// test valid User, but invalid ip @Test public void testAuthenticateValidAuthButInvalidIp() throws Exception { UserObjectifyDAOImpl userDAO = new UserObjectifyDAOImpl(); User dbuser = new User(); dbuser.setLogin("bob"); dbuser.setToken("smith"); dbuser.setPermissions(Permission.LIST_ALL_JOBS); ArrayList<String> allowedIps = new ArrayList<String>(); allowedIps.add("192.168.1.2"); dbuser.setAllowedIpAddresses(allowedIps); dbuser = userDAO.insert(dbuser); AuthenticatorImpl auth = new AuthenticatorImpl(); HttpServletRequest request = mock(HttpServletRequest.class); when(request.getRemoteAddr()).thenReturn("192.168.1.1"); when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER)) .thenReturn("Basic " + encodeString("bob:smith")); User u = auth.authenticate(request); assertTrue(u.getLogin() == null); assertTrue(u.getToken() == null); assertTrue(u.getPermissions() == Permission.NONE); assertTrue(u.getIpAddress().equals("192.168.1.1")); verify(request).getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER); }
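// A valid user who lacks RUN_AS_ANOTHER_USER must be refused when the run-as parameter is
// supplied. The fail() directly after authenticate() is essential: without it a regression
// that silently honoured the run-as request (a privilege-escalation path) would still pass
// this test, because the catch block would simply never run.
@Test
public void testAuthenticateValidAuthInHeaderAndUserInDataStoreButNotAuthorizedToRunAsAnotherUser()
        throws Exception {
    UserObjectifyDAOImpl userDAO = new UserObjectifyDAOImpl();
    User dbuser = new User();
    dbuser.setLogin("bob");
    dbuser.setToken("smith");
    // Deliberately without Permission.RUN_AS_ANOTHER_USER.
    dbuser.setPermissions(Permission.LIST_ALL_JOBS);
    dbuser = userDAO.insert(dbuser);

    AuthenticatorImpl auth = new AuthenticatorImpl();
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getRemoteAddr()).thenReturn("192.168.1.1");
    when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER))
        .thenReturn("Basic " + encodeString("bob:smith"));
    when(request.getParameter(Constants.USER_LOGIN_TO_RUN_AS_PARAM)).thenReturn("joe");

    try {
        auth.authenticate(request);
        // fail() raises an AssertionError, which is not an Exception and so is not
        // swallowed by the catch below.
        fail("Expected an exception: bob does not have RUN_AS_ANOTHER_USER permission");
    } catch (Exception ex) {
        assertTrue(ex.getMessage().equals("User does not have permission to run as another user"));
    }
}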
// Happy path: Basic credentials in the Authorization header that match a stored user yield
// that user's identity, permissions and datastore id, plus the request's remote address.
@Test
public void testAuthenticateValidAuthInHeaderAndUserInDataStore() throws Exception {
    UserObjectifyDAOImpl userDAO = new UserObjectifyDAOImpl();
    User stored = new User();
    stored.setLogin("bob");
    stored.setToken("smith");
    stored.setPermissions(Permission.LIST_ALL_JOBS);
    stored = userDAO.insert(stored);

    AuthenticatorImpl auth = new AuthenticatorImpl();
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getRemoteAddr()).thenReturn("192.168.1.1");
    when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER))
        .thenReturn("Basic " + encodeString("bob:smith"));

    User result = auth.authenticate(request);

    assertTrue(result != null);
    assertTrue(result.getLogin().equals("bob"));
    assertTrue(result.getToken().equals("smith"));
    assertTrue(result.getPermissions() == Permission.LIST_ALL_JOBS);
    assertTrue(result.getIpAddress().equals("192.168.1.1"));
    // The returned user must be the persisted record, not a fresh copy of the credentials.
    assertTrue(result.getId() == stored.getId().longValue());
    verify(request).getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER);
}
// A null request is a caller bug and must be rejected up front with an explicit message
// rather than surfacing as a NullPointerException deeper in the authenticator.
@Test
public void testAuthenticateNullRequest() {
    try {
        AuthenticatorImpl auth = new AuthenticatorImpl();
        auth.authenticate(null);
        // Not reached when the authenticator behaves: fail() raises an AssertionError,
        // which the catch below (Exception only) does not swallow.
        fail("Expected Exception cause request is null");
    } catch (Exception ex) {
        assertTrue(ex.getMessage().startsWith("Request is null"));
    }
}
// test Authenticate invalid decode of authString no colon @Test public void testAuthenticateInvalidAuthNoColon() throws Exception { AuthenticatorImpl auth = new AuthenticatorImpl(); HttpServletRequest request = mock(HttpServletRequest.class); when(request.getRemoteAddr()).thenReturn("192.168.1.1"); when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER)) .thenReturn("Basic " + encodeString("ha")); User u = auth.authenticate(request); assertTrue(u != null); assertTrue(u.getPermissions() == Permission.NONE); assertTrue(u.getIpAddress().equals("192.168.1.1")); verify(request).getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER); }
// Pins the loopback-trust rule: a request from the IPv6 loopback address (::1) with Basic
// credentials is granted Permission.ALL even though NO user is inserted into the datastore
// here — the login/token are echoed back, not looked up.
// NOTE(review): that rule is only as strong as getRemoteAddr(); nothing in these tests
// shows proxy headers (e.g. X-Forwarded-For) being consulted, so confirm the deployment
// never presents a remote client with a loopback remote address.
@Test
public void testAuthenticateUserFromLocalipv6ip() throws Exception {
    final String loopbackV6 = "0:0:0:0:0:0:0:1";

    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getRemoteAddr()).thenReturn(loopbackV6);
    when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER))
        .thenReturn("Basic " + encodeString("bob:smith"));

    AuthenticatorImpl auth = new AuthenticatorImpl();
    User result = auth.authenticate(request);

    assertTrue(result != null);
    assertTrue(result.getLogin().equals("bob"));
    assertTrue(result.getToken().equals("smith"));
    assertTrue(result.getPermissions() == Permission.ALL);
    assertTrue(result.getIpAddress().equals(loopbackV6));
    verify(request).getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER);
}
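/**
 * HTTP POST Request Handler.
 *
 * <p>Reads the entire request body as one URL-encoded XML string, passes it to
 * {@code AuthenticatorImpl.authenticate(String)} and writes the URL-encoded XML reply back.
 * Every failure is reported to the client through {@code respondError} with an
 * {@code AuthenticatorCodes} code instead of propagating to the servlet container.
 *
 * <p>NOTE(review): the body is buffered in memory with no size limit, so a client can make
 * this servlet allocate an arbitrarily large string; cap the request size at the container
 * or here if the authenticator's input has a known maximum.
 *
 * @param request HTTP Request
 * @param response HTTP Response
 */
public void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  // Lazily start the CardRangeMonitor on the first request. The flag is static and servlets
  // are invoked concurrently, so the check-and-clear must be atomic: otherwise two
  // simultaneous first requests would both call initCRMonitor(). The initialization itself
  // still runs outside the lock, as before, so later requests are not held up by it.
  boolean firstRequest = false;
  synchronized (AuthenticatorServlet.class) {
    if (waitUntilFirstRequest) {
      AuthenticatorServlet.waitUntilFirstRequest = false;
      firstRequest = true;
    }
  }
  if (firstRequest) {
    logger.debug("First request triggers CardRangeMonitor initialization.");
    initCRMonitor();
  }

  // Explicit transport charset for both directions. This replaces the deprecated
  // single-argument URLDecoder/URLEncoder calls and the platform-default charset that the
  // bare InputStreamReader/OutputStreamWriter constructors would otherwise pick.
  final String charset = "UTF-8";

  BufferedReader requestInputStream = null;
  OutputStreamWriter responseOutputStream = null;
  try {
    requestInputStream =
        new BufferedReader(new InputStreamReader(request.getInputStream(), charset));

    // Lines are joined WITHOUT separators: the payload is URL-encoded, so any newline that
    // belongs to the XML arrives as %0A and only transport line breaks are dropped.
    String line = requestInputStream.readLine();
    if (line == null) {
      // Zero-byte body. This used to surface as a NullPointerException inside URLDecoder and
      // was reported as UNEXPECTED_ERROR; keep the same client-visible code, minus the
      // misleading stack trace.
      this.logger.error("Empty request body.");
      respondError(
          response, AuthenticatorCodes.UNEXPECTED_ERROR, AuthenticatorCodes.UNEXPECTED_ERROR_MSG);
      return;
    }
    StringBuilder rawBody = new StringBuilder();
    while (line != null) {
      rawBody.append(line);
      line = requestInputStream.readLine();
    }
    String reqXmlStr = URLDecoder.decode(rawBody.toString(), charset);

    // Authenticate request
    String resXmlStr = AuthenticatorImpl.authenticate(reqXmlStr);
    // NOTE(review): the full authenticator reply is logged at debug level; confirm it never
    // carries card data or other secrets before enabling debug logging in production.
    this.logger.debug("Response message received from Authenticator: " + resXmlStr);

    // The output stream is only taken after authenticate() succeeds, so respondError() in
    // the catch blocks below still has an untouched response to write to.
    responseOutputStream = new OutputStreamWriter(response.getOutputStream(), charset);
    responseOutputStream.write(URLEncoder.encode(resXmlStr, charset));
    responseOutputStream.flush();
  } catch (IOException ioe) {
    this.logger.error("Fail to read/write object from/to InputStream/OutputStream.", ioe);
    respondError(response, AuthenticatorCodes.IO_ERROR, AuthenticatorCodes.IO_ERROR_MSG);
  } catch (Exception e) {
    // Boundary catch: nothing below this servlet should leak a stack trace to the client.
    this.logger.error("Unexpected exception caught.", e);
    respondError(
        response, AuthenticatorCodes.UNEXPECTED_ERROR, AuthenticatorCodes.UNEXPECTED_ERROR_MSG);
  } finally {
    // Clean-up (also runs on the early return for an empty body).
    try {
      if (requestInputStream != null) requestInputStream.close();
      if (responseOutputStream != null) responseOutputStream.close();
    } catch (Exception e) {
      this.logger.error("Fail to close IO stream.", e);
    }
  }
}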
// test Authenticate null getHeader and no such user @Test public void testAuthenticateWithNullHeaderAndNoQueryParametersAndNullIp() throws Exception { AuthenticatorImpl auth = new AuthenticatorImpl(); HttpServletRequest request = mock(HttpServletRequest.class); when(request.getParameter(AuthenticatorImpl.AUTHORIZATION_HEADER)).thenReturn(null); when(request.getParameter(Constants.USER_LOGIN_PARAM)).thenReturn(null); when(request.getParameter(Constants.USER_TOKEN_PARAM)).thenReturn(null); when(request.getParameter(Constants.USER_LOGIN_TO_RUN_AS_PARAM)).thenReturn(null); User u = auth.authenticate(request); assertTrue(u != null); assertTrue(u.getPermissions() == Permission.NONE); assertTrue(u.getIpAddress() == null); verify(request).getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER); verify(request).getParameter(Constants.USER_LOGIN_PARAM); verify(request).getParameter(Constants.USER_TOKEN_PARAM); verify(request).getParameter(Constants.USER_LOGIN_TO_RUN_AS_PARAM); }
// A user holding RUN_AS_ANOTHER_USER may name another login via the run-as parameter; the
// authenticated identity stays "bob" while getLoginToRunJobAs() carries the target.
// NOTE(review): "joe" is never inserted into the datastore, so this test does not require
// the run-as target to exist, and nothing here pins the effective permissions of the
// result — consider asserting them so a future change cannot silently widen them.
@Test
public void testAuthenticateValidAuthInHeaderAndUserInDataStoreWithRunAsPerm() throws Exception {
    UserObjectifyDAOImpl userDAO = new UserObjectifyDAOImpl();
    User stored = new User();
    stored.setLogin("bob");
    stored.setToken("smith");
    stored.setPermissions(Permission.LIST_ALL_JOBS | Permission.RUN_AS_ANOTHER_USER);
    stored = userDAO.insert(stored);

    AuthenticatorImpl auth = new AuthenticatorImpl();
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getRemoteAddr()).thenReturn("192.168.1.1");
    when(request.getHeader(AuthenticatorImpl.AUTHORIZATION_HEADER))
        .thenReturn("Basic " + encodeString("bob:smith"));
    when(request.getParameter(Constants.USER_LOGIN_TO_RUN_AS_PARAM)).thenReturn("joe");

    User result = auth.authenticate(request);

    assertTrue(result.getLogin().equals("bob"));
    assertTrue(result.getLoginToRunJobAs().equals("joe"));
}