[jboss-cvs] JBossAS SVN: r114671 - branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization.
Mon Jan 20 08:40:41 EST 2014
Author: jmartisk
Date: 2014-01-20 08:40:41 -0500 (Mon, 20 Jan 2014)
New Revision: 114671
Modified:
branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/RolesAuthorizationTestCase.java
branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/jmx-security-roles.xml
Log:
[JBQA-8619] refactor and enhance tests for secure JMX invoker
Modified: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/RolesAuthorizationTestCase.java
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/RolesAuthorizationTestCase.java 2014-01-20 12:56:16 UTC (rev 114670)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/RolesAuthorizationTestCase.java 2014-01-20 13:40:41 UTC (rev 114671)
@@ -27,6 +27,7 @@
import java.io.InputStream;
import java.security.Principal;
import java.security.acl.Group;
+import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
@@ -38,8 +39,7 @@
import org.jboss.test.JBossTestCase;
/**
- * @author baranowb
- *
+ * @author baranowb, jmartisk
*/
public class RolesAuthorizationTestCase extends JBossTestCase {
private RolesAuthorization authorization;
@@ -71,130 +71,66 @@
super.tearDown();
}
- public void testAuthorization() throws Exception {
- final String objectName = "jboss:service=JNDIView";
- final String opName = "list";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
+ public void tryInvocation(String objectName, String opName, String callerPrincipal, Set<String> callerRoles, boolean shouldSucceed) {
+ final Principal caller = new SimplePrincipal(callerPrincipal);
final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("Tester"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- authorization.authorize(caller, subject, objectName, opName);
- }
-
- public void testWildarcMatch() throws Exception {
- final String objectName = "jboss:service=NO_BOOM";
- final String opName = "list";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("Tester"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- try {
- authorization.authorize(caller, subject, objectName, opName);
- } catch (SecurityException se) {
- fail("Did not expect exception");
+ for(String role : callerRoles) {
+ group.addMember(new SimplePrincipal(role));
}
- }
- public void testWildarcMatch_2() throws Exception {
- //this is ! to testNoRule_3
- final String objectName = "jboss:type=NO_BOOM";
- final String opName = "getSomeThingThatDoesNotExist";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("Tester"));
- final Set callers = new HashSet();
+ final Set<Principal> callers = new HashSet<Principal>();
callers.add(caller);
callers.add(group);
final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
try {
authorization.authorize(caller, subject, objectName, opName);
- } catch (SecurityException se) {
- fail("Did not expect exception");
+ if(!shouldSucceed) {
+ fail("Expected SecurityException!");
+ }
+ } catch(SecurityException ex) {
+ if(shouldSucceed)
+ throw ex;
}
}
- public void testNoRule() throws Exception {
- final String objectName = "jboss:service=BOOM";
- final String opName = "list";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("JBossAdmin"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- try {
- authorization.authorize(caller, subject, objectName, opName);
- fail("Expected SecurityException since there is no rule!");
- } catch (SecurityException se) {
- //
- }
+
+ public void testAuthorization() {
+ tryInvocation("jboss:service=JNDIView", "list", "test", Collections.singleton("Tester"), true);
}
+ public void testWildcardMatch() {
+ tryInvocation("jboss:service=NO_BOOM", "list", "test", Collections.singleton("Tester"), true);
+ }
- public void testNoRule_2() throws Exception {
- final String objectName = "wicked_domain:service=BOOM";
- final String opName = "list";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("JBossAdmin"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- try {
- authorization.authorize(caller, subject, objectName, opName);
- fail("Expected SecurityException since there is no rule!");
- } catch (SecurityException se) {
- //
- }
+ public void testWildcardMatch2() {
+ tryInvocation("jboss:service=NO_BOOM", "getSomeThingThatDoesNotExist", "test", Collections.singleton("Tester"), true);
}
- public void testNoRule_3() throws Exception {
- //test if first rule op def will match - it has only Tester role.
- //second rule should never be triggered
- final String objectName = "jboss:type=NO_BOOM";
- final String opName = "getSomeThingThatDoesNotExist";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("JBossAdmin"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- try {
- authorization.authorize(caller, subject, objectName, opName);
- fail("Expected SecurityException since there is no rule!");
- } catch (SecurityException se) {
- //
- }
+ // two conflicting operation-rules in a single objectname-rule
+ public void testFirstRulePrecedenceInSingleObjectName() {
+ tryInvocation("jboss:service=NO_BOOM", "getSomeThingThatDoesNotExist", "test", Collections.singleton("JBossAdmin"), false);
}
- public void testAuthorizationFailure() throws Exception {
- final String objectName = "jboss:service=JNDIView";
- final String opName = "list";
- final Principal caller = new SimplePrincipal("test");
- // yeah, this is stupid
- final Group group = new SimpleGroup("Roles");
- group.addMember(new SimplePrincipal("IWillBoom"));
- final Set callers = new HashSet();
- callers.add(caller);
- callers.add(group);
- final Subject subject = new Subject(false, callers, new HashSet(), new HashSet());
- try {
- authorization.authorize(caller, subject, objectName, opName);
- fail("Expected SecurityException since there is no role!");
- } catch (SecurityException se) {
- //
- }
+ // two conflicting operation-rules, located in two objectname-rules
+ public void testFirstRulePrecedenceInMultipleObjectNames() {
+ tryInvocation("jboss:service=JNDIView", "queryNames", "test", Collections.singleton("JBossAdmin"), true);
}
+
+ // two conflicting operation-rules, located in two objectname-rules, the second one would allow invocation, but the first denies it
+ public void testFirstRulePrecedenceInMultipleObjectNames2() {
+ tryInvocation("jboss:service=JNDIView", "queryNames", "test", Collections.singleton("Superman"), false);
+ }
+
+ public void testMethodMatch() {
+ tryInvocation("jboss:type=NO_BOOM", "list", "test", Collections.singleton("JBossAdmin"), false);
+ }
+
+ public void testNoRuleForDomain() {
+ tryInvocation("wicked_domain:service=BOOM", "list", "test", Collections.singleton("JBossAdmin"), false);
+ }
+
+ public void testNoRuleForOperation() {
+ tryInvocation("otherdomain:type=NO_BOOM", "list", "test", Collections.singleton("JBossAdmin"), false);
+ }
+
+ public void testUnauthorized() {
+ tryInvocation("jboss:service=JNDIView", "list", "test", Collections.singleton("IWillBoom"), false);
+ }
}
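Review bot: `tryInvocation` is now the authorization oracle for every test in this hunk, yet its failure paths carry no context: `fail("Expected SecurityException!")` and the bare `throw ex` do not say which object name, operation or role set produced the wrong decision, so a red run reports only the test method name. Include the inputs in both paths, e.g. `fail("Expected SecurityException for " + objectName + "/" + opName + " with roles " + callerRoles);` and in the catch `fail("Unexpected SecurityException for " + objectName + "/" + opName + " with roles " + callerRoles + ": " + ex);` (keep the rethrow instead if the original stack trace is needed, but log the context first). The helper is also declared `public` with no `test` prefix — JUnit 3 will not run it, but it is not part of the test API, so `private` is the right modifier, and `if(shouldSucceed) throw ex;` should be braced like the rest of the file. A short Javadoc stating that `shouldSucceed == false` asserts the invocation is denied would make the deny cases, which are the ones that matter for the secure invoker, self-explanatory. The enclosing class starts before this hunk.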
Modified: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/jmx-security-roles.xml
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/jmx-security-roles.xml 2014-01-20 12:56:16 UTC (rev 114670)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/jmx/invoker/authorization/jmx-security-roles.xml 2014-01-20 13:40:41 UTC (rev 114671)
@@ -42,6 +42,12 @@
<name>jboss:*</name>
<operations>
<operation>
+ <name>query.+</name>
+ <roles>
+ <role>Superman</role>
+ </roles>
+ </operation>
+ <operation>
<!-- regex require . ... without it - dangling meta -->
<name>.*</name>
<roles>
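Review bot: The new `query.+` operation rule is inserted ahead of the existing catch-all `.*` rule with no comment on why its position matters, and the Java tests in this commit (`testFirstRulePrecedenceInMultipleObjectNames2` expects `queryNames` with role Superman to be denied) suggest the fixture exists precisely to show this rule is never reached when an earlier target already matched. Since ordering appears to decide the outcome, the rule deserves the same kind of note the `.*` entry already has, e.g. `<!-- regex; deliberately placed before the catch-all .* rule below - rules appear to be matched in document order, first match wins (confirm against RolesAuthorization) -->`. Without it a future reorder would silently change what the tests prove.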
@@ -57,4 +63,15 @@
</operation>
</operations>
</authorization-target>
+ <authorization-target>
+ <name>otherdomain:*</name>
+ <operations>
+ <operation>
+ <name>frunubucate</name>
+ <roles>
+ <role>JBossAdmin</role>
+ </roles>
+ </operation>
+ </operations>
+ </authorization-target>
</authorization-rules>
\ No newline at end of file
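Review bot: The new `otherdomain:*` target grants only `frunubucate` to JBossAdmin, and the one test that touches it (`testNoRuleForOperation`) invokes `list` expecting denial, but nothing in the file says the target exists to prove that an object-name match with no matching operation rule is a deny. A comment above the target, e.g. `<!-- test fixture: only "frunubucate" is granted here; any other operation on otherdomain:* must be denied because no operation rule matches -->`, would keep the next editor from "fixing" it by adding a rule. The file also still ends without a trailing newline.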