// dynamic configuration of HTTP principals
/// <exception cref="System.Exception"/>
public virtual void TestDynamicPrincipalDiscoveryMissingPrincipals()
{
string[] keytabUsers = new string[] { "hdfs/localhost" };
string keytab = KerberosTestUtils.GetKeytabFile();
GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers);
// destroy handler created in setUp()
handler.Destroy();
Properties props = new Properties();
props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab);
props.SetProperty(KerberosAuthenticationHandler.Principal, "*");
handler = GetNewAuthenticationHandler();
try
{
handler.Init(props);
NUnit.Framework.Assert.Fail("init should have failed");
}
catch (ServletException ex)
{
Assert.Equal("Principals do not exist in the keytab", ex.InnerException
.Message);
}
catch (Exception t)
{
NUnit.Framework.Assert.Fail("wrong exception: " + t);
}
}
// dynamic configuration of HTTP principals
/// <exception cref="System.Exception"/>
public virtual void TestDynamicPrincipalDiscovery()
{
string[] keytabUsers = new string[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1",
"XHTTP/host" };
string keytab = KerberosTestUtils.GetKeytabFile();
GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers);
// destroy handler created in setUp()
handler.Destroy();
Properties props = new Properties();
props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab);
props.SetProperty(KerberosAuthenticationHandler.Principal, "*");
handler = GetNewAuthenticationHandler();
handler.Init(props);
Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab
());
ICollection <KerberosPrincipal> loginPrincipals = handler.GetPrincipals();
foreach (string user in keytabUsers)
{
Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.GetRealm
());
bool expected = user.StartsWith("HTTP/");
Assert.Equal("checking for " + user, expected, loginPrincipals
.Contains(principal));
}
}
/// <exception cref="System.Exception"/>
public virtual void TestRequestWithAuthorization()
{
string token = KerberosTestUtils.DoAsClient(new _Callable_225());
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetHeader(KerberosAuthenticator.Authorization)).
ThenReturn(KerberosAuthenticator.Negotiate + " " + token);
Org.Mockito.Mockito.When(request.GetServerName()).ThenReturn("localhost");
AuthenticationToken authToken = handler.Authenticate(request, response);
if (authToken != null)
{
Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator
.WwwAuthenticate), Org.Mockito.Mockito.Matches(KerberosAuthenticator.Negotiate +
" .*"));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
Assert.Equal(KerberosTestUtils.GetClientPrincipal(), authToken
.GetName());
Assert.True(KerberosTestUtils.GetClientPrincipal().StartsWith(authToken
.GetUserName()));
Assert.Equal(GetExpectedType(), authToken.GetType());
}
else
{
Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator
.WwwAuthenticate), Org.Mockito.Mockito.Matches(KerberosAuthenticator.Negotiate +
" .*"));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScUnauthorized
);
}
}
/// <exception cref="System.Exception"/>
public string Call()
{
GSSManager gssManager = GSSManager.GetInstance();
GSSContext gssContext = null;
try
{
string servicePrincipal = KerberosTestUtils.GetServerPrincipal();
Oid oid = KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL");
GSSName serviceName = gssManager.CreateName(servicePrincipal, oid);
oid = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID");
gssContext = gssManager.CreateContext(serviceName, oid, null, GSSContext.
