/*
* JBoss, Home of Professional Open Source.
* Copyright (c) 2017, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.test.integration.security.auditing;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ALLOW_RESOURCE_SERVICE_RESTART;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.COMPOSITE;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OPERATION_HEADERS;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OP_ADDR;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.STEPS;
import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUBSYSTEM;
import static org.jboss.as.security.Constants.CODE;
import static org.jboss.as.security.Constants.FLAG;
import static org.jboss.as.security.Constants.LOGIN_MODULE;
import static org.jboss.as.security.Constants.MODULE;
import static org.jboss.as.security.Constants.SECURITY_DOMAIN;
import static org.junit.Assert.assertEquals;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.UUID;
import java.util.regex.Pattern;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.arquillian.container.ManagementClient;
import org.jboss.as.controller.PathAddress;
import org.jboss.as.controller.operations.common.Util;
import org.jboss.as.security.Constants;
import org.jboss.as.test.categories.CommonCriteria;
import org.jboss.as.test.integration.security.common.AbstractSecurityDomainSetup;
import org.jboss.as.test.integration.security.loginmodules.common.CustomLoginModule1;
import org.jboss.as.test.integration.security.loginmodules.common.CustomLoginModule2;
import org.jboss.as.test.integration.web.security.SecuredServlet;
import org.jboss.as.test.module.util.TestModule;
import org.jboss.dmr.ModelNode;
import org.jboss.logging.Logger;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import io.undertow.util.FlexBase64;
/**
* Tests whether the loading of an audit provider module from a non-default JBoss module works properly.
*
* @author <a href="https://github.com/ppalaga">Peter Palaga</a>
*/
@RunWith(Arquillian.class)
@RunAsClient
@ServerSetup(CustomAuditProviderModuleTest.CustomAuditProviderModuleSecurityDomainSetup.class)
@Category(CommonCriteria.class)
public class CustomAuditProviderModuleTest {
/**
* Creates two JBoss modules that host {@link CustomLoginModule1} and {@link CustomLoginModule2} respectively and then
* creates a security domain that uses them in a chain.
*/
static class CustomAuditProviderModuleSecurityDomainSetup extends AbstractSecurityDomainSetup {
private static final Logger log = Logger.getLogger(CustomAuditProviderModuleSecurityDomainSetup.class);
private static final String SECURITY_DOMAIN_NAME = "custom-audit-module-" + RANDOM_EXECUTION_ID;
private final TestModule auditProviderJBossModule;
private final TestModule loginJBossModule;
public CustomAuditProviderModuleSecurityDomainSetup() {
final Class<?> providerModuleClass = CustomAuditProviderModule.class;
auditProviderJBossModule = new TestModule(providerModuleClass.getName()+ RANDOM_EXECUTION_ID, "org.picketbox", "javax.api",
"org.jboss.logging");
JavaArchive auditJar = auditProviderJBossModule.addResource(providerModuleClass.getSimpleName() + ".jar");
auditJar.addClass(providerModuleClass);
Class<?> loginModuleClass = CustomLoginModule1.class;
loginJBossModule = new TestModule(loginModuleClass.getName()+ RANDOM_EXECUTION_ID, "org.picketbox", "javax.api", "org.jboss.logging");
JavaArchive loginJar = loginJBossModule.addResource(loginModuleClass.getSimpleName() + ".jar");
loginJar.addClass(loginModuleClass);
}
@Override
protected String getSecurityDomainName() {
return SECURITY_DOMAIN_NAME;
}
@Override
