From commits-return-11231-apmail-qpid-commits-archive=qpid.apache.org@qpid.apache.org Wed Nov 11 22:59:56 2009 Return-Path: Delivered-To: apmail-qpid-commits-archive@www.apache.org Received: (qmail 2413 invoked from network); 11 Nov 2009 22:59:56 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 11 Nov 2009 22:59:56 -0000 Received: (qmail 78853 invoked by uid 500); 11 Nov 2009 22:59:56 -0000 Delivered-To: apmail-qpid-commits-archive@qpid.apache.org Received: (qmail 78817 invoked by uid 500); 11 Nov 2009 22:59:56 -0000 Mailing-List: contact commits-help@qpid.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@qpid.apache.org Delivered-To: mailing list commits@qpid.apache.org Received: (qmail 78808 invoked by uid 99); 11 Nov 2009 22:59:56 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 11 Nov 2009 22:59:56 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 11 Nov 2009 22:59:52 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id BB52F23888C2; Wed, 11 Nov 2009 22:59:30 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r835115 - in /qpid/trunk/qpid/java: broker/src/main/java/org/apache/qpid/server/configuration/ broker/src/main/java/org/apache/qpid/server/security/access/ broker/src/test/java/org/apache/qpid/server/configuration/ systests/etc/ systests/sr... Date: Wed, 11 Nov 2009 22:59:30 -0000 To: commits@qpid.apache.org 
From: aidan@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20091111225930.BB52F23888C2@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: aidan Date: Wed Nov 11 22:59:29 2009 New Revision: 835115 URL: http://svn.apache.org/viewvc?rev=835115&view=rev Log: QPID-2184: make sure global security plugins are reconfigured properly ServerConfigurationTest: add test for reloading firewall config in main section, not just as a combined file FirewallConfigTest: add a systest for firewalls with real broker QpidTestCase: add a reloadBroker() method Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java qpid/trunk/qpid/java/test-profiles/010Excludes Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java (original) +++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java Wed Nov 11 22:59:29 2009 
@@ -311,13 +311,13 @@ { Configuration newConfig = parseConfig(_configFile); _securityConfiguration = new SecurityConfiguration(newConfig.subset("security")); - ApplicationRegistry.getInstance().getAccessManager().configurePlugins(_securityConfiguration); VirtualHostRegistry vhostRegistry = ApplicationRegistry.getInstance().getVirtualHostRegistry(); for (String hostname : _virtualHosts.keySet()) { VirtualHost vhost = vhostRegistry.getVirtualHost(hostname); SecurityConfiguration hostSecurityConfig = new SecurityConfiguration(newConfig.subset("virtualhosts.virtualhost."+hostname+".security")); + vhost.getAccessManager().configureGlobalPlugins(_securityConfiguration); vhost.getAccessManager().configureHostPlugins(hostSecurityConfig); } } Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java (original) +++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/ACLManager.java Wed Nov 11 22:59:29 2009 @@ -67,14 +67,18 @@ _allSecurityPlugins.put(securityPlugin.getClass().getName(), securityPlugin); } - _globalPlugins = configurePlugins(configuration); + configureGlobalPlugins(configuration); } - public void configureHostPlugins(SecurityConfiguration hostConfig) throws ConfigurationException { _hostPlugins = configurePlugins(hostConfig); } + + public void configureGlobalPlugins(SecurityConfiguration configuration) throws ConfigurationException + { + _globalPlugins = configurePlugins(configuration); + } public Map configurePlugins(SecurityConfiguration hostConfig) throws ConfigurationException { 
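Review bot: The global plugins are now re-applied only inside the per-virtual-host loop, so the manager returned by `ApplicationRegistry.getInstance().getAccessManager()` is no longer touched on reload, and nothing is reconfigured at all when `_virtualHosts` is empty. ServerConfigurationTest in this commit authorises through `reg.getAccessManager()`, so if that manager does not delegate to the virtual host's one it would keep enforcing the pre-reload firewall rules. Worth confirming, and if needed adding `ApplicationRegistry.getInstance().getAccessManager().configureGlobalPlugins(_securityConfiguration);` before the loop. The loop also applies the new policy host by host, so a `ConfigurationException` from one host leaves earlier hosts on the new rules and later ones on the old; building every plugin set first and swapping afterwards would avoid a half-applied policy. The enclosing method starts outside the hunk.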
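Review bot: `configureGlobalPlugins` and `configureHostPlugins` reassign `_globalPlugins` and `_hostPlugins` from the reload path while, presumably, connection threads read the same fields during authorisation; the field declarations are outside the hunk, so I cannot see whether they are `volatile`. If they are not, a reader may keep using the old plugin map after a reload that tightened the rules; since the maps are replaced wholesale rather than mutated, declaring both fields `volatile` would be enough. The new public method also lacks Javadoc, for example `/** Replaces the broker-wide plugin set with one built from the given security section; used at construction and on configuration reload. */`.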
@@ -93,7 +97,7 @@ { if (plugin.supportsTag(tag)) { - _logger.warn("Plugin handling security section "+tag+" is "+plugin.getClass().getSimpleName()); + _logger.info("Plugin handling security section "+tag+" is "+plugin); handledTags.add(tag); plugins.put(plugin.getClass().getName(), plugin.newInstance(securityConfig)); } Modified: qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java (original) +++ qpid/trunk/qpid/java/broker/src/test/java/org/apache/qpid/server/configuration/ServerConfigurationTest.java Wed Nov 11 22:59:29 2009 
@@ -760,38 +760,8 @@ // Write out config File mainFile = File.createTempFile(getClass().getName(), null); mainFile.deleteOnExit(); - FileWriter out = new FileWriter(mainFile); - - out.write("\n"); - out.write("\tfalse\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\t\tpasswordfile\n"); - out.write("\t\t\t\torg.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\t\tpasswordFile\n"); - out.write("\t\t\t\t\t\t/dev/null\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t/dev/null\n"); - out.write("\t\t\tpasswordfile\n"); - out.write("\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\ttest\n"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\n"); - out.close(); + FileWriter out; + writeConfigFile(mainFile, false); // Load config ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); 
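Review bot: `FileWriter out;` is left behind as an unused local now that the writes live in `writeConfigFile`; drop the declaration so `mainFile.deleteOnExit();` is followed directly by `writeConfigFile(mainFile, false);`. The enclosing test method starts and ends outside the hunk.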
@@ -882,6 +852,70 @@ session.setNetworkDriver(testDriver); assertFalse(reg.getAccessManager().authoriseConnect(session, virtualHost)); } + + public void testConfigurationFirewallReload() throws Exception + { + // Write out config + File mainFile = File.createTempFile(getClass().getName(), null); + + mainFile.deleteOnExit(); + writeConfigFile(mainFile, false); + + // Load config + ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); + ApplicationRegistry.initialise(reg, 1); + + // Test config + TestNetworkDriver testDriver = new TestNetworkDriver(); + testDriver.setRemoteAddress("127.0.0.1"); + VirtualHostRegistry virtualHostRegistry = reg.getVirtualHostRegistry(); + VirtualHost virtualHost = virtualHostRegistry.getVirtualHost("test"); + AMQProtocolSession session = new AMQProtocolEngine(virtualHostRegistry, testDriver); + + assertFalse(reg.getAccessManager().authoriseConnect(session, virtualHost)); + + // Switch to deny the connection + writeConfigFile(mainFile, true); + + reg.getConfiguration().reparseConfigFile(); + + assertTrue(reg.getAccessManager().authoriseConnect(session, virtualHost)); + + } + + private void writeConfigFile(File mainFile, boolean allow) throws IOException { + FileWriter out = new FileWriter(mainFile); + out.write("\n"); + out.write("\tfalse\n"); + out.write("\t\n"); + out.write("\t\t\n"); + out.write("\t\t\t\n"); + out.write("\t\t\t\tpasswordfile\n"); + out.write("\t\t\t\torg.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase\n"); + out.write("\t\t\t\t\n"); + out.write("\t\t\t\t\t\n"); + out.write("\t\t\t\t\t\tpasswordFile\n"); + out.write("\t\t\t\t\t\t/dev/null\n"); + out.write("\t\t\t\t\t\n"); + out.write("\t\t\t\t\n"); + out.write("\t\t\t\n"); + out.write("\t\t\n"); + out.write("\t\t\n"); + out.write("\t\t\t/dev/null\n"); + out.write("\t\t\tpasswordfile\n"); + out.write("\t\t\n"); + out.write("\t\t\n"); + out.write("\t\t\t"); + out.write("\t\t\n"); + out.write("\t\n"); + 
out.write("\t\n"); + out.write("\t\t\n"); + out.write("\t\t\ttest\n"); + out.write("\t\t\n"); + out.write("\t\n"); + out.write("\n"); + out.close(); + } public void testCombinedConfigurationFirewallReload() throws Exception { Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml (added) +++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall-settings.xml Wed Nov 11 22:59:29 2009 @@ -0,0 +1,28 @@ + + + + + + + + + Added: qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml (added) +++ qpid/trunk/qpid/java/systests/etc/config-systests-firewall.xml Wed Nov 11 22:59:29 2009 @@ -0,0 +1,30 @@ + + + + + + + + + + + Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java?rev=835115&view=auto ============================================================================== --- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java (added) +++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java Wed Nov 11 22:59:29 2009 
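Review bot: In `testConfigurationFirewallReload` the comment `// Switch to deny the connection` contradicts the code, which calls `writeConfigFile(mainFile, true)` and then asserts that `authoriseConnect` returns true; it should read `// Switch to allow the connection`. Only the deny-to-allow direction is exercised, whereas the direction that matters more for a firewall is allow-to-deny, because a reload that silently fails there leaves the broker accepting connections it should refuse. A second pass that writes `false` again, calls `reparseConfigFile()` and checks `assertFalse(reg.getAccessManager().authoriseConnect(session, virtualHost));` would cover it. `writeConfigFile` closes the writer only on the success path; wrapping the writes in `try { ... } finally { out.close(); }` avoids leaking the handle when a write throws.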
@@ -0,0 +1,164 @@
+package org.apache.qpid.server.security.firewall;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+
+import javax.jms.Connection;
+import javax.jms.JMSException;
+
+import org.apache.qpid.test.utils.QpidTestCase;
+
+public class FirewallConfigTest extends QpidTestCase
+{
+
+ private File tmpFile = null;
+ @Override
+ protected void setUp() throws Exception
+ {
+ // do setup
+ final String QPID_HOME = System.getProperty("QPID_HOME");
+
+ if (QPID_HOME == null)
+ {
+ fail("QPID_HOME not set");
+ }
+
+ // Setup initial config.
+ _configFile = new File(QPID_HOME, "etc/config-systests-firewall.xml");
+ tmpFile = File.createTempFile("config-systests-firewall", ".xml");
+ setSystemProperty("QPID_FIREWALL_SETTINGS", tmpFile.getAbsolutePath());
+ tmpFile.deleteOnExit();
+ }
+
+ private void writeFirewallFile(boolean allow, boolean inVhost) throws IOException
+ {
+ FileWriter out = new FileWriter(tmpFile);
+ String ipAddr = "127.0.0.1"; // FIXME: get this from InetAddress.getLocalHost().getAddress() ?
+ out.write("");
+ if (inVhost)
+ {
+ out.write("");
+ }
+ out.write("");
+ out.write("");
+ out.write("");
+ if (inVhost)
+ {
+ out.write("");
+ }
+ out.write("");
+ out.close();
+ }
+
+ public void testDenyOnRestart() throws Exception
+ {
+ testDeny(false, new Runnable() {
+
+ public void run()
+ {
+ try
+ {
+ restartBroker();
+ } catch (Exception e)
+ {
+ fail(e.getMessage());
+ }
+ }
+ });
+ }
+
+ public void testDenyOnRestartInVhost() throws Exception
+ {
+ testDeny(true, new Runnable() {
+
+ public void run()
+ {
+ try
+ {
+ reloadBroker();
+ } catch (Exception e)
+ {
+ fail(e.getMessage());
+ }
+ }
+ });
+ }
+
+ public void testDenyOnReload() throws Exception
+ {
+ testDeny(false, new Runnable() {
+
+ public void run()
+ {
+ try
+ {
+ reloadBroker();
+ } catch (Exception e)
+ {
+ fail(e.getMessage());
+ }
+ }
+ }
+ );
+ }
+
+ public void testDenyOnReloadInVhost() throws Exception
+ {
+ testDeny(true, new Runnable() {
+
+ public void run()
+ {
+ try
+ {
+ reloadBroker();
+ } catch (Exception e)
+ {
+ fail(e.getMessage());
+ }
+ }
+ }
+ );
+
+ }
+
+ private void testDeny(boolean inVhost, Runnable restartOrReload) throws Exception
+ {
+ if (_broker.equals(VM))
+ {
+ // No point running this test in a vm broker
+ return;
+ }
+
+ writeFirewallFile(false, inVhost);
+ super.setUp();
+
+ Exception exception = null;
+ Connection conn = null;
+ try
+ {
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ exception = e;
+ }
+ assertNotNull(exception);
+
+ // Check we can get a connection
+
+ writeFirewallFile(true, inVhost);
+ restartOrReload.run();
+
+ exception = null;
+ try
+ {
+ conn = getConnection();
+ }
+ catch (JMSException e)
+ {
+ exception = e;
+ }
+ assertNull(exception);
+ }
+}
Modified: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java?rev=835115&r1=835114&r2=835115&view=diff 
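Review bot: `testDenyOnRestartInVhost` calls `reloadBroker()` instead of `restartBroker()`, so it duplicates `testDenyOnReloadInVhost` and the restart path with a virtual-host-level firewall rule is never exercised; the body of its `run()` should be `restartBroker();`. Every case in `testDeny` goes from deny to allow only, so a reload or restart that fails to apply a newly added deny rule would not be caught by this class. The connections obtained in `testDeny` are never closed; a `conn.close();` after `assertNull(exception);` would release the one that succeeds.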
============================================================================== --- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java (original) +++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/test/utils/QpidTestCase.java Wed Nov 11 22:59:29 2009 @@ -57,6 +57,7 @@ import java.io.InputStreamReader; import java.io.LineNumberReader; import java.io.PrintStream; +import java.io.Reader; import java.net.MalformedURLException; import java.util.ArrayList; import java.util.HashMap; @@ -1241,4 +1242,27 @@ return null; } + public void reloadBroker() throws ConfigurationException, IOException + { + reloadBroker(0); + } + + public void reloadBroker(int port) throws ConfigurationException, IOException + { + if (_broker.equals(VM)) + { + ApplicationRegistry.getInstance().getConfiguration().reparseConfigFile(); + } + else // FIXME: should really use the JMX interface to do this + { + /* + * Sigh, this is going to get messy. grep for BRKR and the port number + */ + + Process p = Runtime.getRuntime().exec("/usr/bin/pgrep -f " + getPort(port)); + BufferedReader reader = new BufferedReader (new InputStreamReader(p.getInputStream())); + String cmd = "/bin/kill -SIGHUP " + reader.readLine(); + p = Runtime.getRuntime().exec(cmd); + } + } } Modified: qpid/trunk/qpid/java/test-profiles/010Excludes URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/test-profiles/010Excludes?rev=835115&r1=835114&r2=835115&view=diff ============================================================================== --- qpid/trunk/qpid/java/test-profiles/010Excludes (original) +++ qpid/trunk/qpid/java/test-profiles/010Excludes Wed Nov 11 22:59:29 2009 
@@ -3,6 +3,7 @@ //These tests are for the java broker org.apache.qpid.server.security.acl.SimpleACLTest#* +org.apache.qpid.server.security.firewall.FirewallConfigTest#* org.apache.qpid.server.plugins.PluginTest#* org.apache.qpid.server.BrokerStartupTest#* --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscribe@qpid.apache.org