ISPN-4502 KrbLdapAuthenticationIT fails on all environments

integrationtests/security-it/pom.xml

@@ -50,6 +50,17 @@
              </exclusion>
          </exclusions>
       </dependency>
+      <dependency>
+         <groupId>org.wildfly.core</groupId>
+         <artifactId>wildfly-core-testsuite-shared</artifactId>
+         <scope>test</scope>
+      </dependency>
+      <dependency>
+         <groupId>org.jboss.security</groupId>
+         <artifactId>jboss-negotiation-extras</artifactId>
+         <scope>test</scope>
+      </dependency>
+
    </dependencies>
 
    <build>
@@ -73,7 +84,7 @@
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-failsafe-plugin</artifactId>
             <configuration>
-               
+
                <testNGArtifactName>none:none</testNGArtifactName>
                <forkCount>1</forkCount>
                <reuseForks>false</reuseForks>
@@ -143,63 +154,6 @@
                </execution>
             </executions>
          </plugin>
-
-         <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-resources-plugin</artifactId>
-            <executions>
-
-               <execution>
-                  <id>configure-as-testnode</id>
-                  <phase>pre-integration-test</phase>
-                  <goals>
-                     <goal>copy-resources</goal>
-                  </goals>
-                  <configuration>
-                     <outputDirectory>${project.build.directory}/testnode/wildfly-${version.wildfly}</outputDirectory>
-                     <overwrite>true</overwrite>
-                     <resources>
-                        <resource>
-                           <directory>${project.build.directory}/test-classes/as-config</directory>
-                        </resource>
-                     </resources>
-                  </configuration>
-               </execution>
-               <execution>
-                  <id>configure-as-node0</id>
-                  <phase>pre-integration-test</phase>
-                  <goals>
-                     <goal>copy-resources</goal>
-                  </goals>
-                  <configuration>
-                     <outputDirectory>${project.build.directory}/node0/wildfly-${version.wildfly}</outputDirectory>
-                     <overwrite>true</overwrite>
-                     <resources>
-                        <resource>
-                           <directory>${project.build.directory}/test-classes/as-config</directory>
-                        </resource>
-                     </resources>
-                  </configuration>
-               </execution>
-               <execution>
-                  <id>configure-as-node1</id>
-                  <phase>pre-integration-test</phase>
-                  <goals>
-                     <goal>copy-resources</goal>
-                  </goals>
-                  <configuration>
-                     <outputDirectory>${project.build.directory}/node1/wildfly-${version.wildfly}</outputDirectory>
-                     <overwrite>true</overwrite>
-                     <resources>
-                        <resource>
-                           <directory>${project.build.directory}/test-classes/as-config</directory>
-                        </resource>
-                     </resources>
-                  </configuration>
-               </execution>
-            </executions>
-         </plugin>
-
       </plugins>
    </build>
 

integrationtests/security-it/src/test/java/org/infinispan/test/integration/security/embedded/AbstractAuthentication.java

@@ -28,7 +28,7 @@
 import org.junit.Test;
 
 /**
- * @author vjuranek
+ * @author <a href="mailto:vjuranek@redhat.com">Vojtech Juranek</a>
  * @since 7.0
  */
 public abstract class AbstractAuthentication {

integrationtests/security-it/src/test/java/org/infinispan/test/integration/security/embedded/AbstractNodeAuthentication.java

