Loading projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java +12 −6 Original line number Diff line number Diff line Loading @@ -234,7 +234,7 @@ public class LoginServlet extends HttpServlet // at this point so in order to make the calls to check their group // membership we need to create corresponding subjects and run the // get groups command in the corresponding subject context. AuthenticatorImpl ai = new AuthenticatorImpl(); AuthenticatorImpl ai = getAuthenticatorImpl(); Subject proxySubject = new Subject(); proxySubject.getPrincipals().add(new HttpPrincipal(proxyUser)); ai.augmentSubject(proxySubject); Loading Loading @@ -265,7 +265,8 @@ public class LoginServlet extends HttpServlet Subject.doAs(userSubject, new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception public Object run() throws Exception { if (gp.getGroups(new HttpPrincipal(userID), Role.MEMBER, nonImpersonGroup).size() != 0) Loading Loading @@ -308,4 +309,9 @@ public class LoginServlet extends HttpServlet }); return gp; } protected AuthenticatorImpl getAuthenticatorImpl() { return new AuthenticatorImpl(); } } projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/UserLoginServletTest.java +44 −1 Original line number Diff line number Diff line package ca.nrc.cadc.ac.server.web; import static org.easymock.EasyMock.expectLastCall; import static org.easymock.EasyMock.replay; import static org.easymock.EasyMock.verify; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; Loading @@ -7,6 +10,7 @@ import java.security.AccessControlException; import java.util.Collection; import java.util.HashSet; import ca.nrc.cadc.auth.AuthenticatorImpl; import org.easymock.EasyMock; import org.junit.Test; Loading 
@@ -16,11 +20,38 @@ import ca.nrc.cadc.ac.server.GroupDetailSelector; import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence; import ca.nrc.cadc.auth.HttpPrincipal; import javax.security.auth.Subject; public class UserLoginServletTest { @Test public void getCheckCanImpersonate() throws Throwable { final AuthenticatorImpl mockAuthenticatorImpl = EasyMock.createMock(AuthenticatorImpl.class); Subject userSubject = new Subject(); userSubject.getPrincipals().add(new HttpPrincipal("user")); mockAuthenticatorImpl.augmentSubject(userSubject); expectLastCall().once(); Subject proxyUserSubject = new Subject(); proxyUserSubject.getPrincipals().add(new HttpPrincipal("proxyUser")); mockAuthenticatorImpl.augmentSubject(proxyUserSubject); expectLastCall().times(2); Subject nonProxyUserSubject = new Subject(); nonProxyUserSubject.getPrincipals().add(new HttpPrincipal("nonProxyUser")); mockAuthenticatorImpl.augmentSubject(nonProxyUserSubject); expectLastCall().times(2); Subject niUser = new Subject(); niUser.getPrincipals().add(new HttpPrincipal("niUser")); mockAuthenticatorImpl.augmentSubject(niUser); expectLastCall().once(); replay(mockAuthenticatorImpl); LoginServlet ls = new LoginServlet() { /** Loading @@ -28,6 +59,12 @@ public class UserLoginServletTest */ private static final long serialVersionUID = 1L; @Override protected AuthenticatorImpl getAuthenticatorImpl() { return mockAuthenticatorImpl; } @Override protected LdapGroupPersistence<HttpPrincipal> getLdapGroupPersistence() { Loading Loading @@ -68,7 +105,7 @@ public class UserLoginServletTest mockGp.getGroups(new HttpPrincipal("niUser"), Role.MEMBER, nonImpersonGroup)).andReturn( niGroups); EasyMock.replay(mockGp); replay(mockGp); } catch (Exception e) { throw new RuntimeException(e); Loading @@ -76,8 +113,10 @@ public class UserLoginServletTest return mockGp; } }; // proxyUser can impersonate user ls.checkCanImpersonate("user", "proxyUser"); // nonProxyUser cannot impersonate try { Loading 
@@ -87,6 +126,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("not allowed to impersonate")); } // niUser cannot be impersonated try { Loading @@ -96,6 +136,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("non impersonable")); } // nonProxyUser cannot impersonate and niUser cannot be impersonated try { Loading @@ -105,5 +146,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("not allowed to impersonate")); } verify(mockAuthenticatorImpl); } } Loading
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/LoginServlet.java +12 −6 Original line number Diff line number Diff line Loading @@ -234,7 +234,7 @@ public class LoginServlet extends HttpServlet // at this point so in order to make the calls to check their group // membership we need to create corresponding subjects and run the // get groups command in the corresponding subject context. AuthenticatorImpl ai = new AuthenticatorImpl(); AuthenticatorImpl ai = getAuthenticatorImpl(); Subject proxySubject = new Subject(); proxySubject.getPrincipals().add(new HttpPrincipal(proxyUser)); ai.augmentSubject(proxySubject); Loading Loading @@ -265,7 +265,8 @@ public class LoginServlet extends HttpServlet Subject.doAs(userSubject, new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception public Object run() throws Exception { if (gp.getGroups(new HttpPrincipal(userID), Role.MEMBER, nonImpersonGroup).size() != 0) Loading Loading @@ -308,4 +309,9 @@ public class LoginServlet extends HttpServlet }); return gp; } protected AuthenticatorImpl getAuthenticatorImpl() { return new AuthenticatorImpl(); } }
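Review bot: The new `getAuthenticatorImpl()` factory at the end of the class has no Javadoc, even though the object it returns is what augments the proxy subject before the group-membership lookup in the impersonation check. A subclass that overrides it replaces that identity augmentation, so the seam should state its purpose, e.g. `/** Creates the authenticator used to augment subjects for the impersonation check; overridable so tests can supply a mock. */`. The test that overrides it is declared in the same package, so package-private visibility would be enough if narrower access is preferred over matching the existing `protected getLdapGroupPersistence()`. The method that holds the `ai` assignment starts and ends outside the visible hunks, so whether every `augmentSubject` call goes through this one instance cannot be confirmed from here.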
projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/web/UserLoginServletTest.java +44 −1 Original line number Diff line number Diff line package ca.nrc.cadc.ac.server.web; import static org.easymock.EasyMock.expectLastCall; import static org.easymock.EasyMock.replay; import static org.easymock.EasyMock.verify; import static org.junit.Assert.assertTrue; import static org.junit.Assert.fail; Loading @@ -7,6 +10,7 @@ import java.security.AccessControlException; import java.util.Collection; import java.util.HashSet; import ca.nrc.cadc.auth.AuthenticatorImpl; import org.easymock.EasyMock; import org.junit.Test; Loading @@ -16,11 +20,38 @@ import ca.nrc.cadc.ac.server.GroupDetailSelector; import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence; import ca.nrc.cadc.auth.HttpPrincipal; import javax.security.auth.Subject; public class UserLoginServletTest { @Test public void getCheckCanImpersonate() throws Throwable { final AuthenticatorImpl mockAuthenticatorImpl = EasyMock.createMock(AuthenticatorImpl.class); Subject userSubject = new Subject(); userSubject.getPrincipals().add(new HttpPrincipal("user")); mockAuthenticatorImpl.augmentSubject(userSubject); expectLastCall().once(); Subject proxyUserSubject = new Subject(); proxyUserSubject.getPrincipals().add(new HttpPrincipal("proxyUser")); mockAuthenticatorImpl.augmentSubject(proxyUserSubject); expectLastCall().times(2); Subject nonProxyUserSubject = new Subject(); nonProxyUserSubject.getPrincipals().add(new HttpPrincipal("nonProxyUser")); mockAuthenticatorImpl.augmentSubject(nonProxyUserSubject); expectLastCall().times(2); Subject niUser = new Subject(); niUser.getPrincipals().add(new HttpPrincipal("niUser")); mockAuthenticatorImpl.augmentSubject(niUser); expectLastCall().once(); replay(mockAuthenticatorImpl); LoginServlet ls = new LoginServlet() { /** Loading 
@@ -28,6 +59,12 @@ public class UserLoginServletTest */ private static final long serialVersionUID = 1L; @Override protected AuthenticatorImpl getAuthenticatorImpl() { return mockAuthenticatorImpl; } @Override protected LdapGroupPersistence<HttpPrincipal> getLdapGroupPersistence() { Loading Loading @@ -68,7 +105,7 @@ public class UserLoginServletTest mockGp.getGroups(new HttpPrincipal("niUser"), Role.MEMBER, nonImpersonGroup)).andReturn( niGroups); EasyMock.replay(mockGp); replay(mockGp); } catch (Exception e) { throw new RuntimeException(e); Loading @@ -76,8 +113,10 @@ public class UserLoginServletTest return mockGp; } }; // proxyUser can impersonate user ls.checkCanImpersonate("user", "proxyUser"); // nonProxyUser cannot impersonate try { Loading @@ -87,6 +126,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("not allowed to impersonate")); } // niUser cannot be impersonated try { Loading @@ -96,6 +136,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("non impersonable")); } // nonProxyUser cannot impersonate and niUser cannot be impersonated try { Loading @@ -105,5 +146,7 @@ public class UserLoginServletTest { assertTrue(ex.getMessage().contains("not allowed to impersonate")); } verify(mockAuthenticatorImpl); } }
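Review bot: The call counts set on `mockAuthenticatorImpl` (`once()` for `user` and `niUser`, `times(2)` for `proxyUser` and `nonProxyUser`) carry no explanation, yet they are what pins the ordering of the authorization check. They appear to add up only if a rejected proxy stops the check before the target user's subject is augmented. A comment above the expectations would make that intent reviewable, e.g. `// proxy subject is augmented on every call; the target subject only after the proxy passed its group check`. The matching also relies on `Subject.equals` and `HttpPrincipal.equals`, because the servlet builds its own `Subject` instances, and the mocked `augmentSubject` adds nothing to the subject, which is worth a short remark next to `replay(mockAuthenticatorImpl)`.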