This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
commit 935108a8fa093e71fee13385dc2a0c94348eeb5c Author: Alex Rudyy <oru...@apache.org> AuthorDate: Mon Nov 1 01:20:09 2021 +0000 QPID-8565: [Broker-J] Tidy-up ACL refactoring This closes #110 --- .../config/{predicates => }/AclRulePredicates.java | 14 ++--- .../{predicates => }/AclRulePredicatesBuilder.java | 13 +---- .../access/{firewall => config}/FirewallRule.java | 8 +-- .../qpid/server/security/access/config/Rule.java | 21 +++---- .../security/access/config/RuleCollector.java | 1 - .../security/access/config/RulePredicate.java | 66 ++++++++++++++++++++++ .../config/predicates/AbstractPredicate.java | 48 ---------------- .../config/predicates/{Some.java => AnyValue.java} | 27 ++------- .../access/config/predicates/AttributeNames.java | 21 ++----- .../security/access/config/predicates/Equal.java | 27 ++------- ...ulePredicate.java => RulePredicateBuilder.java} | 60 +++----------------- .../access/config/predicates/WildCard.java | 26 ++------- .../access/firewall/AbstractFirewallRuleImpl.java | 30 +--------- .../access/firewall/FirewallRuleFactory.java | 2 + .../access/firewall/HostnameFirewallRule.java | 15 ----- .../access/firewall/NetworkFirewallRule.java | 16 +----- .../security/access/config/AclFileParserTest.java | 12 ---- .../{predicates => }/AclRulePredicatesTest.java | 23 ++------ .../access/config/RuleBasedAccessControlTest.java | 2 - .../server/security/access/config/RuleSetTest.java | 1 - .../server/security/access/config/RuleTest.java | 1 - .../access/config/predicates/TestFirewallRule.java | 2 +- .../security/access/firewall/FirewallRuleTest.java | 27 ++++----- 23 files changed, 137 insertions(+), 326 deletions(-) diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicates.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java similarity index 88% rename from broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicates.java rename to broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java index fd304eb..3d4cad4 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicates.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.qpid.server.security.access.config.predicates; +package org.apache.qpid.server.security.access.config; import java.util.AbstractMap; import java.util.Collection; @@ -28,9 +28,7 @@ import java.util.stream.Collectors; import javax.security.auth.Subject; -import org.apache.qpid.server.security.access.config.LegacyOperation; -import org.apache.qpid.server.security.access.config.ObjectProperties; -import org.apache.qpid.server.security.access.config.Property; +import org.apache.qpid.server.security.access.config.predicates.RulePredicateBuilder; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; import com.google.common.base.Joiner; @@ -57,14 +55,14 @@ public final class AclRulePredicates extends AbstractMap<Property, Set<Object>> { super(); _properties = newProperties(builder); - _rulePredicate = RulePredicate.build(builder.getParsedProperties()); + _rulePredicate = RulePredicateBuilder.build(builder.getParsedProperties()); } AclRulePredicates(FirewallRuleFactory factory, AclRulePredicatesBuilder builder) { super(); _properties = newProperties(builder); - _rulePredicate = RulePredicate.build(factory, builder.getParsedProperties()); + _rulePredicate = RulePredicateBuilder.build(factory, builder.getParsedProperties()); } private Map<Property, Set<Object>> newProperties(AclRulePredicatesBuilder builder) @@ -104,9 +102,9 @@ public final class AclRulePredicates extends AbstractMap<Property, Set<Object>> } @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { - return _rulePredicate.test(operation, objectProperties, subject); + return _rulePredicate.matches(operation, objectProperties, subject); } @Override diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesBuilder.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicatesBuilder.java similarity index 92% rename from broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesBuilder.java rename to broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicatesBuilder.java index 89e1fdb..a05317f 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesBuilder.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicatesBuilder.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.qpid.server.security.access.config.predicates; +package org.apache.qpid.server.security.access.config; import java.util.Arrays; import java.util.Collections; @@ -27,7 +27,6 @@ import java.util.Map; import java.util.Objects; import java.util.Set; -import org.apache.qpid.server.security.access.config.Property; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; import org.slf4j.Logger; @@ -124,16 +123,6 @@ public final class AclRulePredicatesBuilder { _attributeNames.addAll(splitToSet(value)); } - else if (property == Property.CONNECTION_LIMIT) - { - LOGGER.warn("The ACL Rule property 'connection_limit' has been deprecated"); - return false; - } - else if (property == Property.CONNECTION_FREQUENCY_LIMIT) - { - LOGGER.warn("The ACL Rule property 'connection_frequency_limit' has been deprecated"); - return false; - } else { _parsedProperties.put(property, Collections.singleton(sanitiseValue(property, value))); diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java similarity index 72% rename from broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java rename to broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java index 602420c..60e1398 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java @@ -17,21 +17,17 @@ * under the License. */ -package org.apache.qpid.server.security.access.firewall; +package org.apache.qpid.server.security.access.config; import javax.security.auth.Subject; -import org.apache.qpid.server.security.access.config.LegacyOperation; -import org.apache.qpid.server.security.access.config.ObjectProperties; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; - @FunctionalInterface public interface FirewallRule extends RulePredicate { boolean matches(Subject subject); @Override - default boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + default boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { return matches(subject); } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java index 15f558f..1bf4213 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java @@ -25,9 +25,6 @@ import java.util.Objects; import javax.security.auth.Subject; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicates; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicatesBuilder; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; import org.apache.qpid.server.security.access.plugins.AclRule; import org.apache.qpid.server.security.access.plugins.RuleOutcome; @@ -104,7 +101,7 @@ public class Rule private boolean propertiesAttributesMatch(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { - return _rulePredicate.test(operation, objectProperties, subject); + return _rulePredicate.matches(operation, objectProperties, subject); } private boolean operationsMatch(LegacyOperation actionOperation) @@ -220,12 +217,12 @@ public class Rule private ObjectType _object = ObjectType.ALL; private RuleOutcome _outcome = RuleOutcome.DENY_LOG; - private final AclRulePredicatesBuilder _predicates; + private final AclRulePredicatesBuilder _aclRulePredicatesBuilder; public Builder() { super(); - _predicates = new AclRulePredicatesBuilder(); + _aclRulePredicatesBuilder = new AclRulePredicatesBuilder(); } public Builder withIdentity(String identity) @@ -254,13 +251,13 @@ public class Rule public Builder withPredicate(String key, String value) { - _predicates.parse(key, value); + _aclRulePredicatesBuilder.parse(key, value); return this; } public Builder withPredicate(Property key, String value) { - _predicates.put(key, value); + _aclRulePredicatesBuilder.put(key, value); return this; } @@ -274,11 +271,11 @@ public class Rule { for (final Map.Entry<Property, Object> entry : properties.getAll().entrySet()) { - _predicates.put(entry.getKey(), entry.getValue().toString()); + _aclRulePredicatesBuilder.put(entry.getKey(), entry.getValue().toString()); } for (final String name : properties.getAttributeNames()) { - _predicates.put(Property.ATTRIBUTES, name); + _aclRulePredicatesBuilder.put(Property.ATTRIBUTES, name); } return this; } @@ -286,13 +283,13 @@ public class Rule public Rule build() { validate(); - return new Rule(_identity, _operation, _object, _predicates.build(), _outcome); + return new Rule(_identity, _operation, _object, _aclRulePredicatesBuilder.build(), _outcome); } public Rule build(FirewallRuleFactory firewallRuleFactory) { validate(); - return new Rule(_identity, _operation, _object, _predicates.build(firewallRuleFactory), _outcome); + return new Rule(_identity, _operation, _object, _aclRulePredicatesBuilder.build(firewallRuleFactory), _outcome); } private void validate() diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleCollector.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleCollector.java index bbfdf7e..0981435 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleCollector.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleCollector.java @@ -28,7 +28,6 @@ import java.util.TreeMap; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicates; import org.slf4j.Logger; import org.slf4j.LoggerFactory; diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RulePredicate.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RulePredicate.java new file mode 100644 index 0000000..73792df --- /dev/null +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RulePredicate.java @@ -0,0 +1,66 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.qpid.server.security.access.config; + +import java.util.Objects; + +import javax.security.auth.Subject; + +@FunctionalInterface +public interface RulePredicate +{ + boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject); + + default RulePredicate and(RulePredicate other) + { + Objects.requireNonNull(other); + return (operation, objectProperties, subject) -> + RulePredicate.this.matches(operation, objectProperties, subject) + && other.matches(operation, objectProperties, subject); + } + + default RulePredicate or(RulePredicate other) { + Objects.requireNonNull(other); + return (operation, objectProperties, subject) -> + RulePredicate.this.matches(operation, objectProperties, subject) + || other.matches(operation, objectProperties, subject); + } + + static RulePredicate any() + { + return Any.INSTANCE; + } + + final class Any implements RulePredicate + { + public static final RulePredicate INSTANCE = new Any(); + + private Any() + { + super(); + } + + @Override + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + { + return true; + } + + } +} diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AbstractPredicate.