HADOOP-14799. Update nimbus-jose-jwt to 4.41.1. (rchiang) (cherry picked from commit 556812c179aa094c21acf610439a8d69fe6420ab)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/bfd8fb30 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/bfd8fb30 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/bfd8fb30 Branch: refs/heads/branch-2.8 Commit: bfd8fb309d61ef249f8a51e7a0fbd5bb2845e074 Parents: 486fa88 Author: Ray Chiang <rchi...@apache.org> Authored: Tue Sep 12 10:19:34 2017 -0700 Committer: Brahma Reddy Battula <bra...@apache.org> Committed: Wed Feb 14 00:08:02 2018 +0530 ---------------------------------------------------------------------- .../JWTRedirectAuthenticationHandler.java | 4 +- .../TestJWTRedirectAuthenticationHandler.java | 476 ++++++++++++++++++ .../TestJWTRedirectAuthentictionHandler.java | 481 ------------------- .../mapreduce/task/reduce/TestFetcher.java | 4 - hadoop-project/pom.xml | 2 +- 5 files changed, 480 insertions(+), 487 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/bfd8fb30/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java index 61f5b9e..884398c 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java @@ -28,6 +28,7 @@ import java.text.ParseException; import java.security.interfaces.RSAPublicKey; +import com.google.common.annotations.VisibleForTesting; import org.apache.hadoop.security.authentication.client.AuthenticationException; import org.apache.hadoop.security.authentication.util.CertificateUtil; import org.slf4j.Logger; @@ -216,7 +217,8 @@ public class JWTRedirectAuthenticationHandler extends * @param request for getting the original request URL * @return url to use as login url for redirect */ - protected String constructLoginURL(HttpServletRequest request) { + @VisibleForTesting + String constructLoginURL(HttpServletRequest request) { String delimiter = "?"; if (authenticationProviderUrl.contains("?")) { delimiter = "&"; http://git-wip-us.apache.org/repos/asf/hadoop/blob/bfd8fb30/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java new file mode 100644 index 0000000..5a2db9b --- /dev/null +++ b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthenticationHandler.java @@ -0,0 +1,476 @@ +/** + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. See accompanying LICENSE file. + */ +package org.apache.hadoop.security.authentication.server; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.File; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; +import java.util.List; +import java.util.ArrayList; +import java.util.Properties; +import java.util.Vector; +import java.util.Date; + +import javax.servlet.ServletException; +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.hadoop.minikdc.KerberosSecurityTestcase; +import org.apache.hadoop.security.authentication.KerberosTestUtils; +import org.apache.hadoop.security.authentication.client.AuthenticationException; +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; + +import com.nimbusds.jose.*; +import com.nimbusds.jwt.JWTClaimsSet; +import com.nimbusds.jwt.SignedJWT; +import com.nimbusds.jose.crypto.RSASSASigner; + +public class TestJWTRedirectAuthenticationHandler extends + KerberosSecurityTestcase { + private static final String SERVICE_URL = "https://localhost:8888/resource"; + private static final String REDIRECT_LOCATION = + "https://localhost:8443/authserver?originalUrl=" + SERVICE_URL; + RSAPublicKey publicKey = null; + RSAPrivateKey privateKey = null; + JWTRedirectAuthenticationHandler handler = null; + + @Test + public void testNoPublicKeyJWT() throws Exception { + try { + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + fail("alternateAuthentication should have thrown a ServletException"); + } catch (ServletException se) { + assertTrue(se.getMessage().contains( + "Public key for signature validation must be provisioned")); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testCustomCookieNameJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + props.put(JWTRedirectAuthenticationHandler.JWT_COOKIE_NAME, "jowt"); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("jowt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Assert.assertEquals("bob", token.getUserName()); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException: " + + se.getMessage()); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testNoProviderURLJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + props + .remove(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + fail("alternateAuthentication should have thrown an AuthenticationException"); + } catch (ServletException se) { + assertTrue(se.getMessage().contains( + "Authentication provider URL must not be null")); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testUnableToParseJWT() throws Exception { + try { + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); + kpg.initialize(2048); + + KeyPair kp = kpg.genKeyPair(); + RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic(); + + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", "ljm" + jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testFailedSignatureValidationJWT() throws Exception { + try { + + // Create a public key that doesn't match