Repository: qpid-broker-j
Updated Branches:
  refs/heads/master b91ddb20e -> 2443fe648


QPID-8163: [Access Control Plugin] Support OWNER pseudo principal in ACL rules.


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/2443fe64
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/2443fe64
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/2443fe64

Branch: refs/heads/master
Commit: 2443fe648347e5775a1f1c41c20eada49f62970b
Parents: b91ddb2
Author: Keith Wall <kw...@apache.org>
Authored: Thu Apr 12 17:36:24 2018 +0100
Committer: Keith Wall <kw...@apache.org>
Committed: Fri Apr 13 12:11:09 2018 +0100

----------------------------------------------------------------------
 .../config/LegacyAccessControlAdapter.java      | 109 ++++++++++++++-----
 .../access/config/ObjectProperties.java         |   3 +-
 .../server/security/access/config/Rule.java     |   3 +
 .../server/security/access/config/RuleSet.java  |  31 +++++-
 .../config/LegacyAccessControlAdapterTest.java  |  72 +++++++++---
 .../security/access/config/RuleSetTest.java     |  51 +++++++++
 .../extensions/acl/MessagingACLTest.java        |  56 ++++++++++
 7 files changed, 281 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
index 9a072ab..0aab300 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
@@ -22,6 +22,7 @@ package org.apache.qpid.server.security.access.config;
 
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.ACCESS_LOGS;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.BIND;
+import static 
org.apache.qpid.server.security.access.config.LegacyOperation.CREATE;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.INVOKE;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.PUBLISH;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.PURGE;
@@ -203,16 +204,21 @@ class LegacyAccessControlAdapter
 
         if (configuredObject instanceof Queue)
         {
-            setQueueProperties((Queue)configuredObject, properties);
+            setQueueProperties((Queue<?>)configuredObject, properties);
         }
         else if (configuredObject instanceof Exchange)
         {
-            Exchange<?> exchange = (Exchange<?>)configuredObject;
+            Exchange<?> exchange = (Exchange<?>) configuredObject;
             Object lifeTimePolicy = 
exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY);
             properties.put(ObjectProperties.Property.AUTO_DELETE, 
lifeTimePolicy != LifetimePolicy.PERMANENT);
             properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy 
!= LifetimePolicy.PERMANENT);
             properties.put(ObjectProperties.Property.DURABLE, (Boolean) 
exchange.getAttribute(ConfiguredObject.DURABLE));
             properties.put(ObjectProperties.Property.TYPE, (String) 
exchange.getAttribute(Exchange.TYPE));
+            if (exchange.getAttribute(Queue.CREATED_BY) != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, (String) 
exchange.getAttribute(ConfiguredObject.CREATED_BY));
+            }
+
             VirtualHost virtualHost = (VirtualHost) exchange.getParent();
             properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
         }
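Review bot: The exchange branch guards on `exchange.getAttribute(Queue.CREATED_BY)` but stores `exchange.getAttribute(ConfiguredObject.CREATED_BY)`; both presumably resolve to the same inherited constant, but the mismatch reads like a copy-paste from setQueueProperties and the branch should name the constant once. Reading the attribute a single time also removes the double lookup: `final String createdBy = (String) exchange.getAttribute(ConfiguredObject.CREATED_BY); if (createdBy != null) { properties.put(ObjectProperties.Property.CREATED_BY, createdBy); }`. The same read-twice shape appears in the next two hunks (the `else` branch and setQueueProperties) and in the last hunk of this file. The enclosing method starts before and ends after this hunk.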
@@ -221,18 +227,27 @@ class LegacyAccessControlAdapter
             Queue<?> queue = 
(Queue<?>)((QueueConsumer<?,?>)configuredObject).getParent();
             setQueueProperties(queue, properties);
         }
-        else if (isBrokerType(configuredObjectType))
-        {
-            String description = String.format("%s %s '%s'",
-                                               configuredObjectOperation == 
null? null : configuredObjectOperation.name().toLowerCase(),
-                                               configuredObjectType == null ? 
null : configuredObjectType.getSimpleName().toLowerCase(),
-                                               objectName);
-            properties = new OperationLoggingDetails(description);
-        }
-        else if (isVirtualHostType(configuredObjectType))
+        else
         {
-            ConfiguredObject<?> virtualHost = 
getModel().getAncestor(VirtualHost.class, 
(ConfiguredObject<?>)configuredObject);
-            properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
+            final ConfiguredObject<?> object = (ConfiguredObject<?>) 
configuredObject;
+            if (isBrokerType(configuredObjectType))
+            {
+                String description = String.format("%s %s '%s'",
+                                                   configuredObjectOperation 
== null? null : configuredObjectOperation.name().toLowerCase(),
+                                                   configuredObjectType == 
null ? null : configuredObjectType.getSimpleName().toLowerCase(),
+                                                   objectName);
+                properties = new OperationLoggingDetails(description);
+            }
+            else if (isVirtualHostType(configuredObjectType))
+            {
+                ConfiguredObject<?> virtualHost = 
getModel().getAncestor(VirtualHost.class,
+                                                                         
object);
+                properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
+            }
+            if (object.getAttribute(ConfiguredObject.CREATED_BY) != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, (String) 
object.getAttribute(ConfiguredObject.CREATED_BY));
+            }
         }
         return properties;
     }
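Review bot: The cast `final ConfiguredObject<?> object = (ConfiguredObject<?>) configuredObject;` is now executed for every object that is not a Queue, Exchange or QueueConsumer, whereas before the cast only happened inside the virtualhost-type branch; if the parameter is declared with a broader type (the signature is outside the hunk), an object of any other category would now throw ClassCastException instead of returning the plain properties. If the parameter is already typed as a ConfiguredObject this is harmless and only the CREATED_BY lookup is new. Otherwise keep the previous shape by making the branch `else if (configuredObject instanceof ConfiguredObject)` and leaving a final `else` that returns the unchanged properties.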
@@ -245,6 +260,10 @@ class LegacyAccessControlAdapter
         properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy != 
LifetimePolicy.PERMANENT);
         properties.put(ObjectProperties.Property.DURABLE, 
(Boolean)queue.getAttribute(ConfiguredObject.DURABLE));
         properties.put(ObjectProperties.Property.EXCLUSIVE, 
queue.getAttribute(Queue.EXCLUSIVE) != ExclusivityPolicy.NONE);
+        if (queue.getAttribute(Queue.CREATED_BY) != null)
+        {
+            properties.put(ObjectProperties.Property.CREATED_BY, (String) 
queue.getAttribute(Queue.CREATED_BY));
+        }
         Object alternateBinding = queue.getAttribute(Queue.ALTERNATE_BINDING);
         if (alternateBinding instanceof AlternateBinding)
         {
@@ -306,6 +325,8 @@ class LegacyAccessControlAdapter
                            final Map<String, Object> arguments)
     {
         Class<? extends ConfiguredObject> categoryClass = 
configuredObject.getCategoryClass();
+        String createdBy = configuredObject instanceof ConfiguredObject<?> ? 
(String) ((ConfiguredObject) 
configuredObject).getAttribute(ConfiguredObject.CREATED_BY) : null;
+
         if(categoryClass == Exchange.class)
         {
             MessageDestination exchange = (MessageDestination) 
configuredObject;
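Review bot: The new `createdBy` line checks `instanceof ConfiguredObject<?>` and then casts to the raw type `(ConfiguredObject)`, which produces a raw-type warning for no gain; the wildcard form `(String) ((ConfiguredObject<?>) configuredObject).getAttribute(ConfiguredObject.CREATED_BY)` compiles cleanly and matches the `Queue<?>`/`Exchange<?>` casts used elsewhere in this file. The same raw cast is repeated at the top of the `authoriseMethod` hunk below (`String createdBy = configuredObject instanceof ConfiguredObject<?> ? ... : null;`). Splitting the ternary over a small helper, e.g. a private `createdByOf(PermissionedObject)` style method, would also stop the two copies drifting apart; the exact parameter type is outside the hunk, so name it after whatever the signatures actually declare.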
@@ -321,6 +342,10 @@ class LegacyAccessControlAdapter
                     props.put(ObjectProperties.Property.AUTO_DELETE, 
lifetimePolicy != LifetimePolicy.PERMANENT);
                     props.put(ObjectProperties.Property.TEMPORARY, 
lifetimePolicy != LifetimePolicy.PERMANENT);
                 }
+                if (createdBy != null)
+                {
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
                 return _accessControl.authorise(PUBLISH, EXCHANGE, props);
             }
         }
@@ -331,6 +356,10 @@ class LegacyAccessControlAdapter
                 String virtualHostName = configuredObject.getName();
                 ObjectProperties properties = new 
ObjectProperties(virtualHostName);
                 properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
virtualHostName);
+                if (createdBy != null)
+                {
+                    properties.put(ObjectProperties.Property.CREATED_BY, 
createdBy);
+                }
                 return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.VIRTUALHOST, properties);
             }
         }
@@ -338,7 +367,13 @@ class LegacyAccessControlAdapter
         {
             if("manage".equals(actionName))
             {
-                return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
+                ObjectProperties props = ObjectProperties.EMPTY;
+                if (createdBy != null)
+                {
+                    props = new ObjectProperties();
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
+                return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.MANAGEMENT, props);
             }
         }
         else if(categoryClass == Queue.class)
@@ -347,9 +382,14 @@ class LegacyAccessControlAdapter
             if("publish".equals(actionName))
             {
 
-                final ObjectProperties _props =
+                final ObjectProperties props =
                         new ObjectProperties(queue.getParent().getName(), "", 
queue.getName());
-                return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
+                if (createdBy != null)
+                {
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
+
+                return _accessControl.authorise(PUBLISH, EXCHANGE, props);
             }
         }
 
@@ -371,11 +411,18 @@ class LegacyAccessControlAdapter
             return invokeResult;
         }
 
+        String createdBy = configuredObject instanceof ConfiguredObject<?> ? 
(String) ((ConfiguredObject) 
configuredObject).getAttribute(ConfiguredObject.CREATED_BY)
+                : null;
+        final ObjectProperties properties = new ObjectProperties();
+        if (createdBy != null)
+        {
+            properties.put(ObjectProperties.Property.CREATED_BY, createdBy);
+        }
+
         // Otherwise fallback to the older rule-style
         if(categoryClass == Queue.class)
         {
             Queue queue = (Queue) configuredObject;
-            final ObjectProperties properties = new ObjectProperties();
             if("clearQueue".equals(methodName))
             {
                 setQueueProperties(queue, properties);
@@ -393,26 +440,32 @@ class LegacyAccessControlAdapter
         }
         else if ((categoryClass == BrokerLogger.class || categoryClass == 
VirtualHostLogger.class) && LOG_ACCESS_METHOD_NAMES.contains(methodName))
         {
-            ObjectProperties empty = categoryClass == BrokerLogger.class ? 
ObjectProperties.EMPTY : new ObjectProperties(
-                    ((ConfiguredObject) 
configuredObject).getParent().getName());
+            if (categoryClass != BrokerLogger.class)
+            {
+                properties.setName(((ConfiguredObject<?>) 
configuredObject).getParent().getName());
+            }
+
             return _accessControl.authorise(ACCESS_LOGS, categoryClass == 
BrokerLogger.class ? ObjectType.BROKER : ObjectType.VIRTUALHOST,
-                                            empty);
+                                            properties);
         }
         else if(categoryClass == Broker.class && 
"initiateShutdown".equals(methodName))
         {
-            _accessControl.authorise(LegacyOperation.SHUTDOWN, 
ObjectType.BROKER, ObjectProperties.EMPTY);
+            _accessControl.authorise(LegacyOperation.SHUTDOWN, 
ObjectType.BROKER, properties);
         }
         else if (categoryClass == Exchange.class)
         {
+            final ObjectProperties props = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
+            if (createdBy != null)
+            {
+                props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+            }
             if ("bind".equals(methodName))
             {
-                final ObjectProperties properties = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
-                return _accessControl.authorise(BIND, EXCHANGE, properties);
+                return _accessControl.authorise(BIND, EXCHANGE, props);
             }
             else if ("unbind".equals(methodName))
             {
-                final ObjectProperties properties = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
-                return _accessControl.authorise(UNBIND, EXCHANGE, properties);
+                return _accessControl.authorise(UNBIND, EXCHANGE, props);
             }
         }
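Review bot: `createObjectPropertiesForExchangeBind(arguments, configuredObject)` is now called for every Exchange method before the name is inspected, whereas before it ran only inside the `"bind"` and `"unbind"` branches; for any other exchange method the call (and any validation or exception it performs on `arguments`, which I cannot see from here) is now wasted work at best and a behaviour change at worst. Guard it so the old shape is kept: `if ("bind".equals(methodName) || "unbind".equals(methodName)) { final ObjectProperties props = createObjectPropertiesForExchangeBind(arguments, configuredObject); ... }`. Note also that the `properties` object built at the top of the method (with CREATED_BY already set) is unused in this branch, so the Exchange path fills CREATED_BY a second time into a separate object; reusing one of the two would remove the duplication. The enclosing method begins before this hunk.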
 
@@ -442,6 +495,12 @@ class LegacyAccessControlAdapter
                 componentName = 
buildHierarchicalCategoryName(configuredObject, model.getAncestor(Broker.class, 
configuredObject));
             }
             properties.put(ObjectProperties.Property.COMPONENT, componentName);
+            final String createdBy = (String) 
configuredObject.getAttribute(ConfiguredObject.CREATED_BY);
+            if (createdBy != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, 
createdBy);
+            }
+
         }
 
         return properties;

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
index 8cd57f0..deec6f7 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
@@ -63,7 +63,8 @@ public class ObjectProperties
         FROM_HOSTNAME,
         VIRTUALHOST_NAME,
         METHOD_NAME,
-        ATTRIBUTES;
+        ATTRIBUTES,
+        CREATED_BY;
 
         private static final Map<String, Property> _canonicalNameToPropertyMap 
= new HashMap<String, ObjectProperties.Property>();
 

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
index b0d1b09..bf82b6c 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
@@ -33,6 +33,9 @@ public class Rule
        /** String indicating all identified. */
        public static final String ALL = "all";
 
+       /** String indicating all identified. */
+       public static final String OWNER = "owner";
+
     private final String _identity;
     private final AclAction _action;
     private final RuleOutcome _ruleOutcome;
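Review bot: The Javadoc on the new `OWNER` constant is copied from `ALL` ("String indicating all identified.") and so documents the wrong thing; since this string is what appears in ACL files and drives an authorization decision, it deserves an accurate one-liner, e.g. `/** Pseudo-identity matching the authenticated principal that created the object (see CREATED_BY). */`. It would also help to state in that comment that OWNER rules are never applied to CREATE, because no creator exists yet, as the RuleSet change implements.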

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index cf439fe..151e1ac 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -41,6 +41,7 @@ import org.apache.qpid.server.logging.EventLoggerProvider;
 import org.apache.qpid.server.logging.messages.AccessControlMessages;
 import org.apache.qpid.server.security.Result;
 import org.apache.qpid.server.security.access.plugins.RuleOutcome;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 
 /**
  * Models the rule configuration for the access control plugin.
@@ -108,7 +109,7 @@ public class RuleSet implements EventLoggerProvider
             }
 
             // Save the rules we selected
-            objects.put(objectType, filtered);
+            objects.put(objectType, filtered == null ? null : 
Collections.unmodifiableList(filtered));
 
             LOGGER.debug("Cached {} RulesList: {}", objectType, filtered);
         }
@@ -156,10 +157,33 @@ public class RuleSet implements EventLoggerProvider
             return getDefault();
         }
 
+        final boolean ownerRules = rules.stream()
+                                        .anyMatch(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+
+        if (ownerRules)
+        {
+            rules = new LinkedList<>(rules);
+
+            if (operation == LegacyOperation.CREATE)
+            {
+                rules.removeIf(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+            }
+            else
+            {
+                // Discard OWNER rules if the object wasn't created by the 
subject
+                final String objectCreator = 
properties.get(ObjectProperties.Property.CREATED_BY);
+                final Principal principal =
+                        
AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
+                if (principal == null || 
!principal.getName().equalsIgnoreCase(objectCreator))
+                {
+                    rules.removeIf(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+                }
+            }
+        }
+
         // Iterate through a filtered set of rules dealing with this identity 
and operation
         for (Rule rule : rules)
         {
-
             LOGGER.debug("Checking against rule: {}", rule);
 
             if (action.matches(rule.getAclAction(), addressOfClient))
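Review bot: The owner decision `principal.getName().equalsIgnoreCase(objectCreator)` is case-insensitive, so a principal whose name differs from the recorded `CREATED_BY` value only in letter case would inherit the OWNER rules; unless every authentication provider guarantees case-insensitive user names, plain `equals` is the safer default for an authorization check, and if case-folding is deliberate (to match the existing identity matching) that reasoning belongs in a comment on this line. The predicate `rule -> rule.getIdentity().equalsIgnoreCase(Rule.OWNER)` is written three times in this hunk; hoist it into one local `Predicate<Rule>` (needs `java.util.function.Predicate`) or a private static helper so the sites cannot drift. A `LOGGER.debug` when OWNER rules are discarded would mirror the existing "Checking against rule" tracing and make an unexpected denial for an owner diagnosable. Since the copy is only scanned and filtered, `new ArrayList<>(rules)` is the more idiomatic copy than `LinkedList`. The enclosing check method starts before and continues after the hunk.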
@@ -212,7 +236,8 @@ public class RuleSet implements EventLoggerProvider
 
     private boolean isRelevant(final Set<Principal> principals, final Rule 
rule)
     {
-        if (rule.getIdentity().equalsIgnoreCase(Rule.ALL))
+        if (rule.getIdentity().equalsIgnoreCase(Rule.ALL) ||
+            rule.getIdentity().equalsIgnoreCase(Rule.OWNER))
         {
             return true;
         }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
index 24373b5..b1ec492 100644
--- 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
+++ 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
@@ -52,6 +52,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
     private static final String TEST_VIRTUAL_HOST = "testVirtualHost";
     private static final String TEST_EXCHANGE = "testExchange";
     private static final String TEST_QUEUE = "testQueue";
+    private static final String TEST_USER = "user";
 
     private LegacyAccessControl _accessControl;
     private QueueManagingVirtualHost<?> _virtualHost;
@@ -72,6 +73,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
 
         when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST);
         
when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
+        
when(_virtualHost.getAttribute(VirtualHost.CREATED_BY)).thenReturn(TEST_USER);
         when(_virtualHost.getModel()).thenReturn(_model);
         doReturn(_virtualHostNode).when(_virtualHost).getParent();
         doReturn(VirtualHost.class).when(_virtualHost).getCategoryClass();
@@ -104,6 +106,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN");
         when(vhn.getParent()).thenReturn(_broker);
         when(vhn.getModel()).thenReturn(BrokerModel.getInstance());
+        
when(vhn.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         return vhn;
     }
 
@@ -115,6 +118,8 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(accessControlProvider.getParent()).thenReturn(_broker);
         when(accessControlProvider.getName()).thenReturn("TEST");
         
when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class);
+        
when(accessControlProvider.getAttribute(Queue.CREATED_BY)).thenReturn(TEST_USER);
+
 
         assertBrokerChildCreateAuthorization(accessControlProvider);
     }
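Review bot: The stub `when(accessControlProvider.getAttribute(Queue.CREATED_BY)).thenReturn(TEST_USER);` reads the constant through `Queue` for an AccessControlProvider mock, while every other stub in this test uses `ConfiguredObject.CREATED_BY`; use `ConfiguredObject.CREATED_BY` here so the test does not depend on the Queue interface. The hunk also leaves two consecutive blank lines after the new stub, which can be dropped.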
@@ -128,6 +133,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
         
when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
         
when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queue.getAttribute(Queue.CREATED_BY)).thenReturn(TEST_USER);
         when(queue.getCategoryClass()).thenReturn(Queue.class);
 
         Session session = mock(Session.class);
@@ -146,6 +152,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         properties.put(ObjectProperties.Property.TEMPORARY, false);
         properties.put(ObjectProperties.Property.DURABLE, true);
         properties.put(ObjectProperties.Property.EXCLUSIVE, false);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
 
         assertAuthorization(LegacyOperation.CREATE, consumer, 
LegacyOperation.CONSUME, ObjectType.QUEUE, properties,
                             Collections.emptyMap());
@@ -159,6 +166,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(Port.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -204,6 +212,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(KeyStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -214,6 +223,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(TrustStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -375,7 +385,10 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
     public void testAuthoriseCreateVirtualHostNode()
     {
         VirtualHostNode vhn = getMockVirtualHostNode();
-        assertCreateAuthorization(vhn, LegacyOperation.CREATE, 
ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"));
+        final ObjectProperties expectedProperties = new 
ObjectProperties("testVHN");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
+        assertCreateAuthorization(vhn, LegacyOperation.CREATE, 
ObjectType.VIRTUALHOSTNODE,
+                                  expectedProperties);
     }
 
     @Test
@@ -385,6 +398,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(port.getParent()).thenReturn(_broker);
         when(port.getName()).thenReturn("TEST");
         when(port.getCategoryClass()).thenReturn(Port.class);
+        
when(port.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(port);
     }
@@ -396,7 +410,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(authenticationProvider.getParent()).thenReturn(_broker);
         when(authenticationProvider.getName()).thenReturn("TEST");
         
when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
-
+        
when(authenticationProvider.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildCreateAuthorization(authenticationProvider);
     }
 
@@ -407,6 +421,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(groupProvider.getParent()).thenReturn(_broker);
         when(groupProvider.getName()).thenReturn("TEST");
         when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+        
when(groupProvider.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(groupProvider);
     }
@@ -419,6 +434,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(keyStore.getParent()).thenReturn(_broker);
         when(keyStore.getName()).thenReturn("TEST");
         when(keyStore.getCategoryClass()).thenReturn(KeyStore.class);
+        
when(keyStore.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(keyStore);
     }
@@ -430,6 +446,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(trustStore.getParent()).thenReturn(_broker);
         when(trustStore.getName()).thenReturn("TEST");
         when(trustStore.getCategoryClass()).thenReturn(TrustStore.class);
+        
when(trustStore.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(trustStore);
     }
@@ -504,6 +521,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         VirtualHostNode vhn = getMockVirtualHostNode();
         ObjectProperties expectedProperties = new 
ObjectProperties(vhn.getName());
         
expectedProperties.setAttributeNames(Collections.singleton(ConfiguredObject.DESCRIPTION));
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
         assertUpdateAuthorization(vhn,
                                   LegacyOperation.UPDATE,
                                   ObjectType.VIRTUALHOSTNODE,
@@ -519,6 +537,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -529,6 +548,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -539,6 +559,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -549,6 +570,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(KeyStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -559,6 +581,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(TrustStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -617,7 +640,10 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
     public void testAuthoriseDeleteVirtualHostNode()
     {
         VirtualHostNode vhn = getMockVirtualHostNode();
-        assertDeleteAuthorization(vhn, LegacyOperation.DELETE, 
ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()));
+        final ObjectProperties expectedProperties = new 
ObjectProperties(vhn.getName());
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
+        assertDeleteAuthorization(vhn, LegacyOperation.DELETE, 
ObjectType.VIRTUALHOSTNODE,
+                                  expectedProperties);
     }
 
     @Test
@@ -627,6 +653,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(Port.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -637,6 +664,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -647,6 +675,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -657,6 +686,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -667,6 +697,8 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(mock.getName()).thenReturn("TEST");
         when(mock.getCategoryClass()).thenReturn(BrokerLogger.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
+
         assertBrokerChildCreateAuthorization(mock);
 
         when(mock.getName()).thenReturn("test");
@@ -681,12 +713,15 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(bl.getName()).thenReturn("LOGGER");
         when(bl.getCategoryClass()).thenReturn(BrokerLogger.class);
         when(bl.getParent()).thenReturn(_broker);
+        
when(bl.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
+
 
         BrokerLogInclusionRule mock = mock(BrokerLogInclusionRule.class);
         when(mock.getName()).thenReturn("TEST");
         when(mock.getCategoryClass()).thenReturn(BrokerLogInclusionRule.class);
         when(mock.getParent()).thenReturn(bl);
         when(mock.getModel()).thenReturn(BrokerModel.getInstance());
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildCreateAuthorization(mock);
 
         when(mock.getName()).thenReturn("test");
@@ -707,12 +742,15 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
         
when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
         
when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        
when(queue.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
-        ObjectProperties properties = new ObjectProperties();
-        properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
-        properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
-        properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
_virtualHost.getName());
-        properties.put(ObjectProperties.Property.COMPONENT, 
"VirtualHost.Queue");
+
+        ObjectProperties expectedProperties = new ObjectProperties();
+        expectedProperties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
+        expectedProperties.put(ObjectProperties.Property.METHOD_NAME, 
methodName);
+        expectedProperties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
_virtualHost.getName());
+        expectedProperties.put(ObjectProperties.Property.COMPONENT, 
"VirtualHost.Queue");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.QUEUE),
@@ -721,7 +759,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         Result result = _adapter.authoriseMethod(queue, methodName, 
Collections.emptyMap());
         assertEquals("Unexpected authorise result", Result.ALLOWED, result);
 
-        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.QUEUE), eq(properties));
+        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.QUEUE), eq(expectedProperties));
         verify(_accessControl, never()).authorise(eq(LegacyOperation.PURGE), 
eq(ObjectType.QUEUE), any(ObjectProperties.class));
     }
     @Test
@@ -730,10 +768,11 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         String methodName = "getStatistics";
         VirtualHostNode<?> virtualHostNode = _virtualHostNode;
 
-        ObjectProperties properties = new ObjectProperties();
-        properties.put(ObjectProperties.Property.NAME, 
virtualHostNode.getName());
-        properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
-        properties.put(ObjectProperties.Property.COMPONENT, 
"Broker.VirtualHostNode");
+        ObjectProperties expectedProperties = new ObjectProperties();
+        expectedProperties.put(ObjectProperties.Property.NAME, 
virtualHostNode.getName());
+        expectedProperties.put(ObjectProperties.Property.METHOD_NAME, 
methodName);
+        expectedProperties.put(ObjectProperties.Property.COMPONENT, 
"Broker.VirtualHostNode");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.VIRTUALHOSTNODE),
@@ -742,7 +781,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         Result result = _adapter.authoriseMethod(virtualHostNode, methodName, 
Collections.emptyMap());
         assertEquals("Unexpected authorise result", Result.ALLOWED, result);
 
-        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.VIRTUALHOSTNODE), eq(properties));
+        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.VIRTUALHOSTNODE), eq(expectedProperties));
     }
 
     @Test
@@ -883,6 +922,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
         ObjectProperties properties = new ObjectProperties();
         properties.put(ObjectProperties.Property.NAME, TEST_VIRTUAL_HOST);
         properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
TEST_VIRTUAL_HOST);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
 
         _adapter.authoriseAction(_virtualHost, "connect", 
Collections.emptyMap());
 
@@ -920,6 +960,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
                                            
object.getCategoryClass().getSimpleName().toLowerCase(),
                                            "TEST");
         ObjectProperties properties = new OperationLoggingDetails(description);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         assertCreateAuthorization(object, LegacyOperation.CONFIGURE, 
ObjectType.BROKER, properties);
     }
 
@@ -945,6 +986,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
                                            
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
                                            configuredObject.getName());
         ObjectProperties properties = new OperationLoggingDetails(description);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         
properties.setAttributeNames(Collections.singleton(ConfiguredObject.DESCRIPTION));
 
         assertUpdateAuthorization(configuredObject, LegacyOperation.CONFIGURE, 
ObjectType.BROKER,
@@ -967,7 +1009,7 @@ public class LegacyAccessControlAdapterTest extends 
UnitTestBase
                                            
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
                                            configuredObject.getName());
         ObjectProperties properties = new OperationLoggingDetails(description);
-
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         assertDeleteAuthorization(configuredObject, LegacyOperation.CONFIGURE, 
ObjectType.BROKER,
                                   properties);
     }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
index db5995c..1cfb7c1 100644
--- 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
+++ 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
@@ -606,4 +606,55 @@ public class RuleSetTest extends UnitTestBase
                             ruleSet.check(_testSubject, 
LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, updateProperties));
     }
 
+    @Test
+    public void testExistingObjectOwner()
+    {
+        _ruleSetCreator.addRule(1,
+                                Rule.OWNER,
+                                RuleOutcome.ALLOW,
+                                LegacyOperation.CONSUME,
+                                ObjectType.QUEUE,
+                                ObjectProperties.EMPTY);
+        RuleSet ruleSet = createRuleSet();
+        assertEquals((long) 1, (long) ruleSet.getRuleCount());
+
+        assertEquals(Result.ALLOWED,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CONSUME,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
TEST_USER)));
+
+        assertEquals(Result.DEFER,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CONSUME,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
"anotherUser")));
+    }
+
+    @Test
+    public void testCreateIgnoresOwnerRule()
+    {
+        _ruleSetCreator.addRule(1,
+                                Rule.OWNER,
+                                RuleOutcome.ALLOW,
+                                LegacyOperation.ALL,
+                                ObjectType.QUEUE,
+                                ObjectProperties.EMPTY);
+        RuleSet ruleSet = createRuleSet();
+        assertEquals((long) 1, (long) ruleSet.getRuleCount());
+
+        assertEquals(Result.ALLOWED,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.UPDATE,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
TEST_USER)));
+
+        assertEquals(Result.DEFER,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CREATE,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
"anotherUser")));
+
+    }
+
 }
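Review bot: `testCreateIgnoresOwnerRule` does not prove what its name claims: the CREATE check is made with `CREATED_BY` set to `"anotherUser"`, so `Result.DEFER` is also what an owner mismatch alone would yield, and the test would pass even if CREATE did consult the OWNER rule. Use the matching owner for that check — `new ObjectProperties(Property.CREATED_BY, TEST_USER)` in place of the `"anotherUser"` line of the CREATE assertion — so that DEFER can only come from CREATE ignoring the rule. `testExistingObjectOwner` would also benefit from a case passing `ObjectProperties.EMPTY` (no `CREATED_BY` recorded) and expecting `Result.DEFER`, since an OWNER rule that matched ownerless objects would grant access nobody intended. Both tests assume `_testSubject` carries the `TEST_USER` principal, which is set up outside this hunk.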

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/2443fe64/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/acl/MessagingACLTest.java
----------------------------------------------------------------------
diff --git 
a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/acl/MessagingACLTest.java
 
b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/acl/MessagingACLTest.java
index c507bd8..a96c2ad 100644
--- 
a/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/acl/MessagingACLTest.java
+++ 
b/systests/qpid-systests-jms_1.1/src/test/java/org/apache/qpid/systests/jms_1_1/extensions/acl/MessagingACLTest.java
@@ -23,6 +23,7 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeThat;
@@ -52,10 +53,12 @@ import javax.jms.TemporaryTopic;
 import javax.jms.TextMessage;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Sets;
 import org.junit.Test;
 
 import org.apache.qpid.server.logging.EventLogger;
 import org.apache.qpid.server.logging.EventLoggerProvider;
+import org.apache.qpid.server.model.ConfiguredObject;
 import org.apache.qpid.server.model.Group;
 import org.apache.qpid.server.model.GroupMember;
 import org.apache.qpid.server.model.Protocol;
@@ -229,6 +232,59 @@ public class MessagingACLTest extends JmsTestBase
     }
 
     @Test
+    public void testConsumeOwnQueueSuccess() throws Exception
+    {
+        final String queueName = "user1Queue";
+        assumeThat(getBrokerAdmin().getValidUsername(), is(equalTo(USER1)));
+
+        createQueue(queueName);
+
+        Map<String, Object> queueAttributes = 
readEntityUsingAmqpManagement(queueName, "org.apache.qpid.Queue", true);
+        assertThat("Test prerequiste not met, queue belongs to unexpected 
user", queueAttributes.get(ConfiguredObject.CREATED_BY), is(equalTo(USER1)));
+
+        configureACL("ACL ALLOW-LOG ALL ACCESS VIRTUALHOST",
+                     "ACL ALLOW-LOG OWNER CONSUME QUEUE",
+                     "ACL DENY-LOG ALL CONSUME QUEUE");
+
+        final String queueAddress = String.format(isLegacyClient() ? "ADDR:%s; 
{create:never}" : "%s", queueName);
+
+        Connection queueOwnerCon = 
getConnectionBuilder().setUsername(USER1).setPassword(USER1_PASSWORD).build();
+        try
+        {
+            Session queueOwnerSession = queueOwnerCon.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+            final Queue queue = queueOwnerSession.createQueue(queueAddress);
+            queueOwnerSession.createConsumer(queue).close();
+        }
+        finally
+        {
+            queueOwnerCon.close();
+        }
+
+        Connection otherUserCon = 
getConnectionBuilder().setUsername(USER2).setPassword(USER2_PASSWORD).build();
+        try
+        {
+            Session otherUserSession = otherUserCon.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+            try
+            {
+                
otherUserSession.createConsumer(otherUserSession.createQueue(queueAddress)).close();
+                fail("Exception not thrown");
+            }
+            catch (JMSException e)
+            {
+                final String expectedMessage =
+                        Sets.newHashSet(Protocol.AMQP_1_0, 
Protocol.AMQP_0_10).contains(getProtocol())
+                                ? "Permission CREATE is denied for : Consumer"
+                                : "403(access refused)";
+                assertJMSExceptionMessageContains(e, expectedMessage);
+            }
+        }
+        finally
+        {
+            otherUserCon.close();
+        }
+    }
+
+    @Test
     public void testConsumeFromTempTopicSuccess() throws Exception
     {
         configureACL(String.format("ACL ALLOW-LOG %s ACCESS VIRTUALHOST", 
USER1),
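Review bot: `Sets.newHashSet(Protocol.AMQP_1_0, Protocol.AMQP_0_10).contains(getProtocol())` brings in the new Guava import only to build a two-element set; if `Protocol` is an enum, `EnumSet.of(Protocol.AMQP_1_0, Protocol.AMQP_0_10).contains(getProtocol())` does the same with the JDK and lets the `com.google.common.collect.Sets` import added in the earlier hunk be dropped. The prerequisite assertion near the top of `testConsumeOwnQueueSuccess` has a typo in its message: `"Test prerequiste not met, queue belongs to unexpected user"` should read `"Test prerequisite not met, queue belongs to unexpected user"`. The try/finally blocks around the connections are the right shape here, as JMS 1.1 `Connection` is not `AutoCloseable`.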

