diff options
| author | Robert Godfrey <rgodfrey@apache.org> | 2014-04-04 22:34:26 +0000 |
|---|---|---|
| committer | Robert Godfrey <rgodfrey@apache.org> | 2014-04-04 22:34:26 +0000 |
| commit | 7344c8879c319c4ca6ab57963e6147d878a4e154 (patch) | |
| tree | 230bbd0d3b9aa28b0a6298ae5156a40c996ddcdb /qpid/java/broker-plugins/access-control/src | |
| parent | db86d03af2ce0f704398c2a9392e91e9637154ec (diff) | |
| download | qpid-python-7344c8879c319c4ca6ab57963e6147d878a4e154.tar.gz | |
QPID-5615 : [Java Broker] Migrate broker config store to use same API as VirtualHost config store
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1584931 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins/access-control/src')
6 files changed, 344 insertions, 93 deletions
diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java new file mode 100644 index 0000000000..7772925382 --- /dev/null +++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProvider.java @@ -0,0 +1,245 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import java.security.AccessControlException; +import java.util.Collection; +import java.util.Collections; +import java.util.Map; +import java.util.concurrent.atomic.AtomicReference; + +import org.apache.log4j.Logger; +import org.apache.qpid.server.model.*; +import org.apache.qpid.server.model.AbstractConfiguredObject; +import org.apache.qpid.server.plugin.AccessControlProviderFactory; +import org.apache.qpid.server.security.AccessControl; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.server.util.MapValueConverter; + +@ManagedObject( category = false, type="AclFile" ) +public class ACLFileAccessControlProvider + extends AbstractConfiguredObject<ACLFileAccessControlProvider> + implements AccessControlProvider<ACLFileAccessControlProvider> +{ + private static final Logger LOGGER = Logger.getLogger(ACLFileAccessControlProvider.class); + + protected DefaultAccessControl _accessControl; + protected final Broker _broker; + + protected Map<String, AccessControlProviderFactory> _factories; + private AtomicReference<State> _state; + + @ManagedAttributeField + private String _path; + + @ManagedAttributeField + private String _type; + + public ACLFileAccessControlProvider(Broker broker, + Map<String, Object> attributes) + { + super(Collections.<Class<? extends ConfiguredObject>,ConfiguredObject<?>>singletonMap(Broker.class, broker), + Collections.<String,Object>emptyMap(), attributes, broker.getTaskExecutor()); + + + _accessControl = new DefaultAccessControl(getPath(), broker); + _broker = broker; + + State state = MapValueConverter.getEnumAttribute(State.class, STATE, attributes, State.INITIALISING); + _state = new AtomicReference<State>(state); + + } + + @ManagedAttribute( automate = true, mandatory = true ) + public String getPath() + { + return _path; + } + + @ManagedAttribute( automate = true ) + public String getType() + { + return _type; + } + + @Override + public String setName(String currentName, String desiredName) throws IllegalStateException, AccessControlException + { + return null; + } + + @Override + public State getState() + { + return _state.get(); + } + + @Override + public boolean isDurable() + { + return true; + } + + @Override + public void setDurable(boolean durable) + throws IllegalStateException, AccessControlException, IllegalArgumentException + { + } + + @Override + public LifetimePolicy getLifetimePolicy() + { + return LifetimePolicy.PERMANENT; + } + + @Override + public LifetimePolicy setLifetimePolicy(LifetimePolicy expected, LifetimePolicy desired) + throws IllegalStateException, AccessControlException, IllegalArgumentException + { + return null; + } + + @Override + public Collection<String> getAttributeNames() + { + return getAttributeNames(getClass()); + } + + @Override + public Object getAttribute(String name) + { + if(DURABLE.equals(name)) + { + return true; + } + else if(LIFETIME_POLICY.equals(name)) + { + return LifetimePolicy.PERMANENT; + } + else if(STATE.equals(name)) + { + return getState(); + } + return super.getAttribute(name); + } + + @Override + public <C extends ConfiguredObject> Collection<C> getChildren(Class<C> clazz) + { + return Collections.emptySet(); + } + + @Override + public boolean setState(State currentState, State desiredState) + throws IllegalStateTransitionException, AccessControlException + { + State state = _state.get(); + + if(desiredState == State.DELETED) + { + return _state.compareAndSet(state, State.DELETED); + } + else if (desiredState == State.QUIESCED) + { + return _state.compareAndSet(state, State.QUIESCED); + } + else if(desiredState == State.ACTIVE) + { + if ((state == State.INITIALISING || state == State.QUIESCED) && _state.compareAndSet(state, State.ACTIVE)) + { + try + { + _accessControl.open(); + return true; + } + catch(RuntimeException e) + { + _state.compareAndSet(State.ACTIVE, State.ERRORED); + if (_broker.isManagementMode()) + { + LOGGER.warn("Failed to activate ACL provider: " + getName(), e); + } + else + { + throw e; + } + } + } + else + { + throw new IllegalStateException("Can't activate access control provider in " + state + " state"); + } + } + else