/// <exception cref="System.Exception"/>
        /// <summary>
        /// Builds a KeyAuthorizationKeyProvider over an in-memory user provider whose ACL
        /// fixture declares every operation type on "testKey" and grants each user exactly
        /// one of them (u1: Management, u2: GenerateEek, u3: DecryptEek, sudo: All), then runs
        /// the scenario as sudo. The scenario and its assertions live in
        /// _PrivilegedExceptionAction_247, which is defined elsewhere in this file.
        /// </summary>
        public virtual void TestDecryptWithKeyVersionNameKeyMismatch()
        {
            var conf = new Configuration();
            KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf);

            KeyAuthorizationKeyProvider.KeyACLs acls =
                Org.Mockito.Mockito.Mock<KeyAuthorizationKeyProvider.KeyACLs>();

            // Stubbing helpers: "testKey" is the only key the fixture knows about.
            void DeclareAcl(KeyAuthorizationKeyProvider.KeyOpType op)
            {
                Org.Mockito.Mockito.When(acls.IsACLPresent("testKey", op)).ThenReturn(true);
            }

            void Grant(UserGroupInformation user, KeyAuthorizationKeyProvider.KeyOpType op)
            {
                Org.Mockito.Mockito.When(acls.HasAccessToKey("testKey", user, op)).ThenReturn(true);
            }

            DeclareAcl(KeyAuthorizationKeyProvider.KeyOpType.Management);
            DeclareAcl(KeyAuthorizationKeyProvider.KeyOpType.GenerateEek);
            DeclareAcl(KeyAuthorizationKeyProvider.KeyOpType.DecryptEek);
            DeclareAcl(KeyAuthorizationKeyProvider.KeyOpType.All);

            var u1 = UserGroupInformation.CreateRemoteUser("u1");
            var u2 = UserGroupInformation.CreateRemoteUser("u2");
            var u3 = UserGroupInformation.CreateRemoteUser("u3");
            var sudo = UserGroupInformation.CreateRemoteUser("sudo");

            // Least privilege per user: one operation each, All only for sudo.
            Grant(u1, KeyAuthorizationKeyProvider.KeyOpType.Management);
            Grant(u2, KeyAuthorizationKeyProvider.KeyOpType.GenerateEek);
            Grant(u3, KeyAuthorizationKeyProvider.KeyOpType.DecryptEek);
            Grant(sudo, KeyAuthorizationKeyProvider.KeyOpType.All);

            KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
                KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension(kp), acls);

            // The action runs as sudo, the only user holding All.
            sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt));
        }
        // This method first checks if "key.acl.name" attribute is present as an
        // attribute in the provider Options. If yes, use the aclName for any
        // subsequent access checks, else use the keyName as the aclName and set it
        // as the value of the "key.acl.name" in the key's metadata.
        /// <exception cref="System.IO.IOException"/>
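        /// <summary>
        /// Authorizes <paramref name="ugi"/> to create <paramref name="keyName"/>. The ACL
        /// consulted is the value of the "key.acl.name" attribute (KeyAclName) when the caller
        /// supplied one; otherwise the key name itself is used and is recorded under KeyAclName
        /// in <paramref name="options"/>. In both cases the ACL must be present and the user
        /// must hold Management or All on it.
        /// </summary>
        /// <param name="keyName">Name of the key being created.</param>
        /// <param name="options">Provider options; their attributes may be extended with KeyAclName.</param>
        /// <param name="ugi">The requesting user; must not be null.</param>
        /// <exception cref="AuthorizationException">The user is not authorized to create the key.</exception>
        private void AuthorizeCreateKey(string keyName, KeyProvider.Options options, UserGroupInformation
                                        ugi)
        {
            Preconditions.CheckNotNull(ugi, "UserGroupInformation cannot be null");
            IDictionary<string, string> attributes = options.GetAttributes();

            // The attribute is optional. Read it with TryGetValue rather than the indexer:
            // the IDictionary<,> indexer throws KeyNotFoundException for a missing key, which
            // would turn the common "no explicit ACL name" case into an unrelated exception
            // instead of falling through to the key-name ACL below.
            attributes.TryGetValue(KeyAclName, out string aclName);

            // Management on the named ACL, or All, is sufficient.
            bool HasManagementOrAll(string aclToCheck) =>
                acls.HasAccessToKey(aclToCheck, ugi, KeyAuthorizationKeyProvider.KeyOpType.Management)
                || acls.HasAccessToKey(aclToCheck, ugi, KeyAuthorizationKeyProvider.KeyOpType.All);

            bool success = false;
            if (string.IsNullOrEmpty(aclName))
            {
                if (acls.IsACLPresent(keyName, KeyAuthorizationKeyProvider.KeyOpType.Management))
                {
                    // Record the key name as the ACL name in the key's metadata before the
                    // access check, matching the original ordering.
                    options.SetAttributes(ImmutableMap.Builder<string, string>()
                                              .PutAll(attributes)
                                              .Put(KeyAclName, keyName)
                                              .Build());
                    success = HasManagementOrAll(keyName);
                }
            }
            else
            {
                success = acls.IsACLPresent(aclName, KeyAuthorizationKeyProvider.KeyOpType.Management)
                          && HasManagementOrAll(aclName);
            }

            if (!success)
            {
                // "{0}" replaces the Java-style "%s" placeholder, which string.Format leaves
                // untouched and so dropped the user name from the message.
                throw new AuthorizationException(
                    $"User [{ugi.GetShortUserName()}] is not authorized to create key !!");
            }
        }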
        /// <summary>
        /// Builds a KeyAuthorizationKeyProvider whose ACL fixture knows a single key, "foo",
        /// with a Management ACL that only u1 is on, then runs two Sharpen-generated actions
        /// defined elsewhere in this file: one as u1 (covering "foo" and an unconfigured "bar"
        /// key) and one as an unauthorized user ("badGuy"). The assertions live in those actions.
        /// </summary>
        public virtual void TestCreateKey()
        {
            var conf = new Configuration();
            KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf);

            var acls = Org.Mockito.Mockito.Mock<KeyAuthorizationKeyProvider.KeyACLs>();
            var u1 = UserGroupInformation.CreateRemoteUser("u1");

            // Only "foo" has a Management ACL, and only u1 holds it.
            Org.Mockito.Mockito.When(acls.IsACLPresent("foo", KeyAuthorizationKeyProvider.KeyOpType.Management))
                               .ThenReturn(true);
            Org.Mockito.Mockito.When(acls.HasAccessToKey("foo", u1, KeyAuthorizationKeyProvider.KeyOpType.Management))
                               .ThenReturn(true);

            KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
                KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension(kp), acls);

            u1.DoAs(new _PrivilegedExceptionAction_62(kpExt, conf));
            // "bar" key not configured
            // Ignore
            // Unauthorized User
            var badGuy = UserGroupInformation.CreateRemoteUser("badGuy");
            badGuy.DoAs(new _PrivilegedExceptionAction_87(kpExt, conf));
        }