This is an automated email from the ASF dual-hosted git repository.

robbie pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new 56c8afe934 ARTEMIS-4405 wrong user logged for authz audits
56c8afe934 is described below

commit 56c8afe93458ef44b7ebd9c2cd9d8187ddc565ba
Author: Justin Bertram <[email protected]>
AuthorDate: Mon Aug 28 16:49:29 2023 -0500

    ARTEMIS-4405 wrong user logged for authz audits
---
 .../apache/activemq/artemis/logs/AuditLogger.java  |   4 +-
 .../core/security/impl/SecurityStoreImpl.java      |   2 +-
 .../integration/stomp/StompAuditLoggingTest.java   | 107 +++++++++++++++++++++
 3 files changed, 110 insertions(+), 3 deletions(-)

diff --git 
a/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
 
b/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
index a676d8761d..62fa7ca62e 100644
--- 
a/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
+++ 
b/artemis-commons/src/main/java/org/apache/activemq/artemis/logs/AuditLogger.java
@@ -1993,8 +1993,8 @@ public interface AuditLogger {
    void handleManagementMessage2(String user, Object source, String args);
 
 
-   static void securityFailure(String reason, Exception cause) {
-      BASE_LOGGER.securityFailure(getCaller(), reason, cause);
+   static void securityFailure(Subject subject, String remoteAddress, String 
reason, Exception cause) {
+      BASE_LOGGER.securityFailure(getCaller(subject, remoteAddress), reason, 
cause);
    }
 
    @LogMessage(id = 601264, value = "User {} gets security check failure, 
reason = {}", level = LogMessage.Level.INFO)
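Review bot: Removing the two-argument `securityFailure(String, Exception)` overload from the public `AuditLogger` interface is a source- and binary-incompatible change for any caller outside this commit (artemis-commons is shared across modules and by third-party plugins), and the diff updates only the single in-tree call site in SecurityStoreImpl. If other callers exist or the API is meant to stay stable, keep the old signature as a deprecated delegating overload: `@Deprecated static void securityFailure(String reason, Exception cause) { BASE_LOGGER.securityFailure(getCaller(), reason, cause); }`. The new overload would also benefit from a Javadoc stating that the audit record is attributed to the supplied `subject` and `remoteAddress` rather than to whatever `getCaller()` derives from ambient state, which is presumably the mis-attribution ARTEMIS-4405 fixes; how `getCaller(subject, remoteAddress)` renders a null subject is not visible here and is worth documenting as well.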
diff --git 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
index 35c4c87417..7e3e627100 100644
--- 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
+++ 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java
@@ -314,7 +314,7 @@ public class SecurityStoreImpl implements SecurityStore, 
HierarchicalRepositoryC
             } else {
                ex = 
ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), 
checkType, bareQueue, bareAddress);
             }
-            AuditLogger.securityFailure(ex.getMessage(), ex);
+            
AuditLogger.securityFailure(session.getRemotingConnection().getSubject(), 
session.getRemotingConnection().getRemoteAddress(), ex.getMessage(), ex);
             throw ex;
          }
 
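Review bot: `session.getRemotingConnection()` is evaluated twice on the added line, once for the subject and once for the remote address; hoisting it into a local avoids the repeated lookup and gives one place to guard a connection-less session, e.g. `var remotingConnection = session.getRemotingConnection();` followed by `AuditLogger.securityFailure(remotingConnection.getSubject(), remotingConnection.getRemoteAddress(), ex.getMessage(), ex);`. Whether `getRemotingConnection()` can return null for internally created sessions is not visible in this hunk; if it can, the audit call would throw a NullPointerException in the failure path and mask the intended `userNoPermissionsQueue` exception, so a null check before the audit call is worth confirming. Note also that the exception message is built from `session.getUsername()` while the audit record is now attributed to the connection's `Subject`; if those can ever differ, the audit line and the thrown exception would name different principals. The enclosing method starts and ends outside the hunk.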
diff --git 
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/stomp/StompAuditLoggingTest.java
 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/stomp/StompAuditLoggingTest.java
new file mode 100644
index 0000000000..fdc390ae08
--- /dev/null
+++ 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/stomp/StompAuditLoggingTest.java
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.stomp;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.activemq.artemis.core.protocol.stomp.Stomp;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.logs.AssertionLoggerHandler;
+import org.apache.activemq.artemis.logs.AssertionLoggerHandler.LogLevel;
+import org.apache.activemq.artemis.logs.AuditLogger;
+import 
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import 
org.apache.activemq.artemis.tests.integration.stomp.util.ClientStompFrame;
+import 
org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnection;
+import 
org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnectionFactory;
+import org.apache.activemq.artemis.tests.util.RandomUtil;
+import org.apache.activemq.artemis.tests.util.Wait;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class StompAuditLoggingTest extends StompTestBase {
+
+   private static final String BASE_AUDIT_LOGGER_NAME = 
AuditLogger.BASE_LOGGER.getLogger().getName();
+   private static LogLevel previousLevel = null;
+   private static AssertionLoggerHandler loggerHandler;
+   protected StompClientConnection conn;
+   private final String user = "nopriv";
+   private final String pass = user;
+   private final String role = "nopriv";
+
+   @Override
+   public boolean isSecurityEnabled() {
+      return true;
+   }
+
+   @Override
+   protected ActiveMQServer createServer() throws Exception {
+      server = super.createServer();
+
+      ActiveMQJAASSecurityManager securityManager = 
(ActiveMQJAASSecurityManager) server.getSecurityManager();
+
+      securityManager.getConfiguration().addUser(user, pass);
+      securityManager.getConfiguration().addRole(user, role);
+      server.getConfiguration().getSecurityRoles().put("#", new 
HashSet<>(Set.of(new Role(role, false, false, false, false, false, false, 
false, false, false, false))));
+
+      return server;
+   }
+
+   @Override
+   @Before
+   public void setUp() throws Exception {
+      super.setUp();
+      conn = StompClientConnectionFactory.createClientConnection(uri);
+   }
+
+   @BeforeClass
+   public static void prepareLogger() {
+      previousLevel = AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME, 
LogLevel.INFO);
+      loggerHandler = new AssertionLoggerHandler();
+   }
+
+   @AfterClass
+   public static void clearLogger() throws Exception {
+      try {
+         loggerHandler.close();
+      } finally {
+         AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME, 
previousLevel);
+      }
+   }
+
+   @Test
+   public void testAuthzFailureAuditLogging() throws Exception {
+      conn.connect(user, pass);
+
+      ClientStompFrame frame = conn.createFrame(Stomp.Commands.SEND);
+      frame.addHeader(Stomp.Headers.Subscribe.DESTINATION, getQueuePrefix() + 
getQueueName());
+      frame.setBody(RandomUtil.randomString());
+
+      try {
+         conn.sendFrame(frame);
+      } catch (Exception e) {
+         // ignore
+      }
+
+      conn.disconnect();
+
+      Wait.assertTrue(() -> loggerHandler.matchText(".*User 
nopriv\\(nopriv\\).* gets security check failure.*"), 2000, 100);
+   }
+}
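Review bot: The `catch (Exception e) { // ignore }` around `conn.sendFrame(frame)` in testAuthzFailureAuditLogging swallows every exception without saying why, so a genuine client-side failure (a broken connection before the frame is written, for instance) is indistinguishable from the expected authorization rejection; name the variable `ignored` and state the reason, `} catch (Exception ignored) { // the SEND is expected to be rejected; only the audit record is checked below }`. The expected user is duplicated as a literal in the regex at the end while the class already defines `user`; building the pattern from the field, `".*User " + user + "\\(" + user + "\\).* gets security check failure.*"`, keeps the assertion in step with the fixture. `conn.disconnect()` is not in a `finally`, so an exception earlier in the test leaves the STOMP connection open; wrapping the body in try/finally is cheap.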
