knox-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m...@apache.org
Subject knox git commit: KNOX-861 - Support for pluggable validator for Header pre authentication provider (Mohammad Kamrul Islam via Sandeep More)
Date Tue, 07 Feb 2017 17:58:21 GMT
Repository: knox
Updated Branches:
  refs/heads/master 1957648c3 -> 2bdc70394


KNOX-861 - Support for pluggable validator for Header pre authentication provider (Mohammad
Kamrul Islam via Sandeep More)


Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/2bdc7039
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/2bdc7039
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/2bdc7039

Branch: refs/heads/master
Commit: 2bdc703945a3c0645f39dbb35f7165308a8cff80
Parents: 1957648
Author: Sandeep More <more@apache.org>
Authored: Tue Feb 7 12:57:48 2017 -0500
Committer: Sandeep More <more@apache.org>
Committed: Tue Feb 7 12:57:48 2017 -0500

----------------------------------------------------------------------
 gateway-provider-security-preauth/pom.xml       |  11 ++
 .../filter/AbstractPreAuthFederationFilter.java |  39 ++----
 .../preauth/filter/DefaultValidator.java        |  56 ++++++++
 .../gateway/preauth/filter/IPValidator.java     |  36 +++--
 .../preauth/filter/PreAuthFederationFilter.java |  87 ++++--------
 .../gateway/preauth/filter/PreAuthService.java  |  80 +++++++++++
 .../preauth/filter/PreAuthValidator.java        |  17 ++-
 ...doop.gateway.preauth.filter.PreAuthValidator |  20 +++
 .../federation/DefaultValidatorTest.java        |  43 ++++++
 .../HeaderPreAuthFederationFilterTest.java      | 134 +++++++++++++++++++
 .../provider/federation/IPValidatorTest.java    |  61 +++++++++
 .../provider/federation/PreAuthServiceTest.java |  73 ++++++++++
 ...doop.gateway.preauth.filter.PreAuthValidator |  19 +++
 pom.xml                                         |   6 +
 14 files changed, 580 insertions(+), 102 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/pom.xml
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/pom.xml b/gateway-provider-security-preauth/pom.xml
index 2256001..2f8abbd 100644
--- a/gateway-provider-security-preauth/pom.xml
+++ b/gateway-provider-security-preauth/pom.xml
@@ -62,6 +62,17 @@
             <scope>test</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.knox</groupId>
+            <artifactId>gateway-server</artifactId>
+        </dependency>
+
     </dependencies>
 
 </project>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
index 63855d9..b40de0a 100644
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/AbstractPreAuthFederationFilter.java
@@ -33,6 +33,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 /**
@@ -40,10 +41,8 @@ import org.apache.hadoop.gateway.security.PrimaryPrincipal;
  */
 public abstract class AbstractPreAuthFederationFilter implements Filter {
 
-  private static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
-  private static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
-  private static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
   private PreAuthValidator validator = null;
+  private FilterConfig filterConfig;
 
   /**
    * 
@@ -54,18 +53,13 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
-    String validationMethod = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
-    if (validationMethod != null) {
-      if (IP_VALIDATION_METHOD_VALUE.equals(validationMethod)) {
-        validator = new IPValidator(filterConfig.getInitParameter(IP_ADDRESSES_PARAM));
-      }
-    }
-    else {
-      validator = new DefaultValidator();
-      // TODO: log the fact that there is no verification going on to validate
-      // who is asserting the identity with the a header. Without some validation
-      // we are assuming the network security is the primary protection method.
-    }
+    this.filterConfig = filterConfig;
+    validator = PreAuthService.getValidator(filterConfig);
+  }
+
+  @VisibleForTesting
+  public PreAuthValidator getValidator() {
+    return validator;
   }
 
