Repository: activemq-artemis
Updated Branches:
  refs/heads/master e971f117b -> 1b49559c6


http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
----------------------------------------------------------------------
diff --git 
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index 1eb0ed8..269c3db 100644
--- 
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -18,6 +18,8 @@ package 
org.apache.activemq.artemis.tests.integration.security;
 
 import javax.transaction.xa.XAResource;
 import javax.transaction.xa.Xid;
+import java.lang.management.ManagementFactory;
+import java.net.URL;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -30,24 +32,37 @@ import 
org.apache.activemq.artemis.api.core.client.ClientProducer;
 import org.apache.activemq.artemis.api.core.client.ClientSession;
 import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
 import org.apache.activemq.artemis.api.core.client.ServerLocator;
-import org.apache.activemq.artemis.tests.util.CreateMessage;
-import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
 import org.apache.activemq.artemis.core.config.Configuration;
 import org.apache.activemq.artemis.core.security.CheckType;
 import org.apache.activemq.artemis.core.security.Role;
 import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
 import org.apache.activemq.artemis.core.server.Queue;
 import org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl;
 import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
 import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
 import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2;
 import 
org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManagerImpl;
+import 
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.tests.util.CreateMessage;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
 public class SecurityTest extends ActiveMQTestBase {
 
+   static {
+      String path = System.getProperty("java.security.auth.login.config");
+      if (path == null) {
+         URL resource = 
SecurityTest.class.getClassLoader().getResource("login.config");
+         if (resource != null) {
+            path = resource.getFile();
+            System.setProperty("java.security.auth.login.config", path);
+         }
+      }
+   }
+
    /*
     * create session tests
     */
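Review bot: The static initializer hands `resource.getFile()` to `java.security.auth.login.config`, but `URL.getFile()` returns the path still percent-encoded, so a checkout directory containing a space or non-ASCII character yields a path that does not exist and every JAAS test then fails at login with no hint why. Going through the URI avoids that, e.g. `path = new java.io.File(resource.toURI()).getPath();`, with the URISyntaxException handled inside the static block. The `resource == null` branch is silent as well; `throw new IllegalStateException("login.config not found on test classpath");` there would fail fast instead of surfacing later as an authentication error. The property is JVM-wide, so it also stays set for any other test class run in the same fork; the class body continues outside this hunk.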
@@ -68,6 +83,301 @@ public class SecurityTest extends ActiveMQTestBase {
    }
 
    @Test
+   public void testJAASSecurityManagerAuthentication() throws Exception {
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("PropertiesLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      server.start();
+      ClientSessionFactory cf = createSessionFactory(locator);
+
+      try {
+         ClientSession session = cf.createSession("first", "secret", false, 
true, true, false, 0);
+         session.close();
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception");
+      }
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthenticationBadPassword() throws 
Exception {
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("PropertiesLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      server.start();
+      ClientSessionFactory cf = createSessionFactory(locator);
+
+      try {
+         cf.createSession("first", "badpassword", false, true, true, false, 0);
+         Assert.fail("should throw exception here");
+      }
+      catch (Exception e) {
+         // ignore
+      }
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthenticationGuest() throws Exception {
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("GuestLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      server.start();
+      ClientSessionFactory cf = createSessionFactory(locator);
+
+      try {
+         ClientSession session = cf.createSession("first", "secret", false, 
true, true, false, 0);
+         session.close();
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception");
+      }
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthorizationNegative() throws Exception 
{
+      final SimpleString ADDRESS = new SimpleString("address");
+      final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
+      final SimpleString NON_DURABLE_QUEUE = new 
SimpleString("nonDurableQueue");
+
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("PropertiesLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", false, false, false, false, false, 
false, false));
+      server.getConfiguration().getSecurityRoles().put("#", roles);
+      server.start();
+      server.createQueue(ADDRESS, DURABLE_QUEUE, null, true, false);
+      server.createQueue(ADDRESS, NON_DURABLE_QUEUE, null, false, false);
+
+      ClientSessionFactory cf = createSessionFactory(locator);
+      ClientSession session = addClientSession(cf.createSession("first", 
"secret", false, true, true, false, 0));
+
+      // CREATE_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // DELETE_DURABLE_QUEUE
+      try {
+         session.deleteQueue(DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // CREATE_NON_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // DELETE_NON_DURABLE_QUEUE
+      try {
+         session.deleteQueue(NON_DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // PRODUCE
+      try {
+         ClientProducer producer = session.createProducer(ADDRESS);
+         producer.send(session.createMessage(true));
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // CONSUME
+      try {
+         ClientConsumer consumer = session.createConsumer(DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // MANAGE
+      try {
+         ClientProducer producer = 
session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthorizationPositive() throws Exception 
{
+      final SimpleString ADDRESS = new SimpleString("address");
+      final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
+      final SimpleString NON_DURABLE_QUEUE = new 
SimpleString("nonDurableQueue");
+
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("PropertiesLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", true, true, true, true, true, true, 
true));
+      server.getConfiguration().getSecurityRoles().put("#", roles);
+      server.start();
+
+      ClientSessionFactory cf = createSessionFactory(locator);
+      ClientSession session = addClientSession(cf.createSession("first", 
"secret", false, true, true, false, 0));
+
+      // CREATE_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_DURABLE_QUEUE
+      try {
+         session.deleteQueue(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // CREATE_NON_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_NON_DURABLE_QUEUE
+      try {
+         session.deleteQueue(NON_DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+
+      // PRODUCE
+      try {
+         ClientProducer producer = session.createProducer(ADDRESS);
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // CONSUME
+      try {
+         session.createConsumer(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // MANAGE
+      try {
+         ClientProducer producer = 
session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthorizationPositiveGuest() throws 
Exception {
+      final SimpleString ADDRESS = new SimpleString("address");
+      final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
+      final SimpleString NON_DURABLE_QUEUE = new 
SimpleString("nonDurableQueue");
+
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("GuestLogin");
+      ActiveMQServer server = 
addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true),
 ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("bar", true, true, true, true, true, true, true));
+      server.getConfiguration().getSecurityRoles().put("#", roles);
+      server.start();
+
+      ClientSessionFactory cf = createSessionFactory(locator);
+      ClientSession session = addClientSession(cf.createSession("junk", 
"junk", false, true, true, false, 0));
+
+      // CREATE_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_DURABLE_QUEUE
+      try {
+         session.deleteQueue(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // CREATE_NON_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_NON_DURABLE_QUEUE
+      try {
+         session.deleteQueue(NON_DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+
+      // PRODUCE
+      try {
+         ClientProducer producer = session.createProducer(ADDRESS);
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // CONSUME
+      try {
+         session.createConsumer(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // MANAGE
+      try {
+         ClientProducer producer = 
session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+   }
+
+   @Test
    public void testCreateSessionWithNullUserPass() throws Exception {
       ActiveMQServer server = createServer();
       ActiveMQSecurityManagerImpl securityManager = 
(ActiveMQSecurityManagerImpl) server.getSecurityManager();
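Review bot: The denial checks in testJAASSecurityManagerAuthorizationNegative accept any ActiveMQException, so they do not show that the broker refused the operation on authorization grounds. Both queues are created server-side before the session calls `session.createQueue(ADDRESS, DURABLE_QUEUE, true)`, so a queue-already-exists error would satisfy the CREATE checks even if the role check were skipped. Replacing each `// ignore` with `Assert.assertEquals(ActiveMQExceptionType.SECURITY_EXCEPTION, e.getType());` (adding the import if the file lacks it) pins the reason, and using not-yet-existing queue names for the create cases removes the ambiguity. testJAASSecurityManagerAuthenticationBadPassword has the same gap with `catch (Exception e)`, where a connection or startup failure also counts as a pass.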

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/resources/login.config
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/login.config 
b/tests/integration-tests/src/test/resources/login.config
new file mode 100644
index 0000000..9b1e1c0
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+PropertiesLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule 
required
+        debug=true
+        org.apache.activemq.jaas.properties.user="users.properties"
+        org.apache.activemq.jaas.properties.role="roles.properties";
+};
+
+LDAPLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:1024";
+        connectionUsername="uid=admin,ou=system"
+        connectionPassword=secret
+        connectionProtocol=s
+        authentication=simple
+        userBase="ou=system"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleBase="ou=system"
+        roleName=cn
+        roleSearchMatching="(member=uid={1},ou=system)"
+        roleSearchSubtree=false
+        ;
+};
+
+UnAuthenticatedLDAPLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:1024";
+        connectionUsername="uid=admin,ou=system"
+        connectionPassword=""
+        connectionProtocol=s
+        authentication=simple
+        userBase="ou=system"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleBase="ou=system"
+        roleName=dummyRoleName
+        roleSearchMatching="(uid={1})"
+        roleSearchSubtree=false
+        ;
+};
+
+ExpandedLDAPLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:1024";
+        connectionUsername="uid=admin,ou=system"
+        connectionPassword=secret
+        connectionProtocol=s
+        authentication=simple
+        userBase="ou=system"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleBase="ou=system"
+        roleName=cn
+        roleSearchMatching="(uid={1})"
+        roleSearchSubtree=false
+               expandRoles=true
+               expandRolesMatching="(member={0})"
+        ;
+};
+
+GuestLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule 
required
+        debug=true
+        org.apache.activemq.jaas.guest.user="foo"
+        org.apache.activemq.jaas.guest.role="bar";
+
+};
+
+GuestLoginWithDefaults {
+    org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule 
required
+        debug=true;
+};
+
+OpenLdapConfiguration {
+  org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
+        debug=true
+        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
+        connectionURL="ldap://localhost:389";
+        
connectionUsername="cn=mqbroker,ou=Services,ou=system,dc=fusesource,dc=com"
+        connectionPassword="sunflower"
+        connectionProtocol="s"
+        
topicSearchMatchingFormat="cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        topicSearchSubtreeBool=true
+        authentication=simple
+        userBase="ou=User,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        userSearchMatching="(uid={0})"
+        userSearchSubtree=false
+        roleSearchMatching="(uid={1})"
+        
queueSearchMatchingFormat="cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        queueSearchSubtreeBool=true
+        roleBase="ou=Group,ou=ActiveMQ,ou=system,dc=fusesource,dc=com"
+        roleName=cn
+        roleSearchMatching="(member:=uid={1})"
+        roleSearchSubtree=true
+        ;
+};
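Review bot: The OpenLdapConfiguration entry carries a bind DN under `dc=fusesource,dc=com` with `connectionPassword="sunflower"`, which reads as copied from another environment rather than written for this suite; confirm it is a throwaway value before it is committed. The tests added to SecurityTest in this commit reference only PropertiesLogin and GuestLogin, so the LDAP entries could be left out until a test needs them. Every entry also sets `debug=true`; what the login modules log at that level is not visible here, so check that it does not include submitted passwords. As rendered on this page the `connectionURL="…";` lines end in a semicolon, which in JAAS syntax would close the module entry before the remaining options; if that is in the file rather than an archive artifact, it needs removing.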

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/resources/roles.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/roles.properties 
b/tests/integration-tests/src/test/resources/roles.properties
new file mode 100644
index 0000000..de332d3
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/roles.properties
@@ -0,0 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+programmers=first
+accounting=second
+employees=first,second

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/resources/test.ldif
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/test.ldif 
b/tests/integration-tests/src/test/resources/test.ldif
new file mode 100644
index 0000000..6d6bd58
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/test.ldif
@@ -0,0 +1,39 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+
+dn: uid=first,ou=system
+uid: first
+userPassword: secret
+objectClass: account
+objectClass: simpleSecurityObject
+objectClass: top
+
+###################
+## Define groups ##
+###################
+
+dn: cn=admins,ou=system
+cn: admins
+member: uid=first,ou=system
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=users,ou=system
+cn: users
+member: cn=admins,ou=system
+objectClass: groupOfNames
+objectClass: top
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/resources/users.properties
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/resources/users.properties 
b/tests/integration-tests/src/test/resources/users.properties
new file mode 100644
index 0000000..1087b0b
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/users.properties
@@ -0,0 +1,19 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+first=secret
+second=password
