[ https://issues.apache.org/jira/browse/ARTEMIS-2431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17683358#comment-17683358 ]

ASF subversion and git services commented on ARTEMIS-2431:
----------------------------------------------------------

Commit d1b3610f687f25531476eed5726f956c913e3851 in activemq-artemis's branch 
refs/heads/main from Timothy Bish
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=d1b3610f68 ]

ARTEMIS-2431 Stop processing Begin and Attach frames if open fails

For pipelined open cases the events processing should ignore additional begin
and attach events if the open event handler closes the connection to avoid the
processing throwing additional exceptions and replacing the error condition in
the connection with an unrelated error about NPE from the additional events.


> [AMQP] Broker does not send security errors for unauthorized anonymous sasl 
> with pipelined open
> -----------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-2431
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2431
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 2.9.0
>            Reporter: Jiri Daněk
>            Assignee: Timothy A. Bish
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> If a client sends open, begin and attach frames all at once, then the issue 
> ARTEMIS-2344 still manifests itself. Sending the initial frames all at once 
> is known as the pipelined open, 
> http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520
>  and one client that does this is qpid-proton-cpp.
> {noformat}
> $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples" --log-msgs dict -c 1
> [0x9ea9d0]:  -> SASL
> [0x9ea9d0]:  <- SASL
> [0x9ea9d0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS, initial-response=b"anonymous@nixos"]
> [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
> [0x9ea9d0]:  -> AMQP
> [0x9ea9d0]:0 -> @open(16) [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost", channel-max=32767]
> [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="examples", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
> [0x9ea9d0]:  <- AMQP
> [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072, channel-max=65535, idle-time-out=30000, offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container", :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"], properties={:product="apache-activemq-artemis", :version="2.9.0"}]
> [0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
> [0x9ea9d0]:  <- EOS
> [error]: Failed to connect to localhost:34949
> [0x9ea9d0]:0 -> @close(24) []
> [0x9ea9d0]:  -> EOS
> {noformat}
> The broker side then looks like this
> {noformat}
> DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
> DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
> DEBUG - -Dio.netty.recycler.linkCapacity: 16
> DEBUG - -Dio.netty.recycler.ratio: 8
> DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
> INFO - AMQ601267: User anonymous is creating a core session on target resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288 [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee, true, OperationContextImpl [834445691] [minimalStore=9223372036854775807, storeLineUp=0, stored=0, minimalReplicated=9223372036854775807, replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807, pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0, executor=OrderedExecutor(tasks=[])], {}]]
> DEBUG - Couldn't validate user
> javax.security.auth.login.LoginException: Invalid null input: name
>       at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
>       at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
>       at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
>       at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
>       at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> DEBUG - Message CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860 is not going anywhere as it didn't have a binding on address:activemq.notifications
> WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable]
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
>       at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> WARN - null
> java.lang.NullPointerException
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
>       at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
>       at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
> {noformat}
> The NullPointerException happens when the broker is acting on the Attach 
> frame. This is wrong, because at this point we know the client has not 
> authenticated, and any subsequent communication should be ignored.
> Furthermore, the broker authenticates the client on the initial SASL 
> exchange, and only throws the auth error on processing the Begin frame. Is 
> that correct? Shouldn't the broker fail the initial sasl exchange? (Assuming 
> broker configured as in test 
> org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions).
>  And should the broker advertise SASL ANONYMOUS?
> Failing test for this is attached in a PR.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
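
The failure mode described in the commit message, as an added example that is not code from Artemis or from this commit: a simplified event loop that handles a pipelined open with and without a stop-after-close guard. The class, the `process` method, the `stopAfterClose` flag and the use of `amqp:unauthorized-access` as the security condition are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
// Simplified model of a broker-side event loop; constructed for illustration.
public class PipelinedOpenDemo {
    enum Frame { OPEN, BEGIN, ATTACH }
    static class Connection {
        boolean closed;
        String errorCondition;                    // what the peer sees in @close
        Object session;                           // stays null when OPEN is rejected
        final List<Frame> handled = new ArrayList<>();

        void close(String condition) {
            closed = true;
            errorCondition = condition;           // last writer wins
        }
    }

    // Handles all frames that arrived in one read, i.e. a pipelined open.
    static Connection process(List<Frame> frames, boolean authorized, boolean stopAfterClose) {
        Connection c = new Connection();
        for (Frame f : frames) {
            if (stopAfterClose && c.closed) {
                break;                            // guard: ignore BEGIN/ATTACH after a failed OPEN
            }
            c.handled.add(f);
            try {
                if (f == Frame.OPEN) {
                    if (authorized) {
                        c.session = new Object();
                    } else {
                        c.close("amqp:unauthorized-access");   // assumed security condition
                    }
                } else if (f == Frame.ATTACH) {
                    c.session.hashCode();         // needs session state; NPE if OPEN failed
                }
            } catch (RuntimeException e) {
                c.close("amqp:internal-error");   // overwrites the security error
            }
        }
        return c;
    }

    public static void main(String[] args) {
        List<Frame> pipelined = List.of(Frame.OPEN, Frame.BEGIN, Frame.ATTACH);
        for (boolean guard : new boolean[] {false, true}) {
            Connection c = process(pipelined, false, guard);
            System.out.println("guard=" + guard + " error=" + c.errorCondition + " handled=" + c.handled);
        }
    }
}
```

Without the guard the peer is told `amqp:internal-error` after all three frames were acted on; with it only the open is handled and the original error condition survives.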
