different values for this
+ *
+ * @return a {@link Principal} not authorized to perform the given operation
+ * in the given region
+ */
+ protected abstract Principal getDisallowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index);
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/CredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/CredentialGenerator.java b/gemfire-core/src/test/java/security/CredentialGenerator.java
new file mode 100644
index 0000000..c16a8a1
--- /dev/null
+++ b/gemfire-core/src/test/java/security/CredentialGenerator.java
@@ -0,0 +1,343 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.Authenticator;
+
+/**
+ * Encapsulates obtaining valid and invalid credentials. Implementations will be
+ * for different kinds of authentication schemes.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+public abstract class CredentialGenerator {
+
+ /**
+ * Enumeration for various {@link CredentialGenerator} implementations.
+ *
+ * The following schemes are supported as of now:
+ * <code>DummyAuthenticator</code>, <code>LdapUserAuthenticator</code>,
+ * <code>PKCSAuthenticator</code>. In addition SSL socket mode with mutual
+ * authentication is also supported.
+ *
+ * To add a new authentication scheme the following needs to be done:
+ * <ul>
+ * <li>Add implementations for {@link AuthInitialize} and
+ * {@link Authenticator} classes for clients/peers.</li>
+ * <li>Add a new enumeration value for the scheme in this class. Notice the
+ * size of <code>VALUES</code> array and increase that if it is getting
+ * overflowed. Note the methods and fields for existing schemes and add for
+ * the new one in a similar manner.</li>
+ * <li>Add an implementation for {@link CredentialGenerator}.</li>
+ * <li>Modify the {@link CredentialGenerator.Factory#create} method to add
+ * creation of an instance of the new implementation for the
+ * <code>ClassCode</code> enumeration value.</li>
+ * </ul>
+ * All security dunit tests will automagically start testing the new
+ * implementation after this.
+ *
+ * @author sumedh
+ * @since 5.5
+ */
+ public static final class ClassCode {
+
+ private static final byte ID_DUMMY = 1;
+
+ private static final byte ID_LDAP = 2;
+
+ private static final byte ID_PKCS = 3;
+
+ private static final byte ID_SSL = 4;
+
+ private static byte nextOrdinal = 0;
+
+ private static final ClassCode[] VALUES = new ClassCode[10];
+
+ private static final Map CodeNameMap = new HashMap();
+
+ public static final ClassCode DUMMY = new ClassCode(
+ "templates.security.DummyAuthenticator.create", ID_DUMMY);
+
+ public static final ClassCode LDAP = new ClassCode(
+ "templates.security.LdapUserAuthenticator.create", ID_LDAP);
+
+ public static final ClassCode PKCS = new ClassCode(
+ "templates.security.PKCSAuthenticator.create", ID_PKCS);
+
+ public static final ClassCode SSL = new ClassCode("SSL", ID_SSL);
+
+ /** The name of this class. */
+ private final String name;
+
+ /** byte used as ordinal to represent this class */
+ private final byte ordinal;
+
+ /**
+ * One of the following: ID_DUMMY, ID_LDAP, ID_PKCS
+ */
+ private final byte classType;
+
+ /** Creates a new instance of class code. */
+ private ClassCode(String name, byte classType) {
+ this.name = name;
+ this.classType = classType;
+ this.ordinal = nextOrdinal++;
+ VALUES[this.ordinal] = this;
+ CodeNameMap.put(name, this);
+ }
+
+ public boolean isDummy() {
+ return (this.classType == ID_DUMMY);
+ }
+
+ public boolean isLDAP() {
+ return (this.classType == ID_LDAP);
+ }
+
+ public boolean isPKCS() {
+ return (this.classType == ID_PKCS);
+ }
+
+ public boolean isSSL() {
+ return (this.classType == ID_SSL);
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified ordinal.
+ */
+ public static ClassCode fromOrdinal(byte ordinal) {
+ return VALUES[ordinal];
+ }
+
+ /**
+ * Returns the <code>ClassCode</code> represented by specified string.
+ */
+ public static ClassCode parse(String operationName) {
+ return (ClassCode)CodeNameMap.get(operationName);
+ }
+
+ /**
+ * Returns all the possible values.
+ */
+ public static List getAll() {
+ List codes = new ArrayList();
+ Iterator iter = CodeNameMap.values().iterator();
+ while (iter.hasNext()) {
+ codes.add(iter.next());
+ }
+ return codes;
+ }
+
+ /**
+ * Returns the ordinal for this operation code.
