Author: rgodfrey
Date: Wed Aug 3 21:45:58 2016
New Revision: 1755117
URL: http://svn.apache.org/viewvc?rev=1755117&view=rev
Log:
QPID-7318 : Ensure reload of ACL file causes update of policy
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/acl/ExchangeRestACLTest.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java?rev=1755117&r1=1755116&r2=1755117&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
Wed Aug 3 21:45:58 2016
@@ -234,7 +234,6 @@ public class BrokerImpl extends Abstract
{
super.postResolveChildren();
-
final SystemConfig parent = getParent(SystemConfig.class);
Runnable task = parent.getOnContainerResolveTask();
if(task != null)
@@ -242,6 +241,10 @@ public class BrokerImpl extends Abstract
task.run();
}
addChangeListener(_accessControlProviderListener);
+ for(AccessControlProvider aclProvider :
getChildren(AccessControlProvider.class))
+ {
+ aclProvider.addChangeListener(_accessControlProviderListener);
+ }
_eventLogger.message(BrokerMessages.CONFIG(parent instanceof
FileBasedSettings
?
((FileBasedSettings) parent).getStorePath()
: "N/A"));
Modified:
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java?rev=1755117&r1=1755116&r2=1755117&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
(original)
+++
qpid/java/trunk/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AclFileAccessControlProviderImpl.java
Wed Aug 3 21:45:58 2016
@@ -20,6 +20,7 @@
*/
package org.apache.qpid.server.security.access.plugins;
+import java.util.Collections;
import java.util.Map;
import org.apache.qpid.server.logging.messages.AccessControlMessages;
@@ -82,6 +83,9 @@ public class AclFileAccessControlProvide
try
{
recreateAccessController();
+ LOGGER.debug("Calling changeAttributes to try to force update");
+ // force the change listener to fire, causing the parent broker to
update its cache
+ changeAttributes(Collections.<String,Object>emptyMap());
getEventLogger().message(AccessControlMessages.LOADED(String.valueOf(getPath()).startsWith("data:")
? "data:..." : getPath()));
}
Modified:
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java?rev=1755117&r1=1755116&r2=1755117&view=diff
==============================================================================
---
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java
(original)
+++
qpid/java/trunk/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java
Wed Aug 3 21:45:58 2016
@@ -97,7 +97,7 @@ public abstract class AbstractACLTestCas
writeACLFileUtil(this, rules);
}
- public static void writeACLFileUtil(QpidBrokerTestCase testcase,
String...rules) throws IOException
+ public static String writeACLFileUtil(QpidBrokerTestCase testcase,
String...rules) throws IOException
{
File aclFile =
File.createTempFile(testcase.getClass().getSimpleName(), testcase.getName());
aclFile.deleteOnExit();
@@ -111,6 +111,7 @@ public abstract class AbstractACLTestCas
out.println(line);
}
out.close();
+ return aclFile.getCanonicalPath();
}
/**
Modified:
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/acl/ExchangeRestACLTest.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/acl/ExchangeRestACLTest.java?rev=1755117&r1=1755116&r2=1755117&view=diff
==============================================================================
---
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/acl/ExchangeRestACLTest.java
(original)
+++
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/acl/ExchangeRestACLTest.java
Wed Aug 3 21:45:58 2016
@@ -20,13 +20,20 @@
*/
package org.apache.qpid.systest.rest.acl;
+import static
org.apache.qpid.server.security.acl.AbstractACLTestCase.writeACLFileUtil;
+import static
org.apache.qpid.test.utils.TestBrokerConfiguration.ENTRY_NAME_ACL_FILE;
+
+import java.io.FileWriter;
import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet;
+import org.apache.qpid.server.model.AccessControlProvider;
import org.apache.qpid.server.model.Binding;
import org.apache.qpid.server.model.Exchange;
import org.apache.qpid.server.model.Queue;
@@ -38,30 +45,35 @@ public class ExchangeRestACLTest extends
{
private static final String ALLOWED_USER = "user1";
private static final String DENIED_USER = "user2";
+ private static final String ADMIN = "ADMIN";
