You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2014/12/12 02:30:21 UTC
[38/51] [partial] incubator-ranger git commit: RANGER-194: Rename
packages from xasecure to apache ranger
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java b/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java
deleted file mode 100644
index e835347..0000000
--- a/agents-impl/src/test/java/com/xasecure/pdp/knox/URLBasedAuthDBTest.java
+++ /dev/null
@@ -1,956 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.xasecure.pdp.knox;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.junit.Assert;
-import org.junit.Test;
-
-import com.xasecure.pdp.model.Policy;
-import com.xasecure.pdp.model.PolicyContainer;
-import com.xasecure.pdp.model.RolePermission;
-
-public class URLBasedAuthDBTest {
-
- @Test
- public void testPolicyEnabled() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- true, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testPolicyEnabled allowed: " + allowed);
- Assert.assertTrue("Access denied while policy is enabled", allowed);
- }
-
- @Test
- public void testPolicyNotEnabled() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- false, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testPolicyNotEnabled allowed: " + allowed);
- Assert.assertFalse("Access allowed while policy is disabled", allowed);
- }
-
- @Test
- public void testPolicyEnabledAuditOnTmSm() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- true, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "xa",
- "WEBHDFS"
- );
- System.out.println("testPolicyEnabledAuditOnTmSm: " + auditEnabled);
- Assert.assertTrue("Audit not ebabled while policy is matched", auditEnabled);
- }
-
- @Test
- public void testPolicyEnabledAuditOnTnmSm() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- true, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "yxa",
- "WEBHDFS"
- );
- System.out.println("testPolicyEnabledAuditOnTnmSm auditEnabled: " + auditEnabled);
- Assert.assertFalse("Audit ebabled with a non matching topology", auditEnabled);
- }
-
- @Test
- public void testPolicyEnabledAuditOnTmSnm() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- true, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "xa",
- "yWEBHDFS"
- );
- System.out.println("testPolicyEnabledAuditOnTmSnm auditEnabled: " + auditEnabled);
- Assert.assertFalse("Audit ebabled with a non matching service", auditEnabled);
- }
-
- @Test
- public void testPolicyEnabledAuditOff() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- true, // policyEnabled
- false); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "xa",
- "WEBHDFS"
- );
- System.out.println("testPolicyEnabledAuditOff auditEnabled: " + auditEnabled);
- Assert.assertFalse("Audit ebabled with policy disabling audit", auditEnabled);
- }
-
- @Test
- public void testPolicyNotEnabledAuditOn() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- false, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "xa",
- "WEBHDFS"
- );
- System.out.println("testPolicyNotEnabledAuditOn auditEnabled: " + auditEnabled);
- Assert.assertFalse("Audit ebabled with policy not enabled", auditEnabled);
- }
-
- @Test
- public void testPolicyNotEnabledAuditOff() {
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null, // ipAddress
- false, // policyEnabled
- true); // auditEnabled
- pdp.setPolicyContainer(policyContainer);
-
- boolean auditEnabled = pdp.isAuditEnabled(
- "xa",
- "WEBHDFS"
- );
- System.out.println("testPolicyNotEnabledAuditOff auditEnabled: " + auditEnabled);
- Assert.assertFalse("Audit ebabled with policy not enabled and audit off", auditEnabled);
- }
-
- @Test
- public void testSimpleTopologyAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testSimpleTopologyAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a simple allow policy", allowed);
-
- }
-
- @Test
- public void testSimpleTopologyAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "ya",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testSimpleTopologyAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allwed for a simple deny policy", allowed);
-
- }
-
- @Test
- public void testWildTopologyAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "x*",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testWildTopologyAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a matching wild topology policy", allowed);
-
- }
-
- @Test
- public void testWildTopologyAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "x*",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "ya",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testWildTopologyAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for non matching wild topology policy", allowed);
-
- }
-
- @Test
- public void testSimpleServiceAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testSimpleServiceAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a policy matching service", allowed);
-
- }
-
- @Test
- public void testSimpleServiceAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "yWEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testSimpleServiceAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a policy with no matching service", allowed);
-
- }
-
- @Test
- public void testWildServiceAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEB*",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testWildServiceAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for policy with matching wild service", allowed);
-
- }
-
- @Test
- public void testWildServiceAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEB*",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "yWEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testWildServiceAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a policy with a non matching wild service", allowed);
-
- }
-
- @Test
- public void testAccessTypeAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testAccessTypeAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a policy with matching accessTyoe", allowed);
-
- }
-
- @Test
- public void testAccessTypeAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "yallow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testAccessTypeAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a non matching accessType", allowed);
