diff options
Diffstat (limited to 'qpid/cpp/src/tests/acl.py')
-rwxr-xr-x | qpid/cpp/src/tests/acl.py | 3959 |
1 files changed, 3959 insertions, 0 deletions
diff --git a/qpid/cpp/src/tests/acl.py b/qpid/cpp/src/tests/acl.py new file mode 100755 index 0000000000..2838bd3f83 --- /dev/null +++ b/qpid/cpp/src/tests/acl.py @@ -0,0 +1,3959 @@ +#!/usr/bin/env python +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +import sys +import qpid +from qpid.util import connect +from qpid.connection import Connection +from qpid.datatypes import uuid4 +from qpid.testlib import TestBase010 +from qmf.console import Session +from qpid.datatypes import Message +import qpid.messaging +from qpidtoollibs import BrokerAgent + +class ACLFile: + def __init__(self, policy='data_dir/policy.acl'): + self.f = open(policy,'w') + + def write(self,line): + self.f.write(line) + + def close(self): + self.f.close() + +class ACLTests(TestBase010): + + # required for testing QMF methods + def get_messaging_connection(self, user, passwd): + parms = {'username':user, 'password':passwd, 'sasl_mechanisms':'PLAIN'} + brokerurl="%s:%s" %(self.broker.host, self.broker.port) + connection = qpid.messaging.Connection(brokerurl, **parms) + connection.open() + return connection + + # For connection limit tests this function + # throws if the connection won't start + # returns a connection that the caller can close if he likes. + def get_connection(self, user, passwd): + socket = connect(self.broker.host, self.broker.port) + connection = Connection (sock=socket, username=user, password=passwd, + mechanism="PLAIN") + connection.start() + return connection + + def get_session(self, user, passwd): + socket = connect(self.broker.host, self.broker.port) + connection = Connection (sock=socket, username=user, password=passwd, + mechanism="PLAIN") + connection.start() + return connection.session(str(uuid4())) + + def port_i(self): + return int(self.defines["port-i"]) + + def port_u(self): + return int(self.defines["port-u"]) + + def port_q(self): + return int(self.defines["port-q"]) + + def get_session_by_port(self, user, passwd, byPort): + socket = connect(self.broker.host, byPort) + connection = Connection (sock=socket, username=user, password=passwd, + mechanism="PLAIN") + connection.start() + return connection.session(str(uuid4())) + + def reload_acl(self): + result = None + try: + self.broker_access.reloadAclFile() + except Exception, e: + result = str(e) + return result + + def acl_lookup(self, userName, action, aclObj, aclObjName, propMap): + result = {} + try: + result = self.broker_access.acl_lookup(userName, action, aclObj, aclObjName, propMap) + except Exception, e: + result['text'] = str(e) + result['result'] = str(e) + return result + + def acl_lookupPublish(self, userName, exchange, key): + result = {} + try: + result = self.broker_access.acl_lookupPublish(userName, exchange, key) + except Exception, e: + result['text'] = str(e) + result['result'] = str(e) + return result + + def get_acl_file(self): + return ACLFile(self.config.defines.get("policy-file", "data_dir/policy.acl")) + + def setUp(self): + aclf = self.get_acl_file() + aclf.write('acl allow all all\n') + aclf.close() + TestBase010.setUp(self) + self.startBrokerAccess() + self.reload_acl() + + def tearDown(self): + aclf = self.get_acl_file() + aclf.write('acl allow all all\n') + aclf.close() + self.reload_acl() + TestBase010.tearDown(self) + + + def Lookup(self, userName, action, aclObj, aclObjName, propMap, expectedResult): + result = self.acl_lookup(userName, action, aclObj, aclObjName, propMap) + if (result['result'] != expectedResult): + suffix = ', [ERROR: Expected= ' + expectedResult + if (result['result'] is None): + suffix = suffix + ', Exception= ' + result['text'] + ']' + else: + suffix = suffix + ', Actual= ' + result['result'] + ']' + self.fail('Lookup: name=' + userName + ', action=' + action + ', aclObj=' + aclObj + ', aclObjName=' + aclObjName + ', propertyMap=' + str(propMap) + suffix) + + + def LookupPublish(self, userName, exchName, keyName, expectedResult): + result = self.acl_lookupPublish(userName, exchName, keyName) + if (result['result'] != expectedResult): + suffix = ', [ERROR: Expected= ' + expectedResult + if (result['result'] is None): + suffix = suffix + ', Exception= ' + result['text'] + ']' + else: + suffix = suffix + ', Actual= ' + result['result'] + ']' + self.fail('LookupPublish: name=' + userName + ', exchange=' + exchName + ', key=' + keyName + suffix) + + def AllBut(self, allList, removeList): + tmpList = allList[:] + for item in removeList: + try: + tmpList.remove(item) + except Exception, e: + self.fail("ERROR in AllBut() \nallList = %s \nremoveList = %s \nerror = %s " \ + % (allList, removeList, e)) + return tmpList + + #===================================== + # ACL general tests + #===================================== + + def test_deny_mode(self): + """ + Test the deny all mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow anonymous all all\n') + aclf.write('acl allow bob@QPID create queue\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + try: + session.queue_declare(queue="deny_queue") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request"); + self.fail("Error during queue create request"); + + try: + session.exchange_bind(exchange="amq.direct", queue="deny_queue", binding_key="routing_key") + self.fail("ACL should deny queue bind request"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + + def test_allow_mode(self): + """ + Test the allow all mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID bind exchange\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + try: + session.queue_declare(queue="allow_queue") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request"); + self.fail("Error during queue create request"); + + try: + session.exchange_bind(exchange="amq.direct", queue="allow_queue", binding_key="routing_key") + self.fail("ACL should deny queue bind request"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + + + def test_allow_mode_with_specfic_allow_override(self): + """ + Specific allow overrides a general deny + """ + aclf = self.get_acl_file() + aclf.write('group admins bob@QPID joe@QPID \n') + aclf.write('acl allow bob@QPID create queue \n') + aclf.write('acl deny admins create queue \n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue='zed') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow create queue request"); + + + #===================================== + # ACL file format tests + #===================================== + + def test_empty_groups(self): + """ + Test empty groups + """ + aclf = self.get_acl_file() + aclf.write('acl group\n') + aclf.write('acl group admins bob@QPID joe@QPID\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result.find("Insufficient tokens for acl definition",0,len(result)) == -1): + self.fail("ACL Reader should reject the acl file due to empty group name") + + def test_illegal_acl_formats(self): + """ + Test illegal acl formats + """ + aclf = self.get_acl_file() + aclf.write('acl group admins bob@QPID joe@QPID\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result.find("Unknown ACL permission",0,len(result)) == -1): + self.fail(result) + + def test_illegal_extension_lines(self): + """ + Test illegal extension lines + """ + + aclf = self.get_acl_file() + aclf.write('group admins bob@QPID \n') + aclf.write(' \ \n') + aclf.write('joe@QPID \n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result.find("contains an illegal extension",0,len(result)) == -1): + self.fail(result) + + if (result.find("Non-continuation line must start with \"group\" or \"acl\"",0,len(result)) == -1): + self.fail(result) + + def test_illegal_extension_lines(self): + """ + Test proper extention lines + """ + aclf = self.get_acl_file() + aclf.write('group test1 joe@EXAMPLE.com \\ \n') # should be allowed + aclf.write(' jack@EXAMPLE.com \\ \n') # should be allowed + aclf.write('jill@TEST.COM \\ \n') # should be allowed + aclf.write('host/123.example.com@TEST.COM\n') # should be allowed + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + def test_nested_groups(self): + """ + Test nested groups + """ + + aclf = self.get_acl_file() + aclf.write('group user-consume martin@QPID ted@QPID\n') + aclf.write('group group2 kim@QPID user-consume rob@QPID \n') + aclf.write('acl allow anonymous all all \n') + aclf.write('acl allow group2 create queue \n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('rob','rob') + try: + session.queue_declare(queue="rob_queue") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request"); + self.fail("Error during queue create request"); + + + + def test_user_realm(self): + """ + Test a user defined without a realm + Ex. group admin rajith + Note: a user name without a realm is interpreted as a group name + """ + aclf = self.get_acl_file() + aclf.write('group admin bob\n') # shouldn't be allowed + aclf.write('acl deny admin bind exchange\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result.find("not defined yet.",0,len(result)) == -1): + self.fail(result) + + def test_allowed_chars_for_username(self): + """ + Test a user defined without a realm + Ex. group admin rajith + """ + aclf = self.get_acl_file() + aclf.write('group test1 joe@EXAMPLE.com\n') # should be allowed + aclf.write('group test2 jack_123-jill@EXAMPLE.com\n') # should be allowed + aclf.write('group test4 host/somemachine.example.com@EXAMPLE.COM\n') # should be allowed + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('group test1 joe$H@EXAMPLE.com\n') # shouldn't be allowed + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result.find("Username \"joe$H@EXAMPLE.com\" contains illegal characters",0,len(result)) == -1): + self.fail(result) + + #===================================== + # ACL validation tests + #===================================== + + def test_illegal_queue_policy(self): + """ + Test illegal queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 exclusive=true policytype=ding\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "ding is not a valid value for 'policytype', possible values are one of" + if (result.find(expected) == -1): + self.fail(result) + + def test_illegal_queuemaxsize_upper_limit_spec(self): + """ + Test illegal queue policy + """ + # + # Use maxqueuesize + # + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 maxqueuesize=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 maxqueuesize=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + # + # Use queuemaxsizeupperlimit + # + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxsizeupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxsizeupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + + def test_illegal_queuemaxcount_upper_limit_spec(self): + """ + Test illegal queue policy + """ + # + # Use maxqueuecount + # + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 maxqueuecount=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 maxqueuecount=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + # + # use maxqueuecountupperlimit + # + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxcountupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxcountupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_queuemaxsize_lower_limit_spec(self): + """ + Test illegal queue policy + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxsizelowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxsizelowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxsizelowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxsizelowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + + def test_illegal_queuemaxcount_lower_limit_spec(self): + """ + Test illegal queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxcountlowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'queuemaxcountlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 queuemaxcountlowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'queuemaxcountlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_filemaxsize_upper_limit_spec(self): + """ + Test illegal file policy + """ + # + # Use filemaxsizeupperlimit + # + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxsizeupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'filemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxsizeupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'filemaxsizeupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + + def test_illegal_filemaxcount_upper_limit_spec(self): + """ + Test illegal file policy + """ + # + # use maxfilecountupperlimit + # + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxcountupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'filemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxcountupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'filemaxcountupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_filemaxsize_lower_limit_spec(self): + """ + Test illegal file policy + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxsizelowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'filemaxsizelowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxsizelowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'filemaxsizelowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + + def test_illegal_filemaxcount_lower_limit_spec(self): + """ + Test illegal file policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxcountlowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'filemaxcountlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 filemaxcountlowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'filemaxcountlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_pages_lower_limit_spec(self): + """ + Test illegal paged queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pageslowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'pageslowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pageslowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'pageslowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_pages_upper_limit_spec(self): + """ + Test illegal paged queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagesupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'pagesupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagesupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'pagesupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_pagefactor_lower_limit_spec(self): + """ + Test illegal paged queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagefactorlowerlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'pagefactorlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagefactorlowerlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'pagefactorlowerlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + def test_illegal_pagefactor_upper_limit_spec(self): + """ + Test illegal paged queue policy + """ + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagefactorupperlimit=-1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "-1 is not a valid value for 'pagefactorupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=q2 pagefactorupperlimit=9223372036854775808\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + expected = "9223372036854775808 is not a valid value for 'pagefactorupperlimit', " \ + "values should be between 0 and 9223372036854775807"; + if (result.find(expected) == -1): + self.fail(result) + + + #===================================== + # ACL queue tests + #===================================== + + def test_queue_allow_mode(self): + """ + Test cases for queue acl in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID