qpid-commits mailing list archives

From rob...@apache.org
Subject svn commit: r949781 [4/5] - in /qpid/trunk/qpid/java: broker/etc/ broker/src/main/java/org/apache/qpid/qmf/ broker/src/main/java/org/apache/qpid/server/ broker/src/main/java/org/apache/qpid/server/binding/ broker/src/main/java/org/apache/qpid/server/co...
Date Mon, 31 May 2010 16:03:44 GMT
Added: qpid/trunk/qpid/java/systests/etc/test-default.txt
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/test-default.txt?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/test-default.txt (added)
+++ qpid/trunk/qpid/java/systests/etc/test-default.txt Mon May 31 16:03:41 2010
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# This section grants virtualhost access rights
+ACL ALLOW client ACCESS VIRTUALHOST
+ACL ALLOW server ACCESS VIRTUALHOST
+
+# This section grants publish rights to an exchange + routing key pair
+
+# Allow clients to publish requests
+ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue"
+
+# Allow the processor to respond to a client on their Temporary Topic
+ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="tmp_*"
+ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*"
+
+# This section grants users the ability to consume from the broker
+
+# Allow client to consume from temporary queues
+ACL ALLOW client CONSUME QUEUE temporary=true
+
+# Only allow the server to consume from the Request Queue
+ACL ALLOW server CONSUME QUEUE name="example.RequestQueue"
+
+# Allow client and server to consume from kipper queues
+ACL ALLOW client CONSUME QUEUE name="clientid:kipper"
+ACL ALLOW server CONSUME QUEUE name="clientid:kipper"
+
+# This section grants users the ability to create/delete queues and exchanges
+
+# Allow clients to create and delete temporary and kipper queue on this exchange
+ACL ALLOW client CREATE QUEUE temporary=true
+ACL ALLOW client DELETE QUEUE temporary=true
+ACL ALLOW client CREATE QUEUE durable="true"
+ACL ALLOW client DELETE QUEUE durable="true"
+
+# Allow the server to create the Request Queue and kipper queue
+ACL ALLOW server CREATE QUEUE name="example.RequestQueue"
+ACL ALLOW server CREATE QUEUE name="clientid:kipper"
+
+## Allow client and server exchange access for the relevant queues
+ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary=true
+ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary=true
+ACL ALLOW client BIND EXCHANGE name="amq.direct" durable=true
+ACL ALLOW client UNBIND EXCHANGE name="amq.direct" durable=true
+ACL ALLOW server BIND EXCHANGE name="amq.direct" queueName="example.RequestQueue"
+
+## Allow client and server exchange access for the relevant topics
+ACL ALLOW client BIND EXCHANGE name="amq.topic" durable=true routingKey=kipper
+ACL ALLOW client UNBIND EXCHANGE name="amq.topic" durable=true routingKey=kipper
+ACL ALLOW server BIND EXCHANGE name="amq.topic" durable=true routingKey=kipper
+
+# Action[operation=BIND,objectType=EXCHANGE,properties={OWNER=client, DURABLE=true, QUEUE_NAME=IllegalQueue, AUTO_DELETE=false, ROUTING_KEY=IllegalQueue, NAME=amq.direct, TEMPORARY=false, EXCLUSIVE=false}]
+
+
+ACL ALLOW client CREATE EXCHANGE
+ACL ALLOW server CREATE EXCHANGE
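Review bot: The two `durable="true"` rules under the comment "Allow clients to create and delete temporary and kipper queue" are wider than that comment says: `ACL ALLOW client CREATE QUEUE durable="true"` and its DELETE twin carry no name, so as written they match any durable queue, and the closing `ACL ALLOW client CREATE EXCHANGE` is likewise unqualified. If the tests only need the kipper queue, a rule such as `ACL ALLOW client CREATE QUEUE name="clientid:kipper" durable="true"` would keep the fixture at least privilege; otherwise the comment should say that any durable queue is permitted. The file also has no closing deny rule, so the result for unmatched actions rests on the broker's default, which is not visible here; a final comment line naming that expected default would make the denial tests easier to read.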

Added: qpid/trunk/qpid/java/systests/etc/test-externalacljmx-deleteexchangefailure.txt
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/test-externalacljmx-deleteexchangefailure.txt?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/test-externalacljmx-deleteexchangefailure.txt (added)
+++ qpid/trunk/qpid/java/systests/etc/test-externalacljmx-deleteexchangefailure.txt Mon May 31 16:03:41 2010
@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# This section grants virtualhost management rights
+ACL ALLOW admin ALL METHOD
+
+# testDeleteExchangeFailure()
+ACL ALLOW admin CREATE EXCHANGE name="amq.kipper.delete"
+ACL DENY admin DELETE EXCHANGE name="amq.kipper.delete"
+

Added: qpid/trunk/qpid/java/systests/etc/test-externalacljmx.txt
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/test-externalacljmx.txt?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/test-externalacljmx.txt (added)
+++ qpid/trunk/qpid/java/systests/etc/test-externalacljmx.txt Mon May 31 16:03:41 2010
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# This section grants management access to the virtualhost
+ACL ALLOW admin ALL METHOD
+ACL ALLOW client ALL METHOD
+ACL ALLOW server ALL METHOD
+
+# Allow create kipper queue
+ACL ALLOW admin CREATE QUEUE name="kipper" owner = client # kipper
+ACL ALLOW admin BIND EXCHANGE name="amq.direct"
+
+# testCreateExchangeSuccess(), testDeleteExchangeSuccess()
+ACL ALLOW admin CREATE EXCHANGE name="amq.kipper.success"
+ACL ALLOW admin DELETE EXCHANGE name="amq.kipper.success"
+
+# testCreateExchangeFailure()
+ACL DENY admin CREATE EXCHANGE name="amq.kipper.failure"
+
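Review bot: The `CREATE QUEUE name="kipper"` rule is the only one in these fixtures written with spaces around `=` (`owner = client`) and a trailing `# kipper` on the rule line, and nothing says whether that is deliberate. If it is there to exercise the parser, a line above it such as `# deliberately uses spaced '=' and a trailing comment to exercise the rule parser` would stop it being tidied away. If it is not, `owner="client"` with no trailing comment matches the rest of the file and does not depend on how the parser treats an inline `#`.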

Added: qpid/trunk/qpid/java/systests/etc/test2-default.txt
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/test2-default.txt?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/test2-default.txt (added)
+++ qpid/trunk/qpid/java/systests/etc/test2-default.txt Mon May 31 16:03:41 2010
@@ -0,0 +1,21 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# This section grants all access rights
+ACL ALLOW guest ALL ALL
\ No newline at end of file

Modified: qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-acl-settings.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-acl-settings.xml?rev=949781&r1=949780&r2=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-acl-settings.xml (original)
+++ qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-acl-settings.xml Mon May 31 16:03:41 2010
@@ -35,9 +35,6 @@
 
 
             <security>
-                <access>
-                    <class>org.apache.qpid.server.security.access.plugins.SimpleXML</class>
-                </access>
                 <access_control_list>
                     <!-- This section grants pubish rights to an exchange + routing key pair -->
                     <publish>
@@ -45,7 +42,6 @@
                             <exchange>
                                 <name>amq.direct</name>
                                 <routing_keys>
-
                                     <!-- Allow clients to publish requests -->
                                     <routing_key>
                                         <value>example.RequestQueue</value>
@@ -68,7 +64,6 @@
                                         </users>
                                     </routing_key>
                                 </routing_keys>
-
                             </exchange>
                         </exchanges>
                     </publish>
@@ -90,7 +85,14 @@
                                 </users>
                             </queue>
 
-
+                            <!-- Allow client and server to consume from the kipper Queue-->
+                            <queue>
+                                <name>clientid:kipper</name>
+                                <users>
+                                    <user>client</user>
+                                    <user>server</user>
+                                </users>
+                            </queue>
                         </queues>
                     </consume>
 
@@ -110,10 +112,28 @@
                                         <name>amq.direct</name>
                                         <users>
                                             <user>client</user>
+                                            <user>server</user>
+                                        </users>
+                                    </exchange>
+                                    <exchange>
+                                        <name>amq.topic</name>
+                                        <users>
+                                            <user>client</user>
+                                            <user>server</user>
                                         </users>
                                     </exchange>
                                 </exchanges>
                             </queue>
+                            
+                            <!--  everyone can create the kipper queue --> 
+                            <queue>
+                                <name>clientid:kipper</name>
+                                <users>
+                                    <user>client</user>
+                                    <user>server</user>
+                                </users>
+                            </queue>
+                            
                             <!-- Allow the server to create the Request Queue-->
                             <queue>
                                 <name>example.RequestQueue</name>
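Review bot: The added comment `<!--  everyone can create the kipper queue -->` overstates the grant, since the `<users>` list under it names only `client` and `server`. `<!-- Allow client and server to create the kipper queue -->` matches both the rule and the wording of the neighbouring comments. The `<queue>` element for `example.RequestQueue` that follows continues outside this hunk.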
@@ -121,13 +141,21 @@
                                     <user>server</user>
                                 </users>
                             </queue>
-
                         </queues>
                     </create>
 
-
+                    <delete>
+                        <queues>
+                            <!--  only client can delete the kipper queue --> 
+                            <queue>
+                                <name>clientid:kipper</name>
+                                <users>
+                                    <user>client</user>
+                                </users>
+                            </queue>
+                        </queues>
+                    </delete>
                 </access_control_list>
-
             </security>
         </test>
     </virtualhost>
@@ -136,10 +164,6 @@
         <name>test2</name>
         <test2>
             <security>
-                <access>
-                    <class>org.apache.qpid.server.security.access.plugins.SimpleXML</class>
-                </access>
-                
                 <access_control_list>
                     <!-- This section grants specific users full permissions to all artifacts in this virtualhost -->
                     <access>

Copied: qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2-settings.xml (from r949780, qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2-settings.xml?p2=qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2-settings.xml&p1=qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml&r1=949780&r2=949781&rev=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml (original)
+++ qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2-settings.xml Mon May 31 16:03:41 2010
@@ -20,28 +20,29 @@
  -
  -->
 <virtualhosts>
-    <default>test</default>
-
     <virtualhost>
         <name>test</name>
         <test>
-            <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
-            </store>
+            <queues>
+                <exchange>amq.direct</exchange>
+                <!-- 4Mb -->
+                <maximumQueueDepth>4235264</maximumQueueDepth>
+                <!-- 2Mb -->
+                <maximumMessageSize>2117632</maximumMessageSize>
+                <!-- 10 mins -->
+                <maximumMessageAge>600000</maximumMessageAge>
+            </queues>
+
             <security>
-                <firewall default-action="allow"/>
+                <aclv2>${QPID_HOME}/etc/test-default.txt</aclv2>
             </security>
         </test>
     </virtualhost>
 
     <virtualhost>
         <name>test2</name>
-        <test2>
-            <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
-            </store>
-        </test2>
+        <test2 />
     </virtualhost>
-</virtualhosts>
\ No newline at end of file
+</virtualhosts>
+
+

Copied: qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2.xml (from r949780, qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2.xml?p2=qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2.xml&p1=qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml&r1=949780&r2=949781&rev=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml (original)
+++ qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-aclv2.xml Mon May 31 16:03:41 2010
@@ -19,31 +19,11 @@
  - under the License.
  -
  -->
-<virtualhosts>
-    <default>test</default>
-
-    <virtualhost>
-        <name>test</name>
-        <test>
-            <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
-            </store>
-        </test>
-    </virtualhost>
-
-    <virtualhost>
-        <name>test2</name>
-        <test2>
-            <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
-            </store>
-            <security>
-         <firewall default-action="deny"/>
-     </security>
-        </test2>
-    </virtualhost>
-</virtualhosts>
-
-
+<configuration>
+    <system/>
+    <override>
+        <xml fileName="${test.virtualhosts}" optional="true"/>
+        <xml fileName="${QPID_HOME}/etc/virtualhosts-systests-aclv2-settings.xml"/>
+        <xml fileName="${QPID_HOME}/etc/virtualhosts.xml"/>
+    </override>
+</configuration>

Modified: qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml?rev=949781&r1=949780&r2=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml (original)
+++ qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-2.xml Mon May 31 16:03:41 2010
@@ -26,8 +26,7 @@
         <name>test</name>
         <test>
             <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
+                <class>org.apache.qpid.server.store.MemoryMessageStore</class>
             </store>
             <security>
                 <firewall default-action="allow"/>
@@ -39,8 +38,7 @@
         <name>test2</name>
         <test2>
             <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
+                <class>org.apache.qpid.server.store.MemoryMessageStore</class>
             </store>
         </test2>
     </virtualhost>

Modified: qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml?rev=949781&r1=949780&r2=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml (original)
+++ qpid/trunk/qpid/java/systests/etc/virtualhosts-systests-firewall-3.xml Mon May 31 16:03:41 2010
@@ -26,8 +26,7 @@
         <name>test</name>
         <test>
             <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
+                <class>org.apache.qpid.server.store.MemoryMessageStore</class>
             </store>
         </test>
     </virtualhost>
@@ -36,8 +35,7 @@
         <name>test2</name>
         <test2>
             <store>
-                <class>org.apache.qpid.server.store.MemoryMessageStore
-                </class>
+                <class>org.apache.qpid.server.store.MemoryMessageStore</class>
             </store>
             <security>
          <firewall default-action="deny"/>

Modified: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/failover/MessageDisappearWithIOExceptionTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/failover/MessageDisappearWithIOExceptionTest.java?rev=949781&r1=949780&r2=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/failover/MessageDisappearWithIOExceptionTest.java (original)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/failover/MessageDisappearWithIOExceptionTest.java Mon May 31 16:03:41 2010
@@ -263,7 +263,7 @@ public class MessageDisappearWithIOExcep
             throws Exception
     {
         //Create Connection using the default connection URL. i.e. not the Failover URL that would be used by default
-        _connection = (AMQConnection) getConnection(getConnectionFactory("default").getConnectionURL());
+        _connection = (AMQConnection) getConnectionFactory("default").createConnection("guest", "guest");
         // The default connection does not have any retries configured so
         // Allow this connection to retry so that we can block on the failover.
         // The alternative would be to use the getConnection() default. However,
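Review bot: The comment kept above the changed line still says the connection is created "using the default connection URL", but the new call is `getConnectionFactory("default").createConnection("guest", "guest")` and no longer passes a URL. Rewording it to `//Create Connection from the "default" connection factory with explicit guest credentials, i.e. not the Failover URL` keeps the comment true. The literal `"guest", "guest"` pair would also be easier to audit as a named constant if the test base class already has one; none is visible in this hunk. The method body continues outside the hunk.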

Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java (added)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/AbstractACLTestCase.java Mon May 31 16:03:41 2010
@@ -0,0 +1,285 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+*  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.qpid.server.security.acl;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+import javax.jms.Connection;
+import javax.jms.ExceptionListener;
+import javax.jms.JMSException;
+import javax.naming.NamingException;
+
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.lang.StringUtils;
+import org.apache.qpid.AMQException;
+import org.apache.qpid.client.AMQConnection;
+import org.apache.qpid.client.AMQConnectionURL;
+import org.apache.qpid.jms.ConnectionListener;
+import org.apache.qpid.protocol.AMQConstant;
+import org.apache.qpid.test.utils.QpidTestCase;
+import org.apache.qpid.url.URLSyntaxException;
+
+/**
+ * Abstract test case for ACLs.
+ * 
+ * This base class contains convenience methods to mange ACL files and implements a mechanism that allows each
+ * test method to run its own setup code before the broker starts.
+ * 
+ * TODO move the pre broker-startup setup method invocation code to {@link QpidTestCase}
+ * 
+ * @see SimpleACLTest
+ * @see ExternalACLTest
+ * @see ExternalACLFileTest
+ * @see ExternalACLJMXTest
+ * @see ExternalAdminACLTest
+ * @see ExhaustiveACLTest
+ */
+public abstract class AbstractACLTestCase extends QpidTestCase implements ConnectionListener
+{
+    /** Used to synchronise {@link #tearDown()} when exceptions are thrown */
+	protected CountDownLatch _exceptionReceived;
+	
+    /** Override this to return the name of the configuration XML file. */
+    public String getConfig()
+    {
+        return "config-systests-acl.xml";
+    }
+    
+    /** Override this to setup external ACL files for virtual hosts. */
+    public List<String> getHostList()
+    {
+        return Collections.emptyList();
+    }
+    
+    /**
+     * This setup method checks {@link #getConfig()} and {@link #getHostList()} to initialise the broker with specific
+     * ACL configurations and then runs an optional per-test setup method, which is simply a method with the same name
+     * as the test, but starting with {@code setUp} rather than {@code test}.
+     * 
+     * @see #setUpACLFile(String)
+     * @see org.apache.qpid.test.utils.QpidTestCase#setUp()
+     */
+    @Override
+    public void setUp() throws Exception
+    {
+        if (QpidHome == null)
+        {
+            fail("QPID_HOME not set");
+        }
+
+        // Initialise ACLs.
+        _configFile = new File(QpidHome, "etc" + File.separator + getConfig());
+        
+        // Initialise ACL files
+        for (String virtualHost : getHostList())
+        {
+            setUpACLFile(virtualHost);
+        }
+        
+        // run test specific setup
+        String testSetup = StringUtils.replace(getName(), "test", "setUp");
+        try
+        {
+            Method setup = getClass().getDeclaredMethod(testSetup);
+            setup.invoke(this);
+        }
+        catch (NoSuchMethodException e)
+        {
+            // Ignore
+        }
+        catch (InvocationTargetException e)
+        {
+            throw (Exception) e.getTargetException();
+        }
+        
+        super.setUp();
+    }
+
+    @Override
+    public void tearDown() throws Exception
+    {
+        try
+        {
+            super.tearDown();
+        }
+        catch (JMSException e)
+        {
+            //we're throwing this away as it can happen in this test as the state manager remembers exceptions
+            //that we provoked with authentication failures, where the test passes - we can ignore on con close
+        }
+    }
+    
+    /**
+     * Configures specific ACL files for a virtual host.
+     * 
+     * This method checks for ACL files that exist on the filesystem. If dynamically generatyed ACL files are required in a test, 
+     * then it is easier to use the {@code setUp} prefix on a method to generate the ACL file. In order, this method looks
+     * for three files:
+     * <ol>
+     * <li><em>virtualhost</em>-<em>class</em>-<em>test</em>.txt
+     * <li><em>virtualhost</em>-<em>class</em>.txt
+     * <li><em>virtualhost</em>-default.txt
+     * </ol>
+     * The <em>class</em> and <em>test</em> parts are the test class and method names respectively, with the word {@code test}
+     * removed and the rest of the text converted to lowercase. For example, the test class and method named
+     * {@code org.apache.qpid.test.AccessExampleTest#testExampleMethod} on the {@code testhost} virtualhost would use
+     * one of the following files:
+     * <ol>
+     * <li>testhost-accessexample-examplemethod.txt
+     * <li>testhost-accessexample.txt
+     * <li>testhost-default.txt
+     * </ol>
+     * These files should be copied to the <em>${QPID_HOME}/etc</em> directory when the test is run.
+     * 
+     * @see #writeACLFile(String, String...)
+     */
+    public void setUpACLFile(String virtualHost) throws IOException, ConfigurationException
+    {
+        String path = QpidHome + File.separator + "etc";
+        String className = StringUtils.substringBeforeLast(getClass().getSimpleName().toLowerCase(), "test");
+        String testName = StringUtils.substringAfter(getName(), "test").toLowerCase();
+        
+        File aclFile = new File(path, virtualHost + "-" + className + "-" + testName + ".txt");        
+        if (!aclFile.exists())
+        {
+            aclFile = new File(path, virtualHost + "-" + className + ".txt");      
+            if (!aclFile.exists())
+            {
+                aclFile = new File(path, virtualHost + "-" + "default.txt");
+            }
+        }
+        
+        // Set the ACL file configuration property
+		if (virtualHost.equals("global"))
+		{
+			setConfigurationProperty("security.aclv2", aclFile.getAbsolutePath());
+		}
+		else
+		{
+			setConfigurationProperty("virtualhosts.virtualhost." + virtualHost + ".security.aclv2", aclFile.getAbsolutePath());
+		}
+    }
+
+    public void writeACLFile(String vhost, String...rules) throws ConfigurationException, IOException
+    {
+        File aclFile = File.createTempFile(getClass().getSimpleName(), getName());
+        aclFile.deleteOnExit();
+
+        if ("global".equals(vhost))
+        {
+	        setConfigurationProperty("security.aclv2", aclFile.getAbsolutePath());
+        }
+        else
+        {
+	        setConfigurationProperty("virtualhosts.virtualhost." + vhost + ".security.aclv2", aclFile.getAbsolutePath());
+        }
+
+        PrintWriter out = new PrintWriter(new FileWriter(aclFile));
+        out.println(String.format("# %s", _testName));
+        for (String line : rules)
+        {
+            out.println(line);
+        }
+        out.close();
+    }
+
+    /**
+     * Creates a connection to the broker, and sets a connection listener to prevent failover and an exception listener 
+     * with a {@link CountDownLatch} to synchronise in the {@link #check403Exception(Throwable)} method and allow the
+     * {@link #tearDown()} method to complete properly.
+     */
+    public Connection getConnection(String vhost, String username, String password) throws NamingException, JMSException, URLSyntaxException
+    {
+        AMQConnection connection = (AMQConnection) getConnection(createConnectionURL(vhost, username, password));
+
+        //Prevent Failover
+        connection.setConnectionListener(this);
+        
+        //QPID-2081: use a latch to sync on exception causing connection close, to work 
+        //around the connection close race during tearDown() causing sporadic failures
+        _exceptionReceived = new CountDownLatch(1);
+
+        connection.setExceptionListener(new ExceptionListener()
+        {
+            public void onException(JMSException e)
+            {
+                _exceptionReceived.countDown();
+            }
+        });
+
+        return (Connection) connection;
+    }
+
+    // Connection Listener Interface - Used here to block failover
+
+    public void bytesSent(long count)
+    {
+    }
+
+    public void bytesReceived(long count)
+    {
+    }
+
+    public boolean preFailover(boolean redirect)
+    {
+        //Prevent failover.
+        return false;
+    }
+
+    public boolean preResubscribe()
+    {
+        return false;
+    }
+
+    public void failoverComplete()
+    {
+    }
+
+    /**
+     * Convenience method to build an {@link AMQConnectionURL} with the right parameters.
+     */
+    public AMQConnectionURL createConnectionURL(String vhost, String username, String password) throws URLSyntaxException
+    {
+        String url = "amqp://" + username + ":" + password + "@clientid/" + vhost + "?brokerlist='" + getBroker() + "?retries='0''";
+        return new AMQConnectionURL(url);
+    }
+
+    /**
+     * Convenience method to validate a JMS exception with a linked {@link AMQConstant#ACCESS_REFUSED} 403 error code exception.
+     */
+    public void check403Exception(Throwable t) throws Exception
+    {
+        assertNotNull("There was no linked exception", t);
+        assertTrue("Wrong linked exception type", t instanceof AMQException);
+        assertEquals("Incorrect error code received", 403, ((AMQException) t).getErrorCode().getCode());
+    
+        //use the latch to ensure the control thread waits long enough for the exception thread 
+        //to have done enough to mark the connection closed before teardown commences
+        assertTrue("Timed out waiting for conneciton to report close", _exceptionReceived.await(2, TimeUnit.SECONDS));
+    }
+}
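Review bot: In `setUp()`, `StringUtils.replace(getName(), "test", "setUp")` rewrites every lowercase "test" in the method name, and the resulting `NoSuchMethodException` is ignored, so a test whose name contains a second "test" would run without its per-test ACL setup and exercise a different policy than intended. `StringUtils.replaceOnce` limits the rewrite to the prefix. In the same block, `throw (Exception) e.getTargetException()` fails with a ClassCastException when the setup method throws an `Error`, which likely includes JUnit 3 assertion failures, hiding the real cause. The fence shows both changes.

```java
// … unchanged: QPID_HOME check, _configFile and the setUpACLFile loop …
String testSetup = StringUtils.replaceOnce(getName(), "test", "setUp");
// … unchanged: try block and the NoSuchMethodException catch …
catch (InvocationTargetException e)
{
    // Rethrow the setup method's own failure; an Error (e.g. a failed assertion) must not be cast to Exception
    Throwable cause = e.getTargetException();
    if (cause instanceof Error)
    {
        throw (Error) cause;
    }
    throw (Exception) cause;
}
// … unchanged: super.setUp() …
```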

Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java (added)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExhaustiveACLTest.java Mon May 31 16:03:41 2010
@@ -0,0 +1,195 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.qpid.server.security.acl;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.jms.Connection;
+import javax.jms.Session;
+
+import org.apache.qpid.AMQException;
+import org.apache.qpid.client.AMQSession;
+import org.apache.qpid.framing.AMQShortString;
+import org.apache.qpid.protocol.AMQConstant;
+
+/**
+ * ACL version 2/3 file testing to verify that ACL entries control queue creation with specific properties.
+ * 
+ * Tests have their own ACL files that setup specific permissions, and then try to create queues with every possible combination
+ * of properties to show that rule matching works correctly. For example, a rule that specified {@code autodelete="true"} for
+ * queues with {@link name="temp.true.*"} as well should not affect queues that have names that do not match, or queues that
+ * are not autodelete, or both. Also checks that ACL entries only affect the specified users and virtual hosts.
+ */
+public class ExhaustiveACLTest extends AbstractACLTestCase
+{
+    @Override
+    public String getConfig()
+    {
+        return "config-systests-aclv2.xml";
+    }
+
+    @Override
+    public List<String> getHostList()
+    {
+        return Arrays.asList("test", "test2");
+    }
+	
+    /**
+     * Creates a queue.
+     * 
+     * Connects to the broker as a particular user and create the named queue on a virtual host, with the provided
+     * parameters. Uses a new {@link Connection} and {@link Session} and closes them afterwards.
+     */
+	private void createQueue(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception
+	{
+		Connection conn = getConnection(vhost, user, "guest");	
+		Session sess = conn.createSession(true, Session.SESSION_TRANSACTED);
+		conn.start();
+		((AMQSession<?, ?>) sess).createQueue(new AMQShortString(name), autoDelete, durable, false);
+		sess.commit();
+		conn.close();
+	}
+	
+	/**
+	 * Calls {@link #createQueue(String, String, String, boolean, boolean)} with the provided parameters and checks that
+	 * no exceptions were thrown.
+	 */
+	private void createQueueSuccess(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception
+	{
+		try
+		{
+			createQueue(vhost, user, name, autoDelete, durable);			
+		}
+		catch (AMQException e)
+		{
+			fail(String.format("Create queue should have worked for \"%s\" for user %s@%s, autoDelete=%s, durable=%s",
+                               name, user, vhost, Boolean.toString(autoDelete), Boolean.toString(durable)));
+		}
+	}
+
+	/**
+	 * Calls {@link #createQueue(String, String, String, boolean, boolean)} with the provided parameters and checks that
+	 * the exception thrown was an {@link AMQConstant#ACCESS_REFUSED} or 403 error code. 
+	 */
+	private void createQueueFailure(String vhost, String user, String name, boolean autoDelete, boolean durable) throws Exception
+	{
+		try
+		{
+			createQueue(vhost, user, name, autoDelete, durable);
+			fail(String.format("Create queue should have failed for \"%s\" for user %s@%s, autoDelete=%s, durable=%s",
+                               name, user, vhost, Boolean.toString(autoDelete), Boolean.toString(durable)));
+		}
+		catch (AMQException e)
+		{
+			assertEquals("Should be an ACCESS_REFUSED error", 403, e.getErrorCode().getCode());
+		}
+	}
+	
+    public void setUpAuthoriseCreateQueueAutodelete() throws Exception
+    {
+        writeACLFile("test",
+					 "acl allow client access virtualhost",
+					 "acl allow server access virtualhost",
+					 "acl allow client create queue name=\"temp.true.*\" autodelete=true",
+					 "acl allow client create queue name=\"temp.false.*\" autodelete=false",
+					 "acl deny client create queue",	
+					 "acl allow client delete queue",				 
+					 "acl deny all create queue"
+            );
+    }
+    
+    /**
+     * Test creation of temporary queues, with the autodelete property set to true.
+     */
+    public void testAuthoriseCreateQueueAutodelete() throws Exception
+	{
+		createQueueSuccess("test", "client", "temp.true.00", true, false); 
+		createQueueSuccess("test", "client", "temp.true.01", true, false);
+		createQueueSuccess("test", "client", "temp.true.02", true, true);
+		createQueueSuccess("test", "client", "temp.false.03", false, false); 
+		createQueueSuccess("test", "client", "temp.false.04", false, false);
+		createQueueSuccess("test", "client", "temp.false.05", false, true);
+		createQueueFailure("test", "client", "temp.true.06", false, false); 
+		createQueueFailure("test", "client", "temp.false.07", true, false);
+		createQueueFailure("test", "server", "temp.true.08", true, false); 
+		createQueueFailure("test", "client", "temp.other.09", false, false);
+		createQueueSuccess("test2", "guest", "temp.true.01", false, false); 
+		createQueueSuccess("test2", "guest", "temp.false.02", true, false);
+		createQueueSuccess("test2", "guest", "temp.true.03", true, false); 
+		createQueueSuccess("test2", "guest", "temp.false.04", false, false);
+		createQueueSuccess("test2", "guest", "temp.other.05", false, false);
+    }
+	
+    public void setUpAuthoriseCreateQueue() throws Exception
+    {
+        writeACLFile("test",
+                     "acl allow client access virtualhost",
+                     "acl allow server access virtualhost",
+                     "acl allow client create queue name=\"create.*\""
+            );
+    }
+    
+    /**
+     * Tests creation of named queues.
+     *
+     * If a named queue is specified 
+     */
+    public void testAuthoriseCreateQueue() throws Exception
+    {
+        createQueueSuccess("test", "client", "create.00", true, true);
+        createQueueSuccess("test", "client", "create.01", true, false);
+        createQueueSuccess("test", "client", "create.02", false, true);
+        createQueueSuccess("test", "client", "create.03", true, false); 
+        createQueueFailure("test", "server", "create.04", true, true);
+        createQueueFailure("test", "server", "create.05", true, false);
+        createQueueFailure("test", "server", "create.06", false, true);
+        createQueueFailure("test", "server", "create.07", true, false); 
+        createQueueSuccess("test2", "guest", "create.00", true, true);
+        createQueueSuccess("test2", "guest", "create.01", true, false);
+        createQueueSuccess("test2", "guest", "create.02", false, true);
+        createQueueSuccess("test2", "guest", "create.03", true, false); 
+    }
+	
+    public void setUpAuthoriseCreateQueueBoth() throws Exception
+    {
+        writeACLFile("test",
+                     "acl allow all access virtualhost",
+                     "acl allow client create queue name=\"create.*\"",
+                     "acl allow all create queue temporary=true"
+            );
+    }
+
+    /**
+     * Tests creation of named queues.
+     *
+     * If a named queue is specified 
+     */
+    public void testAuthoriseCreateQueueBoth() throws Exception
+    {
+        createQueueSuccess("test", "client", "create.00", true, false);
+        createQueueSuccess("test", "client", "create.01", false, false);
+        createQueueFailure("test", "server", "create.02", false, false);
+        createQueueFailure("test", "guest", "create.03", false, false); 
+        createQueueSuccess("test", "client", "tmp.00", true, false);
+        createQueueSuccess("test", "server", "tmp.01", true, false); 
+        createQueueSuccess("test", "guest", "tmp.02", true, false);
+        createQueueSuccess("test2", "guest", "create.02", false, false);
+    }
+}
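Review bot: `createQueue` only reaches `conn.close()` when the create and the commit both succeed, so every `createQueueFailure` case leaves its connection open until teardown; the statements after `getConnection` belong in `try { … } finally { conn.close(); }`. In `createQueueFailure` the assertion `403, e.getErrorCode().getCode()` dereferences an error code that may be unset on the exception (AMQException is not shown here, so confirm), and the literal could be `AMQConstant.ACCESS_REFUSED.getCode()`, which would also put the otherwise Javadoc-only `AMQConstant` import to use. `createQueueSuccess` discards the caught exception, so an unexpected refusal reports neither its error code nor its cause; appending `e` to the `fail` message would keep that evidence. In the documentation, `{@link name="temp.true.*"}` in the class Javadoc should be `{@code name="temp.true.*"}`, and the sentence "If a named queue is specified" above `testAuthoriseCreateQueue` and `testAuthoriseCreateQueueBoth` is unfinished.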

Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLFileTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLFileTest.java?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLFileTest.java (added)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLFileTest.java Mon May 31 16:03:41 2010
@@ -0,0 +1,184 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.qpid.server.security.acl;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.jms.Connection;
+import javax.jms.Session;
+
+import org.apache.qpid.client.AMQSession;
+import org.apache.qpid.framing.AMQShortString;
+
+/**
+ * Tests that ACL version 2/3 files following the specification work correctly.
+ * 
+ * ACL lines that are identical in meaning apart from differences allowed by the specification, such as whitespace or case
+ * of tokens are set up for numbered queues and the queues are then created to show that the meaning is correctly parsed by
+ * the plugin.
+ * 
+ * TODO move this to the access-control plugin unit tests instead
+ */
+public class ExternalACLFileTest extends AbstractACLTestCase
+{
+    @Override
+    public String getConfig()
+    {
+        return "config-systests-aclv2.xml";
+    }
+
+    @Override
+    public List<String> getHostList()
+    {
+        return Arrays.asList("test");
+    }
+
+    private void createQueuePrefixList(String prefix, int count)
+    {
+        try
+        {
+            Connection conn = getConnection("test", "client", "guest");
+            Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+            conn.start();
+
+            //Create n queues
+            for (int n = 0; n < count; n++)
+            {
+                AMQShortString queueName = new AMQShortString(String.format("%s.%03d", prefix, n));
+                ((AMQSession<?, ?>) sess).createQueue(queueName, false, false, false);
+            }
+
+            conn.close();
+        }
+        catch (Exception e)
+        {
+            fail("Test failed due to:" + e.getMessage());
+        }
+    }
+
+    private void createQueueNameList(String...queueNames)
+    {
+        try
+        {
+            Connection conn = getConnection("test", "client", "guest");
+            Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+            conn.start();
+
+            //Create all queues
+            for (String queueName : queueNames)
+            {
+                ((AMQSession<?, ?>) sess).createQueue(new AMQShortString(queueName), false, false, false);
+            }
+
+            conn.close();
+        }
+        catch (Exception e)
+        {
+            fail("Test failed due to:" + e.getMessage());
+        }
+    }
+
+    public void setUpCreateQueueMixedCase() throws Exception
+    {
+        writeACLFile(
+            "test",
+            "acl allow client create queue name=mixed.000",
+            "ACL ALLOW client CREATE QUEUE NAME=mixed.001",
+            "Acl Allow client Create Queue Name=mixed.002",
+            "aCL aLLOW client cREATE qUEUE nAME=mixed.003",
+            "aCl AlLoW client cReAtE qUeUe NaMe=mixed.004"
+        );
+    }
+
+    public void testCreateQueueMixedCase()
+    {
+        createQueuePrefixList("mixed", 5);
+    }
+
+    public void setUpCreateQueueContinuation() throws Exception
+    {
+        writeACLFile(
+            "test",
+            "acl allow client create queue name=continuation.000",
+            "acl allow client create queue \\",
+            "   name=continuation.001",
+            "acl allow client \\",
+            "   create queue \\",
+            "   name=continuation.002",
+            "acl allow \\",
+            "   client \\",
+            "   create queue \\",
+            "   name=continuation.003",
+            "acl \\",
+            "   allow \\",
+            "   client \\",
+            "   create queue \\",
+            "   name=continuation.004"
+        );
+    }
+
+    public void testCreateQueueContinuation()
+    {
+        createQueuePrefixList("continuation", 5);
+    }
+
+    public void setUpCreateQueueWhitespace() throws Exception
+    {
+        writeACLFile(
+            "test",
+            "acl allow client create queue name=whitespace.000",
+            "acl\tallow\tclient\tcreate\tqueue\tname=whitespace.001",
+            "acl allow client create queue name = whitespace.002",
+            "acl\tallow\tclient\tcreate\tqueue\tname\t=\twhitespace.003",
+            "acl   allow\t\tclient\t   \tcreate\t\t queue\t \t name  \t =\t \twhitespace.004"
+        );
+    }
+
+    public void testCreateQueueWhitespace()
+    {
+        createQueuePrefixList("whitespace", 5);
+    }
+
+    public void setUpCreateQueueQuoting() throws Exception
+    {
+        writeACLFile(
+            "test",
+            "acl allow client create queue name='quoting.ABC.000'",
+            "acl allow client create queue name='quoting.*.000'",
+            "acl allow client create queue name='quoting.#.000'",
+            "acl allow client create queue name='quoting. .000'",
+            "acl allow client create queue name='quoting.!@$%.000'"
+        );
+    }
+
+    public void testCreateQueueQuoting()
+    {
+        createQueueNameList( 
+            "quoting.ABC.000",
+            "quoting.*.000",
+            "quoting.#.000",
+            "quoting. .000",
+            "quoting.!@$%.000"
+        );
+    }
+}
+
+
+
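Review bot: None of the four tests has a negative control: each one only creates queues that its ACL file allows, so they would all still pass if the file were ignored or mis-parsed and the broker permitted the create anyway (what happens to an unmatched create under this configuration is not visible here). Each test should also attempt one name that is absent from its file and expect the 403 refusal, as `createQueueFailure` in ExhaustiveACLTest does. The helper below would need `org.apache.qpid.AMQException` imported, plus an explicit deny rule in the file if unmatched requests are not refused by default. The same gap means `testCreateQueueQuoting` cannot show whether `'quoting.*.000'` was read as a literal name or as a pattern. Separately, both existing helpers catch `Exception` and report only `e.getMessage()`, losing the exception type and stack trace, and they skip `conn.close()` when a create fails.

```java
    // … unchanged: createQueuePrefixList, createQueueNameList …

    private void assertCreateQueueRefused(String queueName) throws Exception
    {
        Connection conn = getConnection("test", "client", "guest");
        try
        {
            Session sess = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            conn.start();
            ((AMQSession<?, ?>) sess).createQueue(new AMQShortString(queueName), false, false, false);
            fail("Queue create should have been refused for " + queueName);
        }
        catch (AMQException e)
        {
            assertEquals("Should be an ACCESS_REFUSED error", 403, e.getErrorCode().getCode());
        }
        finally
        {
            conn.close();
        }
    }

    public void testCreateQueueMixedCase() throws Exception
    {
        createQueuePrefixList("mixed", 5);
        // mixed.005 has no rule in the file written by setUpCreateQueueMixedCase
        assertCreateQueueRefused("mixed.005");
    }

    // … unchanged: the continuation, whitespace and quoting tests, each extended the same way …
```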

Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLJMXTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLJMXTest.java?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLJMXTest.java (added)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLJMXTest.java Mon May 31 16:03:41 2010
@@ -0,0 +1,244 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+*  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package org.apache.qpid.server.security.acl;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.qpid.AMQConnectionClosedException;
+import org.apache.qpid.AMQException;
+import org.apache.qpid.AMQSecurityException;
+import org.apache.qpid.protocol.AMQConstant;
+import org.apache.qpid.test.utils.JMXTestUtils;
+
+/**
+ * Tests that ACL entries that apply to AMQP objects also apply when those objects are accessed via JMX.
+ */
+public class ExternalACLJMXTest extends AbstractACLTestCase
+{
+    private JMXTestUtils _jmx;
+    
+    private static final String QUEUE_NAME = "kipper";
+    private static final String EXCHANGE_NAME = "amq.kipper";
+    
+    @Override
+    public String getConfig()
+    {
+        return "config-systests-aclv2.xml";
+    }
+
+    @Override
+    public List<String> getHostList()
+    {
+        return Arrays.asList("test");
+    }
+
+    @Override
+    public void setUp() throws Exception
+    {
+        _jmx = new JMXTestUtils(this, "admin", "admin");
+        _jmx.setUp();
+        super.setUp();
+        _jmx.open();
+    }
+    
+    @Override
+    public void tearDown() throws Exception
+    {
+        _jmx.close();
+        super.tearDown();
+    }
+
+    // test-externalacljmx.txt
+    // create queue owner=client # success
+    public void testCreateClientQueueSuccess() throws Exception
+    {   
+        //Queue Parameters
+        String queueOwner = "client";
+        
+        _jmx.createQueue("test", QUEUE_NAME, queueOwner, true);
+    }
+
+    // test-externalacljmx.txt
+    // create queue owner=client # failure
+    public void testCreateServerQueueFailure() throws Exception
+    {   
+        //Queue Parameters
+        String queueOwner = "server";
+        
+        try
+        {
+            _jmx.createQueue("test", QUEUE_NAME, queueOwner, true);
+            
+            fail("Queue create should fail");
+        }
+        catch (Exception e)
+        {
+            assertNotNull("Cause is not set", e.getCause());
+            assertEquals("Cause message incorrect",
+                    "org.apache.qpid.AMQSecurityException: Permission denied: queue-name 'kipper' [error code 403: access refused]", e.getCause().getMessage());
+        }
+    }
+
+    // no create queue acl in file # failure
+    public void testCreateQueueFailure() throws Exception
+    {   
+        //Queue Parameters
+        String queueOwner = "guest";
+        
+        try
+        {
+            _jmx.createQueue("test", QUEUE_NAME, queueOwner, true);
+            
+            fail("Queue create should fail");
+        }
+        catch (Exception e)
+        {
+            assertNotNull("Cause is not set", e.getCause());
+            assertEquals("Cause message incorrect",
+                    "org.apache.qpid.AMQSecurityException: Permission denied: queue-name 'kipper' [error code 403: access refused]", e.getCause().getMessage());
+        }
+    }
+
+    // test-externalacljmx.txt
+    // allow create exchange name=amq.kipper.success
+    public void testCreateExchangeSuccess() throws Exception
+    {   
+        _jmx.createExchange("test", EXCHANGE_NAME + ".success", "direct", true);
+    }
+
+    // test-externalacljmx.txt
+    // deny create exchange name=amq.kipper.failure
+    public void testCreateExchangeFailure() throws Exception
+    {   
+        try
+        {
+            _jmx.createExchange("test", EXCHANGE_NAME + ".failure", "direct", true);
+            
+            fail("Exchange create should fail");
+        }
+        catch (Exception e)
+        {
+            assertNotNull("Cause is not set", e.getCause());
+            assertEquals("Cause message incorrect",
+                    "org.apache.qpid.AMQSecurityException: Permission denied: exchange-name 'amq.kipper.failure' [error code 403: access refused]", e.getCause().getMessage());
+        }
+    }
+
+    // test-externalacljmx.txt
+    // allow create exchange name=amq.kipper.success
+    // allow delete exchange name=amq.kipper.success
+    public void testDeleteExchangeSuccess() throws Exception
+    {   
+        _jmx.createExchange("test", EXCHANGE_NAME + ".success", "direct", true);
+        _jmx.unregisterExchange("test", EXCHANGE_NAME + ".success");
+    }
+
+    // test-externalacljmx-deleteexchangefailure.txt
+    // allow create exchange name=amq.kipper.delete
+    // deny delete exchange name=amq.kipper.delete
+    public void testDeleteExchangeFailure() throws Exception
+    {   
+        _jmx.createExchange("test", EXCHANGE_NAME + ".delete", "direct", true);
+        try
+        {
+            _jmx.unregisterExchange("test", EXCHANGE_NAME + ".delete");
+            
+            fail("Exchange delete should fail");
+        }
+        catch (Exception e)
+        {
+            assertNotNull("Cause is not set", e.getCause());
+            assertEquals("Cause message incorrect",
+                    "org.apache.qpid.AMQSecurityException: Permission denied [error code 403: access refused]", e.getCause().getMessage());
+        }
+    }
+    
+    /**
+     * admin user has JMX right but not AMQP
+     */
+    public void setUpCreateQueueJMXRights() throws Exception
+    {
+        writeACLFile("test",
+                "ACL ALLOW admin EXECUTE METHOD component=\"VirtualHost.VirtualHostManager\" name=\"createNewQueue\"",
+			    "ACL DENY admin CREATE QUEUE");
+    }
+    
+    public void testCreateQueueJMXRights() throws Exception
+    {
+        try
+        {
+            _jmx.createQueue("test", QUEUE_NAME, "admin", true);
+            
+            fail("Queue create should fail");
+        }
+        catch (Exception e)
+        {
+            assertNotNull("Cause is not set", e.getCause());
+            assertEquals("Cause message incorrect",
+                    "org.apache.qpid.AMQSecurityException: Permission denied: queue-name 'kipper' [error code 403: access refused]", e.getCause().getMessage());
+        }
+    }
+
+    /**
+     * admin user has AMQP right but not JMX
+     */
+    public void setUpCreateQueueAMQPRights() throws Exception
+    {
+        writeACLFile("test",
+	    		"ACL DENY admin EXECUTE METHOD component=\"VirtualHost.VirtualHostManager\" name=\"createNewQueue\"",
+	    		"ACL ALLOW admin CREATE QUEUE");
+    }
+    
+    public void testCreateQueueAMQPRights() throws Exception
+    {
+        try
+        {
+            _jmx.createQueue("test", QUEUE_NAME, "admin", true);
+            
+            fail("Queue create should fail");
+        }
+        catch (Exception e)
+        {
+            assertEquals("Cause message incorrect", "Permission denied: Execute createNewQueue", e.getMessage());
+        }
+    }
+
+    /**
+     * admin has both JMX and AMQP rights
+     */
+    public void setUpCreateQueueJMXAMQPRights() throws Exception
+    {
+        writeACLFile("test",
+                    "ACL ALLOW admin EXECUTE METHOD component=\"VirtualHost.VirtualHostManager\" name=\"createNewQueue\"",
+                    "ACL ALLOW admin CREATE QUEUE");
+    }
+    
+    public void testCreateQueueJMXAMQPRights() throws Exception
+    {
+        try
+        {
+            _jmx.createQueue("test", QUEUE_NAME, "admin", true);
+        }
+        catch (Exception e)
+        {
+            fail("Queue create should succeed: " + e.getCause().getMessage());
+        }
+    }
+}
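Review bot: In `testCreateQueueJMXAMQPRights` the catch block builds its message from `e.getCause().getMessage()`, which throws a NullPointerException whenever the exception has no cause and so hides the real failure; `fail("Queue create should succeed: " + e);` avoids that. `testCreateQueueAMQPRights` in the same file already expects a denial reported through `e.getMessage()` alone, so a cause is not guaranteed. `tearDown` skips `super.tearDown()` if `_jmx.close()` throws, so it should read `try { _jmx.close(); } finally { super.tearDown(); }`. The denial tests compare whole message strings, which ties them to the exact wording, while `AMQSecurityException`, `AMQException`, `AMQConstant` and `AMQConnectionClosedException` are imported but never used in this file. Checking the cause's type or error code, if the JMX layer preserves it, would be a sturdier assertion.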

Copied: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java (from r949780, qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Accessable.java)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java?p2=qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java&p1=qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Accessable.java&r1=949780&r2=949781&rev=949781&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/security/access/Accessable.java (original)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java Mon May 31 16:03:41 2010
@@ -4,7 +4,7 @@
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
- *  "License"); you may not use this file except in compliance
+*  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
@@ -14,14 +14,24 @@
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License.    
- *
- * 
+ *  under the License.
  */
-package org.apache.qpid.server.security.access;
+package org.apache.qpid.server.security.acl;
+
+import java.util.Arrays;
+import java.util.List;
 
-public interface Accessable
+public class ExternalACLTest extends SimpleACLTest
 {
-    void setAccessableName(String name);
-    String getAccessableName();    
+    @Override
+    public String getConfig()
+    {
+        return "config-systests-aclv2.xml";
+    }
+
+    @Override
+    public List<String> getHostList()
+    {
+        return Arrays.asList("test", "test2");
+    }
 }
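Review bot: `ExternalACLTest` has no class comment, and with only `getConfig` and `getHostList` overridden a reader cannot tell what it adds over `SimpleACLTest`. A short Javadoc would help, such as `/** Runs the inherited {@link SimpleACLTest} cases with config-systests-aclv2.xml and the virtual hosts "test" and "test2". */`, assuming the inherited test methods are what this subclass is meant to re-run. The first hunk of this section also changes the license header line ` *  "License"` to `*  "License"`, dropping the leading space; the same misaligned line appears in the new ExternalACLJMXTest.java header.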

Added: qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalAdminACLTest.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalAdminACLTest.java?rev=949781&view=auto
==============================================================================
--- qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalAdminACLTest.java (added)
+++ qpid/trunk/qpid/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalAdminACLTest.java Mon May 31 16:03:41 2010
@@ -0,0 +1,186 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.    
+ *
+ * 
+ */
+package org.apache.qpid.server.security.acl;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.qpid.server.logging.management.LoggingManagementMBean;
+import org.apache.qpid.test.utils.JMXTestUtils;
+
+/**
+ * Tests that ACLs can be applied to mangement operations that do not correspond to a specific AMQP object.
+ * 
+ * Theses tests use the logging component, exposed as the {@link LoggingManagementMBean}, to get and set properties.
+ */
+public class ExternalAdminACLTest extends AbstractACLTestCase
+{
+    private static final String CATEGORY_PRIORITY = "LogManMBeanTest.category.priority";
+    private static final String CATEGORY_LEVEL = "LogManMBeanTest.category.level";
+    private static final String LOGGER_LEVEL = "LogManMBeanTest.logger.level";
+	
+    private static final String NEWLINE = System.getProperty("line.separator");
+		
+    private JMXTestUtils _jmx;
+    private File _testConfigFile;
+    
+    @Override
+	public String getConfig()
+    {
+		return "config-systests-aclv2.xml";
+    }
+	
+    @Override
+	public List<String> getHostList()
+    {
+		return Arrays.asList("global");
+    }
+	
+    @Override
+	public void setUp() throws Exception
+    {
+		_testConfigFile = createTempTestLog4JConfig();
+		
+        _jmx = new JMXTestUtils(this, "admin", "admin");
+        _jmx.setUp();
+        super.setUp();
+        _jmx.open();
+    }
+    
+	@Override
+    public void tearDown() throws Exception
+    {
+        _jmx.close();
+		super.tearDown();
+    }
+	
+    private File createTempTestLog4JConfig()
+    {
+        File tmpFile = null;
+        try
+        {
+            tmpFile = File.createTempFile("LogManMBeanTestLog4jConfig", ".tmp");
+            tmpFile.deleteOnExit();
+
+            FileWriter fstream = new FileWriter(tmpFile);
+            BufferedWriter writer = new BufferedWriter(fstream);
+
+            writer.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"+NEWLINE);
+            writer.write("<!DOCTYPE log4j:configuration SYSTEM \"log4j.dtd\">"+NEWLINE);
+
+            writer.write("<log4j:configuration xmlns:log4j=\"http://jakarta.apache.org/log4j/\" debug=\"null\" " +
+            		                                                                "threshold=\"null\">"+NEWLINE);
+
+            writer.write("  <appender class=\"org.apache.log4j.ConsoleAppender\" name=\"STDOUT\">"+NEWLINE);
+            writer.write("      <layout class=\"org.apache.log4j.PatternLayout\">"+NEWLINE);
+            writer.write("          <param name=\"ConversionPattern\" value=\"%d %-5p [%t] %C{2} (%F:%L) - %m%n\"/>"+NEWLINE);
+            writer.write("      </layout>"+NEWLINE);
+            writer.write("  </appender>"+NEWLINE);
+
+            //Example of a 'category' with a 'priority'
+            writer.write("  <category additivity=\"true\" name=\"" + CATEGORY_PRIORITY +"\">"+NEWLINE);
+            writer.write("      <priority value=\"info\"/>"+NEWLINE);
+            writer.write("      <appender-ref ref=\"STDOUT\"/>"+NEWLINE);
+            writer.write("  </category>"+NEWLINE);
+
+            //Example of a 'category' with a 'level'
+            writer.write("  <category additivity=\"true\" name=\"" + CATEGORY_LEVEL +"\">"+NEWLINE);
+            writer.write("      <level value=\"warn\"/>"+NEWLINE);
+            writer.write("      <appender-ref ref=\"STDOUT\"/>"+NEWLINE);
+            writer.write("  </category>"+NEWLINE);
+
+            //Example of a 'logger' with a 'level'
+            writer.write("  <logger additivity=\"true\" name=\"" + LOGGER_LEVEL + "\">"+NEWLINE);
+            writer.write("      <level value=\"error\"/>"+NEWLINE);
+            writer.write("      <appender-ref ref=\"STDOUT\"/>"+NEWLINE);
+            writer.write("  </logger>"+NEWLINE);
+
+            //'root' logger
+            writer.write("  <root>"+NEWLINE);
+            writer.write("      <priority value=\"info\"/>"+NEWLINE);
+            writer.write("      <appender-ref ref=\"STDOUT\"/>"+NEWLINE);
+            writer.write("  </root>"+NEWLINE);
+
+            writer.write("</log4j:configuration>"+NEWLINE);
+
+            writer.flush();
+            writer.close();
+        }
+        catch (IOException e)
+        {
+            fail("Unable to create temporary test log4j configuration");
+        }
+
+        return tmpFile;
+    }
+	
+	public void testGetAllLoggerLevels() throws Exception
+	{
+		String[] levels = _jmx.getAvailableLoggerLevels();				
+		for (int i = 0; i < levels.length; i++)
+		{
+			System.out.println(levels[i]);
+		}
+		assertEquals("Got incorrect number of log levels", 9, levels.length);
+	}
+	
+	public void testGetAllLoggerLevelsDenied() throws Exception
+	{
+		try
+		{
+			_jmx.getAvailableLoggerLevels();
+			fail("Got list of log levels");
+		}
+		catch (Exception e)
+		{
+			// Exception throws
+			e.printStackTrace();
+			assertEquals("Permission denied: Access getAvailableLoggerLevels", e.getMessage());			
+		}
+	}
+		
+	public void testChangeLoggerLevel() throws Exception
+	{			
+		String oldLevel = _jmx.getRuntimeRootLoggerLevel();
+		System.out.println("old level = " + oldLevel);
+		_jmx.setRuntimeRootLoggerLevel("DEBUG"); 
+		String newLevel = _jmx.getRuntimeRootLoggerLevel();
+		System.out.println("new level = " + newLevel);
+		assertEquals("Logging level was not changed", "DEBUG", newLevel);
+	}
+	
+	public void testChangeLoggerLevelDenied() throws Exception
+	{
+		try
+		{
+			_jmx.setRuntimeRootLoggerLevel("DEBUG"); 
+			fail("Logging level was changed");
+		}
+		catch (Exception e)
+		{
+			assertEquals("Permission denied: Update setRuntimeRootLoggerLevel", e.getMessage());
+		}
+	}
+}
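Review bot: Nothing in this file distinguishes the allowed tests from the denied ones: all four connect through the same `new JMXTestUtils(this, "admin", "admin")` in setUp() under the same `config-systests-aclv2.xml`, so the rule that makes testGetAllLoggerLevelsDenied and testChangeLoggerLevelDenied expect "Permission denied" cannot be traced from here. Presumably AbstractACLTestCase installs per-test ACL rules; the class Javadoc should say where they come from, e.g. `Per-test ACL rules are supplied by <mechanism in AbstractACLTestCase>; the *Denied tests rely on a rule denying admin that operation.` Separately, `_testConfigFile` is assigned in setUp() but never read, so createTempTestLog4JConfig() (which also leaves its writer open if a write throws) looks like leftover code and could be dropped. testChangeLoggerLevel reads `oldLevel` but never restores it; wrapping the body in `try { … } finally { _jmx.setRuntimeRootLoggerLevel(oldLevel); }` would keep the DEBUG level from leaking into later tests if the broker outlives this one.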



---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org

