예제 #1
        /// <summary>
        /// Negative-test helper: builds a client-to-AM token identifier that keeps the AM's real
        /// application attempt id but carries a different client name, then hands it to
        /// <c>VerifyTamperedToken</c> together with the genuine token.
        /// </summary>
        /// <param name="conf">Configuration forwarded unchanged to <c>VerifyTamperedToken</c>.</param>
        /// <param name="am">Test application master; its <c>appAttemptId</c> is reused as-is.</param>
        /// <param name="token">Genuine token, forwarded unchanged to <c>VerifyTamperedToken</c>.</param>
        /// <exception cref="System.IO.IOException"/>
        private void VerifyTokenWithTamperedUserName(Configuration conf, TestClientToAMTokens.CustomAM
                                                     am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
        {
            // Caller identity used for the attempt.
            UserGroupInformation remoteCaller = UserGroupInformation.CreateRemoteUser("me");

            // Only the client name is altered here ("evilOrc"); the attempt id stays the AM's own.
            ClientToAMTokenIdentifier forgedIdentifier =
                new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");

            VerifyTamperedToken(conf, am, token, remoteCaller, forgedIdentifier);
        }
 /// <summary>
 /// Builds a test identifier whose proto copies the application attempt id and the client name
 /// from <paramref name="tokenIdentifier"/> and additionally carries <paramref name="message"/>.
 /// </summary>
 /// <param name="tokenIdentifier">Existing identifier whose proto supplies the copied fields.</param>
 /// <param name="message">Extra value stored in the proto's message field.</param>
 public ClientToAMTokenIdentifierForTest(ClientToAMTokenIdentifier tokenIdentifier
                                         , string message)
 {
     YarnSecurityTestClientAMTokenProtos.ClientToAMTokenIdentifierForTestProto.Builder protoBuilder =
         YarnSecurityTestClientAMTokenProtos.ClientToAMTokenIdentifierForTestProto.NewBuilder();

     // Copy the two fields of the source identifier, reading its proto once per field.
     var copiedAttemptId = tokenIdentifier.GetProto().GetAppAttemptId();
     protoBuilder.SetAppAttemptId(copiedAttemptId);
     var copiedClientName = tokenIdentifier.GetProto().GetClientName();
     protoBuilder.SetClientName(copiedClientName);

     // Field that the source identifier does not have.
     protoBuilder.SetMessage(message);

     proto = (YarnSecurityTestClientAMTokenProtos.ClientToAMTokenIdentifierForTestProto)protoBuilder.Build();
 }
예제 #3
        /// <summary>
        /// Negative-test helper: builds a client-to-AM token identifier that names a different
        /// application attempt while keeping the current user's short name, then hands it to
        /// <c>VerifyTamperedToken</c> together with the genuine token.
        /// </summary>
        /// <param name="conf">Configuration forwarded unchanged to <c>VerifyTamperedToken</c>.</param>
        /// <param name="am">Test application master; only the cluster timestamp of its attempt id is reused.</param>
        /// <param name="token">Genuine token, forwarded unchanged to <c>VerifyTamperedToken</c>.</param>
        /// <exception cref="System.IO.IOException"/>
        private void VerifyTokenWithTamperedID(Configuration conf, TestClientToAMTokens.CustomAM
                                               am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token)
        {
            // Caller identity used for the attempt.
            UserGroupInformation remoteCaller = UserGroupInformation.CreateRemoteUser("me");

            // Fabricated attempt id: real cluster timestamp, but built with the literals 42 and 43
            // instead of the AM's own application/attempt values.
            var realClusterTimestamp = am.appAttemptId.GetApplicationId().GetClusterTimestamp();
            var forgedApplicationId  = BuilderUtils.NewApplicationId(realClusterTimestamp, 42);
            var forgedAttemptId      = BuilderUtils.NewApplicationAttemptId(forgedApplicationId, 43);

            // The user name is left untouched so that only the attempt id differs.
            var currentShortName = UserGroupInformation.GetCurrentUser().GetShortUserName();

            ClientToAMTokenIdentifier forgedIdentifier =
                new ClientToAMTokenIdentifier(forgedAttemptId, currentShortName);

            VerifyTamperedToken(conf, am, token, remoteCaller, forgedIdentifier);
        }
        /// <summary>
        /// Round-trip test: serializes a <c>ClientToAMTokenIdentifier</c> with <c>GetBytes</c>, reads
        /// the bytes back into a fresh instance with <c>ReadFields</c>, and checks that the whole
        /// record, the application attempt id and the client name all survive unchanged.
        /// </summary>
        public virtual void TestClientToAMTokenIdentifier()
        {
            // Fixture values for the identifier under test.
            string clientName = "user";
            ApplicationAttemptId appAttemptId =
                ApplicationAttemptId.NewInstance(ApplicationId.NewInstance(1, 1), 1);

            ClientToAMTokenIdentifier original = new ClientToAMTokenIdentifier(appAttemptId, clientName);
            ClientToAMTokenIdentifier restored = new ClientToAMTokenIdentifier();

            // Serialize, then feed exactly the serialized bytes to the empty instance.
            byte[] serialized = original.GetBytes();
            DataInputBuffer input = new DataInputBuffer();
            input.Reset(serialized, serialized.Length);
            restored.ReadFields(input);

            // NOTE(review): the assertions below pass the message as the first argument; confirm
            // that the Assert class in use accepts (message, expected, actual) in that order.

            // Whole-record equality first, then the two individual fields.
            NUnit.Framework.Assert.AreEqual("Token is not the same after serialization " + "and deserialization."
                                            , original, restored);
            NUnit.Framework.Assert.AreEqual("ApplicationAttemptId from proto is not the same with original token"
                                            , restored.GetApplicationAttemptID(), appAttemptId);
            NUnit.Framework.Assert.AreEqual("clientName from proto is not the same with original token"
                                            , restored.GetClientName(), clientName);
        }
예제 #5
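 /// <summary>
 /// Checks that a token whose identifier was altered after issuance is refused.
 /// A new token is assembled from the bytes of <paramref name="maliciousID"/> and the password,
 /// kind and service of the genuine <paramref name="token"/>; it is added to
 /// <paramref name="ugi"/> and a privileged action is run as that user.
 /// </summary>
 /// <remarks>
 /// The call is expected to fail with a <c>RemoteException</c> that unwraps to a
 /// <c>SaslException</c> reporting a DIGEST-MD5 "Mismatched response", and the AM must not have
 /// been pinged. The method fails closed: if the privileged action returns without throwing,
 /// the final assertion fails instead of letting the test pass with nothing verified.
 /// </remarks>
 /// <param name="conf">Configuration passed to the privileged action.</param>
 /// <param name="am">Test application master; its <c>pinged</c> flag must stay false.</param>
 /// <param name="token">Genuine token that supplies password, kind and service.</param>
 /// <param name="ugi">User that receives the altered token and runs the action.</param>
 /// <param name="maliciousID">Altered identifier whose bytes replace the genuine identifier.</param>
 private void VerifyTamperedToken(Configuration conf, TestClientToAMTokens.CustomAM
                                  am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token, UserGroupInformation
                                  ugi, ClientToAMTokenIdentifier maliciousID)
 {
     // Altered identifier bytes combined with the password that came with the genuine token.
     Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> maliciousToken =
         new Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier>(maliciousID
                                                                                .GetBytes(), token.GetPassword(), token.GetKind(), token.GetService());
     ugi.AddToken(maliciousToken);

     // Set only once the expected rejection has been observed and fully checked.
     bool rejected = false;
     try
     {
         // NOTE(review): the action's body is not visible here; it may already fail the test
         // when the call succeeds, but this method no longer depends on that.
         ugi.DoAs(new _PrivilegedExceptionAction_338(am, conf));
     }
     catch (Exception e)
     {
         // The failure must arrive as a RemoteException...
         NUnit.Framework.Assert.AreEqual(typeof(RemoteException).FullName, e.GetType().FullName
                                         );
         // ...that wraps a SASL-level rejection.
         e = ((RemoteException)e).UnwrapRemoteException();
         NUnit.Framework.Assert.AreEqual(typeof(SaslException).GetCanonicalName(), e.GetType
                                             ().GetCanonicalName());
         NUnit.Framework.Assert.IsTrue(e.Message.Contains("DIGEST-MD5: digest response format violation. "
                                                          + "Mismatched response."));
         // The request must have been stopped before reaching the AM's handler.
         NUnit.Framework.Assert.IsFalse(am.pinged);
         rejected = true;
     }

     // Fail closed: a call that completes normally means the altered token was accepted.
     NUnit.Framework.Assert.IsTrue(rejected);
 }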