access queue name=q1\n') + aclf.write('acl deny bob@QPID create queue name=q1 durable=true\n') + aclf.write('acl deny bob@QPID create queue name=q2 exclusive=true policytype=ring\n') + aclf.write('acl deny bob@QPID access queue name=q3\n') + aclf.write('acl deny bob@QPID delete queue name=q4\n') + aclf.write('acl deny bob@QPID create queue name=q5 maxqueuesize=1000 maxqueuecount=100\n') + aclf.write('acl deny bob@QPID create queue name=q6 paging=true\n') + aclf.write('acl deny bob@QPID purge queue name=q7\n') + aclf.write('acl deny bob@QPID move queue name=q7\n') + aclf.write('acl deny bob@QPID move queue name=q8 queuename=q7\n') + aclf.write('acl deny bob@QPID redirect queue name=q7\n') + aclf.write('acl deny bob@QPID redirect queue name=q8 queuename=q7\n') + aclf.write('acl deny bob@QPID reroute queue name=q7\n') + aclf.write('acl deny bob@QPID reroute queue name=q8 exchangename=amq.fanout\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="q1", durable=True) + self.fail("ACL should deny queue create request with name=q1 durable=true"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="q1", durable=True, passive=True) + self.fail("ACL should deny queue passive declare request with name=q1 durable=true"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.policy_type"] = "ring" + session.queue_declare(queue="q2", exclusive=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=q2 exclusive=true qpid.policy_type=ring"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.policy_type"] = "ring_strict" + session.queue_declare(queue="q2", exclusive=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=q2 exclusive=true qpid.policy_type=ring_strict"); + + try: + queue_options = {} + queue_options["qpid.max_count"] = 200 + queue_options["qpid.max_size"] = 500 + session.queue_declare(queue="q5", exclusive=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=q2, qpid.max_size=500 and qpid.max_count=200"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + session.queue_declare(queue="q6", arguments=queue_options) + self.fail("ACL should deny queue create request with name=q6, qpid.paging=True"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 200 + queue_options["qpid.max_size"] = 100 + session.queue_declare(queue="q2", exclusive=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=q2, qpid.max_size=100 and qpid.max_count=200 "); + try: + session.queue_declare(queue="q3", exclusive=True) + session.queue_declare(queue="q4", durable=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request for q3 and q4 with any parameter"); + + try: + session.queue_query(queue="q3") + self.fail("ACL should deny queue query request for q3"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + # some queues needs to be created for testing purge / move / reroute / redirect + session.queue_declare(queue="q7") + session.queue_declare(queue="q8") + session.queue_declare(queue="q9") + try: + session.queue_purge(queue="q7") + self.fail("ACL should deny queue purge request for q7"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_purge(queue="q8") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue purge request for q8"); + + # as we use QMF methods, it is easier to use BrokerAgent from messaging.connection and not use session object as above + broker_agent = BrokerAgent(self.get_messaging_connection('bob','bob')) + + try: + broker_agent.queueMoveMessages("q7", "q8", 0) + self.fail("ACL should deny queue move request from q7 to q8"); + except Exception, e: + self.assertTrue("'error_code': 7" in e.args[0]) + broker_agent = BrokerAgent(self.get_messaging_connection('bob','bob')) + + try: + broker_agent.queueMoveMessages("q8", "q9", 0) + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue move request from q8 to q9"); + + try: + broker_agent.queueMoveMessages("q9", "q8", 0) + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue move request from q9 to q8"); + + try: + broker_agent.Redirect("q7", "q8") + self.fail("ACL should deny queue redirect request from q7 to q8"); + except Exception, e: + self.assertTrue("'error_code': 7" in e.args[0]) + broker_agent = BrokerAgent(self.get_messaging_connection('bob','bob')) + + try: + broker_agent.Redirect("q8", "q9") + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue redirect request from q8 to q9"); + + try: + broker_agent.Redirect("q9", "q8") + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue redirect request from q9 to q8"); + + try: + broker_agent.getQueue('q7').reroute(0, False, "amq.fanout") + self.fail("ACL should deny queue reroute request from q7 to amq.fanout"); + except Exception, e: + self.assertTrue("'error_code': 7" in e.args[0]) + broker_agent = BrokerAgent(self.get_messaging_connection('bob','bob')) + + try: + broker_agent.getQueue('q8').reroute(0, False, "amq.fanout") + self.fail("ACL should deny queue reroute request from q8 to amq.fanout"); + except Exception, e: + self.assertTrue("'error_code': 7" in e.args[0]) + broker_agent = BrokerAgent(self.get_messaging_connection('bob','bob')) + + try: + broker_agent.getQueue('q8').reroute(0, False, "amq.direct") + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue reroute request from q8 to amq.direct"); + + try: + broker_agent.getQueue('q9').reroute(0, False, "amq.fanout") + except Exception, e: + if ("'error_code': 7" in e.args[0]): + self.fail("ACL should allow queue reroute request from q9 to amq.fanout"); + + try: + session.queue_delete(queue="q4") + self.fail("ACL should deny queue delete request for q4"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_delete(queue="q3") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue delete request for q3"); + + + def test_queue_deny_mode(self): + """ + Test cases for queue acl in deny mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID access queue name=q1\n') + aclf.write('acl allow bob@QPID create queue name=q1 durable=true\n') + aclf.write('acl allow bob@QPID create queue name=q2 exclusive=true policytype=ring\n') + aclf.write('acl allow bob@QPID access queue name=q3\n') + aclf.write('acl allow bob@QPID purge queue name=q3\n') + aclf.write('acl allow bob@QPID create queue name=q3\n') + aclf.write('acl allow bob@QPID create queue name=q4\n') + aclf.write('acl allow bob@QPID delete queue name=q4\n') + aclf.write('acl allow bob@QPID create queue name=q5 maxqueuesize=1000 maxqueuecount=100\n') + aclf.write('acl allow bob@QPID create queue name=q6 queuemaxsizelowerlimit=50 queuemaxsizeupperlimit=100 queuemaxcountlowerlimit=50 queuemaxcountupperlimit=100\n') + aclf.write('acl allow bob@QPID create queue name=q7 policytype=self-destruct\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="q1", durable=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=q1 durable=true"); + + try: + session.queue_declare(queue="q1", durable=True, passive=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue passive declare request with name=q1 durable=true passive=true"); + + try: + session.queue_declare(queue="q1", durable=False, passive=False) + self.fail("ACL should deny queue create request with name=q1 durable=true passive=false"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="q2", exclusive=False) + self.fail("ACL should deny queue create request with name=q2 exclusive=false"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 200 + queue_options["qpid.max_size"] = 500 + session.queue_declare(queue="q5", arguments=queue_options) + self.fail("ACL should deny queue create request with name=q5 maxqueuesize=500 maxqueuecount=200"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 100 + queue_options["qpid.max_size"] = 500 + session.queue_declare(queue="q5", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=q5 maxqueuesize=500 maxqueuecount=200"); + + try: + queue_options = {} + queue_options["qpid.max_count"] = 49 + queue_options["qpid.max_size"] = 100 + session.queue_declare(queue="q6", arguments=queue_options) + self.fail("ACL should deny queue create request with name=q6 maxqueuesize=100 maxqueuecount=49"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 101 + queue_options["qpid.max_size"] = 100 + session.queue_declare(queue="q6", arguments=queue_options) + self.fail("ACL should allow queue create request with name=q6 maxqueuesize=100 maxqueuecount=101"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 100 + queue_options["qpid.max_size"] = 49 + session.queue_declare(queue="q6", arguments=queue_options) + self.fail("ACL should deny queue create request with name=q6 maxqueuesize=49 maxqueuecount=100"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 100 + queue_options["qpid.max_size"] =101 + session.queue_declare(queue="q6", arguments=queue_options) + self.fail("ACL should deny queue create request with name=q6 maxqueuesize=101 maxqueuecount=100"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.max_count"] = 50 + queue_options["qpid.max_size"] = 50 + session.queue_declare(queue="q6", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=q6 maxqueuesize=50 maxqueuecount=50"); + + try: + queue_options = {} + queue_options["qpid.policy_type"] = "ring" + session.queue_declare(queue="q2", exclusive=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request for q2 with exclusive=true policytype=ring"); + + try: + session.queue_declare(queue="q7", arguments={"qpid.policy_type": "ring"}) + self.fail("ACL should not allow queue create request for q7 with policytype=ring"); + except qpid.session.SessionException, e: + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="q7", arguments={"qpid.policy_type": "self-destruct"}) + except qpid.session.SessionException, e: + self.fail("ACL should allow queue create request for q7 with policytype=self-destruct"); + + try: + session.queue_declare(queue="q3") + session.queue_declare(queue="q4") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request for q3 and q4"); + + try: + session.queue_query(queue="q4") + self.fail("ACL should deny queue query request for q4"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_purge(queue="q4") + self.fail("ACL should deny queue purge request for q4"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_purge(queue="q3") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue purge request for q3"); + + try: + session.queue_query(queue="q3") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue query request for q3"); + + try: + session.queue_delete(queue="q3") + self.fail("ACL should deny queue delete request for q3"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_delete(queue="q4") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue delete request for q4"); + + #===================================== + # ACL paged tests + #===================================== + + def test_paged_allow_mode(self): + """ + Test cases for paged acl in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID create queue name=qf1 pageslowerlimit=1000\n') + aclf.write('acl deny bob@QPID create queue name=qf2 pagesupperlimit=100\n') + aclf.write('acl deny bob@QPID create queue name=qf3 pagefactorlowerlimit=10\n') + aclf.write('acl deny bob@QPID create queue name=qf4 pagefactorupperlimit=1\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.max_pages_loaded"] = 500 + session.queue_declare(queue="qf1", arguments=queue_options) + self.fail("ACL should deny queue create request with name=qf1, qpid.paging=True, qpid.max_pages_loaded=500"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.max_pages_loaded"] = 500 + session.queue_declare(queue="qf2", arguments=queue_options) + self.fail("ACL should deny queue create request with name=qf2, qpid.paging=True, qpid.max_pages_loaded=500"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.page_factor"] = 5 + session.queue_declare(queue="qf3", arguments=queue_options) + self.fail("ACL should deny queue create request with name=qf3, qpid.paging=True, qpid.page_factor=5"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.page_factor"] = 5 + session.queue_declare(queue="qf4", arguments=queue_options) + self.fail("ACL should deny queue create request with name=qf4, qpid.paging=True, qpid.page_factor=5"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + + def test_paged_deny_mode(self): + """ + Test cases for paged acl in deny mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID create queue name=qf1 pageslowerlimit=100 pagesupperlimit=1000\n') + aclf.write('acl allow bob@QPID create queue name=qf2 pagefactorlowerlimit=1 pagefactorupperlimit=10\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.max_pages_loaded"] = 500 + session.queue_declare(queue="qf1", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qf1, qpid.paging=True, qpid.max_pages_loaded=500"); + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.paging"] = True + queue_options["qpid.page_factor"] = 5 + session.queue_declare(queue="qf2", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qf2, qpid.paging=True, qpid.page_factor=5"); + session = self.get_session('bob','bob') + + + #===================================== + # ACL file tests + #===================================== + + def test_file_allow_mode(self): + """ + Test cases for file acl in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID access queue name=qf1\n') + aclf.write('acl deny bob@QPID create queue name=qf1 durable=true\n') + aclf.write('acl deny bob@QPID create queue name=qf2 exclusive=true policytype=ring\n') + aclf.write('acl deny bob@QPID access queue name=qf3\n') + aclf.write('acl deny bob@QPID purge queue name=qf3\n') + aclf.write('acl deny bob@QPID delete queue name=qf4\n') + aclf.write('acl deny bob@QPID create queue name=qf5 filemaxsizeupperlimit=1000 filemaxcountupperlimit=100\n') + aclf.write('acl deny bob@QPID create queue name=ABCDE queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "queue", "ABCDE", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"0", + "maxfilecount":"0" }, "deny") + + try: + queue_options = {} + queue_options["qpid.file_count"] = 200 + queue_options["qpid.file_size"] = 500 + session.queue_declare(queue="qf5", exclusive=True, durable=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=qf5, qpid.file_size=500 and qpid.file_count=200"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 200 + queue_options["qpid.file_size"] = 100 + session.queue_declare(queue="qf2", exclusive=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qf2, qpid.file_size=100 and qpid.file_count=200 "); + + + def test_file_deny_mode(self): + """ + Test cases for queue acl in deny mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID access queue name=qfd1\n') + aclf.write('acl allow bob@QPID create queue name=qfd1 durable=true\n') + aclf.write('acl allow bob@QPID create queue name=qfd2 exclusive=true policytype=ring\n') + aclf.write('acl allow bob@QPID access queue name=qfd3\n') + aclf.write('acl allow bob@QPID purge queue name=qfd3\n') + aclf.write('acl allow bob@QPID create queue name=qfd3\n') + aclf.write('acl allow bob@QPID create queue name=qfd4\n') + aclf.write('acl allow bob@QPID delete queue name=qfd4\n') + aclf.write('acl allow bob@QPID create queue name=qfd5 filemaxsizeupperlimit=1000 filemaxcountupperlimit=100\n') + aclf.write('acl allow bob@QPID create queue name=qfd6 filemaxsizelowerlimit=50 filemaxsizeupperlimit=100 filemaxcountlowerlimit=50 filemaxcountupperlimit=100\n') + aclf.write('acl allow bob@QPID create queue name=ABCDE queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n') + aclf.write('acl allow bob@QPID create queue name=FGHIJ queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=2 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n') + aclf.write('acl allow bob@QPID