ARTEMIS-3892 user limits not working with cert auth

2022-06-07 15:06:11 +03:00 · 2022-06-07 15:06:11 +03:00 · ff1fe7f6b5
parent ff770d540d
commit ff1fe7f6b5
4 changed files with 173 additions and 5 deletions
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ActiveMQServerImpl.java
@ -1764,7 +1764,7 @@ public class ActiveMQServerImpl implements ActiveMQServer {
      int sessionCount = 0;

      for (Entry<String, ServerSession> sessionEntry : sessions.entrySet()) {
-         if (sessionEntry.getValue().getUsername().equals(username)) {
+         if ((sessionEntry.getValue().getValidatedUser() != null && sessionEntry.getValue().getValidatedUser().equals(username)) || (sessionEntry.getValue().getUsername() != null && sessionEntry.getValue().getUsername().equals(username))) {
            sessionCount++;
         }
      }
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/core/server/impl/ServerSessionImpl.java
@ -737,9 +737,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {
         securityCheck(queueConfiguration.getAddress(), queueConfiguration.getName(), CheckType.CREATE_ADDRESS, this);
      }

-      server.checkQueueCreationLimit(getUsername());
+      server.checkQueueCreationLimit(getValidatedUser());

-      Queue queue = server.createQueue(queueConfiguration.setUser(getUsername()));
+      Queue queue = server.createQueue(queueConfiguration.setUser(getValidatedUser()));

      if (queueConfiguration.isTemporary()) {
         // Temporary queue in core simply means the queue will be deleted if
@ -1046,9 +1046,9 @@ public class ServerSessionImpl implements ServerSession, FailureListener {

      securityCheck(queueConfiguration.getAddress(), queueConfiguration.getName(), queueConfiguration.isDurable() ? CheckType.CREATE_DURABLE_QUEUE : CheckType.CREATE_NON_DURABLE_QUEUE, this);

-      server.checkQueueCreationLimit(getUsername());
+      server.checkQueueCreationLimit(getValidatedUser());

-      server.createSharedQueue(queueConfiguration.setUser(getUsername()));
+      server.createSharedQueue(queueConfiguration.setUser(getValidatedUser()));
   }

   @Deprecated
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTest.java
@ -104,6 +104,7 @@ public class ResourceLimitTest extends ActiveMQTestBase {

      try {
         clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
      } catch (Exception e) {
         assertTrue(e instanceof ActiveMQSecurityException);
      }
@ -114,12 +115,14 @@ public class ResourceLimitTest extends ActiveMQTestBase {

      try {
         clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
      } catch (Exception e) {
         assertTrue(e instanceof ActiveMQSecurityException);
      }

      try {
         clientSession.createSharedQueue(new QueueConfiguration("anotherQueue").setAddress("address").setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
      } catch (Exception e) {
         assertTrue(e instanceof ActiveMQSecurityException);
      }
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTestWithCerts.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/server/ResourceLimitTestWithCerts.java
@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.server;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
+import org.apache.activemq.artemis.api.core.ActiveMQSessionCreationException;
+import org.apache.activemq.artemis.api.core.QueueConfiguration;
+import org.apache.activemq.artemis.api.core.RoutingType;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.impl.ResourceLimitSettings;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.junit.Before;
+import org.junit.Test;
+
+public class ResourceLimitTestWithCerts extends ActiveMQTestBase {
+
+   static {
+      String path = System.getProperty("java.security.auth.login.config");
+      if (path == null) {
+         URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
+         if (resource != null) {
+            path = resource.getFile();
+            System.setProperty("java.security.auth.login.config", path);
+         }
+      }
+   }
+
+   @Override
+   @Before
+   public void setUp() throws Exception {
+      super.setUp();
+
+      ResourceLimitSettings limit = new ResourceLimitSettings();
+      limit.setMaxConnections(1);
+      limit.setMaxQueues(1);
+      limit.setMatch(new SimpleString("first"));
+
+      ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager("CertLogin");
+      ActiveMQServer server = addServer(ActiveMQServers.newActiveMQServer(createDefaultInVMConfig().setSecurityEnabled(true).addResourceLimitSettings(limit), ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+      Map<String, Object> params = new HashMap<>();
+      params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "server-keystore.jks");
+      params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+      params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "client-ca-truststore.jks");
+      params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+      params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+
+      server.getConfiguration().addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", true, true, true, true, true, true, true, true, true, true));
+      server.getConfiguration().putSecurityRoles("#", roles);
+
+      server.start();
+   }
+
+   @Test
+   public void testSessionLimitForUser() throws Exception {
+      TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+      tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+      tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+      ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+      ClientSessionFactory cf = createSessionFactory(locator);
+
+      ClientSession clientSession = cf.createSession();
+
+      try {
+         ClientSessionFactory extraClientSessionFactory = locator.createSessionFactory();
+         ClientSession extraClientSession = extraClientSessionFactory.createSession();
+         fail("creating a session factory here should fail");
+      } catch (Exception e) {
+         assertTrue(e instanceof ActiveMQSessionCreationException);
+      }
+
+      clientSession.close();
+
+      clientSession = cf.createSession();
+
+      try {
+         ClientSessionFactory extraClientSessionFactory = locator.createSessionFactory();
+         ClientSession extraClientSession = extraClientSessionFactory.createSession();
+         fail("creating a session factory here should fail");
+      } catch (Exception e) {
+         assertTrue(e instanceof ActiveMQSessionCreationException);
+      }
+      clientSession.close();
+      cf.close();
+   }
+
+   @Test
+   public void testQueueLimitForUser() throws Exception {
+      TransportConfiguration tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, "server-ca-truststore.jks");
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, "securepass");
+      tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, "client-keystore.jks");
+      tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, "securepass");
+      ServerLocator locator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+      ClientSessionFactory cf = createSessionFactory(locator);
+
+      ClientSession clientSession = cf.createSession();
+      clientSession.createQueue(new QueueConfiguration("queue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+
+      try {
+         clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
+      } catch (Exception e) {
+         assertTrue(e instanceof ActiveMQSecurityException);
+      }
+
+      clientSession.deleteQueue("queue");
+
+      clientSession.createQueue(new QueueConfiguration("queue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+
+      try {
+         clientSession.createQueue(new QueueConfiguration("anotherQueue").setAddress("address").setRoutingType(RoutingType.ANYCAST).setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
+      } catch (Exception e) {
+         assertTrue(e instanceof ActiveMQSecurityException);
+      }
+
+      try {
+         clientSession.createSharedQueue(new QueueConfiguration("anotherQueue").setAddress("address").setDurable(false));
+         fail("Should have thrown an ActiveMQSecurityException");
+      } catch (Exception e) {
+         assertTrue(e instanceof ActiveMQSecurityException);
+      }
+   }
+}