Posted to commits@qpid.apache.org by kw...@apache.org on 2012/09/28 14:46:07 UTC
svn commit: r1391430 [1/2] - in /qpid/trunk/qpid/java: ./
broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/
broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/
broker-plu...
Author: kwall
Date: Fri Sep 28 12:46:06 2012
New Revision: 1391430
URL: http://svn.apache.org/viewvc?rev=1391430&view=rev
Log:
QPID-4334: removed the firewall plugin and moved its functionality into the Access Control plugin.
Applied patch from Philip Harvey <ph...@philharveyonline.com>.
Added:
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AccessControlFirewallException.java
- copied, changed from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java
- copied, changed from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java
- copied, changed from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/InetNetwork.java
- copied, changed from r1391232, qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRuleTest.java
Removed:
qpid/trunk/qpid/java/broker-plugins/firewall/MANIFEST.MF
qpid/trunk/qpid/java/broker-plugins/firewall/build.xml
qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallRule.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/Firewall.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallConfiguration.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java
qpid/trunk/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java
qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java
qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml
qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml
qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml
qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
Modified:
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AbstractConfiguration.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/PlainConfiguration.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/plugins/AccessControlTest.java
qpid/trunk/qpid/java/broker/etc/broker_example.acl
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ObjectProperties.java
qpid/trunk/qpid/java/ivy.nexus.xml
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AbstractConfiguration.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AbstractConfiguration.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AbstractConfiguration.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AbstractConfiguration.java Fri Sep 28 12:46:06 2012
@@ -23,12 +23,9 @@ package org.apache.qpid.server.security.
import java.io.File;
import org.apache.commons.configuration.ConfigurationException;
-import org.apache.log4j.Logger;
public abstract class AbstractConfiguration implements ConfigurationFile
{
- private static final Logger _logger = Logger.getLogger(ConfigurationFile.class);
-
private File _file;
private RuleSet _config;
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclAction.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang.builder.ToStringStyle;
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+public class AclAction
+{
+ private Action _action;
+ private FirewallRule _firewallRule;
+
+ public AclAction(Operation operation, ObjectType object, AclRulePredicates predicates)
+ {
+ _action = new Action(operation, object, predicates.getObjectProperties());
+ _firewallRule = predicates.getFirewallRule();
+ }
+
+ public AclAction(Operation operation)
+ {
+ _action = new Action(operation);
+ }
+
+ public AclAction(Operation operation, ObjectType object, ObjectProperties properties)
+ {
+ _action = new Action(operation, object, properties);
+ }
+
+ public FirewallRule getFirewallRule()
+ {
+ return _firewallRule;
+ }
+
+ public Action getAction()
+ {
+ return _action;
+ }
+
+ public boolean isAllowed()
+ {
+ return _action.isAllowed();
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return new HashCodeBuilder()
+ .append(_action)
+ .append(_firewallRule).toHashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj)
+ {
+ if (obj == null)
+ {
+ return false;
+ }
+ if (obj == this)
+ {
+ return true;
+ }
+ if (obj.getClass() != getClass())
+ {
+ return false;
+ }
+ AclAction rhs = (AclAction) obj;
+ return new EqualsBuilder()
+ .append(_action, rhs._action)
+ .append(_firewallRule, rhs._firewallRule).isEquals();
+ }
+
+ @Override
+ public String toString()
+ {
+ return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
+ .append(_action)
+ .append(_firewallRule).toString();
+ }
+}
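Review bot: The two constructors that take no AclRulePredicates (`AclAction(Operation)` and `AclAction(Operation, ObjectType, ObjectProperties)`) leave `_firewallRule` null, and a null firewall rule is what `ClientAction.addressOfClientMatches` in this commit treats as "applies to every client address", but nothing in this class states that contract. A Javadoc on the accessor would pin it: `/** The firewall predicate of this rule, or null when the rule is not restricted by client address. */` on `getFirewallRule()`. Since both fields are assigned only in constructors and equals/hashCode depend on them, declaring `_action` and `_firewallRule` as `final` would also make the intended immutability explicit.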
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/AclRulePredicates.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang.builder.ToStringStyle;
+import org.apache.log4j.Logger;
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectProperties.Property;
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory;
+
+/**
+ * Represents the predicates on an ACL rule by combining predicates relating to the object being operated on
+ * (e.g. name=foo) with firewall rules.
+ */
+public class AclRulePredicates
+{
+ private static final Logger _logger = Logger.getLogger(AclRulePredicates.class);
+
+ private static final String SEPARATOR = ",";
+
+ private ObjectProperties _properties = new ObjectProperties();
+
+ private FirewallRule _firewallRule;
+
+ private FirewallRuleFactory _firewallRuleFactory = new FirewallRuleFactory();
+
+ public void parse(String key, String value)
+ {
+ ObjectProperties.Property property = ObjectProperties.Property.parse(key);
+
+ if(property == Property.FROM_HOSTNAME)
+ {
+ checkFirewallRuleNotAlreadyDefined(key, value);
+ _firewallRule = _firewallRuleFactory.createForHostname(value.split(SEPARATOR));
+ }
+ else if(property == Property.FROM_NETWORK)
+ {
+ checkFirewallRuleNotAlreadyDefined(key, value);
+ _firewallRule = _firewallRuleFactory.createForNetwork(value.split(SEPARATOR));
+ }
+ else
+ {
+ _properties.put(property, value);
+ }
+
+ _logger.debug("Parsed " + property + " with value " + value);
+ }
+
+ private void checkFirewallRuleNotAlreadyDefined(String key, String value)
+ {
+ if(_firewallRule != null)
+ {
+ throw new IllegalStateException(
+ "Cannot parse " + key + "=" + value
+ + " because firewall rule " + _firewallRule + " has already been defined");
+ }
+ }
+
+ @Override
+ public String toString()
+ {
+ return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
+ .append(_properties)
+ .append(_firewallRule).toString();
+ }
+
+ public FirewallRule getFirewallRule()
+ {
+ return _firewallRule;
+ }
+
+ public ObjectProperties getObjectProperties()
+ {
+ return _properties;
+ }
+
+ void setFirewallRuleFactory(FirewallRuleFactory firewallRuleFactory)
+ {
+ _firewallRuleFactory = firewallRuleFactory;
+ }
+}
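Review bot: `parse` builds firewall rules from `value.split(SEPARATOR)` without trimming or rejecting blank entries, so `from_network=10.0.0.0/8,` or a space after the comma hands an empty or space-padded token to `FirewallRuleFactory`; what the factory does with such a token is not visible here, but silently deriving an access-control predicate from a blank entry is the wrong failure mode for an ACL file. I would validate before calling the factory: `String[] entries = value.split(SEPARATOR); for (String entry : entries) { if (entry.trim().isEmpty()) { throw new IllegalArgumentException("Empty entry in " + key + "=" + value); } }`, trimming each entry as well. Note too that a duplicate predicate surfaces from `checkFirewallRuleNotAlreadyDefined` as an unchecked IllegalStateException rather than the ConfigurationException the ACL loader declares, so the caller needs to translate it.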
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Action.java Fri Sep 28 12:46:06 2012
@@ -20,8 +20,6 @@
*/
package org.apache.qpid.server.security.access.config;
-import java.util.Comparator;
-
import org.apache.commons.lang.builder.EqualsBuilder;
import org.apache.commons.lang.builder.HashCodeBuilder;
import org.apache.commons.lang.builder.ToStringBuilder;
@@ -32,7 +30,7 @@ import org.apache.qpid.server.security.a
/**
* An access control v2 rule action.
- *
+ *
* An action consists of an {@link Operation} on an {@link ObjectType} with certain properties, stored in a {@link java.util.Map}.
* The operation and object should be an allowable combination, based on the {@link ObjectType#isAllowed(Operation)}
* method of the object, which is exposed as the {@link #isAllowed()} method here. The internal {@link #propertiesMatch(Map)}
@@ -48,29 +46,29 @@ public class Action
private Operation _operation;
private ObjectType _object;
private ObjectProperties _properties;
-
+
public Action(Operation operation)
{
this(operation, ObjectType.ALL);
}
-
+
public Action(Operation operation, ObjectType object, String name)
{
this(operation, object, new ObjectProperties(name));
}
-
+
public Action(Operation operation, ObjectType object)
{
this(operation, object, ObjectProperties.EMPTY);
}
-
+
public Action(Operation operation, ObjectType object, ObjectProperties properties)
{
setOperation(operation);
setObjectType(object);
setProperties(properties);
}
-
+
public Operation getOperation()
{
return _operation;
@@ -95,12 +93,12 @@ public class Action
{
return _properties;
}
-
+
public void setProperties(ObjectProperties properties)
{
_properties = properties;
}
-
+
public boolean isAllowed()
{
return _object.isAllowed(_operation);
@@ -109,40 +107,13 @@ public class Action
/** @see Comparable#compareTo(Object) */
public boolean matches(Action a)
{
- return ((Operation.ALL == a.getOperation() || getOperation() == a.getOperation())
- && (ObjectType.ALL == a.getObjectType() || getObjectType() == a.getObjectType())
- && _properties.matches(a.getProperties()));
- }
+ boolean operationMatches = Operation.ALL == a.getOperation() || getOperation() == a.getOperation();
+ boolean objectTypeMatches = ObjectType.ALL == a.getObjectType() || getObjectType() == a.getObjectType();
+ boolean propertiesMatch = _properties.matches(a.getProperties());
- /**
- * An ordering based on specificity
- *
- * @see Comparator#compare(Object, Object)
- */
- public class Specificity implements Comparator<Action>
- {
- public int compare(Action a, Action b)
- {
- if (a.getOperation() == Operation.ALL && b.getOperation() != Operation.ALL)
- {
- return 1; // B is more specific
- }
- else if (b.getOperation() == Operation.ALL && a.getOperation() != Operation.ALL)
- {
- return 1; // A is more specific
- }
- else if (a.getOperation() == b.getOperation())
- {
- return 1; // b is more specific
- }
- else // Different operations
- {
- return a.getOperation().compareTo(b.getOperation()); // Arbitrary
- }
- }
+ return (operationMatches && objectTypeMatches && propertiesMatch);
}
- /** @see Object#equals(Object) */
@Override
public boolean equals(Object o)
{
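Review bot: The `/** @see Comparable#compareTo(Object) */` comment retained above `matches(Action)` at the top of this hunk is stale: the method is a boolean wildcard match, not a comparison, and with the `Specificity` comparator removed in the same hunk nothing in the class implements `Comparator` or `Comparable` any more. Replace it with Javadoc describing the semantics the rewritten body now makes explicit, e.g. `/** Returns true if this action is covered by rule action {@code a}: {@link Operation#ALL} and {@link ObjectType#ALL} in {@code a} match anything, and properties are compared via {@link ObjectProperties#matches}. */`. The asymmetry is worth a sentence too, since wildcards are honoured only on the argument and `ClientAction` relies on calling it as `clientAction.matches(ruleAction)`.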
@@ -151,26 +122,24 @@ public class Action
return false;
}
Action a = (Action) o;
-
+
return new EqualsBuilder()
.append(_operation, a.getOperation())
.append(_object, a.getObjectType())
- .appendSuper(_properties.equals(a.getProperties()))
+ .append(_properties, a.getProperties())
.isEquals();
}
- /** @see Object#hashCode() */
@Override
public int hashCode()
{
return new HashCodeBuilder()
.append(_operation)
- .append(_operation)
+ .append(_object)
.append(_properties)
.toHashCode();
}
- /** @see Object#toString() */
@Override
public String toString()
{
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ClientAction.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import java.net.InetAddress;
+
+import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang.builder.ToStringStyle;
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+/**
+ * I represent an {@link Action} taken by a client from a known address. The address is used to
+ * determine if I match an {@link AclAction}, which may contain firewall rules.
+ */
+public class ClientAction
+{
+ private Action _clientAction;
+
+ public ClientAction(Action clientAction)
+ {
+ _clientAction = clientAction;
+ }
+
+ public ClientAction(Operation operation, ObjectType objectType, ObjectProperties properties)
+ {
+ _clientAction = new Action(operation, objectType, properties);
+ }
+
+ public boolean matches(AclAction ruleAction, InetAddress addressOfClient)
+ {
+ return _clientAction.matches(ruleAction.getAction())
+ && addressOfClientMatches(ruleAction, addressOfClient);
+ }
+
+ private boolean addressOfClientMatches(AclAction ruleAction, InetAddress addressOfClient)
+ {
+ FirewallRule firewallRule = ruleAction.getFirewallRule();
+ if(firewallRule == null || addressOfClient == null)
+ {
+ return true;
+ }
+ else
+ {
+ return firewallRule.matches(addressOfClient);
+ }
+ }
+
+ public Operation getOperation()
+ {
+ return _clientAction.getOperation();
+ }
+
+ public ObjectType getObjectType()
+ {
+ return _clientAction.getObjectType();
+ }
+
+ public ObjectProperties getProperties()
+ {
+ return _clientAction.getProperties();
+ }
+
+ @Override
+ public String toString()
+ {
+ return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
+ .append(_clientAction).toString();
+ }
+}
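Review bot: `addressOfClientMatches` returns true when `addressOfClient` is null even if the rule carries a firewall predicate, so an ALLOW rule written with `from_network=10.0.0.0/8` matches any client whose address is not supplied, and the four-argument `RuleSet.check` overload added in this commit passes exactly that null. Unless every caller of that overload is guaranteed to be an operation for which the client address cannot matter, this silently widens address-restricted rules; the fail-closed default is for a firewall-restricted rule not to match when the address is unknown: `if (firewallRule == null) { return true; } if (addressOfClient == null) { return false; } return firewallRule.matches(addressOfClient);`. Whichever semantics are intended, the method should carry a comment saying how the null case is resolved and why, and `_clientAction` can be declared `final`.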
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/PlainConfiguration.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/PlainConfiguration.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/PlainConfiguration.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/PlainConfiguration.java Fri Sep 28 12:46:06 2012
@@ -34,13 +34,15 @@ import java.util.Stack;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.lang.StringUtils;
-import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.log4j.Logger;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.access.Permission;
public class PlainConfiguration extends AbstractConfiguration
{
+ private static final Logger _logger = Logger.getLogger(PlainConfiguration.class);
+
public static final Character COMMENT = '#';
public static final Character CONTINUATION = '\\';
@@ -74,9 +76,16 @@ public class PlainConfiguration extends
{
RuleSet ruleSet = super.load();
+ File file = getFile();
+
try
{
- _st = new StreamTokenizer(new BufferedReader(new FileReader(getFile())));
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("About to load ACL file " + file);
+ }
+
+ _st = new StreamTokenizer(new BufferedReader(new FileReader(file)));
_st.resetSyntax(); // setup the tokenizer
_st.commentChar(COMMENT); // single line comments
@@ -195,11 +204,11 @@ public class PlainConfiguration extends
}
catch (FileNotFoundException fnfe)
{
- throw new ConfigurationException(String.format(CONFIG_NOT_FOUND_MSG, getFile().getName()), fnfe);
+ throw new ConfigurationException(String.format(CONFIG_NOT_FOUND_MSG, file.getName()), fnfe);
}
catch (IOException ioe)
{
- throw new ConfigurationException(String.format(CANNOT_LOAD_MSG, getFile().getName()), ioe);
+ throw new ConfigurationException(String.format(CANNOT_LOAD_MSG, file.getName()), ioe);
}
return ruleSet;
@@ -228,9 +237,9 @@ public class PlainConfiguration extends
else
{
ObjectType object = ObjectType.parse(args.get(3));
- ObjectProperties properties = toObjectProperties(args.subList(4, args.size()));
+ AclRulePredicates predicates = toRulePredicates(args.subList(4, args.size()));
- getConfiguration().grant(number, identity, permission, operation, object, properties);
+ getConfiguration().grant(number, identity, permission, operation, object, predicates);
}
}
@@ -246,10 +255,9 @@ public class PlainConfiguration extends
getConfiguration().configure(properties);
}
- /** Converts a {@link List} of "name", "=", "value" tokens into a {@link Map}. */
- protected ObjectProperties toObjectProperties(List<String> args) throws ConfigurationException
+ private AclRulePredicates toRulePredicates(List<String> args) throws ConfigurationException
{
- ObjectProperties properties = new ObjectProperties();
+ AclRulePredicates predicates = new AclRulePredicates();
Iterator<String> i = args.iterator();
while (i.hasNext())
{
@@ -268,11 +276,9 @@ public class PlainConfiguration extends
}
String value = i.next();
- // parse property key
- ObjectProperties.Property property = ObjectProperties.Property.parse(key);
- properties.put(property, value);
+ predicates.parse(key, value);
}
- return properties;
+ return predicates;
}
/** Converts a {@link List} of "name", "=", "value" tokens into a {@link Map}. */
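Review bot: `toRulePredicates` still declares `throws ConfigurationException`, but the failure the new `predicates.parse(key, value)` call can raise (a second `from_hostname`/`from_network` on one rule) is an unchecked IllegalStateException, which will escape `load()` past its `FileNotFoundException`/`IOException` handlers with a different exception type than callers expect for a malformed ACL file. Wrap it at the call site so a bad predicate fails like every other ACL syntax error: `try { predicates.parse(key, value); } catch (IllegalStateException e) { throw new ConfigurationException(e.getMessage(), e); }` (`ConfigurationException` is already imported). The enclosing method begins in the preceding hunk.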
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/Rule.java Fri Sep 28 12:46:06 2012
@@ -41,10 +41,10 @@ public class Rule implements Comparable<
private Integer _number;
private Boolean _enabled = Boolean.TRUE;
private String _identity;
- private Action _action;
+ private AclAction _action;
private Permission _permission;
- public Rule(Integer number, String identity, Action action, Permission permission)
+ public Rule(Integer number, String identity, AclAction action, Permission permission)
{
setNumber(number);
setIdentity(identity);
@@ -52,7 +52,7 @@ public class Rule implements Comparable<
setPermission(permission);
}
- public Rule(String identity, Action action, Permission permission)
+ public Rule(String identity, AclAction action, Permission permission)
{
this(null, identity, action, permission);
}
@@ -99,10 +99,15 @@ public class Rule implements Comparable<
public Action getAction()
{
+ return _action.getAction();
+ }
+
+ public AclAction getAclAction()
+ {
return _action;
}
- public void setAction(Action action)
+ public void setAction(AclAction action)
{
_action = action;
}
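Review bot: `getAction()` now silently strips the firewall predicate by returning `_action.getAction()`, while `getAclAction()` returns the full rule action; the two read as interchangeable, yet `equals`, `hashCode` and `RuleSet.ruleExists` in this commit deliberately switch to the latter. Document the distinction so a future caller does not match or compare on the stripped form: `/** The operation/object/properties part of this rule without any firewall predicate; use {@link #getAclAction()} when the client-address restriction matters. */` on `getAction()`. `getAction()` also dereferences `_action` unconditionally, so `setAction` could reject null with `Objects.requireNonNull(action, "action")` to make that failure mode obvious.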
@@ -117,7 +122,7 @@ public class Rule implements Comparable<
_permission = permission;
}
- /** @see Comparable#compareTo(Object) */
+ @Override
public int compareTo(Rule r)
{
return new CompareToBuilder()
@@ -127,7 +132,6 @@ public class Rule implements Comparable<
.toComparison();
}
- /** @see Object#equals(Object) */
@Override
public boolean equals(Object o)
{
@@ -139,30 +143,28 @@ public class Rule implements Comparable<
return new EqualsBuilder()
.append(getIdentity(), r.getIdentity())
- .append(getAction(), r.getAction())
+ .append(getAclAction(), r.getAclAction())
.append(getPermission(), r.getPermission())
.isEquals();
}
- /** @see Object#hashCode() */
@Override
public int hashCode()
{
return new HashCodeBuilder()
.append(getIdentity())
- .append(getAction())
+ .append(getAclAction())
.append(getPermission())
.toHashCode();
}
- /** @see Object#toString() */
@Override
public String toString()
{
return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
.append("#", getNumber())
.append("identity", getIdentity())
- .append("action", getAction())
+ .append("action", getAclAction())
.append("permission", getPermission())
.append("enabled", isEnabled())
.toString();
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java Fri Sep 28 12:46:06 2012
@@ -18,6 +18,7 @@
*/
package org.apache.qpid.server.security.access.config;
+import java.net.InetAddress;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
@@ -53,7 +54,7 @@ import org.apache.qpid.server.security.a
*/
public class RuleSet
{
- public static final Logger _logger = Logger.getLogger(RuleSet.class);
+ private static final Logger _logger = Logger.getLogger(RuleSet.class);
private static final String AT = "@";
private static final String SLASH = "/";
@@ -154,21 +155,27 @@ public class RuleSet
public void grant(Integer number, String identity, Permission permission, Operation operation)
{
- Action action = new Action(operation);
+ AclAction action = new AclAction(operation);
addRule(number, identity, permission, action);
}
public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, ObjectProperties properties)
{
- Action action = new Action(operation, object, properties);
+ AclAction action = new AclAction(operation, object, properties);
addRule(number, identity, permission, action);
}
- public boolean ruleExists(String identity, Action action)
+ public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, AclRulePredicates predicates)
+ {
+ AclAction aclAction = new AclAction(operation, object, predicates);
+ addRule(number, identity, permission, aclAction);
+ }
+
+ public boolean ruleExists(String identity, AclAction action)
{
for (Rule rule : _rules.values())
{
- if (rule.getIdentity().equals(identity) && rule.getAction().equals(action))
+ if (rule.getIdentity().equals(identity) && rule.getAclAction().equals(action))
{
return true;
}
@@ -176,8 +183,7 @@ public class RuleSet
return false;
}
- // TODO make this work when group membership is not known at file parse time
- public void addRule(Integer number, String identity, Permission permission, Action action)
+ public void addRule(Integer number, String identity, Permission permission, AclAction action)
{
_cache.clear();
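Review bot: The TODO about group membership not being known at file parse time is dropped from addRule without any visible change to how identities are resolved, so it reads as if the limitation were fixed. If it still holds, keep a one-line reminder such as `// NOTE: identity matching assumes group membership is known when the file is parsed` rather than removing it. addRule's body continues outside this hunk.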
@@ -263,6 +269,16 @@ public class RuleSet
}
/**
+ * Checks for the case when the client's address is not known.
+ *
+ * @see #check(Subject, Operation, ObjectType, ObjectProperties, InetAddress)
+ */
+ public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
+ {
+ return check(subject, operation, objectType, properties, null);
+ }
+
+ /**
* Check the authorisation granted to a particular identity for an operation on an object type with
* specific properties.
*
@@ -271,10 +287,9 @@ public class RuleSet
* the first match found, or denies access if there are no matching rules. Normally, it would be expected
* to have a default deny or allow rule at the end of an access configuration however.
*/
- public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
+ public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties, InetAddress addressOfClient)
{
- // Create the action to check
- Action action = new Action(operation, objectType, properties);
+ ClientAction action = new ClientAction(operation, objectType, properties);
if(_logger.isDebugEnabled())
{
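Review bot: The new `addressOfClient` parameter on check is not described by the Javadoc above it, and a null value is meaningful here because the four-argument overload added in the previous hunk always passes null when the address is unknown. Add `@param addressOfClient the client's remote address, or null when it is not known; rules carrying a firewall predicate cannot be evaluated without it` to that Javadoc. Whether a null address is rejected or simply fails to match is decided in ClientAction, which is outside this chunk, so state which it is. The Javadoc starts in the previous hunk and check's body continues past this one.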
@@ -293,27 +308,31 @@ public class RuleSet
}
// Iterate through a filtered set of rules dealing with this identity and operation
- for (Rule current : rules)
+ for (Rule rule : rules)
{
if(_logger.isDebugEnabled())
{
- _logger.debug("Checking against rule: " + current);
+ _logger.debug("Checking against rule: " + rule);
}
- // Check if action matches
- if (action.matches(current.getAction()))
+
+ if (action.matches(rule.getAclAction(), addressOfClient))
{
- Permission permission = current.getPermission();
+ Permission permission = rule.getPermission();
switch (permission)
{
case ALLOW_LOG:
CurrentActor.get().message(AccessControlMessages.ALLOWED(
- action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
+ action.getOperation().toString(),
+ action.getObjectType().toString(),
+ action.getProperties().toString()));
case ALLOW:
return Result.ALLOWED;
case DENY_LOG:
CurrentActor.get().message(AccessControlMessages.DENIED(
- action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
+ action.getOperation().toString(),
+ action.getObjectType().toString(),
+ action.getProperties().toString()));
case DENY:
return Result.DENIED;
}
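Review bot: The rewritten ALLOW_LOG and DENY_LOG cases still depend on falling through into ALLOW and DENY, and the reflowed argument lists make the missing `break` look accidental. Add `// fall through: ALLOW_LOG is ALLOW plus an audit message` after the ALLOWED call and the equivalent comment after the DENIED call. The switch also has no `default` (pre-existing), so a Permission value not listed here would be skipped silently and evaluation would continue with the next rule; `default: throw new IllegalStateException("Unhandled permission " + permission);` would surface that. The enclosing check method starts and ends outside this hunk.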
@@ -419,5 +438,4 @@ public class RuleSet
}
return objects;
}
-
}
Copied: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AccessControlFirewallException.java (from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AccessControlFirewallException.java?p2=qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AccessControlFirewallException.java&p1=qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java&r1=1391232&r2=1391430&rev=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/AccessControlFirewallException.java Fri Sep 28 12:46:06 2012
@@ -18,29 +18,26 @@
* under the License.
*
*/
-package org.apache.qpid.server.security.access.config;
+package org.apache.qpid.server.security.access.firewall;
-/**
- * Firewall plugin exception.
- */
-public class FirewallException extends Exception
+public class AccessControlFirewallException extends RuntimeException
{
/** serialVersionUID */
private static final long serialVersionUID = 4526157149690917805L;
-
- public FirewallException() {
+
+ public AccessControlFirewallException() {
super();
}
- public FirewallException(String message) {
+ public AccessControlFirewallException(String message) {
super(message);
}
- public FirewallException(String message, Throwable cause) {
+ public AccessControlFirewallException(String message, Throwable cause) {
super(message, cause);
}
- public FirewallException(Throwable cause) {
+ public AccessControlFirewallException(Throwable cause) {
super(cause);
}
}
\ No newline at end of file
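Review bot: The class Javadoc is dropped in the move and the change from a checked Exception to RuntimeException is undocumented, so callers lose the compile-time hint that firewall evaluation can fail. Add a header such as `/** Unchecked exception thrown when a firewall predicate cannot be evaluated (for example a failed reverse DNS lookup in HostnameFirewallRule). AccessControl.authoriseFromAddress treats it as a denial. */`. Both of those behaviours are visible later in this commit, in HostnameFirewallRule.matches and in the catch block of AccessControl.authoriseFromAddress.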
Copied: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java (from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java?p2=qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java&p1=qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java&r1=1391232&r2=1391430&rev=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/config/FirewallException.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRule.java Fri Sep 28 12:46:06 2012
@@ -1,5 +1,4 @@
/*
- *
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -16,31 +15,12 @@
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
- *
*/
-package org.apache.qpid.server.security.access.config;
+package org.apache.qpid.server.security.access.firewall;
-/**
- * Firewall plugin exception.
- */
-public class FirewallException extends Exception
-{
- /** serialVersionUID */
- private static final long serialVersionUID = 4526157149690917805L;
-
- public FirewallException() {
- super();
- }
+import java.net.InetAddress;
- public FirewallException(String message) {
- super(message);
- }
-
- public FirewallException(String message, Throwable cause) {
- super(message, cause);
- }
-
- public FirewallException(Throwable cause) {
- super(cause);
- }
-}
\ No newline at end of file
+public interface FirewallRule
+{
+ boolean matches(InetAddress addressOfClient);
+}
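Review bot: FirewallRule is a new public interface whose single method has no documentation, and the contract matters for the callers in this commit: RuleSet.check passes a null address when it is unknown, and HostnameFirewallRule.matches throws AccessControlFirewallException instead of returning false when the lookup fails. Document both on the method, along the lines of `/** @param addressOfClient the remote address to test; state whether null is permitted. @return true if the address satisfies this rule. @throws AccessControlFirewallException if the rule cannot be evaluated, e.g. a failed lookup. */`. Whether a null address reaches implementations depends on ClientAction, which is outside this chunk.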
Copied: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java (from r1391232, qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java?p2=qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java&p1=qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java&r1=1391232&r2=1391430&rev=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/firewall/src/main/java/org/apache/qpid/server/security/access/plugins/FirewallActivator.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/FirewallRuleFactory.java Fri Sep 28 12:46:06 2012
@@ -1,5 +1,4 @@
/*
- *
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -7,35 +6,28 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
- *
*/
-package org.apache.qpid.server.security.access.plugins;
+package org.apache.qpid.server.security.access.firewall;
-import org.apache.qpid.server.configuration.plugins.ConfigurationPluginFactory;
-import org.apache.qpid.server.security.SecurityPluginActivator;
-import org.apache.qpid.server.security.SecurityPluginFactory;
-
-/**
- * The OSGi {@link org.osgi.framework.BundleActivator} for {@link Firewall}.
- */
-public class FirewallActivator extends SecurityPluginActivator
+public class FirewallRuleFactory
{
- public SecurityPluginFactory getFactory()
+ public FirewallRule createForHostname(String[] hostnames)
{
- return Firewall.FACTORY;
+ return new HostnameFirewallRule(hostnames);
}
- public ConfigurationPluginFactory getConfigurationFactory()
+ public FirewallRule createForNetwork(String[] networks)
{
- return FirewallConfiguration.FACTORY;
+ return new NetworkFirewallRule(networks);
}
+
}
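Review bot: FirewallRuleFactory gains two public factory methods with no Javadoc, and since AclRulePredicatesTest later in this commit replaces it with a Mockito mock, the fact that the class is intentionally non-final is worth recording. A header such as `/** Creates the FirewallRule for a hostname or network ACL predicate; non-final so tests can substitute it. */` would do. The `String[]` parameters could be varargs to match the rule constructors they forward to, and the blank line before the closing brace should go.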
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRule.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
+
+import java.net.InetAddress;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.FutureTask;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang.builder.ToStringStyle;
+import org.apache.log4j.Logger;
+
+public class HostnameFirewallRule implements FirewallRule
+{
+ private static final Logger _logger = Logger.getLogger(HostnameFirewallRule.class);
+
+ private static final long DNS_TIMEOUT = 30000;
+ private static final ExecutorService DNS_LOOKUP = Executors.newCachedThreadPool();
+
+ private Pattern[] _hostnamePatterns;
+ private String[] _hostnames;
+
+ public HostnameFirewallRule(String... hostnames)
+ {
+ _hostnames = hostnames;
+
+ int i = 0;
+ _hostnamePatterns = new Pattern[hostnames.length];
+ for (String hostname : hostnames)
+ {
+ _hostnamePatterns[i++] = Pattern.compile(hostname);
+ }
+
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Created " + this);
+ }
+ }
+
+ @Override
+ public boolean matches(InetAddress remote)
+ {
+ String hostname = getHostname(remote);
+ if (hostname == null)
+ {
+ throw new AccessControlFirewallException("DNS lookup failed");
+ }
+ for (Pattern pattern : _hostnamePatterns)
+ {
+ boolean hostnameMatches = pattern.matcher(hostname).matches();
+
+
+ if (hostnameMatches)
+ {
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Hostname " + hostname + " matches rule " + pattern.toString());
+ }
+ return true;
+ }
+ }
+
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Hostname " + hostname + " matches no configured hostname patterns");
+ }
+
+ return false;
+ }
+
+
+ /**
+ * @param remote
+ * the InetAddress to look up
+ * @return the hostname, null if not found, takes longer than
+ * {@value #DNS_LOOKUP} to find or otherwise fails
+ */
+ private String getHostname(final InetAddress remote) throws AccessControlFirewallException
+ {
+ FutureTask<String> lookup = new FutureTask<String>(new Callable<String>()
+ {
+ public String call()
+ {
+ return remote.getCanonicalHostName();
+ }
+ });
+ DNS_LOOKUP.execute(lookup);
+
+ try
+ {
+ return lookup.get(DNS_TIMEOUT, TimeUnit.MILLISECONDS);
+ }
+ catch (Exception e)
+ {
+ return null;
+ }
+ finally
+ {
+ lookup.cancel(true);
+ }
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return new HashCodeBuilder().append(_hostnames).toHashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj)
+ {
+ if (obj == null)
+ {
+ return false;
+ }
+ if (obj == this)
+ {
+ return true;
+ }
+ if (obj.getClass() != getClass())
+ {
+ return false;
+ }
+ HostnameFirewallRule rhs = (HostnameFirewallRule) obj;
+ return new EqualsBuilder().append(_hostnames, rhs._hostnames).isEquals();
+ }
+
+ @Override
+ public String toString()
+ {
+ return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
+ .append(_hostnames).toString();
+ }
+}
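Review bot: getHostname's contract is misstated on three counts: it declares `throws AccessControlFirewallException` but only ever returns null, its Javadoc cites `{@value #DNS_LOOKUP}` (the executor) where `{@value #DNS_TIMEOUT}` is meant, and `InetAddress.getCanonicalHostName()` returns the textual IP address rather than null when the reverse lookup fails or cannot be forward-confirmed, so a null result only arises from a timeout or an exception in the lookup thread. That last point deserves a sentence in the Javadoc because a permissive pattern such as `.*` then matches the bare address string. The `catch (Exception e)` also swallows InterruptedException without re-interrupting; catch it separately and call `Thread.currentThread().interrupt()` before returning null. Finally, a 30-second DNS_TIMEOUT on an unbounded cached pool means a slow resolver can stall every connection check for half a minute and grow the pool without limit; a shorter timeout and a bounded executor would contain that.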
Copied: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/InetNetwork.java (from r1391232, qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/InetNetwork.java?p2=qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/InetNetwork.java&p1=qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java&r1=1391232&r2=1391430&rev=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/common/src/main/java/org/apache/qpid/util/NetMatcher.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/InetNetwork.java Fri Sep 28 12:46:06 2012
@@ -1,131 +1,24 @@
-/***********************************************************************
- * Copyright (c) 2000-2006 The Apache Software Foundation. *
- * All rights reserved. *
- * ------------------------------------------------------------------- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you *
- * may not use this file except in compliance with the License. You *
- * may obtain a copy of the License at: *
- * *
- * http://www.apache.org/licenses/LICENSE-2.0 *
- * *
- * Unless required by applicable law or agreed to in writing, software *
- * distributed under the License is distributed on an "AS IS" BASIS, *
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or *
- * implied. See the License for the specific language governing *
- * permissions and limitations under the License. *
- ***********************************************************************/
-
-package org.apache.qpid.util;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
import java.net.InetAddress;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-
-public class NetMatcher
-{
- private ArrayList networks;
-
- public void initInetNetworks(final Collection nets)
- {
- networks = new ArrayList();
- for (Iterator iter = nets.iterator(); iter.hasNext(); )
- {
- try
- {
- InetNetwork net = InetNetwork.getFromString((String) iter.next());
- if (!networks.contains(net))
- {
- networks.add(net);
- }
- }
- catch (java.net.UnknownHostException uhe)
- {
- log("Cannot resolve address: " + uhe.getMessage());
- }
- }
- networks.trimToSize();
- }
-
- public void initInetNetworks(final String[] nets)
- {
- networks = new ArrayList();
- for (int i = 0; i < nets.length; i++)
- {
- try
- {
- InetNetwork net = InetNetwork.getFromString(nets[i]);
- if (!networks.contains(net))
- {
- networks.add(net);
- }
- }
- catch (java.net.UnknownHostException uhe)
- {
- log("Cannot resolve address: " + uhe.getMessage());
- }
- }
- networks.trimToSize();
- }
-
- public boolean matchInetNetwork(final String hostIP)
- {
- InetAddress ip = null;
-
- try
- {
- ip = InetAddress.getByName(hostIP);
- }
- catch (java.net.UnknownHostException uhe)
- {
- log("Cannot resolve address for " + hostIP + ": " + uhe.getMessage());
- }
-
- boolean sameNet = false;
-
- if (ip != null)
- {
- for (Iterator iter = networks.iterator(); (!sameNet) && iter.hasNext(); )
- {
- InetNetwork network = (InetNetwork) iter.next();
- sameNet = network.contains(ip);
- }
- }
- return sameNet;
- }
-
- public boolean matchInetNetwork(final InetAddress ip)
- {
- boolean sameNet = false;
-
- for (Iterator iter = networks.iterator(); (!sameNet) && iter.hasNext(); )
- {
- InetNetwork network = (InetNetwork) iter.next();
- sameNet = network.contains(ip);
- }
- return sameNet;
- }
-
- public NetMatcher()
- {
- }
-
- public NetMatcher(final String[] nets)
- {
- initInetNetworks(nets);
- }
-
- public NetMatcher(final Collection nets)
- {
- initInetNetworks(nets);
- }
-
- public String toString() {
- return networks.toString();
- }
-
- protected void log(String s) { }
-}
class InetNetwork
{
@@ -218,7 +111,7 @@ class InetNetwork
/*
* This converts from an uncommon "wildcard" CIDR format
* to "address + mask" format:
- *
+ *
* * => 000.000.000.0/000.000.000.0
* xxx.* => xxx.000.000.0/255.000.000.0
* xxx.xxx.* => xxx.xxx.000.0/255.255.000.0
@@ -227,7 +120,7 @@ class InetNetwork
static private String normalizeFromAsterisk(final String netspec)
{
String[] masks = { "0.0.0.0/0.0.0.0", "0.0.0/255.0.0.0", "0.0/255.255.0.0", "0/255.255.255.0" };
- char[] srcb = netspec.toCharArray();
+ char[] srcb = netspec.toCharArray();
int octets = 0;
for (int i = 1; i < netspec.length(); i++)
{
@@ -261,8 +154,8 @@ class InetNetwork
static {
try {
- Class inetAddressClass = Class.forName("java.net.InetAddress");
- Class[] parameterTypes = { byte[].class };
+ Class<?> inetAddressClass = Class.forName("java.net.InetAddress");
+ Class<?>[] parameterTypes = { byte[].class };
getByAddress = inetAddressClass.getMethod("getByAddress", parameterTypes);
} catch (Exception e) {
getByAddress = null;
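Review bot: The reflective lookup of InetAddress.getByAddress now carries `Class<?>` generics, which shows the file targets Java 5 or later, so the reflection (a guard for JDKs older than 1.4) and the `getByAddress = null` fallback are no longer needed. A direct call to `InetAddress.getByAddress(byte[])` would remove the static block and the failure path that leaves the Method null. The use site of the `getByAddress` Method is outside this hunk, so the change touches more than is visible here.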
@@ -297,4 +190,4 @@ class InetNetwork
}
return addr;
}
-}
+}
\ No newline at end of file
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/firewall/NetworkFirewallRule.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
+
+import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang.builder.EqualsBuilder;
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.commons.lang.builder.ToStringBuilder;
+import org.apache.commons.lang.builder.ToStringStyle;
+import org.apache.log4j.Logger;
+
+public class NetworkFirewallRule implements FirewallRule
+{
+ private static final Logger _logger = Logger.getLogger(NetworkFirewallRule.class);
+
+ private List<InetNetwork> _networks;
+
+ public NetworkFirewallRule(String... networks)
+ {
+ _networks = new ArrayList<InetNetwork>();
+ for (int i = 0; i < networks.length; i++)
+ {
+ String network = networks[i];
+ try
+ {
+ InetNetwork inetNetwork = InetNetwork.getFromString(network);
+ if (!_networks.contains(inetNetwork))
+ {
+ _networks.add(inetNetwork);
+ }
+ }
+ catch (java.net.UnknownHostException uhe)
+ {
+ _logger.error("Cannot resolve address: " + network, uhe);
+ }
+ }
+
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Created " + this);
+ }
+ }
+
+ @Override
+ public boolean matches(InetAddress ip)
+ {
+ for (InetNetwork network : _networks)
+ {
+ if (network.contains(ip))
+ {
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Client address " + ip + " matches configured network " + network);
+ }
+ return true;
+ }
+ }
+
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Client address " + ip + " does not match any configured networks");
+ }
+
+ return false;
+ }
+
+ @Override
+ public int hashCode()
+ {
+ return new HashCodeBuilder().append(_networks).toHashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj)
+ {
+ if (obj == null)
+ {
+ return false;
+ }
+ if (obj == this)
+ {
+ return true;
+ }
+ if (obj.getClass() != getClass())
+ {
+ return false;
+ }
+ NetworkFirewallRule rhs = (NetworkFirewallRule) obj;
+ return new EqualsBuilder().append(_networks, rhs._networks).isEquals();
+ }
+
+ @Override
+ public String toString()
+ {
+ return new ToStringBuilder(this, ToStringStyle.SHORT_PREFIX_STYLE)
+ .append(_networks).toString();
+ }
+}
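Review bot: A network specification that fails to resolve is logged at error level and dropped by the catch in the constructor, so the rule silently matches fewer networks than were configured; a deny rule that loses its network in this way no longer denies anything. Since this runs when the configuration is built, rejecting the configuration is the safer choice: replace the log with `throw new AccessControlFirewallException("Cannot resolve address: " + network, uhe);` (how the caller handles that is outside this chunk). `_networks` could also be `final` and wrapped with `Collections.unmodifiableList` so the matched set cannot change after construction.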
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/logging/AccessControl_logmessages.properties Fri Sep 28 12:46:06 2012
@@ -25,4 +25,4 @@
ALLOWED = ACL-1001 : Allowed : {0} {1} {2}
# 'deny-log' rule message
-DENIED = ACL-1002 : Denied : {0} {1} {2}
\ No newline at end of file
+DENIED = ACL-1002 : Denied : {0} {1} {2}
Modified: qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java?rev=1391430&r1=1391429&r2=1391430&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java (original)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/plugins/AccessControl.java Fri Sep 28 12:46:06 2012
@@ -20,9 +20,13 @@
*/
package org.apache.qpid.server.security.access.plugins;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+
import javax.security.auth.Subject;
import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.lang.ObjectUtils;
import org.apache.log4j.Logger;
import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
import org.apache.qpid.server.security.AbstractPlugin;
@@ -39,7 +43,7 @@ import org.apache.qpid.server.security.a
*/
public class AccessControl extends AbstractPlugin
{
- public static final Logger _logger = Logger.getLogger(AccessControl.class);
+ private static final Logger _logger = Logger.getLogger(AccessControl.class);
private RuleSet _ruleSet;
@@ -82,9 +86,16 @@ public class AccessControl extends Abstr
* Delegate to the {@link #authorise(Operation, ObjectType, ObjectProperties)} method, with
* the operation set to ACCESS and no object properties.
*/
- public Result access(ObjectType objectType, Object instance)
+ public Result access(ObjectType objectType, Object inetSocketAddress)
{
- return authorise(Operation.ACCESS, objectType, ObjectProperties.EMPTY);
+ InetAddress addressOfClient = null;
+
+ if(inetSocketAddress != null)
+ {
+ addressOfClient = ((InetSocketAddress) inetSocketAddress).getAddress();
+ }
+
+ return authoriseFromAddress(Operation.ACCESS, objectType, ObjectProperties.EMPTY, addressOfClient);
}
/**
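Review bot: The parameter is typed `Object` but cast unconditionally to InetSocketAddress, so any other argument ends in a ClassCastException outside the fail-closed catch in authoriseFromAddress; guard it with `if (inetSocketAddress instanceof InetSocketAddress)` or reject other types explicitly, depending on what the interface that fixes the `Object` type (not visible here) permits. `InetSocketAddress.getAddress()` can also return null for an unresolved address, which then behaves exactly like "address unknown" and should be mentioned. The Javadoc above the method still says it delegates to authorise with no object properties, which is no longer what it does.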
@@ -94,6 +105,11 @@ public class AccessControl extends Abstr
*/
public Result authorise(Operation operation, ObjectType objectType, ObjectProperties properties)
{
+ return authoriseFromAddress(operation, objectType, properties, null);
+ }
+
+ public Result authoriseFromAddress(Operation operation, ObjectType objectType, ObjectProperties properties, InetAddress addressOfClient)
+ {
final Subject subject = SecurityManager.getThreadSubject();
// Abstain if there is no subject/principal associated with this thread
if (subject == null || subject.getPrincipals().size() == 0)
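Review bot: authoriseFromAddress is a new public method with no Javadoc, and the null-address semantics need stating: the three-argument authorise always passes null, so every operation other than ACCESS is checked without a client address. If ClientAction.matches hands that null to a hostname rule, HostnameFirewallRule's lookup fails and the catch in the next hunk returns DENIED for the whole check rather than skipping that rule; ClientAction is outside this chunk so this may already be handled there, but the documentation should say which it is. Suggested header: `/** Authorises the operation for the thread's Subject. addressOfClient may be null when the caller's address is unknown; any failure to evaluate the rule set is logged and denied. */`. The catch in the following hunk is fail-closed, which is the right default; its error message should say that the request was denied so the log reads correctly.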
@@ -101,8 +117,20 @@ public class AccessControl extends Abstr
return Result.ABSTAIN;
}
- _logger.debug("Checking " + operation + " " + objectType);
- return _ruleSet.check(subject, operation, objectType, properties);
+ if(_logger.isDebugEnabled())
+ {
+ _logger.debug("Checking " + operation + " " + objectType + " " + ObjectUtils.defaultIfNull(addressOfClient, ""));
+ }
+
+ try
+ {
+ return _ruleSet.check(subject, operation, objectType, properties, addressOfClient);
+ }
+ catch(Exception e)
+ {
+ _logger.error("Unable to check " + operation + " " + objectType + " " + ObjectUtils.defaultIfNull(addressOfClient, ""), e);
+ return Result.DENIED;
+ }
}
public void configure(ConfigurationPlugin config)
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclActionTest.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import org.apache.qpid.server.security.access.ObjectProperties;
+import org.apache.qpid.server.security.access.ObjectType;
+import org.apache.qpid.server.security.access.Operation;
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+import junit.framework.TestCase;
+
+public class AclActionTest extends TestCase
+{
+ public void testEqualsAndHashCode()
+ {
+ AclRulePredicates predicates = createAclRulePredicates();
+ ObjectType objectType = ObjectType.EXCHANGE;
+ Operation operation = Operation.ACCESS;
+
+ AclAction aclAction = new AclAction(operation, objectType, predicates);
+ AclAction equalAclAction = new AclAction(operation, objectType, predicates);
+
+ assertTrue(aclAction.equals(aclAction));
+ assertTrue(aclAction.equals(equalAclAction));
+ assertTrue(equalAclAction.equals(aclAction));
+
+ assertTrue(aclAction.hashCode() == equalAclAction.hashCode());
+
+ assertFalse("Different operation should cause aclActions to be unequal",
+ aclAction.equals(new AclAction(Operation.BIND, objectType, predicates)));
+
+ assertFalse("Different operation type should cause aclActions to be unequal",
+ aclAction.equals(new AclAction(operation, ObjectType.GROUP, predicates)));
+
+ assertFalse("Different predicates should cause aclActions to be unequal",
+ aclAction.equals(new AclAction(operation, objectType, createAclRulePredicates())));
+
+ }
+
+ private AclRulePredicates createAclRulePredicates()
+ {
+ AclRulePredicates predicates = mock(AclRulePredicates.class);
+ when(predicates.getFirewallRule()).thenReturn(mock(FirewallRule.class));
+ when(predicates.getObjectProperties()).thenReturn(mock(ObjectProperties.class));
+ return predicates;
+ }
+
+}
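Review bot: The message on the second assertFalse says "Different operation type" but the assertion varies the ObjectType, so a failure would point at the wrong field; use `"Different object type should cause aclActions to be unequal"`. The final assertion relies on two Mockito mocks never being equal to each other, which is worth a comment such as `// each call returns a distinct mock, so the predicates differ by identity` since that identity is what makes the case different.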
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/AclRulePredicatesTest.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.apache.qpid.server.security.access.ObjectProperties.Property.*;
+
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+import org.apache.qpid.server.security.access.firewall.FirewallRuleFactory;
+
+import static org.mockito.Mockito.*;
+
+import junit.framework.TestCase;
+
+public class AclRulePredicatesTest extends TestCase
+{
+ private AclRulePredicates _aclRulePredicates = new AclRulePredicates();
+ private FirewallRuleFactory _firewallRuleFactory = mock(FirewallRuleFactory.class);
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ _aclRulePredicates.setFirewallRuleFactory(_firewallRuleFactory);
+
+ when(_firewallRuleFactory.createForHostname((String[]) any())).thenReturn(mock(FirewallRule.class));
+ when(_firewallRuleFactory.createForNetwork((String[]) any())).thenReturn(mock(FirewallRule.class));
+ }
+
+ public void testParse()
+ {
+ String name = "name";
+ String className = "class";
+
+ _aclRulePredicates.parse(NAME.name(), name);
+ _aclRulePredicates.parse(CLASS.name(), className);
+
+ assertEquals(name, _aclRulePredicates.getObjectProperties().get(NAME));
+ assertEquals(className, _aclRulePredicates.getObjectProperties().get(CLASS));
+ }
+
+ public void testParseHostnameFirewallRule()
+ {
+ String hostname = "hostname1,hostname2";
+ _aclRulePredicates.parse(FROM_HOSTNAME.name(), hostname);
+
+ verify(_firewallRuleFactory).createForHostname(new String[] {"hostname1", "hostname2"});
+ }
+
+ public void testParseNetworkFirewallRule()
+ {
+ _aclRulePredicates.setFirewallRuleFactory(_firewallRuleFactory);
+
+ String networks = "network1,network2";
+ _aclRulePredicates.parse(FROM_NETWORK.name(), networks);
+
+ verify(_firewallRuleFactory).createForNetwork(new String[] {"network1", "network2"});
+ }
+
+ public void testParseThrowsExceptionIfBothHostnameAndNetworkSpecified()
+ {
+ _aclRulePredicates.parse(FROM_NETWORK.name(), "network1,network2");
+ try
+ {
+ _aclRulePredicates.parse(FROM_HOSTNAME.name(), "hostname1,hostname2");
+ fail("Exception not thrown");
+ }
+ catch(IllegalStateException e)
+ {
+ // pass
+ }
+ }
+}
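Review bot: testParseThrowsExceptionIfBothHostnameAndNetworkSpecified only exercises the network-then-hostname order; the reverse order (a `FROM_HOSTNAME` rule followed by a `FROM_NETWORK` rule) is the other half of the mutual-exclusion check and is left untested, so an implementation that rejects only one direction would still pass. A sibling test with the two parse calls swapped closes that gap. Separately, the `_aclRulePredicates.setFirewallRuleFactory(_firewallRuleFactory);` at the top of testParseNetworkFirewallRule repeats what setUp already does and can be dropped.
```java
    public void testParseThrowsExceptionIfBothNetworkAndHostnameSpecified()
    {
        _aclRulePredicates.parse(FROM_HOSTNAME.name(), "hostname1,hostname2");
        try
        {
            _aclRulePredicates.parse(FROM_NETWORK.name(), "network1,network2");
            fail("Exception not thrown");
        }
        catch(IllegalStateException e)
        {
            // pass
        }
    }
```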
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/ClientActionTest.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import java.net.InetAddress;
+
+import org.apache.qpid.server.security.access.firewall.FirewallRule;
+
+import junit.framework.TestCase;
+
+public class ClientActionTest extends TestCase
+{
+ private Action _action = mock(Action.class);
+ private AclAction _ruleAction = mock(AclAction.class);
+ private InetAddress _addressOfClient = mock(InetAddress.class);
+
+ private ClientAction _clientAction = new ClientAction(_action);
+
+ public void testMatches_returnsTrueWhenActionsMatchAndNoFirewallRule()
+ {
+ when(_action.matches(any(Action.class))).thenReturn(true);
+ when(_ruleAction.getFirewallRule()).thenReturn(null);
+
+ assertTrue(_clientAction.matches(_ruleAction, _addressOfClient));
+ }
+
+ public void testMatches_returnsFalseWhenActionsDontMatch()
+ {
+ FirewallRule firewallRule = mock(FirewallRule.class);
+ when(firewallRule.matches(_addressOfClient)).thenReturn(true);
+
+ when(_action.matches(any(Action.class))).thenReturn(false);
+ when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+ assertFalse(_clientAction.matches(_ruleAction, _addressOfClient));
+ }
+
+ public void testMatches_returnsTrueWhenActionsAndFirewallRuleMatch()
+ {
+ FirewallRule firewallRule = mock(FirewallRule.class);
+ when(firewallRule.matches(_addressOfClient)).thenReturn(true);
+
+ when(_action.matches(any(Action.class))).thenReturn(true);
+ when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+ assertTrue(_clientAction.matches(_ruleAction, _addressOfClient));
+ }
+
+ public void testMatches_ignoresFirewallRuleIfClientAddressIsNull()
+ {
+ FirewallRule firewallRule = mock(FirewallRule.class);
+
+ when(_action.matches(any(Action.class))).thenReturn(true);
+ when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);
+
+ assertTrue(_clientAction.matches(_ruleAction, null));
+
+ verifyZeroInteractions(firewallRule);
+ }
+
+}
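Review bot: The case that actually enforces a firewall restriction — actions match but the rule's FirewallRule does not match the client address — has no test; the three positive/negative tests present never have a firewall rule return false while the action matches, so a ClientAction.matches that ignored the firewall result entirely would pass this class. Adding the explicit negative case pins that behaviour. It would also help to state in a comment on testMatches_ignoresFirewallRuleIfClientAddressIsNull why a null client address bypasses the firewall check, e.g. `// a null address means the action did not arrive over a network connection, so there is no address to filter on — confirm against ClientAction`, since as written the test documents a fail-open path without saying when it is expected to be hit.
```java
    public void testMatches_returnsFalseWhenActionsMatchButFirewallRuleDoesNot()
    {
        FirewallRule firewallRule = mock(FirewallRule.class);
        when(firewallRule.matches(_addressOfClient)).thenReturn(false);

        when(_action.matches(any(Action.class))).thenReturn(true);
        when(_ruleAction.getFirewallRule()).thenReturn(firewallRule);

        assertFalse(_clientAction.matches(_ruleAction, _addressOfClient));
    }
```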
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/RuleTest.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.config;
+
+import static org.mockito.Mockito.*;
+
+import org.apache.qpid.server.security.access.Permission;
+
+import junit.framework.TestCase;
+
+public class RuleTest extends TestCase
+{
+ public void testEqualsAndHashCode()
+ {
+ AclAction aclAction = mock(AclAction.class);
+ String identity = "identity";
+ Permission allow = Permission.ALLOW;
+
+ Rule rule = new Rule(identity, aclAction, allow);
+ Rule equalRule = new Rule(identity, aclAction, allow);
+
+ assertTrue(rule.equals(rule));
+ assertTrue(rule.equals(equalRule));
+ assertTrue(equalRule.equals(rule));
+
+ assertTrue(rule.hashCode() == equalRule.hashCode());
+
+ assertFalse("Different identity should cause rules to be unequal",
+ rule.equals(new Rule("identity2", aclAction, allow)));
+
+ assertFalse("Different action should cause rules to be unequal",
+ rule.equals(new Rule(identity, mock(AclAction.class), allow)));
+
+ assertFalse("Different permission should cause rules to be unequal",
+ rule.equals(new Rule(identity, aclAction, Permission.DENY)));
+ }
+}
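Review bot: testEqualsAndHashCode does not check the two equals() cases most often got wrong by hand-written implementations, comparison with null and with an object of another type; the same applies to testEqualsAndHashCode in HostnameFirewallRuleTest below. Two assertions cover them: `assertFalse(rule.equals(null));` and `assertFalse(rule.equals("not a rule"));`. Note that the "different action" case relies on two Mockito mocks of AclAction being unequal, which holds because mocks use identity equality, but it is worth a one-line comment so a later change to a real AclAction fixture does not silently weaken the assertion.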
Added: qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java?rev=1391430&view=auto
==============================================================================
--- qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java (added)
+++ qpid/trunk/qpid/java/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/firewall/HostnameFirewallRuleTest.java Fri Sep 28 12:46:06 2012
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.access.firewall;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.net.InetAddress;
+
+import org.apache.qpid.server.security.access.firewall.HostnameFirewallRule;
+
+import junit.framework.TestCase;
+
+public class HostnameFirewallRuleTest extends TestCase
+{
+ private InetAddress _addressNotInRule;
+
+ private HostnameFirewallRule _HostnameFirewallRule;
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ _addressNotInRule = InetAddress.getByName("127.0.0.1");
+ }
+
+ public void testSingleHostname() throws Exception
+ {
+ String hostnameInRule = "hostnameInRule";
+ InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+ when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn(hostnameInRule);
+
+ _HostnameFirewallRule = new HostnameFirewallRule(hostnameInRule);
+
+ assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+ assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+ }
+
+ public void testSingleHostnameWilcard() throws Exception
+ {
+ String hostnameInRule = ".*FOO.*";
+ InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+ when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn("xxFOOxx");
+
+ _HostnameFirewallRule = new HostnameFirewallRule(hostnameInRule);
+
+ assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+ assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+ }
+
+ public void testMultipleHostnames() throws Exception
+ {
+ String[] hostnamesInRule = new String[] {"hostnameInRule1", "hostnameInRule2"};
+
+ _HostnameFirewallRule = new HostnameFirewallRule(hostnamesInRule);
+
+ assertFalse(_HostnameFirewallRule.matches(_addressNotInRule));
+ for (String hostnameInRule : hostnamesInRule)
+ {
+ InetAddress addressWithMatchingHostname = mock(InetAddress.class);
+ when(addressWithMatchingHostname.getCanonicalHostName()).thenReturn(hostnameInRule);
+
+ assertTrue(_HostnameFirewallRule.matches(addressWithMatchingHostname));
+ }
+ }
+
+ public void testEqualsAndHashCode()
+ {
+ String hostname1 = "hostname1";
+ String hostname2 = "hostname2";
+
+ HostnameFirewallRule rule = new HostnameFirewallRule(hostname1, hostname2);
+ HostnameFirewallRule equalRule = new HostnameFirewallRule(hostname1, hostname2);
+
+ assertTrue(rule.equals(rule));
+ assertTrue(rule.equals(equalRule));
+ assertTrue(equalRule.equals(rule));
+
+ assertTrue(rule.hashCode() == equalRule.hashCode());
+
+ assertFalse("Different hostnames should cause rules to be unequal",
+ rule.equals(new HostnameFirewallRule(hostname1, "different-hostname")));
+ }
+}
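Review bot: setUp builds `_addressNotInRule` from the real loopback address, so each matches() call on it goes through the host's resolver for a reverse lookup, making the three negative assertions both slow and environment-dependent (the result depends on what the local system returns for 127.0.0.1). Mocking it like the matching addresses removes that dependency: `_addressNotInRule = mock(InetAddress.class);` followed by `when(_addressNotInRule.getCanonicalHostName()).thenReturn("address-not-in-rule");`. Since the rule appears to key off the reverse-resolved canonical name, it would also be worth pinning the behaviour when the lookup yields only the numeric address, which is the common case for clients with no PTR record. Minor style points: the field `_HostnameFirewallRule` should be `_hostnameFirewallRule` to match the file's other fields, `testSingleHostnameWilcard` is misspelt, and the import of HostnameFirewallRule is redundant within its own package.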