[Kerberos] Move tests based on SimpleKdc to evil-tests (#33492)

We have a test dependency on Apache Mina when using SimpleKdcServer
for testing Kerberos. When checking for LDAP backend connectivity,
the code checks for deadlocks which require additional security
permissions accessClassInPackage.sun.reflect. As this is only for
test and we do not want to add security permissions to production,
this commit moves these tests and related classes to
x-pack evil-tests where they can run with security manager disabled.
The plan is to handle the security manager exception in the upstream issue
DIRMINA-1093
and then once the release is available to run these tests with security
manager enabled.

Closes #32739
This commit is contained in:
Yogesh Gaikwad 2018-09-14 10:07:19 +10:00 committed by GitHub
parent 3914a980f7
commit d3e27ff2f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 65 additions and 61 deletions

View File

@ -102,8 +102,8 @@ public class KerberosRealmCacheTests extends KerberosRealmTestCase {
public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDisabled() public void testAuthenticateWithValidTicketSucessAuthnWithUserDetailsWhenCacheDisabled()
throws LoginException, GSSException, IOException { throws LoginException, GSSException, IOException {
// if cache.ttl <= 0 then the cache is disabled // if cache.ttl <= 0 then the cache is disabled
settings = KerberosTestCase.buildKerberosRealmSettings( settings = buildKerberosRealmSettings(
KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true, writeKeyTab(dir.resolve("key.keytab"), randomAlphaOfLength(4)).toString(), 100, "0m", true,
randomBoolean()); randomBoolean());
final String username = randomPrincipalName(); final String username = randomPrincipalName();
final String outToken = randomAlphaOfLength(10); final String outToken = randomAlphaOfLength(10);

View File

@ -27,12 +27,12 @@ public class KerberosRealmSettingsTests extends ESTestCase {
configDir = Files.createDirectory(configDir); configDir = Files.createDirectory(configDir);
} }
final String keytabPathConfig = "config" + dir.getFileSystem().getSeparator() + "http.keytab"; final String keytabPathConfig = "config" + dir.getFileSystem().getSeparator() + "http.keytab";
KerberosTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null); KerberosRealmTestCase.writeKeyTab(dir.resolve(keytabPathConfig), null);
final Integer maxUsers = randomInt(); final Integer maxUsers = randomInt();
final String cacheTTL = randomLongBetween(10L, 100L) + "m"; final String cacheTTL = randomLongBetween(10L, 100L) + "m";
final boolean enableDebugLogs = randomBoolean(); final boolean enableDebugLogs = randomBoolean();
final boolean removeRealmName = randomBoolean(); final boolean removeRealmName = randomBoolean();
final Settings settings = KerberosTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs, final Settings settings = KerberosRealmTestCase.buildKerberosRealmSettings(keytabPathConfig, maxUsers, cacheTTL, enableDebugLogs,
removeRealmName); removeRealmName);
assertThat(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings), equalTo(keytabPathConfig)); assertThat(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings), equalTo(keytabPathConfig));

View File

@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authc.kerberos;
import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.Client; import org.elasticsearch.client.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple; import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
@ -30,6 +31,10 @@ import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import java.io.BufferedWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
@ -71,7 +76,7 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool); resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
dir = createTempDir(); dir = createTempDir();
globalSettings = Settings.builder().put("path.home", dir).build(); globalSettings = Settings.builder().put("path.home", dir).build();
settings = KerberosTestCase.buildKerberosRealmSettings(KerberosTestCase.writeKeyTab(dir.resolve("key.keytab"), "asa").toString(), settings = buildKerberosRealmSettings(writeKeyTab(dir.resolve("key.keytab"), "asa").toString(),
100, "10m", true, randomBoolean()); 100, "10m", true, randomBoolean());
licenseState = mock(XPackLicenseState.class); licenseState = mock(XPackLicenseState.class);
when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true); when(licenseState.isAuthorizationRealmAllowed()).thenReturn(true);
@ -177,4 +182,49 @@ public abstract class KerberosRealmTestCase extends ESTestCase {
} }
return principalName; return principalName;
} }
/**
* Write content to provided keytab file.
*
* @param keytabPath {@link Path} to keytab file.
* @param content Content for keytab
* @return key tab path
* @throws IOException if I/O error occurs while writing keytab file
*/
public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
}
return keytabPath;
}
/**
* Build kerberos realm settings with default config and given keytab
*
* @param keytabPath key tab file path
* @return {@link Settings} for kerberos realm
*/
public static Settings buildKerberosRealmSettings(final String keytabPath) {
return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
}
/**
* Build kerberos realm settings
*
* @param keytabPath key tab file path
* @param maxUsersInCache max users to be maintained in cache
* @param cacheTTL time to live for cached entries
* @param enableDebugging for krb5 logs
* @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
* @return {@link Settings} for kerberos realm
*/
public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
final boolean enableDebugging, final boolean removeRealmName) {
final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
.put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
.put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
.put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
.put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
return builder.build();
}
} }

