/// <exception cref="System.Exception"/>
private void TestGetToken(string renewer, Text expectedTokenKind)
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Getdelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(new PrintWriter(new StringWriter
()));
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.RenewerParam
+ "=" + renewer);
Org.Mockito.Mockito.Reset(response);
Org.Mockito.Mockito.Reset(token);
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
StringWriter writer = new StringWriter();
PrintWriter pwriter = new PrintWriter(writer);
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
if (renewer == null)
{
Org.Mockito.Mockito.Verify(token).GetUserName();
}
else
{
Org.Mockito.Mockito.Verify(token).GetUserName();
}
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
Org.Mockito.Mockito.Verify(response).SetContentType(MediaType.ApplicationJson);
pwriter.Close();
string responseOutput = writer.ToString();
string tokenLabel = DelegationTokenAuthenticator.DelegationTokenJson;
Assert.True(responseOutput.Contains(tokenLabel));
Assert.True(responseOutput.Contains(DelegationTokenAuthenticator
.DelegationTokenUrlStringJson));
ObjectMapper jsonMapper = new ObjectMapper();
IDictionary json = jsonMapper.ReadValue <IDictionary>(responseOutput);
json = (IDictionary)json[tokenLabel];
string tokenStr;
tokenStr = (string)json[DelegationTokenAuthenticator.DelegationTokenUrlStringJson
];
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>();
dt.DecodeFromUrlString(tokenStr);
handler.GetTokenManager().VerifyToken(dt);
Assert.Equal(expectedTokenKind, dt.GetKind());
}
/// <exception cref="System.Exception"/>
private void TestRenewToken()
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Renewdelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScUnauthorized));
Org.Mockito.Mockito.Verify(response).SetHeader(Org.Mockito.Mockito.Eq(KerberosAuthenticator
.WwwAuthenticate), Org.Mockito.Mockito.Eq("mock"));
Org.Mockito.Mockito.Reset(response);
AuthenticationToken token = Org.Mockito.Mockito.Mock <AuthenticationToken>();
Org.Mockito.Mockito.When(token.GetUserName()).ThenReturn("user");
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]"));
Org.Mockito.Mockito.Reset(response);
StringWriter writer = new StringWriter();
PrintWriter pwriter = new PrintWriter(writer);
Org.Mockito.Mockito.When(response.GetWriter()).ThenReturn(pwriter);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> dToken = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
.GetCurrentUser(), "user");
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam +
"=" + dToken.EncodeToUrlString());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(token, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
pwriter.Close();
Assert.True(writer.ToString().Contains("long"));
handler.GetTokenManager().VerifyToken(dToken);
}
/// <exception cref="System.Exception"/>
private void TestCancelToken()
{
DelegationTokenAuthenticator.DelegationTokenOperation op = DelegationTokenAuthenticator.DelegationTokenOperation
.Canceldelegationtoken;
HttpServletRequest request = Org.Mockito.Mockito.Mock <HttpServletRequest>();
HttpServletResponse response = Org.Mockito.Mockito.Mock <HttpServletResponse>();
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString());
Org.Mockito.Mockito.When(request.GetMethod()).ThenReturn(op.GetHttpMethod());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SendError(Org.Mockito.Mockito.Eq(HttpServletResponse
.ScBadRequest), Org.Mockito.Mockito.Contains("requires the parameter [token]"));
Org.Mockito.Mockito.Reset(response);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = (Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>)handler.GetTokenManager().CreateToken(UserGroupInformation
.GetCurrentUser(), "foo");
Org.Mockito.Mockito.When(request.GetQueryString()).ThenReturn(DelegationTokenAuthenticator
.OpParam + "=" + op.ToString() + "&" + DelegationTokenAuthenticator.TokenParam +
"=" + token.EncodeToUrlString());
NUnit.Framework.Assert.IsFalse(handler.ManagementOperation(null, request, response
));
Org.Mockito.Mockito.Verify(response).SetStatus(HttpServletResponse.ScOk);
try
{
handler.GetTokenManager().VerifyToken(token);
NUnit.Framework.Assert.Fail();
}
catch (SecretManager.InvalidToken)
{
}
catch
{
//NOP
NUnit.Framework.Assert.Fail();
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
private IDictionary DoDelegationTokenOperation <_T0>(Uri url, AuthenticatedURL.Token
token, DelegationTokenAuthenticator.DelegationTokenOperation operation, string
renewer, Org.Apache.Hadoop.Security.Token.Token <_T0> dToken, bool hasResponse, string
doAsUser)
where _T0 : TokenIdentifier
{
IDictionary ret = null;
IDictionary <string, string> @params = new Dictionary <string, string>();
@params[OpParam] = operation.ToString();
if (renewer != null)
{
@params[RenewerParam] = renewer;
}
if (dToken != null)
{
@params[TokenParam] = dToken.EncodeToUrlString();
}
// proxyuser
if (doAsUser != null)
{
@params[DelegationTokenAuthenticatedURL.DoAs] = URLEncoder.Encode(doAsUser, "UTF-8"
);
}
string urlStr = url.ToExternalForm();
StringBuilder sb = new StringBuilder(urlStr);
string separator = (urlStr.Contains("?")) ? "&" : "?";
foreach (KeyValuePair <string, string> entry in @params)
{
sb.Append(separator).Append(entry.Key).Append("=").Append(URLEncoder.Encode(entry
.Value, "UTF8"));
separator = "&";
}
url = new Uri(sb.ToString());
AuthenticatedURL aUrl = new AuthenticatedURL(this, connConfigurator);
HttpURLConnection conn = aUrl.OpenConnection(url, token);
conn.SetRequestMethod(operation.GetHttpMethod());
HttpExceptionUtils.ValidateResponse(conn, HttpURLConnection.HttpOk);
if (hasResponse)
{
string contentType = conn.GetHeaderField(ContentType);
contentType = (contentType != null) ? StringUtils.ToLowerCase(contentType) : null;
if (contentType != null && contentType.Contains(ApplicationJsonMime))
{
try
{
ObjectMapper mapper = new ObjectMapper();
ret = mapper.ReadValue <IDictionary>(conn.GetInputStream());
}
catch (Exception ex)
{
throw new AuthenticationException(string.Format("'%s' did not handle the '%s' delegation token operation: %s"
, url.GetAuthority(), operation, ex.Message), ex);
}
}
else
{
throw new AuthenticationException(string.Format("'%s' did not " + "respond with JSON to the '%s' delegation token operation"
, url.GetAuthority(), operation));
}
}
return(ret);
}
