Posted to commits@qpid.apache.org by ro...@apache.org on 2009/11/26 17:47:37 UTC
svn commit: r884634 - in /qpid/trunk/qpid/java/systests:
etc/config-systests-firewall-2.xml etc/config-systests-firewall-3.xml
src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
Author: robbie
Date: Thu Nov 26 16:47:36 2009
New Revision: 884634
URL: http://svn.apache.org/viewvc?rev=884634&view=rev
Log:
QPID-2184: add additional testing against static firewall configurations
Added:
qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml
qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml
Modified:
qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml?rev=884634&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml (added)
+++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall-2.xml Thu Nov 26 16:47:36 2009
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+ -->
+<broker>
+ <prefix>${QPID_HOME}</prefix>
+ <work>${QPID_WORK}</work>
+ <conf>${prefix}/etc</conf>
+ <connector>
+ <!-- To enable SSL edit the keystorePath and keystorePassword
+ and set enabled to true.
+ To disasble Non-SSL port set sslOnly to true -->
+ <ssl>
+ <enabled>false</enabled>
+ <sslOnly>false</sslOnly>
+ <keystorePath>/path/to/keystore.ks</keystorePath>
+ <keystorePassword>keystorepass</keystorePassword>
+ </ssl>
+ <qpidnio>false</qpidnio>
+ <protectio>
+ <enabled>false</enabled>
+ <readBufferLimitSize>262144</readBufferLimitSize>
+ <writeBufferLimitSize>262144</writeBufferLimitSize>
+ </protectio>
+ <transport>nio</transport>
+ <port>5672</port>
+ <sslport>8672</sslport>
+ <socketReceiveBuffer>32768</socketReceiveBuffer>
+ <socketSendBuffer>32768</socketSendBuffer>
+ </connector>
+ <management>
+ <enabled>false</enabled>
+ <jmxport>8999</jmxport>
+ <ssl>
+ <enabled>false</enabled>
+ <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
+ <keyStorePath>${prefix}/../test-profiles/test_resources/ssl/keystore.jks</keyStorePath>
+ <keyStorePassword>password</keyStorePassword>
+ </ssl>
+ </management>
+ <advanced>
+ <filterchain enableExecutorPool="true"/>
+ <enablePooledAllocator>false</enablePooledAllocator>
+ <enableDirectBuffers>false</enableDirectBuffers>
+ <framesize>65535</framesize>
+ <compressBufferOnQueue>false</compressBufferOnQueue>
+ <enableJMSXUserID>false</enableJMSXUserID>
+ <locale>en_US</locale>
+ </advanced>
+
+ <security>
+ <principal-databases>
+ <!-- Example use of Base64 encoded MD5 hashes for authentication via CRAM-MD5-Hashed -->
+ <principal-database>
+ <name>passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/passwd</value>
+ </attribute>
+ </attributes>
+ </principal-database>
+ </principal-databases>
+
+ <access>
+ <class>org.apache.qpid.server.security.access.plugins.AllowAll</class>
+ </access>
+
+ <msg-auth>false</msg-auth>
+
+ <jmx>
+ <access>${conf}/jmxremote.access</access>
+ <principal-database>passwordfile</principal-database>
+ </jmx>
+
+ <firewall default-action="allow">
+ <rule access="deny" network="127.0.0.1"/>
+ </firewall>
+ </security>
+
+ <virtualhosts>
+ <default>test</default>
+
+ <virtualhost>
+ <name>test</name>
+ <test>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ <security>
+ <firewall default-action="allow"/>
+ </security>
+ </test>
+ </virtualhost>
+
+ <virtualhost>
+ <name>test2</name>
+ <test2>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ </test2>
+ </virtualhost>
+ </virtualhosts>
+ <heartbeat>
+ <delay>0</delay>
+ <timeoutFactor>2.0</timeoutFactor>
+ </heartbeat>
+ <queue>
+ <auto_register>true</auto_register>
+ </queue>
+
+ <status-updates>ON</status-updates>
+
+</broker>
+
+
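Review bot: The comment above `<principal-database>` describes "Base64 encoded MD5 hashes for authentication via CRAM-MD5-Hashed", but the class configured directly below it is `PlainPasswordFilePrincipalDatabase`, which by its name reads a plain-text password file. The comment should match the configuration, for example `<!-- Plain-text password file; for system tests only -->`, so nobody copying this file assumes the credentials are stored hashed. The same mismatch is repeated in config-systests-firewall-3.xml. Since both new files appear to differ from each other only in their `<firewall>` elements, a one-line header comment naming the test method that loads each file would also make the intent clear.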
Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml?rev=884634&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml (added)
+++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall-3.xml Thu Nov 26 16:47:36 2009
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements. See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership. The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied. See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+ -->
+<broker>
+ <prefix>${QPID_HOME}</prefix>
+ <work>${QPID_WORK}</work>
+ <conf>${prefix}/etc</conf>
+ <connector>
+ <!-- To enable SSL edit the keystorePath and keystorePassword
+ and set enabled to true.
+ To disasble Non-SSL port set sslOnly to true -->
+ <ssl>
+ <enabled>false</enabled>
+ <sslOnly>false</sslOnly>
+ <keystorePath>/path/to/keystore.ks</keystorePath>
+ <keystorePassword>keystorepass</keystorePassword>
+ </ssl>
+ <qpidnio>false</qpidnio>
+ <protectio>
+ <enabled>false</enabled>
+ <readBufferLimitSize>262144</readBufferLimitSize>
+ <writeBufferLimitSize>262144</writeBufferLimitSize>
+ </protectio>
+ <transport>nio</transport>
+ <port>5672</port>
+ <sslport>8672</sslport>
+ <socketReceiveBuffer>32768</socketReceiveBuffer>
+ <socketSendBuffer>32768</socketSendBuffer>
+ </connector>
+ <management>
+ <enabled>false</enabled>
+ <jmxport>8999</jmxport>
+ <ssl>
+ <enabled>false</enabled>
+ <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
+ <keyStorePath>${prefix}/../test-profiles/test_resources/ssl/keystore.jks</keyStorePath>
+ <keyStorePassword>password</keyStorePassword>
+ </ssl>
+ </management>
+ <advanced>
+ <filterchain enableExecutorPool="true"/>
+ <enablePooledAllocator>false</enablePooledAllocator>
+ <enableDirectBuffers>false</enableDirectBuffers>
+ <framesize>65535</framesize>
+ <compressBufferOnQueue>false</compressBufferOnQueue>
+ <enableJMSXUserID>false</enableJMSXUserID>
+ <locale>en_US</locale>
+ </advanced>
+
+ <security>
+ <principal-databases>
+ <!-- Example use of Base64 encoded MD5 hashes for authentication via CRAM-MD5-Hashed -->
+ <principal-database>
+ <name>passwordfile</name>
+ <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
+ <attributes>
+ <attribute>
+ <name>passwordFile</name>
+ <value>${conf}/passwd</value>
+ </attribute>
+ </attributes>
+ </principal-database>
+ </principal-databases>
+
+ <access>
+ <class>org.apache.qpid.server.security.access.plugins.AllowAll</class>
+ </access>
+
+ <msg-auth>false</msg-auth>
+
+ <jmx>
+ <access>${conf}/jmxremote.access</access>
+ <principal-database>passwordfile</principal-database>
+ </jmx>
+
+ <firewall default-action="deny">
+ <rule access="allow" network="127.0.0.1"/>
+ </firewall>
+ </security>
+
+ <virtualhosts>
+ <default>test</default>
+
+ <virtualhost>
+ <name>test</name>
+ <test>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ </test>
+ </virtualhost>
+
+ <virtualhost>
+ <name>test2</name>
+ <test2>
+ <store>
+ <class>org.apache.qpid.server.store.MemoryMessageStore
+ </class>
+ </store>
+ <security>
+ <firewall default-action="deny"/>
+ </security>
+ </test2>
+ </virtualhost>
+ </virtualhosts>
+ <heartbeat>
+ <delay>0</delay>
+ <timeoutFactor>2.0</timeoutFactor>
+ </heartbeat>
+ <queue>
+ <auto_register>true</auto_register>
+ </queue>
+
+ <status-updates>ON</status-updates>
+
+</broker>
+
+
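Review bot: Nothing in this file says which level is meant to win when the broker and virtual-host firewall settings disagree, although that is what it is set up to exercise. The broker block allows 127.0.0.1 under a default deny, while `test2` sets `default-action="deny"` with no rules. A comment above the `test2` `<security>` element would record this, for example `<!-- vhost-level deny is expected to override the broker-level allow for 127.0.0.1; see FirewallConfigTest.testVhostDenyBrokerAllow -->`. The rule also names only the IPv4 loopback address, so the expected results presumably depend on the test client connecting from 127.0.0.1 rather than from ::1 or another local address; that assumption is worth stating in the same comment.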
Modified: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java?rev=884634&r1=884633&r2=884634&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java (original)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java Thu Nov 26 16:47:36 2009
@@ -7,6 +7,7 @@
import javax.jms.Connection;
import javax.jms.JMSException;
+import org.apache.qpid.client.AMQConnectionURL;
import org.apache.qpid.test.utils.QpidTestCase;
public class FirewallConfigTest extends QpidTestCase
@@ -50,6 +51,87 @@
out.write("</broker>");
out.close();
}
+
+ public void testVhostAllowBrokerDeny() throws Exception
+ {
+ if (_broker.equals(VM))
+ {
+ //No point running this test with an InVM broker as the
+ //firewall plugin only functions for TCP connections.
+ return;
+ }
+
+ _configFile = new File(System.getProperty("QPID_HOME"), "etc/config-systests-firewall-2.xml");
+
+ super.setUp();
+
+ Connection conn = null;
+ try
+ {
+ //Try to get a connection to the 'test2' vhost
+ //This is expected to fail as it is denied at the broker level
+ conn = getConnection(new AMQConnectionURL(
+ "amqp://username:password@clientid/test2?brokerlist='" + getBroker() + "'"));
+ fail("We expected the connection to fail");
+ }
+ catch (JMSException e)
+ {
+ //ignore
+ }
+
+ conn = null;
+ try
+ {
+ //Try to get a connection to the 'test' vhost
+ //This is expected to succeed as it is allowed at the vhost level
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ e.getLinkedException().printStackTrace();
+ fail("The connection was expected to succeed: " + e.getMessage());
+ }
+ }
+
+ public void testVhostDenyBrokerAllow() throws Exception
+ {
+ if (_broker.equals(VM))
+ {
+ //No point running this test with an InVM broker as the
+ //firewall plugin only functions for TCP connections.
+ return;
+ }
+
+ _configFile = new File(System.getProperty("QPID_HOME"), "etc/config-systests-firewall-3.xml");
+
+ super.setUp();
+
+ Connection conn = null;
+ try
+ {
+ //Try to get a connection to the 'test2' vhost
+ //This is expected to fail as it is denied at the vhost level
+ conn = getConnection(new AMQConnectionURL(
+ "amqp://username:password@clientid/test2?brokerlist='" + getBroker() + "'"));
+ }
+ catch (JMSException e)
+ {
+ //ignore
+ }
+
+ conn = null;
+ try
+ {
+ //Try to get a connection to the 'test' vhost
+ //This is expected to succeed as it is allowed at the broker level
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ e.getLinkedException().printStackTrace();
+ fail("The connection was expected to succeed: " + e.getMessage());
+ }
+ }
public void testDenyOnRestart() throws Exception
{
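Review bot: In `testVhostDenyBrokerAllow` the first `try` block has no `fail(...)` after the `getConnection(new AMQConnectionURL(...))` call, so the test still passes when the connection to `test2` succeeds and the vhost-level deny is never checked. Add `fail("We expected the connection to fail");` after that call, as `testVhostAllowBrokerDeny` already does. In both tests the `catch (JMSException e) { //ignore }` accepts any connection failure as a firewall denial, so a rejected login or an unreachable broker would presumably satisfy the test too; asserting on the cause would make the deny check meaningful. The connections that do open are never closed, and `e.getLinkedException().printStackTrace()` will throw a NullPointerException when no linked exception is set, hiding the intended `fail` message.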