+
private String _queueName;
private String _exchangeName;
private String _exchangeUrl;
+ private String _aclFilePath;
@Override
protected void customizeConfiguration() throws Exception
{
super.customizeConfiguration();
final TestBrokerConfiguration defaultBrokerConfiguration =
getDefaultBrokerConfiguration();
-
defaultBrokerConfiguration.configureTemporaryPasswordFile(ALLOWED_USER,
DENIED_USER);
+
defaultBrokerConfiguration.configureTemporaryPasswordFile(ALLOWED_USER,
DENIED_USER, ADMIN);
- AbstractACLTestCase.writeACLFileUtil(this, "ACL ALLOW-LOG ALL ACCESS
MANAGEMENT",
- "ACL ALLOW-LOG " + ALLOWED_USER + " CREATE QUEUE",
- "ACL ALLOW-LOG " + ALLOWED_USER + " CREATE EXCHANGE",
- "ACL DENY-LOG " + DENIED_USER + " CREATE EXCHANGE",
- "ACL ALLOW-LOG " + ALLOWED_USER + " UPDATE EXCHANGE",
- "ACL DENY-LOG " + DENIED_USER + " UPDATE EXCHANGE",
- "ACL ALLOW-LOG " + ALLOWED_USER + " DELETE EXCHANGE",
- "ACL DENY-LOG " + DENIED_USER + " DELETE EXCHANGE",
- "ACL ALLOW-LOG " + ALLOWED_USER + " BIND EXCHANGE",
- "ACL DENY-LOG " + DENIED_USER + " BIND EXCHANGE",
- "ACL ALLOW-LOG " + ALLOWED_USER + " UNBIND EXCHANGE",
- "ACL DENY-LOG " + DENIED_USER + " UNBIND EXCHANGE",
- "ACL DENY-LOG ALL ALL");
+ _aclFilePath = writeACLFileUtil(this,
+ "ACL ALLOW-LOG ALL ACCESS MANAGEMENT",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
CREATE QUEUE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
CREATE EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + "
CREATE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
UPDATE EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + "
UPDATE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
DELETE EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + "
DELETE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
BIND EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + " BIND
EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + "
UNBIND EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + "
UNBIND EXCHANGE",
+ "ACL ALLOW-LOG " + ADMIN + " ALL ALL",
+ "ACL DENY-LOG ALL ALL");
}
@Override
@@ -100,6 +112,56 @@ public class ExchangeRestACLTest extends
assertExchangeDoesNotExist();
}
+
+ public void testCreateExchangeAllowedAfterReload() throws Exception
+ {
+
+
+ getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER);
+
+ int responseCode = createExchange();
+ assertEquals("Exchange creation should be denied", 403, responseCode);
+
+ assertExchangeDoesNotExist();
+
+ overwriteAclFile("ACL ALLOW-LOG ALL ACCESS MANAGEMENT",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " CREATE QUEUE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " CREATE EXCHANGE",
+ "ACL ALLOW-LOG " + DENIED_USER + " CREATE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " UPDATE EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + " UPDATE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " DELETE EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + " DELETE EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " BIND EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + " BIND EXCHANGE",
+ "ACL ALLOW-LOG " + ALLOWED_USER + " UNBIND EXCHANGE",
+ "ACL DENY-LOG " + DENIED_USER + " UNBIND EXCHANGE",
+ "ACL ALLOW-LOG " + ADMIN + " ALL ALL",
+ "ACL DENY-LOG ALL ALL");
+ getRestTestHelper().setUsernameAndPassword(ADMIN, ADMIN);
+ getRestTestHelper().submitRequest("/api/latest/"
+ +
AccessControlProvider.class.getSimpleName().toLowerCase()
+ + "/" + ENTRY_NAME_ACL_FILE +
"/reload", "POST", Collections.emptyMap(), 200);
+ getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER);
+
+ responseCode = createExchange();
+ assertEquals("Exchange creation should be allowed", 201, responseCode);
+
+ assertExchangeExists();
+
+ }
+
+ private void overwriteAclFile(final String... rules) throws IOException
+ {
+ try(FileWriter fw = new FileWriter(_aclFilePath); PrintWriter out =
new PrintWriter(fw))
+ {
+ for(String line :rules)
+ {
+ out.println(line);
+ }
+ }
+ }
+
public void testDeleteExchangeAllowed() throws Exception
{
getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER);
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
