// dynamic configuration of HTTP principals /// <exception cref="System.Exception"/> public virtual void TestDynamicPrincipalDiscoveryMissingPrincipals() { string[] keytabUsers = new string[] { "hdfs/localhost" }; string keytab = KerberosTestUtils.GetKeytabFile(); GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers); // destroy handler created in setUp() handler.Destroy(); Properties props = new Properties(); props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab); props.SetProperty(KerberosAuthenticationHandler.Principal, "*"); handler = GetNewAuthenticationHandler(); try { handler.Init(props); NUnit.Framework.Assert.Fail("init should have failed"); } catch (ServletException ex) { Assert.Equal("Principals do not exist in the keytab", ex.InnerException .Message); } catch (Exception t) { NUnit.Framework.Assert.Fail("wrong exception: " + t); } }
// dynamic configuration of HTTP principals /// <exception cref="System.Exception"/> public virtual void TestDynamicPrincipalDiscovery() { string[] keytabUsers = new string[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host" }; string keytab = KerberosTestUtils.GetKeytabFile(); GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers); // destroy handler created in setUp() handler.Destroy(); Properties props = new Properties(); props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab); props.SetProperty(KerberosAuthenticationHandler.Principal, "*"); handler = GetNewAuthenticationHandler(); handler.Init(props); Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab ()); ICollection <KerberosPrincipal> loginPrincipals = handler.GetPrincipals(); foreach (string user in keytabUsers) { Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.GetRealm ()); bool expected = user.StartsWith("HTTP/"); Assert.Equal("checking for " + user, expected, loginPrincipals .Contains(principal)); } }
/// <exception cref="System.Exception"/> public virtual void TestRequestWithAuthorization() { string token = KerberosTestUtils.DoAsClient(new _Callable_225()); HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>(); HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>(); Org.Mockito.Mockito.When(request.GetHeader(KerberosAuthenticator.Authorization)). ThenReturn(KerberosAuthenticator.Negotiate + " " + token); Org.Mockito.Mockito.When(request.GetServerName()).ThenReturn("localhost"); AuthenticationToken authToken = handler.Authenticate(request, response); if (authToken != null) { Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator .WwwAuthenticate), Org.Mockito.Mockito.Matches(KerberosAuthenticator.Negotiate + " .*")); Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk); Assert.Equal(KerberosTestUtils.GetClientPrincipal(), authToken .GetName()); Assert.True(KerberosTestUtils.GetClientPrincipal().StartsWith(authToken .GetUserName())); Assert.Equal(GetExpectedType(), authToken.GetType()); } else { Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator .WwwAuthenticate), Org.Mockito.Mockito.Matches(KerberosAuthenticator.Negotiate + " .*")); Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScUnauthorized ); } }
/// <exception cref="System.Exception"/> public string Call() { GSSManager gssManager = GSSManager.GetInstance(); GSSContext gssContext = null; try { string servicePrincipal = KerberosTestUtils.GetServerPrincipal(); Oid oid = KerberosUtil.GetOidInstance("NT_GSS_KRB5_PRINCIPAL"); GSSName serviceName = gssManager.CreateName(servicePrincipal, oid); oid = KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID"); gssContext = gssManager.CreateContext(serviceName, oid, null, GSSContext. DefaultLifetime); gssContext.RequestCredDeleg(true); gssContext.RequestMutualAuth(true); byte[] inToken = new byte[0]; byte[] outToken = gssContext.InitSecContext(inToken, 0, inToken.Length); Base64 base64 = new Base64(0); return(base64.EncodeToString(outToken)); } finally { if (gssContext != null) { gssContext.Dispose(); } } }
