QPID-2654: Add Actor logging to the ACL plugin

Applied patch from Andrew Kennedy <andrew.international@gmail.com> git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@955642 13f79535-47bb-0310-9956-ffa450edef68
author: Robert Gemmell <robbie@apache.org> 2010-06-17 15:32:12 +0000
committer: Robert Gemmell <robbie@apache.org> 2010-06-17 15:32:12 +0000
commit: 557c5d9e5d3bea0d199cc508e43dc650c92741b8 (patch)
tree: 670a83f65eb61213b00bd19e96514804389f6443 /java/broker-plugins
parent: 097f6a0e13ac6a650b574329fc3b20bfe5553cdd (diff)
download: qpid-python-557c5d9e5d3bea0d199cc508e43dc650c92741b8.tar.gz
5 files changed, 65 insertions, 15 deletions
diff --git a/java/broker-plugins/access-control/MANIFEST.MF b/java/broker-plugins/access-control/MANIFEST.MF
index ea8b709a70..1cd285ba20 100644
--- a/java/broker-plugins/access-control/MANIFEST.MF
+++ b/java/broker-plugins/access-control/MANIFEST.MF
@@ -4,13 +4,13 @@ Bundle-Name: Qpid Broker-Plugins Access Control
 Bundle-SymbolicName: broker-plugins-access-control
 Bundle-Description: Access control plugin for Qpid.
 Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
-Bundle-DocURL: http://www.apache.org/
+Bundle-DocURL: http://qpid.apache.org/acl.html
 Bundle-Version: 1.0.0
 Bundle-Activator: org.apache.qpid.server.security.access.plugins.AccessControlActivator
 Bundle-RequiredExecutionEnvironment: JavaSE-1.5
 Bundle-ClassPath: .
 Bundle-ActivationPolicy: lazy
-Import-Package:  org.apache.qpid,
+Import-Package: org.apache.qpid,
  org.apache.qpid.exchange,
  org.apache.qpid.framing,
  org.apache.qpid.junit.extensions.util,
@@ -19,8 +19,12 @@ Import-Package:  org.apache.qpid,
  org.apache.qpid.server.configuration.plugins,
  org.apache.qpid.server.exchange,
  org.apache.qpid.server.management,
+ org.apache.qpid.server.logging,
+ org.apache.qpid.server.logging.actors,
+ org.apache.qpid.server.logging.subjects,
  org.apache.qpid.server.plugins,
  org.apache.qpid.server.queue,
+ org.apache.qpid.server.registry,
  org.apache.qpid.server.security,
  org.apache.qpid.server.security.access,
  org.apache.qpid.server.virtualhost,
@@ -33,5 +37,6 @@ Import-Package:  org.apache.qpid,
  javax.management.openmbean;version=1.0.0,
  org.osgi.util.tracker;version=1.0.0,
  org.osgi.framework;version=1.3
-Private-Package: org.apache.qpid.server.security.access.config
+Private-Package: org.apache.qpid.server.security.access.config,
+ org.apache.qpid.server.security.access.logging
 Export-Package: org.apache.qpid.server.security.access.plugins
diff --git a/java/broker-plugins/access-control/build.xml b/java/broker-plugins/access-control/build.xml
index f3f7e4de74..89f8240fd5 100644
--- a/java/broker-plugins/access-control/build.xml
+++ b/java/broker-plugins/access-control/build.xml
@@ -25,5 +25,7 @@
 
     <import file="../../module.xml" />
 
-    <target name="bundle" depends="bundle-tasks" />
+    <target name="bundle" depends="bundle-tasks"/>
+
+    <target name="precompile" depends="gen_logging"/>
 </project>
diff --git a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index 3c471f2f55..ebc73440ed 100644
--- a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -33,11 +33,13 @@ import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.apache.qpid.exchange.ExchangeDefaults;
+import org.apache.qpid.server.logging.actors.CurrentActor;
 import org.apache.qpid.server.security.Result;
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.access.Permission;
+import org.apache.qpid.server.security.access.logging.AccessControlMessages;
 
 /**
  * Models the rule configuration for the access control plugin.
@@ -183,6 +185,20 @@ public class RuleSet
 		}
 		return false;
     }
+    
+    private Permission noLog(Permission permission)
+    {
+        switch (permission)
+        {
+            case ALLOW:
+            case ALLOW_LOG:
+                return Permission.ALLOW;
+            case DENY:
+            case DENY_LOG:
+            default:
+                return Permission.DENY;
+        }
+    }
 
     // TODO make this work when group membership is not known at file parse time
     public void addRule(Integer number, String identity, Permission permission, Action action)
@@ -201,7 +217,7 @@ public class RuleSet
         {
             if (action.getOperation() == Operation.CREATE && action.getObjectType() == ObjectType.TOPIC)
             {
-                addRule(null, identity, permission, new Action(Operation.BIND, ObjectType.EXCHANGE,
+                addRule(null, identity, noLog(permission), new Action(Operation.BIND, ObjectType.EXCHANGE,
                         new ObjectProperties("amq.topic", action.getProperties().get(ObjectProperties.Property.NAME))));
                 ObjectProperties topicProperties = new ObjectProperties();
                 topicProperties.put(ObjectProperties.Property.DURABLE, true);
@@ -210,7 +226,7 @@ public class RuleSet
             }
             if (action.getOperation() == Operation.DELETE && action.getObjectType() == ObjectType.TOPIC)
             {
-                addRule(null, identity, permission, new Action(Operation.UNBIND, ObjectType.EXCHANGE,
+                addRule(null, identity, noLog(permission), new Action(Operation.UNBIND, ObjectType.EXCHANGE,
                         new ObjectProperties("amq.topic", action.getProperties().get(ObjectProperties.Property.NAME))));
                 ObjectProperties topicProperties = new ObjectProperties();
                 topicProperties.put(ObjectProperties.Property.DURABLE, true);
@@ -227,10 +243,10 @@ public class RuleSet
                 ObjectProperties exchProperties = new ObjectProperties(action.getProperties());
                 exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
                 exchProperties.put(ObjectProperties.Property.ROUTING_KEY, action.getProperties().get(ObjectProperties.Property.NAME));
-                addRule(null, identity, permission, new Action(Operation.BIND, ObjectType.EXCHANGE, exchProperties));
+                addRule(null, identity, noLog(permission), new Action(Operation.BIND, ObjectType.EXCHANGE, exchProperties));
 				if (action.getProperties().isSet(ObjectProperties.Property.AUTO_DELETE))
 				{
-					addRule(null, identity, permission, new Action(Operation.DELETE, ObjectType.QUEUE, action.getProperties()));
+					addRule(null, identity, noLog(permission), new Action(Operation.DELETE, ObjectType.QUEUE, action.getProperties()));
 				}
             }
             else if (action.getOperation() == Operation.DELETE && action.getObjectType() == ObjectType.QUEUE)
@@ -238,11 +254,11 @@ public class RuleSet
                 ObjectProperties exchProperties = new ObjectProperties(action.getProperties());
                 exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
                 exchProperties.put(ObjectProperties.Property.ROUTING_KEY, action.getProperties().get(ObjectProperties.Property.NAME));
-                addRule(null, identity, permission, new Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
+                addRule(null, identity, noLog(permission), new Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
             }
             else if (action.getOperation() != Operation.ACCESS && action.getObjectType() != ObjectType.VIRTUALHOST)
             {
-                addRule(null, identity, permission, new Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
+                addRule(null, identity, noLog(permission), new Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
             }
         }
         
@@ -409,11 +425,13 @@ public class RuleSet
                 switch (permission)
                 {
                     case ALLOW_LOG:
-                        _logger.info("ALLOWED " + action);
+                        CurrentActor.get().message(AccessControlMessages.ALLOWED(
+                                action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
                     case ALLOW:
                         return Result.ALLOWED;
                     case DENY_LOG:
-                        _logger.info("DENIED " + action);
+                        CurrentActor.get().message(AccessControlMessages.DENIED(
+                                action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
                     case DENY:
                         return Result.DENIED;
                 }
diff --git a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
new file mode 100644
index 0000000000..bf80df3722
--- /dev/null
+++ b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# org.apache.qpid.server.security.access.logging.AccessControl
+
+# Access Control logging message i18n strings.
+
+# 'accept-log' rule message
+ALLOWED = ACL-1001 : Allowed : {0} {1} {2}
+
+# 'deny-log' rule message
+DENIED = ACL-1002 : Denied : {0} {1} {2}
+\ No newline at end of file
diff --git a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
index e6e0059902..69cfa173bd 100644
--- a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
+++ b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
@@ -20,7 +20,6 @@
  */
 package org.apache.qpid.server.security.access.plugins;
 
-import java.io.File;
 import java.security.Principal;
 
 import org.apache.commons.configuration.ConfigurationException;
@@ -33,8 +32,6 @@ import org.apache.qpid.server.security.SecurityPluginFactory;
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.access.config.ConfigurationFile;
-import org.apache.qpid.server.security.access.config.PlainConfiguration;
 import org.apache.qpid.server.security.access.config.RuleSet;
 
 /**
author	Robert Gemmell <robbie@apache.org>	2010-06-17 15:32:12 +0000
committer	Robert Gemmell <robbie@apache.org>	2010-06-17 15:32:12 +0000
commit	557c5d9e5d3bea0d199cc508e43dc650c92741b8 (patch)
tree	670a83f65eb61213b00bd19e96514804389f6443 /java/broker-plugins
parent	097f6a0e13ac6a650b574329fc3b20bfe5553cdd (diff)
download	qpid-python-557c5d9e5d3bea0d199cc508e43dc650c92741b8.tar.gz