+ *
+ * @return the ordinal of this operation.
+ */
+ public byte toOrdinal() {
+ return this.ordinal;
+ }
+
+ /**
+ * Returns a string representation for this operation.
+ *
+ * @return the name of this operation.
+ */
+ final public String toString() {
+ return this.name;
+ }
+
+ /**
+ * Indicates whether other object is same as this one.
+ *
+ * @return true if other object is same as this one.
+ */
+ @Override
+ final public boolean equals(final Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (!(obj instanceof ClassCode)) {
+ return false;
+ }
+ final ClassCode other = (ClassCode)obj;
+ return (other.ordinal == this.ordinal);
+ }
+
+ /**
+ * Indicates whether other <code>ClassCode</code> is same as this one.
+ *
+ * @return true if other <code>ClassCode</code> is same as this one.
+ */
+ final public boolean equals(final ClassCode opCode) {
+ return (opCode != null && opCode.ordinal == this.ordinal);
+ }
+
+ /**
+ * Returns a hash code value for this <code>ClassCode</code> which is the
+ * same as its ordinal.
+ *
+ * @return the ordinal of this operation.
+ */
+ @Override
+ final public int hashCode() {
+ return this.ordinal;
+ }
+
+ }
+
+ /**
+ * A set of properties that should be added to the Gemfire system properties
+ * before using the authentication module.
+ */
+ private Properties sysProps = null;
+
+ /**
+ * A set of properties that should be added to the java system properties
+ * before using the authentication module.
+ */
+ protected Properties javaProps = null;
+
+ /**
+ * A factory method to create a new instance of an {@link CredentialGenerator}
+ * for the given {@link ClassCode}. Caller is supposed to invoke
+ * {@link CredentialGenerator#init} immediately after obtaining the instance.
+ *
+ * @param classCode
+ * the <code>ClassCode</code> of the
+ * <code>CredentialGenerator</code> implementation
+ *
+ * @return an instance of <code>CredentialGenerator</code> for the given
+ * class code
+ */
+ public static CredentialGenerator create(ClassCode classCode) {
+ switch (classCode.classType) {
+ // Removing dummy one to reduce test run times
+ // case ClassCode.ID_DUMMY:
+ // return new DummyCredentialGenerator();
+ case ClassCode.ID_LDAP:
+ return new LdapUserCredentialGenerator();
+ // case ClassCode.ID_SSL:ΓΈ
+ // return new SSLCredentialGenerator();
+ case ClassCode.ID_PKCS:
+ return new PKCSCredentialGenerator();
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Initialize the credential generator.
+ *
+ * @throws IllegalArgumentException
+ * when there is a problem during initialization
+ */
+ public void init() throws IllegalArgumentException {
+ this.sysProps = initialize();
+ }
+
+ /**
+ * Initialize the credential generator. This is provided separately from the
+ * {@link #init} method for convenience of implementations so that they do not
+ * need to store in {@link #sysProps}. The latter is convenient for the users
+ * who do not need to store these properties rather can obtain it later by
+ * invoking {@link #getSystemProperties}
+ *
+ * Required to be implemented by concrete classes that implement this abstract
+ * class.
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ *
+ * @throws IllegalArgumentException
+ * when there is a problem during initialization
+ */
+ protected abstract Properties initialize() throws IllegalArgumentException;
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getSystemProperties() {
+ return this.sysProps;
+ }
+
+ /**
+ *
+ * @return A set of extra properties that should be added to Gemfire system
+ * properties when not null.
+ */
+ public Properties getJavaProperties() {
+ return this.javaProps;
+ }
+
+ /**
+ * The {@link ClassCode} of this particular implementation.
+ *
+ * @return the <code>ClassCode</code>
+ */
+ public abstract ClassCode classCode();
+
+ /**
+ * The name of the {@link AuthInitialize} factory function that should be used
+ * in conjunction with the credentials generated by this generator.
+ *
+ * @return name of the <code>AuthInitialize</code> factory function
+ */
+ public abstract String getAuthInit();
+
+ /**
+ * The name of the {@link Authenticator} factory function that should be used
+ * in conjunction with the credentials generated by this generator.
+ *
+ * @return name of the <code>Authenticator</code> factory function
+ */
+ public abstract String getAuthenticator();
+
+ /**
+ * Get a set of valid credentials generated using the given index.
