Posted to commits@qpid.apache.org by or...@apache.org on 2017/09/22 13:40:07 UTC
[2/2] qpid-broker-j git commit: QPID-7921: [Java Broker] [ACL] Allow
managed operation invocation to be controlled by existing ACL mechanism
QPID-7921: [Java Broker] [ACL] Allow managed operation invocation to be controlled by existing ACL mechanism
Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/0ce2ecd8
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/0ce2ecd8
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/0ce2ecd8
Branch: refs/heads/master
Commit: 0ce2ecd88d2ea5871ed1224080ecae5d6a2d8b50
Parents: a120d24
Author: Alex Rudyy <or...@apache.org>
Authored: Fri Sep 22 14:25:29 2017 +0100
Committer: Alex Rudyy <or...@apache.org>
Committed: Fri Sep 22 14:39:57 2017 +0100
----------------------------------------------------------------------
.../model/ConfiguredObjectFactoryGenerator.java | 59 +++--
.../qpid/server/exchange/AbstractExchange.java | 2 +-
.../server/exchange/DefaultDestination.java | 2 +-
.../org/apache/qpid/server/model/Broker.java | 9 +-
.../qpid/server/model/ConfiguredObject.java | 2 +-
.../model/ConfiguredObjectMethodOperation.java | 3 -
.../qpid/server/model/ManagedOperation.java | 1 +
.../apache/qpid/server/model/VirtualHost.java | 5 +-
.../apache/qpid/server/queue/AbstractQueue.java | 2 +-
.../qpid/server/security/access/Operation.java | 8 +-
.../server/security/access/OperationType.java | 4 +-
.../server/virtualhost/AbstractVirtualHost.java | 2 +-
.../virtualhost/QueueManagingVirtualHost.java | 3 +-
.../config/LegacyAccessControlAdapter.java | 162 ++++--------
.../security/access/config/LegacyOperation.java | 3 +-
.../access/config/ObjectProperties.java | 3 +-
.../security/access/config/ObjectType.java | 15 +-
.../server/security/access/config/RuleSet.java | 20 +-
.../config/LegacyAccessControlAdapterTest.java | 256 ++++++++++++-------
.../management/amqp/ManagementAddressSpace.java | 2 +-
.../management/plugin/HttpManagementUtil.java | 2 +-
.../OAuth2InteractiveAuthenticatorTest.java | 2 +-
.../security/Java-Broker-Security-ACLs.xml | 114 +++------
.../server/security/acl/MessagingACLTest.java | 6 +-
.../qpid/systest/rest/acl/QueueRestACLTest.java | 63 +++--
25 files changed, 364 insertions(+), 386 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-codegen/src/main/java/org/apache/qpid/server/model/ConfiguredObjectFactoryGenerator.java
----------------------------------------------------------------------
diff --git a/broker-codegen/src/main/java/org/apache/qpid/server/model/ConfiguredObjectFactoryGenerator.java b/broker-codegen/src/main/java/org/apache/qpid/server/model/ConfiguredObjectFactoryGenerator.java
index c3f8085..a63f12f 100644
--- a/broker-codegen/src/main/java/org/apache/qpid/server/model/ConfiguredObjectFactoryGenerator.java
+++ b/broker-codegen/src/main/java/org/apache/qpid/server/model/ConfiguredObjectFactoryGenerator.java
@@ -128,7 +128,7 @@ public class ConfiguredObjectFactoryGenerator extends AbstractProcessor
pw.print(packageElement.getQualifiedName());
pw.println(";");
pw.println();
- pw.println("import static org.apache.qpid.server.security.access.Operation.METHOD;");
+ pw.println("import static org.apache.qpid.server.security.access.Operation.INVOKE_METHOD;");
pw.println();
pw.println("import java.util.Map;");
pw.println("import java.util.concurrent.ExecutionException;");
@@ -283,8 +283,28 @@ public class ConfiguredObjectFactoryGenerator extends AbstractProcessor
private void processManagedOperation(final PrintWriter pw, final String className, final ExecutableElement methodElement, final AnnotationMirror annotationMirror)
{
+ final Map<? extends ExecutableElement, ? extends AnnotationValue> elementValues =
+ processingEnv.getElementUtils().getElementValuesWithDefaults(annotationMirror);
+ boolean wrapCallToSuper = false;
+ boolean log = false;
+ boolean skipAclCheck = false;
+ for (ExecutableElement executableElement : elementValues.keySet())
+ {
+ if ("changesConfiguredObjectState".contentEquals(executableElement.getSimpleName()))
+ {
+ wrapCallToSuper = (Boolean) elementValues.get(executableElement).getValue();
+ }
+ else if("log".contentEquals(executableElement.getSimpleName()))
+ {
+ log = (Boolean) elementValues.get(executableElement).getValue();
+ }
+ else if("skipAclCheck".contentEquals(executableElement.getSimpleName()))
+ {
+ skipAclCheck = (Boolean) elementValues.get(executableElement).getValue();
+ }
+ }
- if(!methodElement.getParameters().isEmpty())
+ if(!(methodElement.getParameters().isEmpty() || skipAclCheck))
{
pw.print(" private static final FixedKeyMapCreator ");
pw.print(methodElement.getSimpleName().toString().replaceAll("([A-Z])", "_$1").toUpperCase() + "_MAP_CREATOR");
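Review bot: The condition `if(!(methodElement.getParameters().isEmpty() || skipAclCheck))` is harder to read than its De Morgan form; `if (!methodElement.getParameters().isEmpty() && !skipAclCheck)` states the intent directly, namely that the map creator is only emitted when there are parameters and an ACL check will actually be generated. The three `"...".contentEquals(...)` branches with unchecked `(Boolean)` casts could also be collapsed into a small helper such as `readBooleanValue(elementValues, "skipAclCheck")`, which would make the next annotation attribute a one-line addition. processManagedOperation continues past the end of the hunk.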
@@ -326,34 +346,25 @@ public class ConfiguredObjectFactoryGenerator extends AbstractProcessor
}
pw.println(")");
pw.println(" {");
- pw.print(" authorise(METHOD(\"");
- pw.print(methodElement.getSimpleName().toString());
- pw.print("\")");
+
final String parameterList = getParameterList(methodElement);
- if(!methodElement.getParameters().isEmpty())
+ if (!skipAclCheck)
{
- pw.print(", ");
- pw.print(methodElement.getSimpleName().toString().replaceAll("([A-Z])", "_$1").toUpperCase() + "_MAP_CREATOR");
- pw.print(".createMap" + parameterList);
- }
- pw.println(");");
- pw.println();
+ pw.print(" authorise(INVOKE_METHOD(\"");
+ pw.print(methodElement.getSimpleName().toString());
+ pw.print("\")");
- final Map<? extends ExecutableElement, ? extends AnnotationValue> elementValues =
- processingEnv.getElementUtils().getElementValuesWithDefaults(annotationMirror);
- boolean wrapCallToSuper = false;
- boolean log = false;
- for (ExecutableElement executableElement : elementValues.keySet())
- {
- if ("changesConfiguredObjectState".contentEquals(executableElement.getSimpleName()))
- {
- wrapCallToSuper = (Boolean) elementValues.get(executableElement).getValue();
- }
- else if("log".contentEquals(executableElement.getSimpleName()))
+
+ if (!methodElement.getParameters().isEmpty())
{
- log = (Boolean) elementValues.get(executableElement).getValue();
+ pw.print(", ");
+ pw.print(methodElement.getSimpleName().toString().replaceAll("([A-Z])", "_$1").toUpperCase()
+ + "_MAP_CREATOR");
+ pw.print(".createMap" + parameterList);
}
+ pw.println(");");
+ pw.println();
}
if(log)
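Review bot: When `skipAclCheck` is true the generated method contains no authorise call and nothing in the generated source says why, so a reader of the generated class cannot tell an intentional bypass from an omission. Adding an `else` branch to `if (!skipAclCheck)` that prints a marker, e.g. `pw.println("        // ACL check skipped: skipAclCheck = true on @ManagedOperation");`, keeps that decision visible in the artefact that is actually compiled and reviewed. The `log` handling that begins on the last line of the hunk still applies to skipped methods, which looks right; the remainder of processManagedOperation lies outside the hunk.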
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java b/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
index c7cfa93..b67f6ef 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/exchange/AbstractExchange.java
@@ -99,7 +99,7 @@ public abstract class AbstractExchange<T extends AbstractExchange<T>>
private static final FixedKeyMapCreator UNBIND_ARGUMENTS_CREATOR =
new FixedKeyMapCreator("bindingKey", "destination");
- private static final Operation PUBLISH_ACTION = Operation.ACTION("publish");
+ private static final Operation PUBLISH_ACTION = Operation.PERFORM_ACTION("publish");
private final AtomicBoolean _closed = new AtomicBoolean();
@ManagedAttributeField(beforeSet = "preSetAlternateBinding", afterSet = "postSetAlternateBinding" )
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java b/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
index 7e281f8..8b94c60 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/exchange/DefaultDestination.java
@@ -42,7 +42,7 @@ import org.apache.qpid.server.virtualhost.QueueManagingVirtualHost;
public class DefaultDestination implements MessageDestination, PermissionedObject
{
- private static final Operation PUBLISH_ACTION = Operation.ACTION("publish");
+ private static final Operation PUBLISH_ACTION = Operation.PERFORM_ACTION("publish");
private final AccessControl _accessControl;
private QueueManagingVirtualHost<?> _virtualHost;
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java b/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
index 7480f8c..9916c02 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/Broker.java
@@ -306,18 +306,21 @@ public interface Broker<X extends Broker<X>> extends ConfiguredObject<X>, EventL
@ManagedOperation(nonModifying = true,
description = "Returns the principal of the currently authenticated user",
- changesConfiguredObjectState = false)
+ changesConfiguredObjectState = false,
+ skipAclCheck = true)
Principal getUser();
@ManagedOperation(nonModifying = true,
description = "Returns metadata concerning the current connection",
- changesConfiguredObjectState = false)
+ changesConfiguredObjectState = false,
+ skipAclCheck = true)
SocketConnectionMetaData getConnectionMetaData();
@ManagedOperation(nonModifying = true,
description = "Returns the groups to which the currently authenticated user belongs",
- changesConfiguredObjectState = false)
+ changesConfiguredObjectState = false,
+ skipAclCheck = true)
Set<Principal> getGroups();
@ManagedOperation(description = "Removes a user and all associated preferences from the broker's configuration",
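Review bot: `skipAclCheck = true` on getUser, getConnectionMetaData and getGroups removes the generated authorise call entirely, and the annotation gives no reason for that. Their descriptions show they report only facts about the currently authenticated user and current connection, so the bypass looks defensible, but the rationale belongs where the flag is set, e.g. `// Caller-scoped: returns only the invoking subject's own data, so no ACL rule is consulted` above each operation. The same comment is wanted on QueueManagingVirtualHost.getConnectionMetaData later in this commit.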
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java b/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
index 3dc294b..a38352f 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObject.java
@@ -172,7 +172,7 @@ public interface ConfiguredObject<X extends ConfiguredObject<X>> extends Context
@ManagedAttribute( defaultValue = "PERMANENT" )
LifetimePolicy getLifetimePolicy();
- @ManagedOperation(description = "Return the (selected) statistic values", nonModifying = true, changesConfiguredObjectState = false)
+ @ManagedOperation(description = "Return the (selected) statistic values", nonModifying = true, changesConfiguredObjectState = false, skipAclCheck = true)
Map<String, Object> getStatistics(@Param(name = "statistics", defaultValue = "[]",
description = "Optional list of statistic values to retrieve") List<String> statistics);
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObjectMethodOperation.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObjectMethodOperation.java b/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObjectMethodOperation.java
index 68d815e..1e25dd3 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObjectMethodOperation.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/ConfiguredObjectMethodOperation.java
@@ -32,7 +32,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
-import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.util.ServerScopedRuntimeException;
public class ConfiguredObjectMethodOperation<C extends ConfiguredObject<?>> implements ConfiguredObjectOperation<C>
@@ -110,8 +109,6 @@ public class ConfiguredObjectMethodOperation<C extends ConfiguredObject<?>> impl
}
else
{
- subject.authorise(Operation.METHOD(_operation.getName()), parameters);
-
Set<String> providedNames = new HashSet<>(parameters.keySet());
providedNames.removeAll(_validNames);
if (!providedNames.isEmpty())
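Review bot: Removing `subject.authorise(Operation.METHOD(_operation.getName()), parameters)` from this branch moves the only operation-level check in this method into the generated subclasses, so any ConfiguredObject implementation whose managed operations are not produced by ConfiguredObjectFactoryGenerator would now be invoked with no ACL check at all. If every concrete implementation is generated that is fine, but it is worth confirming and recording at the removal point, e.g. `// The INVOKE_METHOD ACL check is emitted into the generated operation method by ConfiguredObjectFactoryGenerator`. The enclosing method begins and ends outside the hunk.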
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/model/ManagedOperation.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/ManagedOperation.java b/broker-core/src/main/java/org/apache/qpid/server/model/ManagedOperation.java
index 02196b8..17df9f5 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/ManagedOperation.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/ManagedOperation.java
@@ -36,4 +36,5 @@ public @interface ManagedOperation
boolean changesConfiguredObjectState();
boolean associateAsIfChildren() default false;
boolean log() default false;
+ boolean skipAclCheck() default false;
}
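Review bot: `skipAclCheck` has no Javadoc, and because its effect is to drop the generated authorise call entirely it is the one attribute of this annotation a future author most needs explained. A doc comment such as `/** When true no ACL check is generated for this operation; intended only for operations that expose the caller's own data or data already guarded by the owning object's checks. */` would make the contract explicit. Stating that the default is the safe value (checks are generated unless opted out) is also worth a sentence there.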
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/model/VirtualHost.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/model/VirtualHost.java b/broker-core/src/main/java/org/apache/qpid/server/model/VirtualHost.java
index 7f1b0df..5e7d1cc 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/model/VirtualHost.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/model/VirtualHost.java
@@ -48,7 +48,10 @@ public interface VirtualHost<X extends VirtualHost<X>> extends ConfiguredObject<
String getProductVersion();
@Override
- @ManagedOperation(nonModifying = true, changesConfiguredObjectState = false, associateAsIfChildren = true)
+ @ManagedOperation(nonModifying = true,
+ changesConfiguredObjectState = false,
+ associateAsIfChildren = true,
+ skipAclCheck = true)
Collection<? extends Connection<?>> getConnections();
}
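Review bot: `skipAclCheck = true` on getConnections is different in kind from the Broker operations: it returns the connections of every user of the virtual host, not the caller's own data. Presumably `associateAsIfChildren = true` means each returned connection is still subject to the per-object checks a child listing would receive, but that is not visible here and deserves a comment such as `// No INVOKE check: the result is filtered per connection via associateAsIfChildren`. ConfiguredObject.getStatistics in this commit is in the same position and relies on the object-level READ check being enforced elsewhere; confirm and document that as well.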
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java b/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
index c043aac..1bfe661 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
@@ -147,7 +147,7 @@ public abstract class AbstractQueue<X extends AbstractQueue<X>>
};
private static final String UTF8 = StandardCharsets.UTF_8.name();
- private static final Operation PUBLISH_ACTION = Operation.ACTION("publish");
+ private static final Operation PUBLISH_ACTION = Operation.PERFORM_ACTION("publish");
private final QueueManagingVirtualHost<?> _virtualHost;
private final DeletedChildListener _deletedChildListener = new DeletedChildListener();
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/security/access/Operation.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/access/Operation.java b/broker-core/src/main/java/org/apache/qpid/server/security/access/Operation.java
index d52a0a2..7188e45 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/access/Operation.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/access/Operation.java
@@ -81,15 +81,15 @@ public final class Operation
return READ;
}
- public static Operation METHOD(String name)
+ public static Operation INVOKE_METHOD(String name)
{
- return new Operation(OperationType.METHOD, name);
+ return new Operation(OperationType.INVOKE_METHOD, name);
}
- public static Operation ACTION(String name)
+ public static Operation PERFORM_ACTION(String name)
{
- return new Operation(OperationType.ACTION, name);
+ return new Operation(OperationType.PERFORM_ACTION, name);
}
@Override
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationType.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationType.java b/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationType.java
index c565c69..750fd3d 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationType.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/security/access/OperationType.java
@@ -27,6 +27,6 @@ public enum OperationType
DELETE,
DISCOVER,
READ,
- METHOD,
- ACTION
+ INVOKE_METHOD,
+ PERFORM_ACTION
}
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
index 29d2ad9..928a246 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
@@ -1123,7 +1123,7 @@ public abstract class AbstractVirtualHost<X extends AbstractVirtualHost<X>> exte
@Override
public boolean authoriseCreateConnection(final AMQPConnection<?> connection)
{
- authorise(Operation.ACTION("connect"));
+ authorise(Operation.PERFORM_ACTION("connect"));
for(ConnectionValidator validator : _connectionValidators)
{
if(!validator.validateConnectionCreation(connection, this))
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-core/src/main/java/org/apache/qpid/server/virtualhost/QueueManagingVirtualHost.java
----------------------------------------------------------------------
diff --git a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/QueueManagingVirtualHost.java b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/QueueManagingVirtualHost.java
index 47b8621..6b04ae3 100644
--- a/broker-core/src/main/java/org/apache/qpid/server/virtualhost/QueueManagingVirtualHost.java
+++ b/broker-core/src/main/java/org/apache/qpid/server/virtualhost/QueueManagingVirtualHost.java
@@ -271,7 +271,8 @@ public interface QueueManagingVirtualHost<X extends QueueManagingVirtualHost<X>>
@ManagedOperation(nonModifying = true,
description = "Returns metadata concerning the current connection",
- changesConfiguredObjectState = false)
+ changesConfiguredObjectState = false,
+ skipAclCheck = true)
SocketConnectionMetaData getConnectionMetaData();
Queue<?> getSubscriptionQueue(final String exchangeName,
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
index 68bbf8e..1dae6c3 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
@@ -20,16 +20,15 @@
*/
package org.apache.qpid.server.security.access.config;
+import static org.apache.qpid.server.security.access.config.LegacyOperation.ACCESS_LOGS;
import static org.apache.qpid.server.security.access.config.LegacyOperation.BIND;
+import static org.apache.qpid.server.security.access.config.LegacyOperation.INVOKE;
+import static org.apache.qpid.server.security.access.config.LegacyOperation.PUBLISH;
+import static org.apache.qpid.server.security.access.config.LegacyOperation.PURGE;
import static org.apache.qpid.server.security.access.config.LegacyOperation.UNBIND;
import static org.apache.qpid.server.security.access.config.ObjectType.EXCHANGE;
import static org.apache.qpid.server.security.access.config.ObjectType.METHOD;
import static org.apache.qpid.server.security.access.config.ObjectType.QUEUE;
-import static org.apache.qpid.server.security.access.config.ObjectType.USER;
-import static org.apache.qpid.server.security.access.config.LegacyOperation.ACCESS_LOGS;
-import static org.apache.qpid.server.security.access.config.LegacyOperation.PUBLISH;
-import static org.apache.qpid.server.security.access.config.LegacyOperation.PURGE;
-import static org.apache.qpid.server.security.access.config.LegacyOperation.UPDATE;
import java.util.Arrays;
import java.util.Collections;
@@ -42,7 +41,6 @@ import org.apache.qpid.server.model.*;
import org.apache.qpid.server.queue.QueueConsumer;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.access.Operation;
-import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.virtualhost.QueueManagingVirtualHost;
class LegacyAccessControlAdapter
@@ -57,29 +55,6 @@ class LegacyAccessControlAdapter
"copyMessages",
"deleteMessages")));
- private static final Set<String> LEGACY_PREFERENCES_METHOD_NAMES =
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList("getPreferences",
- "setPreferences",
- "deletePreferences")));
-
- private static final Set<String> BDB_VIRTUAL_HOST_NODE_OPERATIONS =
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList("updateMutableConfig",
- "cleanLog",
- "checkpoint")));
-
- private static final Set<String> BROKER_CONFIGURE_OPERATIONS =
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList("setJVMOptions",
- "dumpHeap",
- "performGC",
- "getThreadStackTraces",
- "findThreadStackTraces",
- "extractConfig",
- "restart")));
-
- private static final Set<String> VIRTUALHOST_UPDATE_OPERATIONS =
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList("importMessageStore",
- "extractMessageStore")));
-
private final LegacyAccessControl _accessControl;
private final Model _model;
@@ -231,7 +206,7 @@ class LegacyAccessControlAdapter
properties.put(ObjectProperties.Property.DURABLE, (Boolean) exchange.getAttribute(ConfiguredObject.DURABLE));
properties.put(ObjectProperties.Property.TYPE, (String) exchange.getAttribute(Exchange.TYPE));
VirtualHost virtualHost = (VirtualHost) exchange.getParent();
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(VirtualHost.NAME));
}
else if (configuredObject instanceof QueueConsumer)
{
@@ -249,7 +224,7 @@ class LegacyAccessControlAdapter
else if (isVirtualHostType(configuredObjectType))
{
ConfiguredObject<?> virtualHost = getModel().getAncestor(VirtualHost.class, (ConfiguredObject<?>)configuredObject);
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(VirtualHost.NAME));
}
return properties;
}
@@ -277,7 +252,7 @@ class LegacyAccessControlAdapter
properties.put(ObjectProperties.Property.OWNER, owner);
}
VirtualHost virtualHost = (VirtualHost) queue.getParent();
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(VirtualHost.NAME));
}
@@ -375,7 +350,17 @@ class LegacyAccessControlAdapter
final String methodName,
final Map<String, Object> arguments)
{
+
Class<? extends ConfiguredObject> categoryClass = configuredObject.getCategoryClass();
+ Result invokeResult = _accessControl.authorise(INVOKE,
+ getACLObjectTypeManagingConfiguredObjectOfCategory(categoryClass),
+ createObjectPropertiesForMethod(configuredObject, methodName));
+ if (invokeResult == Result.ALLOWED)
+ {
+ return invokeResult;
+ }
+
+ // Otherwise fallback to the older rule-style
if(categoryClass == Queue.class)
{
Queue queue = (Queue) configuredObject;
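Review bot: `if (invokeResult == Result.ALLOWED)` makes the new INVOKE rule an allow-only shortcut: an explicit denial on INVOKE is discarded and the legacy rule-style below can still grant the call. If an administrator's INVOKE deny is meant to be final, return on denial too, e.g. `if (invokeResult == Result.DENIED) return invokeResult;` before the fallback. Either way the comment `// Otherwise fallback to the older rule-style` should state which results fall through and why. authoriseMethod continues past the end of the hunk.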
@@ -393,102 +378,61 @@ class LegacyAccessControlAdapter
properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHostName);
return _accessControl.authorise(LegacyOperation.UPDATE, METHOD, properties);
-
- }
- else if("publish".equals(methodName))
- {
-
- final ObjectProperties _props =
- new ObjectProperties(queue.getParent().getName(), "", queue.getName());
- return _accessControl.authorise(PUBLISH, EXCHANGE, _props);
- }
- }
- else if(categoryClass == BrokerLogger.class)
- {
- if(LOG_ACCESS_METHOD_NAMES.contains(methodName))
- {
- return _accessControl.authorise(ACCESS_LOGS, ObjectType.BROKER, ObjectProperties.EMPTY);
- }
- }
- else if(categoryClass == VirtualHostLogger.class)
- {
- VirtualHostLogger logger = (VirtualHostLogger)configuredObject;
- if(LOG_ACCESS_METHOD_NAMES.contains(methodName))
- {
- return _accessControl.authorise(ACCESS_LOGS,
- ObjectType.VIRTUALHOST,
- new ObjectProperties(logger.getParent().getName()));
}
}
- else if(categoryClass == AuthenticationProvider.class)
+ else if ((categoryClass == BrokerLogger.class || categoryClass == VirtualHostLogger.class) && LOG_ACCESS_METHOD_NAMES.contains(methodName))
{
- if(LEGACY_PREFERENCES_METHOD_NAMES.contains(methodName))
- {
- if(arguments.get("userId") instanceof String)
- {
- String userName = (String) arguments.get("userId");
- AuthenticatedPrincipal principal = AuthenticatedPrincipal.getCurrentUser();
- if (principal != null && principal.getName().equals(userName))
- {
- // allow user to update its own data
- return Result.ALLOWED;
- }
- else
- {
- return _accessControl.authorise(UPDATE,
- USER,
- new ObjectProperties(userName));
- }
- }
- }
- }
- else if(categoryClass == VirtualHostNode.class)
- {
- if(BDB_VIRTUAL_HOST_NODE_OPERATIONS.contains(methodName))
- {
- ObjectProperties properties = getACLObjectProperties(((ConfiguredObject)configuredObject).getParent(), LegacyOperation.UPDATE);
- return _accessControl.authorise(LegacyOperation.UPDATE, ObjectType.BROKER, properties);
- }
- }
- else if(categoryClass == Broker.class)
- {
- if(BROKER_CONFIGURE_OPERATIONS.contains(methodName))
- {
- _accessControl.authorise(LegacyOperation.CONFIGURE, ObjectType.BROKER, ObjectProperties.EMPTY);
- }
- else if("initiateShutdown".equals(methodName))
- {
- _accessControl.authorise(LegacyOperation.SHUTDOWN, ObjectType.BROKER, ObjectProperties.EMPTY);
- }
-
+ ObjectProperties empty = categoryClass == BrokerLogger.class ? ObjectProperties.EMPTY : new ObjectProperties(
+ ((ConfiguredObject) configuredObject).getParent().getName());
+ return _accessControl.authorise(ACCESS_LOGS, categoryClass == BrokerLogger.class ? ObjectType.BROKER : ObjectType.VIRTUALHOST,
+ empty);
}
- else if(categoryClass == VirtualHost.class)
+ else if(categoryClass == Broker.class && "initiateShutdown".equals(methodName))
{
- if(VIRTUALHOST_UPDATE_OPERATIONS.contains(methodName))
- {
- authorise(LegacyOperation.UPDATE, configuredObject);
- }
+ _accessControl.authorise(LegacyOperation.SHUTDOWN, ObjectType.BROKER, ObjectProperties.EMPTY);
}
else if (categoryClass == Exchange.class)
{
if ("bind".equals(methodName))
{
- final ObjectProperties properties = createArgsForExchangeBind(arguments, configuredObject);
+ final ObjectProperties properties = createObjectPropertiesForExchangeBind(arguments, configuredObject);
return _accessControl.authorise(BIND, EXCHANGE, properties);
}
else if ("unbind".equals(methodName))
{
- final ObjectProperties properties = createArgsForExchangeBind(arguments, configuredObject);
+ final ObjectProperties properties = createObjectPropertiesForExchangeBind(arguments, configuredObject);
return _accessControl.authorise(UNBIND, EXCHANGE, properties);
}
+ }
+
+ //TODO: add check for VH#messagePublish
+ return Result.DENIED;
+ }
+ private ObjectProperties createObjectPropertiesForMethod(final PermissionedObject permissionedObject,
+ final String methodName)
+ {
+ ObjectProperties properties = new ObjectProperties(permissionedObject.getName());
+ properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
+
+ if (permissionedObject instanceof ConfiguredObject<?>)
+ {
+ ConfiguredObject<?> configuredObject = ((ConfiguredObject) permissionedObject);
+ VirtualHost virtualHost = configuredObject.getModel()
+ .getAncestor(VirtualHost.class,
+ configuredObject.getCategoryClass(),
+ configuredObject);
+ if (virtualHost != null)
+ {
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHost.getName());
+ }
}
- return Result.ALLOWED;
+ return properties;
}
- private ObjectProperties createArgsForExchangeBind(final Map<String, Object> arguments,
- final PermissionedObject configuredObject)
+ private ObjectProperties createObjectPropertiesForExchangeBind(final Map<String, Object> arguments,
+ final PermissionedObject configuredObject)
{
ObjectProperties properties = new ObjectProperties();
Exchange<?> exchange = (Exchange<?>) configuredObject;
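Review bot: The `initiateShutdown` branch calls `_accessControl.authorise(LegacyOperation.SHUTDOWN, ObjectType.BROKER, ObjectProperties.EMPTY);` and discards the result, then falls through to the new `return Result.DENIED;`, so a legacy SHUTDOWN allow rule can never grant the operation (before this change the same discard fell through to ALLOWED, which was the opposite problem). Unless the call is there only for its side effects it should be `return _accessControl.authorise(LegacyOperation.SHUTDOWN, ObjectType.BROKER, ObjectProperties.EMPTY);`. A smaller point: the local `empty` in the logger branch holds a populated ObjectProperties for VirtualHostLogger, so a name such as `loggerProperties` would stop misleading the reader. The change of the trailing default from `Result.ALLOWED` to `Result.DENIED` is the right fail-closed behaviour and could carry a one-line comment saying so.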
@@ -529,9 +473,9 @@ class LegacyAccessControlAdapter
return authorise(LegacyOperation.UPDATE, configuredObject);
case DELETE:
return authorise(LegacyOperation.DELETE, configuredObject);
- case METHOD:
+ case INVOKE_METHOD:
return authoriseMethod(configuredObject, operation.getName(), arguments);
- case ACTION:
+ case PERFORM_ACTION:
return authoriseAction(configuredObject, operation.getName(), arguments);
case DISCOVER:
case READ:
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyOperation.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyOperation.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyOperation.java
index eae967f..56ca67c 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyOperation.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyOperation.java
@@ -35,7 +35,8 @@ public enum LegacyOperation
UPDATE,
CONFIGURE,
ACCESS_LOGS,
- SHUTDOWN;
+ SHUTDOWN,
+ INVOKE;
@Override
public String toString()
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
index 6b01409..a30c199 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectProperties.java
@@ -57,7 +57,8 @@ public class ObjectProperties
CLASS,
FROM_NETWORK,
FROM_HOSTNAME,
- VIRTUALHOST_NAME;
+ VIRTUALHOST_NAME,
+ METHOD_NAME;
private static final Map<String, Property> _canonicalNameToPropertyMap = new HashMap<String, ObjectProperties.Property>();
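Review bot: `METHOD_NAME` is added to `Property` without a comment saying which rule type populates and matches it, and the surrounding properties (`FROM_NETWORK`, `FROM_HOSTNAME`, `VIRTUALHOST_NAME`) are the vocabulary administrators write in ACL files, so an undocumented key is easy to misuse. A comment such as `// name of the managed operation being invoked; set for INVOKE rules so a rule can be restricted to one method` would make the contract explicit. If `_canonicalNameToPropertyMap` is populated from `Property.values()` the new key is picked up automatically; if it is filled by hand elsewhere in this class (outside the hunk), the canonical spelling for `METHOD_NAME` must be added there too.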
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java
index be49e03..b2b4246 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/ObjectType.java
@@ -25,6 +25,7 @@ import static org.apache.qpid.server.security.access.config.LegacyOperation.CONF
import static org.apache.qpid.server.security.access.config.LegacyOperation.CONSUME;
import static org.apache.qpid.server.security.access.config.LegacyOperation.CREATE;
import static org.apache.qpid.server.security.access.config.LegacyOperation.DELETE;
+import static org.apache.qpid.server.security.access.config.LegacyOperation.INVOKE;
import static org.apache.qpid.server.security.access.config.LegacyOperation.PUBLISH;
import static org.apache.qpid.server.security.access.config.LegacyOperation.PURGE;
import static org.apache.qpid.server.security.access.config.LegacyOperation.SHUTDOWN;
@@ -43,15 +44,15 @@ import java.util.Set;
public enum ObjectType
{
ALL(EnumSet.allOf(LegacyOperation.class)),
- VIRTUALHOSTNODE(LegacyOperation.ALL, CREATE, DELETE, UPDATE),
- VIRTUALHOST(LegacyOperation.ALL, ACCESS, CREATE, DELETE, UPDATE, ACCESS_LOGS),
+ VIRTUALHOSTNODE(LegacyOperation.ALL, CREATE, DELETE, UPDATE, INVOKE),
+ VIRTUALHOST(LegacyOperation.ALL, ACCESS, CREATE, DELETE, UPDATE, ACCESS_LOGS, INVOKE),
MANAGEMENT(LegacyOperation.ALL, ACCESS),
- QUEUE(LegacyOperation.ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE),
- EXCHANGE(LegacyOperation.ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE),
+ QUEUE(LegacyOperation.ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE, INVOKE),
+ EXCHANGE(LegacyOperation.ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE, INVOKE),
METHOD(LegacyOperation.ALL, ACCESS, UPDATE),
- USER(LegacyOperation.ALL, CREATE, DELETE, UPDATE),
- GROUP(LegacyOperation.ALL, CREATE, DELETE, UPDATE),
- BROKER(LegacyOperation.ALL, CONFIGURE, ACCESS_LOGS, SHUTDOWN);
+ USER(LegacyOperation.ALL, CREATE, DELETE, UPDATE, INVOKE),
+ GROUP(LegacyOperation.ALL, CREATE, DELETE, UPDATE, INVOKE),
+ BROKER(LegacyOperation.ALL, CONFIGURE, ACCESS_LOGS, SHUTDOWN, INVOKE);
private EnumSet<LegacyOperation> _operations;
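Review bot: `INVOKE` is appended to seven object types but not to `MANAGEMENT` or `METHOD`, and nothing in the hunk says whether that omission is deliberate; since these constructor lists appear to define which operations a rule may legally name per object type, a silent gap here surfaces only as a rule-parse rejection at runtime. Because every list starts with `LegacyOperation.ALL` and `ALL` is built from `EnumSet.allOf(LegacyOperation.class)`, an existing rule written with the ALL operation wildcard would presumably now also match `INVOKE` on these types, which is a behaviour change for deployed ACL files worth a comment and a release note. A comment above the constants, `// INVOKE: managed-operation calls on the object or its descendants; MANAGEMENT and METHOD intentionally have no invocable operations`, would record the intent, with the second clause kept only if that is in fact the reason.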
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index 0c58524..a7cdea9 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -24,7 +24,6 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
-import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
@@ -50,15 +49,10 @@ public class RuleSet implements EventLoggerProvider
{
private static final Logger _logger = LoggerFactory.getLogger(RuleSet.class);
- public static final String DEFAULT_ALLOW = "defaultallow";
- public static final String DEFAULT_DENY = "defaultdeny";
-
- private static final Integer _increment = 10;
-
private final List<Rule> _rules;
private final Map<Subject, Map<LegacyOperation, Map<ObjectType, List<Rule>>>> _cache =
Collections.synchronizedMap(new WeakHashMap<Subject, Map<LegacyOperation, Map<ObjectType, List<Rule>>>>());
- private final Map<String, Boolean> _config = new HashMap<String, Boolean>();
+
private final EventLoggerProvider _eventLogger;
private Result _defaultResult = Result.DENIED;
@@ -91,7 +85,7 @@ public class RuleSet implements EventLoggerProvider
{
final Set<Principal> principals = subject.getPrincipals();
boolean controlled = false;
- List<Rule> filtered = new LinkedList<Rule>();
+ List<Rule> filtered = new LinkedList<>();
for (Rule rule : _rules)
{
final Action ruleAction = rule.getAction();
@@ -208,16 +202,6 @@ public class RuleSet implements EventLoggerProvider
}
/**
- * Configure properties for the plugin instance.
- *
- * @param properties
- */
- public void configure(Map<String, Boolean> properties)
- {
- _config.putAll(properties);
- }
-
- /**
* Returns all rules in the {@link RuleSet}. Primarily intended to support unit-testing.
* @return map of rules
*/
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
index 1985035..96fdbb2 100644
--- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
+++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
@@ -23,9 +23,12 @@ package org.apache.qpid.server.security.access.config;
import static org.apache.qpid.server.security.access.config.ObjectType.BROKER;
import static org.apache.qpid.server.security.access.config.ObjectType.VIRTUALHOST;
import static org.apache.qpid.server.security.access.config.LegacyOperation.ACCESS_LOGS;
+import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
+import static org.mockito.Matchers.same;
import static org.mockito.Mockito.doReturn;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
@@ -35,6 +38,7 @@ import java.util.Map;
import org.apache.qpid.server.model.*;
import org.apache.qpid.server.queue.QueueConsumer;
+import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.virtualhost.QueueManagingVirtualHost;
import org.apache.qpid.test.utils.QpidTestCase;
@@ -50,6 +54,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
private Broker _broker;
private VirtualHostNode<?> _virtualHostNode;
private LegacyAccessControlAdapter _adapter;
+ private Model _model;
@Override
public void setUp() throws Exception
@@ -61,7 +66,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST);
when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
- when(_virtualHost.getModel()).thenReturn(BrokerModel.getInstance());
+ _model = BrokerModel.getInstance();
+ when(_virtualHost.getModel()).thenReturn(_model);
doReturn(VirtualHost.class).when(_virtualHost).getCategoryClass();
_broker = mock(Broker.class);
@@ -135,7 +141,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
properties.put(ObjectProperties.Property.DURABLE, true);
properties.put(ObjectProperties.Property.EXCLUSIVE, false);
- assertAuthorization(LegacyOperation.CREATE, consumer, LegacyOperation.CONSUME, ObjectType.QUEUE, properties, queue, session);
+ assertAuthorization(LegacyOperation.CREATE, consumer, LegacyOperation.CONSUME, ObjectType.QUEUE, properties);
}
@@ -157,8 +163,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(User.class);
when(mock.getParent()).thenReturn(authenticationProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.USER, properties, authenticationProvider);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.USER, properties);
}
@@ -172,8 +178,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(virtualHost.getCategoryClass()).thenReturn(VirtualHost.class);
when(virtualHost.getParent()).thenReturn(vhn);
ObjectProperties properties = new ObjectProperties(virtualHost.getName());
- properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(virtualHost.NAME));
- assertDeleteAuthorization(virtualHost, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties, vhn);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, (String)virtualHost.getAttribute(VirtualHost.NAME));
+ assertDeleteAuthorization(virtualHost, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties);
}
public void testAuthoriseDeleteKeyStore()
@@ -203,8 +209,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(Group.class);
when(mock.getParent()).thenReturn(groupProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.GROUP, properties, groupProvider);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.GROUP, properties);
}
public void testAuthoriseDeleteGroupMember()
@@ -216,8 +222,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(GroupMember.class);
when(mock.getParent()).thenReturn(group);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertDeleteAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties, group);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertDeleteAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties);
}
public void testAuthoriseDeleteUser()
@@ -229,8 +235,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(User.class);
when(mock.getParent()).thenReturn(authenticationProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.USER, properties, authenticationProvider);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.USER, properties);
}
public void testAuthoriseCreateExchange()
@@ -246,7 +252,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(exchange.getCategoryClass()).thenReturn(Exchange.class);
when(exchange.getParent()).thenReturn(vh);
- assertCreateAuthorization(exchange, LegacyOperation.CREATE, ObjectType.EXCHANGE, expectedProperties, vh);
+ assertCreateAuthorization(exchange, LegacyOperation.CREATE, ObjectType.EXCHANGE, expectedProperties);
}
public void testAuthoriseCreateQueue()
@@ -265,7 +271,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(queue.getCategoryClass()).thenReturn(Queue.class);
when(queue.getParent()).thenReturn(vh);
- assertCreateAuthorization(queue, LegacyOperation.CREATE, ObjectType.QUEUE, expectedProperties, vh);
+ assertCreateAuthorization(queue, LegacyOperation.CREATE, ObjectType.QUEUE, expectedProperties);
}
public void testAuthoriseDeleteQueue()
@@ -282,7 +288,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(queueObject.getParent()).thenReturn(vh);
when(queueObject.getCategoryClass()).thenReturn(Queue.class);
- assertDeleteAuthorization(queueObject, LegacyOperation.DELETE, ObjectType.QUEUE, expectedProperties, vh);
+ assertDeleteAuthorization(queueObject, LegacyOperation.DELETE, ObjectType.QUEUE, expectedProperties);
}
public void testAuthoriseUpdateQueue()
@@ -299,7 +305,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(queueObject.getParent()).thenReturn(vh);
when(queueObject.getCategoryClass()).thenReturn(Queue.class);
- assertUpdateAuthorization(queueObject, LegacyOperation.UPDATE, ObjectType.QUEUE, expectedProperties, vh);
+ assertUpdateAuthorization(queueObject, LegacyOperation.UPDATE, ObjectType.QUEUE, expectedProperties);
}
public void testAuthoriseUpdateExchange()
@@ -315,7 +321,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(exchange.getParent()).thenReturn(vh);
when(exchange.getCategoryClass()).thenReturn(Exchange.class);
- assertUpdateAuthorization(exchange, LegacyOperation.UPDATE, ObjectType.EXCHANGE, expectedProperties, vh);
+ assertUpdateAuthorization(exchange, LegacyOperation.UPDATE, ObjectType.EXCHANGE, expectedProperties);
}
public void testAuthoriseDeleteExchange()
@@ -332,13 +338,13 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(exchange.getParent()).thenReturn(vh);
when(exchange.getCategoryClass()).thenReturn(Exchange.class);
- assertDeleteAuthorization(exchange, LegacyOperation.DELETE, ObjectType.EXCHANGE, expectedProperties, vh);
+ assertDeleteAuthorization(exchange, LegacyOperation.DELETE, ObjectType.EXCHANGE, expectedProperties);
}
public void testAuthoriseCreateVirtualHostNode()
{
VirtualHostNode vhn = getMockVirtualHostNode();
- assertCreateAuthorization(vhn, LegacyOperation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"), _broker);
+ assertCreateAuthorization(vhn, LegacyOperation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"));
}
public void testAuthoriseCreatePort()
@@ -406,7 +412,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(group.getAttribute(Group.NAME)).thenReturn("test");
when(group.getName()).thenReturn("test");
- assertCreateAuthorization(group, LegacyOperation.CREATE, ObjectType.GROUP, new ObjectProperties("test"), groupProvider);
+ assertCreateAuthorization(group, LegacyOperation.CREATE, ObjectType.GROUP, new ObjectProperties("test"));
}
public void testAuthoriseCreateGroupMember()
@@ -423,7 +429,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(groupMember.getAttribute(Group.NAME)).thenReturn("test");
when(groupMember.getName()).thenReturn("test");
- assertCreateAuthorization(groupMember, LegacyOperation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"), group);
+ assertCreateAuthorization(groupMember, LegacyOperation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"));
}
public void testAuthoriseCreateUser()
@@ -440,7 +446,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(user.getParent()).thenReturn(authenticationProvider);
when(user.getModel()).thenReturn(BrokerModel.getInstance());
- assertCreateAuthorization(user, LegacyOperation.CREATE, ObjectType.USER, new ObjectProperties("test"), authenticationProvider);
+ assertCreateAuthorization(user, LegacyOperation.CREATE, ObjectType.USER, new ObjectProperties("test"));
}
public void testAuthoriseCreateVirtualHost()
@@ -449,13 +455,13 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties expectedProperties = new ObjectProperties(TEST_VIRTUAL_HOST);
expectedProperties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
assertCreateAuthorization(vh, LegacyOperation.CREATE, ObjectType.VIRTUALHOST,
- expectedProperties, _virtualHostNode);
+ expectedProperties);
}
public void testAuthoriseUpdateVirtualHostNode()
{
VirtualHostNode vhn = getMockVirtualHostNode();
- assertUpdateAuthorization(vhn, LegacyOperation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+ assertUpdateAuthorization(vhn, LegacyOperation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()));
}
@@ -513,8 +519,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(Group.class);
when(mock.getParent()).thenReturn(groupProvider);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties, groupProvider);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties);
}
public void testAuthoriseUpdateGroupMember()
@@ -526,8 +532,8 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getName()).thenReturn("test");
when(mock.getCategoryClass()).thenReturn(GroupMember.class);
when(mock.getParent()).thenReturn(group);
- ObjectProperties properties = new ObjectProperties((String)mock.getName());
- assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties, group);
+ ObjectProperties properties = new ObjectProperties(mock.getName());
+ assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.GROUP, properties);
}
public void testAuthoriseUpdateVirtualHost()
@@ -541,13 +547,13 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(virtualHost.getParent()).thenReturn(vhn);
ObjectProperties properties = new ObjectProperties(virtualHost.getName());
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHost.getName());
- assertUpdateAuthorization(virtualHost, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties, vhn);
+ assertUpdateAuthorization(virtualHost, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties);
}
public void testAuthoriseDeleteVirtualHostNode()
{
VirtualHostNode vhn = getMockVirtualHostNode();
- assertDeleteAuthorization(vhn, LegacyOperation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+ assertDeleteAuthorization(vhn, LegacyOperation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()));
}
public void testAuthoriseDeletePort()
@@ -611,11 +617,11 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
when(mock.getCategoryClass()).thenReturn(BrokerLogInclusionRule.class);
when(mock.getParent()).thenReturn(bl);
when(mock.getModel()).thenReturn(BrokerModel.getInstance());
- assertBrokerChildCreateAuthorization(mock, bl);
+ assertBrokerChildCreateAuthorization(mock);
when(mock.getName()).thenReturn("test");
- assertBrokerChildUpdateAuthorization(mock, bl);
- assertBrokerChildDeleteAuthorization(mock, bl);
+ assertBrokerChildUpdateAuthorization(mock);
+ assertBrokerChildDeleteAuthorization(mock);
}
@@ -629,9 +635,9 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties properties = new ObjectProperties(mock.getName());
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- assertCreateAuthorization(mock, LegacyOperation.CREATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
- assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties, _virtualHost);
- assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties, _virtualHost);
+ assertCreateAuthorization(mock, LegacyOperation.CREATE, ObjectType.VIRTUALHOST, properties);
+ assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties);
+ assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties);
}
public void testAuthoriseVirtualHostLogInclusionRuleOperations()
@@ -651,15 +657,64 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties properties = new ObjectProperties(mock.getName());
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- assertCreateAuthorization(mock, LegacyOperation.CREATE, ObjectType.VIRTUALHOST, properties, vhl);
- assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties, vhl);
- assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties, vhl);
+ assertCreateAuthorization(mock, LegacyOperation.CREATE, ObjectType.VIRTUALHOST, properties);
+ assertUpdateAuthorization(mock, LegacyOperation.UPDATE, ObjectType.VIRTUALHOST, properties);
+ assertDeleteAuthorization(mock, LegacyOperation.DELETE, ObjectType.VIRTUALHOST, properties);
+ }
+
+ public void testAuthoriseInvokeVirtualHostDescendantMethod()
+ {
+ String methodName = "clearQueue";
+ Queue queue = mock(Queue.class);
+ when(queue.getParent()).thenReturn(_virtualHost);
+ when(queue.getModel()).thenReturn(_model);
+ when(queue.getName()).thenReturn(TEST_QUEUE);
+ when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+ when(queue.getCategoryClass()).thenReturn(Queue.class);
+ when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
+ when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+ when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
+ properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
+ properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, _virtualHost.getName());
+
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ same(ObjectType.QUEUE),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
+
+ Result result = _adapter.authoriseMethod(queue, methodName, Collections.emptyMap());
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
+
+ verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), eq(ObjectType.QUEUE), eq(properties));
+ verify(_accessControl, never()).authorise(eq(LegacyOperation.PURGE), eq(ObjectType.QUEUE), any(ObjectProperties.class));
+ }
+ public void testAuthoriseInvokeBrokerDescendantMethod()
+ {
+ String methodName = "getStatistics";
+ VirtualHostNode<?> virtualHostNode = _virtualHostNode;
+
+
+ ObjectProperties properties = new ObjectProperties();
+ properties.put(ObjectProperties.Property.NAME, virtualHostNode.getName());
+ properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
+
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ same(ObjectType.VIRTUALHOSTNODE),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
+
+ Result result = _adapter.authoriseMethod(virtualHostNode, methodName, Collections.emptyMap());
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
+
+ verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), eq(ObjectType.VIRTUALHOSTNODE), eq(properties));
}
public void testAuthorisePurge()
{
Queue queue = mock(Queue.class);
when(queue.getParent()).thenReturn(_virtualHost);
+ when(queue.getModel()).thenReturn(_model);
when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
when(queue.getCategoryClass()).thenReturn(Queue.class);
when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
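Review bot: Both new tests only exercise the ALLOWED path of `INVOKE`; there is no test for the fail-closed case where `INVOKE` is refused and the method has no legacy mapping (the `getStatistics` case in `testAuthoriseInvokeBrokerDescendantMethod` looks like such a method, since the test verifies only the INVOKE call), so the most security-relevant outcome of this change is unpinned. The denied-with-fallback path is covered by `testAuthorisePurge` in the next hunk, but a refusal with no fallback is not. A test along the lines below would close the gap; the expected value should be whatever the adapter is meant to return when no rule matches and no legacy mapping applies, which the adapter diff (outside this chunk) determines. The two blank lines at the top of `testAuthoriseInvokeBrokerDescendantMethod` and the missing blank line before its signature are minor formatting.

```java
    public void testAuthoriseInvokeRefusedWhenNoLegacyMapping()
    {
        when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                      any(ObjectType.class),
                                      any(ObjectProperties.class))).thenReturn(Result.DENIED);

        Result result = _adapter.authoriseMethod(_virtualHostNode, "getStatistics", Collections.emptyMap());
        // adjust if the adapter reports an unmatched operation as DEFER rather than DENIED
        assertEquals("Unexpected authorise result", Result.DENIED, result);
        verify(_accessControl).authorise(eq(LegacyOperation.INVOKE), eq(ObjectType.VIRTUALHOSTNODE), any(ObjectProperties.class));
    }
```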
@@ -668,38 +723,73 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties properties = createExpectedQueueObjectProperties();
- _adapter.authoriseMethod(queue, "clearQueue", Collections.<String,Object>emptyMap());
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ any(ObjectType.class),
+ any(ObjectProperties.class))).thenReturn(Result.DENIED);
+
+ when(_accessControl.authorise(same(LegacyOperation.PURGE),
+ same(ObjectType.QUEUE),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
+
+ Result result = _adapter.authoriseMethod(queue, "clearQueue", Collections.emptyMap());
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
+
verify(_accessControl).authorise(eq(LegacyOperation.PURGE), eq(ObjectType.QUEUE), eq(properties));
}
-
public void testAuthoriseLogsAccessOnBroker()
{
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ same(ObjectType.BROKER),
+ any(ObjectProperties.class))).thenReturn(Result.DENIED);
+ when(_accessControl.authorise(same(LegacyOperation.ACCESS_LOGS),
+ same(ObjectType.BROKER),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
ConfiguredObject logger = mock(BrokerLogger.class);
when(logger.getCategoryClass()).thenReturn(BrokerLogger.class);
- _adapter.authoriseMethod(logger, "getFile", Collections.singletonMap("fileName", (Object)"qpid.log"));
+ when(logger.getModel()).thenReturn(_model);
+ when(logger.getParent()).thenReturn(_broker);
- verify(_accessControl).authorise(ACCESS_LOGS, BROKER, ObjectProperties.EMPTY);
+ Result result = _adapter.authoriseMethod(logger, "getFile", Collections.singletonMap("fileName", "qpid.log"));
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
+
+ verify(_accessControl).authorise(ACCESS_LOGS, BROKER, ObjectProperties.EMPTY);
}
public void testAuthoriseLogsAccessOnVirtualHost()
{
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ same(ObjectType.VIRTUALHOST),
+ any(ObjectProperties.class))).thenReturn(Result.DENIED);
+ when(_accessControl.authorise(same(LegacyOperation.ACCESS_LOGS),
+ same(ObjectType.VIRTUALHOST),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
+
ConfiguredObject logger = mock(VirtualHostLogger.class);
when(logger.getCategoryClass()).thenReturn(VirtualHostLogger.class);
when(logger.getParent()).thenReturn(_virtualHost);
+ when(logger.getModel()).thenReturn(_model);
+
+ Result result = _adapter.authoriseMethod(logger, "getFile", Collections.singletonMap("fileName", "qpid.log"));
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
- _adapter.authoriseMethod(logger, "getFile", Collections.singletonMap("fileName", (Object)"qpid.log"));
ObjectProperties expectedObjectProperties = new ObjectProperties(_virtualHost.getName());
verify(_accessControl).authorise(ACCESS_LOGS, VIRTUALHOST, expectedObjectProperties);
-
-
}
public void testAuthoriseMethod()
{
+ when(_accessControl.authorise(same(LegacyOperation.INVOKE),
+ any(ObjectType.class),
+ any(ObjectProperties.class))).thenReturn(Result.DENIED);
+
+ when(_accessControl.authorise(same(LegacyOperation.UPDATE),
+ same(ObjectType.METHOD),
+ any(ObjectProperties.class))).thenReturn(Result.ALLOWED);
+
ObjectProperties properties = new ObjectProperties("deleteMessages");
properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
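Review bot: `testAuthorisePurge`, `testAuthoriseLogsAccessOnBroker`, `testAuthoriseLogsAccessOnVirtualHost` and `testAuthoriseMethod` all stub `INVOKE` to `Result.DENIED` and then assert `Result.ALLOWED` from the legacy operation, so these tests pin that a DENIED answer for `INVOKE` is a fall-through rather than a veto, and none of them says so. Since `RuleSet` uses `Result.DENIED` as its default result (`_defaultResult = Result.DENIED` earlier in this page), the adapter presumably cannot tell an explicit `DENY ... INVOKE` rule from the absence of any INVOKE rule; if an explicit deny is meant to win over an allowing legacy rule these tests encode the wrong precedence, and if it is not, the precedence should be stated where it is first stubbed. A comment on the INVOKE stub in `testAuthorisePurge`, `// INVOKE denied: the adapter must fall back to the legacy PURGE mapping, an INVOKE denial is not a veto`, would document the intended contract.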
@@ -707,37 +797,22 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
Queue queue = mock(Queue.class);
when(queue.getParent()).thenReturn(_virtualHost);
when(queue.getVirtualHost()).thenReturn(_virtualHost);
+ when(queue.getModel()).thenReturn(_model);
+
when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
when(queue.getCategoryClass()).thenReturn(Queue.class);
+ Result result = _adapter.authoriseMethod(queue, "deleteMessages", Collections.emptyMap());
+ assertEquals("Unexpected authorise result", Result.ALLOWED, result);
- _adapter.authoriseMethod(queue, "deleteMessages", Collections.<String,Object>emptyMap());
verify(_accessControl).authorise(eq(LegacyOperation.UPDATE), eq(ObjectType.METHOD), eq(properties));
-
}
- public void testAuthoriseUserOperation()
- {
- AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
- when(authenticationProvider.getParent()).thenReturn(_broker);
- when(authenticationProvider.getAttribute(Queue.NAME)).thenReturn("test");
- when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
-
-
- ObjectProperties properties = new ObjectProperties("testUser");
-
- _adapter.authoriseMethod(authenticationProvider, "getPreferences", Collections.<String,Object>singletonMap("userId", "testUser"));
- verify(_accessControl).authorise(eq(LegacyOperation.UPDATE), eq(ObjectType.USER), eq(properties));
-
- }
-
-
public void testAccessManagement()
{
- _adapter.authoriseAction(_broker, "manage", Collections.<String,Object>emptyMap());
+ _adapter.authoriseAction(_broker, "manage", Collections.emptyMap());
verify(_accessControl).authorise(LegacyOperation.ACCESS, ObjectType.MANAGEMENT, ObjectProperties.EMPTY);
-
}
public void testAuthorisePublish()
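Review bot: `testAuthoriseUserOperation`, which pinned that `getPreferences` on an authentication provider is authorised as `UPDATE USER` with the `userId` argument as the object name, is deleted without a replacement, so that mapping is no longer covered by any test in this file. If the adapter change in this commit (outside this chunk) removed that mapping, the commit message should say so, since an ACL file relying on a `USER` rule to gate preference access would then behave differently; if the mapping still exists, the test should be kept and updated to stub INVOKE like the other cases, e.g. `when(_accessControl.authorise(same(LegacyOperation.INVOKE), any(ObjectType.class), any(ObjectProperties.class))).thenReturn(Result.DENIED);` ahead of the existing call.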
@@ -765,10 +840,9 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
properties.put(ObjectProperties.Property.NAME, TEST_VIRTUAL_HOST);
properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
- _adapter.authoriseAction(_virtualHost, "connect", Collections.<String,Object>emptyMap());
+ _adapter.authoriseAction(_virtualHost, "connect", Collections.emptyMap());
verify(_accessControl).authorise(eq(LegacyOperation.ACCESS), eq(ObjectType.VIRTUALHOST), eq(properties));
-
}
@@ -798,21 +872,19 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
private void assertBrokerChildCreateAuthorization(ConfiguredObject object)
{
- assertBrokerChildCreateAuthorization(object, _broker);
- }
-
- private void assertBrokerChildCreateAuthorization(ConfiguredObject object, ConfiguredObject parent)
- {
String description = String.format("%s %s '%s'",
LegacyOperation.CREATE.name().toLowerCase(),
object.getCategoryClass().getSimpleName().toLowerCase(),
"TEST");
ObjectProperties properties = new OperationLoggingDetails(description);
- assertCreateAuthorization(object, LegacyOperation.CONFIGURE, ObjectType.BROKER, properties, parent);
+ assertCreateAuthorization(object, LegacyOperation.CONFIGURE, ObjectType.BROKER, properties);
}
- private void assertCreateAuthorization(ConfiguredObject<?> configuredObject, LegacyOperation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject<?>... parents)
+ private void assertCreateAuthorization(ConfiguredObject<?> configuredObject,
+ LegacyOperation aclOperation,
+ ObjectType aclObjectType,
+ ObjectProperties expectedProperties)
{
_adapter.authorise(LegacyOperation.CREATE, configuredObject);
verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
@@ -821,11 +893,6 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject)
{
- assertBrokerChildUpdateAuthorization(configuredObject, _broker);
- }
-
- private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent)
- {
String description = String.format("%s %s '%s'",
LegacyOperation.UPDATE.name().toLowerCase(),
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
@@ -833,21 +900,19 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties properties = new OperationLoggingDetails(description);
assertUpdateAuthorization(configuredObject, LegacyOperation.CONFIGURE, ObjectType.BROKER,
- properties, parent);
+ properties);
}
- private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject, LegacyOperation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject,
+ LegacyOperation aclOperation,
+ ObjectType aclObjectType,
+ ObjectProperties expectedProperties)
{
- assertAuthorization(LegacyOperation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+ assertAuthorization(LegacyOperation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties);
}
private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject)
{
- assertBrokerChildDeleteAuthorization(configuredObject, _broker);
- }
-
- private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject, ConfiguredObject parent)
- {
String description = String.format("%s %s '%s'",
LegacyOperation.DELETE.name().toLowerCase(),
configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
@@ -855,16 +920,23 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
ObjectProperties properties = new OperationLoggingDetails(description);
assertDeleteAuthorization(configuredObject, LegacyOperation.CONFIGURE, ObjectType.BROKER,
- properties, parent);
+ properties);
}
- private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject, LegacyOperation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject,
+ LegacyOperation aclOperation,
+ ObjectType aclObjectType,
+ ObjectProperties expectedProperties)
{
- assertAuthorization(LegacyOperation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+ assertAuthorization(LegacyOperation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties);
}
- private void assertAuthorization(LegacyOperation operation, ConfiguredObject<?> configuredObject, LegacyOperation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+ private void assertAuthorization(LegacyOperation operation,
+ ConfiguredObject<?> configuredObject,
+ LegacyOperation aclOperation,
+ ObjectType aclObjectType,
+ ObjectProperties expectedProperties)
{
_adapter.authorise(operation, configuredObject);
verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
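Review bot: The `assertAuthorization` helper at the end of the hunk only verifies that the expected delegate call occurred; Mockito's default `times(1)` would still pass if the adapter also issued a second, broader `authorise` call (say CONFIGURE on BROKER) for the same operation, which is precisely the over-permissive mapping these ACL tests exist to catch. Consider following the verify with `verifyNoMoreInteractions(_accessControl);` so an unexpected extra delegation fails the test, and, if `_adapter.authorise` returns the delegate's result (not visible in this hunk), asserting that the returned value is the one the mock produced. Since `assertUpdateAuthorization` and `assertDeleteAuthorization` both funnel through this helper, a single change here covers them; `assertCreateAuthorization` earlier in the file carries its own verify and would need the same treatment.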
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
----------------------------------------------------------------------
diff --git a/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java b/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
index ea2975a..ee61dcb 100644
--- a/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
+++ b/broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
@@ -252,7 +252,7 @@ public class ManagementAddressSpace implements NamedAddressSpace
@Override
public boolean authoriseCreateConnection(final AMQPConnection<?> connection)
{
- _broker.authorise(Operation.ACTION("manage"));
+ _broker.authorise(Operation.PERFORM_ACTION("manage"));
return true;
}
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
----------------------------------------------------------------------
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
index 720ca93..c9f8e04 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
@@ -81,7 +81,7 @@ public class HttpManagementUtil
public static final String GZIP_CONTENT_ENCODING = "gzip";
private static final Collection<HttpRequestPreemptiveAuthenticator> AUTHENTICATORS;
- private static final Operation MANAGE_ACTION = Operation.ACTION("manage");
+ private static final Operation MANAGE_ACTION = Operation.PERFORM_ACTION("manage");
static
{
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
----------------------------------------------------------------------
diff --git a/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java b/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
index 681a868..c0045ef 100644
--- a/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
+++ b/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticatorTest.java
@@ -313,7 +313,7 @@ public class OAuth2InteractiveAuthenticatorTest extends QpidTestCase
}
return null;
}
- }).when(mockBroker).authorise(eq(Operation.ACTION("manage")));
+ }).when(mockBroker).authorise(eq(Operation.PERFORM_ACTION("manage")));
when(authenticationProvider.getAuthorizationEndpointURI(any())).thenReturn(new URI(TEST_AUTHORIZATION_ENDPOINT));
when(authenticationProvider.getClientId()).thenReturn(TEST_CLIENT_ID);
http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/0ce2ecd8/doc/java-broker/src/docbkx/security/Java-Broker-Security-ACLs.xml
----------------------------------------------------------------------
diff --git a/doc/java-broker/src/docbkx/security/Java-Broker-Security-ACLs.xml b/doc/java-broker/src/docbkx/security/Java-Broker-Security-ACLs.xml
index fce9e42..8cd3f8e 100644
--- a/doc/java-broker/src/docbkx/security/Java-Broker-Security-ACLs.xml
+++ b/doc/java-broker/src/docbkx/security/Java-Broker-Security-ACLs.xml
@@ -251,6 +251,12 @@
<entry><para>BROKER</para></entry>
<entry><para/></entry>
</row>
+ <row>
+ <entry><command>INVOKE</command> </entry>
+ <entry><para>Allows/denies the specific user to invoke the named operation.</para> </entry>
+ <entry><para>BROKER, VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry>
+ <entry><para>method_name, name and virtualhost_name</para></entry>
+ </row>
</tbody>
</tgroup>
</table>
@@ -269,49 +275,43 @@
<row>
<entry> <command>VIRTUALHOSTNODE</command> </entry>
<entry> <para>A virtualhostnode or remote replication node</para> </entry>
- <entry><para>ALL, CREATE, UPDATE, DELETE</para> </entry>
+ <entry><para>ALL, CREATE, UPDATE, DELETE, INVOKE</para> </entry>
<entry><para>name</para> </entry>
</row>
<row>
<entry> <command>VIRTUALHOST</command> </entry>
<entry> <para>A virtualhost</para> </entry>
- <entry><para>ALL, CREATE, UPDATE, DELETE, ACCESS, ACCESS_LOGS</para> </entry>
+ <entry><para>ALL, CREATE, UPDATE, DELETE, ACCESS, ACCESS_LOGS, INVOKE</para> </entry>
<entry><para>name</para> </entry>
</row>
<row>
<entry> <command>QUEUE</command> </entry>
<entry> <para>A queue </para> </entry>
- <entry><para>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE</para></entry>
+ <entry><para>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE, INVOKE</para></entry>
<entry><para>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</para></entry>
</row>
<row>
<entry> <command>EXCHANGE</command> </entry>
<entry><para>An exchange</para></entry>
- <entry><para>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</para></entry>
+ <entry><para>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE, INVOKE</para></entry>
<entry><para>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</para></entry>
</row>
<row>
<entry> <command>USER</command> </entry>
<entry> <para>A user</para> </entry>
- <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry>
+ <entry><para>ALL, CREATE, DELETE, UPDATE, INVOKE</para></entry>
<entry><para>name</para></entry>
</row>
<row>
<entry> <command>GROUP</command> </entry>
<entry> <para>A group</para> </entry>
- <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry>
+ <entry><para>ALL, CREATE, DELETE, UPDATE, INVOKE</para></entry>
<entry><para>name</para></entry>
</row>
<row>
- <entry> <command>METHOD</command> </entry>
- <entry> <para>Management or agent or broker method</para> </entry>
- <entry><para>ALL, ACCESS, UPDATE</para></entry>
- <entry><para>name, component, virtualhost_name</para></entry>
- </row>
- <row>
<entry> <command>BROKER</command> </entry>
<entry> <para>The broker</para> </entry>
- <entry><para>ALL, CONFIGURE, ACCESS_LOGS</para></entry>
+ <entry><para>ALL, CONFIGURE, ACCESS_LOGS, INVOKE</para></entry>
<entry><para> </para></entry>
</row>
</tbody>
@@ -415,36 +415,13 @@
</para>
</entry>
</row>
- </tbody>
- </tgroup>
- </table>
- <table xml:id="table-Java-Broker-Security-ACLs-Queue-Exchnage-Operations">
- <title>ACL for Queue management operations invoked via REST interfaces</title>
- <tgroup cols="4">
- <tbody>
- <row>
- <entry> <command>Operation</command> </entry>
- <entry> <para>Component</para> </entry>
- <entry> <para>Method</para> </entry>
- <entry> <para>Description</para> </entry>
- </row>
- <row>
- <entry> <command>UPDATE</command> </entry>
- <entry> <para>VirtualHost.Queue</para> </entry>
- <entry> <para>copyMessages</para> </entry>
- <entry> <para>Copy messages</para> </entry>
- </row>
- <row>
- <entry> <command>UPDATE</command> </entry>
- <entry> <para>VirtualHost.Queue</para> </entry>
- <entry> <para>moveMessages</para> </entry>
- <entry> <para>Move messages</para> </entry>
- </row>
<row>
- <entry> <command>UPDATE</command> </entry>
- <entry> <para>VirtualHost.Queue</para> </entry>
- <entry> <para>deleteMessages</para> </entry>
- <entry> <para>Delete messages</para> </entry>
+ <entry><command>method_name</command></entry>
+ <entry>
+ <para>
+ String. The name of the method. Used with INVOKE ACL action.
+ </para>
+ </entry>
</row>
</tbody>
</tgroup>
@@ -467,7 +444,7 @@
should be allowed to connect clients for messaging.
</para>
<programlisting>
-# Deny (loggged) operator/readonly permission to connect messaging clients.
+# Deny (logged) operator/readonly permission to connect messaging clients.
ACL DENY-LOG operator ACCESS VIRTUALHOST
ACL DENY-LOG readonly ACCESS VIRTUALHOST
# Give operator permission to perfom all other actions
@@ -494,7 +471,9 @@ ACL DENY-LOG ALL ALL
# Give usermaint access to management and permission to create
# and delete users through management
ACL ALLOW usermaint ALL USER
+ACL ALLOW usermaint ALL GROUP
ACL DENY ALL ALL USER
+ACL DENY ALL ALL GROUP
...
... rules for other users
...
@@ -575,53 +554,20 @@ ACL DENY-LOG all all
</section>
<section role="h4" xml:id="Java-Broker-Security-ACLs-WorkedExample5">
<title>
- Worked example 5 - REST management ACL example
+ Worked example 5 - REST management ACL example for queue operator
</title>
<para>
This example illustrates how to set up an ACL that restricts usage of REST management interfaces.
</para>
<programlisting>
-# allow to the users from webadmins group to change broker model
-# this rule allows adding/removing/editing of Broker level objects:
-# Broker, Group Provider, Authentication Provider, Port, Access Control Provider etc
-ACL ALLOW-LOG webadmins CONFIGURE BROKER
-
-# allow to the users from webadmins group to perform
-# create/update/delete on virtualhost node and children
-ACL ALLOW-LOG webadmins CREATE VIRTUALHOSTNODE
-ACL ALLOW-LOG webadmins UPDATE VIRTUALHOSTNODE
-ACL ALLOW-LOG webadmins DELETE VIRTUALHOSTNODE
-ACL ALLOW-LOG webadmins CREATE VIRTUALHOST
-ACL ALLOW-LOG webadmins UPDATE VIRTUALHOST
-ACL ALLOW-LOG webadmins DELETE VIRTUALHOST
-ACL ALLOW-LOG webadmins CREATE QUEUE
-ACL ALLOW-LOG webadmins UPDATE QUEUE
-ACL ALLOW-LOG webadmins DELETE QUEUE
-ACL ALLOW-LOG webadmins PURGE QUEUE
-ACL ALLOW-LOG webadmins CREATE EXCHANGE
-ACL ALLOW-LOG webadmins DELETE EXCHANGE
-ACL ALLOW-LOG webadmins BIND EXCHANGE
-ACL ALLOW-LOG webadmins UNBIND EXCHANGE
-
-# allow to the users from webadmins group to create/update/delete groups on Group Providers
-ACL ALLOW-LOG webadmins CREATE GROUP
-ACL ALLOW-LOG webadmins DELETE GROUP
-ACL ALLOW-LOG webadmins UPDATE GROUP
-
-# allow to the users from webadmins group to create/update/delete users for Authentication Providers
-ACL ALLOW-LOG webadmins CREATE USER
-ACL ALLOW-LOG webadmins DELETE USER
-ACL ALLOW-LOG webadmins UPDATE USER
-
-# allow to the users from webadmins group to move, copy, delete messagaes, and clear the queue
-# using REST management interfaces
-ACL ALLOW-LOG webadmins UPDATE METHOD
+# allow to the users from operators group to do the following
+ access virtualhost "default"
+ create, delete, update and invoke any method on queues
+ invoke any method "getStatistics" on virtaul host
-# at the moment only the following UPDATE METHOD rules are supported by web management console
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue"
+ACL ALLOW-LOG operators ACCESS MANAGEMENT
+ACL ALLOW-LOG operators ALL QUEUE
+ACL ALLOW-LOG operators INVOKE VIRTUALHOST method_name="getStatistics"
ACL DENY-LOG all all
</programlisting>