QPID-7935: [Java Broker] [ACL] Allow an ACL file format to convey a default result of DEFER
Changed AbstractCommonRuleBasedAccessControlProvider#extractRules to write a default decision CONFIG directive if the decision is not the default. Required so that a user may use extractRules -> edit -> loadFromFile without the loss of the current default decision. Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/16a186ba Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/16a186ba Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/16a186ba Branch: refs/heads/master Commit: 16a186babfa8ec9383b247172e255dc6a2951346 Parents: 1a9875c Author: Keith Wall <[email protected]> Authored: Thu Sep 28 13:03:49 2017 +0100 Committer: Keith Wall <[email protected]> Committed: Fri Sep 29 10:24:34 2017 +0100 ---------------------------------------------------------------------- .../security/access/config/AclFileParser.java | 13 +++++++---- ...actCommonRuleBasedAccessControlProvider.java | 10 ++++++++ .../access/config/AclFileParserTest.java | 24 ++++++++++++++++---- 3 files changed, 38 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/16a186ba/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java ---------------------------------------------------------------------- diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java index c071345..d5b61e5 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclFileParser.java 
@@ -45,8 +45,9 @@ import org.apache.qpid.server.security.access.plugins.RuleOutcome; public final class AclFileParser { private static final Logger _logger = LoggerFactory.getLogger(AclFileParser.class); - private static final String DEFAULT_ALLOW = "defaultallow"; - private static final String DEFAULT_DENY = "defaultdeny"; + public static final String DEFAULT_ALLOW = "defaultallow"; + public static final String DEFAULT_DEFER = "defaultdefer"; + public static final String DEFAULT_DENY = "defaultdeny"; private static final Character COMMENT = '#'; private static final Character CONTINUATION = '\\'; @@ -138,7 +139,7 @@ public final class AclFileParser tokenizer.wordChars(':', ':'); // colon // parse the acl file lines - Stack<String> stack = new Stack<String>(); + Stack<String> stack = new Stack<>(); int current; do { current = tokenizer.nextToken(); @@ -301,6 +302,10 @@ public final class AclFileParser { ruleSetCreator.setDefaultResult(Result.ALLOWED); } + if (Boolean.TRUE.equals(properties.get(DEFAULT_DEFER))) + { + ruleSetCreator.setDefaultResult(Result.DEFER); + } if (Boolean.TRUE.equals(properties.get(DEFAULT_DENY))) { ruleSetCreator.setDefaultResult(Result.DENIED); @@ -337,7 +342,7 @@ public final class AclFileParser /** Converts a {@link List} of "name", "=", "value" tokens into a {@link Map}. */ private static Map<String, Boolean> toPluginProperties(List<String> args, final int line) { - Map<String, Boolean> properties = new HashMap<String, Boolean>(); + Map<String, Boolean> properties = new HashMap<>(); Iterator<String> i = args.iterator(); while (i.hasNext()) { http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/16a186ba/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractCommonRuleBasedAccessControlProvider.java ---------------------------------------------------------------------- 
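Review bot: In the `@@ -301,6 +302,10 @@` hunk the new `defaultdefer` check is a third independent `if`, so a CONFIG directive that sets more than one of `defaultallow`, `defaultdefer` and `defaultdeny` to true is accepted and whichever check runs last silently wins. Before this change that only meant deny overriding allow; now `defaultallow=true defaultdefer=true` quietly yields DEFER, and what a deferred default then resolves to is decided outside this file. For an access-control default I would reject the ambiguity rather than resolve it by statement order: count the flags that equal `Boolean.TRUE` and fail with `throw new IllegalConfigurationException("Conflicting default results in CONFIG directive");` when more than one is set. The enclosing method starts and ends outside the hunk, so this assumes `properties` holds the tokens of a single CONFIG directive.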
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractCommonRuleBasedAccessControlProvider.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractCommonRuleBasedAccessControlProvider.java index 43379ae..3b92c65 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractCommonRuleBasedAccessControlProvider.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AbstractCommonRuleBasedAccessControlProvider.java @@ -159,6 +159,16 @@ abstract class AbstractCommonRuleBasedAccessControlProvider<X extends AbstractCo public Content extractRules() { StringBuilder sb = new StringBuilder(); + switch (_defaultResult) + { + case DENIED: + // This is the default assumed by ResultSet for ACL files without a CONFIG directive + break; + case ALLOWED: + case DEFER: + sb.append(String.format("CONFIG %s=true\n", _defaultResult == Result.ALLOWED ? AclFileParser.DEFAULT_ALLOW : AclFileParser.DEFAULT_DEFER)); + break; + } for(AclRule rule : _rules) { sb.append("ACL "); http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/16a186ba/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java ---------------------------------------------------------------------- diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java index e9b8b22..8359840 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java 
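Review bot: The `switch (_defaultResult)` added at the top of `extractRules()` has no `default` branch, so a result it does not list (should `Result` ever gain one) is exported with no CONFIG line and the file reloads as DENIED without any signal; add `default: throw new IllegalStateException("Unexpected default result " + _defaultResult);`. Giving ALLOWED and DEFER their own cases would also remove the ternary that re-tests `_defaultResult` inside the shared case. The comment on the DENIED case says `ResultSet`, which looks like a slip for `RuleSet`. The diffstat shows only `AclFileParserTest` changing, so the extract, edit, load round trip this commit is for has no test of its own; one asserting that the extracted text starts with `CONFIG defaultdefer=true` for a provider whose default is DEFER would cover it. The method body continues outside the hunk.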
@@ -28,6 +28,7 @@ import java.util.List; import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.logging.EventLoggerProvider; +import org.apache.qpid.server.security.Result; import org.apache.qpid.server.security.access.config.ObjectProperties.Property; import org.apache.qpid.test.utils.QpidTestCase; @@ -39,18 +40,24 @@ public class AclFileParserTest extends QpidTestCase acl.deleteOnExit(); // Write ACL file - PrintWriter aclWriter = new PrintWriter(new FileWriter(acl)); - for (String line : aclData) + try (PrintWriter aclWriter = new PrintWriter(new FileWriter(acl))) { - aclWriter.println(line); + for (String line : aclData) + { + aclWriter.println(line); + } } - aclWriter.close(); // Load ruleset return AclFileParser.parse(new FileReader(acl), mock(EventLoggerProvider.class)); - } + public void testEmptyRuleSetDefaults() throws Exception + { + RuleSet ruleSet = writeACLConfig(); + assertEquals(0, ruleSet.getRuleCount()); + assertEquals(Result.DENIED, ruleSet.getDefault()); + } public void testACLFileSyntaxContinuation() throws Exception { try @@ -157,6 +164,13 @@ public class AclFileParserTest extends QpidTestCase } } + public void testValidConfig() throws Exception + { + RuleSet ruleSet = writeACLConfig("CONFIG defaultdefer=true"); + assertEquals("Unexpected number of rules", 0, ruleSet.getRuleCount()); + assertEquals("Unexpected number of rules", Result.DEFER, ruleSet.getDefault()); + } + /** * Tests interpretation of an acl rule with no object properties. * --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
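Review bot: In `testValidConfig` the second assertion reuses the message `"Unexpected number of rules"` although it checks `ruleSet.getDefault()`, so a failure there would point at the wrong thing; change it to `assertEquals("Unexpected default result", Result.DEFER, ruleSet.getDefault());`. The name `testValidConfig` is also broader than what is tested; something like `testDefaultDeferConfig` says which directive is covered. A companion case for a CONFIG line that sets two defaults at once would pin down which result the parser is meant to produce.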
