mirror of https://github.com/apache/lucene.git
SOLR-11830: PKI authentication testcases do not check for null principal
parent
0744fea821
commit
72e68697fc
|
@ -30,6 +30,7 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
|
|||
|
||||
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
||||
static final HashSet<String> denyUsers = new HashSet<>();
|
||||
static final HashSet<String> protectedResources = new HashSet<>();
|
||||
static Predicate<AuthorizationContext> predicate;
|
||||
|
||||
@Override
|
||||
|
@ -42,15 +43,17 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
|
|||
} catch (SolrException e) {
|
||||
return new AuthorizationResponse(e.code());
|
||||
}
|
||||
} else {
|
||||
if (!protectedResources.contains(context.getResource())) {
|
||||
return new AuthorizationResponse(200);
|
||||
}
|
||||
if (uname == null) uname = context.getParams().get("uname");
|
||||
log.info("User request: " + uname);
|
||||
if (uname == null || denyUsers.contains(uname))
|
||||
return new AuthorizationResponse(403);
|
||||
else
|
||||
return new AuthorizationResponse(200);
|
||||
}
|
||||
|
||||
|
||||
if (uname == null) uname = context.getParams().get("uname");
|
||||
log.info("User request: " + uname);
|
||||
if (denyUsers.contains(uname))
|
||||
return new AuthorizationResponse(403);
|
||||
else
|
||||
return new AuthorizationResponse(200);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
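Review bot: `denyUsers` and `protectedResources` in the first hunk are plain static `HashSet`s, yet the tests in this commit call `add` and `clear` on them from the test thread while the plugin's `contains` checks presumably run on the server's request threads, so those reads are unsynchronized. Declaring them as `static final Set<String> protectedResources = ConcurrentHashMap.newKeySet();` (and likewise for `denyUsers`) would keep the mock's allow/deny decision deterministic; the imports this needs sit outside the hunk. In the second hunk, `log.info("User request: " + uname)` writes a request parameter into the log by concatenation; `log.info("User request: {}", uname);` matches the parameterized form used in the PKI test. Which lines are old and which are new is inferred, because the page lost its +/- markers, and the enclosing method starts outside the hunk.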
@ -16,12 +16,10 @@
|
|||
*/
|
||||
package org.apache.solr.security;
|
||||
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.lang.invoke.MethodHandles;
|
||||
import java.security.Principal;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
||||
|
@ -77,9 +75,7 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
|
|||
final AtomicInteger count = new AtomicInteger();
|
||||
|
||||
|
||||
MockAuthorizationPlugin.predicate = new Predicate<AuthorizationContext>() {
|
||||
@Override
|
||||
public boolean test(AuthorizationContext context) {
|
||||
MockAuthorizationPlugin.predicate = context -> {
|
||||
if ("/select".equals(context.getResource())) {
|
||||
Principal principal = context.getUserPrincipal();
|
||||
log.info("principalIs : {}", principal);
|
||||
|
@ -88,22 +84,19 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
|
|||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
};
|
||||
|
||||
MockAuthenticationPlugin.predicate = new Predicate<ServletRequest>() {
|
||||
@Override
|
||||
public boolean test(ServletRequest servletRequest) {
|
||||
MockAuthenticationPlugin.predicate = servletRequest -> {
|
||||
String s = ((HttpServletRequest) servletRequest).getQueryString();
|
||||
if (s != null && s.contains("__user=solr") && s.contains("__pwd=SolrRocks")) {
|
||||
servletRequest.setAttribute(Principal.class.getName(), "solr");
|
||||
}
|
||||
return true;
|
||||
}
|
||||
};
|
||||
QueryRequest query = new QueryRequest(params);
|
||||
query.process(cluster.getSolrClient(), "collection");
|
||||
assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(),count.get() > 2);
|
||||
assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(), count.get() > 2);
|
||||
|
||||
}
|
||||
|
||||
@After
|
||||
|
|
|
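Review bot: The assertion at the end of the last hunk checks only `count.get() > 2`, while its message says all nodes must get the user solr, so the test can still pass when some nodes see a null or different principal. Tying the threshold to the cluster size would make the check match the message, for example `assertTrue(msg, count.get() >= expectedNodes);` where `msg` and `expectedNodes` are placeholders for the existing message and the node count, neither defined on this page. The lines that increment `count` fall between the second and third hunks and are not visible, so confirm how often each node increments it before picking the comparison.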
@ -17,7 +17,6 @@
|
|||
package org.apache.solr.security;
|
||||
|
||||
import java.lang.invoke.MethodHandles;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
@ -59,22 +58,30 @@ public class TestAuthorizationFramework extends AbstractFullDistribZkTestBase {
|
|||
public void authorizationFrameworkTest() throws Exception {
|
||||
MockAuthorizationPlugin.denyUsers.add("user1");
|
||||
MockAuthorizationPlugin.denyUsers.add("user1");
|
||||
waitForThingsToLevelOut(10);
|
||||
String baseUrl = jettys.get(0).getBaseUrl().toString();
|
||||
verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
|
||||
log.info("Starting test");
|
||||
ModifiableSolrParams params = new ModifiableSolrParams();
|
||||
params.add("q", "*:*");
|
||||
// This should work fine.
|
||||
cloudClient.query(params);
|
||||
|
||||
// This user is blacklisted in the mock. The request should return a 403.
|
||||
params.add("uname", "user1");
|
||||
try {
|
||||
waitForThingsToLevelOut(10);
|
||||
String baseUrl = jettys.get(0).getBaseUrl().toString();
|
||||
verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
|
||||
log.info("Starting test");
|
||||
ModifiableSolrParams params = new ModifiableSolrParams();
|
||||
params.add("q", "*:*");
|
||||
// This should work fine.
|
||||
cloudClient.query(params);
|
||||
fail("This should have failed");
|
||||
} catch (Exception e) {}
|
||||
log.info("Ending test");
|
||||
MockAuthorizationPlugin.protectedResources.add("/select");
|
||||
|
||||
// This user is blacklisted in the mock. The request should return a 403.
|
||||
params.add("uname", "user1");
|
||||
try {
|
||||
cloudClient.query(params);
|
||||
fail("This should have failed");
|
||||
} catch (Exception e) {}
|
||||
log.info("Ending test");
|
||||
} finally {
|
||||
MockAuthorizationPlugin.denyUsers.clear();
|
||||
MockAuthorizationPlugin.protectedResources.clear();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
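Review bot: The denial check in the last hunk ends in `catch (Exception e) {}`, which accepts any failure of `cloudClient.query(params)`, so a timeout or connection error passes the test just as a 403 from the authorization plugin would. The comment above it says the request should return a 403, and the catch should assert that, e.g. `catch (SolrException e) { assertEquals(403, e.code()); }` if the client surfaces a `SolrException` here (the exception type actually thrown is not visible on this page). Without that assertion the test does not show that the null-principal and deny-list paths in the mock are what rejected the request.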