qpid-commits mailing list archives

From kw...@apache.org
Subject [1/4] qpid-broker-j git commit: QPID-7923: [Java Broker] [ACL] Ensure that a failure to authorise a method call respects the access control default.
Date Wed, 27 Sep 2017 13:12:52 GMT
Repository: qpid-broker-j
Updated Branches:
  refs/heads/master f61b8b903 -> d8613a623


QPID-7923: [Java Broker] [ACL] Ensure that a failure to authorise a method call respects the
access control default.

Also added the existing COMPONENT property to the match criteria when considering method authorisations.


Project: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/commit/9c44860d
Tree: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/tree/9c44860d
Diff: http://git-wip-us.apache.org/repos/asf/qpid-broker-j/diff/9c44860d

Branch: refs/heads/master
Commit: 9c44860df5485f1c45474dbc86793f61effa1077
Parents: f61b8b9
Author: Keith Wall <kwall@apache.org>
Authored: Wed Sep 27 11:35:36 2017 +0100
Committer: Keith Wall <kwall@apache.org>
Committed: Wed Sep 27 11:35:55 2017 +0100

----------------------------------------------------------------------
 .../config/LegacyAccessControlAdapter.java      | 41 ++++++++++++++------
 .../config/LegacyAccessControlAdapterTest.java  | 12 +++---
 2 files changed, 37 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/9c44860d/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
index 34a3d5a..57a7e19 100644
--- a/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
+++ b/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapter.java
@@ -33,8 +33,10 @@ import static org.apache.qpid.server.security.access.config.ObjectType.QUEUE;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import org.apache.qpid.server.message.MessageDestination;
 import org.apache.qpid.server.model.*;
@@ -331,10 +333,6 @@ class LegacyAccessControlAdapter
             {
                 return _accessControl.authorise(LegacyOperation.ACCESS, ObjectType.MANAGEMENT,
ObjectProperties.EMPTY);
             }
-            else if("CONFIGURE".equals(actionName) || "SHUTDOWN".equals(actionName))
-            {
-                return _accessControl.authorise(LegacyOperation.valueOf(actionName), ObjectType.BROKER,
ObjectProperties.EMPTY);
-            }
         }
         else if(categoryClass == Queue.class)
         {
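Review bot: Removing the `CONFIGURE`/`SHUTDOWN` branch means broker actions with those names are no longer mapped to `LegacyOperation.valueOf(actionName)` on `ObjectType.BROKER`; presumably they now fall through to the method-based path further down and end in the default result, but nothing in the hunk records that intent. A one-line comment where the branch was, e.g. `// CONFIGURE/SHUTDOWN are authorised through the generic method path below`, would stop a later reader from re-adding the special case. The enclosing method begins before this hunk.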
@@ -381,7 +379,7 @@ class LegacyAccessControlAdapter
                 VirtualHost virtualHost = queue.getVirtualHost();
                 final String virtualHostName = virtualHost.getName();
                 properties.setName(methodName);
-                properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
+                properties.put(ObjectProperties.Property.COMPONENT, buildHierarchicalCategoryName(queue,
virtualHost));
                 properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHostName);
                 return _accessControl.authorise(LegacyOperation.UPDATE, METHOD, properties);
             }
@@ -411,8 +409,7 @@ class LegacyAccessControlAdapter
             }
         }
 
-        //TODO: add check for VH#messagePublish
-        return Result.DENIED;
+        return invokeResult;
     }
 
     private ObjectProperties createObjectPropertiesForMethod(final PermissionedObject permissionedObject,
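Review bot: `return invokeResult;` is now the outcome for every method call the preceding branches did not match, yet `invokeResult` is assigned outside the hunk, so a reader cannot tell here whether it carries the access-control default or the result of an earlier `authorise()` call. A short comment on that line, `// unmatched methods fall back to the access-control default`, would tie the code to the behaviour the commit message promises; if the variable instead holds an earlier authorise() result, the comment should say so. The enclosing method starts before this hunk.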
@@ -424,19 +421,41 @@ class LegacyAccessControlAdapter
         if (permissionedObject instanceof ConfiguredObject<?>)
         {
             ConfiguredObject<?> configuredObject = ((ConfiguredObject) permissionedObject);
-            VirtualHost virtualHost = configuredObject.getModel()
-                                                      .getAncestor(VirtualHost.class,
-                                                                   configuredObject.getCategoryClass(),
-                                                                   configuredObject);
+            Model model = configuredObject.getModel();
+            VirtualHost<?> virtualHost = model.getAncestor(VirtualHost.class, configuredObject);
+
+            final String componentName;
             if (virtualHost != null)
             {
                 properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, virtualHost.getName());
+                componentName = buildHierarchicalCategoryName(configuredObject, virtualHost);
             }
+            else
+            {
+                componentName = buildHierarchicalCategoryName(configuredObject, model.getAncestor(Broker.class,
configuredObject));
+            }
+            properties.put(ObjectProperties.Property.COMPONENT, componentName);
         }
 
         return properties;
     }
 
+    private String buildHierarchicalCategoryName(final ConfiguredObject<?> configuredObject,
final ConfiguredObject<?> significantAncestor)
+    {
+        LinkedList<String> hierarchicalName = new LinkedList<>();
+
+        ConfiguredObject<?> current = configuredObject;
+        hierarchicalName.add(configuredObject.getCategoryClass().getSimpleName());
+
+        while (current != null && significantAncestor != current)
+        {
+            ConfiguredObject<?> parent = configuredObject.getParent();
+            hierarchicalName.add(0, parent.getCategoryClass().getSimpleName());
+            current = parent;
+        }
+        return hierarchicalName.stream().collect(Collectors.joining("."));
+    }
+
     private ObjectProperties createObjectPropertiesForExchangeBind(final Map<String, Object>
arguments,
                                                                    final PermissionedObject
configuredObject)
     {
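Review bot: In `buildHierarchicalCategoryName` the loop reads `configuredObject.getParent()` instead of `current.getParent()`, so `current` never advances beyond the immediate parent; when `significantAncestor` is not the direct parent the loop never terminates and keeps prepending the same category name, and when the object has no parent at all the `parent.getCategoryClass()` call throws NullPointerException. The `else` branch in `createObjectPropertiesForMethod` passes `model.getAncestor(Broker.class, configuredObject)` as the ancestor, which presumably can be null for the Broker itself, so the walk also needs to stop at the root rather than rely on reaching the ancestor. Both call sites on this page (the queue path in the earlier hunk and this one) happen to use a direct parent, which is why the tests pass. The loop should advance from `current` and break on a null parent.
```java
    private String buildHierarchicalCategoryName(final ConfiguredObject<?> configuredObject,
                                                 final ConfiguredObject<?> significantAncestor)
    {
        // … unchanged: list initialised with configuredObject's own category name …
        ConfiguredObject<?> current = configuredObject;
        while (current != null && significantAncestor != current)
        {
            // walk from the node reached so far, not from the original object, so the loop terminates
            ConfiguredObject<?> parent = current.getParent();
            if (parent == null)
            {
                // reached the model root without meeting significantAncestor (e.g. a null ancestor)
                break;
            }
            hierarchicalName.addFirst(parent.getCategoryClass().getSimpleName());
            current = parent;
        }
        // … unchanged: join with "." …
    }
```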

http://git-wip-us.apache.org/repos/asf/qpid-broker-j/blob/9c44860d/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
----------------------------------------------------------------------
diff --git a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
index 1604e05..0efedb7 100644
--- a/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
+++ b/broker-plugins/access-control/src/test/java/org/apache/qpid/server/security/access/config/LegacyAccessControlAdapterTest.java
@@ -61,22 +61,23 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
     {
         super.setUp();
         _accessControl = mock(LegacyAccessControl.class);
+        _model = BrokerModel.getInstance();
+        _broker = mock(Broker.class);
+        _virtualHostNode = getMockVirtualHostNode();
         _virtualHost = mock(QueueManagingVirtualHost.class);
-
+        when(_virtualHost.getParent()).thenReturn(_broker);
 
         when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST);
         when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
-        _model = BrokerModel.getInstance();
         when(_virtualHost.getModel()).thenReturn(_model);
+        doReturn(_virtualHostNode).when(_virtualHost).getParent();
         doReturn(VirtualHost.class).when(_virtualHost).getCategoryClass();
 
-        _broker = mock(Broker.class);
         when(_broker.getCategoryClass()).thenReturn(Broker.class);
         when(_broker.getName()).thenReturn("My Broker");
         when(_broker.getAttribute(Broker.NAME)).thenReturn("My Broker");
         when(_broker.getModel()).thenReturn(BrokerModel.getInstance());
 
-        _virtualHostNode = getMockVirtualHostNode();
 
         _adapter = new LegacyAccessControlAdapter(_accessControl, BrokerModel.getInstance());
     }
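Review bot: `_virtualHost.getParent()` is stubbed twice with different answers — the new `when(_virtualHost.getParent()).thenReturn(_broker);` right after the mock is created, and `doReturn(_virtualHostNode).when(_virtualHost).getParent();` a few lines later — so the first stub is dead and the fixture silently reports the virtual host node as the parent. Keep only the stub that reflects the intended topology so the hierarchy used by the COMPONENT expectations is stated once. The enclosing setUp() starts before this hunk.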
@@ -665,6 +666,7 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
         properties.put(ObjectProperties.Property.NAME, TEST_QUEUE);
         properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
         properties.put(ObjectProperties.Property.VIRTUALHOST_NAME, _virtualHost.getName());
+        properties.put(ObjectProperties.Property.COMPONENT, "VirtualHost.Queue");
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.QUEUE),
@@ -681,10 +683,10 @@ public class LegacyAccessControlAdapterTest extends QpidTestCase
         String methodName = "getStatistics";
         VirtualHostNode<?> virtualHostNode = _virtualHostNode;
 
-
         ObjectProperties properties = new ObjectProperties();
         properties.put(ObjectProperties.Property.NAME, virtualHostNode.getName());
         properties.put(ObjectProperties.Property.METHOD_NAME, methodName);
+        properties.put(ObjectProperties.Property.COMPONENT, "Broker.VirtualHostNode");
 
         when(_accessControl.authorise(same(LegacyOperation.INVOKE),
                                       same(ObjectType.VIRTUALHOSTNODE),
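Review bot: The two new COMPONENT expectations, "VirtualHost.Queue" in the previous hunk and "Broker.VirtualHostNode" here, both use an object whose significant ancestor is its direct parent, so the ancestor walk in `buildHierarchicalCategoryName` is never driven past one level. A test with a mocked object whose parent is not the significant ancestor, and one where no ancestor is found, would cover the loop's termination path, which is where a bug in that walk would surface. The enclosing test method starts before this hunk.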