+ */
+ public abstract Properties getValidCredentials(int index);
+
+ /**
+ * Get a set of valid credentials for the given {@link Principal}.
+ *
+ * @return credentials for the given <code>Principal</code> or null if none
+ * possible.
+ */
+ public abstract Properties getValidCredentials(Principal principal);
+
+ /**
+ * Get a set of invalid credentials generated using the given index.
+ */
+ public abstract Properties getInvalidCredentials(int index);
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
new file mode 100644
index 0000000..7e40d13
--- /dev/null
+++ b/gemfire-core/src/test/java/security/DummyAuthzCredentialGenerator.java
@@ -0,0 +1,145 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import security.AuthzCredentialGenerator;
+import templates.security.DummyAuthorization;
+import templates.security.UsernamePrincipal;
+
+public class DummyAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+ public static final byte READER_ROLE = 1;
+
+ public static final byte WRITER_ROLE = 2;
+
+ public static final byte ADMIN_ROLE = 3;
+
+ private static Set readerOpsSet;
+
+ private static Set writerOpsSet;
+
+ static {
+
+ readerOpsSet = new HashSet();
+ for (int index = 0; index < DummyAuthorization.READER_OPS.length; index++) {
+ readerOpsSet.add(DummyAuthorization.READER_OPS[index]);
+ }
+ writerOpsSet = new HashSet();
+ for (int index = 0; index < DummyAuthorization.WRITER_OPS.length; index++) {
+ writerOpsSet.add(DummyAuthorization.WRITER_OPS[index]);
+ }
+ }
+
+ public DummyAuthzCredentialGenerator() {
+ }
+
+ protected Properties init() throws IllegalArgumentException {
+
+ if (!this.cGen.classCode().isDummy()) {
+ throw new IllegalArgumentException(
+ "DummyAuthorization module only works with DummyAuthenticator");
+ }
+ return null;
+ }
+
+ public ClassCode classCode() {
+ return ClassCode.DUMMY;
+ }
+
+ public String getAuthorizationCallback() {
+ return "templates.security.DummyAuthorization.create";
+ }
+
+ public static byte getRequiredRole(OperationCode[] opCodes) {
+
+ byte roleType = ADMIN_ROLE;
+ boolean requiresReader = true;
+ boolean requiresWriter = true;
+
+ for (int opNum = 0; opNum < opCodes.length; opNum++) {
+ if (requiresReader && !readerOpsSet.contains(opCodes[opNum])) {
+ requiresReader = false;
+ }
+ if (requiresWriter && !writerOpsSet.contains(opCodes[opNum])) {
+ requiresWriter = false;
+ }
+ }
+ if (requiresReader) {
+ roleType = READER_ROLE;
+ }
+ else if (requiresWriter) {
+ roleType = WRITER_ROLE;
+ }
+ return roleType;
+ }
+
+ private Principal getPrincipal(byte roleType, int index) {
+
+ String[] admins = new String[] { "root", "admin", "administrator" };
+ switch (roleType) {
+ case READER_ROLE:
+ return new UsernamePrincipal("reader" + index);
+ case WRITER_ROLE:
+ return new UsernamePrincipal("writer" + index);
+ default:
+ return new UsernamePrincipal(admins[index % admins.length]);
+ }
+ }
+
+ protected Principal getAllowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes);
+ return getPrincipal(roleType, index);
+ }
+
+ protected Principal getDisallowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes);
+ byte disallowedRoleType;
+ switch (roleType) {
+ case READER_ROLE:
+ disallowedRoleType = WRITER_ROLE;
+ break;
+ case WRITER_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ default:
+ disallowedRoleType = READER_ROLE;
+ break;
+ }
+ return getPrincipal(disallowedRoleType, index);
+ }
+
+ protected int getNumPrincipalTries(OperationCode[] opCodes,
+ String[] regionNames) {
+ return 5;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/DummyCredentialGenerator.java b/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
new file mode 100644
index 0000000..86b26a7
--- /dev/null
+++ b/gemfire-core/src/test/java/security/DummyCredentialGenerator.java
@@ -0,0 +1,94 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import security.CredentialGenerator;
+import templates.security.DummyAuthenticator;
+import templates.security.UserPasswordAuthInit;
+
+import java.security.Principal;
+import java.util.Properties;
+
+public class DummyCredentialGenerator extends CredentialGenerator {