public virtual void Setup() { // create keytab FilePath keytabFile = new FilePath(KerberosTestUtils.GetKeytabFile()); string clientPrincipal = KerberosTestUtils.GetClientPrincipal(); string serverPrincipal = KerberosTestUtils.GetServerPrincipal(); clientPrincipal = Runtime.Substring(clientPrincipal, 0, clientPrincipal.LastIndexOf ("@")); serverPrincipal = Runtime.Substring(serverPrincipal, 0, serverPrincipal.LastIndexOf ("@")); GetKdc().CreatePrincipal(keytabFile, clientPrincipal, serverPrincipal); // handler handler = GetNewAuthenticationHandler(); Properties props = GetDefaultProperties(); try { handler.Init(props); } catch (Exception ex) { handler = null; throw; } }
public virtual void TestDoAs() { KerberosTestUtils.DoAsClient(new _Callable_319()); // this should not work string token = GetDelegationToken("client"); string renewer = "renewer"; string body = "{\"renewer\":\"" + renewer + "\"}"; Uri url = new Uri("http://*****:*****@EXAMPLE.COM", new _Callable_374()); }
/// <exception cref="System.Exception"/> public virtual void TestNameRules() { KerberosName kn = new KerberosName(KerberosTestUtils.GetServerPrincipal()); Assert.Equal(KerberosTestUtils.GetRealm(), kn.GetRealm()); //destroy handler created in setUp() handler.Destroy(); KerberosName.SetRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT"); handler = GetNewAuthenticationHandler(); Properties props = GetDefaultProperties(); props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT" ); try { handler.Init(props); } catch (Exception) { } kn = new KerberosName("bar@BAR"); Assert.Equal("bar", kn.GetShortName()); kn = new KerberosName("bar@FOO"); try { kn.GetShortName(); NUnit.Framework.Assert.Fail(); } catch (Exception) { } }
/// <exception cref="System.Exception"/> public virtual void TestAuthenticationHttpClientPost() { AuthenticatorTestCase auth = new AuthenticatorTestCase(useTomcat); AuthenticatorTestCase.SetAuthenticationHandlerConfig(GetAuthenticationHandlerConfiguration ()); KerberosTestUtils.DoAsClient(new _Callable_157(auth)); }
public virtual void TestRules() { CheckTranslation("omalley@" + KerberosTestUtils.GetRealm(), "omalley"); CheckTranslation("hdfs/10.0.0.1@" + KerberosTestUtils.GetRealm(), "hdfs"); CheckTranslation("*****@*****.**", "oom"); CheckTranslation("johndoe/[email protected]", "guest"); CheckTranslation("joe/[email protected]", "joe"); CheckTranslation("joe/[email protected]", "root"); }
public virtual void SetUp() { Runtime.SetProperty("java.security.krb5.realm", KerberosTestUtils.GetRealm()); Runtime.SetProperty("java.security.krb5.kdc", "localhost:88"); string rules = "RULE:[1:$1@$0](.*@YAHOO\\.COM)s/@.*//\n" + "RULE:[2:$1](johndoe)s/^.*$/guest/\n" + "RULE:[2:$1;$2](^.*;admin$)s/;admin$//\n" + "RULE:[2:$2](root)\n" + "DEFAULT"; KerberosName.SetRules(rules); KerberosName.PrintRules(); }
/// <exception cref="System.Exception"/> public virtual void TestInit() { Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab ()); ICollection <KerberosPrincipal> principals = handler.GetPrincipals(); Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.GetServerPrincipal ()); Assert.True(principals.Contains(expectedPrincipal)); Assert.Equal(1, principals.Count); }
protected internal virtual Properties GetDefaultProperties() { Properties props = new Properties(); props.SetProperty(KerberosAuthenticationHandler.Principal, KerberosTestUtils.GetServerPrincipal ()); props.SetProperty(KerberosAuthenticationHandler.Keytab, KerberosTestUtils.GetKeytabFile ()); props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@" + KerberosTestUtils.GetRealm() + ")s/@.*//\n"); return(props); }
private Properties GetAuthenticationHandlerConfiguration() { Properties props = new Properties(); props.SetProperty(AuthenticationFilter.AuthType, "kerberos"); props.SetProperty(KerberosAuthenticationHandler.Principal, KerberosTestUtils.GetServerPrincipal ()); props.SetProperty(KerberosAuthenticationHandler.Keytab, KerberosTestUtils.GetKeytabFile ()); props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@" + KerberosTestUtils.GetRealm() + ")s/@.*//\n"); return(props); }
public virtual void Setup() { // create keytab FilePath keytabFile = new FilePath(KerberosTestUtils.GetKeytabFile()); string clientPrincipal = KerberosTestUtils.GetClientPrincipal(); string serverPrincipal = KerberosTestUtils.GetServerPrincipal(); clientPrincipal = Runtime.Substring(clientPrincipal, 0, clientPrincipal.LastIndexOf ("@")); serverPrincipal = Runtime.Substring(serverPrincipal, 0, serverPrincipal.LastIndexOf ("@")); GetKdc().CreatePrincipal(keytabFile, clientPrincipal, serverPrincipal); }
