honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Config file parsing: Improved parsing for edge cases 

Created some tests to improve parsing of files, most importantly fixed an endless loop
in YAML parsing and made the non-yaml parsers a bit more error resistant.

Closes elastic/elasticsearch#40

Original commit: elastic/x-pack-elasticsearch@8873138d0c
This commit is contained in:
Alexander Reelsen 2014-08-26 10:49:48 +02:00
parent 9cd397727f
commit b887fad51a
8 changed files with 160 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
View File

@ -100,7 +100,9 @@ public class FileUserPasswdStore extends AbstractComponent implements UserPasswd
lineNr++; lineNr++;
int i = line.indexOf(":"); int i = line.indexOf(":");
if (i <= 0 || i == line.length() - 1) { if (i <= 0 || i == line.length() - 1) {
logger.error("Invalid entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping..."); if (logger != null) {
logger.error("Invalid entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping...");
}
continue; continue;
} }
String username = line.substring(0, i).trim(); String username = line.substring(0, i).trim();

22
src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
View File

@ -93,12 +93,32 @@ public class FileUserRolesStore extends AbstractComponent implements UserRolesSt
lineNr++; lineNr++;
int i = line.indexOf(":"); int i = line.indexOf(":");
if (i <= 0 || i == line.length() - 1) { if (i <= 0 || i == line.length() - 1) {
logger.error("Invalid entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping..."); if (logger != null) {
logger.error("Invalid entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping...");
}
continue; continue;
} }
String username = line.substring(0, i).trim(); String username = line.substring(0, i).trim();
if (Strings.isEmpty(username)) {
if (logger != null) {
logger.error("Invalid username entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping...");
}
continue;
}
String rolesStr = line.substring(i + 1).trim(); String rolesStr = line.substring(i + 1).trim();
if (Strings.isEmpty(rolesStr)) {
if (logger != null) {
logger.error("Invalid roles entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping...");
}
continue;
}
String[] roles = ROLES_DELIM.split(rolesStr); String[] roles = ROLES_DELIM.split(rolesStr);
if (roles.length == 0) {
if (logger != null) {
logger.error("Invalid roles entry in users file [" + path.toAbsolutePath() + "], line [" + lineNr + "]. Skipping...");
}
continue;
}
usersRoles.put(username, roles); usersRoles.put(username, roles);
} }

6
src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
View File

@ -11,6 +11,8 @@ import org.elasticsearch.common.collect.ImmutableMap;
import org.elasticsearch.common.collect.ImmutableSet; import org.elasticsearch.common.collect.ImmutableSet;
import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.jackson.dataformat.yaml.snakeyaml.error.YAMLException;
import org.elasticsearch.common.jackson.dataformat.yaml.snakeyaml.scanner.ScannerException;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentBuilder; import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentFactory; import org.elasticsearch.common.xcontent.XContentFactory;
@ -86,7 +88,7 @@ public class FileRolesStore extends AbstractComponent implements RolesStore {
XContentParser parser = YamlXContent.yamlXContent.createParser(input); XContentParser parser = YamlXContent.yamlXContent.createParser(input);
XContentParser.Token token; XContentParser.Token token;
String currentFieldName = null; String currentFieldName = null;
while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT) { while ((token = parser.nextToken()) != XContentParser.Token.END_OBJECT && token != null) {
if (token == XContentParser.Token.FIELD_NAME) { if (token == XContentParser.Token.FIELD_NAME) {
currentFieldName = parser.currentName(); currentFieldName = parser.currentName();
} else if (token == XContentParser.Token.START_OBJECT && currentFieldName != null) { } else if (token == XContentParser.Token.START_OBJECT && currentFieldName != null) {
@ -160,7 +162,7 @@ public class FileRolesStore extends AbstractComponent implements RolesStore {
return roles.build(); return roles.build();
} catch (IOException ioe) { } catch (YAMLException|IOException ioe) {
throw new ElasticsearchException("Failed to read roles file [" + path.toAbsolutePath() + "]", ioe); throw new ElasticsearchException("Failed to read roles file [" + path.toAbsolutePath() + "]", ioe);
} }
} }

5
src/main/java/org/elasticsearch/shield/n2n/IPFilteringN2NAuthenticator.java
View File

