Integration test for SASL EXTERNAL mech

client/hotrod-client/src/main/java/org/infinispan/client/hotrod/security/VoidCallbackHandler.java

@@ -0,0 +1,20 @@
+package org.infinispan.client.hotrod.security;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ *
+ * No-op {@link javax.security.auth.callback.CallbackHandler}. Convenient CollbackHandler which comes handy when
+ * no auth. callback is needed. This applies namely to SASL EXTERNAL auth. mechanism when auth. information is obtained
+ * from external channel, like TLS certificate.
+ *
+ * @author vjuranek
+ * @since 9.0
+ */
+public class VoidCallbackHandler implements CallbackHandler {
+    @Override
+    public void handle(Callback[] callbacks) {
+        // NO-OP
+    }
+}

server/integration/testsuite/build-testsuite.xml

@@ -327,7 +327,13 @@
                    addSecRealm="${other.parts}/ldap-authz-security-realm.xml"
                    addConnection="${other.parts}/ldap-connection.xml"
                    addKrbOpts="${other.parts}/kerberos-properties.xml"
-                   addKrbSecDomain="${other.parts}/kerberos-security-domain.xml"/>    	
+                   addKrbSecDomain="${other.parts}/kerberos-security-domain.xml"/>
+        <transform in="clustered.xml" out="testsuite/hotrod-auth-external-ssl.xml"
+                   modifyInfinispan="${infinispan.parts}/clustered-secured-external.xml"
+                   hotrodAuth="${infinispan.parts}/hotrod-auth-external.xml"
+                   hotrodEncrypt="${infinispan.parts}/hotrod-ssl-external-realm.xml"
+                   addSecRealm="${other.parts}/sasl-external-realm.xml"
+                   addVault="${other.parts}/vault.xml" />
         <transform in="clustered.xml" out="testsuite/clustered-with-sasl-md5-0.xml"  
     	           modifyInfinispan="${infinispan.parts}/default-repl.xml"
     	           addJGroupsSasl="${other.parts}/jgroups-sasl-md5-0.xml"

server/integration/testsuite/src/test/java/org/infinispan/server/test/security/cache/ClusteredCacheAuthExteranlIT.java

@@ -0,0 +1,93 @@
+package org.infinispan.server.test.security.cache;
+
+import org.infinispan.arquillian.core.InfinispanResource;
+import org.infinispan.arquillian.core.RemoteInfinispanServer;
+import org.infinispan.arquillian.core.RunningServer;
+import org.infinispan.arquillian.core.WithRunningServer;
+import org.infinispan.client.hotrod.RemoteCache;
+import org.infinispan.client.hotrod.RemoteCacheManager;
+import org.infinispan.server.test.category.Security;
+import org.infinispan.server.test.util.security.SaslConfigurationBuilder;
+import org.jboss.arquillian.container.test.api.ContainerController;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+
+import java.security.PrivilegedActionException;
+import javax.security.auth.login.LoginException;
+
+import static org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testGetNonExistent;
+import static org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testPut;
+import static org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.*;
+
+/**
+ *
+ * ClusteredCacheAuthExternalIT test authentication and authorization with distributed cache and state transfer.
+ * Test scenario is as follows:
+ * 1. Start ISPN server
+ * 2. Start second ISPN server and form cluster
+ * 3. Authenticate via HR client to the first server via SSL and EXTERNAL SASL auth
+ * 4. Shut down first server
+ * 5. Do operation on remote cache via HR and verify it authorization works as expected. This remote operation
+ *    happens on the second server.
+ *
+ * @author vjuranek
+ * @since 9.0
+ */
+@RunWith(Arquillian.class)
+@Category({ Security.class })
+@WithRunningServer({@RunningServer(name="hotrodAuthExternalClustered-2")})
+public class ClusteredCacheAuthExteranlIT {
+
+    private static final String SASL_MECH = "EXTERNAL";
+    private static final String ARQ_NODE_1_ID = "hotrodAuthExternalClustered";
+
+    @ArquillianResource
+    public ContainerController controller;
+
+    @InfinispanResource("hotrodAuthExternalClustered")
+    RemoteInfinispanServer server1;
+
+    @InfinispanResource("hotrodAuthExternalClustered-2")
+    RemoteInfinispanServer server2;
+
+    private static RemoteCacheManager rcm;
+    private static boolean isInitialized = false; //Arquillian is not able to inject to static fields, so the ISPN server cannot be used in @BeforeClass method
+
+    public void initRCM() {
+        controller.start(ARQ_NODE_1_ID);
+        final SaslConfigurationBuilder cb = new SaslConfigurationBuilder(SASL_MECH).forIspnServer(server1).withServerName(TEST_SERVER_NAME).withDefaultSsl();
+        rcm = new RemoteCacheManager(cb.forExternalAuth().build(), true);
+        controller.stop(ARQ_NODE_1_ID);
+        isInitialized = true;
+    }
+
+    @AfterClass
+    public static void release() {
+        if(rcm != null) {
+            rcm.stop();
+        }
+    }
+
+    private synchronized RemoteCache<String, String> getRemoteCacheFor(String login) {
+        if(!isInitialized) {
+            initRCM();
+        }
+        return rcm.getCache(TEST_CACHE_NAME);
+    }
+
+    @Test
+    public void testReaderRead() throws PrivilegedActionException, LoginException {
+        RemoteCache<String, String> cache = getRemoteCacheFor(READER_LOGIN);
+        testGetNonExistent(cache);
+    }
+
+    @Test(expected = org.infinispan.client.hotrod.exceptions.HotRodClientException.class)
+    public void testReaderWrite() throws PrivilegedActionException, LoginException {
+        RemoteCache<String, String> cache = getRemoteCacheFor(READER_LOGIN);
+        testPut(cache);
+    }
+}

server/integration/testsuite/src/test/java/org/infinispan/server/test/util/security/SaslConfigurationBuilder.java

