Repository: qpid-broker-j Updated Branches: refs/heads/master d0eb86938 -> 15d21c472
QPID-7904: [System Tests] Refactor messaging ACL tests to allow running them with AMQP 1.0 JMS Client Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/15d21c47 Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/15d21c47 Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/15d21c47 Branch: refs/heads/master Commit: 15d21c47210e6bb41805a4e0d38314594fde25bf Parents: d0eb869 Author: Alex Rudyy <[email protected]> Authored: Tue Sep 19 17:23:25 2017 +0100 Committer: Alex Rudyy <[email protected]> Committed: Tue Sep 19 17:23:25 2017 +0100 ---------------------------------------------------------------------- .../v1_0/AnonymousRelayDestination.java | 2 +- .../qpid/test/utils/ConnectionBuilder.java | 4 +- .../utils/QpidJmsClient0xConnectionBuilder.java | 15 + .../utils/QpidJmsClientConnectionBuilder.java | 7 + .../security/acl/AbstractACLTestCase.java | 150 +++-- .../security/acl/Amqp0xMessagingACLTest.java | 56 ++ .../server/security/acl/ExhaustiveACLTest.java | 217 ------- .../server/security/acl/ExternalACLTest.java | 562 ------------------- .../server/security/acl/MessagingACLTest.java | 498 ++++++++++++++++ .../qpid/systest/rest/acl/QueueRestACLTest.java | 6 +- test-profiles/Java10Excludes | 6 + test-profiles/Java10UninvestigatedTestsExcludes | 2 - 12 files changed, 650 insertions(+), 875 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AnonymousRelayDestination.java ---------------------------------------------------------------------- 
diff --git a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AnonymousRelayDestination.java b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AnonymousRelayDestination.java index fa83516..de7991c 100644 --- a/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AnonymousRelayDestination.java +++ b/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AnonymousRelayDestination.java @@ -99,7 +99,7 @@ public class AnonymousRelayDestination implements ReceivingDestination } else { - outcome = createdRejectedOutcome(AmqpError.NOT_FOUND, "Unknown destination '" + routingAddress + '"'); + outcome = createdRejectedOutcome(AmqpError.NOT_FOUND, "Unknown destination '" + routingAddress + "'"); } } else http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/main/java/org/apache/qpid/test/utils/ConnectionBuilder.java ---------------------------------------------------------------------- diff --git a/systests/src/main/java/org/apache/qpid/test/utils/ConnectionBuilder.java b/systests/src/main/java/org/apache/qpid/test/utils/ConnectionBuilder.java index 52d39c2..8390614 100644 --- a/systests/src/main/java/org/apache/qpid/test/utils/ConnectionBuilder.java +++ b/systests/src/main/java/org/apache/qpid/test/utils/ConnectionBuilder.java @@ -20,8 +20,6 @@ package org.apache.qpid.test.utils; -import java.util.Map; - import javax.jms.Connection; import javax.jms.JMSException; import javax.naming.NamingException; 
@@ -38,6 +36,8 @@ public interface ConnectionBuilder ConnectionBuilder setFailover(boolean enableFailover); ConnectionBuilder setFailoverReconnectAttempts(int reconnectAttempts); ConnectionBuilder setTls(boolean enableTls); + ConnectionBuilder setSyncPublish(boolean syncPublish); Connection build() throws NamingException, JMSException, URLSyntaxException; + } http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClient0xConnectionBuilder.java ---------------------------------------------------------------------- diff --git a/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClient0xConnectionBuilder.java b/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClient0xConnectionBuilder.java index 1db0927..5beaed8 100644 --- a/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClient0xConnectionBuilder.java +++ b/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClient0xConnectionBuilder.java @@ -33,6 +33,7 @@ import javax.naming.NamingException; import org.apache.qpid.client.AMQConnectionFactory; import org.apache.qpid.client.AMQConnectionURL; +import org.apache.qpid.jms.ConnectionURL; import org.apache.qpid.url.URLSyntaxException; public class QpidJmsClient0xConnectionBuilder implements ConnectionBuilder 
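Review bot: The new `setSyncPublish(boolean syncPublish)` declaration in ConnectionBuilder has no Javadoc, and the two implementations added later in this commit do not treat `false` the same way. QpidJmsClient0xConnectionBuilder removes `ConnectionURL.OPTIONS_SYNC_PUBLISH` from the options, which falls back to the client default, while QpidJmsClientConnectionBuilder always writes `jms.forceSyncSend` with the given value. The ACL tests presumably set it to true so that a broker-side denial of a publish reaches the sender as an exception; if that is the intent it belongs on the interface, for example `/** Requests synchronous publishing so that a broker rejection of a send is reported to the caller; false leaves the client's default behaviour. */`. It would also help to state whether `false` means "explicitly asynchronous" or "client default", so the two builders can be brought in line.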
@@ -103,6 +104,20 @@ public class QpidJmsClient0xConnectionBuilder implements ConnectionBuilder } @Override + public ConnectionBuilder setSyncPublish(final boolean syncPublish) + { + if (syncPublish) + { + _options.put(ConnectionURL.OPTIONS_SYNC_PUBLISH, "all"); + } + else + { + _options.remove(ConnectionURL.OPTIONS_SYNC_PUBLISH); + } + return this; + } + + @Override public Connection build() throws JMSException, NamingException, URLSyntaxException { Properties contextProperties = new Properties(); http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClientConnectionBuilder.java ---------------------------------------------------------------------- diff --git a/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClientConnectionBuilder.java b/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClientConnectionBuilder.java index 4ce5853..7420a14 100644 --- a/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClientConnectionBuilder.java +++ b/systests/src/main/java/org/apache/qpid/test/utils/QpidJmsClientConnectionBuilder.java @@ -109,6 +109,13 @@ public class QpidJmsClientConnectionBuilder implements ConnectionBuilder } @Override + public ConnectionBuilder setSyncPublish(final boolean syncPublish) + { + _options.put("jms.forceSyncSend", syncPublish); + return this; + } + + @Override public Connection build() throws NamingException, JMSException { final Hashtable<Object, Object> initialContextEnvironment = new Hashtable<>(); http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java ---------------------------------------------------------------------- diff --git a/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java b/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java index db5b0d9..ca66488 100644 
--- a/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java +++ b/systests/src/test/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java @@ -24,19 +24,19 @@ import java.io.IOException; import java.io.PrintWriter; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; -import java.util.concurrent.CountDownLatch; -import java.util.concurrent.TimeUnit; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; import javax.jms.Connection; -import javax.jms.ExceptionListener; import javax.jms.JMSException; +import javax.jms.Session; -import org.apache.qpid.AMQException; -import org.apache.qpid.client.AMQConnection; -import org.apache.qpid.jms.ConnectionListener; -import org.apache.qpid.server.protocol.ErrorCodes; import org.apache.qpid.test.utils.QpidBrokerTestCase; -import org.apache.qpid.util.AMQExceptionTestUtil; /** * Abstract test case for ACLs. @@ -44,13 +44,12 @@ import org.apache.qpid.util.AMQExceptionTestUtil; * This base class contains convenience methods to manage ACL files and implements a mechanism that allows each * test method to run its own setup code before the broker starts. * - * @see ExternalACLTest - * @see ExhaustiveACLTest + * @see MessagingACLTest */ -public abstract class AbstractACLTestCase extends QpidBrokerTestCase implements ConnectionListener +public abstract class AbstractACLTestCase extends QpidBrokerTestCase { - /** Used to synchronise {@link #tearDown()} when exceptions are thrown */ - protected CountDownLatch _exceptionReceived; + private Connection _adminConnection; + private Session _adminSession; @Override public void setUp() throws Exception 
@@ -74,20 +73,20 @@ public abstract class AbstractACLTestCase extends QpidBrokerTestCase implements } super.setUp(); + + _adminConnection = getConnection("test", "admin", "admin"); + _adminSession = _adminConnection.createSession(false, Session.AUTO_ACKNOWLEDGE); + _adminConnection.start(); } - @Override - public void tearDown() throws Exception + public Connection getAdminConnection() { - try - { - super.tearDown(); - } - catch (JMSException e) - { - //we're throwing this away as it can happen in this test as the state manager remembers exceptions - //that we provoked with authentication failures, where the test passes - we can ignore on con close - } + return _adminConnection; + } + + public Session getAdminSession() + { + return _adminSession; } public void writeACLFile(final String...rules) throws IOException 
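Review bot: setUp() now connects as `admin` with `getConnection("test", "admin", "admin")` right after `super.setUp()`, so every subclass must write an ACL file that grants admin access to the virtual host, or the test fails in setUp before its body runs. `writeACLFile(...)` is still public and adds no such rule, so a deny-only or admin-less rule set can no longer be exercised from this base class. A comment on setUp would make the requirement visible, for example `// Connects as admin once the broker is up: the ACL under test must allow it (see writeACLFileWithAdminSuperUser)`. The same hunk removes the tearDown() override and nothing visible closes `_adminConnection`; unless QpidBrokerTestCase tracks connections created through the builder, which is not visible here, it should be closed in a tearDown. setUp() starts outside this hunk.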
@@ -112,82 +111,59 @@ public abstract class AbstractACLTestCase extends QpidBrokerTestCase implements return aclFile.getCanonicalPath(); } - /** - * Creates a connection to the broker, and sets a connection listener to prevent failover and an exception listener - * with a {@link CountDownLatch} to synchronise in the {@link #check403Exception(Throwable)} method and allow the - * {@link #tearDown()} method to complete properly. - */ public Connection getConnection(String vhost, String username, String password) throws Exception { - AMQConnection connection = (AMQConnection) getConnection(createConnectionURL(vhost, username, password)); - - //Prevent Failover - connection.setConnectionListener(this); - - //QPID-2081: use a latch to sync on exception causing connection close, to work - //around the connection close race during tearDown() causing sporadic failures - _exceptionReceived = new CountDownLatch(1); - - connection.setExceptionListener(new ExceptionListener() - { - @Override - public void onException(JMSException e) - { - _exceptionReceived.countDown(); - } - }); - - return (Connection) connection; + return getConnectionBuilder().setFailover(false) + .setVirtualHost(vhost) + .setSyncPublish(true) + .setPassword(password) + .setUsername(username) + .build(); } - // Connection Listener Interface - Used here to block failover - - @Override - public void bytesSent(long count) + public void writeACLFileWithAdminSuperUser(String... rules) throws IOException { + List<String> newRules = new ArrayList<>(Arrays.asList(rules)); + newRules.add(0, "ACL ALLOW-LOG admin ALL ALL"); + writeACLFile(newRules.toArray(new String[newRules.size()])); } - @Override - public void bytesReceived(long count) - { - } - - @Override - public boolean preFailover(boolean redirect) - { - //Prevent failover. 
- return false; - } - - @Override - public boolean preResubscribe() + protected void createQueue(final String queueName) throws JMSException { - return false; + createEntityUsingAmqpManagement(queueName, getAdminSession(), "org.apache.qpid.Queue"); } - @Override - public void failoverComplete() + protected void bindExchangeToQueue(final String exchangeName, final String queueName) throws JMSException { + final Map<String, Object> bindingArguments = new HashMap<>(); + bindingArguments.put("destination", queueName); + bindingArguments.put("bindingKey", queueName); + + performOperationUsingAmqpManagement(exchangeName, + "bind", + getAdminSession(), + "org.apache.qpid.Exchange", + bindingArguments); } - private String createConnectionURL(String vhost, String username, String password) + protected void assertJMSExceptionMessageContains(final JMSException e, final String expectedMessage) { - String url = "amqp://" + username + ":" + password + "@clientid/" + vhost + "?brokerlist='" + getBrokerDetailsFromDefaultConnectionUrl() - + "?retries='0''"; - return url; - } - - /** - * Convenience method to validate a JMS exception with a linked {@link ErrorCodes#ACCESS_REFUSED} 403 error code exception. 
- */ - public void check403Exception(Throwable t) throws Exception - { - assertNotNull("There was no linked exception", t); - assertTrue("Wrong linked exception type : " + t.getClass(), t instanceof AMQException); - AMQExceptionTestUtil.assertAMQException("Incorrect error code received", 403, ((AMQException) t)); - - //use the latch to ensure the control thread waits long enough for the exception thread - //to have done enough to mark the connection closed before teardown commences - assertTrue("Timed out waiting for connection to report close", _exceptionReceived.await(2, TimeUnit.SECONDS)); + Set<Throwable> examined = new HashSet<>(); + Throwable current = e; + do + { + if (current.getMessage().contains(expectedMessage)) + { + return; + } + examined.add(current); + current = current.getCause(); + } + while (current != null && !examined.contains(current)); + e.printStackTrace(); + fail("Unexpected message. Root exception : " + + e.getMessage() + + " expected root or underlyings to contain : " + + expectedMessage); } } http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/server/security/acl/Amqp0xMessagingACLTest.java ---------------------------------------------------------------------- diff --git a/systests/src/test/java/org/apache/qpid/server/security/acl/Amqp0xMessagingACLTest.java b/systests/src/test/java/org/apache/qpid/server/security/acl/Amqp0xMessagingACLTest.java new file mode 100644 index 0000000..319c988 --- /dev/null +++ b/systests/src/test/java/org/apache/qpid/server/security/acl/Amqp0xMessagingACLTest.java 
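Review bot: In `assertJMSExceptionMessageContains`, the call `current.getMessage().contains(expectedMessage)` throws a NullPointerException when any exception in the cause chain has a null message, so the test fails with an NPE instead of the intended "Unexpected message" assertion. Guard the lookup with `final String message = current.getMessage();` followed by `if (message != null && message.contains(expectedMessage))`. The walk follows `getCause()` only; if a client attaches the broker error through `JMSException.getLinkedException()` without also setting it as the cause, the denial text would be missed, which is worth confirming for both client versions. `e.printStackTrace()` before `fail(...)` would read better as a logger call or as the cause of the assertion failure.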
@@ -0,0 +1,56 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the +* "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.qpid.server.security.acl; + +import javax.jms.Connection; +import javax.jms.Destination; +import javax.jms.JMSException; +import javax.jms.Session; + + +public class Amqp0xMessagingACLTest extends AbstractACLTestCase +{ + public void setUpCreateNamedQueueFailure() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client CREATE QUEUE name=\"ValidQueue\""); + } + + /* + * Legacy client creates the queue as part of consumer creation + */ + public void testCreateNamedQueueFailure() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + Destination dest = sess.createQueue("IllegalQueue"); + + try + { + sess.createConsumer(dest); + fail("Test failed as Queue creation succeeded."); + } + catch (JMSException e) + { + assertJMSExceptionMessageContains(e, "Permission CREATE is denied for : Queue"); + } + } + + +} http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java 
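Review bot: `testCreateNamedQueueFailure` checks only the denial path, and the expected text `"Permission CREATE is denied for : Queue"` matches any queue-create denial, so the test would still pass if the `name="ValidQueue"` rule were not applied at all and every CREATE were refused. If the broker message includes the queue name, which is not visible here, a second check such as `assertJMSExceptionMessageContains(e, "IllegalQueue");` would tie the denial to the right object. A companion assertion that the permitted name is accepted under the same ACL would show the rule is matched by name, unless MessagingACLTest already covers that. `conn` is never closed in the test; wrapping the body in `try { ... } finally { conn.close(); }` keeps the denied connection from lingering into the next test.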
----------------------------------------------------------------------
diff --git a/systests/src/test/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java b/systests/src/test/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java
deleted file mode 100644
index f8b9feb..0000000
--- a/systests/src/test/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java
+++ /dev/null
@@ -1,217 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.qpid.server.security.acl; - -import javax.jms.Connection; -import javax.jms.MessageConsumer; -import javax.jms.Queue; -import javax.jms.Session; - -import org.apache.qpid.QpidException; -import org.apache.qpid.AMQException; -import org.apache.qpid.client.AMQSession; -import org.apache.qpid.configuration.ClientProperties; -import org.apache.qpid.server.protocol.ErrorCodes; -import org.apache.qpid.util.AMQExceptionTestUtil; - -/** - * ACL version 2/3 file testing to verify that ACL entries control queue creation with specific properties. - * - * Tests have their own ACL files that setup specific permissions, and then try to create queues with every possible combination - * of properties to show that rule matching works correctly. For example, a rule that specified {@code autodelete="true"} for - * queues with {@code name="temp.true.*"} as well should not affect queues that have names that do not match, or queues that - * are not autodelete, or both. Also checks that ACL entries only affect the specified users and virtual hosts. - */ -public class ExhaustiveACLTest extends AbstractACLTestCase -{ - - /** - * Creates a queue. 
- * - * Connects to the broker as a particular user and create the named queue on a virtual host, with the provided - * parameters. Uses a new {@link Connection} and {@link Session} and closes them afterwards. - */ - private void createQueue(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception - { - Connection conn = getConnection(vhost, user, "guest"); - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - conn.start(); - ((AMQSession<?, ?>) sess).createQueue(name, autoDelete, durable, false); - sess.commit(); - conn.close(); - } - - /** - * Calls {@link #createQueue(String, String, String, boolean, boolean)} with the provided parameters and checks that - * no exceptions were thrown. - */ - private void createQueueSuccess(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception - { - try - { - createQueue(vhost, user, name, autoDelete, durable); - } - catch (QpidException e) - { - fail(String.format("Create queue should have worked for \"%s\" for user %s@%s, autoDelete=%s, durable=%s", - name, user, vhost, Boolean.toString(autoDelete), Boolean.toString(durable))); - } - } - - /** - * Calls {@link #createQueue(String, String, String, boolean, boolean)} with the provided parameters and checks that - * the exception thrown was an {@link ErrorCodes#ACCESS_REFUSED} or 403 error code. 
- */ - private void createQueueFailure(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception - { - try - { - createQueue(vhost, user, name, autoDelete, durable); - fail(String.format("Create queue should have failed for \"%s\" for user %s@%s, autoDelete=%s, durable=%s", - name, user, vhost, Boolean.toString(autoDelete), Boolean.toString(durable))); - } - catch (AMQException e) - { - AMQExceptionTestUtil.assertAMQException("Should be an ACCESS_REFUSED error", 403, e); - } - } - - public void setUpAuthoriseCreateQueueAutodelete() throws Exception - { - writeACLFile("acl allow client access virtualhost", - "acl allow server access virtualhost", - "acl allow client create queue name=\"temp.true.*\" autodelete=true", - "acl allow client create queue name=\"temp.false.*\" autodelete=false", - "acl deny client create queue", - "acl allow client delete queue", - "acl deny all create queue" - ); - } - - /** - * Test creation of temporary queues, with the autodelete property set to true. 
- */ - public void testAuthoriseCreateQueueAutodelete() throws Exception - { - createQueueSuccess("test", "client", "temp.true.00", true, false); - createQueueSuccess("test", "client", "temp.true.01", true, false); - createQueueSuccess("test", "client", "temp.true.02", true, true); - createQueueSuccess("test", "client", "temp.false.03", false, false); - createQueueSuccess("test", "client", "temp.false.04", false, false); - createQueueSuccess("test", "client", "temp.false.05", false, true); - createQueueFailure("test", "client", "temp.true.06", false, false); - createQueueFailure("test", "client", "temp.false.07", true, false); - createQueueFailure("test", "server", "temp.true.08", true, false); - createQueueFailure("test", "client", "temp.other.09", false, false); - } - - - public void setUpAuthoriseQueueAutodeleteDeleteByOther() throws Exception - { - writeACLFile("acl allow client access virtualhost", - "acl allow server access virtualhost", - "acl allow client create queue name=\"temp.true.*\" autodelete=true", - "acl allow server consume queue name=\"temp.true.*\"", - "acl allow server bind exchange", - "acl deny client create queue", - "acl allow client delete queue", - "acl deny all create queue" - ); - } - /** - * Test creation of temporary queues, with the autodelete property and then autodeleted. 
- */ - public void testAuthoriseQueueAutodeleteDeleteByOther() throws Exception - { - // stop the consumer trying to redeclare the queue - setTestSystemProperty(ClientProperties.QPID_DECLARE_QUEUES_PROP_NAME, "false"); - - // create a temp queue as use client - createQueueSuccess("test", "client", "temp.true.00", true, false); - - // consume from temp queue as user server - Connection conn = getConnection("test", "server", "guest"); - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - Queue queue = sess.createQueue("temp.true.00"); - MessageConsumer cons = sess.createConsumer(queue); - cons.close(); - sess.close(); - - sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - - // test if the queue is bound to the default exchange - assertFalse(((AMQSession)sess).isQueueBound("","temp.true.00","temp.true.00",null)); - sess.close(); - - conn.close(); - - - } - - public void setUpAuthoriseCreateQueue() throws Exception - { - writeACLFile("acl allow client access virtualhost", - "acl allow server access virtualhost", - "acl allow client create queue name=\"create.*\"" - ); - } - - /** - * Tests creation of named queues. 
- * - * If a named queue is specified - */ - public void testAuthoriseCreateQueue() throws Exception - { - createQueueSuccess("test", "client", "create.00", true, true); - createQueueSuccess("test", "client", "create.01", true, false); - createQueueSuccess("test", "client", "create.02", false, true); - createQueueSuccess("test", "client", "create.03", true, false); - createQueueFailure("test", "server", "create.04", true, true); - createQueueFailure("test", "server", "create.05", true, false); - createQueueFailure("test", "server", "create.06", false, true); - createQueueFailure("test", "server", "create.07", true, false); - } - - public void setUpAuthoriseCreateQueueBoth() throws Exception - { - writeACLFile("acl allow all access virtualhost", - "acl allow client create queue name=\"create.*\"", - "acl allow all create queue temporary=true" - ); - } - - /** - * Tests creation of named queues. - * - * If a named queue is specified - */ - public void testAuthoriseCreateQueueBoth() throws Exception - { - createQueueSuccess("test", "client", "create.00", true, false); - createQueueSuccess("test", "client", "create.01", false, false); - createQueueFailure("test", "server", "create.02", false, false); - createQueueFailure("test", "guest", "create.03", false, false); - createQueueSuccess("test", "client", "tmp.00", true, false); - createQueueSuccess("test", "server", "tmp.01", true, false); - createQueueSuccess("test", "guest", "tmp.02", true, false); - } -} http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java ---------------------------------------------------------------------- diff --git a/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java b/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java deleted file mode 100644 index b0de341..0000000 
--- a/systests/src/test/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
+++ /dev/null
@@ -1,562 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the -* "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.qpid.server.security.acl; - -import javax.jms.Connection; -import javax.jms.Destination; -import javax.jms.JMSException; -import javax.jms.Message; -import javax.jms.MessageConsumer; -import javax.jms.MessageProducer; -import javax.jms.Queue; -import javax.jms.Session; -import javax.jms.TextMessage; -import javax.jms.Topic; -import javax.jms.TopicSubscriber; -import javax.naming.NamingException; - -import org.apache.qpid.QpidException; -import org.apache.qpid.AMQException; -import org.apache.qpid.client.AMQDestination; -import org.apache.qpid.client.AMQSession; -import org.apache.qpid.server.protocol.ErrorCodes; -import org.apache.qpid.url.URLSyntaxException; -import org.apache.qpid.util.AMQExceptionTestUtil; - -/** - * Tests the V2 ACLs. The tests perform basic AMQP operations like creating queues or exchanges and publishing and consuming messages, using - * JMS to contact the broker. 
- */ -public class ExternalACLTest extends AbstractACLTestCase -{ - - public void setUpAccessAuthorizedSuccess() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST"); - } - - public void testAccessAuthorizedSuccess() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - conn.close(); - } - - public void setUpAccessNoRightsFailure() throws Exception - { - writeACLFile("ACL DENY-LOG client ACCESS VIRTUALHOST"); - } - - public void testAccessNoRightsFailure() throws Exception - { - try - { - getConnection("test", "client", "guest"); - fail("Connection was created."); - } - catch (JMSException e) - { - assertAccessDeniedException(e); - } - } - - private void assertAccessDeniedException(JMSException e) throws Exception - { - assertEquals("Unexpected exception message", "Error creating connection: Permission ACTION(connect) is denied for : VirtualHost 'test' on VirtualHostNode 'test'", e.getMessage()); - - // JMSException -> linkedException -> cause = AMQException (403 or 320) - Exception linkedException = e.getLinkedException(); - assertNotNull("There was no linked exception", linkedException); - Throwable cause = linkedException.getCause(); - assertNotNull("Cause was null", cause); - assertTrue("Wrong linked exception type", cause instanceof QpidException); - int errorCode = isBroker010() ? 
ErrorCodes.CONNECTION_FORCED : ErrorCodes.ACCESS_REFUSED; - AMQExceptionTestUtil.assertAMQException("Incorrect error code received", errorCode, (AMQException)cause); - } - - public void setUpAccessVirtualHostWithName() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST name='test'", "ACL DENY-LOG guest ACCESS VIRTUALHOST name='test'", - "ACL ALLOW-LOG server ACCESS VIRTUALHOST name='*'"); - } - - public void testAccessVirtualHostWithName() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - conn.close(); - - try - { - getConnection("test", "guest", "guest"); - fail("Access should be denied"); - } - catch (JMSException e) - { - assertAccessDeniedException(e); - } - - Connection conn2 = getConnection("test", "server", "guest"); - conn2.close(); - } - - public void setUpClientCreateVirtualHostQueue() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE virtualhost_name='test'", - "ACL ALLOW-LOG client CONSUME QUEUE", - "ACL ALLOW-LOG client BIND EXCHANGE", - "ACL ALLOW-LOG guest ACCESS VIRTUALHOST", - "ACL DENY-LOG guest CREATE QUEUE virtualhost_name='test'"); - } - - public void testClientCreateVirtualHostQueue() throws NamingException, JMSException, QpidException, Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - Destination dest = sess.createQueue(getTestQueueName()); - sess.createConsumer(dest); - conn.close(); - - try - { - conn = getConnection("test", "guest", "guest"); - sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - sess.createConsumer(dest); - - fail("Queue creation for user 'guest' is denied"); - } - catch (JMSException e) - { - check403Exception(e.getLinkedException()); - } - } - - - public void setUpClientDeleteQueueSuccess() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG 
client CREATE QUEUE durable=\"true\"", - "ACL ALLOW-LOG client CONSUME QUEUE name=\"clientid:kipper\"" , - "ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.topic\" durable=true routingKey=kipper", - "ACL ALLOW-LOG client DELETE QUEUE durable=\"true\"", - "ACL ALLOW-LOG client UNBIND EXCHANGE name=\"amq.topic\" durable=true routingKey=kipper"); - } - - public void testClientDeleteQueueSuccess() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - conn.start(); - - // create kipper - Topic kipper = sess.createTopic("kipper"); - TopicSubscriber subscriber = sess.createDurableSubscriber(kipper, "kipper"); - - subscriber.close(); - sess.unsubscribe("kipper"); - - //Do something to show connection is active. - sess.rollback(); - conn.close(); - } - - - public void setUpClientDeleteQueueFailure() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE durable=\"true\"", - "ACL ALLOW-LOG client CONSUME QUEUE name=\"clientid:kipper\"" , - "ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.topic\" durable=true routingKey=kipper", - "ACL DENY-LOG client DELETE QUEUE durable=\"true\"", - "ACL DENY-LOG client UNBIND EXCHANGE name=\"amq.topic\" durable=true routingKey=kipper"); - } - - public void testClientDeleteQueueFailure() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - conn.start(); - - // create kipper - Topic kipper = sess.createTopic("kipper"); - TopicSubscriber subscriber = sess.createDurableSubscriber(kipper, "kipper"); - - subscriber.close(); - try - { - sess.unsubscribe("kipper"); - - //Do something to show connection is active. 
- sess.rollback(); - - fail("Exception was not thrown"); - } - catch (JMSException e) - { - // JMSException -> linedException = AMQException.403 - check403Exception(e.getLinkedException()); - } - } - - - public void testClientConsumeFromTempQueueSuccess() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - - conn.start(); - - sess.createConsumer(sess.createTemporaryQueue()); - } - - public void setUpClientConsumeFromNamedQueueValid() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE name=\"example.RequestQueue\"", - "ACL ALLOW-LOG client CONSUME QUEUE name=\"example.RequestQueue\"" , - "ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); - } - - - public void testClientConsumeFromNamedQueueValid() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - - conn.start(); - - sess.createConsumer(sess.createQueue("example.RequestQueue")); - } - - public void setUpClientConsumeFromNamedQueueFailure() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE", - "ACL ALLOW-LOG client BIND EXCHANGE" , - "ACL DENY-LOG client CONSUME QUEUE name=\"IllegalQueue\""); - } - - public void testClientConsumeFromNamedQueueFailure() throws NamingException, Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - Destination dest = sess.createQueue("IllegalQueue"); - - try - { - sess.createConsumer(dest); - - fail("Test failed as consumer was created."); - } - catch (JMSException e) - { - check403Exception(e.getLinkedException()); - } - } - - public void setUpClientCreateTemporaryQueueSuccess() throws Exception - { 
- writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE temporary=\"true\"", - "ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" temporary=true" , - "ACL ALLOW-LOG client DELETE QUEUE temporary=\"true\"", - "ACL ALLOW-LOG client UNBIND EXCHANGE name=\"amq.direct\" temporary=true"); - } - - public void testClientCreateTemporaryQueueSuccess() throws JMSException, URLSyntaxException, Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - - sess.createTemporaryQueue(); - conn.close(); - } - - public void setUpClientCreateTemporaryQueueFailed() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL DENY-LOG client CREATE QUEUE temporary=\"true\""); - } - - public void testClientCreateTemporaryQueueFailed() throws NamingException, Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - - try - { - - session.createTemporaryQueue(); - - fail("Test failed as creation succeded."); - } - catch (JMSException e) - { - check403Exception(e.getLinkedException()); - } - } - - public void setUpClientCreateNamedQueueFailure() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE name=\"ValidQueue\""); - } - - public void testClientCreateNamedQueueFailure() throws NamingException, JMSException, QpidException, Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); - conn.start(); - Destination dest = sess.createQueue("IllegalQueue"); - - try - { - //Create a Named Queue as side effect - sess.createConsumer(dest); - fail("Test failed as Queue creation succeded."); - } - catch (JMSException e) - { - check403Exception(e.getLinkedException()); - } - 
} - - public void setUpClientPublishUsingTransactionSuccess() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE", - "ACL ALLOW-LOG client BIND EXCHANGE" , - "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); - } - - public void testClientPublishUsingTransactionSuccess() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - - conn.start(); - - Queue queue = sess.createQueue("example.RequestQueue"); - - ((AMQSession<?,?>)sess).declareAndBind((AMQDestination)queue); - - MessageProducer sender = sess.createProducer(queue); - - sender.send(sess.createTextMessage("test")); - - //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. - sess.commit(); - - conn.close(); - } - - public void setUpRequestResponseSuccess() throws Exception - { - // The group "messaging-users", referenced in the ACL below, is currently defined - // in broker/etc/groups-systests. - // We tolerate a dependency from this test to that file because its - // contents are expected to change rarely. 
- - writeACLFile("ACL ALLOW-LOG messaging-users ACCESS VIRTUALHOST", "# Server side", - "ACL ALLOW-LOG server CREATE QUEUE name=\"example.RequestQueue\"", - "ACL ALLOW-LOG server BIND EXCHANGE" , - "ACL ALLOW-LOG server PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"TempQueue*\"", - "ACL ALLOW-LOG server CONSUME QUEUE name=\"example.RequestQueue\"", - "# Client side", - "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\"", - "ACL ALLOW-LOG client CONSUME QUEUE temporary=true", - "ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" temporary=true", - "ACL ALLOW-LOG client UNBIND EXCHANGE name=\"amq.direct\" temporary=true", - "ACL ALLOW-LOG client CREATE QUEUE temporary=true", - "ACL ALLOW-LOG client DELETE QUEUE temporary=true"); - } - - - public void testRequestResponseSuccess() throws Exception - { - //Set up the Server - Connection serverConnection = getConnection("test", "server", "guest"); - Session serverSession = serverConnection.createSession(true, Session.SESSION_TRANSACTED); - Queue requestQueue = serverSession.createQueue("example.RequestQueue"); - MessageConsumer server = serverSession.createConsumer(requestQueue); - serverConnection.start(); - - //Set up the consumer - Connection clientConnection = getConnection("test", "client", "guest"); - Session clientSession = clientConnection.createSession(true, Session.SESSION_TRANSACTED); - Queue responseQueue = clientSession.createTemporaryQueue(); - MessageConsumer clientResponse = clientSession.createConsumer(responseQueue); - clientConnection.start(); - - // Client - Message request = clientSession.createTextMessage("Request"); - request.setJMSReplyTo(responseQueue); - - clientSession.createProducer(requestQueue).send(request); - clientSession.commit(); - - // Server - Message msg = server.receive(2000); - assertNotNull("Server should have received client's request", msg); - assertNotNull("Received msg should have Reply-To", msg.getJMSReplyTo()); - - 
MessageProducer sender = serverSession.createProducer(msg.getJMSReplyTo()); - sender.send(serverSession.createTextMessage("Response")); - serverSession.commit(); - - // Client - Message clientResponseMsg = clientResponse.receive(2000); - clientSession.commit(); - assertNotNull("Client did not receive response message,", clientResponseMsg); - assertEquals("Incorrect message received", "Response", ((TextMessage) clientResponseMsg).getText()); - } - - public void setUpClientDeleteQueueSuccessWithOnlyAllPermissions() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client ALL QUEUE", - "ACL ALLOW-LOG client ALL EXCHANGE"); - } - - public void testClientDeleteQueueSuccessWithOnlyAllPermissions() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - conn.start(); - - // create kipper - String topicName = "kipper"; - Topic topic = sess.createTopic(topicName); - TopicSubscriber subscriber = sess.createDurableSubscriber(topic, topicName); - - subscriber.close(); - sess.unsubscribe(topicName); - - //Do something to show connection is active. 
- sess.rollback(); - conn.close(); - } - - public void setUpFirewallAllow() throws Exception - { - writeACLFile("ACL ALLOW client ACCESS VIRTUALHOST from_network=\"127.0.0.1\""); - } - - public void testFirewallAllow() throws Exception - { - getConnection("test", "client", "guest"); - // test pass because we successfully connected - } - - public void setUpFirewallDeny() throws Exception - { - writeACLFile("ACL DENY client ACCESS VIRTUALHOST from_network=\"127.0.0.1\""); - } - - public void testFirewallDeny() throws Exception - { - try - { - getConnection("test", "client", "guest"); - fail("We expected the connection to fail"); - } - catch(JMSException e) - { - // pass - } - } - - - public void setUpClientPublishToAnonymousSuccess() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE", - "ACL ALLOW-LOG client BIND EXCHANGE" , - "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"\" routingKey=\"example.RequestQueue\"", - "ACL DENY-LOG ALL ALL"); - } - - public void testClientPublishToAnonymousSuccess() throws Exception - { - Connection conn = getConnection("test", "client", "guest"); - - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - - conn.start(); - - Queue queue = sess.createQueue("example.RequestQueue"); - - ((AMQSession<?,?>)sess).declareAndBind((AMQDestination)queue); - - MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue")); - - sender.send(sess.createTextMessage("test")); - - //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. 
- sess.commit(); - - conn.close(); - } - - - - public void setUpClientPublishToAnonymousFailure() throws Exception - { - writeACLFile("ACL ALLOW-LOG client ACCESS VIRTUALHOST", - "ACL ALLOW-LOG client CREATE QUEUE", - "ACL ALLOW-LOG client BIND EXCHANGE", - "ACL DENY-LOG ALL ALL"); - } - - public void testClientPublishToAnonymousFailure() throws Exception - { - try - { - Connection conn = getConnection("test", "client", "guest"); - - Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); - - conn.start(); - - Queue queue = sess.createQueue("example.RequestQueue"); - - ((AMQSession<?, ?>) sess).declareAndBind((AMQDestination) queue); - - MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue")); - - sender.send(sess.createTextMessage("test")); - - //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. - sess.commit(); - - fail("Sending to the anonymousExchange without permission should fail"); - } - catch (JMSException e) - { - assertEquals("403",e.getErrorCode()); - } - } - - -} http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java ---------------------------------------------------------------------- diff --git a/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java b/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java new file mode 100644 index 0000000..1855d04 --- /dev/null +++ b/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java 
@@ -0,0 +1,498 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the +* "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.qpid.server.security.acl; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import javax.jms.Connection; +import javax.jms.Destination; +import javax.jms.JMSException; +import javax.jms.Message; +import javax.jms.MessageConsumer; +import javax.jms.MessageProducer; +import javax.jms.Queue; +import javax.jms.Session; +import javax.jms.TemporaryQueue; +import javax.jms.TextMessage; + + +public class MessagingACLTest extends AbstractACLTestCase +{ + + public void setUpAccessAuthorizedSuccess() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST"); + } + + public void testAccessAuthorizedSuccess() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + conn.close(); + } + + public void setUpAccessNoRightsFailure() throws Exception + { + writeACLFileWithAdminSuperUser("ACL DENY-LOG client ACCESS VIRTUALHOST"); + } + + public void testAccessNoRightsFailure() throws Exception + { + try + { + getConnection("test", "client", "guest"); + fail("Connection was created."); + } + catch (JMSException e) + { + 
assertAccessDeniedException(e); + } + } + + private void assertAccessDeniedException(JMSException e) throws Exception + { + assertTrue("Unexpected exception message:" + e.getMessage(), + e.getMessage().contains("Permission ACTION(connect) is denied")); + } + + public void setUpAccessVirtualHostWithName() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST name='test'", + "ACL DENY-LOG guest ACCESS VIRTUALHOST name='test'", + "ACL ALLOW-LOG server ACCESS VIRTUALHOST name='*'"); + } + + public void testAccessVirtualHostWithName() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + conn.close(); + + try + { + getConnection("test", "guest", "guest"); + fail("Access should be denied"); + } + catch (JMSException e) + { + assertAccessDeniedException(e); + } + + Connection conn2 = getConnection("test", "server", "guest"); + conn2.close(); + } + + public void setUpConsumeFromTempQueueSuccess() throws Exception + { + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client CREATE QUEUE temporary=\"true\"", + "ACL ALLOW-LOG client CONSUME QUEUE temporary=\"true\"")); + if (!isBroker10()) + { + rules.add("ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + public void testConsumeFromTempQueueSuccess() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + conn.start(); + + sess.createConsumer(sess.createTemporaryQueue()); + } + + public void setUpConsumeFromTempQueueFailure() throws Exception + { + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client CREATE QUEUE temporary=\"true\"", + "ACL DENY-LOG client CONSUME QUEUE temporary=\"true\"")); + if (!isBroker10()) + { + rules.add("ACL 
ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + public void testConsumeFromTempQueueFailure() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + conn.start(); + + TemporaryQueue temporaryQueue = sess.createTemporaryQueue(); + try + { + sess.createConsumer(temporaryQueue); + fail("Exception is not thrown"); + } + catch (JMSException e) + { + assertJMSExceptionMessageContains(e, + isBrokerPre010() + ? "Cannot subscribe to queue" + : "Permission CREATE is denied for : Consumer"); + } + } + + public void setUpConsumeFromNamedQueueValid() throws Exception + { + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client CONSUME QUEUE name=\"example.RequestQueue\"")); + if (!isBroker10()) + { + rules.add("ACL ALLOW-LOG client CREATE QUEUE name=\"example.RequestQueue\""); + rules.add("ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + + public void testConsumeFromNamedQueueValid() throws Exception + { + final String testQueueName = "example.RequestQueue"; + createQueue(testQueueName); + + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + conn.start(); + + Queue queue = createTestQueue(sess, testQueueName); + + sess.createConsumer(queue); + } + + public void setUpConsumeFromNamedQueueFailure() throws Exception + { + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL DENY-LOG client CONSUME QUEUE name=\"example.RequestQueue\"")); + if (!isBroker10()) + { + rules.add("ACL ALLOW-LOG client CREATE QUEUE name=\"example.RequestQueue\""); + rules.add("ACL ALLOW-LOG 
client BIND EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + public void testConsumeFromNamedQueueFailure() throws Exception + { + String testQueueName = "example.RequestQueue"; + createQueue(testQueueName); + + Connection conn = getConnection("test", "client", "guest"); + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + conn.start(); + + Destination dest = sess.createQueue(testQueueName); + + try + { + sess.createConsumer(dest); + + fail("Test failed as consumer was created."); + } + catch (JMSException e) + { + assertJMSExceptionMessageContains(e, + isBrokerPre010() + ? "Cannot subscribe to queue" + : "Permission CREATE is denied for : Consumer"); + } + } + + + public void setUpCreateTemporaryQueueSuccess() throws Exception + { + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client CREATE QUEUE temporary=\"true\"")); + if (!isBroker10()) + { + rules.add("ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" temporary=true"); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + public void testCreateTemporaryQueueSuccess() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + sess.createTemporaryQueue(); + conn.close(); + } + + public void setUpCreateTemporaryQueueFailed() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL DENY-LOG client CREATE QUEUE temporary=\"true\""); + } + + public void testCreateTemporaryQueueFailed() throws Exception + { + Connection conn = getConnection("test", "client", "guest"); + Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + conn.start(); + + try + { + + session.createTemporaryQueue(); + + fail("Test failed as creation succeeded."); 
+ } + catch (JMSException e) + { + assertJMSExceptionMessageContains(e, "Permission CREATE is denied for : Queue"); + } + } + + public void setUpPublishUsingTransactionSuccess() throws Exception + { + List<String> rules = new ArrayList<>(); + rules.add("ACL ALLOW-LOG client ACCESS VIRTUALHOST"); + + if (isBroker10()) + { + rules.add("ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"\" routingKey=\"example.RequestQueue\""); + } + else + { + rules.add("ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + public void testPublishUsingTransactionSuccess() throws Exception + { + String queueName = "example.RequestQueue"; + createQueue(queueName); + + bindExchangeToQueue("amq.direct", queueName); + + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); + + Queue queue = sess.createQueue(queueName); + + MessageProducer sender = sess.createProducer(queue); + + sender.send(sess.createTextMessage("test")); + + //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. + sess.commit(); + + conn.close(); + } + + public void setUpPublishToExchangeUsingTransactionSuccess() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); + } + + public void testPublishToExchangeUsingTransactionSuccess() throws Exception + { + String queueName = "example.RequestQueue"; + createQueue(queueName); + bindExchangeToQueue("amq.direct", queueName); + + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); + + Queue queue = sess.createQueue(isBroker10() ? 
("amq.direct/" + queueName) : ("ADDR:amq.direct/" + queueName)); + + MessageProducer sender = sess.createProducer(queue); + + sender.send(sess.createTextMessage("test")); + + //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. + sess.commit(); + + conn.close(); + } + + public void setUpRequestResponseSuccess() throws Exception + { + // The group "messaging-users", referenced in the ACL below, is currently defined + // in broker/etc/groups-systests. + // We tolerate a dependency from this test to that file because its + // contents are expected to change rarely. + + List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG messaging-users ACCESS VIRTUALHOST", + "# Server side", + "ACL ALLOW-LOG server CONSUME QUEUE name=\"example.RequestQueue\"", + "# Client side", + "ACL ALLOW-LOG client CONSUME QUEUE temporary=true", + "ACL ALLOW-LOG client CREATE QUEUE temporary=true")); + if (isBroker10()) + { + rules.add("ACL ALLOW-LOG server PUBLISH EXCHANGE name=\"\" routingKey=\"TempQueue*\""); + rules.add("ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"\" routingKey=\"example.RequestQueue\""); + } + else + { + rules.add("ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.direct\" temporary=true"); + rules.add("ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"example.RequestQueue\""); + + rules.add("ACL ALLOW-LOG server CREATE QUEUE name=\"example.RequestQueue\""); + rules.add("ACL ALLOW-LOG server BIND EXCHANGE"); + rules.add("ACL ALLOW-LOG server PUBLISH EXCHANGE name=\"amq.direct\" routingKey=\"TempQueue*\""); + } + writeACLFileWithAdminSuperUser(rules.toArray(new String[rules.size()])); + } + + + public void testRequestResponseSuccess() throws Exception + { + String queueName = "example.RequestQueue"; + createQueue(queueName); + + //Set up the Server + Connection serverConnection = getConnection("test", "server", "guest"); + Session serverSession = serverConnection.createSession(true, 
Session.SESSION_TRANSACTED); + Queue requestQueue = serverSession.createQueue(queueName); + MessageConsumer server = serverSession.createConsumer(requestQueue); + serverConnection.start(); + + //Set up the consumer + Connection clientConnection = getConnection("test", "client", "guest"); + Session clientSession = clientConnection.createSession(true, Session.SESSION_TRANSACTED); + Queue responseQueue = clientSession.createTemporaryQueue(); + MessageConsumer clientResponse = clientSession.createConsumer(responseQueue); + clientConnection.start(); + + // Client + Message request = clientSession.createTextMessage("Request"); + request.setJMSReplyTo(responseQueue); + + clientSession.createProducer(requestQueue).send(request); + clientSession.commit(); + + // Server + Message msg = server.receive(getReceiveTimeout()); + assertNotNull("Server should have received client's request", msg); + assertNotNull("Received msg should have Reply-To", msg.getJMSReplyTo()); + + MessageProducer sender = serverSession.createProducer(msg.getJMSReplyTo()); + sender.send(serverSession.createTextMessage("Response")); + serverSession.commit(); + + // Client + Message clientResponseMsg = clientResponse.receive(getReceiveTimeout()); + clientSession.commit(); + assertNotNull("Client did not receive response message,", clientResponseMsg); + assertEquals("Incorrect message received", "Response", ((TextMessage) clientResponseMsg).getText()); + } + + public void setUpFirewallAllow() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW client ACCESS VIRTUALHOST from_network=\"127.0.0.1\""); + } + + public void testFirewallAllow() throws Exception + { + getConnection("test", "client", "guest"); + } + + public void setUpFirewallDeny() throws Exception + { + writeACLFileWithAdminSuperUser("ACL DENY client ACCESS VIRTUALHOST from_network=\"127.0.0.1\""); + } + + public void testFirewallDeny() throws Exception + { + try + { + getConnection("test", "client", "guest"); + fail("We expected the 
connection to fail"); + } + catch (JMSException e) + { + // pass + } + } + + + public void setUpPublishToDefaultExchangeSuccess() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL ALLOW-LOG client PUBLISH EXCHANGE name=\"\" routingKey=\"example.RequestQueue\"", + "ACL DENY-LOG ALL ALL"); + } + + public void testPublishToDefaultExchangeSuccess() throws Exception + { + String queueName = "example.RequestQueue"; + createQueue(queueName); + + Connection conn = getConnection("test", "client", "guest"); + + Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); + + MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue")); + + sender.send(sess.createTextMessage("test")); + + //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. + sess.commit(); + + conn.close(); + } + + + public void setUpPublishToDefaultExchangeFailure() throws Exception + { + writeACLFileWithAdminSuperUser("ACL ALLOW-LOG client ACCESS VIRTUALHOST", + "ACL DENY-LOG ALL ALL"); + } + + public void testPublishToDefaultExchangeFailure() throws Exception + { + String queueName = "example.RequestQueue"; + createQueue(queueName); + + try + { + Connection conn = getConnection("test", "client", "guest"); + Session sess = conn.createSession(true, Session.SESSION_TRANSACTED); + + MessageProducer sender = sess.createProducer(sess.createQueue("ADDR: example.RequestQueue")); + + sender.send(sess.createTextMessage("test")); + + //Send the message using a transaction as this will allow us to retrieve any errors that occur on the broker. 
+ sess.commit(); + + fail("Sending to the anonymousExchange without permission should fail"); + } + catch (JMSException e) + { + assertJMSExceptionMessageContains(e, "Access denied to publish to default exchange"); + } + } +} http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/systests/src/test/java/org/apache/qpid/systest/rest/acl/QueueRestACLTest.java ---------------------------------------------------------------------- diff --git a/systests/src/test/java/org/apache/qpid/systest/rest/acl/QueueRestACLTest.java b/systests/src/test/java/org/apache/qpid/systest/rest/acl/QueueRestACLTest.java index 575ae6f..c366898 100644 --- a/systests/src/test/java/org/apache/qpid/systest/rest/acl/QueueRestACLTest.java +++ b/systests/src/test/java/org/apache/qpid/systest/rest/acl/QueueRestACLTest.java @@ -128,8 +128,7 @@ public class QueueRestACLTest extends QpidRestTestCase attributes.put(Queue.NAME, _queueName); attributes.put(Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES, 100000); - responseCode = getRestTestHelper().submitRequest(_queueUrl, "PUT", attributes); - assertEquals("Setting of queue attribites should be allowed", 200, responseCode); + getRestTestHelper().submitRequest(_queueUrl, "PUT", attributes, HttpServletResponse.SC_OK); Map<String, Object> queueData = getRestTestHelper().getJsonAsMap(_queueUrl); assertEquals("Unexpected " + Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES, 100000, queueData.get(Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES)); 
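Review bot: testFirewallDeny in the new MessagingACLTest accepts any JMSException, because its catch block holds only `// pass`. A connection that fails for an unrelated reason (broker not reachable, rejected credentials) therefore passes the test just as a real `from_network` denial would, so the deny rule is not actually verified. The other negative connection tests in this file (testAccessNoRightsFailure, testAccessVirtualHostWithName) check the reason, and this catch should do the same with `assertAccessDeniedException(e);`. The denial message is presumably the same, since the firewall rule also denies ACCESS VIRTUALHOST, but confirm that on both the 0-x and the AMQP 1.0 profile before relying on it.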
@@ -148,8 +147,7 @@ public class QueueRestACLTest extends QpidRestTestCase attributes.put(Queue.NAME, _queueName); attributes.put(Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES, 100000); - responseCode = getRestTestHelper().submitRequest(_queueUrl, "PUT", attributes); - assertEquals("Setting of queue attribites should be allowed", 403, responseCode); + getRestTestHelper().submitRequest(_queueUrl, "PUT", attributes, HttpServletResponse.SC_FORBIDDEN); Map<String, Object> queueData = getRestTestHelper().getJsonAsMap(_queueUrl); assertEquals("Unexpected " + Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES, -1, queueData.get(Queue.MAXIMUM_QUEUE_DEPTH_MESSAGES)); http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/test-profiles/Java10Excludes ---------------------------------------------------------------------- diff --git a/test-profiles/Java10Excludes b/test-profiles/Java10Excludes index 98d5d62..7b7a21f 100644 --- a/test-profiles/Java10Excludes +++ b/test-profiles/Java10Excludes @@ -210,6 +210,12 @@ org.apache.qpid.test.unit.client.MaxDeliveryCountTest#testAsynchronousClientAckS org.apache.qpid.test.unit.client.MaxDeliveryCountTest#testAsynchronousDupsOkSession org.apache.qpid.test.unit.client.MaxDeliveryCountTest#testAsynchronousAutoAckSession +//ACL tests not applicable for AMQP 1.0 +org.apache.qpid.server.security.acl.MessagingACLTest#testPublishToDefaultExchangeSuccess +org.apache.qpid.server.security.acl.MessagingACLTest#testPublishToDefaultExchangeFailure +org.apache.qpid.server.security.acl.Amqp0xMessagingACLTest#* +// QPID-7904 : Temporary exclude temporary queue creation test +org.apache.qpid.server.security.acl.MessagingACLTest#testCreateTemporaryQueueFailed http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/15d21c47/test-profiles/Java10UninvestigatedTestsExcludes ---------------------------------------------------------------------- 
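Review bot: In the Java10Excludes hunk, the exclusion of `MessagingACLTest#testCreateTemporaryQueueFailed` is labelled temporary but is tracked only by QPID-7904, the issue this commit itself belongs to, so nothing visible here will prompt its removal once that issue is closed. While the line stays, the deny path for temporary queue creation is not exercised under this profile, and a regression in that ACL check would pass unnoticed there. I would state the re-enable condition in the comment and point it at a separate tracking issue, for example `// QPID-<follow-up id>: re-enable once temporary queue creation denial is verified with the AMQP 1.0 client`. The `testPublishToDefaultExchange*` and `Amqp0xMessagingACLTest#*` entries are explained by the "not applicable" comment and need no change.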
diff --git a/test-profiles/Java10UninvestigatedTestsExcludes b/test-profiles/Java10UninvestigatedTestsExcludes index dd5b9c7..82e8a89 100644 --- a/test-profiles/Java10UninvestigatedTestsExcludes +++ b/test-profiles/Java10UninvestigatedTestsExcludes @@ -21,8 +21,6 @@ // working, defined as broken, or excluded as they test version specific functionality org.apache.qpid.client.prefetch.PrefetchBehaviourTest#* -org.apache.qpid.server.security.acl.ExternalACLTest#* -org.apache.qpid.server.security.acl.ExhaustiveACLTest#* --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
