Repository: qpid-broker-j
Updated Branches:
  refs/heads/7.0.x c271e4573 -> 5f19120a8


QPID-8163: [Access Control Plugin] Support OWNER pseudo principal in ACL rules.

(cherry picked from commit 2443fe648347e5775a1f1c41c20eada49f62970b)


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/5f19120a
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/5f19120a
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/5f19120a

Branch: refs/heads/7.0.x
Commit: 5f19120a82e119050c80172d756442eae1ec1897
Parents: c271e45
Author: Keith Wall <kw...@apache.org>
Authored: Thu Apr 12 17:36:24 2018 +0100
Committer: Alex Rudyy <oru...@apache.org>
Committed: Mon Apr 16 22:52:13 2018 +0100

----------------------------------------------------------------------
 .../config/LegacyAccessControlAdapter.java      | 109 ++++++++++++++-----
 .../access/config/ObjectProperties.java         |   3 +-
 .../server/security/access/config/Rule.java     |   3 +
 .../server/security/access/config/RuleSet.java  |  31 +++++-
 .../config/LegacyAccessControlAdapterTest.java  |  72 +++++++++---
 .../security/access/config/RuleSetTest.java     |  49 +++++++++
 .../server/security/acl/MessagingACLTest.java   |  61 +++++++++++
 7 files changed, 284 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
index 9a072ab..0aab300 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
@@ -22,6 +22,7 @@ package org.apache.qpid.server.security.access.config;
 
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.ACCESS_LOGS;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.BIND;
+import static 
org.apache.qpid.server.security.access.config.LegacyOperation.CREATE;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.INVOKE;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.PUBLISH;
 import static 
org.apache.qpid.server.security.access.config.LegacyOperation.PURGE;
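Review bot: The newly added static import of `LegacyOperation.CREATE` is not used by any of the adapter hunks in this commit; the only `CREATE` comparison the change introduces is in `RuleSet`, written as `LegacyOperation.CREATE`. If nothing elsewhere in this file references the bare `CREATE`, the import is dead and should be dropped to keep the import block honest.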
@@ -203,16 +204,21 @@ class LegacyAccessControlAdapter
 
         if (configuredObject instanceof Queue)
         {
-            setQueueProperties((Queue)configuredObject, properties);
+            setQueueProperties((Queue<?>)configuredObject, properties);
         }
         else if (configuredObject instanceof Exchange)
         {
-            Exchange<?> exchange = (Exchange<?>)configuredObject;
+            Exchange<?> exchange = (Exchange<?>) configuredObject;
             Object lifeTimePolicy = 
exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY);
             properties.put(ObjectProperties.Property.AUTO_DELETE, 
lifeTimePolicy != LifetimePolicy.PERMANENT);
             properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy 
!= LifetimePolicy.PERMANENT);
             properties.put(ObjectProperties.Property.DURABLE, (Boolean) 
exchange.getAttribute(ConfiguredObject.DURABLE));
             properties.put(ObjectProperties.Property.TYPE, (String) 
exchange.getAttribute(Exchange.TYPE));
+            if (exchange.getAttribute(Queue.CREATED_BY) != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, (String) 
exchange.getAttribute(ConfiguredObject.CREATED_BY));
+            }
+
             VirtualHost virtualHost = (VirtualHost) exchange.getParent();
             properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
         }
@@ -221,18 +227,27 @@ class LegacyAccessControlAdapter
             Queue<?> queue = 
(Queue<?>)((QueueConsumer<?,?>)configuredObject).getParent();
             setQueueProperties(queue, properties);
         }
-        else if (isBrokerType(configuredObjectType))
-        {
-            String description = String.format("%s %s '%s'",
-                                               configuredObjectOperation == 
null? null : configuredObjectOperation.name().toLowerCase(),
-                                               configuredObjectType == null ? 
null : configuredObjectType.getSimpleName().toLowerCase(),
-                                               objectName);
-            properties = new OperationLoggingDetails(description);
-        }
-        else if (isVirtualHostType(configuredObjectType))
+        else
         {
-            ConfiguredObject<?> virtualHost = 
getModel().getAncestor(VirtualHost.class, 
(ConfiguredObject<?>)configuredObject);
-            properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
+            final ConfiguredObject<?> object = (ConfiguredObject<?>) 
configuredObject;
+            if (isBrokerType(configuredObjectType))
+            {
+                String description = String.format("%s %s '%s'",
+                                                   configuredObjectOperation 
== null? null : configuredObjectOperation.name().toLowerCase(),
+                                                   configuredObjectType == 
null ? null : configuredObjectType.getSimpleName().toLowerCase(),
+                                                   objectName);
+                properties = new OperationLoggingDetails(description);
+            }
+            else if (isVirtualHostType(configuredObjectType))
+            {
+                ConfiguredObject<?> virtualHost = 
getModel().getAncestor(VirtualHost.class,
+                                                                         
object);
+                properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
(String)virtualHost.getAttribute(VirtualHost.NAME));
+            }
+            if (object.getAttribute(ConfiguredObject.CREATED_BY) != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, (String) 
object.getAttribute(ConfiguredObject.CREATED_BY));
+            }
         }
         return properties;
     }
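Review bot: The exchange branch tests `exchange.getAttribute(Queue.CREATED_BY)` but reads `exchange.getAttribute(ConfiguredObject.CREATED_BY)` two lines later; the two constants presumably resolve to the same attribute through inheritance, but an exchange should not be keyed by a `Queue` constant, and each new block fetches the attribute twice. Read it once into a local and use the `ConfiguredObject` constant throughout: `final Object createdBy = exchange.getAttribute(ConfiguredObject.CREATED_BY); if (createdBy != null) { properties.put(ObjectProperties.Property.CREATED_BY, (String) createdBy); }`. A short comment that an object with no `createdBy` never matches an OWNER rule (the `RuleSet` change drops OWNER rules when the property is absent) would document why the null case is deliberately left out rather than mapped to an empty string. The enclosing method starts before this hunk.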
@@ -245,6 +260,10 @@ class LegacyAccessControlAdapter
         properties.put(ObjectProperties.Property.TEMPORARY, lifeTimePolicy != 
LifetimePolicy.PERMANENT);
         properties.put(ObjectProperties.Property.DURABLE, 
(Boolean)queue.getAttribute(ConfiguredObject.DURABLE));
         properties.put(ObjectProperties.Property.EXCLUSIVE, 
queue.getAttribute(Queue.EXCLUSIVE) != ExclusivityPolicy.NONE);
+        if (queue.getAttribute(Queue.CREATED_BY) != null)
+        {
+            properties.put(ObjectProperties.Property.CREATED_BY, (String) 
queue.getAttribute(Queue.CREATED_BY));
+        }
         Object alternateBinding = queue.getAttribute(Queue.ALTERNATE_BINDING);
         if (alternateBinding instanceof AlternateBinding)
         {
@@ -306,6 +325,8 @@ class LegacyAccessControlAdapter
                            final Map<String, Object> arguments)
     {
         Class<? extends ConfiguredObject> categoryClass = 
configuredObject.getCategoryClass();
+        String createdBy = configuredObject instanceof ConfiguredObject<?> ? 
(String) ((ConfiguredObject) 
configuredObject).getAttribute(ConfiguredObject.CREATED_BY) : null;
+
         if(categoryClass == Exchange.class)
         {
             MessageDestination exchange = (MessageDestination) 
configuredObject;
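Review bot: The new `createdBy` extraction casts through the raw type `((ConfiguredObject) configuredObject)` immediately after testing `instanceof ConfiguredObject<?>`; use the wildcard type in the cast as the rest of this file does, `(String) ((ConfiguredObject<?>) configuredObject).getAttribute(ConfiguredObject.CREATED_BY)`. The identical expression is repeated in the method-authorisation path further down, so a small private helper such as `private static String getCreatedBy(final Object o)` would keep the two copies in step. The enclosing method's signature begins before this hunk.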
@@ -321,6 +342,10 @@ class LegacyAccessControlAdapter
                     props.put(ObjectProperties.Property.AUTO_DELETE, 
lifetimePolicy != LifetimePolicy.PERMANENT);
                     props.put(ObjectProperties.Property.TEMPORARY, 
lifetimePolicy != LifetimePolicy.PERMANENT);
                 }
+                if (createdBy != null)
+                {
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
                 return _accessControl.authorise(PUBLISH, EXCHANGE, props);
             }
         }
@@ -331,6 +356,10 @@ class LegacyAccessControlAdapter
                 String virtualHostName = configuredObject.getName();
                 ObjectProperties properties = new 
ObjectProperties(virtualHostName);
                 properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
virtualHostName);
+                if (createdBy != null)
+                {
+                    properties.put(ObjectProperties.Property.CREATED_BY, 
createdBy);
+                }
                 return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.VIRTUALHOST, properties);
             }
         }
@@ -338,7 +367,13 @@ class LegacyAccessControlAdapter
         {
             if("manage".equals(actionName))
             {
-                return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
+                ObjectProperties props = ObjectProperties.EMPTY;
+                if (createdBy != null)
+                {
+                    props = new ObjectProperties();
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
+                return _accessControl.authorise(LegacyOperation.ACCESS, 
ObjectType.MANAGEMENT, props);
             }
         }
         else if(categoryClass == Queue.class)
@@ -347,9 +382,14 @@ class LegacyAccessControlAdapter
             if("publish".equals(actionName))
             {
 
-                final ObjectProperties _props =
+                final ObjectProperties props =
                         new ObjectProperties(queue.getParent().getName(), "", 
queue.getName());
-                return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
+                if (createdBy != null)
+                {
+                    props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+                }
+
+                return _accessControl.authorise(PUBLISH, EXCHANGE, props);
             }
         }
 
@@ -371,11 +411,18 @@ class LegacyAccessControlAdapter
             return invokeResult;
         }
 
+        String createdBy = configuredObject instanceof ConfiguredObject<?> ? 
(String) ((ConfiguredObject) 
configuredObject).getAttribute(ConfiguredObject.CREATED_BY)
+                : null;
+        final ObjectProperties properties = new ObjectProperties();
+        if (createdBy != null)
+        {
+            properties.put(ObjectProperties.Property.CREATED_BY, createdBy);
+        }
+
         // Otherwise fallback to the older rule-style
         if(categoryClass == Queue.class)
         {
             Queue queue = (Queue) configuredObject;
-            final ObjectProperties properties = new ObjectProperties();
             if("clearQueue".equals(methodName))
             {
                 setQueueProperties(queue, properties);
@@ -393,26 +440,32 @@ class LegacyAccessControlAdapter
         }
         else if ((categoryClass == BrokerLogger.class || categoryClass == 
VirtualHostLogger.class) && LOG_ACCESS_METHOD_NAMES.contains(methodName))
         {
-            ObjectProperties empty = categoryClass == BrokerLogger.class ? 
ObjectProperties.EMPTY : new ObjectProperties(
-                    ((ConfiguredObject) 
configuredObject).getParent().getName());
+            if (categoryClass != BrokerLogger.class)
+            {
+                properties.setName(((ConfiguredObject<?>) 
configuredObject).getParent().getName());
+            }
+
             return _accessControl.authorise(ACCESS_LOGS, categoryClass == 
BrokerLogger.class ? ObjectType.BROKER : ObjectType.VIRTUALHOST,
-                                            empty);
+                                            properties);
         }
         else if(categoryClass == Broker.class && 
"initiateShutdown".equals(methodName))
         {
-            _accessControl.authorise(LegacyOperation.SHUTDOWN, 
ObjectType.BROKER, ObjectProperties.EMPTY);
+            _accessControl.authorise(LegacyOperation.SHUTDOWN, 
ObjectType.BROKER, properties);
         }
         else if (categoryClass == Exchange.class)
         {
+            final ObjectProperties props = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
+            if (createdBy != null)
+            {
+                props.put(ObjectProperties.Property.CREATED_BY, createdBy);
+            }
             if ("bind".equals(methodName))
             {
-                final ObjectProperties properties = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
-                return _accessControl.authorise(BIND, EXCHANGE, properties);
+                return _accessControl.authorise(BIND, EXCHANGE, props);
             }
             else if ("unbind".equals(methodName))
             {
-                final ObjectProperties properties = 
createObjectPropertiesForExchangeBind(arguments, configuredObject);
-                return _accessControl.authorise(UNBIND, EXCHANGE, properties);
+                return _accessControl.authorise(UNBIND, EXCHANGE, props);
             }
         }
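Review bot: `createObjectPropertiesForExchangeBind(arguments, configuredObject)` is now invoked for every method called on an Exchange, whereas before it ran only under the `bind`/`unbind` checks; if that helper (defined outside this hunk) assumes bind-style keys in `arguments`, every other exchange method now pays that cost or fails before reaching the fall-through. Guard the call with `if ("bind".equals(methodName) || "unbind".equals(methodName))` and build `props` inside that block. Separately, the `initiateShutdown` branch still discards the `authorise` result, as it did before this change; unless the fall-through below returns that same decision, the SHUTDOWN check neither grants nor denies, which is worth confirming. The enclosing method ends outside the hunk.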
 
@@ -442,6 +495,12 @@ class LegacyAccessControlAdapter
                 componentName = 
buildHierarchicalCategoryName(configuredObject, model.getAncestor(Broker.class, 
configuredObject));
             }
             properties.put(ObjectProperties.Property.COMPONENT, componentName);
+            final String createdBy = (String) 
configuredObject.getAttribute(ConfiguredObject.CREATED_BY);
+            if (createdBy != null)
+            {
+                properties.put(ObjectProperties.Property.CREATED_BY, 
createdBy);
+            }
+
         }
 
         return properties;

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
index 8cd57f0..deec6f7 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
@@ -63,7 +63,8 @@ public class ObjectProperties
         FROM_HOSTNAME,
         VIRTUALHOST_NAME,
         METHOD_NAME,
-        ATTRIBUTES;
+        ATTRIBUTES,
+        CREATED_BY;
 
         private static final Map<String, Property> _canonicalNameToPropertyMap 
= new HashMap<String, ObjectProperties.Property>();
 
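Review bot: `CREATED_BY` joins `Property` without a comment, although it is a different kind of entry from its neighbours: its value is taken from the target object's `createdBy` attribute rather than from the client request, and `_canonicalNameToPropertyMap` below will presumably also make it matchable from an ACL file. Add a brief comment above it, e.g. `/** Principal name that created the target object; broker-supplied, used for OWNER rules in RuleSet. */`, so the next reader knows the value is trusted and where it comes from.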

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
index b0d1b09..bf82b6c 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
@@ -33,6 +33,9 @@ public class Rule
        /** String indicating all identified. */
        public static final String ALL = "all";
 
+       /** String indicating all identified. */
+       public static final String OWNER = "owner";
+
     private final String _identity;
     private final AclAction _action;
     private final RuleOutcome _ruleOutcome;
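Review bot: The Javadoc on the new `OWNER` constant is a verbatim copy of the one on `ALL` ("String indicating all identified.") and is wrong for it. Replace it with `/** Pseudo-identity matching only the subject that created the target object. */`. Mentioning that the keyword is matched case-insensitively and is not a real user name would also help readers of ACL files.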

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index cf439fe..151e1ac 100644
--- 
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ 
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -41,6 +41,7 @@ import org.apache.qpid.server.logging.EventLoggerProvider;
 import org.apache.qpid.server.logging.messages.AccessControlMessages;
 import org.apache.qpid.server.security.Result;
 import org.apache.qpid.server.security.access.plugins.RuleOutcome;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 
 /**
  * Models the rule configuration for the access control plugin.
@@ -108,7 +109,7 @@ public class RuleSet implements EventLoggerProvider
             }
 
             // Save the rules we selected
-            objects.put(objectType, filtered);
+            objects.put(objectType, filtered == null ? null : 
Collections.unmodifiableList(filtered));
 
             LOGGER.debug("Cached {} RulesList: {}", objectType, filtered);
         }
@@ -156,10 +157,33 @@ public class RuleSet implements EventLoggerProvider
             return getDefault();
         }
 
+        final boolean ownerRules = rules.stream()
+                                        .anyMatch(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+
+        if (ownerRules)
+        {
+            rules = new LinkedList<>(rules);
+
+            if (operation == LegacyOperation.CREATE)
+            {
+                rules.removeIf(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+            }
+            else
+            {
+                // Discard OWNER rules if the object wasn't created by the 
subject
+                final String objectCreator = 
properties.get(ObjectProperties.Property.CREATED_BY);
+                final Principal principal =
+                        
AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
+                if (principal == null || 
!principal.getName().equalsIgnoreCase(objectCreator))
+                {
+                    rules.removeIf(rule -> 
rule.getIdentity().equalsIgnoreCase(Rule.OWNER));
+                }
+            }
+        }
+
         // Iterate through a filtered set of rules dealing with this identity 
and operation
         for (Rule rule : rules)
         {
-
             LOGGER.debug("Checking against rule: {}", rule);
 
             if (action.matches(rule.getAclAction(), addressOfClient))
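Review bot: Ownership is decided by `principal.getName().equalsIgnoreCase(objectCreator)`, so if the configured authentication provider distinguishes user names by case, `Bob` is treated as the owner of everything created by `bob` and receives whatever the OWNER rules grant. Unless principal names are known to be case-folded before they are stored in `createdBy`, compare exactly: `if (principal == null || !principal.getName().equals(objectCreator))`. The null handling on that line is right: a missing `createdBy` or an unauthenticated subject removes the OWNER rules instead of matching them, so the check fails closed. The `Rule.OWNER` identity test appears three times in this hunk; a `private static boolean isOwnerRule(final Rule rule)` predicate would keep them consistent.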
@@ -212,7 +236,8 @@ public class RuleSet implements EventLoggerProvider
 
     private boolean isRelevant(final Set<Principal> principals, final Rule 
rule)
     {
-        if (rule.getIdentity().equalsIgnoreCase(Rule.ALL))
+        if (rule.getIdentity().equalsIgnoreCase(Rule.ALL) ||
+            rule.getIdentity().equalsIgnoreCase(Rule.OWNER))
         {
             return true;
         }
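Review bot: `isRelevant` now reports OWNER rules as relevant to every principal, so the cached per-type rule lists contain OWNER grants for everyone and depend on `check` pruning them per request; any consumer of the cached list that bypasses that pruning would hand OWNER permissions to all users. Record the contract here with a comment such as `// OWNER rules are cached for every principal; check() removes them unless the subject created the object`. The rest of the method lies outside the hunk.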

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
index 3d21010..7a7e1b4 100644
--- 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
+++ 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
@@ -48,6 +48,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
     private static final String TEST_VIRTUAL_HOST = "testVirtualHost";
     private static final String TEST_EXCHANGE = "testExchange";
     private static final String TEST_QUEUE = "testQueue";
+    private static final String TEST_USER = "user";
 
     private LegacyAccessControl _accessControl;
     private QueueManagingVirtualHost<?> _virtualHost;
@@ -69,6 +70,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
 
         when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST);
         
when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
+        
when(_virtualHost.getAttribute(VirtualHost.CREATED_BY)).thenReturn(TEST_USER);
         when(_virtualHost.getModel()).thenReturn(_model);
         doReturn(_virtualHostNode).when(_virtualHost).getParent();
         doReturn(VirtualHost.class).when(_virtualHost).getCategoryClass();
@@ -101,6 +103,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN");
         when(vhn.getParent()).thenReturn(_broker);
         when(vhn.getModel()).thenReturn(BrokerModel.getInstance());
+        
when(vhn.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         return vhn;
     }
 
@@ -111,6 +114,8 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(accessControlProvider.getParent()).thenReturn(_broker);
         when(accessControlProvider.getName()).thenReturn("TEST");
         
when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class);
+        
when(accessControlProvider.getAttribute(Queue.CREATED_BY)).thenReturn(TEST_USER);
+
 
         assertBrokerChildCreateAuthorization(accessControlProvider);
     }
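Review bot: The `AccessControlProvider` mock is stubbed with `Queue.CREATED_BY` although it is not a queue; use `ConfiguredObject.CREATED_BY` as the other mocks in this file do, `when(accessControlProvider.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);`. All of the visible test changes stub `createdBy` to a value; none checks that an object whose `createdBy` is null produces properties without `CREATED_BY`, which is the path that keeps OWNER rules from matching, so a case for it would be worth adding.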
@@ -123,6 +128,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
         
when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
         
when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queue.getAttribute(Queue.CREATED_BY)).thenReturn(TEST_USER);
         when(queue.getCategoryClass()).thenReturn(Queue.class);
 
         Session session = mock(Session.class);
@@ -141,6 +147,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         properties.put(ObjectProperties.Property.TEMPORARY, false);
         properties.put(ObjectProperties.Property.DURABLE, true);
         properties.put(ObjectProperties.Property.EXCLUSIVE, false);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
 
         assertAuthorization(LegacyOperation.CREATE, consumer, 
LegacyOperation.CONSUME, ObjectType.QUEUE, properties,
                             Collections.emptyMap());
@@ -153,6 +160,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(Port.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -195,6 +203,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(KeyStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -204,6 +213,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(TrustStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -355,7 +365,10 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
     public void testAuthoriseCreateVirtualHostNode()
     {
         VirtualHostNode vhn = getMockVirtualHostNode();
-        assertCreateAuthorization(vhn, LegacyOperation.CREATE, 
ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"));
+        final ObjectProperties expectedProperties = new 
ObjectProperties("testVHN");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
+        assertCreateAuthorization(vhn, LegacyOperation.CREATE, 
ObjectType.VIRTUALHOSTNODE,
+                                  expectedProperties);
     }
 
     public void testAuthoriseCreatePort()
@@ -364,6 +377,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(port.getParent()).thenReturn(_broker);
         when(port.getName()).thenReturn("TEST");
         when(port.getCategoryClass()).thenReturn(Port.class);
+        
when(port.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(port);
     }
@@ -374,7 +388,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(authenticationProvider.getParent()).thenReturn(_broker);
         when(authenticationProvider.getName()).thenReturn("TEST");
         
when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
-
+        
when(authenticationProvider.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildCreateAuthorization(authenticationProvider);
     }
 
@@ -384,6 +398,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(groupProvider.getParent()).thenReturn(_broker);
         when(groupProvider.getName()).thenReturn("TEST");
         when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+        
when(groupProvider.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(groupProvider);
     }
@@ -395,6 +410,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(keyStore.getParent()).thenReturn(_broker);
         when(keyStore.getName()).thenReturn("TEST");
         when(keyStore.getCategoryClass()).thenReturn(KeyStore.class);
+        
when(keyStore.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(keyStore);
     }
@@ -405,6 +421,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(trustStore.getParent()).thenReturn(_broker);
         when(trustStore.getName()).thenReturn("TEST");
         when(trustStore.getCategoryClass()).thenReturn(TrustStore.class);
+        
when(trustStore.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
         assertBrokerChildCreateAuthorization(trustStore);
     }
@@ -474,6 +491,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         VirtualHostNode vhn = getMockVirtualHostNode();
         ObjectProperties expectedProperties = new 
ObjectProperties(vhn.getName());
         
expectedProperties.setAttributeNames(Collections.singleton(ConfiguredObject.DESCRIPTION));
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
         assertUpdateAuthorization(vhn,
                                   LegacyOperation.UPDATE,
                                   ObjectType.VIRTUALHOSTNODE,
@@ -488,6 +506,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -497,6 +516,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -506,6 +526,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -515,6 +536,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(KeyStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -524,6 +546,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(TrustStore.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildUpdateAuthorization(mock);
     }
 
@@ -578,7 +601,10 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
     public void testAuthoriseDeleteVirtualHostNode()
     {
         VirtualHostNode vhn = getMockVirtualHostNode();
-        assertDeleteAuthorization(vhn, LegacyOperation.DELETE, 
ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()));
+        final ObjectProperties expectedProperties = new 
ObjectProperties(vhn.getName());
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
+        assertDeleteAuthorization(vhn, LegacyOperation.DELETE, 
ObjectType.VIRTUALHOSTNODE,
+                                  expectedProperties);
     }
 
     public void testAuthoriseDeletePort()
@@ -587,6 +613,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(Port.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -596,6 +623,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -605,6 +633,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -614,6 +643,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("test");
         when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildDeleteAuthorization(mock);
     }
 
@@ -623,6 +653,8 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(mock.getName()).thenReturn("TEST");
         when(mock.getCategoryClass()).thenReturn(BrokerLogger.class);
         when(mock.getParent()).thenReturn(_broker);
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
+
         assertBrokerChildCreateAuthorization(mock);
 
         when(mock.getName()).thenReturn("test");
@@ -636,12 +668,15 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(bl.getName()).thenReturn("LOGGER");
         when(bl.getCategoryClass()).thenReturn(BrokerLogger.class);
         when(bl.getParent()).thenReturn(_broker);
+        
when(bl.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
+
 
         BrokerLogInclusionRule mock = mock(BrokerLogInclusionRule.class);
         when(mock.getName()).thenReturn("TEST");
         when(mock.getCategoryClass()).thenReturn(BrokerLogInclusionRule.class);
         when(mock.getParent()).thenReturn(bl);
         when(mock.getModel()).thenReturn(BrokerModel.getInstance());
+        
when(mock.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
         assertBrokerChildCreateAuthorization(mock);
 
         when(mock.getName()).thenReturn("test");
@@ -661,12 +696,15 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
         
when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
         
when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        
when(queue.getAttribute(ConfiguredObject.CREATED_BY)).thenReturn(TEST_USER);
 
-        ObjectProperties properties = new ObjectProperties();
-        properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
-        properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
-        properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
_virtualHost.getName());
-        properties.put(ObjectProperties.Property.COMPONENT, 
"VirtualHost.Queue");
+
+        ObjectProperties expectedProperties = new ObjectProperties();
+        expectedProperties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
+        expectedProperties.put(ObjectProperties.Property.METHOD_NAME, 
methodName);
+        expectedProperties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
_virtualHost.getName());
+        expectedProperties.put(ObjectProperties.Property.COMPONENT, 
"VirtualHost.Queue");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.QUEUE),
@@ -675,7 +713,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         Result result = _adapter.authoriseMethod(queue, methodName, 
Collections.emptyMap());
         assertEquals("Unexpected authorise result", Result.ALLOWED, result);
 
-        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.QUEUE), eq(properties));
+        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.QUEUE), eq(expectedProperties));
         verify(_accessControl, never()).authorise(eq(LegacyOperation.PURGE), 
eq(ObjectType.QUEUE), any(ObjectProperties.class));
     }
     public void testAuthoriseInvokeBrokerDescendantMethod()
@@ -683,10 +721,11 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         String methodName = "getStatistics";
         VirtualHostNode<?> virtualHostNode = _virtualHostNode;
 
-        ObjectProperties properties = new ObjectProperties();
-        properties.put(ObjectProperties.Property.NAME, 
virtualHostNode.getName());
-        properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
-        properties.put(ObjectProperties.Property.COMPONENT, 
"Broker.VirtualHostNode");
+        ObjectProperties expectedProperties = new ObjectProperties();
+        expectedProperties.put(ObjectProperties.Property.NAME, 
virtualHostNode.getName());
+        expectedProperties.put(ObjectProperties.Property.METHOD_NAME, 
methodName);
+        expectedProperties.put(ObjectProperties.Property.COMPONENT, 
"Broker.VirtualHostNode");
+        expectedProperties.put(ObjectProperties.Property.CREATED_BY, 
TEST_USER);
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.VIRTUALHOSTNODE),
@@ -695,7 +734,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         Result result = _adapter.authoriseMethod(virtualHostNode, methodName, 
Collections.emptyMap());
         assertEquals("Unexpected authorise result", Result.ALLOWED, result);
 
-        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.VIRTUALHOSTNODE), eq(properties));
+        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), 
eq(ObjectType.VIRTUALHOSTNODE), eq(expectedProperties));
     }
 
     public void testAuthorisePurge()
@@ -830,6 +869,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
         ObjectProperties properties = new ObjectProperties();
         properties.put(ObjectProperties.Property.NAME, TEST_VIRTUAL_HOST);
         properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, 
TEST_VIRTUAL_HOST);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
 
         _adapter.authoriseAction(_virtualHost, "connect", 
Collections.emptyMap());
 
@@ -867,6 +907,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
                                            
object.getCategoryClass().getSimpleName().toLowerCase(),
                                            "TEST");
         ObjectProperties properties = new OperationLoggingDetails(description);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         assertCreateAuthorization(object, LegacyOperation.CONFIGURE, 
ObjectType.BROKER, properties);
     }
 
@@ -892,6 +933,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
                                            
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
                                            configuredObject.getName());
         ObjectProperties properties = new OperationLoggingDetails(description);
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         
properties.setAttributeNames(Collections.singleton(ConfiguredObject.DESCRIPTION));
 
         assertUpdateAuthorization(configuredObject, LegacyOperation.CONFIGURE, 
ObjectType.BROKER,
@@ -914,7 +956,7 @@ public class LegacyAccessControlAdapterTest extends 
QpidTestCase
                                            
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
                                            configuredObject.getName());
         ObjectProperties properties = new OperationLoggingDetails(description);
-
+        properties.put(ObjectProperties.Property.CREATED_BY, TEST_USER);
         assertDeleteAuthorization(configuredObject, LegacyOperation.CONFIGURE, 
ObjectType.BROKER,
                                   properties);
     }

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
----------------------------------------------------------------------
diff --git 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
index 72db732..1bb4f63 100644
--- 
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
+++ 
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java
@@ -506,4 +506,53 @@ public class RuleSetTest extends QpidTestCase
         assertEquals(Result.ALLOWED, ruleSet.check(_testSubject, 
LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, updateProperties));
     }
 
+    public void testExistingObjectOwner()
+    {
+        _ruleSetCreator.addRule(1,
+                                Rule.OWNER,
+                                RuleOutcome.ALLOW,
+                                LegacyOperation.CONSUME,
+                                ObjectType.QUEUE,
+                                ObjectProperties.EMPTY);
+        RuleSet ruleSet = createRuleSet();
+        assertEquals((long) 1, (long) ruleSet.getRuleCount());
+
+        assertEquals(Result.ALLOWED,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CONSUME,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
TEST_USER)));
+
+        assertEquals(Result.DEFER,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CONSUME,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
"anotherUser")));
+    }
+
+    public void testCreateIgnoresOwnerRule()
+    {
+        _ruleSetCreator.addRule(1,
+                                Rule.OWNER,
+                                RuleOutcome.ALLOW,
+                                LegacyOperation.ALL,
+                                ObjectType.QUEUE,
+                                ObjectProperties.EMPTY);
+        RuleSet ruleSet = createRuleSet();
+        assertEquals((long) 1, (long) ruleSet.getRuleCount());
+
+        assertEquals(Result.ALLOWED,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.UPDATE,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
TEST_USER)));
+
+        assertEquals(Result.DEFER,
+                     ruleSet.check(_testSubject,
+                                   LegacyOperation.CREATE,
+                                   ObjectType.QUEUE,
+                                   new ObjectProperties(Property.CREATED_BY, 
"anotherUser")));
+
+    }
+
 }
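Review bot: `testCreateIgnoresOwnerRule` does not isolate what its name claims: the CREATE check passes `"anotherUser"` as `CREATED_BY`, so the DEFER follows from non-ownership just as well as from CREATE being excluded from OWNER matching, and the test would still pass if CREATE were honoured for owners. Use the subject's own identity there, `new ObjectProperties(Property.CREATED_BY, TEST_USER)`, so the operation is the only remaining reason for DEFER. A further assertion in `testExistingObjectOwner` with `ObjectProperties.EMPTY` (no `CREATED_BY` recorded) expecting DEFER would also pin down that an OWNER rule never matches an object with no recorded creator.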

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/5f19120a/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java
----------------------------------------------------------------------
diff --git 
a/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java
 
b/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java
index 8913baa..2bbb701 100644
--- 
a/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java
+++ 
b/systests/src/test/java/org/apache/qpid/server/security/acl/MessagingACLTest.java
@@ -161,6 +161,67 @@ public class MessagingACLTest extends AbstractACLTestCase
         }
     }
 
+    public void  setUpConsumeOwnQueueSuccess() throws Exception
+    {
+        List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG 
guest ACCESS VIRTUALHOST",
+                                                           "ACL ALLOW-LOG 
OWNER CONSUME QUEUE",
+                                                           "ACL DENY-LOG ALL 
CONSUME QUEUE"));
+
+        if (isBroker10())
+        {
+            rules.add("ACL ALLOW-LOG client BIND EXCHANGE temporary=\"true\"");
+        }
+        else
+        {
+            rules.add("ACL ALLOW-LOG client BIND EXCHANGE name=\"amq.topic\"");
+        }
+        writeACLFileWithAdminSuperUser(rules.toArray(new 
String[rules.size()]));
+    }
+
+    public void testConsumeOwnQueueSuccess() throws Exception
+    {
+        final String queueName = "user1Queue";
+
+        createQueue(queueName);
+
+        final String queueAddress = String.format(isBroker10() ? "%s" :  
"ADDR:%s; {create:never}", queueName);
+
+        Connection queueOwnerCon = 
getConnectionBuilder().setUsername("admin").setPassword("admin").build();
+        try
+        {
+            Session queueOwnerSession = queueOwnerCon.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+            final Queue queue = queueOwnerSession.createQueue(queueAddress);
+            queueOwnerSession.createConsumer(queue).close();
+        }
+        finally
+        {
+            queueOwnerCon.close();
+        }
+
+        Connection otherUserCon = 
getConnectionBuilder().setUsername("guest").setPassword("guest").build();
+        try
+        {
+            Session otherUserSession = otherUserCon.createSession(false, 
Session.AUTO_ACKNOWLEDGE);
+            try
+            {
+                
otherUserSession.createConsumer(otherUserSession.createQueue(queueAddress)).close();
+                fail("Exception not thrown");
+            }
+            catch (JMSException e)
+            {
+                final String expectedMessage =
+                        isBroker10()
+                                ? "Permission CREATE is denied for : Consumer"
+                                : "403: access refused";
+                assertJMSExceptionMessageContains(e, expectedMessage);
+            }
+        }
+        finally
+        {
+            otherUserCon.close();
+        }
+    }
+
     public void setUpConsumeFromTempTopicSuccess() throws Exception
     {
         List<String> rules = new ArrayList<>(Arrays.asList("ACL ALLOW-LOG 
client ACCESS VIRTUALHOST",
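Review bot: The positive half of `testConsumeOwnQueueSuccess` consumes as `admin`; if `writeACLFileWithAdminSuperUser` grants admin everything, as its name suggests, that consumer is allowed with or without the `ACL ALLOW-LOG OWNER CONSUME QUEUE` line, and the `guest` denial is produced by `ACL DENY-LOG ALL CONSUME QUEUE` alone, so the test cannot tell whether the OWNER rule is honoured at all. To exercise it, create and consume the queue as a non-superuser identity that holds only a CREATE QUEUE grant, and keep the `guest` check as the negative case. Minor: there is a doubled space in `public void  setUpConsumeOwnQueueSuccess()`, and `rules.toArray(new String[0])` is the conventional form.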

