ACLTest.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.zookeeper.test;

import static org.apache.zookeeper.test.ClientBase.CONNECTION_TIMEOUT;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.KeeperException.InvalidACLException;
import org.apache.zookeeper.PortAssignment;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZKTestCase;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.ServerCnxnFactory;
import org.apache.zookeeper.server.SyncRequestProcessor;
import org.apache.zookeeper.server.ZooKeeperServer;
import org.apache.zookeeper.server.auth.IPAuthenticationProvider;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ACLTest extends ZKTestCase implements Watcher {

    private static final Logger LOG = LoggerFactory.getLogger(ACLTest.class);
    private static final String HOSTPORT = "127.0.0.1:" + PortAssignment.unique();
    private volatile CountDownLatch startSignal;

    @Test
    public void testIPAuthenticationIsValidCIDR() throws Exception {
        IPAuthenticationProvider prov = new IPAuthenticationProvider();
        assertTrue(prov.isValid("127.0.0.1"), "testing no netmask");
        assertTrue(prov.isValid("127.0.0.1/32"), "testing single ip netmask");
        assertTrue(prov.isValid("127.0.0.1/0"), "testing lowest netmask possible");
        assertFalse(prov.isValid("127.0.0.1/33"), "testing netmask too high");
        assertFalse(prov.isValid("10.0.0.1/-1"), "testing netmask too low");
    }

    @Test
    public void testNettyIpAuthDefault(@TempDir File tmpDir) throws Exception {
        String HOSTPORT = "127.0.0.1:" + PortAssignment.unique();
        System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        SyncRequestProcessor.setSnapCount(1000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        try {
            LOG.info("starting up the zookeeper server .. waiting");
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server being up");
            ClientBase.createZKClient(HOSTPORT);
            for (ServerCnxn cnxn : f.getConnections()) {
                boolean foundID = false;
                for (Id id : cnxn.getAuthInfo()) {
                    if (id.getScheme().equals("ip")) {
                        foundID = true;
                        break;
                    }
                }
                assertTrue(foundID);
            }
        } finally {
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server down");
            System.clearProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY);
        }
    }

    @Test
    public void testDisconnectedAddAuth(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        SyncRequestProcessor.setSnapCount(1000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        try {
            LOG.info("starting up the zookeeper server .. waiting");
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server being up");
            ZooKeeper zk = ClientBase.createZKClient(HOSTPORT);
            try {
                zk.addAuthInfo("digest", "pat:test".getBytes());
                zk.setACL("/", Ids.CREATOR_ALL_ACL, -1);
            } finally {
                zk.close();
            }
        } finally {
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }
    }

    /**
     * Verify that acl optimization of storing just
     * a few acls and there references in the data
     * node is actually working.
     */
    @Test
    public void testAcls(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        SyncRequestProcessor.setSnapCount(1000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        ZooKeeper zk;
        String path;
        try {
            LOG.info("starting up the zookeeper server .. waiting");
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server being up");
            zk = ClientBase.createZKClient(HOSTPORT);
            LOG.info("starting creating acls");
            for (int i = 0; i < 100; i++) {
                path = "/" + i;
                zk.create(path, path.getBytes(), Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
            }
            int size = zks.getZKDatabase().getAclSize();
            assertTrue((2 == zks.getZKDatabase().getAclSize()), "size of the acl map ");
            for (int j = 100; j < 200; j++) {
                path = "/" + j;
                ACL acl = new ACL();
                acl.setPerms(0);
                Id id = new Id();
                id.setId("1.1.1." + j);
                id.setScheme("ip");
                acl.setId(id);
                List<ACL> list = new ArrayList<>();
                list.add(acl);
                zk.create(path, path.getBytes(), list, CreateMode.PERSISTENT);
            }
            assertTrue((102 == zks.getZKDatabase().getAclSize()), "size of the acl map ");
        } finally {
            // now shutdown the server and restart it
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server down");
        }

        zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        f = ServerCnxnFactory.createFactory(PORT, -1);

        f.startup(zks);
        try {
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server up");
            zk = ClientBase.createZKClient(HOSTPORT);
            assertTrue((102 == zks.getZKDatabase().getAclSize()), "acl map ");
            for (int j = 200; j < 205; j++) {
                path = "/" + j;
                ACL acl = new ACL();
                acl.setPerms(0);
                Id id = new Id();
                id.setId("1.1.1." + j);
                id.setScheme("ip");
                acl.setId(id);
                ArrayList<ACL> list = new ArrayList<>();
                list.add(acl);
                zk.create(path, path.getBytes(), list, CreateMode.PERSISTENT);
            }
            assertTrue((107 == zks.getZKDatabase().getAclSize()), "acl map ");

            zk.close();
        } finally {
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }

    }

    /*
     * (non-Javadoc)
     *
     * @see org.apache.zookeeper.Watcher#process(org.apache.zookeeper.WatcherEvent)
     */
    public void process(WatchedEvent event) {
        LOG.info("Event:{} {} {}", event.getState(), event.getType(), event.getPath());
        if (event.getState() == KeeperState.SyncConnected) {
            if (startSignal != null && startSignal.getCount() > 0) {
                LOG.info("startsignal.countDown()");
                startSignal.countDown();
            } else {
                LOG.warn("startsignal {}", startSignal);
            }
        }
    }