the one needed to + // verify the signature - in order to make it fail verification... + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); + kpg.initialize(2048); + + KeyPair kp = kpg.genKeyPair(); + RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic(); + + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testExpiredJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() - 1000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testNoExpirationJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("bob", null, privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Assert.assertNotNull("Token should not be null.", token); + Assert.assertEquals("bob", token.getUserName()); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testInvalidAudienceJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + props + .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "foo"); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown a AuthenticationException"); + } + } + + @Test + public void testValidAudienceJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + props + .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "bar"); + handler.init(props); + + SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Assert.assertEquals("bob", token.getUserName()); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException"); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown an AuthenticationException"); + } + } + + @Test + public void testValidJWT() throws Exception { + try { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000), + privateKey); + + Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( + SERVICE_URL); + + AuthenticationToken token = handler.alternateAuthenticate(request, + response); + Assert.assertNotNull("Token should not be null.", token); + Assert.assertEquals("alice", token.getUserName()); + } catch (ServletException se) { + fail("alternateAuthentication should NOT have thrown a ServletException."); + } catch (AuthenticationException ae) { + fail("alternateAuthentication should NOT have thrown an AuthenticationException"); + } + } + + @Test + public void testOrigURLWithQueryString() throws Exception { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + Mockito.when(request.getQueryString()).thenReturn("name=value"); + + String loginURL = handler.constructLoginURL(request); + Assert.assertNotNull("loginURL should not be null.", loginURL); + Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL); + } + + @Test + public void testOrigURLNoQueryString() throws Exception { + handler.setPublicKey(publicKey); + + Properties props = getProperties(); + handler.init(props); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + Mockito.when(request.getRequestURL()).thenReturn( + new StringBuffer(SERVICE_URL)); + Mockito.when(request.getQueryString()).thenReturn(null); + + String loginURL = handler.constructLoginURL(request); + Assert.assertNotNull("LoginURL should not be null.", loginURL); + Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL); + } + + @Before + public void setup() throws Exception, NoSuchAlgorithmException { + setupKerberosRequirements(); + + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); + kpg.initialize(2048); + + KeyPair kp = kpg.genKeyPair(); + publicKey = (RSAPublicKey) kp.getPublic(); + privateKey = (RSAPrivateKey) kp.getPrivate(); + + handler = new JWTRedirectAuthenticationHandler(); + } + + protected void setupKerberosRequirements() throws Exception { + String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2", + "HTTP2/host1", "XHTTP/host" }; + String keytab = KerberosTestUtils.getKeytabFile(); + getKdc().createPrincipal(new File(keytab), keytabUsers); + } + + @After + public void teardown() throws Exception { + handler.destroy(); + } + + protected Properties getProperties() { + Properties props = new Properties(); + props.setProperty( + JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL, + "https://localhost:8443/authserver"); + props.setProperty("kerberos.principal", + KerberosTestUtils.getServerPrincipal()); + props.setProperty("kerberos.keytab", KerberosTestUtils.getKeytabFile()); + return props; + } + + protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey) + throws Exception { + JWTClaimsSet claimsSet = new JWTClaimsSet.Builder() + .subject(sub) + .issueTime(new Date(new Date().getTime())) + .issuer("https://c2id.com") + .claim("scope", "openid") + .audience("bar") + .expirationTime(expires) + .build(); + List<String> aud = new ArrayList<String>(); + aud.add("bar"); + + JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build(); + + SignedJWT signedJWT = new SignedJWT(header, claimsSet); + JWSSigner signer = new RSASSASigner(privateKey); + + signedJWT.sign(signer); + + return signedJWT; + } +} http://git-wip-us.apache.org/repos/asf/hadoop/blob/bfd8fb30/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java b/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java deleted file mode 100644 index 97a8a9d..0000000 --- a/hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestJWTRedirectAuthentictionHandler.java +++ /dev/null @@ -1,481 +0,0 @@ -/** - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. See