public void setup(final ManagementClient managementClient, final String containerId) throws IOException {
auditProviderJBossModule.create(true);
loginJBossModule.create(true);
log.debug("start of the domain creation");
final ModelNode compositeOp = new ModelNode();
compositeOp.get(OP).set(COMPOSITE);
compositeOp.get(OP_ADDR).setEmptyList();
ModelNode steps = compositeOp.get(STEPS);
PathAddress address = PathAddress.pathAddress().append(SUBSYSTEM, "security").append(SECURITY_DOMAIN,
getSecurityDomainName());
steps.add(Util.createAddOperation(address));
PathAddress authAddress = address.append(Constants.AUTHENTICATION, Constants.CLASSIC);
steps.add(Util.createAddOperation(authAddress));
final Class<?> loginModuleClass = CustomLoginModule1.class;
ModelNode loginModule1 = Util
.createAddOperation(authAddress.append(LOGIN_MODULE, loginModuleClass.getSimpleName()));
loginModule1.get(CODE).set(loginModuleClass.getName());
loginModule1.get(MODULE).set(loginJBossModule.getName());
loginModule1.get(FLAG).set("required");
loginModule1.get(OPERATION_HEADERS).get(ALLOW_RESOURCE_SERVICE_RESTART).set(true);
steps.add(loginModule1);
PathAddress auditAddress = address.append(Constants.AUDIT, Constants.CLASSIC);
steps.add(Util.createAddOperation(auditAddress));
final Class<?> auditProviderClass = CustomAuditProviderModule.class;
ModelNode auditProvider = Util
.createAddOperation(auditAddress.append(Constants.PROVIDER_MODULE, auditProviderClass.getSimpleName()));
auditProvider.get(CODE).set(auditProviderClass.getName());
auditProvider.get(MODULE).set(auditProviderJBossModule.getName());
auditProvider.get(OPERATION_HEADERS).get(ALLOW_RESOURCE_SERVICE_RESTART).set(true);
steps.add(auditProvider);
ModelNode addAuditLogOp = Util.createAddOperation(PathAddress.pathAddress().append(SUBSYSTEM, "logging")
.append("periodic-rotating-file-handler", AUDIT_HANDLER_NAME));
addAuditLogOp.get("level").set("TRACE");
addAuditLogOp.get("append").set("true");
addAuditLogOp.get("suffix").set(".yyyy-MM-dd");
ModelNode file = new ModelNode();
file.get("relative-to").set("jboss.server.log.dir");
file.get("path").set(AUDIT_LOG_FILE_NAME);
addAuditLogOp.get("file").set(file);
addAuditLogOp.get("formatter").set("%-5p %c %s%E%n");
steps.add(addAuditLogOp);
ModelNode addAuditLoggerOp = Util.createAddOperation(PathAddress.pathAddress().append(SUBSYSTEM, "logging")
.append("logger", CustomAuditProviderModule.class.getName()));
addAuditLoggerOp.get("level").set("TRACE");
addAuditLoggerOp.get("handlers").add(AUDIT_HANDLER_NAME);
steps.add(addAuditLoggerOp);
applyUpdates(managementClient.getControllerClient(), Arrays.asList(compositeOp));
log.debug("end of the domain creation");
}
@Override
public void tearDown(final ManagementClient managementClient, final String containerId) {
super.tearDown(managementClient, containerId);
auditProviderJBossModule.remove();
loginJBossModule.remove();
}
}
private static final Charset UTF_8 = Charset.forName("utf-8");
private static String RANDOM_EXECUTION_ID = String.valueOf(UUID.randomUUID().toString().replace("-", ""));
private static final String AUDIT_HANDLER_NAME;
private static final String AUDIT_LOG_FILE_NAME;
private static Path AUDIT_LOG_PATH;
static {
/*
* Let's make both the audit handler name and the audit log file specific for this class and execution so that we do not
* interfere with other test classes or multiple subsequent executions of this class against the same container
*/
AUDIT_HANDLER_NAME = "audit-" + CustomAuditProviderModuleTest.class.getSimpleName() + "-" + RANDOM_EXECUTION_ID;
AUDIT_LOG_FILE_NAME = AUDIT_HANDLER_NAME + ".log";
AUDIT_LOG_PATH = new File(System.getProperty("jboss.home", null),
