added KerberosAuth test
Bilal Al committed Sep 4, 2024
1 parent 03e2750 commit bf9f600
Showing 2 changed files with 71 additions and 6 deletions.
@@ -80,20 +80,24 @@ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
*
* @throws LoginException
*/
private void buildSubjectCredentials() throws LoginException {
protected void buildSubjectCredentials() throws LoginException {
Subject subject = new Subject();
/**
* We are not getting the TGT from KDC here. The actual TGT is got from the
* KDC using kinit or equivalent but we use the cached TGT in order to build
* the LoginContext and populate the TGT inside the Subject using
* Krb5LoginModule
*/
LoginContext lc = new LoginContext("Krb5LoginContext", subject, null,
(krbOptions != null) ? new KerberosLoginConfiguration(krbOptions) : new KerberosLoginConfiguration());

LoginContext lc = getLoginContext(subject);
lc.login();
loginContext = lc;
}

protected LoginContext getLoginContext(Subject subject) throws LoginException {
return new LoginContext("Krb5LoginContext", subject, null,
(krbOptions != null) ? new KerberosLoginConfiguration(krbOptions) : new KerberosLoginConfiguration());
}
/**
* This method is responsible for getting the client principal name from the
* subject's principal set
@@ -102,15 +106,15 @@ private void buildSubjectCredentials() throws LoginException {
* @throws IllegalStateException if there is more than 0 or more than 1
* principal is present
*/
private String getClientPrincipalName() {
protected String getClientPrincipalName() {
final Set<Principal> principalSet = getContextSubject().getPrincipals();
if (principalSet.size() != 1)
throw new IllegalStateException(
"Only one principal is expected. Found 0 or more than one principals :" + principalSet);
return principalSet.iterator().next().getName();
}

private Subject getContextSubject() {
protected Subject getContextSubject() {
Subject subject = loginContext.getSubject();
if (subject == null)
throw new IllegalStateException("Kerberos login context without subject");
@@ -127,7 +131,7 @@ private Subject getContextSubject() {
* need to authenticate
* @return the HTTP Authorization header token
*/
private String buildAuthorizationHeader(String serverPrincipalName) throws LoginException, PrivilegedActionException {
protected String buildAuthorizationHeader(String serverPrincipalName) throws LoginException, PrivilegedActionException {
/*
* Get the principal from the Subject's private credentials and populate the
* client and server principal name for the GSS API
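Review bot: The four methods moved from `private` to `protected` here, and the new `getLoginContext`, are opened wider than the added test needs: the test class is declared in `io.split.service` and uses the interceptor without an import, so package-private access would be enough. Unless the class is final, `protected` also lets a subclass in any package override `getLoginContext` or `buildAuthorizationHeader` and call `getContextSubject`, which returns the Subject that the comment in `buildSubjectCredentials` says is populated with the cached TGT. I would drop the modifier and mark the intent on each method, for example `LoginContext getLoginContext(Subject subject) throws LoginException { // package-private: visible for testing`. The new `getLoginContext` also has no Javadoc and no blank line before the comment block that follows it, and the body of `buildAuthorizationHeader` continues outside the visible hunk.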
@@ -0,0 +1,61 @@
package io.split.service;

import org.glassfish.grizzly.http.server.Request;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.core.Is.is;
import static org.hamcrest.core.IsEqual.equalTo;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.verify;
import static org.mockito.internal.verification.VerificationModeFactory.times;
import static org.powermock.api.mockito.PowerMockito.*;

import java.util.Arrays;


@RunWith(PowerMockRunner.class)
@PrepareForTest(HTTPKerberosAuthInterceptor.class)
public class HTTPKerberosAuthIntercepterTest {

@Test
public void testBasicFlow() throws Exception {
HTTPKerberosAuthInterceptor kerberosAuthInterceptor = mock(HTTPKerberosAuthInterceptor.class);
LoginContext loginContext = PowerMockito.mock(LoginContext.class);
when(kerberosAuthInterceptor.getLoginContext(any())).thenReturn((loginContext));

doCallRealMethod().when(kerberosAuthInterceptor).buildSubjectCredentials();
kerberosAuthInterceptor.buildSubjectCredentials();
verify(loginContext, times(1)).login();

Subject subject = new Subject();
when(loginContext.getSubject()).thenReturn(subject);
doCallRealMethod().when(kerberosAuthInterceptor).getContextSubject();
kerberosAuthInterceptor.getContextSubject();
verify(loginContext, times(1)).getSubject();

subject.getPrincipals().add(new KerberosPrincipal("bilal"));
subject.getPublicCredentials().add(new KerberosPrincipal("name"));
subject.getPrivateCredentials().add(new KerberosPrincipal("name"));

doCallRealMethod().when(kerberosAuthInterceptor).getClientPrincipalName();
assertThat(kerberosAuthInterceptor.getClientPrincipalName(), is(equalTo("[email protected]"))) ;
verify(loginContext, times(2)).getSubject();

when(kerberosAuthInterceptor.buildAuthorizationHeader(any())).thenReturn("secured-token");
okhttp3.Request originalRequest = new okhttp3.Request.Builder().url("http://somthing").build();
okhttp3.Response response = new okhttp3.Response.Builder().code(200).request(originalRequest).
protocol(okhttp3.Protocol.HTTP_1_1).message("ok").build();
doCallRealMethod().when(kerberosAuthInterceptor).authenticate(null, response);
okhttp3.Request request = kerberosAuthInterceptor.authenticate(null, response);
assertThat(request.headers("Proxy-authorization"), is(equalTo(Arrays.asList("Negotiate secured-token"))));
}
}
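Review bot: `testBasicFlow` covers only the success path and stubs `buildAuthorizationHeader` to return "secured-token", so neither the token generation nor any rejection branch of the interceptor is exercised. The `IllegalStateException` branches in `getClientPrincipalName` (principal count other than one) and `getContextSubject` (null subject), and a `LoginException` thrown by `login()`, each deserve a separate test, since those are the checks that stop the flow when the Kerberos identity is missing or ambiguous. A sketch for the empty-principal case, using only the stubbing style already in this file, follows. Separately, `new KerberosPrincipal("bilal")` is given no realm, so the expected name presumably depends on a default realm being configured where the test runs; passing a fully qualified name would remove that dependency.

```java
@Test(expected = IllegalStateException.class)
public void testClientPrincipalNameRejectsEmptySubject() throws Exception {
    HTTPKerberosAuthInterceptor kerberosAuthInterceptor = mock(HTTPKerberosAuthInterceptor.class);
    LoginContext loginContext = PowerMockito.mock(LoginContext.class);
    when(kerberosAuthInterceptor.getLoginContext(any())).thenReturn(loginContext);
    when(loginContext.getSubject()).thenReturn(new Subject());
    doCallRealMethod().when(kerberosAuthInterceptor).buildSubjectCredentials();
    doCallRealMethod().when(kerberosAuthInterceptor).getContextSubject();
    doCallRealMethod().when(kerberosAuthInterceptor).getClientPrincipalName();

    kerberosAuthInterceptor.buildSubjectCredentials();
    // No principal was added to the Subject, so the size check must reject it.
    kerberosAuthInterceptor.getClientPrincipalName();
}
```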
