Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-1872 Improving Security Checks on AMQP Protocol 

Also improving test coverage on SecureConfigurationTest
This commit will fix JMSConnectionWithSecurityTest.
This commit is contained in:
Clebert Suconic 2018-05-23 14:52:07 -04:00
parent 88b23994c3
commit 3a5971ec81
4 changed files with 58 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
View File

@ -248,7 +248,7 @@ public class AMQPSessionCallback implements SessionCallback {
try { try {
serverSession.createQueue(address, queueName, routingType, filter, true, false); serverSession.createQueue(address, queueName, routingType, filter, true, false);
} catch (ActiveMQSecurityException se) { } catch (ActiveMQSecurityException se) {
throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingConsumer(se.getMessage()); throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingTempDestination(se.getMessage());
} }
} }

3
artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/proton/ProtonServerReceiverContext.java
View File

@ -29,6 +29,7 @@ import org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback;
import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPException; import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPException;
import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException; import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException;
import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException; import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException;
import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPSecurityException;
import org.apache.activemq.artemis.protocol.amqp.logger.ActiveMQAMQPProtocolMessageBundle; import org.apache.activemq.artemis.protocol.amqp.logger.ActiveMQAMQPProtocolMessageBundle;
import org.apache.activemq.artemis.protocol.amqp.sasl.PlainSASLResult; import org.apache.activemq.artemis.protocol.amqp.sasl.PlainSASLResult;
import org.apache.activemq.artemis.protocol.amqp.sasl.SASLResult; import org.apache.activemq.artemis.protocol.amqp.sasl.SASLResult;
@ -108,6 +109,8 @@ public class ProtonServerReceiverContext extends ProtonInitializable implements
try { try {
sessionSPI.createTemporaryQueue(address, defRoutingType); sessionSPI.createTemporaryQueue(address, defRoutingType);
} catch (ActiveMQAMQPSecurityException e) {
throw e;
} catch (ActiveMQSecurityException e) { } catch (ActiveMQSecurityException e) {
throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingTempDestination(e.getMessage()); throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingTempDestination(e.getMessage());
} catch (Exception e) { } catch (Exception e) {

89
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/SecureConfigurationTest.java
View File

