ARTEMIS-4405 wrong user logged for authz audits
This commit is contained in:
Justin Bertram
Robbie Gemmell
parent
6b053dd290
commit
56c8afe934
|
|
@ -1993,8 +1993,8 @@ public interface AuditLogger {
|
|||
void handleManagementMessage2(String user, Object source, String args);
|
||||
|
||||
|
||||
static void securityFailure(String reason, Exception cause) {
|
||||
BASE_LOGGER.securityFailure(getCaller(), reason, cause);
|
||||
static void securityFailure(Subject subject, String remoteAddress, String reason, Exception cause) {
|
||||
BASE_LOGGER.securityFailure(getCaller(subject, remoteAddress), reason, cause);
|
||||
}
|
||||
|
||||
@LogMessage(id = 601264, value = "User {} gets security check failure, reason = {}", level = LogMessage.Level.INFO)
|
||||
|
|
|
|||
|
|
@ -314,7 +314,7 @@ public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryC
|
|||
} else {
|
||||
ex = ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(session.getUsername(), checkType, bareQueue, bareAddress);
|
||||
}
|
||||
AuditLogger.securityFailure(ex.getMessage(), ex);
|
||||
AuditLogger.securityFailure(session.getRemotingConnection().getSubject(), session.getRemotingConnection().getRemoteAddress(), ex.getMessage(), ex);
|
||||
throw ex;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,107 @@
|
|||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
* contributor license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright ownership.
|
||||
* The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
* (the "License"); you may not use this file except in compliance with
|
||||
* the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.activemq.artemis.tests.integration.stomp;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.activemq.artemis.core.protocol.stomp.Stomp;
|
||||
import org.apache.activemq.artemis.core.security.Role;
|
||||
import org.apache.activemq.artemis.core.server.ActiveMQServer;
|
||||
import org.apache.activemq.artemis.logs.AssertionLoggerHandler;
|
||||
import org.apache.activemq.artemis.logs.AssertionLoggerHandler.LogLevel;
|
||||
import org.apache.activemq.artemis.logs.AuditLogger;
|
||||
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
|
||||
import org.apache.activemq.artemis.tests.integration.stomp.util.ClientStompFrame;
|
||||
import org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnection;
|
||||
import org.apache.activemq.artemis.tests.integration.stomp.util.StompClientConnectionFactory;
|
||||
import org.apache.activemq.artemis.tests.util.RandomUtil;
|
||||
import org.apache.activemq.artemis.tests.util.Wait;
|
||||
import org.junit.AfterClass;
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
public class StompAuditLoggingTest extends StompTestBase {
|
||||
|
||||
private static final String BASE_AUDIT_LOGGER_NAME = AuditLogger.BASE_LOGGER.getLogger().getName();
|
||||
private static LogLevel previousLevel = null;
|
||||
private static AssertionLoggerHandler loggerHandler;
|
||||
protected StompClientConnection conn;
|
||||
private final String user = "nopriv";
|
||||
private final String pass = user;
|
||||
private final String role = "nopriv";
|
||||
|
||||
@Override
|
||||
public boolean isSecurityEnabled() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected ActiveMQServer createServer() throws Exception {
|
||||
server = super.createServer();
|
||||
|
||||
ActiveMQJAASSecurityManager securityManager = (ActiveMQJAASSecurityManager) server.getSecurityManager();
|
||||
|
||||
securityManager.getConfiguration().addUser(user, pass);
|
||||
securityManager.getConfiguration().addRole(user, role);
|
||||
server.getConfiguration().getSecurityRoles().put("#", new HashSet<>(Set.of(new Role(role, false, false, false, false, false, false, false, false, false, false))));
|
||||
|
||||
return server;
|
||||
}
|
||||
|
||||
@Override
|
||||
@Before
|
||||
public void setUp() throws Exception {
|
||||
super.setUp();
|
||||
conn = StompClientConnectionFactory.createClientConnection(uri);
|
||||
}
|
||||
|
||||
@BeforeClass
|
||||
public static void prepareLogger() {
|
||||
previousLevel = AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME, LogLevel.INFO);
|
||||
loggerHandler = new AssertionLoggerHandler();
|
||||
}
|
||||
|
||||
@AfterClass
|
||||
public static void clearLogger() throws Exception {
|
||||
try {
|
||||
loggerHandler.close();
|
||||
} finally {
|
||||
AssertionLoggerHandler.setLevel(BASE_AUDIT_LOGGER_NAME, previousLevel);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthzFailureAuditLogging() throws Exception {
|
||||
conn.connect(user, pass);
|
||||
|
||||
ClientStompFrame frame = conn.createFrame(Stomp.Commands.SEND);
|
||||
frame.addHeader(Stomp.Headers.Subscribe.DESTINATION, getQueuePrefix() + getQueueName());
|
||||
frame.setBody(RandomUtil.randomString());
|
||||
|
||||
try {
|
||||
conn.sendFrame(frame);
|
||||
} catch (Exception e) {
|
||||
// ignore
|
||||
}
|
||||
|
||||
conn.disconnect();
|
||||
|
||||
Wait.assertTrue(() -> loggerHandler.matchText(".*User nopriv\\(nopriv\\).* gets security check failure.*"), 2000, 100);
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue