diff options
| author | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:05:55 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2010-05-31 16:05:55 +0000 |
| commit | cbeecb0e4e6ef1200ffc6afed4e1100828312850 (patch) | |
| tree | e387711dc636d05b5f0e60ca31029a7842e8890e /java | |
| parent | 5b9f0c5168d17c2d61a114d32749f11a833eacd9 (diff) | |
| download | qpid-python-cbeecb0e4e6ef1200ffc6afed4e1100828312850.tar.gz | |
QPID-2569: Implement the SimpleXML as an OSGi plugin
Applied patch from Andrew Kennedy <andrew.international@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@949784 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
9 files changed, 575 insertions, 494 deletions
diff --git a/java/broker-plugins/simple-xml/MANIFEST.MF b/java/broker-plugins/simple-xml/MANIFEST.MF new file mode 100644 index 0000000000..04fe7518df --- /dev/null +++ b/java/broker-plugins/simple-xml/MANIFEST.MF @@ -0,0 +1,36 @@ +Manifest-Version: 1.0 +Bundle-ManifestVersion: 2 +Bundle-Name: Qpid Broker-Plugins Simple XML +Bundle-SymbolicName: broker-plugins-simple-xml +Bundle-Description: Simple XML ACL plugin for Qpid. +Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt +Bundle-DocURL: http://www.apache.org/ +Bundle-Version: 1.0.0 +Bundle-Activator: org.apache.qpid.server.security.access.plugins.SimpleXMLActivator +Bundle-RequiredExecutionEnvironment: JavaSE-1.5 +Bundle-ClassPath: . +Bundle-ActivationPolicy: lazy +Import-Package: org.apache.qpid, + org.apache.qpid.framing, + org.apache.qpid.junit.extensions.util, + org.apache.qpid.protocol, + org.apache.qpid.server.configuration, + org.apache.qpid.server.configuration.plugins, + org.apache.qpid.server.exchange, + org.apache.qpid.server.management, + org.apache.qpid.server.plugins, + org.apache.qpid.server.queue, + org.apache.qpid.server.security, + org.apache.qpid.server.security.access, + org.apache.qpid.server.virtualhost, + org.apache.qpid.util, + org.apache.commons.configuration;version=1.0.0, + org.apache.commons.lang;version=1.0.0, + org.apache.commons.lang.builder;version=1.0.0, + org.apache.log4j;version=1.0.0, + javax.management;version=1.0.0, + javax.management.openmbean;version=1.0.0, + org.osgi.util.tracker;version=1.0.0, + org.osgi.framework;version=1.3 +Private-Package: org.apache.qpid.server.security.access.config +Export-Package: org.apache.qpid.server.security.access.plugins diff --git a/java/broker-plugins/simple-xml/build.xml b/java/broker-plugins/simple-xml/build.xml new file mode 100644 index 0000000000..2c26c9129a --- /dev/null +++ b/java/broker-plugins/simple-xml/build.xml @@ -0,0 +1,29 @@ +<!-- + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + --> +<project name="Qpid Broker-Plugins Simple XML" default="build"> + <property name="module.depends" value="common management/common broker broker-plugins" /> + <property name="module.test.depends" value="junit-toolkit broker/test common/test" /> + + <property name="module.manifest" value="MANIFEST.MF" /> + <property name="module.plugin" value="true" /> + + <import file="../../module.xml" /> + + <target name="bundle" depends="bundle-tasks" /> +</project> diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/config/PrincipalPermissions.java index e7fc8effaf..d9fc292f03 100755 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java +++ b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/config/PrincipalPermissions.java @@ -18,7 +18,7 @@ * under the License. * */ -package org.apache.qpid.server.security.access; +package org.apache.qpid.server.security.access.config; import java.util.HashSet; import java.util.Iterator; @@ -27,14 +27,29 @@ import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.lang.StringUtils; +import org.apache.log4j.Logger; import org.apache.qpid.framing.AMQShortString; -import org.apache.qpid.server.exchange.Exchange; -import org.apache.qpid.server.queue.AMQQueue; -import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult; +import org.apache.qpid.server.security.Result; +@SuppressWarnings("unchecked") public class PrincipalPermissions { - + public enum Permission + { + CONSUME, + PUBLISH, + CREATEQUEUE, + CREATEEXCHANGE, + ACCESS, + BIND, + UNBIND, + DELETE, + PURGE + } + + private static final Logger _logger = Logger.getLogger(PrincipalPermissions.class); + private static final Object CONSUME_QUEUES_KEY = new Object(); private static final Object CONSUME_TEMPORARY_KEY = new Object(); private static final Object CONSUME_OWN_QUEUES_ONLY_KEY = new Object(); @@ -358,22 +373,22 @@ public class PrincipalPermissions * PURGE: none * UNBIND: none */ - public AuthzResult authorise(Permission permission, Object... parameters) + public Result authorise(Permission permission, String... parameters) { switch (permission) { case ACCESS://No Parameters - return AuthzResult.ALLOWED; // The existence of this user-specific PP infers some level of access is authorised - case BIND: // Parameters : QueueBindMethod , Exchange , AMQQueue, AMQShortString routingKey + return Result.ALLOWED; // The existence of this user-specific PP infers some level of access is authorised + case BIND: // Parameters : QueueBindMethod , exhangeName , queueName, routingKey return authoriseBind(parameters); - case CREATEQUEUE:// Parameters : boolean autodelete, AMQShortString name + case CREATEQUEUE:// Parameters : autoDelete, queueName return authoriseCreateQueue(permission, parameters); - case CREATEEXCHANGE: + case CREATEEXCHANGE: //Parameters: exchangeName return authoriseCreateExchange(permission, parameters); - case CONSUME: // Parameters : AMQQueue + case CONSUME: // Parameters : queueName, autoDelete, owner return authoriseConsume(permission, parameters); - case PUBLISH: // Parameters : Exchange exchange, AMQShortString routingKey + case PUBLISH: // Parameters : exchangeName, routingKey return authorisePublish(permission, parameters); /* Fall through */ case DELETE: @@ -383,34 +398,38 @@ public class PrincipalPermissions if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } else { //SimpleXML ACL does not implement these permissions and should