Repository: ambari Updated Branches: refs/heads/trunk edefa4858 -> 8997ce0d5
http://git-wip-us.apache.org/repos/asf/ambari/blob/8997ce0d/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java new file mode 100644 index 0000000..ae47694 --- /dev/null +++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/jwt/JwtAuthenticationFilterTest.java @@ -0,0 +1,244 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ambari.server.security.authorization.jwt; + +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.JWSHeader; +import com.nimbusds.jose.crypto.RSASSASigner; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.SignedJWT; +import org.apache.ambari.server.security.authorization.AmbariGrantedAuthority; +import org.apache.ambari.server.security.authorization.User; +import org.apache.ambari.server.security.authorization.UserType; +import org.apache.ambari.server.security.authorization.Users; +import org.easymock.EasyMock; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.web.AuthenticationEntryPoint; + +import javax.servlet.FilterChain; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; +import java.util.Arrays; +import java.util.Calendar; +import java.util.Collections; +import java.util.Date; + +import static org.easymock.EasyMock.anyObject; +import static org.easymock.EasyMock.createMockBuilder; +import static org.easymock.EasyMock.createNiceMock; +import static org.easymock.EasyMock.eq; +import static org.easymock.EasyMock.expect; +import static org.easymock.EasyMock.expectLastCall; +import static org.easymock.EasyMock.replay; +import static org.easymock.EasyMock.verify; +import static org.junit.Assert.*; + +public class JwtAuthenticationFilterTest { + private static RSAPublicKey publicKey; + private static RSAPrivateKey privateKey; + private static RSAPrivateKey invalidPrivateKey; + + + @BeforeClass + public static void generateKeyPair() throws NoSuchAlgorithmException { + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); + keyPairGenerator.initialize(512); + KeyPair keyPair = keyPairGenerator.generateKeyPair(); + publicKey = (RSAPublicKey) keyPair.getPublic(); + privateKey = (RSAPrivateKey) keyPair.getPrivate(); + + keyPair = keyPairGenerator.generateKeyPair(); + invalidPrivateKey = (RSAPrivateKey) keyPair.getPrivate(); + } + + private JwtAuthenticationProperties createTestProperties() { + JwtAuthenticationProperties properties = new JwtAuthenticationProperties(); + properties.setCookieName("non-default"); + properties.setPublicKey(publicKey); + properties.setAudiences(Collections.singletonList("test-audience")); + + return properties; + } + + private SignedJWT getSignedToken() throws JOSEException { + RSASSASigner signer = new RSASSASigner(privateKey); + + Calendar calendar = Calendar.getInstance(); + calendar.setTimeInMillis(System.currentTimeMillis()); + + JWTClaimsSet claimsSet = new JWTClaimsSet(); + claimsSet.setSubject("test-user"); + claimsSet.setIssuer("unit-test"); + claimsSet.setIssueTime(calendar.getTime()); + + calendar.add(Calendar.DATE, 1); //add one day + claimsSet.setExpirationTime(calendar.getTime()); + + claimsSet.setAudience("test-audience"); + + SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet); + signedJWT.sign(signer); + + return signedJWT; + } + + private SignedJWT getInvalidToken() throws JOSEException { + RSASSASigner signer = new RSASSASigner(invalidPrivateKey); + + Calendar calendar = Calendar.getInstance(); + calendar.setTimeInMillis(System.currentTimeMillis()); + calendar.add(Calendar.DATE, -2); + + JWTClaimsSet claimsSet = new JWTClaimsSet(); + claimsSet.setSubject("test-user"); + claimsSet.setIssuer("unit-test"); + claimsSet.setIssueTime(calendar.getTime()); + + calendar.add(Calendar.DATE, 1); //add one day + claimsSet.setExpirationTime(calendar.getTime()); + + claimsSet.setAudience("test-audience-invalid"); + + SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet); + signedJWT.sign(signer); + + return signedJWT; + } + + + @Test + public void testDoFilter() throws Exception { + Users users = createNiceMock(Users.class); + AuthenticationEntryPoint entryPoint = createNiceMock(AuthenticationEntryPoint.class); + HttpServletRequest request = createNiceMock(HttpServletRequest.class); + HttpServletResponse response = createNiceMock(HttpServletResponse.class); + FilterChain chain = createNiceMock(FilterChain.class); + AmbariGrantedAuthority authority = createNiceMock(AmbariGrantedAuthority.class); + User user = createNiceMock(User.class); + + SignedJWT signedJWT = getSignedToken(); + + JwtAuthenticationProperties properties = createTestProperties(); + JwtAuthenticationFilter filter = createMockBuilder(JwtAuthenticationFilter.class). + addMockedMethod("getJWTFromCookie"). + withConstructor(properties, entryPoint, users).createNiceMock(); + + expect(filter.getJWTFromCookie(anyObject(HttpServletRequest.class))).andReturn(signedJWT.serialize()); + expect(users.getUser(eq("test-user"), eq(UserType.JWT))).andReturn(null).once(); + expect(users.getUser(eq("test-user"), eq(UserType.JWT))).andReturn(user).anyTimes(); + + users.createUser(eq("test-user"), anyObject(String.class), eq(UserType.JWT), eq(true), eq(false)); + expectLastCall(); + + expect(users.getUserAuthorities(eq("test-user"), eq(UserType.JWT))).andReturn(Collections.singletonList(authority)); + + expect(user.getUserName()).andReturn("test-user"); + expect(user.getUserType()).andReturn(UserType.JWT); + + replay(users, request, response, chain, filter, entryPoint, user, authority); + + filter.doFilter(request, response, chain); + + verify(users, request, response, chain, filter, entryPoint, user, authority); + + Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + + assertEquals(true, authentication.isAuthenticated()); + + } + + @Test + public void testGetJWTFromCookie() throws Exception { + HttpServletRequest request = createNiceMock(HttpServletRequest.class); + Cookie cookie = createNiceMock(Cookie.class); + + expect(cookie.getName()).andReturn("non-default"); + expect(cookie.getValue()).andReturn("stubtokenstring"); + + expect(request.getCookies()).andReturn(new Cookie[]{cookie}); + + JwtAuthenticationProperties properties = createTestProperties(); + JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null); + + replay(request, cookie); + + String jwtFromCookie = filter.getJWTFromCookie(request); + + verify(request, cookie); + + assertEquals("stubtokenstring", jwtFromCookie); + } + + @Test + public void testValidateSignature() throws Exception { + JwtAuthenticationProperties properties = createTestProperties(); + JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null); + + boolean isValid = filter.validateSignature(getSignedToken()); + + assertEquals(true, isValid); + + isValid = filter.validateSignature(getInvalidToken()); + + assertEquals(false, isValid); + + } + + @Test + public void testValidateAudiences() throws Exception { + JwtAuthenticationProperties properties = createTestProperties(); + JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null); + + boolean isValid = filter.validateAudiences(getSignedToken()); + + assertEquals(true, isValid); + + isValid = filter.validateAudiences(getInvalidToken()); + + assertEquals(false, isValid); + } + + @Test + public void testValidateExpiration() throws Exception { + JwtAuthenticationProperties properties = createTestProperties(); + JwtAuthenticationFilter filter = new JwtAuthenticationFilter(properties, null, null); + + boolean isValid = filter.validateExpiration(getSignedToken()); + + assertEquals(true, isValid); + + isValid = filter.validateExpiration(getInvalidToken()); + + assertEquals(false, isValid); + + } +} \ No newline at end of file