    @Test
    public void testNullACL(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        ZooKeeper zk = ClientBase.createZKClient(HOSTPORT);
        try {
            // case 1 : null ACL with create
            try {
                zk.create("/foo", "foo".getBytes(), null, CreateMode.PERSISTENT);
                fail("Expected InvalidACLException for null ACL parameter");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }

            // case 2 : null ACL with other create API
            try {
                zk.create("/foo", "foo".getBytes(), null, CreateMode.PERSISTENT, null);
                fail("Expected InvalidACLException for null ACL parameter");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }

            // case 3 : null ACL with setACL
            try {
                zk.setACL("/foo", null, 0);
                fail("Expected InvalidACLException for null ACL parameter");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }
        } finally {
            zk.close();
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }
    }

    @Test
    public void testNullValueACL(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        ZooKeeper zk = ClientBase.createZKClient(HOSTPORT);
        try {

            List<ACL> acls = new ArrayList<>();
            acls.add(null);

            // case 1 : null value in ACL list with create
            try {
                zk.create("/foo", "foo".getBytes(), acls, CreateMode.PERSISTENT);
                fail("Expected InvalidACLException for null value in ACL List");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }

            // case 2 : null value in ACL list with other create API
            try {
                zk.create("/foo", "foo".getBytes(), acls, CreateMode.PERSISTENT, null);
                fail("Expected InvalidACLException for null value in ACL List");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }

            // case 3 : null value in ACL list with setACL
            try {
                zk.setACL("/foo", acls, -1);
                fail("Expected InvalidACLException for null value in ACL List");
            } catch (InvalidACLException e) {
                // Expected. Do nothing
            }
        } finally {
            zk.close();
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }
    }

    @Test
    public void testExistACLCheck(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        String path = "/testExistACLCheck";
        String data = "/testExistACLCheck-data";
        try {
            LOG.info("starting up the zookeeper server .. waiting");
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server being up");
            ZooKeeper zk = ClientBase.createZKClient(HOSTPORT);
            try {
                Stat stat = zk.exists(path, false);
                assertNull(stat);
                zk.create(path, data.getBytes(), Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
                stat = zk.exists(path, false);
                assertNotNull(stat);
                assertEquals(data.length(), stat.getDataLength());

                zk.delete(path, -1);
                ArrayList<ACL> acls = new ArrayList<>();
                acls.add(new ACL(ZooDefs.Perms.WRITE, Ids.ANYONE_ID_UNSAFE));
                zk.create(path, data.getBytes(), acls, CreateMode.PERSISTENT);
                try {
                    stat = zk.exists(path, false);
                    fail("exists should throw NoAuthException when don't have read permission");
                } catch (KeeperException.NoAuthException e) {
                    //expected
                }

                zk.delete(path, -1);
                acls = new ArrayList<>();
                acls.add(new ACL(ZooDefs.Perms.READ, Ids.ANYONE_ID_UNSAFE));
                zk.create(path, data.getBytes(), acls, CreateMode.PERSISTENT);
                stat = zk.exists(path, false);
                assertNotNull(stat);
                assertEquals(data.length(), stat.getDataLength());
            } finally {
                zk.close();
            }
        } finally {
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }
    }

    @Test
    public void testExistACLCheckAtRootPath(@TempDir File tmpDir) throws Exception {
        ClientBase.setupTestEnv();
        ZooKeeperServer zks = new ZooKeeperServer(tmpDir, tmpDir, 3000);
        final int PORT = Integer.parseInt(HOSTPORT.split(":")[1]);
        ServerCnxnFactory f = ServerCnxnFactory.createFactory(PORT, -1);
        f.startup(zks);
        try {
            LOG.info("starting up the zookeeper server .. waiting");
            assertTrue(ClientBase.waitForServerUp(HOSTPORT, CONNECTION_TIMEOUT), "waiting for server being up");
            ZooKeeper zk = ClientBase.createZKClient(HOSTPORT);
            try {
                String data = "/testExistACLCheckAtRootPath-data";
                zk.create("/a", data.getBytes(), Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
                ArrayList<ACL> acls = new ArrayList<>();
                acls.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
                zk.setACL("/", acls, -1);

                Stat stat = zk.exists("/a", false);
                assertNotNull(stat);
                assertEquals(data.length(), stat.getDataLength());
                try {
                    stat = zk.exists("/", false);
                    fail("exists should throw NoAuthException when removing root path's ACL permission");
                } catch (KeeperException.NoAuthException e) {
                    //expected
                }
            } finally {
                zk.close();
            }
        } finally {
            f.shutdown();
            zks.shutdown();
            assertTrue(ClientBase.waitForServerDown(HOSTPORT, ClientBase.CONNECTION_TIMEOUT), "waiting for server down");
        }
    }
}