Merge pull request #467 from marklogic-community/feature/174-all-auth-types

DEVEXP-174: Now supporting cert/kerberos/saml auth

Author: rjrudin

src/main/java/com/marklogic/appdeployer/DefaultAppConfigFactory.java

@@ -213,7 +213,7 @@ public void initialize() {
 			config.setAppServicesSecurityContextType(SecurityContextType.valueOf(prop.toUpperCase()));
 		});
 		propertyConsumerMap.put("mlAppServicesCertFile", (config, prop) -> {
-			logger.info("App Services cert file: " + prop);
+			logger.info("App Services certificate file: " + prop);
 			config.setAppServicesCertFile(prop);
 		});
 		propertyConsumerMap.put("mlAppServicesCertPassword", (config, prop) -> {
@@ -228,7 +228,6 @@ public void initialize() {
 			config.setAppServicesExternalName(prop);
 		});
 		propertyConsumerMap.put("mlAppServicesSamlToken", (config, prop) -> {
-			logger.info("App Services SAML token: " + prop);
 			config.setAppServicesSamlToken(prop);
 		});
 
@@ -307,19 +306,17 @@ public void initialize() {
 			config.setRestSecurityContextType(SecurityContextType.valueOf(prop.toUpperCase()));
 		});
 		propertyConsumerMap.put("mlRestCertFile", (config, prop) -> {
-			logger.info("REST cert file: " + prop);
+			logger.info("REST certificate file: " + prop);
 			config.setRestCertFile(prop);
 		});
 		propertyConsumerMap.put("mlRestCertPassword", (config, prop) -> {
-			logger.info("REST cert password: " + prop);
 			config.setRestCertPassword(prop);
 		});
 		propertyConsumerMap.put("mlRestExternalName", (config, prop) -> {
 			logger.info("REST external name: " + prop);
 			config.setRestExternalName(prop);
 		});
 		propertyConsumerMap.put("mlRestSamlToken", (config, prop) -> {
-			logger.info("REST SAML token: " + prop);
 			config.setRestSamlToken(prop);
 		});
 		propertyConsumerMap.put("mlRestBasePath", (config, prop) -> {

src/main/java/com/marklogic/mgmt/DefaultManageConfigFactory.java

@@ -43,6 +43,11 @@ public void initialize() {
 		    config.setPort(Integer.parseInt(prop));
 	    });
 
+		propertyConsumerMap.put("mlManageAuthentication", (config, prop) -> {
+			logger.info("Manage authentication: " + prop);
+			config.setSecurityContextType(prop);
+		});
+
 	    propertyConsumerMap.put("mlManageUsername", (config, prop) -> {
 		    logger.info("Manage username: " + prop);
 		    config.setUsername(prop);
@@ -72,6 +77,21 @@ public void initialize() {
 		    }
 	    });
 
+		propertyConsumerMap.put("mlManageCertFile", (config, prop) -> {
+			logger.info("Manage certificate file: " + prop);
+			config.setCertFile(prop);
+		});
+		propertyConsumerMap.put("mlManageCertPassword", (config, prop) -> {
+			config.setCertPassword(prop);
+		});
+		propertyConsumerMap.put("mlManageExternalName", (config, prop) -> {
+			logger.info("Manage external name: " + prop);
+			config.setExternalName(prop);
+		});
+		propertyConsumerMap.put("mlManageSamlToken", (config, prop) -> {
+			config.setSamlToken(prop);
+		});
+
 		propertyConsumerMap.put("mlManageBasePath", (config, prop) -> {
 			logger.info("Manage base path: " + prop);
 			config.setBasePath(prop);

src/main/java/com/marklogic/mgmt/ManageClient.java

@@ -63,7 +63,10 @@ public void setManageConfig(ManageConfig config) {
 		    }
 
 			RestConfig rc = new RestConfig(config);
-			// Override settings based on the 3 "security user"-specific properties known by ManageConfig
+			// Override settings based on the 3 "security user"-specific properties known by ManageConfig.
+			// Note that in 4.5.0, with the addition of cloud/certificate/kerberos/saml auth, this will only have any
+			// impact if the user is using digest or basic auth. There's no equivalent of a separate "security" user
+			// yet for the other 4 authentication types.
 			rc.setUsername(config.getSecurityUsername());
 			rc.setPassword(config.getSecurityPassword());
 		    if (config.getSecuritySslContext() != null) {

src/main/java/com/marklogic/mgmt/admin/DefaultAdminConfigFactory.java

@@ -42,6 +42,11 @@ public void initialize() {
 		    config.setPort(Integer.parseInt(prop));
 	    });
 
+		propertyConsumerMap.put("mlAdminAuthentication", (config, prop) -> {
+			logger.info("Admin authentication: " + prop);
+			config.setSecurityContextType(prop);
+		});
+
 	    /**
 	     * The Manage API endpoints in the Admin interface still just require the manage-admin role, so the value of
 	     * mlManageUsername should work for these calls.
@@ -68,6 +73,21 @@ public void initialize() {
 		    }
 	    });
 