+
+ public DummyCredentialGenerator() {
+ }
+
+ protected Properties initialize() throws IllegalArgumentException {
+ return null;
+ }
+
+ public ClassCode classCode() {
+ return ClassCode.DUMMY;
+ }
+
+ public String getAuthInit() {
+ return "templates.security.UserPasswordAuthInit.create";
+ }
+
+ public String getAuthenticator() {
+ return "templates.security.DummyAuthenticator.create";
+ }
+
+ public Properties getValidCredentials(int index) {
+
+ String[] validGroups = new String[] { "admin", "user", "reader", "writer" };
+ String[] admins = new String[] { "root", "admin", "administrator" };
+
+ Properties props = new Properties();
+ int groupNum = (index % validGroups.length);
+ String userName;
+ if (groupNum == 0) {
+ userName = admins[index % admins.length];
+ }
+ else {
+ userName = validGroups[groupNum] + (index / validGroups.length);
+ }
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ return props;
+ }
+
+ public Properties getValidCredentials(Principal principal) {
+
+ String userName = principal.getName();
+ if (DummyAuthenticator.testValidName(userName)) {
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ return props;
+ }
+ else {
+ throw new IllegalArgumentException("Dummy: [" + userName
+ + "] is not a valid user");
+ }
+ }
+
+ public Properties getInvalidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java b/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
new file mode 100644
index 0000000..12bcb62
--- /dev/null
+++ b/gemfire-core/src/test/java/security/LdapUserCredentialGenerator.java
@@ -0,0 +1,160 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.distributed.internal.DistributionConfig;
+import com.gemstone.gemfire.internal.cache.tier.sockets.HandShake;
+import com.gemstone.gemfire.util.test.TestUtil;
+import templates.security.LdapUserAuthenticator;
+import templates.security.UserPasswordAuthInit;
+
+import java.util.Random;
+
+public class LdapUserCredentialGenerator extends CredentialGenerator {
+
+ private static final String USER_PREFIX = "gemfire";
+
+ private static boolean enableServerAuthentication = false;
+
+ private boolean serverAuthEnabled = false;
+
+ private static final Random prng = new Random();
+
+ private static final String[] algos = new String[] { "", "DESede", "AES:128",
+ "Blowfish:128" };
+
+ public LdapUserCredentialGenerator() {
+ // Toggle server authentication enabled for each test
+ // This is done instead of running all the tests with both
+ // server auth enabled/disabled to reduce test run time.
+ enableServerAuthentication = !enableServerAuthentication;
+ serverAuthEnabled = enableServerAuthentication;
+ }
+
+ @Override
+ protected Properties initialize() throws IllegalArgumentException {
+
+ Properties extraProps = new Properties();
+ String ldapServer = System.getProperty("gf.ldap.server", "ldap");
+ String ldapBaseDN = System.getProperty("gf.ldap.basedn", "ou=ldapTesting,dc=pune,dc=gemstone,dc=com");
+ String ldapUseSSL = System.getProperty("gf.ldap.usessl");
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_SERVER_NAME, ldapServer);
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_BASEDN_NAME, ldapBaseDN);
+ if (ldapUseSSL != null && ldapUseSSL.length() > 0) {
+ extraProps.setProperty(LdapUserAuthenticator.LDAP_SSL_NAME, ldapUseSSL);
+ }
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(LdapUserCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/gemfire1.keystore");
+ extraProps.setProperty(HandShake.PRIVATE_KEY_FILE_PROP, keyStoreFile);
+ extraProps.setProperty(HandShake.PRIVATE_KEY_ALIAS_PROP, "gemfire1");
+ extraProps.setProperty(HandShake.PRIVATE_KEY_PASSWD_PROP, "gemfire");
+ }
+ return extraProps;
+ }
+
+ @Override
+ public ClassCode classCode() {
+ return ClassCode.LDAP;
+ }
+
+ @Override
+ public String getAuthInit() {
+ return "templates.security.UserPasswordAuthInit.create";
+ }
+
+ @Override
+ public String getAuthenticator() {
+ return "templates.security.LdapUserAuthenticator.create";
+ }
+
+ @Override
+ public Properties getValidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, USER_PREFIX
