Author: ritchiem Date: Wed Oct 28 15:28:03 2009 New Revision: 830577 URL: http://svn.apache.org/viewvc?rev=830577&view=rev Log: QPID-1304: implement the ACCESS section of SimpleXML ACL. Enables virtualhost level access control, giving the defined users full access to all artifacts in the vhost
Modified: qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java Modified: qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java URL: http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java?rev=830577&r1=830576&r2=830577&view=diff ============================================================================== --- qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java (original) +++ qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/PrincipalPermissions.java Wed Oct 28 15:28:03 2009 @@ -53,6 +53,7 @@ private static final int PUBLISH_EXCHANGES_KEY = 0; private Map _permissions; + private boolean _fullVHostAccess = false; private String _user; @@ -82,6 +83,9 @@ { switch (permission) { + case ACCESS:// Parameters : None + grantAccess(permission); + break; case CONSUME: // Parameters : AMQShortString queueName, Boolean Temporary, Boolean ownQueueOnly grantConsume(permission, parameters); break; @@ -98,7 +102,6 @@ break; /* The other cases just fall through to no-op */ case DELETE: - case ACCESS: // This is a no-op as the existence of this PrincipalPermission object is scoped per VHost for ACCESS case BIND: // All the details are currently included in the create setup. case PURGE: case UNBIND: @@ -107,6 +110,11 @@ } + private void grantAccess(Permission permission) + { + _fullVHostAccess = true; + } + private void grantPublish(Permission permission, Object... parameters) { Map publishRights = (Map) _permissions.get(permission); @@ -353,9 +361,8 @@ switch (permission) { - case ACCESS: - return AuthzResult.ALLOWED; // This is here for completeness but the SimpleXML ACLManager never calls it. - // The existence of this user specific PP can be validated in the map SimpleXML maintains. + case ACCESS://No Parameters + return AuthzResult.ALLOWED; // The existence of this user-specific PP infers some level of access is authorised case BIND: // Parameters : QueueBindMethod , Exchange , AMQQueue, AMQShortString routingKey return authoriseBind(parameters); case CREATEQUEUE:// Parameters : boolean autodelete, AMQShortString name @@ -376,7 +383,14 @@ } - private AuthzResult authoriseConsume(Permission permission, Object... parameters) { + private AuthzResult authoriseConsume(Permission permission, Object... parameters) + { + if(_fullVHostAccess) + { + //user has been granted full access to the vhost + return AuthzResult.ALLOWED; + } + if (parameters.length == 1 && parameters[0] instanceof AMQQueue) { AMQQueue queue = ((AMQQueue) parameters[0]); @@ -434,8 +448,15 @@ return AuthzResult.DENIED; } - private AuthzResult authorisePublish(Permission permission, Object... parameters) { - Map publishRights = (Map) _permissions.get(permission); + private AuthzResult authorisePublish(Permission permission, Object... parameters) + { + if(_fullVHostAccess) + { + //user has been granted full access to the vhost + return AuthzResult.ALLOWED; + } + + Map publishRights = (Map) _permissions.get(permission); if (publishRights == null) { @@ -494,7 +515,14 @@ } } - private AuthzResult authoriseCreateExchange(Permission permission, Object... parameters) { + private AuthzResult authoriseCreateExchange(Permission permission, Object... parameters) + { + if(_fullVHostAccess) + { + //user has been granted full access to the vhost + return AuthzResult.ALLOWED; + } + Map rights = (Map) _permissions.get(permission); AMQShortString exchangeName = (AMQShortString) parameters[0]; @@ -511,8 +539,15 @@ } } - private AuthzResult authoriseCreateQueue(Permission permission, Object... parameters) { - Map createRights = (Map) _permissions.get(permission); + private AuthzResult authoriseCreateQueue(Permission permission, Object... parameters) + { + if(_fullVHostAccess) + { + //user has been granted full access to the vhost + return AuthzResult.ALLOWED; + } + + Map createRights = (Map) _permissions.get(permission); // If there are no create rights then deny request if (createRights == null) @@ -549,8 +584,15 @@ } } - private AuthzResult authoriseBind(Object... parameters) { - Exchange exchange = (Exchange) parameters[1]; + private AuthzResult authoriseBind(Object... parameters) + { + if(_fullVHostAccess) + { + //user has been granted full access to the vhost + return AuthzResult.ALLOWED; + } + + Exchange exchange = (Exchange) parameters[1]; AMQQueue bind_queueName = (AMQQueue) parameters[2]; AMQShortString routingKey = (AMQShortString) parameters[3]; Modified: qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java URL: http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java?rev=830577&r1=830576&r2=830577&view=diff ============================================================================== --- qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java (original) +++ qpid/branches/0.5.x-dev/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/plugins/SimpleXML.java Wed Oct 28 15:28:03 2009 @@ -85,8 +85,29 @@ processConsume(config); processCreate(config); + + processAccess(config); } + private void processAccess(Configuration config) + { + Configuration accessConfig = config.subset("access_control_list.access"); + + if(accessConfig.isEmpty()) + { + //there is no access configuration to process + return; + } + + // Process users that have