-
- }
-
- @Test
- public void testUserAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testUserAccessAllowed allowed: " + allowed);
- Assert.assertTrue("Access denied for matching user", allowed);
-
- }
-
- @Test
- public void testUserAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("yguest"),
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "yallow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testUserAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a non matching user", allowed);
-
- }
-
- @Test
- public void testGroupAccessAllowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- null,
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "sam",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testGroupAccessAllowe allowed: " + allowed);
- Assert.assertTrue("Access denied for a matching user group", allowed);
-
- }
-
- @Test
- public void testGroupAccessDenied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- null,
- asList("sales"),
- null);
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "yallow",
- "guest",
- asSet("sales"),
- "127.127.127.127");
- System.out.println("testGroupAccessDenied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a non matching user group", allowed);
-
- }
-
-
-
- @Test
- public void testSimpleIP4Allowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.134.135"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.133.134.135");
- System.out.println("testSimpleIP4Allowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a matching IP4 request ip", allowed);
-
- }
-
- @Test
- public void testSimpleIP4Denied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.134.135"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.133.134.136");
- System.out.println("testSimpleIP4Denied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a non matching IP4 request ip", allowed);
-
- }
-
- @Test
- public void testWildIP4Allowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.134.*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.133.134.135");
- System.out.println("testWildIP4Allowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a request ip matching wild IP4", allowed);
-
- }
-
- @Test
- public void testWildIP4Denied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.134.*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.133.234.136");
- System.out.println("testWildIP4Denied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a request ip not matching wild IP4", allowed);
-
- }
-
- @Test
- public void testWilderIP4Allowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.*.*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.133.234.235");
- System.out.println("testWilderIP4Allowed: " + allowed);
- Assert.assertTrue("Access denied for a request ip matching wilder IP4", allowed);
-
- }
-
- @Test
- public void testWilderIP4Denied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132.133.*.*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132.233.234.136");
- System.out.println("testWilderIP4Denied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a request ip not matching wilder IP4", allowed);
-
- }
-
- @Test
- public void testWildIP6Allowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132:133:134:*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132:133:134:135");
- System.out.println("testWildIP6Allowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a request ip matching wild IP6", allowed);
-
- }
-
- @Test
- public void testWildIP6AllowedMixedCase() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132:133:Db8:*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132:133:dB8:135");
- System.out.println("testWildIP6AllowedMixedCase: " + allowed);
- Assert.assertTrue("Access denied for a request ip matching wild IP6 with mixed case", allowed);
-
- }
-
- @Test
- public void testWildIP6Denied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132:133:134:*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132:133:234:136");
- System.out.println("testWildIP6Denied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a request ip not matching wild IP6", allowed);
-
- }
-
- @Test
- public void testWilderIP6Allowed() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132:133:*:*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132:133:234:235");
- System.out.println("testWilderIP6Allowed allowed: " + allowed);
- Assert.assertTrue("Access denied for a request ip matching wilder IP6", allowed);
-
- }
-
- @Test
- public void testWilderIP6Denied() {
-
- URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
-
- PolicyContainer policyContainer = buildPolicyContainer(
- "xa",
- "WEBHDFS",
- asList("allow"),
- asList("guest"),
- asList("sales"),
- asList("132:133:*:*"));
- pdp.setPolicyContainer(policyContainer);
-
-
- boolean allowed = pdp.isAccessGranted(
- "xa",
- "WEBHDFS",
- "allow",
- "guest",
- asSet("sales"),
- "132:233:234:136");
- System.out.println("testWilderIP6Denied allowed: " + allowed);
- Assert.assertFalse("Access allowed for a request ip not matching wilder IP6", allowed);
-
- }
-
- private static PolicyContainer buildPolicyContainer(String topologies,
- String services, List<String> accessTypes, List<String> users,
- List<String> groups, List<String> ipAddresses) {
- return buildPolicyContainer( topologies, services, accessTypes,
- users, groups, ipAddresses, true, true);
-
- }
-
- private static PolicyContainer buildPolicyContainer(String topologies,
- String services, List<String> accessTypes, List<String> users,
- List<String> groups, List<String> ipAddresses,
- boolean policyEnabled, boolean auditEnabled) {
-
- PolicyContainer policyContainer = new PolicyContainer();
- policyContainer.setRepositoryName("knoxdev");
-
- List<Policy> policies = new ArrayList<Policy>();
-
- Policy policy = new Policy();
- policy.setTopologies(topologies);
- policy.setServices(services);
- policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled");
- policy.setAuditInd(auditEnabled ? 1 : 0);
-