View File

@ -155,7 +155,7 @@ public class KerberosRealmTests extends KerberosRealmTestCase {
} }
private void assertKerberosRealmConstructorFails(final String keytabPath, final String expectedErrorMessage) { private void assertKerberosRealmConstructorFails(final String keytabPath, final String expectedErrorMessage) {
settings = KerberosTestCase.buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean()); settings = buildKerberosRealmSettings(keytabPath, 100, "10m", true, randomBoolean());
config = new RealmConfig("test-kerb-realm", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings), config = new RealmConfig("test-kerb-realm", settings, globalSettings, TestEnvironment.newEnvironment(globalSettings),
new ThreadContext(globalSettings)); new ThreadContext(globalSettings));
mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user")); mockNativeRoleMappingStore = roleMappingStore(Arrays.asList("user"));

View File

@ -1,9 +1,11 @@
apply plugin: 'elasticsearch.standalone-test' apply plugin: 'elasticsearch.standalone-test'
dependencies { dependencies {
testCompile "org.elasticsearch.plugin:x-pack-core:${version}" testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
} }
test { test {
systemProperty 'tests.security.manager', 'false' systemProperty 'tests.security.manager', 'false'
include '**/*Tests.class'
} }

View File

@ -9,20 +9,15 @@ package org.elasticsearch.xpack.security.authc.kerberos;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper; import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.Randomness; import org.elasticsearch.common.Randomness;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
import org.junit.After; import org.junit.After;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import java.io.BufferedWriter;
import java.io.IOException; import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.AccessController; import java.security.AccessController;
import java.security.PrivilegedActionException; import java.security.PrivilegedActionException;
@ -130,12 +125,14 @@ public abstract class KerberosTestCase extends ESTestCase {
throw ExceptionsHelper.convertToRuntime(e); throw ExceptionsHelper.convertToRuntime(e);
} }
}); });
settings = buildKerberosRealmSettings(ktabPathForService.toString()); settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPathForService.toString());
} }
@After @After
public void tearDownMiniKdc() throws IOException, PrivilegedActionException { public void tearDownMiniKdc() throws IOException, PrivilegedActionException {
simpleKdcLdapServer.stop(); if (simpleKdcLdapServer != null) {
simpleKdcLdapServer.stop();
}
} }
/** /**
@ -186,49 +183,4 @@ public abstract class KerberosTestCase extends ESTestCase {
return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> Subject.doAs(subject, action)); return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> Subject.doAs(subject, action));
} }
/**
* Write content to provided keytab file.
*
* @param keytabPath {@link Path} to keytab file.
* @param content Content for keytab
* @return key tab path
* @throws IOException if I/O error occurs while writing keytab file
*/
public static Path writeKeyTab(final Path keytabPath, final String content) throws IOException {
try (BufferedWriter bufferedWriter = Files.newBufferedWriter(keytabPath, StandardCharsets.US_ASCII)) {
bufferedWriter.write(Strings.isNullOrEmpty(content) ? "test-content" : content);
}
return keytabPath;
}
/**
* Build kerberos realm settings with default config and given keytab
*
* @param keytabPath key tab file path
* @return {@link Settings} for kerberos realm
*/
public static Settings buildKerberosRealmSettings(final String keytabPath) {
return buildKerberosRealmSettings(keytabPath, 100, "10m", true, false);
}
/**
* Build kerberos realm settings
*
* @param keytabPath key tab file path
* @param maxUsersInCache max users to be maintained in cache
* @param cacheTTL time to live for cached entries
* @param enableDebugging for krb5 logs
* @param removeRealmName {@code true} if we want to remove realm name from the username of form 'user@REALM'
* @return {@link Settings} for kerberos realm
*/
public static Settings buildKerberosRealmSettings(final String keytabPath, final int maxUsersInCache, final String cacheTTL,
final boolean enableDebugging, final boolean removeRealmName) {
final Settings.Builder builder = Settings.builder().put(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.getKey(), keytabPath)
.put(KerberosRealmSettings.CACHE_MAX_USERS_SETTING.getKey(), maxUsersInCache)
.put(KerberosRealmSettings.CACHE_TTL_SETTING.getKey(), cacheTTL)
.put(KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.getKey(), enableDebugging)
.put(KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.getKey(), removeRealmName);
return builder.build();
}
} }

View File

@ -86,8 +86,8 @@ public class KerberosTicketValidatorTests extends KerberosTestCase {
final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader(); final String base64KerbToken = spnegoClient.getBase64EncodedTokenForSpnegoHeader();
assertThat(base64KerbToken, is(notNullValue())); assertThat(base64KerbToken, is(notNullValue()));
final Path ktabPath = writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab"); final Path ktabPath = KerberosRealmTestCase.writeKeyTab(workDir.resolve("invalid.keytab"), "not - a - valid - key - tab");
settings = buildKerberosRealmSettings(ktabPath.toString()); settings = KerberosRealmTestCase.buildKerberosRealmSettings(ktabPath.toString());
final Environment env = TestEnvironment.newEnvironment(globalSettings); final Environment env = TestEnvironment.newEnvironment(globalSettings);
final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings)); final Path keytabPath = env.configFile().resolve(KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(settings));
final PlainActionFuture<Tuple<String, String>> future = new PlainActionFuture<>(); final PlainActionFuture<Tuple<String, String>> future = new PlainActionFuture<>();