abstain - return AuthzResult.ABSTAIN; + return Result.ABSTAIN; } } } - private AuthzResult authoriseConsume(Permission permission, Object... parameters) + private Result authoriseConsume(Permission permission, String... parameters) { if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } - if (parameters.length == 1 && parameters[0] instanceof AMQQueue) + if (parameters.length == 3) { - AMQQueue queue = ((AMQQueue) parameters[0]); + AMQShortString queueName = new AMQShortString(parameters[0]); + Boolean autoDelete = Boolean.valueOf(parameters[1]); + AMQShortString owner = new AMQShortString(parameters[2]); Map queuePermissions = (Map) _permissions.get(permission); + _logger.error("auth consume on " + StringUtils.join(parameters, ", ")); + if (queuePermissions == null) { //we have a problem - we've never granted this type of permission ..... - return AuthzResult.DENIED; + return Result.DENIED; } List queues = (List) queuePermissions.get(CONSUME_QUEUES_KEY); @@ -420,20 +439,20 @@ public class PrincipalPermissions // If user is allowed to consume from temporary queues and this is a temp queue then allow it. - if (temporaryQueues && queue.isAutoDelete()) + if (temporaryQueues && autoDelete) { // This will allow consumption from any temporary queue including ones not owned by this user. // Of course the exclusivity will not be broken. { // if not limited to ownQueuesOnly then ok else check queue Owner. - return (!ownQueuesOnly || new AMQShortString(queue.getPrincipalHolder().getPrincipal().getName()).equals(_user)) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return (!ownQueuesOnly || owner.equals(_user)) ? Result.ALLOWED : Result.DENIED; } } //if this is a temporary queue and the user does not have permissions for temporary queues then deny - else if (!temporaryQueues && queue.isAutoDelete()) + else if (!temporaryQueues && autoDelete) { - return AuthzResult.DENIED; + return Result.DENIED; } // if queues are white listed then ensure it is ok @@ -442,38 +461,38 @@ public class PrincipalPermissions // if no queues are listed then ALL are ok othereise it must be specified. if (ownQueuesOnly) { - if ( new AMQShortString(queue.getPrincipalHolder().getPrincipal().getName()).equals(_user)) + if (owner.equals(_user)) { - return (queues.size() == 0 || queues.contains(queue.getNameShortString())) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return (queues.size() == 0 || queues.contains(queueName)) ? Result.ALLOWED : Result.DENIED; } else { - return AuthzResult.DENIED; + return Result.DENIED; } } // If we are - return (queues.size() == 0 || queues.contains(queue.getNameShortString())) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return (queues.size() == 0 || queues.contains(queueName)) ? Result.ALLOWED : Result.DENIED; } } // Can't authenticate without the right parameters - return AuthzResult.DENIED; + return Result.DENIED; } - private AuthzResult authorisePublish(Permission permission, Object... parameters) + private Result authorisePublish(Permission permission, String... parameters) { if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } Map publishRights = (Map) _permissions.get(permission); if (publishRights == null) { - return AuthzResult.DENIED; + return Result.DENIED; } Map exchanges = (Map) publishRights.get(PUBLISH_EXCHANGES_KEY); @@ -481,33 +500,32 @@ public class PrincipalPermissions // Having no exchanges listed gives full publish rights to all exchanges if (exchanges == null) { - return AuthzResult.ALLOWED; + return Result.ALLOWED; } // Otherwise exchange must be listed in the white list // If the map doesn't have the exchange then it isn't allowed - if (!exchanges.containsKey(((Exchange) parameters[0]).getNameShortString())) + AMQShortString exchangeName = new AMQShortString(parameters[0]); + if (!exchanges.containsKey(exchangeName)) { - return AuthzResult.DENIED; + return Result.DENIED; } else { - // Get valid routing keys - HashSet routingKeys = (HashSet) exchanges.get(((Exchange)parameters[0]).getNameShortString()); + HashSet routingKeys = (HashSet) exchanges.get(exchangeName); // Having no routingKeys in the map then all are allowed. if (routingKeys == null) { - return AuthzResult.ALLOWED; + return Result.ALLOWED; } else { // We have routingKeys so a match must be found to allowed binding Iterator keys = routingKeys.iterator(); - - AMQShortString publishRKey = (AMQShortString)parameters[1]; + AMQShortString publishRKey = new AMQShortString(parameters[1]); boolean matched = false; while (keys.hasNext() && !matched) @@ -523,41 +541,41 @@ public class PrincipalPermissions matched = publishRKey.equals(rkey); } } - return (matched) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return (matched) ? Result.ALLOWED : Result.DENIED; } } } - private AuthzResult authoriseCreateExchange(Permission permission, Object... parameters) + private Result authoriseCreateExchange(Permission permission, String... parameters) { if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } Map rights = (Map) _permissions.get(permission); - AMQShortString exchangeName = (AMQShortString) parameters[0]; + AMQShortString exchangeName = new AMQShortString(parameters[0]); // If the exchange list is doesn't exist then all is allowed else // check the valid exchanges if (rights == null || rights.containsKey(exchangeName)) { - return AuthzResult.ALLOWED; + return Result.ALLOWED; } else { - return AuthzResult.DENIED; + return Result.DENIED; } } - private AuthzResult authoriseCreateQueue(Permission permission, Object... parameters) + private Result authoriseCreateQueue(Permission permission, String... parameters) { if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } Map createRights = (Map) _permissions.get(permission); @@ -565,7 +583,7 @@ public class PrincipalPermissions // If there are no create rights then deny request if (createRights == null) { - return AuthzResult.DENIED; + return Result.DENIED; } //Look up the Queue Creation Rights @@ -575,47 +593,43 @@ public class PrincipalPermissions Map create_queues_queues = (Map) create_queues.get(CREATE_QUEUE_QUEUES_KEY); - AMQShortString