full access permission + String[] users = accessConfig.getStringArray("users.user"); + + for (String user : users) + { + grant(Permission.ACCESS, user); + } + } + /** * Publish format takes Exchange + Routing Key Pairs * Modified: qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java URL: http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java?rev=830577&r1=830576&r2=830577&view=diff ============================================================================== --- qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java (original) +++ qpid/branches/0.5.x-dev/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/PrincipalPermissionsTest.java Wed Oct 28 15:28:03 2009 @@ -165,4 +165,37 @@ assertEquals(AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgs)); } + public void testVhostAccess() + { + //Tests that granting a user Virtualhost level access allows all authorisation requests + //where previously they would be denied + + //QPID-2133 createExchange rights currently allow all exchange creation unless rights for creating some + //specific exchanges are granted. Grant a specific exchange creation to cause all others to be denied. + Object[] createArgsCreateExchange = new Object[]{new AMQShortString("madeup"), _exchangeType}; + Object[] authArgsCreateExchange = new Object[]{_exchangeName,_exchangeType}; + assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + _perms.grant(Permission.CREATEEXCHANGE, createArgsCreateExchange); + + Object[] authArgsPublish = new Object[]{_exchange, _routingKey}; + Object[] authArgsConsume = new Object[]{_queue}; + Object[] authArgsCreateQueue = new Object[]{_autoDelete, _queueName}; + QueueBindBodyImpl bind = new QueueBindBodyImpl(_ticket, _queueName, _exchangeName, _routingKey, _nowait, _arguments); + Object[] authArgsBind = new Object[]{bind, _exchange, _queue, _routingKey}; + + assertEquals("Exchange creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + assertEquals("Publish was not denied", AuthzResult.DENIED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); + assertEquals("Consume creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CONSUME, authArgsConsume)); + assertEquals("Queue creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); + //BIND pre-grant authorise check disabled due to QPID-1597 + //assertEquals("Binding creation was not denied", AuthzResult.DENIED, _perms.authorise(Permission.BIND, authArgsBind)); + + _perms.grant(Permission.ACCESS); + + assertEquals("Exchange creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEEXCHANGE, authArgsCreateExchange)); + assertEquals("Publish was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.PUBLISH, authArgsPublish)); + assertEquals("Consume creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CONSUME, authArgsConsume)); + assertEquals("Queue creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.CREATEQUEUE, authArgsCreateQueue)); + assertEquals("Binding creation was not allowed", AuthzResult.ALLOWED, _perms.authorise(Permission.BIND, authArgsBind)); + } } Modified: qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java URL: http://svn.apache.org/viewvc/qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java?rev=830577&r1=830576&r2=830577&view=diff ============================================================================== --- qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java (original) +++ qpid/branches/0.5.x-dev/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/SimpleACLTest.java Wed Oct 28 15:28:03 2009 @@ -102,7 +102,51 @@ fail("Connection was not created due to:" + e); } } + + public void testAccessVhostAuthorisedGuest() throws IOException, Exception + { + //The 'guest' user normally has no access, as tested below in testAccessNoRights(), and so is unable to perform + //actions such as connecting (and by extension, creating a queue, and consuming from a queue etc). In order to test + //the vhost-wide 'access' right, we will now give the guest user 'access' ACL rights and perform various such actions. + setConfigurationProperty("virtualhosts.virtualhost.test.security.access_control_list.access.users.user", "guest"); + + setUpACLTest(); + + try + { + //get a connection + Connection conn = getConnection("guest", "guest"); + ((AMQConnection) conn).setConnectionListener(this); + + Session sesh = conn.createSession(false, Session.AUTO_ACKNOWLEDGE); + + conn.start(); + //create Queues and consumers for each + Queue namedQueue = sesh.createQueue("vhostAccessCreatedQueue" + getTestQueueName()); + Queue tempQueue = sesh.createTemporaryQueue(); + MessageConsumer consumer = sesh.createConsumer(namedQueue); + MessageConsumer tempConsumer = sesh.createConsumer(tempQueue); + + //send a message to each queue (also causing an exchange declare) + MessageProducer sender = ((AMQSession)sesh).createProducer(null); + ((org.apache.qpid.jms.MessageProducer) sender).send(namedQueue, sesh.createTextMessage("test"), + DeliveryMode.NON_PERSISTENT, 0, 0L, false, false, true); + ((org.apache.qpid.jms.MessageProducer) sender).send(tempQueue, sesh.createTextMessage("test"), + DeliveryMode.NON_PERSISTENT, 0, 0L, false, false, true); + + //consume the messages from the queues + consumer.receive(2000); + tempConsumer.receive(2000); + + conn.close(); + } + catch (Exception e) + { + fail("Test failed due to:" + e.getMessage()); + } + } + public void testAccessNoRights() throws Exception { setUpACLTest(); --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscr...@qpid.apache.org