From b7a6691c8a21d801750dc2ae807017d52be7946b Mon Sep 17 00:00:00 2001 From: Susheel Kumar Date: Thu, 20 Oct 2016 21:49:10 -0400 Subject: [PATCH 1/2] Added tests for update & query request --- .../security/BasicAuthIntegrationTest.java | 178 +++++++++++++++--- 1 file changed, 156 insertions(+), 22 deletions(-) diff --git a/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java b/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java index 6967b279d440..67ea9368828d 100644 --- a/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java +++ b/solr/core/src/test/org/apache/solr/security/BasicAuthIntegrationTest.java @@ -31,6 +31,7 @@ import java.util.function.Predicate; import org.apache.http.HttpResponse; +import org.apache.http.client.ClientProtocolException; import org.apache.http.client.HttpClient; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPost; @@ -38,13 +39,16 @@ import org.apache.http.message.AbstractHttpMessage; import org.apache.http.message.BasicHeader; import org.apache.http.util.EntityUtils; +import org.apache.solr.client.solrj.SolrQuery; import org.apache.solr.client.solrj.SolrRequest; import org.apache.solr.client.solrj.embedded.JettySolrRunner; import org.apache.solr.client.solrj.impl.HttpClientUtil; import org.apache.solr.client.solrj.impl.HttpSolrClient; import org.apache.solr.client.solrj.request.CollectionAdminRequest; import org.apache.solr.client.solrj.request.GenericSolrRequest; +import org.apache.solr.client.solrj.request.QueryRequest; import org.apache.solr.client.solrj.request.UpdateRequest; +import org.apache.solr.client.solrj.response.QueryResponse; import org.apache.solr.cloud.SolrCloudTestCase; import org.apache.solr.common.SolrInputDocument; import org.apache.solr.common.cloud.DocCollection; 
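Review bot: The added `import org.apache.solr.client.solrj.response.QueryResponse;` is referenced only from commented-out lines in the new tests (`// QueryResponse response = req.process(cluster.getSolrClient(), COLLECTION);`), so it is unused as committed. Drop the import or restore the code that uses it; an unused import may also trip the project's lint checks.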
@@ -81,8 +85,125 @@ public static void setupCluster() throws Exception { } @Test + public void testBasicAuthForQueryRequest() throws Exception + { + String authcPrefix = "/admin/authentication"; + + NamedList rsp; + HttpClient cl = null; + try { + + cl = HttpClientUtil.createClient(null); + JettySolrRunner randomJetty = cluster.getRandomJetty(random()); + String baseUrl = randomJetty.getBaseUrl().toString(); + verifySecurityStatus(cl, baseUrl + authcPrefix, "/errorMessages", null, 20); + zkClient().setData("/security.json", STD_CONF.replaceAll("'", "\"").getBytes(UTF_8), true); + // verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 20); + SolrQuery query = new SolrQuery("kumar"); + query.add("routingRule","ip_4:192"); + query.add("routingRule","ip_3:168"); + query.add("routingRule","cores:>2"); + + SolrRequest req = new QueryRequest(query); + String userName = "solruser"; + String password = "Salt256"; + // req.setBasicAuthCredentials(userName, password); + + + req.setBasicAuthCredentials(userName, password); + // QueryResponse response = req.process(cluster.getSolrClient(), COLLECTION); + HttpSolrClient.RemoteSolrException exp = expectThrows(HttpSolrClient.RemoteSolrException.class, () -> { + req.process(cluster.getSolrClient(), COLLECTION); + }); + assertEquals(401, exp.code()); + } + finally { + if (cl != null) { + HttpClientUtil.close(cl); + } + } + + } + + @Test + public void testBasicAuthForDeleteRequest() throws Exception + { + String authcPrefix = "/admin/authentication"; + + NamedList rsp; + HttpClient cl = null; + try { + + cl = HttpClientUtil.createClient(null); + JettySolrRunner randomJetty = cluster.getRandomJetty(random()); + String baseUrl = randomJetty.getBaseUrl().toString(); + verifySecurityStatus(cl, baseUrl + authcPrefix, "/errorMessages", null, 20); + zkClient().setData("/security.json", STD_CONF.replaceAll("'", "\"").getBytes(UTF_8), true); + // verifySecurityStatus(cl, baseUrl + authcPrefix, 
"authentication/class", "solr.BasicAuthPlugin", 20); + String id="1"; + SolrInputDocument doc = new SolrInputDocument(); + doc.addField("id",id); + UpdateRequest update = new UpdateRequest(); + update.setBasicAuthCredentials("harry1","HarryIsUberCool1"); + update.deleteById(id); + update.setCommitWithin(-1); + + + // QueryResponse response = req.process(cluster.getSolrClient(), COLLECTION); + HttpSolrClient.RemoteSolrException exp = expectThrows(HttpSolrClient.RemoteSolrException.class, () -> { + update.process(cluster.getSolrClient(), COLLECTION); + }); + assertEquals(401, exp.code()); + } + finally { + if (cl != null) { + HttpClientUtil.close(cl); + } + } + + } + + + @Test + public void testBasicAuthForUpdateRequest() throws Exception + { + String authcPrefix = "/admin/authentication"; + + NamedList rsp; + HttpClient cl = null; + try { + + cl = HttpClientUtil.createClient(null); + JettySolrRunner randomJetty = cluster.getRandomJetty(random()); + String baseUrl = randomJetty.getBaseUrl().toString(); + verifySecurityStatus(cl, baseUrl + authcPrefix, "/errorMessages", null, 20); + zkClient().setData("/security.json", STD_CONF.replaceAll("'", "\"").getBytes(UTF_8), true); + // verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 20); + SolrInputDocument doc = new SolrInputDocument(); + doc.addField("id","1"); + UpdateRequest update = new UpdateRequest(); + update.setBasicAuthCredentials("harry1","HarryIsUberCool1"); + update.add(doc); + update.setCommitWithin(-1); + + + // QueryResponse response = req.process(cluster.getSolrClient(), COLLECTION); + HttpSolrClient.RemoteSolrException exp = expectThrows(HttpSolrClient.RemoteSolrException.class, () -> { + update.process(cluster.getSolrClient(), COLLECTION); + }); + assertEquals(401, exp.code()); + } + finally { + if (cl != null) { + HttpClientUtil.close(cl); + } + } + + } + + public void testBasicAuth() throws Exception { - + String authcPrefix = "/admin/authentication"; String 
authzPrefix = "/admin/authorization"; @@ -118,17 +239,12 @@ public void testBasicAuth() throws Exception { "'set-user': {'harry':'HarryIsUberCool'}\n" + "}"; - HttpPost httpPost = new HttpPost(baseUrl + authcPrefix); - setBasicAuthHeader(httpPost, "solr", "SolrRocks"); - httpPost.setEntity(new ByteArrayEntity(command.getBytes(UTF_8))); - httpPost.addHeader("Content-Type", "application/json; charset=UTF-8"); - verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication.enabled", "true", 20); - HttpResponse r = cl.execute(httpPost); - int statusCode = r.getStatusLine().getStatusCode(); - Utils.consumeFully(r.getEntity()); - assertEquals("proper_cred sent, but access denied", 200, statusCode); - - baseUrl = cluster.getRandomJetty(random()).getBaseUrl().toString(); + //positive test + executeCommand(baseUrl + authcPrefix, cl, command, "solr", "SolrRocks","proper_cred sent, but access denied", 200); + + //negative test + executeCommand(baseUrl + authcPrefix, cl, command, "solr", "IRock","wrong_cred sent, and access should be denied", 401); + // baseUrl = cluster.getRandomJetty(random()).getBaseUrl().toString(); verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/credentials/harry", NOT_NULL_PREDICATE, 20); command = "{\n" + 
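Review bot: The 401 assertions in `testBasicAuthForQueryRequest`, `testBasicAuthForDeleteRequest` and `testBasicAuthForUpdateRequest` race with the security configuration: each test writes `/security.json` and sends its request straight away, while the wait `verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 20);` is commented out. Until the node has loaded the plugin the request is presumably not challenged, so `expectThrows` can fail intermittently; re-enable that wait in all three methods. The later `testBasicAuth` hunk drops its `authentication.enabled` wait just before the new 401 check and has the same problem. The three methods also rewrite the same `/security.json` on a shared cluster while each begins by expecting `/errorMessages` to be null, which looks order-dependent, and the `@Test` that used to sit on `testBasicAuth` now annotates the first new method, leaving `testBasicAuth` unannotated.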
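Review bot: Commenting out `baseUrl = cluster.getRandomJetty(random()).getBaseUrl().toString();` means the following `authentication/credentials/harry` check runs against the node that received the `set-user` command rather than a freshly picked one, so propagation of the new credential to other nodes is no longer exercised here. Restore the line, or delete it and add a comment saying why the same node is intended; a commented-out statement leaves the intent unclear. The negative case re-sends the same `set-user` payload that the positive case has already applied, so it cannot show that a rejected request changed nothing; a payload naming a different user, followed by a check that the user is absent, would cover that. `testBasicAuth` starts and ends outside this hunk.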
@@ -181,18 +297,22 @@ public void testBasicAuth() throws Exception { executeCommand(baseUrl + authzPrefix, cl,"{set-permission : { name : update , role : admin}}", "harry", "HarryIsUberCool"); + executeCommand(baseUrl + authcPrefix, cl, "{set-property : { blockUnknown: true}}", "harry", "HarryIsUberCool"); + verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/blockUnknown", "true", 20, "harry", "HarryIsUberCool"); + verifySecurityStatus(cl, baseUrl + PKIAuthenticationPlugin.PATH + "?wt=json", "key", NOT_NULL_PREDICATE, 20); + + cluster.getZkServer().getZkAddress(); + SolrInputDocument doc = new SolrInputDocument(); - doc.setField("id","4"); + doc.addField("id","1"); UpdateRequest update = new UpdateRequest(); - update.setBasicAuthCredentials("harry","HarryIsUberCool"); + update.setBasicAuthCredentials("harry1","HarryIsUberCool1"); update.add(doc); - update.setCommitWithin(100); - cluster.getSolrClient().request(update, COLLECTION); + update.setCommitWithin(-1); + update.process(cluster.getSolrClient(), COLLECTION); + - - executeCommand(baseUrl + authcPrefix, cl, "{set-property : { blockUnknown: true}}", "harry", "HarryIsUberCool"); - verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/blockUnknown", "true", 20, "harry", "HarryIsUberCool"); - verifySecurityStatus(cl, baseUrl + PKIAuthenticationPlugin.PATH + "?wt=json", "key", NOT_NULL_PREDICATE, 20); + String[] toolArgs = new String[]{ "status", "-solr", baseUrl}; 
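Review bot: The update in this hunk now sends `harry1`/`HarryIsUberCool1`, which as far as the visible lines show do not match the `harry` user created earlier in `testBasicAuth`, and it does so after `blockUnknown: true` has been set, with a bare `update.process(cluster.getSolrClient(), COLLECTION);` and no assertion on the outcome. If the request is rejected the test dies on an uncaught exception, and if it is accepted the test passes while unregistered credentials wrote a document; either way the previous positive check, `harry` updating under the `update`/`admin` permission, is gone. Keep the original authenticated update, and if a rejection is what is intended wrap the new call in `expectThrows(HttpSolrClient.RemoteSolrException.class, ...)` and assert the status code as the new tests do. `cluster.getZkServer().getZkAddress();` discards its result and can be removed. The method body extends beyond the hunk.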
@@ -219,8 +339,23 @@ public void testBasicAuth() throws Exception { } } + private void executeCommand(String url, HttpClient cl, String payload, String user, String pwd, + String message, long expected) throws ClientProtocolException, IOException { + HttpResponse r = httpPost(url, cl, payload, user, pwd); + assertEquals(message, expected, r.getStatusLine().getStatusCode()); + Utils.consumeFully(r.getEntity()); + } + + public static void executeCommand(String url, HttpClient cl, String payload, String user, String pwd) throws IOException { + HttpResponse r = httpPost(url, cl, payload, user, pwd); + assertEquals(200, r.getStatusLine().getStatusCode()); + Utils.consumeFully(r.getEntity()); + } + + private static HttpResponse httpPost(String url, HttpClient cl, String payload, String user, String pwd) + throws IOException, ClientProtocolException { HttpPost httpPost; HttpResponse r; httpPost = new HttpPost(url); @@ -228,8 +363,7 @@ public static void executeCommand(String url, HttpClient cl, String payload, Str httpPost.setEntity(new ByteArrayEntity(payload.getBytes(UTF_8))); httpPost.addHeader("Content-Type", "application/json; charset=UTF-8"); r = cl.execute(httpPost); - assertEquals(200, r.getStatusLine().getStatusCode()); - Utils.consumeFully(r.getEntity()); + return r; } public static void verifySecurityStatus(HttpClient cl, String url, String objPath, From bf12f708630a60a7aef413ff41b9f0ab0d9c047d Mon Sep 17 00:00:00 2001 From: Susheel Kumar Date: Thu, 20 Oct 2016 22:13:09 -0400 Subject: [PATCH 2/2] set auth for delete request --- .../java/org/apache/solr/client/solrj/request/UpdateRequest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/request/UpdateRequest.java b/solr/solrj/src/java/org/apache/solr/client/solrj/request/UpdateRequest.java index aec6e22e41a8..b1aa70f871aa 100644 --- a/solr/solrj/src/java/org/apache/solr/client/solrj/request/UpdateRequest.java 
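Review bot: In the new `executeCommand(..., String message, long expected)` overload the assertion runs before `Utils.consumeFully(r.getEntity())`, so a status mismatch leaves the response entity unread and the connection held by the shared `HttpClient`; the code this replaces in `testBasicAuth` read the status, consumed the entity and only then asserted. Reorder to `int status = r.getStatusLine().getStatusCode(); Utils.consumeFully(r.getEntity()); assertEquals(message, expected, status);` and do the same in the static overload. `expected` could be an `int` to match `getStatusCode()`, and the new overload could be `static` like its sibling since it uses no instance state.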
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/request/UpdateRequest.java
@@ -321,6 +321,7 @@ public Map getRoutes(DocRouter router,
 urequest.setParams(params);
 urequest.deleteById(deleteId, version);
 urequest.setCommitWithin(getCommitWithin());
+ urequest.setBasicAuthCredentials(getBasicAuthUser(), getBasicAuthPassword());
 request = new LBHttpSolrClient.Req(urequest, urls);
 routes.put(leaderUrl, request);
 }
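Review bot: Nothing in this series would fail if the added `urequest.setBasicAuthCredentials(getBasicAuthUser(), getBasicAuthPassword());` were removed: the delete test in patch 1 sends credentials and asserts a 401, which a routed delete with no credentials forwarded would presumably produce as well. A test that configures a user allowed to update, sends a `deleteById` through the routed path and asserts success would pin the fix. The line also deserves a comment such as `// copy the parent request's basic-auth credentials; the per-route sub-request does not inherit them`. `getRoutes` starts and ends outside the hunk, so whether the other sub-requests it builds copy the credentials in the same way cannot be confirmed from here.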