if(desiredState == State.STOPPED) + { + if(_state.compareAndSet(state, State.STOPPED)) + { + _accessControl.close(); + return true; + } + + return false; + } + return false; + } + + + @Override + protected void changeAttributes(Map<String, Object> attributes) + { + throw new UnsupportedOperationException("Changing attributes on AccessControlProvider is not supported"); + } + + @Override + protected void authoriseSetDesiredState(State currentState, State desiredState) throws AccessControlException + { + if(desiredState == State.DELETED) + { + if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.DELETE)) + { + throw new AccessControlException("Deletion of AccessControlProvider is denied"); + } + } + } + + @Override + protected void authoriseSetAttribute(String name, Object expected, Object desired) throws AccessControlException + { + if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.UPDATE)) + { + throw new AccessControlException("Setting of AccessControlProvider attributes is denied"); + } + } + + @Override + protected void authoriseSetAttributes(Map<String, Object> attributes) throws AccessControlException + { + if (!_broker.getSecurityManager().authoriseConfiguringBroker(getName(), AccessControlProvider.class, Operation.UPDATE)) + { + throw new AccessControlException("Setting of AccessControlProvider attributes is denied"); + } + } + + public AccessControl getAccessControl() + { + return _accessControl; + } +} diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java new file mode 100644 index 0000000000..e9de449804 --- /dev/null +++ b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactory.java @@ -0,0 +1,53 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.plugins; + +import org.apache.qpid.server.model.AbstractConfiguredObjectTypeFactory; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.ConfiguredObject; +import org.apache.qpid.server.plugin.AccessControlProviderFactory; +import org.apache.qpid.server.util.ResourceBundleLoader; + +import java.util.Map; + +public class ACLFileAccessControlProviderFactory extends AbstractConfiguredObjectTypeFactory<ACLFileAccessControlProvider> implements AccessControlProviderFactory<ACLFileAccessControlProvider> +{ + public static final String RESOURCE_BUNDLE = "org.apache.qpid.server.security.access.plugins.FileAccessControlProviderAttributeDescriptions"; + + public ACLFileAccessControlProviderFactory() + { + super(ACLFileAccessControlProvider.class); + } + + @Override + public Map<String, String> getAttributeDescriptions() + { + return ResourceBundleLoader.getResources(RESOURCE_BUNDLE); + } + + @Override + public ACLFileAccessControlProvider createInstance(final Map<String, Object> attributes, + final ConfiguredObject<?>... parents) + { + return new ACLFileAccessControlProvider(getParent(Broker.class,parents), attributes); + } + +} diff --git a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlFactory.java b/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlFactory.java deleted file mode 100644 index 0d4734df88..0000000000 --- a/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlFactory.java +++ /dev/null @@ -1,81 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.server.security.access.plugins; - -import static org.apache.qpid.server.security.access.FileAccessControlProviderConstants.ACL_FILE_PROVIDER_TYPE; -import static org.apache.qpid.server.security.access.FileAccessControlProviderConstants.PATH; -import static org.apache.qpid.server.util.MapValueConverter.getStringAttribute; - -import java.util.Arrays; -import java.util.Collection; -import java.util.Collections; -import java.util.Map; - -import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.logging.EventLogger; -import org.apache.qpid.server.logging.EventLoggerProvider; -import org.apache.qpid.server.plugin.AccessControlFactory; -import org.apache.qpid.server.security.AccessControl; -import org.apache.qpid.server.util.ResourceBundleLoader; - -public class DefaultAccessControlFactory implements AccessControlFactory -{ - public static final String RESOURCE_BUNDLE = "org.apache.qpid.server.security.access.plugins.FileAccessControlProviderAttributeDescriptions"; - - public static final Collection<String> ATTRIBUTES = Collections.<String> unmodifiableList(Arrays.asList( - ATTRIBUTE_TYPE, - PATH - )); - - public AccessControl createInstance(Map<String, Object> attributes, final EventLoggerProvider eventLogger) - { - if(attributes == null || !ACL_FILE_PROVIDER_TYPE.equals(attributes.get(ATTRIBUTE_TYPE))) - { - return null; - } - - String path = getStringAttribute(PATH, attributes, null); - if (path == null || "".equals(path.trim())) - { - throw new IllegalConfigurationException("Path to ACL was not specified!"); - } - - return new DefaultAccessControl(path, eventLogger); - } - - @Override - public String getType() - { - return ACL_FILE_PROVIDER_TYPE; - } - - @Override - public Collection<String> getAttributeNames() - { - return ATTRIBUTES; - } - - @Override - public Map<String, String> getAttributeDescriptions() - { - return ResourceBundleLoader.getResources(RESOURCE_BUNDLE); - } -} diff --git