create queue name=KLMNO queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=0 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "queue", "ABCDE", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"0", + "maxfilecount":"0" }, "allow") + + self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"1", + "maxfilecount":"0" }, "deny") + + self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"2", + "maxfilecount":"0" }, "allow") + + self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"32", + "maxfilecount":"0" }, "allow") + + self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"33", + "maxfilecount":"0" }, "deny") + + self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"0", + "maxfilecount":"0" }, "allow") + + self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"17", + "maxfilecount":"0" }, "allow") + + self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false", + "autodelete":"true", + "exclusive":"false", + "alternate":"", + "policytype":"ring", + "maxqueuesize":"1024000", + "maxqueuecount":"1000", + "maxfilesize":"33", + "maxfilecount":"0" }, "allow") + + try: + session.queue_declare(queue="qfd1", durable=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qfd1 durable=true"); + + try: + session.queue_declare(queue="qfd1", durable=True, passive=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue passive declare request with name=qfd1 durable=true passive=true"); + + try: + session.queue_declare(queue="qfd1", durable=False, passive=False) + self.fail("ACL should deny queue create request with name=qfd1 durable=true passive=false"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qfd2", exclusive=False) + self.fail("ACL should deny queue create request with name=qfd2 exclusive=false"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 200 + queue_options["qpid.file_size"] = 500 + session.queue_declare(queue="qfd5", durable=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=qfd5 filemaxsizeupperlimit=500 filemaxcountupperlimit=200"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 100 + queue_options["qpid.file_size"] = 500 + session.queue_declare(queue="qfd5", durable=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qfd5 filemaxsizeupperlimit=500 filemaxcountupperlimit=200"); + + try: + queue_options = {} + queue_options["qpid.file_count"] = 49 + queue_options["qpid.file_size"] = 100 + session.queue_declare(queue="qfd6", durable=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=qfd6 filemaxsizeupperlimit=100 filemaxcountupperlimit=49"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 101 + queue_options["qpid.file_size"] = 100 + session.queue_declare(queue="qfd6", durable=True, arguments=queue_options) + self.fail("ACL should allow queue create request with name=qfd6 filemaxsizeupperlimit=100 filemaxcountupperlimit=101"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 100 + queue_options["qpid.file_size"] = 49 + session.queue_declare(queue="qfd6", durable=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=qfd6 filemaxsizeupperlimit=49 filemaxcountupperlimit=100"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 100 + queue_options["qpid.file_size"] =101 + session.queue_declare(queue="qfd6", durable=True, arguments=queue_options) + self.fail("ACL should deny queue create request with name=qfd6 filemaxsizeupperlimit=101 filemaxcountupperlimit=100"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.file_count"] = 50 + queue_options["qpid.file_size"] = 50 + session.queue_declare(queue="qfd6", durable=True, arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qfd6 filemaxsizeupperlimit=50 filemaxcountupperlimit=50"); + + + #===================================== + # ACL exchange tests + #===================================== + + def test_exchange_acl_allow_mode(self): + session = self.get_session('bob','bob') + session.queue_declare(queue="baz") + + """ + Test cases for exchange acl in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID access exchange name=testEx\n') + aclf.write('acl deny bob@QPID create exchange name=testEx durable=true\n') + aclf.write('acl deny bob@QPID create exchange name=ex1 type=direct\n') + aclf.write('acl deny bob@QPID access exchange name=myEx queuename=q1 routingkey=rk1.*\n') + aclf.write('acl deny bob@QPID bind exchange name=myEx queuename=q1 routingkey=rk1\n') + aclf.write('acl deny bob@QPID unbind exchange name=myEx queuename=q1 routingkey=rk1\n') + aclf.write('acl deny bob@QPID delete exchange name=myEx\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + session.queue_declare(queue='q1') + session.queue_declare(queue='q2') + session.exchange_declare(exchange='myEx', type='direct') + + try: + session.exchange_declare(exchange='testEx', durable=True) + self.fail("ACL should deny exchange create request with name=testEx durable=true"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='testEx', durable=True, passive=True) + self.fail("ACL should deny passive exchange declare request with name=testEx durable=true passive=true"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='testEx', type='direct', durable=False) + except qpid.session.SessionException, e: + print e + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange create request for testEx with any parameter other than durable=true"); + + try: + session.exchange_declare(exchange='ex1', type='direct') + self.fail("ACL should deny exchange create request with name=ex1 type=direct"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='myXml', type='direct') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange create request for myXml with any parameter"); + + try: + session.exchange_query(name='myEx') + self.fail("ACL should deny exchange query request for myEx"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_bound(exchange='myEx', queue='q1', binding_key='rk1.*') + self.fail("ACL should deny exchange bound request for myEx with queuename=q1 and routing_key='rk1.*' "); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_query(name='amq.topic') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange query request for exchange='amq.topic'"); + + try: + session.exchange_bound(exchange='myEx', queue='q1', binding_key='rk2.*') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange bound request for myEx with queuename=q1 and binding_key='rk2.*'"); + + try: + session.exchange_bind(exchange='myEx', queue='q1', binding_key='rk1') + self.fail("ACL should deny exchange bind request with exchange='myEx' queuename='q1' bindingkey='rk1'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_bind(exchange='myEx', queue='q1', binding_key='x') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange bind request for exchange='myEx', queue='q1', binding_key='x'"); + + try: + session.exchange_bind(exchange='myEx', queue='q2', binding_key='rk1') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange bind request for exchange='myEx', queue='q2', binding_key='rk1'"); + + try: + session.exchange_unbind(exchange='myEx', queue='q1', binding_key='rk1') + self.fail("ACL should deny exchange unbind request with exchange='myEx' queuename='q1' bindingkey='rk1'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_unbind(exchange='myEx', queue='q1', binding_key='x') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange unbind request for exchange='myEx', queue='q1', binding_key='x'"); + + try: + session.exchange_unbind(exchange='myEx', queue='q2', binding_key='rk1') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange unbind request for exchange='myEx', queue='q2', binding_key='rk1'"); + + try: + session.exchange_delete(exchange='myEx') + self.fail("ACL should deny exchange delete request for myEx"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_delete(exchange='myXml') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange delete request for myXml"); + + + def test_exchange_acl_deny_mode(self): + session = self.get_session('bob','bob') + session.queue_declare(queue='bar') + + """ + Test cases for exchange acl in deny mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID create exchange name=myEx durable=true\n') + aclf.write('acl allow bob@QPID bind exchange name=amq.topic queuename=bar routingkey=foo.*\n') + aclf.write('acl allow bob@QPID unbind exchange name=amq.topic queuename=bar routingkey=foo.*\n') + aclf.write('acl allow bob@QPID access exchange name=myEx queuename=q1 routingkey=rk1.*\n') + aclf.write('acl allow bob@QPID delete exchange name=myEx\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='myEx', type='direct', durable=True, passive=False) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange create request for myEx with durable=true and passive=false"); + + try: + session.exchange_declare(exchange='myEx', type='direct', durable=False) + self.fail("ACL should deny exchange create request with name=myEx durable=false"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_bind(exchange='amq.topic', queue='bar', binding_key='foo.bar') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange bind request for exchange='amq.topic', queue='bar', binding_key='foor.bar'"); + + try: + session.exchange_bind(exchange='amq.topic', queue='baz', binding_key='foo.bar') + self.fail("ACL should deny exchange bind request for exchange='amq.topic', queue='baz', binding_key='foo.bar'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_bind(exchange='amq.topic', queue='bar', binding_key='fooz.bar') + self.fail("ACL should deny exchange bind request for exchange='amq.topic', queue='bar', binding_key='fooz.bar'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_unbind(exchange='amq.topic', queue='bar', binding_key='foo.bar') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange unbind request for exchange='amq.topic', queue='bar', binding_key='foor.bar'"); + try: + session.exchange_unbind(exchange='amq.topic', queue='baz', binding_key='foo.bar') + self.fail("ACL should deny exchange unbind request for exchange='amq.topic', queue='baz', binding_key='foo.bar'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_unbind(exchange='amq.topic', queue='bar', binding_key='fooz.bar') + self.fail("ACL should deny exchange unbind request for exchange='amq.topic', queue='bar', binding_key='fooz.bar'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_query(name='amq.topic') + self.fail("ACL should deny exchange query request for amq.topic"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_bound(exchange='myEx', queue='q1', binding_key='rk2.*') + self.fail("ACL should deny exchange bound request for amq.topic with queuename=q1 and routing_key='rk2.*' "); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_query(name='myEx') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange query request for exchange='myEx'"); + + try: + session.exchange_bound(exchange='myEx', queue='q1', binding_key='rk1.*') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange bound request for myEx with queuename=q1 and binding_key='rk1.*'"); + + try: + session.exchange_delete(exchange='myEx') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow exchange delete request for myEx"); + + def test_create_and_delete_exchange_via_qmf(self): + """ + Test acl is enforced when creating/deleting via QMF + methods. Note that in order to be able to send the QMF methods + and receive the responses a significant amount of permissions + need to be enabled (TODO: can the set below be narrowed down + at all?) + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID create exchange\n') + aclf.write('acl allow admin@QPID delete exchange\n') + aclf.write('acl allow all access exchange\n') + aclf.write('acl allow all bind exchange\n') + aclf.write('acl allow all create queue\n') + aclf.write('acl allow all access queue\n') + aclf.write('acl allow all delete queue\n') + aclf.write('acl allow all consume queue\n') + aclf.write('acl allow all access method\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + bob = BrokerAdmin(self.config.broker, "bob", "bob") + bob.create_exchange("my-exchange") #should pass + #cleanup by deleting exchange + try: + bob.delete_exchange("my-exchange") #should fail + self.fail("ACL should deny exchange delete request for my-exchange"); + except Exception, e: + self.assertEqual(7,e.args[0]["error_code"]) + assert e.args[0]["error_text"].find("unauthorized-access") == 0 + admin = BrokerAdmin(self.config.broker, "admin", "admin") + admin.delete_exchange("my-exchange") #should pass + + anonymous = BrokerAdmin(self.config.broker) + try: + anonymous.create_exchange("another-exchange") #should fail + self.fail("ACL should deny exchange create request for another-exchange"); + except Exception, e: + self.assertEqual(7,e.args[0]["error_code"]) + assert e.args[0]["error_text"].find("unauthorized-access") == 0 + + def test_qmf_query(self): + aclf = self.get_acl_file() + aclf.write('acl allow all access exchange\n') + aclf.write('acl allow all bind exchange\n') + aclf.write('acl allow all create queue\n') + aclf.write('acl allow all access queue\n') + aclf.write('acl allow all delete queue\n') + aclf.write('acl allow all consume queue\n') + aclf.write('acl allow all access method\n') + aclf.write('acl allow bob@QPID access query name=org.apache.qpid.broker:queue:q1\n') + aclf.write('acl allow bob@QPID access query schemaclass=exchange\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + bob = BrokerAdmin(self.config.broker, "bob", "bob") + + try: + bob.query(object_name="org.apache.qpid.broker:queue:q1") + except Exception, e: + if ("unauthorized-access:" in e.args[0]): + self.fail("ACL should allow queue QMF query for q1"); + + try: + bob.query(object_name="org.apache.qpid.broker:queue:q2") + self.fail("ACL should deny queue QMF query for q2"); + except Exception, e: + self.assertTrue("unauthorized-access:" in e.args[0]) + bob = BrokerAdmin(self.config.broker, "bob", "bob") + + try: + bob.query(class_name="binding") + self.fail("ACL should deny class binding QMF query"); + except Exception, e: + self.assertTrue("unauthorized-access:" in e.args[0]) + bob = BrokerAdmin(self.config.broker, "bob", "bob") + + try: + bob.query(class_name="exchange") + except Exception, e: + if ("unauthorized-access:" in e.args[0]): + self.fail("ACL should allow class exchange QMF query"); + + + #===================================== + # ACL consume tests + #===================================== + + def test_consume_allow_mode(self): + """ + Test cases for consume in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID consume queue name=q1\n') + aclf.write('acl deny bob@QPID consume queue name=q2\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + + try: + session.queue_declare(queue='q1') + session.queue_declare(queue='q2') + session.queue_declare(queue='q3') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow create queue request"); + + try: + session.message_subscribe(queue='q1', destination='myq1') + self.fail("ACL should deny subscription for queue='q1'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.message_subscribe(queue='q2', destination='myq1') + self.fail("ACL should deny subscription for queue='q2'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.message_subscribe(queue='q3', destination='myq3') + session.message_cancel(destination='myq3') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow subscription for q3"); + + + def test_consume_deny_mode(self): + """ + Test cases for consume in allow mode + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID consume queue name=q1\n') + aclf.write('acl allow bob@QPID consume queue name=q2\n') + aclf.write('acl allow bob@QPID create queue\n') + aclf.write('acl