Author: robbie
Date: Thu Jun 17 15:32:12 2010
New Revision: 955642

URL: http://svn.apache.org/viewvc?rev=955642&view=rev
Log:
QPID-2654: Add Actor logging to the ACL plugin

Applied patch from Andrew Kennedy <[email protected]>

Added:
    
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/
    
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
    qpid/trunk/qpid/java/systests/etc/test-logging.txt
    
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/logging/AccessControlLoggingTest.java
Modified:
    qpid/trunk/qpid/java/broker-plugins/access-control/MANIFEST.MF
    qpid/trunk/qpid/java/broker-plugins/access-control/build.xml
    
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
    
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
    
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
    
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
    
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java

Modified: qpid/trunk/qpid/java/broker-plugins/access-control/MANIFEST.MF
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/MANIFEST.MF?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/MANIFEST.MF (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/MANIFEST.MF Thu Jun 17 
15:32:12 2010
@@ -4,13 +4,13 @@ Bundle-Name: Qpid Broker-Plugins Access 
 Bundle-SymbolicName: broker-plugins-access-control
 Bundle-Description: Access control plugin for Qpid.
 Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt
-Bundle-DocURL: http://www.apache.org/
+Bundle-DocURL: http://qpid.apache.org/acl.html
 Bundle-Version: 1.0.0
 Bundle-Activator: 
org.apache.qpid.server.security.access.plugins.AccessControlActivator
 Bundle-RequiredExecutionEnvironment: JavaSE-1.5
 Bundle-ClassPath: .
 Bundle-ActivationPolicy: lazy
-Import-Package:  org.apache.qpid,
+Import-Package: org.apache.qpid,
  org.apache.qpid.exchange,
  org.apache.qpid.framing,
  org.apache.qpid.junit.extensions.util,
@@ -19,8 +19,12 @@ Import-Package:  org.apache.qpid,
  org.apache.qpid.server.configuration.plugins,
  org.apache.qpid.server.exchange,
  org.apache.qpid.server.management,
+ org.apache.qpid.server.logging,
+ org.apache.qpid.server.logging.actors,
+ org.apache.qpid.server.logging.subjects,
  org.apache.qpid.server.plugins,
  org.apache.qpid.server.queue,
+ org.apache.qpid.server.registry,
  org.apache.qpid.server.security,
  org.apache.qpid.server.security.access,
  org.apache.qpid.server.virtualhost,
@@ -33,5 +37,6 @@ Import-Package:  org.apache.qpid,
  javax.management.openmbean;version=1.0.0,
  org.osgi.util.tracker;version=1.0.0,
  org.osgi.framework;version=1.3
-Private-Package: org.apache.qpid.server.security.access.config
+Private-Package: org.apache.qpid.server.security.access.config,
+ org.apache.qpid.server.security.access.logging
 Export-Package: org.apache.qpid.server.security.access.plugins

Modified: qpid/trunk/qpid/java/broker-plugins/access-control/build.xml
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/build.xml?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/build.xml (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/build.xml Thu Jun 17 
15:32:12 2010
@@ -25,5 +25,7 @@
 
     <import file="../../module.xml" />
 
-    <target name="bundle" depends="bundle-tasks" />
+    <target name="bundle" depends="bundle-tasks"/>
+
+    <target name="precompile" depends="gen_logging"/>
 </project>

Modified: 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
 (original)
+++ 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
 Thu Jun 17 15:32:12 2010
@@ -33,11 +33,13 @@ import org.apache.commons.lang.BooleanUt
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.apache.qpid.exchange.ExchangeDefaults;
+import org.apache.qpid.server.logging.actors.CurrentActor;
 import org.apache.qpid.server.security.Result;
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.access.Permission;
+import org.apache.qpid.server.security.access.logging.AccessControlMessages;
 
 /**
  * Models the rule configuration for the access control plugin.
@@ -183,6 +185,20 @@ public class RuleSet
                }
                return false;
     }
+    
+    private Permission noLog(Permission permission)
+    {
+        switch (permission)
+        {
+            case ALLOW:
+            case ALLOW_LOG:
+                return Permission.ALLOW;
+            case DENY:
+            case DENY_LOG:
+            default:
+                return Permission.DENY;
+        }
+    }
 
     // TODO make this work when group membership is not known at file parse 
time
     public void addRule(Integer number, String identity, Permission 
permission, Action action)
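Review bot: `noLog` has no comment explaining why derived rules lose their logging flag, and the effect on auditing should be stated. With the `noLog(permission)` calls in the later `addRule` hunks (TOPIC bind/unbind, QUEUE bind/unbind/delete and the VIRTUALHOST access rule), a decision that matches only an implied rule appears never to reach the ACL log, even though the operator wrote ALLOW-LOG or DENY-LOG. If the aim is to avoid duplicate entries, say so in a Javadoc, e.g. `/** Strips the logging variant so rules implied by a configured rule do not emit their own ACL-1001/ACL-1002 entries. */`, and note that the `default` branch deliberately maps any unrecognised permission to `Permission.DENY`. A `null` permission would throw at the `switch`; whether callers can pass one is not visible here, and both the class and `addRule` continue outside the hunk.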
@@ -201,7 +217,7 @@ public class RuleSet
         {
             if (action.getOperation() == Operation.CREATE && 
action.getObjectType() == ObjectType.TOPIC)
             {
-                addRule(null, identity, permission, new Action(Operation.BIND, 
ObjectType.EXCHANGE,
+                addRule(null, identity, noLog(permission), new 
Action(Operation.BIND, ObjectType.EXCHANGE,
                         new ObjectProperties("amq.topic", 
action.getProperties().get(ObjectProperties.Property.NAME))));
                 ObjectProperties topicProperties = new ObjectProperties();
                 topicProperties.put(ObjectProperties.Property.DURABLE, true);
@@ -210,7 +226,7 @@ public class RuleSet
             }
             if (action.getOperation() == Operation.DELETE && 
action.getObjectType() == ObjectType.TOPIC)
             {
-                addRule(null, identity, permission, new 
Action(Operation.UNBIND, ObjectType.EXCHANGE,
+                addRule(null, identity, noLog(permission), new 
Action(Operation.UNBIND, ObjectType.EXCHANGE,
                         new ObjectProperties("amq.topic", 
action.getProperties().get(ObjectProperties.Property.NAME))));
                 ObjectProperties topicProperties = new ObjectProperties();
                 topicProperties.put(ObjectProperties.Property.DURABLE, true);
@@ -227,10 +243,10 @@ public class RuleSet
                 ObjectProperties exchProperties = new 
ObjectProperties(action.getProperties());
                 exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
                 exchProperties.put(ObjectProperties.Property.ROUTING_KEY, 
action.getProperties().get(ObjectProperties.Property.NAME));
-                addRule(null, identity, permission, new Action(Operation.BIND, 
ObjectType.EXCHANGE, exchProperties));
+                addRule(null, identity, noLog(permission), new 
Action(Operation.BIND, ObjectType.EXCHANGE, exchProperties));
                                if 
(action.getProperties().isSet(ObjectProperties.Property.AUTO_DELETE))
                                {
-                                       addRule(null, identity, permission, new 
Action(Operation.DELETE, ObjectType.QUEUE, action.getProperties()));
+                                       addRule(null, identity, 
noLog(permission), new Action(Operation.DELETE, ObjectType.QUEUE, 
action.getProperties()));
                                }
             }
             else if (action.getOperation() == Operation.DELETE && 
action.getObjectType() == ObjectType.QUEUE)
@@ -238,11 +254,11 @@ public class RuleSet
                 ObjectProperties exchProperties = new 
ObjectProperties(action.getProperties());
                 exchProperties.setName(ExchangeDefaults.DEFAULT_EXCHANGE_NAME);
                 exchProperties.put(ObjectProperties.Property.ROUTING_KEY, 
action.getProperties().get(ObjectProperties.Property.NAME));
-                addRule(null, identity, permission, new 
Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
+                addRule(null, identity, noLog(permission), new 
Action(Operation.UNBIND, ObjectType.EXCHANGE, exchProperties));
             }
             else if (action.getOperation() != Operation.ACCESS && 
action.getObjectType() != ObjectType.VIRTUALHOST)
             {
-                addRule(null, identity, permission, new 
Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
+                addRule(null, identity, noLog(permission), new 
Action(Operation.ACCESS, ObjectType.VIRTUALHOST));
             }
         }
         
@@ -409,11 +425,13 @@ public class RuleSet
                 switch (permission)
                 {
                     case ALLOW_LOG:
-                        _logger.info("ALLOWED " + action);
+                        
CurrentActor.get().message(AccessControlMessages.ALLOWED(
+                                action.getOperation().toString(), 
action.getObjectType().toString(), action.getProperties().toString()));
                     case ALLOW:
                         return Result.ALLOWED;
                     case DENY_LOG:
-                        _logger.info("DENIED " + action);
+                        
CurrentActor.get().message(AccessControlMessages.DENIED(
+                                action.getOperation().toString(), 
action.getObjectType().toString(), action.getProperties().toString()));
                     case DENY:
                         return Result.DENIED;
                 }
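Review bot: The new log arguments include `action.getProperties().toString()`, which carries client-supplied values such as the queue name (the system test in this commit asserts that the name appears in the message). CR/LF and other control characters in those values should be neutralised before they reach the audit line, unless the message framework already does so, which is not visible here. Otherwise an object name containing a line break can make one ACL-1001/ACL-1002 entry read as several, which undermines the log as an audit record. The `ALLOW_LOG` to `ALLOW` and `DENY_LOG` to `DENY` fall-throughs look intentional but are unmarked; add `// fall through` after each `message(...)` call. The enclosing method starts and ends outside the hunk.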

Added: 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties?rev=955642&view=auto
==============================================================================
--- 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
 (added)
+++ 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
 Thu Jun 17 15:32:12 2010
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# org.apache.qpid.server.security.access.logging.AccessControl
+
+# Access Control logging message i18n strings.
+
+# 'accept-log' rule message
+ALLOWED = ACL-1001 : Allowed : {0} {1} {2}
+
+# 'deny-log' rule message
+DENIED = ACL-1002 : Denied : {0} {1} {2}
\ No newline at end of file
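Review bot: The comment `# 'accept-log' rule message` does not match the rule keyword used elsewhere in this commit (`ALLOW-LOG` in test-logging.txt); it should read `# 'allow-log' rule message`. The placeholders are undocumented: per the RuleSet call sites they are `{0}` operation, `{1}` object type and `{2}` properties, which deserves a one-line comment above each key because log consumers will parse these lines. The message body carries neither the identity nor the matching rule; the identity apparently comes from the actor prefix (the test checks the actor for the user name), so say that in the file comment.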

Modified: 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
 (original)
+++ 
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
 Thu Jun 17 15:32:12 2010
@@ -20,7 +20,6 @@
  */
 package org.apache.qpid.server.security.access.plugins;
 
-import java.io.File;
 import java.security.Principal;
 
 import org.apache.commons.configuration.ConfigurationException;
@@ -33,8 +32,6 @@ import org.apache.qpid.server.security.S
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.access.config.ConfigurationFile;
-import org.apache.qpid.server.security.access.config.PlainConfiguration;
 import org.apache.qpid.server.security.access.config.RuleSet;
 
 /**

Modified: 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
 (original)
+++ 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/plugins/PluginManager.java
 Thu Jun 17 15:32:12 2010
@@ -124,6 +124,7 @@ public class PluginManager implements Cl
                 "org.apache.qpid.server.exchange; version=0.7," +
                 "org.apache.qpid.server.logging; version=0.7," +
                 "org.apache.qpid.server.logging.actors; version=0.7," +        
        
+                "org.apache.qpid.server.logging.subjects; version=0.7," +      
          
                 "org.apache.qpid.server.management; version=0.7," +
                 "org.apache.qpid.server.persistent; version=0.7," +
                 "org.apache.qpid.server.plugins; version=0.7," +

Modified: 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
 (original)
+++ 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectType.java
 Thu Jun 17 15:32:12 2010
@@ -87,4 +87,10 @@ public enum ObjectType
         }
         throw new IllegalArgumentException("Not a valid object type: " + text);
     }
+    
+    public String toString()
+    {
+        String name = name();
+        return name.charAt(0) + name.substring(1).toLowerCase();
+    }
 }
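Review bot: `name.substring(1).toLowerCase()` uses the JVM default locale, so on a Turkish-locale broker `I` lower-cases to a dotless `ı` and the audit text for constants such as `VIRTUALHOST` would differ from what the tests and any log parser expect; use `toLowerCase(Locale.ENGLISH)` (needs `import java.util.Locale;`). The method also lacks `@Override` and a Javadoc stating that the display form is capitalised, e.g. `Queue`. Because this changes the string produced wherever the enum is concatenated (the `IllegalArgumentException` message above is one such place), any code that feeds `toString()` back into a parser should be checked; that is outside this hunk. The identical `toString()` added to `Operation` in the next file section has the same issues (`BIND`, `UNBIND`).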

Modified: 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java?rev=955642&r1=955641&r2=955642&view=diff
==============================================================================
--- 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java
 (original)
+++ 
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Operation.java
 Thu Jun 17 15:32:12 2010
@@ -46,4 +46,10 @@ public enum Operation
         }
         throw new IllegalArgumentException("Not a valid operation: " + text);
     }
+    
+    public String toString()
+    {
+        String name = name();
+        return name.charAt(0) + name.substring(1).toLowerCase();
+    }
 }
\ No newline at end of file

Added: qpid/trunk/qpid/java/systests/etc/test-logging.txt
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/test-logging.txt?rev=955642&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/test-logging.txt (added)
+++ qpid/trunk/qpid/java/systests/etc/test-logging.txt Thu Jun 17 15:32:12 2010
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+ACL ALLOW client CREATE QUEUE name="allow"
+ACL ALLOW-LOG client CREATE QUEUE name="allow-log"
+ACL DENY client CREATE QUEUE name="deny"
+ACL DENY-LOG client CREATE QUEUE name="deny-log"

Added: 
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/logging/AccessControlLoggingTest.java
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/logging/AccessControlLoggingTest.java?rev=955642&view=auto
==============================================================================
--- 
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/logging/AccessControlLoggingTest.java
 (added)
+++ 
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/logging/AccessControlLoggingTest.java
 Thu Jun 17 15:32:12 2010
@@ -0,0 +1,174 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.qpid.server.logging;
+
+import java.io.File;
+import java.util.List;
+
+import javax.jms.Connection;
+import javax.jms.JMSException;
+import javax.jms.Session;
+
+import org.apache.qpid.AMQException;
+import org.apache.qpid.client.AMQSession;
+import org.apache.qpid.framing.AMQShortString;
+import org.apache.qpid.protocol.AMQConstant;
+
+/**
+ * ACL version 2/3 file testing to verify that ACL actor logging works 
correctly.
+ * 
+ * This suite of tests validate that the AccessControl messages occur correctly
+ * and according to the following format:
+ * 
+ * <pre>
+ * ACL-1001 : Allowed Operation Object {PROPERTIES}
+ * ACL-1002 : Denied Operation Object {PROPERTIES}
+ * </pre>
+ */
+public class AccessControlLoggingTest extends AbstractTestLogging
+{
+    private static final String ACL_LOG_PREFIX = "ACL-";
+    private static final String USER = "client";
+    private static final String PASS = "guest";
+
+    public void setUp() throws Exception
+    {
+        
setConfigurationProperty("virtualhosts.virtualhost.test.security.aclv2",
+                QpidHome + File.separator + "etc" + File.separator + 
"test-logging.txt");
+        
+        super.setUp();
+    }
+
+    /** FIXME This comes from {...@link SimpleACLTest} and makes me 
suspicious. */
+    @Override
+    public void tearDown() throws Exception
+    {
+        try
+        {
+            super.tearDown();
+        }
+        catch (JMSException e)
+        {
+            //we're throwing this away as it can happen in this test as the 
state manager remembers exceptions
+            //that we provoked with authentication failures, where the test 
passes - we can ignore on con close
+        }
+    }
+    
+    /**
+     * Test that {...@code allow} ACL entries do not log anything.
+     */
+    public void testAllow() throws Exception
+       {
+        Connection conn = getConnection(USER, PASS);
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        ((AMQSession<?, ?>) sess).createQueue(new AMQShortString("allow"), 
false, false, false);
+        
+        List<String> matches = _monitor.findMatches(ACL_LOG_PREFIX);
+        
+        assertTrue("Should be no ACL log messages", matches.isEmpty());
+    }
+    
+    /**
+     * Test that {...@code allow-log} ACL entries log correctly.
+     */
+    public void testAllowLog() throws Exception
+    {
+        Connection conn = getConnection(USER, PASS);
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        ((AMQSession<?, ?>) sess).createQueue(new AMQShortString("allow-log"), 
false, false, false);
+        
+        List<String> matches = _monitor.findMatches(ACL_LOG_PREFIX);
+        
+        assertEquals("Should only be one ACL log message", 1, matches.size());
+        
+        String log = getLog(matches.get(0));
+        String actor = fromActor(log);
+        String subject = fromSubject(log);
+        String message = getMessageString(fromMessage(log));
+        
+        validateMessageID(ACL_LOG_PREFIX + 1001, log);
+        
+        assertTrue("Actor should contain the user identity", 
actor.contains(USER));
+        assertTrue("Subject should be empty", subject.length() == 0);
+        assertTrue("Message should start with 'Allowed'", 
message.startsWith("Allowed"));
+        assertTrue("Message should contain 'Create Queue'", 
message.contains("Create Queue"));
+        assertTrue("Message should have contained the queue name", 
message.contains("allow-log"));
+    }
+    
+    /**
+     * Test that {...@code deny-log} ACL entries log correctly.
+     */
+    public void testDenyLog() throws Exception
+    {
+        Connection conn = getConnection(USER, PASS);
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        try {
+            ((AMQSession<?, ?>) sess).createQueue(new 
AMQShortString("deny-log"), false, false, false);
+               fail("Should have denied queue creation");
+        }
+        catch (AMQException amqe)
+        {
+            // Denied, so exception thrown
+            assertEquals("Expected ACCESS_REFUSED error code", 
AMQConstant.ACCESS_REFUSED, amqe.getErrorCode());
+        }
+        
+        List<String> matches = _monitor.findMatches(ACL_LOG_PREFIX);
+        
+        assertEquals("Should only be one ACL log message", 1, matches.size());
+        
+        String log = getLog(matches.get(0));
+        String actor = fromActor(log);
+        String subject = fromSubject(log);
+        String message = getMessageString(fromMessage(log));
+        
+        validateMessageID(ACL_LOG_PREFIX + 1002, log);
+        
+        assertTrue("Actor should contain the user identity", 
actor.contains(USER));
+        assertTrue("Subject should be empty", subject.length() == 0);
+        assertTrue("Message should start with 'Denied'", 
message.startsWith("Denied"));
+        assertTrue("Message should contain 'Create Queue'", 
message.contains("Create Queue"));
+        assertTrue("Message should have contained the queue name", 
message.contains("deny-log"));
+    }
+    
+    /**
+     * Test that {...@code deny} ACL entries do not log anything.
+     */
+    public void testDeny() throws Exception
+    {
+        Connection conn = getConnection(USER, PASS);
+        Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+        conn.start();
+        try {
+            ((AMQSession<?, ?>) sess).createQueue(new AMQShortString("deny"), 
false, false, false);
+            fail("Should have denied queue creation");
+        }
+        catch (AMQException amqe)
+        {
+            // Denied, so exception thrown
+            assertEquals("Expected ACCESS_REFUSED error code", 
AMQConstant.ACCESS_REFUSED, amqe.getErrorCode());
+        }
+        
+        List<String> matches = _monitor.findMatches(ACL_LOG_PREFIX);
+        
+        assertTrue("Should be no ACL log messages", matches.isEmpty());
+    }
+}
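Review bot: The class Javadoc documents the format as `ACL-1001 : Allowed Operation Object {PROPERTIES}`, but the template added in AccessControl_logmessages.properties is `ACL-1001 : Allowed : {0} {1} {2}`, with an extra ` : ` after the verb; the comment should match the real message. `setUp()` overrides the parent method (it calls `super.setUp()`) but has no `@Override`, unlike `tearDown()`. The empty `catch (JMSException e)` in `tearDown()` hides every cleanup failure for all four tests, not only the two that provoke ACCESS_REFUSED; at minimum log the exception, or restrict the swallow to the deny tests.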


