NO-JIRA: Merge changes from trunk.

Command was: svn merge https://svn.apache.org/repos/asf/qpid/trunk git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/java-broker-bdb-ha2@1581428 13f79535-47bb-0310-9956-ffa450edef68
author: Keith Wall <kwall@apache.org> 2014-03-25 17:54:10 +0000
committer: Keith Wall <kwall@apache.org> 2014-03-25 17:54:10 +0000
commit: cd6130384dc5f27ad494eabf8a2b15ca79280aa1 (patch)
tree: 77d7b1f0ced2cea6b031327fcb5c8143d763cf9d /qpid/java/broker-plugins/access-control/src/test
parent: fcc3f654b60b7dd2180afe73e8809545725b41af (diff)
parent: 809061e0024b74f89afdeff8ba83d6514589f417 (diff)
download: qpid-python-cd6130384dc5f27ad494eabf8a2b15ca79280aa1.tar.gz
2 files changed, 104 insertions, 17 deletions
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java
index 3a36ddef2c..072bd6a87f 100644
--- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java
@@ -20,7 +20,9 @@
  */
 package org.apache.qpid.server.security.access.plugins;
 
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
@@ -181,7 +183,7 @@ public class DefaultAccessControlTest extends TestCase
         final RuleSet rs = new RuleSet(mock(EventLoggerProvider.class));
 
         // grant user4 access right on any method in any component
-        rs.grant(1, "user4", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, new ObjectProperties(ObjectProperties.STAR));
+        rs.grant(1, "user4", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, new ObjectProperties(ObjectProperties.WILD_CARD));
         configureAccessControl(rs);
         Subject.doAs(TestPrincipalUtils.createTestSubject("user4"), new PrivilegedAction<Object>()
         {
@@ -207,7 +209,7 @@ public class DefaultAccessControlTest extends TestCase
         final RuleSet rs = new RuleSet(mock(EventLoggerProvider.class));
 
         // grant user5 access right on any methods in "Test" component
-        ObjectProperties ruleProperties = new ObjectProperties(ObjectProperties.STAR);
+        ObjectProperties ruleProperties = new ObjectProperties(ObjectProperties.WILD_CARD);
         ruleProperties.put(ObjectProperties.Property.COMPONENT, "Test");
         rs.grant(1, "user5", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, ruleProperties);
         configureAccessControl(rs);
@@ -234,6 +236,7 @@ public class DefaultAccessControlTest extends TestCase
     public void testAccess() throws Exception
     {
         final Subject subject = TestPrincipalUtils.createTestSubject("user1");
+        final String testVirtualHost = getName();
         final InetAddress inetAddress = InetAddress.getLocalHost();
         final InetSocketAddress inetSocketAddress = new InetSocketAddress(inetAddress, 1);
 
@@ -249,13 +252,12 @@ public class DefaultAccessControlTest extends TestCase
             {
                 RuleSet mockRuleSet = mock(RuleSet.class);
 
-
-
                 DefaultAccessControl accessControl = new DefaultAccessControl(mockRuleSet);
 
-                accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
+                ObjectProperties properties = new ObjectProperties(testVirtualHost);
+                accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, properties);
 
-                verify(mockRuleSet).check(subject, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY, inetAddress);
+                verify(mockRuleSet).check(subject, Operation.ACCESS, ObjectType.VIRTUALHOST, properties, inetAddress);
                 return null;
             }
         });
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java
index caf9b2fb61..32037807cd 100644
--- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java
+++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java
@@ -21,24 +21,26 @@
 
 package org.apache.qpid.server.security.access.plugins;
 
-import java.security.Principal;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 import javax.security.auth.Subject;
 
-import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.exchange.ExchangeImpl;
 import org.apache.qpid.server.logging.EventLoggerProvider;
+import org.apache.qpid.server.model.VirtualHost;
+import org.apache.qpid.server.queue.AMQQueue;
 import org.apache.qpid.server.security.Result;
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.access.Permission;
+import org.apache.qpid.server.security.access.ObjectProperties.Property;
 import org.apache.qpid.server.security.access.config.Rule;
 import org.apache.qpid.server.security.access.config.RuleSet;
 import org.apache.qpid.server.security.auth.TestPrincipalUtils;
 import org.apache.qpid.test.utils.QpidTestCase;
 
-import static org.mockito.Mockito.mock;
-
 /**
  * This test checks that the {@link RuleSet} object which forms the core of the access control plugin performs correctly.
  *
@@ -51,6 +53,9 @@ import static org.mockito.Mockito.mock;
  */
 public class RuleSetTest extends QpidTestCase
 {
+    private static final String DENIED_VH = "deniedVH";
+    private static final String ALLOWED_VH = "allowedVH";
+
     private RuleSet _ruleSet; // Object under test
 
     private static final String TEST_USER = "user";
@@ -60,6 +65,8 @@ public class RuleSetTest extends QpidTestCase
     private String _exchangeName = "amq.direct";
     private String _exchangeType = "direct";
     private Subject _testSubject = TestPrincipalUtils.createTestSubject(TEST_USER);
+    private AMQQueue<?> _queue;
+    private VirtualHost<?> _virtualHost;
 
