This commit is contained in:
Clebert Suconic 2019-01-23 11:52:33 -05:00
commit 99b24adfba
4 changed files with 575 additions and 21 deletions

View File

@ -326,30 +326,46 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
return;
}
LdapName searchResultLdapName = new LdapName(searchResult.getName());
logger.debug("LDAP search result : " + searchResultLdapName);
if (logger.isDebugEnabled()) {
logger.debug("LDAP search result : " + searchResultLdapName);
}
String permissionType = null;
String destination = null;
String destinationType = "unknown";
for (Rdn rdn : searchResultLdapName.getRdns()) {
if (rdn.getType().equals("cn")) {
logger.debug("\tPermission type: " + rdn.getValue());
permissionType = rdn.getValue().toString();
}
if (rdn.getType().equals("uid")) {
logger.debug("\tDestination name: " + rdn.getValue());
destination = rdn.getValue().toString();
}
if (rdn.getType().equals("ou")) {
String rawDestinationType = rdn.getValue().toString();
if (rawDestinationType.toLowerCase().contains("queue")) {
destinationType = "queue";
} else if (rawDestinationType.toLowerCase().contains("topic")) {
destinationType = "topic";
}
logger.debug("\tDestination type: " + destinationType);
List<Rdn> rdns = searchResultLdapName.getRdns();
if (rdns.size() != 3) {
if (logger.isDebugEnabled()) {
logger.debug("\tSkipping unexpected search result with " + rdns.size() + " RDNs.");
}
return;
}
// we can count on the RNDs being in order from right to left
Rdn rdn = rdns.get(0);
String rawDestinationType = rdn.getValue().toString();
if (rawDestinationType.toLowerCase().contains("queue")) {
destinationType = "queue";
} else if (rawDestinationType.toLowerCase().contains("topic")) {
destinationType = "topic";
}
if (logger.isDebugEnabled()) {
logger.debug("\tDestination type: " + destinationType);
}
rdn = rdns.get(1);
if (logger.isDebugEnabled()) {
logger.debug("\tDestination name: " + rdn.getValue());
}
destination = rdn.getValue().toString();
rdn = rdns.get(2);
if (logger.isDebugEnabled()) {
logger.debug("\tPermission type: " + rdn.getValue());
}
permissionType = rdn.getValue().toString();
if (logger.isDebugEnabled()) {
logger.debug("\tAttributes: " + attrs);
}
logger.debug("\tAttributes: " + attrs);
Attribute attr = attrs.get(roleAttribute);
NamingEnumeration<?> e = attr.getAll();
Set<Role> roles = securityRoles.get(destination);
@ -363,9 +379,11 @@ public class LegacyLDAPSecuritySettingPlugin implements SecuritySettingPlugin {
while (e.hasMore()) {
String value = (String) e.next();
LdapName ldapname = new LdapName(value);
Rdn rdn = ldapname.getRdn(ldapname.size() - 1);
rdn = ldapname.getRdn(ldapname.size() - 1);
String roleName = rdn.getValue().toString();
logger.debug("\tRole name: " + roleName);
if (logger.isDebugEnabled()) {
logger.debug("\tRole name: " + roleName);
}
Role role = new Role(roleName,
permissionType.equalsIgnoreCase(writePermissionValue), // send
permissionType.equalsIgnoreCase(readPermissionValue), // consume

