/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.ambari.server.security.authentication;
import static org.easymock.EasyMock.expect;
import static org.easymock.EasyMock.expectLastCall;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.ambari.server.audit.AuditLogger;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.security.AmbariEntryPoint;
import org.apache.ambari.server.security.authorization.PermissionHelper;
import org.apache.ambari.server.security.authorization.User;
import org.apache.ambari.server.security.authorization.UserType;
import org.apache.ambari.server.security.authorization.Users;
import org.apache.ambari.server.security.authorization.jwt.JwtAuthenticationProperties;
import org.easymock.EasyMockSupport;
import org.junit.BeforeClass;
import org.junit.Test;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
public class AmbariJWTAuthenticationFilterTest extends EasyMockSupport {
private static RSAPublicKey publicKey;
private static RSAPrivateKey privateKey;
@BeforeClass
public static void generateKeyPair() throws NoSuchAlgorithmException {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(512);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
publicKey = (RSAPublicKey) keyPair.getPublic();
privateKey = (RSAPrivateKey) keyPair.getPrivate();
}
@Test
public void testDoFilterSuccess() throws Exception {
SignedJWT token = getSignedToken("foobar");
AmbariEntryPoint entryPoint = createMock(AmbariEntryPoint.class);
JwtAuthenticationProperties properties = createMock(JwtAuthenticationProperties.class);
expect(properties.getAuthenticationProviderUrl()).andReturn("some url").once();
expect(properties.getPublicKey()).andReturn(publicKey).once();
expect(properties.getAudiences()).andReturn(Collections.singletonList("foobar")).once();
expect(properties.getCookieName()).andReturn("chocolate chip").once();
expect(properties.getOriginalUrlQueryParam()).andReturn("question").once();
Configuration configuration = createMock(Configuration.class);
expect(configuration.getJwtProperties()).andReturn(properties).once();
User user = createMock(User.class);
expect(user.getUserName()).andReturn("test-user").once();
expect(user.getUserType()).andReturn(UserType.JWT).once();
Users users = createMock(Users.class);
expect(users.getUser("test-user", UserType.JWT)).andReturn(user).once();
expect(users.getUserAuthorities("test-user", UserType.JWT)).andReturn(null).once();
AuditLogger auditLogger = createMock(AuditLogger.class);
expect(auditLogger.isEnabled()).andReturn(false).times(2);
PermissionHelper permissionHelper = createMock(PermissionHelper.class);
Cookie cookie = createMock(Cookie.class);
expect(cookie.getName()).andReturn("chocolate chip").once();
expect(cookie.getValue()).andReturn(token.serialize()).once();
HttpServletRequest servletRequest = createMock(HttpServletRequest.class);
expect(servletRequest.getCookies()).andReturn(new Cookie[]{cookie}).once();
HttpServletResponse servletResponse = createMock(HttpServletResponse.class);
FilterChain filterChain = createMock(FilterChain.class);
filterChain.doFilter(servletRequest, servletResponse);
expectLastCall().once();
replayAll();
AmbariJWTAuthenticationFilter filter = new AmbariJWTAuthenticationFilter(entryPoint, configuration, users, auditLogger, permissionHelper);
filter.doFilter(servletRequest, servletResponse, filterChain);
verifyAll();
}
@Test
public void testDoFilterFailure() throws Exception {
AmbariEntryPoint entryPoint = createMock(AmbariEntryPoint.class);
JwtAuthenticationProperties properties = createMock(JwtAuthenticationProperties.class);
expect(properties.getAuthenticationProviderUrl()).andReturn("some url").once();
expect(properties.getPublicKey()).andReturn(publicKey).once();
expect(properties.getAudiences()).andReturn(Collections.singletonList("foobar")).once();
expect(properties.getCookieName()).andReturn("chocolate chip").once();
expect(properties.getOriginalUrlQueryParam()).andReturn("question").once();
Configuration configuration = createMock(Configuration.class);
expect(configuration.getJwtProperties()).andReturn(properties).once();
Users users = createMock(Users.class);
AuditLogger auditLogger = createMock(AuditLogger.class);
expect(auditLogger.isEnabled()).andReturn(false).times(2);
PermissionHelper permissionHelper = createMock(PermissionHelper.class);
Cookie cookie = createMock(Cookie.class);
expect(cookie.getName()).andReturn("chocolate chip").once();
expect(cookie.getValue()).andReturn("invalid token").once();
HttpServletRequest servletRequest = createMock(HttpServletRequest.class);
expect(servletRequest.getCookies()).andReturn(new Cookie[]{cookie}).once();
HttpServletResponse servletResponse = createMock(HttpServletResponse.class);
FilterChain filterChain = createMock(FilterChain.class);
filterChain.doFilter(servletRequest, servletResponse);
expectLastCall().once();
replayAll();
AmbariJWTAuthenticationFilter filter = new AmbariJWTAuthenticationFilter(entryPoint, configuration, users, auditLogger, permissionHelper);
filter.doFilter(servletRequest, servletResponse, filterChain);
verifyAll();
}
private SignedJWT getSignedToken(String audience) throws JOSEException {
Calendar calendar = Calendar.getInstance();
calendar.setTimeInMillis(System.currentTimeMillis());
calendar.add(Calendar.DATE, 1); //add one day
return getSignedToken(calendar.getTime(), audience);
}
private SignedJWT getSignedToken(Date expirationTime, String audience) throws JOSEException {
RSASSASigner signer = new RSASSASigner(privateKey);
Calendar calendar = Calendar.getInstance();
calendar.setTimeInMillis(System.currentTimeMillis());
JWTClaimsSet claimsSet = new JWTClaimsSet();
claimsSet.setSubject("test-user");
claimsSet.setIssuer("unit-test");
claimsSet.setIssueTime(calendar.getTime());
claimsSet.setExpirationTime(expirationTime);
claimsSet.setAudience(audience);
SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
signedJWT.sign(signer);
return signedJWT;
}
}