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AbstractPredicate.java deleted file mode 100644 index 77b7763..0000000 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AbstractPredicate.java +++ /dev/null @@ -1,48 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.qpid.server.security.access.config.predicates; - -import java.util.Objects; - -abstract class AbstractPredicate implements RulePredicate -{ - final RulePredicate _previousPredicate; - - abstract RulePredicate copy(RulePredicate subPredicate); - - AbstractPredicate(RulePredicate previousPredicate) - { - _previousPredicate = Objects.requireNonNull(previousPredicate); - } - - AbstractPredicate() - { - this(RulePredicate.any()); - } - - @Override - public RulePredicate and(RulePredicate other) - { - if (other instanceof Any) - { - return this; - } - return copy(_previousPredicate.and(other)); - } -} diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Some.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AnyValue.java similarity index 64% rename from broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Some.java rename to broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AnyValue.java index 7202b4e..2b39e7d 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Some.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AnyValue.java @@ -25,42 +25,27 @@ import javax.security.auth.Subject; import org.apache.qpid.server.security.access.config.LegacyOperation; import org.apache.qpid.server.security.access.config.ObjectProperties; import org.apache.qpid.server.security.access.config.Property; +import org.apache.qpid.server.security.access.config.RulePredicate; -final class Some extends AbstractPredicate +final class AnyValue implements RulePredicate { private final Property _property; static RulePredicate newInstance(Property property) { - return new Some(property); + return new AnyValue(property); } - private Some(Property property) + private AnyValue(Property property) { super(); _property = Objects.requireNonNull(property); } - private Some(Property property, RulePredicate subPredicate) - { - super(subPredicate); - _property = Objects.requireNonNull(property); - } - - private Some(Some predicate, RulePredicate subPredicate) - { - this(predicate._property, subPredicate); - } - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { - return objectProperties.get(_property) != null && _previousPredicate.test(operation, objectProperties, subject); + return objectProperties.get(_property) != null; } - @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new Some(this, subPredicate); - } } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AttributeNames.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AttributeNames.java index 6882f64..a54d72a 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AttributeNames.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/AttributeNames.java @@ -25,12 +25,13 @@ import javax.security.auth.Subject; import org.apache.qpid.server.security.access.config.LegacyOperation; import org.apache.qpid.server.security.access.config.ObjectProperties; +import org.apache.qpid.server.security.access.config.RulePredicate; -final class AttributeNames extends AbstractPredicate +final class AttributeNames implements RulePredicate { private final Set<String> _attributeNames; - static RulePredicate newInstance(Set<String> attributeNames) + public static RulePredicate newInstance(Set<String> attributeNames) { return attributeNames.isEmpty() ? RulePredicate.any() : new AttributeNames(attributeNames); } @@ -41,23 +42,11 @@ final class AttributeNames extends AbstractPredicate _attributeNames = new HashSet<>(attributeNames); } - private AttributeNames(AttributeNames predicate, RulePredicate subPredicate) - { - super(subPredicate); - _attributeNames = predicate._attributeNames; - } - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { return (operation != LegacyOperation.UPDATE || - _attributeNames.containsAll(objectProperties.getAttributeNames())) && - _previousPredicate.test(operation, objectProperties, subject); + _attributeNames.containsAll(objectProperties.getAttributeNames())); } - @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new AttributeNames(this, subPredicate); - } } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Equal.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Equal.java index cd69063..5656e3e 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Equal.