Author: aidan Date: Wed Nov 11 22:59:29 2009 New Revision: 835115 URL: http://svn.apache.org/viewvc?rev=835115&view=rev Log: QPID-2184: make sure global security plugins are reconfigured properly
ServerConfigurationTest: add test for reloading firewall config in main section, not just as a combined file FirewallConfigTest: add a systest for firewalls with real broker QpidTestCase: add a reloadBroker() method Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java qpid/trunk/qpid/java/test-profiles/010Excludes Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java (original) +++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java Wed Nov 11 22:59:29 2009 
@@ -311,13 +311,13 @@ { Configuration newConfig = parseConfig(_configFile); _securityConfiguration = new SecurityConfiguration(newConfig.subset("security")); - ApplicationRegistry.getInstance().getAccessManager().configurePlugins(_securityConfiguration); VirtualHostRegistry vhostRegistry = ApplicationRegistry.getInstance().getVirtualHostRegistry(); for (String hostname : _virtualHosts.keySet()) { VirtualHost vhost = vhostRegistry.getVirtualHost(hostname); SecurityConfiguration hostSecurityConfig = new SecurityConfiguration(newConfig.subset("virtualhosts.virtualhost."+hostname+".security")); + vhost.getAccessManager().configureGlobalPlugins(_securityConfiguration); vhost.getAccessManager().configureHostPlugins(hostSecurityConfig); } } Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java (original) +++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java Wed Nov 11 22:59:29 2009 @@ -67,14 +67,18 @@ _allSecurityPlugins.put(securityPlugin.getClass().getName(), securityPlugin); } - _globalPlugins = configurePlugins(configuration); + configureGlobalPlugins(configuration); } - public void configureHostPlugins(SecurityConfiguration hostConfig) throws ConfigurationException { _hostPlugins = configurePlugins(hostConfig); } + + public void configureGlobalPlugins(SecurityConfiguration configuration) throws ConfigurationException + { + _globalPlugins = configurePlugins(configuration); + } public Map<String, ACLPlugin> configurePlugins(SecurityConfiguration hostConfig) throws ConfigurationException { 
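Review bot: The per-host loop in reparseConfigFile does not guard against `vhostRegistry.getVirtualHost(hostname)` returning null, so a hostname present in `_virtualHosts` but not (yet) registered fails on the new `configureGlobalPlugins` call with a NullPointerException rather than a ConfigurationException; a check such as `if (vhost == null) { throw new ConfigurationException("Unknown virtual host: " + hostname); }` before the two configure calls would make that explicit. Because the global and host plugin maps are now replaced one virtual host at a time, a ConfigurationException partway through the loop leaves earlier hosts on the new security configuration and later hosts on the old one; building all new plugin maps first and swapping them in only after every host parsed cleanly would keep a failed reload from producing a mixed state, or at minimum that behaviour should be documented on the method. The removed line reconfigured the registry-wide access manager directly; if `ApplicationRegistry.getAccessManager()` is a separate instance from the managers the virtual hosts return, it no longer sees reloaded firewall rules — worth confirming, since the unit test in this commit authorises through the registry's manager. The enclosing method begins before this hunk.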
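Review bot: `configureGlobalPlugins` and `configureHostPlugins` replace `_globalPlugins` and `_hostPlugins` on whatever thread triggers a configuration reload, while the authorise checks (outside this hunk) presumably read those fields on connection-handling threads; unless the field declarations, which are also outside this hunk, are `volatile` or the reads are otherwise synchronised, a reader may keep seeing the pre-reload plugin map for an unbounded time after the file was reparsed. Please confirm the declarations, and if they are plain fields consider making them `volatile` so a reload that tightens a firewall rule becomes visible promptly. Neither new public method carries Javadoc; a summary such as `/** Replaces the broker-wide security plugins from the given security section; invoked at startup and on configuration reload. */` on `configureGlobalPlugins` would make the reload contract visible to callers.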
@@ -93,7 +97,7 @@ { if (plugin.supportsTag(tag)) { - _logger.warn("Plugin handling security section "+tag+" is "+plugin.getClass().getSimpleName()); + _logger.info("Plugin handling security section "+tag+" is "+plugin); handledTags.add(tag); plugins.put(plugin.getClass().getName(), plugin.newInstance(securityConfig)); } Modified: qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java (original) +++ qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java Wed Nov 11 22:59:29 2009 
@@ -760,38 +760,8 @@ // Write out config File mainFile = File.createTempFile(getClass().getName(), null); mainFile.deleteOnExit(); - FileWriter out = new FileWriter(mainFile); - - out.write("<broker>\n"); - out.write("\t<management><enabled>false</enabled></management>\n"); - out.write("\t<security>\n"); - out.write("\t\t<principal-databases>\n"); - out.write("\t\t\t<principal-database>\n"); - out.write("\t\t\t\t<name>passwordfile</name>\n"); - out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n"); - out.write("\t\t\t\t<attributes>\n"); - out.write("\t\t\t\t\t<attribute>\n"); - out.write("\t\t\t\t\t\t<name>passwordFile</name>\n"); - out.write("\t\t\t\t\t\t<value>/dev/null</value>\n"); - out.write("\t\t\t\t\t</attribute>\n"); - out.write("\t\t\t\t</attributes>\n"); - out.write("\t\t\t</principal-database>\n"); - out.write("\t\t</principal-databases>\n"); - out.write("\t\t<jmx>\n"); - out.write("\t\t\t<access>/dev/null</access>\n"); - out.write("\t\t\t<principal-database>passwordfile</principal-database>\n"); - out.write("\t\t</jmx>\n"); - out.write("\t\t<firewall>\n"); - out.write("\t\t\t<rule access=\"deny\" network=\"127.0.0.1\"/>"); - out.write("\t\t</firewall>\n"); - out.write("\t</security>\n"); - out.write("\t<virtualhosts>\n"); - out.write("\t\t<virtualhost>\n"); - out.write("\t\t\t<name>test</name>\n"); - out.write("\t\t</virtualhost>\n"); - out.write("\t</virtualhosts>\n"); - out.write("</broker>\n"); - out.close(); + FileWriter out; + writeConfigFile(mainFile, false); // Load config ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); 
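Review bot: `FileWriter out;` is left behind as an unused local after the writer body moved into `writeConfigFile`, so the test should simply read `mainFile.deleteOnExit(); writeConfigFile(mainFile, false);`. A dead declaration like this is also the kind of thing that hides a later accidental reuse of an unopened writer. The enclosing test method starts before this hunk and continues after it.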
@@ -882,6 +852,70 @@ session.setNetworkDriver(testDriver); assertFalse(reg.getAccessManager().authoriseConnect(session, virtualHost)); } + + public void testConfigurationFirewallReload() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + + mainFile.deleteOnExit(); + writeConfigFile(mainFile, false); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + ApplicationRegistry.initialise(reg, 1); + + // Test config + TestNetworkDriver testDriver = new TestNetworkDriver(); + testDriver.setRemoteAddress("127.0.0.1"); + VirtualHostRegistry virtualHostRegistry = reg.getVirtualHostRegistry(); + VirtualHost virtualHost = virtualHostRegistry.getVirtualHost("test"); + AMQProtocolSession session = new AMQProtocolEngine(virtualHostRegistry, testDriver); + + assertFalse(reg.getAccessManager().authoriseConnect(session, virtualHost)); + + // Switch to deny the connection + writeConfigFile(mainFile, true); + + reg.getConfiguration().reparseConfigFile(); + + assertTrue(reg.getAccessManager().authoriseConnect(session, virtualHost)); + + } + + private void writeConfigFile(File mainFile, boolean allow) throws IOException { + FileWriter out = new FileWriter(mainFile); + out.write("<broker>\n"); + out.write("\t<management><enabled>false</enabled></management>\n"); + out.write("\t<security>\n"); + out.write("\t\t<principal-databases>\n"); + out.write("\t\t\t<principal-database>\n"); + out.write("\t\t\t\t<name>passwordfile</name>\n"); + out.write("\t\t\t\t<class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>\n"); + out.write("\t\t\t\t<attributes>\n"); + out.write("\t\t\t\t\t<attribute>\n"); + out.write("\t\t\t\t\t\t<name>passwordFile</name>\n"); + out.write("\t\t\t\t\t\t<value>/dev/null</value>\n"); + out.write("\t\t\t\t\t</attribute>\n"); + out.write("\t\t\t\t</attributes>\n"); + out.write("\t\t\t</principal-database>\n"); + 
out.write("\t\t</principal-databases>\n"); + out.write("\t\t<jmx>\n"); + out.write("\t\t\t<access>/dev/null</access>\n"); + out.write("\t\t\t<principal-database>passwordfile</principal-database>\n"); + out.write("\t\t</jmx>\n"); + out.write("\t\t<firewall>\n"); + out.write("\t\t\t<rule access=\""+ ((allow) ? "allow" : "deny") +"\" network=\"127.0.0.1\"/>"); + out.write("\t\t</firewall>\n"); + out.write("\t</security>\n"); + out.write("\t<virtualhosts>\n"); + out.write("\t\t<virtualhost>\n"); + out.write("\t\t\t<name>test</name>\n"); + out.write("\t\t</virtualhost>\n"); + out.write("\t</virtualhosts>\n"); + out.write("</broker>\n"); + out.close(); + } public void testCombinedConfigurationFirewallReload() throws Exception { Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml (added) +++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml Wed Nov 11 22:59:29 2009 
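Review bot: The comment `// Switch to deny the connection` in testConfigurationFirewallReload is inverted: `writeConfigFile(mainFile, true)` writes an `allow` rule and the following assertion expects the connection to be authorised, so it should read `// Switch to allow the connection`. In `writeConfigFile` the `FileWriter` is only closed on the success path; wrapping the writes in `try { ... } finally { out.close(); }` keeps a failed write from leaving the temp file handle open for the rest of the run. The test also only exercises the deny → allow transition; a second `writeConfigFile(mainFile, false); reg.getConfiguration().reparseConfigFile(); assertFalse(...)` would cover the allow → deny direction, which is the one a stale plugin map would fail on silently.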
@@ -0,0 +1,28 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - + --> +<broker> + <security> + <firewall> + <rule access="allow" network="127.0.0.1"/> + </firewall> + </security> +</broker> Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml (added) +++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml Wed Nov 11 22:59:29 2009 
@@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - + --> +<configuration> + <system/> + <override> + <xml fileName="${test.config}" config-optional="true"/> + <xml fileName="${QPID_FIREWALL_SETTINGS}"/> + <xml fileName="${QPID_HOME}/etc/config-systests-settings.xml"/> + <xml fileName="${QPID_HOME}/etc/config.xml"/> + </override> +</configuration> Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java (added) +++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java Wed Nov 11 22:59:29 2009 
@@ -0,0 +1,164 @@ +package org.apache.qpid.server.security.firewall; + +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; + +import javax.jms.Connection; +import javax.jms.JMSException; + +import org.apache.qpid.test.utils.QpidTestCase; + +public class FirewallConfigTest extends QpidTestCase +{ + + private File tmpFile = null; + @Override + protected void setUp() throws Exception + { + // do setup + final String QPID_HOME = System.getProperty("QPID_HOME"); + + if (QPID_HOME == null) + { + fail("QPID_HOME not set"); + } + + // Setup initial config. + _configFile = new File(QPID_HOME, "etc/config-systests-firewall.xml"); + tmpFile = File.createTempFile("config-systests-firewall", ".xml"); + setSystemProperty("QPID_FIREWALL_SETTINGS", tmpFile.getAbsolutePath()); + tmpFile.deleteOnExit(); + } + + private void writeFirewallFile(boolean allow, boolean inVhost) throws IOException + { + FileWriter out = new FileWriter(tmpFile); + String ipAddr = "127.0.0.1"; // FIXME: get this from InetAddress.getLocalHost().getAddress() ? + out.write("<broker>"); + if (inVhost) + { + out.write("<virtualhosts><virtualhost><test>"); + } + out.write("<security><firewall>"); + out.write("<rule access=\""+((allow) ? 
"allow" : "deny")+"\" network=\""+ipAddr +"\"/>"); + out.write("</firewall></security>"); + if (inVhost) + { + out.write("</test></virtualhost></virtualhosts>"); + } + out.write("</broker>"); + out.close(); + } + + public void testDenyOnRestart() throws Exception + { + testDeny(false, new Runnable() { + + public void run() + { + try + { + restartBroker(); + } catch (Exception e) + { + fail(e.getMessage()); + } + } + }); + } + + public void testDenyOnRestartInVhost() throws Exception + { + testDeny(true, new Runnable() { + + public void run() + { + try + { + reloadBroker(); + } catch (Exception e) + { + fail(e.getMessage()); + } + } + }); + } + + public void testDenyOnReload() throws Exception + { + testDeny(false, new Runnable() { + + public void run() + { + try + { + reloadBroker(); + } catch (Exception e) + { + fail(e.getMessage()); + } + } + } + ); + } + + public void testDenyOnReloadInVhost() throws Exception + { + testDeny(true, new Runnable() { + + public void run() + { + try + { + reloadBroker(); + } catch (Exception e) + { + fail(e.getMessage()); + } + } + } + ); + + } + + private void testDeny(boolean inVhost, Runnable restartOrReload) throws Exception + { + if (_broker.equals(VM)) + { + // No point running this test in a vm broker + return; + } + + writeFirewallFile(false, inVhost); + super.setUp(); + + Exception exception = null; + Connection conn = null; + try + { + conn = getConnection(); + } + catch (JMSException e) + { + exception = e; + } + assertNotNull(exception); + + // Check we can get a connection + + writeFirewallFile(true, inVhost); + restartOrReload.run(); + + exception = null; + try + { + conn = getConnection(); + } + catch (JMSException e) + { + exception = e; + } + assertNull(exception); + } +} Modified: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java (original) +++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java Wed Nov 11 22:59:29 2009 @@ -57,6 +57,7 @@ import java.io.InputStreamReader; import java.io.LineNumberReader; import java.io.PrintStream; +import java.io.Reader; import java.net.MalformedURLException; import java.util.ArrayList; import java.util.HashMap; @@ -1241,4 +1242,27 @@ return null; } + public void reloadBroker() throws ConfigurationException, IOException + { + reloadBroker(0); + } + + public void reloadBroker(int port) throws ConfigurationException, IOException + { + if (_broker.equals(VM)) + { + ApplicationRegistry.getInstance().getConfiguration().reparseConfigFile(); + } + else // FIXME: should really use the JMX interface to do this + { + /* + * Sigh, this is going to get messy. grep for BRKR and the port number + */ + + Process p = Runtime.getRuntime().exec("/usr/bin/pgrep -f " + getPort(port)); + BufferedReader reader = new BufferedReader (new InputStreamReader(p.getInputStream())); + String cmd = "/bin/kill -SIGHUP " + reader.readLine(); + p = Runtime.getRuntime().exec(cmd); + } + } } Modified: qpid/trunk/qpid/java/test-profiles/010Excludes URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/test-profiles/010Excludes?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/test-profiles/010Excludes (original) +++ qpid/trunk/qpid/java/test-profiles/010Excludes Wed Nov 11 22:59:29 2009 
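Review bot: In `reloadBroker(int port)` the pid returned by `reader.readLine()` is used unchecked, so when `pgrep -f` matches nothing the second command becomes `/bin/kill -SIGHUP null`, and when it matches more than one process (the pattern is just the port number, which can appear in any process's command line, including the test JVM's own) only the first pid is signalled — possibly an unrelated process. The commands are also built by string concatenation and passed to `Runtime.exec(String)`, neither process is waited for or checked for exit status, and the reader on pgrep's stdout is never closed; the rewrite below uses `ProcessBuilder` with an argument list, requires exactly one numeric pid, closes the reader, and fails loudly if the signal could not be delivered. The added `java.io.Reader` import does not appear to be used by this hunk; if nothing else in the file needs it, drop it. The non-VM branch still bypasses the broker's management interface, as the FIXME already notes.
```java
    public void reloadBroker(int port) throws ConfigurationException, IOException
    {
        if (_broker.equals(VM))
        {
            ApplicationRegistry.getInstance().getConfiguration().reparseConfigFile();
            return;
        }

        // FIXME: should really use the JMX interface to do this
        String portArg = String.valueOf(getPort(port));
        Process pgrep = new ProcessBuilder("/usr/bin/pgrep", "-f", portArg).start();
        BufferedReader reader = new BufferedReader(new InputStreamReader(pgrep.getInputStream()));
        String pid;
        String extra;
        try
        {
            pid = reader.readLine();
            extra = reader.readLine();
        }
        finally
        {
            reader.close();
        }
        // Refuse to signal anything unless pgrep found exactly one numeric pid.
        if (pid == null || !pid.matches("\\d+") || extra != null)
        {
            throw new IOException("Expected exactly one broker process matching port " + portArg
                                  + " but pgrep returned: " + pid + (extra != null ? ", " + extra : ""));
        }

        Process kill = new ProcessBuilder("/bin/kill", "-SIGHUP", pid).start();
        try
        {
            if (kill.waitFor() != 0)
            {
                throw new IOException("kill -SIGHUP " + pid + " exited with status " + kill.exitValue());
            }
        }
        catch (InterruptedException e)
        {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while signalling broker process " + pid);
        }
    }
```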
@@ -3,6 +3,7 @@ //These tests are for the java broker org.apache.qpid.server.security.acl.SimpleACLTest#* +org.apache.qpid.server.security.firewall.FirewallConfigTest#* org.apache.qpid.server.plugins.PluginTest#* org.apache.qpid.server.BrokerStartupTest#* --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscr...@qpid.apache.org