You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by as...@apache.org on 2017/09/12 20:41:57 UTC
[42/50] [abbrv] hadoop git commit: HADOOP-14799. Update
nimbus-jose-jwt to 4.41.1. (rchiang)
HADOOP-14799. Update nimbus-jose-jwt to 4.41.1. (rchiang)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/556812c1
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/556812c1
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/556812c1
Branch: refs/heads/YARN-5972
Commit: 556812c179aa094c21acf610439a8d69fe6420ab
Parents: ad74691
Author: Ray Chiang <rc...@apache.org>
Authored: Tue Sep 12 10:19:34 2017 -0700
Committer: Ray Chiang <rc...@apache.org>
Committed: Tue Sep 12 10:19:34 2017 -0700
----------------------------------------------------------------------
.../JWTRedirectAuthenticationHandler.java | 4 +-
.../TestJWTRedirectAuthenticationHandler.java | 476 ++++++++++++++++++
.../TestJWTRedirectAuthentictionHandler.java | 481 -------------------
.../mapreduce/task/reduce/TestFetcher.java | 4 -
hadoop-project/pom.xml | 2 +-
5 files changed, 480 insertions(+), 487 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/556812c1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
index 61f5b9e..884398c 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
@@ -28,6 +28,7 @@ import java.text.ParseException;
import java.security.interfaces.RSAPublicKey;
+import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.CertificateUtil;
import org.slf4j.Logger;
@@ -216,7 +217,8 @@ public class JWTRedirectAuthenticationHandler extends
* @param request for getting the original request URL
* @return url to use as login url for redirect
*/
- protected String constructLoginURL(HttpServletRequest request) {
+ @VisibleForTesting
+ String constructLoginURL(HttpServletRequest request) {
String delimiter = "?";
if (authenticationProviderUrl.contains("?")) {
delimiter = "&";
http://git-wip-us.apache.org/repos/asf/hadoop/blob/556812c1/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java
new file mode 100644
index 0000000..5a2db9b
--- /dev/null
+++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java
@@ -0,0 +1,476 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.hadoop.security.authentication.server;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Properties;
+import java.util.Vector;
+import java.util.Date;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
+import org.apache.hadoop.security.authentication.KerberosTestUtils;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.nimbusds.jose.*;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jose.crypto.RSASSASigner;
+
+public class TestJWTRedirectAuthenticationHandler extends
+ KerberosSecurityTestcase {
+ private static final String SERVICE_URL = "https://localhost:8888/resource";
+ private static final String REDIRECT_LOCATION =
+ "https://localhost:8443/authserver?originalUrl=" + SERVICE_URL;
+ RSAPublicKey publicKey = null;
+ RSAPrivateKey privateKey = null;
+ JWTRedirectAuthenticationHandler handler = null;
+
+ @Test
+ public void testNoPublicKeyJWT() throws Exception {
+ try {
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ fail("alternateAuthentication should have thrown a ServletException");
+ } catch (ServletException se) {
+ assertTrue(se.getMessage().contains(
+ "Public key for signature validation must be provisioned"));
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testCustomCookieNameJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ props.put(JWTRedirectAuthenticationHandler.JWT_COOKIE_NAME, "jowt");
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("jowt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Assert.assertEquals("bob", token.getUserName());
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException: "
+ + se.getMessage());
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testNoProviderURLJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ props
+ .remove(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL);
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ fail("alternateAuthentication should have thrown an AuthenticationException");
+ } catch (ServletException se) {
+ assertTrue(se.getMessage().contains(
+ "Authentication provider URL must not be null"));
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testUnableToParseJWT() throws Exception {
+ try {
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+
+ KeyPair kp = kpg.genKeyPair();
+ RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
+
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", "ljm" + jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testFailedSignatureValidationJWT() throws Exception {
+ try {
+
+ // Create a public key that doesn't match the one needed to
+ // verify the signature - in order to make it fail verification...