+ + ((index % 10) + 1));
+ props.setProperty(UserPasswordAuthInit.PASSWORD, USER_PREFIX
+ + ((index % 10) + 1));
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
+ algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+ @Override
+ public Properties getValidCredentials(Principal principal) {
+
+ Properties props = null;
+ String userName = principal.getName();
+ if (userName != null && userName.startsWith(USER_PREFIX)) {
+ boolean isValid;
+ try {
+ int suffix = Integer.parseInt(userName.substring(USER_PREFIX.length()));
+ isValid = (suffix >= 1 && suffix <= 10);
+ }
+ catch (Exception ex) {
+ isValid = false;
+ }
+ if (isValid) {
+ props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, userName);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, userName);
+ }
+ }
+ if (props == null) {
+ throw new IllegalArgumentException("LDAP: [" + userName
+ + "] not a valid user");
+ }
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
+ algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+ @Override
+ public Properties getInvalidCredentials(int index) {
+
+ Properties props = new Properties();
+ props.setProperty(UserPasswordAuthInit.USER_NAME, "invalid" + index);
+ props.setProperty(UserPasswordAuthInit.PASSWORD, "none");
+ props.setProperty(DistributionConfig.SECURITY_CLIENT_DHALGO_NAME,
+ algos[prng.nextInt(algos.length)]);
+ if (serverAuthEnabled) {
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, PKCSCredentialGenerator.keyStoreDir + "/publickeyfile");
+ props.setProperty(HandShake.PUBLIC_KEY_FILE_PROP, keyStoreFile);
+ props.setProperty(HandShake.PUBLIC_KEY_PASSWD_PROP, "gemfire");
+ }
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java b/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
new file mode 100644
index 0000000..24c0100
--- /dev/null
+++ b/gemfire-core/src/test/java/security/PKCSCredentialGenerator.java
@@ -0,0 +1,112 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Properties;
+
+import com.gemstone.gemfire.util.test.TestUtil;
+import templates.security.PKCSAuthInit;
+import templates.security.PKCSAuthenticator;
+
+/**
+ * @author kneeraj
+ *
+ */
+public class PKCSCredentialGenerator extends CredentialGenerator {
+
+ public static String keyStoreDir = getKeyStoreDir();
+
+ public static boolean usesIBMJSSE;
+
+ // Checks if the current JVM uses only IBM JSSE providers.
+ private static boolean usesIBMProviders() {
+ Provider[] providers = Security.getProviders();
+ for (int index = 0; index < providers.length; ++index) {
+ if (!providers[index].getName().toLowerCase().startsWith("ibm")) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ private static String getKeyStoreDir() {
+ usesIBMJSSE = usesIBMProviders();
+ if (usesIBMJSSE) {
+ return "/lib/keys/ibm";
+ }
+ else {
+ return "/lib/keys";
+ }
+ }
+
+ public ClassCode classCode() {
+ return ClassCode.PKCS;
+ }
+
+ public String getAuthInit() {
+ return "templates.security.PKCSAuthInit.create";
+ }
+
+ public String getAuthenticator() {
+ return "templates.security.PKCSAuthenticator.create";
+ }
+
+ public Properties getInvalidCredentials(int index) {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire11.keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire11");
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ public Properties getValidCredentials(int index) {
+ Properties props = new Properties();
+ int aliasnum = (index % 10) + 1;
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/gemfire" + aliasnum + ".keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, "gemfire" + aliasnum);
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ public Properties getValidCredentials(Principal principal) {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + principal.getName() + ".keystore");
+ props.setProperty(PKCSAuthInit.KEYSTORE_FILE_PATH, keyStoreFile);
+ props.setProperty(PKCSAuthInit.KEYSTORE_ALIAS, principal.getName());
+ props.setProperty(PKCSAuthInit.KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+ protected Properties initialize() throws IllegalArgumentException {
+ Properties props = new Properties();