accompanying LICENSE file. - */ -package org.apache.hadoop.security.authentication.server; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import java.io.File; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.interfaces.RSAPrivateKey; -import java.security.interfaces.RSAPublicKey; -import java.util.List; -import java.util.ArrayList; -import java.util.Properties; -import java.util.Vector; -import java.util.Date; - -import javax.servlet.ServletException; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.apache.hadoop.minikdc.KerberosSecurityTestcase; -import org.apache.hadoop.security.authentication.KerberosTestUtils; -import org.apache.hadoop.security.authentication.client.AuthenticationException; -import org.junit.After; -import org.junit.Assert; -import org.junit.Before; -import org.junit.Test; -import org.mockito.Mockito; - -import com.nimbusds.jose.*; -import com.nimbusds.jwt.JWTClaimsSet; -import com.nimbusds.jwt.SignedJWT; -import com.nimbusds.jose.crypto.RSASSASigner; - -public class TestJWTRedirectAuthentictionHandler extends - KerberosSecurityTestcase { - private static final String SERVICE_URL = "https://localhost:8888/resource"; - private static final String REDIRECT_LOCATION = - "https://localhost:8443/authserver?originalUrl=" + SERVICE_URL; - RSAPublicKey publicKey = null; - RSAPrivateKey privateKey = null; - JWTRedirectAuthenticationHandler handler = null; - - @Test - public void testNoPublicKeyJWT() throws Exception { - try { - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - fail("alternateAuthentication should have thrown a ServletException"); - } catch (ServletException se) { - assertTrue(se.getMessage().contains( - "Public key for signature validation must be provisioned")); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testCustomCookieNameJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - props.put(JWTRedirectAuthenticationHandler.JWT_COOKIE_NAME, "jowt"); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("jowt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Assert.assertEquals("bob", token.getUserName()); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException: " - + se.getMessage()); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testNoProviderURLJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - props - .remove(JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - fail("alternateAuthentication should have thrown an AuthenticationException"); - } catch (ServletException se) { - assertTrue(se.getMessage().contains( - "Authentication provider URL must not be null")); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testUnableToParseJWT() throws Exception { - try { - KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); - kpg.initialize(2048); - - KeyPair kp = kpg.genKeyPair(); - RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic(); - - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", "ljm" + jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testFailedSignatureValidationJWT() throws Exception { - try { - - // Create a public key that doesn't match the one needed to - // verify the signature - in order to make it fail verification... - KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); - kpg.initialize(2048); - - KeyPair kp = kpg.genKeyPair(); - RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic(); - - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testExpiredJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() - 1000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testNoExpirationJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("bob", null, privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Assert.assertNotNull("Token should not be null.", token); - Assert.assertEquals("bob", token.getUserName()); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testInvalidAudienceJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - props - .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "foo"); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Mockito.verify(response).sendRedirect(REDIRECT_LOCATION); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown a AuthenticationException"); - } - } - - @Test - public void testValidAudienceJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - props - .put(JWTRedirectAuthenticationHandler.EXPECTED_JWT_AUDIENCES, "bar"); - handler.init(props); - - SignedJWT jwt = getJWT("bob", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Assert.assertEquals("bob", token.getUserName()); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException"); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown an AuthenticationException"); - } - } - - @Test - public void testValidJWT() throws Exception { - try { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - SignedJWT jwt = getJWT("alice", new Date(new Date().getTime() + 5000), - privateKey); - - Cookie cookie = new Cookie("hadoop-jwt", jwt.serialize()); - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getCookies()).thenReturn(new Cookie[] { cookie }); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - HttpServletResponse response = Mockito.mock(HttpServletResponse.class); - Mockito.when(response.encodeRedirectURL(SERVICE_URL)).thenReturn( - SERVICE_URL); - - AuthenticationToken token = handler.alternateAuthenticate(request, - response); - Assert.assertNotNull("Token should not be null.", token); - Assert.assertEquals("alice", token.getUserName()); - } catch (ServletException se) { - fail("alternateAuthentication should NOT have thrown a ServletException."); - } catch (AuthenticationException ae) { - fail("alternateAuthentication should NOT have thrown an AuthenticationException"); - } - } - - @Test - public void testOrigURLWithQueryString() throws Exception { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - Mockito.when(request.getQueryString()).thenReturn("name=value"); - - String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request); - Assert.assertNotNull("loginURL should not be null.", loginURL); - Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL + "?name=value", loginURL); - } - - @Test - public void testOrigURLNoQueryString() throws Exception { - handler.setPublicKey(publicKey); - - Properties props = getProperties(); - handler.init(props); - - HttpServletRequest request = Mockito.mock(HttpServletRequest.class); - Mockito.when(request.getRequestURL()).thenReturn( - new StringBuffer(SERVICE_URL)); - Mockito.when(request.getQueryString()).thenReturn(null); - - String loginURL = ((TestJWTRedirectAuthenticationHandler)handler).testConstructLoginURL(request); - Assert.assertNotNull("LoginURL should not be null.", loginURL); - Assert.assertEquals("https://localhost:8443/authserver?originalUrl=" + SERVICE_URL, loginURL); - } - - @Before - public void setup() throws Exception, NoSuchAlgorithmException { - setupKerberosRequirements(); - - KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); - kpg.initialize(2048); - - KeyPair kp = kpg.genKeyPair(); - publicKey = (RSAPublicKey) kp.getPublic(); - privateKey = (RSAPrivateKey) kp.getPrivate(); - - handler = new TestJWTRedirectAuthenticationHandler(); - } - - protected void setupKerberosRequirements() throws Exception { - String[] keytabUsers = new String[] { "HTTP/host1", "HTTP/host2", - "HTTP2/host1", "XHTTP/host" }; - String keytab = KerberosTestUtils.getKeytabFile(); - getKdc().createPrincipal(new File(keytab), keytabUsers); - } - - @After - public void teardown() throws Exception { - handler.destroy(); - } - - protected Properties getProperties() { - Properties props = new Properties(); - props.setProperty( - JWTRedirectAuthenticationHandler.AUTHENTICATION_PROVIDER_URL, - "https://localhost:8443/authserver"); - props.setProperty("kerberos.principal", - KerberosTestUtils.getServerPrincipal()); - props.setProperty("kerberos.keytab", KerberosTestUtils.getKeytabFile()); - return props; - } - - protected SignedJWT getJWT(String sub, Date expires, RSAPrivateKey privateKey) - throws Exception { - JWTClaimsSet claimsSet = new JWTClaimsSet(); - claimsSet.setSubject(sub); - claimsSet.setIssueTime(new Date(new Date().getTime())); - claimsSet.setIssuer("https://c2id.com"); - claimsSet.setCustomClaim("scope", "openid"); - claimsSet.setExpirationTime(expires); - List<String> aud = new ArrayList<String>(); - aud.add("bar"); - claimsSet.setAudience("bar"); - - JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build(); - - SignedJWT signedJWT = new SignedJWT(header, claimsSet); - JWSSigner signer = new RSASSASigner(privateKey); - - signedJWT.sign(signer); - - return signedJWT; - } - - class TestJWTRedirectAuthenticationHandler extends JWTRedirectAuthenticationHandler { - public String testConstructLoginURL(HttpServletRequest req) { - return constructLoginURL(req); - } - }; -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/bfd8fb30/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java ---------------------------------------------------------------------- diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java index c76a994..0234865 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/test/java/org/apache/hadoop/mapreduce/task/reduce/TestFetcher.java @@ -25,9 +25,7 @@ import java.net.HttpURLConnection; import org.apache.hadoop.fs.ChecksumException; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; -import org.apache.hadoop.mapred.MapOutputFile; import org.apache.hadoop.mapreduce.MRJobConfig; -import org.apache.hadoop.mapreduce.TaskID; import org.junit.After; import org.junit.Before; import org.junit.Rule; @@ -65,8 +63,6 @@ import org.junit.Test; import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; -import com.nimbusds.jose.util.StringUtils; - /** * Test that the Fetcher does what we expect it to. */ http://git-wip-us.apache.org/repos/asf/hadoop/blob/bfd8fb30/hadoop-project/pom.xml ---------------------------------------------------------------------- diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml index 5fcccca..c377870 100644 --- a/hadoop-project/pom.xml +++ b/hadoop-project/pom.xml @@ -1000,7 +1000,7 @@ <dependency> <groupId>com.nimbusds</groupId> <artifactId>nimbus-jose-jwt</artifactId> - <version>3.9</version> + <version>4.41.1</version> <scope>compile</scope> <exclusions> <exclusion> --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org