@@ -1,15 +1,17 @@
 package org.infinispan.test.integration.security.embedded;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
 import org.infinispan.Cache;
 import org.infinispan.configuration.cache.CacheMode;
 import org.infinispan.configuration.cache.ConfigurationBuilder;
 import org.infinispan.configuration.global.GlobalConfigurationBuilder;
 import org.infinispan.manager.DefaultCacheManager;
 import org.infinispan.manager.EmbeddedCacheManager;
+import org.infinispan.test.integration.security.tasks.AbstractKrb5ConfServerSetupTask;
+import org.infinispan.test.integration.security.tasks.AbstractSecurityDomainsServerSetupTask;
+import org.infinispan.test.integration.security.tasks.AbstractSystemPropertiesServerSetupTask;
+import org.infinispan.test.integration.security.tasks.AbstractTraceLoggingServerSetupTask;
+import org.infinispan.test.integration.security.utils.ApacheDsKrbLdap;
+import org.infinispan.test.integration.security.utils.Utils;
 import org.infinispan.transaction.LockingMode;
 import org.infinispan.util.logging.Log;
 import org.infinispan.util.logging.LogFactory;
@@ -18,10 +20,25 @@
 import org.jboss.arquillian.container.test.api.OperateOnDeployment;
 import org.jboss.arquillian.junit.InSequence;
 import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.as.arquillian.api.ServerSetupTask;
+import org.jboss.as.arquillian.container.ManagementClient;
+import org.jboss.as.test.integration.security.common.config.SecurityDomain;
+import org.jboss.as.test.integration.security.common.config.SecurityModule;
+import org.jboss.security.SecurityConstants;
 import org.junit.Test;
 
+import java.io.File;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
 /**
- * @author vjuranek
+ * @author <a href="mailto:vjuranek@redhat.com">Vojtech Juranek</a>
  * @since 7.0
  */
 public abstract class AbstractNodeAuthentication {
@@ -37,7 +54,8 @@ public abstract class AbstractNodeAuthentication {
    protected static final String CACHE_NAME = "replicatedCache";
    protected static final String TEST_ITEM_KEY = "test_key";
    protected static final String TEST_ITEM_VALUE = "test_value";
-
+
+   private static final String TRUE = Boolean.TRUE.toString(); // TRUE
    private static final Log LOG = LogFactory.getLog(AbstractNodeAuthentication.class);
 
    @ArquillianResource
@@ -51,7 +69,7 @@ public abstract class AbstractNodeAuthentication {
    protected abstract String getJoiningNodeName();
 
    protected abstract String getJoiningNodeConfig();
-   
+
    protected Cache<String, String> getReplicatedCache(EmbeddedCacheManager manager) throws Exception {
       ConfigurationBuilder cacheConfig = new ConfigurationBuilder();
       cacheConfig.transaction().lockingMode(LockingMode.PESSIMISTIC);
@@ -61,7 +79,7 @@ protected Cache<String, String> getReplicatedCache(EmbeddedCacheManager manager)
 
       manager.defineConfiguration(CACHE_NAME, cacheConfig.build());
       Cache<String, String> replicatedCache = manager.getCache(CACHE_NAME);
-      
+
       return replicatedCache;
    }
 
@@ -70,10 +88,10 @@ protected EmbeddedCacheManager getCacheManager(String jgrousConfigFile) {
       globalConfig.globalJmxStatistics().disable();
       globalConfig.globalJmxStatistics().mBeanServerLookup(null); //TODO remove once WFLY-3124 is fixed, for now fail JMX registration
       globalConfig.transport().defaultTransport().addProperty("configurationFile", jgrousConfigFile);
-      EmbeddedCacheManager manager = new DefaultCacheManager(globalConfig.build()); 
+      EmbeddedCacheManager manager = new DefaultCacheManager(globalConfig.build());
       return manager;
    }
-   
+
    @Test
    @InSequence(1)
    public void startNodes() throws Exception {
@@ -98,7 +116,7 @@ public void testCreateItemOnCoordinator() throws Exception {
    @InSequence(3)
    //Needs to be overwritten in test class, which should add annotation @OperateOnDeployment(getJoiningNodeName())
    public void testReadItemOnJoiningNode() throws Exception {
-      EmbeddedCacheManager manager = getCacheManager(getJoiningNodeConfig());  
+      EmbeddedCacheManager manager = getCacheManager(getJoiningNodeConfig());
       Cache<String, String> cache = getReplicatedCache(manager);
       assertEquals("Insufficient number of cluster members", 2, manager.getMembers().size());
       assertEquals(TEST_ITEM_VALUE, cache.get(TEST_ITEM_KEY));
@@ -111,18 +129,193 @@ public void stopJoiningNodes() throws Exception {
       deployer.undeploy(COORDINATOR_NODE);
       try {
          controller.stop(getJoiningNodeName());
-      } catch(Exception e) {
+      } catch (Exception e) {
          LOG.warn("Joining node stop failed with %s", e.getCause());
          controller.kill(getJoiningNodeName());
       }
       try {
          controller.stop(COORDINATOR_NODE);
-      } catch(Exception e) {
+      } catch (Exception e) {
          LOG.warn("Coordinator node stop failed with %s", e.getCause());
          controller.kill(COORDINATOR_NODE);
       }
       assertFalse(controller.isStarted(getJoiningNodeName()));
       assertFalse(controller.isStarted(COORDINATOR_NODE));
    }
 