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/Equal.java @@ -25,14 +25,15 @@ import javax.security.auth.Subject; import org.apache.qpid.server.security.access.config.LegacyOperation; import org.apache.qpid.server.security.access.config.ObjectProperties; import org.apache.qpid.server.security.access.config.Property; +import org.apache.qpid.server.security.access.config.RulePredicate; -final class Equal extends AbstractPredicate +final class Equal implements RulePredicate { private final Object _value; private final Property _property; - static RulePredicate newInstance(Property property, Object value) + public static RulePredicate newInstance(Property property, Object value) { return value == null ? RulePredicate.any() : new Equal(property, value); } @@ -44,28 +45,10 @@ final class Equal extends AbstractPredicate _value = Objects.requireNonNull(value); } - private Equal(Property property, Object value, RulePredicate subPredicate) - { - super(subPredicate); - _property = Objects.requireNonNull(property); - _value = Objects.requireNonNull(value); - } - - private Equal(Equal predicate, RulePredicate subPredicate) - { - this(predicate._property, predicate._value, subPredicate); - } - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { - return _value.equals(objectProperties.get(_property)) && - _previousPredicate.test(operation, objectProperties, subject); + return _value.equals(objectProperties.get(_property)); } - @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new Equal(this, subPredicate); - } } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicate.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicateBuilder.java similarity index 66% rename from broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicate.java rename to broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicateBuilder.java index 7caca59..6f95ca8 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicate.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/RulePredicateBuilder.java @@ -19,66 +19,27 @@ package org.apache.qpid.server.security.access.config.predicates; import java.util.Map; -import java.util.Objects; import java.util.Set; import java.util.stream.Collectors; -import javax.security.auth.Subject; - -import org.apache.qpid.server.security.access.config.LegacyOperation; -import org.apache.qpid.server.security.access.config.ObjectProperties; +import org.apache.qpid.server.security.access.config.AclRulePredicatesBuilder; +import org.apache.qpid.server.security.access.config.RulePredicate; import org.apache.qpid.server.security.access.config.Property; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; -@FunctionalInterface -public interface RulePredicate +public final class RulePredicateBuilder { - boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject); - - default RulePredicate and(RulePredicate other) - { - if (Objects.requireNonNull(other) instanceof Any) - { - return this; - } - return (operation, objectProperties, subject) -> - RulePredicate.this.test(operation, objectProperties, subject) - && other.test(operation, objectProperties, subject); - } - - static RulePredicate any() - { - return Any.INSTANCE; - } - - final class Any implements RulePredicate + private RulePredicateBuilder() { - public static final RulePredicate INSTANCE = new Any(); - - private Any() - { - super(); - } - - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) - { - return true; - } - - @Override - public RulePredicate and(RulePredicate other) - { - return Objects.requireNonNull(other); - } + super(); } - static RulePredicate build(Map<Property, Set<?>> properties) + public static RulePredicate build(Map<Property, Set<?>> properties) { return build(new FirewallRuleFactory(), properties); } - static RulePredicate build(FirewallRuleFactory firewallRuleFactory, Map<Property, Set<?>> properties) + public static RulePredicate build(FirewallRuleFactory firewallRuleFactory, Map<Property, Set<?>> properties) { RulePredicate predicate = RulePredicate.any(); for (final Map.Entry<Property, Set<?>> entry : properties.entrySet()) @@ -88,7 +49,7 @@ public interface RulePredicate return predicate; } - static RulePredicate build(FirewallRuleFactory firewallRuleFactory, Property property, Set<?> values) + public static RulePredicate build(FirewallRuleFactory firewallRuleFactory, Property property, Set<?> values) { RulePredicate predicate = RulePredicate.any(); switch (property) @@ -111,9 +72,6 @@ public interface RulePredicate predicate = AttributeNames.newInstance( values.stream().map(Object::toString).collect(Collectors.toSet())); break; - case CONNECTION_LIMIT: - case CONNECTION_FREQUENCY_LIMIT: - break; default: for (final Object value : values) { @@ -122,7 +80,7 @@ public interface RulePredicate final String str = (String) value; if (AclRulePredicatesBuilder.WILD_CARD.equals(str)) { - predicate = predicate.and(Some.newInstance(property)); + predicate = predicate.and(AnyValue.newInstance(property)); } else if (str.endsWith(AclRulePredicatesBuilder.WILD_CARD)) { diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/WildCard.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/WildCard.java index f3879d6..aa6dd1f 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/WildCard.