   @Override
@@ -74,7 +68,7 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
     HttpServletRequest httpRequest = (HttpServletRequest)request;
     String principal = getPrimaryPrincipal(httpRequest);
     if (principal != null) {
-      if (isValid(httpRequest)) { 
+      if (isValid(httpRequest)) {
         Subject subject = new Subject();
         subject.getPrincipals().add(new PrimaryPrincipal(principal));
         addGroupPrincipals(httpRequest, subject.getPrincipals());
@@ -95,7 +89,7 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
    */
   private boolean isValid(HttpServletRequest httpRequest) {
     try {
-      return validator.validate(httpRequest);
+      return validator.validate(httpRequest, filterConfig);
     } catch (PreAuthValidationException e) {
       // TODO log exception
       return false;
@@ -142,15 +136,4 @@ public abstract class AbstractPreAuthFederationFilter implements Filter
{
    * @param principals
    */
   abstract protected void addGroupPrincipals(HttpServletRequest request, Set<Principal>
principals);
-  
-  class DefaultValidator implements PreAuthValidator {
-    /* (non-Javadoc)
-     * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String,
java.lang.String)
-     */
-    @Override
-    public boolean validate(HttpServletRequest request)
-        throws PreAuthValidationException {
-      return true;
-    }
-  }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
new file mode 100644
index 0000000..fe1cec5
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/DefaultValidator.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @since 0.12
+ * This class implements the default Validator where really no validation is performed.
+ * TODO: log the fact that there is no verification going on to validate
+ * +  who is asserting the identity with the a header. Without some validation
+ * +  we are assuming the network security is the primary protection method.
+ */
+public class DefaultValidator implements PreAuthValidator {
+  public static final String DEFAULT_VALIDATION_METHOD_VALUE = "preauth.default.validation";
+
+  public DefaultValidator() {
+  }
+
+  /**
+   * @param httpRequest
+   * @param filterConfig
+   * @return true if validated, otherwise false
+   * @throws PreAuthValidationException
+   */
+  @Override
+  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws
PreAuthValidationException {
+    return true;
+  }
+
+  /**
+   * Return unique validator name
+   *
+   * @return name of validator
+   */
+  @Override
+  public String getName() {
+    return DEFAULT_VALIDATION_METHOD_VALUE;
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
index d19ee58..9df23b5 100644
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/IPValidator.java
@@ -17,6 +17,7 @@
  */
 package org.apache.hadoop.gateway.preauth.filter;
 
+import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.hadoop.gateway.util.IpAddressValidator;
@@ -24,23 +25,34 @@ import org.apache.hadoop.gateway.util.IpAddressValidator;
 /**
  *
  */
-class IPValidator implements PreAuthValidator {
-  private IpAddressValidator ipv = null;
-  
+public class IPValidator implements PreAuthValidator {
+  public static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
+  public static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
+
+  public IPValidator() {
+  }
+
   /**
-   * @param initParameter
+   * @param httpRequest
+   * @param filterConfig
+   * @return true if validated, otherwise false
+   * @throws PreAuthValidationException
    */
-  public IPValidator(String ipParam) {
-    ipv = new IpAddressValidator(ipParam);
+  @Override
+  public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
+      throws PreAuthValidationException {
+    String ipParam = filterConfig.getInitParameter(IP_ADDRESSES_PARAM);
+    IpAddressValidator ipv = new IpAddressValidator(ipParam);
+    return ipv.validateIpAddress(httpRequest.getRemoteAddr());
   }
 
-  /* (non-Javadoc)
-   * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String,
java.lang.String)
+  /**
+   * Return unique validator name
+   *
+   * @return name of validator
    */
   @Override
-  public boolean validate(HttpServletRequest request)
-      throws PreAuthValidationException {
-    
-    return ipv.validateIpAddress(request.getRemoteAddr());
+  public String getName() {
+    return IP_VALIDATION_METHOD_VALUE;
   }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
index 4c0bb10..63eb411 100644
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthFederationFilter.java
@@ -37,48 +37,34 @@ import org.apache.hadoop.gateway.security.PrimaryPrincipal;
 