queueName = (AMQShortString) parameters[1]; - Boolean autoDelete = (Boolean) parameters[0]; + Boolean autoDelete = Boolean.valueOf(parameters[0]); + AMQShortString queueName = new AMQShortString(parameters[1]); if (autoDelete)// we have a temporary queue { - return ((Boolean) create_queues.get(CREATE_QUEUE_TEMPORARY_KEY)) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return ((Boolean) create_queues.get(CREATE_QUEUE_TEMPORARY_KEY)) ? Result.ALLOWED : Result.DENIED; } else { // If there is a white list then check if (create_queues_queues == null || create_queues_queues.containsKey(queueName)) { - return AuthzResult.ALLOWED; + return Result.ALLOWED; } else { - return AuthzResult.DENIED; + return Result.DENIED; } } } - private AuthzResult authoriseBind(Object... parameters) + private Result authoriseBind(String... parameters) { if(_fullVHostAccess) { //user has been granted full access to the vhost - return AuthzResult.ALLOWED; + return Result.ALLOWED; } - Exchange exchange = (Exchange) parameters[1]; - - AMQQueue bind_queueName = (AMQQueue) parameters[2]; - AMQShortString routingKey = (AMQShortString) parameters[3]; + AMQShortString exchangeName = new AMQShortString(parameters[1]); + AMQShortString bind_queueName = new AMQShortString(parameters[2]); + AMQShortString routingKey = new AMQShortString(parameters[3]); //Get all Create Rights for this user Map bindCreateRights = (Map) _permissions.get(Permission.CREATEQUEUE); - //Look up the Queue Creation Rights - Map bind_create_queues = (Map) bindCreateRights.get(CREATE_QUEUES_KEY); - //Lookup the list of queues Map bind_create_queues_queues = (Map) bindCreateRights.get(CREATE_QUEUE_QUEUES_KEY); @@ -627,17 +641,17 @@ public class PrincipalPermissions if (exchangeDetails == null) //Then all queue can be bound to all exchanges. { - return AuthzResult.ALLOWED; + return Result.ALLOWED; } // Check to see if we have a white list of routingkeys to check - Map rkeys = (Map) exchangeDetails.get(exchange.getNameShortString()); + Map rkeys = (Map) exchangeDetails.get(exchangeName); // if keys is null then any rkey is allowed on this exchange if (rkeys == null) { // There is no routingkey white list - return AuthzResult.ALLOWED; + return Result.ALLOWED; } else { @@ -659,7 +673,7 @@ public class PrincipalPermissions } - return (matched) ? AuthzResult.ALLOWED : AuthzResult.DENIED; + return (matched) ? Result.ALLOWED : Result.DENIED; } @@ -667,7 +681,7 @@ public class PrincipalPermissions else { //no white list so all allowed. - return AuthzResult.ALLOWED; + return Result.ALLOWED; } } } diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java index a5bdf662af..4b3d8f02de 100644 --- a/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java +++ b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java @@ -15,77 +15,92 @@ * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. - * - * */ - package org.apache.qpid.server.security.access.plugins; -import org.apache.commons.configuration.Configuration; -import org.apache.qpid.framing.AMQShortString; - -import org.apache.qpid.server.exchange.Exchange; -import org.apache.qpid.server.queue.AMQQueue; -import org.apache.qpid.server.security.access.ACLPlugin; -import org.apache.qpid.server.security.access.ACLPluginFactory; -import org.apache.qpid.server.security.access.AccessResult; -import org.apache.qpid.server.security.access.Permission; -import org.apache.qpid.server.security.access.PrincipalPermissions; -import org.apache.qpid.server.security.PrincipalHolder; -import org.apache.qpid.server.virtualhost.VirtualHost; +import static org.apache.qpid.server.security.access.ObjectProperties.Property.*; +import java.security.Principal; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.log4j.Logger; +import org.apache.qpid.framing.AMQShortString; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.security.AbstractPlugin; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.SecurityManager; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.apache.qpid.server.security.access.ObjectProperties; +import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.server.security.access.config.PrincipalPermissions; +import org.apache.qpid.server.security.access.config.PrincipalPermissions.Permission; + /** * This uses the default */ -public class SimpleXML implements ACLPlugin +public class SimpleXML extends AbstractPlugin { - public static final ACLPluginFactory FACTORY = new ACLPluginFactory() + public static final Logger _logger = Logger.getLogger(SimpleXML.class); + + private Map<String, PrincipalPermissions> _users; + + public static final SecurityPluginFactory<SimpleXML> FACTORY = new SecurityPluginFactory<SimpleXML>() { - public boolean supportsTag(String name) + public SimpleXML newInstance(ConfigurationPlugin config) throws ConfigurationException { - return name.startsWith("access_control_list"); + SimpleXML plugin = new SimpleXML(config); + plugin.configure(); + return plugin; } - public ACLPlugin newInstance(Configuration config) + public String getPluginName() { - SimpleXML plugin = new SimpleXML(); - plugin.setConfiguration(config); - return plugin; + return SimpleXML.class.getName(); } - }; - private Map<String, PrincipalPermissions> _users; - private final AccessResult GRANTED = new AccessResult(this, AccessResult.AccessStatus.GRANTED); + public Class<SimpleXML> getPluginClass() + { + return SimpleXML.class; + } + }; - public SimpleXML() + public SimpleXML(ConfigurationPlugin config) throws ConfigurationException { - _users = new ConcurrentHashMap<String, PrincipalPermissions>(); + _config = config.getConfiguration(SimpleXMLConfiguration.class); } - public void setConfiguration(Configuration config) + public void configure() throws ConfigurationException { - processConfig(config); + SimpleXMLConfiguration config = (SimpleXMLConfiguration) _config; + + if (isConfigured()) + { + _users = new ConcurrentHashMap<String, PrincipalPermissions>(); + + processConfig(config.getConfiguration()); + } } private void processConfig(Configuration