DefaultLifetime);
gssContext.RequestCredDeleg(true);
gssContext.RequestMutualAuth(true);
byte[] inToken = new byte[0];
byte[] outToken = gssContext.InitSecContext(inToken, 0, inToken.Length);
Base64 base64 = new Base64(0);
return(base64.EncodeToString(outToken));
}
finally
{
if (gssContext != null)
{
gssContext.Dispose();
}
}
}
public virtual void Setup()
{
// create keytab
FilePath keytabFile = new FilePath(KerberosTestUtils.GetKeytabFile());
string clientPrincipal = KerberosTestUtils.GetClientPrincipal();
string serverPrincipal = KerberosTestUtils.GetServerPrincipal();
clientPrincipal = Runtime.Substring(clientPrincipal, 0, clientPrincipal.LastIndexOf
("@"));
serverPrincipal = Runtime.Substring(serverPrincipal, 0, serverPrincipal.LastIndexOf
("@"));
GetKdc().CreatePrincipal(keytabFile, clientPrincipal, serverPrincipal);
// handler
handler = GetNewAuthenticationHandler();
Properties props = GetDefaultProperties();
try
{
handler.Init(props);
}
catch (Exception ex)
{
handler = null;
throw;
}
}
public virtual void TestDoAs()
{
KerberosTestUtils.DoAsClient(new _Callable_319());
// this should not work
string token = GetDelegationToken("client");
string renewer = "renewer";
string body = "{\"renewer\":\"" + renewer + "\"}";
Uri url = new Uri("http://*****:*****@EXAMPLE.COM", new _Callable_374());
}
/// <exception cref="System.Exception"/>
public virtual void TestNameRules()
{
KerberosName kn = new KerberosName(KerberosTestUtils.GetServerPrincipal());
Assert.Equal(KerberosTestUtils.GetRealm(), kn.GetRealm());
//destroy handler created in setUp()
handler.Destroy();
KerberosName.SetRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
handler = GetNewAuthenticationHandler();
Properties props = GetDefaultProperties();
props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT"
);
try
{
handler.Init(props);
}
catch (Exception)
{
}
kn = new KerberosName("bar@BAR");
Assert.Equal("bar", kn.GetShortName());
kn = new KerberosName("bar@FOO");
try
{
kn.GetShortName();
NUnit.Framework.Assert.Fail();
}
catch (Exception)
{
}
}
/// <exception cref="System.Exception"/>
public virtual void TestAuthenticationHttpClientPost()
{
AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat);
AuthenticatorTestCase.SetAuthenticationHandlerConfig(GetAuthenticationHandlerConfiguration
());
KerberosTestUtils.DoAsClient(new _Callable_157(auth));
}
public virtual void TestRules()
{
CheckTranslation("omalley@" + KerberosTestUtils.GetRealm(), "omalley");
CheckTranslation("hdfs/10.0.0.1@" + KerberosTestUtils.GetRealm(), "hdfs");
CheckTranslation("*****@*****.**", "oom");
CheckTranslation("johndoe/[email protected]", "guest");
CheckTranslation("joe/[email protected]", "joe");
CheckTranslation("joe/[email protected]", "root");
}
public virtual void SetUp()
{
Runtime.SetProperty("java.security.krb5.realm", KerberosTestUtils.GetRealm());
Runtime.SetProperty("java.security.krb5.kdc", "localhost:88");
string rules = "RULE:[1:$1@$0](.*@YAHOO\\.COM)s/@.*//\n" + "RULE:[2:$1](johndoe)s/^.*$/guest/\n"
+ "RULE:[2:$1;$2](^.*;admin$)s/;admin$//\n" + "RULE:[2:$2](root)\n" + "DEFAULT";
KerberosName.SetRules(rules);
KerberosName.PrintRules();
}
/// <exception cref="System.Exception"/>
public virtual void TestInit()
{
Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab
());
ICollection <KerberosPrincipal> principals = handler.GetPrincipals();
Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.GetServerPrincipal
());
Assert.True(principals.Contains(expectedPrincipal));
Assert.Equal(1, principals.Count);
}
protected internal virtual Properties GetDefaultProperties()
{
Properties props = new Properties();
props.SetProperty(KerberosAuthenticationHandler.Principal, KerberosTestUtils.GetServerPrincipal
());
props.SetProperty(KerberosAuthenticationHandler.Keytab, KerberosTestUtils.GetKeytabFile
());
props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@" +
KerberosTestUtils.GetRealm() + ")s/@.*//\n");
return(props);
}
private Properties GetAuthenticationHandlerConfiguration()
{
Properties props = new Properties();
props.SetProperty(AuthenticationFilter.AuthType, "kerberos");
props.SetProperty(KerberosAuthenticationHandler.Principal, KerberosTestUtils.GetServerPrincipal
());
props.SetProperty(KerberosAuthenticationHandler.Keytab, KerberosTestUtils.GetKeytabFile
());
props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@" +
KerberosTestUtils.GetRealm() + ")s/@.*//\n");
return(props);
}
public virtual void Setup()
{
// create keytab
