SOLR-11830: PKI authentication testcases do not check for null principal
parent
0744fea821
commit
72e68697fc
@ -30,6 +30,7 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
|
||||||
|
|
||||||
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
|
||||||
static final HashSet<String> denyUsers = new HashSet<>();
|
static final HashSet<String> denyUsers = new HashSet<>();
|
||||||
|
static final HashSet<String> protectedResources = new HashSet<>();
|
||||||
static Predicate<AuthorizationContext> predicate;
|
static Predicate<AuthorizationContext> predicate;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -42,15 +43,17 @@ public class MockAuthorizationPlugin implements AuthorizationPlugin {
|
||||||
} catch (SolrException e) {
|
} catch (SolrException e) {
|
||||||
return new AuthorizationResponse(e.code());
|
return new AuthorizationResponse(e.code());
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
if (!protectedResources.contains(context.getResource())) {
|
||||||
|
return new AuthorizationResponse(200);
|
||||||
|
}
|
||||||
|
if (uname == null) uname = context.getParams().get("uname");
|
||||||
|
log.info("User request: " + uname);
|
||||||
|
if (uname == null || denyUsers.contains(uname))
|
||||||
|
return new AuthorizationResponse(403);
|
||||||
|
else
|
||||||
|
return new AuthorizationResponse(200);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if (uname == null) uname = context.getParams().get("uname");
|
|
||||||
log.info("User request: " + uname);
|
|
||||||
if (denyUsers.contains(uname))
|
|
||||||
return new AuthorizationResponse(403);
|
|
||||||
else
|
|
||||||
return new AuthorizationResponse(200);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
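Review bot: The new `else` branch returns 200 for any resource absent from `protectedResources` before the principal is examined, so the null-principal denial only reaches resources a test has registered; permit-by-default is reasonable for a mock but is easy to misread and deserves a comment such as `// Mock default is permit; only resources registered in protectedResources get the deny-list / null-principal checks.` The log line still concatenates, `log.info("User request: " + uname);`, whereas the parameterized `log.info("User request: {}", uname);` matches the `principalIs : {}` call in the PKIAuthenticationIntegrationTest hunk of this commit. The enclosing authorize method starts before this hunk, so the `uname` initialisation and the `predicate != null` branch the `else` pairs with are not visible here.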
@ -16,12 +16,10 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.solr.security;
|
package org.apache.solr.security;
|
||||||
|
|
||||||
import javax.servlet.ServletRequest;
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import java.lang.invoke.MethodHandles;
|
import java.lang.invoke.MethodHandles;
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
import java.util.concurrent.atomic.AtomicInteger;
|
import java.util.concurrent.atomic.AtomicInteger;
|
||||||
import java.util.function.Predicate;
|
|
||||||
|
|
||||||
import org.apache.http.client.HttpClient;
|
import org.apache.http.client.HttpClient;
|
||||||
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
import org.apache.solr.client.solrj.embedded.JettySolrRunner;
|
||||||
|
@ -77,9 +75,7 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
|
||||||
final AtomicInteger count = new AtomicInteger();
|
final AtomicInteger count = new AtomicInteger();
|
||||||
|
|
||||||
|
|
||||||
MockAuthorizationPlugin.predicate = new Predicate<AuthorizationContext>() {
|
MockAuthorizationPlugin.predicate = context -> {
|
||||||
@Override
|
|
||||||
public boolean test(AuthorizationContext context) {
|
|
||||||
if ("/select".equals(context.getResource())) {
|
if ("/select".equals(context.getResource())) {
|
||||||
Principal principal = context.getUserPrincipal();
|
Principal principal = context.getUserPrincipal();
|
||||||
log.info("principalIs : {}", principal);
|
log.info("principalIs : {}", principal);
|
||||||
|
@ -88,22 +84,19 @@ public class PKIAuthenticationIntegrationTest extends SolrCloudTestCase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
|
||||||
};
|
};
|
||||||
|
|
||||||
MockAuthenticationPlugin.predicate = new Predicate<ServletRequest>() {
|
MockAuthenticationPlugin.predicate = servletRequest -> {
|
||||||
@Override
|
|
||||||
public boolean test(ServletRequest servletRequest) {
|
|
||||||
String s = ((HttpServletRequest) servletRequest).getQueryString();
|
String s = ((HttpServletRequest) servletRequest).getQueryString();
|
||||||
if (s != null && s.contains("__user=solr") && s.contains("__pwd=SolrRocks")) {
|
if (s != null && s.contains("__user=solr") && s.contains("__pwd=SolrRocks")) {
|
||||||
servletRequest.setAttribute(Principal.class.getName(), "solr");
|
servletRequest.setAttribute(Principal.class.getName(), "solr");
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
|
||||||
};
|
};
|
||||||
QueryRequest query = new QueryRequest(params);
|
QueryRequest query = new QueryRequest(params);
|
||||||
query.process(cluster.getSolrClient(), "collection");
|
query.process(cluster.getSolrClient(), "collection");
|
||||||
assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(),count.get() > 2);
|
assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(), count.get() > 2);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@After
|
@After
|
||||||
|
|
|
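Review bot: The assertion `assertTrue("all nodes must get the user solr , no:of nodes got solr : " + count.get(), count.get() > 2);` keeps a literal threshold while its message claims every node saw the principal, so if the cluster has more than three nodes a node that never received it would still pass; comparing against the configured node count (for example `cluster.getJettySolrRunners().size()`, if that is how this test sizes the cluster) would make the message true. The authentication lambda identifies the user by substring matches on the raw query string (`__user=solr`, `__pwd=SolrRocks`), which is fine for a test double, but a one-line comment stating it is test-only credential matching would stop a reader from assuming it models real request parsing. The increment of `count` and the test method's header lie outside these hunks.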
@ -17,7 +17,6 @@
|
||||||
package org.apache.solr.security;
|
package org.apache.solr.security;
|
||||||
|
|
||||||
import java.lang.invoke.MethodHandles;
|
import java.lang.invoke.MethodHandles;
|
||||||
|
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
@ -59,22 +58,30 @@ public class TestAuthorizationFramework extends AbstractFullDistribZkTestBase {
|
||||||
public void authorizationFrameworkTest() throws Exception {
|
public void authorizationFrameworkTest() throws Exception {
|
||||||
MockAuthorizationPlugin.denyUsers.add("user1");
|
MockAuthorizationPlugin.denyUsers.add("user1");
|
||||||
MockAuthorizationPlugin.denyUsers.add("user1");
|
MockAuthorizationPlugin.denyUsers.add("user1");
|
||||||
waitForThingsToLevelOut(10);
|
|
||||||
String baseUrl = jettys.get(0).getBaseUrl().toString();
|
|
||||||
verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
|
|
||||||
log.info("Starting test");
|
|
||||||
ModifiableSolrParams params = new ModifiableSolrParams();
|
|
||||||
params.add("q", "*:*");
|
|
||||||
// This should work fine.
|
|
||||||
cloudClient.query(params);
|
|
||||||
|
|
||||||
// This user is blacklisted in the mock. The request should return a 403.
|
|
||||||
params.add("uname", "user1");
|
|
||||||
try {
|
try {
|
||||||
|
waitForThingsToLevelOut(10);
|
||||||
|
String baseUrl = jettys.get(0).getBaseUrl().toString();
|
||||||
|
verifySecurityStatus(cloudClient.getLbClient().getHttpClient(), baseUrl + "/admin/authorization", "authorization/class", MockAuthorizationPlugin.class.getName(), 20);
|
||||||
|
log.info("Starting test");
|
||||||
|
ModifiableSolrParams params = new ModifiableSolrParams();
|
||||||
|
params.add("q", "*:*");
|
||||||
|
// This should work fine.
|
||||||
cloudClient.query(params);
|
cloudClient.query(params);
|
||||||
fail("This should have failed");
|
MockAuthorizationPlugin.protectedResources.add("/select");
|
||||||
} catch (Exception e) {}
|
|
||||||
log.info("Ending test");
|
// This user is blacklisted in the mock. The request should return a 403.
|
||||||
|
params.add("uname", "user1");
|
||||||
|
try {
|
||||||
|
cloudClient.query(params);
|
||||||
|
fail("This should have failed");
|
||||||
|
} catch (Exception e) {}
|
||||||
|
log.info("Ending test");
|
||||||
|
} finally {
|
||||||
|
MockAuthorizationPlugin.denyUsers.clear();
|
||||||
|
MockAuthorizationPlugin.protectedResources.clear();
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
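Review bot: `} catch (Exception e) {}` after `fail("This should have failed");` makes the negative case vacuous: a timeout, a connection error or an unrelated server exception satisfies the test just as well as the expected 403. Catching the specific type and checking its code, e.g. `} catch (SolrException e) { assertEquals(403, e.code()); }`, pins the behaviour the commit intends (assuming CloudSolrClient surfaces the remote 403 as a SolrException here; if it is wrapped, inspect the cause first). Because `MockAuthorizationPlugin.protectedResources.add("/select");` runs only after the first query, the earlier `// This should work fine.` request passes regardless of principal, and a comment noting that it exercises the mock's permit-by-default path would make that explicit. The duplicated `MockAuthorizationPlugin.denyUsers.add("user1");` in the context lines is harmless but could be dropped.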