This is an automated email from the ASF dual-hosted git repository.
vavrtom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/main by this push:
new e7ca9f3 QPID-8578: [Broker-J] ACL firewall predicates should be
applied to HTTP(S) connections (#119)
e7ca9f3 is described below
commit e7ca9f3f50fa2575378aa673d656591089c6bb9d
Author: Daniil Kirilyuk <[email protected]>
AuthorDate: Fri Mar 11 08:45:43 2022 +0100
QPID-8578: [Broker-J] ACL firewall predicates should be applied to HTTP(S)
connections (#119)
---
.../access/firewall/AbstractFirewallRuleImpl.java | 19 +++---
.../access/firewall/HostnameFirewallRuleTest.java | 68 ++++++++++++++++++++-
.../access/firewall/NetworkFirewallRuleTest.java | 70 +++++++++++++++++++++-
3 files changed, 148 insertions(+), 9 deletions(-)
diff --git
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java
index fc31e5c..c20df45 100644
---
a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java
+++
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java
@@ -20,12 +20,15 @@ package org.apache.qpid.server.security.access.firewall;
import java.net.InetAddress;
import java.net.InetSocketAddress;
-import java.net.SocketAddress;
+import java.util.Set;
+import java.util.stream.Stream;
import javax.security.auth.Subject;
import org.apache.qpid.server.connection.ConnectionPrincipal;
import org.apache.qpid.server.security.access.config.FirewallRule;
+import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
+import org.apache.qpid.server.security.auth.SocketConnectionPrincipal;
abstract class AbstractFirewallRuleImpl implements FirewallRule
{
@@ -39,13 +42,15 @@ abstract class AbstractFirewallRuleImpl implements
FirewallRule
@Override
public boolean matches(final Subject subject)
{
- for (final ConnectionPrincipal principal :
subject.getPrincipals(ConnectionPrincipal.class))
+ final Set<ConnectionPrincipal> connectionPrincipals =
subject.getPrincipals(ConnectionPrincipal.class);
+ final Set<ManagementConnectionPrincipal> mgmtConnectionPrincipals =
subject.getPrincipals(ManagementConnectionPrincipal.class);
+ if (!connectionPrincipals.isEmpty() ||
!mgmtConnectionPrincipals.isEmpty())
{
- final SocketAddress address =
principal.getConnection().getRemoteSocketAddress();
- if (address instanceof InetSocketAddress)
- {
- return matches(((InetSocketAddress) address).getAddress());
- }
+ return Stream.concat(connectionPrincipals.stream(),
mgmtConnectionPrincipals.stream())
+ .map(SocketConnectionPrincipal::getRemoteAddress)
+ .filter(InetSocketAddress.class::isInstance)
+ .map(address -> matches(((InetSocketAddress)
address).getAddress()))
+ .findFirst().orElse(true);
}
return true;
}
diff --git
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
index 4bd6a44..f944514 100644
---
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
+++
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
@@ -24,12 +24,24 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.net.InetAddress;
-
+import java.net.InetSocketAddress;
+import java.util.Collections;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.security.access.config.FirewallRule;
+import org.apache.qpid.server.security.access.config.LegacyOperation;
+import org.apache.qpid.server.security.access.config.ObjectProperties;
+import org.apache.qpid.server.security.access.config.RulePredicate;
+import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.junit.Before;
import org.junit.Test;
import org.apache.qpid.test.utils.UnitTestBase;
+import javax.security.auth.Subject;
+
public class HostnameFirewallRuleTest extends UnitTestBase
{
private InetAddress _addressNotInRule;
@@ -104,4 +116,58 @@ public class HostnameFirewallRuleTest extends UnitTestBase
rule.equals(new HostnameFirewallRule(hostname1,
"different-hostname")));
}
+
+ @Test
+ public void testManagementConnectionPrincipals()
+ {
+ final ManagementConnectionPrincipal managementConnectionPrincipal =
mock(ManagementConnectionPrincipal.class);
+ when(managementConnectionPrincipal.getRemoteAddress())
+ .thenReturn(new InetSocketAddress("127.0.0.1", 8000));
+
+ final ManagementConnectionPrincipal
invalidManagementConnectionPrincipal =
mock(ManagementConnectionPrincipal.class);
+ when(invalidManagementConnectionPrincipal.getRemoteAddress())
+ .thenReturn(new InetSocketAddress("127.0.0.3", 8000));
+
+ final Subject subject = new Subject();
+ final FirewallRule rule1 = new HostnameFirewallRule("127.0.0.1",
"localhost");
+ final FirewallRule rule2 = new HostnameFirewallRule("127.0.0.2");
+
+ assertTrue(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+ assertTrue(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
+
assertTrue(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
assertTrue(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
+ final Subject anotherSubject = new Subject(false,
+ ImmutableSet.of(
+ new UsernamePrincipal("name",
