Check for Roles when retrieving operator credentials

ekcasey · nebhale · commit 0fc33ece2eda · 2017-11-30T13:13:35.000-08:00
Previously, the implementation hard-coded the expected username of 'cluster- operator' for connections. Changes to the service are coming that will allow alternate usernames to be used. This change updates the code to properly handle those alternate usernames so long as they have the cluster-operator role. [resolves cloudfoundry#523][#151847755] Signed-off-by: Rebecca Chin <rchin@pivotal.io> Signed-off-by: Emily Casey <ecasey@pivotal.io> Signed-off-by: Gavin Enns <genns@pivotal.io>
diff --git a/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb b/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb
@@ -38,9 +38,9 @@ def compile
       def release
         return unless supports?
         credentials = @application.services.find_service(FILTER, KEY_LOCATORS, KEY_USERS)['credentials']
-        user = credentials[KEY_USERS].find { |u| u['username'] == 'cluster_operator' }
+        user = credentials[KEY_USERS].find { |u| cluster_operator?(u) }
 
-        @droplet.java_opts.add_system_property 'gemfire.security-username', 'cluster_operator'
+        @droplet.java_opts.add_system_property 'gemfire.security-username', user['username']
         @droplet.java_opts.add_system_property 'gemfire.security-password', user['password']
         @droplet.java_opts.add_system_property 'gemfire.security-client-auth-init',
                                                'io.pivotal.cloudcache.ClientAuthInitialize.create'
@@ -78,6 +78,10 @@ def supports?
                        :CACHE_CLIENT_LISTENER_CLASS_NAME, :SCHEMA_URL, :SCHEMA_INSTANCE_URL, :SCHEMA_LOCATION,
                        :LOCATOR_REGEXP, :FUNCTION_SERVICE_CLASS_NAMES
 
+      def cluster_operator?(user)
+        user['username'] == 'cluster_operator' || user['roles'] && (user['roles'].include? 'cluster_operator')
+      end
+
       def add_client_cache(document)
         client_cache = document.add_element 'client-cache',
                                             'xmlns' => SCHEMA_URL,
diff --git a/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb b/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb
@@ -41,8 +41,11 @@
           'locators' => ['some-locator[some-port]', 'some-other-locator[some-other-port]'],
           'users' =>
               [
-                { 'password' => 'fake-password',
-                  'username' => 'cluster_operator' }
+                {
+                  'password' => 'some-password',
+                  'username' => 'some-username',
+                  'roles' => ['cluster_operator']
+                }
               ]
         }
       )
@@ -102,9 +105,40 @@
       expect(java_opts).to include(
         '-Dgemfire.security-client-auth-init=io.pivotal.cloudcache.ClientAuthInitialize.create'
       )
-      expect(java_opts).to include('-Dgemfire.security-username=cluster_operator')
-      expect(java_opts).to include('-Dgemfire.security-password=fake-password')
+      expect(java_opts).to include('-Dgemfire.security-username=some-username')
+      expect(java_opts).to include('-Dgemfire.security-password=some-password')
     end
+  end
 
+  context 'when there is session replication service and service credentials do not include roles' do
+    before do
+      allow(services).to receive(:one_service?).with(/session-replication/, 'locators', 'users')
+                                               .and_return(true)
+      allow(services).to receive(:find_service).and_return(
+        'credentials' => {
+          'locators' => ['some-locator[some-port]', 'some-other-locator[some-other-port]'],
+          'users' =>
+              [
+                {
+                  'password' => 'some-password',
+                  'username' => 'cluster_operator'
+                }
+              ]
+        }
+      )
+    end
+
+    it 'assumes usernames represent roles and passes security properties to the release',
+       app_fixture:   'container_tomcat_geode_store',
+       cache_fixture: 'stub-geode-store.tar' do
+
+      component.release
+
+      expect(java_opts).to include(
+        '-Dgemfire.security-client-auth-init=io.pivotal.cloudcache.ClientAuthInitialize.create'
+      )
+      expect(java_opts).to include('-Dgemfire.security-username=cluster_operator')
+      expect(java_opts).to include('-Dgemfire.security-password=some-password')
+    end
   end
 end
