Beispiel #1
0
        /// <exception cref="System.Exception"/>
        private void TestGetToken(string renewer, Text expectedTokenKind)
        {
            DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                       .Getdelegationtoken;
            HttpServletRequest  request  = Org.Mockito.Mockito.Mock <HttpServletRequest>();
            HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();

            Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
                                                                          .OpParam + "=" + op.ToString());
            Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
            AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();

            Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
            Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(new PrintWriter(new StringWriter
                                                                                          ()));
            NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
                                                                       ));
            Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
                                                                          .OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.RenewerParam
                                                                          + "=" + renewer);
            Org.Mockito.Mockito.Reset(response);
            Org.Mockito.Mockito.Reset(token);
            Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
            StringWriter writer  = new StringWriter();
            PrintWriter  pwriter = new PrintWriter(writer);

            Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
            NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
                                                                       ));
            if (renewer == null)
            {
                Org.Mockito.Mockito.Verify(token).GetUserName();
            }
            else
            {
                Org.Mockito.Mockito.Verify(token).GetUserName();
            }
            Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
            Org.Mockito.Mockito.Verify(response).SetContentType(MediaType.ApplicationJson);
            pwriter.Close();
            string responseOutput = writer.ToString();
            string tokenLabel     = DelegationTokenAuthenticator.DelegationTokenJson;

            Assert.True(responseOutput.Contains(tokenLabel));
            Assert.True(responseOutput.Contains(DelegationTokenAuthenticator
                                                .DelegationTokenUrlStringJson));
            ObjectMapper jsonMapper = new ObjectMapper();
            IDictionary  json       = jsonMapper.ReadValue <IDictionary>(responseOutput);

            json = (IDictionary)json[tokenLabel];
            string tokenStr;

            tokenStr = (string)json[DelegationTokenAuthenticator.DelegationTokenUrlStringJson
                       ];
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token
                                                                                    <DelegationTokenIdentifier>();
            dt.DecodeFromUrlString(tokenStr);
            handler.GetTokenManager().VerifyToken(dt);
            Assert.Equal(expectedTokenKind, dt.GetKind());
        }
Beispiel #2
0
        /// <exception cref="System.Exception"/>
        private void TestValidDelegationTokenHeader()
        {
            HttpServletRequest  request  = Org.Mockito.Mockito.Mock <HttpServletRequest>();
            HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token
                                                                                         <DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
                                                                                                                                                           .GetCurrentUser(), "user");
            Org.Mockito.Mockito.When(request.GetHeader(Org.Mockito.Mockito.Eq(DelegationTokenAuthenticator
                                                                              .DelegationTokenHeader))).ThenReturn(dToken.EncodeToUrlString());
            AuthenticationToken token = handler.Authenticate(request, response);

            Assert.Equal(UserGroupInformation.GetCurrentUser().GetShortUserName
                             (), token.GetUserName());
            Assert.Equal(0, token.GetExpires());
            Assert.Equal(handler.GetType(), token.GetType());
            Assert.True(token.IsExpired());
        }
Beispiel #3
0
        /// <exception cref="System.Exception"/>
        private void TestRenewToken()
        {
            DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                       .Renewdelegationtoken;
            HttpServletRequest  request  = Org.Mockito.Mockito.Mock <HttpServletRequest>();
            HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();

            Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
                                                                          .OpParam + "=" + op.ToString());
            Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
            NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
                                                                       ));
            Org.Mockito.Mockito.Verify(response).SetStatus(Org.Mockito.Mockito.Eq(HttpServletResponse
                                                                                  .ScUnauthorized));
            Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator
                                                                                  .WwwAuthenticate), Org.Mockito.Mockito.Eq("mock"));
            Org.Mockito.Mockito.Reset(response);
            AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();

            Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
            NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
                                                                       ));
            Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse
                                                                                  .ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]"));
            Org.Mockito.Mockito.Reset(response);
            StringWriter writer  = new StringWriter();
            PrintWriter  pwriter = new PrintWriter(writer);

            Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token
                                                                                         <DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
                                                                                                                                                           .GetCurrentUser(), "user");
            Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
                                                                          .OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam +
                                                                          "=" + dToken.EncodeToUrlString());
            NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
                                                                       ));
            Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
            pwriter.Close();
            Assert.True(writer.ToString().Contains("long"));
            handler.GetTokenManager().VerifyToken(dToken);
        }
Beispiel #4
0
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
        ///     "/>
        public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
                                                 request, HttpServletResponse response)
        {
            bool   requestContinues = true;
            string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                  .OpParam);

            op = (op != null) ? StringUtils.ToUpperCase(op) : null;
            if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
            {
                DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
                                                                             .ValueOf(op);
                if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
                {
                    bool doManagement;
                    if (dtOp.RequiresKerberosCredentials() && token == null)
                    {
                        token = Authenticate(request, response);
                        if (token == null)
                        {
                            requestContinues = false;
                            doManagement     = false;
                        }
                        else
                        {
                            doManagement = true;
                        }
                    }
                    else
                    {
                        doManagement = true;
                    }
                    if (doManagement)
                    {
                        UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
                                                              (token.GetUserName()) : null;
                        // Create the proxy user if doAsUser exists
                        string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
                        if (requestUgi != null && doAsUser != null)
                        {
                            requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
                            try
                            {
                                ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
                            }
                            catch (AuthorizationException ex)
                            {
                                HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
                                                                                  , ex);
                                return(false);
                            }
                        }
                        IDictionary map = null;
                        switch (dtOp)
                        {
                        case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                       .RenewerParam);
                            try
                            {
                                Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
                                    requestUgi, renewer);
                                map = DelegationTokenToJSON(dToken);
                            }
                            catch (IOException ex)
                            {
                                throw new AuthenticationException(ex.ToString(), ex);
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
                        {
                            if (requestUgi == null)
                            {
                                throw new InvalidOperationException("request UGI cannot be NULL");
                            }
                            string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                            .TokenParam);
                            if (tokenToRenew == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToRenew);
                                    long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
                                    map         = new Hashtable();
                                    map["long"] = expirationTime;
                                }
                                catch (IOException ex)
                                {
                                    throw new AuthenticationException(ex.ToString(), ex);
                                }
                            }
                            break;
                        }

                        case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
                        {
                            string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
                                                                             .TokenParam);
                            if (tokenToCancel == null)
                            {
                                response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
                                                                                                          , dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
                                requestContinues = false;
                            }
                            else
                            {
                                Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
                                                                                                                Org.Apache.Hadoop.Security.Token.Token();
                                try
                                {
                                    dt.DecodeFromUrlString(tokenToCancel);
                                    tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
                                                                                         : null);
                                }
                                catch (IOException)
                                {
                                    response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
                                                       );
                                    requestContinues = false;
                                }
                            }
                            break;
                        }
                        }
                        if (requestContinues)
                        {
                            response.SetStatus(HttpServletResponse.ScOk);
                            if (map != null)
                            {
                                response.SetContentType(MediaType.ApplicationJson);
                                TextWriter   writer     = response.GetWriter();
                                ObjectMapper jsonMapper = new ObjectMapper();
                                jsonMapper.WriteValue(writer, map);
                                writer.Write(Enter);
                                writer.Flush();
                            }
                            requestContinues = false;
                        }
                    }
                }
                else
                {
                    response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
                                                                                              + "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
                    requestContinues = false;
                }
            }
            return(requestContinues);
        }