@@ -1,15 +1,15 @@
 package org.infinispan.server.test.util.security;
 
-import java.io.File;
-
-import javax.security.auth.Subject;
-
 import org.infinispan.arquillian.core.RemoteInfinispanServer;
 import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
 import org.infinispan.client.hotrod.configuration.SaslQop;
 import org.infinispan.client.hotrod.configuration.SaslStrength;
+import org.infinispan.client.hotrod.security.VoidCallbackHandler;
 import org.infinispan.server.test.util.ITestUtils;
 
+import java.io.File;
+import javax.security.auth.Subject;
+
 /**
  * 
  * SaslConfigurationBuilder is a convenient class for various security tests which provides remote
@@ -50,6 +50,11 @@ public SaslConfigurationBuilder forSubject(Subject subj) {
       return this;
    }
 
+   public SaslConfigurationBuilder forExternalAuth() {
+      this.security().authentication().callbackHandler(new VoidCallbackHandler());
+      return this;
+   }
+
    public SaslConfigurationBuilder withDefaultSsl() {
       this.security().ssl().enable()
             .keyStoreFileName(DEFAULT_KEYSTORE_PATH)

server/integration/testsuite/src/test/resources/arquillian.xml

@@ -835,6 +835,36 @@
                 <property name="jmxDomain">${server.jmx.domain}</property>
             </configuration>
         </container>
+        <container qualifier="hotrodAuthExternalClustered" mode="manual">
+            <configuration>
+                <property name="javaHome">${server.jvm}</property>
+                <property name="jbossHome">${server1.dist}</property>
+                <property name="managementAddress">${node0.ip}</property>
+                <property name="serverConfig">testsuite/hotrod-auth-external-ssl.xml</property>
+                <property name="javaVmArguments">${server.jvm.args} -Djboss.node.name=node0
+                    -Djboss.bind.address.management=${node0.ip} -Djboss.bind.address=${node0.ip}
+                    -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Djgroups.join_timeout=2000
+                </property>
+                <property name="managementPort">9990</property>
+                <property name="jmxDomain">${server.jmx.domain}</property>
+            </configuration>
+        </container>
+        <container qualifier="hotrodAuthExternalClustered-2" mode="manual">
+            <configuration>
+                <property name="javaHome">${server.jvm}</property>
+                <property name="jbossHome">${server2.dist}</property>
+                <property name="managementAddress">${node1.ip}</property>
+                <property name="serverConfig">testsuite/hotrod-auth-external-ssl.xml</property>
+                <property name="javaVmArguments">${server.jvm.args} -Djboss.node.name=node1
+                    -Djboss.bind.address.management=${node1.ip} -Djboss.bind.address=${node1.ip}
+                    -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
+                    -Djboss.socket.binding.port-offset=100 -Djgroups.join_timeout=2000
+                </property>
+                <property name="managementPort">10090</property>
+                <property name="waitForPorts">11311 11322 8180</property>
+                <property name="jmxDomain">${server.jmx.domain}</property>
+            </configuration>
+        </container>
         <container qualifier="hotrodAuthKrb" mode="manual">
             <configuration>
                 <property name="javaHome">${server.jvm}</property>

server/integration/testsuite/src/test/resources/config/infinispan/clustered-secured-external.xml

@@ -0,0 +1,18 @@
+        <subsystem xmlns="urn:infinispan:server:core:9.0" >
+            <cache-container name="clustered" default-cache="testcache">
+                <security>
+                    <authorization>
+                        <common-name-role-mapper />
+                        <role name="HotRod" permissions="READ" />
+                    </authorization>
+                </security>
+                <distributed-cache name="testcache" mode="SYNC" segments="20" owners="2" remote-timeout="30000" start="EAGER">
+                    <transaction mode="NONE" />
+                    <security>
+                        <authorization roles="HotRod" enabled="true" />
+                    </security>
+                </distributed-cache>
+                <transport lock-timeout="240000"/>
+            </cache-container>
+            <cache-container name="security"/>
+        </subsystem>

server/integration/testsuite/src/test/resources/config/infinispan/hotrod-auth-external.xml

@@ -0,0 +1,8 @@
+                <authentication security-realm="SaslExteramlRealm">
+                    <sasl server-name="node0" mechanisms="EXTERNAL" qop="auth" strength="high medium low">
+                        <policy>
+                            <no-anonymous value="true" />
+                        </policy>
+                        <property name="com.sun.security.sasl.digest.utf8">true</property>
+                    </sasl>
+                </authentication>

server/integration/testsuite/src/test/resources/config/infinispan/hotrod-ssl-external-realm.xml

@@ -0,0 +1 @@
+                <encryption security-realm="SaslExteramlRealm" require-ssl-client-auth="true" />

server/integration/testsuite/src/test/resources/config/parts/sasl-external-realm.xml

@@ -0,0 +1,10 @@
+            <security-realm name="SaslExteramlRealm">
+                <authentication>
+                    <truststore path="truststore_server.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
+                </authentication>
+                <server-identities>
+                  <ssl>
+                    <keystore path="keystore_server.jks" relative-to="jboss.server.config.dir" keystore-password="secret"/>
+                  </ssl>
+                </server-identities>
+            </security-realm>