/**
 * Builds the {@link FilterConfigException} for a validation failure.
 *
 * @param errorid identifier of the validation failure
 * @param args values attached to the exception
 * @return a new exception carrying {@code errorid} and {@code args}
 */
protected FilterConfigException createFilterException(String errorid, Object... args) {
    FilterConfigException exception = new FilterConfigException(errorid, args);
    return exception;
}
assertEquals( AuthenticationKeyFilterConfigException.INVALID_AUTH_KEY_MAPPER_PARAMETER_$3, ex.getId()); assertEquals(1, ex.getArgs().length); assertEquals("param3", ex.getArgs()[0]); LOGGER.info(ex.getMessage()); failed = true;
/**
 * Runs the shared pre-authentication checks and then verifies that a role service name which
 * does not resolve is rejected when the role source is {@code J2EERoleSource.J2EE}.
 *
 * <p>On return the configuration's role service name is set to
 * {@code XMLRoleService.DEFAULT_NAME}.
 *
 * @param config the filter configuration under test; it is modified by this method
 * @throws Exception if one of the validation calls fails unexpectedly
 */
public void check(J2eeAuthenticationBaseFilterConfig config) throws Exception {
    // The checks written for the parent configuration type apply here as well.
    check((PreAuthenticatedUserNameFilterConfig) config);

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());
    config.setRoleSource(J2EERoleSource.J2EE);
    config.setRoleServiceName("blabla");

    try {
        configValidator.validateFilterConfig(config);
        fail("unknown role service should fail");
    } catch (FilterConfigException rejected) {
        Object[] reportedArgs = rejected.getArgs();
        assertEquals(FilterConfigException.UNKNOWN_ROLE_SERVICE, rejected.getId());
        assertEquals(1, reportedArgs.length);
        // The offending service name is reported back as the only argument.
        assertEquals("blabla", reportedArgs[0]);
    }

    // Leave the configuration pointing at the default role service.
    config.setRoleServiceName(XMLRoleService.DEFAULT_NAME);
}
validator.validateCASFilterConfig(config); } catch (FilterConfigException ex){ assertEquals(FilterConfigException.ROLE_SOURCE_NEEDED,ex.getId()); assertEquals(0,ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateCASFilterConfig(config); } catch (FilterConfigException ex){ assertEquals(FilterConfigException.USER_GROUP_SERVICE_NEEDED,ex.getId()); assertEquals(0,ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateCASFilterConfig(config); } catch (FilterConfigException ex){ assertEquals(FilterConfigException.UNKNOWN_USER_GROUP_SERVICE,ex.getId()); assertEquals(1,ex.getArgs().length); assertEquals("blabla",ex.getArgs()[0]); LOGGER.info(ex.getMessage()); failed=true; validator.validateCASFilterConfig(config); } catch (FilterConfigException ex){ assertEquals(FilterConfigException.UNKNOWN_ROLE_SERVICE,ex.getId()); assertEquals(1,ex.getArgs().length); assertEquals("blabla",ex.getArgs()[0]); LOGGER.info(ex.getMessage()); failed=true; validator.validateCASFilterConfig(config);
/**
 * Checks that a security interceptor filter configuration is rejected when its security
 * metadata source is missing, and again when it names an unknown source.
 */
@Test
public void testSecurityInterceptorFilterConfigValidation() throws Exception {
    SecurityInterceptorFilterConfig interceptorConfig = new SecurityInterceptorFilterConfig();
    interceptorConfig.setClassName(GeoServerSecurityInterceptorFilter.class.getName());
    interceptorConfig.setName("testInterceptFilter");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Case 1: no metadata source configured at all.
    try {
        configValidator.validateFilterConfig(interceptorConfig);
        fail("no metadata source should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.SECURITY_METADATA_SOURCE_NEEDED, rejected.getId());
        assertEquals(0, rejected.getArgs().length);
    }

    // Case 2: a metadata source name that the validator does not recognise.
    interceptorConfig.setSecurityMetadataSource("unknown");
    try {
        configValidator.validateFilterConfig(interceptorConfig);
        fail("unknown metadata source should fail");
    } catch (FilterConfigException rejected) {
        Object[] reportedArgs = rejected.getArgs();
        assertEquals(FilterConfigException.UNKNOWN_SECURITY_METADATA_SOURCE, rejected.getId());
        assertEquals(1, reportedArgs.length);
        assertEquals("unknown", reportedArgs[0]);
    }
}
validator.validateFilterConfig(config); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.USER_GROUP_SERVICE_NEEDED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateFilterConfig(config); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.UNKNOWN_USER_GROUP_SERVICE, ex.getId()); assertEquals(1, ex.getArgs().length); assertEquals("blabla", ex.getArgs()[0]); LOGGER.info(ex.getMessage()); failed = true;
/**
 * Checks entry-point validation of an exception translation filter configuration: an unknown
 * authentication filter name is rejected with {@code INVALID_ENTRY_POINT}, the security
 * interceptor filter name is rejected with {@code NO_AUTH_ENTRY_POINT}, and a {@code null}
 * name passes validation.
 */
@Test
public void testExceptionTranslationFilterConfigValidation() throws Exception {
    ExceptionTranslationFilterConfig translationConfig = new ExceptionTranslationFilterConfig();
    translationConfig.setClassName(GeoServerExceptionTranslationFilter.class.getName());
    translationConfig.setName("testEx");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Case 1: the referenced authentication filter does not exist.
    translationConfig.setAuthenticationFilterName("unknown");
    try {
        configValidator.validateFilterConfig(translationConfig);
        fail("invalid entry point should fail");
    } catch (FilterConfigException rejected) {
        Object[] reportedArgs = rejected.getArgs();
        assertEquals(FilterConfigException.INVALID_ENTRY_POINT, rejected.getId());
        assertEquals(1, reportedArgs.length);
        assertEquals("unknown", reportedArgs[0]);
    }

