This closes #3231
This commit is contained in:
commit
4fea2c4e42
|
@ -463,8 +463,15 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
|
|||
processSearchResult(newRoles, (SearchResult) namingEvent.getNewBinding());
|
||||
for (Map.Entry<String, Set<Role>> entry : newRoles.entrySet()) {
|
||||
Set<Role> existingRoles = securityRepository.getMatch(entry.getKey());
|
||||
for (Role role : entry.getValue()) {
|
||||
existingRoles.add(role);
|
||||
// see if this the *actual* default object, not just "equals"; we don't want to change the default security match
|
||||
if (existingRoles != securityRepository.getDefault()) {
|
||||
for (Role role : entry.getValue()) {
|
||||
logger.debug("adding role " + role + " to existing roles " + existingRoles + " at " + entry.getKey());
|
||||
existingRoles.add(role);
|
||||
}
|
||||
} else {
|
||||
logger.debug("adding new roles " + entry.getValue() + " at " + entry.getKey());
|
||||
securityRepository.addMatch(entry.getKey(), entry.getValue());
|
||||
}
|
||||
}
|
||||
} catch (NamingException e) {
|
||||
|
|
|
@ -62,6 +62,12 @@ public interface HierarchicalRepository<T> {
|
|||
*/
|
||||
void setDefault(T defaultValue);
|
||||
|
||||
/**
|
||||
*
|
||||
* @return the default match for this repo
|
||||
*/
|
||||
T getDefault();
|
||||
|
||||
/**
|
||||
* remove a match from the repository
|
||||
*
|
||||
|
|
|
@ -348,6 +348,15 @@ public class HierarchicalObjectRepository<T> implements HierarchicalRepository<T
|
|||
defaultmatch = defaultValue;
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @return the default match for this repo
|
||||
*/
|
||||
@Override
|
||||
public T getDefault() {
|
||||
return defaultmatch;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void clear() {
|
||||
lock.writeLock().lock();
|
||||
|
|
|
@ -35,6 +35,7 @@ import java.util.Map;
|
|||
|
||||
import org.apache.activemq.artemis.api.core.ActiveMQException;
|
||||
import org.apache.activemq.artemis.api.core.QueueConfiguration;
|
||||
import org.apache.activemq.artemis.api.core.RoutingType;
|
||||
import org.apache.activemq.artemis.api.core.SimpleString;
|
||||
import org.apache.activemq.artemis.api.core.TransportConfiguration;
|
||||
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
|
||||
|
@ -49,7 +50,6 @@ import org.apache.activemq.artemis.core.remoting.impl.invm.InVMAcceptorFactory;
|
|||
import org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnectorFactory;
|
||||
import org.apache.activemq.artemis.core.server.ActiveMQServer;
|
||||
import org.apache.activemq.artemis.core.server.ActiveMQServers;
|
||||
import org.apache.activemq.artemis.api.core.RoutingType;
|
||||
import org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin;
|
||||
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
|
||||
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
|
||||
|
@ -361,7 +361,7 @@ public class LegacyLDAPSecuritySettingPluginListenerTest extends AbstractLdapTes
|
|||
// authentication should succeed now, but authorization for sending should still fail
|
||||
try {
|
||||
ClientSession session = cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
ClientProducer producer = session.createProducer(SimpleString.toSimpleString(queue));
|
||||
ClientProducer producer = session.createProducer(queue);
|
||||
producer.send(session.createMessage(true));
|
||||
Assert.fail("Producing here should fail due to the original security data.");
|
||||
} catch (ActiveMQException e) {
|
||||
|
@ -377,9 +377,104 @@ public class LegacyLDAPSecuritySettingPluginListenerTest extends AbstractLdapTes
|
|||
}
|
||||
|
||||
ClientSession session = cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
ClientProducer producer = session.createProducer(SimpleString.toSimpleString(queue));
|
||||
ClientProducer producer = session.createProducer(queue);
|
||||
producer.send(session.createMessage(true));
|
||||
|
||||
cf.close();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testNewUserAndRoleWithNewDestination() throws Exception {
|
||||