-}
+   /**
+    * A Kerberos system-properties server setup task. Sets path to a <code>krb5.conf</code> file and enables Kerberos
+    * debug messages.
+    *
+    * @author <a href="mailto:jcacek@redhat.com">Josef Cacek</a>
+    * @author <a href="mailto:vchepeli@redhat.com">Vitalii Chepeliuk</a>
+    */
+   static class KerberosSystemPropertiesSetupTask extends AbstractSystemPropertiesServerSetupTask {
+
+//      @Override
+//      public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
+//         // noop, workaround for AssertionError in ActiveOperationSupport:151
+//      }
+
+      /**
+       * Returns "java.security.krb5.conf" and "sun.security.krb5.debug" properties.
+       *
+       * @return Kerberos properties
+       */
+      @Override
+      protected SystemProperty[] getSystemProperties() {
+         final Map<String, String> map = new HashMap<>();
+         map.put("java.security.krb5.conf", "${java.io.tmpdir}" + File.separator + "krb5.conf");
+         map.put("java.security.krb5.debug", TRUE);
+         map.put(SecurityConstants.DISABLE_SECDOMAIN_OPTION, TRUE);
+         return mapToSystemProperties(map);
+      }
+   }
+
+   /**
+    * A Trace logging server setup task. Sets trace logging for specified packages
+    *
+    * @author <a href="mailto:jcacek@redhat.com">Josef Cacek</a>
+    * @author <a href="mailto:vchepeli@redhat.com">Vitalii Chepeliuk</a>
+    */
+   static class SecurityTraceLoggingServerSetupTask extends AbstractTraceLoggingServerSetupTask {
+
+      @Override
+      protected Collection<String> getCategories(ManagementClient managementClient, String containerId) {
+         return Arrays.asList("javax.security", "org.jboss.security", "org.picketbox");
+      }
+
+//      @Override
+//      public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
+//         // noop, workaround for AssertionError in ActiveOperationSupport:151
+//      }
+   }
+
+   /**
+    * A {@link ServerSetupTask} instance which creates security domains for this test case.
+    *
+    * @author jcacek@redhat,com
+    * @author vchepeli@redhat,com
+    */
+   static class SecurityDomainsSetupTask extends AbstractSecurityDomainsServerSetupTask {
+
+      public static final String SECURITY_DOMAIN_PREFIX = "krb-";
+      private static final String KEYTABS_DIR = "${java.io.tmpdir}" + File.separator + "keytabs" + File.separator;
+
+//      @Override
+//      public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
+//         // noop, workaround for AssertionError in ActiveOperationSupport:151
+//      }
+
+      /**
+       * Returns SecurityDomains configuration for this testcase.
+       */
+      @Override
+      protected SecurityDomain[] getSecurityDomains() {
+
+         final SecurityDomain krbNode0 = getKrbSecurityDomain("node0", KEYTABS_DIR + "jgroups_node0_clustered.keytab", "jgroups/node0/clustered@INFINISPAN.ORG");
+         final SecurityDomain krbNode1 = getKrbSecurityDomain("node1", KEYTABS_DIR + "jgroups_node1_clustered.keytab", "jgroups/node1/clustered@INFINISPAN.ORG");
+         final SecurityDomain krbFail = getKrbSecurityDomain("node1-fail", KEYTABS_DIR + "jgroups_node0_fail_clustered.keytab", "jgroups/node1/clustered2@INFINISPAN.ORG");
+
+         return new SecurityDomain[]{krbNode0, krbNode1, krbFail};
+      }
+
+      private SecurityDomain getKrbSecurityDomain(String name, String path, String principal) {
+         SecurityModule.Builder smBuilder = new SecurityModule.Builder();
+         if (Utils.IBM_JDK) {
+            smBuilder.name("com.ibm.security.auth.module.Krb5LoginModule").flag("required")
+                  .putOption("useKeytab", path)
+                  .putOption("credsType", "both") //
+                  .putOption("forwardable", TRUE) //
