authorKim van der Riet <kpvdr@apache.org>2013-02-28 16:14:30 +0000
committerKim van der Riet <kpvdr@apache.org>2013-02-28 16:14:30 +0000
commit9c73ef7a5ac10acd6a50d5d52bd721fc2faa5919 (patch)
tree2a890e1df09e5b896a9b4168a7b22648f559a1f2 /java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
parent172d9b2a16cfb817bbe632d050acba7e31401cd2 (diff)
downloadqpid-python-9c73ef7a5ac10acd6a50d5d52bd721fc2faa5919.tar.gz
Update from trunk r1375509 through r1450773asyncstore
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/asyncstore@1451244 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java')
-rw-r--r--java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java113
1 files changed, 37 insertions, 76 deletions
diff --git a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
index 815df99f80..e61370fced 100644
--- a/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
+++ b/java/broker-plugins/access-control/src/main/java/org/apache/qpid/server/security/access/config/RuleSet.java
@@ -18,8 +18,8 @@
*/
package org.apache.qpid.server.security.access.config;
+import java.net.InetAddress;
import java.security.Principal;
-import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
@@ -54,7 +54,7 @@ import org.apache.qpid.server.security.access.logging.AccessControlMessages;
*/
public class RuleSet
{
- public static final Logger _logger = Logger.getLogger(RuleSet.class);
+ private static final Logger _logger = Logger.getLogger(RuleSet.class);
private static final String AT = "@";
private static final String SLASH = "/";
@@ -66,7 +66,6 @@ public class RuleSet
private static final Integer _increment = 10;
- private final Map<String, List<String>> _aclGroups = new HashMap<String, List<String>>();
private final SortedMap<Integer, Rule> _rules = new TreeMap<Integer, Rule>();
private final Map<Subject, Map<Operation, Map<ObjectType, List<Rule>>>> _cache =
new WeakHashMap<Subject, Map<Operation, Map<ObjectType, List<Rule>>>>();
@@ -79,14 +78,13 @@ public class RuleSet
}
/**
- * Clear the contents, including acl groups, rules and configuration.
+ * Clear the contents, including acl rules and configuration.
*/
public void clear()
{
_rules.clear();
_cache.clear();
_config.clear();
- _aclGroups.clear();
}
public int getRuleCount()
@@ -157,21 +155,27 @@ public class RuleSet
public void grant(Integer number, String identity, Permission permission, Operation operation)
{
- Action action = new Action(operation);
+ AclAction action = new AclAction(operation);
addRule(number, identity, permission, action);
}
public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, ObjectProperties properties)
{
- Action action = new Action(operation, object, properties);
+ AclAction action = new AclAction(operation, object, properties);
addRule(number, identity, permission, action);
}
- public boolean ruleExists(String identity, Action action)
+ public void grant(Integer number, String identity, Permission permission, Operation operation, ObjectType object, AclRulePredicates predicates)
+ {
+ AclAction aclAction = new AclAction(operation, object, predicates);
+ addRule(number, identity, permission, aclAction);
+ }
+
+ public boolean ruleExists(String identity, AclAction action)
{
for (Rule rule : _rules.values())
{
- if (rule.getIdentity().equals(identity) && rule.getAction().equals(action))
+ if (rule.getIdentity().equals(identity) && rule.getAclAction().equals(action))
{
return true;
}
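Review bot: The duplicate check in `ruleExists` compares identities case-sensitively (`rule.getIdentity().equals(identity)`) while the matching path later in this same diff uses `rule.getIdentity().equalsIgnoreCase(principal.getName())`, so two rules for `Bob` and `bob` are both accepted yet both apply to the same principal, and whichever has the lower number silently wins. If case-insensitive identities are the intended contract, the check here should use the same comparison: `if (rule.getIdentity().equalsIgnoreCase(identity) && rule.getAclAction().equals(action))`. The new `grant(Integer, String, Permission, Operation, ObjectType, AclRulePredicates)` overload also has no Javadoc; the other overloads above it have none either, but this one introduces `AclRulePredicates`, whose relationship to `ObjectProperties` a reader cannot infer from this file, so a one-line summary naming what a predicate set constrains would help.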
@@ -179,8 +183,7 @@ public class RuleSet
return false;
}
- // TODO make this work when group membership is not known at file parse time
- public void addRule(Integer number, String identity, Permission permission, Action action)
+ public void addRule(Integer number, String identity, Permission permission, AclAction action)
{
_cache.clear();
@@ -222,53 +225,6 @@ public class RuleSet
_rules.get(Integer.valueOf(ruleNumber)).disable();
}
- public boolean addGroup(String group, List<String> constituents)
- {
- _cache.clear();
-
- if (_aclGroups.containsKey(group))
- {
- // cannot redefine
- return false;
- }
- else
- {
- _aclGroups.put(group, new ArrayList<String>());
- }
-
- for (String name : constituents)
- {
- if (name.equalsIgnoreCase(group))
- {
- // recursive definition
- return false;
- }
-
- if (!checkName(name))
- {
- // invalid name
- return false;
- }
-
- if (_aclGroups.containsKey(name))
- {
- // is a group
- _aclGroups.get(group).addAll(_aclGroups.get(name));
- }
- else
- {
- // is a user
- if (!isvalidUserName(name))
- {
- // invalid username
- return false;
- }
- _aclGroups.get(group).add(name);
- }
- }
- return true;
- }
-
/** Return true if the name is well-formed (contains legal characters). */
protected boolean checkName(String name)
{
@@ -312,11 +268,15 @@ public class RuleSet
return true;
}
- // CPP broker authorise function prototype
- // virtual bool authorise(const std::string& id, const Action& action, const ObjectType& objType,
- // const std::string& name, std::map<Property, std::string>* params=0)
-
- // Possibly add a String name paramater?
+ /**
+ * Checks for the case when the client's address is not known.
+ *
+ * @see #check(Subject, Operation, ObjectType, ObjectProperties, InetAddress)
+ */
+ public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
+ {
+ return check(subject, operation, objectType, properties, null);
+ }
/**
* Check the authorisation granted to a particular identity for an operation on an object type with
@@ -327,10 +287,9 @@ public class RuleSet
* the first match found, or denies access if there are no matching rules. Normally, it would be expected
* to have a default deny or allow rule at the end of an access configuration however.
*/
- public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties)
+ public Result check(Subject subject, Operation operation, ObjectType objectType, ObjectProperties properties, InetAddress addressOfClient)
{
- // Create the action to check
- Action action = new Action(operation, objectType, properties);
+ ClientAction action = new ClientAction(operation, objectType, properties);
if(_logger.isDebugEnabled())
{
@@ -349,27 +308,31 @@ public class RuleSet
}
// Iterate through a filtered set of rules dealing with this identity and operation
- for (Rule current : rules)
+ for (Rule rule : rules)
{
if(_logger.isDebugEnabled())
{
- _logger.debug("Checking against rule: " + current);
+ _logger.debug("Checking against rule: " + rule);
}
- // Check if action matches
- if (action.matches(current.getAction()))
+
+ if (action.matches(rule.getAclAction(), addressOfClient))
{
- Permission permission = current.getPermission();
+ Permission permission = rule.getPermission();
switch (permission)
{
case ALLOW_LOG:
CurrentActor.get().message(AccessControlMessages.ALLOWED(
- action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
+ action.getOperation().toString(),
+ action.getObjectType().toString(),
+ action.getProperties().toString()));
case ALLOW:
return Result.ALLOWED;
case DENY_LOG:
CurrentActor.get().message(AccessControlMessages.DENIED(
- action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
+ action.getOperation().toString(),
+ action.getObjectType().toString(),
+ action.getProperties().toString()));
case DENY:
return Result.DENIED;
}
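Review bot: `action.matches(rule.getAclAction(), addressOfClient)` is now evaluated with `addressOfClient == null` whenever the four-argument `check` overload is used, and this loop treats any match as decisive, so an ALLOW rule that is restricted to a network or hostname must not be reported as matching when the address is unknown; that fail-closed behaviour lives in `ClientAction.matches`, which is outside this file, and is worth a comment here so the dependency is visible: `// A null address must never satisfy an address-restricted rule (see ClientAction.matches).`. The `switch` relies on fall-through from `ALLOW_LOG` to `ALLOW` and from `DENY_LOG` to `DENY`, which is correct but reads like a missing `break`; a `// fall through` line after each logging call would make the intent explicit. There is also no `default` branch, so a `Permission` constant added later would log nothing and simply continue to the next rule; a `default: throw new IllegalStateException("Unhandled permission " + permission);` would surface that at the point of failure instead of quietly changing the outcome.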
@@ -446,8 +409,7 @@ public class RuleSet
{
final Principal principal = iterator.next();
- if (rule.getIdentity().equalsIgnoreCase(principal.getName())
- || (_aclGroups.containsKey(rule.getIdentity()) && _aclGroups.get(rule.getIdentity()).contains(principal.getName())))
+ if (rule.getIdentity().equalsIgnoreCase(principal.getName()))
{
return true;
}
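Review bot: With the group lookup removed, rule identity matching is now solely `rule.getIdentity().equalsIgnoreCase(principal.getName())`, so an ACL entry for `Admin` also applies to a principal named `admin`; if the authentication provider distinguishes those as separate users, an ALLOW rule written for one grants access to the other. This was true before the change as well, but the removed branch made the intended identity model explicit, so the surviving line deserves a comment stating that identities are compared case-insensitively by design, for example `// ACL identities are matched case-insensitively; ensure the auth provider does not treat differently-cased names as distinct users.`. The enclosing method begins before this hunk, so I cannot see how `rule` and the principal iterator are obtained.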
@@ -476,5 +438,4 @@ public class RuleSet
}
return objects;
}
-
}