server.getConfiguration().setSecurityInvalidationInterval(0);
|
||||
server.start();
|
||||
ClientSessionFactory cf = locator.createSessionFactory();
|
||||
|
||||
// these queue names actually matter based on what's in the ldif
|
||||
String goodQueue = "queue3";
|
||||
String badQueue = "queue4";
|
||||
|
||||
// authentication should fail
|
||||
try {
|
||||
cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
Assert.fail("Creating a session here should fail due to the original security data.");
|
||||
} catch (ActiveMQException e) {
|
||||
Assert.assertTrue(e.getMessage().contains("229031")); // authentication exception
|
||||
}
|
||||
|
||||
{ // add new user
|
||||
DirContext ctx = getContext();
|
||||
BasicAttributes basicAttributes = new BasicAttributes();
|
||||
basicAttributes.put("userPassword", "secret");
|
||||
Attribute objclass = new BasicAttribute("objectclass");
|
||||
objclass.add("top");
|
||||
objclass.add("simpleSecurityObject");
|
||||
objclass.add("account");
|
||||
basicAttributes.put(objclass);
|
||||
ctx.bind("uid=third,ou=system", null, basicAttributes);
|
||||
}
|
||||
|
||||
{ // add new role
|
||||
DirContext ctx = getContext();
|
||||
BasicAttributes basicAttributes = new BasicAttributes();
|
||||
basicAttributes.put("member", "uid=third,ou=system");
|
||||
Attribute objclass = new BasicAttribute("objectclass");
|
||||
objclass.add("top");
|
||||
objclass.add("groupOfNames");
|
||||
basicAttributes.put(objclass);
|
||||
ctx.bind("cn=role3,ou=system", null, basicAttributes);
|
||||
}
|
||||
|
||||
// authentication should succeed now, but authorization for sending should still fail
|
||||
try {
|
||||
ClientSession session = cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
ClientProducer producer = session.createProducer(goodQueue);
|
||||
producer.send(session.createMessage(true));
|
||||
Assert.fail("Producing here should fail due to the original security data.");
|
||||
} catch (ActiveMQException e) {
|
||||
Assert.assertTrue(e.getMessage().contains("229032")); // authorization exception
|
||||
}
|
||||
|
||||
{ // add new destination
|
||||
DirContext ctx = getContext();
|
||||
BasicAttributes basicAttributes = new BasicAttributes();
|
||||
Attribute objclass = new BasicAttribute("objectclass");
|
||||
objclass.add("top");
|
||||
objclass.add("applicationProcess");
|
||||
basicAttributes.put(objclass);
|
||||
ctx.bind("cn=" + goodQueue + ",ou=queues,ou=destinations,o=ActiveMQ,ou=system", null, basicAttributes);
|
||||
}
|
||||
|
||||
{ // add permissions for new destination
|
||||
DirContext ctx = getContext();
|
||||
BasicAttributes basicAttributes = new BasicAttributes();
|
||||
basicAttributes.put("uniquemember", "cn=role3");
|
||||
Attribute objclass = new BasicAttribute("objectclass");
|
||||
objclass.add("top");
|
||||
objclass.add("groupOfUniqueNames");
|
||||
basicAttributes.put(objclass);
|
||||
ctx.bind("cn=write,cn=" + goodQueue + ",ou=queues,ou=destinations,o=ActiveMQ,ou=system", null, basicAttributes);
|
||||
}
|
||||
|
||||
server.createQueue(new QueueConfiguration(goodQueue).setRoutingType(RoutingType.ANYCAST).setDurable(false));
|
||||
|
||||
ClientSession session = cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
ClientProducer producer = session.createProducer(goodQueue);
|
||||
producer.send(session.createMessage(true));
|
||||
session.close();
|
||||
producer.close();
|
||||
|
||||
server.createQueue(new QueueConfiguration(badQueue).setRoutingType(RoutingType.ANYCAST).setDurable(false));
|
||||
|
||||
// authorization for sending should fail for the new queue
|
||||
try {
|
||||
session = cf.createSession("third", "secret", false, true, true, false, 0);
|
||||
producer = session.createProducer(badQueue);
|
||||
producer.send(session.createMessage(true));
|
||||
Assert.fail("Producing here should fail.");
|
||||
} catch (ActiveMQException e) {
|
||||
Assert.assertTrue(e.getMessage().contains("229032")); // authorization exception
|
||||
}
|
||||
|
||||
cf.close();
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue