| author | Keith Wall <kwall@apache.org> | 2014-07-04 14:40:13 +0000 |
|---|---|---|
| committer | Keith Wall <kwall@apache.org> | 2014-07-04 14:40:13 +0000 |
| commit | fce3f24c6745e0def3cf98725a949dfca07b9a0d (patch) | |
| tree | 0d9c786584f21c57657f4600656e9d1726aee69f /qpid/java/systests/src | |
| parent | 67b6cafa1b23daa3edb36325e2e1c0970130106d (diff) | |
QPID-5873: [Java Broker] Allow ACL rules to be applied to VirtualHostNode objects
* ACL rules using the new operation VIRTUALHOSTNODE apply to VHN model objects.
* ACL rules using the operation VIRTUALHOST apply to VH model objects for CREATE, UPDATE and DELETE. This
is a change from the previous version, where BROKER operation permission was required.
* For HA, VIRTUALHOSTNODE permission is required to perform updates on RemoteReplicationNodes.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1607868 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/systests/src')
3 files changed, 301 insertions, 86 deletions
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java index a7874155df..8c4effd685 100644 --- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java +++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java @@ -27,7 +27,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import org.apache.qpid.server.virtualhostnode.JsonVirtualHostNode; import org.codehaus.jackson.JsonGenerationException; import org.codehaus.jackson.map.JsonMappingException; import org.apache.qpid.server.management.plugin.HttpManagement; @@ -45,7 +44,6 @@ import org.apache.qpid.server.model.adapter.FileBasedGroupProvider; import org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl; import org.apache.qpid.server.security.FileKeyStore; import org.apache.qpid.server.security.FileTrustStore; -import org.apache.qpid.server.model.VirtualHostNode; import org.apache.qpid.server.security.access.FileAccessControlProviderConstants; import org.apache.qpid.server.security.acl.AbstractACLTestCase; import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager; @@ -72,7 +70,7 @@ public class BrokerACLTest extends QpidRestTestCase "ACL DENY-LOG " + DENIED_USER + " CONFIGURE BROKER", "ACL DENY-LOG ALL ALL"); - _secondaryAclFileContent = + _secondaryAclFileContent = "ACL ALLOW-LOG ALL ACCESS MANAGEMENT\n" + "ACL ALLOW-LOG " + ALLOWED_USER + " CONFIGURE BROKER\n" + "ACL DENY-LOG " + DENIED_USER + " CONFIGURE BROKER\n" + 
@@ -190,58 +188,6 @@ public class BrokerACLTest extends QpidRestTestCase provider.get(ExternalFileBasedAuthenticationManager.PATH)); } - /* === VirtualHostNode === */ - - public void testCreateVirtualHostNodeAllowed() throws Exception - { - getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); - - String hostName = getTestName(); - - int responseCode = createVirtualHostNode(hostName); - assertEquals("Host creation should be allowed", 201, responseCode); - - assertVirtualHostNodeExists(hostName); - } - - public void testCreateVirtualHostNodeDenied() throws Exception - { - getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); - - String hostName = getTestName(); - - int responseCode = createVirtualHostNode(hostName); - assertEquals("Virtual host node creation should be denied", 403, responseCode); - - assertVirtualHostNodeDoesNotExist(hostName); - } - - public void testDeleteVirtualHostNodeAllowed() throws Exception - { - getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); - - assertVirtualHostNodeExists(TEST2_VIRTUALHOST); - - int responseCode = getRestTestHelper().submitRequest("virtualhostnode/" + TEST2_VIRTUALHOST, "DELETE"); - assertEquals("Virtual host node deletion should be allowed", 200, responseCode); - - assertVirtualHostNodeDoesNotExist(TEST2_VIRTUALHOST); - } - - public void testDeleteVirtualHostNodeDenied() throws Exception - { - getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); - - assertVirtualHostNodeExists(TEST2_VIRTUALHOST); - - getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); - - int responseCode = getRestTestHelper().submitRequest("virtualhostnode/" + TEST2_VIRTUALHOST, "DELETE"); - assertEquals("Virtual host node deletion should be denied", 403, responseCode); - - assertVirtualHostNodeExists(TEST2_VIRTUALHOST); - } - /* === Port === */ public void testCreatePortAllowed() throws Exception 
@@ -977,37 +923,6 @@ public class BrokerACLTest extends QpidRestTestCase assertEquals("Unexpected result", exists, !trustStores.isEmpty()); } - private int createVirtualHostNode(String virtualHostNodeName) throws Exception - { - Map<String, Object> data = new HashMap<String, Object>(); - data.put(VirtualHostNode.NAME, virtualHostNodeName); - data.put(VirtualHostNode.TYPE, getTestProfileVirtualHostNodeType()); - data.put(JsonVirtualHostNode.STORE_PATH, getStoreLocation(virtualHostNodeName)); - - return getRestTestHelper().submitRequest("virtualhostnode/" + virtualHostNodeName, "PUT", data); - } - - private void assertVirtualHostNodeDoesNotExist(String name) throws Exception - { - assertVirtualHostNodeExistence(name, false); - } - - private void assertVirtualHostNodeExists(String name) throws Exception - { - assertVirtualHostNodeExistence(name, true); - } - - private void assertVirtualHostNodeExistence(String name, boolean exists) throws Exception - { - List<Map<String, Object>> hosts = getRestTestHelper().getJsonAsList("virtualhostnode/" + name); - assertEquals("Node " + name + (exists ? " does not exist" : " exists" ), exists, !hosts.isEmpty()); - } - - private String getStoreLocation(String hostName) - { - return new File(TMP_FOLDER, "store-" + hostName + "-" + System.currentTimeMillis()).getAbsolutePath(); - } - private int createAuthenticationProvider(String authenticationProviderName) throws Exception { Map<String, Object> attributes = new HashMap<String, Object>(); diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostACLTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostACLTest.java new file mode 100644 index 0000000000..45123325e3 --- /dev/null +++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostACLTest.java 
@@ -0,0 +1,145 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.qpid.systest.rest.acl; + +import java.io.File; +import java.io.IOException; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletResponse; + +import org.apache.qpid.server.management.plugin.HttpManagement; +import org.apache.qpid.server.model.Plugin; +import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.model.VirtualHostNode; +import org.apache.qpid.server.security.acl.AbstractACLTestCase; +import org.apache.qpid.server.virtualhost.ProvidedStoreVirtualHostImpl; +import org.apache.qpid.server.virtualhostnode.JsonVirtualHostNode; +import org.apache.qpid.systest.rest.QpidRestTestCase; +import org.apache.qpid.test.utils.TestBrokerConfiguration; + +public class VirtualHostACLTest extends QpidRestTestCase +{ + private static final String VHN_WITHOUT_VH = "myVhnWithoutVh"; + + private static final String ALLOWED_USER = "user1"; + private static final String DENIED_USER = "user2"; + + @Override + protected void customizeConfiguration() throws IOException + { + super.customizeConfiguration(); + 
getRestTestHelper().configureTemporaryPasswordFile(this, ALLOWED_USER, DENIED_USER); + + AbstractACLTestCase.writeACLFileUtil(this, "ACL ALLOW-LOG ALL ACCESS MANAGEMENT", + "ACL ALLOW-LOG " + ALLOWED_USER + " ALL VIRTUALHOST", + "ACL DENY-LOG " + DENIED_USER + " ALL VIRTUALHOST", + "ACL DENY-LOG ALL ALL"); + + getBrokerConfiguration().setObjectAttribute(Plugin.class, TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, + HttpManagement.HTTP_BASIC_AUTHENTICATION_ENABLED, true); + + Map<String, Object> virtualHostNodeAttributes = new HashMap<>(); + virtualHostNodeAttributes.put(VirtualHostNode.NAME, VHN_WITHOUT_VH); + virtualHostNodeAttributes.put(VirtualHostNode.TYPE, getTestProfileVirtualHostNodeType()); + // TODO need better way to determine the VHN's optional attributes + virtualHostNodeAttributes.put(JsonVirtualHostNode.STORE_PATH, getStoreLocation(VHN_WITHOUT_VH)); + + getBrokerConfiguration().addObjectConfiguration(VirtualHostNode.class, virtualHostNodeAttributes); + } + + public void testCreateVirtualHostAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String hostName = getTestName(); + + int responseCode = createVirtualHost(VHN_WITHOUT_VH, hostName); + assertEquals("Virtual host creation should be allowed", HttpServletResponse.SC_CREATED, responseCode); + + assertVirtualHostExists(VHN_WITHOUT_VH, hostName); + } + + public void testCreateVirtualHostDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String hostName = getTestName(); + + int responseCode = createVirtualHost(VHN_WITHOUT_VH, hostName); + assertEquals("Virtual host creation should be denied", HttpServletResponse.SC_FORBIDDEN, responseCode); + + assertVirtualHostDoesNotExist(VHN_WITHOUT_VH, hostName); + } + + public void testDeleteVirtualHostDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + 
getRestTestHelper().submitRequest("virtualhost/" + TEST2_VIRTUALHOST + "/" + TEST2_VIRTUALHOST, "DELETE", HttpServletResponse.SC_FORBIDDEN); + + assertVirtualHostExists(TEST2_VIRTUALHOST, TEST2_VIRTUALHOST); + } + + public void testUpdateVirtualHostDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + Map<String, Object> attributes = new HashMap<>(); + attributes.put(VirtualHost.NAME, TEST2_VIRTUALHOST); + attributes.put(VirtualHost.DESCRIPTION, "new description"); + + getRestTestHelper().submitRequest("virtualhost/" + TEST2_VIRTUALHOST + "/" + TEST2_VIRTUALHOST, "PUT", attributes, HttpServletResponse.SC_FORBIDDEN); + } + + /* === Utility Methods === */ + + private int createVirtualHost(final String testVirtualHostNode, String virtualHostName) throws Exception + { + Map<String, Object> data = new HashMap<>(); + data.put(VirtualHost.NAME, virtualHostName); + data.put(VirtualHost.TYPE, ProvidedStoreVirtualHostImpl.VIRTUAL_HOST_TYPE); + + return getRestTestHelper().submitRequest("virtualhost/" + testVirtualHostNode + "/" + virtualHostName, "PUT", data); + } + + private void assertVirtualHostDoesNotExist(final String virtualHostNodeName, String virtualHostName) throws Exception + { + assertVirtualHostExistence(virtualHostNodeName, virtualHostName, false); + } + + private void assertVirtualHostExists(final String virtualHostNodeName, String virtualHostName) throws Exception + { + assertVirtualHostExistence(virtualHostNodeName, virtualHostName, true); + } + + private void assertVirtualHostExistence(final String virtualHostNodeName, String virtualHostName, boolean exists) throws Exception + { + List<Map<String, Object>> hosts = getRestTestHelper().getJsonAsList("virtualhost/" + virtualHostNodeName + "/" + virtualHostName); + assertEquals("Node " + virtualHostName + (exists ? 
" does not exist" : " exists"), exists, !hosts.isEmpty()); + } + + private String getStoreLocation(String hostName) + { + return new File(TMP_FOLDER, "store-" + hostName + "-" + System.currentTimeMillis()).getAbsolutePath(); + } + +} diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostNodeACLTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostNodeACLTest.java new file mode 100644 index 0000000000..4809962f24 --- /dev/null +++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/VirtualHostNodeACLTest.java 
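Review bot: testUpdateVirtualHostDenied checks only that the PUT returns 403 and never reads the virtual host back, so a broker that applied the new description and then refused the request would still pass; testDeleteVirtualHostDenied does re-check state, and the update test should do the same. After the PUT, fetch the object and assert the attribute is unchanged, for example `Map<String, Object> vh = getRestTestHelper().getJsonAsList("virtualhost/" + TEST2_VIRTUALHOST + "/" + TEST2_VIRTUALHOST).get(0);` followed by `assertFalse("new description".equals(vh.get(VirtualHost.DESCRIPTION)));`. The file also has no allowed-path test for UPDATE or DELETE, although the commit message says VIRTUALHOST permission now governs both, so the grant side of that change is exercised only for CREATE. In assertVirtualHostExistence the failure message still starts with `"Node "`; `"Virtual host "` would match what is being checked.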
@@ -0,0 +1,155 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.qpid.systest.rest.acl; + +import java.io.File; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import javax.servlet.http.HttpServletResponse; + +import org.codehaus.jackson.JsonGenerationException; +import org.codehaus.jackson.map.JsonMappingException; + +import org.apache.qpid.server.management.plugin.HttpManagement; +import org.apache.qpid.server.model.AccessControlProvider; +import org.apache.qpid.server.model.AuthenticationProvider; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.ExternalFileBasedAuthenticationManager; +import org.apache.qpid.server.model.GroupProvider; +import org.apache.qpid.server.model.KeyStore; +import org.apache.qpid.server.model.Plugin; +import org.apache.qpid.server.model.Port; +import org.apache.qpid.server.model.Protocol; +import org.apache.qpid.server.model.TrustStore; +import org.apache.qpid.server.model.VirtualHostNode; +import org.apache.qpid.server.model.adapter.FileBasedGroupProvider; +import org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl; +import 
org.apache.qpid.server.security.FileKeyStore; +import org.apache.qpid.server.security.FileTrustStore; +import org.apache.qpid.server.security.access.FileAccessControlProviderConstants; +import org.apache.qpid.server.security.acl.AbstractACLTestCase; +import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManager; +import org.apache.qpid.server.security.auth.manager.PlainPasswordDatabaseAuthenticationManager; +import org.apache.qpid.server.virtualhost.memory.MemoryVirtualHost; +import org.apache.qpid.server.virtualhostnode.JsonVirtualHostNode; +import org.apache.qpid.systest.rest.QpidRestTestCase; +import org.apache.qpid.test.utils.TestBrokerConfiguration; +import org.apache.qpid.test.utils.TestFileUtils; +import org.apache.qpid.test.utils.TestSSLConstants; + +public class VirtualHostNodeACLTest extends QpidRestTestCase +{ + private static final String TEST_VIRTUAL_HOST_NODE = "myTestVirtualHostNode"; + private static final String ALLOWED_USER = "user1"; + private static final String DENIED_USER = "user2"; + + @Override + protected void customizeConfiguration() throws IOException + { + super.customizeConfiguration(); + getRestTestHelper().configureTemporaryPasswordFile(this, ALLOWED_USER, DENIED_USER); + + AbstractACLTestCase.writeACLFileUtil(this, "ACL ALLOW-LOG ALL ACCESS MANAGEMENT", + "ACL ALLOW-LOG " + ALLOWED_USER + " ALL VIRTUALHOSTNODE", + "ACL DENY-LOG " + DENIED_USER + " ALL VIRTUALHOSTNODE", + "ACL DENY-LOG ALL ALL"); + + getBrokerConfiguration().setObjectAttribute(Plugin.class, TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, + HttpManagement.HTTP_BASIC_AUTHENTICATION_ENABLED, true); + + Map<String, Object> virtualHostNodeAttributes = new HashMap<>(); + virtualHostNodeAttributes.put(VirtualHostNode.NAME, TEST_VIRTUAL_HOST_NODE); + virtualHostNodeAttributes.put(VirtualHostNode.TYPE, getTestProfileVirtualHostNodeType()); + // TODO need better way to determine the VHN's optional attributes + 
virtualHostNodeAttributes.put(JsonVirtualHostNode.STORE_PATH, getStoreLocation(TEST_VIRTUAL_HOST_NODE)); + + + getBrokerConfiguration().addObjectConfiguration(VirtualHostNode.class, virtualHostNodeAttributes); + } + + public void testCreateVirtualHostNodeAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String hostName = getTestName(); + + int responseCode = createVirtualHostNode(hostName); + assertEquals("Virtual host node creation should be allowed", HttpServletResponse.SC_CREATED, responseCode); + + assertVirtualHostNodeExists(hostName); + } + + public void testCreateVirtualHostNodeDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String hostName = getTestName(); + + int responseCode = createVirtualHostNode(hostName); + assertEquals("Virtual host node creation should be denied", HttpServletResponse.SC_FORBIDDEN, responseCode); + + assertVirtualHostNodeDoesNotExist(hostName); + } + + public void testDeleteVirtualHostNodeDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + getRestTestHelper().submitRequest("virtualhostnode/" + TEST_VIRTUAL_HOST_NODE, "DELETE", HttpServletResponse.SC_FORBIDDEN); + + assertVirtualHostNodeExists(TEST_VIRTUAL_HOST_NODE); + } + + /* === Utility Methods === */ + + private int createVirtualHostNode(String virtualHostNodeName) throws Exception + { + Map<String, Object> data = new HashMap<>(); + data.put(VirtualHostNode.NAME, virtualHostNodeName); + data.put(VirtualHostNode.TYPE, getTestProfileVirtualHostNodeType()); + data.put(JsonVirtualHostNode.STORE_PATH, getStoreLocation(virtualHostNodeName)); + + return getRestTestHelper().submitRequest("virtualhostnode/" + virtualHostNodeName, "PUT", data); + } + + private void assertVirtualHostNodeDoesNotExist(String name) throws Exception + { + assertVirtualHostNodeExistence(name, false); + } + + private void 
assertVirtualHostNodeExists(String name) throws Exception + { + assertVirtualHostNodeExistence(name, true); + } + + private void assertVirtualHostNodeExistence(String name, boolean exists) throws Exception + { + List<Map<String, Object>> hosts = getRestTestHelper().getJsonAsList("virtualhostnode/" + name); + assertEquals("Node " + name + (exists ? " does not exist" : " exists"), exists, !hosts.isEmpty()); + } + + private String getStoreLocation(String hostName) + { + return new File(TMP_FOLDER, "store-" + hostName + "-" + System.currentTimeMillis()).getAbsolutePath(); + } + +} |
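Review bot: The move out of BrokerACLTest drops testDeleteVirtualHostNodeAllowed, so this class proves that DELETE is refused for DENIED_USER but never that the `ALLOW-LOG ... ALL VIRTUALHOSTNODE` rule actually grants it. With `ACL DENY-LOG ALL ALL` as the last rule, an allow rule that fails to match DELETE would go unnoticed here. I would restore the positive case against TEST_VIRTUAL_HOST_NODE, as sketched below. The import block also looks copied from BrokerACLTest: names such as `Arrays`, `TestSSLConstants` and `MemoryVirtualHost` are not referenced anywhere in the class and could be removed.

```java
public void testDeleteVirtualHostNodeAllowed() throws Exception
{
    getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER);
    assertVirtualHostNodeExists(TEST_VIRTUAL_HOST_NODE);

    getRestTestHelper().submitRequest("virtualhostnode/" + TEST_VIRTUAL_HOST_NODE, "DELETE", HttpServletResponse.SC_OK);

    assertVirtualHostNodeDoesNotExist(TEST_VIRTUAL_HOST_NODE);
}
```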
