Posted to commits@activemq.apache.org by cl...@apache.org on 2022/07/19 17:20:53 UTC
[activemq-artemis] branch main updated: ARTEMIS-3892 user limits not working with cert auth
This is an automated email from the ASF dual-hosted git repository.
clebertsuconic pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git
The following commit(s) were added to refs/heads/main by this push:
new ff1fe7f6b5 ARTEMIS-3892 user limits not working with cert auth
ff1fe7f6b5 is described below
commit ff1fe7f6b5f9595eedc80480dcdcd6093db9e32b
Author: Yesenkov <10...@users.noreply.github.com>
AuthorDate: Tue Jun 7 15:06:11 2022 +0300
ARTEMIS-3892 user limits not working with cert auth
---
.../core/server/impl/ActiveMQServerImpl.java | 2 +-
.../core/server/impl/ServerSessionImpl.java | 8 +-
.../integration/server/ResourceLimitTest.java | 3 +
...itTest.java => ResourceLimitTestWithCerts.java} | 92 +++++++++++++++-------
4 files changed, 73 insertions(+), 32 deletions(-)
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java
index a659e46e61..5459df8b0e 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java
@@ -1764,7 +1764,7 @@ public class ActiveMQServerImpl implements ActiveMQServer {
int sessionCount = 0;
for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
- if (sessionEntry.getValue().getUsername().equals(username)) {
+ if ((sessionEntry.getValue().getValidatedUser() != null && sessionEntry.getValue().getValidatedUser().equals(username)) || (sessionEntry.getValue().getUsername() != null && sessionEntry.getValue().getUsername().equals(username))) {
sessionCount++;
}
}
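Review bot: The `getUsername()` half of the new condition matches on the name the client supplied, so a session is counted toward `username` even when its validated identity is a different user. If the supplied name is not checked against the certificate identity under cert auth (not visible in this hunk), sessions authenticated as one user could be counted against another user's connection limit. Prefer a single effective identity per session, with `s` taken once from `sessionEntry.getValue()`: `String user = s.getValidatedUser() != null ? s.getValidatedUser() : s.getUsername();` followed by `if (user != null && user.equals(username))`. The enclosing method starts and ends outside the hunk.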
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
index 977d94835d..2aa1a86d3e 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
@@ -737,9 +737,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
securityCheck(queueConfiguration.getAddress(), queueConfiguration.getName(), CheckType.CREATE_ADDRESS, this);
}
- server.checkQueueCreationLimit(getUsername());
+ server.checkQueueCreationLimit(getValidatedUser());
- Queue queue = server.createQueue(queueConfiguration.setUser(getUsername()));
+ Queue queue = server.createQueue(queueConfiguration.setUser(getValidatedUser()));
if (queueConfiguration.isTemporary()) {
// Temporary queue in core simply means the queue will be deleted if
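Review bot: `getValidatedUser()` is passed to `checkQueueCreationLimit` and `setUser` with no fallback, while the ActiveMQServerImpl change in this same commit null-checks it before use. If the validated user can be null here (for example with security disabled; not visible in this hunk), both the limit lookup and the queue's recorded owner receive null where they used to receive `getUsername()`. Either document that it is never null at this point, or resolve the name once with `String user = getValidatedUser() != null ? getValidatedUser() : getUsername();` and use it for both calls. The same pair of calls in the shared-queue hunk at `@@ -1046,9 +1046,9 @@` needs the same treatment; both methods begin outside their hunks.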
@@ -1046,9 +1046,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
securityCheck(queueConfiguration.getAddress(), queueConfiguration.getName(), queueConfiguration.isDurable() ? CheckType.CREATE_DURABLE_QUEUE : CheckType.CREATE_NON_DURABLE_QUEUE, this);
- server.checkQueueCreationLimit(getUsername());
+ server.checkQueueCreationLimit(getValidatedUser());
- server.createSharedQueue(queueConfiguration.setUser(getUsername()));
+ server.createSharedQueue(queueConfiguration.setUser(getValidatedUser()));
}
@Deprecated
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
index 0c041297c4..cb5766e26b 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
@@ -104,6 +104,7 @@ public class ResourceLimitTest extends ActiveMQTestBase {
try {
clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}
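Review bot: The added `fail(...)` only works because the `AssertionError` it throws is not an `Exception`, and the surrounding `catch (Exception e)` plus `assertTrue(e instanceof ActiveMQSecurityException)` discards the real exception when the wrong type is thrown. Narrowing the handler to `catch (ActiveMQSecurityException expected) {` lets any other exception propagate with its stack trace, assuming the test method declares `throws Exception` (its signature is outside the hunk). The same pattern repeats in the next hunk of this file and in the copied blocks of ResourceLimitTestWithCerts.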
@@ -114,12 +115,14 @@ public class ResourceLimitTest extends ActiveMQTestBase {
try {
clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}
try {
clientSession.createSharedQueue(new QueueConfiguration("anotherQueue").setAddress("address").setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTestWithCerts.java
similarity index 50%
copy from tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
copy to tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTestWithCerts.java
index 0c041297c4..14a383c9e5 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTestWithCerts.java
@@ -16,7 +16,11 @@
*/
package org.apache.activemq.artemis.tests.integration.server;
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
import java.util.HashSet;
+import java.util.Map;
import java.util.Set;
import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
@@ -25,58 +29,80 @@ import org.apache.activemq.artemis.api.core.QueueConfiguration;
import org.apache.activemq.artemis.api.core.RoutingType;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
import org.apache.activemq.artemis.api.core.client.ClientSession;
import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
import org.apache.activemq.artemis.api.core.client.ServerLocator;
-import org.apache.activemq.artemis.core.config.Configuration;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServers;
import org.apache.activemq.artemis.core.settings.impl.ResourceLimitSettings;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.junit.Before;
import org.junit.Test;
-public class ResourceLimitTest extends ActiveMQTestBase {
+public class ResourceLimitTestWithCerts extends ActiveMQTestBase {
- private ActiveMQServer server;
-
- private TransportConfiguration liveTC;
+ static {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+ }
@Override
@Before
public void setUp() throws Exception {
super.setUp();
- ResourceLimitSettings resourceLimitSettings = new ResourceLimitSettings();
- resourceLimitSettings.setMatch(SimpleString.toSimpleString("myUser"));
- resourceLimitSettings.setMaxConnections(1);
- resourceLimitSettings.setMaxQueues(1);
+ ResourceLimitSettings limit = new ResourceLimitSettings();
+ limit.setMaxConnections(1);
+ limit.setMaxQueues(1);
+ limit.setMatch(new SimpleString("first"));
- Configuration configuration = createBasicConfig().addAcceptorConfiguration(new TransportConfiguration(INVM_ACCEPTOR_FACTORY)).addResourceLimitSettings(resourceLimitSettings).setSecurityEnabled(true);
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+ ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true).addResourceLimitSettings(limit), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
- server = addServer(ActiveMQServers.newActiveMQServer(configuration, false));
- server.start();
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
+ server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
- ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
- securityManager.getConfiguration().addUser("myUser", "password");
- securityManager.getConfiguration().addRole("myUser", "arole");
- Role role = new Role("arole", false, false, false, false, true, true, false, true, true, true);
Set<Role> roles = new HashSet<>();
- roles.add(role);
- server.getSecurityRepository().addMatch("#", roles);
+ roles.add(new Role("programmers", true, true, true, true, true, true, true, true, true, true));
+ server.getConfiguration().putSecurityRoles("#", roles);
+
+ server.start();
}
@Test
public void testSessionLimitForUser() throws Exception {
- ServerLocator locator = addServerLocator(createNonHALocator(false));
- ClientSessionFactory clientSessionFactory = locator.createSessionFactory();
- ClientSession clientSession = clientSessionFactory.createSession("myUser", "password", false, true, true, false, 0);
+ TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ ClientSessionFactory cf = createSessionFactory(locator);
+
+ ClientSession clientSession = cf.createSession();
try {
ClientSessionFactory extraClientSessionFactory = locator.createSessionFactory();
- ClientSession extraClientSession = extraClientSessionFactory.createSession("myUser", "password", false, true, true, false, 0);
+ ClientSession extraClientSession = extraClientSessionFactory.createSession();
fail("creating a session factory here should fail");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSessionCreationException);
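Review bot: In the static initializer, `resource.getFile()` returns the URL path without decoding percent-escapes, so a checkout directory containing a space or other escaped character yields a `java.security.auth.login.config` value that does not name a real file. Converting through `Paths.get(resource.toURI())` (handling the checked `URISyntaxException`) gives a usable filesystem path. The property is also JVM-global and never restored, so whichever of this class and `SecurityTest` loads first decides the JAAS configuration for later tests in the same JVM; a short comment saying this is intentional would help. `testSessionLimitForUser` continues past the end of this hunk.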
@@ -84,26 +110,36 @@ public class ResourceLimitTest extends ActiveMQTestBase {
clientSession.close();
- clientSession = clientSessionFactory.createSession("myUser", "password", false, true, true, false, 0);
+ clientSession = cf.createSession();
try {
ClientSessionFactory extraClientSessionFactory = locator.createSessionFactory();
- ClientSession extraClientSession = extraClientSessionFactory.createSession("myUser", "password", false, true, true, false, 0);
+ ClientSession extraClientSession = extraClientSessionFactory.createSession();
fail("creating a session factory here should fail");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSessionCreationException);
}
+ clientSession.close();
+ cf.close();
}
@Test
public void testQueueLimitForUser() throws Exception {
- ServerLocator locator = addServerLocator(createNonHALocator(false));
- ClientSessionFactory clientSessionFactory = locator.createSessionFactory();
- ClientSession clientSession = clientSessionFactory.createSession("myUser", "password", false, true, true, false, 0);
+ TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+ tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+ tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+ tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+ tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+ ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+ ClientSessionFactory cf = createSessionFactory(locator);
+
+ ClientSession clientSession = cf.createSession();
clientSession.createQueue(new QueueConfiguration("queue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
try {
clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}
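Review bot: Every session in both tests is opened with `cf.createSession()`, so no client-supplied username is ever sent and the `getUsername()` branch added to the session count in ActiveMQServerImpl is never exercised under cert auth. A case that opens the session with the seven-argument `createSession(...)` overload and a username different from the certificate identity, then asserts that the limits for `first` still apply, would pin down which identity the limits follow. The connector setup is also duplicated verbatim in both tests and could move to one private helper returning the `TransportConfiguration`. `testQueueLimitForUser` continues outside this hunk.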
@@ -114,12 +150,14 @@ public class ResourceLimitTest extends ActiveMQTestBase {
try {
clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}
try {
clientSession.createSharedQueue(new QueueConfiguration("anotherQueue").setAddress("address").setDurable(false));
+ fail("Should have thrown an ActiveMQSecurityException");
} catch (Exception e) {
assertTrue(e instanceof ActiveMQSecurityException);
}