activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chir...@apache.org
Subject svn commit: r1162755 - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/ apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-openwire/src/main/scala/org/apache/activemq/apoll...
Date Mon, 29 Aug 2011 12:03:36 GMT
Author: chirino
Date: Mon Aug 29 12:03:36 2011
New Revision: 1162755

URL: http://svn.apache.org/viewvc?rev=1162755&view=rev
Log:
Fixes https://issues.apache.org/jira/browse/APLO-84 : Log more information in case of authorization
failures

Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
    activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
    activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/LocalRouter.scala
Mon Aug 29 12:03:36 2011
@@ -271,24 +271,21 @@ class LocalRouter(val virtual_host:Virtu
         return None
       }
 
-      if( destination.temp_owner != null ) {
-        for( connection <- security.connection_id) {
-          if( connection != destination.temp_owner.longValue() ) {
-            return Some("Not authorized to destroy the destination.")
+      for(dest <- get_destination_matches(path)) {
+
+        if( destination.temp_owner != null ) {
+          for( connection <- security.connection_id) {
+            if( connection != destination.temp_owner.longValue() ) {
+              return Some("Not authorized to destroy the temp %s '%s'. Principals=%s".format(dest.resource_kind.id,
dest.id, security.principal_dump))
+            }
           }
         }
-      }
 
-      val matches = get_destination_matches(path)
-      matches.foldLeft(None:Option[String]) { case (rc,dest) =>
-        rc.orElse {
-          if( authorizer.can(security, "destroy", dest) ) {
-            None
-          } else {
-            Some("Not authorized to destroy destination: %s".format(dest.id))
-          }
+        if( !authorizer.can(security, "destroy", dest) ) {
+          return Some("Not authorized to destroy the %s '%s'. Principals=%s".format(dest.resource_kind.id,
dest.id, security.principal_dump))
         }
       }
+      None
     }
     def destroy_destination(path:Path, destination:DestinationDTO, security: SecurityContext):Unit
 
@@ -303,7 +300,7 @@ class LocalRouter(val virtual_host:Virtu
       if( destination.temp_owner != null ) {
         for( connection <- security.connection_id) {
           if( connection != destination.temp_owner.longValue() ) {
-            return Some("Not authorized to receive from the temporary destination.")
+            return Some("Not authorized to receive from the temporary destination. Principals=%s".format(security.principal_dump))
           }
         }
       }
@@ -325,8 +322,9 @@ class LocalRouter(val virtual_host:Virtu
         }
 
         matches.foreach { dest =>
-          if( !authorizer.can(security, bind_action(consumer), dest) ) {
-            return Some("Not authorized to receive from the destination.")
+          var action: String = bind_action(consumer)
+          if (!authorizer.can(security, action, dest)) {
+            return Some("Not authorized to %s from the %s '%s'. Principals=%s".format(action,
dest.resource_kind.id, dest.id, security.principal_dump))
           }
         }
       }
@@ -390,7 +388,7 @@ class LocalRouter(val virtual_host:Virtu
         assert( matches.size == 1 )
         for( dest <- matches ) {
           if( !authorizer.can(security, "send", dest) ) {
-            return Some("Not authorized to send to the destination.")
+            return Some("Not authorized to send to the %s '%s'. Principals=%s".format(dest.resource_kind.id,
dest.id, security.principal_dump))
           }
         }
 
@@ -533,7 +531,7 @@ class LocalRouter(val virtual_host:Virtu
         def id = destination_parser.encode_path(path)
       }
       if( !authorizer.can(security, "create", resource)) {
-        Some("Not authorized to create the destination")
+        return Some("Not authorized to create the topic '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       } else {
         None
       }
@@ -551,7 +549,7 @@ class LocalRouter(val virtual_host:Virtu
         def id = destination_parser.encode_path(path)
       }
       if( !authorizer.can(security, "create", resource)) {
-        return new Failure("Not authorized to create the destination")
+        return Failure("Not authorized to create the topic '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       }
 
       val topic = new Topic(LocalRouter.this, destination.asInstanceOf[TopicDestinationDTO],
()=>topic_config(path), path.toString(destination_parser), path)
@@ -715,7 +713,7 @@ class LocalRouter(val virtual_host:Virtu
     def can_create_dsub(config:DurableSubscriptionDTO, security:SecurityContext) = {
       val resource = get_dsub_secured_resource(config)
       if( !authorizer.can(security, "create", resource) ) {
-        Some("Not authorized to create the durable subscription.")
+        Some("Not authorized to create the durable subscription '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       } else {
         None
       }
@@ -724,7 +722,7 @@ class LocalRouter(val virtual_host:Virtu
     def can_connect_dsub(config:DurableSubscriptionDTO, security:SecurityContext):Option[String]
= {
       val resource = get_dsub_secured_resource(config)
       if( !authorizer.can(security, "send", resource) ) {
-        Some("Not authorized to send to the durable subscription.")
+        Some("Not authorized to send to durable subscription '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       } else {
         None
       }
@@ -734,7 +732,7 @@ class LocalRouter(val virtual_host:Virtu
       val resource = get_dsub_secured_resource(config)
       val action = if ( consumer.browser ) "receive" else "consume"
       if( !authorizer.can(security, action, resource) ) {
-        Some("Not authorized to "+action+" from the durable subscription.")
+        Some("Not authorized to %s from durable subscription '%s'. Principals=%s".format(action,
resource.id, security.principal_dump))
       } else {
         None
       }
@@ -788,7 +786,7 @@ class LocalRouter(val virtual_host:Virtu
       if( authorizer.can(security, "create", resource)) {
         None
       } else {
-        Some("Not authorized to create the queue")
+        Some("Not authorized to create the queue '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       }
     }
 
