ARTEMIS-4950 - MBeanGuard throws an NPE

Although this doesnt affect the current console it does the new so needs addressing

artemis-server/src/main/java/org/apache/activemq/artemis/core/server/management/ArtemisMBeanServerGuard.java

@@ -132,7 +132,13 @@ public class ArtemisMBeanServerGuard implements GuardInvocationHandler {
          logger.debug("can't check invoke rights as object name invalid: {}", object, e);
          return false;
       }
-      if (canBypassRBAC(objectName)) {
+      /* HawtIO calls this with a null operationName as a coarse grained way of authenticating against all the operations
+       * on an mbean. Until this addition this was throwing a null pointer on operationName later in this call which was
+       * swallowed by HawtIO. Since fine grained checks are carried out against every operation this was never an issue
+       * however the new console based on HawtIO 4 passes this exception back to the console which breaks it. Since it is
+       * just an optimisation it is fine to always return true. Note that the alternative ArtemisRbacInvocationHandler
+       * does allow the ability to restrict a whole mbean */
+      if (operationName == null || canBypassRBAC(objectName)) {
          return true;
       }
       List<String> requiredRoles = getRequiredRoles(objectName, operationName);

artemis-server/src/test/java/org/apache/activemq/artemis/core/server/management/ArtemisMBeanServerGuardTest.java

@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.core.server.management;
+
+import org.apache.activemq.artemis.api.core.management.ObjectNameBuilder;
+import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal;
+import org.apache.activemq.artemis.tests.util.ServerTestBase;
+import org.junit.Test;
+
+import javax.management.ObjectName;
+import javax.security.auth.Subject;
+import java.security.PrivilegedExceptionAction;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class ArtemisMBeanServerGuardTest extends ServerTestBase {
+   @Test
+   public void testInvokeNoMethod() throws Throwable {
+      ArtemisMBeanServerGuard  guard = new ArtemisMBeanServerGuard();
+      ObjectNameBuilder objectNameBuilder = ObjectNameBuilder.create("testdomain", "myBroker");
+      ObjectName activeMQServerObjectName = objectNameBuilder.getActiveMQServerObjectName();
+      assertTrue(guard.canInvoke(activeMQServerObjectName.getCanonicalName(), null));
+   }
+
+   @Test
+   public void testCantInvokeMethod() throws Throwable {
+      ArtemisMBeanServerGuard  guard = new ArtemisMBeanServerGuard();
+      ObjectNameBuilder objectNameBuilder = ObjectNameBuilder.create("testdomain", "myBroker");
+      ObjectName activeMQServerObjectName = objectNameBuilder.getActiveMQServerObjectName();
+      assertFalse(guard.canInvoke(activeMQServerObjectName.getCanonicalName(), "getSomething"));
+   }
+
+
+   @Test
+   public void testCanInvokeMethodWhiteList() throws Throwable {
+      ArtemisMBeanServerGuard  guard = new ArtemisMBeanServerGuard();
+      JMXAccessControlList controlList = new JMXAccessControlList();
+      guard.setJMXAccessControlList(controlList);
+      ObjectNameBuilder objectNameBuilder = ObjectNameBuilder.create("testdomain", "myBroker");
+      ObjectName activeMQServerObjectName = objectNameBuilder.getActiveMQServerObjectName();
+      controlList.addToAllowList("testdomain", "broker=myBroker");
+      assertTrue(guard.canInvoke(activeMQServerObjectName.getCanonicalName(), "getSomething"));
+   }
+
+
+   @Test
+   public void testCanInvokeMethodHasRole() throws Throwable {
+      ArtemisMBeanServerGuard  guard = new ArtemisMBeanServerGuard();
+      JMXAccessControlList controlList = new JMXAccessControlList();
+      guard.setJMXAccessControlList(controlList);
+      ObjectNameBuilder objectNameBuilder = ObjectNameBuilder.create("testdomain", "myBroker");
+      ObjectName activeMQServerObjectName = objectNameBuilder.getActiveMQServerObjectName();
+      controlList.addToRoleAccess("testdomain", "broker=myBroker", "getSomething", "admin");
+      Subject subject = new Subject();
+      subject.getPrincipals().add(new RolePrincipal("admin"));
+      Object result = Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
+         try {
+            return guard.canInvoke(activeMQServerObjectName.getCanonicalName(), "getSomething");
+         } catch (Exception e1) {
+            return e1;
+         }
+      });
+      assertTrue((Boolean) result);
+   }
+
+
+   @Test
+   public void testCanInvokeMethodDoeNotHasRole() throws Throwable {
+      ArtemisMBeanServerGuard  guard = new ArtemisMBeanServerGuard();
+      JMXAccessControlList controlList = new JMXAccessControlList();
+      guard.setJMXAccessControlList(controlList);
+      ObjectNameBuilder objectNameBuilder = ObjectNameBuilder.create("testdomain", "myBroker");
+      ObjectName activeMQServerObjectName = objectNameBuilder.getActiveMQServerObjectName();
+      controlList.addToRoleAccess("testdomain", "broker=myBroker", "getSomething", "admin");
+      Subject subject = new Subject();
+      subject.getPrincipals().add(new RolePrincipal("view"));
+      Object result = Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
+         try {
+            return guard.canInvoke(activeMQServerObjectName.getCanonicalName(), "getSomething");
+         } catch (Exception e1) {
+            return e1;
+         }
+      });
+      assertFalse((Boolean) result);
+   }
+}