Posted to issues@activemq.apache.org by "Timothy A. Bish (Jira)" <ji...@apache.org> on 2023/02/01 22:05:00 UTC

[jira] [Assigned] (ARTEMIS-2431) [AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open

     [ https://issues.apache.org/jira/browse/ARTEMIS-2431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy A. Bish reassigned ARTEMIS-2431:
----------------------------------------

    Assignee: Timothy A. Bish

> [AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open
> -----------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-2431
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2431
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP
>    Affects Versions: 2.9.0
>            Reporter: Jiri Daněk
>            Assignee: Timothy A. Bish
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> If a client sends open, begin and attach frames all at once, then the issue ARTEMIS-2344 still manifests itself. Sending the initial frames all at once is known as the pipelined open (http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520), and one client that does this is qpid-proton-cpp.
> {noformat}
> $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples" --log-msgs dict -c 1
> [0x9ea9d0]:  -> SASL
> [0x9ea9d0]:  <- SASL
> [0x9ea9d0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
> [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS, initial-response=b"anonymous@nixos"]
> [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
> [0x9ea9d0]:  -> AMQP
> [0x9ea9d0]:0 -> @open(16) [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost", channel-max=32767]
> [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
> [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="examples", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
> [0x9ea9d0]:  <- AMQP
> [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072, channel-max=65535, idle-time-out=30000, offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container", :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"], properties={:product="apache-activemq-artemis", :version="2.9.0"}]
> [0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
> [0x9ea9d0]:  <- EOS
> [error]: Failed to connect to localhost:34949
> [0x9ea9d0]:0 -> @close(24) []
> [0x9ea9d0]:  -> EOS
> {noformat}
> The broker side then looks like this
> {noformat}
> DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
> DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
> DEBUG - -Dio.netty.recycler.linkCapacity: 16
> DEBUG - -Dio.netty.recycler.ratio: 8
> DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
> DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
> INFO - AMQ601267: User anonymous is creating a core session on target resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288 [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee, true, OperationContextImpl [834445691] [minimalStore=9223372036854775807, storeLineUp=0, stored=0, minimalReplicated=9223372036854775807, replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807, pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0, executor=OrderedExecutor(tasks=[])], {}]]
> DEBUG - Couldn't validate user
> javax.security.auth.login.LoginException: Invalid null input: name
> 	at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
> 	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
> 	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
> 	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
> 	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
> 	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
> 	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> 	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> 	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> 	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> 	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> 	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> 	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> 	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
> DEBUG - Message CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860 is not going anywhere as it didn't have a binding on address:activemq.notifications
> WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
> ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable]
> 	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
> 	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
> 	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> 	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> 	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> 	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> 	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> 	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> 	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> 	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> WARN - null
> java.lang.NullPointerException
> 	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
> 	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
> 	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
> 	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
> 	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
> 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
> 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
> 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
> 	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
> 	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
> 	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
> 	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
> 	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
> 	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
> DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
> {noformat}
> The NullPointerException happens when the broker is acting on the Attach frame. This is wrong, because at this point we know the client has not authenticated, and any subsequent communication should be ignored.
> Furthermore, the broker authenticates the client on the initial SASL exchange, and only throws the auth error on processing the Begin frame. Is that correct? Shouldn't the broker fail the initial SASL exchange? (Assuming the broker is configured as in the test org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions.) And should the broker advertise SASL ANONYMOUS?
> Failing test for this is attached in a PR.
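The ordering problem the report describes, modelled as an added example that is not code from ActiveMQ Artemis or qpid-proton: a server-side dispatcher receives open, begin and attach in one batch, and the difference between the failing and the hardened behaviour is where authentication is checked and what happens to the frames that follow a failure. The frame records, the `VALID_USERS` set and the `authenticate` helper are constructed stand-ins for the broker's security manager, not the project's API.

```python
"""Model of a pipelined AMQP open against a server that authenticates the connection.

Added example, not ActiveMQ Artemis or qpid-proton code. Frames are decoded
performatives represented as simple records; the two dispatchers show the
reported failure mode and a guarded variant side by side.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Frame:
    performative: str                         # "open", "begin", "attach", "close"
    channel: int = 0
    fields: dict = field(default_factory=dict)


@dataclass
class Connection:
    user: Optional[str]                       # identity from the SASL layer; None for ANONYMOUS
    authenticated: bool = False
    closed: bool = False
    sent: list = field(default_factory=list)  # frames the server emitted, in order
    sessions: dict = field(default_factory=dict)  # channel -> session state
    dropped: list = field(default_factory=list)   # performatives ignored after close


VALID_USERS = {"alice"}                       # constructed; hypothetical user store


def authenticate(user: Optional[str]) -> bool:
    """Hypothetical authenticator: a null (anonymous) user is rejected."""
    return user is not None and user in VALID_USERS


def close_with_error(conn: Connection, condition: str, description: str) -> None:
    """Answer with close carrying an AMQP error condition and stop processing."""
    error = {"condition": condition, "description": description}
    conn.sent.append(Frame("close", fields={"error": error}))
    conn.closed = True


def dispatch_naive(conn: Connection, frames: list) -> Connection:
    """Reproduces the reported behaviour: authentication runs while the session
    for begin is created, a failure only leaves the session unset, and the
    pipelined attach then dereferences it (the NullPointerException analogue)."""
    for f in frames:
        if f.performative == "open":
            conn.sent.append(Frame("open"))
        elif f.performative == "begin":
            if authenticate(conn.user):
                conn.sessions[f.channel] = {"links": {}}
            else:
                conn.sessions[f.channel] = None   # logged as a security problem, nothing sent
        elif f.performative == "attach":
            session = conn.sessions.get(f.channel)
            try:
                session["links"][f.fields["name"]] = f.fields
            except TypeError:                      # None["links"] -> internal error to the peer
                close_with_error(conn, "amqp:internal-error",
                                 "Unrecoverable error: NullPointerException")
    return conn


def dispatch_guarded(conn: Connection, frames: list) -> Connection:
    """Guarded variant: authenticate when the open arrives, answer a failure with
    open followed by close(amqp:unauthorized-access), and drop every frame that
    was pipelined behind it. Frames arriving before a successful open are refused too."""
    for f in frames:
        if conn.closed:
            conn.dropped.append(f.performative)   # never dispatched to session/link code
            continue
        if f.performative == "open":
            conn.sent.append(Frame("open"))       # open is answered before any close
            if not authenticate(conn.user):
                close_with_error(conn, "amqp:unauthorized-access", "Unable to validate user")
                continue
            conn.authenticated = True
        elif not conn.authenticated:
            conn.sent.append(Frame("open"))
            close_with_error(conn, "amqp:unauthorized-access",
                             "%s received before an authenticated open" % f.performative)
        elif f.performative == "begin":
            conn.sessions[f.channel] = {"links": {}}
            conn.sent.append(Frame("begin", f.channel))
        elif f.performative == "attach":
            conn.sessions[f.channel]["links"][f.fields["name"]] = f.fields
            conn.sent.append(Frame("attach", f.channel))
    return conn


def pipelined_open() -> list:
    """Constructed batch mirroring the trace: open, begin and attach in one read."""
    return [Frame("open"), Frame("begin", 0), Frame("attach", 0, {"name": "link-1"})]


if __name__ == "__main__":
    for name, dispatch in (("naive", dispatch_naive), ("guarded", dispatch_guarded)):
        conn = dispatch(Connection(user=None), pipelined_open())
        print(name, [f.performative for f in conn.sent], conn.sent[-1].fields, conn.dropped)
```

Run stand-alone it prints, for the anonymous connection, the naive dispatcher's trailing `close` with `amqp:internal-error` and the guarded dispatcher's `open`, `close` with `amqp:unauthorized-access` plus the two dropped performatives; an authenticated user gets open, begin and attach answered normally by the guarded path.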



--
This message was sent by Atlassian Jira
(v8.20.10#820010)