config) { processPublish(config); - processConsume(config); - processCreate(config); - processAccess(config); } + /** + * @param config XML Configuration + */ private void processAccess(Configuration config) { - Configuration accessConfig = config.subset("access_control_list.access"); + Configuration accessConfig = config.subset("access"); - if(accessConfig.isEmpty()) + if (accessConfig.isEmpty()) { //there is no access configuration to process return; @@ -93,7 +108,7 @@ public class SimpleXML implements ACLPlugin // Process users that have full access permission String[] users = accessConfig.getStringArray("users.user"); - + for (String user : users) { grant(Permission.ACCESS, user); @@ -101,14 +116,13 @@ public class SimpleXML implements ACLPlugin } /** - * Publish format takes Exchange + Routing Key Pairs + * Publish format takes Exchange + Routing Key Pairs * - * @param config - * XML Configuration + * @param config XML Configuration */ private void processPublish(Configuration config) { - Configuration publishConfig = config.subset("access_control_list.publish"); + Configuration publishConfig = config.subset("publish"); // Process users that have full publish permission String[] users = publishConfig.getStringArray("users.user"); @@ -177,11 +191,14 @@ public class SimpleXML implements ACLPlugin permissions.grant(permission, parameters); } + /** + * @param config XML Configuration + */ private void processConsume(Configuration config) { boolean temporary = false; Configuration tempConfig = null; - Configuration consumeConfig = config.subset("access_control_list.consume"); + Configuration consumeConfig = config.subset("consume"); tempConfig = consumeConfig.subset("queues.temporary(0)"); if (tempConfig != null) @@ -233,12 +250,15 @@ public class SimpleXML implements ACLPlugin } } + /** + * @param config XML Configuration + */ private void processCreate(Configuration config) { boolean temporary = false; Configuration tempConfig = null; - Configuration createConfig = config.subset("access_control_list.create"); + Configuration createConfig = config.subset("create"); tempConfig = createConfig.subset("queues.temporary(0)"); if (tempConfig != null) @@ -333,151 +353,73 @@ public class SimpleXML implements ACLPlugin grant(Permission.CREATEEXCHANGE, user); grant(Permission.CREATEQUEUE, user); } - - } - - public String getPluginName() - { - return "Simple"; } - public AuthzResult authoriseBind(PrincipalHolder session, Exchange exch, AMQQueue queue, AMQShortString routingKey) + public Result access(ObjectType objectType, Object instance) { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else + Principal principal = SecurityManager.getThreadPrincipal(); + if (principal == null) { - return principalPermissions.authorise(Permission.BIND, null, exch, queue, routingKey); + return getDefault(); // Default if there is no user associated with the thread } - } - - public AuthzResult authoriseConnect(PrincipalHolder session, VirtualHost virtualHost) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); + PrincipalPermissions principalPermissions = _users.get(principal.getName()); if (principalPermissions == null) { - return AuthzResult.DENIED; + return Result.DENIED; } - else + + // Authorise object access + if (objectType == ObjectType.BROKER || objectType == ObjectType.VIRTUALHOST) { return principalPermissions.authorise(Permission.ACCESS); } + + // Default + return getDefault(); } - public AuthzResult authoriseConsume(PrincipalHolder session, boolean noAck, AMQQueue queue) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { - return principalPermissions.authorise(Permission.CONSUME, queue); - } - } - - public AuthzResult authoriseConsume(PrincipalHolder session, boolean exclusive, boolean noAck, boolean noLocal, - boolean nowait, AMQQueue queue) - { - return authoriseConsume(session, noAck, queue); - } - - public AuthzResult authoriseCreateExchange(PrincipalHolder session, boolean autoDelete, boolean durable, - AMQShortString exchangeName, boolean internal, boolean nowait, boolean passive, AMQShortString exchangeType) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { - return principalPermissions.authorise(Permission.CREATEEXCHANGE, exchangeName); - } - } - - public AuthzResult authoriseCreateQueue(PrincipalHolder session, boolean autoDelete, boolean durable, boolean exclusive, - boolean nowait, boolean passive, AMQShortString queue) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { - return principalPermissions.authorise(Permission.CREATEQUEUE, autoDelete, queue); - } - } - - public AuthzResult authoriseDelete(PrincipalHolder session, AMQQueue queue) + public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties) { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else + Principal principal = SecurityManager.getThreadPrincipal(); + if (principal == null) { - return principalPermissions.authorise(Permission.DELETE); + return getDefault(); // Default if there is no user associated with the thread } - } - - public AuthzResult authoriseDelete(PrincipalHolder session, Exchange exchange) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); + PrincipalPermissions principalPermissions = _users.get(principal.getName()); if (principalPermissions == null) { - return AuthzResult.DENIED; + return Result.DENIED; } - else - { + + // Authorise operation + switch (operation) + { + case CONSUME: + return principalPermissions.authorise(Permission.CONSUME, properties.get(NAME), properties.get(AUTO_DELETE), properties.get(OWNER)); + case PUBLISH: + return principalPermissions.authorise(Permission.PUBLISH, properties.get(NAME), properties.get(ROUTING_KEY)); + case CREATE: + if (objectType == ObjectType.EXCHANGE) + { + return principalPermissions.authorise(Permission.CREATEEXCHANGE, properties.get(NAME)); + } + else if (objectType == ObjectType.QUEUE) + { + return principalPermissions.authorise(Permission.CREATEQUEUE, properties.get(AUTO_DELETE), properties.get(NAME)); + } + case ACCESS: + return principalPermissions.authorise(Permission.ACCESS); + case BIND: + return