Apache
/
activemq-artemis
mirror of https://github.com/apache/activemq-artemis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ARTEMIS-4580 security settings for FQQN not enforced on send

This commit is contained in:
Justin Bertram 2024-01-19 16:54:58 -06:00
parent 5e99516a27
commit a70c421493
2 changed files with 105 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
View File

@ -2324,9 +2324,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
msg.setAddress(art.getName());
}
// check the user has write access to this address.
// check the user has write access to this address (and potentially queue).
try {
securityCheck(CompositeAddress.extractAddressName(art.getName()), CompositeAddress.isFullyQualified(art.getName()) ? CompositeAddress.extractQueueName(art.getName()) : null, CheckType.SEND, this);
securityCheck(CompositeAddress.extractAddressName(msg.getAddressSimpleString()), CompositeAddress.isFullyQualified(msg.getAddressSimpleString()) ? CompositeAddress.extractQueueName(msg.getAddressSimpleString()) : null, CheckType.SEND, this);
} catch (ActiveMQException e) {
if (!autoCommitSends && tx != null) {
tx.markAsRollbackOnly(e);

103
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/FQQNSendSecurityTest.java Normal file
View File

@ -0,0 +1,103 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.activemq.artemis.tests.integration.security;
import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.JMSSecurityException;
import javax.jms.MessageProducer;
import javax.jms.Session;
import org.apache.activemq.artemis.api.core.QueueConfiguration;
import org.apache.activemq.artemis.api.core.RoutingType;
import org.apache.activemq.artemis.core.config.Configuration;
import org.apache.activemq.artemis.core.config.impl.RoleSet;
import org.apache.activemq.artemis.core.config.impl.SecurityConfiguration;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.spi.core.security.jaas.InVMLoginModule;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.tests.util.RandomUtil;
import org.apache.activemq.artemis.utils.CompositeAddress;
import org.junit.Before;
import org.junit.Test;
public class FQQNSendSecurityTest extends ActiveMQTestBase {
private final String ALLOWED_USER = "allowedUser";
private final String ALLOWED_ROLE = "allowedRole";
private final String DENIED_USER = "deniedUser";
private final String DENIED_ROLE = "deniedRole";
private final String PASS = RandomUtil.randomString();
private final String ADDRESS = "myAddress";
private final String QUEUE = "myQueue";
@Override
@Before
public void setUp() throws Exception {
super.setUp();
Configuration configuration = createDefaultInVMConfig().setSecurityEnabled(true);
RoleSet roles = new RoleSet();
roles.add(new Role(ALLOWED_ROLE, true, false, false, false, false, false, false, false, false, false));
roles.add(new Role(DENIED_ROLE, false, false, false, false, false, false, false, false, false, false));
configuration.putSecurityRoles(CompositeAddress.toFullyQualified(ADDRESS, QUEUE), roles);
ActiveMQServer server = createServer(false, configuration);
ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(InVMLoginModule.class.getName());
SecurityConfiguration securityConfiguration = new SecurityConfiguration();
securityConfiguration.addUser(ALLOWED_USER, PASS);
securityConfiguration.addRole(ALLOWED_USER, ALLOWED_ROLE);
securityConfiguration.addUser(DENIED_USER, PASS);
securityConfiguration.addRole(DENIED_USER, DENIED_ROLE);
securityManager.setConfiguration(securityConfiguration);
server.setSecurityManager(securityManager);
configuration.addQueueConfiguration(new QueueConfiguration(QUEUE).setAddress(ADDRESS).setRoutingType(RoutingType.ANYCAST));
server.start();
}
@Test
public void sendMessageToFQQN() throws Exception {
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("vm://0");
try (Connection connection = connectionFactory.createConnection(ALLOWED_USER, PASS)) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
MessageProducer messageProducer = session.createProducer(destination);
messageProducer.send(session.createMessage());
}
}
@Test
public void sendMessageToFQQNNegative() throws Exception {
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("vm://0");
try (Connection connection = connectionFactory.createConnection(DENIED_USER, PASS)) {
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createQueue(CompositeAddress.toFullyQualified(ADDRESS, QUEUE));
MessageProducer messageProducer = session.createProducer(destination);
try {
messageProducer.send(session.createMessage());
fail();
} catch (JMSSecurityException e) {
// expected
}
}
}
}