    // Case 2: the referenced filter is the security interceptor, which the validator
    // reports as having no authentication entry point.
    translationConfig.setAuthenticationFilterName(
            GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR);
    try {
        configValidator.validateFilterConfig(translationConfig);
        fail("no auth entry point should fail");
    } catch (FilterConfigException rejected) {
        Object[] reportedArgs = rejected.getArgs();
        assertEquals(FilterConfigException.NO_AUTH_ENTRY_POINT, rejected.getId());
        assertEquals(1, reportedArgs.length);
        assertEquals(GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR, reportedArgs[0]);
    }

    // Case 3: leaving the authentication filter name unset must validate cleanly.
    translationConfig.setAuthenticationFilterName(null);
    configValidator.validateFilterConfig(translationConfig);
}
/**
 * Validates the configuration type and content.
 *
 * <p>A configuration that is not a {@link GeoServerKeycloakFilterConfig} is rejected. Otherwise
 * the Keycloak-specific content is validated first and the inherited validation runs
 * afterwards.
 *
 * @param config the configuration to validate
 * @throws FilterConfigException if the configuration has the wrong type or is invalid
 */
@Override
public void validateFilterConfig(SecurityNamedServiceConfig config)
        throws FilterConfigException {
    LOG.log(Level.FINER, "GeoServerKeycloakFilterConfigValidator.validateFilterConfig ENTRY");

    if (!(config instanceof GeoServerKeycloakFilterConfig)) {
        LOG.log(Level.FINE, "invalid config type");
        // NOTE(review): a null config also reaches this branch, and config.getClass() then
        // fails with NullPointerException instead of FilterConfigException; confirm that
        // callers never pass null.
        throw new FilterConfigException(
                FilterConfigException.CLASS_WRONG_TYPE_$2,
                "configuration type is not appropriate for the requested filter type",
                config.getClass().getName(),
                GeoServerKeycloakFilterConfig.class.getName());
    }

    LOG.log(Level.FINE, "valid config type");
    // Keycloak-specific checks run before the generic ones in the superclass.
    validateKeycloakConfig((GeoServerKeycloakFilterConfig) config);
    super.validateFilterConfig(config);
}
validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage());
/**
 * Checks that a role filter configuration is rejected without a response header attribute and
 * with an unknown role converter name, and that it validates once the converter name is
 * {@code null}.
 */
@Test
public void testRoleFilterConfigValidation() throws Exception {
    RoleFilterConfig roleConfig = new RoleFilterConfig();
    roleConfig.setClassName(GeoServerRoleFilter.class.getName());
    roleConfig.setName("testRoleFilter");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Case 1: the header attribute for the included roles is not set.
    try {
        configValidator.validateFilterConfig(roleConfig);
        fail("no header attribute should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.HEADER_ATTRIBUTE_NAME_REQUIRED, rejected.getId());
        assertEquals(0, rejected.getArgs().length);
    }

    // Case 2: header attribute present, but the role converter name does not resolve.
    roleConfig.setHttpResponseHeaderAttrForIncludedRoles("roles");
    roleConfig.setRoleConverterName("unknown");
    try {
        configValidator.validateFilterConfig(roleConfig);
        fail("unkonwn role converter should fail");
    } catch (FilterConfigException rejected) {
        Object[] reportedArgs = rejected.getArgs();
        assertEquals(FilterConfigException.UNKNOWN_ROLE_CONVERTER, rejected.getId());
        assertEquals(1, reportedArgs.length);
        assertEquals("unknown", reportedArgs[0]);
    }