- List<RolePermission> rolePermissions = new ArrayList<RolePermission>();
-
- RolePermission rolePermission = new RolePermission();
-
- rolePermissions.add(rolePermission);
- rolePermission.setAccess(accessTypes);
- rolePermission.setUsers(users);
- rolePermission.setGroups(groups);
- rolePermission.setIpAddress(ipAddresses);
-
- policy.setPermissions(rolePermissions);
-
- policies.add(policy);
-
- policyContainer.setAcl(policies);
-
- return policyContainer;
- }
-
- private static Set<String> asSet(String... a) {
- Set<String> vals = new HashSet<String>();
- for (String s : a) {
- vals.add(s);
- }
- return vals;
- }
-
- private static List<String> asList(String... a) {
- List<String> vals = new ArrayList<String>();
- for (String s : a) {
- vals.add(s);
- }
- return vals;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java
new file mode 100644
index 0000000..ad1f472
--- /dev/null
+++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/PolicyCacheStoreTest.java
@@ -0,0 +1,170 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.pdp.hdfs;
+
+import java.io.BufferedReader;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.config.ConfigWatcher;
+import org.apache.ranger.pdp.config.PolicyRefresher;
+import org.apache.ranger.pdp.hdfs.URLBasedAuthDB;
+import org.apache.ranger.pdp.model.Policy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.apache.ranger.pdp.model.RolePermission;
+import org.junit.Before;
+import org.junit.After;
+import org.junit.Test;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
+
+
+public class PolicyCacheStoreTest {
+ URLBasedAuthDB authDB = null;
+ ConfigWatcher watcherDaemon = null;
+ PolicyRefresher pr = null;
+ PolicyContainer policyContainer=null;
+ String url=null;
+ String sslConfigFileName=null;
+ String lastStoredFileName=null;
+ Long refreshInterval =0L;
+ private static final Log LOG = LogFactory.getLog(PolicyCacheStoreTest.class);
+ @Before
+ public void setup(){
+ authDB = URLBasedAuthDB.getInstance();
+
+ }
+
+ @After
+ public void teardown(){
+ authDB = null;
+ PolicyRefresher pr = null;
+ }
+
+ @Test
+ public void testHdfsPolicyCacheStore(){
+ //Check if the policy cache gets created when agent get created;
+ url="dummyurl";
+ refreshInterval=10L;
+ sslConfigFileName = "dummyConfigFileName.xml";
+ lastStoredFileName = System.getProperty("user.home") +"/"+ "haooopPolicyCache.json";
+ policyContainer = buildPolicyContainer(
+ "/demo/data",
+ 1,
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ true); // auditEnabled
+ authDB.OnPolicyChange(policyContainer);
+ pr = spy(new PolicyRefresher(url,refreshInterval,sslConfigFileName,lastStoredFileName));
+ pr.setPolicyContainer(policyContainer);
+ pr.setPolicyChangeListener(authDB);
+ PolicyContainer newPr = readPolicyCache(lastStoredFileName);
+ assertEquals(policyToString(policyContainer),policyToString(newPr));
+ }
+
+ private static PolicyContainer buildPolicyContainer(String resource,
+ int recursiveInd, List<String> accessTypes, List<String> users,
+ List<String> groups, List<String> ipAddresses,
+ boolean policyEnabled, boolean auditEnabled) {
+
+ PolicyContainer policyContainer = new PolicyContainer();
+ policyContainer.setRepositoryName("hadoopdev");
+
+ List<Policy> policies = new ArrayList<Policy>();
+
+ Policy policy = new Policy();
+ policy.setResource(resource);
+ policy.setRecursiveInd(recursiveInd);
+ policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled");
+ policy.setAuditInd(auditEnabled ? 1 : 0);
+
+ List<RolePermission> rolePermissions = new ArrayList<RolePermission>();
+
+ RolePermission rolePermission = new RolePermission();
+
+ rolePermissions.add(rolePermission);
+ rolePermission.setAccess(accessTypes);
+ rolePermission.setUsers(users);
+ rolePermission.setGroups(groups);
+ rolePermission.setIpAddress(ipAddresses);
+
+ policy.setPermissions(rolePermissions);
+
+ policies.add(policy);
+
+ policyContainer.setAcl(policies);
+
+ return policyContainer;
+ }
+
+ private static Set<String> asSet(String... a) {
+ Set<String> vals = new HashSet<String>();
+ for (String s : a) {
+ vals.add(s);
+ }
+ return vals;
+ }
+
+ private static List<String> asList(String... a) {
+ List<String> vals = new ArrayList<String>();
+ for (String s : a) {
+ vals.add(s);
+ }
+ return vals;
+ }
+
+
+ private PolicyContainer readPolicyCache(String lastStoreFileName) {
+ BufferedReader jsonString = null;
+ try {
+ jsonString = new BufferedReader(new FileReader(lastStoredFileName));
+ } catch (FileNotFoundException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ Gson gson = new GsonBuilder().create();
+ PolicyContainer newPolicyContainer = gson.fromJson(jsonString, PolicyContainer.class);
+ return newPolicyContainer;
+ }
+
+ private String policyToString(PolicyContainer pc) {
+ Gson gson = new GsonBuilder().create() ;
+ String policyAsJson = gson.toJson(policyContainer) ;
+ return policyAsJson;
+ }
+
+
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java
new file mode 100644
index 0000000..19023b6
--- /dev/null
+++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDBTest.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.pdp.hdfs;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.ranger.pdp.hdfs.URLBasedAuthDB;
+import org.apache.ranger.pdp.model.Policy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.apache.ranger.pdp.model.ResourcePath;
+import org.junit.Test;
+
+public class URLBasedAuthDBTest {
+
+ @Test
+ public void testIsAuditLogEnabledByACL_emptyPolicyContainer() {
+
+ // audit can't be enabled if authdb isn't initialized
+ assertFalse(mAuthDB.isAuditLogEnabledByACL("blah"));
+
+ // or if the policy container in is null!
+ URLBasedAuthDB spy = spy(mAuthDB);
+ when(spy.getPolicyContainer()).thenReturn(null);
+ assertFalse(mAuthDB.isAuditLogEnabledByACL("blah"));
+
+ // of if policy container is empty, i.e. has no policies!
+ List<Policy> policies = new ArrayList<Policy>();
+ PolicyContainer policyContainer = mock(PolicyContainer.class);
+ when(policyContainer.getAcl()).thenReturn(policies);
+ when(spy.getPolicyContainer()).thenReturn(policyContainer);
+ assertFalse(mAuthDB.isAuditLogEnabledByACL("blah"));
+
+ // or if all policies are empty, i.e. no acls!