a/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.AccessControlFactory b/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.AccessControlProviderFactory index b6c429baab..2c5a643ab1 100644 --- a/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.AccessControlFactory +++ b/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.AccessControlProviderFactory @@ -16,4 +16,4 @@ # specific language governing permissions and limitations # under the License. # -org.apache.qpid.server.security.access.plugins.DefaultAccessControlFactory +org.apache.qpid.server.security.access.plugins.ACLFileAccessControlProviderFactory diff --git a/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.ConfiguredObjectTypeFactory b/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.ConfiguredObjectTypeFactory new file mode 100644 index 0000000000..2c5a643ab1 --- /dev/null +++ b/qpid/java/broker-plugins/access-control/src/main/resources/META-INF/services/org.apache.qpid.server.plugin.ConfiguredObjectTypeFactory @@ -0,0 +1,19 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +org.apache.qpid.server.security.access.plugins.ACLFileAccessControlProviderFactory diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlFactoryTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactoryTest.java index c4c36df6d9..102cfb4be1 100644 --- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlFactoryTest.java +++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderFactoryTest.java @@ -23,11 +23,13 @@ package org.apache.qpid.server.security.access.plugins; import java.io.File; import java.util.HashMap; import java.util.Map; +import java.util.UUID; import java.util.regex.Pattern; import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.logging.EventLoggerProvider; +import org.apache.qpid.server.model.AccessControlProvider; +import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.GroupProvider; import org.apache.qpid.server.security.AccessControl; import org.apache.qpid.server.security.access.FileAccessControlProviderConstants; @@ -36,25 +38,36 @@ import org.apache.qpid.test.utils.TestFileUtils; import static org.mockito.Mockito.mock; -public class DefaultAccessControlFactoryTest extends QpidTestCase +public class ACLFileAccessControlProviderFactoryTest extends QpidTestCase { public void testCreateInstanceWhenAclFileIsNotPresent() { - DefaultAccessControlFactory factory = new DefaultAccessControlFactory(); + ACLFileAccessControlProviderFactory factory = new ACLFileAccessControlProviderFactory(); Map<String, Object> attributes = new HashMap<String, Object>(); - AccessControl acl = factory.createInstance(attributes, mock(EventLoggerProvider.class)); - assertNull("ACL was created without a configuration file", acl); + attributes.put(AccessControlProvider.ID, UUID.randomUUID()); + attributes.put(AccessControlProvider.NAME, "acl"); + try + { + AccessControlProvider acl = factory.create(attributes, mock(Broker.class)); + fail("ACL was created without a configuration file path specified"); + } + catch(IllegalArgumentException e) + { + // pass + } } public void testCreateInstanceWhenAclFileIsSpecified() { File aclFile = TestFileUtils.createTempFile(this, ".acl", "ACL ALLOW all all"); - DefaultAccessControlFactory factory = new DefaultAccessControlFactory(); + ACLFileAccessControlProviderFactory factory = new ACLFileAccessControlProviderFactory(); Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(AccessControlProvider.ID, UUID.randomUUID()); + attributes.put(AccessControlProvider.NAME, "acl"); attributes.put(GroupProvider.TYPE, FileAccessControlProviderConstants.ACL_FILE_PROVIDER_TYPE); attributes.put(FileAccessControlProviderConstants.PATH, aclFile.getAbsolutePath()); - AccessControl acl = factory.createInstance(attributes, mock(EventLoggerProvider.class)); - acl.open(); + AccessControlProvider acl = factory.create(attributes, mock(Broker.class)); + acl.getAccessControl().open(); assertNotNull("ACL was not created from acl file: " + aclFile.getAbsolutePath(), acl); } @@ -63,14 +76,16 @@ public class DefaultAccessControlFactoryTest extends QpidTestCase { File aclFile = new File(TMP_FOLDER, "my-non-existing-acl-" + System.currentTimeMillis()); assertFalse("ACL file " + aclFile.getAbsolutePath() + " actually exists but should not", aclFile.exists()); - DefaultAccessControlFactory factory = new DefaultAccessControlFactory(); + ACLFileAccessControlProviderFactory factory = new ACLFileAccessControlProviderFactory(); Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(AccessControlProvider.ID, UUID.randomUUID()); + attributes.put(AccessControlProvider.NAME, "acl"); attributes.put(GroupProvider.TYPE, FileAccessControlProviderConstants.ACL_FILE_PROVIDER_TYPE); attributes.put(FileAccessControlProviderConstants.PATH, aclFile.getAbsolutePath()); try { - AccessControl control = factory.createInstance(attributes, mock(EventLoggerProvider.class)); - control.open(); + AccessControlProvider control = factory.create(attributes, mock(Broker.class)); + control.getAccessControl().open(); fail("It should not be possible to create and initialise ACL with non existing file"); } catch (IllegalConfigurationException e) |