@Override
public Object[] getRoles() throws Exception {
   // Management view of the security settings that match this address. Each
   // element is itself an Object[] row laid out as
   // {name, send, consume, createDurableQueue, deleteDurableQueue,
   //  createNonDurableQueue, deleteNonDurableQueue, manage}.
   // The column order is part of the management API contract — keep it stable.
   final CheckType[] columns = {
      CheckType.SEND,
      CheckType.CONSUME,
      CheckType.CREATE_DURABLE_QUEUE,
      CheckType.DELETE_DURABLE_QUEUE,
      CheckType.CREATE_NON_DURABLE_QUEUE,
      CheckType.DELETE_NON_DURABLE_QUEUE,
      CheckType.MANAGE
   };
   clearIO();
   try {
      final Set<Role> matched = securityRepository.getMatch(addressInfo.getName().toString());
      final Object[] rows = new Object[matched.size()];
      int rowIndex = 0;
      for (final Role role : matched) {
         final Object[] cells = new Object[columns.length + 1];
         cells[0] = role.getName();
         for (int col = 0; col < columns.length; col++) {
            cells[col + 1] = columns[col].hasRole(role);
         }
         rows[rowIndex++] = cells;
      }
      return rows;
   } finally {
      blockOnIO();
   }
}
private boolean checkCached(final SimpleString dest, final String user, final CheckType checkType) {
   // Positive-only authorization cache lookup keyed by "<user>.<checkType>".
   // Returns true solely on a cache hit for this destination. A false result
   // means "no positive entry" — either a genuine miss or a cache that was just
   // invalidated because invalidationInterval elapsed — not an explicit denial.
   // NOTE(review): lastCheck is read and written here without synchronization;
   // confirm that callers serialize access or that a stale value is acceptable.
   final long now = System.currentTimeMillis();
   if (now - lastCheck > invalidationInterval) {
      // Interval expired: drop every cached grant and report a miss.
      invalidateCache();
      lastCheck = now;
      return false;
   }
   final ConcurrentHashSet<SimpleString> grantedDests = cache.get(user + "." + checkType.name());
   return grantedDests != null && grantedDests.contains(dest);
}
props.putSimpleStringProperty(ManagementHelper.HDR_CHECK_TYPE, new SimpleString(checkType.toString())); props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(user)); ConcurrentHashSet<SimpleString> act = cache.putIfAbsent(user + "." + checkType.name(), set); if (act != null) { set = act;
@Test
public void testSECURITY_PERMISSION_VIOLATION() throws Exception {
   final SimpleString queue = RandomUtil.randomSimpleString();
   final SimpleString address = RandomUtil.randomSimpleString();

   // guest can not create queue: the third constructor flag (create durable queue) is off.
   final Role role = new Role("roleCanNotCreateQueue", true, true, false, true, false, true, true, true, true, true);
   final Set<Role> roles = new HashSet<>();
   roles.add(role);
   server.getSecurityRepository().addMatch(address.toString(), roles);

   final ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
   securityManager.getConfiguration().addRole("guest", "roleCanNotCreateQueue");

   // Discard anything already queued so the assertions below only see the violation.
   SecurityNotificationTest.flush(notifConsumer);

   final ServerLocator locator = createInVMNonHALocator();
   final ClientSessionFactory sf = createSessionFactory(locator);
   final ClientSession guestSession = sf.createSession("guest", "guest", false, true, true, false, 1);
   try {
      guestSession.createQueue(address, queue, true);
      // Assert.fail throws an AssertionError (an Error, not an Exception), so the
      // catch below cannot mask a missing rejection.
      Assert.fail("session creation must fail and a notification of security violation must be sent");
   } catch (Exception ignored) {
      // expected: the broker rejects durable queue creation for this role
   }

   final ClientMessage[] notifications = SecurityNotificationTest.consumeMessages(1, notifConsumer);
   final ClientMessage violation = notifications[0];
   Assert.assertEquals(SECURITY_PERMISSION_VIOLATION.toString(), violation.getObjectProperty(ManagementHelper.HDR_NOTIFICATION_TYPE).toString());
   Assert.assertEquals("guest", violation.getObjectProperty(ManagementHelper.HDR_USER).toString());
   Assert.assertEquals(address.toString(), violation.getObjectProperty(ManagementHelper.HDR_ADDRESS).toString());
   Assert.assertEquals(CheckType.CREATE_DURABLE_QUEUE.toString(), violation.getObjectProperty(ManagementHelper.HDR_CHECK_TYPE).toString());

   guestSession.close();
}
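@Override
public Object[] getRoles(final String addressMatch) throws Exception {
   // Management view of the security settings registered for addressMatch. Each
   // element is an Object[] row laid out as
   // {name, send, consume, createDurableQueue, deleteDurableQueue,
   //  createNonDurableQueue, deleteNonDurableQueue, manage}.
   // The column order is part of the management API contract — keep it stable.
   // checkStarted() guards against use before the server is up; one call suffices.
   checkStarted();
   final CheckType[] columns = {
      CheckType.SEND,
      CheckType.CONSUME,
      CheckType.CREATE_DURABLE_QUEUE,
      CheckType.DELETE_DURABLE_QUEUE,
      CheckType.CREATE_NON_DURABLE_QUEUE,
      CheckType.DELETE_NON_DURABLE_QUEUE,
      CheckType.MANAGE
   };
   clearIO();
   try {
      final Set<Role> matched = server.getSecurityRepository().getMatch(addressMatch);
      final Object[] rows = new Object[matched.size()];
      int rowIndex = 0;
      for (final Role role : matched) {
         final Object[] cells = new Object[columns.length + 1];
         cells[0] = role.getName();
         for (int col = 0; col < columns.length; col++) {
            cells[col + 1] = columns[col].hasRole(role);
         }
         rows[rowIndex++] = cells;
      }
      return rows;
   } finally {
      blockOnIO();
   }
}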
private Set<Principal> getRolePrincipals(final CheckType checkType, final Set<Role> roles) {
   // One SimplePrincipal (named after the role) for every Role that grants
   // checkType. Roles that do not grant it are dropped; the result may be empty.
   final Set<Principal> granted = new HashSet<>();
   for (final Role candidate : roles) {
      if (!checkType.hasRole(candidate)) {
         continue;
      }
      granted.add(new SimplePrincipal(candidate.getName()));
   }
   return granted;
}
// Raw Set kept on purpose: createGroupPrincipal() presumably instantiates the
// configured rolePrincipalClass, which is not statically known to be a
// RolePrincipal, so the result reaches callers through an unchecked conversion.
@SuppressWarnings({"rawtypes", "unchecked"})
private Set<RolePrincipal> getPrincipalsInRole(final CheckType checkType, final Set<Role> roles) {
   final Set matched = new HashSet<>();
   for (final Role candidate : roles) {
      if (!checkType.hasRole(candidate)) {
         continue;
      }
      try {
         matched.add(createGroupPrincipal(candidate.getName(), rolePrincipalClass));
      } catch (Exception e) {
         // Best effort: a principal that cannot be built is logged and skipped.
         ActiveMQServerLogger.LOGGER.failedAddRolePrincipal(e);
      }
   }
   return matched;
}
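@Override
public boolean validateUserAndRole(String username, String password, Set<Role> roles, CheckType checkType) {
   // The built-in default account bypasses authentication. Its password is
   // compared in constant time so the comparison's duration does not depend on
   // how many leading characters of the supplied password were correct.
   if (defaultUser.equals(username) && constantTimeEquals(defaultPassword, password)) {
      return true;
   }
   final SecurityIdentity identity = this.authenticate(username, password);
   // NOTE(review): assumes authenticate() returns a non-null identity or throws — confirm.
   // Names of the roles that grant checkType; the identity must hold at least one.
   final Set<String> requiredRoles = new HashSet<>();
   for (Role role : roles) {
      if (checkType.hasRole(role)) {
         requiredRoles.add(role.getName());
      }
   }
   return identity.getRoles().containsAny(requiredRoles);
}

/**
 * Compares {@code actual} against {@code expected} without short-circuiting on
 * the first mismatching character, so the time taken does not reveal the
 * position of the mismatch.
 *
 * @param expected the reference value; must not be {@code null}
 * @param actual   the supplied value; {@code null} never matches
 * @return {@code true} iff both strings have the same length and characters
 */
private static boolean constantTimeEquals(final String expected, final String actual) {
   if (actual == null) {
      return false;
   }
   int diff = expected.length() ^ actual.length();
   final int overlap = Math.min(expected.length(), actual.length());
   for (int idx = 0; idx < overlap; idx++) {
      diff |= expected.charAt(idx) ^ actual.charAt(idx);
   }
   return diff == 0;
}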
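@Override
public boolean validateUserAndRole(String username, String password, Set<Role> roles, CheckType checkType) {
   // The built-in default account bypasses authentication. Its password is
   // compared in constant time so the comparison's duration does not depend on
   // how many leading characters of the supplied password were correct.
   if (defaultUser.equals(username) && constantTimeEquals(defaultPassword, password)) {
      return true;
   }
   final SecurityIdentity identity = this.authenticate(username, password);
   // NOTE(review): assumes authenticate() returns a non-null identity or throws — confirm.
   // Names of the roles that grant checkType; the identity must hold at least one.
   final Set<String> requiredRoles = new HashSet<>();
   for (Role role : roles) {
      if (checkType.hasRole(role)) {
         requiredRoles.add(role.getName());
      }
   }
   return identity.getRoles().containsAny(requiredRoles);
}

/**
 * Compares {@code actual} against {@code expected} without short-circuiting on
 * the first mismatching character, so the time taken does not reveal the
 * position of the mismatch.
 *
 * @param expected the reference value; must not be {@code null}
 * @param actual   the supplied value; {@code null} never matches
 * @return {@code true} iff both strings have the same length and characters
 */
private static boolean constantTimeEquals(final String expected, final String actual) {
   if (actual == null) {
      return false;
   }
   int diff = expected.length() ^ actual.length();
   final int overlap = Math.min(expected.length(), actual.length());
   for (int idx = 0; idx < overlap; idx++) {
      diff |= expected.charAt(idx) ^ actual.charAt(idx);
   }
   return diff == 0;
}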
@Test
public void testManageRole() throws Exception {
   // Only the seventh constructor flag (manage) is set.
   final Role role = new Role("testManageRole", false, false, false, false, false, false, true, false, false, false);

   Assert.assertTrue("manage must be granted", MANAGE.hasRole(role));

   // Every other check type must be denied for this role.
   Assert.assertFalse("send", SEND.hasRole(role));
   Assert.assertFalse("consume", CONSUME.hasRole(role));
   Assert.assertFalse("createDurableQueue", CREATE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("createNonDurableQueue", CREATE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteDurableQueue", DELETE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteNonDurableQueue", DELETE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("browse", BROWSE.hasRole(role));
   Assert.assertFalse("createAddress", CREATE_ADDRESS.hasRole(role));
}
@Test
public void testCreateRole() throws Exception {
   // Only the third constructor flag (create durable queue) is set.
   final Role role = new Role("testCreateRole", false, false, true, false, false, false, false, false, false, false);

   Assert.assertTrue("createDurableQueue must be granted", CREATE_DURABLE_QUEUE.hasRole(role));

   // Every other check type must be denied for this role.
   Assert.assertFalse("send", SEND.hasRole(role));
   Assert.assertFalse("consume", CONSUME.hasRole(role));
   Assert.assertFalse("createNonDurableQueue", CREATE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteDurableQueue", DELETE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteNonDurableQueue", DELETE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("manage", MANAGE.hasRole(role));
   Assert.assertFalse("browse", BROWSE.hasRole(role));
   Assert.assertFalse("createAddress", CREATE_ADDRESS.hasRole(role));
}
@Test
public void testWriteRole() throws Exception {
   // Only the first constructor flag (send) is set.
   final Role role = new Role("testWriteRole", true, false, false, false, false, false, false, false, false, false);

   Assert.assertTrue("send must be granted", SEND.hasRole(role));

   // Every other check type must be denied for this role.
   Assert.assertFalse("consume", CONSUME.hasRole(role));
   Assert.assertFalse("createDurableQueue", CREATE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("createNonDurableQueue", CREATE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteDurableQueue", DELETE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteNonDurableQueue", DELETE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("manage", MANAGE.hasRole(role));
   Assert.assertFalse("browse", BROWSE.hasRole(role));
   Assert.assertFalse("createAddress", CREATE_ADDRESS.hasRole(role));
}
@Test
public void testReadRole() throws Exception {
   // The second (consume) and eighth (browse) constructor flags are set.
   final Role role = new Role("testReadRole", false, true, false, false, false, false, false, true, false, false);

   Assert.assertTrue("consume must be granted", CONSUME.hasRole(role));
   Assert.assertTrue("browse must be granted", BROWSE.hasRole(role));

   // Every other check type must be denied for this role.
   Assert.assertFalse("send", SEND.hasRole(role));
   Assert.assertFalse("createDurableQueue", CREATE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("createNonDurableQueue", CREATE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteDurableQueue", DELETE_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("deleteNonDurableQueue", DELETE_NON_DURABLE_QUEUE.hasRole(role));
   Assert.assertFalse("manage", MANAGE.hasRole(role));
   Assert.assertFalse("createAddress", CREATE_ADDRESS.hasRole(role));
}
@Override
public boolean validateUserAndRole(final String user, final String password, final Set<Role> roles, final CheckType checkType) {
   // Authentication first: a bad user/password pair is never authorized.
   if (!validateUser(user, password)) {
      return false;
   }
   // A null user is resolved against the configured default user for the role lookup.
   final String defaultUser = configuration.getDefaultUser();
   final String lookupUser = user == null ? defaultUser : user;
   final List<String> heldRoles = configuration.getRole(lookupUser);
   if (heldRoles == null || roles == null) {
      return false;
   }
   // Authorized when any role the user holds is one of the address roles that grants checkType.
   for (final String heldRole : heldRoles) {
      for (final Role candidate : roles) {
         if (candidate.getName().equals(heldRole) && checkType.hasRole(candidate)) {
            return true;
         }
      }
   }
   return false;
}
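@Override
public Boolean run() {
   final SimplePrincipal principal = new SimplePrincipal(username);
   // Push a new security context only if this thread does not already carry one;
   // otherwise reuse the existing context and refresh its subject info.
   final SecurityContext currentSecurityContext = SecurityContextAssociation.getSecurityContext();
   final SecurityContext securityContext;
   if (currentSecurityContext == null) {
      try {
         securityContext = SecurityContextFactory.createSecurityContext(principal, password, subject, securityDomainContext.getAuthenticationManager().getSecurityDomain());
      } catch (Exception e) {
         throw new RuntimeException(e);
      }
   } else {
      securityContext = currentSecurityContext;
      securityContext.getUtil().createSubjectInfo(principal, password, subject);
   }
   SecurityContextAssociation.setSecurityContext(securityContext);
   try {
      // One principal per role that grants checkType; the user must hold at least one.
      final Set<Principal> principals = new HashSet<Principal>();
      for (Role role : roles) {
         if (checkType.hasRole(role)) {
            principals.add(new SimplePrincipal(role.getName()));
         }
      }
      return securityDomainContext.getAuthorizationManager().doesUserHaveRole(new SimplePrincipal(username), principals);
   } finally {
      // Always restore the previous context (null included): without the finally a
      // throwing authorization check left this thread bound to the pushed context.
      SecurityContextAssociation.setSecurityContext(currentSecurityContext);
   }
}
});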
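@Override
public Boolean run() {
   final SimplePrincipal principal = new SimplePrincipal(username);
   // Push a new security context only if this thread does not already carry one;
   // otherwise reuse the existing context and refresh its subject info.
   final SecurityContext currentSecurityContext = SecurityContextAssociation.getSecurityContext();
   final SecurityContext securityContext;
   if (currentSecurityContext == null) {
      try {
         securityContext = SecurityContextFactory.createSecurityContext(principal, password, subject, securityDomainContext.getAuthenticationManager().getSecurityDomain());
      } catch (Exception e) {
         throw new RuntimeException(e);
      }
   } else {
      securityContext = currentSecurityContext;
      securityContext.getUtil().createSubjectInfo(principal, password, subject);
   }
   SecurityContextAssociation.setSecurityContext(securityContext);
   try {
      // One principal per role that grants checkType; the user must hold at least one.
      final Set<Principal> principals = new HashSet<Principal>();
      for (Role role : roles) {
         if (checkType.hasRole(role)) {
            principals.add(new SimplePrincipal(role.getName()));
         }
      }
      return securityDomainContext.getAuthorizationManager().doesUserHaveRole(new SimplePrincipal(username), principals);
   } finally {
      // Always restore the previous context (null included): without the finally a
      // throwing authorization check left this thread bound to the pushed context.
      SecurityContextAssociation.setSecurityContext(currentSecurityContext);
   }
}
});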
@Test
public void testGetRoles() throws Exception {
   final SimpleString address = RandomUtil.randomSimpleString();
   final SimpleString queue = RandomUtil.randomSimpleString();
   // Random permission flags so the column-by-column comparison below is meaningful.
   final Role role = new Role(RandomUtil.randomString(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean(),
                              RandomUtil.randomBoolean());

   session.createQueue(address, queue, true);
   final AddressControl addressControl = createManagementControl(address);

   // No security match registered yet: the management view must be empty.
   Assert.assertEquals(0, addressControl.getRoles().length);

   final Set<Role> newRoles = new HashSet<>();
   newRoles.add(role);
   server.getSecurityRepository().addMatch(address.toString(), newRoles);

   final Object[] rows = addressControl.getRoles();
   Assert.assertEquals(1, rows.length);
   final Object[] row = (Object[]) rows[0];
   // Row layout: name first, then one flag per CheckType in the control's column order.
   Assert.assertEquals(role.getName(), row[0]);
   Assert.assertEquals(CheckType.SEND.hasRole(role), row[1]);
   Assert.assertEquals(CheckType.CONSUME.hasRole(role), row[2]);
   Assert.assertEquals(CheckType.CREATE_DURABLE_QUEUE.hasRole(role), row[3]);
   Assert.assertEquals(CheckType.DELETE_DURABLE_QUEUE.hasRole(role), row[4]);
   Assert.assertEquals(CheckType.CREATE_NON_DURABLE_QUEUE.hasRole(role), row[5]);
   Assert.assertEquals(CheckType.DELETE_NON_DURABLE_QUEUE.hasRole(role), row[6]);
   Assert.assertEquals(CheckType.MANAGE.hasRole(role), row[7]);

   session.deleteQueue(queue);
}