ARTEMIS-4265 make more web console tabs conditional on permission

Many of the tabs on the web console show up even though the user doesn't have permission to execute the command corresponding to the tab. For example the "Connections" tab shows up even though the user can't execute the `listConnections` management operation.
2023-04-28 11:04:52 -05:00 · 2023-04-28 11:04:52 -05:00 · bc0b75d25a
parent c2bada6a77
commit bc0b75d25a
6 changed files with 245 additions and 7 deletions
--- a/artemis-hawtio/artemis-plugin/src/main/webapp/plugin/js/components/navigation.js
+++ b/artemis-hawtio/artemis-plugin/src/main/webapp/plugin/js/components/navigation.js
@ -128,6 +128,12 @@ var Artemis;
        ctrl.showDeleteAddress = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'deleteAddress');
        ctrl.showCreateQueue = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'createQueue');
        ctrl.showDeleteQueue = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'destroyQueue');
+        ctrl.showConnections = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listConnections');
+        ctrl.showSessions = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listSessions');
+        ctrl.showConsumers = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listConsumers');
+        ctrl.showProducers = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listProducers');
+        ctrl.showAddresses = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listAddresses');
+        ctrl.showQueues = hasInvokeRights(jolokia, Artemis.getBrokerMBean(workspace, jolokia), 'listQueues');