principalPermissions.authorise(Permission.BIND, null, properties.get(NAME), properties.get(QUEUE_NAME), properties.get(ROUTING_KEY)); + case UNBIND: + return principalPermissions.authorise(Permission.UNBIND); + case DELETE: return principalPermissions.authorise(Permission.DELETE); - } - } - - public AuthzResult authorisePublish(PrincipalHolder session, boolean immediate, boolean mandatory, - AMQShortString routingKey, Exchange e) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { - return principalPermissions.authorise(Permission.PUBLISH, e, routingKey); - } - } - - public AuthzResult authorisePurge(PrincipalHolder session, AMQQueue queue) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { + case PURGE: return principalPermissions.authorise(Permission.PURGE); } + + // Default + return getDefault(); } - - public AuthzResult authoriseUnbind(PrincipalHolder session, Exchange exch, AMQShortString routingKey, AMQQueue queue) - { - PrincipalPermissions principalPermissions = _users.get(session.getPrincipal().getName()); - if (principalPermissions == null) - { - return AuthzResult.DENIED; - } - else - { - return principalPermissions.authorise(Permission.UNBIND); - } - } - } diff --git a/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLActivator.java b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLActivator.java new file mode 100644 index 0000000000..e5bae0669a --- /dev/null +++ b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLActivator.java @@ -0,0 +1,22 @@ +package org.apache.qpid.server.security.access.plugins; + +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; +import org.apache.qpid.server.security.SecurityPluginActivator; +import org.apache.qpid.server.security.SecurityPluginFactory; +import org.osgi.framework.BundleActivator; + +/** + * The OSGi {@link BundleActivator} for {@link SimpleXML}. + */ +public class SimpleXMLActivator extends SecurityPluginActivator +{ + public SecurityPluginFactory getFactory() + { + return SimpleXML.FACTORY; + } + + public ConfigurationPluginFactory getConfigurationFactory() + { + return SimpleXMLConfiguration.FACTORY; + } +} diff --git a/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLConfiguration.java b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLConfiguration.java new file mode 100644 index 0000000000..b73ab97080 --- /dev/null +++ b/java/broker-plugins/simple-xml/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXMLConfiguration.java @@ -0,0 +1,57 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.util.Arrays; +import java.util.List; + +import org.apache.commons.configuration.Configuration; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin; +import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory; + +public class SimpleXMLConfiguration extends ConfigurationPlugin +{ + public static final ConfigurationPluginFactory FACTORY = new ConfigurationPluginFactory() + { + public ConfigurationPlugin newInstance(String path, Configuration config) throws ConfigurationException + { + ConfigurationPlugin instance = new SimpleXMLConfiguration(); + instance.setConfiguration(path, config); + return instance; + } + + public List<String> getParentPaths() + { + return Arrays.asList("security", "virtualhosts.virtualhost.security"); + } + }; + + public String[] getElementsProcessed() + { + return new String[] { "access_control_list" }; + } + + public Configuration getConfiguration() + { + return _configuration.subset("access_control_list"); + } +} diff --git a/java/broker-plugins/simple-xml/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java b/java/broker-plugins/simple-xml/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java new file mode 100644 index 0000000000..3cbad83369 --- /dev/null +++ b/java/broker-plugins/simple-xml/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java @@ -0,0 +1,240 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + +package org.apache.qpid.server.security.access; + +import junit.framework.TestCase; + +import org.apache.qpid.framing.AMQShortString; +import org.apache.qpid.framing.FieldTable; +import org.apache.qpid.server.exchange.DirectExchange; +import org.apache.qpid.server.queue.AMQQueueFactory; +import org.apache.qpid.server.registry.ApplicationRegistry; +import org.apache.qpid.server.security.Result; +import org.apache.qpid.server.security.access.config.PrincipalPermissions; +import org.apache.qpid.server.security.access.config.PrincipalPermissions.Permission; +import org.apache.qpid.server.virtualhost.VirtualHost; + +public class PrincipalPermissionsTest extends TestCase +{ + private String _user = "user"; + private PrincipalPermissions _perms; + + // Common things that are passed to frame constructors + private AMQShortString _queueName = new AMQShortString(this.getClass().getName() + "queue"); + private AMQShortString _tempQueueName = new AMQShortString(this.getClass().getName() + "tempqueue"); + private AMQShortString _exchangeName = new AMQShortString("amq.direct"); + private AMQShortString _routingKey = new AMQShortString(this.getClass().getName() + "route"); + private int _ticket = 1; + private FieldTable _arguments = null; + private boolean _durable = false; + private boolean _autoDelete = false; + private AMQShortString _exchangeType = new AMQShortString("direct"); + private DirectExchange _exchange; + private VirtualHost _virtualHost; + private AMQShortString _owner = new AMQShortString(this.getClass().getName() + "owner"); + private Boolean _temporary = false; + private Boolean _ownQueue = false; + + @Override + public void setUp() + { + //Highlight that this test will cause a new AR to be created + ApplicationRegistry.getInstance(); + + _perms = new PrincipalPermissions(_user); + try + { + _virtualHost = ApplicationRegistry.getInstance().getVirtualHostRegistry().getVirtualHost("test"); + _exchange = DirectExchange.TYPE.newInstance(_virtualHost, _exchangeName, _durable, _ticket, _autoDelete); + AMQQueueFactory.createAMQQueueImpl(_queueName, false, _owner , false, false, _virtualHost, _arguments); + AMQQueueFactory.createAMQQueueImpl(_tempQueueName, false, _owner , true, false, _virtualHost, _arguments); + } + catch (Exception e) + { + fail(e.getMessage()); + } + } + + @Override + protected void tearDown() throws Exception + { + //Ensure we close the opened Registry + ApplicationRegistry.remove(); + } + + + public void testPrincipalPermissions() + { + assertNotNull(_perms); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.ACCESS, (String[]) null)); + } + + // FIXME: test has been disabled since the permissions assume that the user has tried to create + // the queue first. QPID-1597 + public void disableTestBind() throws Exception + { + String[] args = new String[]{null, _exchangeName.asString(), _queueName.asString(), _routingKey.asString()}; + + assertEquals(Result.DENIED, _perms.authorise(Permission.BIND, args)); + _perms.grant(Permission.BIND, (Object[]) null); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.BIND, args)); + } + + public void testQueueCreate() + { + Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, _routingKey}; + String[] authArgs = new String[]{Boolean.toString(_autoDelete), _queueName.asString()}; + + assertEquals(Result.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); + _perms.grant(Permission.CREATEQUEUE, grantArgs); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); + } + + public void testQueueCreateWithNullRoutingKey() + { + Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, null}; + String[] authArgs = new String[]{Boolean.toString(_autoDelete), _queueName.asString()}; + + assertEquals(Result.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); + _perms.grant(Permission.CREATEQUEUE, grantArgs); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); + } + + // FIXME disabled, this fails due to grant putting the grant into the wrong map QPID-1598 + public void disableTestExchangeCreate() + { + String[] authArgs = new String[]{_exchangeName.asString()}; + Object[] grantArgs = new Object[]{_exchangeName, _exchangeType}; + + assertEquals(Result.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs)); + _perms.grant(Permission.CREATEEXCHANGE, grantArgs); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs)); + } + + public void testConsume() + { + String[] authArgs = new String[]{_queueName.asString(), Boolean.toString(_autoDelete), _user}; + Object[] grantArgs = new Object[]{_queueName, _ownQueue}; + + // FIXME: This throws a null pointer exception QPID-1599 + // assertFalse(_perms.authorise(Permission.CONSUME, authArgs)); + _perms.grant(Permission.CONSUME, grantArgs); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authArgs)); + } + + public void testPublish() + { + String[] authArgs = new String[]{_exchangeName.asString(), _routingKey.asString()}; + Object[] grantArgs = new Object[]{_exchange.getNameShortString(), _routingKey}; + + assertEquals(Result.DENIED, _perms.authorise(Permission.PUBLISH, authArgs)); + _perms.grant(Permission.PUBLISH, grantArgs); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgs)); + } + + public void testVhostAccess() + { + //Tests that granting a user Virtualhost level access allows all authorisation requests + //where previously they would be denied + + //QPID-2133 createExchange rights currently allow all exchange creation unless rights for creating some + //specific exchanges are granted. Grant a specific exchange creation to cause all others to be denied. + Object[] createArgsCreateExchange = new Object[]{new AMQShortString("madeup"), _exchangeType}; + String[] authArgsCreateExchange = new String[]{_exchangeName.asString()}; + assertEquals("Exchange creation was not allowed", Result.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + _perms.grant(Permission.CREATEEXCHANGE, createArgsCreateExchange); + + String[] authArgsPublish = new String[]{_exchangeName.asString(), _routingKey.asString()}; + String[] authArgsConsume = new String[]{_queueName.asString(), Boolean.toString(_autoDelete), _user}; + String[] authArgsCreateQueue = new String[]{Boolean.toString(_autoDelete), _queueName.asString()}; +// QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments); + String[] authArgsBind = new String[]{ null, _exchangeName.asString(), _queueName.asString(), _routingKey.asString()}; + + assertEquals("Exchange creation was not denied", Result.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + assertEquals("Publish was not denied", Result.DENIED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); + assertEquals("Consume creation was not denied", Result.DENIED, _perms.authorise(Permission.CONSUME, authArgsConsume)); + assertEquals("Queue creation was not denied", Result.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); + //BIND pre-grant authorise check disabled due to QPID-1597 + //assertEquals("Binding creation was not denied", Result.DENIED, _perms.authorise(Permission.BIND, authArgsBind)); + + _perms.grant(Permission.ACCESS); + + assertEquals("Exchange creation was not allowed", Result.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + assertEquals("Publish was not allowed", Result.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); + assertEquals("Consume creation was not allowed", Result.ALLOWED, _perms.authorise(Permission.CONSUME, authArgsConsume)); + assertEquals("Queue creation was not allowed", Result.