"standalone" + File.separator + "log" + File.separator + AUDIT_LOG_FILE_NAME).toPath();
}
private static void assertAuditLog(BufferedReader reader, String regex) throws Exception {
Pattern successPattern = Pattern.compile(regex);
// we'll be actively waiting for a given INTERVAL for the record to appear
final long deadline = 5000 + System.currentTimeMillis();
String line;
while (true) {
// some new lines were added -> go trough those and check whether our record is present
while (null != (line = reader.readLine())) {
if (successPattern.matcher(line).find()) {
return;
}
}
// record not written to log yet -> continue checking if the time has not yet expired
if (System.currentTimeMillis() > deadline) {
// time expired
throw new AssertionError(
"Login record has not been written into audit log! (time expired). Checked regex=" + regex);
}
}
}
@Deployment
public static WebArchive deployment() throws Exception {
WebArchive war = ShrinkWrap.create(WebArchive.class, CustomAuditProviderModuleTest.class.getSimpleName() + ".war");
war.addClass(SecuredServlet.class);
war.addAsWebInfResource(new StringAsset("<jboss-web>" + //
"<security-domain>" + CustomAuditProviderModuleSecurityDomainSetup.SECURITY_DOMAIN_NAME + "</security-domain>" //
+ "<disable-audit>false</disable-audit>" //
+ "</jboss-web>"), "jboss-web.xml");
war.addAsWebInfResource(new StringAsset("<web-app>" //
+ " <login-config>" //
+ " <auth-method>BASIC</auth-method>" //
+ " </login-config>" //
+ " </web-app>"), "web.xml");
return war;
}
@ArquillianResource
private URL url;
private void assertResponse(String user, String password, int expectedStatusCode) throws Exception {
try (CloseableHttpClient httpclient = HttpClients.createDefault()) {
HttpGet request = new HttpGet(url.toExternalForm() + "secured/");
if (password != null) {
request.addHeader(HttpHeaders.AUTHORIZATION,
"Basic " + FlexBase64.encodeString((user + ":" + password).getBytes("utf-8"), false));
}
HttpResponse response = httpclient.execute(request);
HttpEntity entity = response.getEntity();
StatusLine statusLine = response.getStatusLine();
assertEquals(expectedStatusCode, statusLine.getStatusCode());
if (statusLine.getStatusCode() == 200) {
String body = EntityUtils.toString(entity, "utf-8");
assertEquals("GOOD", body);
} else {
EntityUtils.consume(entity);
}
}
}
@Test
public void testBaduser1() throws Exception {
/*
* baduser1 can authenticate, because we use the correct password, but he does not have the "gooduser" role required by
* SecuredServlet and the server thus return 403 rather than 401
*/
assertResponse(CustomLoginModule1.BADUSER1_USERNAME, CustomLoginModule1.BADUSER1_PASSWORD, 403);
try (BufferedReader r = Files.newBufferedReader(AUDIT_LOG_PATH, UTF_8)) {
assertAuditLog(r, Pattern.quote("INFO " + CustomAuditProviderModule.class.getName() + " [Success]principal="
+ CustomLoginModule1.BADUSER1_USERNAME + ";"));
}
}
@Test
public void testGooduser1() throws Exception {
assertResponse(CustomLoginModule1.GOODUSER1_USERNAME, CustomLoginModule1.GOODUSER1_PASSWORD, 200);
try (BufferedReader r = Files.newBufferedReader(AUDIT_LOG_PATH, UTF_8)) {
assertAuditLog(r, Pattern.quote("INFO " + CustomAuditProviderModule.class.getName() + " [Success]principal="
+ CustomLoginModule1.GOODUSER1_USERNAME + ";"));
}
}
@Test
public void testGooduser1WithBadPassword() throws Exception {
assertResponse(CustomLoginModule1.GOODUSER1_USERNAME, "bogus", 401);
try (BufferedReader r = Files.newBufferedReader(AUDIT_LOG_PATH, UTF_8)) {
assertAuditLog(r, Pattern.quote("INFO " + CustomAuditProviderModule.class.getName() + " [Failure]"));
}
}
}