| author | Robert Gemmell <robbie@apache.org> | 2009-10-09 08:54:26 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2009-10-09 08:54:26 +0000 |
| commit | 5ce4041e1878fef6d16f44f4bef64f91052054b6 (patch) | |
| tree | ec1470bf4c12ec9331956e09c21ba14e42fbadf5 /java | |
| parent | 295f7079a68250ff01610de720427bef2039a4eb (diff) | |
| download | qpid-python-5ce4041e1878fef6d16f44f4bef64f91052054b6.tar.gz | |
QPID-1872: check for existence of outer consume permissions map before proceeding to further checks, and if not present then deny immediately as it signifies a complete lack of consume rights in the ACL settings for the user in question. Update SimpleACLTest to add a check for consumption with create but without consume right, and to allow each test to customise the ACL settings before QTC.setUp() starts the broker
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@823464 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
| -rwxr-xr-x | java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java | 6 | ||||
| -rw-r--r-- | java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java | 110 |
2 files changed, 99 insertions, 17 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java index f852514444..fb57ca9a59 100755 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java +++ b/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java @@ -494,6 +494,12 @@ public class PrincipalPermissions { AMQQueue queue = ((AMQQueue) parameters[0]); Map queuePermissions = (Map) _permissions.get(permission); + + if (queuePermissions == null) + { + //if the outer map is null, the user has no CONSUME rights at all + return AuthzResult.DENIED; + } List queues = (List) queuePermissions.get(CONSUME_QUEUES_KEY); diff --git a/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java b/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java index a755bbfaa7..940ccbd9f1 100644 --- a/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java +++ b/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java @@ -21,6 +21,7 @@ package org.apache.qpid.server.security.acl; +import org.apache.commons.configuration.ConfigurationException; import org.apache.qpid.AMQException; import org.apache.qpid.AMQConnectionFailureException; import org.apache.qpid.client.AMQAuthenticationException; 
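Review bot: The new guard in PrincipalPermissions covers only the outer map; `queues`, read on the following line from `queuePermissions.get(CONSUME_QUEUES_KEY)`, may also be null when the map exists without that key, and whether it is checked lies outside the hunk. Because this is an authorization decision, each missing-entry case should end in an explicit `AuthzResult.DENIED` rather than an exception whose effect depends on how the caller handles it. If other branches of the enclosing method (which starts and ends outside the hunk) also dereference the result of `_permissions.get(permission)`, they would need the same guard. The comment could state the intent, e.g. `// no CONSUME entry for this principal: fail closed`.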
@@ -43,11 +44,20 @@ import javax.jms.Session; import javax.jms.TextMessage; import javax.naming.NamingException; import java.io.File; +import java.io.IOException; public class SimpleACLTest extends QpidTestCase implements ConnectionListener { public void setUp() throws Exception { + //Performing setUp here would result in a broker with the default ACL test config + + //Each test now calls the private setUpACLTest to allow them to make + //individual customisations to the base ACL settings + } + + private void setUpACLTest() throws Exception + { final String QPID_HOME = System.getProperty("QPID_HOME"); if (QPID_HOME == null) @@ -67,8 +77,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener return "amqp://" + username + ":" + password + "@clientid/test?brokerlist='" + getBroker() + "?retries='0''"; } - public void testAccessAuthorized() throws AMQException, URLSyntaxException + public void testAccessAuthorized() throws AMQException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -90,6 +102,8 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener public void testAccessNoRights() throws Exception { + setUpACLTest(); + try { Connection conn = getConnection("guest", "guest"); 
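Review bot: With `setUp()` emptied, nothing enforces that a test calls `setUpACLTest()`, and a test that omits it would not run against the ACL configuration this class is meant to exercise. The required ordering (any `setConfigurationProperty(...)` customisation first, then the helper) is only implied by the comment inside `setUp()`. I would document it on the helper itself, e.g. `/** Starts the broker with the ACL test config; every test must call this, after any setConfigurationProperty() customisation. */`. The body of `setUpACLTest()` continues outside the hunk.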
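Review bot: `throws AMQException, URLSyntaxException, Exception` on `testAccessAuthorized` is redundant, since `Exception` already covers the other two; `throws Exception` alone declares the same thing. The same pattern is added to the test signatures in the later hunks of this file, for example `testClientConsumeFromTempQueueValid` and `testServerPublishInvalidQueueSuccess`. The method body continues outside the hunk.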
@@ -114,8 +128,40 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientConsumeFromTempQueueValid() throws AMQException, URLSyntaxException + public void testGuestConsumeWithCreateRightsAndWithoutConsumeRights() throws NamingException, ConfigurationException, IOException, Exception + { + //Customise the ACL config to give the guest user some create (could be any, non-consume) rights to + //force creation of a PrincipalPermissions instance to perform the consume rights check against. + setConfigurationProperty("virtualhosts.virtualhost.test.security.access_control_list.create.queues.queue.users.user", "guest"); + + setUpACLTest(); + + try + { + Connection conn = getConnection("guest", "guest"); + + Session sesh = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + conn.start(); + + sesh.createConsumer(sesh.createQueue("example.RequestQueue")); + + conn.close(); + } + catch (JMSException e) + { + Throwable cause = e.getLinkedException(); + + assertNotNull("There was no liked exception", cause); + assertEquals("Wrong linked exception type", AMQAuthenticationException.class, cause.getClass()); + assertEquals("Incorrect error code received", 403, ((AMQAuthenticationException) cause).getErrorCode().getCode()); + } + } + + public void testClientConsumeFromTempQueueValid() throws AMQException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -134,8 +180,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientConsumeFromNamedQueueInvalid() throws NamingException + public void testClientConsumeFromNamedQueueInvalid() throws NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); 
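Review bot: The `try` block in `testGuestConsumeWithCreateRightsAndWithoutConsumeRights` has no failure path when the consumer is created, so the test passes if the broker wrongly allows the consume, which is the regression it is meant to catch. Add `fail("Consumer was created without consume rights");` after the `sesh.createConsumer(...)` call, before `conn.close()`. The connection is also left open on the exception path as written. The assertion message `"There was no liked exception"` should read "linked".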
@@ -161,8 +209,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientCreateTemporaryQueue() throws JMSException, URLSyntaxException + public void testClientCreateTemporaryQueue() throws JMSException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -183,8 +233,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientCreateNamedQueue() throws NamingException, JMSException, AMQException + public void testClientCreateNamedQueue() throws NamingException, JMSException, AMQException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -206,8 +258,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientPublishUsingTransactionSuccess() throws AMQException, URLSyntaxException + public void testClientPublishUsingTransactionSuccess() throws AMQException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -233,8 +287,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientPublishValidQueueSuccess() throws AMQException, URLSyntaxException + public void testClientPublishValidQueueSuccess() throws AMQException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -263,8 +319,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testClientPublishInvalidQueueSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException + public void testClientPublishInvalidQueueSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); 
@@ -308,8 +366,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerConsumeFromNamedQueueValid() throws AMQException, URLSyntaxException + public void testServerConsumeFromNamedQueueValid() throws AMQException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); @@ -328,8 +388,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerConsumeFromNamedQueueInvalid() throws AMQException, URLSyntaxException, NamingException + public void testServerConsumeFromNamedQueueInvalid() throws AMQException, URLSyntaxException, NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("client", "guest"); @@ -353,8 +415,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerConsumeFromTemporaryQueue() throws AMQException, URLSyntaxException, NamingException + public void testServerConsumeFromTemporaryQueue() throws AMQException, URLSyntaxException, NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); @@ -388,8 +452,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener return (Connection) connection; } - public void testServerCreateNamedQueueValid() throws JMSException, URLSyntaxException + public void testServerCreateNamedQueueValid() throws JMSException, URLSyntaxException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); 
@@ -409,8 +475,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerCreateNamedQueueInvalid() throws JMSException, URLSyntaxException, AMQException, NamingException + public void testServerCreateNamedQueueInvalid() throws JMSException, URLSyntaxException, AMQException, NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); @@ -431,8 +499,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerCreateTemporaryQueueInvalid() throws NamingException + public void testServerCreateTemporaryQueueInvalid() throws NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); @@ -456,8 +526,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerCreateAutoDeleteQueueInvalid() throws NamingException, JMSException, AMQException + public void testServerCreateAutoDeleteQueueInvalid() throws NamingException, JMSException, AMQException, Exception { + setUpACLTest(); + Connection connection = null; try { @@ -487,8 +559,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener * @throws URLSyntaxException * @throws JMSException */ - public void testServerPublishUsingTransactionSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException + public void testServerPublishUsingTransactionSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException, Exception { + setUpACLTest(); + //Set up the Server Connection serverConnection = getConnection("server", "guest"); 
@@ -567,8 +641,10 @@ public class SimpleACLTest extends QpidTestCase implements ConnectionListener } } - public void testServerPublishInvalidQueueSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException + public void testServerPublishInvalidQueueSuccess() throws AMQException, URLSyntaxException, JMSException, NamingException, Exception { + setUpACLTest(); + try { Connection conn = getConnection("server", "guest"); |
