[
https://issues.apache.org/jira/browse/ARTEMIS-2431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Timothy A. Bish reassigned ARTEMIS-2431:
----------------------------------------
Assignee: Timothy A. Bish
> [AMQP] Broker does not send security errors for unauthorized anonymous sasl
> with pipelined open
> -----------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-2431
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2431
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 2.9.0
> Reporter: Jiri Daněk
> Assignee: Timothy A. Bish
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If a client sends open, begin and attach frames all at once, then the issue
> ARTEMIS-2344 still manifests itself. Sending the initial frames all at once
> is known as the pipelined open,
> http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520
> and one client that does this is qpid-proton-cpp.
> {noformat}
> $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples"
> --log-msgs dict -c 1
> [0x9ea9d0]: -> SASL
> [0x9ea9d0]: <- SASL
> [0x9ea9d0]:0 <- @sasl-mechanisms(64)
> [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS,
> initial-response=b"anonymous@nixos"]
> [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
> [0x9ea9d0]: -> AMQP
> [0x9ea9d0]:0 -> @open(16)
> [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost",
> channel-max=32767]
> [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647,
> outgoing-window=2147483647]
> [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21",
> handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0,
> source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41)
> [address="examples", durable=0, timeout=0, dynamic=false],
> initial-delivery-count=0, max-message-size=0]
> [0x9ea9d0]: <- AMQP
> [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072,
> channel-max=65535, idle-time-out=30000,
> offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container",
> :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"],
> properties={:product="apache-activemq-artemis", :version="2.9.0"}]
> [0x9ea9d0]:0 <- @close(24) [error=@error(29)
> [condition=:"amqp:internal-error", description="Unrecoverable error:
> NullPointerException"]]
> [0x9ea9d0]: <- EOS
> [error]: Failed to connect to localhost:34949
> [0x9ea9d0]:0 -> @close(24) []
> [0x9ea9d0]: -> EOS
> {noformat}
> The broker side then looks like this
> {noformat}
> DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
> DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
> DEBUG - -Dio.netty.recycler.linkCapacity: 16
> DEBUG - -Dio.netty.recycler.ratio: 8
> DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP,
> done=false, role=SERVER]
> DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP,
> done=false, role=SERVER]
> DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
> INFO - AMQ601267: User anonymous is creating a core session on target
> resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288
> [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400,
> org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b,
> false, false, false, true, null,
> org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee,
> true, OperationContextImpl [834445691] [minimalStore=9223372036854775807,
> storeLineUp=0, stored=0, minimalReplicated=9223372036854775807,
> replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807,
> pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0,
> executor=OrderedExecutor(tasks=[])], {}]]
> DEBUG - Couldn't validate user
> javax.security.auth.login.LoginException: Invalid null input: name
> at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
> at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
> at
> org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
> at
> org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
> at
> org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
> at
> org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
> at
> org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> at
> org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> at
> org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> at
> org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> at
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> at
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> at
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> at
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - Couldn't find any bindings for address=activemq.notifications on
> message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0,
> timestamp=0,expiration=0, durable=true,
> address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> DEBUG - Message
> CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0,
> timestamp=0,expiration=0, durable=true,
> address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> is not going anywhere as it didn't have a binding on
> address:activemq.notifications
> WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to
> validate user from /127.0.0.1:42740. Username: null; SSL certificate subject
> DN: unavailable
> WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username:
> null; SSL certificate subject DN: unavailable
> ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031:
> Unable to validate user from /127.0.0.1:42740. Username: null; SSL
> certificate subject DN: unavailable]
> at
> org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
> at
> org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
> at
> org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> at
> org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> at
> org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> at
> org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> at
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> at
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> at
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> at
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> WARN - null
> java.lang.NullPointerException
> at
> org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> at
> org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> at
> org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> at
> org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> at
> org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> at
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> at
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> at
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> at
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> at
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> at
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
> {noformat}
> The NullPointerException happens when the broker is acting on the Attach
> frame. This is wrong, because at this point we know the client has not
> authenticated, and any subsequent communication should be ignored.
> Furthermore, the broker authenticates the client on the initial SASL
> exchange, and only throws the auth error on processing the Begin frame. Is
> that correct? Shouldn't the broker fail the initial sasl exchange? (Assuming
> broker configured as in test
> org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions).
> And should the broker advertise SASL ANONYMOUS?
> Failing test for this is attached in a PR.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
