authorAidan Skinner <aidan@apache.org>2009-02-09 17:03:57 +0000
committerAidan Skinner <aidan@apache.org>2009-02-09 17:03:57 +0000
commitc9a654925355a4dd128d5111af862e8be89e0a45 (patch)
treea0f2c06331ec3b41630f171315fc0f8d38c5671f /java/broker/src/test
parentf53cc284b3045462d751084acf8311a96b4769b7 (diff)
QPID-1626: Add per-virtualhost authorization plugins.
PluginManager: add support for getting ACLPluginFactories from OSGi and the ones we already know about. *ApplicationRegistry*: return an ACLManager, not an ACLPlugin from getAccessManager. ACLManager: use PluginManager to get all the available plugins. When being asked to authorize a particular request, hold a vote amongst all the plugins as to whether to allow or deny access. ACLPlugin: return an ALLOWED/DENIED/ABSTAIN vote result. Fix typo in method name. ACLPluginFactory: Factory class for ACLPlugins. AccessResult: just use class SimpleName instead of getPluginName. PrincipalPermissions: return AuthzResult instead of boolean. Might want to make use of Abstain for things it doesn't actually care about instead of defaulting to Allowed. AllowAll, DenyAll, BasicACLPlugin, SimpleXML: add Factory, return AuthzResult instead of boolean. VirtualHost: get a new ACLManager and configure it with the virtualhost security section. Ensure that old config files which have the access_control_list outside of the main security.access section continue to work. MockPluginManager: add mock class for tests. PluginTest: not having any plugins now returns an empty set, not null. MockAMQQueue: support name attribute. ACLManagerTest: tests for ACLManager class. ExchangeDenier, QueueDenier: new test classes for ACLManagerTest. PrincipalPermissionsTest: check for correct return result, not true/false anymore. Move plugin configuration to <security> section, not <security><access>. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@742626 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker/src/test')
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java51
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java5
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java13
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java97
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java62
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java21
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java68
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java5
8 files changed, 306 insertions, 16 deletions
diff --git a/java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java b/java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java
new file mode 100644
index 0000000000..9599848dde
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/plugins/MockPluginManager.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.plugins;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.qpid.server.exchange.ExchangeType;
+import org.apache.qpid.server.security.access.ACLPlugin;
+import org.apache.qpid.server.security.access.ACLPluginFactory;
+import org.apache.qpid.server.security.access.QueueDenier;
+
+public class MockPluginManager extends PluginManager
+{
+
+ private Map<String, ACLPluginFactory> _securityPlugins = new HashMap<String, ACLPluginFactory>();
+
+ public MockPluginManager(String plugindir) throws Exception
+ {
+ super(plugindir);
+ _securityPlugins.put("org.apache.qpid.server.security.access.QueueDenier", QueueDenier.FACTORY);
+ }
+
+ @Override
+ public Map<String, ExchangeType<?>> getExchanges()
+ {
+ return null;
+ }
+
+ @Override
+ public Map<String, ACLPluginFactory> getSecurityPlugins()
+ {
+ return _securityPlugins;
+ }
+}
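Review bot: `getExchanges()` in this mock returns `null`, while the same commit changes PluginTest to expect an empty map rather than null when no plugins are found, so the mock contradicts the contract the real PluginManager is now tested against. Code under test that iterates the exchanges map would hit a NullPointerException only when the mock is in use. Returning an empty map keeps the two aligned: `return new HashMap<String, ExchangeType<?>>();`. `_securityPlugins` is never reassigned in this file and could be declared `final`.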
diff --git a/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java b/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java
index 0762a7a561..11d6105704 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/plugins/PluginTest.java
@@ -48,7 +48,6 @@ public class PluginTest extends TestCase
{
PluginManager manager = new PluginManager("/path/to/nowhere");
Map<String, ExchangeType<?>> exchanges = manager.getExchanges();
- assertNull("Exchanges found", exchanges);
- }
-
+ assertEquals("Exchanges found", 0, exchanges.size());
+ }
}
diff --git a/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java b/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
index cecb430574..3fc26a6f08 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
@@ -40,10 +40,21 @@ import java.util.LinkedList;
public class MockAMQQueue implements AMQQueue
{
private boolean _deleted = false;
+ private AMQShortString _name;
+
+ public MockAMQQueue(String name)
+ {
+ _name = new AMQShortString(name);
+ }
+
+ public MockAMQQueue()
+ {
+
+ }
public AMQShortString getName()
{
- return null; //To change body of implemented methods use File | Settings | File Templates.
+ return _name;
}
public boolean isDurable()
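Review bot: The no-argument constructor leaves `_name` null, so `getName()` still returns null for every existing caller of `new MockAMQQueue()`. QueueDenier.authoriseDelete, added in this commit, calls `queue.getName().toString()` without a null check, so an unnamed mock queue that reaches an ACL plugin would throw instead of producing a vote. Consider delegating the default constructor to a non-empty placeholder name, e.g. `this("unnamed");`, which also lets `_name` be `final`. The class body continues past the end of this hunk.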
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java
new file mode 100644
index 0000000000..d12a0b1f1b
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/access/ACLManagerTest.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+
+import junit.framework.TestCase;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.commons.configuration.PropertiesConfiguration;
+import org.apache.commons.configuration.XMLConfiguration;
+import org.apache.qpid.server.exchange.Exchange;
+import org.apache.qpid.server.plugins.MockPluginManager;
+import org.apache.qpid.server.plugins.PluginManager;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.queue.MockAMQQueue;
+import org.apache.qpid.server.queue.MockProtocolSession;
+import org.apache.qpid.server.store.TestableMemoryMessageStore;
+
+public class ACLManagerTest extends TestCase
+{
+
+ private ACLManager _authzManager;
+ private AMQProtocolSession _session;
+ private XMLConfiguration _conf;
+ private PluginManager _pluginManager;
+
+ @Override
+ public void setUp() throws Exception
+ {
+ File tmpFile = File.createTempFile(getClass().getName(), "testconfig");
+ tmpFile.deleteOnExit();
+ BufferedWriter out = new BufferedWriter(new FileWriter(tmpFile));
+ out.write("<broker><security><queueDenier>notyet</queueDenier><exchangeDenier>yes</exchangeDenier></security></broker>");
+ out.close();
+
+ _conf = new XMLConfiguration(tmpFile);
+
+ // Create ACLManager
+
+ _pluginManager = new MockPluginManager("");
+ _authzManager = new ACLManager(_conf, _pluginManager);
+
+ _session = new MockProtocolSession(new TestableMemoryMessageStore());
+ }
+
+ public void testACLManagerConfigurationPluginManager() throws Exception
+ {
+ AMQQueue queue = new MockAMQQueue("notyet");
+ AMQQueue otherQueue = new MockAMQQueue("other");
+
+ assertFalse(_authzManager.authoriseDelete(_session, queue));
+
+ // This should only be denied if the config hasn't been correctly passed in
+ assertTrue(_authzManager.authoriseDelete(_session, otherQueue));
+ assertTrue(_authzManager.authorisePurge(_session, queue));
+ }
+
+ public void testACLManagerConfigurationPluginManagerACLPlugin()
+ {
+ _authzManager = new ACLManager(_conf, _pluginManager, ExchangeDenier.FACTORY);
+
+ Exchange exchange = null;
+ assertFalse(_authzManager.authoriseDelete(_session, exchange));
+ }
+
+ public void testConfigurePlugins()
+ {
+ Configuration hostConfig = new PropertiesConfiguration();
+ hostConfig.setProperty("security.queueDenier", "thisoneneither");
+ _authzManager.configureHostPlugins(hostConfig);
+ AMQQueue queue = new MockAMQQueue("thisoneneither");
+ assertFalse(_authzManager.authoriseDelete(_session, queue));
+ }
+
+}
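Review bot: None of the three tests pins what ACLManager decides when every plugin abstains or when no plugin matches the configuration; they only check that a DENIED vote wins and that an AllowAll-derived plugin allows. For an authorization manager that default is the security-relevant decision (fail-closed versus fail-open), and the commit message itself mentions moving PrincipalPermissions from defaulting to Allowed towards Abstain. I would add a test that registers a plugin whose `authoriseDelete` returns `AuthzResult.ABSTAIN` and asserts the intended outcome, with a class comment stating the voting rule the tests are meant to enforce. Separately, `setUp` writes `<exchangeDenier>yes</exchangeDenier>` although MockPluginManager registers only QueueDenier, so the first test appears to rely on unmatched tags being ignored; a one-line comment such as `// exchangeDenier has no registered factory here and must be ignored` would make that explicit.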
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java
new file mode 100644
index 0000000000..f62b0c6241
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/access/ExchangeDenier.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.qpid.server.exchange.Exchange;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.security.access.plugins.AllowAll;
+
+public class ExchangeDenier extends AllowAll
+{
+
+ public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
+ {
+ public boolean supportsTag(String name)
+ {
+ return name.startsWith("exchangeDenier");
+ }
+
+ public ACLPlugin newInstance(Configuration config)
+ {
+ return new ExchangeDenier();
+ }
+ };
+
+ @Override
+ public AuthzResult authoriseDelete(AMQProtocolSession session, Exchange exchange)
+ {
+ return AuthzResult.DENIED;
+ }
+
+ @Override
+ public String getPluginName()
+ {
+ return getClass().getSimpleName();
+ }
+
+ @Override
+ public boolean supportsTag(String name)
+ {
+ return name.equals("exchangeDenier");
+ }
+
+}
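Review bot: The factory's `supportsTag` matches with `name.startsWith("exchangeDenier")`, while the plugin's own `supportsTag` below and QueueDenier's factory both use `equals`, so this factory would also claim any configuration tag that merely begins with that prefix. For the code that decides which access-control plugin handles a configuration section, exact matching is the safer behaviour and keeps the two methods consistent: `return name.equals("exchangeDenier");`. If the prefix match is intentional, a comment saying why would stop it being copied into real plugins. `newInstance` also ignores its `config` argument, which deserves a short comment such as `// config unused: this plugin denies every exchange delete`.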
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
index df41ac9dc2..1e47f764df 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java
@@ -31,6 +31,7 @@ import org.apache.qpid.framing.amqp_8_0.QueueBindBodyImpl;
import org.apache.qpid.server.exchange.DirectExchange;
import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.queue.AMQQueueFactory;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
import org.apache.qpid.server.store.SkeletonMessageStore;
import org.apache.qpid.server.virtualhost.VirtualHost;
@@ -79,7 +80,7 @@ public class PrincipalPermissionsTest extends TestCase
public void testPrincipalPermissions()
{
assertNotNull(_perms);
- assertTrue(_perms.authorise(Permission.ACCESS, (Object[]) null));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.ACCESS, (Object[]) null));
}
// FIXME: test has been disabled since the permissions assume that the user has tried to create
@@ -89,9 +90,9 @@ public class PrincipalPermissionsTest extends TestCase
QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments);
Object[] args = new Object[]{bind, _exchange, _queue, _routingKey};
- assertFalse(_perms.authorise(Permission.BIND, args));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.BIND, args));
_perms.grant(Permission.BIND, (Object[]) null);
- assertTrue(_perms.authorise(Permission.BIND, args));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.BIND, args));
}
public void testQueueCreate()
@@ -99,9 +100,9 @@ public class PrincipalPermissionsTest extends TestCase
Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, _routingKey};
Object[] authArgs = new Object[]{_autoDelete, _queueName};
- assertFalse(_perms.authorise(Permission.CREATEQUEUE, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs));
_perms.grant(Permission.CREATEQUEUE, grantArgs);
- assertTrue(_perms.authorise(Permission.CREATEQUEUE, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs));
}
@@ -114,9 +115,9 @@ public class PrincipalPermissionsTest extends TestCase
Object[] authArgs = new Object[]{exchangeDeclare};
Object[] grantArgs = new Object[]{_exchangeName, _exchangeType};
- assertFalse(_perms.authorise(Permission.CREATEEXCHANGE, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs));
_perms.grant(Permission.CREATEEXCHANGE, grantArgs);
- assertTrue(_perms.authorise(Permission.CREATEEXCHANGE, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs));
}
public void testConsume()
@@ -128,7 +129,7 @@ public class PrincipalPermissionsTest extends TestCase
* assertFalse(_perms.authorise(Permission.CONSUME, authArgs));
*/
_perms.grant(Permission.CONSUME, grantArgs);
- assertTrue(_perms.authorise(Permission.CONSUME, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authArgs));
}
public void testPublish()
@@ -136,9 +137,9 @@ public class PrincipalPermissionsTest extends TestCase
Object[] authArgs = new Object[]{_exchange, _routingKey};
Object[] grantArgs = new Object[]{_exchange.getName(), _routingKey};
- assertFalse(_perms.authorise(Permission.PUBLISH, authArgs));
+ assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.PUBLISH, authArgs));
_perms.grant(Permission.PUBLISH, grantArgs);
- assertTrue(_perms.authorise(Permission.PUBLISH, authArgs));
+ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgs));
}
}
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java
new file mode 100644
index 0000000000..5497f0ae44
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/access/QueueDenier.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.qpid.server.protocol.AMQProtocolSession;
+import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult;
+import org.apache.qpid.server.security.access.plugins.AllowAll;
+
+public class QueueDenier extends AllowAll
+{
+
+ public static final ACLPluginFactory FACTORY = new ACLPluginFactory()
+ {
+ public boolean supportsTag(String name)
+ {
+ return name.equals("queueDenier");
+ }
+
+ public ACLPlugin newInstance(Configuration config)
+ {
+ QueueDenier plugin = new QueueDenier();
+ plugin.setConfiguration(config);
+ return plugin;
+ }
+ };
+
+ private String _queueName = "";
+
+
+ @Override
+ public AuthzResult authoriseDelete(AMQProtocolSession session, AMQQueue queue)
+ {
+ if (!(queue.getName().toString().equals(_queueName)))
+ {
+ return AuthzResult.ALLOWED;
+ }
+ else
+ {
+ return AuthzResult.DENIED;
+ }
+ }
+
+ @Override
+ public void setConfiguration(Configuration config)
+ {
+ _queueName = config.getString("queueDenier");
+ }
+}
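Review bot: `setConfiguration` overwrites the `""` default with whatever `config.getString("queueDenier")` returns, which by default is null when the key is absent; `authoriseDelete` then compares the queue name against null and returns ALLOWED for every queue. A deny plugin that silently allows everything when its configuration is missing or mis-keyed is the fail-open case worth guarding, even in a test helper that may be used as a template. I would reject the missing key in `setConfiguration`, e.g. `if (_queueName == null) { throw new IllegalArgumentException("queueDenier is not configured"); }`. The `if (!(...)) … else …` in `authoriseDelete` would also read more directly with the positive test first, returning DENIED when the names match.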
diff --git a/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java b/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java
index 15449dc613..b6d42e6068 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/util/TestApplicationRegistry.java
@@ -26,6 +26,7 @@ import org.apache.qpid.server.exchange.ExchangeRegistry;
import org.apache.qpid.server.management.NoopManagedObjectRegistry;
import org.apache.qpid.server.queue.QueueRegistry;
import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.access.ACLManager;
import org.apache.qpid.server.security.access.ACLPlugin;
import org.apache.qpid.server.security.access.plugins.AllowAll;
import org.apache.qpid.server.security.auth.database.PropertiesPrincipalDatabaseManager;
@@ -66,7 +67,7 @@ public class TestApplicationRegistry extends ApplicationRegistry
_databaseManager = new PropertiesPrincipalDatabaseManager("default", users);
- _accessManager = new AllowAll();
+ _accessManager = new ACLManager(_configuration, _pluginManager, AllowAll.FACTORY);
_authenticationManager = new PrincipalDatabaseAuthenticationManager(null, null);
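Review bot: The new ACLManager is constructed from `_configuration` and `_pluginManager`, and neither assignment is visible in this hunk, so it is worth confirming that both are initialised before this line; the enclosing method starts and ends outside the hunk. A comment here would also help, e.g. `// AllowAll is the fallback plugin: tests using this registry do not exercise denial unless they install their own ACLManager`, since with this default the registry presumably permits every operation. The `setAccessManager(ACLManager)` change in the last hunk means a test can no longer inject a bare ACLPlugin and has to wrap it in an ACLManager, which the Javadoc for that setter should state.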
@@ -108,7 +109,7 @@ public class TestApplicationRegistry extends ApplicationRegistry
return Arrays.asList(hosts);
}
- public void setAccessManager(ACLPlugin newManager)
+ public void setAccessManager(ACLManager newManager)
{
_accessManager = newManager;
}