FilePath keytabFile = new FilePath(KerberosTestUtils.GetKeytabFile());
string clientPrincipal = KerberosTestUtils.GetClientPrincipal();
string serverPrincipal = KerberosTestUtils.GetServerPrincipal();
clientPrincipal = Runtime.Substring(clientPrincipal, 0, clientPrincipal.LastIndexOf
("@"));
serverPrincipal = Runtime.Substring(serverPrincipal, 0, serverPrincipal.LastIndexOf
("@"));
GetKdc().CreatePrincipal(keytabFile, clientPrincipal, serverPrincipal);
}
public virtual void TestPutTimelineEntities()
{
KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_178(this));
}
public virtual void TestDelegationTokenOperations()
{
TimelineClient httpUserClient = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
_Callable_221(this));
UserGroupInformation httpUser = KerberosTestUtils.DoAs(HttpUser + "/localhost", new
_Callable_228());
// Let HTTP user to get the delegation for itself
Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> token =
httpUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.IsNotNull(token);
TimelineDelegationTokenIdentifier tDT = token.DecodeIdentifier();
NUnit.Framework.Assert.IsNotNull(tDT);
NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetOwner());
// Renew token
NUnit.Framework.Assert.IsFalse(token.GetService().ToString().IsEmpty());
// Renew the token from the token service address
long renewTime1 = httpUserClient.RenewDelegationToken(token);
Sharpen.Thread.Sleep(100);
token.SetService(new Text());
NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
// If the token service address is not avaiable, it still can be renewed
// from the configured address
long renewTime2 = httpUserClient.RenewDelegationToken(token);
NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
// Cancel token
NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty());
// If the token service address is not avaiable, it still can be canceled
// from the configured address
httpUserClient.CancelDelegationToken(token);
// Renew should not be successful because the token is canceled
try
{
httpUserClient.RenewDelegationToken(token);
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
));
}
// Let HTTP user to get the delegation token for FOO user
UserGroupInformation fooUgi = UserGroupInformation.CreateProxyUser(FooUser, httpUser
);
TimelineClient fooUserClient = fooUgi.DoAs(new _PrivilegedExceptionAction_272(this
));
token = fooUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.IsNotNull(token);
tDT = token.DecodeIdentifier();
NUnit.Framework.Assert.IsNotNull(tDT);
NUnit.Framework.Assert.AreEqual(new Text(FooUser), tDT.GetOwner());
NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetRealUser());
// Renew token as the renewer
Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> tokenToRenew
= token;
renewTime1 = httpUserClient.RenewDelegationToken(tokenToRenew);
renewTime2 = httpUserClient.RenewDelegationToken(tokenToRenew);
NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2);
// Cancel token
NUnit.Framework.Assert.IsFalse(tokenToRenew.GetService().ToString().IsEmpty());
// Cancel the token from the token service address
fooUserClient.CancelDelegationToken(tokenToRenew);
// Renew should not be successful because the token is canceled
try
{
httpUserClient.RenewDelegationToken(tokenToRenew);
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token"
));
}
// Let HTTP user to get the delegation token for BAR user
UserGroupInformation barUgi = UserGroupInformation.CreateProxyUser(BarUser, httpUser
);
TimelineClient barUserClient = barUgi.DoAs(new _PrivilegedExceptionAction_309(this
));
try
{
barUserClient.GetDelegationToken(httpUser.GetShortUserName());
NUnit.Framework.Assert.Fail();
}
catch (Exception e)
{
NUnit.Framework.Assert.IsTrue(e.InnerException is AuthorizationException || e.InnerException
is AuthenticationException);
}
}
public virtual void TestDelegationTokenHttpFSAccess()
{
CreateHttpFSServer();
KerberosTestUtils.DoAsClient(new _Callable_155());
}
public virtual void TestValidHttpFSAccess()
{
CreateHttpFSServer();
KerberosTestUtils.DoAsClient(new _Callable_120());
}
public virtual void TestPutDomains()
{
KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_200(this));
}
/// <exception cref="System.Exception"/>
private void CancelDelegationToken(string tokenString)
{
KerberosTestUtils.DoAsClient(new _Callable_432(tokenString));
}
/// <exception cref="System.Exception"/>
private string GetDelegationToken(string renewer)
{
return(KerberosTestUtils.DoAsClient(new _Callable_398(renewer)));
}