allow anonymous all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + + try: + session.queue_declare(queue='q1') + session.queue_declare(queue='q2') + session.queue_declare(queue='q3') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow create queue request"); + + try: + session.message_subscribe(queue='q1', destination='myq1') + session.message_subscribe(queue='q2', destination='myq2') + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow subscription for q1 and q2"); + + try: + session.message_subscribe(queue='q3', destination='myq3') + self.fail("ACL should deny subscription for queue='q3'"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + + #===================================== + # ACL publish tests + #===================================== + + def test_publish_acl_allow_mode(self): + """ + Test various publish acl + """ + aclf = self.get_acl_file() + aclf.write('acl deny bob@QPID publish exchange name=amq.direct routingkey=rk1\n') + aclf.write('acl deny bob@QPID publish exchange name=amq.topic\n') + aclf.write('acl deny bob@QPID publish exchange name=myEx routingkey=rk2\n') + aclf.write("acl deny bob@QPID publish exchange name=amq.default routingkey=restricted\n") + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + props = session.delivery_properties(routing_key="rk1") + + try: + session.message_transfer(destination="amq.direct", message=Message(props,"Test")) + self.fail("ACL should deny message transfer to name=amq.direct routingkey=rk1"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.message_transfer(destination="amq.topic", message=Message(props,"Test")) + self.fail("ACL should deny message transfer to name=amq.topic"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='myEx', type='direct', durable=False) + session.message_transfer(destination="myEx", message=Message(props,"Test")) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow message transfer to exchange myEx with routing key rk1"); + + + props = session.delivery_properties(routing_key="rk2") + try: + session.message_transfer(destination="amq.direct", message=Message(props,"Test")) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow message transfer to exchange amq.direct with routing key rk2"); + + self.LookupPublish("bob@QPID", "", "restricted", "deny") + self.LookupPublish("bob@QPID", "", "another", "allow") + self.LookupPublish("joe@QPID", "", "restricted", "allow") + + + def test_publish_acl_deny_mode(self): + """ + Test various publish acl + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID publish exchange name=amq.direct routingkey=rk1\n') + aclf.write('acl allow bob@QPID publish exchange name=amq.topic\n') + aclf.write('acl allow bob@QPID publish exchange name=myEx routingkey=rk2\n') + aclf.write('acl allow bob@QPID create exchange\n') + aclf.write("acl allow bob@QPID publish exchange name=amq.default routingkey=unrestricted\n") + aclf.write('acl allow anonymous all all \n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + props = session.delivery_properties(routing_key="rk2") + + try: + session.message_transfer(destination="amq.direct", message=Message(props,"Test")) + self.fail("ACL should deny message transfer to name=amq.direct routingkey=rk2"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.message_transfer(destination="amq.topic", message=Message(props,"Test")) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow message transfer to exchange amq.topic with any routing key"); + + try: + session.exchange_declare(exchange='myEx', type='direct', durable=False) + session.message_transfer(destination="myEx", message=Message(props,"Test")) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow message transfer to exchange myEx with routing key=rk2"); + + props = session.delivery_properties(routing_key="rk1") + + try: + session.message_transfer(destination="myEx", message=Message(props,"Test")) + self.fail("ACL should deny message transfer to name=myEx routingkey=rk1"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.message_transfer(destination="amq.direct", message=Message(props,"Test")) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow message transfer to exchange amq.direct with routing key rk1"); + + self.LookupPublish("bob@QPID", "", "unrestricted", "allow") + self.LookupPublish("bob@QPID", "", "another", "deny") + self.LookupPublish("joe@QPID", "", "unrestricted", "deny") + + + #===================================== + # ACL broker configuration tests + #===================================== + + def test_broker_timestamp_config(self): + """ + Test ACL control of the broker timestamp configuration + """ + aclf = self.get_acl_file() + # enable lots of stuff to allow QMF to work + aclf.write('acl allow all create exchange\n') + aclf.write('acl allow all access exchange\n') + aclf.write('acl allow all bind exchange\n') + aclf.write('acl allow all publish exchange\n') + aclf.write('acl allow all create queue\n') + aclf.write('acl allow all access queue\n') + aclf.write('acl allow all delete queue\n') + aclf.write('acl allow all consume queue\n') + aclf.write('acl allow all access method\n') + # this should let bob access the timestamp configuration + aclf.write('acl allow bob@QPID access broker\n') + aclf.write('acl allow bob@QPID update broker\n') + aclf.write('acl allow admin@QPID all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + ts = None + bob = BrokerAdmin(self.config.broker, "bob", "bob") + ts = bob.get_timestamp_cfg() #should work + bob.set_timestamp_cfg(ts); #should work + + obo = BrokerAdmin(self.config.broker, "obo", "obo") + try: + ts = obo.get_timestamp_cfg() #should fail + failed = False + except Exception, e: + failed = True + self.assertEqual(7,e.args[0]["error_code"]) + assert e.args[0]["error_text"].find("unauthorized-access") == 0 + assert(failed) + + try: + obo.set_timestamp_cfg(ts) #should fail + failed = False + except Exception, e: + failed = True + self.assertEqual(7,e.args[0]["error_code"]) + assert e.args[0]["error_text"].find("unauthorized-access") == 0 + assert(failed) + + admin = BrokerAdmin(self.config.broker, "admin", "admin") + ts = admin.get_timestamp_cfg() #should pass + admin.set_timestamp_cfg(ts) #should pass + + + + #===================================== + # QMF Functional tests + #===================================== + + def test_qmf_functional_tests(self): + """ + Test using QMF method hooks into ACL logic + """ + aclf = self.get_acl_file() + aclf.write('group admins moe@COMPANY.COM \\\n') + aclf.write(' larry@COMPANY.COM \\\n') + aclf.write(' curly@COMPANY.COM \\\n') + aclf.write(' shemp@COMPANY.COM\n') + aclf.write('group auditors aaudit@COMPANY.COM baudit@COMPANY.COM caudit@COMPANY.COM \\\n') + aclf.write(' daudit@COMPANY.COM eaduit@COMPANY.COM eaudit@COMPANY.COM\n') + aclf.write('group tatunghosts tatung01@COMPANY.COM \\\n') + aclf.write(' tatung02/x86.build.company.com@COMPANY.COM \\\n') + aclf.write(' tatung03/x86.build.company.com@COMPANY.COM \\\n') + aclf.write(' tatung04/x86.build.company.com@COMPANY.COM \n') + aclf.write('group publishusers publish@COMPANY.COM x-pubs@COMPANY.COM\n') + aclf.write('acl allow-log admins all all\n') + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + aclf.write('acl allow-log auditors all exchange name=company.topic routingkey=private.audit.*\n') + aclf.write('acl allow-log tatunghosts publish exchange name=company.topic routingkey=tatung.*\n') + aclf.write('acl allow-log tatunghosts publish exchange name=company.direct routingkey=tatung-service-queue\n') + aclf.write('acl allow-log publishusers create queue\n') + aclf.write('acl allow-log publishusers publish exchange name=qpid.management routingkey=broker\n') + aclf.write('acl allow-log publishusers publish exchange name=qmf.default.topic routingkey=*\n') + aclf.write('acl allow-log publishusers publish exchange name=qmf.default.direct routingkey=*\n') + aclf.write('acl allow-log all bind exchange name=company.topic routingkey=tatung.*\n') + aclf.write('acl allow-log all bind exchange name=company.direct routingkey=tatung-service-queue\n') + aclf.write('acl allow-log all consume queue\n') + aclf.write('acl allow-log all access exchange\n') + aclf.write('acl allow-log all access queue\n') + aclf.write('acl allow-log all create queue name=tmp.* durable=false autodelete=true exclusive=true policytype=ring\n') + aclf.write('acl allow mrQ create queue queuemaxsizelowerlimit=100 queuemaxsizeupperlimit=200 queuemaxcountlowerlimit=300 queuemaxcountupperlimit=400\n') + aclf.write('acl deny-log all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # + # define some group lists + # + g_admins = ['moe@COMPANY.COM', \ + 'larry@COMPANY.COM', \ + 'curly@COMPANY.COM', \ + 'shemp@COMPANY.COM'] + + g_auditors = [ 'aaudit@COMPANY.COM','baudit@COMPANY.COM','caudit@COMPANY.COM', \ + 'daudit@COMPANY.COM','eaduit@COMPANY.COM','eaudit@COMPANY.COM'] + + g_tatunghosts = ['tatung01@COMPANY.COM', \ + 'tatung02/x86.build.company.com@COMPANY.COM', \ + 'tatung03/x86.build.company.com@COMPANY.COM', \ + 'tatung04/x86.build.company.com@COMPANY.COM'] + + g_publishusers = ['publish@COMPANY.COM', 'x-pubs@COMPANY.COM'] + + g_public = ['jpublic@COMPANY.COM', 'me@yahoo.com'] + + g_all = g_admins + g_auditors + g_tatunghosts + g_publishusers + g_public + + action_all = ['consume','publish','create','access','bind','unbind','delete','purge','update'] + + # + # Run some tests verifying against users who are in and who are out of given groups. + # + + for u in g_admins: + self.Lookup(u, "create", "queue", "anything", {"durable":"true"}, "allow-log") + uInTest = g_auditors + g_admins + uOutTest = self.AllBut(g_all, uInTest) + + for u in uInTest: + self.LookupPublish(u, "company.topic", "private.audit.This", "allow-log") + + for u in uInTest: + for a in ['bind', 'unbind', 'access', 'publish']: + self.Lookup(u, a, "exchange", "company.topic", {"routingkey":"private.audit.This"}, "allow-log") + + for u in uOutTest: + self.LookupPublish(u, "company.topic", "private.audit.This", "deny-log") + self.Lookup(u, "bind", "exchange", "company.topic", {"routingkey":"private.audit.This"}, "deny-log") + + uInTest = g_admins + g_tatunghosts + uOutTest = self.AllBut(g_all, uInTest) + + for u in uInTest: + self.LookupPublish(u, "company.topic", "tatung.this2", "allow-log") + self.LookupPublish(u, "company.direct", "tatung-service-queue", "allow-log") + + for u in uOutTest: + self.LookupPublish(u, "company.topic", "tatung.this2", "deny-log") + self.LookupPublish(u, "company.direct", "tatung-service-queue", "deny-log") + + for u in uOutTest: + for a in ["bind", "access"]: + self.Lookup(u, a, "exchange", "company.topic", {"routingkey":"tatung.this2"}, "allow-log") + self.Lookup(u, a, "exchange", "company.direct", {"routingkey":"tatung-service-queue"}, "allow-log") + + uInTest = g_admins + g_publishusers + uOutTest = self.AllBut(g_all, uInTest) + + for u in uInTest: + self.LookupPublish(u, "qpid.management", "broker", "allow-log") + self.LookupPublish(u, "qmf.default.topic", "this3", "allow-log") + self.LookupPublish(u, "qmf.default.direct", "this4", "allow-log") + + for u in uOutTest: + self.LookupPublish(u, "qpid.management", "broker", "deny-log") + self.LookupPublish(u, "qmf.default.topic", "this3", "deny-log") + self.LookupPublish(u, "qmf.default.direct", "this4", "deny-log") + + for u in uOutTest: + for a in ["bind"]: + self.Lookup(u, a, "exchange", "qpid.management", {"routingkey":"broker"}, "deny-log") + self.Lookup(u, a, "exchange", "qmf.default.topic", {"routingkey":"this3"}, "deny-log") + self.Lookup(u, a, "exchange", "qmf.default.direct", {"routingkey":"this4"}, "deny-log") + for a in ["access"]: + self.Lookup(u, a, "exchange", "qpid.management", {"routingkey":"broker"}, "allow-log") + self.Lookup(u, a, "exchange", "qmf.default.topic", {"routingkey":"this3"}, "allow-log") + self.Lookup(u, a, "exchange", "qmf.default.direct", {"routingkey":"this4"}, "allow-log") + + # Test against queue size limits + + self.Lookup('mrQ', 'create', 'queue', 'abc', {"maxqueuesize":"150", "maxqueuecount":"350"}, "allow") + self.Lookup('mrQ', 'create', 'queue', 'def', {"maxqueuesize":"99", "maxqueuecount":"350"}, "deny") + self.Lookup('mrQ', 'create', 'queue', 'uvw', {"maxqueuesize":"201", "maxqueuecount":"350"}, "deny") + self.Lookup('mrQ', 'create', 'queue', 'xyz', {"maxqueuesize":"150", "maxqueuecount":"299"}, "deny") + self.Lookup('mrQ', 'create', 'queue', '', {"maxqueuesize":"150", "maxqueuecount":"401"}, "deny") + self.Lookup('mrQ', 'create', 'queue', '', {"maxqueuesize":"0", "maxqueuecount":"401"}, "deny") + self.Lookup('mrQ', 'create', 'queue', '', {"maxqueuesize":"150", "maxqueuecount":"0" }, "deny") + + + #===================================== + # Routingkey lookup using Topic Exchange tests + #===================================== + + def test_topic_exchange_publish_tests(self): + """ + Test using QMF method hooks into ACL logic + """ + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + aclf.write('acl allow-log uPlain1@COMPANY publish exchange name=X routingkey=ab.cd.e\n') + aclf.write('acl allow-log uPlain2@COMPANY publish exchange name=X routingkey=.\n') + aclf.write('acl allow-log uStar1@COMPANY publish exchange name=X routingkey=a.*.b\n') + aclf.write('acl allow-log uStar2@COMPANY publish exchange name=X routingkey=*.x\n') + aclf.write('acl allow-log uStar3@COMPANY publish exchange name=X routingkey=x.x.*\n') + aclf.write('acl allow-log uHash1@COMPANY publish exchange name=X routingkey=a.#.b\n') + aclf.write('acl allow-log uHash2@COMPANY publish exchange name=X routingkey=a.#\n') + aclf.write('acl allow-log uHash3@COMPANY publish exchange name=X routingkey=#.a\n') + aclf.write('acl allow-log uHash4@COMPANY publish exchange name=X routingkey=a.#.b.#.c\n') + aclf.write('acl allow-log uMixed1@COMPANY publish exchange name=X routingkey=*.x.#.y\n') + aclf.write('acl allow-log uMixed2@COMPANY publish exchange name=X routingkey=a.#.b.*\n') + aclf.write('acl allow-log uMixed3@COMPANY publish exchange name=X routingkey=*.*.*.#\n') + + aclf.write('acl allow-log all publish exchange name=X routingkey=MN.OP.Q\n') + aclf.write('acl allow-log all publish exchange name=X routingkey=M.*.N\n') + aclf.write('acl allow-log all publish exchange name=X routingkey=M.#.N\n') + aclf.write('acl allow-log all publish exchange name=X routingkey=*.M.#.N\n') + + aclf.write('acl deny-log all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # aclKey: "ab.cd.e" + self.LookupPublish("uPlain1@COMPANY", "X", "ab.cd.e", "allow-log") + self.LookupPublish("uPlain1@COMPANY", "X", "abx.cd.e", "deny-log") + self.LookupPublish("uPlain1@COMPANY", "X", "ab.cd", "deny-log") + self.LookupPublish("uPlain1@COMPANY", "X", "ab.cd..e.", "deny-log") + self.LookupPublish("uPlain1@COMPANY", "X", "ab.cd.e.", "deny-log") + self.LookupPublish("uPlain1@COMPANY", "X", ".ab.cd.e", "deny-log") + # aclKey: "." + self.LookupPublish("uPlain2@COMPANY", "X", ".", "allow-log") + + # aclKey: "a.*.b" + self.LookupPublish("uStar1@COMPANY", "X", "a.xx.b", "allow-log") + self.LookupPublish("uStar1@COMPANY", "X", "a.b", "deny-log") + # aclKey: "*.x" + self.LookupPublish("uStar2@COMPANY", "X", "y.x", "allow-log") + self.LookupPublish("uStar2@COMPANY", "X", ".x", "allow-log") + self.LookupPublish("uStar2@COMPANY", "X", "x", "deny-log") + # aclKey: "x.x.*" + self.LookupPublish("uStar3@COMPANY", "X", "x.x.y", "allow-log") + self.LookupPublish("uStar3@COMPANY", "X", "x.x.", "allow-log") + self.LookupPublish("uStar3@COMPANY", "X", "x.x", "deny-log") + self.LookupPublish("uStar3@COMPANY", "X", "q.x.y", "deny-log") + + # aclKey: "a.