public virtual void TestPutTimelineEntities() { KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_178(this)); }
public virtual void TestDelegationTokenOperations() { TimelineClient httpUserClient = KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_221(this)); UserGroupInformation httpUser = KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_228()); // Let HTTP user to get the delegation for itself Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> token = httpUserClient.GetDelegationToken(httpUser.GetShortUserName()); NUnit.Framework.Assert.IsNotNull(token); TimelineDelegationTokenIdentifier tDT = token.DecodeIdentifier(); NUnit.Framework.Assert.IsNotNull(tDT); NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetOwner()); // Renew token NUnit.Framework.Assert.IsFalse(token.GetService().ToString().IsEmpty()); // Renew the token from the token service address long renewTime1 = httpUserClient.RenewDelegationToken(token); Sharpen.Thread.Sleep(100); token.SetService(new Text()); NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty()); // If the token service address is not avaiable, it still can be renewed // from the configured address long renewTime2 = httpUserClient.RenewDelegationToken(token); NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2); // Cancel token NUnit.Framework.Assert.IsTrue(token.GetService().ToString().IsEmpty()); // If the token service address is not avaiable, it still can be canceled // from the configured address httpUserClient.CancelDelegationToken(token); // Renew should not be successful because the token is canceled try { httpUserClient.RenewDelegationToken(token); NUnit.Framework.Assert.Fail(); } catch (Exception e) { NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token" )); } // Let HTTP user to get the delegation token for FOO user UserGroupInformation fooUgi = UserGroupInformation.CreateProxyUser(FooUser, httpUser ); TimelineClient fooUserClient = fooUgi.DoAs(new _PrivilegedExceptionAction_272(this )); token = fooUserClient.GetDelegationToken(httpUser.GetShortUserName()); NUnit.Framework.Assert.IsNotNull(token); tDT = token.DecodeIdentifier(); NUnit.Framework.Assert.IsNotNull(tDT); NUnit.Framework.Assert.AreEqual(new Text(FooUser), tDT.GetOwner()); NUnit.Framework.Assert.AreEqual(new Text(HttpUser), tDT.GetRealUser()); // Renew token as the renewer Org.Apache.Hadoop.Security.Token.Token <TimelineDelegationTokenIdentifier> tokenToRenew = token; renewTime1 = httpUserClient.RenewDelegationToken(tokenToRenew); renewTime2 = httpUserClient.RenewDelegationToken(tokenToRenew); NUnit.Framework.Assert.IsTrue(renewTime1 < renewTime2); // Cancel token NUnit.Framework.Assert.IsFalse(tokenToRenew.GetService().ToString().IsEmpty()); // Cancel the token from the token service address fooUserClient.CancelDelegationToken(tokenToRenew); // Renew should not be successful because the token is canceled try { httpUserClient.RenewDelegationToken(tokenToRenew); NUnit.Framework.Assert.Fail(); } catch (Exception e) { NUnit.Framework.Assert.IsTrue(e.Message.Contains("Renewal request for unknown token" )); } // Let HTTP user to get the delegation token for BAR user UserGroupInformation barUgi = UserGroupInformation.CreateProxyUser(BarUser, httpUser ); TimelineClient barUserClient = barUgi.DoAs(new _PrivilegedExceptionAction_309(this )); try { barUserClient.GetDelegationToken(httpUser.GetShortUserName()); NUnit.Framework.Assert.Fail(); } catch (Exception e) { NUnit.Framework.Assert.IsTrue(e.InnerException is AuthorizationException || e.InnerException is AuthenticationException); } }
public virtual void TestDelegationTokenHttpFSAccess() { CreateHttpFSServer(); KerberosTestUtils.DoAsClient(new _Callable_155()); }
public virtual void TestValidHttpFSAccess() { CreateHttpFSServer(); KerberosTestUtils.DoAsClient(new _Callable_120()); }
public virtual void TestPutDomains() { KerberosTestUtils.DoAs(HttpUser + "/localhost", new _Callable_200(this)); }
/// <exception cref="System.Exception"/> private void CancelDelegationToken(string tokenString) { KerberosTestUtils.DoAsClient(new _Callable_432(tokenString)); }
/// <exception cref="System.Exception"/> private string GetDelegationToken(string renewer) { return(KerberosTestUtils.DoAsClient(new _Callable_398(renewer))); }