| author | Robert Gemmell <robbie@apache.org> | 2009-11-26 16:47:36 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2009-11-26 16:47:36 +0000 |
| commit | c6824e3e89b4bb03b992c5ee439ed03546e79cbc (patch) | |
| tree | 567bb6c8ce0ff59637e80797ccab6c92228767fe /java | |
| parent | c1b62c2215391a3c785f18711bfb5bdefa946652 (diff) | |
| download | qpid-python-c6824e3e89b4bb03b992c5ee439ed03546e79cbc.tar.gz | |
QPID-2184: add additional testing against static firewall configurations
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@884634 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
3 files changed, 356 insertions, 0 deletions
diff --git a/java/systests/etc/config-systests-firewall-2.xml b/java/systests/etc/config-systests-firewall-2.xml
new file mode 100644
index 0000000000..1c560d751d
--- /dev/null
+++ b/java/systests/etc/config-systests-firewall-2.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+ -->
+<broker>
+ <prefix>${QPID_HOME}</prefix>
+ <work>${QPID_WORK}</work>
+ <conf>${prefix}/etc</conf>
+ <connector>
+ <!-- To enable SSL edit the keystorePath and keystorePassword
+ and set enabled to true.
+ To disasble Non-SSL port set sslOnly to true -->
+ <ssl>
+ <enabled>false</enabled>
+ <sslOnly>false</sslOnly>
+ <keystorePath>/path/to/keystore.ks</keystorePath>
+ <keystorePassword>keystorepass</keystorePassword>
+ </ssl>
+ <qpidnio>false</qpidnio>
+ <protectio>
+ <enabled>false</enabled>
+ <readBufferLimitSize>262144</readBufferLimitSize>
+ <writeBufferLimitSize>262144</writeBufferLimitSize>
+ </protectio>
+ <transport>nio</transport>
+ <port>5672</port>
+ <sslport>8672</sslport>
+ <socketReceiveBuffer>32768</socketReceiveBuffer>
+ <socketSendBuffer>32768</socketSendBuffer>
+ </connector>
+ <management>
+ <enabled>false</enabled>
+ <jmxport>8999</jmxport>
+ <ssl>
+ <enabled>false</enabled>
+ <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
+ <keyStorePath>${prefix}/../test-profiles/test_resources/ssl/keystore.jks</keyStorePath>
+ <keyStorePassword>password</keyStorePassword>
+ </ssl>
+ </management>
+ <advanced>
+ <filterchain enableExecutorPool="true"/>
+ <enablePooledAllocator>false</enablePooledAllocator>
+ <enableDirectBuffers>false</enableDirectBuffers>
+ <framesize>65535</framesize>
+ <compressBufferOnQueue>false</compressBufferOnQueue>
+ <enableJMSXUserID>false</enableJMSXUserID>
+ <locale>en_US</locale>
+ </advanced>
+
+ <security>
+ <principal-databases>
+ <!-- Example use of Base64 encoded MD5 hashes for authentication via CRAM-MD5-Hashed -->
+ <principal-database>
+ <name>passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/passwd</value>
+ </attribute>
+ </attributes>
+ </principal-database>
+ </principal-databases>
+
+ <access>
+ <class>org.apache.qpid.server.security.access.plugins.AllowAll</class>
+ </access>
+
+ <msg-auth>false</msg-auth>
+
+ <jmx>
+ <access>${conf}/jmxremote.access</access>
+ <principal-database>passwordfile</principal-database>
+ </jmx>
+
+ <firewall default-action="allow">
+ <rule access="deny" network="127.0.0.1"/>
+ </firewall>
+ </security>
+
+ <virtualhosts>
+ <default>test</default>
+
+ <virtualhost>
+ <name>test</name>
+ <test>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ <security>
+ <firewall default-action="allow"/>
+ </security>
+ </test>
+ </virtualhost>
+
+ <virtualhost>
+ <name>test2</name>
+ <test2>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ </test2>
+ </virtualhost>
+ </virtualhosts>
+ <heartbeat>
+ <delay>0</delay>
+ <timeoutFactor>2.0</timeoutFactor>
+ </heartbeat>
+ <queue>
+ <auto_register>true</auto_register>
+ </queue>
+
+ <status-updates>ON</status-updates>
+
+</broker>
+
+
diff --git a/java/systests/etc/config-systests-firewall-3.xml b/java/systests/etc/config-systests-firewall-3.xml
new file mode 100644
index 0000000000..05c4df6069
--- /dev/null
+++ b/java/systests/etc/config-systests-firewall-3.xml
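Review bot: The broker-level rule `<rule access="deny" network="127.0.0.1"/>` names only the IPv4 loopback address, so if the systests client reaches the broker through a name that resolves to the IPv6 loopback the rule presumably would not match and testVhostAllowBrokerDeny would see the 'test2' connection succeed; the mirror-image allow rule in config-systests-firewall-3.xml has the same exposure, where a non-matching client address falls to `default-action="deny"` and breaks the 'test' connection instead. Either pin the test client to 127.0.0.1 or record the assumption beside the rule, e.g. `<!-- IPv4 loopback only: the systests are expected to connect via 127.0.0.1 -->`. The connector comment also carries the copied typo `To disasble Non-SSL port`. The keystore password placeholders in both `<ssl>` blocks are inert here since each has `<enabled>false</enabled>`, but worth keeping them obviously fake as they are.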
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+ -->
+<broker>
+ <prefix>${QPID_HOME}</prefix>
+ <work>${QPID_WORK}</work>
+ <conf>${prefix}/etc</conf>
+ <connector>
+ <!-- To enable SSL edit the keystorePath and keystorePassword
+ and set enabled to true.
+ To disasble Non-SSL port set sslOnly to true -->
+ <ssl>
+ <enabled>false</enabled>
+ <sslOnly>false</sslOnly>
+ <keystorePath>/path/to/keystore.ks</keystorePath>
+ <keystorePassword>keystorepass</keystorePassword>
+ </ssl>
+ <qpidnio>false</qpidnio>
+ <protectio>
+ <enabled>false</enabled>
+ <readBufferLimitSize>262144</readBufferLimitSize>
+ <writeBufferLimitSize>262144</writeBufferLimitSize>
+ </protectio>
+ <transport>nio</transport>
+ <port>5672</port>
+ <sslport>8672</sslport>
+ <socketReceiveBuffer>32768</socketReceiveBuffer>
+ <socketSendBuffer>32768</socketSendBuffer>
+ </connector>
+ <management>
+ <enabled>false</enabled>
+ <jmxport>8999</jmxport>
+ <ssl>
+ <enabled>false</enabled>
+ <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
+ <keyStorePath>${prefix}/../test-profiles/test_resources/ssl/keystore.jks</keyStorePath>
+ <keyStorePassword>password</keyStorePassword>
+ </ssl>
+ </management>
+ <advanced>
+ <filterchain enableExecutorPool="true"/>
+ <enablePooledAllocator>false</enablePooledAllocator>
+ <enableDirectBuffers>false</enableDirectBuffers>
+ <framesize>65535</framesize>
+ <compressBufferOnQueue>false</compressBufferOnQueue>
+ <enableJMSXUserID>false</enableJMSXUserID>
+ <locale>en_US</locale>
+ </advanced>
+
+ <security>
+ <principal-databases>
+ <!-- Example use of Base64 encoded MD5 hashes for authentication via CRAM-MD5-Hashed -->
+ <principal-database>
+ <name>passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/passwd</value>
+ </attribute>
+ </attributes>
+ </principal-database>
+ </principal-databases>
+
+ <access>
+ <class>org.apache.qpid.server.security.access.plugins.AllowAll</class>
+ </access>
+
+ <msg-auth>false</msg-auth>
+
+ <jmx>
+ <access>${conf}/jmxremote.access</access>
+ <principal-database>passwordfile</principal-database>
+ </jmx>
+
+ <firewall default-action="deny">
+ <rule access="allow" network="127.0.0.1"/>
+ </firewall>
+ </security>
+
+ <virtualhosts>
+ <default>test</default>
+
+ <virtualhost>
+ <name>test</name>
+ <test>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ </test>
+ </virtualhost>
+
+ <virtualhost>
+ <name>test2</name>
+ <test2>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ <security>
+ <firewall default-action="deny"/>
+ </security>
+ </test2>
+ </virtualhost>
+ </virtualhosts>
+ <heartbeat>
+ <delay>0</delay>
+ <timeoutFactor>2.0</timeoutFactor>
+ </heartbeat>
+ <queue>
+ <auto_register>true</auto_register>
+ </queue>
+
+ <status-updates>ON</status-updates>
+
+</broker>
+
+
diff --git a/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java b/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
index 94bacea2f4..b0415b67c0 100644
--- a/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
+++ b/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
@@ -7,6 +7,7 @@ import java.io.IOException;
 import javax.jms.Connection;
 import javax.jms.JMSException;
+import org.apache.qpid.client.AMQConnectionURL;
 import org.apache.qpid.test.utils.QpidTestCase;
 public class FirewallConfigTest extends QpidTestCase
@@ -50,6 +51,87 @@ public class FirewallConfigTest extends QpidTestCase
 out.write("</broker>");
 out.close();
 }
+
+ public void testVhostAllowBrokerDeny() throws Exception
+ {
+ if (_broker.equals(VM))
+ {
+ //No point running this test with an InVM broker as the
+ //firewall plugin only functions for TCP connections.
+ return;
+ }
+
+ _configFile = new File(System.getProperty("QPID_HOME"), "etc/config-systests-firewall-2.xml");
+
+ super.setUp();
+
+ Connection conn = null;
+ try
+ {
+ //Try to get a connection to the 'test2' vhost
+ //This is expected to fail as it is denied at the broker level
+ conn = getConnection(new AMQConnectionURL(
+ "amqp://username:password@clientid/test2?brokerlist='" + getBroker() + "'"));
+ fail("We expected the connection to fail");
+ }
+ catch (JMSException e)
+ {
+ //ignore
+ }
+
+ conn = null;
+ try
+ {
+ //Try to get a connection to the 'test' vhost
+ //This is expected to succeed as it is allowed at the vhost level
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ e.getLinkedException().printStackTrace();
+ fail("The connection was expected to succeed: " + e.getMessage());
+ }
+ }
+
+ public void testVhostDenyBrokerAllow() throws Exception
+ {
+ if (_broker.equals(VM))
+ {
+ //No point running this test with an InVM broker as the
+ //firewall plugin only functions for TCP connections.
+ return;
+ }
+
+ _configFile = new File(System.getProperty("QPID_HOME"), "etc/config-systests-firewall-3.xml");
+
+ super.setUp();
+
+ Connection conn = null;
+ try
+ {
+ //Try to get a connection to the 'test2' vhost
+ //This is expected to fail as it is denied at the vhost level
+ conn = getConnection(new AMQConnectionURL(
+ "amqp://username:password@clientid/test2?brokerlist='" + getBroker() + "'"));
+ }
+ catch (JMSException e)
+ {
+ //ignore
+ }
+
+ conn = null;
+ try
+ {
+ //Try to get a connection to the 'test' vhost
+ //This is expected to succeed as it is allowed at the broker level
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ e.getLinkedException().printStackTrace();
+ fail("The connection was expected to succeed: " + e.getMessage());
+ }
+ }
 public void testDenyOnRestart() throws Exception
 { |
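Review bot: In testVhostDenyBrokerAllow the first try block is missing the `fail("We expected the connection to fail");` line that testVhostAllowBrokerDeny has right after its getConnection call, so if the vhost-level deny in config-systests-firewall-3.xml does not take effect the connection to 'test2' simply succeeds and the test still passes. Both tests also treat any JMSException as the expected rejection without inspecting it, so an unrelated connection error (wrong port, broker not yet listening) satisfies the negative half of each test; asserting on the linked exception or message would tighten that, though the exact exception the firewall plugin produces is not visible here. Neither `conn` is closed before the method returns, and `e.getLinkedException()` is dereferenced without a null check in the failure path, so unless QpidTestCase's tearDown closes connections obtained through getConnection, a `conn.close()` in a finally block is needed. testDenyOnRestart continues outside the hunk.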