#.b" + self.LookupPublish("uHash1@COMPANY", "X", "a.b", "allow-log") + self.LookupPublish("uHash1@COMPANY", "X", "a.x.b", "allow-log") + self.LookupPublish("uHash1@COMPANY", "X", "a..x.y.zz.b", "allow-log") + self.LookupPublish("uHash1@COMPANY", "X", "a.b.", "deny-log") + self.LookupPublish("uHash1@COMPANY", "X", "q.x.b", "deny-log") + + # aclKey: "a.#" + self.LookupPublish("uHash2@COMPANY", "X", "a", "allow-log") + self.LookupPublish("uHash2@COMPANY", "X", "a.b", "allow-log") + self.LookupPublish("uHash2@COMPANY", "X", "a.b.c", "allow-log") + + # aclKey: "#.a" + self.LookupPublish("uHash3@COMPANY", "X", "a", "allow-log") + self.LookupPublish("uHash3@COMPANY", "X", "x.y.a", "allow-log") + + # aclKey: "a.#.b.#.c" + self.LookupPublish("uHash4@COMPANY", "X", "a.b.c", "allow-log") + self.LookupPublish("uHash4@COMPANY", "X", "a.x.b.y.c", "allow-log") + self.LookupPublish("uHash4@COMPANY", "X", "a.x.x.b.y.y.c", "allow-log") + + # aclKey: "*.x.#.y" + self.LookupPublish("uMixed1@COMPANY", "X", "a.x.y", "allow-log") + self.LookupPublish("uMixed1@COMPANY", "X", "a.x.p.qq.y", "allow-log") + self.LookupPublish("uMixed1@COMPANY", "X", "a.a.x.y", "deny-log") + self.LookupPublish("uMixed1@COMPANY", "X", "aa.x.b.c", "deny-log") + + # aclKey: "a.#.b.*" + self.LookupPublish("uMixed2@COMPANY", "X", "a.b.x", "allow-log") + self.LookupPublish("uMixed2@COMPANY", "X", "a.x.x.x.b.x", "allow-log") + + # aclKey: "*.*.*.#" + self.LookupPublish("uMixed3@COMPANY", "X", "x.y.z", "allow-log") + self.LookupPublish("uMixed3@COMPANY", "X", "x.y.z.a.b.c", "allow-log") + self.LookupPublish("uMixed3@COMPANY", "X", "x.y", "deny-log") + self.LookupPublish("uMixed3@COMPANY", "X", "x", "deny-log") + + # Repeat the keys with wildcard user spec + self.LookupPublish("uPlain1@COMPANY", "X", "MN.OP.Q", "allow-log") + self.LookupPublish("uStar1@COMPANY" , "X", "M.xx.N", "allow-log") + self.LookupPublish("uHash1@COMPANY" , "X", "M.N", "allow-log") + self.LookupPublish("uHash1@COMPANY" , "X", "M.x.N", "allow-log") + self.LookupPublish("uHash1@COMPANY" , "X", "M..x.y.zz.N", "allow-log") + self.LookupPublish("uMixed1@COMPANY", "X", "a.M.N", "allow-log") + self.LookupPublish("uMixed1@COMPANY", "X", "a.M.p.qq.N", "allow-log") + + self.LookupPublish("dev@QPID", "X", "MN.OP.Q", "allow-log") + self.LookupPublish("dev@QPID", "X", "M.xx.N", "allow-log") + self.LookupPublish("dev@QPID", "X", "M.N", "allow-log") + self.LookupPublish("dev@QPID", "X", "M.x.N", "allow-log") + self.LookupPublish("dev@QPID", "X", "M..x.y.zz.N", "allow-log") + self.LookupPublish("dev@QPID", "X", "a.M.N", "allow-log") + self.LookupPublish("dev@QPID", "X", "a.M.p.qq.N", "allow-log") + + def test_topic_exchange_other_tests(self): + """ + Test using QMF method hooks into ACL logic + """ + action_list = ['access','bind','unbind'] + + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + for action in action_list: + aclf.write('acl allow-log uPlain1@COMPANY ' + action + ' exchange name=X routingkey=ab.cd.e\n') + aclf.write('acl allow-log uPlain2@COMPANY ' + action + ' exchange name=X routingkey=.\n') + aclf.write('acl allow-log uStar1@COMPANY ' + action + ' exchange name=X routingkey=a.*.b\n') + aclf.write('acl allow-log uStar2@COMPANY ' + action + ' exchange name=X routingkey=*.x\n') + aclf.write('acl allow-log uStar3@COMPANY ' + action + ' exchange name=X routingkey=x.x.*\n') + aclf.write('acl allow-log uHash1@COMPANY ' + action + ' exchange name=X routingkey=a.#.b\n') + aclf.write('acl allow-log uHash2@COMPANY ' + action + ' exchange name=X routingkey=a.#\n') + aclf.write('acl allow-log uHash3@COMPANY ' + action + ' exchange name=X routingkey=#.a\n') + aclf.write('acl allow-log uHash4@COMPANY ' + action + ' exchange name=X routingkey=a.#.b.#.c\n') + aclf.write('acl allow-log uMixed1@COMPANY ' + action + ' exchange name=X routingkey=*.x.#.y\n') + aclf.write('acl allow-log uMixed2@COMPANY ' + action + ' exchange name=X routingkey=a.#.b.*\n') + aclf.write('acl allow-log uMixed3@COMPANY ' + action + ' exchange name=X routingkey=*.*.*.#\n') + + aclf.write('acl allow-log all ' + action + ' exchange name=X routingkey=MN.OP.Q\n') + aclf.write('acl allow-log all ' + action + ' exchange name=X routingkey=M.*.N\n') + aclf.write('acl allow-log all ' + action + ' exchange name=X routingkey=M.#.N\n') + aclf.write('acl allow-log all ' + action + ' exchange name=X routingkey=*.M.#.N\n') + + aclf.write('acl deny-log all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + for action in action_list: + # aclKey: "ab.cd.e" + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd.e"}, "allow-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd.e"}, "allow-log") + + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd.e"}, "allow-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"abx.cd.e"}, "deny-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd"}, "deny-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd..e."}, "deny-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"ab.cd.e."}, "deny-log") + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":".ab.cd.e"}, "deny-log") + # aclKey: "." + self.Lookup("uPlain2@COMPANY", action, "exchange", "X", {"routingkey":"."}, "allow-log") + + # aclKey: "a.*.b" + self.Lookup("uStar1@COMPANY", action, "exchange", "X", {"routingkey":"a.xx.b"}, "allow-log") + self.Lookup("uStar1@COMPANY", action, "exchange", "X", {"routingkey":"a.b"}, "deny-log") + # aclKey: "*.x" + self.Lookup("uStar2@COMPANY", action, "exchange", "X", {"routingkey":"y.x"}, "allow-log") + self.Lookup("uStar2@COMPANY", action, "exchange", "X", {"routingkey":".x"}, "allow-log") + self.Lookup("uStar2@COMPANY", action, "exchange", "X", {"routingkey":"x"}, "deny-log") + # aclKey: "x.x.*" + self.Lookup("uStar3@COMPANY", action, "exchange", "X", {"routingkey":"x.x.y"}, "allow-log") + self.Lookup("uStar3@COMPANY", action, "exchange", "X", {"routingkey":"x.x."}, "allow-log") + self.Lookup("uStar3@COMPANY", action, "exchange", "X", {"routingkey":"x.x"}, "deny-log") + self.Lookup("uStar3@COMPANY", action, "exchange", "X", {"routingkey":"q.x.y"}, "deny-log") + + # aclKey: "a.#.b" + self.Lookup("uHash1@COMPANY", action, "exchange", "X", {"routingkey":"a.b"}, "allow-log") + self.Lookup("uHash1@COMPANY", action, "exchange", "X", {"routingkey":"a.x.b"}, "allow-log") + self.Lookup("uHash1@COMPANY", action, "exchange", "X", {"routingkey":"a..x.y.zz.b"}, "allow-log") + self.Lookup("uHash1@COMPANY", action, "exchange", "X", {"routingkey":"a.b."}, "deny-log") + self.Lookup("uHash1@COMPANY", action, "exchange", "X", {"routingkey":"q.x.b"}, "deny-log") + + # aclKey: "a.#" + self.Lookup("uHash2@COMPANY", action, "exchange", "X", {"routingkey":"a"}, "allow-log") + self.Lookup("uHash2@COMPANY", action, "exchange", "X", {"routingkey":"a.b"}, "allow-log") + self.Lookup("uHash2@COMPANY", action, "exchange", "X", {"routingkey":"a.b.c"}, "allow-log") + + # aclKey: "#.a" + self.Lookup("uHash3@COMPANY", action, "exchange", "X", {"routingkey":"a"}, "allow-log") + self.Lookup("uHash3@COMPANY", action, "exchange", "X", {"routingkey":"x.y.a"}, "allow-log") + + # aclKey: "a.#.b.#.c" + self.Lookup("uHash4@COMPANY", action, "exchange", "X", {"routingkey":"a.b.c"}, "allow-log") + self.Lookup("uHash4@COMPANY", action, "exchange", "X", {"routingkey":"a.x.b.y.c"}, "allow-log") + self.Lookup("uHash4@COMPANY", action, "exchange", "X", {"routingkey":"a.x.x.b.y.y.c"}, "allow-log") + + # aclKey: "*.x.#.y" + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"a.x.y"}, "allow-log") + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"a.x.p.qq.y"}, "allow-log") + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"a.a.x.y"}, "deny-log") + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"aa.x.b.c"}, "deny-log") + + # aclKey: "a.#.b.*" + self.Lookup("uMixed2@COMPANY", action, "exchange", "X", {"routingkey":"a.b.x"}, "allow-log") + self.Lookup("uMixed2@COMPANY", action, "exchange", "X", {"routingkey":"a.x.x.x.b.x"}, "allow-log") + + # aclKey: "*.*.*.#" + self.Lookup("uMixed3@COMPANY", action, "exchange", "X", {"routingkey":"x.y.z"}, "allow-log") + self.Lookup("uMixed3@COMPANY", action, "exchange", "X", {"routingkey":"x.y.z.a.b.c"}, "allow-log") + self.Lookup("uMixed3@COMPANY", action, "exchange", "X", {"routingkey":"x.y"}, "deny-log") + self.Lookup("uMixed3@COMPANY", action, "exchange", "X", {"routingkey":"x"}, "deny-log") + + # Repeat the keys with wildcard user spec + self.Lookup("uPlain1@COMPANY", action, "exchange", "X", {"routingkey":"MN.OP.Q"}, "allow-log") + self.Lookup("uStar1@COMPANY" , action, "exchange", "X", {"routingkey":"M.xx.N"}, "allow-log") + self.Lookup("uHash1@COMPANY" , action, "exchange", "X", {"routingkey":"M.N"}, "allow-log") + self.Lookup("uHash1@COMPANY" , action, "exchange", "X", {"routingkey":"M.x.N"}, "allow-log") + self.Lookup("uHash1@COMPANY" , action, "exchange", "X", {"routingkey":"M..x.y.zz.N"}, "allow-log") + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"a.M.N"}, "allow-log") + self.Lookup("uMixed1@COMPANY", action, "exchange", "X", {"routingkey":"a.M.p.qq.N"}, "allow-log") + + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "MN.OP.Q"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "M.xx.N"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "M.N"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "M.x.N"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "M..x.y.zz.N"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "a.M.N"}, "allow-log") + self.Lookup("dev@QPID", action, "exchange", "X", {"routingkey": "a.M.p.qq.N"}, "allow-log") + + #===================================== + # Connection limits + #===================================== + + def test_connection_limits_cli_sets_all(self): + + try: + sessiona1 = self.get_session_by_port('alice','alice', self.port_u()) + sessiona2 = self.get_session_by_port('alice','alice', self.port_u()) + except Exception, e: + self.fail("Could not create two connections for user alice: " + str(e)) + + # Third session should fail + try: + sessiona3 = self.get_session_by_port('alice','alice', self.port_u()) + self.fail("Should not be able to create third connection for user alice") + except Exception, e: + result = None + + + + def test_connection_limits_by_named_user(self): + """ + Test ACL control connection limits + """ + aclf = self.get_acl_file() + aclf.write('quota connections 2 aliceCL@QPID bobCL@QPID\n') + aclf.write('quota connections 0 evildude@QPID\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # By username should be able to connect twice per user + try: + conna1 = self.get_connection('aliceCL','aliceCL') + conna2 = self.get_connection('aliceCL','aliceCL') + except Exception, e: + self.fail("Could not create two connections for user aliceCL: " + str(e)) + + # Third session should fail + try: + conna3 = self.get_connection('aliceCL','aliceCL') + self.fail("Should not be able to create third connection for user aliceCL") + except Exception, e: + result = None + + # Disconnecting should allow another session. + conna1.close() + try: + conna3 = self.get_connection('aliceCL','aliceCL') + except Exception, e: + self.fail("Could not recreate second connection for user aliceCL: " + str(e)) + + # By username should be able to connect twice per user + try: + connb1 = self.get_connection('bobCL','bobCL') + connb2 = self.get_connection('bobCL','bobCL') + except Exception, e: + self.fail("Could not create two connections for user bobCL: " + str(e)) + + # Third session should fail + try: + connb3 = self.get_connection('bobCL','bobCL') + self.fail("Should not be able to create third connection for user bobCL") + except Exception, e: + result = None + + + # User with quota of 0 is denied + try: + conne1 = self.get_connection('evildude','evildude') + self.fail("Should not be able to create a connection for user evildude") + except Exception, e: + result = None + + + # User not named in quotas is denied + try: + connc1 = self.get_connection('charlie','charlie') + self.fail("Should not be able to create a connection for user charlie") + except Exception, e: + result = None + + # Clean up the connections + conna2.close() + conna3.close() + connb1.close() + connb2.close() + + + + def test_connection_limits_by_unnamed_all(self): + """ + Test ACL control connection limits + """ + aclf = self.get_acl_file() + aclf.write('quota connections 2 aliceUA@QPID bobUA@QPID\n') + aclf.write('quota connections 1 all\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # By username should be able to connect twice per user + try: + connectiona1 = self.get_connection('aliceUA','alice') + connectiona2 = self.get_connection('aliceUA','alice') + except Exception, e: + self.fail("Could not create two connections for user alice: " + str(e)) + + # Third connection should fail + try: + connectiona3 = self.get_connection('aliceUA','alice') + self.fail("Should not be able to create third connection for user alice") + except Exception, e: + result = None + + # By username should be able to connect twice per user + try: + connectionb1 = self.get_connection('bobUA','bob') + connectionb2 = self.get_connection('bobUA','bob') + except Exception, e: + self.fail("Could not create two connections for user bob: " + str(e)) + + # Third connection should fail + try: + connectionb3 = self.get_connection('bobUA','bob') + self.fail("Should not be able to create third connection for user bob") + except Exception, e: + result = None + + # User not named in quotas gets 'all' quota + try: + connectionc1 = self.get_connection('charlieUA','charlie') + except Exception, e: + self.fail("Could not create one connection for user charlie: " + str(e)) + + # Next connection should fail + try: + connectionc2 = self.get_connection('charlieUA','charlie') + self.fail("Should not be able to create second connection for user charlie") + except Exception, e: + result = None + + # Clean up the connections + connectiona1.close() + connectiona2.close() + connectionb1.close() + connectionb2.close() + connectionc1.close() + + + def test_connection_limits_by_group(self): + """ + Test ACL control connection limits + """ + aclf = self.get_acl_file() + aclf.write('group stooges moeGR@QPID larryGR@QPID curlyGR@QPID\n') + aclf.write('quota connections 2 aliceGR@QPID bobGR@QPID\n') + aclf.write('quota connections 2 stooges charlieGR@QPID\n') + aclf.write('# user and groups may be overwritten. Should use last value\n') + aclf.write('quota connections 3 bobGR@QPID stooges\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # Alice gets 2 + try: + connectiona1 = self.get_connection('aliceGR','alice') + connectiona2 = self.get_connection('aliceGR','alice') + except Exception, e: + self.fail("Could not create two connections for user alice: " + str(e)) + + # Third connection should fail + try: + connectiona3 = self.get_connection('aliceGR','alice') + self.fail("Should not be able to create third connection for user alice") + except Exception, e: + result = None + + # Bob gets 3 + try: + connectionb1 = self.get_connection('bobGR','bob') + connectionb2 = self.get_connection('bobGR','bob') + connectionb3 = self.get_connection('bobGR','bob') + except Exception, e: + self.fail("Could not create three connections for user bob: " + str(e)) + + # Fourth connection should fail + try: + connectionb4 = self.get_connection('bobGR','bob') + self.fail("Should not be able to create fourth connection for user bob") + except Exception, e: + result = None + + # Moe gets 3 + try: + connectionm1 = self.get_connection('moeGR','moe') + connectionm2 = self.get_connection('moeGR','moe') + connectionm3 = self.get_connection('moeGR','moe') + except Exception, e: + self.fail("Could not create three connections for user moe: " + str(e)) + + # Fourth connection