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+
+ KeyPair kp = kpg.genKeyPair();
+ RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
+
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testExpiredJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() - 1000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testNoExpirationJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", null, privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Assert.assertNotNull("Token should not be null.", token);
+ Assert.assertEquals("bob", token.getUserName());
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testInvalidAudienceJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ props
+ .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "foo");
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown a AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testValidAudienceJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ props
+ .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "bar");
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Assert.assertEquals("bob", token.getUserName());
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown an AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testValidJWT() throws Exception {
+ try {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000),
+ privateKey);
+
+ Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+ Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
+ SERVICE_URL);
+
+ AuthenticationToken token = handler.alternateAuthenticate(request,
+ response);
+ Assert.assertNotNull("Token should not be null.", token);
+ Assert.assertEquals("alice", token.getUserName());
+ } catch (ServletException se) {
+ fail("alternateAuthentication should NOT have thrown a ServletException.");
+ } catch (AuthenticationException ae) {
+ fail("alternateAuthentication should NOT have thrown an AuthenticationException");
+ }
+ }
+
+ @Test
+ public void testOrigURLWithQueryString() throws Exception {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ Mockito.when(request.getQueryString()).thenReturn("name=value");
+
+ String loginURL = handler.constructLoginURL(request);
+ Assert.assertNotNull("loginURL should not be null.", loginURL);
+ Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL);
+ }
+
+ @Test
+ public void testOrigURLNoQueryString() throws Exception {
+ handler.setPublicKey(publicKey);
+
+ Properties props = getProperties();
+ handler.init(props);
+
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getRequestURL()).thenReturn(
+ new StringBuffer(SERVICE_URL));
+ Mockito.when(request.getQueryString()).thenReturn(null);
+
+ String loginURL = handler.constructLoginURL(request);
+ Assert.assertNotNull("LoginURL should not be null.", loginURL);
+ Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL);
+ }
+
+ @Before
+ public void setup() throws Exception, NoSuchAlgorithmException {
+ setupKerberosRequirements();
+
+ KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+ kpg.initialize(2048);
+
+ KeyPair kp = kpg.genKeyPair();
+ publicKey = (RSAPublicKey) kp.getPublic();
+ privateKey = (RSAPrivateKey) kp.getPrivate();
+
+ handler = new JWTRedirectAuthenticationHandler();
+ }
+
+ protected void setupKerberosRequirements() throws Exception {
+ String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2",
+ "HTTP2/host1", "XHTTP/host" };
+ String keytab = KerberosTestUtils.getKeytabFile();
+ getKdc().createPrincipal(new File(keytab), keytabUsers);
+ }
+
+ @After
+ public void teardown() throws Exception {
+ handler.destroy();
+ }
+
+ protected Properties getProperties() {
+ Properties props = new Properties();
+ props.setProperty(
+ JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL,
+ "https://localhost:8443/authserver");
+ props.setProperty("kerberos.principal",
+ KerberosTestUtils.getServerPrincipal());
+ props.setProperty("kerberos.keytab", KerberosTestUtils.getKeytabFile());
+ return props;
+ }
+
+ protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey)
+ throws Exception {
+ JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+ .subject(sub)
+ .issueTime(new Date(new Date().getTime()))
+ .issuer("https://c2id.com")
+ .claim("scope", "openid")
+ .audience("bar")
+ .expirationTime(expires)
+ .build();
+ List<String> aud = new ArrayList<String>();
+ aud.add("bar");
+
+ JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
+
+ SignedJWT signedJWT = new SignedJWT(header, claimsSet);
+ JWSSigner signer = new RSASSASigner(privateKey);
+
+ signedJWT.sign(signer);
+
+ return signedJWT;
+ }
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/556812c1/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
deleted file mode 100644
index 97a8a9d..0000000
--- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java
+++ /dev/null
@@ -1,481 +0,0 @@
-/**
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License. See accompanying LICENSE file.
- */
-package org.apache.hadoop.security.authentication.server;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Properties;
-import java.util.Vector;
-import java.util.Date;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
-import org.apache.hadoop.security.authentication.KerberosTestUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-import com.nimbusds.jose.crypto.RSASSASigner;
-
-public class TestJWTRedirectAuthentictionHandler extends
- KerberosSecurityTestcase {
- private static final String SERVICE_URL = "https://localhost:8888/resource";
- private static final String REDIRECT_LOCATION =
- "https://localhost:8443/authserver?originalUrl=" + SERVICE_URL;
- RSAPublicKey publicKey = null;
- RSAPrivateKey privateKey = null;
- JWTRedirectAuthenticationHandler handler = null;
-
- @Test
- public void testNoPublicKeyJWT() throws Exception {
- try {
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- fail("alternateAuthentication should have thrown a ServletException");
- } catch (ServletException se) {
- assertTrue(se.getMessage().contains(
- "Public key for signature validation must be provisioned"));
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testCustomCookieNameJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- props.put(JWTRedirectAuthenticationHandler.JWT_COOKIE_NAME, "jowt");
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("jowt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Assert.assertEquals("bob", token.getUserName());
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException: "
- + se.getMessage());
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testNoProviderURLJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- props
- .remove(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL);
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- fail("alternateAuthentication should have thrown an AuthenticationException");
- } catch (ServletException se) {
- assertTrue(se.getMessage().contains(
- "Authentication provider URL must not be null"));
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testUnableToParseJWT() throws Exception {
- try {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
-
- KeyPair kp = kpg.genKeyPair();
- RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
-
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", "ljm" + jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testFailedSignatureValidationJWT() throws Exception {
- try {
-
- // Create a public key that doesn't match the one needed to
- // verify the signature - in order to make it fail verification...
