Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[WFLY-9336] Extend Elytron security context propagation test coverage
- Loading branch information
Ondrej Lukas
committed
Oct 27, 2017
1 parent
535bf19
commit 217829f
Showing
45 changed files
with
3,361 additions
and
425 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
375 changes: 375 additions & 0 deletions
375
.../org/wildfly/test/manual/elytron/seccontext/AbstractAuthenticationForwardingTestCase.java
Large diffs are not rendered by default.
Oops, something went wrong.
141 changes: 141 additions & 0 deletions
141
...a/org/wildfly/test/manual/elytron/seccontext/AbstractAuthorizationForwardingTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,141 @@ | |||
/* | |||
* JBoss, Home of Professional Open Source. | |||
* Copyright 2017, Red Hat Middleware LLC, and individual contributors | |||
* as indicated by the @author tags. See the copyright.txt file in the | |||
* distribution for a full listing of individual contributors. | |||
* | |||
* This is free software; you can redistribute it and/or modify it | |||
* under the terms of the GNU Lesser General Public License as | |||
* published by the Free Software Foundation; either version 2.1 of | |||
* the License, or (at your option) any later version. | |||
* | |||
* This software is distributed in the hope that it will be useful, | |||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |||
* Lesser General Public License for more details. | |||
* | |||
* You should have received a copy of the GNU Lesser General Public | |||
* License along with this software; if not, write to the Free | |||
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA | |||
* 02110-1301 USA, or see the FSF site: http://www.fsf.org. | |||
*/ | |||
package org.wildfly.test.manual.elytron.seccontext; | |||
|
|||
import static org.junit.Assert.assertArrayEquals; | |||
import static org.junit.Assert.assertEquals; | |||
import static org.junit.Assert.assertNotNull; | |||
import static org.junit.Assert.assertThat; | |||
|
|||
import org.junit.Test; | |||
|
|||
/** | |||
* Authorization forwarding (credential less forwarding) for security context propagation test. | |||
* | |||
* @author Josef Cacek | |||
*/ | |||
public abstract class AbstractAuthorizationForwardingTestCase extends AbstractSecurityContextPropagationTestBase { | |||
|
|||
/** | |||
* Test the authorization forwarding (credential less propagation) works for EJB calls when {@link RunAsPrincipalPermission} | |||
* is assigned to caller server identity. | |||
* | |||
* <pre> | |||
* When: EJB client calls EntryBean as admin user and Elytron AuthenticationContext API is used to | |||
* authorization forwarding to WhoAmIBean call with "server" user used as caller server identity | |||
* Then: WhoAmIBean call is possible and returns "admin" username | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testForwardedAuthorizationPasses() throws Exception { | |||
String[] doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getDoubleWhoAmICallable(ReAuthnType.FORWARDED_AUTHORIZATION, "server", "server"), | |||
ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.doubleWhoAmI() should return not-null instance", doubleWhoAmI); | |||
assertArrayEquals("Unexpected principal names returned from doubleWhoAmI", new String[]{"admin", "admin"}, | |||
doubleWhoAmI); | |||
} | |||
|
|||
/** | |||
* Test the authorization forwarding works for EJB calls when {@link RunAsPrincipalPermission} is not assigned to the caller | |||
* identity, but the authentication identity == authorization identity (which has sufficient roles to call the EJB). | |||
* | |||
* <pre> | |||
* When: EJB client calls EntryBean as admin user and Elytron AuthenticationContext API is used to | |||
* authorization forwarding to WhoAmIBean call with "admin" user used as caller server identity. | |||
* Then: WhoAmIBean call is possible and returns "admin" username | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testSameAuthorizationIdentityPasses() throws Exception { | |||
String[] doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getDoubleWhoAmICallable(ReAuthnType.FORWARDED_AUTHORIZATION, "admin", "admin"), ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.doubleWhoAmI() should return not-null instance", doubleWhoAmI); | |||
assertArrayEquals("Unexpected principal names returned from doubleWhoAmI", new String[]{"admin", "admin"}, | |||
doubleWhoAmI); | |||
} | |||
|
|||
/** | |||
* Test the authorization forwarding fails for EJB calls when {@link RunAsPrincipalPermission} is not assigned to the caller | |||
* identity. | |||
* | |||
* <pre> | |||
* When: EJB client calls EntryBean as admin user and Elytron AuthenticationContext API is used to | |||
* authorization forwarding to WhoAmIBean call with either "server-norunas" or "whoami" users | |||
* used as caller server identity. | |||