@ -11,6 +11,7 @@ import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings; import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject; import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.jackson.dataformat.yaml.snakeyaml.error.YAMLException;
import org.elasticsearch.common.net.InetAddresses; import org.elasticsearch.common.net.InetAddresses;
import org.elasticsearch.common.netty.handler.ipfilter.IpFilterRule; import org.elasticsearch.common.netty.handler.ipfilter.IpFilterRule;
import org.elasticsearch.common.netty.handler.ipfilter.IpSubnetFilterRule; import org.elasticsearch.common.netty.handler.ipfilter.IpSubnetFilterRule;
@ -103,8 +104,8 @@ public class IPFilteringN2NAuthenticator extends AbstractComponent implements N2
} }
} }
} catch (IOException ioe) { } catch (YAMLException|IOException ioe) {
throw new ElasticsearchException("Failed to read & parse host access file [" + path.toAbsolutePath() + "]", ioe); throw new ElasticsearchParseException("Failed to read & parse host access file [" + path.toAbsolutePath() + "]", ioe);
} }
if (rules.size() == 0) { if (rules.size() == 0) {

16
src/test/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStoreTests.java
View File

@ -10,12 +10,17 @@ import org.elasticsearch.common.settings.ImmutableSettings;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.shield.authc.support.Hasher; import org.elasticsearch.shield.authc.support.Hasher;
import org.elasticsearch.shield.authz.Permission;
import org.elasticsearch.shield.authz.store.FileRolesStore;
import org.elasticsearch.test.ElasticsearchTestCase; import org.elasticsearch.test.ElasticsearchTestCase;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.watcher.ResourceWatcherService;
import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import java.io.BufferedWriter; import java.io.BufferedWriter;
import java.io.File;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
@ -31,6 +36,9 @@ import static org.hamcrest.Matchers.*;
*/ */
public class FileUserPasswdStoreTests extends ElasticsearchTestCase { public class FileUserPasswdStoreTests extends ElasticsearchTestCase {
@Rule
public TemporaryFolder tempFolder = new TemporaryFolder();
@Test @Test
public void testParseFile() throws Exception { public void testParseFile() throws Exception {
Path path = Paths.get(getClass().getResource("users").toURI()); Path path = Paths.get(getClass().getResource("users").toURI());
@ -99,6 +107,14 @@ public class FileUserPasswdStoreTests extends ElasticsearchTestCase {
threadPool.shutdownNow(); threadPool.shutdownNow();
} }
} }
}
@Test
public void testThatInvalidLineDoesNotResultInLoggerNPE() throws Exception {
File file = tempFolder.newFile();
com.google.common.io.Files.write("NotValidUsername=Password\nuser:pass".getBytes(org.elasticsearch.common.base.Charsets.UTF_8), file);
Map<String, char[]> users = FileUserPasswdStore.parseFile(file.toPath(), null);
assertThat(users, notNullValue());
assertThat(users.keySet(), hasSize(1));
} }
} }

34
src/test/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStoreTests.java
View File

@ -9,16 +9,22 @@ import com.carrotsearch.ant.tasks.junit4.dependencies.com.google.common.base.Cha
import org.elasticsearch.common.settings.ImmutableSettings; import org.elasticsearch.common.settings.ImmutableSettings;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment; import org.elasticsearch.env.Environment;
import org.elasticsearch.shield.authz.Permission;
import org.elasticsearch.shield.authz.store.FileRolesStore;
import org.elasticsearch.test.ElasticsearchTestCase; import org.elasticsearch.test.ElasticsearchTestCase;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.watcher.ResourceWatcherService;
import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import java.io.BufferedWriter; import java.io.BufferedWriter;
import java.io.File;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.nio.file.StandardOpenOption; import java.nio.file.StandardOpenOption;
import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.concurrent.CountDownLatch; import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -30,6 +36,9 @@ import static org.hamcrest.Matchers.*;
*/ */
public class FileUserRolesStoreTests extends ElasticsearchTestCase { public class FileUserRolesStoreTests extends ElasticsearchTestCase {
@Rule
public TemporaryFolder tempFolder = new TemporaryFolder();
@Test @Test
public void testParseFile() throws Exception { public void testParseFile() throws Exception {
Path path = Paths.get(getClass().getResource("users_roles").toURI()); Path path = Paths.get(getClass().getResource("users_roles").toURI());
@ -102,6 +111,31 @@ public class FileUserRolesStoreTests extends ElasticsearchTestCase {
threadPool.shutdownNow(); threadPool.shutdownNow();
} }
} }
}
@Test
public void testThatEmptyFileIsParsed() throws Exception {
assertInvalidInputIsSilentlyIngored("");
assertInvalidInputIsSilentlyIngored("#");
}
@Test
public void testThatEmptyUserNameDoesNotThrowException() throws Exception {
assertInvalidInputIsSilentlyIngored(":role1,role2");
assertInvalidInputIsSilentlyIngored(" :role1,role2");
}
@Test
public void testThatEmptyRoleDoesNotThrowException() throws Exception {
assertInvalidInputIsSilentlyIngored("user:");
assertInvalidInputIsSilentlyIngored("user: ");
assertInvalidInputIsSilentlyIngored("user: , ");
}
private void assertInvalidInputIsSilentlyIngored(String input) throws Exception {
File file = tempFolder.newFile();
com.google.common.io.Files.write(input.getBytes(Charsets.UTF_8), file);
Map<String, String[]> usersRoles = FileUserRolesStore.parseFile(file.toPath(), null);
assertThat(String.format(Locale.ROOT, "Expected userRoles to be empty, but was %s", usersRoles.keySet()), usersRoles.keySet(), hasSize(0));
} }
} }