should fail + try: + connectionb4 = self.get_connection('moeGR','moe') + self.fail("Should not be able to create fourth connection for user ,pe") + except Exception, e: + result = None + + # User not named in quotas is denied + try: + connections1 = self.get_connection('shempGR','shemp') + self.fail("Should not be able to create a connection for user shemp") + except Exception, e: + result = None + + # Clean up the connections + connectiona1.close() + connectiona2.close() + connectionb1.close() + connectionb2.close() + connectionb3.close() + connectionm1.close() + connectionm2.close() + connectionm3.close() + + + def test_connection_limits_by_ip_address(self): + """ + Test ACL control connection limits by ip address + """ + # By IP address should be able to connect twice per client address + try: + sessionb1 = self.get_session_by_port('alice','alice', self.port_i()) + sessionb2 = self.get_session_by_port('bob','bob', self.port_i()) + except Exception, e: + self.fail("Could not create two connections for client address: " + str(e)) + + # Third session should fail + try: + sessionb3 = self.get_session_by_port('charlie','charlie', self.port_i()) + self.fail("Should not be able to create third connection for client address") + except Exception, e: + result = None + + sessionb1.close() + sessionb2.close() + + #===================================== + # User name substitution + #===================================== + + def test_user_name_substitution(self): + """ + Test name substitution internals, limits, and edge cases. + """ + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + aclf.write('acl allow all create queue name=tmp-${userdomain}\n') + aclf.write('acl allow all create queue name=${userdomain}-tmp\n') + aclf.write('acl allow all create queue name=tmp-${userdomain}-tmp\n') + aclf.write('acl allow all create queue name=tmp-${userdomain}-tmp-${userdomain}\n') + aclf.write('acl allow all create queue name=temp0-${userdomain}\n') + aclf.write('acl allow all access queue name=temp0-${userdomain}\n') + aclf.write('acl allow all purge queue name=temp0-${userdomain}\n') + aclf.write('acl allow all consume queue name=temp0-${userdomain}\n') + aclf.write('acl allow all delete queue name=temp0-${userdomain}\n') + aclf.write('acl allow all create exchange name=temp0-${userdomain}\n') + aclf.write('acl allow all access exchange name=temp0-${userdomain}\n') + aclf.write('acl allow all bind exchange name=temp0-${userdomain}\n') + aclf.write('acl allow all unbind exchange name=temp0-${userdomain}\n') + aclf.write('acl allow all delete exchange name=temp0-${userdomain}\n') + aclf.write('acl allow all publish exchange name=temp0-${userdomain}\n') + + aclf.write('acl allow all publish exchange name=X routingkey=${userdomain}.cd.e\n') + aclf.write('acl allow all publish exchange name=X routingkey=a.*.${userdomain}\n') + aclf.write('acl allow all publish exchange name=X routingkey=b.#.${userdomain}\n') + aclf.write('acl allow all publish exchange name=X routingkey=*.${userdomain}.#.y\n') + + aclf.write('acl allow all create queue name=user-${user}\n') + aclf.write('acl allow all publish exchange name=U routingkey=${user}.cd.e\n') + aclf.write('acl allow all publish exchange name=U routingkey=a.*.${user}\n') + aclf.write('acl allow all publish exchange name=U routingkey=b.#.${user}\n') + aclf.write('acl allow all publish exchange name=U routingkey=*.${user}.#.y\n') + + aclf.write('acl allow all create queue name=domain-${domain}\n') + aclf.write('acl allow all publish exchange name=D routingkey=${domain}.cd.e\n') + aclf.write('acl allow all publish exchange name=D routingkey=a.*.${domain}\n') + aclf.write('acl allow all publish exchange name=D routingkey=b.#.${domain}\n') + aclf.write('acl allow all publish exchange name=D routingkey=*.${domain}.#.y\n') + + # Resolving ${user}_${domain} into ${userdomain} works for everything but routing keys + aclf.write('acl allow all create queue name=mixed-OK-${user}_${domain}\n') + # For routing keys ${user}_${domain} will be parsed into ${userdomain}. + # Routing keys not be found when the rule specifies ${user}_${domain}. + aclf.write('acl allow all publish exchange name=NOGO routingkey=${user}_${domain}.cd.e\n') + # This works since it is does not conflict with ${userdomain} + aclf.write('acl allow all publish exchange name=OK routingkey=${user}___${domain}.cd.e\n') + + aclf.write('acl deny-log all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + self.Lookup("alice@QPID", "create", "queue", "tmp-alice_QPID", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-tmp", {}, "allow") + self.Lookup("charlie@QPID", "create", "queue", "tmp-charlie_QPID-tmp", {}, "allow") + self.Lookup("dave@QPID", "create", "queue", "tmp-dave_QPID-tmp-dave_QPID", {}, "allow") + self.Lookup("ed@BIG.COM", "create", "queue", "tmp-ed_BIG_COM", {}, "allow") + self.Lookup("c.e.r@BIG.GER.COM", "create", "queue", "tmp-c_e_r_BIG_GER_COM", {}, "allow") + self.Lookup("c@", "create", "queue", "tmp-c_", {}, "allow") + self.Lookup("someuser", "create", "queue", "tmp-someuser", {}, "allow") + + self.Lookup("alice@QPID", "create", "queue", "tmp-${user}", {}, "deny-log") + + self.Lookup("bob@QPID", "create", "exchange", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "access", "exchange", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "bind", "exchange", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "unbind", "exchange", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "delete", "exchange", "temp0-bob_QPID", {}, "allow") + self.LookupPublish("bob@QPID", "temp0-bob_QPID", "x", "allow") + + self.Lookup("bob@QPID", "create", "queue", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "access", "queue", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "purge", "queue", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "consume", "queue", "temp0-bob_QPID", {}, "allow") + self.Lookup("bob@QPID", "delete", "queue", "temp0-bob_QPID", {}, "allow") + + self.Lookup("alice@QPID", "access", "queue", "temp0-bob_QPID", {}, "deny-log") + + # aclKey: "${userdomain}.cd.e" + self.LookupPublish("uPlain1@COMPANY", "X", "uPlain1_COMPANY.cd.e", "allow") + # aclKey: "a.*.${userdomain}" + self.LookupPublish("uStar1@COMPANY", "X", "a.xx.uStar1_COMPANY", "allow") + self.LookupPublish("uStar1@COMPANY", "X", "a.b", "deny-log") + # aclKey: "b.#.${userdomain}" + self.LookupPublish("uHash1@COMPANY", "X", "b.uHash1_COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "X", "b.x.uHash1_COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "X", "b..x.y.zz.uHash1_COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "X", "b.uHash1_COMPANY.", "deny-log") + self.LookupPublish("uHash1@COMPANY", "X", "q.x.uHash1_COMPANY", "deny-log") + # aclKey: "*.${userdomain}.#.y" + self.LookupPublish("uMixed1@COMPANY", "X", "a.uMixed1_COMPANY.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "X", "a.uMixed1_COMPANY.p.qq.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "X", "a.a.uMixed1_COMPANY.y", "deny-log") + self.LookupPublish("uMixed1@COMPANY", "X", "aa.uMixed1_COMPANY.b.c", "deny-log") + self.LookupPublish("uMixed1@COMPANY.COM", "X", "a.uMixed1_COMPANY_COM.y", "allow") + + + self.Lookup("bob@QPID", "create", "queue", "user-bob", {}, "allow") + # aclKey: "${user}.cd.e" + self.LookupPublish("uPlain1@COMPANY", "U", "uPlain1.cd.e", "allow") + # aclKey: "a.*.${user}" + self.LookupPublish("uStar1@COMPANY", "U", "a.xx.uStar1", "allow") + self.LookupPublish("uStar1@COMPANY", "U", "a.b", "deny-log") + # aclKey: "b.#.${user}" + self.LookupPublish("uHash1@COMPANY", "U", "b.uHash1", "allow") + self.LookupPublish("uHash1@COMPANY", "U", "b.x.uHash1", "allow") + self.LookupPublish("uHash1@COMPANY", "U", "b..x.y.zz.uHash1", "allow") + self.LookupPublish("uHash1@COMPANY", "U", "b.uHash1.", "deny-log") + self.LookupPublish("uHash1@COMPANY", "U", "q.x.uHash1", "deny-log") + # aclKey: "*.${user}.#.y" + self.LookupPublish("uMixed1@COMPANY", "U", "a.uMixed1.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "U", "a.uMixed1.p.qq.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "U", "a.a.uMixed1.y", "deny-log") + self.LookupPublish("uMixed1@COMPANY", "U", "aa.uMixed1.b.c", "deny-log") + self.LookupPublish("uMixed1@COMPANY.COM", "U", "a.uMixed1.y", "allow") + + + self.Lookup("bob@QPID", "create", "queue", "domain-QPID", {}, "allow") + # aclKey: "${domain}.cd.e" + self.LookupPublish("uPlain1@COMPANY", "D", "COMPANY.cd.e", "allow") + # aclKey: "a.*.${domain}" + self.LookupPublish("uStar1@COMPANY", "D", "a.xx.COMPANY", "allow") + self.LookupPublish("uStar1@COMPANY", "D", "a.b", "deny-log") + # aclKey: "b.#.${domain}" + self.LookupPublish("uHash1@COMPANY", "D", "b.COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "D", "b.x.COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "D", "b..x.y.zz.COMPANY", "allow") + self.LookupPublish("uHash1@COMPANY", "D", "b.COMPANY.", "deny-log") + self.LookupPublish("uHash1@COMPANY", "D", "q.x.COMPANY", "deny-log") + # aclKey: "*.${domain}.#.y" + self.LookupPublish("uMixed1@COMPANY", "D", "a.COMPANY.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "D", "a.COMPANY.p.qq.y", "allow") + self.LookupPublish("uMixed1@COMPANY", "D", "a.a.COMPANY.y", "deny-log") + self.LookupPublish("uMixed1@COMPANY", "D", "aa.COMPANY.b.c", "deny-log") + self.LookupPublish("uMixed1@COMPANY.COM", "D", "a.COMPANY_COM.y", "allow") + + self.Lookup("uPlain1@COMPANY", "create", "queue", "mixed-OK-uPlain1_COMPANY", {}, "allow") + self.LookupPublish("uPlain1@COMPANY", "NOGO", "uPlain1_COMPANY.cd.e", "deny-log") + self.LookupPublish("uPlain1@COMPANY", "OK", "uPlain1___COMPANY.cd.e", "allow") + + + #===================================== + # User name substitution details + #===================================== + # User name substitution allows for three flavors of keyword in the Acl file. + # Given a user name of bob.user@QPID.COM the keywords are normalized and resolve as follows: + # ${userdomain} - bob_user_QPID_COM + # ${user} - bob_user + # ${domain} - QPID_COM + # + # The following substitution tests are very similar but differ in the flavor of keyword used + # in the rules. The tests results using the different keywords differ slightly in how permissive + # the rules become. + # ${userdomain} limits access to one authenticated user + # ${user} limits access to a user name regardless of user's domain + # ${domain} limits access to a domain regardless of user name + # + + def test_user_name_substitution_userdomain(self): + """ + Test a setup where users can create, bind, and publish to a main exchange and queue. + Allow access to a single alternate exchange and queue. + """ + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + # Create primary queue and exchange: + # allow predefined alternate + # deny any other alternate + # allow no alternate + aclf.write('acl allow all create queue name=${userdomain}-work alternate=${userdomain}-work2\n') + aclf.write('acl deny all create queue name=${userdomain}-work alternate=*\n') + aclf.write('acl allow all create queue name=${userdomain}-work\n') + aclf.write('acl allow all create exchange name=${userdomain}-work alternate=${userdomain}-work2\n') + aclf.write('acl deny all create exchange name=${userdomain}-work alternate=*\n') + aclf.write('acl allow all create exchange name=${userdomain}-work\n') + # Create backup queue and exchange + # Deny any alternate + aclf.write('acl deny all create queue name=${userdomain}-work2 alternate=*\n') + aclf.write('acl allow all create queue name=${userdomain}-work2\n') + aclf.write('acl deny all create exchange name=${userdomain}-work2 alternate=*\n') + aclf.write('acl allow all create exchange name=${userdomain}-work2\n') + # Bind/unbind primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work\n') + aclf.write('acl allow all unbind exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work\n') + # Bind/unbind backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2\n') + aclf.write('acl allow all unbind exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2\n') + # Access primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work\n') + # Access backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2\n') + # Publish primary exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${userdomain}-work routingkey=${userdomain}\n') + # Publish backup exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${userdomain}-work2 routingkey=${userdomain}\n') + # deny mode + aclf.write('acl deny all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # create queues + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work2", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "joe_QPID-work", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "joe_QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work3", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work", {"alternate":"bob_QPID-work2"}, "allow") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work", {"alternate":"joe_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob_QPID-work2", {"alternate":"someexchange"}, "deny") + # create exchanges + self.Lookup("bob@QPID", "create", "exchange", "bob_QPID-work", {}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "bob_QPID-work2",{}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "joe_QPID-work", {}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "joe_QPID-work2",{}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "bob_QPID-work3",{}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "bob_QPID-work", {"alternate":"bob_QPID-work2"}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "bob_QPID-work2",{"alternate":"someexchange"}, "deny") + # bind/unbind/access + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", { "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "allow") + self.Lookup("bob@QPID", "bind", "exchange", "joe_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work"}, "deny") + + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", { "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "allow") + self.Lookup("bob@QPID", "bind", "exchange", "joe_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work2"}, "deny") + + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", { "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "allow") + self.Lookup("bob@QPID", "unbind", "exchange", "joe_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work"}, "deny") + + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", { "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "allow") + self.Lookup("bob@QPID", "unbind", "exchange", "joe_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work2"}, "deny") + + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", { "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "allow") + self.Lookup("bob@QPID", "access", "exchange", "joe_QPID-work", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work"}, "deny") + + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", { "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "allow") + self.Lookup("bob@QPID", "access", "exchange", "joe_QPID-work2", {"routingkey":"bob_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", {"routingkey":"joe_QPID", "queuename":"bob_QPID-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob_QPID-work2", {"routingkey":"bob_QPID", "queuename":"joe_QPID-work2"}, "deny") + # publish + self.LookupPublish("bob@QPID", "bob_QPID-work", "bob_QPID", "allow") + self.LookupPublish("bob@QPID", "bob_QPID-work2", "bob_QPID", "allow") + self.LookupPublish("bob@QPID", "joe_QPID-work", "bob_QPID", "deny") + self.LookupPublish("bob@QPID", "joe_QPID-work2", "bob_QPID", "deny") + self.LookupPublish("bob@QPID", "bob_QPID-work", "joe_QPID", "deny") + self.LookupPublish("bob@QPID", "bob_QPID-work2", "joe_QPID", "deny") + + + def