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/predicates/WildCard.java @@ -25,8 +25,9 @@ import javax.security.auth.Subject; import org.apache.qpid.server.security.access.config.LegacyOperation; import org.apache.qpid.server.security.access.config.ObjectProperties; import org.apache.qpid.server.security.access.config.Property; +import org.apache.qpid.server.security.access.config.RulePredicate; -final class WildCard extends AbstractPredicate +final class WildCard implements RulePredicate { private final String _prefix; @@ -44,30 +45,11 @@ final class WildCard extends AbstractPredicate _prefix = Objects.requireNonNull(prefix); } - private WildCard(Property property, String prefix, RulePredicate subPredicate) - { - super(subPredicate); - _property = Objects.requireNonNull(property); - _prefix = Objects.requireNonNull(prefix); - } - - private WildCard(WildCard predicate, RulePredicate subPredicate) - { - this(predicate._property, predicate._prefix, subPredicate); - } - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) + public boolean matches(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) { final Object value = objectProperties.get(_property); - return (value instanceof String) && - ((String) value).startsWith(_prefix) && - _previousPredicate.test(operation, objectProperties, subject); + return (value instanceof String) && ((String) value).startsWith(_prefix); } - @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new WildCard(this, subPredicate); - } } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java index 9792b10..e335b2f 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AbstractFirewallRuleImpl.java @@ -21,34 +21,17 @@ package org.apache.qpid.server.security.access.firewall; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.SocketAddress; -import java.util.Objects; import javax.security.auth.Subject; import org.apache.qpid.server.connection.ConnectionPrincipal; -import org.apache.qpid.server.security.access.config.LegacyOperation; -import org.apache.qpid.server.security.access.config.ObjectProperties; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; +import org.apache.qpid.server.security.access.config.FirewallRule; abstract class AbstractFirewallRuleImpl implements FirewallRule { - private final RulePredicate _previousPredicate; - AbstractFirewallRuleImpl() { super(); - _previousPredicate = RulePredicate.any(); - } - - AbstractFirewallRuleImpl(RulePredicate previousPredicate) - { - _previousPredicate = Objects.requireNonNull(previousPredicate); - } - - @Override - public boolean test(LegacyOperation operation, ObjectProperties objectProperties, Subject subject) - { - return matches(subject) && _previousPredicate.test(operation, objectProperties, subject); } @Override @@ -65,17 +48,6 @@ abstract class AbstractFirewallRuleImpl implements FirewallRule return true; } - @Override - public RulePredicate and(RulePredicate other) - { - if (other instanceof Any) - { - return this; - } - return copy(_previousPredicate.and(other)); - } - abstract boolean matches(InetAddress addressOfClient); - abstract RulePredicate copy(RulePredicate subPredicate); } diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java index dcb3273..d0f632a 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java @@ -20,6 +20,8 @@ package org.apache.qpid.server.security.access.firewall; import java.util.Collection; +import org.apache.qpid.server.security.access.config.FirewallRule; + public class FirewallRuleFactory { public FirewallRule createForHostname(Collection<String> hostnames) diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java index 38397bd..d382829 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java @@ -36,8 +36,6 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeoutException; import java.util.regex.Pattern; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; - public class HostnameFirewallRule extends AbstractFirewallRuleImpl { private static final Logger LOGGER = LoggerFactory.getLogger(HostnameFirewallRule.class); @@ -67,13 +65,6 @@ public class HostnameFirewallRule extends AbstractFirewallRuleImpl LOGGER.debug("Created {}", this); } - private HostnameFirewallRule(HostnameFirewallRule rule, RulePredicate subPredicate) - { - super(subPredicate); - _hostnames = rule._hostnames; - _hostnamePatterns = rule._hostnamePatterns; - } - @Override boolean matches(InetAddress remote) { @@ -94,12 +85,6 @@ public class HostnameFirewallRule extends AbstractFirewallRuleImpl return false; } - @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new HostnameFirewallRule(this, subPredicate); - } - /** * @param remote the InetAddress to look up * @return the hostname, null if not found, takes longer than diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java index 9ac26c1..118c5ac 100644 --- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java +++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java @@ -25,8 +25,6 @@ import java.util.Collection; import java.util.HashSet; import java.util.Set; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; - import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,7 +32,7 @@ public class NetworkFirewallRule extends AbstractFirewallRuleImpl { private