ARTEMIS-547 authorize AMQP sender on attach

2017-04-28 13:06:41 -05:00 · 2017-04-28 13:06:41 -05:00 · 849c4b7def
parent 90efd86133
commit 849c4b7def
3 changed files with 50 additions and 0 deletions
--- a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
+++ b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/broker/AMQPSessionCallback.java
@ -31,6 +31,8 @@ import org.apache.activemq.artemis.core.io.IOCallback;
 import org.apache.activemq.artemis.core.paging.PagingStore;
 import org.apache.activemq.artemis.core.persistence.OperationContext;
 import org.apache.activemq.artemis.core.persistence.StorageManager;
+import org.apache.activemq.artemis.core.security.CheckType;
+import org.apache.activemq.artemis.core.security.SecurityAuth;
 import org.apache.activemq.artemis.core.server.AddressQueryResult;
 import org.apache.activemq.artemis.core.server.BindingQueryResult;
 import org.apache.activemq.artemis.core.server.MessageReference;
@ -654,4 +656,8 @@ public class AMQPSessionCallback implements SessionCallback {
   public RoutingType getDefaultRoutingType(String address) {
      return manager.getServer().getAddressSettingsRepository().getMatch(address).getDefaultQueueRoutingType();
   }
+
+   public void check(SimpleString address, CheckType checkType, SecurityAuth session) throws Exception {
+      manager.getServer().getSecurityStore().check(address, checkType, session);
+   }
 }
--- a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/logger/ActiveMQAMQPProtocolMessageBundle.java
+++ b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/logger/ActiveMQAMQPProtocolMessageBundle.java
@ -84,4 +84,7 @@ public interface ActiveMQAMQPProtocolMessageBundle {
   @Message(id = 219016, value = "not authorized to create temporary destination, {0}", format = Message.Format.MESSAGE_FORMAT)
   ActiveMQAMQPSecurityException securityErrorCreatingTempDestination(String message);

+   @Message(id = 219017, value = "not authorized to create producer, {0}", format = Message.Format.MESSAGE_FORMAT)
+   ActiveMQAMQPSecurityException securityErrorCreatingProducer(String message);
+
 }
--- a/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/proton/ProtonServerReceiverContext.java
+++ b/artemis-protocols/artemis-amqp-protocol/src/main/java/org/apache/activemq/artemis/protocol/amqp/proton/ProtonServerReceiverContext.java
@ -21,12 +21,18 @@ import java.util.List;

 import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
 import org.apache.activemq.artemis.api.core.RoutingType;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.core.security.CheckType;
+import org.apache.activemq.artemis.core.security.SecurityAuth;
 import org.apache.activemq.artemis.core.transaction.Transaction;
 import org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback;
 import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPException;
 import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPInternalErrorException;
 import org.apache.activemq.artemis.protocol.amqp.exceptions.ActiveMQAMQPNotFoundException;
 import org.apache.activemq.artemis.protocol.amqp.logger.ActiveMQAMQPProtocolMessageBundle;
+import org.apache.activemq.artemis.protocol.amqp.sasl.PlainSASLResult;
+import org.apache.activemq.artemis.protocol.amqp.sasl.SASLResult;
+import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
 import org.apache.qpid.proton.amqp.Symbol;
 import org.apache.qpid.proton.amqp.messaging.Rejected;
 import org.apache.qpid.proton.amqp.messaging.TerminusExpiryPolicy;
@ -121,6 +127,41 @@ public class ProtonServerReceiverContext extends ProtonInitializable implements
               } catch (Exception e) {
                  throw new ActiveMQAMQPInternalErrorException(e.getMessage(), e);
               }
+
+               try {
+                  sessionSPI.check(SimpleString.toSimpleString(address), CheckType.SEND, new SecurityAuth() {
+                     @Override
+                     public String getUsername() {
+                        String username = null;
+                        SASLResult saslResult = connection.getSASLResult();
+                        if (saslResult != null) {
+                           username = saslResult.getUser();
+                        }
+
+                        return username;
+                     }
+
+                     @Override
+                     public String getPassword() {
+                        String password = null;
+                        SASLResult saslResult = connection.getSASLResult();
+                        if (saslResult != null) {
+                           if (saslResult instanceof PlainSASLResult) {
+                              password = ((PlainSASLResult) saslResult).getPassword();
+                           }
+                        }
+
+                        return password;
+                     }
+
+                     @Override
+                     public RemotingConnection getRemotingConnection() {
+                        return null;
+                     }
+                  });
+               } catch (ActiveMQSecurityException e) {
+                  throw ActiveMQAMQPProtocolMessageBundle.BUNDLE.securityErrorCreatingProducer(e.getMessage());
+               }
            }
         }