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); + assertEquals("Binding creation was not allowed", Result.ALLOWED, _perms.authorise(Permission.BIND, authArgsBind)); + } + + /** + * If the consume permission for temporary queues is for an unnamed queue then is should + * be global for any temporary queue but not for any non-temporary queue + */ + public void testTemporaryUnnamedQueueConsume() + { + String[] authNonTempQArgs = new String[]{_queueName.asString(), Boolean.toString(_autoDelete), _user}; + String[] authTempQArgs = new String[]{_tempQueueName.asString(), Boolean.TRUE.toString(), _user}; + Object[] grantArgs = new Object[]{true}; + + _perms.grant(Permission.CONSUME, grantArgs); + + //Next line shows up bug - non temp queue should be denied + assertEquals(Result.DENIED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); + } + + /** + * Test that temporary queue permissions before queue perms in the ACL config work correctly + */ + public void testTemporaryQueueFirstConsume() + { + String[] authNonTempQArgs = new String[]{_queueName.asString(), Boolean.toString(_autoDelete), _user}; + String[] authTempQArgs = new String[]{_tempQueueName.asString(), Boolean.TRUE.toString(), _user}; + Object[] grantArgs = new Object[]{true}; + Object[] grantNonTempQArgs = new Object[]{_queueName, _ownQueue}; + + //should not matter if the temporary permission is processed first or last + _perms.grant(Permission.CONSUME, grantNonTempQArgs); + _perms.grant(Permission.CONSUME, grantArgs); + + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); + } + + /** + * Test that temporary queue permissions after queue perms in the ACL config work correctly + */ + public void testTemporaryQueueLastConsume() + { + String[] authNonTempQArgs = new String[]{_queueName.asString(), Boolean.toString(_autoDelete), _user}; + String[] authTempQArgs = new String[]{_tempQueueName.asString(), Boolean.TRUE.toString(), _user}; + Object[] grantArgs = new Object[]{true}; + Object[] grantNonTempQArgs = new Object[]{_queueName, _ownQueue}; + + //should not matter if the temporary permission is processed first or last + _perms.grant(Permission.CONSUME, grantArgs); + _perms.grant(Permission.CONSUME, grantNonTempQArgs); + + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); + assertEquals(Result.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); + } +} diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java deleted file mode 100644 index 8704f58e55..0000000000 --- a/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java +++ /dev/null @@ -1,254 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ - -package org.apache.qpid.server.security.access; - -import junit.framework.TestCase; - -import org.apache.qpid.framing.AMQShortString; -import org.apache.qpid.framing.FieldTable; -import org.apache.qpid.framing.amqp_0_9.ExchangeDeclareBodyImpl; -import org.apache.qpid.framing.amqp_8_0.QueueBindBodyImpl; -import org.apache.qpid.server.exchange.DirectExchange; -import org.apache.qpid.server.queue.AMQQueue; -import org.apache.qpid.server.queue.AMQQueueFactory; -import org.apache.qpid.server.registry.ApplicationRegistry; -import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult; -import org.apache.qpid.server.virtualhost.VirtualHost; - -public class PrincipalPermissionsTest extends TestCase -{ - - private String _user = "user"; - private PrincipalPermissions _perms; - - // Common things that are passed to frame constructors - private AMQShortString _queueName = new AMQShortString(this.getClass().getName()+"queue"); - private AMQShortString _tempQueueName = new AMQShortString(this.getClass().getName()+"tempqueue"); - private AMQShortString _exchangeName = new AMQShortString("amq.direct"); - private AMQShortString _routingKey = new AMQShortString(this.getClass().getName()+"route"); - private int _ticket = 1; - private FieldTable _arguments = null; - private boolean _nowait = false; - private boolean _passive = false; - private boolean _durable = false; - private boolean _autoDelete = false; - private AMQShortString _exchangeType = new AMQShortString("direct"); - private boolean _internal = false; - - private DirectExchange _exchange; - private VirtualHost _virtualHost; - private AMQShortString _owner = new AMQShortString(this.getClass().getName()+"owner"); - private AMQQueue _queue; - private AMQQueue _temporaryQueue; - private Boolean _temporary = false; - private Boolean _ownQueue = false; - - @Override - public void setUp() - { - //Highlight that this test will cause a new AR to be created - ApplicationRegistry.getInstance(); - - _perms = new PrincipalPermissions(_user); - try - { - _virtualHost = ApplicationRegistry.getInstance().getVirtualHostRegistry().getVirtualHost("test"); - _exchange = DirectExchange.TYPE.newInstance(_virtualHost, _exchangeName, _durable, _ticket, _autoDelete); - _queue = AMQQueueFactory.createAMQQueueImpl(_queueName, false, _owner , false, false, _virtualHost, _arguments); - _temporaryQueue = AMQQueueFactory.createAMQQueueImpl(_tempQueueName, false, _owner , true, false, _virtualHost, _arguments); - } - catch (Exception e) - { - fail(e.getMessage()); - } - } - - @Override - protected void tearDown() throws Exception - { - //Ensure we close the opened Registry - ApplicationRegistry.remove(); - } - - - public void testPrincipalPermissions() - { - assertNotNull(_perms); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.ACCESS, (Object[]) null)); - } - - // FIXME: test has been disabled since the permissions assume that the user has tried to create - // the queue first. QPID-1597 - public void disableTestBind() throws Exception - { - QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments); - Object[] args = new Object[]{bind, _exchange, _queue, _routingKey}; - - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.BIND, args)); - _perms.grant(Permission.BIND, (Object[]) null); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.BIND, args)); - } - - public void testQueueCreate() - { - Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, _routingKey}; - Object[] authArgs = new Object[]{_autoDelete, _queueName}; - - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); - _perms.grant(Permission.CREATEQUEUE, grantArgs); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); - } - - public void testQueueCreateWithNullRoutingKey() - { - Object[] grantArgs = new Object[]{_temporary , _queueName, _exchangeName, null}; - Object[] authArgs = new Object[]{_autoDelete, _queueName}; - - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); - _perms.grant(Permission.CREATEQUEUE, grantArgs); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgs)); - } - - // FIXME disabled, this fails due to grant putting the grant into the wrong map QPID-1598 - public void disableTestExchangeCreate() - { - ExchangeDeclareBodyImpl exchangeDeclare = - new ExchangeDeclareBodyImpl(_ticket, _exchangeName, _exchangeType, _passive, _durable, - _autoDelete, _internal, _nowait, _arguments); - Object[] authArgs = new Object[]{exchangeDeclare}; - Object[] grantArgs = new Object[]{_exchangeName, _exchangeType}; - - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs)); - _perms.grant(Permission.CREATEEXCHANGE, grantArgs); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgs)); - } - - public void testConsume() - { - Object[] authArgs = new Object[]{_queue}; - Object[] grantArgs = new Object[]{_queueName, _ownQueue}; - - /* FIXME: This throws a null pointer exception QPID-1599 - * assertFalse(_perms.authorise(Permission.CONSUME, authArgs)); - */ - _perms.grant(Permission.CONSUME, grantArgs); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authArgs)); - } - - public void testPublish() - { - Object[] authArgs = new Object[]{_exchange, _routingKey}; - Object[] grantArgs = new Object[]{_exchange.getNameShortString(), _routingKey}; - - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.PUBLISH, authArgs)); - _perms.grant(Permission.PUBLISH, grantArgs); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgs)); - } - - public void testVhostAccess() - { - //Tests that granting a user Virtualhost level access allows all authorisation requests - //where previously they would be denied - - //QPID-2133 createExchange rights currently allow all exchange creation unless rights for creating some - //specific exchanges are granted. Grant a specific exchange creation to cause all others to be denied. - Object[] createArgsCreateExchange = new Object[]{new AMQShortString("madeup"), _exchangeType}; - Object[] authArgsCreateExchange = new Object[]{_exchangeName,_exchangeType}; - assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); - _perms.grant(Permission.CREATEEXCHANGE, createArgsCreateExchange); - - Object[] authArgsPublish = new Object[]{_exchange, _routingKey}; - Object[] authArgsConsume = new Object[]{_queue}; - Object[] authArgsCreateQueue = new Object[]{_autoDelete, _queueName}; - QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments); - Object[] authArgsBind = new Object[]{bind, _exchange, _queue, _routingKey}; - - assertEquals("Exchange creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); - assertEquals("Publish was not denied", AuthzResult.DENIED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); - assertEquals("Consume creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CONSUME, authArgsConsume)); - assertEquals("Queue creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); - //BIND pre-grant authorise check disabled due to QPID-1597 - //assertEquals("Binding creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.BIND, authArgsBind)); - - _perms.grant(Permission.ACCESS); - - assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); - assertEquals("Publish was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); - assertEquals("Consume creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authArgsConsume)); - assertEquals("Queue creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); - assertEquals("Binding creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.BIND, authArgsBind)); - } - - /** - * If the consume permission for temporary queues is for an unnamed queue then is should - * be global for any temporary queue but not for any non-temporary queue - */ - public void testTemporaryUnnamedQueueConsume() - { - Object[] authNonTempQArgs = new Object[]{_queue}; - Object[] authTempQArgs = new Object[]{_temporaryQueue}; - Object[] grantArgs = new Object[]{true}; - - _perms.grant(Permission.CONSUME, grantArgs); - - //Next line shows up bug - non temp queue should be denied - assertEquals(AuthzResult.DENIED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); - } - - /** - * Test that temporary queue permissions before queue perms in the ACL config work correctly - */ - public void testTemporaryQueueFirstConsume() - { - Object[] authNonTempQArgs = new Object[]{_queue}; - Object[] authTempQArgs = new Object[]{_temporaryQueue}; - Object[] grantArgs = new Object[]{true}; - Object[] grantNonTempQArgs = new Object[]{_queueName, _ownQueue}; - - //should not matter if the temporary permission is processed first or last - _perms.grant(Permission.CONSUME, grantNonTempQArgs); - _perms.grant(Permission.CONSUME, grantArgs); - - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); - } - - /** - * Test that temporary queue permissions after queue perms in the ACL config work correctly - */ - public void testTemporaryQueueLastConsume() - { - Object[] authNonTempQArgs = new Object[]{_queue}; - Object[] authTempQArgs = new Object[]{_temporaryQueue}; - Object[] grantArgs = new Object[]{true}; - Object[] grantNonTempQArgs = new Object[]{_queueName, _ownQueue}; - - //should not matter if the temporary permission is processed first or last - _perms.grant(Permission.CONSUME, grantArgs); - _perms.grant(Permission.CONSUME, grantNonTempQArgs); - - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authNonTempQArgs)); - assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authTempQArgs)); - } - -} diff --git a/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java b/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java index fc9b07eadd..ee2938f2fe 100644 --- a/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java +++ b/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java @@ -88,13 +88,8 @@ public class SimpleACLTest extends AbstractACLTestCase try { //get a connection to the 'test2' vhost using the guest user and perform various actions. - Connection conn = getConnection(new AMQConnectionURL( - "amqp://username:password@clientid/test2?brokerlist='" + getBroker() + "'")); - - ((AMQConnection) conn).setConnectionListener(this); - - Session sesh = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - + Connection conn = getConnection("test2", "guest", "guest"); + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); conn.start(); //create Queues and consumers for each |