+ Policy aPolicy = mock(Policy.class);
+ when(aPolicy.getResourceList()).thenReturn(new ArrayList<ResourcePath>());
+ policies.add(aPolicy);
+ when(policyContainer.getAcl()).thenReturn(policies);
+ when(spy.getPolicyContainer()).thenReturn(policyContainer);
+ assertFalse(spy.isAuditLogEnabledByACL("blah"));
+ }
+
+ private final URLBasedAuthDB mAuthDB = URLBasedAuthDB.getInstance();
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java
new file mode 100644
index 0000000..d2dfe96
--- /dev/null
+++ b/agents-impl/src/test/java/org/apache/ranger/pdp/hdfs/URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.java
@@ -0,0 +1,340 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.pdp.hdfs;
+
+import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.pdp.hdfs.URLBasedAuthDB;
+import org.apache.ranger.pdp.model.Policy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.apache.ranger.pdp.model.ResourcePath;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+
+@RunWith(Parameterized.class)
+public class URLBasedAuthDB_IsAuditLogEnabledByACL_PTest {
+
+ static class PolicyIs {
+ static final boolean wildcard = true;
+ static final boolean audited = true;
+ static final boolean recursive = true;
+
+ static final boolean notWildcard = false;
+ static final boolean notAudited = false;
+ static final boolean notRecursive = false;
+ }
+
+ static final class PolicyPath {
+ static final String path1 = "aPath";
+ static final String path1Child1 = PolicyPath.path1 + "/" + "child1";
+ static final String path1Child2 = PolicyPath.path1 + "/" + "child2";
+
+ static final String path2 = "anotherPath";
+ }
+ static final class TestPath {
+ static final String path1 = PolicyPath.path1;
+ static final String beginsWithPath1 = PolicyPath.path1 + "_";
+ static final String path1Child1 = PolicyPath.path1Child1;
+ static final String path1Child2 = PolicyPath.path1Child2;
+ static final String path1GrandChild1 = String.format("%s/%s/%s", path1, path1Child1, "grandChild1");
+ static final String path1GrandChild2 = String.format("%s/%s/%s", path1, path1Child1, "grandChild2");
+
+ static final String path2 = PolicyPath.path2;
+ static final String beginsWithPath2 = PolicyPath.path2 + "_";
+ static final String path2Child1 = PolicyPath.path2 + "/" + "child1";
+ static final String path2Child2 = PolicyPath.path2 + "/" + "child2";
+ }
+
+ static class ExpectedResult {
+ static final class AuditEnabled {
+ static final boolean yes = true;
+ static final boolean no = false;
+ }
+ }
+
+ static class TestDataIndex {
+ static final int ExpectedResult = 6;
+ static final int Audited = 3;
+ public static final int TestName = 0;
+ public static final int wildCard = 2;
+ }
+
+
+ /**
+ * ASSUMPTION: set of tests passed as such that they require wildcard flag to be set for them to return audit enabled.
+ * So turn wildcard flag of them off to assert that they no-longer work. Of course, those that don't work even with wildcard
+ * should also continue to not work when wildcard is turned off!
+ */
+ private static List<Object[]> turnWildcardOffForTestsThatRequireWildcard(List<Object[]> tests) {
+
+ // in the worse case we would generate one test for each existing test
+ List<Object[]> newTests = new ArrayList<Object[]>(tests.size());
+ for (Object[] aTest: tests) {
+ boolean isPolicyWildcard = (Boolean) aTest[TestDataIndex.wildCard];
+ if (isPolicyWildcard == PolicyIs.wildcard) {
+ Object[] newTest = Arrays.copyOf(aTest, aTest.length);
+ // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result
+ newTest[TestDataIndex.wildCard] = PolicyIs.notWildcard;
+ newTest[TestDataIndex.ExpectedResult] = ExpectedResult.AuditEnabled.no;
+ // for debugging purposes alter the test description, too
+ String testName = (String) newTest[TestDataIndex.TestName];
+ newTest[TestDataIndex.TestName] = "[Wildcard-ed base test with wildcard flag turned off] " + testName;
+ newTests.add(newTest);
+ }
+ }
+ return newTests;
+ }
+
+ /**
+ * wildcard - policy flag says wildcard by the policy path itself does not have any wildcards worth expanding.
+ * This should work exactly the same as if wildcard was turned off!
+ */
+ private static List<Object[]> turnWildcardOnForNonWildcardTests(List<Object[]> tests) {
+
+ // in the worse case we would generate one test for each existing test
+ List<Object[]> newTests = new ArrayList<Object[]>(tests.size());
+ /*
+ * If a test currently does not have wildcard set on it, then expectation is changing wildcard flag
+ * true shouldn't change the result. ASSUMPTION here, of course, is that "base tests" don't use any
+ * wild-card characters in their resource paths that would make an otherwise disabled audit to return enabled.
+ */
+ for (Object[] aTest: tests) {
+ boolean isPolicyWildcard = (Boolean) aTest[TestDataIndex.wildCard];
+ if (isPolicyWildcard == PolicyIs.notWildcard) {
+ Object[] newTest = Arrays.copyOf(aTest, aTest.length);
+ // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result
+ newTest[TestDataIndex.wildCard] = PolicyIs.wildcard;
+ // for debugging purposes alter the test description, too
+ String testName = (String) newTest[TestDataIndex.TestName];
+ newTest[TestDataIndex.TestName] = "[Base test with wildcard enabled] " + testName;
+ newTests.add(newTest);
+ }
+ }
+ return newTests;
+ }
+
+ /**
+ * Disabled audit on every test that expects result to be yes to ensure that no matter what answer should be false if policy says that audit is disabled!