16
src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
View File

@ -5,6 +5,7 @@
*/ */
package org.elasticsearch.shield.authz.store; package org.elasticsearch.shield.authz.store;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.base.Charsets; import org.elasticsearch.common.base.Charsets;
import org.elasticsearch.common.settings.ImmutableSettings; import org.elasticsearch.common.settings.ImmutableSettings;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
@ -19,6 +20,7 @@ import org.junit.Test;
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
import java.io.BufferedWriter; import java.io.BufferedWriter;
import java.io.File;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
@ -147,6 +149,20 @@ public class FileRolesStoreTests extends ElasticsearchTestCase {
threadPool.shutdownNow(); threadPool.shutdownNow();
} }
} }
}
@Test
public void testThatEmptyFileDoesNotResultInLoop() throws Exception {
File file = tempFolder.newFile();
com.google.common.io.Files.write("#".getBytes(Charsets.UTF_8), file);
Map<String, Permission.Global> roles = FileRolesStore.parseFile(file.toPath());
assertThat(roles.keySet(), is(empty()));
}
@Test(expected = ElasticsearchException.class)
public void testThatInvalidYAMLThrowsElasticsearchException() throws Exception {
File file = tempFolder.newFile();
com.google.common.io.Files.write("user: cluster: ALL indices: '.*': ALL".getBytes(Charsets.UTF_8), file);
FileRolesStore.parseFile(file.toPath());
} }
} }

125
src/test/java/org/elasticsearch/shield/n2n/IPFilteringN2NAuthenticatorTests.java
View File