mock(AuthenticationProvider.class)), managementConnectionPrincipal
+ ),
+ Collections.emptySet(),
+ Collections.emptySet());
+
+
assertTrue(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
assertTrue(RulePredicate.any().and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+ assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+ assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+
assertFalse(rule2.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
assertFalse(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+ final Subject invalidSubject = new Subject(false,
+ ImmutableSet.of(
+ new UsernamePrincipal("name",
mock(AuthenticationProvider.class)), invalidManagementConnectionPrincipal
+ ),
+ Collections.emptySet(),
+ Collections.emptySet());
+
+
assertFalse(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
assertFalse(RulePredicate.any().and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
+ assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+ assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
+
assertFalse(rule2.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
assertFalse(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+ }
}
diff --git
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
index 7acb15d..773cb32 100644
---
a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
+++
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
@@ -20,14 +20,28 @@ package org.apache.qpid.server.security.access.firewall;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
import java.net.InetAddress;
-
+import java.net.InetSocketAddress;
+import java.util.Collections;
+
+import com.google.common.collect.ImmutableSet;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.security.access.config.FirewallRule;
+import org.apache.qpid.server.security.access.config.LegacyOperation;
+import org.apache.qpid.server.security.access.config.ObjectProperties;
+import org.apache.qpid.server.security.access.config.RulePredicate;
+import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
+import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.junit.Before;
import org.junit.Test;
import org.apache.qpid.test.utils.UnitTestBase;
+import javax.security.auth.Subject;
+
public class NetworkFirewallRuleTest extends UnitTestBase
{
private static final String LOCALHOST_IP = "127.0.0.1";
@@ -122,4 +136,58 @@ public class NetworkFirewallRuleTest extends UnitTestBase
rule.equals(new NetworkFirewallRule(LOCALHOST_IP,
OTHER_IP_2)));
}
+
+ @Test
+ public void testManagementConnectionPrincipals()
+ {
+ final ManagementConnectionPrincipal managementConnectionPrincipal =
mock(ManagementConnectionPrincipal.class);
+ when(managementConnectionPrincipal.getRemoteAddress())
+ .thenReturn(new InetSocketAddress("192.168.1.1", 8000));
+
+ final ManagementConnectionPrincipal
invalidManagementConnectionPrincipal =
mock(ManagementConnectionPrincipal.class);
+ when(invalidManagementConnectionPrincipal.getRemoteAddress())
+ .thenReturn(new InetSocketAddress("192.168.3.1", 8000));
+
+ final Subject subject = new Subject();
+ final FirewallRule rule1 = new NetworkFirewallRule("192.168.1.*");
+ final FirewallRule rule2 = new NetworkFirewallRule("192.168.2.*");
+
+ assertTrue(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+ assertTrue(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
+
assertTrue(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
assertTrue(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), subject));
+
+ final Subject anotherSubject = new Subject(false,
+ ImmutableSet.of(
+ new UsernamePrincipal("name",
mock(AuthenticationProvider.class)), managementConnectionPrincipal
+ ),
+ Collections.emptySet(),
+ Collections.emptySet());
+
+
assertTrue(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
assertTrue(RulePredicate.any().and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+ assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+ assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+
assertFalse(rule2.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
assertFalse(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), anotherSubject));
+
+ final Subject invalidSubject = new Subject(false,
+ ImmutableSet.of(
+ new UsernamePrincipal("name",
mock(AuthenticationProvider.class)), invalidManagementConnectionPrincipal
+ ),
+ Collections.emptySet(),
+ Collections.emptySet());
+
+
assertFalse(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
assertFalse(RulePredicate.any().and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
+ assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+ assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
+
assertFalse(rule2.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+
assertFalse(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new
ObjectProperties(), invalidSubject));
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
