Posted to commits@activemq.apache.org by ta...@apache.org on 2018/03/02 21:48:05 UTC
[1/2] activemq-artemis git commit: ARTEMIS-1726 - check proper
permissions when using OpenWire
Repository: activemq-artemis
Updated Branches:
refs/heads/master 9f9040dd6 -> 985a8cf7e
ARTEMIS-1726 - check proper permissions when using OpenWire
Ensure that the proper permissions are checked on queue creation
and deletion
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/da3dd291
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/da3dd291
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/da3dd291
Branch: refs/heads/master
Commit: da3dd29101c8ab14abfde9dbdac6261c87ba3efa
Parents: 9f9040d
Author: Christopher L. Shannon (cshannon) <ch...@gmail.com>
Authored: Wed Feb 28 16:28:55 2018 -0500
Committer: Timothy Bish <ta...@gmail.com>
Committed: Fri Mar 2 16:47:23 2018 -0500
----------------------------------------------------------------------
.../protocol/openwire/OpenWireConnection.java | 5 +-
.../core/protocol/openwire/amq/AMQSession.java | 2 +-
.../integration/security/SecurityTest.java | 125 ++++++++++++++++++-
3 files changed, 124 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/da3dd291/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java
----------------------------------------------------------------------
diff --git a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java
index 803ed22..90dfe97 100644
--- a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java
+++ b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/OpenWireConnection.java
@@ -80,7 +80,6 @@ import org.apache.activemq.artemis.core.transaction.TransactionOperationAbstract
import org.apache.activemq.artemis.core.transaction.TransactionPropertyIndexes;
import org.apache.activemq.artemis.spi.core.protocol.AbstractRemotingConnection;
import org.apache.activemq.artemis.spi.core.protocol.ConnectionEntry;
-import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.remoting.Connection;
import org.apache.activemq.artemis.utils.UUIDGenerator;
import org.apache.activemq.artemis.utils.collections.ConcurrentHashSet;
@@ -227,7 +226,7 @@ public class OpenWireConnection extends AbstractRemotingConnection implements Se
// SecurityAuth implementation
@Override
- public RemotingConnection getRemotingConnection() {
+ public OpenWireConnection getRemotingConnection() {
return this;
}
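Review bot: Narrowing the return type of `getRemotingConnection()` to `OpenWireConnection` appears to exist only so that the later `removeDestination` hunk can pass the result to `server.destroyQueue(...)` as the security context. If the class itself is the `SecurityAuth` (the `// SecurityAuth implementation` comment suggests so, but the `implements` list is truncated in the hunk header), passing `this` at that call would be more direct and would leave the override's signature alone. If the covariant return is kept, a one-line comment such as `// covariant return: callers need the SecurityAuth view of this connection` would record why it differs from the interface.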
@@ -989,7 +988,7 @@ public class OpenWireConnection extends AbstractRemotingConnection implements Se
public void removeDestination(ActiveMQDestination dest) throws Exception {
if (dest.isQueue()) {
try {
- server.destroyQueue(new SimpleString(dest.getPhysicalName()));
+ server.destroyQueue(new SimpleString(dest.getPhysicalName()), getRemotingConnection());
} catch (ActiveMQNonExistentQueueException neq) {
//this is ok, ActiveMQ 5 allows this and will actually do it quite often
ActiveMQServerLogger.LOGGER.debug("queue never existed");
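Review bot: Only the `dest.isQueue()` branch gains a permission-checked call here. The rest of `removeDestination` lies outside the hunk, so this diff cannot confirm that the non-queue (topic) removal path is also authorized against the connection's user, and that is worth checking. The test added in this commit only exercises deletion of a queue. A comment above the call would help, for example `// pass the connection as SecurityAuth so the delete permission is enforced for this user`, since the one-argument overload used before apparently did not perform that check. The catch stays limited to `ActiveMQNonExistentQueueException`, so a permission denial is not swallowed by the "queue never existed" path.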
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/da3dd291/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java
----------------------------------------------------------------------
diff --git a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java
index fecb5a1..c607ca4 100644
--- a/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java
+++ b/artemis-protocols/artemis-openwire-protocol/src/main/java/org/apache/activemq/artemis/core/protocol/openwire/amq/AMQSession.java
@@ -249,7 +249,7 @@ public class AMQSession implements SessionCallback {
routingTypeToUse = as.getDefaultAddressRoutingType();
}
}
- server.createQueue(addressToUse, routingTypeToUse, queueNameToUse, null, true, isTemporary);
+ coreSession.createQueue(addressToUse, queueNameToUse, routingTypeToUse, null, isTemporary, true);
connection.addKnownDestination(queueName);
} else {
hasQueue = false;
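Review bot: The two trailing boolean arguments change order between the old and new call (`true, isTemporary` becomes `isTemporary, true`), and nothing at the call site says which is which. Assuming the session method takes `temporary` before `durable`, the values are preserved, but adjacent booleans are easy to transpose and here they plausibly decide which create permission is checked. Naming them would make that reviewable: `coreSession.createQueue(addressToUse, queueNameToUse, routingTypeToUse, null, /* temporary */ isTemporary, /* durable */ true);`. Since `durable` stays hard-coded to `true` even when `isTemporary` is set, it is worth confirming that a temporary destination reaching this line is checked against the intended permission. The enclosing method starts and ends outside the hunk.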
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/da3dd291/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
index cb59471..2bced47 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/SecurityTest.java
@@ -16,10 +16,6 @@
*/
package org.apache.activemq.artemis.tests.integration.security;
-import javax.jms.Session;
-import javax.security.cert.X509Certificate;
-import javax.transaction.xa.XAResource;
-import javax.transaction.xa.Xid;
import java.lang.management.ManagementFactory;
import java.net.URL;
import java.util.HashMap;
@@ -27,6 +23,13 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Set;
+import javax.jms.MessageProducer;
+import javax.jms.QueueBrowser;
+import javax.jms.Session;
+import javax.security.cert.X509Certificate;
+import javax.transaction.xa.XAResource;
+import javax.transaction.xa.Xid;
+
import org.apache.activemq.ActiveMQConnection;
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.apache.activemq.artemis.api.core.ActiveMQException;
@@ -60,6 +63,7 @@ import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.tests.util.CreateMessage;
+import org.apache.activemq.command.ActiveMQQueue;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
@@ -220,6 +224,119 @@ public class SecurityTest extends ActiveMQTestBase {
}
}
+ /**
+ * Verify role permissions are applied properly when using OpenWire
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testJAASSecurityManagerOpenWireNegative() throws Exception {
+ ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+ ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+ Set<Role> roles = new HashSet<>();
+ roles.add(new Role("programmers", false, false, false, false, false, false, false, false, false, false));
+ server.getConfiguration().putSecurityRoles("#", roles);
+
+ Map<String, Object> params = new HashMap<>();
+ params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+ params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-side-keystore.jks");
+ params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-side-truststore.jks");
+ params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "secureexample");
+ params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
+ server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+ server.start();
+
+ ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory("ssl://localhost:61616");
+ factory.setUserName("test-user");
+ factory.setTrustStore("client-side-truststore.jks");
+ factory.setTrustStorePassword("secureexample");
+ factory.setKeyStore("client-side-keystore.jks");
+ factory.setKeyStorePassword("secureexample");
+
+ try (ActiveMQConnection connection = (ActiveMQConnection) factory.createConnection()) {
+ Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+ //Test queue creation permission
+ try {
+ session.createConsumer(session.createQueue("test.queue"));
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_DURABLE_QUEUE' for queue test.queue on address test.queue"));
+ }
+
+ //Test non durable create permission
+ try {
+ session.createConsumer(session.createTopic("test.topic"));
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_NON_DURABLE_QUEUE'"));
+ }
+
+ //Add a test queue and topic to the server
+ SimpleString address = SimpleString.toSimpleString("test.queue");
+ server.addAddressInfo(new AddressInfo(address, RoutingType.ANYCAST));
+ server.createQueue(address, RoutingType.ANYCAST, address, null, true, false);
+
+ SimpleString address2 = SimpleString.toSimpleString("test.topic");
+ server.addAddressInfo(new AddressInfo(address2, RoutingType.MULTICAST));
+
+ //Test queue produce permission
+ try {
+ MessageProducer producer = session.createProducer(session.createQueue("test.queue"));
+ producer.send(session.createMessage());
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='SEND'"));
+ }
+
+ //Test queue consume permission
+ try {
+ session.createConsumer(session.createQueue("test.queue"));
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='CONSUME' for queue test.queue on address test.queue"));
+ }
+
+ //Test queue browse permission
+ try {
+ QueueBrowser browser = session.createBrowser(session.createQueue("test.queue"));
+ browser.getEnumeration();
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='BROWSE' for queue test.queue on address test.queue"));
+ }
+
+ //Test queue deletion permission
+ try {
+ connection.destroyDestination(new ActiveMQQueue("test.queue"));
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='DELETE_DURABLE_QUEUE' for queue test.queue on address test.queue"));
+ }
+
+ //Test temp queue
+ try {
+ session.createTemporaryQueue();
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_NON_DURABLE_QUEUE'"));
+ }
+
+ //Test temp topic
+ try {
+ session.createTemporaryTopic();
+ Assert.fail("should throw exception here");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("User: test-user does not have permission='CREATE_ADDRESS'"));
+ }
+
+ session.close();
+ }
+ }
+
@Test
public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception {
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("PropertiesLogin");
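Review bot: Every negative check in `testJAASSecurityManagerOpenWireNegative` catches bare `Exception` and asserts on `e.getMessage().contains(...)`. An unrelated failure with a null message would therefore surface as a `NullPointerException`, and one with different text as an `assertTrue` failure that does not show what was actually thrown. Passing the exception as the assertion message keeps a wrong-reason failure diagnosable, for example `assertTrue("unexpected: " + e, String.valueOf(e.getMessage()).contains("User: test-user does not have permission='SEND'"));`. All eight checks also share one session, so it may be worth confirming that a denied operation leaves the session usable for the checks that follow. The last three context lines of the hunk belong to the next test, which continues outside it.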
[2/2] activemq-artemis git commit: This closes #1923
Posted by ta...@apache.org.
This closes #1923
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/985a8cf7
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/985a8cf7
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/985a8cf7
Branch: refs/heads/master
Commit: 985a8cf7e10b7e7063b39e3e38884377d5f7268f
Parents: 9f9040d da3dd29
Author: Timothy Bish <ta...@gmail.com>
Authored: Fri Mar 2 16:47:47 2018 -0500
Committer: Timothy Bish <ta...@gmail.com>
Committed: Fri Mar 2 16:47:47 2018 -0500
----------------------------------------------------------------------
.../protocol/openwire/OpenWireConnection.java | 5 +-
.../core/protocol/openwire/amq/AMQSession.java | 2 +-
.../integration/security/SecurityTest.java | 125 ++++++++++++++++++-
3 files changed, 124 insertions(+), 8 deletions(-)
----------------------------------------------------------------------