From dillido...@apache.org
Subject git commit: KNOX-232 : add automation test case for ldap dynamic group support
Date Thu, 26 Dec 2013 19:10:55 GMT
Updated Branches:
  refs/heads/master 602702228 -> 08625fca6


KNOX-232 : add automation test case for ldap dynamic group support


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/08625fca
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/08625fca
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/08625fca

Branch: refs/heads/master
Commit: 08625fca674c4739c4b694d843037c6ec5da65db
Parents: 6027022
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Thu Dec 26 11:09:14 2013 -0800
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Thu Dec 26 11:09:14 2013 -0800

----------------------------------------------------------------------
 .../GatewayLdapDynamicGroupFuncTest.java        | 275 +++++++++++++++++++
 .../GatewayLdapDynamicGroupFuncTest/users.ldif  | 209 ++++++++++++++
 2 files changed, 484 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/08625fca/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest.java
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest.java
b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest.java
new file mode 100755
index 0000000..54a7901
--- /dev/null
+++ b/gateway-test/src/test/java/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest.java
@@ -0,0 +1,275 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway;
+
+import com.mycila.xmltool.XMLDoc;
+import com.mycila.xmltool.XMLTag;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
+import org.apache.hadoop.gateway.config.GatewayConfig;
+import org.apache.hadoop.gateway.security.ldap.SimpleLdapDirectoryServer;
+import org.apache.hadoop.gateway.services.DefaultGatewayServices;
+import org.apache.hadoop.gateway.services.ServiceLifecycleException;
+import org.apache.http.HttpStatus;
+import org.apache.log4j.Appender;
+import org.hamcrest.MatcherAssert;
+import org.hamcrest.Matchers;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.ServerSocket;
+import java.net.URL;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import static com.jayway.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Functional test to verify : looking up ldap groups from directory 
+ * and using them in acl authorization checks
+ *
+ */
+public class GatewayLdapDynamicGroupFuncTest {
+
+  private static Class RESOURCE_BASE_CLASS = GatewayLdapDynamicGroupFuncTest.class;
+  private static Logger LOG = LoggerFactory.getLogger( GatewayLdapDynamicGroupFuncTest.class
);
+
+  public static Enumeration<Appender> appenders;
+  public static GatewayConfig config;
+  public static GatewayServer gateway;
+  public static String gatewayUrl;
+  public static String clusterUrl;
+  public static SimpleLdapDirectoryServer ldap;
+  public static TcpTransport ldapTransport;
+
+  @BeforeClass
+  public static void setupSuite() throws Exception {
+    //appenders = NoOpAppender.setUp();
+    int port = setupLdap();
+    setupGateway(port);
+  }
+
+  @AfterClass
+  public static void cleanupSuite() throws Exception {
+    gateway.stop();
+    ldap.stop( true );
+    //FileUtils.deleteQuietly( new File( config.getGatewayHomeDir() ) );
+    //NoOpAppender.tearDown( appenders );
+  }
+
+  public static int setupLdap() throws Exception {
+    URL usersUrl = getResourceUrl( "users.ldif" );
+    int port = findFreePort();
+    ldapTransport = new TcpTransport( port );
+    ldap = new SimpleLdapDirectoryServer( "dc=hadoop,dc=apache,dc=org", new File( usersUrl.toURI()
), ldapTransport );
+    ldap.start();
+    LOG.info( "LDAP port = " + ldapTransport.getPort() );
+    return port;
+  }
+
+  public static void setupGateway(int ldapPort) throws IOException {
+
+    System.setProperty("test-cluster.ldcSystemPassword", "guest-password");
+    
+    File targetDir = new File( System.getProperty( "user.dir" ), "target" );
+    File gatewayDir = new File( targetDir, "gateway-home-" + UUID.randomUUID() );
+    gatewayDir.mkdirs();
+
+    GatewayTestConfig testConfig = new GatewayTestConfig();
+    config = testConfig;
+    testConfig.setGatewayHomeDir( gatewayDir.getAbsolutePath() );
+    testConfig.setDeploymentDir( "clusters" );
+
+    File deployDir = new File( gatewayDir, testConfig.getDeploymentDir() );
+    deployDir.mkdirs();
+
+    File descriptor = new File( deployDir, "test-cluster.xml" );
+    FileOutputStream stream = new FileOutputStream( descriptor );
+    createTopology(ldapPort).toStream( stream );
+    stream.close();
+
+    DefaultGatewayServices srvcs = new DefaultGatewayServices();
+    Map<String,String> options = new HashMap<String,String>();
+    options.put( "persist-master", "false" );
+    options.put( "master", "password" );
+    try {
+      srvcs.init( testConfig, options );
+    } catch ( ServiceLifecycleException e ) {
+      e.printStackTrace(); // I18N not required.
+    }
+    gateway = GatewayServer.startGateway( testConfig, srvcs );
+    MatcherAssert.assertThat( "Failed to start gateway.", gateway, notNullValue() );
+
+    LOG.info( "Gateway port = " + gateway.getAddresses()[ 0 ].getPort() );
+
+    gatewayUrl = "http://localhost:" + gateway.getAddresses()[0].getPort() + "/" + config.getGatewayPath();
+    clusterUrl = gatewayUrl + "/test-cluster";
+  }
+
+  private static XMLTag createTopology(int ldapPort) {
+    XMLTag xml = XMLDoc.newDocument( true )
+        .addRoot( "topology" )
+        .addTag( "gateway" )
+        
+        .addTag( "provider" )
+        .addTag( "role" ).addText( "authentication" )
+        .addTag( "name" ).addText( "ShiroProvider" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm" )
+        .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm"
)
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapGroupContextFactory" )
+        .addTag( "value" ).addText( "org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory"
)
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory" )
+        .addTag( "value" ).addText( "$ldapGroupContextFactory" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.authenticationMechanism"
)
+        .addTag( "value" ).addText( "simple" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.url" )
+        .addTag( "value" ).addText( "ldap://localhost:"  + ldapPort)
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.userDnTemplate" )
+        .addTag( "value" ).addText( "uid={0},ou=people,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.authorizationEnabled" )
+        .addTag( "value" ).addText( "true" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemAuthenticationMechanism"
)
+        .addTag( "value" ).addText( "simple" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.searchBase" )
+        .addTag( "value" ).addText( "ou=groups,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.groupObjectClass" )
+        .addTag( "value" ).addText( "groupofurls" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.memberAttribute" )
+        .addTag( "value" ).addText( "memberurl" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.memberAttributeValueTemplate" )
+        .addTag( "value" ).addText( "uid={0},ou=people,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemUsername" )
+        .addTag( "value" ).addText( "uid=guest,ou=people,dc=hadoop,dc=apache,dc=org" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "main.ldapRealm.contextFactory.systemPassword" )
+        .addTag( "value" ).addText( "${ALIAS=ldcSystemPassword}" )
+        .gotoParent().addTag( "param" )
+        .addTag( "name" ).addText( "urls./**" )
+        .addTag( "value" ).addText( "authcBasic" )
+        
+        .gotoParent().gotoParent().addTag( "provider" )
+        .addTag( "role" ).addText( "authorization" )
+        .addTag( "name" ).addText( "AclsAuthz" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "param" )
+        .addTag( "name" ).addText( "test-service-role.acl" ) // FIXME[dilli]
+        .addTag( "value" ).addText( "*;directors;*" )
+        
+        .gotoParent().gotoParent().addTag( "provider" )
+        .addTag( "role" ).addText( "identity-assertion" )
+        .addTag( "enabled" ).addText( "true" )
+        .addTag( "name" ).addText( "Pseudo" ).gotoParent()
+        
+        .gotoRoot()
+        .addTag( "service" )
+        .addTag( "role" ).addText( "test-service-role" )
+        .gotoRoot();
+         // System.out.println( "GATEWAY=" + xml.toString() );
+    return xml;
+  }
+
+  private static int findFreePort() throws IOException {
+    ServerSocket socket = new ServerSocket(0);
+    int port = socket.getLocalPort();
+    socket.close();
+    return port;
+  }
+
+  public static InputStream getResourceStream( String resource ) throws IOException {
+    return getResourceUrl( resource ).openStream();
+  }
+
+  public static URL getResourceUrl( String resource ) {
+    URL url = ClassLoader.getSystemResource( getResourceName( resource ) );
+    assertThat( "Failed to find test resource " + resource, url, Matchers.notNullValue()
);
+    return url;
+  }
+
+  public static String getResourceName( String resource ) {
+    return getResourceBaseName() + resource;
+  }
+
+  public static String getResourceBaseName() {
+    return RESOURCE_BASE_CLASS.getName().replaceAll( "\\.", "/" ) + "/";
+  }
+
+  @Ignore
+  // @Test
+  public void waitForManualTesting() throws IOException {
+    System.in.read();
+  }
+
+  @Test
+  public void testGroupMember() throws ClassNotFoundException {
+
+    String username = "bob";
+    String password = "bob-password";
+    String serviceUrl =  clusterUrl + "/test-service-path/test-service-resource";
+    given()
+        //.log().all()
+        .auth().preemptive().basic( username, password )
+        .expect()
+        //.log().all()
+        .statusCode( HttpStatus.SC_OK )
+        .contentType( "text/plain" )
+        .body( is( "test-service-response" ) )
+        .when().get( serviceUrl );
+  }
+  
+  @Test
+  public void testNonGroupMember() throws ClassNotFoundException {
+
+    String username = "guest";
+    String password = "guest-password";
+    String serviceUrl =  clusterUrl + "/test-service-path/test-service-resource";
+    given()
+        //.log().all()
+        .auth().preemptive().basic( username, password )
+        .expect()
+        //.log().all()
+        .statusCode( HttpStatus.SC_UNAUTHORIZED )
+        .when().get( serviceUrl );
+  }
+
+}
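Review bot: In `setupGateway`, the `ServiceLifecycleException` from `srvcs.init( testConfig, options )` is caught and only printed, so if service initialization fails (for example, if the `ldcSystemPassword` alias the topology references via `${ALIAS=ldcSystemPassword}` cannot be resolved) the gateway is still started and the test fails later with a misleading LDAP bind error instead of at the cause; rethrow it, `throw new RuntimeException( "Failed to initialize gateway services", e );`. The `FileOutputStream` writing `test-cluster.xml` is closed only on the success path; closing it in a `finally` (or try-with-resources if the module targets Java 7) avoids leaking the descriptor when `createTopology` throws. `findFreePort` closes the probe socket before the port is handed to `TcpTransport`, so another process can take it in between — tolerable in a test but a known source of flakiness. Finally, `testNonGroupMember` pins `HttpStatus.SC_UNAUTHORIZED` for a user who authenticates successfully but is not in `directors`; if AclsAuthz is meant to distinguish an authorization denial from an authentication failure, 403 would be the expected code, so it is worth confirming which status the provider intends before this test cements 401.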

http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/08625fca/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest/users.ldif
----------------------------------------------------------------------
diff --git a/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest/users.ldif
b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest/users.ldif
new file mode 100755
index 0000000..1df40ce
--- /dev/null
+++ b/gateway-test/src/test/resources/org/apache/hadoop/gateway/GatewayLdapDynamicGroupFuncTest/users.ldif
@@ -0,0 +1,209 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# this ldif file is provided as a template to illustrate
+# use of ldapgroup(s)
+
+version: 1
+
+# add schema to support dynamicgroup
+# Generated by Apache Directory Studio on December 19, 2013 11:33:41 AM
+
+# SCHEMA "DYNAMICGROUP"
+dn: cn=dynamicgroup, ou=schema
+objectclass: metaSchema
+objectclass: top
+cn: dynamicgroup
+m-dependencies: system
+
+dn: ou=attributetypes, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: attributetypes
+
+dn: m-oid=2.16.840.1.113730.3.1.198, ou=attributetypes, cn=dynamicgroup, ou=schema
+objectclass: metaAttributeType
+objectclass: metaTop
+objectclass: top
+m-oid: 2.16.840.1.113730.3.1.198
+m-name: memberURL
+m-description: Identifies an URL associated with each member of a group. Any typ
+ e of labeled URL can be used
+m-supAttributeType: labeledURI
+m-equality: caseIgnoreMatch
+m-syntax: 1.3.6.1.4.1.1466.115.121.1.44
+
+dn: ou=comparators, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: comparators
+
+dn: ou=ditcontentrules, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: ditcontentrules
+
+dn: ou=ditstructurerules, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: ditstructurerules
+
+dn: ou=matchingrules, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: matchingrules
+
+dn: ou=matchingruleuse, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: matchingruleuse
+
+dn: ou=nameforms, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: nameforms
+
+dn: ou=normalizers, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: normalizers
+
+dn: ou=objectclasses, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: objectClasses
+
+dn: m-oid=2.16.840.1.113730.3.1.2.33, ou=objectclasses, cn=dynamicgroup, ou=schema
+objectclass: metaObjectClass
+objectclass: metaTop
+objectclass: top
+m-oid: 2.16.840.1.113730.3.1.2.33
+m-name: groupOfURLs
+m-supObjectClass: top
+m-must: cn
+m-may: memberURL
+
+dn: ou=syntaxcheckers, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: syntaxcheckers
+
+dn: ou=syntaxes, cn=dynamicgroup, ou=schema
+objectclass: organizationalUnit
+objectclass: top
+ou: syntaxes
+
+# end fo schema added to support dynamic group
+
+# Please replace with site specific values
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# entry for a sample people container
+# please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# entry for a sample end user
+# please replace with site specific values
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Guest
+sn: User
+uid: guest
+userPassword:guest-password
+
+# entry for sample user sam
+dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: sam
+sn: sam
+uid: sam
+userPassword:sam-password
+
+# entry for sample user tom
+dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: tom
+sn: tom
+uid: tom
+userPassword:tom-password
+
+# entry for sample user bob with title: director 
+# would be a member of a dynamic group based on title: director
+dn: uid=bob,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: bob
+sn: bob
+uid: bob
+userPassword:bob-password
+title: director
+
+# create FIRST Level groups branch
+dn: ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: groups
+description: generic groups branch
+
+# create dynamic group directors under groups
+dn: cn=directors,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: directors
+description: directors group
+
+# create the analyst group under groups
+dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: analyst
+description:analyst  group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+
+
+# create the scientist group under groups
+dn: cn=scientist1,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: scientist1
+description: scientist group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+
+# create the directors group under groups
+dn: cn=directors,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupOfurls
+cn: directors
+memberurl: ldap:///dc=hadoop,dc=apache,dc=org??sub?(title=director)
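Review bot: The DN `cn=directors,ou=groups,dc=hadoop,dc=apache,dc=org` is added twice in this file — first as a `groupofnames` with no members (under the "create dynamic group directors" comment) and again at the end as `groupOfurls` with the `memberurl`; a plain LDIF add of an existing DN is normally rejected, so which definition the embedded server ends up holding depends on how `SimpleLdapDirectoryServer` handles that error, and the test presumably only passes because the second one wins. Drop the first entry so the fixture is unambiguous. Because the header advertises this file as a template for site use, two caveats belong in its comments: the `userPassword` values are cleartext and a real directory should store hashed values, and the filter `ldap:///dc=hadoop,dc=apache,dc=org??sub?(title=director)` searches the whole base with subtree scope, so any entry — not only those under `ou=people` — carrying `title: director` becomes a director. If users can modify their own `title`, they can grant themselves this group, so the attribute driving a dynamic group should be one only administrators can write.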