* Then: WhoAmIBean call fails in both cases as the server identity don't have RunAsPrincipalPermission | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testForwardedAuthorizationIdentityWithoutRunAsFails() throws Exception { | |||
String[] doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getDoubleWhoAmICallable(ReAuthnType.FORWARDED_AUTHORIZATION, "server-norunas", "server-norunas"), | |||
ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.doubleWhoAmI() should return not-null instance", doubleWhoAmI); | |||
assertThat(doubleWhoAmI[1], isEjbAuthenticationError()); | |||
|
|||
doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getDoubleWhoAmICallable(ReAuthnType.FORWARDED_AUTHORIZATION, "whoami", "whoami"), | |||
ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.doubleWhoAmI() should return not-null instance", doubleWhoAmI); | |||
assertThat(doubleWhoAmI[1], isEjbAuthenticationError()); | |||
} | |||
|
|||
/** | |||
* Test propagation of RuntimeException back to server1 during a call using the authorization forwarding. | |||
* | |||
* <pre> | |||
* When: EJB client calls EntryBean as admin user and Elytron AuthenticationContext API is used to | |||
* authorization forwarding to WhoAmIBean call with "server" user used as caller server identity | |||
* Then: WhoAmIBean.throwIllegalStateException call should result in expected IllegalStateException. | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testIllegalStateExceptionFromForwardedAuthz() throws Exception { | |||
String[] doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getWhoAmIAndIllegalStateExceptionCallable(ReAuthnType.FORWARDED_AUTHORIZATION, "server", "server"), | |||
ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.whoAmIAndIllegalStateException() should return not-null instance", doubleWhoAmI); | |||
assertEquals("admin", doubleWhoAmI[0]); | |||
assertThat(doubleWhoAmI[1], isExpectedIllegalStateException()); | |||
} | |||
|
|||
/** | |||
* Test propagation of Server2Exception (unknown on server1) back to server1 during a call using the authorization | |||
* forwarding. | |||
* | |||
* <pre> | |||
* When: EJB client calls EntryBean as admin user and Elytron AuthenticationContext API is used to | |||
* authorization forwarding to WhoAmIBean call with "server" user used as caller server identity | |||
* Then: WhoAmIBean.throwServer2Exception call should result in expected ClassNotFoundException. | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testServer2ExceptionFromForwardedAuthz() throws Exception { | |||
String[] doubleWhoAmI = SeccontextUtil.switchIdentity("admin", "admin", | |||
getWhoAmIAndServer2ExceptionCallable(ReAuthnType.FORWARDED_AUTHORIZATION, "server", "server"), | |||
ReAuthnType.AC_AUTHENTICATION); | |||
assertNotNull("The entryBean.whoAmIAndServer2Exception() should return not-null instance", doubleWhoAmI); | |||
assertEquals("admin", doubleWhoAmI[0]); | |||
assertThat(doubleWhoAmI[1], isClassNotFoundException_Server2Exception()); | |||
} | |||
} |
138 changes: 138 additions & 0 deletions
138
...org/wildfly/test/manual/elytron/seccontext/AbstractHAAuthorizationForwardingTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,138 @@ | |||
/* | |||
* JBoss, Home of Professional Open Source. | |||
* Copyright 2017, Red Hat Middleware LLC, and individual contributors | |||
* as indicated by the @author tags. See the copyright.txt file in the | |||
* distribution for a full listing of individual contributors. | |||
* | |||
* This is free software; you can redistribute it and/or modify it | |||
* under the terms of the GNU Lesser General Public License as | |||
* published by the Free Software Foundation; either version 2.1 of | |||
* the License, or (at your option) any later version. | |||
* | |||
* This software is distributed in the hope that it will be useful, | |||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |||
* Lesser General Public License for more details. | |||
* | |||
* You should have received a copy of the GNU Lesser General Public | |||
* License along with this software; if not, write to the Free | |||
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA | |||
* 02110-1301 USA, or see the FSF site: http://www.fsf.org. | |||
*/ | |||
package org.wildfly.test.manual.elytron.seccontext; | |||
|
|||
import static javax.servlet.http.HttpServletResponse.SC_OK; | |||
import static org.jboss.as.test.integration.security.common.Utils.REDIRECT_STRATEGY; | |||
import static org.junit.Assert.assertEquals; | |||
import static org.wildfly.test.manual.elytron.seccontext.AbstractSecurityContextPropagationTestBase.server1; | |||
import static org.wildfly.test.manual.elytron.seccontext.SeccontextUtil.SERVER1_BACKUP; | |||
import static org.wildfly.test.manual.elytron.seccontext.SeccontextUtil.WAR_ENTRY_SERVLET_FORM; | |||
|
|||
import java.io.IOException; | |||
import java.net.URL; | |||