        function getTabs() {

@ -137,12 +143,24 @@ var Artemis;
                .filter(function (route) { return _.startsWith(route, '/artemis'); });
            if (enabledRoutes.length > 0) {
                tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisStatus.title, TAB_CONFIG.artemisStatus.route));
+                if (ctrl.showConnections) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisConnections.title, TAB_CONFIG.artemisConnections.route));
+                }
+                if (ctrl.showSessions) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisSessions.title, TAB_CONFIG.artemisSessions.route));
+                }
+                if (ctrl.showConsumers) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisConsumers.title, TAB_CONFIG.artemisConsumers.route));
+                }
+                if (ctrl.showProducers) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisProducers.title, TAB_CONFIG.artemisProducers.route));
+                }
+                if (ctrl.showAddresses) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisAddresses.title, TAB_CONFIG.artemisAddresses.route));
+                }
+                if (ctrl.showQueues) {
                    tabs.push(new Nav.HawtioTab(TAB_CONFIG.artemisQueues.title, TAB_CONFIG.artemisQueues.route));
+                }
                tabs.push(new Nav.HawtioTab(TAB_CONFIG.attributes.title, TAB_CONFIG.attributes.route));
                tabs.push(new Nav.HawtioTab(TAB_CONFIG.operations.title, TAB_CONFIG.operations.route));
                tabs.push(new Nav.HawtioTab(TAB_CONFIG.chart.title, TAB_CONFIG.chart.route));
--- a/tests/smoke-tests/pom.xml
+++ b/tests/smoke-tests/pom.xml
@ -260,12 +260,13 @@
                     <goal>create</goal>
                  </goals>
                  <configuration>
-                     <role>amq</role>
+                     <role>amq,connections,sessions,consumers,producers,addresses,queues</role>
                     <user>admin</user>
                     <password>admin</password>
                     <allowAnonymous>false</allowAnonymous>
                     <noWeb>false</noWeb>
                     <instance>${basedir}/target/console</instance>
+                     <configuration>${basedir}/target/classes/servers/console</configuration>
                     <args>
                        <arg>--http-host</arg>
                        <arg>${sts-http-host}</arg>
--- a/tests/smoke-tests/src/main/resources/servers/console/artemis-roles.properties
+++ b/tests/smoke-tests/src/main/resources/servers/console/artemis-roles.properties
@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+amq=admin
+connections=connections
+sessions=sessions
+consumers=consumers
+producers=producers
+addresses=addresses
+queues=queues
--- a/tests/smoke-tests/src/main/resources/servers/console/artemis-users.properties
+++ b/tests/smoke-tests/src/main/resources/servers/console/artemis-users.properties
@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+admin=admin
+connections=connections
+sessions=sessions
+consumers=consumers
+producers=producers
+addresses=addresses
+queues=queues
--- a/tests/smoke-tests/src/main/resources/servers/console/management.xml
+++ b/tests/smoke-tests/src/main/resources/servers/console/management.xml
@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements. See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License. You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<management-context xmlns="http://activemq.apache.org/schema">
+   <!--<connector connector-port="1099"/>-->
+   <authorisation>
+      <allowlist>
+         <entry domain="hawtio"/>
+      </allowlist>
+      <default-access>
+         <!--
+         The "default-access" settings apply to every MBean not explicitly configured
+         in the "allowlist" or "role-access" sections
+         -->
+
+         <!-- allow read-only access by default -->
+         <access method="list*" roles="amq"/>
+         <access method="get*" roles="amq"/>
+         <access method="is*" roles="amq"/>
+
+         <!-- don't allow write or other operations by default -->
+         <!--access method="set*" roles="amq"/-->
+         <!--access method="*" roles="amq"/-->
+      </default-access>
+      <role-access>
+         <match domain="org.apache.activemq.artemis">
+            <access method="listConnections" roles="connections,amq"/>
+            <access method="listSessions" roles="sessions,amq"/>
+            <access method="listConsumers" roles="consumers,amq"/>
+            <access method="listProducers" roles="producers,amq"/>
+            <access method="listQueues" roles="queues,amq"/>
+            <access method="listAddresses" roles="addresses,amq"/>
+            <access method="list*" roles="amq"/>
+            <access method="get*" roles="amq"/>
+            <access method="is*" roles="amq"/>
+            <access method="set*" roles="amq"/>
+            <access method="*" roles="amq"/>
+         </match>
+      </role-access>
+   </authorisation>
+</management-context>
--- a/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/console/TabsTest.java
+++ b/tests/smoke-tests/src/test/java/org/apache/activemq/artemis/tests/smoke/console/TabsTest.java
@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.smoke.console;
+
+import org.apache.activemq.artemis.tests.smoke.console.pages.LoginPage;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.openqa.selenium.By;
+import org.openqa.selenium.MutableCapabilities;
+import org.openqa.selenium.NoSuchElementException;
+
+@RunWith(Parameterized.class)
+public class TabsTest extends ConsoleTest {
+
+   public TabsTest(MutableCapabilities browserOptions) {
+      super(browserOptions);
+   }
+
+   @Test
+   public void testConnectionsTab() {
+      testTab("connections", "Connections");
+   }
+
+   @Test
+   public void testSessionsTab() {
+      testTab("sessions", "Sessions");
+   }
+
+   @Test
+   public void testConsumersTab() {
+      testTab("consumers", "Consumers");
+   }
+
+   @Test
+   public void testProducersTab() {
+      testTab("producers", "Producers");
+   }
+
+   @Test
+   public void testAddressesTab() {
+      testTab("addresses", "Addresses");
+   }
+
+   @Test
+   public void testQueuesTab() {
+      testTab("queues", "Queues");
+   }
+
+   private void testTab(String userpass, String tab) {
+      driver.get(webServerUrl + "/console");
+      new LoginPage(driver).loginValidUser(userpass, userpass, DEFAULT_TIMEOUT);
+      driver.findElement(By.xpath("//a[contains(text(),'" + tab + "')]"));
+   }
+
+   @Test
+   public void testConnectionsTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("queues", "Connections");
+   }
+
+   @Test
+   public void testSessionsTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("connections", "Sessions");
+   }
+
+   @Test
+   public void testConsumersTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("connections", "Consumers");
+   }
+
+   @Test
+   public void testProducersTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("connections", "roducers");
+   }
+
+   @Test
+   public void testAddressesTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("connections", "Addresses");
+   }
+
+   @Test
+   public void testQueuesTabNegative() {
+      // use credentials for a valid user who cannot see the tab
+      testTabNegative("connections", "Queues");
+   }
+
+   private void testTabNegative(String userpass, String tab) {
+      driver.get(webServerUrl + "/console");
+      new LoginPage(driver).loginValidUser(userpass, userpass, DEFAULT_TIMEOUT);
+      try {
+         driver.findElement(By.xpath("//a[contains(text(),'" + tab + "')]"));
+         fail("User " + userpass + " should not have been able to see the " + tab + " tab.");
+      } catch (NoSuchElementException e) {
+         // expected
+      }
+   }
+}