+		propertyConsumerMap.put("mlAdminCertFile", (config, prop) -> {
+			logger.info("Admin certificate file: " + prop);
+			config.setCertFile(prop);
+		});
+		propertyConsumerMap.put("mlAdminCertPassword", (config, prop) -> {
+			config.setCertPassword(prop);
+		});
+		propertyConsumerMap.put("mlAdminExternalName", (config, prop) -> {
+			logger.info("Admin external name: " + prop);
+			config.setExternalName(prop);
+		});
+		propertyConsumerMap.put("mlAdminSamlToken", (config, prop) -> {
+			config.setSamlToken(prop);
+		});
+
 		propertyConsumerMap.put("mlAdminBasePath", (config, prop) -> {
 			logger.info("Admin base path: " + prop);
 			config.setBasePath(prop);

src/main/java/com/marklogic/mgmt/api/API.java

@@ -88,11 +88,9 @@ public void connect(String host, ManageConfig mc) {
 	    if (logger.isInfoEnabled()) {
 		    logger.info("Connecting to host: " + host);
 	    }
-	    SimplePropertySource sps = new SimplePropertySource("mlHost", host, "mlManageUsername", mc.getUsername(),
-		    "mlManagePassword", mc.getPassword(), "mlManageSimpleSsl", mc.isConfigureSimpleSsl() + "",
-		    "mlManageScheme", mc.getScheme(), "mlManagePort", mc.getPort() + "",
-		    "mlSecurityUsername", mc.getSecurityUsername(), "mlSecurityPassword", mc.getSecurityPassword());
-	    this.manageClient = new ManageClient(new DefaultManageConfigFactory(sps).newManageConfig());
+		ManageConfig newConfig = new ManageConfig(mc);
+		newConfig.setHost(host);
+	    this.manageClient = new ManageClient(newConfig);
 	    if (logger.isInfoEnabled()) {
 		    logger.info("Connected to host: " + host);
 	    }

src/main/java/com/marklogic/rest/util/RestConfig.java

@@ -16,9 +16,16 @@ public class RestConfig {
 
 	private String host;
 	private int port;
+	// Defaulting this for backwards-compatibility reasons in 4.5.0
+	private String securityContextType = "digest";
 	private String username;
 	private String password;
 	private String cloudApiKey;
+	private String certFile;
+	private String certPassword;
+	private String externalName;
+	private String samlToken;
+
 	private String basePath;
 	private String scheme = "http";
 
@@ -64,11 +71,14 @@ public DatabaseClientBuilder newDatabaseClientBuilder() {
 			.withHost(getHost())
 			.withPort(getPort())
 			.withBasePath(getBasePath())
-			// TODO Will support all types before the 4.5.0 release
-			.withSecurityContextType(StringUtils.hasText(getCloudApiKey()) ? "cloud" : "digest")
+			.withSecurityContextType(getSecurityContextType())
 			.withUsername(getUsername())
 			.withPassword(getPassword())
-			.withCloudApiKey(getCloudApiKey());
+			.withCloudApiKey(getCloudApiKey())
+			.withCertificateFile(getCertFile())
+			.withCertificatePassword(getCertPassword())
+			.withKerberosPrincipal(getExternalName())
+			.withSAMLToken(getSamlToken());
 
 		if (getSslContext() != null) {
 			builder.withSSLContext(getSslContext());
@@ -246,4 +256,44 @@ public String getBasePath() {
 	public void setBasePath(String basePath) {
 		this.basePath = basePath;
 	}
+
+	public String getSecurityContextType() {
+		return securityContextType;
+	}
+
+	public void setSecurityContextType(String securityContextType) {
+		this.securityContextType = securityContextType;
+	}
+
+	public String getCertFile() {
+		return certFile;
+	}
+
+	public void setCertFile(String certFile) {
+		this.certFile = certFile;
+	}
+
+	public String getCertPassword() {
+		return certPassword;
+	}
+
+	public void setCertPassword(String certPassword) {
+		this.certPassword = certPassword;
+	}
+
+	public String getExternalName() {
+		return externalName;
+	}
+
+	public void setExternalName(String externalName) {
+		this.externalName = externalName;
+	}
+
+	public String getSamlToken() {
+		return samlToken;
+	}
+
+	public void setSamlToken(String samlToken) {
+		this.samlToken = samlToken;
+	}
 }

src/test/java/com/marklogic/mgmt/DefaultManageConfigFactoryTest.java

@@ -1,5 +1,7 @@
 package com.marklogic.mgmt;
 
+import com.marklogic.client.DatabaseClientFactory;
+import com.marklogic.mgmt.admin.AdminConfig;
 import com.marklogic.mgmt.util.SimplePropertySource;
 import org.junit.jupiter.api.Test;
 