static final Logger LOGGER = LoggerFactory.getLogger(NetworkFirewallRule.class); - private Set<InetNetwork> _networks = new HashSet<>(); + private final Set<InetNetwork> _networks = new HashSet<>(); public NetworkFirewallRule(String... networks) { @@ -58,12 +56,6 @@ public class NetworkFirewallRule extends AbstractFirewallRuleImpl LOGGER.debug("Created {}", this); } - private NetworkFirewallRule(NetworkFirewallRule rule, RulePredicate subPredicate) - { - super(subPredicate); - _networks = rule._networks; - } - @Override boolean matches(InetAddress ip) { @@ -80,12 +72,6 @@ public class NetworkFirewallRule extends AbstractFirewallRuleImpl } @Override - RulePredicate copy(RulePredicate subPredicate) - { - return new NetworkFirewallRule(this, subPredicate); - } - - @Override public boolean equals(final Object o) { if (this == o) diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java index 9d786f3..247e569 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclFileParserTest.java @@ -38,8 +38,6 @@ import org.mockito.Mockito; import org.apache.qpid.server.configuration.IllegalConfigurationException; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicates; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicatesBuilder; import org.apache.qpid.test.utils.UnitTestBase; public class AclFileParserTest extends UnitTestBase @@ -642,16 +640,6 @@ public class AclFileParserTest extends UnitTestBase } @Test - public void testDynamicRuleParsing() throws Exception - { - validateRule(writeACLConfig("ACL ALLOW all ACCESS VIRTUALHOST connection_limit=10 connection_frequency_limit=12"), - Rule.ALL, - LegacyOperation.ACCESS, - ObjectType.VIRTUALHOST, - EMPTY); - } - - @Test public void testBrokerRuleParsing() throws Exception { validateRule(writeACLConfig("ACL ALLOW user1 CONFIGURE BROKER"), diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java similarity index 94% rename from broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesTest.java rename to broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java index 2880b6d..91343fe 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/AclRulePredicatesTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java @@ -16,15 +16,18 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.qpid.server.security.access.config.predicates; +package org.apache.qpid.server.security.access.config; import java.util.Collection; import java.util.Collections; import java.util.Map; import java.util.Set; +import org.apache.qpid.server.security.access.config.AclRulePredicates; +import org.apache.qpid.server.security.access.config.AclRulePredicatesBuilder; import org.apache.qpid.server.security.access.config.Property; -import org.apache.qpid.server.security.access.firewall.FirewallRule; +import org.apache.qpid.server.security.access.config.FirewallRule; +import org.apache.qpid.server.security.access.config.predicates.TestFirewallRule; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; import org.apache.qpid.test.utils.UnitTestBase; @@ -36,8 +39,6 @@ import org.mockito.internal.util.collections.Sets; import static org.apache.qpid.server.security.access.config.Property.ATTRIBUTES; import static org.apache.qpid.server.security.access.config.Property.CLASS; -import static org.apache.qpid.server.security.access.config.Property.CONNECTION_FREQUENCY_LIMIT; -import static org.apache.qpid.server.security.access.config.Property.CONNECTION_LIMIT; import static org.apache.qpid.server.security.access.config.Property.DURABLE; import static org.apache.qpid.server.security.access.config.Property.FROM_HOSTNAME; import static org.apache.qpid.server.security.access.config.Property.FROM_NETWORK; @@ -104,20 +105,6 @@ public class AclRulePredicatesTest extends UnitTestBase } @Test - public void testParseConnectionLimitRule() - { - final String limit = "20"; - _builder.parse(CONNECTION_LIMIT.name(), limit).build(_firewallRuleFactory); - } - - @Test - public void testParseConnectionFrequencyLimitRule() - { - final String limit = "20"; - _builder.parse(CONNECTION_FREQUENCY_LIMIT.name(), limit).build(_firewallRuleFactory); - } - - @Test public void testParseThrowsExceptionIfBothHostnameAndNetworkSpecified() { _builder.parse(FROM_NETWORK.name(), "network1,network2"); diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java index eb9e86c..8b6702f 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleBasedAccessControlTest.java @@ -33,8 +33,6 @@ import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.logging.UnitTestMessageLogger; import org.apache.qpid.server.model.BrokerModel; import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicates; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicatesBuilder; import org.apache.qpid.server.security.access.plugins.RuleOutcome; import org.apache.qpid.server.security.auth.TestPrincipalUtils; import org.apache.qpid.server.transport.AMQPConnection; diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java index e2eb404..af2f643 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleSetTest.java @@ -35,7 +35,6 @@ import org.junit.Test; import org.apache.qpid.server.logging.EventLoggerProvider; import