View File

@ -0,0 +1,181 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.tests.integration.security;
import javax.naming.Context;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import java.io.File;
import java.lang.management.ManagementFactory;
import java.net.URL;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
import org.apache.activemq.artemis.api.core.client.ClientProducer;
import org.apache.activemq.artemis.api.core.client.ClientSession;
import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
import org.apache.activemq.artemis.api.core.client.ServerLocator;
import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.remoting.impl.invm.InVMAcceptorFactory;
import org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnectorFactory;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServers;
import org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.RunWith;
@RunWith(FrameworkRunner.class)
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
@ApplyLdifFiles("AMQauth2.ldif")
public class LegacyLDAPSecuritySettingPluginTest2 extends AbstractLdapTestUnit {
static {
String path = System.getProperty("java.security.auth.login.config");
if (path == null) {
URL resource = LegacyLDAPSecuritySettingPluginTest2.class.getClassLoader().getResource("login.config");
if (resource != null) {
path = resource.getFile();
System.setProperty("java.security.auth.login.config", path);
}
}
}
private ServerLocator locator;
ActiveMQServer server;
public static final String TARGET_TMP = "./target/tmp";
private static final String PRINCIPAL = "uid=admin,ou=system";
private static final String CREDENTIALS = "secret";
public LegacyLDAPSecuritySettingPluginTest2() {
File parent = new File(TARGET_TMP);
parent.mkdirs();
temporaryFolder = new TemporaryFolder(parent);
}
@Rule
public TemporaryFolder temporaryFolder;
private String testDir;
@Before
public void setUp() throws Exception {
locator = ActiveMQClient.createServerLocatorWithoutHA(new TransportConfiguration(InVMConnectorFactory.class.getCanonicalName()));
testDir = temporaryFolder.getRoot().getAbsolutePath();
Map<String, String> init = new HashMap<>();
init.put("destinationBase", "ou=Destination,ou=ActiveMQ,o=example,ou=system");
init.put("roleAttribute", "member");
LegacyLDAPSecuritySettingPlugin legacyLDAPSecuritySettingPlugin = new LegacyLDAPSecuritySettingPlugin()
.setInitialContextFactory("com.sun.jndi.ldap.LdapCtxFactory")
.setConnectionURL("ldap://localhost:1024")
.setConnectionUsername("uid=admin,ou=system")
.setConnectionPassword("secret")
.setConnectionProtocol("s")
.setAuthentication("simple")
.init(init);
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("LDAPLogin2");
Configuration configuration = new ConfigurationImpl()
.setSecurityEnabled(true)
.addAcceptorConfiguration(new TransportConfiguration(InVMAcceptorFactory.class.getCanonicalName()))
.setJournalDirectory(ActiveMQTestBase.getJournalDir(testDir, 0, false))
.setBindingsDirectory(ActiveMQTestBase.getBindingsDir(testDir, 0, false))
.setPagingDirectory(ActiveMQTestBase.getPageDir(testDir, 0, false))
.setLargeMessagesDirectory(ActiveMQTestBase.getLargeMessagesDir(testDir, 0, false))
.setPersistenceEnabled(false)
.addSecuritySettingPlugin(legacyLDAPSecuritySettingPlugin);
server = ActiveMQServers.newActiveMQServer(configuration, ManagementFactory.getPlatformMBeanServer(), securityManager, false);
}
@After
public void tearDown() throws Exception {
locator.close();
server.stop();
}
@Test
public void testRunning() throws Exception {
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.PROVIDER_URL, "ldap://localhost:1024");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, PRINCIPAL);
env.put(Context.SECURITY_CREDENTIALS, CREDENTIALS);
DirContext ctx = new InitialDirContext(env);
HashSet<String> set = new HashSet<>();
NamingEnumeration<NameClassPair> list = ctx.list("ou=system");
while (list.hasMore()) {
NameClassPair ncp = list.next();
set.add(ncp.getName());
}
Assert.assertTrue(set.contains("uid=admin"));
Assert.assertTrue(set.contains("ou=users"));
Assert.assertTrue(set.contains("ou=groups"));
Assert.assertTrue(set.contains("ou=configuration"));
Assert.assertTrue(set.contains("prefNodeName=sysPrefRoot"));
}
@Test
public void testBasicPluginAuthorization() throws Exception {
org.jboss.logmanager.Logger.getLogger(LDAPLoginModule.class.getName()).setLevel(org.jboss.logmanager.Level.DEBUG);
org.jboss.logmanager.Logger.getLogger(LegacyLDAPSecuritySettingPlugin.class.getName()).setLevel(org.jboss.logmanager.Level.DEBUG);
server.start();
ClientSessionFactory cf = locator.createSessionFactory();
String name = "TEST.FOO";
try {
ClientSession session = cf.createSession("admin", "secret", false, true, true, false, 0);
session.createQueue(SimpleString.toSimpleString(name), SimpleString.toSimpleString(name));
ClientProducer producer = session.createProducer();
producer.send(name, session.createMessage(false));
session.close();
} catch (ActiveMQException e) {
e.printStackTrace();
Assert.fail("should not throw exception");
}
cf.close();
}
}

