This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new a70c421493 ARTEMIS-4580 security settings for FQQN not enforced on send
a70c421493 is described below

commit a70c421493384a5e8c4501b9b8f948c2e875918e
Author: Justin Bertram <[email protected]>
AuthorDate: Fri Jan 19 16:54:58 2024 -0600

    ARTEMIS-4580 security settings for FQQN not enforced on send
---
 .../core/server/impl/ServerSessionImpl.java        |   4 +-
 .../integration/security/FQQNSendSecurityTest.java | 103 +++++++++++++++++++++
 2 files changed, 105 insertions(+), 2 deletions(-)

diff --git 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
index 55cf83596a..a180b0b842 100644
--- 
a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
+++ 
b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
@@ -2324,9 +2324,9 @@ public class ServerSessionImpl implements ServerSession, 
FailureListener {
          msg.setAddress(art.getName());
       }
 
-      // check the user has write access to this address.
+      // check the user has write access to this address (and potentially 
queue).
       try {
-         securityCheck(CompositeAddress.extractAddressName(art.getName()), 
CompositeAddress.isFullyQualified(art.getName()) ? 
CompositeAddress.extractQueueName(art.getName()) : null, CheckType.SEND, this);
+         
securityCheck(CompositeAddress.extractAddressName(msg.getAddressSimpleString()),
 CompositeAddress.isFullyQualified(msg.getAddressSimpleString()) ? 
CompositeAddress.extractQueueName(msg.getAddressSimpleString()) : null, 
CheckType.SEND, this);
       } catch (ActiveMQException e) {
          if (!autoCommitSends && tx != null) {
             tx.markAsRollbackOnly(e);
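Review bot: The new `securityCheck(...)` call reads `msg.getAddressSimpleString()` three separate times, so the address and queue parts of the authorization decision are not visibly derived from one value. Binding it once makes that explicit and shortens the line: `final SimpleString target = msg.getAddressSimpleString();` followed by `securityCheck(CompositeAddress.extractAddressName(target), CompositeAddress.isFullyQualified(target) ? CompositeAddress.extractQueueName(target) : null, CheckType.SEND, this);`. The comment should also say why the message's address is checked rather than `art.getName()`, for example `// use the address carried by the message: it keeps the ::queue part that the security-settings match needs`. That wording is inferred from the commit title, so confirm it. The enclosing method starts and ends outside this hunk, so I cannot see whether the routing code further down uses this same address; the name that is authorized should be the name that is routed to.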
diff --git 
a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/FQQNSendSecurityTest.java
 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/FQQNSendSecurityTest.java
new file mode 100644
index 0000000000..a1db3e9b31
--- /dev/null
+++ 
b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/FQQNSendSecurityTest.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.security;
+
+import javax.jms.Connection;
+import javax.jms.Destination;
+import javax.jms.JMSSecurityException;
+import javax.jms.MessageProducer;
+import javax.jms.Session;
+
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.RoutingType;
+import org.apache.activemq.artemis.core.config.Configuration;
+import org.apache.activemq.artemis.core.config.impl.RoleSet;
+import org.apache.activemq.artemis.core.config.impl.SecurityConfiguration;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
+import 
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.jaas.InVMLoginModule;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.tests.util.RandomUtil;
+import org.apache.activemq.artemis.utils.CompositeAddress;
+import org.junit.Before;
+import org.junit.Test;
+
+public class FQQNSendSecurityTest extends ActiveMQTestBase {
+
+   private final String ALLOWED_USER = "allowedUser";
+   private final String ALLOWED_ROLE = "allowedRole";
+   private final String DENIED_USER = "deniedUser";
+   private final String DENIED_ROLE = "deniedRole";
+   private final String PASS = RandomUtil.randomString();
+   private final String ADDRESS = "myAddress";
+   private final String QUEUE = "myQueue";
+
+   @Override
+   @Before
+   public void setUp() throws Exception {
+      super.setUp();
+      Configuration configuration = 
createDefaultInVMConfig().setSecurityEnabled(true);
+      RoleSet roles = new RoleSet();
+      roles.add(new Role(ALLOWED_ROLE, true, false, false, false, false, 
false, false, false, false, false));
+      roles.add(new Role(DENIED_ROLE, false, false, false, false, false, 
false, false, false, false, false));
+      
configuration.putSecurityRoles(CompositeAddress.toFullyQualified(ADDRESS, 
QUEUE), roles);
+
+      ActiveMQServer server = createServer(false, configuration);
+
+      ActiveMQJAASSecurityManager securityManager = new 
ActiveMQJAASSecurityManager(InVMLoginModule.class.getName());
+      SecurityConfiguration securityConfiguration = new 
SecurityConfiguration();
+      securityConfiguration.addUser(ALLOWED_USER, PASS);
+      securityConfiguration.addRole(ALLOWED_USER, ALLOWED_ROLE);
+      securityConfiguration.addUser(DENIED_USER, PASS);
+      securityConfiguration.addRole(DENIED_USER, DENIED_ROLE);
+      securityManager.setConfiguration(securityConfiguration);
+      server.setSecurityManager(securityManager);
+
+      configuration.addQueueConfiguration(new 
QueueConfiguration(QUEUE).setAddress(ADDRESS).setRoutingType(RoutingType.ANYCAST));
+
+      server.start();
+   }
+
+   @Test
+   public void sendMessageToFQQN() throws Exception {
+      ActiveMQConnectionFactory connectionFactory = new 
ActiveMQConnectionFactory("vm://0");
+      try (Connection connection = 
connectionFactory.createConnection(ALLOWED_USER, PASS)) {
+         Session session = connection.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+         Destination destination = 
session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
+         MessageProducer messageProducer = session.createProducer(destination);
+         messageProducer.send(session.createMessage());
+      }
+   }
+
+   @Test
+   public void sendMessageToFQQNNegative() throws Exception {
+      ActiveMQConnectionFactory connectionFactory = new 
ActiveMQConnectionFactory("vm://0");
+      try (Connection connection = 
connectionFactory.createConnection(DENIED_USER, PASS)) {
+         Session session = connection.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+         Destination destination = 
session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
+         MessageProducer messageProducer = session.createProducer(destination);
+         try {
+            messageProducer.send(session.createMessage());
+            fail();
+         } catch (JMSSecurityException e) {
+            // expected
+         }
+      }
+   }
+}
\ No newline at end of file
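Review bot: Both tests open the session with `connection.createSession(false, Session.AUTO_ACKNOWLEDGE)`, so the `!autoCommitSends && tx != null` branch that marks the transaction rollback-only on a failed security check (visible in the ServerSessionImpl hunk) is never exercised. A third test using `connection.createSession(true, Session.SESSION_TRANSACTED)` with `DENIED_USER` would pin that the denied send cannot be committed. Whether the failure surfaces on `send()` or on `commit()` should be confirmed against the client's behaviour. Security settings are registered only for the FQQN, so a case where the bare address and the FQQN carry different roles would show which setting applies on send. On style, the upper-case fields are instance fields and should be constants, e.g. `private static final String ALLOWED_USER = "allowedUser";`, and `fail()` should carry a message such as `fail("send to FQQN should be rejected for " + DENIED_USER);`.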
