Copied: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java (from r1750731, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java) URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java?p2=qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java&r1=1750731&r2=1750734&rev=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java Wed Jun 29 23:23:09 2016 @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.qpid.server.security.access; +package org.apache.qpid.server.security.access.config; import java.util.Collections; import java.util.EnumMap;
Copied: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java (from r1750613, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectType.java) URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java?p2=qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectType.java&r1=1750613&r2=1750734&rev=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/ObjectType.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java Wed Jun 29 23:23:09 2016 @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.qpid.server.security.access; +package org.apache.qpid.server.security.access.config; import static org.apache.qpid.server.security.access.Operation.ACCESS; import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS; 
@@ -34,6 +34,8 @@ import static org.apache.qpid.server.sec import java.util.EnumSet; import java.util.Set; +import org.apache.qpid.server.security.access.Operation; + /** * An enumeration of all possible object types that can form part of an access control v2 rule. * Copied: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/OperationLoggingDetails.java (from r1750613, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java) URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/OperationLoggingDetails.java?p2=qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/OperationLoggingDetails.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java&r1=1750613&r2=1750734&rev=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationLoggingDetails.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/OperationLoggingDetails.java Wed Jun 29 23:23:09 2016 
@@ -18,7 +18,7 @@ * under the License. * */ -package org.apache.qpid.server.security.access; +package org.apache.qpid.server.security.access.config; public class OperationLoggingDetails extends ObjectProperties Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java Wed Jun 29 23:23:09 2016 @@ -24,6 +24,7 @@ import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.SocketAddress; import java.security.AccessController; +import java.util.Map; import java.util.Set; import javax.security.auth.Subject; 
@@ -32,21 +33,22 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.qpid.server.connection.ConnectionPrincipal; +import org.apache.qpid.server.model.*; import org.apache.qpid.server.security.AccessControl; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; -public class RuleBasedAccessControl implements AccessControl +public class RuleBasedAccessControl implements AccessControl<CachingSecurityToken>, LegacyAccessControl { private static final Logger _logger = LoggerFactory.getLogger(RuleBasedAccessControl.class); + private final LegacyAccessControlAdapter _adapter; private RuleSet _ruleSet; - public RuleBasedAccessControl(RuleSet rs) + public RuleBasedAccessControl(RuleSet rs, final Model model) { _ruleSet = rs; + _adapter = new LegacyAccessControlAdapter(this, model); } public Result getDefault() @@ -54,6 +56,18 @@ public class RuleBasedAccessControl impl return _ruleSet.getDefault(); } + @Override + public CachingSecurityToken newToken() + { + return newToken(Subject.getSubject(AccessController.getContext())); + } + + @Override + public CachingSecurityToken newToken(final Subject subject) + { + return new CachingSecurityToken(subject, this); + } + /** * Check if an operation is authorised by asking the configuration object about the access * control rules granted to the current thread's {@link Subject}. If there is no current 
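Review bot: The new constructor stores a `LegacyAccessControlAdapter` built from `this` and `model` but validates neither argument, so a null `RuleSet` or `Model` only surfaces later as a NullPointerException inside an authorisation call rather than at wiring time; `_ruleSet = Objects.requireNonNull(rs, "rs");` and `new LegacyAccessControlAdapter(this, Objects.requireNonNull(model, "model"))` would fail at construction instead (with `import java.util.Objects;`). Letting `this` escape from the constructor looks benign here because `_ruleSet` is assigned first and nothing in the diff subclasses the class, but a one-line comment stating that the adapter must not call back into the access control during construction would make that contract explicit. The added `import org.apache.qpid.server.model.*;` departs from the file's explicit-import style; naming `ConfiguredObject` and `Model` keeps the dependency surface visible.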
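Review bot: `newToken()` binds the token to whatever `Subject.getSubject(AccessController.getContext())` returns, which is null when no Subject is attached to the calling thread, and that null is handed straight to `new CachingSecurityToken(subject, this)`. The javadoc visible just after the hunk says the uncached `authorise` path treats a missing Subject as a special case, so `CachingSecurityToken` must either reject a null subject or apply the same rule; if it caches decisions keyed on the subject, all unauthenticated callers would share one cache entry — `CachingSecurityToken` is outside this diff, so this needs confirming. A javadoc on `newToken()` such as `/** Creates a token bound to the Subject of the calling thread's AccessControlContext; the bound Subject is {@code null} when none is present. */` would make the contract visible to callers.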
@@ -98,4 +112,33 @@ public class RuleBasedAccessControl impl } } + @Override + public Result authorise(final Operation operation, final ConfiguredObject<?> configuredObject) + { + return _adapter.authorise(operation, configuredObject); + } + + @Override + public Result authoriseMethod(final ConfiguredObject<?> configuredObject, + final String methodName, + final Map<String, Object> arguments) + { + return _adapter.authoriseExecute(configuredObject, methodName, arguments); + } + + @Override + public Result authoriseMethod(final CachingSecurityToken token, + final ConfiguredObject<?> configuredObject, + final String methodName, + final Map<String,Object> arguments) + { + if(token != null) + { + return token.authoriseMethod(this, configuredObject, methodName, arguments); + + } + return authoriseMethod(configuredObject, methodName, arguments); + } + + } Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java Wed Jun 29 23:23:09 2016 @@ -30,7 +30,6 @@ import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; -import java.util.SortedMap; import java.util.WeakHashMap; import javax.security.auth.Subject; 
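Review bot: The token-backed `authoriseMethod` returns whatever `token.authoriseMethod(this, ...)` answers, and nothing in the hunk ties the token's Subject to the Subject of the current call, whereas the null-token fallback resolves the principal from the calling thread through `_adapter`; a caller that reuses a token minted for one connection on another would receive that principal's cached decision. If `CachingSecurityToken` does not verify this itself (it is outside the diff), the method javadoc should say so: `Callers must pass only a token obtained from newToken for the Subject of the current call; a token minted for another Subject yields that Subject's cached decision.` Cached decisions would also outlive a later replacement of the non-final `_ruleSet`; `this` is passed to the token so it may key on the instance, but that is worth confirming. Minor style: the stray blank line inside the `if` body and the two trailing blank lines before the class's closing brace.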
@@ -42,8 +41,6 @@ import org.apache.qpid.server.logging.Ev import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.logging.messages.AccessControlMessages; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; @@ -66,13 +63,6 @@ public class RuleSet implements EventLog private final EventLoggerProvider _eventLogger; private Result _defaultResult = Result.DENIED; - public RuleSet(EventLoggerProvider eventLogger) - { - _eventLogger = eventLogger; - // set some default configuration properties - _rules = new ArrayList<>(); - } - public RuleSet(final EventLoggerProvider eventLogger, final Collection<Rule> rules, final Result defaultResult) @@ -82,16 +72,7 @@ public class RuleSet implements EventLog _defaultResult = defaultResult; } - /** - * Clear the contents, including acl rules and configuration. - */ - public void clear() - { - _rules.clear(); - _cache.clear(); - } - - public int getRuleCount() + int getRuleCount() { return _rules.size(); } @@ -102,7 +83,7 @@ public class RuleSet implements EventLog * Allows only enabled rules with identity equal to all, the same, or a group with identity as a member, * and operation is either all or the same operation. */ - public List<Rule> getRules(final Subject subject, final Operation operation, final ObjectType objectType) + private List<Rule> getRules(final Subject subject, final Operation operation, final ObjectType objectType) { final Map<ObjectType, List<Rule>> objects = getObjectToRuleCache(subject, operation); @@ -128,7 +109,7 @@ public class RuleSet implements EventLog } // Return null if there are no rules at all for this operation and object type - if (filtered.isEmpty() && controlled == false) + if (filtered.isEmpty() && !controlled) { filtered = null; } 
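Review bot: With `clear()` and the no-argument constructor removed, nothing left in this diff mutates `_rules` or `_cache` after construction, so the remaining constructor could take a defensive copy and the field could become `final`, e.g. `_rules = Collections.unmodifiableList(new ArrayList<>(rules));` — the field declaration and the line that assigns `_rules` are outside the hunk, so this presumes the constructor currently stores the caller's collection directly. An ACL rule set that cannot be altered through a retained reference is a cheap guarantee for an access-control component, and `getAllRules()` already wraps the list in `Collections.unmodifiableList`. `clear()` was also the only visible place that emptied `_cache` (the `WeakHashMap` import survives), which is fine if a `RuleSet` is replaced wholesale on reload rather than reused; a class-level note stating that instances are immutable after construction would record that invariant.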
@@ -240,7 +221,7 @@ public class RuleSet implements EventLog * Returns all rules in the {@link RuleSet}. Primarily intended to support unit-testing. * @return map of rules */ - public List<Rule> getAllRules() + public List<Rule> getAllRules() { return Collections.unmodifiableList(_rules); } Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSetCreator.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSetCreator.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSetCreator.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSetCreator.java Wed Jun 29 23:23:09 2016 
@@ -25,8 +25,6 @@ import java.util.TreeMap; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/ACLFileAccessControlProviderImpl.java Wed Jun 29 23:23:09 2016 
@@ -22,21 +22,15 @@ package org.apache.qpid.server.security. import java.util.Map; -import com.google.common.util.concurrent.Futures; -import com.google.common.util.concurrent.ListenableFuture; -import org.apache.qpid.server.logging.EventLogger; import org.apache.qpid.server.logging.messages.AccessControlMessages; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.model.AbstractConfiguredObject; import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.BrokerModel; import org.apache.qpid.server.model.ManagedAttributeField; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; -import org.apache.qpid.server.model.State; -import org.apache.qpid.server.model.StateTransition; -import org.apache.qpid.server.security.AccessControl; import org.apache.qpid.server.security.access.config.AclFileParser; import org.apache.qpid.server.security.access.config.RuleBasedAccessControl; import org.apache.qpid.server.util.urlstreamhandler.data.Handler; 
@@ -64,7 +58,7 @@ public class ACLFileAccessControlProvide @Override protected RuleBasedAccessControl createRuleBasedAccessController() { - return new RuleBasedAccessControl(AclFileParser.parse(getPath(), getBroker())); + return new RuleBasedAccessControl(AclFileParser.parse(getPath(), getBroker()), getBroker().getModel()); } @Override Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclRule.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclRule.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclRule.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclRule.java Wed Jun 29 23:23:09 2016 
@@ -24,8 +24,8 @@ import java.util.Map; import org.apache.qpid.server.model.ManagedAttributeValue; import org.apache.qpid.server.model.ManagedAttributeValueType; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.config.ObjectProperties; +import org.apache.qpid.server.security.access.config.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/RuleBasedAccessControlProviderImpl.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/RuleBasedAccessControlProviderImpl.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/RuleBasedAccessControlProviderImpl.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/RuleBasedAccessControlProviderImpl.java Wed Jun 29 23:23:09 2016 
@@ -31,18 +31,15 @@ import java.util.Map; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.apache.qpid.server.configuration.IllegalConfigurationException; -import org.apache.qpid.server.logging.messages.AccessControlMessages; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.Content; import org.apache.qpid.server.model.CustomRestHeaders; import org.apache.qpid.server.model.ManagedAttributeField; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; -import org.apache.qpid.server.model.Param; import org.apache.qpid.server.model.RestContentHeader; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.config.ObjectProperties; +import org.apache.qpid.server.security.access.config.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; import org.apache.qpid.server.security.access.config.AclAction; 
@@ -99,7 +96,7 @@ public class RuleBasedAccessControlProvi new AclRulePredicates(configuredRule.getAttributes())), configuredRule.getOutcome())); } - return new RuleBasedAccessControl(new RuleSet(getBroker(), rules, _defaultResult)); + return new RuleBasedAccessControl(new RuleSet(getBroker(), rules, _defaultResult), getModel()); } @Override Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java Wed Jun 29 23:23:09 2016 
@@ -20,8 +20,6 @@ package org.apache.qpid.server.security. import static org.mockito.Mockito.*; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.firewall.FirewallRule; Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java Wed Jun 29 23:23:09 2016 
@@ -25,13 +25,10 @@ import java.io.FileReader; import java.io.FileWriter; import java.io.PrintWriter; import java.util.List; -import java.util.Map; import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.logging.EventLoggerProvider; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectProperties.Property; -import org.apache.qpid.server.security.access.ObjectType; +import org.apache.qpid.server.security.access.config.ObjectProperties.Property; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.test.utils.QpidTestCase; Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java Wed Jun 29 23:23:09 2016 
@@ -18,7 +18,7 @@ */ package org.apache.qpid.server.security.access.config; -import static org.apache.qpid.server.security.access.ObjectProperties.Property.*; +import static org.apache.qpid.server.security.access.config.ObjectProperties.Property.*; import org.apache.qpid.server.security.access.firewall.FirewallRule; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ActionTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ActionTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ActionTest.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ActionTest.java Wed Jun 29 23:23:09 2016 
@@ -20,8 +20,6 @@ package org.apache.qpid.server.security. import static org.mockito.Mockito.*; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.test.utils.QpidTestCase; Added: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java?rev=1750734&view=auto ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java (added) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java Wed Jun 29 23:23:09 2016 
@@ -0,0 +1,966 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.qpid.server.security.access.config; + +import static org.apache.qpid.server.security.access.config.ObjectType.BROKER; +import static org.apache.qpid.server.security.access.config.ObjectType.VIRTUALHOST; +import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS; +import static org.mockito.Matchers.eq; +import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; + +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import org.apache.qpid.server.model.*; +import org.apache.qpid.server.queue.QueueConsumer; +import org.apache.qpid.server.security.access.Operation; +import org.apache.qpid.test.utils.QpidTestCase; + +public class LegacyAccessControlAdapterTest extends QpidTestCase +{ + private static final String TEST_EXCHANGE_TYPE = "testExchangeType"; + private static final String TEST_VIRTUAL_HOST = "testVirtualHost"; + private static final String TEST_EXCHANGE = "testExchange"; + private static final String TEST_QUEUE = "testQueue"; + + private 
LegacyAccessControl _accessControl; + private VirtualHost<?> _virtualHost; + private Broker _broker; + private VirtualHostNode<?> _virtualHostNode; + private LegacyAccessControlAdapter _adapter; + + @Override + public void setUp() throws Exception + { + super.setUp(); + _accessControl = mock(LegacyAccessControl.class); + _virtualHost = mock(VirtualHost.class); + + + when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST); + when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST); + when(_virtualHost.getModel()).thenReturn(BrokerModel.getInstance()); + doReturn(VirtualHost.class).when(_virtualHost).getCategoryClass(); + + _broker = mock(Broker.class); + when(_broker.getCategoryClass()).thenReturn(Broker.class); + when(_broker.getName()).thenReturn("My Broker"); + when(_broker.getAttribute(Broker.NAME)).thenReturn("My Broker"); + when(_broker.getModel()).thenReturn(BrokerModel.getInstance()); + + _virtualHostNode = getMockVirtualHostNode(); + + _adapter = new LegacyAccessControlAdapter(_accessControl, BrokerModel.getInstance()); + } + + private VirtualHost getMockVirtualHost() + { + VirtualHost vh = mock(VirtualHost.class); + when(vh.getCategoryClass()).thenReturn(VirtualHost.class); + when(vh.getName()).thenReturn(TEST_VIRTUAL_HOST); + when(vh.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST); + when(vh.getParent(VirtualHostNode.class)).thenReturn(_virtualHostNode); + when(vh.getModel()).thenReturn(BrokerModel.getInstance()); + return vh; + } + + private VirtualHostNode getMockVirtualHostNode() + { + VirtualHostNode vhn = mock(VirtualHostNode.class); + when(vhn.getCategoryClass()).thenReturn(VirtualHostNode.class); + when(vhn.getName()).thenReturn("testVHN"); + when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN"); + when(vhn.getParent(Broker.class)).thenReturn(_broker); + when(vhn.getModel()).thenReturn(BrokerModel.getInstance()); + return vhn; + } + + + public void testAuthoriseCreateAccessControlProvider() + { 
+ AccessControlProvider accessControlProvider = mock(AccessControlProvider.class); + when(accessControlProvider.getParent(Broker.class)).thenReturn(_broker); + when(accessControlProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class); + + assertBrokerChildCreateAuthorization(accessControlProvider); + } + + public void testAuthoriseCreateBinding() + { + VirtualHost vh = getMockVirtualHost(); + + Exchange exchange = mock(Exchange.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(vh); + when(exchange.getModel()).thenReturn(BrokerModel.getInstance()); + + Queue queue = mock(Queue.class); + when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(true); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getCategoryClass()).thenReturn(Queue.class); + when(queue.getParent(VirtualHost.class)).thenReturn(vh); + + ObjectProperties properties = new ObjectProperties(); + properties.put(ObjectProperties.Property.NAME, TEST_EXCHANGE); + properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST); + properties.put(ObjectProperties.Property.QUEUE_NAME, TEST_QUEUE); + properties.put(ObjectProperties.Property.ROUTING_KEY, "bindingKey"); + properties.put(ObjectProperties.Property.TEMPORARY, false); + properties.put(ObjectProperties.Property.DURABLE, true); + + Binding binding = mock(Binding.class); + when(binding.getParent(Exchange.class)).thenReturn(exchange); + when(binding.getParent(Queue.class)).thenReturn(queue); + 
when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+ when(binding.getCategoryClass()).thenReturn(Binding.class);
+
+ assertCreateAuthorization(binding, Operation.BIND, ObjectType.EXCHANGE, properties, exchange, queue);
+ }
+
+
+ public void testAuthoriseCreateConsumer()
+ {
+ Queue queue = mock(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+ when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+ when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+
+ Session session = mock(Session.class);
+ when(session.getCategoryClass()).thenReturn(Session.class);
+ when(session.getAttribute(Session.NAME)).thenReturn("1");
+
+ QueueConsumer consumer = mock(QueueConsumer.class);
+ when(consumer.getAttribute(QueueConsumer.NAME)).thenReturn("1");
+ when(consumer.getParent(Queue.class)).thenReturn(queue);
+ when(consumer.getParent(Session.class)).thenReturn(session);
+ when(consumer.getCategoryClass()).thenReturn(Consumer.class);
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.AUTO_DELETE, false);
+ properties.put(ObjectProperties.Property.TEMPORARY, false);
+ properties.put(ObjectProperties.Property.DURABLE, true);
+ properties.put(ObjectProperties.Property.EXCLUSIVE, false);
+
+ assertAuthorization(Operation.CREATE, consumer, Operation.CONSUME, ObjectType.QUEUE, properties, queue, session);
+ }
+
+
+ public void testAuthoriseUpdatePort()
+ {
+ Port mock = mock(Port.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(Port.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateUser()
+ {
+ AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+ when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+ when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
+ User mock = mock(User.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(User.class);
+ when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.USER, properties, authenticationProvider);
+ }
+
+
+ public void testAuthoriseDeleteVirtualHost()
+ {
+ VirtualHostNode vhn = getMockVirtualHostNode();
+
+ VirtualHost mock = mock(VirtualHost.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
+ when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhn);
+ }
+
+ public void testAuthoriseDeleteBinding()
+ {
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+ Queue queue = mock(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+ when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+
+ Binding binding = mock(Binding.class);
+ when(binding.getParent(Exchange.class)).thenReturn(exchange);
+ when(binding.getParent(Queue.class)).thenReturn(queue);
+ when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+ when(binding.getCategoryClass()).thenReturn(Binding.class);
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_EXCHANGE);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.QUEUE_NAME, TEST_QUEUE);
+ properties.put(ObjectProperties.Property.ROUTING_KEY, "bindingKey");
+ properties.put(ObjectProperties.Property.TEMPORARY, false);
+ properties.put(ObjectProperties.Property.DURABLE, true);
+
+ assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
+ }
+
+
+ public void testAuthoriseDeleteKeyStore()
+ {
+ KeyStore mock = mock(KeyStore.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(KeyStore.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseDeleteTrustStore()
+ {
+ TrustStore mock = mock(TrustStore.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(TrustStore.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseDeleteGroup()
+ {
+ GroupProvider groupProvider = mock(GroupProvider.class);
+ when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+ when(groupProvider.getName()).thenReturn("testGroupProvider");
+ Group mock = mock(Group.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(Group.class);
+ when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.GROUP, properties, groupProvider);
+ }
+
+ public void testAuthoriseDeleteGroupMember()
+ {
+ Group group = mock(Group.class);
+ when(group.getCategoryClass()).thenReturn(Group.class);
+ when(group.getName()).thenReturn("testGroup");
+ GroupMember mock = mock(GroupMember.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(GroupMember.class);
+ when(mock.getParent(Group.class)).thenReturn(group);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertDeleteAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
+ }
+
+ public void testAuthoriseDeleteUser()
+ {
+ AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+ when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+ when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
+ User mock = mock(User.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(User.class);
+ when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.USER, properties, authenticationProvider);
+ }
+
+ public void testAuthoriseCreateExchange()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_EXCHANGE);
+ when(exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+ when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+ when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+
+ assertCreateAuthorization(exchange, Operation.CREATE, ObjectType.EXCHANGE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseCreateQueue()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+ Queue queue = mock(Queue.class);
+ when(queue.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(queue.getAttribute(Queue.OWNER)).thenReturn(null);
+ when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
+ when(queue.getAttribute(Queue.ALTERNATE_EXCHANGE)).thenReturn(null);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(vh);
+
+ assertCreateAuthorization(queue, Operation.CREATE, ObjectType.QUEUE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseDeleteQueue()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+ Queue queueObject = mock(Queue.class);
+ when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
+ when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
+ when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
+ when(queueObject.getCategoryClass()).thenReturn(Queue.class);
+
+ assertDeleteAuthorization(queueObject, Operation.DELETE, ObjectType.QUEUE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseUpdateQueue()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+ Queue queueObject = mock(Queue.class);
+ when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
+ when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
+ when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
+ when(queueObject.getCategoryClass()).thenReturn(Queue.class);
+
+ assertUpdateAuthorization(queueObject, Operation.UPDATE, ObjectType.QUEUE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseUpdateExchange()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+ when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+ when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+ when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+ assertUpdateAuthorization(exchange, Operation.UPDATE, ObjectType.EXCHANGE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseDeleteExchange()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+ when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+ when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+ when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+ when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+ assertDeleteAuthorization(exchange, Operation.DELETE, ObjectType.EXCHANGE, expectedProperties, vh);
+ }
+
+ public void testAuthoriseUnbind()
+ {
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+ Queue queue = mock(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+ when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+
+ Binding binding = mock(Binding.class);
+ when(binding.getParent(Exchange.class)).thenReturn(exchange);
+ when(binding.getParent(Queue.class)).thenReturn(queue);
+ when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+ when(binding.getCategoryClass()).thenReturn(Binding.class);
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_EXCHANGE);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.QUEUE_NAME, TEST_QUEUE);
+ properties.put(ObjectProperties.Property.ROUTING_KEY, "bindingKey");
+ properties.put(ObjectProperties.Property.TEMPORARY, false);
+ properties.put(ObjectProperties.Property.DURABLE, true);
+
+ assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
+ }
+
+ public void testAuthoriseCreateVirtualHostNode()
+ {
+ VirtualHostNode vhn = getMockVirtualHostNode();
+ assertCreateAuthorization(vhn, Operation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"), _broker);
+ }
+
+ public void testAuthoriseCreatePort()
+ {
+ Port port = mock(Port.class);
+ when(port.getParent(Broker.class)).thenReturn(_broker);
+ when(port.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(port.getCategoryClass()).thenReturn(Port.class);
+
+ assertBrokerChildCreateAuthorization(port);
+ }
+
+ public void testAuthoriseCreateAuthenticationProvider()
+ {
+ AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+ when(authenticationProvider.getParent(Broker.class)).thenReturn(_broker);
+ when(authenticationProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+
+ assertBrokerChildCreateAuthorization(authenticationProvider);
+ }
+
+ public void testAuthoriseCreateGroupProvider()
+ {
+ GroupProvider groupProvider = mock(GroupProvider.class);
+ when(groupProvider.getParent(Broker.class)).thenReturn(_broker);
+ when(groupProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+
+ assertBrokerChildCreateAuthorization(groupProvider);
+ }
+
+
+ public void testAuthoriseCreateKeyStore()
+ {
+ KeyStore keyStore = mock(KeyStore.class);
+ when(keyStore.getParent(Broker.class)).thenReturn(_broker);
+ when(keyStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(keyStore.getCategoryClass()).thenReturn(KeyStore.class);
+
+ assertBrokerChildCreateAuthorization(keyStore);
+ }
+
+ public void testAuthoriseCreateTrustStore()
+ {
+ TrustStore trustStore = mock(TrustStore.class);
+ when(trustStore.getParent(Broker.class)).thenReturn(_broker);
+ when(trustStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(trustStore.getCategoryClass()).thenReturn(TrustStore.class);
+
+ assertBrokerChildCreateAuthorization(trustStore);
+ }
+
+ public void testAuthoriseCreateGroup()
+ {
+ GroupProvider groupProvider = mock(GroupProvider.class);
+ when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+ when(groupProvider.getAttribute(GroupProvider.NAME)).thenReturn("testGroupProvider");
+ when(groupProvider.getModel()).thenReturn(BrokerModel.getInstance());
+
+ Group group = mock(Group.class);
+ when(group.getCategoryClass()).thenReturn(Group.class);
+ when(group.getParent(GroupProvider.class)).thenReturn(groupProvider);
+ when(group.getAttribute(Group.NAME)).thenReturn("test");
+
+ assertCreateAuthorization(group, Operation.CREATE, ObjectType.GROUP, new ObjectProperties("test"), groupProvider);
+ }
+
+ public void testAuthoriseCreateGroupMember()
+ {
+ Group group = mock(Group.class);
+ when(group.getCategoryClass()).thenReturn(Group.class);
+ when(group.getAttribute(Group.NAME)).thenReturn("testGroup");
+ when(group.getModel()).thenReturn(BrokerModel.getInstance());
+
+ GroupMember groupMember = mock(GroupMember.class);
+ when(groupMember.getCategoryClass()).thenReturn(GroupMember.class);
+ when(groupMember.getParent(Group.class)).thenReturn(group);
+ when(groupMember.getAttribute(Group.NAME)).thenReturn("test");
+
+ assertCreateAuthorization(groupMember, Operation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"), group);
+ }
+
+ public void testAuthoriseCreateUser()
+ {
+ AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+ when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+ when(authenticationProvider.getAttribute(AuthenticationProvider.NAME)).thenReturn("testAuthenticationProvider");
+ when(authenticationProvider.getModel()).thenReturn(BrokerModel.getInstance());
+
+ User user = mock(User.class);
+ when(user.getCategoryClass()).thenReturn(User.class);
+ when(user.getAttribute(User.NAME)).thenReturn("test");
+ when(user.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+ when(user.getModel()).thenReturn(BrokerModel.getInstance());
+
+ assertCreateAuthorization(user, Operation.CREATE, ObjectType.USER, new ObjectProperties("test"), authenticationProvider);
+ }
+
+ public void testAuthoriseCreateVirtualHost()
+ {
+ VirtualHost vh = getMockVirtualHost();
+ assertCreateAuthorization(vh, Operation.CREATE, ObjectType.VIRTUALHOST, new ObjectProperties(TEST_VIRTUAL_HOST), _virtualHostNode);
+ }
+
+ public void testAuthoriseUpdateVirtualHostNode()
+ {
+ VirtualHostNode vhn = getMockVirtualHostNode();
+ assertUpdateAuthorization(vhn, Operation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+ }
+
+
+ public void testAuthoriseUpdateAuthenticationProvider()
+ {
+ AuthenticationProvider mock = mock(AuthenticationProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateGroupProvider()
+ {
+ GroupProvider mock = mock(GroupProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateAccessControlProvider()
+ {
+ AccessControlProvider mock = mock(AccessControlProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateKeyStore()
+ {
+ KeyStore mock = mock(KeyStore.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(KeyStore.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateTrustStore()
+ {
+ TrustStore mock = mock(TrustStore.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(TrustStore.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildUpdateAuthorization(mock);
+ }
+
+ public void testAuthoriseUpdateGroup()
+ {
+ GroupProvider groupProvider = mock(GroupProvider.class);
+ when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+ when(groupProvider.getName()).thenReturn("testGroupProvider");
+ Group mock = mock(Group.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(Group.class);
+ when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, groupProvider);
+ }
+
+ public void testAuthoriseUpdateGroupMember()
+ {
+ Group group = mock(Group.class);
+ when(group.getCategoryClass()).thenReturn(Group.class);
+ when(group.getName()).thenReturn("testGroup");
+ GroupMember mock = mock(GroupMember.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(GroupMember.class);
+ when(mock.getParent(Group.class)).thenReturn(group);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
+ }
+
+ public void testAuthoriseUpdateVirtualHost()
+ {
+ VirtualHostNode vhn = getMockVirtualHostNode();
+
+ VirtualHost mock = mock(VirtualHost.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
+ when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
+ ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhn);
+ }
+
+ public void testAuthoriseDeleteVirtualHostNode()
+ {
+ VirtualHostNode vhn = getMockVirtualHostNode();
+ assertDeleteAuthorization(vhn, Operation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+ }
+
+ public void testAuthoriseDeletePort()
+ {
+ Port mock = mock(Port.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(Port.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseDeleteAuthenticationProvider()
+ {
+ AuthenticationProvider mock = mock(AuthenticationProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseDeleteGroupProvider()
+ {
+ GroupProvider mock = mock(GroupProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseDeleteAccessControlProvider()
+ {
+ AccessControlProvider mock = mock(AccessControlProvider.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseBrokerLoggerOperations()
+ {
+ BrokerLogger mock = mock(BrokerLogger.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(mock.getCategoryClass()).thenReturn(BrokerLogger.class);
+ when(mock.getParent(Broker.class)).thenReturn(_broker);
+ assertBrokerChildCreateAuthorization(mock);
+
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ assertBrokerChildUpdateAuthorization(mock);
+ assertBrokerChildDeleteAuthorization(mock);
+ }
+
+ public void testAuthoriseBrokerLogInclusionRuleOperations()
+ {
+ BrokerLogger bl = mock(BrokerLogger.class);
+ when(bl.getAttribute(ConfiguredObject.NAME)).thenReturn("LOGGER");
+ when(bl.getCategoryClass()).thenReturn(BrokerLogger.class);
+ when(bl.getParent(Broker.class)).thenReturn(_broker);
+
+ BrokerLogInclusionRule mock = mock(BrokerLogInclusionRule.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ when(mock.getCategoryClass()).thenReturn(BrokerLogInclusionRule.class);
+ when(mock.getParent(BrokerLogger.class)).thenReturn(bl);
+ when(mock.getModel()).thenReturn(BrokerModel.getInstance());
+ assertBrokerChildCreateAuthorization(mock, bl);
+
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+ assertBrokerChildUpdateAuthorization(mock, bl);
+ assertBrokerChildDeleteAuthorization(mock, bl);
+ }
+
+
+ public void testAuthoriseVirtualHostLoggerOperations()
+ {
+ ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST);
+
+ VirtualHostLogger<?> mock = mock(VirtualHostLogger.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ doReturn(VirtualHostLogger.class).when(mock).getCategoryClass();
+ when(mock.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(mock.getModel()).thenReturn(BrokerModel.getInstance());
+
+ assertCreateAuthorization(mock, Operation.CREATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
+
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
+ assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, _virtualHost);
+ }
+
+ public void testAuthoriseVirtualHostLogInclusionRuleOperations()
+ {
+ ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST);
+
+ VirtualHostLogger<?> vhl = mock(VirtualHostLogger.class);
+ when(vhl.getAttribute(ConfiguredObject.NAME)).thenReturn("LOGGER");
+ doReturn(VirtualHostLogger.class).when(vhl).getCategoryClass();
+ when(vhl.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(vhl.getModel()).thenReturn(BrokerModel.getInstance());
+
+ VirtualHostLogInclusionRule<?> mock = mock(VirtualHostLogInclusionRule.class);
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+ doReturn(VirtualHostLogInclusionRule.class).when(mock).getCategoryClass();
+ when(mock.getParent(VirtualHostLogger.class)).thenReturn(vhl);
+ when(mock.getModel()).thenReturn(BrokerModel.getInstance());
+
+ assertCreateAuthorization(mock, Operation.CREATE, ObjectType.VIRTUALHOST, properties, vhl);
+
+ when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+
+ assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhl);
+ assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhl);
+ }
+
+ public void testAuthorisePurge()
+ {
+ Queue queue = mock(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
+ when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+
+ ObjectProperties properties = createExpectedQueueObjectProperties();
+
+ _adapter.authoriseExecute(queue, "clearQueue", Collections.<String,Object>emptyMap());
+ verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
+
+ }
+
+
+ public void testAuthoriseLogsAccessOnBroker()
+ {
+
+ ConfiguredObject logger = mock(BrokerLogger.class);
+ when(logger.getCategoryClass()).thenReturn(BrokerLogger.class);
+ _adapter.authoriseExecute(logger, "getFile", Collections.singletonMap("fileName", (Object)"qpid.log"));
+
+ verify(_accessControl).authorise(ACCESS_LOGS, BROKER, ObjectProperties.EMPTY);
+
+ }
+
+ public void testAuthoriseLogsAccessOnVirtualHost()
+ {
+ ConfiguredObject logger = mock(VirtualHostLogger.class);
+ when(logger.getCategoryClass()).thenReturn(VirtualHostLogger.class);
+ when(logger.getParent(eq(VirtualHost.class))).thenReturn(_virtualHost);
+
+ _adapter.authoriseExecute(logger, "getFile", Collections.singletonMap("fileName", (Object)"qpid.log"));
+ ObjectProperties expectedObjectProperties = new ObjectProperties(_virtualHost.getName());
+ verify(_accessControl).authorise(ACCESS_LOGS, VIRTUALHOST, expectedObjectProperties);
+
+
+ }
+
+ public void testAuthoriseMethod()
+ {
+ ObjectProperties properties = new ObjectProperties("deleteMessages");
+ properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+
+ Queue queue = mock(Queue.class);
+ when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+ when(queue.getVirtualHost()).thenReturn(_virtualHost);
+
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+
+
+ _adapter.authoriseExecute(queue, "deleteMessages", Collections.<String,Object>emptyMap());
+ verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.METHOD), eq(properties));
+
+ }
+
+ public void testAuthoriseUserOperation()
+ {
+ AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+ when(authenticationProvider.getParent(Broker.class)).thenReturn(_broker);
+ when(authenticationProvider.getAttribute(Queue.NAME)).thenReturn("test");
+ when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+
+
+ ObjectProperties properties = new ObjectProperties("testUser");
+
+ _adapter.authoriseExecute(authenticationProvider, "getPreferences", Collections.<String,Object>singletonMap("userId","testUser"));
+ verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties));
+
+ }
+
+
+ public void testAccessManagement()
+ {
+ _adapter.authoriseExecute(_broker, "manage", Collections.<String,Object>emptyMap());
+ verify(_accessControl).authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
+
+ }
+
+ public void testAuthorisePublish()
+ {
+ String routingKey = "routingKey";
+ String exchangeName = "exchangeName";
+ boolean immediate = true;
+ ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate);
+
+ Exchange exchange = mock(Exchange.class);
+ when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+ when(exchange.getParent(eq(VirtualHost.class))).thenReturn(_virtualHost);
+ when(exchange.getName()).thenReturn(exchangeName);
+ Map<String,Object> args = new HashMap<>();
+ args.put("routingKey",routingKey);
+ args.put("immediate", true);
+ _adapter.authoriseExecute(exchange, "publish", args);
+
+ verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
+
+ }
+
+ public void testAuthoriseCreateConnection()
+ {
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+
+ _adapter.authoriseExecute(_virtualHost, "connect", Collections.<String,Object>emptyMap());
+
+ verify(_accessControl).authorise(eq(Operation.ACCESS), eq(ObjectType.VIRTUALHOST), eq(properties));
+
+ }
+
+
+ private ObjectProperties createExpectedQueueObjectProperties()
+ {
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.AUTO_DELETE, true);
+ properties.put(ObjectProperties.Property.TEMPORARY, true);
+ properties.put(ObjectProperties.Property.DURABLE, false);
+ properties.put(ObjectProperties.Property.EXCLUSIVE, false);
+ return properties;
+ }
+
+ private ObjectProperties createExpectedExchangeObjectProperties()
+ {
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_EXCHANGE);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+ properties.put(ObjectProperties.Property.AUTO_DELETE, true);
+ properties.put(ObjectProperties.Property.TEMPORARY, true);
+ properties.put(ObjectProperties.Property.DURABLE, false);
+ properties.put(ObjectProperties.Property.TYPE, TEST_EXCHANGE_TYPE);
+ return properties;
+ }
+
+ private void assertBrokerChildCreateAuthorization(ConfiguredObject object)
+ {
+ assertBrokerChildCreateAuthorization(object, _broker);
+ }
+
+ private void assertBrokerChildCreateAuthorization(ConfiguredObject object, ConfiguredObject parent)
+ {
+ String description = String.format("%s %s '%s'",
+ Operation.CREATE.name().toLowerCase(),
+ object.getCategoryClass().getSimpleName().toLowerCase(),
+ "TEST");
+ ObjectProperties properties = new OperationLoggingDetails(description);
+ assertCreateAuthorization(object, Operation.CONFIGURE, ObjectType.BROKER, properties, parent);
+ }
+
+
+ private void assertCreateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject<?>... parents)
+ {
+ _adapter.authorise(Operation.CREATE, configuredObject);
+ verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
+ }
+
+
+ private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject)
+ {
+ assertBrokerChildUpdateAuthorization(configuredObject, _broker);
+ }
+
+ private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent)
+ {
+ String description = String.format("%s %s '%s'",
+ Operation.UPDATE.name().toLowerCase(),
+ configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
+ configuredObject.getAttribute(ConfiguredObject.NAME));
+ ObjectProperties properties = new OperationLoggingDetails(description);
+
+ assertUpdateAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER,
+ properties, parent);
+ }
+
+ private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ {
+ assertAuthorization(Operation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+ }
+
+ private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject)
+ {
+ assertBrokerChildDeleteAuthorization(configuredObject, _broker);
+ }
+
+ private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent)
+ {
+ String description = String.format("%s %s '%s'",
+ Operation.DELETE.name().toLowerCase(),
+ configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
+ configuredObject.getAttribute(ConfiguredObject.NAME));
+ ObjectProperties properties = new OperationLoggingDetails(description);
+
+ assertDeleteAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER,
+ properties, parent);
+ }
+
+
+ private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ {
+ assertAuthorization(Operation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+ }
+
+ private void assertAuthorization(Operation operation, ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ {
+ _adapter.authorise(operation, configuredObject);
+ verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
+ }
+}
Propchange: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java (original)
+++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java Wed Jun 29 23:23:09 2016
@@ -35,9 +35,8 @@ import org.apache.qpid.server.connection
 import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.logging.EventLoggerProvider;
 import org.apache.qpid.server.logging.UnitTestMessageLogger;
+import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.security.Result;
-import org.apache.qpid.server.security.access.ObjectProperties;
-import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
 import org.apache.qpid.server.security.access.RuleOutcome;
 import org.apache.qpid.server.security.auth.TestPrincipalUtils;
@@ -73,7 +72,7 @@ public class RuleBasedAccessControlTest private void configureAccessControl(final RuleSet rs) { - _plugin = new RuleBasedAccessControl(rs); + _plugin = new RuleBasedAccessControl(rs, BrokerModel.getInstance()); } private RuleSet createGroupRuleSet() @@ -249,7 +248,8 @@ public class RuleBasedAccessControlTest { RuleSet mockRuleSet = mock(RuleSet.class); - RuleBasedAccessControl accessControl = new RuleBasedAccessControl(mockRuleSet); + RuleBasedAccessControl accessControl = new RuleBasedAccessControl(mockRuleSet, + BrokerModel.getInstance()); ObjectProperties properties = new ObjectProperties(testVirtualHost); accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, properties); @@ -287,7 +287,8 @@ public class RuleBasedAccessControlTest ObjectProperties.EMPTY, inetAddress)).thenThrow(new RuntimeException()); - RuleBasedAccessControl accessControl = new RuleBasedAccessControl(mockRuleSet); + RuleBasedAccessControl accessControl = new RuleBasedAccessControl(mockRuleSet, + BrokerModel.getInstance()); Result result = accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY); assertEquals(Result.DENIED, result); Modified: qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java Wed Jun 29 23:23:09 2016 
@@ -27,11 +27,9 @@ import javax.security.auth.Subject; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; -import org.apache.qpid.server.security.access.ObjectProperties.Property; +import org.apache.qpid.server.security.access.config.ObjectProperties.Property; import org.apache.qpid.server.security.auth.TestPrincipalUtils; import org.apache.qpid.test.utils.QpidTestCase; Modified: qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java (original) +++ qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSession.java Wed Jun 29 23:23:09 2016 @@ -76,6 +76,7 @@ import org.apache.qpid.server.model.Queu import org.apache.qpid.server.protocol.AMQSessionModel; import org.apache.qpid.server.protocol.CapacityChecker; import org.apache.qpid.server.protocol.ConsumerListener; +import org.apache.qpid.server.security.SecurityToken; import org.apache.qpid.server.store.MessageStore; import org.apache.qpid.server.store.StoreException; import org.apache.qpid.server.transport.AMQPConnection; 
@@ -128,6 +129,7 @@ public class ServerSession extends Sessi private final UUID _id = UUID.randomUUID(); private final Subject _subject = new Subject(); private final AccessControlContext _accessControllerContext; + private final SecurityToken _token; private long _createTime = System.currentTimeMillis(); private final Set<Object> _blockingEntities = Collections.synchronizedSet(new HashSet<Object>()); @@ -144,6 +146,11 @@ public class ServerSession extends Sessi private boolean _wireBlockingState; private final List<ConsumerTarget> _consumersWithPendingWork = new ArrayList<>(); + public SecurityToken getToken() + { + return _token; + } + public static interface MessageDispositionChangeListener { public void onAccept(); @@ -190,7 +197,7 @@ public class ServerSession extends Sessi _subject.getPrincipals().addAll(((ServerConnection) connection).getAuthorizedSubject().getPrincipals()); _subject.getPrincipals().add(new SessionPrincipal(this)); _accessControllerContext = org.apache.qpid.server.security.SecurityManager.getAccessControlContextFromSubject(_subject); - + _token = ((ServerConnection) connection).getBroker().getSecurityManager().newToken(_subject); _transactionTimeoutHelper = new TransactionTimeoutHelper(_logSubject, new CloseAction() { @Override Modified: qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java (original) +++ qpid/java/trunk/broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerSessionDelegate.java Wed Jun 29 23:23:09 2016 
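Review bot: The new public `getToken()` has no Javadoc and is placed between the field declarations rather than with the other accessors; since the 0-10 publish path hands this token to `authoriseExecute`, its contract deserves a line such as `/** Security token minted from this session's subject at construction; passed to the security manager for per-operation ACL checks. */`. It is derived from `_subject` exactly once in the constructor, so if principals were ever added to `_subject` after construction the token would be stale — confirm that cannot happen, or say so in the comment. The constructor body continues outside the hunk.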
@@ -40,6 +40,7 @@ import org.apache.qpid.common.AMQPFilter
 import org.apache.qpid.exchange.ExchangeDefaults;
 import org.apache.qpid.protocol.AMQConstant;
 import org.apache.qpid.server.logging.EventLogger;
+import org.apache.qpid.server.model.ConfiguredObject;
 import org.apache.qpid.server.model.Exchange;
 import org.apache.qpid.server.model.NamedAddressSpace;
 import org.apache.qpid.server.transport.ProtocolEngine;
@@ -419,14 +420,17 @@ public class ServerSessionDelegate exten final NamedAddressSpace virtualHost = getAddressSpace(ssn); try { - getServerConnection(ssn).getAmqpConnection().getBroker().getSecurityManager() - .authorisePublish(messageMetaData.isImmediate(), - messageMetaData.getRoutingKey(), - destination.getName(), - virtualHost.getName(), - serverSession.getAuthorizedSubject(), - getMessageUserId(xfr), - serverSession.getAMQPConnection()); + serverSession.getAMQPConnection().checkAuthorizedMessagePrincipal(getMessageUserId(xfr)); + if(destination instanceof ConfiguredObject) + { + Map<String,Object> args = new HashMap<>(); + args.put("routingKey", messageMetaData.getRoutingKey()); + args.put("immediate", messageMetaData.isImmediate()); + + getServerConnection(ssn).getAmqpConnection().getBroker().getSecurityManager() + .authoriseExecute(serverSession.getToken(), (ConfiguredObject)destination, "publish", args ); + + }; } catch (AccessControlException e) { Modified: qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java (original) +++ qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java Wed Jun 29 23:23:09 2016 
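Review bot: The publish ACL check now runs only when `destination instanceof ConfiguredObject`, whereas the replaced `authorisePublish` call ran for every destination; any `MessageDestination` that is not a `ConfiguredObject` (the virtual host's default destination looks like a candidate, though its type is not visible here) is now published to with only the user-id check and no authorisation decision at all. Unless every destination reachable here is guaranteed to be a `ConfiguredObject`, the fall-through should deny rather than silently allow, e.g. `else { throw new AccessControlException("Permission denied: publish to " + destination.getName()); }`, or the destination should be resolved to its backing configured object before the check. The stray `;` after the closing brace of the `if` is an empty statement and should be dropped, and the raw `(ConfiguredObject)` cast could be `(ConfiguredObject<?>)`. The enclosing `try` opens and the `catch` continues outside the hunk.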
@@ -100,6 +100,7 @@ import org.apache.qpid.server.protocol.C import org.apache.qpid.server.protocol.ConsumerListener; import org.apache.qpid.server.queue.QueueArgumentsConverter; import org.apache.qpid.server.security.SecurityManager; +import org.apache.qpid.server.security.SecurityToken; import org.apache.qpid.server.store.MessageHandle; import org.apache.qpid.server.store.MessageStore; import org.apache.qpid.server.store.StoredMessage; @@ -136,6 +137,7 @@ public class AMQChannel private final Pre0_10CreditManager _creditManager; private final FlowCreditManager _noAckCreditManager; private final AccessControlContext _accessControllerContext; + private final SecurityToken _token; /** * The delivery tag is unique per channel. This is pre-incremented before putting into the deliver frame so that @@ -240,6 +242,7 @@ public class AMQChannel _subject.getPrincipals().add(new SessionPrincipal(this)); _accessControllerContext = org.apache.qpid.server.security.SecurityManager.getAccessControlContextFromSubject(_subject); + _token = _connection.getBroker().getSecurityManager().newToken(_subject); _maxUncommittedInMemorySize = connection.getContextProvider().getContextValue(Long.class, Connection.MAX_UNCOMMITTED_IN_MEMORY_SIZE); _logSubject = new ChannelLogSubject(this); 
@@ -430,13 +433,19 @@ public class AMQChannel try { ContentHeaderBody contentHeader = _currentMessage.getContentHeader(); - securityManager.authorisePublish(info.isImmediate(), - routingKey, - _currentMessage.getDestination().getName(), - virtualHost.getName(), - _subject, - AMQShortString.toString(contentHeader.getProperties().getUserId()), - _connection); + _connection.checkAuthorizedMessagePrincipal(AMQShortString.toString(contentHeader.getProperties().getUserId())); + + if(_currentMessage.getDestination() instanceof ConfiguredObject) + { + Map<String,Object> args = new HashMap<>(); + args.put("routingKey", routingKey); + args.put("immediate", info.isImmediate()); + + securityManager + .authoriseExecute(_token, (ConfiguredObject)_currentMessage.getDestination(), "publish", args ); + + }; + if (_confirmOnPublish) { @@ -1379,11 +1388,6 @@ public class AMQChannel return message; } - private boolean checkMessageUserId(ContentHeaderBody header) - { - return _connection.isAuthorizedMessagePrincipal(AMQShortString.toString(header.getProperties().getUserId())); - } - @Override public UUID getId() { Modified: qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/test/java/org/apache/qpid/server/protocol/v0_8/AMQChannelTest.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/test/java/org/apache/qpid/server/protocol/v0_8/AMQChannelTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/test/java/org/apache/qpid/server/protocol/v0_8/AMQChannelTest.java (original) +++ qpid/java/trunk/broker-plugins/amqp-0-8-protocol/src/test/java/org/apache/qpid/server/protocol/v0_8/AMQChannelTest.java Wed Jun 29 23:23:09 2016 
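Review bot: Same gap as in the 0-10 delegate: when `_currentMessage.getDestination()` is not a `ConfiguredObject` the new code performs no ACL check, while the removed `authorisePublish` call was unconditional, so such publishes now pass with only the `checkAuthorizedMessagePrincipal` user-id test. Either confirm every destination returned here is a `ConfiguredObject` or deny explicitly in an `else` branch. Hoisting the destination into a local (typed as whatever `getDestination()` declares) would also avoid calling it twice and the inline raw cast: `final MessageDestination destination = _currentMessage.getDestination();` then `if (destination instanceof ConfiguredObject)`. The trailing `;` after the `if` block is an empty statement; the surrounding `try`/`catch` and the method continue outside the hunk.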
@@ -24,11 +24,13 @@ import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyString; import static org.mockito.Matchers.eq; import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.doThrow; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyZeroInteractions; import static org.mockito.Mockito.when; +import java.security.AccessControlException; import java.security.Principal; import java.util.Collections; import java.util.Set; @@ -117,8 +119,6 @@ public class AMQChannelTest extends Qpid when(_amqConnection.getMethodRegistry()).thenReturn(new MethodRegistry(ProtocolVersion.v0_9)); when(_amqConnection.getContextProvider()).thenReturn(_virtualHost); when(_amqConnection.getEventLogger()).thenReturn(mock(EventLogger.class)); - when(_amqConnection.isAuthorizedMessagePrincipal(eq(authenticatedPrincipal.getName()))).thenReturn(true); - _messageDestination = mock(MessageDestination.class); } @@ -171,6 +171,8 @@ public class AMQChannelTest extends Qpid public void testPublishContentHeaderWhenMessageAuthorizationFails() throws Exception { + final String impostorId = "impostor"; + doThrow(new AccessControlException("fail")).when(_amqConnection).checkAuthorizedMessagePrincipal(eq(impostorId)); when(_virtualHost.getDefaultDestination()).thenReturn(mock(MessageDestination.class)); when(_virtualHost.getMessageStore()).thenReturn(new NullMessageStore() { 
@@ -187,7 +189,7 @@ public class AMQChannelTest extends Qpid AMQChannel channel = new AMQChannel(_amqConnection, channelId, _virtualHost.getMessageStore()); BasicContentHeaderProperties properties = new BasicContentHeaderProperties(); - properties.setUserId("impostor"); + properties.setUserId(impostorId); channel.receiveBasicPublish(AMQShortString.EMPTY_STRING, AMQShortString.EMPTY_STRING, false, false); channel.receiveMessageHeader(properties, 0); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
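Review bot: No visible test exercises the new `authoriseExecute(..., "publish", ...)` branch in `AMQChannel`, because `_messageDestination` and the default destination are both `mock(MessageDestination.class)` (see the `@@ -117` and `@@ -171` hunks), which is not a `ConfiguredObject`, so the `instanceof` guard is always false here. The impostor case only shows that `checkAuthorizedMessagePrincipal` throwing aborts the publish; a regression in the ACL branch would go unnoticed. Add a case whose destination mock also implements `ConfiguredObject` (Mockito `withSettings().extraInterfaces(ConfiguredObject.class)`, or a model type that satisfies both interfaces if one exists) and verify the security manager receives `authoriseExecute(any(), same(destination), eq("publish"), anyMap())`, plus a negative case where it throws `AccessControlException`. The test method `testPublishContentHeaderWhenMessageAuthorizationFails` continues outside the hunk.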