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
-
- KeyPair kp = kpg.genKeyPair();
- RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();
-
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testExpiredJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() - 1000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testNoExpirationJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", null, privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Assert.assertNotNull("Token should not be null.", token);
- Assert.assertEquals("bob", token.getUserName());
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testInvalidAudienceJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- props
- .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "foo");
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Mockito.verify(response).sendRedirect(REDIRECT_LOCATION);
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown a AuthenticationException");
- }
- }
-
- @Test
- public void testValidAudienceJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- props
- .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "bar");
- handler.init(props);
-
- SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Assert.assertEquals("bob", token.getUserName());
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown an AuthenticationException");
- }
- }
-
- @Test
- public void testValidJWT() throws Exception {
- try {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000),
- privateKey);
-
- Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize());
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie });
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
- Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn(
- SERVICE_URL);
-
- AuthenticationToken token = handler.alternateAuthenticate(request,
- response);
- Assert.assertNotNull("Token should not be null.", token);
- Assert.assertEquals("alice", token.getUserName());
- } catch (ServletException se) {
- fail("alternateAuthentication should NOT have thrown a ServletException.");
- } catch (AuthenticationException ae) {
- fail("alternateAuthentication should NOT have thrown an AuthenticationException");
- }
- }
-
- @Test
- public void testOrigURLWithQueryString() throws Exception {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- Mockito.when(request.getQueryString()).thenReturn("name=value");
-
- String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
- Assert.assertNotNull("loginURL should not be null.", loginURL);
- Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL);
- }
-
- @Test
- public void testOrigURLNoQueryString() throws Exception {
- handler.setPublicKey(publicKey);
-
- Properties props = getProperties();
- handler.init(props);
-
- HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
- Mockito.when(request.getRequestURL()).thenReturn(
- new StringBuffer(SERVICE_URL));
- Mockito.when(request.getQueryString()).thenReturn(null);
-
- String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request);
- Assert.assertNotNull("LoginURL should not be null.", loginURL);
- Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL);
- }
-
- @Before
- public void setup() throws Exception, NoSuchAlgorithmException {
- setupKerberosRequirements();
-
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
-
- KeyPair kp = kpg.genKeyPair();
- publicKey = (RSAPublicKey) kp.getPublic();
- privateKey = (RSAPrivateKey) kp.getPrivate();
-
- handler = new TestJWTRedirectAuthenticationHandler();
- }
-
- protected void setupKerberosRequirements() throws Exception {
- String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2",
- "HTTP2/host1", "XHTTP/host" };
- String keytab = KerberosTestUtils.getKeytabFile();
- getKdc().createPrincipal(new File(keytab), keytabUsers);
- }
-
- @After
- public void teardown() throws Exception {
- handler.destroy();
- }
-
- protected Properties getProperties() {
- Properties props = new Properties();
- props.setProperty(
- JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL,
- "https://localhost:8443/authserver");
- props.setProperty("kerberos.principal",
- KerberosTestUtils.getServerPrincipal());
- props.setProperty("kerberos.keytab", KerberosTestUtils.getKeytabFile());
- return props;
- }
-
- protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey)
- throws Exception {
- JWTClaimsSet claimsSet = new JWTClaimsSet();
- claimsSet.setSubject(sub);
- claimsSet.setIssueTime(new Date(new Date().getTime()));
- claimsSet.setIssuer("https://c2id.com");
- claimsSet.setCustomClaim("scope", "openid");
- claimsSet.setExpirationTime(expires);
- List<String> aud = new ArrayList<String>();
- aud.add("bar");
- claimsSet.setAudience("bar");
-
- JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
-
- SignedJWT signedJWT = new SignedJWT(header, claimsSet);
- JWSSigner signer = new RSASSASigner(privateKey);
-
- signedJWT.sign(signer);
-
- return signedJWT;
- }
-
- class TestJWTRedirectAuthenticationHandler extends JWTRedirectAuthenticationHandler {
- public String testConstructLoginURL(HttpServletRequest req) {
- return constructLoginURL(req);
- }
- };
-}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/556812c1/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java
----------------------------------------------------------------------
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java
index 01e51e9..8f9434d 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java
@@ -25,9 +25,7 @@ import java.net.HttpURLConnection;
import org.apache.hadoop.fs.ChecksumException;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.mapred.MapOutputFile;
import org.apache.hadoop.mapreduce.MRJobConfig;
-import org.apache.hadoop.mapreduce.TaskID;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -66,8 +64,6 @@ import org.junit.Test;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
-import com.nimbusds.jose.util.StringUtils;
-
/**
* Test that the Fetcher does what we expect it to.
*/
http://git-wip-us.apache.org/repos/asf/hadoop/blob/556812c1/hadoop-project/pom.xml
----------------------------------------------------------------------
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 24c779c..ee08754 100755
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -1200,7 +1200,7 @@
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
- <version>3.9</version>
+ <version>4.41.1</version>
<scope>compile</scope>
<exclusions>
<exclusion>
---------------------------------------------------------------------
To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-commits-help@hadoop.apache.org