@@ -808,7 +806,7 @@ class LocalRouter(val virtual_host:Virtu
         }
         Success(queue)
       } else {
-        Failure("Not authorized to create the queue")
+        Failure("Not authorized to create the queue '%s'. Principals=%s".format(resource.id,
security.principal_dump))
       }
 
     }
@@ -1175,7 +1173,7 @@ class LocalRouter(val virtual_host:Virtu
 
   def _destroy_queue(queue:Queue, security:SecurityContext):Option[String] = {
     if( !authorizer.can(security, "destroy", queue) ) {
-      return Some("Not authorized to destroy")
+      return Some("Not authorized to destroy queue '%s'. Principals=%s".format(queue.id,
security.principal_dump))
     }
     _destroy_queue(queue)
     None

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/Authorizer.scala
Mon Aug 29 12:03:36 2011
@@ -205,9 +205,9 @@ object Authorizer {
           ((ctx:SecurityContext) => {
             principal_kinds match {
               case Some(principal_kinds)=>
-                ctx.principles.find(p=> principal_kinds.contains(p.getClass.getName) ).isDefined
+                ctx.principals.find(p=> principal_kinds.contains(p.getClass.getName) ).isDefined
               case None =>
-                !ctx.principles.isEmpty
+                !ctx.principals.isEmpty
             }
           })
         case principal =>
@@ -219,13 +219,13 @@ object Authorizer {
           ((ctx:SecurityContext) => {
             principal_kinds match {
               case Some(principal_kinds)=>
-                ctx.principles.find{ p=>
+                ctx.principals.find{ p=>
                   val km = principal_kinds.contains(p.getClass.getName)
                   val nm = principals.contains(p.getName)
                   km && nm
                 }.isDefined
               case None =>
-                ctx.principles.find(p=> principals.contains(p.getName) ).isDefined
+                ctx.principals.find(p=> principals.contains(p.getName) ).isDefined
             }
           })
       })

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SecurityContext.scala
Mon Aug 29 12:03:36 2011
@@ -41,30 +41,53 @@ class SecurityContext {
   var login_context:LoginContext = _
   var connection_id:Option[Long] = None
 
+  def credential_dump = {
+    var rc = List[String]()
+    if(certificates!=null) {
+      for(cert<-certificates) {
+        rc ::= "certdn="+cert.getSubjectX500Principal.getName
+      }
+    }
+    if(user!=null) {
+      rc ::= "user="+user
+    }
+    "["+rc.mkString(", ")+"]"
+  }
+
+  def principal_dump = {
+    var rc = List[String]()
+    if(_principals!=null) {
+      for(principal<-_principals) {
+        rc ::= principal.getClass.getName+":"+principal.getName
+      }
+    }
+    "["+rc.mkString(", ")+"]"
+  }
+
   private var _subject:Subject = _
 
   def subject = _subject
 
-  private var _principles = Set[Principal]()
-  def principles = _principles
+  private var _principals = Set[Principal]()
+  def principals = _principals
 
   def subject_= (value:Subject) {
     _subject = value
-    _principles = Set()
+    _principals = Set()
     if( value!=null ) {
       import collection.JavaConversions._
-      _principles = value.getPrincipals.toSet
+      _principals = value.getPrincipals.toSet
     }
   }
 
-  def principles(kind:String):Set[Principal] = {
+  def principals(kind:String):Set[Principal] = {
     kind match {
       case "+"=>
-        principles
+        principals
       case "*"=>
-        principles
+        principals
       case kind=>
-        principles.filter(_.getClass.getName == kind)
+        principals.filter(_.getClass.getName == kind)
     }
   }
 