+ String keyStoreFile = TestUtil.getResourcePath(PKCSCredentialGenerator.class, keyStoreDir + "/publickeyfile");
+ props.setProperty(PKCSAuthenticator.PUBLIC_KEY_FILE, keyStoreFile);
+ props.setProperty(PKCSAuthenticator.PUBLIC_KEYSTORE_PASSWORD, "gemfire");
+ return props;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/SSLCredentialGenerator.java b/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
new file mode 100644
index 0000000..29a1a30
--- /dev/null
+++ b/gemfire-core/src/test/java/security/SSLCredentialGenerator.java
@@ -0,0 +1,117 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.io.File;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Properties;
+
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import security.CredentialGenerator;
+
+public class SSLCredentialGenerator extends CredentialGenerator {
+
+ private File findTrustedJKS() {
+ File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+ return new File(ssldir, "trusted.keystore");
+ }
+
+ private File findUntrustedJKS() {
+ File ssldir = new File(System.getProperty("JTESTS") + "/ssl");
+ return new File(ssldir, "untrusted.keystore");
+ }
+
+ private Properties getValidJavaSSLProperties() {
+ File jks = findTrustedJKS();
+ try {
+ Properties props = new Properties();
+ props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.trustStorePassword", "password");
+ props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.keyStorePassword", "password");
+ return props;
+ }
+ catch (IOException ex) {
+ throw new AuthenticationFailedException(
+ "SSL: Exception while opening the key store: " + ex);
+ }
+ }
+
+ private Properties getInvalidJavaSSLProperties() {
+ File jks = findUntrustedJKS();
+ try {
+ Properties props = new Properties();
+ props.setProperty("javax.net.ssl.trustStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.trustStorePassword", "password");
+ props.setProperty("javax.net.ssl.keyStore", jks.getCanonicalPath());
+ props.setProperty("javax.net.ssl.keyStorePassword", "password");
+ return props;
+ }
+ catch (IOException ex) {
+ throw new AuthenticationFailedException(
+ "SSL: Exception while opening the key store: " + ex);
+ }
+ }
+
+ private Properties getSSLProperties() {
+ Properties props = new Properties();
+ props.setProperty("ssl-enabled", "true");
+ props.setProperty("ssl-require-authentication", "true");
+ props.setProperty("ssl-ciphers", "SSL_RSA_WITH_RC4_128_MD5");
+ props.setProperty("ssl-protocols", "TLSv1");
+ return props;
+ }
+
+ protected Properties initialize() throws IllegalArgumentException {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ public ClassCode classCode() {
+ return ClassCode.SSL;
+ }
+
+ public String getAuthInit() {
+ return null;
+ }
+
+ public String getAuthenticator() {
+ return null;
+ }
+
+ public Properties getValidCredentials(int index) {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ public Properties getValidCredentials(Principal principal) {
+ this.javaProps = getValidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+ public Properties getInvalidCredentials(int index) {
+ this.javaProps = getInvalidJavaSSLProperties();
+ return getSSLProperties();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java b/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
new file mode 100644
index 0000000..a41f73a
--- /dev/null
+++ b/gemfire-core/src/test/java/security/UserPasswordWithExtraPropsAuthInit.java
@@ -0,0 +1,77 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.util.Properties;
+import java.util.Iterator;
+
+import com.gemstone.gemfire.distributed.DistributedMember;
+import com.gemstone.gemfire.security.AuthInitialize;
+import com.gemstone.gemfire.security.AuthenticationFailedException;
+import templates.security.UserPasswordAuthInit;
+
+/**
+ * An {@link AuthInitialize} implementation that obtains the user name and
+ * password as the credentials from the given set of properties. If
+ * keep-extra-props property exits, it will copy rest of the
+ * properties provided in getCredential props argument will also be
+ * copied as new credentials.