+                  .putOption("proxiable", TRUE) //
+                  .putOption("noAddress", TRUE);
+         } else {
+            smBuilder.name("Kerberos").flag("required") //
+                  .putOption("storeKey", "true")
+                  .putOption("useKeyTab", "true")
+                  .putOption("refreshKrb5Config", "true")
+                  .putOption("doNotPrompt", "true")
+                  .putOption("keyTab", path); //
+         }
+
+         smBuilder
+               .putOption("principal", principal + "@INFINISPAN.ORG")
+               .putOption("debug", TRUE);
+
+         return new SecurityDomain.Builder()
+               .name(SECURITY_DOMAIN_PREFIX + name).cacheType("default")
+               .loginModules(
+                     smBuilder.build()
+               ).build();
+      }
+   }
+
+   /**
+    * A Kerberos/Ldap server setup task. Starts Kerberos/Ldap server
+    *
+    * @author <a href="mailto:jcacek@redhat.com">Josef Cacek</a>
+    * @author <a href="mailto:vchepeli@redhat.com">Vitalii Chepeliuk</a>
+    */
+   static class KrbLdapServerSetupTask implements ServerSetupTask {
+      private static ApacheDsKrbLdap krbLdapServer;
+      private static boolean krbStarted = false;
+
+      @Override
+      public void setup(ManagementClient managementClient, String s) throws Exception {
+         final String hostname = Utils.getCannonicalHost(managementClient);
+         System.setProperty("java.security.krb5.conf", System.getProperty("java.io.tmpdir") + File.separator + "krb5.conf");
+         if (!krbStarted) {
+            krbLdapServer = new ApacheDsKrbLdap(hostname);
+            krbLdapServer.start();
+            krbStarted = true;
+         }
+      }
+
+      @Override
+      public void tearDown(ManagementClient managementClient, String s) throws Exception {
+         if (krbStarted) {
+            krbLdapServer.stop();
+            krbStarted = false;
+         }
+      }
+   }
+
+   /**
+    * Generate kerberos keytabs for infinispan users and ldap service
+    *
+    * @author <a href="mailto:jcacek@redhat.com">Josef Cacek</a>
+    * @author <a href="mailto:vchepeli@redhat.com">Vitalii Chepeliuk</a>
+    */
+   static class Krb5ConfServerSetupTask extends AbstractKrb5ConfServerSetupTask {
+
+      public static final File NODE0_KEYTAB_FILE = new File(KEYTABS_DIR, "jgroups_node0_clustered.keytab");
+      public static final File NODE1_KEYTAB_FILE = new File(KEYTABS_DIR, "jgroups_node1_clustered.keytab");
+      public static final File NODE1_FAIL_KEYTAB_FILE = new File(KEYTABS_DIR, "jgroups_node0_fail_clustered.keytab");
+      private static boolean keytabsGenerated = false;
+
+      @Override
+      public void setup(ManagementClient managementClient, String containerId) throws Exception {
+         if (!keytabsGenerated) {
+            super.setup(managementClient, containerId);
+            keytabsGenerated = true;
+         }
+      }
+
+      @Override
+      public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
+         if (keytabsGenerated) {
+            super.tearDown(managementClient, containerId);
+            keytabsGenerated = false;
+         }
+      }
+
+      @Override
+      protected List<UserForKeyTab> kerberosUsers() {
+         List<UserForKeyTab> users = new ArrayList<>();
+         users.add(new UserForKeyTab("jgroups/node0/clustered@INFINISPAN.ORG", "node0password", NODE0_KEYTAB_FILE));
+         users.add(new UserForKeyTab("jgroups/node1/clustered@INFINISPAN.ORG", "node1password", NODE1_KEYTAB_FILE));
+         users.add(new UserForKeyTab("jgroups/node1/fail/clustered@INFINISPAN.ORG", "failpassword", NODE1_FAIL_KEYTAB_FILE));
+         return users;
+      }
+   }
+}