From chir...@apache.org
Subject svn commit: r1309486 - in /activemq/activemq-apollo/trunk: apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/ apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/ apollo-cli/src/main/resources/org/apache/activemq/apollo...
Date Wed, 04 Apr 2012 16:37:56 GMT
Author: chirino
Date: Wed Apr  4 16:37:55 2012
New Revision: 1309486

URL: http://svn.apache.org/viewvc?rev=1309486&view=rev
Log:
Implements APLO-180 : Add support for IP address credentials

Added:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SourceAddressPrincipal.scala
Modified:
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
    activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SocketAddressLoginModule.scala
    activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
    activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/Queue.scala
Wed Apr  4 16:37:55 2012
@@ -607,6 +607,7 @@ class Queue(val router: LocalRouter, val
                   while(entry!=null && is_enqueue_buffer_maxed) {
                     entry = eval_drop(entry)
                   }
+                case _ =>
               }
             }
           }
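Review bot: The bare `case _ =>` added at line 39 turns every value the earlier cases do not cover into a silent no-op; that is fine if it only replaces a MatchError on a variant that genuinely needs no drop pass, but if the scrutinee is a sealed type it also removes the exhaustiveness warning that would flag a future variant. A short comment naming what is intentionally skipped, e.g. `case _ => // nothing to drop for the remaining cases`, keeps the intent readable. I cannot see the scrutinee: the enclosing match and the method start before the hunk.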

Modified: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SocketAddressLoginModule.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SocketAddressLoginModule.scala?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SocketAddressLoginModule.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SocketAddressLoginModule.scala
Wed Apr  4 16:37:55 2012
@@ -1,5 +1,3 @@
-package org.apache.activemq.apollo.broker.security
-
 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
@@ -16,6 +14,7 @@ package org.apache.activemq.apollo.broke
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+package org.apache.activemq.apollo.broker.security
 
 import javax.security.auth.Subject
 import javax.security.auth.callback.CallbackHandler
@@ -27,6 +26,7 @@ import javax.security.auth.spi.LoginModu
 import java.net.{InetSocketAddress, SocketAddress}
 import java.io.{File, IOException}
 import org.apache.activemq.apollo.util.{FileCache, FileSupport, Log}
+import java.security.Principal
 
 /**
  * <p>
@@ -78,11 +78,14 @@ class SocketAddressLoginModule extends L
 
   var white_list_file: Option[File] = None
   var black_list_file: Option[File] = None
+  private val principals = new ju.HashSet[Principal]()
+  private var subject:Subject = _
 
   /**
    * Overriding to allow for proper initialization. Standard JAAS.
    */
   def initialize(subject: Subject, callback_handler: CallbackHandler, shared_state: ju.Map[String,
_], options: ju.Map[String, _]): Unit = {
+    this.subject = subject
     this.callback_handler = callback_handler
 
     val base_dir = if (System.getProperty(LOGIN_CONFIG) != null) {
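Review bot: `private var subject:Subject = _` at line 78 leaves `subject` null until `initialize` runs, and `commit`/`logout` later in this file dereference it without a guard; that is acceptable under the JAAS call order (initialize precedes the other callbacks), but the dependence is implicit. A comment on each new field would make the lifecycle explicit, e.g. `// set by initialize(); JAAS calls it before login/commit/logout` and `// principals to attach to the subject in commit(); emptied by abort()/logout()`. The `initialize` method continues past the end of the hunk.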
@@ -112,10 +115,16 @@ class SocketAddressLoginModule extends L
       return false;
     }
 
+    val address = address_callback.remote match {
+      case address:InetSocketAddress =>
+        address.getAddress.getHostAddress
+      case _ => null
+    }
+
     white_list_file match {
       case None =>
       case Some(file)=>
-        if( !matches(file, address_callback.remote) ) {
+        if( !matches(file, address) ) {
           throw new LoginException("Remote address is not whitelisted.")
         }
     }
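Review bot: The whitelist decision at line 103 now goes through `matches(file, address)`, whose body in the next hunk still tests `haystack.contains(address)`; if `file_cache` hands back the raw file text, that is a substring test, so a list entry `10.0.0.10` also satisfies a lookup for `10.0.0.1`, and a blacklist entry likewise over-blocks shorter addresses that are a prefix of it. Comparing against the trimmed lines of the file, e.g. `haystack.split('\n').exists(_.trim == address)`, restores the exact one-address-per-line semantics that the login.config comment describes. Separately, `getHostAddress` at line 95 appends a `%scope` suffix for scoped IPv6 addresses, which will never equal a plain list entry; either strip it before the lookup or document that the lists are for unscoped addresses only.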
@@ -123,37 +132,42 @@ class SocketAddressLoginModule extends L
     black_list_file match {
       case None =>
       case Some(file)=>
-        if( matches(file, address_callback.remote) ) {
+        if( matches(file, address) ) {
           throw new LoginException("Remote address blacklisted.")
         }
     }
 
+    if( address!=null ) {
+      principals.add(SourceAddressPrincipal(address))
+    }
+
     return false
   }
 
-  def matches(file:File, address:SocketAddress):Boolean = {
-    val needle = address match {
-      case address:InetSocketAddress =>
-        address.getAddress.getHostAddress
-      case _ => return false
-    }
+  def matches(file:File, address:String):Boolean = {
+    if( address == null )
+      return false
 
     file_cache.get(file) match {
       case None => false
       case Some(haystack) =>
-        haystack.contains(needle)
+        haystack.contains(address)
     }
   }
 
   def commit: Boolean = {
+    subject.getPrincipals().addAll(principals)
     return true
   }
 
   def abort: Boolean = {
+    principals.clear
     return true
   }
 
   def logout: Boolean = {
+    subject.getPrincipals().removeAll(principals)
+    principals.clear
     return true
   }
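Review bot: `login` still returns `false` at line 121, which under the `LoginModule` contract means "ignore this module", yet `commit` at line 143 unconditionally copies `principals` into the subject; the JDK `LoginContext` does invoke `commit` regardless of that return value, so it works, but the combination contradicts the documented contract and deserves a comment such as `// login() reports "ignore" on purpose: this module only vets the address and contributes a principal, it never authenticates`. `logout` at line 153 calls `subject.getPrincipals().removeAll(principals)`, which throws `IllegalStateException` once the subject has been marked read-only; guarding it with `if( !subject.isReadOnly )` lets logout still return normally in that case.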
 

Added: activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SourceAddressPrincipal.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SourceAddressPrincipal.scala?rev=1309486&view=auto
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SourceAddressPrincipal.scala
(added)
+++ activemq/activemq-apollo/trunk/apollo-broker/src/main/scala/org/apache/activemq/apollo/broker/security/SourceAddressPrincipal.scala
Wed Apr  4 16:37:55 2012
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.apollo.broker.security
+
+import java.security.Principal
+
+/**
+ * <p>
+ * </p>
+ *
+ * @author <a href="http://hiramchirino.com">Hiram Chirino</a>
+ */
+case class SourceAddressPrincipal(name:String) extends Principal {
+  def getName = name
+  override def toString = name
+}
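Review bot: The class doc at lines 187-192 is an empty `<p></p>` stub, and since this type is what the `add_user_header kind=...` configuration in this commit matches on, it deserves a sentence. Suggested scaladoc: `Principal carrying the remote endpoint's IP address as produced by InetAddress.getHostAddress; attached to the Subject by SocketAddressLoginModule. Equality is by address text, so repeated logins from one address yield equal principals.` It is also worth stating that `getName` and `toString` both return the bare address, because that is the value which ends up in the configured user header.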

Modified: activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
(original)
+++ activemq/activemq-apollo/trunk/apollo-cli/src/main/resources/org/apache/activemq/apollo/cli/commands/etc/login.config
Wed Apr  4 16:37:55 2012
@@ -22,6 +22,8 @@ apollo {
   // The black-list.txt is a text file that contains a new line separated IP address
   // which are not allowed to connect to this server.
   //
+  //   adds: org.apache.activemq.apollo.broker.security.SourceAddressPrincipal
+  //
   org.apache.activemq.apollo.broker.security.SocketAddressLoginModule requisite
     // Uncomment to use a while list of allowed address that can connect to us
     // white_list_file="white-list.txt"

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/apollo-stomp-secure.xml
Wed Apr  4 16:37:55 2012
@@ -19,6 +19,7 @@
 
   <authentication domain="StompSecurityTest"/>
   <access_rule allow="connect_group" action="connect"/>
+  <access_rule allow="can_send_create_consume_queue" kind="queue" action="send create
consume"/>
   <access_rule allow="can_send_create_queue" kind="queue" action="send create"/>
   <access_rule allow="can_send_queue"        kind="queue" action="send"/>
   <access_rule allow="can_receive_queue"     kind="queue" action="receive"/>
@@ -42,7 +43,10 @@
   </virtual_host>
 
   <connector id="tcp" bind="tcp://0.0.0.0:0">
-    <stomp add_user_header="JMSXUserID"/>
+    <stomp>
+      <add_user_header kind="org.apache.activemq.jaas.UserPrincipal">JMSXUserID</add_user_header>
+      <add_user_header kind="org.apache.activemq.apollo.broker.security.SourceAddressPrincipal">sender-ip</add_user_header>
+    </stomp>
   </connector>
   <connector id="tcp2" bind="tcp://0.0.0.0:0">
   </connector>

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/login.config Wed Apr  4
16:37:55 2012
@@ -16,6 +16,8 @@
 // ---------------------------------------------------------------------------
 StompSecurityTest {
 
+  org.apache.activemq.apollo.broker.security.SocketAddressLoginModule requisite;
+
   org.apache.activemq.apollo.broker.security.FileUserLoginModule optional
     file="users.properties";
 

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties (original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/resources/users.properties Wed Apr
 4 16:37:55 2012
@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-connect_group=CN=ssl_user|can_only_connect|can_send_create_queue|can_send_queue|can_receive_queue|can_consume_queue|can_send_create_topic|can_send_topic|can_recieve_topic|can_consume_create_ds|can_consume_ds
+connect_group=CN=ssl_user|can_only_connect|can_send_create_queue|can_send_queue|can_receive_queue|can_consume_queue|can_send_create_topic|can_send_topic|can_recieve_topic|can_consume_create_ds|can_consume_ds|can_send_create_consume_queue
 
 guest=guest
 can_not_connect=can_not_connect
@@ -29,6 +29,7 @@ can_send_create_queue=can_send_create_qu
 can_send_queue=can_send_queue
 can_receive_queue=can_receive_queue
 can_consume_queue=can_consume_queue
+can_send_create_consume_queue=can_send_create_consume_queue
 
 #
 # Users with specific roles related to topics
@@ -38,4 +39,3 @@ can_send_topic=can_send_topic
 can_recieve_topic=can_recieve_topic
 can_consume_create_ds=can_consume_create_ds
 can_consume_ds=can_consume_ds
-

Modified: activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
URL: http://svn.apache.org/viewvc/activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala?rev=1309486&r1=1309485&r2=1309486&view=diff
==============================================================================
--- activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
(original)
+++ activemq/activemq-apollo/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/StompTest.scala
Wed Apr  4 16:37:55 2012
@@ -2034,21 +2034,19 @@ class StompSecurityTest extends StompTes
     frame should include("message:Not authorized to consume from the queue")
   }
 
-//  test("Consume authorized and JMSXUserID is set on message") {
-//    connect("1.1", client,
-//      "login:can_consume_queue\n" +
-//      "passcode:can_consume_queue\n")
-//
-//    client.write(
-//      "SUBSCRIBE\n" +
-//      "destination:/queue/secure\n" +
-//      "id:0\n" +
-//      "\n")
-//
-//    val frame = client.receive()
-//    frame should startWith("MESSAGE\n")
-//    frame should include("JMSXUserID:can_send_create_queue\n")
-//  }
+  test("Consume authorized and JMSXUserID is set on message") {
+    connect("1.1", client,
+      "login:can_send_create_consume_queue\n" +
+      "passcode:can_send_create_consume_queue\n")
+
+    subscribe("0","/queue/sendsid")
+    async_send("/queue/sendsid", "hello")
+
+    val frame = client.receive()
+    frame should startWith("MESSAGE\n")
+    frame should include("JMSXUserID:can_send_create_consume_queue\n")
+    frame should include("sender-ip:127.0.0.1\n")
+  }
 }
 
 class StompSslSecurityTest extends StompTestSupport {