+ */
+ private static List<Object[]> disableAuditForBaseTests(List<Object[]> tests) {
+
+ List<Object[]> newTests = new ArrayList<Object[]>(tests.size());
+
+ for (Object[] aTest : tests) {
+ boolean expectedResult = (Boolean) aTest[TestDataIndex.ExpectedResult];
+ boolean isPolicyAuditEnabled = (Boolean) aTest[TestDataIndex.Audited];
+
+ if (expectedResult == ExpectedResult.AuditEnabled.yes
+ && isPolicyAuditEnabled == PolicyIs.audited) {
+ Object[] newTest = Arrays.copyOf(aTest, aTest.length);
+ // Change the policy of this test so that Audit is disabled at policy level and accordingly change the expected result
+ newTest[TestDataIndex.Audited] = PolicyIs.notAudited;
+ newTest[TestDataIndex.ExpectedResult] = ExpectedResult.AuditEnabled.no;
+ // for debugging purposes alter the test description, too
+ String testName = (String) newTest[TestDataIndex.TestName];
+ newTest[TestDataIndex.TestName] = "[Base tests with audit disabled] " + testName;
+ newTests.add(newTest);
+ }
+ }
+
+ return newTests;
+ }
+
+ @Parameters
+ public static Collection<Object[]> data() {
+ Object[][] baseTestData = new Object[][] {
+
+ // no-recursive paths - return true if paths match
+ {"policypath(path1) == testpath(path1) => yes",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path1, ExpectedResult.AuditEnabled.yes},
+ {"policypath(path2) == testpath(path2) => yes",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path2, ExpectedResult.AuditEnabled.yes},
+
+ // no-recursive paths - return false if paths don't match!
+ {"policypath(path1) != testPath(path2) => no",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path2, ExpectedResult.AuditEnabled.no},
+ {"policypath(path2) != testPath(path1) => no",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.notRecursive, TestPath.path1, ExpectedResult.AuditEnabled.no},
+
+ // recursive path policy - should work at least as well as non-recursive, i.e. match when same and not otherwise!
+ {"recursive, policypath(path1) == testpath(path1)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path2) == testpath(path2)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path1) == testpath(path2)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2, ExpectedResult.AuditEnabled.no},
+ {"recursive, policypath(path1) == testpath(path2)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1, ExpectedResult.AuditEnabled.no},
+
+ // recursive path policy - should match children
+ {"recursive, policypath(path1) == testpath(path1/child1)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child1, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path1) == testpath(path1/child2)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child2, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path1) == testpath(path1/child1)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child1, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path1) == testpath(path1/child2)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child2, ExpectedResult.AuditEnabled.yes},
+
+ // recursive path policy - should match grand children, too!
+ {"recursive, policypath(path1) == testpath(path1/child1/grandChild1)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1GrandChild1, ExpectedResult.AuditEnabled.yes},
+ {"recursive, policypath(path1) == testpath(path1/child1/grandChild2)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1GrandChild2, ExpectedResult.AuditEnabled.yes},
+
+ // recursive path policy - shouldn't match child in some other directory
+ {"recursive, policypath(path1) == testpath(path1/child1)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child1, ExpectedResult.AuditEnabled.no},
+ {"recursive, policypath(path1) == testpath(path1/child2)",
+ PolicyPath.path1, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path2Child2, ExpectedResult.AuditEnabled.no},
+ {"recursive, policypath(path1) == testpath(path1/child1)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child1, ExpectedResult.AuditEnabled.no},
+ {"recursive, policypath(path1) == testpath(path1/child2)",
+ PolicyPath.path2, PolicyIs.notWildcard, PolicyIs.audited, PolicyIs.recursive, TestPath.path1Child2, ExpectedResult.AuditEnabled.no},
+
+ };
+
+ Object[][] wildCardTestData = new Object[][] {
+ // Pattern contains exact substring
+ {"Wildcard, Pattern contains substring of tested path - 1",
+ "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern contains substring of tested path - 2",
+ "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern contains substring of tested path - 3",
+ "aPa*th", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern contains substring of tested path - 4",
+ "aP*at*h", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath", ExpectedResult.AuditEnabled.yes},
+
+ // Pattern should match
+ {"Wildcard, Pattern should match - 1",
+ "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath_", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 2",
+ "aPath*", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aPath_longSuffix", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 3",
+ "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "_aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 4",
+ "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "longPrefix_aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 5",
+ "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "_aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 6",
+ "*aPath", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "longPrefix_aPath", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 5",
+ "a*Path", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "a___Path", ExpectedResult.AuditEnabled.yes},
+ {"Wildcard, Pattern should match - 6",
+ "a*Path", PolicyIs.wildcard, PolicyIs.audited, PolicyIs.recursive, "aMiddlePath", ExpectedResult.AuditEnabled.yes},
+ };
+
+ // in the worst case all tests have a corresponding audit disabled test
+ List<Object[]> baseTests = Arrays.asList(baseTestData);
+ List<Object[]> result = new ArrayList<Object[]>(baseTests);
+
+ // answer is false no matter what if policy is set to not audit
+ List<Object[]> additionalTests = disableAuditForBaseTests(baseTests);
+ result.addAll(additionalTests);
+
+ // turning wildcard flag on when policy path itself does not have wildcard characters in it shouldn't change the result!