     @Override
     public void setUp() throws Exception
@@ -67,6 +74,11 @@ public class RuleSetTest extends QpidTestCase
         super.setUp();
 
         _ruleSet = new RuleSet(mock(EventLoggerProvider.class));
+
+        _virtualHost = mock(VirtualHost.class);
+        _queue = mock(AMQQueue.class);
+        when(_queue.getName()).thenReturn(_queueName);
+        when(_queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
     }
 
     @Override
@@ -83,10 +95,8 @@ public class RuleSetTest extends QpidTestCase
 
     public void assertDenyGrantAllow(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
     {
-        final Principal identity = subject.getPrincipals().iterator().next();
-
         assertEquals(Result.DENIED, _ruleSet.check(subject, operation, objectType, properties));
-        _ruleSet.grant(0, identity.getName(), Permission.ALLOW, operation, objectType, properties);
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, operation, objectType, properties);
         assertEquals(1, _ruleSet.getRuleCount());
         assertEquals(Result.ALLOWED, _ruleSet.check(subject, operation, objectType, properties));
     }
@@ -98,17 +108,77 @@ public class RuleSetTest extends QpidTestCase
         assertEquals(_ruleSet.getDefault(), _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY));
     }
 
-    public void testVirtualHostAccess() throws Exception
+    public void testVirtualHostAccessAllowPermissionWithVirtualHostName() throws Exception
     {
-        assertDenyGrantAllow(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST);
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH));
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
     }
 
+    public void testVirtualHostAccessAllowPermissionWithNameSetToWildCard() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ObjectProperties.WILD_CARD));
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+    public void testVirtualHostAccessAllowPermissionWithNoName() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+    public void testVirtualHostAccessDenyPermissionWithNoName() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
+        assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+    public void testVirtualHostAccessDenyPermissionWithNameSetToWildCard() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ObjectProperties.WILD_CARD));
+        assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+    public void testVirtualHostAccessAllowDenyPermissions() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH));
+        _ruleSet.grant(1, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH));
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)));
+        assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+    public void testVirtualHostAccessAllowPermissionWithVirtualHostNameOtherPredicate() throws Exception
+    {
+        ObjectProperties properties = new ObjectProperties();
+        properties.put(Property.VIRTUALHOST_NAME, ALLOWED_VH);
+
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, properties);
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, properties));
+        assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));
+    }
+
+
     public void testQueueCreateNamed() throws Exception
     {
         assertDenyGrantAllow(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queueName));
     }
 
-    public void testQueueCreatenamedNullRoutingKey()
+    public void testQueueCreateNamedVirtualHost() throws Exception
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(Property.VIRTUALHOST_NAME, ALLOWED_VH));
+
+        when(_virtualHost.getName()).thenReturn(ALLOWED_VH);
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queue)));
+
+        when(_virtualHost.getName()).thenReturn(DENIED_VH);
+        assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queue)));
+    }
+
+    public void testQueueCreateNamedNullRoutingKey()
     {
         ObjectProperties properties = new ObjectProperties(_queueName);
         properties.put(ObjectProperties.Property.ROUTING_KEY, (String) null);
@@ -116,6 +186,21 @@ public class RuleSetTest extends QpidTestCase
         assertDenyGrantAllow(_testSubject, Operation.CREATE, ObjectType.QUEUE, properties);
     }
 
+    public void testExchangeCreateNamedVirtualHost()
+    {
+        _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(Property.VIRTUALHOST_NAME, ALLOWED_VH));
+
+        ExchangeImpl<?> exchange = mock(ExchangeImpl.class);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+        when(exchange.getTypeName()).thenReturn(_exchangeType);
+        when(_virtualHost.getName()).thenReturn(ALLOWED_VH);
+
+        assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(exchange)));
+
+        when(_virtualHost.getName()).thenReturn(DENIED_VH);
+        assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(exchange)));
+    }
+
     public void testExchangeCreate()
     {
         ObjectProperties properties = new ObjectProperties(_exchangeName);
author	Keith Wall <kwall@apache.org>	2014-03-25 17:54:10 +0000
committer	Keith Wall <kwall@apache.org>	2014-03-25 17:54:10 +0000
commit	cd6130384dc5f27ad494eabf8a2b15ca79280aa1 (patch)
tree	77d7b1f0ced2cea6b031327fcb5c8143d763cf9d /qpid/java/broker-plugins/access-control/src/test
parent	fcc3f654b60b7dd2180afe73e8809545725b41af (diff)
parent	809061e0024b74f89afdeff8ba83d6514589f417 (diff)
download	qpid-python-cd6130384dc5f27ad494eabf8a2b15ca79280aa1.tar.gz