+ *
+ * @author Soubhik
+ * @since 5.5
+ */
+public class UserPasswordWithExtraPropsAuthInit extends UserPasswordAuthInit {
+
+ public static final String EXTRA_PROPS = "security-keep-extra-props";
+
+ public static final String SECURITY_PREFIX = "security-";
+
+ public static AuthInitialize create() {
+ return new UserPasswordWithExtraPropsAuthInit();
+ }
+
+ public UserPasswordWithExtraPropsAuthInit() {
+ super();
+ }
+
+ public Properties getCredentials(Properties props, DistributedMember server,
+ boolean isPeer) throws AuthenticationFailedException {
+
+ Properties newProps = super.getCredentials(props, server, isPeer);
+ String extraProps = props.getProperty(EXTRA_PROPS);
+ if(extraProps != null) {
+ for(Iterator it = props.keySet().iterator(); it.hasNext();) {
+ String key = (String)it.next();
+ if( key.startsWith(SECURITY_PREFIX) &&
+ key.equalsIgnoreCase(USER_NAME) == false &&
+ key.equalsIgnoreCase(PASSWORD) == false &&
+ key.equalsIgnoreCase(EXTRA_PROPS) == false) {
+ newProps.setProperty(key, props.getProperty(key));
+ }
+ }
+ this.securitylog.fine("got everything and now have: "
+ + newProps.keySet().toString());
+ }
+ return newProps;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/3720666f/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
----------------------------------------------------------------------
diff --git a/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java b/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
new file mode 100644
index 0000000..929eafb
--- /dev/null
+++ b/gemfire-core/src/test/java/security/XmlAuthzCredentialGenerator.java
@@ -0,0 +1,264 @@
+
+package security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+
+import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
+import com.gemstone.gemfire.util.test.TestUtil;
+import templates.security.UsernamePrincipal;
+import templates.security.XmlAuthorization;
+
+public class XmlAuthzCredentialGenerator extends AuthzCredentialGenerator {
+
+ private static final String dummyXml = "authz-dummy.xml";
+
+ private static final String ldapXml = "authz-ldap.xml";
+
+ private static final String pkcsXml = "authz-pkcs.xml";
+
+ private static final String sslXml = "authz-ssl.xml";
+
+ private static final String[] QUERY_REGIONS = { "/Portfolios", "/Positions",
+ "/AuthRegion" };
+
+ public static OperationCode[] READER_OPS = { OperationCode.GET,
+ OperationCode.REGISTER_INTEREST, OperationCode.UNREGISTER_INTEREST,
+ OperationCode.KEY_SET, OperationCode.CONTAINS_KEY, OperationCode.EXECUTE_FUNCTION };
+
+ public static OperationCode[] WRITER_OPS = { OperationCode.PUT,
+ OperationCode.DESTROY, OperationCode.INVALIDATE, OperationCode.REGION_CLEAR };
+
+ public static OperationCode[] QUERY_OPS = { OperationCode.QUERY,
+ OperationCode.EXECUTE_CQ, OperationCode.STOP_CQ, OperationCode.CLOSE_CQ };
+
+ private static final byte READER_ROLE = 1;
+
+ private static final byte WRITER_ROLE = 2;
+
+ private static final byte QUERY_ROLE = 3;
+
+ private static final byte ADMIN_ROLE = 4;
+
+ private static Set readerOpsSet;
+
+ private static Set writerOpsSet;
+
+ private static Set queryOpsSet;
+
+ private static Set queryRegionSet;
+
+ static {
+
+ readerOpsSet = new HashSet();
+ for (int index = 0; index < READER_OPS.length; index++) {
+ readerOpsSet.add(READER_OPS[index]);
+ }
+ writerOpsSet = new HashSet();
+ for (int index = 0; index < WRITER_OPS.length; index++) {
+ writerOpsSet.add(WRITER_OPS[index]);
+ }
+ queryOpsSet = new HashSet();
+ for (int index = 0; index < QUERY_OPS.length; index++) {
+ queryOpsSet.add(QUERY_OPS[index]);
+ }
+ queryRegionSet = new HashSet();
+ for (int index = 0; index < QUERY_REGIONS.length; index++) {
+ queryRegionSet.add(QUERY_REGIONS[index]);
+ }
+ }
+
+ public XmlAuthzCredentialGenerator() {
+ }
+
+ protected Properties init() throws IllegalArgumentException {
+
+ Properties sysProps = new Properties();
+ String dirName = "/lib/";
+ if (this.cGen.classCode().isDummy()) {
+ String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + dummyXml);
+ sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ String xmlFilename = TestUtil.getResourcePath(XmlAuthzCredentialGenerator.class, dirName + ldapXml);
+ sysProps.setProperty(XmlAuthorization.DOC_URI_PROP_NAME, xmlFilename);
+ }