+ additionalTests = turnWildcardOnForNonWildcardTests(baseTests);
+ result.addAll(additionalTests);
+
+ List<Object[]> wildcardBaseTests = Arrays.asList(wildCardTestData);
+ result.addAll(wildcardBaseTests);
+
+ additionalTests = turnWildcardOffForTestsThatRequireWildcard(wildcardBaseTests);
+ result.addAll(additionalTests);
+ return result;
+ }
+
+ public URLBasedAuthDB_IsAuditLogEnabledByACL_PTest(String testName, String policyPath, boolean wildCard, boolean audited, boolean recursive, String testPath, boolean expectedResult) {
+ _testName = testName;
+ _policyPath = policyPath;
+ _policyPathWildcard = wildCard;
+ _policyAudited = audited;
+ _policyRecursive = recursive;
+ _testPath = testPath;
+ _expectedResult = expectedResult;
+ }
+
+ private final String _testName;
+ private final String _policyPath;
+ private final boolean _policyPathWildcard;
+ private final boolean _policyAudited;
+ private final boolean _policyRecursive;
+ private final String _testPath;
+ private final boolean _expectedResult;
+
+ @Test
+ public void testIsAuditLogEnabledByACL() {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Test: %sPolicy Path: %s, isWildcard: %b, isAudited: %b, isRecursive: %b, TestPath: %s",
+ _testName, _policyPath, _policyPathWildcard, _policyAudited, _policyRecursive, _testPath));
+ }
+
+ // A policy can have several paths, so let's first stuff our path into a collection
+ ResourcePath path = mock(ResourcePath.class);
+ when(path.getPath()).thenReturn(_policyPath);
+ when(path.isWildcardPath()).thenReturn(_policyPathWildcard);
+ List<ResourcePath> resourcePaths = new ArrayList<ResourcePath>();
+ resourcePaths.add(path);
+
+ // wire it into the policy and set other aspects of the policy
+ Policy aPolicy = mock(Policy.class);
+ when(aPolicy.getResourceList()).thenReturn(resourcePaths);
+
+ int recursiveIndicator = _policyRecursive ? 1 : 0;
+ when(aPolicy.getRecursiveInd()).thenReturn(recursiveIndicator);
+
+ int auditedIndicator = _policyAudited ? 1 : 0;
+ when(aPolicy.getAuditInd()).thenReturn(auditedIndicator);
+
+ // a container can have several policies to first we stuff our policy into a container
+ List<Policy> policies = new ArrayList<Policy>();
+ policies.add(aPolicy);
+ // now wire the policy into the container
+ PolicyContainer policyContainer = mock(PolicyContainer.class);
+ when(policyContainer.getAcl()).thenReturn(policies);
+
+ // finally wire the policy container into the authdb
+ URLBasedAuthDB spy = spy(mAuthDB);
+ when(spy.getPolicyContainer()).thenReturn(policyContainer);
+
+ // assert the result
+ boolean result = spy.isAuditLogEnabledByACL(_testPath);
+ assertThat(_testName, result, is(_expectedResult));
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format(", Expected Result (Audit enabled?): %b Result: %b\n", _expectedResult, result));
+ }
+ }
+
+ private final URLBasedAuthDB mAuthDB = URLBasedAuthDB.getInstance();
+ private static final Log LOG = LogFactory.getLog(URLBasedAuthDB_IsAuditLogEnabledByACL_PTest.class) ;
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
----------------------------------------------------------------------
diff --git a/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java b/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
new file mode 100644
index 0000000..3e0724d
--- /dev/null
+++ b/agents-impl/src/test/java/org/apache/ranger/pdp/knox/URLBasedAuthDBTest.java
@@ -0,0 +1,956 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.pdp.knox;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.ranger.pdp.knox.URLBasedAuthDB;
+import org.apache.ranger.pdp.model.Policy;
+import org.apache.ranger.pdp.model.PolicyContainer;
+import org.apache.ranger.pdp.model.RolePermission;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class URLBasedAuthDBTest {
+
+ @Test
+ public void testPolicyEnabled() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testPolicyEnabled allowed: " + allowed);
+ Assert.assertTrue("Access denied while policy is enabled", allowed);
+ }
+
+ @Test
+ public void testPolicyNotEnabled() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ false, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testPolicyNotEnabled allowed: " + allowed);
+ Assert.assertFalse("Access allowed while policy is disabled", allowed);
+ }
+
+ @Test
+ public void testPolicyEnabledAuditOnTmSm() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "xa",
+ "WEBHDFS"
+ );
+ System.out.println("testPolicyEnabledAuditOnTmSm: " + auditEnabled);
+ Assert.assertTrue("Audit not ebabled while policy is matched", auditEnabled);
+ }
+
+ @Test
+ public void testPolicyEnabledAuditOnTnmSm() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "yxa",
+ "WEBHDFS"
+ );
+ System.out.println("testPolicyEnabledAuditOnTnmSm auditEnabled: " + auditEnabled);
+ Assert.assertFalse("Audit ebabled with a non matching topology", auditEnabled);
+ }
+
+ @Test
+ public void testPolicyEnabledAuditOnTmSnm() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "xa",
+ "yWEBHDFS"
+ );
+ System.out.println("testPolicyEnabledAuditOnTmSnm auditEnabled: " + auditEnabled);
+ Assert.assertFalse("Audit ebabled with a non matching service", auditEnabled);
+ }
+
+ @Test
+ public void testPolicyEnabledAuditOff() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ true, // policyEnabled
+ false); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "xa",
+ "WEBHDFS"
+ );
+ System.out.println("testPolicyEnabledAuditOff auditEnabled: " + auditEnabled);
+ Assert.assertFalse("Audit ebabled with policy disabling audit", auditEnabled);
+ }
+
+ @Test
+ public void testPolicyNotEnabledAuditOn() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ false, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "xa",
+ "WEBHDFS"
+ );
+ System.out.println("testPolicyNotEnabledAuditOn auditEnabled: " + auditEnabled);
+ Assert.assertFalse("Audit ebabled with policy not enabled", auditEnabled);
+ }
+
+ @Test
+ public void testPolicyNotEnabledAuditOff() {
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null, // ipAddress
+ false, // policyEnabled
+ true); // auditEnabled
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean auditEnabled = pdp.isAuditEnabled(
+ "xa",
+ "WEBHDFS"
+ );
+ System.out.println("testPolicyNotEnabledAuditOff auditEnabled: " + auditEnabled);
+ Assert.assertFalse("Audit ebabled with policy not enabled and audit off", auditEnabled);
