ISPN-9599 DefaultCacheManager.getGlobalComponentRegistry
should require ADMIN permission
1 parent
3be911e
commit 877b619
Showing
3 changed files
with
128 additions
and
78 deletions.
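--- a/core/src/test/java/org/infinispan/security/BaseAuthorizationTest.java
+++ b/core/src/test/java/org/infinispan/security/BaseAuthorizationTest.java
@@ -0,0 +1,85 @@
+package org.infinispan.security;
+
+import java.security.PrivilegedAction;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.infinispan.configuration.cache.AuthorizationConfigurationBuilder;
+import org.infinispan.configuration.cache.ConfigurationBuilder;
+import org.infinispan.configuration.global.GlobalAuthorizationConfigurationBuilder;
+import org.infinispan.configuration.global.GlobalConfigurationBuilder;
+import org.infinispan.manager.EmbeddedCacheManager;
+import org.infinispan.security.impl.IdentityRoleMapper;
+import org.infinispan.test.SingleCacheManagerTest;
+import org.infinispan.test.TestingUtil;
+import org.infinispan.test.fwk.TestCacheManagerFactory;
+import org.infinispan.transaction.LockingMode;
+import org.infinispan.util.logging.Log;
+import org.infinispan.util.logging.LogFactory;
+
+public abstract class BaseAuthorizationTest extends SingleCacheManagerTest {
+
+static final Log log = LogFactory.getLog(CacheAuthorizationTest.class);
+static final Subject ADMIN;
+static final Map<AuthorizationPermission, Subject> SUBJECTS;
+
+static {
+// Initialize one subject per permission
+SUBJECTS = new HashMap<>(AuthorizationPermission.values().length);
+for (AuthorizationPermission perm : AuthorizationPermission.values()) {
+SUBJECTS.put(perm, TestingUtil.makeSubject(perm.toString() + "_user", perm.toString()));
+}
+ADMIN = SUBJECTS.get(AuthorizationPermission.ALL);
+}
+
+@Override
+protected EmbeddedCacheManager createCacheManager() throws Exception {
+final GlobalConfigurationBuilder global = new GlobalConfigurationBuilder();
+GlobalAuthorizationConfigurationBuilder globalRoles = global.security().authorization().enable()
+.principalRoleMapper(new IdentityRoleMapper());
+final ConfigurationBuilder config = TestCacheManagerFactory.getDefaultCacheConfiguration(true);
+config.transaction().lockingMode(LockingMode.PESSIMISTIC);
+config.invocationBatching().enable();
+AuthorizationConfigurationBuilder authConfig = config.security().authorization().enable();
+
+for (AuthorizationPermission perm : AuthorizationPermission.values()) {
+globalRoles.role(perm.toString()).permission(perm);
+authConfig.role(perm.toString());
+}
+return Security.doAs(ADMIN, new PrivilegedAction<EmbeddedCacheManager>() {
+@Override
+public EmbeddedCacheManager run() {
+return TestCacheManagerFactory.createCacheManager(global, config);
+}
+});
+}
+
+@Override
+protected void setup() throws Exception {
+cacheManager = createCacheManager();
+}
+
+@Override
+protected void teardown() {
+Security.doAs(ADMIN, new PrivilegedAction<Void>() {
+@Override
+public Void run() {
+BaseAuthorizationTest.super.teardown();
+return null;
+}
+});
+}
+
+@Override
+protected void clearContent() {
+Security.doAs(ADMIN, new PrivilegedAction<Void>() {
+@Override
+public Void run() {
+cacheManager.getCache().clear();
+return null;
+}
+});
+}
+}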
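Review bot: The logger on the `static final Log log` line is obtained for `CacheAuthorizationTest.class` although the field lives in `BaseAuthorizationTest`, so anything logged through it from this base class or a subclass reusing the package-private field is filed under the wrong category; `static final Log log = LogFactory.getLog(BaseAuthorizationTest.class);` fixes that, and since nothing in the hunk uses `log` it may simply be a leftover from the class this fixture was extracted from. The class also has no Javadoc describing the fixture; one sentence such as `/** Base fixture for authorization tests: one role and one subject per {@link AuthorizationPermission}, {@link #ADMIN} is the ALL subject, and cache-manager creation, teardown and clearContent all run under it. */` would spare readers reconstructing this from the static block and the three doAs wrappers. `setup()` narrows the superclass lifecycle to only `cacheManager = createCacheManager();`; if SingleCacheManagerTest.setup() normally performs further steps, that omission is deliberate but invisible and deserves a short comment saying why.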
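--- a/core/src/test/java/org/infinispan/security/CacheManagerAuthorizationTest.java
+++ b/core/src/test/java/org/infinispan/security/CacheManagerAuthorizationTest.java
@@ -0,0 +1,42 @@
+package org.infinispan.security;
+
+import static org.testng.Assert.assertTrue;
+
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+import org.infinispan.test.Exceptions;
+import org.testng.annotations.Test;
+
+@Test(groups = {"functional", "smoke"}, testName = "security.CacheManagerAuthorizationTest")
+public class CacheManagerAuthorizationTest extends BaseAuthorizationTest {
+
+public void testAdminCombinations() throws Exception {
+List<Runnable> calls = Arrays.asList(
+() -> cacheManager.getGlobalComponentRegistry(),
+() -> cacheManager.getCacheManagerConfiguration());
+
+for (final AuthorizationPermission perm : AuthorizationPermission.values()) {
+for (Runnable fn : calls) {
+
+PrivilegedExceptionAction<Boolean> action = () -> {
+fn.run();
+return true;
+};
+
+// only admin must work
+Subject subject = SUBJECTS.get(perm);
+if (perm.implies(AuthorizationPermission.ADMIN)) {
+assertTrue(Security.doAs(subject, action));
+} else {
+Exceptions.expectException(PrivilegedActionException.class, SecurityException.class,
+() -> Security.doAs(subject, action));
+}
+}
+}
+}
+}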
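Review bot: The loop only exercises callers that run under one of the SUBJECTS, so the path most likely to be reached by accident — calling `getGlobalComponentRegistry()` or `getCacheManagerConfiguration()` with no `Security.doAs` at all — is never asserted, and a regression that lets a subject-less caller through would not be caught by this test. If the intended contract is that a missing subject is rejected like an under-privileged one, add a case outside the permission loop, e.g. `for (Runnable fn : calls) { Exceptions.expectException(SecurityException.class, fn::run); }`, adjusting the expected type if the unwrapped call surfaces the failure differently. The `// only admin must work` comment understates what the branch checks, since it is driven by `perm.implies(ADMIN)` rather than equality; `// ADMIN, and ALL which implies it, must succeed; every other permission must be rejected` matches the code.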