[ https://issues.apache.org/jira/browse/ARTEMIS-2431?focusedWorklogId=843027&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-843027 ]

ASF GitHub Bot logged work on ARTEMIS-2431:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/Feb/23 22:05
            Start Date: 01/Feb/23 22:05
    Worklog Time Spent: 10m 
      Work Description: tabish121 opened a new pull request, #4358:
URL: https://github.com/apache/activemq-artemis/pull/4358

   For pipelined open cases the events processing should ignore additional 
begin and attach events if the open event handler closes the connection to 
avoid the processing throwing additional exceptions and replacing the error 
condition in the connection with an unrelated error about NPE from the 
additional events.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 843027)
    Time Spent: 50m  (was: 40m)

> [AMQP] Broker does not send security errors for unauthorized anonymous sasl 
> with pipelined open
> -----------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-2431
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2431
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 2.9.0
>            Reporter: Jiri Daněk
>            Assignee: Timothy A. Bish
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> If a client sends open, begin and attach frames all at once, then the issue 
> ARTEMIS-2344 still manifests itself. Sending the initial frames all at once 
> is known as the pipelined open, 
> http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520
>  and one client that does this is qpid-proton-cpp.
> {noformat}
> $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples" --log-msgs dict -c 1
> [0x9ea9d0]:  -> SASL
> [0x9ea9d0]:  <- SASL
> [0x9ea9d0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS, initial-response=b"anonymous@nixos"]
> [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
> [0x9ea9d0]:  -> AMQP
> [0x9ea9d0]:0 -> @open(16) [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost", channel-max=32767]
> [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="examples", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
> [0x9ea9d0]:  <- AMQP
> [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072, channel-max=65535, idle-time-out=30000, offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container", :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"], properties={:product="apache-activemq-artemis", :version="2.9.0"}]
> [0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
> [0x9ea9d0]:  <- EOS
> [error]: Failed to connect to localhost:34949
> [0x9ea9d0]:0 -> @close(24) []
> [0x9ea9d0]:  -> EOS
> {noformat}
> The broker side then looks like this
> {noformat}
> DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
> DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
> DEBUG - -Dio.netty.recycler.linkCapacity: 16
> DEBUG - -Dio.netty.recycler.ratio: 8
> DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
> INFO - AMQ601267: User anonymous is creating a core session on target resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288 [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee, true, OperationContextImpl [834445691] [minimalStore=9223372036854775807, storeLineUp=0, stored=0, minimalReplicated=9223372036854775807, replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807, pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0, executor=OrderedExecutor(tasks=[])], {}]]
> DEBUG - Couldn't validate user
> javax.security.auth.login.LoginException: Invalid null input: name
>       at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
>       at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
>       at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
>       at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
>       at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> DEBUG - Message CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860 is not going anywhere as it didn't have a binding on address:activemq.notifications
> WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable]
>       at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
>       at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> WARN - null
> java.lang.NullPointerException
>       at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
>       at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
>       at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
>       at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
>       at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
>       at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
>       at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
>       at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
>       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
>       at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
>       at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
>       at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
>       at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
>       at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
>       at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
>       at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>       at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
> {noformat}
> The NullPointerException happens when the broker is acting on the Attach 
> frame. This is wrong, because at this point we know the client has not 
> authenticated, and any subsequent communication should be ignored.
> Furthermore, the broker authenticates the client on the initial SASL 
> exchange, and only throws the auth error on processing the Begin frame. Is 
> that correct? Shouldn't the broker fail the initial sasl exchange? (Assuming 
> broker configured as in test 
> org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions).
>  And should the broker advertise SASL ANONYMOUS?
> Failing test for this is attached in a PR.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
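
The event handling described in the pull request above, as an added Java sketch that is not Artemis or proton-j code: a pipelined open, begin and attach are processed in one pass, once without and once with a check that skips events queued behind a locally closed connection. All class, method and field names, and the use of `amqp:unauthorized-access` as the rejection condition, are assumptions made for the illustration.

```java
import java.util.List;

// Added illustration: a simplified model with hypothetical names, not Artemis or proton-j code.
public class PipelinedOpenGuardDemo {
    enum Event { OPEN, BEGIN, ATTACH }

    static final class Connection {
        String closeCondition;   // error condition the peer will see in the close frame
        Object session;          // never created when the peer is rejected
        boolean closed() { return closeCondition != null; }
        void close(String condition) { closeCondition = condition; }
    }

    // OPEN rejects an unauthorized peer; ATTACH assumes BEGIN created a session.
    static void handle(Event event, Connection c, boolean authorized) {
        switch (event) {
            case OPEN:
                if (!authorized) c.close("amqp:unauthorized-access"); // assumed condition
                break;
            case BEGIN:
                if (authorized) c.session = new Object();
                break;
            case ATTACH:
                c.session.hashCode(); // NullPointerException when no session exists
                break;
        }
    }

    // Processes frames that arrived in one read; 'guard' enables the skip-after-close check.
    static String process(List<Event> pipelined, boolean authorized, boolean guard) {
        Connection c = new Connection();
        for (Event event : pipelined) {
            if (guard && c.closed()) continue; // ignore events queued behind the rejected open
            try {
                handle(event, c, authorized);
            } catch (RuntimeException e) {
                // Unexpected failure: reported as an internal error, replacing any earlier condition.
                c.close("amqp:internal-error");
            }
        }
        return c.closeCondition;
    }

    public static void main(String[] args) {
        List<Event> frames = List.of(Event.OPEN, Event.BEGIN, Event.ATTACH);
        System.out.println("no guard:   " + process(frames, false, false));
        System.out.println("with guard: " + process(frames, false, true));
        System.out.println("authorized: " + process(frames, true, true));
    }
}
```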