+ }
+
+ @Test
+ public void testSimpleTopologyAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testSimpleTopologyAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a simple allow policy", allowed);
+
+ }
+
+ @Test
+ public void testSimpleTopologyAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "ya",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testSimpleTopologyAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allwed for a simple deny policy", allowed);
+
+ }
+
+ @Test
+ public void testWildTopologyAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "x*",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testWildTopologyAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a matching wild topology policy", allowed);
+
+ }
+
+ @Test
+ public void testWildTopologyAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "x*",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "ya",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testWildTopologyAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for non matching wild topology policy", allowed);
+
+ }
+
+ @Test
+ public void testSimpleServiceAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testSimpleServiceAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a policy matching service", allowed);
+
+ }
+
+ @Test
+ public void testSimpleServiceAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "yWEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testSimpleServiceAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a policy with no matching service", allowed);
+
+ }
+
+ @Test
+ public void testWildServiceAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEB*",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testWildServiceAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for policy with matching wild service", allowed);
+
+ }
+
+ @Test
+ public void testWildServiceAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEB*",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "yWEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testWildServiceAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a policy with a non matching wild service", allowed);
+
+ }
+
+ @Test
+ public void testAccessTypeAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testAccessTypeAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a policy with matching accessTyoe", allowed);
+
+ }
+
+ @Test
+ public void testAccessTypeAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "yallow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testAccessTypeAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a non matching accessType", allowed);
+
+ }
+
+ @Test
+ public void testUserAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testUserAccessAllowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for matching user", allowed);
+
+ }
+
+ @Test
+ public void testUserAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("yguest"),
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "yallow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testUserAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a non matching user", allowed);
+
+ }
+
+ @Test
+ public void testGroupAccessAllowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ null,
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "sam",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testGroupAccessAllowe allowed: " + allowed);
+ Assert.assertTrue("Access denied for a matching user group", allowed);
+
+ }
+
+ @Test
+ public void testGroupAccessDenied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ null,
+ asList("sales"),
+ null);
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "yallow",
+ "guest",
+ asSet("sales"),
+ "127.127.127.127");
+ System.out.println("testGroupAccessDenied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a non matching user group", allowed);
+
+ }
+
+
+
+ @Test
+ public void testSimpleIP4Allowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.134.135"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.133.134.135");
+ System.out.println("testSimpleIP4Allowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a matching IP4 request ip", allowed);
+
+ }
+
+ @Test
+ public void testSimpleIP4Denied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.134.135"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.133.134.136");
+ System.out.println("testSimpleIP4Denied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a non matching IP4 request ip", allowed);
+
+ }
+
+ @Test
+ public void testWildIP4Allowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.134.*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.133.134.135");
+ System.out.println("testWildIP4Allowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a request ip matching wild IP4", allowed);
+
+ }
+
+ @Test
+ public void testWildIP4Denied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.134.*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.133.234.136");
+ System.out.println("testWildIP4Denied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a request ip not matching wild IP4", allowed);
+
+ }
+
+ @Test
+ public void testWilderIP4Allowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.*.*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.133.234.235");
+ System.out.println("testWilderIP4Allowed: " + allowed);
+ Assert.assertTrue("Access denied for a request ip matching wilder IP4", allowed);
+
+ }
+
+ @Test
+ public void testWilderIP4Denied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132.133.*.*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132.233.234.136");
+ System.out.println("testWilderIP4Denied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a request ip not matching wilder IP4", allowed);
+
+ }
+
+ @Test
+ public void testWildIP6Allowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132:133:134:*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132:133:134:135");
+ System.out.println("testWildIP6Allowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a request ip matching wild IP6", allowed);
+
+ }
+
+ @Test
+ public void testWildIP6AllowedMixedCase() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132:133:Db8:*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132:133:dB8:135");
