authorMartin Ritchie <ritchiem@apache.org>2007-04-06 10:42:11 +0000
committerMartin Ritchie <ritchiem@apache.org>2007-04-06 10:42:11 +0000
commit01500ceda39acfe9fdc212e06e66eafebc18b35e (patch)
treecc5a57ee0ff443f226d781415da93d29f10537a6 /java/broker/src
parentc5eccf65c15aedc1d737ad5df0043c54e594d265 (diff)
downloadqpid-python-01500ceda39acfe9fdc212e06e66eafebc18b35e.tar.gz
QPID-416 Update to Access control to allow simply read/write permissions per Virtual host.
access - updated file to have examples of access control. Changed AMQProtocolSession to record an authorized Principal not just a String. - Required Added AccessRights files needed for VirtualHostAccess control. Updated ConnectionOpenMethodHandler to allow Principals with any access to connect not just read. UsernamePrincipal - Added a toString git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/branches/M2@526117 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker/src')
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java16
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java3
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java3
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java7
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java8
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java3
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java3
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java63
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java68
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java10
10 files changed, 164 insertions, 20 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java
index 4f91dd53a5..30a40c5a75 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionOpenMethodHandler.java
@@ -33,6 +33,7 @@ import org.apache.qpid.server.state.AMQStateManager;
import org.apache.qpid.server.state.StateAwareMethodListener;
import org.apache.qpid.server.virtualhost.VirtualHost;
import org.apache.qpid.server.security.access.AccessResult;
+import org.apache.qpid.server.security.access.AccessRights;
import org.apache.log4j.Logger;
public class ConnectionOpenMethodHandler implements StateAwareMethodListener<ConnectionOpenBody>
@@ -75,23 +76,26 @@ public class ConnectionOpenMethodHandler implements StateAwareMethodListener<Con
if (virtualHost == null)
{
- throw body.getConnectionException(AMQConstant.NOT_FOUND, "Unknown virtual host: '" + virtualHostName+"'");
+ throw body.getConnectionException(AMQConstant.NOT_FOUND, "Unknown virtual host: '" + virtualHostName + "'");
}
else
{
session.setVirtualHost(virtualHost);
- AccessResult result = virtualHost.getAccessManager().isAuthorized(virtualHost, session.getAuthorizedID());
+ AccessResult result = virtualHost.getAccessManager().isAuthorized(virtualHost, session.getAuthorizedID(), AccessRights.Rights.ANY);
switch (result.getStatus())
{
default:
case REFUSED:
- throw body.getConnectionException(AMQConstant.ACCESS_REFUSED,
- "Access denied to vHost '" + virtualHostName + "' by "
- + result.getAuthorizer());
+ String error = "Any access denied to vHost '" + virtualHostName + "' by "
+ + result.getAuthorizer();
+
+ _logger.warn(error);
+
+ throw body.getConnectionException(AMQConstant.ACCESS_REFUSED, error);
case GRANTED:
- _logger.info("Granted access to vHost '" + virtualHostName + "' for " + session.getAuthorizedID()
+ _logger.info("Granted any access to vHost '" + virtualHostName + "' for " + session.getAuthorizedID()
+ " by '" + result.getAuthorizer() + "'");
}
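Review bot: The refusal branch starting at `String error = "Any access denied to vHost ...` logs only the vHost and the authorizer, so the audit trail records a denied connection without the principal that was denied, while the GRANTED branch does name `session.getAuthorizedID()`. Keep the client-facing exception text as it is and add the principal on the broker side only, e.g. `_logger.warn(error + " for " + session.getAuthorizedID());`, so a denial can be correlated with a user without widening what the remote client is told. Separately, `String error` is declared under a case label without braces; it compiles because the declaration scopes over the whole switch block, but wrapping the REFUSED body in braces makes that explicit. The `default:` label falling into REFUSED keeps an unexpected status fail-closed, which is the right default here. The enclosing method body starts and ends outside this hunk.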
diff --git a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java
index 6029a023e5..fef00942a0 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionSecureOkMethodHandler.java
@@ -37,6 +37,7 @@ import org.apache.qpid.server.protocol.HeartbeatConfig;
import org.apache.qpid.server.registry.ApplicationRegistry;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.state.AMQState;
import org.apache.qpid.server.state.AMQStateManager;
import org.apache.qpid.server.state.StateAwareMethodListener;
@@ -106,7 +107,7 @@ public class ConnectionSecureOkMethodHandler implements StateAwareMethodListener
ConnectionStartOkMethodHandler.getConfiguredFrameSize(), // frameMax
HeartbeatConfig.getInstance().getDelay()); // heartbeat
session.writeFrame(tune);
- session.setAuthorizedID(ss.getAuthorizationID());
+ session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()));
disposeSaslServer(session);
break;
case CONTINUE:
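Review bot: `session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()))` on the changed line assumes the completed SaslServer returned a non-null authorization id, and nothing in this diff guards against a null name before it becomes the identity the vHost ACL is consulted with; the same construction appears in the ConnectionStartOkMethodHandler hunk. If UsernamePrincipal's constructor (outside these hunks) does not already reject null, a guard here such as `if (ss.getAuthorizationID() == null) { throw new AMQException("SASL exchange completed without an authorization id"); }` keeps a session with no established identity from reaching the access check. The enclosing switch and method continue outside the hunk.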
diff --git a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
index 6c14aae7ed..4734143497 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/handler/ConnectionStartOkMethodHandler.java
@@ -37,6 +37,7 @@ import org.apache.qpid.server.protocol.HeartbeatConfig;
import org.apache.qpid.server.registry.ApplicationRegistry;
import org.apache.qpid.server.security.auth.manager.AuthenticationManager;
import org.apache.qpid.server.security.auth.AuthenticationResult;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
import org.apache.qpid.server.state.AMQState;
import org.apache.qpid.server.state.AMQStateManager;
import org.apache.qpid.server.state.StateAwareMethodListener;
@@ -95,7 +96,7 @@ public class ConnectionStartOkMethodHandler implements StateAwareMethodListener<
throw new AMQException("Authentication failed");
case SUCCESS:
_logger.info("Connected as: " + ss.getAuthorizationID());
- session.setAuthorizedID(ss.getAuthorizationID());
+ session.setAuthorizedID(new UsernamePrincipal(ss.getAuthorizationID()));
stateManager.changeState(AMQState.CONNECTION_NOT_TUNED);
// AMQP version change: Hardwire the version to 0-8 (major=8, minor=0)
diff --git a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java
index fd8fb2d5cb..2e62c2f1e4 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQMinaProtocolSession.java
@@ -28,6 +28,7 @@ import java.util.List;
import java.util.Map;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.CopyOnWriteArraySet;
+import java.security.Principal;
import javax.management.JMException;
import javax.security.sasl.SaslServer;
@@ -108,7 +109,7 @@ public class AMQMinaProtocolSession implements AMQProtocolSession,
private VersionSpecificRegistry _registry = MainRegistry.getVersionSpecificRegistry(_protocolVersion);
private List<Integer> _closingChannelsList = new ArrayList<Integer>();
private ProtocolOutputConverter _protocolOutputConverter;
- private String _authorizedID;
+ private Principal _authorizedID;
public ManagedObject getManagedObject()
@@ -745,12 +746,12 @@ public class AMQMinaProtocolSession implements AMQProtocolSession,
return _protocolOutputConverter;
}
- public void setAuthorizedID(String authorizedID)
+ public void setAuthorizedID(Principal authorizedID)
{
_authorizedID = authorizedID;
}
- public String getAuthorizedID()
+ public Principal getAuthorizedID()
{
return _authorizedID;
}
diff --git a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java
index 79421dd497..390117acf6 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSession.java
@@ -31,6 +31,8 @@ import org.apache.qpid.server.AMQChannel;
import org.apache.qpid.server.output.ProtocolOutputConverter;
import org.apache.qpid.server.virtualhost.VirtualHost;
+import java.security.Principal;
+
public interface AMQProtocolSession extends AMQVersionAwareProtocolSession
{
@@ -165,9 +167,9 @@ public interface AMQProtocolSession extends AMQVersionAwareProtocolSession
public ProtocolOutputConverter getProtocolOutputConverter();
- void setAuthorizedID(String authorizedID);
+ void setAuthorizedID(Principal authorizedID);
- /** @return a username string that was used to authorized this session */
- String getAuthorizedID();
+ /** @return a Principal that was used to authorized this session */
+ Principal getAuthorizedID();
}
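Review bot: The Javadoc on `getAuthorizedID()` reads "a Principal that was used to authorized this session", which is ungrammatical, and now that the value is a Principal rather than a username string it should say what the value represents; `setAuthorizedID` carries no Javadoc at all. Suggested text: `/** @return the Principal under which this session was authorized */` on the getter and `/** Records the Principal under which this session has been authorized. */` on the setter. The interface body continues outside the hunk.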
diff --git a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java
index 5eebd4c524..b112979a9a 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/protocol/AMQProtocolSessionMBean.java
@@ -19,6 +19,7 @@ package org.apache.qpid.server.protocol;
import java.util.Date;
import java.util.List;
+import java.security.Principal;
import javax.management.JMException;
import javax.management.MBeanException;
@@ -106,7 +107,7 @@ public class AMQProtocolSessionMBean extends AMQManagedObject implements Managed
return _session.getContextKey() == null ? null : _session.getContextKey().toString();
}
- public String getAuthorizedId()
+ public Principal getAuthorizedId()
{
return _session.getAuthorizedID();
}
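Review bot: `getAuthorizedId()` on the changed line now exposes a `java.security.Principal` as a JMX attribute, and `UsernamePrincipal`, the only implementation this commit constructs, is declared as `implements Principal` only and is not Serializable, so a remote JMX client reading the `AuthorizedId` attribute is likely to fail to receive the value; the attribute description in ManagedConnection still says "User Name". Keep the management interface at `String` and unwrap here: `public String getAuthorizedId()` with `return _session.getAuthorizedID() == null ? null : _session.getAuthorizedID().getName();`, leaving `ManagedConnection.getAuthorizedId()` returning String. The same point applies to the ManagedConnection hunk.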
diff --git a/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java b/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java
index 990c4c0794..5e7575203d 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/protocol/ManagedConnection.java
@@ -23,6 +23,7 @@ package org.apache.qpid.server.protocol;
import java.io.IOException;
import java.util.Date;
+import java.security.Principal;
import javax.management.JMException;
import javax.management.MBeanOperationInfo;
@@ -45,7 +46,7 @@ public interface ManagedConnection
String getClientId();
@MBeanAttribute(name = "AuthorizedId", description = "User Name")
- String getAuthorizedId();
+ Principal getAuthorizedId();
@MBeanAttribute(name = "Version", description = "Client Version")
String getVersion();
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java
new file mode 100644
index 0000000000..1b79a5a0e0
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/AccessRights.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+public class AccessRights
+{
+ public enum Rights
+ {
+ ANY,
+ READ,
+ WRITE,
+ READWRITE
+ }
+
+ Rights _right;
+
+ public AccessRights(Rights right)
+ {
+ _right = right;
+ }
+
+ public boolean allows(Rights rights)
+ {
+ switch (_right)
+ {
+ case ANY:
+ return (rights.equals(Rights.WRITE)
+ || rights.equals(Rights.READ)
+ || rights.equals(Rights.READWRITE)
+ || rights.equals(Rights.ANY));
+ case READ:
+ return rights.equals(Rights.READ) || rights.equals(Rights.ANY);
+ case WRITE:
+ return rights.equals(Rights.WRITE) || rights.equals(Rights.ANY);
+ case READWRITE:
+ return true;
+ }
+ return false;
+ }
+
+ public Rights getRights()
+ {
+ return _right;
+ }
+}
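Review bot: In `allows`, the `case ANY` branch returns true for every request, so an AccessRights constructed with Rights.ANY is indistinguishable from READWRITE, while elsewhere in this commit ANY is the query value meaning "any access at all" (ConnectionOpenMethodHandler passes Rights.ANY to isAuthorized). If ANY is only meant to be asked for and never granted, the constructor should reject it, `if (right == Rights.ANY) { throw new IllegalArgumentException("ANY is a query value, not a grantable right"); }`, so a mistaken entry cannot become full access; if it is meant to be grantable, the branch should simply `return true;` like READWRITE and a Javadoc on the enum should say so. `_right` is package-visible and mutable as written and should be `private final Rights _right;`. Enum comparisons such as `rights.equals(Rights.READ)` are conventionally written `rights == Rights.READ`, which also makes a null `rights` argument fall through to `false` instead of throwing from the first `equals`.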
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java
new file mode 100644
index 0000000000..13151a66b8
--- /dev/null
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/VirtualHostAccess.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ *
+ */
+package org.apache.qpid.server.security.access;
+
+public class VirtualHostAccess
+{
+ private String _vhost;
+ private AccessRights _rights;
+
+ public VirtualHostAccess(String vhostaccess)
+ {
+ //format <vhost>(<rights>)
+ int hostend = vhostaccess.indexOf('(');
+
+ if (hostend == -1)
+ {
+ throw new IllegalArgumentException("VirtualHostAccess format string contains no access _rights");
+ }
+
+ _vhost = vhostaccess.substring(0, hostend);
+
+ String rights = vhostaccess.substring(hostend);
+
+ if (rights.indexOf('r') != -1)
+ {
+ if (rights.indexOf('w') != -1)
+ {
+ _rights = new AccessRights(AccessRights.Rights.READWRITE);
+ }
+ else
+ {
+ _rights = new AccessRights(AccessRights.Rights.READ);
+ }
+ }
+ else if (rights.indexOf('w') != -1)
+ {
+ _rights = new AccessRights(AccessRights.Rights.WRITE);
+ }
+ }
+
+ public AccessRights getAccessRights()
+ {
+ return _rights;
+ }
+
+ public String getVirtualHost()
+ {
+ return _vhost;
+ }
+}
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java
index f9aaabd15a..d7c8383690 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/UsernamePrincipal.java
@@ -22,10 +22,7 @@ package org.apache.qpid.server.security.auth.sasl;
import java.security.Principal;
-/**
- * A principal that is just a wrapper for a simple username.
- *
- */
+/** A principal that is just a wrapper for a simple username. */
public class UsernamePrincipal implements Principal
{
private String _name;
@@ -39,4 +36,9 @@ public class UsernamePrincipal implements Principal
{
return _name;
}
+
+ public String toString()
+ {
+ return _name;
+ }
}
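Review bot: `toString` is added but the class still has no `equals`/`hashCode`; as far as the line numbers of the two hunks show, the body between them holds only the constructor and `getName`, so two UsernamePrincipal instances for the same user compare by identity. Now that the Principal is what `setAuthorizedID` stores and what the vHost access check receives, any comparison or map lookup keyed on the Principal rather than on its name will silently fail to match. Defining value equality on `_name`, as below, makes the principal safe to use as a key; keeping identity semantics is only fine if every consumer compares `getName()` strings, which this diff does not show.
```java
    // … unchanged: constructor, getName, toString …

    @Override
    public boolean equals(Object o)
    {
        if (this == o)
        {
            return true;
        }
        if (!(o instanceof UsernamePrincipal))
        {
            return false;
        }
        String otherName = ((UsernamePrincipal) o)._name;
        return _name == null ? otherName == null : _name.equals(otherName);
    }

    @Override
    public int hashCode()
    {
        return _name == null ? 0 : _name.hashCode();
    }
```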