test_user_name_substitution_user(self): + """ + Test a setup where users can create, bind, and publish to a main exchange and queue. + Allow access to a single backup exchange and queue. + """ + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + # Create primary queue and exchange + # allow predefined alternate + # deny any other alternate + # allow no alternate + aclf.write('acl allow all create queue name=${user}-work alternate=${user}-work2\n') + aclf.write('acl deny all create queue name=${user}-work alternate=*\n') + aclf.write('acl allow all create queue name=${user}-work\n') + aclf.write('acl allow all create exchange name=${user}-work alternate=${user}-work2\n') + aclf.write('acl deny all create exchange name=${user}-work alternate=*\n') + aclf.write('acl allow all create exchange name=${user}-work\n') + # Create backup queue and exchange + # Deny any alternate + aclf.write('acl deny all create queue name=${user}-work2 alternate=*\n') + aclf.write('acl allow all create queue name=${user}-work2\n') + aclf.write('acl deny all create exchange name=${user}-work2 alternate=*\n') + aclf.write('acl allow all create exchange name=${user}-work2\n') + # Bind/unbind primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${user}-work routingkey=${user} queuename=${user}-work\n') + aclf.write('acl allow all unbind exchange name=${user}-work routingkey=${user} queuename=${user}-work\n') + # Bind/unbind backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${user}-work2 routingkey=${user} queuename=${user}-work2\n') + aclf.write('acl allow all unbind exchange name=${user}-work2 routingkey=${user} queuename=${user}-work2\n') + # Access primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${user}-work routingkey=${user} queuename=${user}-work\n') + # Access backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${user}-work2 routingkey=${user} queuename=${user}-work2\n') + # Publish primary exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${user}-work routingkey=${user}\n') + # Publish backup exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${user}-work2 routingkey=${user}\n') + # deny mode + aclf.write('acl deny all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # create queues + self.Lookup("bob@QPID", "create", "queue", "bob-work", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "bob-work2", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "joe-work", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "joe-work2", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob-work3", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob-work", {"alternate":"bob-work2"}, "allow") + self.Lookup("bob@QPID", "create", "queue", "bob-work", {"alternate":"joe-work2"}, "deny") + self.Lookup("bob@QPID", "create", "queue", "bob-work2", {"alternate":"someexchange"},"deny") + # create exchanges + self.Lookup("bob@QPID", "create", "exchange", "bob-work", {}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "bob-work2",{}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "joe-work", {}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "joe-work2",{}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "bob-work3",{}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "bob-work", {"alternate":"bob-work2"}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "bob-work2",{"alternate":"someexchange"},"deny") + # bind/unbind/access + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", { "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", {"routingkey":"bob", "queuename":"bob-work"}, "allow") + self.Lookup("bob@QPID", "bind", "exchange", "joe-work", {"routingkey":"bob", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", {"routingkey":"joe", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work", {"routingkey":"bob", "queuename":"joe-work"}, "deny") + + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", { "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "allow") + self.Lookup("bob@QPID", "bind", "exchange", "joe-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", {"routingkey":"joe", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"joe-work2"}, "deny") + + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", { "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", {"routingkey":"bob", "queuename":"bob-work"}, "allow") + self.Lookup("bob@QPID", "unbind", "exchange", "joe-work", {"routingkey":"bob", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", {"routingkey":"joe", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work", {"routingkey":"bob", "queuename":"joe-work"}, "deny") + + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", { "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "allow") + self.Lookup("bob@QPID", "unbind", "exchange", "joe-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", {"routingkey":"joe", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"joe-work2"}, "deny") + + self.Lookup("bob@QPID", "access", "exchange", "bob-work", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work", { "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work", {"routingkey":"bob", "queuename":"bob-work"}, "allow") + self.Lookup("bob@QPID", "access", "exchange", "joe-work", {"routingkey":"bob", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work", {"routingkey":"joe", "queuename":"bob-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work", {"routingkey":"bob", "queuename":"joe-work"}, "deny") + + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", {"routingkey":"bob"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", { "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "allow") + self.Lookup("bob@QPID", "access", "exchange", "joe-work2", {"routingkey":"bob", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", {"routingkey":"joe", "queuename":"bob-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "bob-work2", {"routingkey":"bob", "queuename":"joe-work2"}, "deny") + # publish + self.LookupPublish("bob@QPID", "bob-work", "bob", "allow") + self.LookupPublish("bob@QPID", "bob-work2", "bob", "allow") + self.LookupPublish("bob@QPID", "joe-work", "bob", "deny") + self.LookupPublish("bob@QPID", "joe-work2", "bob", "deny") + self.LookupPublish("bob@QPID", "bob-work", "joe", "deny") + self.LookupPublish("bob@QPID", "bob-work2", "joe", "deny") + + + def test_user_name_substitution_domain(self): + """ + Test a setup where users can create, bind, and publish to a main exchange and queue. + Allow access to a single backup exchange and queue. + """ + aclf = self.get_acl_file() + aclf.write('# begin hack alert: allow anonymous to access the lookup debug functions\n') + aclf.write('acl allow-log anonymous create queue\n') + aclf.write('acl allow-log anonymous all exchange name=qmf.*\n') + aclf.write('acl allow-log anonymous all exchange name=amq.direct\n') + aclf.write('acl allow-log anonymous all exchange name=qpid.management\n') + aclf.write('acl allow-log anonymous access method name=*\n') + aclf.write('# end hack alert\n') + # Create primary queue and exchange + # allow predefined alternate + # deny any other alternate + # allow no alternate + aclf.write('acl allow all create queue name=${domain}-work alternate=${domain}-work2\n') + aclf.write('acl deny all create queue name=${domain}-work alternate=*\n') + aclf.write('acl allow all create queue name=${domain}-work\n') + aclf.write('acl allow all create exchange name=${domain}-work alternate=${domain}-work2\n') + aclf.write('acl deny all create exchange name=${domain}-work alternate=*\n') + aclf.write('acl allow all create exchange name=${domain}-work\n') + # Create backup queue and exchange + # Deny any alternate + aclf.write('acl deny all create queue name=${domain}-work2 alternate=*\n') + aclf.write('acl allow all create queue name=${domain}-work2\n') + aclf.write('acl deny all create exchange name=${domain}-work2 alternate=*\n') + aclf.write('acl allow all create exchange name=${domain}-work2\n') + # Bind/unbind primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${domain}-work routingkey=${domain} queuename=${domain}-work\n') + aclf.write('acl allow all unbind exchange name=${domain}-work routingkey=${domain} queuename=${domain}-work\n') + # Bind/unbind backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all bind exchange name=${domain}-work2 routingkey=${domain} queuename=${domain}-work2\n') + aclf.write('acl allow all unbind exchange name=${domain}-work2 routingkey=${domain} queuename=${domain}-work2\n') + # Access primary exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${domain}-work routingkey=${domain} queuename=${domain}-work\n') + # Access backup exchange + # Use only predefined routingkey and queuename + aclf.write('acl allow all access exchange name=${domain}-work2 routingkey=${domain} queuename=${domain}-work2\n') + # Publish primary exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${domain}-work routingkey=${domain}\n') + # Publish backup exchange + # Use only predefined routingkey + aclf.write('acl allow all publish exchange name=${domain}-work2 routingkey=${domain}\n') + # deny mode + aclf.write('acl deny all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # create queues + self.Lookup("bob@QPID", "create", "queue", "QPID-work", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "QPID-work2", {}, "allow") + self.Lookup("bob@QPID", "create", "queue", "QPID-work3", {}, "deny") + self.Lookup("bob@QPID", "create", "queue", "QPID-work", {"alternate":"QPID-work2"}, "allow") + self.Lookup("bob@QPID", "create", "queue", "QPID-work", {"alternate":"bob_QPID-work2"},"deny") + self.Lookup("bob@QPID", "create", "queue", "QPID-work", {"alternate":"joe_QPID-work2"},"deny") + self.Lookup("bob@QPID", "create", "queue", "QPID-work2", {"alternate":"someexchange"}, "deny") + # create exchanges + self.Lookup("bob@QPID", "create", "exchange", "QPID-work", {}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "QPID-work2",{}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "QPID-work3",{}, "deny") + self.Lookup("bob@QPID", "create", "exchange", "QPID-work", {"alternate":"QPID-work2"}, "allow") + self.Lookup("bob@QPID", "create", "exchange", "QPID-work2",{"alternate":"someexchange"}, "deny") + # bind/unbind/access + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work", { "queuename":"QPID-work"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work", {"routingkey":"QPID", "queuename":"QPID-work"}, "allow") + + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work2", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work2", { "queuename":"QPID-work2"}, "deny") + self.Lookup("bob@QPID", "bind", "exchange", "QPID-work2", {"routingkey":"QPID", "queuename":"QPID-work2"}, "allow") + + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work", { "queuename":"QPID-work"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work", {"routingkey":"QPID", "queuename":"QPID-work"}, "allow") + + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work2", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work2", { "queuename":"QPID-work2"}, "deny") + self.Lookup("bob@QPID", "unbind", "exchange", "QPID-work2", {"routingkey":"QPID", "queuename":"QPID-work2"}, "allow") + + self.Lookup("bob@QPID", "access", "exchange", "QPID-work", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work", { "queuename":"QPID-work"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work", {"routingkey":"QPID", "queuename":"QPID-work"}, "allow") + + self.Lookup("bob@QPID", "access", "exchange", "QPID-work2", {}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work2", {"routingkey":"QPID"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work2", { "queuename":"QPID-work2"}, "deny") + self.Lookup("bob@QPID", "access", "exchange", "QPID-work2", {"routingkey":"QPID", "queuename":"QPID-work2"}, "allow") + # publish + self.LookupPublish("bob@QPID", "QPID-work", "QPID", "allow") + self.LookupPublish("bob@QPID", "QPID-work2", "QPID", "allow") + self.LookupPublish("joe@QPID", "QPID-work", "QPID", "allow") + self.LookupPublish("joe@QPID", "QPID-work2", "QPID", "allow") + + #===================================== + # Queue per-user quota + #===================================== + + def queue_quota(self, user, passwd, count, byPort=None): + """ Helper method to: + - create a number of queues (should succeed) + - create too many queues (should fail) + - create another queue after deleting a queue (should succeed) + """ + + try: + if byPort: + session = self.get_session_by_port(user, passwd, byPort) + else: + session = self.get_session(user, passwd) + except Exception, e: + self.fail("Unexpected error creating session for %s: %s" % (user, str(e))) + + # Should be able to create count queues per user + try: + for i in range(count): + session.queue_declare(queue="%s%d" % (user, i)) + except Exception, e: + self.fail("Could not create %s for %s: %s" % ("%s%d" % (user, i), user, str(e))) + + # next queue should fail + try: + session.queue_declare(queue="%s%d" % (user, count)) + self.fail("Should not be able to create another queue for user %s" % user) + except Exception, e: + if byPort: + session = self.get_session_by_port(user, passwd, byPort) + else: + session = self.get_session(user, passwd) + + if count > 0: + # Deleting a queue should allow another queue. + session.queue_delete(queue="%s0" % user) + try: + session.queue_declare(queue="%s%d" % (user, count)) + except Exception, e: + self.fail("Could not recreate additional queue for user %s: %s " % (user, str(e))) + + # Clean up + for i in range(1, count+1): + session.queue_delete(queue="%s%d" % (user, i)) + try: + session.close() + except Exception, e: + pass + + def test_queue_per_named_user_quota(self): + """ + Test ACL queue counting limits per named user. + """ + aclf = self.get_acl_file() + aclf.write('quota queues 2 ted@QPID carrol@QPID\n') + aclf.write('quota queues 1 edward@QPID\n') + aclf.write('quota queues 0 mick@QPID\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # named users should be able to create specified number of queues + self.queue_quota("ted", 'ted', 2) + self.queue_quota("carrol", 'carrol', 2) + self.queue_quota("edward", 'edward', 1) + + # User with quota of 0 is denied + self.queue_quota("mick", 'mick', 0) + + # User not named in quotas is denied + self.queue_quota("dan", 'dan', 0) + + def test_queue_per_user_quota(self): + """ + Test ACL queue counting limits. + port_q has a limit of 2 + """ + # bob should be able to create two queues + self.queue_quota("bob", 'bob', 2, self.port_q()) + + # alice should be able to create two queues + self.queue_quota("alice", 'alice', 2, self.port_q()) + + + def test_queue_limits_by_unnamed_all(self): + """ + Test ACL control queue limits + """ + aclf = self.get_acl_file() + aclf.write('quota queues 2 aliceQUA@QPID bobQUA@QPID\n') + aclf.write('quota queues 1 all\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # By username should be able to connect twice per user + self.queue_quota('aliceQUA', 'alice', 2) + self.queue_quota('bobQUA', 'bob', 2) + + # User not named in quotas gets 'all' quota + self.queue_quota('charlieQUA', 'charlie', 1) + + + def test_queue_limits_by_group(self): + """ + Test ACL control queue limits + """ + aclf = self.get_acl_file() + aclf.write('group hobbits frodoGR@QPID samGR@QPID merryGR@QPID\n') + aclf.write('quota queues 2 gandalfGR@QPID aragornGR@QPID\n') + aclf.write('quota queues 2 hobbits