@@ -103,6 +105,7 @@ public void mlManageHost() {
 	void cloudApiKeyAndBasePath() {
 		ManageConfig config = configure(
 			"mlCloudApiKey", "my-key",
+			"mlManageAuthentication", "cloud",
 			"mlManageBasePath", "/manage/path",
 			"mlManagePort", "8002",
 			"mlManageScheme", "http"
@@ -113,6 +116,53 @@ void cloudApiKeyAndBasePath() {
 		assertEquals(443, config.getPort(), "When a cloud API key is provided, the mlManagePort and mlManageScheme " +
 			"options should be overridden since https/443 are guaranteed to be the correct values");
 		assertEquals("https", config.getScheme());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.MarkLogicCloudAuthContext);
+		assertEquals("my-key", ((DatabaseClientFactory.MarkLogicCloudAuthContext)bean.getSecurityContext()).getKey());
+	}
+
+	@Test
+	void certificateAuth() {
+		ManageConfig config = configure(
+			"mlManageAuthentication", "certificate",
+			"mlManageCertFile", "my-file.crt",
+			"mlManageCertPassword", "passwd"
+		);
+
+		assertEquals("certificate", config.getSecurityContextType());
+		assertEquals("my-file.crt", config.getCertFile());
+		assertEquals("passwd", config.getCertPassword());
+	}
+
+	@Test
+	void kerberosAuth() {
+		ManageConfig config = configure(
+			"mlManageAuthentication", "kerberos",
+			"mlManageExternalName", "my-name"
+		);
+
+		assertEquals("kerberos", config.getSecurityContextType());
+		assertEquals("my-name", config.getExternalName());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.KerberosAuthContext);
+		assertEquals("my-name", ((DatabaseClientFactory.KerberosAuthContext)bean.getSecurityContext()).getKrbOptions().get("principal"));
+	}
+
+	@Test
+	void samlAuth() {
+		ManageConfig config = configure(
+			"mlManageAuthentication", "saml",
+			"mlManageSamlToken", "my-token"
+		);
+
+		assertEquals("saml", config.getSecurityContextType());
+		assertEquals("my-token", config.getSamlToken());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.SAMLAuthContext);
+		assertEquals("my-token", ((DatabaseClientFactory.SAMLAuthContext)bean.getSecurityContext()).getToken());
 	}
 
 	private ManageConfig configure(String... properties) {

src/test/java/com/marklogic/mgmt/admin/DefaultAdminConfigFactoryTest.java

@@ -1,9 +1,12 @@
 package com.marklogic.mgmt.admin;
 
+import com.marklogic.client.DatabaseClientFactory;
 import com.marklogic.mgmt.util.SimplePropertySource;
+import com.marklogic.rest.util.RestTemplateUtil;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 public class DefaultAdminConfigFactoryTest  {
@@ -59,17 +62,65 @@ public void sslProperties() {
 
 	@Test
 	void cloudApiKeyAndBasePath() {
-		AdminConfig config = new DefaultAdminConfigFactory(new SimplePropertySource(
+		AdminConfig config = configure(
 			"mlCloudApiKey", "my-key",
+			"mlAdminAuthentication", "cloud",
 			"mlAdminBasePath", "/admin/path",
 			"mlAdminPort", "8001",
 			"mlAdminScheme", "http"
-		)).newAdminConfig();
+		);
 
 		assertEquals("my-key", config.getCloudApiKey());
 		assertEquals("/admin/path", config.getBasePath());
 		assertEquals(443, config.getPort(), "When a cloud API key is provided, https and 443 should be assumed");
 		assertEquals("https", config.getScheme());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.MarkLogicCloudAuthContext);
+		assertEquals("my-key", ((DatabaseClientFactory.MarkLogicCloudAuthContext)bean.getSecurityContext()).getKey());
+	}
+
+	@Test
+	void certificateAuth() {
+		AdminConfig config = configure(
+			"mlAdminAuthentication", "certificate",
+			"mlAdminCertFile", "my-file.crt",
+			"mlAdminCertPassword", "passwd"
+		);
+
+		assertEquals("certificate", config.getSecurityContextType());
+		assertEquals("my-file.crt", config.getCertFile());
+		assertEquals("passwd", config.getCertPassword());
+	}
+
+	@Test
+	void kerberosAuth() {
+		AdminConfig config = configure(
+			"mlAdminAuthentication", "kerberos",
+			"mlAdminExternalName", "my-name"
+		);
+
+		assertEquals("kerberos", config.getSecurityContextType());
+		assertEquals("my-name", config.getExternalName());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.KerberosAuthContext);
+		assertEquals("my-name", ((DatabaseClientFactory.KerberosAuthContext)bean.getSecurityContext()).getKrbOptions().get("principal"));
+	}
+
+	@Test
+	void samlAuth() {
+		AdminConfig config = configure(
+			"mlAdminAuthentication", "saml",
+			"mlAdminSamlToken", "my-token"
+		);
+
+		assertEquals("saml", config.getSecurityContextType());
+		assertEquals("my-token", config.getSamlToken());
+
+		DatabaseClientFactory.Bean bean = config.newDatabaseClientBuilder().buildBean();
+		assertTrue(bean.getSecurityContext() instanceof DatabaseClientFactory.SAMLAuthContext);
+		assertEquals("my-token", ((DatabaseClientFactory.SAMLAuthContext)bean.getSecurityContext()).getToken());
 	}
 
 	private AdminConfig configure(String... properties) {