View File

@ -0,0 +1,335 @@
## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements. See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License. You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------
##########################
## Define basic objects ##
##########################
dn: o=example,ou=system
#objectClass: dcObject
#objectClass: container
objectClass: organization
objectClass: top
#cn: activemq
#o: activemq
o: example
dn: ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: ActiveMQ
dn: ou=Services,o=example,ou=system
ou: Services
objectClass: organizationalUnit
objectClass: top
dn: cn=mqbroker,ou=Services,o=example,ou=system
cn: mqbroker
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: {SSHA}YvMAkkd66cDecNoejo8jnw5uUUBziyl0
description: Bind user for MQ broker
###################
## Define groups ##
###################
dn: ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Group
dn: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
cn: admins
member: uid=admin
objectClass: groupOfNames
objectClass: top
dn: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
cn: users
member: uid=jdoe
objectClass: groupOfNames
objectClass: top
##################
## Define users ##
##################
dn: ou=User,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: User
dn: uid=admin,ou=User,ou=ActiveMQ,o=example,ou=system
uid: admin
userPassword: secret
objectclass: uidObject
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Admin
sn: Admin
dn: uid=jdoe,ou=User,ou=ActiveMQ,o=example,ou=system
uid: jdoe
userPassword: secret
objectclass: uidObject
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: Jane Doe
sn: Doe
#########################
## Define destinations ##
#########################
dn: ou=Destination,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Destination
dn: ou=Topic,ou=Destination,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Topic
dn: ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Queue
## TEST.FOO
dn: uid=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
uid: TEST.FOO
description: A queue
objectClass: applicationProcess
objectclass: uidObject
objectClass: top
cn: TEST.FOO
dn: cn=admin,uid=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=read,uid=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,uid=TEST.FOO,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
objectClass: groupOfNames
objectClass: top
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
## TEST.FOOBAR
dn: cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: TEST.FOOBAR
description: A queue
objectClass: applicationProcess
objectClass: top
dn: cn=admin,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=read,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: uid=jdoe,ou=User,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=TEST.FOOBAR,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
objectClass: groupOfNames
objectClass: top
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: uid=jdoe,ou=User,ou=ActiveMQ,o=example,ou=system
## FOO.>
dn: cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: FOO.$
description: A queue
objectClass: applicationProcess
objectClass: top
dn: cn=admin,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=read,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=FOO.$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
objectClass: groupOfNames
objectClass: top
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
## BAR.*
dn: cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: BAR.*
description: A queue
objectClass: applicationProcess
objectClass: top
dn: cn=admin,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=read,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=BAR.*,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
objectClass: groupOfNames
objectClass: top
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
## $
dn: cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: $
description: A queue
objectclass: applicationProcess
objectclass: top
dn: cn=admin,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
description: Admin privilege group, members are roles
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectclass: groupOfNames
objectclass: top
dn: cn=read,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectclass: groupOfNames
objectclass: top
dn: cn=write,cn=$,ou=Queue,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
objectclass: groupOfNames
objectclass: top
#######################
## Define advisories ##
#######################
dn: cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: ActiveMQ.Advisory.$
objectClass: applicationProcess
objectClass: top
description: Advisory topics
dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
######################
## Define temporary ##
######################
dn: ou=Temp,ou=Destination,ou=ActiveMQ,o=example,ou=system
objectClass: organizationalUnit
objectClass: top
ou: Temp
dn: cn=read,ou=Temp,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: read
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=write,ou=Temp,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: write
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top
dn: cn=admin,ou=Temp,ou=Destination,ou=ActiveMQ,o=example,ou=system
cn: admin
member: cn=admins,ou=Group,ou=ActiveMQ,o=example,ou=system
member: cn=users,ou=Group,ou=ActiveMQ,o=example,ou=system
objectClass: groupOfNames
objectClass: top

View File

@ -21,6 +21,7 @@ PropertiesLogin {
org.apache.activemq.jaas.properties.role="roles.properties";
};
LDAPLogin {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true
@ -40,6 +41,25 @@ LDAPLogin {
;
};
LDAPLogin2 {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="ldap://localhost:1024"
connectionUsername="uid=admin,ou=system"
connectionPassword=secret
connectionProtocol=s
authentication=simple
userBase="ou=User,ou=ActiveMQ,o=example,ou=system"
userSearchMatching="(uid={0})"
userSearchSubtree=true
roleBase="ou=Group,ou=ActiveMQ,o=example,ou=system"
roleName=cn
roleSearchMatching="(member=uid={1})"
roleSearchSubtree=true
;
};
UnAuthenticatedLDAPLogin {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true