rosieGR@QPID\n') + aclf.write('# user and groups may be overwritten. Should use last value\n') + aclf.write('quota queues 3 aragornGR@QPID hobbits\n') + aclf.write('acl allow all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + # gandalf gets 2 + self.queue_quota('gandalfGR', 'gandalf', 2) + + # aragorn gets 3 + self.queue_quota('aragornGR', 'aragorn', 3) + + # frodo gets 3 + self.queue_quota('frodoGR', 'frodo', 3) + + # User not named in quotas is denied + self.queue_quota('bilboGR', 'bilbo', 0) + + def test_queue_delete_with_properties(self): + """ + Test cases for queue delete with properties + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID access queue\n') + aclf.write('acl allow bob@QPID access exchange\n') + aclf.write('acl allow bob@QPID create queue name=qdaq1 durable=true\n') + aclf.write('acl allow bob@QPID create queue name=qdaq2 exclusive=true\n') + aclf.write('acl allow bob@QPID create queue name=qdaq3 policytype=ring\n') + aclf.write('acl allow bob@QPID create queue name=qdaq4 durable=false\n') + aclf.write('acl allow bob@QPID create queue name=qdaq5 exclusive=false\n') + aclf.write('acl allow bob@QPID create queue name=qdaq6 policytype=reject\n') + aclf.write('acl allow bob@QPID create queue name=qdaq7 autodelete=true\n') + aclf.write('acl allow bob@QPID create queue name=qdaq8 autodelete=false\n') + aclf.write('acl allow bob@QPID create queue name=qdaq9\n') + aclf.write('acl allow bob@QPID create exchange name=qdae9\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq1 durable=true\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq2 exclusive=true\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq3 policytype=ring\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq4 durable=false\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq5 exclusive=false\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq6 policytype=reject\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq7 autodelete=true\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq8 autodelete=false\n') + aclf.write('acl deny bob@QPID delete queue name=qdaq9 alternate=qdaq9a\n') + aclf.write('acl allow all access queue\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq1", durable=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq1 durable=true"); + + try: + session.queue_delete(queue="qdaq1") + self.fail("ACL should deny queue delete request for qdaq1"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq2", exclusive=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq2 exclusive=true"); + + try: + session.queue_delete(queue="qdaq2") + self.fail("ACL should deny queue delete request for qdaq2"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.policy_type"] = "ring" + session.queue_declare(queue="qdaq3", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request for qdaq3 with policytype=ring"); + + try: + session.queue_delete(queue="qdaq3") + self.fail("ACL should deny queue delete request for qdaq3"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq4", durable=False) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq4 durable=false"); + + try: + session.queue_delete(queue="qdaq4") + self.fail("ACL should deny queue delete request for qdaq4"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq5", exclusive=False) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq5 exclusive=false"); + + try: + session.queue_delete(queue="qdaq5") + self.fail("ACL should deny queue delete request for qdaq5"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + queue_options = {} + queue_options["qpid.policy_type"] = "reject" + session.queue_declare(queue="qdaq6", arguments=queue_options) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request for qdaq6 with policytype=reject"); + + try: + session.queue_delete(queue="qdaq6") + self.fail("ACL should deny queue delete request for qdaq6"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq7", auto_delete=True) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq7 autodelete=true"); + + try: + session.queue_delete(queue="qdaq7") + self.fail("ACL should deny queue delete request for qdaq7"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.queue_declare(queue="qdaq8", auto_delete=False) + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq8 autodelete=false"); + + try: + session.queue_delete(queue="qdaq8") + self.fail("ACL should deny queue delete request for qdaq8"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='qdae9', type='direct') + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=qdae9"); + + try: + session.queue_declare(queue="qdaq9", alternate_exchange="qdae9") + except qpid.session.SessionException, e: + if (403 == e.args[0].error_code): + self.fail("ACL should allow queue create request with name=qdaq9 alternate=qdaq9a"); + + try: + session.queue_delete(queue="qdaq9") + self.fail("ACL should deny queue delete request for qdaq9"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + + def test_exchange_delete_with_properties(self): + """ + Test cases for exchange delete with properties + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID access exchange\n') + aclf.write('acl allow bob@QPID create exchange\n') + aclf.write('acl deny bob@QPID delete exchange name=edae1 durable=true\n') + aclf.write('acl deny bob@QPID delete exchange name=edae2 alternate=edae2a\n') + aclf.write('acl deny bob@QPID delete exchange type=direct\n') + aclf.write('acl allow bob@QPID delete exchange type=headers\n') + aclf.write('acl allow anonymous all all\n') + aclf.write('acl deny all all') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='edae1', type='direct', durable=True) + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=edae1"); + + try: + session.exchange_delete(exchange="edae1") + self.fail("ACL should deny exchange delete request for edae1"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='edae2a', type='direct') + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=edae2a"); + + try: + session.exchange_declare(exchange='edae2', type='direct', alternate_exchange='edae2a') + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=edae2"); + + try: + session.exchange_delete(exchange="edae2") + self.fail("ACL should deny exchange delete request for edae2"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_declare(exchange='edae3d', type='direct') + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=edae3d"); + + try: + session.exchange_declare(exchange='edae3h', type='headers') + except qpid.session.SessionException, e: + self.fail("ACL should allow exchange create request with name=eda3h"); + + try: + session.exchange_delete(exchange="edae3d") + self.fail("ACL should deny exchange delete request for edae3d"); + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + session = self.get_session('bob','bob') + + try: + session.exchange_delete(exchange="edae3h") + except qpid.session.SessionException, e: + self.assertEqual(403,e.args[0].error_code) + self.fail("ACL should allow exchange delete request for edae3h"); + + #===================================== + # 'create connection' tests + #===================================== +# def test_connect_mode_file_rejects_two_defaults(self): +# """ +# Should reject a file with two connect mode statements +# """ +# aclf = self.get_acl_file() +# aclf.write('acl allow all create connection host=all\n') +# aclf.write('acl allow all create connection host=all\n') +# aclf.close() +# +# result = self.reload_acl() +# if (result): +# pass +# else: +# self.fail(result) + + def test_connect_mode_accepts_host_spec_formats(self): + """ + Should accept host specs of various forms + """ + aclf = self.get_acl_file() + aclf.write('acl allow bob@QPID create connection host=all\n') + aclf.write('acl allow bob@QPID create connection host=1.1.1.1\n') + aclf.write('acl allow bob@QPID create connection host=1.1.1.1,2.2.2.2\n') + aclf.write('acl allow bob@QPID create connection host=localhost\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + def test_connect_mode_allow_all_mode(self): + """ + Should allow one 'all', 'all' + """ + aclf = self.get_acl_file() + aclf.write('acl allow all create connection host=all\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + + def test_connect_mode_allow_all_localhost(self): + """ + Should allow 'all' 'localhost' + """ + aclf = self.get_acl_file() + aclf.write('acl allow all create connection host=localhost\n') + aclf.write('acl deny all create connection host=all\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + + def test_connect_mode_global_deny(self): + """ + Should allow 'all' 'localhost' + """ + aclf = self.get_acl_file() + aclf.write('acl allow all create connection host=localhost\n') + aclf.write('acl deny all create connection host=all\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "connection", "", {"host":"127.0.0.1"}, "allow") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"127.0.0.2"}, "deny") + + + def test_connect_mode_global_range(self): + """ + Should allow 'all' 'localhost' + """ + aclf = self.get_acl_file() + aclf.write('acl allow all create connection host=10.0.0.0,10.255.255.255\n') + aclf.write('acl allow all create connection host=localhost\n') + aclf.write('acl deny all create connection host=all\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "connection", "", {"host":"0.0.0.0"}, "deny") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"9.255.255.255"}, "deny") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.0.0"}, "allow") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.255.255.255"}, "allow") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"11.0.0.0"}, "deny") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"255.255.255.255"},"deny") + + + def test_connect_mode_nested_ranges(self): + """ + Tests nested ranges for single user + """ + aclf = self.get_acl_file() + aclf.write('acl deny-log bob@QPID create connection host=10.0.1.0,10.0.1.255\n') + aclf.write('acl allow-log bob@QPID create connection host=10.0.0.0,10.255.255.255\n') + aclf.write('acl deny-log bob@QPID create connection host=all\n') + aclf.write('acl allow all create connection host=localhost\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "connection", "", {"host":"0.0.0.0"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"9.255.255.255"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.0.0"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.0.255"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.1.0"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.1.255"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.2.0"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.255.255.255"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"11.0.0.0"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"255.255.255.255"},"deny-log") + + + def test_connect_mode_user_ranges(self): + """ + Two user ranges should not interfere with each other + """ + aclf = self.get_acl_file() + aclf.write('acl allow-log bob@QPID create connection host=10.0.0.0,10.255.255.255\n') + aclf.write('acl deny-log bob@QPID create connection host=all\n') + aclf.write('acl allow-log cat@QPID create connection host=192.168.0.0,192.168.255.255\n') + aclf.write('acl deny-log cat@QPID create connection host=all\n') + aclf.write('acl allow all create connection host=localhost\n') + aclf.write('acl allow all all\n') + aclf.close() + + result = self.reload_acl() + if (result): + self.fail(result) + + session = self.get_session('bob','bob') + + self.Lookup("bob@QPID", "create", "connection", "", {"host":"0.0.0.0"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"9.255.255.255"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.0.0.0"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"10.255.255.255"}, "allow-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"11.0.0.0"}, "deny-log") + self.Lookup("bob@QPID", "create", "connection", "", {"host":"255.255.255.255"},"deny-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"0.0.0.0"}, "deny-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"192.167.255.255"},"deny-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"192.168.0.0"}, "allow-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"192.168.255.255"},"allow-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"192.169.0.0"}, "deny-log") + self.Lookup("cat@QPID", "create", "connection", "", {"host":"255.255.255.255"},"deny-log") + + +class BrokerAdmin: + def __init__(self, broker, username=None, password=None): + self.connection = qpid.messaging.Connection(broker) + if username: + self.connection.username = username + self.connection.password = password + self.connection.sasl_mechanisms = "PLAIN" + self.connection.open() + self.session = self.connection.session() + self.sender = self.session.sender("qmf.default.direct/broker") + self.reply_to = "responses-#; {create:always}" + self.receiver = self.session.receiver(self.reply_to) + + def invoke(self, method, arguments): + content = { + "_object_id": {"_object_name": "org.apache.qpid.broker:broker:amqp-broker"}, + "_method_name": method, + "_arguments": arguments + } + request = qpid.messaging.Message(reply_to=self.reply_to, content=content) + request.properties["x-amqp-0-10.app-id"] = "qmf2" + request.properties["qmf.opcode"] = "_method_request" + self.sender.send(request) + response = self.receiver.fetch() + self.session.acknowledge() + if response.properties['x-amqp-0-10.app-id'] == 'qmf2': + if response.properties['qmf.opcode'] == '_method_response': + return response.content['_arguments'] + elif response.properties['qmf.opcode'] == '_exception': + raise Exception(response.content['_values']) + else: raise Exception("Invalid response received, unexpected opcode: %s" % response.properties['qmf.opcode']) + else: raise Exception("Invalid response received, not a qmfv2 method: %s" % response.properties['x-amqp-0-10.app-id']) + + def query(self, object_name=None, class_name=None): + content = { "_what": "OBJECT" } + if object_name is not None: + content["_object_id"] = {"_object_name": object_name } + if class_name is not None: + content["_schema_id"] = {"_class_name": class_name } + request = qpid.messaging.Message(reply_to=self.reply_to, content=content) + request.properties["x-amqp-0-10.app-id"] = "qmf2" + request.properties["qmf.opcode"] = "_query_request" + self.sender.send(request) + response = self.receiver.fetch() + self.session.acknowledge() + if response.properties['x-amqp-0-10.app-id'] == 'qmf2': + if response.properties['qmf.opcode'] == '_query_response': + return + elif response.properties['qmf.opcode'] == '_exception': + raise Exception(response.content['_values']) + else: raise Exception("Invalid response received, unexpected opcode: %s" % response.properties['qmf.opcode']) + else: raise Exception("Invalid response received, not a qmfv2 method: %s" % response.properties['x-amqp-0-10.app-id']) + + def create_exchange(self, name, exchange_type=None, options={}): + properties = options + if exchange_type: properties["exchange_type"] = exchange_type + self.invoke("create", {"type": "exchange", "name":name, "properties":properties}) + + def create_queue(self, name, properties={}): + self.invoke("create", {"type": "queue", "name":name, "properties":properties}) + + def delete_exchange(self, name): + self.invoke("delete", {"type": "exchange", "name":name}) + + def delete_queue(self, name): + self.invoke("delete", {"type": "queue", "name":name}) + + def get_timestamp_cfg(self): + return self.invoke("getTimestampConfig", {}) + + def set_timestamp_cfg(self, receive): + return self.invoke("getTimestampConfig", {"receive":receive}) |