diff --git a/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb b/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb
index aec5594dbc..a6cf494f75 100644
--- a/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb
+++ b/lib/java_buildpack/container/tomcat/tomcat_geode_store.rb
@@ -38,9 +38,9 @@ def compile
       def release
         return unless supports?
         credentials = @application.services.find_service(FILTER, KEY_LOCATORS, KEY_USERS)['credentials']
-        user = credentials[KEY_USERS].find { |u| u['username'] == 'cluster_operator' }
+        user = credentials[KEY_USERS].find { |u| cluster_operator?(u) }
-        @droplet.java_opts.add_system_property 'gemfire.security-username', 'cluster_operator'
+        @droplet.java_opts.add_system_property 'gemfire.security-username', user['username']
         @droplet.java_opts.add_system_property 'gemfire.security-password', user['password']
         @droplet.java_opts.add_system_property 'gemfire.security-client-auth-init', 'io.pivotal.cloudcache.ClientAuthInitialize.create'
@@ -78,6 +78,10 @@ def supports?
       :CACHE_CLIENT_LISTENER_CLASS_NAME, :SCHEMA_URL, :SCHEMA_INSTANCE_URL, :SCHEMA_LOCATION, :LOCATOR_REGEXP, :FUNCTION_SERVICE_CLASS_NAMES
+      def cluster_operator?(user)
+        user['username'] == 'cluster_operator' || user['roles'] && (user['roles'].include? 'cluster_operator')
+      end
+
       def add_client_cache(document)
         client_cache = document.add_element 'client-cache', 'xmlns' => SCHEMA_URL,
diff --git a/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb b/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb
index f70f763b27..4a062eb3eb 100644
--- a/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb
+++ b/spec/java_buildpack/container/tomcat/tomcat_geode_store_spec.rb
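Review bot: `user` is still dereferenced without a nil check after the `find` in `release` — when no entry satisfies `cluster_operator?` (neither a matching username nor a matching role), the new `user['username']` line raises NoMethodError on nil, which surfaces as an opaque staging failure instead of naming the misconfigured binding. A guard before the first `add_system_property`, such as `raise 'session-replication service credentials contain no cluster_operator user' unless user`, would make the failure actionable. The latent nil was there before the change (only `user['password']` was read), but the new code now reads two fields from the same possibly-nil value, so this is the place to close it. The remainder of `release` continues outside the hunk.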
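Review bot: The body of `cluster_operator?` mixes `||` and `&&` without parentheses; Ruby parses it as `username match || (roles && roles.include?)`, which is the intended meaning, but the reader has to know the precedence table and RuboCop's Lint/AmbiguousOperatorPrecedence would flag it. The equivalent `user['username'] == 'cluster_operator' || user['roles']&.include?('cluster_operator')` keeps a missing `roles` key falsy and reads without the mental parsing. Since this predicate decides whose password is handed to the cache client, a one-line comment stating the fallback rule would help the next maintainer: `# Users that carry no 'roles' list are matched on username alone`. It appears to sit below the `private_constant` list, but whether a `private` marker precedes it is outside the hunk — worth confirming so the helper is not exposed on the component.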
@@ -41,8 +41,11 @@
             'locators' => ['some-locator[some-port]', 'some-other-locator[some-other-port]'],
             'users' => [
-              { 'password' => 'fake-password',
-                'username' => 'cluster_operator' }
+              {
+                'password' => 'some-password',
+                'username' => 'some-username',
+                'roles' => ['cluster_operator']
+              }
             ]
           }
         )
@@ -102,9 +105,40 @@
           expect(java_opts).to include(
             '-Dgemfire.security-client-auth-init=io.pivotal.cloudcache.ClientAuthInitialize.create'
           )
-          expect(java_opts).to include('-Dgemfire.security-username=cluster_operator')
-          expect(java_opts).to include('-Dgemfire.security-password=fake-password')
+          expect(java_opts).to include('-Dgemfire.security-username=some-username')
+          expect(java_opts).to include('-Dgemfire.security-password=some-password')
         end
+      end
+      context 'when there is session replication service and service credentials do not include roles' do
+        before do
+          allow(services).to receive(:one_service?).with(/session-replication/, 'locators', 'users')
+                                                    .and_return(true)
+          allow(services).to receive(:find_service).and_return(
+            'credentials' => {
+              'locators' => ['some-locator[some-port]', 'some-other-locator[some-other-port]'],
+              'users' =>
+              [
+                {
+                  'password' => 'some-password',
+                  'username' => 'cluster_operator'
+                }
+              ]
+            }
+          )
+        end
+
+        it 'assumes usernames represent roles and passes security properties to the release',
+           app_fixture: 'container_tomcat_geode_store',
+           cache_fixture: 'stub-geode-store.tar' do
+
+          component.release
+
+          expect(java_opts).to include(
+            '-Dgemfire.security-client-auth-init=io.pivotal.cloudcache.ClientAuthInitialize.create'
+          )
+          expect(java_opts).to include('-Dgemfire.security-username=cluster_operator')
+          expect(java_opts).to include('-Dgemfire.security-password=some-password')
+        end
       end
     end
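Review bot: The two contexts only exercise the matching path; nothing in the suite covers a `users` list in which no entry has the `cluster_operator` username or role, so what `release` does in that case (currently a nil dereference in the lib change) is not pinned. A third context with `'users' => [{ 'password' => 'some-password', 'username' => 'some-username' }]` and an expectation on the error the component should raise would close that gap. Separately, the added `end` that closes the previous context runs straight into the new `context` line with no blank line between them, unlike the spacing used elsewhere in this hunk.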