import org.apache.http.impl.client.CloseableHttpClient; | |||
import org.apache.http.impl.client.HttpClientBuilder; | |||
import org.jboss.arquillian.container.test.api.Deployment; | |||
import org.jboss.arquillian.container.test.api.TargetsContainer; | |||
import org.jboss.as.cli.CommandLineException; | |||
import org.jboss.as.test.integration.management.util.MgmtOperationException; | |||
import org.jboss.as.test.shared.TestSuiteEnvironment; | |||
import org.jboss.shrinkwrap.api.Archive; | |||
import org.junit.AfterClass; | |||
import org.junit.Before; | |||
import org.junit.Test; | |||
|
|||
/** | |||
* Tests authorization forwarding within a cluster. | |||
* | |||
* <h3>Given</h3> | |||
* See the superclass for common implementation details. | |||
* <pre> | |||
* Additional started and configured servers: | |||
* - seccontext-server1-backup (standalone-ha.xml - creates cluster with seccontext-server1) - | |||
* * entry-servlet-form.war | |||
* </pre> | |||
* @author Josef Cacek | |||
*/ | |||
public abstract class AbstractHAAuthorizationForwardingTestCase extends AbstractSecurityContextPropagationTestBase { | |||
|
|||
private static final ServerHolder server1backup = new ServerHolder(SERVER1_BACKUP, TestSuiteEnvironment.getServerAddress(), | |||
2000); | |||
|
|||
/** | |||
* Creates deployment with Entry servlet and FORM authentication. | |||
*/ | |||
@Deployment(name = WAR_ENTRY_SERVLET_FORM + "backup", managed = false, testable = false) | |||
@TargetsContainer(SERVER1_BACKUP) | |||
public static Archive<?> createDeploymentForBackup() { | |||
return createEntryServletFormAuthnDeployment(); | |||
} | |||
|
|||
/** | |||
* Start server1backup. | |||
*/ | |||
@Before | |||
public void startServer1backup() throws CommandLineException, IOException, MgmtOperationException { | |||
server1backup.resetContainerConfiguration(new ServerConfigurationBuilder() | |||
.withDeployments(WAR_ENTRY_SERVLET_FORM + "backup") | |||
.build()); | |||
} | |||
|
|||
/** | |||
* Shut down server1backup. | |||
*/ | |||
@AfterClass | |||
public static void shutdownServer1backup() throws IOException { | |||
server1backup.shutDown(); | |||
} | |||
|
|||
/** | |||
* Verifies, the distributable web-app with FORM authentication supports session replication out of the box. | |||
* | |||
* <pre> | |||
* When: HTTP client calls WhoAmIServlet as "admin" (using FORM authn) on first cluster node and then | |||
* it calls WhoAmIServlet (without authentication needed) on the second cluster node | |||
* Then: the call to WhoAmIServlet on second node (without authentication) passes and returns "admin" | |||
* (i.e. SSO works with FORM authentication) | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testServletSso() throws Exception { | |||
final URL whoamiUrl = new URL( | |||
server1.getApplicationHttpUrl() + "/" + WAR_ENTRY_SERVLET_FORM + WhoAmIServlet.SERVLET_PATH); | |||
final URL whoamiBackupUrl = new URL( | |||
server1backup.getApplicationHttpUrl() + "/" + WAR_ENTRY_SERVLET_FORM + WhoAmIServlet.SERVLET_PATH); | |||
|
|||
try (final CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(REDIRECT_STRATEGY).build()) { | |||
assertEquals("Unexpected result from WhoAmIServlet", "admin", | |||
doHttpRequestFormAuthn(httpClient, whoamiUrl, true, "admin", "admin", SC_OK)); | |||
assertEquals("Unexpected result from WhoAmIServlet (backup-server)", "admin", | |||
doHttpRequest(httpClient, whoamiBackupUrl, SC_OK)); | |||
} | |||
} | |||
|
|||
/** | |||
* Verifies, the authorization forwarding works within cluster (FORM authn). This simulates failover on | |||
* distributed web application (e.g. when load balancer is used). | |||
* | |||
* <pre> | |||
* When: HTTP client calls WhoAmIServlet as "admin" (using FORM authn) on second cluster node and then | |||
* it calls EntryServlet (without authentication needed) on the first cluster node; | |||
* the EntryServlet uses Elytron API to forward authz name to call remote WhoAmIBean | |||
* Then: the calls pass and WhoAmIBean returns "admin" username | |||
* </pre> | |||
*/ | |||
@Test | |||
public void testServletSsoPropagation() throws Exception { | |||
final URL entryServletUrl = getEntryServletUrl(WAR_ENTRY_SERVLET_FORM, "server", "server", | |||
ReAuthnType.FORWARDED_AUTHORIZATION); | |||
final URL whoamiUrl = new URL( | |||
server1backup.getApplicationHttpUrl() + "/" + WAR_ENTRY_SERVLET_FORM + WhoAmIServlet.SERVLET_PATH); | |||
|
|||
try (final CloseableHttpClient httpClient = HttpClientBuilder.create().setRedirectStrategy(REDIRECT_STRATEGY).build()) { | |||
assertEquals("Unexpected result from WhoAmIServlet (backup-server)", "admin", | |||
doHttpRequestFormAuthn(httpClient, whoamiUrl, true, "admin", "admin", SC_OK)); | |||
assertEquals("Unexpected result from EntryServlet", "admin", doHttpRequest(httpClient, entryServletUrl, SC_OK)); | |||
} | |||
} | |||
} |
Oops, something went wrong.