@ -25,10 +25,13 @@ import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
import org.apache.activemq.artemis.jms.server.config.impl.FileJMSConfiguration; import org.apache.activemq.artemis.jms.server.config.impl.FileJMSConfiguration;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager; import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.spi.core.security.jaas.InVMLoginModule; import org.apache.activemq.artemis.spi.core.security.jaas.InVMLoginModule;
import org.apache.activemq.artemis.tests.integration.IntegrationTestLogger;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase; import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.qpid.jms.JmsConnectionFactory; import org.apache.qpid.jms.JmsConnectionFactory;
import org.junit.After;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.junit.runners.Parameterized; import org.junit.runners.Parameterized;
@ -58,24 +61,30 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
@Parameterized.Parameter(0) @Parameterized.Parameter(0)
public String protocol; public String protocol;
ActiveMQServer server;
@Before
public void startSever() throws Exception {
server = getActiveMQServer("multicast_topic.xml");
server.start();
}
@After
public void stopServer() throws Exception {
try {
if (server != null) {
server.stop();
}
} catch (Throwable e) {
e.printStackTrace();
}
}
@Test @Test
public void testSecureSharedDurableSubscriber() throws Exception { public void testSecureSharedDurableSubscriber() throws Exception {
//This is because OpenWire does not support JMS 2.0 //This is because OpenWire does not support JMS 2.0
Assume.assumeFalse(protocol.equals("OPENWIRE")); Assume.assumeFalse(protocol.equals("OPENWIRE"));
ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
ActiveMQServer server = getActiveMQServer("multicast_topic.xml");
try {
server.start();
internal_testSecureSharedDurableSubscriber(getConnectionFactory("b", "b"));
} finally {
try {
server.stop();
} catch (Exception e) {
}
}
}
private void internal_testSecureSharedDurableSubscriber(ConnectionFactory connectionFactory) throws JMSException {
String message = "blah"; String message = "blah";
//Expect to be able to create subscriber on pre-defined/existing queue. //Expect to be able to create subscriber on pre-defined/existing queue.
@ -101,20 +110,7 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
public void testSecureSharedSubscriber() throws Exception { public void testSecureSharedSubscriber() throws Exception {
//This is because OpenWire does not support JMS 2.0 //This is because OpenWire does not support JMS 2.0
Assume.assumeFalse(protocol.equals("OPENWIRE")); Assume.assumeFalse(protocol.equals("OPENWIRE"));
ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
ActiveMQServer server = getActiveMQServer("multicast_topic.xml");
try {
server.start();
internal_testSecureSharedSubscriber(getConnectionFactory("b", "b"));
} finally {
try {
server.stop();
} catch (Exception e) {
}
}
}
private void internal_testSecureSharedSubscriber(ConnectionFactory connectionFactory) throws JMSException {
String message = "blah"; String message = "blah";
//Expect to be able to create subscriber on pre-defined/existing queue. //Expect to be able to create subscriber on pre-defined/existing queue.
@ -138,19 +134,7 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
@Test @Test
public void testSecureDurableSubscriber() throws Exception { public void testSecureDurableSubscriber() throws Exception {
ActiveMQServer server = getActiveMQServer("multicast_topic.xml"); ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
try {
server.start();
internal_testSecureDurableSubscriber(getConnectionFactory("b", "b"));
} finally {
try {
server.stop();
} catch (Exception e) {
}
}
}
private void internal_testSecureDurableSubscriber(ConnectionFactory connectionFactory) throws JMSException {
String message = "blah"; String message = "blah";
//Expect to be able to create subscriber on pre-defined/existing queue. //Expect to be able to create subscriber on pre-defined/existing queue.
@ -177,8 +161,31 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
} catch (JMSSecurityException j) { } catch (JMSSecurityException j) {
//Expected exception //Expected exception
} }
Connection connection = null;
try {
connection = connectionFactory.createConnection();
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
try {
session.createTemporaryQueue();
Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to create a temporary queue");
} catch (JMSSecurityException jmsse) {
IntegrationTestLogger.LOGGER.info("Client should have thrown a JMSSecurityException but only threw JMSException");
} catch (JMSException e) {
e.printStackTrace();
Assert.fail("thrown a JMSEXception instead of a JMSSEcurityException");
} }
// Should not be fatal
assertNotNull(connection.createSession(false, Session.AUTO_ACKNOWLEDGE));
} finally {
connection.close();
}
}
private ConnectionFactory getConnectionFactory(String user, String password) { private ConnectionFactory getConnectionFactory(String user, String password) {
switch (protocol) { switch (protocol) {
case "CORE": return getActiveMQConnectionFactory(user, password); case "CORE": return getActiveMQConnectionFactory(user, password);

12
tests/integration-tests/src/test/resources/multicast_topic.xml
View File

@ -85,13 +85,13 @@ under the License.
<security-settings> <security-settings>
<security-setting match="#"> <security-setting match="#">
<permission type="createNonDurableQueue" roles="a,b"/> <permission type="createNonDurableQueue" roles="a"/>
<permission type="deleteNonDurableQueue" roles="a,b"/> <permission type="deleteNonDurableQueue" roles="a"/>
<permission type="createDurableQueue" roles="a,b"/> <permission type="createDurableQueue" roles="a"/>
<permission type="deleteDurableQueue" roles="a,b"/> <permission type="deleteDurableQueue" roles="a"/>
<permission type="browse" roles="a"/> <permission type="browse" roles="a"/>
<permission type="send" roles="a,b"/> <permission type="send" roles="a"/>
<permission type="consume" roles="a,b" /> <permission type="consume" roles="a" />
<!-- we need this otherwise ./artemis data imp wouldn't work --> <!-- we need this otherwise ./artemis data imp wouldn't work -->
<permission type="manage" roles="a"/> <permission type="manage" roles="a"/>
</security-setting> </security-setting>