    // Case 3: without a converter name the configuration must validate cleanly.
    roleConfig.setRoleConverterName(null);
    configValidator.validateFilterConfig(roleConfig);
}
/**
 * Validates the configuration content by building a throwaway Keycloak deployment from it. Any
 * failure is rethrown as a {@link FilterConfigException} so that GeoServer can process it as
 * security-related.
 *
 * @param config the configuration to validate
 * @throws FilterConfigException if the configuration is invalid
 */
public void validateKeycloakConfig(GeoServerKeycloakFilterConfig config)
        throws FilterConfigException {
    try {
        // The built deployment is discarded; only whether the build succeeds matters here.
        KeycloakDeploymentBuilder.build(config.readAdapterConfig());
        LOG.log(Level.FINE, "valid Keycloak config");
    } catch (IOException | RuntimeException buildFailure) {
        LOG.log(Level.FINE, "invalid Keycloak config", buildFailure);
        // NOTE(review): the original exception is not attached as the cause, so its stack
        // trace survives only in the FINE log record above. The first constructor argument is
        // null here, where other call sites pass an error id.
        // NOTE(review): the underlying exception's message is passed through unchanged;
        // confirm it cannot echo sensitive values from the adapter configuration.
        String detail = buildFailure.getLocalizedMessage();
        throw new FilterConfigException(null, detail);
    }
}
}
validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage());
fail("no role source should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.ROLE_SOURCE_NEEDED, ex.getId()); assertEquals(0, ex.getArgs().length); fail("no user group service should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.USER_GROUP_SERVICE_NEEDED, ex.getId()); assertEquals(0, ex.getArgs().length); fail("unknown group service should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.UNKNOWN_USER_GROUP_SERVICE, ex.getId()); assertEquals(1, ex.getArgs().length); assertEquals("blabla", ex.getArgs()[0]); fail("unknown role service should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.UNKNOWN_ROLE_SERVICE, ex.getId()); assertEquals(1, ex.getArgs().length); assertEquals("blabla", ex.getArgs()[0]); fail("no roles header attribute should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.ROLES_HEADER_ATTRIBUTE_NEEDED, ex.getId()); assertEquals(0, ex.getArgs().length); fail("unknown role converter should fail"); } catch (FilterConfigException ex) {
validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); validator.validateOAuth2FilterConfig(config); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage()); } catch (FilterConfigException ex) { assertEquals(OAuth2FilterConfigException.OAUTH2_CLIENT_ID_REQUIRED, ex.getId()); assertEquals(0, ex.getArgs().length); LOGGER.info(ex.getMessage());
fail("no user group service should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.USER_GROUP_SERVICE_NEEDED, ex.getId()); assertEquals(0, ex.getArgs().length); fail("unknown user group service should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.UNKNOWN_USER_GROUP_SERVICE, ex.getId()); assertEquals(1, ex.getArgs().length); assertEquals("blabla", ex.getArgs()[0]); fail("invalid nonce should fail"); } catch (FilterConfigException ex) { assertEquals(FilterConfigException.INVALID_SECONDS, ex.getId()); assertEquals(0, ex.getArgs().length);
/**
 * Checks that a username/password filter configuration is rejected while the username
 * parameter name or the password parameter name is missing, and validates once both are set.
 */
@Test
public void testUsernamePasswordFilterConfigValidation() throws Exception {
    UsernamePasswordAuthenticationFilterConfig formConfig =
            new UsernamePasswordAuthenticationFilterConfig();
    formConfig.setClassName(GeoServerUserNamePasswordAuthenticationFilter.class.getName());
    formConfig.setName("testUsernamePassword");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Case 1: neither parameter name is configured; the username is reported first.
    try {
        configValidator.validateFilterConfig(formConfig);
        fail("no user should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.USER_PARAMETER_NAME_NEEDED, rejected.getId());
        assertEquals(0, rejected.getArgs().length);
    }

    // Case 2: username parameter present, password parameter still missing.
    formConfig.setUsernameParameterName("user");
    try {
        configValidator.validateFilterConfig(formConfig);
        fail("no password should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.PASSWORD_PARAMETER_NAME_NEEDED, rejected.getId());
        assertEquals(0, rejected.getArgs().length);
    }

    // Case 3: both parameter names set, so validation must pass.
    formConfig.setPasswordParameterName("password");
    configValidator.validateFilterConfig(formConfig);
}
/**
 * Checks that a request header authentication filter configuration is rejected without a
 * principal header attribute, then runs the shared pre-authentication checks on it.
 */
@Test
public void testRequestHeaderFilterConfigValidation() throws Exception {
    RequestHeaderAuthenticationFilterConfig headerConfig =
            new RequestHeaderAuthenticationFilterConfig();
    headerConfig.setClassName(GeoServerRequestHeaderAuthenticationFilter.class.getName());
    headerConfig.setName("testRequestHeader");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Without a principal header attribute the configuration must be rejected.
    try {
        configValidator.validateFilterConfig(headerConfig);
        fail("no principal header attribute should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.PRINCIPAL_HEADER_ATTRIBUTE_NEEDED, rejected.getId());
        assertEquals(0, rejected.getArgs().length);
    }

    // With the attribute set, the remaining checks are the shared ones.
    headerConfig.setPrincipalHeaderAttribute("user");
    check((PreAuthenticatedUserNameFilterConfig) headerConfig);
}
}