[
https://issues.apache.org/jira/browse/ARTEMIS-4405?focusedWorklogId=878883&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-878883
]
ASF GitHub Bot logged work on ARTEMIS-4405:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 29/Aug/23 13:46
Start Date: 29/Aug/23 13:46
Worklog Time Spent: 10m
Work Description: gemmellr commented on code in PR #4594:
URL: https://github.com/apache/activemq-artemis/pull/4594#discussion_r1308844872
##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/stomp/StompAuditLoggingTest.java:
##########
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.stomp;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.activemq.artemis.core.protocol.stomp.Stomp;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.logs.AssertionLoggerHandler;
+import org.apache.activemq.artemis.logs.AssertionLoggerHandler.LogLevel;
+import org.apache.activemq.artemis.logs.AuditLogger;
+import
org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import
org.apache.activemq.artemis.tests.integration.stomp.util.ClientStompFrame;
+import
org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnection;
+import
org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnectionFactory;
+import org.apache.activemq.artemis.tests.util.RandomUtil;
+import org.apache.activemq.artemis.tests.util.Wait;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class StompAuditLoggingTest extends StompTestBase {
+
+ private static final String BASE_AUDIT_LOGGER_NAME =
AuditLogger.BASE_LOGGER.getLogger().getName();
+ private static LogLevel previousLevel = null;
+ private static AssertionLoggerHandler loggerHandler;
+ protected StompClientConnection conn;
+ private final String user = "nopriv";
+ private final String pass = user;
+ private final String role = "nopriv";
+
+ @Override
+ public boolean isSecurityEnabled() {
+ return true;
+ }
+
+ @Override
+ protected ActiveMQServer createServer() throws Exception {
+ server = super.createServer();
+
+ ActiveMQJAASSecurityManager securityManager =
(ActiveMQJAASSecurityManager) server.getSecurityManager();
+
+ securityManager.getConfiguration().addUser(user, pass);
+ securityManager.getConfiguration().addRole(user, role);
+ server.getConfiguration().getSecurityRoles().put("#", new
HashSet<>(Set.of(new Role(role, false, false, false, false, false, false,
false, false, false, false))));
+
+ return server;
+ }
+
+ @Override
+ @Before
+ public void setUp() throws Exception {
+ super.setUp();
+ conn = StompClientConnectionFactory.createClientConnection(uri);
+ }
+
+ @BeforeClass
+ public static void prepareLogger() {
+ previousLevel = AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME,
LogLevel.INFO);
+ loggerHandler = new AssertionLoggerHandler();
+ }
+
+ @AfterClass
+ public static void clearLogger() throws Exception {
+ try {
+ loggerHandler.close();
+ } finally {
+ AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME,
previousLevel);
+ }
+ }
+
+ @Test
+ public void testConcurrentLogging() throws Exception {
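Review bot: In `createServer()`, the `Role` registered for the `#` match is built with ten positional `false` arguments, so a reader cannot tell which permission each flag covers, or confirm that none was missed if the constructor signature changes. The user and role are both named `nopriv`, so the intent appears to be that every permission is denied. A one-line comment above the `getSecurityRoles().put("#", ...)` call saying so would make the precondition of the test explicit.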
Review Comment:
Not really clear from the test which bit is concurrent / with what, i.e. what
is the interesting bit of what the test is actually doing? Perhaps add a
comment?
Issue Time Tracking
-------------------
Worklog Id: (was: 878883)
Time Spent: 20m (was: 10m)
> Incorrect username logging in AMQ601264 events
> ----------------------------------------------
>
> Key: ARTEMIS-4405
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4405
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.30.0
> Reporter: Aleksandr Milovidov
> Assignee: Justin Bertram
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> We have ActiveMQ Artemis with audit logging turned on, and sometimes the wrong
> username is logged when a user gets an authorization error (audit log event
> AMQ601264). I have reproduced this issue when a client uses STOMP to connect to
> the broker. In that case the client username is always logged as anonymous, and
> the source IP address seems to be correct.
> We have a lot of other audit log messages where different usernames are
> logged in a single log event, but I cannot attach these logs because they
> contain sensitive information. I think this problem is not specific to STOMP
> clients because most of our clients use core and openwire. I will try to
> reproduce it later.
> The problem is not specific to the current version of Artemis.
> Steps to reproduce (for STOMP client):
> 1. Create Artemis instance
> {{artemis create --user admin --password admin --require-login }}
> Edit {{artemis-roles.properties}} and {{artemis-users.properties}} to create
> some other user with a password and a non-admin role. For example, add the string
> {{alice = alice}} to both files.
> Edit log4j2.properties to enable base audit logging:
> {code:java}
> logger.audit_base = INFO, audit_log_file{code}
> To connect to the broker with STOMP I have used Python with the Stompest library
> (it has to be installed using pip install stompest).
> Example STOMP producer Python code (it does not handle authorization errors):
>
> {code:java}
> from stompest.config import StompConfig
> from stompest.protocol import StompSpec
> from stompest.sync import Stomp
> CONFIG = StompConfig("tcp://localhost:61613", login="alice",
> passcode="alice", version=StompSpec.VERSION_1_0)
> QUEUE = 'test.queue'
> client = Stomp(CONFIG)
> client.connect()
> client.send(QUEUE, 'Test message'.encode())
> client.disconnect()
> {code}
> Run this example code. Check broker audit.log. For example:
>
> {code:java}
> 2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267:
> User alice(alice)@127.0.0.1:56685 is creating a core session on target
> resource ActiveMQServerImpl::name=0.0.0.0 with parameters:
> [ac22db0e-45b0-11ee-b333-005056abe8b9, alice, ****, 102400,
> org.apache.activemq.artemis.core.protocol.stomp.StompConnection@3313e538,
> true, false, false, false, null,
> org.apache.activemq.artemis.core.protocol.stomp.StompSession@2fc820ee, true,
> {}]
> 2023-08-28 17:39:20,081 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601262:
> User alice(alice)@127.0.0.1:56685 is creating address on target resource:
> ac22db0e-45b0-11ee-b333-005056abe8b9 with parameters: [Address
> [name=test.queue, id=0, routingTypes={MULTICAST}, autoCreated=false,
> paused=false, bindingRemovedTimestamp=-1, swept=false,
> createdTimestamp=1693233560081], true]
> 2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264:
> User anonymous@127.0.0.1:56685 gets security check failure, reason =
> AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address
> test.queue
> org.apache.activemq.artemis.api.core.ActiveMQSecurityException: AMQ229032:
> User: alice does not have permission='CREATE_ADDRESS' on address test.queue
> at
> org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:305)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.check(SecurityStoreImpl.java:227)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.securityCheck(ServerSessionImpl.java:503)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:972)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.server.impl.ServerSessionImpl.createAddress(ServerSessionImpl.java:962)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.StompConnection.autoCreateDestinationIfPossible(StompConnection.java:184)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.onSend(VersionedStompFrameHandler.java:188)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.VersionedStompFrameHandler.handleFrame(VersionedStompFrameHandler.java:87)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.StompConnection.handleFrame(StompConnection.java:424)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.StompProtocolManager.handleBuffer(StompProtocolManager.java:162)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.protocol.stomp.StompConnection.bufferReceived(StompConnection.java:307)
> [artemis-stomp-protocol-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:698)
> [artemis-server-2.30.0.jar:2.30.0]
> at
> org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> [artemis-core-client-2.30.0.jar:2.30.0]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
> [netty-transport-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
> [netty-common-4.1.94.Final.jar:4.1.94.Final]
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> [netty-common-4.1.94.Final.jar:4.1.94.Final]
> at
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> [artemis-commons-2.30.0.jar:?]{code}
>
>
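A log-triage check for the symptom described in the report, as an added example that is not part of the original issue or the Artemis code base: it flags AMQ601264 events whose logged caller differs from the user named in the AMQ229032 reason, and looks up the user that created the session (AMQ601267) from the same remote address. The sample lines are constructed from the excerpt's format, and the function and field names are assumptions.

```python
import re

# Constructed sample modelled on the audit.log excerpt in the report
# (one event per line, session parameters shortened; the bob lines are invented).
SAMPLE_LOG = """\
2023-08-28 17:39:20,042 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601267: User alice(alice)@127.0.0.1:56685 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [...]
2023-08-28 17:39:20,116 [AUDIT](Thread-1 (activemq-netty-threads)) AMQ601264: User anonymous@127.0.0.1:56685 gets security check failure, reason = AMQ229032: User: alice does not have permission='CREATE_ADDRESS' on address test.queue
2023-08-28 17:41:02,310 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601267: User bob(users)@127.0.0.1:56700 is creating a core session on target resource ActiveMQServerImpl::name=0.0.0.0 with parameters: [...]
2023-08-28 17:41:02,355 [AUDIT](Thread-2 (activemq-netty-threads)) AMQ601264: User bob(users)@127.0.0.1:56700 gets security check failure, reason = AMQ229032: User: bob does not have permission='SEND' on address test.queue
"""

# timestamp, event code, caller ("user(roles)" or bare "anonymous"), remote address
EVENT = re.compile(r"^(?P<ts>\S+ \S+) \[AUDIT\].*? (?P<code>AMQ\d+): "
                   r"User (?P<caller>[^@\s]+)@(?P<addr>\S+) (?P<rest>.*)$")
REASON = re.compile(r"AMQ229032: User: (?P<denied>\S+) does not have "
                    r"permission='(?P<perm>\w+)'")


def find_misattributed(log_text):
    """Return AMQ601264 events whose caller is not the user in the reason."""
    session_user = {}  # remote address -> user seen at session creation
    findings = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # stack-trace lines and anything that is not an event
        caller = m["caller"].split("(", 1)[0]  # drop the "(roles)" suffix
        if m["code"] == "AMQ601267":
            session_user[m["addr"]] = caller
        elif m["code"] == "AMQ601264":
            reason = REASON.search(m["rest"])
            if reason and reason["denied"] != caller:
                findings.append({
                    "timestamp": m["ts"],
                    "remote_address": m["addr"],
                    "logged_as": caller,
                    "denied_user": reason["denied"],
                    "permission": reason["perm"],
                    "session_user": session_user.get(m["addr"]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_misattributed(SAMPLE_LOG):
        print(finding)
```
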