+ System.out.println("testWildIP6AllowedMixedCase: " + allowed);
+ Assert.assertTrue("Access denied for a request ip matching wild IP6 with mixed case", allowed);
+
+ }
+
+ @Test
+ public void testWildIP6Denied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132:133:134:*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132:133:234:136");
+ System.out.println("testWildIP6Denied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a request ip not matching wild IP6", allowed);
+
+ }
+
+ @Test
+ public void testWilderIP6Allowed() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132:133:*:*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132:133:234:235");
+ System.out.println("testWilderIP6Allowed allowed: " + allowed);
+ Assert.assertTrue("Access denied for a request ip matching wilder IP6", allowed);
+
+ }
+
+ @Test
+ public void testWilderIP6Denied() {
+
+ URLBasedAuthDB pdp = URLBasedAuthDB.getInstanceWithBackEndMocked();
+
+ PolicyContainer policyContainer = buildPolicyContainer(
+ "xa",
+ "WEBHDFS",
+ asList("allow"),
+ asList("guest"),
+ asList("sales"),
+ asList("132:133:*:*"));
+ pdp.setPolicyContainer(policyContainer);
+
+
+ boolean allowed = pdp.isAccessGranted(
+ "xa",
+ "WEBHDFS",
+ "allow",
+ "guest",
+ asSet("sales"),
+ "132:233:234:136");
+ System.out.println("testWilderIP6Denied allowed: " + allowed);
+ Assert.assertFalse("Access allowed for a request ip not matching wilder IP6", allowed);
+
+ }
+
+ private static PolicyContainer buildPolicyContainer(String topologies,
+ String services, List<String> accessTypes, List<String> users,
+ List<String> groups, List<String> ipAddresses) {
+ return buildPolicyContainer( topologies, services, accessTypes,
+ users, groups, ipAddresses, true, true);
+
+ }
+
+ private static PolicyContainer buildPolicyContainer(String topologies,
+ String services, List<String> accessTypes, List<String> users,
+ List<String> groups, List<String> ipAddresses,
+ boolean policyEnabled, boolean auditEnabled) {
+
+ PolicyContainer policyContainer = new PolicyContainer();
+ policyContainer.setRepositoryName("knoxdev");
+
+ List<Policy> policies = new ArrayList<Policy>();
+
+ Policy policy = new Policy();
+ policy.setTopologies(topologies);
+ policy.setServices(services);
+ policy.setPolicyStatus(policyEnabled ? "Enabled" : "NotEnabled");
+ policy.setAuditInd(auditEnabled ? 1 : 0);
+
+ List<RolePermission> rolePermissions = new ArrayList<RolePermission>();
+
+ RolePermission rolePermission = new RolePermission();
+
+ rolePermissions.add(rolePermission);
+ rolePermission.setAccess(accessTypes);
+ rolePermission.setUsers(users);
+ rolePermission.setGroups(groups);
+ rolePermission.setIpAddress(ipAddresses);
+
+ policy.setPermissions(rolePermissions);
+
+ policies.add(policy);
+
+ policyContainer.setAcl(policies);
+
+ return policyContainer;
+ }
+
+ private static Set<String> asSet(String... a) {
+ Set<String> vals = new HashSet<String>();
+ for (String s : a) {
+ vals.add(s);
+ }
+ return vals;
+ }
+
+ private static List<String> asList(String... a) {
+ List<String> vals = new ArrayList<String>();
+ for (String s : a) {
+ vals.add(s);
+ }
+ return vals;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java
----------------------------------------------------------------------
diff --git a/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java b/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java
deleted file mode 100644
index 8d84223..0000000
--- a/agents-installer/src/main/java/com/xasecure/utils/install/PasswordGenerator.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.xasecure.utils.install;
-
-import java.util.ArrayList;
-import java.util.Random;
-
-public class PasswordGenerator {
-
-
- private int minimumPasswordLength = 8 ;
-
- private int maximumPasswordLength = 12 ;
-
- private boolean isExpectedNumberic = true ;
-
- private boolean isExpectedBothCase = true ;
-
- private static final ArrayList<Character> alphaLetters = new ArrayList<Character>() ;
-
- private static final ArrayList<Character> alphaUpperLetters = new ArrayList<Character>() ;
-
- private static final ArrayList<Character> numericLetters = new ArrayList<Character>() ;
-
-
- static {
- for(int x = 'a' ; x <= 'z' ; x++) {
- char v = (char)x ;
- alphaLetters.add(Character.toLowerCase(v)) ;
- alphaUpperLetters.add(Character.toUpperCase(v)) ;
- }
- for(int i = 0 ; i < 10 ; i++) {
- numericLetters.add(Character.forDigit(i,10)) ;
- }
- }
-
-
-
- public static void main(String[] args) {
- PasswordGenerator pg = new PasswordGenerator() ;
- System.out.println(pg.generatorPassword()) ;
- }
-
-
- private int getPasswordLength() {
- int ret = 0;
-
- if (minimumPasswordLength == maximumPasswordLength) {
- ret = minimumPasswordLength ;
- }
- else {
-
- int diff = Math.abs(maximumPasswordLength - minimumPasswordLength) + 1 ;
- ret = minimumPasswordLength + new Random().nextInt(diff) ;
- }
- return (ret) ;
- }
-
-
- public String generatorPassword() {
-
- String password = null ;
-
- ArrayList<Character> all = new ArrayList<Character>() ;
-
- all.addAll(alphaLetters) ;
- all.addAll(alphaUpperLetters) ;
- all.addAll(numericLetters) ;
-
- int len = getPasswordLength() ;
-
- Random random = new Random() ;
-
- int setSz = all.size();
-
- do
- {
- StringBuilder sb = new StringBuilder();
-
- for(int i = 0 ; i < len ; i++) {
- int index = random.nextInt(setSz) ;
- Character c = all.get(index) ;
- while ((i == 0) && Character.isDigit(c)) {
- index = random.nextInt(setSz) ;
- c = all.get(index) ;
- }
- sb.append(all.get(index)) ;
- }
- password = sb.toString() ;
- } while (! isValidPassword(password)) ;
-
-
- return password ;
-
- }
-
- private boolean isValidPassword(String pass) {
- boolean ret = true ;
-
- if (isExpectedNumberic || isExpectedBothCase) {
- boolean lowerCaseFound = false ;
- boolean digitFound = false ;
- boolean upperCaseFound = false ;
- for(char c : pass.toCharArray()) {
- if (!digitFound && Character.isDigit(c)) {
- digitFound = true ;
- }
- else if (!lowerCaseFound && Character.isLowerCase(c)) {
- lowerCaseFound = true ;
- }
- else if (!upperCaseFound && Character.isUpperCase(c) ) {
- upperCaseFound = true ;
- }
- }
-
- if (isExpectedNumberic && !digitFound) {
- ret = false ;
- }
-
- if (isExpectedBothCase && (!lowerCaseFound || !upperCaseFound)) {
- ret = false ;
- }
- }
-
- return ret ;
- }
-}