You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@activemq.apache.org by cl...@apache.org on 2021/07/12 15:28:19 UTC

[activemq-artemis] 02/02: ARTEMIS-3381 AMQP bypasses session when deleting queues

This is an automated email from the ASF dual-hosted git repository.

clebertsuconic pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git

commit ec508d8306b8e0db5dcdbf8c26a0f480608d97dc
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Thu Jul 8 20:01:44 2021 -0500

    ARTEMIS-3381 AMQP bypasses session when deleting queues
    
    The AMQP implementation bypasses the ServerSession when deleting queues
    which also bypasses security authorization.
---
 .../protocol/amqp/broker/AMQPSessionCallback.java     |  2 +-
 .../integration/server/SecureConfigurationTest.java   | 19 ++++++++++++++++++-
 .../src/test/resources/multicast_topic.xml            |  6 +++---
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
index 9be3858..82dbec7 100644
--- a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
+++ b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
@@ -642,7 +642,7 @@ public class AMQPSessionCallback implements SessionCallback {
    }
 
    public void deleteQueue(SimpleString queueName) throws Exception {
-      manager.getServer().destroyQueue(queueName);
+      serverSession.deleteQueue(queueName);
    }
 
    public void resetContext(OperationContext oldContext) {
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/SecureConfigurationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/SecureConfigurationTest.java
index 87adf23..7d6e802 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/SecureConfigurationTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/SecureConfigurationTest.java
@@ -120,7 +120,7 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
    }
 
    @Test
-   public void testSecureDurableSubscriber() throws Exception {
+   public void testCreateSecureDurableSubscriber() throws Exception {
       ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
       String message = "blah";
 
@@ -137,6 +137,23 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
    }
 
    @Test
+   public void testDeleteSecureDurableSubscriber() throws Exception {
+      ConnectionFactory connectionFactory = getConnectionFactory("c", "c");
+      String message = "blah";
+
+      //Expect to be able to create durable queue for subscription
+      String messageRecieved = sendAndReceiveTextUsingTopic(connectionFactory, "clientId", message, "secured_topic_durable", (t, s) -> s.createDurableSubscriber(t, "secured_topic_durable/non-existant-queue"));
+      Assert.assertEquals(message, messageRecieved);
+
+      try {
+         sendAndReceiveTextUsingTopic(connectionFactory, "clientId", message, "secured_topic_durable", (t, s) -> s.createDurableSubscriber(t, "secured_topic_durable/non-existant-queue", "age > 10", false));
+         Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to dynamically delete queue");
+      } catch (JMSSecurityException j) {
+         //Expected exception
+      }
+   }
+
+   @Test
    public void testTemporaryQueue() throws Exception {
       ConnectionFactory connectionFactory = getConnectionFactory("a", "a");
       String message = "blah";
diff --git a/tests/integration-tests/src/test/resources/multicast_topic.xml b/tests/integration-tests/src/test/resources/multicast_topic.xml
index a4891d0..009b3e8 100644
--- a/tests/integration-tests/src/test/resources/multicast_topic.xml
+++ b/tests/integration-tests/src/test/resources/multicast_topic.xml
@@ -127,11 +127,11 @@ under the License.
          <security-setting match="secured_topic_durable">
             <permission type="createNonDurableQueue" roles="a"/>
             <permission type="deleteNonDurableQueue" roles="a"/>
-            <permission type="createDurableQueue" roles="a"/>
+            <permission type="createDurableQueue" roles="a,c"/>
             <permission type="deleteDurableQueue" roles="a"/>
             <permission type="browse" roles="a"/>
-            <permission type="send" roles="a,b"/>
-            <permission type="consume" roles="a,b" />
+            <permission type="send" roles="a,b,c"/>
+            <permission type="consume" roles="a,b,c" />
             <!-- we need this otherwise ./artemis data imp wouldn't work -->
             <permission type="manage" roles="a"/>
          </security-setting>