authorRobert Gemmell <robbie@apache.org>2010-06-17 15:32:12 +0000
committerRobert Gemmell <robbie@apache.org>2010-06-17 15:32:12 +0000
commit02a9968ed318e240a8865f7ade91aa9dc5cf9f0f (patch)
tree9dfff4a2ddfd828129102325b3fc228465ff796e /qpid/java/broker-plugins/access-control/src/main
parent3a720a9bb841f97f3684543827e79ba1a79c9b58 (diff)
QPID-2654: Add Actor logging to the ACL plugin
Applied patch from Andrew Kennedy <andrew.international@gmail.com> git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@955642 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins/access-control/src/main')
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java34
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties28
-rw-r--r--qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java3
3 files changed, 54 insertions, 11 deletions
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index 3c471f2f55..ebc73440ed 100644
--- a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -33,11 +33,13 @@ import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.qpid.exchange.ExchangeDefaults;
+import org.apache.qpid.server.logging.actors.CurrentActor;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.access.Permission;
+import org.apache.qpid.server.security.access.logging.AccessControlMessages;
/**
* Models the rule configuration for the access control plugin.
@@ -183,6 +185,20 @@ public class RuleSet
}
return false;
}
+
+ private Permission noLog(Permission permission)
+ {
+ switch (permission)
+ {
+ case ALLOW:
+ case ALLOW_LOG:
+ return Permission.ALLOW;
+ case DENY:
+ case DENY_LOG:
+ default:
+ return Permission.DENY;
+ }
+ }
// TODO make this work when group membership is not known at file parse time
public void addRule(Integer number, String identity, Permission permission, Action action)
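Review bot: The new `noLog` helper has no comment, so nothing explains why the logging flag is dropped or that the `default:` branch is meant to fail closed. I would add a Javadoc such as `/** Strips the logging flag for rules derived from an explicit rule; any unrecognised value maps to DENY. */` and a short `// fail closed` comment on the `default:` label. Note also that `switch (permission)` throws a NullPointerException for a null permission; whether `addRule` can be called with null is not visible in this hunk.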
@@ -201,7 +217,7 @@ public class RuleSet
{
if (action.getOperation() == Operation.CREATE && action.getObjectType() == ObjectType.TOPIC)
{
- addRule(null, identity, permission, new Action(Operation.BIND, ObjectType.EXCHANGE,
+ addRule(null, identity, noLog(permission), new Action(Operation.BIND, ObjectType.EXCHANGE,
new ObjectProperties("amq.topic", action.getProperties().get(ObjectProperties.Property.NAME))));
ObjectProperties topicProperties = new ObjectProperties();
topicProperties.put(ObjectProperties.Property.DURABLE, true);
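Review bot: Wrapping the derived rule in `noLog(permission)` means a request that is rejected only by a rule derived from a `DENY_LOG` entry produces no ACL-1002 message, which leaves a gap in the audit trail for denied operations. The same applies to the derived rules in the later hunks (the UNBIND on `amq.topic`, the default-exchange BIND/UNBIND, the auto-delete queue DELETE and the virtual-host ACCESS rule). If the aim is only to avoid duplicate "Allowed" entries for one client operation, consider stripping the flag for `ALLOW_LOG` alone and keeping `DENY_LOG` on derived rules; if silent denial is intended, a comment at these call sites should say so. The enclosing `addRule` body starts and ends outside this hunk.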
@@ -210,7 +226,7 @@ public class RuleSet
}
if (action.getOperation() == Operation.DELETE && action.getObjectType() == ObjectType.TOPIC)
{
- addRule(null, identity, permission, new Action(Operation.UNBIND, ObjectType.EXCHANGE,
+ addRule(null, identity, noLog(permission), new Action(Operation.UNBIND, ObjectType.EXCHANGE,
new ObjectProperties("amq.topic", action.getProperties().get(ObjectProperties.Property.NAME))));
ObjectProperties topicProperties = new ObjectProperties();
topicProperties.put(ObjectProperties.Property.DURABLE, true);
@@ -227,10 +243,10 @@ public class RuleSet
ObjectProperties exchProperties = new ObjectProperties(action.getProperties());
exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
exchProperties.put(ObjectProperties.Property.ROUTING_KEY, action.getProperties().get(ObjectProperties.Property.NAME));
- addRule(null, identity, permission, new Action(Operation.BIND, ObjectType.EXCHANGE, exchProperties));
+ addRule(null, identity, noLog(permission), new Action(Operation.BIND, ObjectType.EXCHANGE, exchProperties));
if (action.getProperties().isSet(ObjectProperties.Property.AUTO_DELETE))
{
- addRule(null, identity, permission, new Action(Operation.DELETE, ObjectType.QUEUE, action.getProperties()));
+ addRule(null, identity, noLog(permission), new Action(Operation.DELETE, ObjectType.QUEUE, action.getProperties()));
}
}
else if (action.getOperation() == Operation.DELETE && action.getObjectType() == ObjectType.QUEUE)
@@ -238,11 +254,11 @@ public class RuleSet
ObjectProperties exchProperties = new ObjectProperties(action.getProperties());
exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
exchProperties.put(ObjectProperties.Property.ROUTING_KEY, action.getProperties().get(ObjectProperties.Property.NAME));
- addRule(null, identity, permission, new Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
+ addRule(null, identity, noLog(permission), new Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
}
else if (action.getOperation() != Operation.ACCESS && action.getObjectType() != ObjectType.VIRTUALHOST)
{
- addRule(null, identity, permission, new Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
+ addRule(null, identity, noLog(permission), new Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
}
}
@@ -409,11 +425,13 @@ public class RuleSet
switch (permission)
{
case ALLOW_LOG:
- _logger.info("ALLOWED " + action);
+ CurrentActor.get().message(AccessControlMessages.ALLOWED(
+ action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
case ALLOW:
return Result.ALLOWED;
case DENY_LOG:
- _logger.info("DENIED " + action);
+ CurrentActor.get().message(AccessControlMessages.DENIED(
+ action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
case DENY:
return Result.DENIED;
}
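Review bot: The replacement log calls dereference `CurrentActor.get()`, `action.getOperation()`, `action.getObjectType()` and `action.getProperties()` before control falls through to the `return`, so an exception in logging would escape the permission check instead of yielding a `Result`. The removed `"ALLOWED " + action` concatenation was null-safe at this level; if any of those getters can return null, `String.valueOf(action.getProperties())` keeps the decision independent of the log call. The fall-through from `ALLOW_LOG` to `ALLOW` and from `DENY_LOG` to `DENY` deserves an explicit `// fall through` comment. The property values look client-influenced (queue names, routing keys), so it is worth confirming that line breaks in them cannot split a log record. The enclosing switch sits in a method whose start is outside the hunk.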
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
new file mode 100644
index 0000000000..bf80df3722
--- /dev/null
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# org.apache.qpid.server.security.access.logging.AccessControl
+
+# Access Control logging message i18n strings.
+
+# 'accept-log' rule message
+ALLOWED = ACL-1001 : Allowed : {0} {1} {2}
+
+# 'deny-log' rule message
+DENIED = ACL-1002 : Denied : {0} {1} {2} \ No newline at end of file
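Review bot: The comment `# 'accept-log' rule message` does not match the permission name used in RuleSet, which is `ALLOW_LOG`; `# 'allow-log' rule message` would be consistent with the `'deny-log'` comment below it. Both messages carry only operation, object type and properties, so the record identifies the requesting user only if the actor prefix supplies it, which is not visible here; a short comment stating where the identity comes from would help anyone writing detections against ACL-1001/ACL-1002. The file also ends without a trailing newline.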
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
index e6e0059902..69cfa173bd 100644
--- a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
+++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
@@ -20,7 +20,6 @@
*/
package org.apache.qpid.server.security.access.plugins;
-import java.io.File;
import java.security.Principal;
import org.apache.commons.configuration.ConfigurationException;
@@ -33,8 +32,6 @@ import org.apache.qpid.server.security.SecurityPluginFactory;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.access.config.ConfigurationFile;
-import org.apache.qpid.server.security.access.config.PlainConfiguration;
import org.apache.qpid.server.security.access.config.RuleSet;
/**