org.apache.qpid.server.security.Result; import org.apache.qpid.server.security.access.config.Rule.Builder; -import org.apache.qpid.server.security.access.config.predicates.AclRulePredicatesBuilder; import org.apache.qpid.server.security.access.plugins.RuleOutcome; import org.apache.qpid.server.security.auth.TestPrincipalUtils; import org.apache.qpid.test.utils.UnitTestBase; diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java index 546f275..f04d3ba 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java @@ -24,7 +24,6 @@ import java.util.Map; import javax.security.auth.Subject; -import org.apache.qpid.server.security.access.firewall.FirewallRule; import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory; import org.apache.qpid.server.security.access.plugins.RuleOutcome; import org.apache.qpid.server.security.auth.TestPrincipalUtils; diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/TestFirewallRule.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/TestFirewallRule.java index dfb6139..b04c8e5 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/TestFirewallRule.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/predicates/TestFirewallRule.java @@ -20,7 +20,7 @@ package org.apache.qpid.server.security.access.config.predicates; import javax.security.auth.Subject; -import org.apache.qpid.server.security.access.firewall.FirewallRule; +import org.apache.qpid.server.security.access.config.FirewallRule; public class TestFirewallRule implements FirewallRule { diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/FirewallRuleTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/FirewallRuleTest.java index b2ecce4..793839e 100644 --- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/FirewallRuleTest.java +++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/FirewallRuleTest.java @@ -23,9 +23,10 @@ import java.util.Collections; import javax.security.auth.Subject; import org.apache.qpid.server.model.AuthenticationProvider; +import org.apache.qpid.server.security.access.config.FirewallRule; import org.apache.qpid.server.security.access.config.LegacyOperation; import org.apache.qpid.server.security.access.config.ObjectProperties; -import org.apache.qpid.server.security.access.config.predicates.RulePredicate; +import org.apache.qpid.server.security.access.config.RulePredicate; import org.apache.qpid.server.security.auth.UsernamePrincipal; import org.apache.qpid.test.utils.UnitTestBase; @@ -44,21 +45,21 @@ public class FirewallRuleTest extends UnitTestBase final FirewallRule rule1 = s -> s.equals(subject); final FirewallRule rule2 = s -> s.equals(subject); - assertTrue(rule1.and(rule2).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertTrue(rule2.and(rule1).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertTrue(rule1.and(rule2).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertTrue(rule2.and(rule1).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertTrue(rule1.and(RulePredicate.any()).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertTrue(RulePredicate.any().and(rule2).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertTrue(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertTrue(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); final Subject anotherSubject = new Subject(false, Collections.singleton(new UsernamePrincipal("name", Mockito.mock(AuthenticationProvider.class))), Collections.emptySet(), Collections.emptySet()); - assertFalse(rule1.and(rule2).test(LegacyOperation.ACCESS, new ObjectProperties(),anotherSubject)); - assertFalse(rule2.and(rule1).test(LegacyOperation.ACCESS, new ObjectProperties(),anotherSubject)); + assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); + assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); - assertFalse(rule1.and(RulePredicate.any()).test(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); - assertFalse(RulePredicate.any().and(rule1).test(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); + assertFalse(rule1.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); + assertFalse(RulePredicate.any().and(rule1).matches(LegacyOperation.ACCESS, new ObjectProperties(), anotherSubject)); } @Test @@ -68,11 +69,11 @@ public class FirewallRuleTest extends UnitTestBase final FirewallRule rule1 = s -> s.equals(subject); final FirewallRule rule2 = s -> !s.equals(subject); - assertFalse(rule1.and(rule2).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertFalse(rule2.and(rule1).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertFalse(rule1.and(rule2).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertFalse(rule2.and(rule1).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertFalse(RulePredicate.any().and(rule2).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); - assertFalse(rule2.and(RulePredicate.any()).test(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertFalse(RulePredicate.any().and(rule2).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); + assertFalse(rule2.and(RulePredicate.any()).matches(LegacyOperation.ACCESS, new ObjectProperties(), subject)); } } --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org