This is an automated email from the ASF dual-hosted git repository.

jamesnetherton pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-quarkus.git


The following commit(s) were added to refs/heads/main by this push:
     new 318f9eb615 Enable Jolokia Camel restrictor allowed MBean domains to be 
configurable
318f9eb615 is described below

commit 318f9eb615a920237e0929864169190c131fa24c
Author: James Netherton <[email protected]>
AuthorDate: Tue Feb 25 11:18:55 2025 +0000

    Enable Jolokia Camel restrictor allowed MBean domains to be configurable
    
    Fixes #7051
---
 .../ROOT/pages/reference/extensions/jolokia.adoc   | 22 ++++++++--
 .../jolokia/runtime/src/main/doc/usage.adoc        | 13 +++++-
 .../jolokia/config/JolokiaBuildTimeConfig.java     |  8 ++++
 .../jolokia/restrictor/CamelJolokiaRestrictor.java | 10 ++++-
 ...ava => JolokiaCustomRestrictorDomainsTest.java} | 48 ++++++++++++----------
 .../quarkus/component/jolokia/it/JolokiaTest.java  | 30 ++++++++++++++
 6 files changed, 102 insertions(+), 29 deletions(-)

diff --git a/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc 
b/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc
index 67d3cf7c3f..513186eef7 100644
--- a/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc
+++ b/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc
@@ -84,10 +84,20 @@ By default, a Jolokia restrictor is automatically 
registered that exposes access
 * `java.lang`
 * `java.nio`
 
-If this is too restrictive, then you can either disable the default 
restrictor, or create your own custom restrictor.
+If this is too restrictive, then you can either specify your own MBean 
domains, disable the default restrictor, or create a custom restrictor.
 
-[id="extensions-jolokia-usage-disable-the-default-restrictor"]
-==== Disable the default restrictor
+[id="extensions-jolokia-usage-default-restrictor-mbean-domains"]
+==== Default restrictor MBean domains
+
+You can modify the set of MBean domains referenced by the default restrictor 
by adding configuration like the following to `application.properties`.
+
+[source]
+----
+quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains=org.apache.camel
+----
+
+[id="extensions-jolokia-usage-disabling-the-default-restrictor"]
+==== Disabling the default restrictor
 
 The following configuration added to `application.properties` disables the 
default restrictor.
 
@@ -182,6 +192,12 @@ have quarkus-vertx-http on the application classpath.
 | `boolean`
 | `true`
 
+|icon:lock[title=Fixed at build time] 
[[quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains]]`link:#quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains[quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains]`
+
+Comma separated list of allowed MBean domains used by CamelJolokiaRestrictor.
+| List of `string`
+| `org.apache.camel,java.lang,java.nio`
+
 |icon:lock[title=Fixed at build time] 
[[quarkus.camel.jolokia.kubernetes.expose-container-port]]`link:#quarkus.camel.jolokia.kubernetes.expose-container-port[quarkus.camel.jolokia.kubernetes.expose-container-port]`
 
 When {@code true} and the quarkus-kubernetes extension is present, a container 
port named jolokia will
diff --git a/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc 
b/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc
index 4da0826ee9..dfc0345318 100644
--- a/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc
+++ b/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc
@@ -44,9 +44,18 @@ By default, a Jolokia restrictor is automatically registered 
that exposes access
 * `java.lang`
 * `java.nio`
 
-If this is too restrictive, then you can either disable the default 
restrictor, or create your own custom restrictor.
+If this is too restrictive, then you can either specify your own MBean 
domains, disable the default restrictor, or create a custom restrictor.
 
-==== Disable the default restrictor
+==== Default restrictor MBean domains
+
+You can modify the set of MBean domains referenced by the default restrictor 
by adding configuration like the following to `application.properties`.
+
+[source]
+----
+quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains=org.apache.camel
+----
+
+==== Disabling the default restrictor
 
 The following configuration added to `application.properties` disables the 
default restrictor.
 
diff --git 
a/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java
 
b/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java
index afa7dcf180..97cd06cd55 100644
--- 
a/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java
+++ 
b/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java
@@ -16,6 +16,8 @@
  */
 package org.apache.camel.quarkus.jolokia.config;
 
+import java.util.Set;
+
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
@@ -47,6 +49,12 @@ public interface JolokiaBuildTimeConfig {
     @WithDefault("true")
     boolean registerManagementEndpoint();
 
+    /**
+     * Comma separated list of allowed MBean domains used by 
CamelJolokiaRestrictor.
+     */
+    @WithDefault("org.apache.camel,java.lang,java.nio")
+    Set<String> camelRestrictorAllowedMbeanDomains();
+
     /**
      * Jolokia Kubernetes build time configuration.
      */
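Review bot: The Javadoc on `camelRestrictorAllowedMbeanDomains()` does not say that this list is the access-control allowlist for the Jolokia endpoint, or that setting the property replaces the defaults rather than adding to them. The integration test in this commit shows the replacement behaviour (configuring only `org.apache.camel` makes `java.lang` and `java.nio` reads return 403), so the doc can state it as fact, e.g. `Comma separated list of MBean domains permitted by CamelJolokiaRestrictor. Setting this property replaces the default list; only add domains whose MBeans are safe to expose over Jolokia.` How domain names are matched and what an empty value does are not visible in this hunk and may deserve a sentence once confirmed. The interface body continues outside the hunk.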
diff --git 
a/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java
 
b/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java
index 43b5016792..225a41dfec 100644
--- 
a/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java
+++ 
b/extensions-jvm/jolokia/runtime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java
@@ -16,14 +16,20 @@
  */
 package org.apache.camel.quarkus.jolokia.restrictor;
 
-import java.util.List;
+import java.util.Set;
 
 import javax.management.ObjectName;
 
+import io.smallrye.config.SmallRyeConfig;
+import org.apache.camel.quarkus.jolokia.config.JolokiaBuildTimeConfig;
+import org.eclipse.microprofile.config.ConfigProvider;
 import org.jolokia.server.core.restrictor.AllowAllRestrictor;
 
 public final class CamelJolokiaRestrictor extends AllowAllRestrictor {
-    private static final List<String> ALLOWED_DOMAINS = 
List.of("org.apache.camel", "java.lang", "java.nio");
+    private static final Set<String> ALLOWED_DOMAINS = 
ConfigProvider.getConfig()
+            .unwrap(SmallRyeConfig.class)
+            .getConfigMapping(JolokiaBuildTimeConfig.class)
+            .camelRestrictorAllowedMbeanDomains();
 
     @Override
     public boolean isAttributeReadAllowed(ObjectName objectName, String 
attribute) {
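Review bot: `ALLOWED_DOMAINS` is now filled by a config lookup in a static initializer, so any failure in `ConfigProvider.getConfig()`, `unwrap(...)` or `getConfigMapping(...)` surfaces as an `ExceptionInInitializerError` on first use of the restrictor rather than as a clear configuration error. Because this class is the access check for the Jolokia endpoint, it is worth confirming that a restrictor which cannot be initialised leads to denial or a failed startup rather than a more permissive fallback; that behaviour is not visible here. Consider wrapping the lookup in `Set.copyOf(...)` so the allowlist is an immutable snapshot, and adding a field comment such as `// Allowlist of MBean domains, resolved once from build-time config at class initialisation`. The class body, including the methods that consult this set, continues outside the hunk.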
diff --git 
a/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
 
b/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaCustomRestrictorDomainsTest.java
similarity index 53%
copy from 
integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
copy to 
integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaCustomRestrictorDomainsTest.java
index fd90c66e21..526ac4b69d 100644
--- 
a/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
+++ 
b/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaCustomRestrictorDomainsTest.java
@@ -16,53 +16,57 @@
  */
 package org.apache.camel.quarkus.component.jolokia.it;
 
+import java.util.Map;
+
 import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.QuarkusTestProfile;
+import io.quarkus.test.junit.TestProfile;
 import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import org.apache.camel.quarkus.jolokia.restrictor.CamelJolokiaRestrictor;
-import org.eclipse.microprofile.config.ConfigProvider;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import static org.hamcrest.Matchers.equalTo;
 
+@TestProfile(JolokiaCustomRestrictorDomainsTest.JolokiaAdditionalPropertiesProfile.class)
 @QuarkusTest
-class JolokiaTest {
+class JolokiaCustomRestrictorDomainsTest {
     @BeforeEach
     public void beforeEach() {
         RestAssured.port = 8778;
     }
 
     @Test
-    void defaultConfiguration() {
+    void customMBeanAllowDomains() {
+        // Verify org.apache.camel domain allowed
         RestAssured.given()
-                .get("/jolokia/")
+                
.get("/jolokia/read/org.apache.camel:context=camel-1,type=context,name=\"camel-1\"/CamelId")
                 .then()
                 .statusCode(200)
                 .body(
                         "status", equalTo(200),
-                        "value.config.discoveryEnabled", equalTo("true"),
-                        "value.config.restrictorClass", 
equalTo(CamelJolokiaRestrictor.class.getName()),
-                        "value.config.agentDescription", 
equalTo("camel-quarkus-integration-test-jolokia"),
-                        "value.details.url", 
equalTo("http://127.0.0.1:8778/jolokia/";));
-    }
+                        "value", equalTo("camel-1"));
 
-    @Test
-    void sendMessage() {
-        String jolokiaPayload = 
"{\"type\":\"exec\",\"mbean\":\"org.apache.camel:context=camel-1,type=context,name=\\\"camel-1\\\"\",\"operation\":\"sendStringBody(java.lang.String,
 java.lang.String)\",\"arguments\":[\"direct://start\",\"Hello World\"]}";
+        // Verify java.lang domain disallowed
         RestAssured.given()
-                .contentType(ContentType.JSON)
-                .body(jolokiaPayload)
-                .post("/jolokia/")
+                
.get("/jolokia/read/java.lang:type=ClassLoading/LoadedClassCount")
                 .then()
                 .statusCode(200)
-                .body("status", equalTo(200));
-
-        RestAssured.port = 
ConfigProvider.getConfig().getValue("quarkus.http.test-port", Integer.class);
+                .body(
+                        "status", equalTo(403));
 
-        RestAssured.get("/jolokia/message/get")
+        // Verify java.nio domain disallowed
+        RestAssured.given()
+                
.get("/jolokia/read/java.nio:type=BufferPool,name=direct/MemoryUsed")
                 .then()
                 .statusCode(200)
-                .body(equalTo("Hello World"));
+                .body(
+                        "status", equalTo(403));
+    }
+
+    public static final class JolokiaAdditionalPropertiesProfile implements 
QuarkusTestProfile {
+        @Override
+        public Map<String, String> getConfigOverrides() {
+            return 
Map.of("quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains", 
"org.apache.camel");
+        }
     }
 }
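Review bot: `customMBeanAllowDomains` only exercises attribute reads (`/jolokia/read/...`), so a custom domain list is never checked on the write or exec paths; the same applies to `additionalAllowedDefaultMBeanDomains` added to `JolokiaTest` later in this commit. If `CamelJolokiaRestrictor` also gates writes and operations (its methods are outside the visible hunks), a negative case asserting `"status", equalTo(403)` for an exec request against a domain outside the configured list would pin the deny behaviour for the more sensitive request types. A short comment such as `// Jolokia reports the denial in the JSON status field; the HTTP status stays 200` would also explain the `.statusCode(200)` lines next to the 403 assertions.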
diff --git 
a/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
 
b/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
index fd90c66e21..6b3c686941 100644
--- 
a/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
+++ 
b/integration-tests-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
@@ -25,6 +25,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 
 @QuarkusTest
 class JolokiaTest {
@@ -65,4 +66,33 @@ class JolokiaTest {
                 .statusCode(200)
                 .body(equalTo("Hello World"));
     }
+
+    @Test
+    void additionalAllowedDefaultMBeanDomains() {
+        // Verify java.lang domain
+        RestAssured.given()
+                
.get("/jolokia/read/java.lang:type=ClassLoading/LoadedClassCount")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(200),
+                        "value", greaterThanOrEqualTo(0));
+
+        // Verify java.nio domain
+        RestAssured.given()
+                
.get("/jolokia/read/java.nio:type=BufferPool,name=direct/MemoryUsed")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(200),
+                        "value", greaterThanOrEqualTo(0));
+
+        // Disallowed domain
+        RestAssured.given()
+                
.get("/jolokia/read/java.util.logging:type=Logging/LoggerNames")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(403));
+    }
 }