+ // else if (this.cGen.classCode().isPKCS()) {
+ // sysProps
+ // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + pkcsXml);
+ // }
+ // else if (this.cGen.classCode().isSSL()) {
+ // sysProps
+ // .setProperty(XmlAuthorization.DOC_URI_PROP_NAME, dirName + sslXml);
+ // }
+ else {
+ throw new IllegalArgumentException(
+ "No XML defined for XmlAuthorization module to work with "
+ + this.cGen.getAuthenticator());
+ }
+ return sysProps;
+ }
+
+ public ClassCode classCode() {
+ return ClassCode.XML;
+ }
+
+ public String getAuthorizationCallback() {
+ return "templates.security.XmlAuthorization.create";
+ }
+
+ private Principal getDummyPrincipal(byte roleType, int index) {
+
+ String[] admins = new String[] { "root", "admin", "administrator" };
+ int numReaders = 3;
+ int numWriters = 3;
+
+ switch (roleType) {
+ case READER_ROLE:
+ return new UsernamePrincipal("reader" + (index % numReaders));
+ case WRITER_ROLE:
+ return new UsernamePrincipal("writer" + (index % numWriters));
+ case QUERY_ROLE:
+ return new UsernamePrincipal("reader" + ((index % 2) + 3));
+ default:
+ return new UsernamePrincipal(admins[index % admins.length]);
+ }
+ }
+
+ private Principal getLdapPrincipal(byte roleType, int index) {
+
+ final String userPrefix = "gemfire";
+ final int[] readerIndices = { 3, 4, 5 };
+ final int[] writerIndices = { 6, 7, 8 };
+ final int[] queryIndices = { 9, 10 };
+ final int[] adminIndices = { 1, 2 };
+
+ switch (roleType) {
+ case READER_ROLE:
+ int readerIndex = readerIndices[index % readerIndices.length];
+ return new UsernamePrincipal(userPrefix + readerIndex);
+ case WRITER_ROLE:
+ int writerIndex = writerIndices[index % writerIndices.length];
+ return new UsernamePrincipal(userPrefix + writerIndex);
+ case QUERY_ROLE:
+ int queryIndex = queryIndices[index % queryIndices.length];
+ return new UsernamePrincipal(userPrefix + queryIndex);
+ default:
+ int adminIndex = adminIndices[index % adminIndices.length];
+ return new UsernamePrincipal(userPrefix + adminIndex);
+ }
+ }
+
+ private byte getRequiredRole(OperationCode[] opCodes, String[] regionNames) {
+
+ byte roleType = ADMIN_ROLE;
+ boolean requiresReader = true;
+ boolean requiresWriter = true;
+ boolean requiresQuery = true;
+
+ for (int opNum = 0; opNum < opCodes.length; opNum++) {
+ OperationCode opCode = opCodes[opNum];
+ if (requiresReader && !readerOpsSet.contains(opCode)) {
+ requiresReader = false;
+ }
+ if (requiresWriter && !writerOpsSet.contains(opCode)) {
+ requiresWriter = false;
+ }
+ if (requiresQuery && !queryOpsSet.contains(opCode)) {
+ requiresQuery = false;
+ }
+ }
+ if (requiresReader) {
+ roleType = READER_ROLE;
+ }
+ else if (requiresWriter) {
+ roleType = WRITER_ROLE;
+ }
+ else if (requiresQuery) {
+ if (regionNames != null && regionNames.length > 0) {
+ for (int index = 0; index < regionNames.length; index++) {
+ String regionName = XmlAuthorization
+ .normalizeRegionName(regionNames[index]);
+ if (requiresQuery && !queryRegionSet.contains(regionName)) {
+ requiresQuery = false;
+ break;
+ }
+ }
+ if (requiresQuery) {
+ roleType = QUERY_ROLE;
+ }
+ }
+ }
+ return roleType;
+ }
+
+ protected Principal getAllowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ if (this.cGen.classCode().isDummy()) {
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ return getDummyPrincipal(roleType, index);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ return getLdapPrincipal(roleType, index);
+ }
+ return null;
+ }
+
+ protected Principal getDisallowedPrincipal(OperationCode[] opCodes,
+ String[] regionNames, int index) {
+
+ byte roleType = getRequiredRole(opCodes, regionNames);
+ byte disallowedRoleType = READER_ROLE;
+ switch (roleType) {
+ case READER_ROLE:
+ disallowedRoleType = WRITER_ROLE;
+ break;
+ case WRITER_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ case QUERY_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ case ADMIN_ROLE:
+ disallowedRoleType = READER_ROLE;
+ break;
+ }
+ if (this.cGen.classCode().isDummy()) {
+ return getDummyPrincipal(disallowedRoleType, index);
+ }
+ else if (this.cGen.classCode().isLDAP()) {
+ return getLdapPrincipal(disallowedRoleType, index);
+ }
+ return null;
+ }
+
+ protected int getNumPrincipalTries(OperationCode[] opCodes,
+ String[] regionNames) {
+ return 5;
+ }
+
+}