| author | Keith Wall <kwall@apache.org> | 2014-03-21 17:16:34 +0000 |
|---|---|---|
| committer | Keith Wall <kwall@apache.org> | 2014-03-21 17:16:34 +0000 |
| commit | d77447d7230dd29d7dc9ee0575caf1997ec3a7a6 (patch) | |
| tree | a6e4dcfe2edf677b6c20bd361886edc6dfbf01d3 /qpid/java/broker-plugins/access-control/src | |
| parent | 801e80d3b2361375c357b2f33feaeae77b3f8a14 (diff) | |
| download | qpid-python-d77447d7230dd29d7dc9ee0575caf1997ec3a7a6.tar.gz | |
QPID-5634: [Java Broker] Remove support for AccessPlugins at the level of the virtualhost. Introduce support for ACL rules that include a virtualhost predicate.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1579986 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker-plugins/access-control/src')
2 files changed, 104 insertions, 17 deletions
diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java index 74ea7639ff..72dadb736f 100644 --- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java +++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/DefaultAccessControlTest.java @@ -20,7 +20,9 @@ */ package org.apache.qpid.server.security.access.plugins; -import static org.mockito.Mockito.*; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; import java.net.InetAddress; import java.net.InetSocketAddress; @@ -182,7 +184,7 @@ public class DefaultAccessControlTest extends TestCase final RuleSet rs = new RuleSet(mock(EventLoggerProvider.class)); // grant user4 access right on any method in any component - rs.grant(1, "user4", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, new ObjectProperties(ObjectProperties.STAR)); + rs.grant(1, "user4", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, new ObjectProperties(ObjectProperties.WILD_CARD)); configureAccessControl(rs); Subject.doAs(TestPrincipalUtils.createTestSubject("user4"), new PrivilegedAction<Object>() { 
@@ -208,7 +210,7 @@ public class DefaultAccessControlTest extends TestCase final RuleSet rs = new RuleSet(mock(EventLoggerProvider.class)); // grant user5 access right on any methods in "Test" component - ObjectProperties ruleProperties = new ObjectProperties(ObjectProperties.STAR); + ObjectProperties ruleProperties = new ObjectProperties(ObjectProperties.WILD_CARD); ruleProperties.put(ObjectProperties.Property.COMPONENT, "Test"); rs.grant(1, "user5", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, ruleProperties); configureAccessControl(rs); @@ -235,6 +237,7 @@ public class DefaultAccessControlTest extends TestCase public void testAccess() throws Exception { final Subject subject = TestPrincipalUtils.createTestSubject("user1"); + final String testVirtualHost = getName(); final InetAddress inetAddress = InetAddress.getLocalHost(); final InetSocketAddress inetSocketAddress = new InetSocketAddress(inetAddress, 1); @@ -250,13 +253,12 @@ public class DefaultAccessControlTest extends TestCase { RuleSet mockRuleSet = mock(RuleSet.class); - - DefaultAccessControl accessControl = new DefaultAccessControl(mockRuleSet); - accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY); + ObjectProperties properties = new ObjectProperties(testVirtualHost); + accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, properties); - verify(mockRuleSet).check(subject, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY, inetAddress); + verify(mockRuleSet).check(subject, Operation.ACCESS, ObjectType.VIRTUALHOST, properties, inetAddress); return null; } }); diff --git a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java index caf9b2fb61..32037807cd 100644 
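Review bot: In the @@ -250 hunk the declaration `DefaultAccessControl accessControl = new DefaultAccessControl(mockRuleSet);` is removed, yet the new side still calls `accessControl.authorise(...)` and then verifies `mockRuleSet`, so `accessControl` must now come from the lines between the @@ -235 and @@ -250 hunks that are not shown here. Please confirm that whatever instance is in scope is constructed over the same `mockRuleSet` that `verify(mockRuleSet).check(...)` inspects; if it were built over a different rule set the test would fail for an unrelated reason (or pass without exercising the virtual-host properties). A one-line comment at the `authorise` call, `// accessControl is wired to mockRuleSet above; verify() below checks that the VH name reaches the rule set`, would make the dependency explicit. The enclosing `run()` and `testAccess()` both start outside this hunk.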
--- a/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java +++ b/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/RuleSetTest.java @@ -21,24 +21,26 @@ package org.apache.qpid.server.security.access.plugins; -import java.security.Principal; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; import javax.security.auth.Subject; -import org.apache.qpid.server.logging.EventLogger; +import org.apache.qpid.server.exchange.ExchangeImpl; import org.apache.qpid.server.logging.EventLoggerProvider; +import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.queue.AMQQueue; import org.apache.qpid.server.security.Result; import org.apache.qpid.server.security.access.ObjectProperties; import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.Permission; +import org.apache.qpid.server.security.access.ObjectProperties.Property; import org.apache.qpid.server.security.access.config.Rule; import org.apache.qpid.server.security.access.config.RuleSet; import org.apache.qpid.server.security.auth.TestPrincipalUtils; import org.apache.qpid.test.utils.QpidTestCase; -import static org.mockito.Mockito.mock; - /** * This test checks that the {@link RuleSet} object which forms the core of the access control plugin performs correctly. * @@ -51,6 +53,9 @@ import static org.mockito.Mockito.mock; */ public class RuleSetTest extends QpidTestCase { + private static final String DENIED_VH = "deniedVH"; + private static final String ALLOWED_VH = "allowedVH"; + private RuleSet _ruleSet; // Object under test private static final String TEST_USER = "user"; 
@@ -60,6 +65,8 @@ public class RuleSetTest extends QpidTestCase private String _exchangeName = "amq.direct"; private String _exchangeType = "direct"; private Subject _testSubject = TestPrincipalUtils.createTestSubject(TEST_USER); + private AMQQueue<?> _queue; + private VirtualHost<?> _virtualHost; @Override public void setUp() throws Exception @@ -67,6 +74,11 @@ public class RuleSetTest extends QpidTestCase super.setUp(); _ruleSet = new RuleSet(mock(EventLoggerProvider.class)); + + _virtualHost = mock(VirtualHost.class); + _queue = mock(AMQQueue.class); + when(_queue.getName()).thenReturn(_queueName); + when(_queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); } @Override @@ -83,10 +95,8 @@ public class RuleSetTest extends QpidTestCase public void assertDenyGrantAllow(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties) { - final Principal identity = subject.getPrincipals().iterator().next(); - assertEquals(Result.DENIED, _ruleSet.check(subject, operation, objectType, properties)); - _ruleSet.grant(0, identity.getName(), Permission.ALLOW, operation, objectType, properties); + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, operation, objectType, properties); assertEquals(1, _ruleSet.getRuleCount()); assertEquals(Result.ALLOWED, _ruleSet.check(subject, operation, objectType, properties)); } 
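Review bot: In the @@ -83 hunk `assertDenyGrantAllow` still takes a `Subject subject` parameter but now grants to the fixed `TEST_USER` instead of the principal name extracted from that subject, so a caller passing a subject for any other user would see the DENIED assertion pass, the grant go to the wrong identity, and the ALLOWED assertion fail for a misleading reason. Either document the precondition, `// grants to TEST_USER: the subject passed in must have been created for that user`, or guard it with `assertEquals(TEST_USER, subject.getPrincipals().iterator().next().getName());` at the top of the helper. Separately, in the @@ -67 hunk `setUp` stubs `_queue.getName()` and `_queue.getParent(VirtualHost.class)` but not `_virtualHost.getName()`, so any test that builds `new ObjectProperties(_queue)` without stubbing the name itself evaluates the rule against a null virtual-host name; a comment in `setUp` noting that each test sets the VH name would help.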
@@ -98,17 +108,77 @@ public class RuleSetTest extends QpidTestCase assertEquals(_ruleSet.getDefault(), _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY)); } - public void testVirtualHostAccess() throws Exception + public void testVirtualHostAccessAllowPermissionWithVirtualHostName() throws Exception { - assertDenyGrantAllow(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST); + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); } + public void testVirtualHostAccessAllowPermissionWithNameSetToWildCard() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ObjectProperties.WILD_CARD)); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); + } + + public void testVirtualHostAccessAllowPermissionWithNoName() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); + } + + public void testVirtualHostAccessDenyPermissionWithNoName() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, 
ObjectType.VIRTUALHOST, ObjectProperties.EMPTY); + assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); + } + + public void testVirtualHostAccessDenyPermissionWithNameSetToWildCard() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ObjectProperties.WILD_CARD)); + assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); + } + + public void testVirtualHostAccessAllowDenyPermissions() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)); + _ruleSet.grant(1, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH)); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ALLOWED_VH))); + assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH))); + } + + public void testVirtualHostAccessAllowPermissionWithVirtualHostNameOtherPredicate() throws Exception + { + ObjectProperties properties = new ObjectProperties(); + properties.put(Property.VIRTUALHOST_NAME, ALLOWED_VH); + + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, properties); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, properties)); + assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new 
ObjectProperties(DENIED_VH))); + } + + public void testQueueCreateNamed() throws Exception { assertDenyGrantAllow(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queueName)); } - public void testQueueCreatenamedNullRoutingKey() + public void testQueueCreateNamedVirtualHost() throws Exception + { + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(Property.VIRTUALHOST_NAME, ALLOWED_VH)); + + when(_virtualHost.getName()).thenReturn(ALLOWED_VH); + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queue))); + + when(_virtualHost.getName()).thenReturn(DENIED_VH); + assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(_queue))); + } + + public void testQueueCreateNamedNullRoutingKey() { ObjectProperties properties = new ObjectProperties(_queueName); properties.put(ObjectProperties.Property.ROUTING_KEY, (String) null); 
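Review bot: The new virtual-host tests in the @@ -98 hunk only check disjoint rules; none pins the precedence of a host-specific DENY against a later wildcard ALLOW, which is the combination an administrator writes to carve one host out of a broad grant. Assuming the numbered `grant` arguments give first-match order, a test such as `_ruleSet.grant(0, TEST_USER, Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH));` `_ruleSet.grant(1, TEST_USER, Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(ObjectProperties.WILD_CARD));` `assertEquals(Result.DENIED, _ruleSet.check(_testSubject, Operation.ACCESS, ObjectType.VIRTUALHOST, new ObjectProperties(DENIED_VH)));` would lock that in. The constant name `DENIED_VH` is also misleading in `testVirtualHostAccessAllowPermissionWithVirtualHostName` and `testVirtualHostAccessAllowPermissionWithVirtualHostNameOtherPredicate`, where the expected result for it is `Result.DEFER`, not `DENIED`; a comment like `// no rule matches this host, so the decision falls through to the default` on those assertions would prevent a reader from assuming a deny rule exists. Whether host-name matching is case-sensitive is likewise not pinned by any test here, and it affects how wide an ALLOW rule is. The hunk starts inside `testNoRulesDefault`-style code above `testVirtualHostAccessAllowPermissionWithVirtualHostName` and ends inside `testQueueCreateNamedNullRoutingKey`.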
@@ -116,6 +186,21 @@ public class RuleSetTest extends QpidTestCase assertDenyGrantAllow(_testSubject, Operation.CREATE, ObjectType.QUEUE, properties); } + public void testExchangeCreateNamedVirtualHost() + { + _ruleSet.grant(0, TEST_USER, Permission.ALLOW, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(Property.VIRTUALHOST_NAME, ALLOWED_VH)); + + ExchangeImpl<?> exchange = mock(ExchangeImpl.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); + when(exchange.getTypeName()).thenReturn(_exchangeType); + when(_virtualHost.getName()).thenReturn(ALLOWED_VH); + + assertEquals(Result.ALLOWED, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(exchange))); + + when(_virtualHost.getName()).thenReturn(DENIED_VH); + assertEquals(Result.DEFER, _ruleSet.check(_testSubject, Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(exchange))); + } + public void testExchangeCreate() { ObjectProperties properties = new ObjectProperties(_exchangeName); |
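Review bot: `testExchangeCreateNamedVirtualHost` stubs `exchange.getParent(VirtualHost.class)` and `exchange.getTypeName()` but not `exchange.getName()`, unlike the `_queue` mock in `setUp` which stubs `getName()`, so `new ObjectProperties(exchange)` presumably carries a null exchange name into the check. The rule granted here matches on `Property.VIRTUALHOST_NAME` only, so the test passes, but it would silently keep passing if the name predicate were ever added to the rule; adding `when(exchange.getName()).thenReturn(_exchangeName);` alongside the other stubs keeps the mock consistent with the queue fixture. The hunk ends inside `testExchangeCreate`, whose body continues outside it.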
