Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java Wed Jun 29 23:23:09 2016
@@ -20,9 +20,6 @@
 */
 package org.apache.qpid.server.security;
 
-import static org.apache.qpid.server.security.access.ObjectType.BROKER;
-import static org.apache.qpid.server.security.access.ObjectType.VIRTUALHOST;
-import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.doReturn;
@@ -35,52 +32,24 @@ import java.security.AccessControlExcept
 import java.util.Collections;
 
 import org.apache.qpid.server.model.AccessControlProvider;
-import org.apache.qpid.server.model.AuthenticationProvider;
-import org.apache.qpid.server.model.Binding;
 import org.apache.qpid.server.model.Broker;
-import org.apache.qpid.server.model.BrokerLogInclusionRule;
 import org.apache.qpid.server.model.BrokerLogger;
 import org.apache.qpid.server.model.BrokerModel;
 import org.apache.qpid.server.model.ConfiguredObject;
-import org.apache.qpid.server.model.Consumer;
-import org.apache.qpid.server.model.Exchange;
-import org.apache.qpid.server.model.ExclusivityPolicy;
-import org.apache.qpid.server.model.Group;
-import org.apache.qpid.server.model.GroupMember;
-import org.apache.qpid.server.model.GroupProvider;
-import org.apache.qpid.server.model.KeyStore;
-import org.apache.qpid.server.model.LifetimePolicy;
-import org.apache.qpid.server.model.Port;
 import org.apache.qpid.server.model.Queue;
-import org.apache.qpid.server.model.Session;
 import org.apache.qpid.server.model.State;
-import org.apache.qpid.server.model.TrustStore;
-import org.apache.qpid.server.model.User;
 import org.apache.qpid.server.model.VirtualHost;
-import org.apache.qpid.server.model.VirtualHostLogInclusionRule;
-import org.apache.qpid.server.model.VirtualHostLogger;
-import org.apache.qpid.server.model.VirtualHostNode;
-import org.apache.qpid.server.queue.QueueConsumer;
-import org.apache.qpid.server.security.access.ObjectProperties;
-import org.apache.qpid.server.security.access.ObjectProperties.Property;
-import org.apache.qpid.server.security.access.ObjectType;
 import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.access.OperationLoggingDetails;
-import org.apache.qpid.server.transport.AMQPConnection;
 import org.apache.qpid.test.utils.QpidTestCase;
 
 public class SecurityManagerTest extends QpidTestCase
 {
- private static final String TEST_EXCHANGE_TYPE = "testExchangeType";
 private static final String TEST_VIRTUAL_HOST = "testVirtualHost";
- private static final String TEST_EXCHANGE = "testExchange";
- private static final String TEST_QUEUE = "testQueue";
 
 private AccessControl _accessControl;
 private SecurityManager _securityManager;
 private VirtualHost<?> _virtualHost;
 private Broker _broker;
- private VirtualHostNode<?> _virtualHostNode;
 
 @Override
 public void setUp() throws Exception
@@ -106,796 +75,13 @@ public class SecurityManagerTest extends
 when(_broker.getAttribute(Broker.NAME)).thenReturn("My Broker");
 when(_broker.getModel()).thenReturn(BrokerModel.getInstance());
- _virtualHostNode = getMockVirtualHostNode();
 _securityManager = new SecurityManager(_broker, false);
 }
- public void testAuthoriseCreateBinding()
- {
- VirtualHost vh = getMockVirtualHost();
-
- Exchange exchange = mock(Exchange.class);
- when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
- when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
- when(exchange.getModel()).thenReturn(BrokerModel.getInstance());
-
- Queue queue = mock(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
- when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(vh);
-
- ObjectProperties properties = new ObjectProperties();
- properties.put(Property.NAME, TEST_EXCHANGE);
- properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- properties.put(Property.QUEUE_NAME, TEST_QUEUE);
- properties.put(Property.ROUTING_KEY, "bindingKey");
- properties.put(Property.TEMPORARY, false);
- properties.put(Property.DURABLE, true);
-
- Binding binding = mock(Binding.class);
- when(binding.getParent(Exchange.class)).thenReturn(exchange);
- when(binding.getParent(Queue.class)).thenReturn(queue);
- when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
- when(binding.getCategoryClass()).thenReturn(Binding.class);
-
- assertCreateAuthorization(binding, Operation.BIND, ObjectType.EXCHANGE, properties, exchange, queue);
- }
-
-
- public void testAuthoriseMethod()
- {
- ObjectProperties properties = new ObjectProperties("testMethod");
- properties.put(ObjectProperties.Property.COMPONENT, "testComponent");
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
-
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.authoriseMethod(Operation.UPDATE, "testComponent", "testMethod", TEST_VIRTUAL_HOST);
- verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.METHOD), eq(properties));
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.authoriseMethod(Operation.UPDATE, "testComponent", "testMethod", TEST_VIRTUAL_HOST);
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.METHOD), eq(properties));
- }
-
- public void testAccessManagement()
- {
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.accessManagement();
- verify(_accessControl).authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.accessManagement();
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
- }
-
- public void testAuthoriseCreateConnection()
- {
- AMQPConnection<?> connection = mock(AMQPConnection.class);
- when(connection.getAddressSpaceName()).thenReturn(TEST_VIRTUAL_HOST);
-
- ObjectProperties properties = new ObjectProperties();
- properties.put(Property.NAME, TEST_VIRTUAL_HOST);
- properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
-
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.authoriseCreateConnection(connection);
- verify(_accessControl).authorise(eq(Operation.ACCESS), eq(ObjectType.VIRTUALHOST), eq(properties));
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.authoriseCreateConnection(connection);
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(eq(Operation.ACCESS), eq(ObjectType.VIRTUALHOST), eq(properties));
- }
-
- public void testAuthoriseCreateConsumer()
- {
- Queue queue = mock(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
- when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
- when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
-
- Session session = mock(Session.class);
- when(session.getCategoryClass()).thenReturn(Session.class);
- when(session.getAttribute(Session.NAME)).thenReturn("1");
-
- QueueConsumer consumer = mock(QueueConsumer.class);
- when(consumer.getAttribute(QueueConsumer.NAME)).thenReturn("1");
- when(consumer.getParent(Queue.class)).thenReturn(queue);
- when(consumer.getParent(Session.class)).thenReturn(session);
- when(consumer.getCategoryClass()).thenReturn(Consumer.class);
-
- ObjectProperties properties = new ObjectProperties();
- properties.put(Property.NAME, TEST_QUEUE);
- properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- properties.put(Property.AUTO_DELETE, false);
- properties.put(Property.TEMPORARY, false);
- properties.put(Property.DURABLE, true);
- properties.put(Property.EXCLUSIVE, false);
-
- assertAuthorization(Operation.CREATE, consumer, Operation.CONSUME, ObjectType.QUEUE, properties, queue, session);
- }
-
- public void testAuthoriseUserOperation()
- {
- ObjectProperties properties = new ObjectProperties("testUser");
-
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.authoriseUserUpdate("testUser");
- verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties));
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.authoriseUserUpdate("testUser");
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties));
- }
-
- public void testAuthoriseCreateExchange()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
-
- Exchange exchange = mock(Exchange.class);
- when(exchange.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
- when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
- when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
-
- assertCreateAuthorization(exchange, Operation.CREATE, ObjectType.EXCHANGE, expectedProperties, vh);
- }
-
- public void testAuthoriseCreateQueue()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
-
- Queue queue = mock(Queue.class);
- when(queue.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(queue.getAttribute(Queue.OWNER)).thenReturn(null);
- when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
- when(queue.getAttribute(Queue.ALTERNATE_EXCHANGE)).thenReturn(null);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(vh);
-
- assertCreateAuthorization(queue, Operation.CREATE, ObjectType.QUEUE, expectedProperties, vh);
- }
-
- public void testAuthoriseDeleteQueue()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
-
- Queue queueObject = mock(Queue.class);
- when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
- when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
- when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
- when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
- when(queueObject.getCategoryClass()).thenReturn(Queue.class);
-
- assertDeleteAuthorization(queueObject, Operation.DELETE, ObjectType.QUEUE, expectedProperties, vh);
- }
-
- public void testAuthoriseUpdateQueue()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
-
- Queue queueObject = mock(Queue.class);
- when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
- when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
- when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
- when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
- when(queueObject.getCategoryClass()).thenReturn(Queue.class);
-
- assertUpdateAuthorization(queueObject, Operation.UPDATE, ObjectType.QUEUE, expectedProperties, vh);
- }
-
- public void testAuthoriseUpdateExchange()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
-
- Exchange exchange = mock(Exchange.class);
- when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
- when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
- when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
-
- assertUpdateAuthorization(exchange, Operation.UPDATE, ObjectType.EXCHANGE, expectedProperties, vh);
- }
-
- public void testAuthoriseDeleteExchange()
- {
- VirtualHost vh = getMockVirtualHost();
- ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
-
- Exchange exchange = mock(Exchange.class);
- when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
- when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
- when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
- when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
-
- assertDeleteAuthorization(exchange, Operation.DELETE, ObjectType.EXCHANGE, expectedProperties, vh);
- }
-
- public void testAuthorisePublish()
- {
- String routingKey = "routingKey";
- String exchangeName = "exchangeName";
- boolean immediate = true;
- ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate);
-
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
- verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
- }
-
- public void testAuthorisePurge()
- {
- Queue queue = mock(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
- when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
- when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
-
- ObjectProperties properties = createExpectedQueueObjectProperties();
-
- configureAccessPlugin(Result.ALLOWED);
- _securityManager.authorisePurge(queue);
- verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
-
- configureAccessPlugin(Result.DENIED);
- try
- {
- _securityManager.authorisePurge(queue);
- fail("AccessControlException is expected");
- }
- catch(AccessControlException e)
- {
- // pass
- }
- verify(_accessControl, times(2)).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
- }
-
- public void testAuthoriseUnbind()
- {
- Exchange exchange = mock(Exchange.class);
- when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
-
- Queue queue = mock(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
- when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
-
- Binding binding = mock(Binding.class);
- when(binding.getParent(Exchange.class)).thenReturn(exchange);
- when(binding.getParent(Queue.class)).thenReturn(queue);
- when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
- when(binding.getCategoryClass()).thenReturn(Binding.class);
-
- ObjectProperties properties = new ObjectProperties();
- properties.put(Property.NAME, TEST_EXCHANGE);
- properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- properties.put(Property.QUEUE_NAME, TEST_QUEUE);
- properties.put(Property.ROUTING_KEY, "bindingKey");
- properties.put(Property.TEMPORARY, false);
- properties.put(Property.DURABLE, true);
-
- assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
- }
-
- public void testAuthoriseCreateVirtualHostNode()
- {
- VirtualHostNode vhn = getMockVirtualHostNode();
- assertCreateAuthorization(vhn, Operation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"), _broker);
- }
-
- public void testAuthoriseCreatePort()
- {
- Port port = mock(Port.class);
- when(port.getParent(Broker.class)).thenReturn(_broker);
- when(port.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(port.getCategoryClass()).thenReturn(Port.class);
-
- assertBrokerChildCreateAuthorization(port);
- }
-
- public void testAuthoriseCreateAuthenticationProvider()
- {
- AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
- when(authenticationProvider.getParent(Broker.class)).thenReturn(_broker);
- when(authenticationProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
-
- assertBrokerChildCreateAuthorization(authenticationProvider);
- }
-
- public void testAuthoriseCreateGroupProvider()
- {
- GroupProvider groupProvider = mock(GroupProvider.class);
- when(groupProvider.getParent(Broker.class)).thenReturn(_broker);
- when(groupProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
-
- assertBrokerChildCreateAuthorization(groupProvider);
- }
-
- public void testAuthoriseCreateAccessControlProvider()
- {
- AccessControlProvider accessControlProvider = mock(AccessControlProvider.class);
- when(accessControlProvider.getParent(Broker.class)).thenReturn(_broker);
- when(accessControlProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class);
-
- assertBrokerChildCreateAuthorization(accessControlProvider);
- }
-
- public void testAuthoriseCreateKeyStore()
- {
- KeyStore keyStore = mock(KeyStore.class);
- when(keyStore.getParent(Broker.class)).thenReturn(_broker);
- when(keyStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(keyStore.getCategoryClass()).thenReturn(KeyStore.class);
-
- assertBrokerChildCreateAuthorization(keyStore);
- }
-
- public void testAuthoriseCreateTrustStore()
- {
- TrustStore trustStore = mock(TrustStore.class);
- when(trustStore.getParent(Broker.class)).thenReturn(_broker);
- when(trustStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(trustStore.getCategoryClass()).thenReturn(TrustStore.class);
-
- assertBrokerChildCreateAuthorization(trustStore);
- }
-
- public void testAuthoriseCreateGroup()
- {
- GroupProvider groupProvider = mock(GroupProvider.class);
- when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
- when(groupProvider.getAttribute(GroupProvider.NAME)).thenReturn("testGroupProvider");
- when(groupProvider.getModel()).thenReturn(BrokerModel.getInstance());
-
- Group group = mock(Group.class);
- when(group.getCategoryClass()).thenReturn(Group.class);
- when(group.getParent(GroupProvider.class)).thenReturn(groupProvider);
- when(group.getAttribute(Group.NAME)).thenReturn("test");
-
- assertCreateAuthorization(group, Operation.CREATE, ObjectType.GROUP, new ObjectProperties("test"), groupProvider);
- }
-
- public void testAuthoriseCreateGroupMember()
- {
- Group group = mock(Group.class);
- when(group.getCategoryClass()).thenReturn(Group.class);
- when(group.getAttribute(Group.NAME)).thenReturn("testGroup");
- when(group.getModel()).thenReturn(BrokerModel.getInstance());
-
- GroupMember groupMember = mock(GroupMember.class);
- when(groupMember.getCategoryClass()).thenReturn(GroupMember.class);
- when(groupMember.getParent(Group.class)).thenReturn(group);
- when(groupMember.getAttribute(Group.NAME)).thenReturn("test");
-
- assertCreateAuthorization(groupMember, Operation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"), group);
- }
-
- public void testAuthoriseCreateUser()
- {
- AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
- when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
- when(authenticationProvider.getAttribute(AuthenticationProvider.NAME)).thenReturn("testAuthenticationProvider");
- when(authenticationProvider.getModel()).thenReturn(BrokerModel.getInstance());
-
- User user = mock(User.class);
- when(user.getCategoryClass()).thenReturn(User.class);
- when(user.getAttribute(User.NAME)).thenReturn("test");
- when(user.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
- when(user.getModel()).thenReturn(BrokerModel.getInstance());
-
- assertCreateAuthorization(user, Operation.CREATE, ObjectType.USER, new ObjectProperties("test"), authenticationProvider);
- }
-
- public void testAuthoriseCreateVirtualHost()
- {
- VirtualHost vh = getMockVirtualHost();
- assertCreateAuthorization(vh, Operation.CREATE, ObjectType.VIRTUALHOST, new ObjectProperties(TEST_VIRTUAL_HOST), _virtualHostNode);
- }
-
- public void testAuthoriseUpdateVirtualHostNode()
- {
- VirtualHostNode vhn = getMockVirtualHostNode();
- assertUpdateAuthorization(vhn, Operation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
- }
-
- public void testAuthoriseUpdatePort()
- {
- Port mock = mock(Port.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(Port.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateAuthenticationProvider()
- {
- AuthenticationProvider mock = mock(AuthenticationProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateGroupProvider()
- {
- GroupProvider mock = mock(GroupProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateAccessControlProvider()
- {
- AccessControlProvider mock = mock(AccessControlProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateKeyStore()
- {
- KeyStore mock = mock(KeyStore.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(KeyStore.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateTrustStore()
- {
- TrustStore mock = mock(TrustStore.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(TrustStore.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildUpdateAuthorization(mock);
- }
-
- public void testAuthoriseUpdateGroup()
- {
- GroupProvider groupProvider = mock(GroupProvider.class);
- when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
- when(groupProvider.getName()).thenReturn("testGroupProvider");
- Group mock = mock(Group.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(Group.class);
- when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, groupProvider);
- }
-
- public void testAuthoriseUpdateGroupMember()
- {
- Group group = mock(Group.class);
- when(group.getCategoryClass()).thenReturn(Group.class);
- when(group.getName()).thenReturn("testGroup");
- GroupMember mock = mock(GroupMember.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(GroupMember.class);
- when(mock.getParent(Group.class)).thenReturn(group);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
- }
-
- public void testAuthoriseUpdateUser()
- {
- AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
- when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
- when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
- User mock = mock(User.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(User.class);
- when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.USER, properties, authenticationProvider);
- }
-
- public void testAuthoriseUpdateVirtualHost()
- {
- VirtualHostNode vhn = getMockVirtualHostNode();
-
- VirtualHost mock = mock(VirtualHost.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
- when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhn);
- }
-
- public void testAuthoriseDeleteVirtualHostNode()
- {
- VirtualHostNode vhn = getMockVirtualHostNode();
- assertDeleteAuthorization(vhn, Operation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
- }
-
- public void testAuthoriseDeletePort()
- {
- Port mock = mock(Port.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(Port.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteAuthenticationProvider()
- {
- AuthenticationProvider mock = mock(AuthenticationProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteGroupProvider()
- {
- GroupProvider mock = mock(GroupProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteAccessControlProvider()
- {
- AccessControlProvider mock = mock(AccessControlProvider.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteKeyStore()
- {
- KeyStore mock = mock(KeyStore.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(KeyStore.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteTrustStore()
- {
- TrustStore mock = mock(TrustStore.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(TrustStore.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseDeleteGroup()
- {
- GroupProvider groupProvider = mock(GroupProvider.class);
- when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
- when(groupProvider.getName()).thenReturn("testGroupProvider");
- Group mock = mock(Group.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(Group.class);
- when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.GROUP, properties, groupProvider);
- }
- public void testAuthoriseDeleteGroupMember()
- {
- Group group = mock(Group.class);
- when(group.getCategoryClass()).thenReturn(Group.class);
- when(group.getName()).thenReturn("testGroup");
- GroupMember mock = mock(GroupMember.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(GroupMember.class);
- when(mock.getParent(Group.class)).thenReturn(group);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertDeleteAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
- }
- public void testAuthoriseDeleteUser()
- {
- AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
- when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
- when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
- User mock = mock(User.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(User.class);
- when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.USER, properties, authenticationProvider);
- }
- public void testAuthoriseDeleteVirtualHost()
- {
- VirtualHostNode vhn = getMockVirtualHostNode();
- VirtualHost mock = mock(VirtualHost.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
- when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
- ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
- assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhn);
- }
-
- public void testAuthoriseDeleteBinding()
- {
- Exchange exchange = mock(Exchange.class);
- when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
- when(exchange.getCategoryClass()).thenReturn(Exchange.class);
-
- Queue queue = mock(Queue.class);
- when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
- when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
- when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
- when(queue.getCategoryClass()).thenReturn(Queue.class);
-
- Binding binding = mock(Binding.class);
- when(binding.getParent(Exchange.class)).thenReturn(exchange);
- when(binding.getParent(Queue.class)).thenReturn(queue);
- when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
- when(binding.getCategoryClass()).thenReturn(Binding.class);
-
- ObjectProperties properties = new ObjectProperties();
- properties.put(Property.NAME, TEST_EXCHANGE);
- properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- properties.put(Property.QUEUE_NAME, TEST_QUEUE);
- properties.put(Property.ROUTING_KEY, "bindingKey");
- properties.put(Property.TEMPORARY, false);
- properties.put(Property.DURABLE, true);
-
- assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
- }
-
- public void testAuthoriseBrokerLoggerOperations()
- {
- BrokerLogger mock = mock(BrokerLogger.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(mock.getCategoryClass()).thenReturn(BrokerLogger.class);
- when(mock.getParent(Broker.class)).thenReturn(_broker);
- assertBrokerChildCreateAuthorization(mock);
-
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- assertBrokerChildUpdateAuthorization(mock);
- assertBrokerChildDeleteAuthorization(mock);
- }
-
- public void testAuthoriseBrokerLogInclusionRuleOperations()
- {
- BrokerLogger bl = mock(BrokerLogger.class);
- when(bl.getAttribute(ConfiguredObject.NAME)).thenReturn("LOGGER");
- when(bl.getCategoryClass()).thenReturn(BrokerLogger.class);
- when(bl.getParent(Broker.class)).thenReturn(_broker);
-
- BrokerLogInclusionRule mock = mock(BrokerLogInclusionRule.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- when(mock.getCategoryClass()).thenReturn(BrokerLogInclusionRule.class);
- when(mock.getParent(BrokerLogger.class)).thenReturn(bl);
- when(mock.getModel()).thenReturn(BrokerModel.getInstance());
- assertBrokerChildCreateAuthorization(mock, bl);
-
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
- assertBrokerChildUpdateAuthorization(mock, bl);
- assertBrokerChildDeleteAuthorization(mock, bl);
- }
-
-
- public void testAuthoriseVirtualHostLoggerOperations()
- {
- ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST);
-
- VirtualHostLogger<?> mock = mock(VirtualHostLogger.class);
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
- doReturn(VirtualHostLogger.class).when(mock).getCategoryClass();
- when(mock.getParent(VirtualHost.class)).thenReturn(_virtualHost);
- when(mock.getModel()).thenReturn(BrokerModel.getInstance());
-
- assertCreateAuthorization(mock, Operation.CREATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
-
- when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
-
- assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
- assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, _virtualHost);
- }
-
- public void testAuthoriseVirtualHostLogInclusionRuleOperations()
- {
- ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST);
-
- VirtualHostLogger<?> vhl = mock(VirtualHostLogger.class);
- when(vhl.getAttribute(ConfiguredObject.NAME)).thenReturn("LOGGER");
- doReturn(VirtualHostLogger.class).when(vhl).getCategoryClass();
-
when(vhl.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(vhl.getModel()).thenReturn(BrokerModel.getInstance()); - - VirtualHostLogInclusionRule<?> mock = mock(VirtualHostLogInclusionRule.class); - when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); - doReturn(VirtualHostLogInclusionRule.class).when(mock).getCategoryClass(); - when(mock.getParent(VirtualHostLogger.class)).thenReturn(vhl); - when(mock.getModel()).thenReturn(BrokerModel.getInstance()); - - assertCreateAuthorization(mock, Operation.CREATE, ObjectType.VIRTUALHOST, properties, vhl); - - when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); - - assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhl); - assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhl); - } public void testDenyWhenAccessControlProviderIsErrored() { 
@@ -919,155 +105,6 @@ public class SecurityManagerTest extends assertAuthorisationDenied(); } - private VirtualHost getMockVirtualHost() - { - VirtualHost vh = mock(VirtualHost.class); - when(vh.getCategoryClass()).thenReturn(VirtualHost.class); - when(vh.getName()).thenReturn(TEST_VIRTUAL_HOST); - when(vh.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST); - when(vh.getParent(VirtualHostNode.class)).thenReturn(_virtualHostNode); - when(vh.getModel()).thenReturn(BrokerModel.getInstance()); - return vh; - } - - private VirtualHostNode getMockVirtualHostNode() - { - VirtualHostNode vhn = mock(VirtualHostNode.class); - when(vhn.getCategoryClass()).thenReturn(VirtualHostNode.class); - when(vhn.getName()).thenReturn("testVHN"); - when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN"); - when(vhn.getParent(Broker.class)).thenReturn(_broker); - when(vhn.getModel()).thenReturn(BrokerModel.getInstance()); - return vhn; - } - - private void assertBrokerChildCreateAuthorization(ConfiguredObject object) - { - assertBrokerChildCreateAuthorization(object, _broker); - } - - private void assertBrokerChildCreateAuthorization(ConfiguredObject object, ConfiguredObject parent) - { - String description = String.format("%s %s '%s'", - Operation.CREATE.name().toLowerCase(), - object.getCategoryClass().getSimpleName().toLowerCase(), - "TEST"); - ObjectProperties properties = new OperationLoggingDetails(description); - assertCreateAuthorization(object, Operation.CONFIGURE, ObjectType.BROKER, properties, parent); - } - - private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject) - { - assertBrokerChildUpdateAuthorization(configuredObject, _broker); - } - - private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent) - { - String description = String.format("%s %s '%s'", - Operation.UPDATE.name().toLowerCase(), - configuredObject.getCategoryClass().getSimpleName().toLowerCase(), - 
configuredObject.getAttribute(ConfiguredObject.NAME)); - ObjectProperties properties = new OperationLoggingDetails(description); - - assertUpdateAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER, - properties, parent); - } - - private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject) - { - assertBrokerChildDeleteAuthorization(configuredObject, _broker); - } - - private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent) - { - String description = String.format("%s %s '%s'", - Operation.DELETE.name().toLowerCase(), - configuredObject.getCategoryClass().getSimpleName().toLowerCase(), - configuredObject.getAttribute(ConfiguredObject.NAME)); - ObjectProperties properties = new OperationLoggingDetails(description); - - assertDeleteAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER, - properties, parent); - } - - private void assertAuthorization(Operation operation, ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... 
objects) - { - configureAccessPlugin(Result.ALLOWED); - _securityManager.authorise(operation, configuredObject); - verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); - - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authorise(operation, configuredObject); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - String expectedMessage = "Permission " + aclOperation.name() + " " - + aclObjectType.name() +" is denied for : " + operation.name() + " " - + configuredObject.getCategoryClass().getSimpleName() + " '" - + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on"; - - assertTrue("Unexpected exception message: " + e.getMessage() + " vs " + expectedMessage, - e.getMessage().startsWith(expectedMessage)); - for (ConfiguredObject object: objects) - { - String parentInfo = object.getCategoryClass().getSimpleName() + " '" - + object.getAttribute(ConfiguredObject.NAME) + "'"; - assertTrue("Exception message does not contain information about parent object " - + object.getCategoryClass() + " " + object.getAttribute(ConfiguredObject.NAME) + ":" - + e.getMessage(), - e.getMessage().contains(parentInfo)); - } - } - - verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); - } - - private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects) - { - assertAuthorization(Operation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects); - } - - private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... 
objects) - { - assertAuthorization(Operation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects); - } - - private void assertCreateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject<?>... parents) - { - configureAccessPlugin(Result.ALLOWED); - _securityManager.authorise(Operation.CREATE, configuredObject); - verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); - - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authorise(Operation.CREATE, configuredObject); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - String expectedMessage = "Permission " + aclOperation.name() + " " - + aclObjectType.name() +" is denied for : CREATE " + configuredObject.getCategoryClass().getSimpleName() + " '" - + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on"; - - assertTrue("Unexpected exception message", e.getMessage().startsWith(expectedMessage)); - for (ConfiguredObject object: parents) - { - String parentInfo = object.getCategoryClass().getSimpleName() + " '" - + object.getAttribute(ConfiguredObject.NAME) + "'"; - assertTrue("Exception message does not contain information about parent configuredObject " - + parentInfo + ": " - + e.getMessage(), - e.getMessage().contains(parentInfo)); - } - } - - verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); - } - private void assertAuthorisationDenied() { ConfiguredObject mockConfiguredObject = mock(BrokerLogger.class); 
@@ -1105,17 +142,7 @@ public class SecurityManagerTest extends try { - _securityManager.authoriseLogsAccess(mockConfiguredObject); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - - try - { - _securityManager.authoriseUserUpdate("guest"); + _securityManager.authoriseExecute(mockConfiguredObject, "getAllFiles", Collections.<String,Object>emptyMap()); fail("AccessControlException is expected"); } catch(AccessControlException e) @@ -1125,17 +152,7 @@ public class SecurityManagerTest extends try { - _securityManager.authoriseCreateConnection(mock(AMQPConnection.class)); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - - try - { - _securityManager.authorisePublish(true, TEST_QUEUE, TEST_EXCHANGE, TEST_VIRTUAL_HOST); + _securityManager.authoriseExecute(mockConfiguredObject, "getPreferences", Collections.<String,Object>singletonMap("userId", "guest")); fail("AccessControlException is expected"); } catch(AccessControlException e) @@ -1147,7 +164,8 @@ public class SecurityManagerTest extends { Queue mockQueue = mock(Queue.class); when(mockQueue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - _securityManager.authorisePurge(mockQueue); + when(mockQueue.getCategoryClass()).thenReturn(Queue.class); + _securityManager.authoriseExecute(mockQueue, "clearQueue", Collections.<String,Object>emptyMap()); fail("AccessControlException is expected"); } catch(AccessControlException e) @@ -1157,7 +175,7 @@ public class SecurityManagerTest extends try { - _securityManager.accessManagement(); + _securityManager.authoriseExecute(_broker, "manage", Collections.<String,Object>emptyMap()); fail("AccessControlException is expected"); } catch(AccessControlException e) 
@@ -1167,7 +185,10 @@ public class SecurityManagerTest extends try { - _securityManager.authoriseMethod(Operation.UPDATE, "testComponent", "testMethod", TEST_VIRTUAL_HOST); + Queue mockQueue = mock(Queue.class); + when(mockQueue.getParent(VirtualHost.class)).thenReturn(_virtualHost); + when(mockQueue.getCategoryClass()).thenReturn(Queue.class); + _securityManager.authoriseExecute(mockQueue, "deleteMessages", Collections.<String,Object>emptyMap()); fail("AccessControlException is expected"); } catch(AccessControlException e) 
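Review bot: The three lines that build `mockQueue` here duplicate the setup added in the `@@ -1147,7 +164,8 @@` hunk for the clearQueue case; a small `private Queue mockQueue()` helper that stubs `getParent(VirtualHost.class)` and `getCategoryClass()` would keep both cases in step when the mock's requirements change. The enclosing assertAuthorisationDenied method starts outside this hunk. The method names passed to authoriseExecute in these hunks ("getAllFiles", "getPreferences", "deleteMessages") are bare string literals that must match the method-name sets in LegacyAccessControlAdapter, so a comment such as `// method names must match the legacy-operation mapping in LegacyAccessControlAdapter` would make that coupling visible to the next maintainer.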
@@ -1177,73 +198,5 @@ public class SecurityManagerTest extends } - public void testAuthoriseLogsAccessOnBroker() - { - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseLogsAccess(_broker); - - verify(_accessControl).authorise(ACCESS_LOGS, BROKER, ObjectProperties.EMPTY); - - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseLogsAccess(_broker); - fail("AccessControlException is expected"); - } - catch (AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(ACCESS_LOGS, BROKER, ObjectProperties.EMPTY); - } - - public void testAuthoriseLogsAccessOnVirtualHost() - { - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseLogsAccess(_virtualHost); - ObjectProperties expectedObjectProperties = new ObjectProperties((String)_virtualHost.getAttribute(ConfiguredObject.NAME)); - verify(_accessControl).authorise(ACCESS_LOGS, VIRTUALHOST, expectedObjectProperties); - - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseLogsAccess(_virtualHost); - fail("AccessControlException is expected"); - } - catch (AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(ACCESS_LOGS, VIRTUALHOST, expectedObjectProperties); - } - - private void configureAccessPlugin(Result result) - { - when(_accessControl.authorise(any(Operation.class), any(ObjectType.class), any(ObjectProperties.class))).thenReturn(result); - } - - private ObjectProperties createExpectedExchangeObjectProperties() - { - ObjectProperties properties = new ObjectProperties(); - properties.put(Property.NAME, TEST_EXCHANGE); - properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST); - properties.put(Property.AUTO_DELETE, true); - properties.put(Property.TEMPORARY, true); - properties.put(Property.DURABLE, false); - properties.put(Property.TYPE, TEST_EXCHANGE_TYPE); - return properties; - } - - private ObjectProperties createExpectedQueueObjectProperties() - { - ObjectProperties 
properties = new ObjectProperties(); - properties.put(Property.NAME, TEST_QUEUE); - properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST); - properties.put(Property.AUTO_DELETE, true); - properties.put(Property.TEMPORARY, true); - properties.put(Property.DURABLE, false); - properties.put(Property.EXCLUSIVE, false); - return properties; - } }
Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java Wed Jun 29 23:23:09 2016 @@ -18,8 +18,6 @@ */ package org.apache.qpid.server.security.access.config; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.firewall.FirewallRule; Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java Wed Jun 29 23:23:09 2016 
@@ -40,7 +40,6 @@ import org.slf4j.LoggerFactory; import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.RuleOutcome; Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java Wed Jun 29 23:23:09 2016 
@@ -23,8 +23,7 @@ import java.util.Map; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectProperties.Property; +import org.apache.qpid.server.security.access.config.ObjectProperties.Property; import org.apache.qpid.server.security.access.firewall.FirewallRule; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java?rev=1750734&r1=1750733&r2=1750734&view=diff ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java (original) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java Wed Jun 29 23:23:09 2016 
@@ -20,8 +20,6 @@ */ package org.apache.qpid.server.security.access.config; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; /** Added: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java?rev=1750734&view=auto ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java (added) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java Wed Jun 29 23:23:09 2016 
@@ -0,0 +1,144 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.config;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.atomic.AtomicReferenceFieldUpdater;
+
+import javax.security.auth.Subject;
+
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.SecurityToken;
+
+class CachingSecurityToken implements SecurityToken
+{
+ private final Subject _subject;
+ private volatile AccessControlCache _cache;
+
+ private static final AtomicReferenceFieldUpdater<CachingSecurityToken, AccessControlCache> CACHE_UPDATE =
+ AtomicReferenceFieldUpdater.newUpdater(CachingSecurityToken.class, AccessControlCache.class, "_cache");
+
+ CachingSecurityToken(final Subject subject, final RuleBasedAccessControl accessControl)
+ {
+ _subject = subject;
+ _cache = new AccessControlCache(accessControl);
+ }
+
+ Subject getSubject()
+ {
+ return _subject;
+ }
+
+ Result authoriseMethod(final RuleBasedAccessControl ruleBasedAccessControl,
+ final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ AccessControlCache cache = CACHE_UPDATE.get(this);
+ while(cache.getAccessControl() != ruleBasedAccessControl)
+ {
+ CACHE_UPDATE.compareAndSet(this, cache, new AccessControlCache(ruleBasedAccessControl));
+ }
+ final CachedMethodAuthKey key = new CachedMethodAuthKey(configuredObject, methodName, arguments);
+ Result result = cache.getCache().get(key);
+ if(result == null)
+ {
+ result = ruleBasedAccessControl.authoriseMethod(configuredObject, methodName, arguments);
+ cache.getCache().putIfAbsent(key, result);
+ }
+ return result;
+ }
+
+ private static final class CachedMethodAuthKey
+ {
+ private final ConfiguredObject<?> _configuredObject;
+ private final String _methodName;
+ private final Map<String, Object> _arguments;
+ private final int _hashCode;
+
+ public CachedMethodAuthKey(final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ _configuredObject = configuredObject;
+ _methodName = methodName;
+ _arguments = arguments;
+ int result = _configuredObject != null ? _configuredObject.hashCode() : 0;
+ result = 31 * result + (_methodName != null ? _methodName.hashCode() : 0);
+ result = 31 * result + (_arguments != null ? _arguments.hashCode() : 0);
+ _hashCode = result;
+ }
+
+ @Override
+ public boolean equals(final Object o)
+ {
+ if (this == o)
+ {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass())
+ {
+ return false;
+ }
+
+ final CachedMethodAuthKey that = (CachedMethodAuthKey) o;
+
+ return _configuredObject != null
+ ? _configuredObject.equals(that._configuredObject)
+ : that._configuredObject == null && (_methodName != null
+ ? _methodName.equals(that._methodName)
+ : that._methodName == null && (_arguments != null
+ ? _arguments.equals(that._arguments)
+ : that._arguments == null));
+
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return _hashCode;
+ }
+ }
+
+ private static final class AccessControlCache
+ {
+ private final RuleBasedAccessControl _accessControl;
+ private final ConcurrentMap<CachedMethodAuthKey, Result> _cache = new ConcurrentHashMap<>();
+
+ private AccessControlCache(final RuleBasedAccessControl accessControl)
+ {
+ _accessControl = accessControl;
+ }
+
+ public RuleBasedAccessControl getAccessControl()
+ {
+ return _accessControl;
+ }
+
+ public ConcurrentMap<CachedMethodAuthKey, Result> getCache()
+ {
+ return _cache;
+ }
+ }
+}
Propchange: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/CachingSecurityToken.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java?rev=1750734&r1=1750733&r2=1750734&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java (original)
+++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java Wed Jun 29 23:23:09 2016
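Review bot: The swap loop in authoriseMethod never re-reads `_cache` after the compareAndSet, so once the token's cached RuleBasedAccessControl differs from the one passed in (presumably after the ACL provider is reconfigured) `cache.getAccessControl() != ruleBasedAccessControl` stays true forever and the calling thread spins, allocating a fresh AccessControlCache on every iteration; the lookup below would also consult the stale map. Re-read inside the loop, `cache = CACHE_UPDATE.get(this);` after the compareAndSet, so the loop terminates and the new map is the one used. Separately, CachedMethodAuthKey stores the caller's `arguments` map by reference and folds it into equals and hashCode, so a caller that mutates the map after the call can silently corrupt the key; a null-guarded `Collections.unmodifiableMap(new HashMap<>(arguments))` in the key constructor removes that hazard. The per-subject map is also unbounded, which deserves a class comment stating the expected key cardinality and the token's intended lifetime.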
@@ -20,8 +20,6 @@ package org.apache.qpid.server.security. import java.net.InetAddress; -import org.apache.qpid.server.security.access.ObjectProperties; -import org.apache.qpid.server.security.access.ObjectType; import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.security.access.firewall.FirewallRule; Added: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java?rev=1750734&view=auto ============================================================================== --- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java (added) +++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java Wed Jun 29 23:23:09 2016 
@@ -0,0 +1,29 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.config;
+
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.access.Operation;
+
+interface LegacyAccessControl
+{
+ Result authorise(Operation authoriseOperation, ObjectType objectType, ObjectProperties properties);
+}
Propchange: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControl.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java?rev=1750734&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java (added)
+++ qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java Wed Jun 29 23:23:09 2016
@@ -0,0 +1,427 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.apache.qpid.server.security.SecurityManager.getCurrentUser;
+import static org.apache.qpid.server.security.access.config.ObjectType.EXCHANGE;
+import static org.apache.qpid.server.security.access.config.ObjectType.METHOD;
+import static org.apache.qpid.server.security.access.config.ObjectType.QUEUE;
+import static org.apache.qpid.server.security.access.config.ObjectType.USER;
+import static org.apache.qpid.server.security.access.Operation.ACCESS_LOGS;
+import static org.apache.qpid.server.security.access.Operation.PUBLISH;
+import static org.apache.qpid.server.security.access.Operation.PURGE;
+import static org.apache.qpid.server.security.access.Operation.UPDATE;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.qpid.server.model.*;
+import org.apache.qpid.server.queue.QueueConsumer;
+import org.apache.qpid.server.security.Result;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
+
+class LegacyAccessControlAdapter
+{
+ private static final Set<String> LOG_ACCESS_METHOD_NAMES =
+ Collections.unmodifiableSet(new HashSet<>(Arrays.asList("getFile",
+ "getFiles",
+ "getAllFiles",
+ "getLogEntries")));
+ private static final Set<String> QUEUE_UPDATE_METHODS =
+ Collections.unmodifiableSet(new HashSet<>(Arrays.asList("moveMessages",
+ "copyMessages",
+ "deleteMessages")));
+
+ private static final Set<String> LEGACY_PREFERENCES_METHOD_NAMES =
+ Collections.unmodifiableSet(new HashSet<>(Arrays.asList("getPreferences",
+ "setPreferences",
+ "deletePreferences")));
+
+ private final LegacyAccessControl _accessControl;
+ private final Model _model;
+
+ LegacyAccessControlAdapter(final LegacyAccessControl accessControl,
+ final Model model)
+ {
+ _accessControl = accessControl;
+ _model = model;
+ }
+
+ private Model getModel()
+ {
+ return _model;
+ }
+
+ Result authorise(final Operation operation, final ConfiguredObject<?> configuredObject)
+ {
+ if (isAllowedOperation(operation, configuredObject))
+ {
+ // creation of remote replication node is out of control for user of this broker
+ return Result.ALLOWED;
+ }
+
+ Class<? 
extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
+ ObjectType objectType = getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass);
+ if (objectType == null)
+ {
+ throw new IllegalArgumentException("Cannot identify object type for category " + categoryClass );
+ }
+
+ ObjectProperties properties = getACLObjectProperties(configuredObject, operation);
+ Operation authoriseOperation = validateAuthoriseOperation(operation, categoryClass);
+ return _accessControl.authorise(authoriseOperation, objectType, properties);
+
+ }
+
+ private boolean isAllowedOperation(Operation operation, ConfiguredObject<?> configuredObject)
+ {
+ if (configuredObject instanceof Session && (operation == Operation.CREATE || operation == Operation.UPDATE
+ || operation == Operation.DELETE))
+ {
+ return true;
+
+ }
+
+ if (configuredObject instanceof Consumer && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ if (configuredObject instanceof Connection && (operation == Operation.UPDATE || operation == Operation.DELETE))
+ {
+ return true;
+ }
+
+ return false;
+ }
+
+ private ObjectType getACLObjectTypeManagingConfiguredObjectOfCategory(Class<? 
extends ConfiguredObject> category)
+ {
+ if (Binding.class.isAssignableFrom(category))
+ {
+ return ObjectType.EXCHANGE;
+ }
+ else if (VirtualHostNode.class.isAssignableFrom(category))
+ {
+ return ObjectType.VIRTUALHOSTNODE;
+ }
+ else if (isBrokerType(category))
+ {
+ return ObjectType.BROKER;
+ }
+ else if (isVirtualHostType(category))
+ {
+ return ObjectType.VIRTUALHOST;
+ }
+ else if (Group.class.isAssignableFrom(category))
+ {
+ return ObjectType.GROUP;
+ }
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // UPDATE GROUP
+ return ObjectType.GROUP;
+ }
+ else if (User.class.isAssignableFrom(category))
+ {
+ return ObjectType.USER;
+ }
+ else if (Queue.class.isAssignableFrom(category))
+ {
+ return ObjectType.QUEUE;
+ }
+ else if (Exchange.class.isAssignableFrom(category))
+ {
+ return ObjectType.EXCHANGE;
+ }
+ else if (Session.class.isAssignableFrom(category))
+ {
+ // PUBLISH EXCHANGE
+ return ObjectType.EXCHANGE;
+ }
+ else if (Consumer.class.isAssignableFrom(category))
+ {
+ // CONSUME QUEUE
+ return ObjectType.QUEUE;
+ }
+ else if (RemoteReplicationNode.class.isAssignableFrom(category))
+ {
+ // VHN permissions apply to remote nodes
+ return ObjectType.VIRTUALHOSTNODE;
+ }
+ return null;
+ }
+
+ private boolean isVirtualHostType(Class<? extends ConfiguredObject> category)
+ {
+ return VirtualHost.class.isAssignableFrom(category) ||
+ VirtualHostLogger.class.isAssignableFrom(category) ||
+ VirtualHostLogInclusionRule.class.isAssignableFrom(category) ||
+ Connection.class.isAssignableFrom(category);
+ }
+
+ private boolean isBrokerType(Class<? 
extends ConfiguredObject> category)
+ {
+ return Broker.class.isAssignableFrom(category) ||
+ PreferencesProvider.class.isAssignableFrom(category) ||
+ BrokerLogInclusionRule.class.isAssignableFrom(category) ||
+ VirtualHostAlias.class.isAssignableFrom(category) ||
+ ( !VirtualHostNode.class.isAssignableFrom(category) && getModel().getChildTypes(Broker.class).contains(category));
+ }
+
+
+ private ObjectProperties getACLObjectProperties(ConfiguredObject<?> configuredObject, Operation configuredObjectOperation)
+ {
+ String objectName = (String)configuredObject.getAttribute(ConfiguredObject.NAME);
+ Class<? extends ConfiguredObject> configuredObjectType = configuredObject.getCategoryClass();
+ ObjectProperties properties = new ObjectProperties(objectName);
+ if (configuredObject instanceof Binding)
+ {
+ Exchange<?> exchange = (Exchange<?>)configuredObject.getParent(Exchange.class);
+ Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ properties.setName((String)exchange.getAttribute(Exchange.NAME));
+ properties.put(ObjectProperties.Property.QUEUE_NAME, (String)queue.getAttribute(Queue.NAME));
+ properties.put(ObjectProperties.Property.ROUTING_KEY, (String)configuredObject.getAttribute(Binding.NAME));
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)queue.getParent(VirtualHost.class).getAttribute(VirtualHost.NAME));
+
+ // The temporary attribute (inherited from the binding's queue) seems to exist to allow the user to
+ // express rules about the binding of temporary queues (whose names cannot be predicted). 
+ properties.put(ObjectProperties.Property.TEMPORARY, queue.getAttribute(Queue.LIFETIME_POLICY) != LifetimePolicy.PERMANENT);
+ properties.put(ObjectProperties.Property.DURABLE, (Boolean)queue.getAttribute(Queue.DURABLE));
+ }
+ else if (configuredObject instanceof Queue)
+ {
+ setQueueProperties(configuredObject, properties);
+ }
+ else if (configuredObject instanceof Exchange)
+ {
+ Object lifeTimePolicy = configuredObject.getAttribute(ConfiguredObject.LIFETIME_POLICY);
+ properties.put(ObjectProperties.Property.AUTO_DELETE, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(ObjectProperties.Property.DURABLE, (Boolean) configuredObject.getAttribute(ConfiguredObject.DURABLE));
+ properties.put(ObjectProperties.Property.TYPE, (String) configuredObject.getAttribute(Exchange.TYPE));
+ VirtualHost virtualHost = configuredObject.getParent(VirtualHost.class);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
+ }
+ else if (configuredObject instanceof QueueConsumer)
+ {
+ Queue<?> queue = (Queue<?>)configuredObject.getParent(Queue.class);
+ setQueueProperties(queue, properties);
+ }
+ else if (isBrokerType(configuredObjectType))
+ {
+ String description = String.format("%s %s '%s'",
+ configuredObjectOperation == null? null : configuredObjectOperation.name().toLowerCase(),
+ configuredObjectType == null ? 
null : configuredObjectType.getSimpleName().toLowerCase(),
+ objectName);
+ properties = new OperationLoggingDetails(description);
+ }
+ else if (isVirtualHostType(configuredObjectType))
+ {
+ ConfiguredObject<?> virtualHost = getModel().getAncestor(VirtualHost.class, configuredObject);
+ properties = new ObjectProperties((String)virtualHost.getAttribute(ConfiguredObject.NAME));
+ }
+ return properties;
+ }
+
+ private void setQueueProperties(ConfiguredObject<?> queue, ObjectProperties properties)
+ {
+ properties.setName((String)queue.getAttribute(Exchange.NAME));
+ Object lifeTimePolicy = queue.getAttribute(ConfiguredObject.LIFETIME_POLICY);
+ properties.put(ObjectProperties.Property.AUTO_DELETE, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy != LifetimePolicy.PERMANENT);
+ properties.put(ObjectProperties.Property.DURABLE, (Boolean)queue.getAttribute(ConfiguredObject.DURABLE));
+ properties.put(ObjectProperties.Property.EXCLUSIVE, queue.getAttribute(Queue.EXCLUSIVE) != ExclusivityPolicy.NONE);
+ Object alternateExchange = queue.getAttribute(Queue.ALTERNATE_EXCHANGE);
+ if (alternateExchange != null)
+ {
+ String name = alternateExchange instanceof ConfiguredObject ?
+ (String)((ConfiguredObject)alternateExchange).getAttribute(ConfiguredObject.NAME) :
+ String.valueOf(alternateExchange);
+ properties.put(ObjectProperties.Property.ALTERNATE, name);
+ }
+ String owner = (String)queue.getAttribute(Queue.OWNER);
+ if (owner != null)
+ {
+ properties.put(ObjectProperties.Property.OWNER, owner);
+ }
+ VirtualHost virtualHost = queue.getParent(VirtualHost.class);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
+ }
+
+
+ private Operation validateAuthoriseOperation(Operation operation, Class<? 
extends ConfiguredObject> category)
+ {
+ if (operation == Operation.CREATE || operation == Operation.UPDATE)
+ {
+ if (Binding.class.isAssignableFrom(category))
+ {
+ // CREATE BINDING is transformed into BIND EXCHANGE rule
+ return Operation.BIND;
+ }
+ else if (Consumer.class.isAssignableFrom(category))
+ {
+ // CREATE CONSUMER is transformed into CONSUME QUEUE rule
+ return Operation.CONSUME;
+ }
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // CREATE GROUP MEMBER is transformed into UPDATE GROUP rule
+ return Operation.UPDATE;
+ }
+ else if (isBrokerType(category))
+ {
+ // CREATE/UPDATE broker child is transformed into CONFIGURE BROKER rule
+ return Operation.CONFIGURE;
+ }
+ }
+ else if (operation == Operation.DELETE)
+ {
+ if (Binding.class.isAssignableFrom(category))
+ {
+ // DELETE BINDING is transformed into UNBIND EXCHANGE rule
+ return Operation.UNBIND;
+ }
+ else if (isBrokerType(category))
+ {
+ // DELETE broker child is transformed into CONFIGURE BROKER rule
+ return Operation.CONFIGURE;
+
+ }
+ else if (GroupMember.class.isAssignableFrom(category))
+ {
+ // DELETE GROUP MEMBER is transformed into UPDATE GROUP rule
+ return Operation.UPDATE;
+ }
+ }
+ return operation;
+ }
+
+ Result authoriseExecute(final ConfiguredObject<?> configuredObject,
+ final String methodName,
+ final Map<String, Object> arguments)
+ {
+ Class<? 
extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
+ if(categoryClass == Exchange.class)
+ {
+ Exchange exchange = (Exchange) configuredObject;
+ if("publish".equals(methodName))
+ {
+
+ final ObjectProperties _props =
+ new ObjectProperties(exchange.getParent(VirtualHost.class).getName(), exchange.getName(), (String)arguments.get("routingKey"), (Boolean)arguments.get("immediate"));
+ return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
+ }
+ }
+ else if(categoryClass == VirtualHost.class)
+ {
+ if("connect".equals(methodName))
+ {
+ String virtualHostName = configuredObject.getName();
+ ObjectProperties properties = new ObjectProperties(virtualHostName);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHostName);
+ return _accessControl.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, properties);
+ }
+ }
+ else if(categoryClass == Broker.class)
+ {
+ if("manage".equals(methodName))
+ {
+ return _accessControl.authorise(Operation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
+ }
+ }
+ else if(categoryClass == Queue.class)
+ {
+ Queue queue = (Queue) configuredObject;
+ final ObjectProperties properties = new ObjectProperties();
+ if("clearQueue".equals(methodName))
+ {
+ setQueueProperties(queue, properties);
+ return _accessControl.authorise(PURGE, QUEUE, properties);
+ }
+ else if(QUEUE_UPDATE_METHODS.contains(methodName))
+ {
+ VirtualHost virtualHost = queue.getVirtualHost();
+ final String virtualHostName = virtualHost.getName();
+ properties.setName(methodName);
+ properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHostName);
+ return _accessControl.authorise(Operation.UPDATE, METHOD, properties);
+
+ }
+ else if("queue".equals(methodName))
+ {
+
+ final ObjectProperties _props =
+ new ObjectProperties(queue.getParent(VirtualHost.class).getName(), "", queue.getName(), 
(Boolean)arguments.get("immediate"));
+ return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
+ }
+ }
+ else if(categoryClass == BrokerLogger.class)
+ {
+ if(LOG_ACCESS_METHOD_NAMES.contains(methodName))
+ {
+ return _accessControl.authorise(ACCESS_LOGS, ObjectType.BROKER, ObjectProperties.EMPTY);
+ }
+ }
+ else if(categoryClass == VirtualHostLogger.class)
+ {
+ VirtualHostLogger logger = (VirtualHostLogger)configuredObject;
+ if(LOG_ACCESS_METHOD_NAMES.contains(methodName))
+ {
+ return _accessControl.authorise(ACCESS_LOGS,
+ ObjectType.VIRTUALHOST,
+ new ObjectProperties(logger.getParent(VirtualHost.class).getName()));
+ }
+ }
+ else if(categoryClass == AuthenticationProvider.class)
+ {
+ if(LEGACY_PREFERENCES_METHOD_NAMES.contains(methodName))
+ {
+ if(arguments.get("userId") instanceof String)
+ {
+ String userName = (String) arguments.get("userId");
+ AuthenticatedPrincipal principal = getCurrentUser();
+ if (principal != null && principal.getName().equals(userName))
+ {
+ // allow user to update its own data
+ return Result.ALLOWED;
+ }
+ else
+ {
+ return _accessControl.authorise(UPDATE,
+ USER,
+ new ObjectProperties(userName));
+ }
+ }
+ }
+ }
+
+ return Result.ALLOWED;
+
+ }
+
+
+}
Propchange: qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
------------------------------------------------------------------------------
svn:eol-style = native
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
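Review bot: authoriseExecute ends with `return Result.ALLOWED;` for every category/method pair it does not explicitly match, so a method name outside the three name sets (or any category other than the seven tested) is permitted without `_accessControl` ever being consulted, and the AuthenticationProvider branch likewise drops through to ALLOWED when `arguments.get("userId")` is absent or not a String, which skips the UPDATE USER check for a malformed call. If this default-allow deliberately preserves the behaviour being moved out of SecurityManager, that intent deserves a comment on the final return (for example `// unmatched methods are not subject to legacy ACL rules; callers apply their own checks`); otherwise the safer shape is to return a non-allowing Result for the unmatched case and to treat a missing or non-String userId in the preferences branch as a denied request rather than an allowed one. As a point of style, the two locals named `_props` use the field-prefix convention on local variables, and the `configuredObjectType == null ?` test in getACLObjectProperties is unreachable because `isBrokerType(configuredObjectType)` already dereferenced that value on the branch guard.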