Modified: activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-openwire/src/main/scala/org/apache/activemq/apollo/openwire/OpenwireProtocolHandler.scala
Mon Aug 29 12:03:36 2011
@@ -435,11 +435,14 @@ class OpenwireProtocolHandler extends Pr
         if( host.authenticator!=null &&  host.authorizer!=null ) {
           suspendRead("authenticating and authorizing connect")
           if( !host.authenticator.authenticate(security_context) ) {
-            async_die("Authentication failed.", info)
-            noop
+            async_die("Authentication failed. Credentials="+security_context.credential_dump)
+            noop // to make the cps compiler plugin happy.
           } else if( !host.authorizer.can(security_context, "connect", connection.connector)
) {
-            async_die("Connect not authorized.", info)
-            noop
+            async_die("Not authorized to connect to connector '%s'. Principals=".format(connection.connector.id,
security_context.principal_dump))
+            noop // to make the cps compiler plugin happy.
+          } else if( !host.authorizer.can(security_context, "connect", this.host) ) {
+            async_die("Not authorized to connect to virtual host '%s'. Principals=".format(this.host.id,
security_context.principal_dump))
+            noop // to make the cps compiler plugin happy.
           } else {
             resumeRead
             ack(info);

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/main/scala/org/apache/activemq/apollo/stomp/StompProtocolHandler.scala
Mon Aug 29 12:03:36 2011
@@ -827,21 +827,13 @@ class StompProtocolHandler extends Proto
         if( host.authenticator!=null &&  host.authorizer!=null ) {
           suspendRead("authenticating and authorizing connect")
           if( !host.authenticator.authenticate(security_context) ) {
-            var msg = if( security_context.user==null ) {
-              "Authentication failed."
-            } else {
-              "Authentication failed. Username="+security_context.user
-            }
-            async_die(msg)
+            async_die("Authentication failed. Credentials="+security_context.credential_dump)
             noop // to make the cps compiler plugin happy.
           } else if( !host.authorizer.can(security_context, "connect", connection.connector)
) {
-
-            var msg = if( security_context.user==null ) {
-              "Connect not authorized."
-            } else {
-              "Connect not authorized. Username="+security_context.user
-            }
-            async_die(msg)
+            async_die("Not authorized to connect to connector '%s'. Principals=".format(connection.connector.id,
security_context.principal_dump))
+            noop // to make the cps compiler plugin happy.
+          } else if( !host.authorizer.can(security_context, "connect", this.host) ) {
+            async_die("Not authorized to connect to virtual host '%s'. Principals=".format(this.host.id,
security_context.principal_dump))
             noop // to make the cps compiler plugin happy.
           } else {
             resumeRead
@@ -960,7 +952,7 @@ class StompProtocolHandler extends Proto
       if( !config.add_user_headers.isEmpty ){
         import collection.JavaConversions._
         config.add_user_headers.foreach { h =>
-          val matches = security_context.principles(Option(h.kind).getOrElse("*"))
+          val matches = security_context.principals(Option(h.kind).getOrElse("*"))
           if( !matches.isEmpty ) {
             h.separator match {
               case null=>

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Mon Aug 29 12:03:36 2011
@@ -1292,7 +1292,7 @@ class StompSecurityTest extends StompTes
       "login:can_not_connect\n" +
       "passcode:can_not_connect\n")
     frame should startWith("ERROR\n")
-    frame should include("message:Connect not authorized.")
+    frame should include("message:Not authorized to connect")
 
   }
 
@@ -1332,7 +1332,7 @@ class StompSecurityTest extends StompTes
 
     val frame = client.receive()
     frame should startWith("ERROR\n")
-    frame should include("message:Not authorized to create the queue\n")
+    frame should include("message:Not authorized to create the queue")
   }
 
   test("Send authorized but not create") {
@@ -1349,7 +1349,7 @@ class StompSecurityTest extends StompTes
 
     val frame = client.receive()
     frame should startWith("ERROR\n")
-    frame should include("message:Not authorized to create the queue\n")
+    frame should include("message:Not authorized to create the queue")
 
   }
 
@@ -1367,7 +1367,7 @@ class StompSecurityTest extends StompTes
 
     val frame = client.receive()
     frame should startWith("ERROR\n")
-    frame should include("message:Not authorized to create the queue\n")
+    frame should include("message:Not authorized to create the queue")
   }
 
   test("Send and create authorized") {
@@ -1418,7 +1418,7 @@ class StompSecurityTest extends StompTes
 
     val frame = client.receive()
     frame should startWith("ERROR\n")
-    frame should include("message:Not authorized to receive from the destination.\n")
+    frame should include("message:Not authorized to consume from the queue")
   }
 
 //  test("Consume authorized and JMSXUserID is set on message") {

Modified: activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala?rev=1162755&r1=1162754&r2=1162755&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-web/src/main/scala/org/apache/activemq/apollo/web/resources/BrokerResource.scala
Mon Aug 29 12:03:36 2011
@@ -55,7 +55,7 @@ case class BrokerResource() extends Reso
       if(broker.authenticator!=null) {
         authenticate(broker.authenticator) { security_context =>
           if(security_context!=null) {
-            rc.set(Success(security_context.principles))
+            rc.set(Success(security_context.principals))
           } else {
             rc.set(Success(Set[Principal]()))
           }



Mime
View raw message