ARTEMIS-1872 Fixing address security checks

Ensure CREATE_ADDRESS is honored and behavior is consistent across protocols.
This commit is contained in:
Michael André Pearce 2018-05-24 04:47:35 +01:00
parent 0746ea8aca
commit 659d23cb28
4 changed files with 34 additions and 12 deletions

View File

@ -298,7 +298,7 @@ public class AMQPSessionCallback implements SessionCallback {
} }
// if auto-create we will return whatever type was used before // if auto-create we will return whatever type was used before
if (!queueQueryResult.isAutoCreated() && queueQueryResult.getRoutingType() != routingType) { if (queueQueryResult.isExists() && !queueQueryResult.isAutoCreated() && queueQueryResult.getRoutingType() != routingType) {
throw new IllegalStateException("Incorrect Routing Type for queue, expecting: " + routingType); throw new IllegalStateException("Incorrect Routing Type for queue, expecting: " + routingType);
} }

View File

@ -583,9 +583,15 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
securityCheck(addressInfo.getName(), name, CheckType.CREATE_NON_DURABLE_QUEUE, this); securityCheck(addressInfo.getName(), name, CheckType.CREATE_NON_DURABLE_QUEUE, this);
} }
AddressSettings as = server.getAddressSettingsRepository().getMatch(art.getName().toString());
if (as.isAutoCreateAddresses() && server.getAddressInfo(art.getName()) == null) {
securityCheck(addressInfo.getName(), name, CheckType.CREATE_ADDRESS, this);
}
server.checkQueueCreationLimit(getUsername()); server.checkQueueCreationLimit(getUsername());
Queue queue = server.createQueue(art, unPrefixedName, filterString, SimpleString.toSimpleString(getUsername()), durable, temporary, autoCreated, maxConsumers, purgeOnNoConsumers, exclusive, lastValue, server.getAddressSettingsRepository().getMatch(art.getName().toString()).isAutoCreateAddresses()); Queue queue = server.createQueue(art, unPrefixedName, filterString, SimpleString.toSimpleString(getUsername()), durable, temporary, autoCreated, maxConsumers, purgeOnNoConsumers, exclusive, lastValue, as.isAutoCreateAddresses());
if (temporary) { if (temporary) {
// Temporary queue in core simply means the queue will be deleted if // Temporary queue in core simply means the queue will be deleted if

View File

@ -16,7 +16,6 @@
*/ */
package org.apache.activemq.artemis.tests.integration.server; package org.apache.activemq.artemis.tests.integration.server;
import java.lang.IllegalStateException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import javax.jms.Connection; import javax.jms.Connection;
@ -45,7 +44,6 @@ import org.junit.After;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Assume; import org.junit.Assume;
import org.junit.Before; import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.junit.runners.Parameterized; import org.junit.runners.Parameterized;
@ -168,9 +166,14 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
@Test @Test
public void testTemporaryQueue() throws Exception { public void testTemporaryQueue() throws Exception {
ConnectionFactory connectionFactory = getConnectionFactory("c", "c"); ConnectionFactory connectionFactory = getConnectionFactory("a", "a");
String message = "blah"; String message = "blah";
//Expect to be able to create subscriber on pre-defined/existing queue.
String messageRecieved = sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryQueue(), (d, s) -> s.createConsumer(d));
Assert.assertEquals(message, messageRecieved);
connectionFactory = getConnectionFactory("c", "c");
try { try {
sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryQueue(), (d, s) -> s.createConsumer(d)); sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryQueue(), (d, s) -> s.createConsumer(d));
Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to create a temporary queue"); Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to create a temporary queue");
@ -183,9 +186,14 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
@Test @Test
public void testTemporaryTopic() throws Exception { public void testTemporaryTopic() throws Exception {
ConnectionFactory connectionFactory = getConnectionFactory("c", "c"); ConnectionFactory connectionFactory = getConnectionFactory("a", "a");
String message = "blah"; String message = "blah";
//Expect to be able to create subscriber on pre-defined/existing queue.
String messageRecieved = sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryTopic(), (d, s) -> s.createConsumer(d));
Assert.assertEquals(message, messageRecieved);
connectionFactory = getConnectionFactory("c", "c");
try { try {
sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryTopic(), (d, s) -> s.createConsumer(d)); sendAndReceiveText(connectionFactory, "clientId", message, s -> s.createTemporaryTopic(), (d, s) -> s.createConsumer(d));
Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to create a temporary queue"); Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to create a temporary queue");
@ -198,8 +206,6 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
@Test @Test
public void testSecureQueue() throws Exception { public void testSecureQueue() throws Exception {
// Core & OpenWire are not creating the queue as the test expects.. just querying
Assume.assumeTrue(protocol.equals("AMQP"));
ConnectionFactory connectionFactory = getConnectionFactory("b", "b"); ConnectionFactory connectionFactory = getConnectionFactory("b", "b");
String message = "blah"; String message = "blah";
@ -207,12 +213,22 @@ public class SecureConfigurationTest extends ActiveMQTestBase {
String messageRecieved = sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "secured_queue", (q, s) -> s.createConsumer(q)); String messageRecieved = sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "secured_queue", (q, s) -> s.createConsumer(q));
Assert.assertEquals(message, messageRecieved); Assert.assertEquals(message, messageRecieved);
connectionFactory = getConnectionFactory("a", "a");
messageRecieved = sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "new-queue-1", (q, s) -> s.createConsumer(q));
Assert.assertEquals(message, messageRecieved);
connectionFactory = getConnectionFactory("b", "b");
try { try {
sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "non-existent-queue", (q, s) -> s.createConsumer(q)); sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "new-queue-2", (q, s) -> s.createConsumer(q));
Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to dynamically create queue"); Assert.fail("Security exception expected, but did not occur, excepetion expected as not permissioned to dynamically create address, or queue");
} catch (JMSSecurityException j) { } catch (JMSSecurityException j) {
//Expected exception //Expected exception
} }
connectionFactory = getConnectionFactory("a", "a");
messageRecieved = sendAndReceiveTextUsingQueue(connectionFactory, "clientId", message, "new-queue-2", (q, s) -> s.createConsumer(q));
Assert.assertEquals(message, messageRecieved);
} }

View File

@ -91,6 +91,7 @@ under the License.
<security-settings> <security-settings>
<security-setting match="#"> <security-setting match="#">
<permission type="createAddress" roles="a" />
<permission type="createNonDurableQueue" roles="a,b"/> <permission type="createNonDurableQueue" roles="a,b"/>
<permission type="deleteNonDurableQueue" roles="a,b"/> <permission type="deleteNonDurableQueue" roles="a,b"/>
<permission type="createDurableQueue" roles="a,b"/> <permission type="createDurableQueue" roles="a,b"/>
@ -139,7 +140,6 @@ under the License.
<address-settings> <address-settings>
<!--default for catch all--> <!--default for catch all-->
<address-setting match="#"> <address-setting match="#">
<auto-create-queues>false</auto-create-queues>
<dead-letter-address>DLQ</dead-letter-address> <dead-letter-address>DLQ</dead-letter-address>
<expiry-address>ExpiryQueue</expiry-address> <expiry-address>ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay> <redelivery-delay>0</redelivery-delay>