 public class PreAuthFederationFilter implements Filter {
   private static final String CUSTOM_HEADER_PARAM = "preauth.customHeader";
-  private static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
-  private static final String IP_VALIDATION_METHOD_VALUE = "preauth.ip.validation";
-  private static final String IP_ADDRESSES_PARAM = "preauth.ip.addresses";
   private PreAuthValidator validator = null;
-  private String  headerName = "SM_USER";
-  
+  private FilterConfig filterConfig;
+  private String headerName = "SM_USER";
+
   @Override
-  public void init( FilterConfig filterConfig ) throws ServletException {
+  public void init(FilterConfig filterConfig) throws ServletException {
     String customHeader = filterConfig.getInitParameter(CUSTOM_HEADER_PARAM);
     if (customHeader != null) {
       headerName = customHeader;
     }
-    String validationMethod = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
-    if (validationMethod != null) {
-      if (IP_VALIDATION_METHOD_VALUE.equals(validationMethod)) {
-        validator = new IPValidator(filterConfig.getInitParameter(IP_ADDRESSES_PARAM));
-      }
-    }
-    else {
-      validator = new DefaultValidator();
-      // TODO: log the fact that there is no verification going on to validate
-      // who is asserting the identity with the a header. Without some validation
-      // we are assuming the network security is the primary protection method.
-    }
+    this.filterConfig = filterConfig;
+    validator = PreAuthService.getValidator(filterConfig);
   }
-  
+
   @Override
   public void doFilter(ServletRequest request, ServletResponse response,
-      FilterChain chain) throws IOException, ServletException {
-    HttpServletRequest httpRequest = (HttpServletRequest)request;
+                       FilterChain chain) throws IOException, ServletException {
+    HttpServletRequest httpRequest = (HttpServletRequest) request;
     if (httpRequest.getHeader(headerName) != null) {
-      if (isValid(httpRequest)) { 
+      if (isValid(httpRequest)) {
         // TODO: continue as subject
         chain.doFilter(request, response);
-      }
-      else {
+      } else {
         // TODO: log preauthenticated SSO validation failure
-        ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing
Required Header for SSO Validation");
+        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing
Required Header for SSO Validation");
       }
-    } 
-    else {
-      ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing
Required Header for PreAuth SSO Federation");
+    } else {
+      ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing
Required Header for PreAuth SSO Federation");
     }
   }
 
@@ -87,7 +73,7 @@ public class PreAuthFederationFilter implements Filter {
    */
   private boolean isValid(HttpServletRequest httpRequest) {
     try {
-      return validator.validate(httpRequest);
+      return validator.validate(httpRequest, filterConfig);
     } catch (PreAuthValidationException e) {
       // TODO log exception
       return false;
@@ -100,26 +86,26 @@ public class PreAuthFederationFilter implements Filter {
   @Override
   public void destroy() {
     // TODO Auto-generated method stub
-    
+
   }
-  
+
   /**
    * Recreate the current Subject based upon the provided mappedPrincipal
    * and look for the groups that should be associated with the new Subject.
    * Upon finding groups mapped to the principal - add them to the new Subject.
    * @param mappedPrincipalName
-   * @throws ServletException 
-   * @throws IOException 
+   * @throws ServletException
+   * @throws IOException
    */
-  protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse
response, 
-      final FilterChain chain, String principal) throws IOException, ServletException {
+  protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse
response,
+                                          final FilterChain chain, String principal) throws
IOException, ServletException {
     Subject subject = null;
     Principal primaryPrincipal = null;
-    
+
     // do some check to ensure that the extracted identity matches any existing security
context
     // if not, there is may be someone tampering with the request - consult config to determine
     // how we are to handle it
-    
+
     // TODO: make sure that this makes sense with existing sessions or lack thereof
     Subject currentSubject = Subject.getSubject(AccessController.getContext());
     if (currentSubject != null) {
@@ -129,14 +115,14 @@ public class PreAuthFederationFilter implements Filter {
         }
       }
     }
-    
+
     subject = new Subject();
     subject.getPrincipals().add(primaryPrincipal);
     doAs(request, response, chain, subject);
   }
 
   private void doAs(final ServletRequest request,
-      final ServletResponse response, final FilterChain chain, Subject subject)
+                    final ServletResponse response, final FilterChain chain, Subject subject)
       throws IOException, ServletException {
     try {
       Subject.doAs(
@@ -147,17 +133,14 @@ public class PreAuthFederationFilter implements Filter {
               return null;
             }
           }
-          );
-    }
-    catch (PrivilegedActionException e) {
+      );
+    } catch (PrivilegedActionException e) {
       Throwable t = e.getCause();
       if (t instanceof IOException) {
         throw (IOException) t;
-      }
-      else if (t instanceof ServletException) {
+      } else if (t instanceof ServletException) {
         throw (ServletException) t;
-      }
-      else {
+      } else {
         throw new ServletException(t);
       }
     }
@@ -166,17 +149,5 @@ public class PreAuthFederationFilter implements Filter {
   private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException {
     chain.doFilter(request, response);
   }
-  
-  class DefaultValidator implements PreAuthValidator {
-    /* (non-Javadoc)
-     * @see org.apache.hadoop.gateway.preauth.filter.PreAuthValidator#validate(java.lang.String,
java.lang.String)
-     */
-    @Override
-    public boolean validate(HttpServletRequest request)
-        throws PreAuthValidationException {
-      return true;
-    }
-    
-  }
 
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
new file mode 100644
index 0000000..778ee9d
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthService.java
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.preauth.filter;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Strings;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import java.util.Set;
+import java.util.Collections;
+import java.util.ServiceLoader;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * This class manages few utility methods used across different classes of pre-auth module
+ * @since 0.12
+ */
+public class PreAuthService {
+
+  public static final String VALIDATION_METHOD_PARAM = "preauth.validation.method";
+  private static ConcurrentHashMap<String, PreAuthValidator> validatorMap;
+
+  static {
+    initializeValidators();
+  }
+
+
+  private static void initializeValidators() {
+    ServiceLoader<PreAuthValidator> servLoader = ServiceLoader.load(PreAuthValidator.class);
+    validatorMap = new ConcurrentHashMap<>();
+    for (Iterator<PreAuthValidator> iterator = servLoader.iterator(); iterator.hasNext();
) {
+      PreAuthValidator validator = iterator.next();
+      validatorMap.put(validator.getName(), validator);
+    }
+  }
+
+  @VisibleForTesting
+  public static Map<String, PreAuthValidator> getValidatorMap() {
+    return Collections.unmodifiableMap(validatorMap);
+  }
+
+  /**
+   * This method returns appropriate pre-auth Validator as defined in config
+   *
+   * @since 0.12
+   * @param filterConfig
+   * @return PreAuthValidator
+   * @throws ServletException
+   */
+  public static PreAuthValidator getValidator(FilterConfig filterConfig) throws ServletException
{
+    String validationMethod = filterConfig.getInitParameter(VALIDATION_METHOD_PARAM);
+    if (Strings.isNullOrEmpty(validationMethod)) {
+      validationMethod = DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE;
+    }
+    if (validatorMap.containsKey(validationMethod)) {
+      return validatorMap.get(validationMethod);
+    } else {
+      throw new ServletException(String.format("Unable to find validator with name '%s'",
validationMethod));
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
index 7013259..5819801 100644
--- a/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
+++ b/gateway-provider-security-preauth/src/main/java/org/apache/hadoop/gateway/preauth/filter/PreAuthValidator.java
@@ -17,17 +17,26 @@
  */
 package org.apache.hadoop.gateway.preauth.filter;
 
+import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 
 /**
  *
  */
 public interface PreAuthValidator {
-
   /**
    * @param httpRequest
-   * @return
-   * @throws PreAuthValidationException 
+   * @param filterConfig
+   * @return true if validated, otherwise false
+   * @throws PreAuthValidationException
+   */
+  public abstract boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig)
throws
+      PreAuthValidationException;
+
+  /**
+   * Return unique validator name
+   *
+   * @return name of validator
    */
-  boolean validate(HttpServletRequest httpRequest) throws PreAuthValidationException;
+  public abstract String getName();
 }

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
new file mode 100644
index 0000000..808dbe8
--- /dev/null
+++ b/gateway-provider-security-preauth/src/main/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
@@ -0,0 +1,20 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.preauth.filter.IPValidator
+org.apache.hadoop.gateway.preauth.filter.DefaultValidator
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/DefaultValidatorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/DefaultValidatorTest.java
b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/DefaultValidatorTest.java
new file mode 100644
index 0000000..4096b48
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/DefaultValidatorTest.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+import org.apache.hadoop.gateway.preauth.filter.DefaultValidator;
+import org.junit.Test;
+
+import static org.mockito.Mockito.mock;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+public class DefaultValidatorTest extends TestCase {
+  @Test
+  public void testDefault() throws Exception {
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    DefaultValidator dv = new DefaultValidator();
+    assertTrue(dv.validate(request, filterConfig));
+  }
+
+  @Test
+  public void testName() {
+    DefaultValidator dv = new DefaultValidator();
+    assertEquals(dv.getName(), DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/HeaderPreAuthFederationFilterTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/HeaderPreAuthFederationFilterTest.java
b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/HeaderPreAuthFederationFilterTest.java
new file mode 100644
index 0000000..28d7eeb
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/HeaderPreAuthFederationFilterTest.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+import org.apache.hadoop.gateway.preauth.filter.*;
+import org.junit.Test;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class HeaderPreAuthFederationFilterTest extends TestCase {
+
+  @Test
+  public void testDefaultValidator() throws ServletException, PreAuthValidationException
{
+    HeaderPreAuthFederationFilter hpaff = new HeaderPreAuthFederationFilter();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn
+        (DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+    hpaff.init(filterConfig);
+    PreAuthValidator validator = hpaff.getValidator();
+    assertEquals(validator.getName(), DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+    assertTrue(validator.validate(request, filterConfig));
+  }
+
+  @Test
+  public void testIPValidator() throws ServletException, PreAuthValidationException {
+    HeaderPreAuthFederationFilter hpaff = new HeaderPreAuthFederationFilter();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    when(request.getRemoteAddr()).thenReturn("10.1.23.42");
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(IPValidator.IP_ADDRESSES_PARAM)).thenReturn("5.4.3.2,10.1.23.42");
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn(IPValidator
+        .IP_VALIDATION_METHOD_VALUE);
+    hpaff.init(filterConfig);
+    PreAuthValidator validator = hpaff.getValidator();
+    assertEquals(validator.getName(), IPValidator.IP_VALIDATION_METHOD_VALUE);
+    assertTrue(validator.validate(request, filterConfig));
+    //Negative testing
+    when(request.getRemoteAddr()).thenReturn("10.10.22.33");
+    assertFalse(validator.validate(request, filterConfig));
+  }
+
+  @Test
+  public void testCustomValidatorPositive() throws ServletException, PreAuthValidationException
{
+    HeaderPreAuthFederationFilter hpaff = new HeaderPreAuthFederationFilter();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn
+        (DummyValidator.NAME);
+
+    hpaff.init(filterConfig);
+    PreAuthValidator validator = hpaff.getValidator();
+    assertEquals(validator.getName(), DummyValidator.NAME);
+    //Positive test
+    when(request.getHeader("CUSTOM_TOKEN")).thenReturn("HelloWorld");
+    assertTrue(validator.validate(request, filterConfig));
+
+  }
+
+  @Test
+  public void testCustomValidatorNegative() throws ServletException, PreAuthValidationException
{
+    HeaderPreAuthFederationFilter hpaff = new HeaderPreAuthFederationFilter();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn
+        (DummyValidator.NAME);
+
+    hpaff.init(filterConfig);
+    PreAuthValidator validator = hpaff.getValidator();
+    assertEquals(validator.getName(), DummyValidator.NAME);
+
+    when(request.getHeader("CUSTOM_TOKEN")).thenReturn("NOTHelloWorld");
+    assertFalse(validator.validate(request, filterConfig));
+
+  }
+
+
+  public static class DummyValidator implements PreAuthValidator {
+    public static String NAME = "DummyValidator";
+
+    public DummyValidator() {
+
+    }
+
+    /**
+     * @param httpRequest
+     * @param filterConfig
+     * @return true if validated, otherwise false
+     * @throws PreAuthValidationException
+     */
+    @Override
+    public boolean validate(HttpServletRequest httpRequest, FilterConfig filterConfig) throws
+        PreAuthValidationException {
+      String token = httpRequest.getHeader("CUSTOM_TOKEN");
+      if (token.equalsIgnoreCase("HelloWorld")) {
+        return true;
+      } else {
+        return false;
+      }
+    }
+
+    /**
+     * Return unique validator name
+     *
+     * @return name of validator
+     */
+    @Override
+    public String getName() {
+      return NAME;
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/IPValidatorTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/IPValidatorTest.java
b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/IPValidatorTest.java
new file mode 100644
index 0000000..23c0096
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/IPValidatorTest.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+import org.apache.hadoop.gateway.preauth.filter.IPValidator;
+import org.apache.hadoop.gateway.preauth.filter.PreAuthValidationException;
+import org.junit.Test;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class IPValidatorTest extends TestCase {
+
+  @Test
+  public void testName() {
+    IPValidator ipv = new IPValidator();
+    assertEquals(ipv.getName(), IPValidator.IP_VALIDATION_METHOD_VALUE);
+  }
+
+
+  @Test
+  public void testIPAddressPositive() throws PreAuthValidationException {
+    IPValidator ipv = new IPValidator();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    when(request.getRemoteAddr()).thenReturn("10.1.23.42");
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(IPValidator.IP_ADDRESSES_PARAM)).thenReturn("5.4.3.2,10.1.23.42");
+    assertTrue(ipv.validate(request, filterConfig));
+  }
+
+  @Test
+  public void testIPAddressNegative() throws PreAuthValidationException {
+    IPValidator ipv = new IPValidator();
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    when(request.getRemoteAddr()).thenReturn("10.1.23.42");
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(IPValidator.IP_ADDRESSES_PARAM)).thenReturn("10.22.34.56");
+    assertFalse(ipv.validate(request, filterConfig));
+  }
+
+
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthServiceTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthServiceTest.java
b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthServiceTest.java
new file mode 100644
index 0000000..8186189
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/java/org/apache/hadoop/gateway/provider/federation/PreAuthServiceTest.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.provider.federation;
+
+import junit.framework.TestCase;
+import org.apache.hadoop.gateway.preauth.filter.*;
+import org.junit.Test;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+
+import java.util.Map;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class PreAuthServiceTest extends TestCase {
+
+  @Test
+  public void testValidatorMap() {
+    Map<String, PreAuthValidator> valMap = PreAuthService.getValidatorMap();
+    assertNotNull(valMap.get(IPValidator.IP_VALIDATION_METHOD_VALUE));
+    assertEquals(valMap.get(IPValidator.IP_VALIDATION_METHOD_VALUE).getName(), IPValidator.IP_VALIDATION_METHOD_VALUE);
+    assertNotNull(valMap.get(DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE));
+    assertEquals(valMap.get(DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE).getName(),
DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+
+    //Negative test
+    assertNull(valMap.get("NonExists"));
+  }
+
+  @Test
+  public void testDefaultValidator() throws ServletException, PreAuthValidationException
{
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn
+        (DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+    PreAuthValidator validator = PreAuthService.getValidator(filterConfig);
+    assertEquals(validator.getName(), DefaultValidator.DEFAULT_VALIDATION_METHOD_VALUE);
+    assertTrue(validator.validate(request, filterConfig));
+  }
+
+  @Test
+  public void testIPValidator() throws ServletException, PreAuthValidationException {
+    final HttpServletRequest request = mock(HttpServletRequest.class);
+    when(request.getRemoteAddr()).thenReturn("10.1.23.42");
+    final FilterConfig filterConfig = mock(FilterConfig.class);
+    when(filterConfig.getInitParameter(IPValidator.IP_ADDRESSES_PARAM)).thenReturn("5.4.3.2,10.1.23.42");
+    when(filterConfig.getInitParameter(PreAuthService.VALIDATION_METHOD_PARAM)).thenReturn(IPValidator
+        .IP_VALIDATION_METHOD_VALUE);
+    PreAuthValidator validator = PreAuthService.getValidator(filterConfig);
+    assertEquals(validator.getName(), IPValidator.IP_VALIDATION_METHOD_VALUE);
+    assertTrue(validator.validate(request, filterConfig));
+    //Negative testing
+    when(request.getRemoteAddr()).thenReturn("10.10.22.33");
+    assertFalse(validator.validate(request, filterConfig));
+  }
+}

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/gateway-provider-security-preauth/src/test/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
----------------------------------------------------------------------
diff --git a/gateway-provider-security-preauth/src/test/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
b/gateway-provider-security-preauth/src/test/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
new file mode 100644
index 0000000..911bd0f
--- /dev/null
+++ b/gateway-provider-security-preauth/src/test/resources/META-INF/services/org.apache.hadoop.gateway.preauth.filter.PreAuthValidator
@@ -0,0 +1,19 @@
+##########################################################################
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+org.apache.hadoop.gateway.provider.federation.HeaderPreAuthFederationFilterTest$DummyValidator
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/knox/blob/2bdc7039/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1e1e830..a5393ea 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1264,6 +1264,12 @@
                 <version>3.3</version>
                 <scope>test</scope>
             </dependency>
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-core</artifactId>
+                <version>1.10.19</version>
+                <scope>test</scope>
+            </dependency>
 
             <dependency>
                 <groupId>org.xmlmatchers</groupId>


Mime
View raw message