@ -6,6 +6,7 @@
package org.elasticsearch.shield.n2n; package org.elasticsearch.shield.n2n;
import com.google.common.io.Files; import com.google.common.io.Files;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.common.base.Charsets; import org.elasticsearch.common.base.Charsets;
import org.elasticsearch.common.net.InetAddresses; import org.elasticsearch.common.net.InetAddresses;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
@ -14,13 +15,16 @@ import org.elasticsearch.env.Environment;
import org.elasticsearch.test.ElasticsearchTestCase; import org.elasticsearch.test.ElasticsearchTestCase;
import org.elasticsearch.threadpool.ThreadPool; import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService; import org.elasticsearch.watcher.ResourceWatcherService;
import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.TemporaryFolder; import org.junit.rules.TemporaryFolder;
import java.io.File; import java.io.File;
import java.io.IOException;
import java.security.Principal; import java.security.Principal;
import java.util.Locale;
import static org.elasticsearch.common.settings.ImmutableSettings.settingsBuilder; import static org.elasticsearch.common.settings.ImmutableSettings.settingsBuilder;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
@ -42,122 +46,119 @@ public class IPFilteringN2NAuthenticatorTests extends ElasticsearchTestCase {
private ResourceWatcherService resourceWatcherService; private ResourceWatcherService resourceWatcherService;
private File configFile; private File configFile;
private Settings settings;
private IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator;
@Before @Before
public void init() throws Exception { public void init() throws Exception {
configFile = temporaryFolder.newFile(); configFile = temporaryFolder.newFile();
Settings settings = settingsBuilder().put("watcher.interval.medium", TimeValue.timeValueMillis(200)).build(); Settings resourceWatcherServiceSettings = settingsBuilder().put("watcher.interval.medium", TimeValue.timeValueMillis(200)).build();
resourceWatcherService = new ResourceWatcherService(settings, new ThreadPool("resourceWatcher")).start(); resourceWatcherService = new ResourceWatcherService(resourceWatcherServiceSettings, new ThreadPool("resourceWatcher")).start();
settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build();
}
@After
public void shutdown() {
resourceWatcherService.stop();
} }
@Test @Test
public void testThatIpV4AddressesCanBeProcessed() throws Exception { public void testThatIpV4AddressesCanBeProcessed() throws Exception {
String testData = "allow: 127.0.0.1\ndeny: 10.0.0.0/8"; writeConfigFile("allow: 127.0.0.1\ndeny: 10.0.0.0/8");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); assertAddressIsDenied(ipFilteringN2NAuthenticator, "10.2.3.4");
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("10.2.3.4"), 1024), is(false));
} }
@Test @Test
public void testThatIpV6AddressesCanBeProcessed() throws Exception { public void testThatIpV6AddressesCanBeProcessed() throws Exception {
String testData = "allow: 2001:0db8:1234::/48\ndeny: 1234:0db8:85a3:0000:0000:8a2e:0370:7334"; writeConfigFile("allow: 2001:0db8:1234::/48\ndeny: 1234:0db8:85a3:0000:0000:8a2e:0370:7334");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "2001:0db8:1234:0000:0000:8a2e:0370:7334");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); assertAddressIsDenied(ipFilteringN2NAuthenticator, "1234:0db8:85a3:0000:0000:8a2e:0370:7334");
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("2001:0db8:1234:0000:0000:8a2e:0370:7334"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("1234:0db8:85a3:0000:0000:8a2e:0370:7334"), 1024), is(false));
} }
@Test @Test
public void testThatHostnamesCanBeProcessed() throws Exception { public void testThatHostnamesCanBeProcessed() throws Exception {
String testData = "allow: localhost\ndeny: '*.google.com'"; writeConfigFile("allow: localhost\ndeny: '*.google.com'");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); assertAddressIsDenied(ipFilteringN2NAuthenticator, "173.194.70.100");
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("173.194.70.100"), 1024), is(false));
} }
@Test @Test
public void testThatFileDeletionResultsInAllowingAll() throws Exception { public void testThatFileDeletionResultsInAllowingAll() throws Exception {
String testData = "allow: 127.0.0.1"; writeConfigFile("allow: 127.0.0.1");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService);
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
configFile.delete(); configFile.delete();
assertThat(configFile.exists(), is(false)); assertThat(configFile.exists(), is(false));
sleep(250); sleep(250);
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(false)); assertAddressIsDenied(ipFilteringN2NAuthenticator, "127.0.0.1");
} }
@Test @Test
public void testThatAnAllowAllAuthenticatorWorks() throws Exception { public void testThatAnAllowAllAuthenticatorWorks() throws Exception {
String testData = "allow: all"; writeConfigFile("allow: all");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "173.194.70.100");
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("173.194.70.100"), 1024), is(true));
} }
@Test @Test
public void testThatCommaSeparatedValuesWork() throws Exception { public void testThatCommaSeparatedValuesWork() throws Exception {
String testData = "allow: 192.168.23.0/24, localhost\ndeny: all"; writeConfigFile("allow: 192.168.23.0/24, localhost\ndeny: all");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "192.168.23.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
assertAddressIsDenied(ipFilteringN2NAuthenticator, "10.1.2.3");
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("192.168.23.1"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("10.1.2.3"), 1024), is(false));
} }
@Test @Test
public void testThatOrderIsImportant() throws Exception { public void testThatOrderIsImportant() throws Exception {
String testData = "deny: localhost\nallow: localhost"; writeConfigFile("deny: localhost\nallow: localhost");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsDenied(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService);
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(false));
} }
@Test @Test
public void testThatOrderIsImportantViceVersa() throws Exception { public void testThatOrderIsImportantViceVersa() throws Exception {
String testData = "allow: localhost\ndeny: localhost"; writeConfigFile("allow: localhost\ndeny: localhost");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsAllowed(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService);
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(true));
} }
@Test @Test
public void testThatEmptyFileDoesNotLeadIntoLoop() throws Exception { public void testThatEmptyFileDoesNotLeadIntoLoop() throws Exception {
String testData = "# \n\n"; writeConfigFile("# \n\n");
Files.write(testData.getBytes(Charsets.UTF_8), configFile);
Settings settings = settingsBuilder().put("shield.n2n.file", configFile.getPath()).build(); assertAddressIsDenied(ipFilteringN2NAuthenticator, "127.0.0.1");
IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService); }
assertThat(ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString("127.0.0.1"), 1024), is(false)); @Test(expected = ElasticsearchParseException.class)
public void testThatInvalidFileThrowsCorrectException() throws Exception {
writeConfigFile("deny: all allow: all \n\n");
IPFilteringN2NAuthenticator.parseFile(configFile.toPath());
}
private void writeConfigFile(String data) throws IOException {
Files.write(data.getBytes(Charsets.UTF_8), configFile);
ipFilteringN2NAuthenticator = new IPFilteringN2NAuthenticator(settings, new Environment(), resourceWatcherService);
}
private void assertAddressIsAllowed(IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator, String ... inetAddresses) {
for (String inetAddress : inetAddresses) {
String message = String.format(Locale.ROOT, "Expected address %s to be allowed", inetAddress);
assertThat(message, ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString(inetAddress), 1024), is(true));
}
}
private void assertAddressIsDenied(IPFilteringN2NAuthenticator ipFilteringN2NAuthenticator, String ... inetAddresses) {
for (String inetAddress : inetAddresses) {
String message = String.format(Locale.ROOT, "Expected address %s to be denied", inetAddress);
assertThat(message, ipFilteringN2NAuthenticator.authenticate(NULL_PRINCIPAL, InetAddresses.forString(inetAddress), 1024), is(false));
}
} }
} }