Diffstat (limited to 'qpid/java/broker-core/src/test/java')
14 files changed, 752 insertions, 292 deletions
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/FanoutExchangeTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/FanoutExchangeTest.java index cb5034b3f3..3e0ba31b08 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/FanoutExchangeTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/FanoutExchangeTest.java @@ -32,6 +32,9 @@ import java.util.Set; import java.util.UUID; import junit.framework.TestCase; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.model.VirtualHostNode; import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; 
@@ -63,14 +66,27 @@ public class FanoutExchangeTest extends TestCase attributes.put(Exchange.NAME, "test"); attributes.put(Exchange.DURABLE, false); + Broker broker = mock(Broker.class); + SecurityManager securityManager = new SecurityManager(broker, false); + when(broker.getCategoryClass()).thenReturn(Broker.class); + when(broker.getModel()).thenReturn(BrokerModel.getInstance()); + when(broker.getSecurityManager()).thenReturn(securityManager); + + VirtualHostNode virtualHostNode = mock(VirtualHostNode.class); + when(virtualHostNode.getCategoryClass()).thenReturn(VirtualHostNode.class); + when(virtualHostNode.getParent(Broker.class)).thenReturn(broker); + when(virtualHostNode.getModel()).thenReturn(BrokerModel.getInstance()); + _taskExecutor = new CurrentThreadTaskExecutor(); _taskExecutor.start(); _virtualHost = mock(VirtualHostImpl.class); - SecurityManager securityManager = mock(SecurityManager.class); + when(_virtualHost.getSecurityManager()).thenReturn(securityManager); when(_virtualHost.getEventLogger()).thenReturn(new EventLogger()); when(_virtualHost.getTaskExecutor()).thenReturn(_taskExecutor); when(_virtualHost.getModel()).thenReturn(BrokerModel.getInstance()); + when(_virtualHost.getParent(VirtualHostNode.class)).thenReturn(virtualHostNode); + when(_virtualHost.getCategoryClass()).thenReturn(VirtualHost.class); _exchange = new FanoutExchange(attributes, _virtualHost); _exchange.open(); } @@ -134,6 +150,7 @@ public class FanoutExchangeTest extends TestCase when(queue.getCategoryClass()).thenReturn(Queue.class); when(queue.getModel()).thenReturn(BrokerModel.getInstance()); when(queue.getTaskExecutor()).thenReturn(CurrentThreadTaskExecutor.newStartedInstance()); + when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); return queue; } 
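Review bot: In setUp the real `SecurityManager` is constructed from `broker` before any of the `when(broker…)` stubs are registered, so anything its constructor reads from the broker would come from Mockito defaults; SecurityManagerTest's setUp in this same commit stubs the broker first and constructs the manager last. The constructor body is not visible here, so this may be harmless today, but ordering the lines as `when(broker.getModel()).thenReturn(BrokerModel.getInstance());`, then `SecurityManager securityManager = new SecurityManager(broker, false);`, then `when(broker.getSecurityManager()).thenReturn(securityManager);` removes the dependency. The same sequence is repeated in the HeadersExchangeTest setUp hunk. A short comment on what the bare `false` argument selects would also help, since its meaning cannot be read from the call.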
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/HeadersExchangeTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/HeadersExchangeTest.java index 6d9277006f..c5ad190477 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/HeadersExchangeTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/exchange/HeadersExchangeTest.java @@ -35,6 +35,9 @@ import java.util.Set; import java.util.UUID; import junit.framework.TestCase; +import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.ConfiguredObject; +import org.apache.qpid.server.model.VirtualHostNode; import org.mockito.invocation.InvocationOnMock; import org.mockito.stubbing.Answer; @@ -70,7 +73,18 @@ public class HeadersExchangeTest extends TestCase _taskExecutor = new CurrentThreadTaskExecutor(); _taskExecutor.start(); _virtualHost = mock(VirtualHostImpl.class); - SecurityManager securityManager = mock(SecurityManager.class); + + Broker broker = mock(Broker.class); + SecurityManager securityManager = new SecurityManager(broker, false); + when(broker.getCategoryClass()).thenReturn(Broker.class); + when(broker.getModel()).thenReturn(BrokerModel.getInstance()); + when(broker.getSecurityManager()).thenReturn(securityManager); + + VirtualHostNode virtualHostNode = mock(VirtualHostNode.class); + when(virtualHostNode.getCategoryClass()).thenReturn(VirtualHostNode.class); + when(virtualHostNode.getParent(Broker.class)).thenReturn(broker); + when(virtualHostNode.getModel()).thenReturn(BrokerModel.getInstance()); + when(_virtualHost.getSecurityManager()).thenReturn(securityManager); when(_virtualHost.getEventLogger()).thenReturn(new EventLogger()); when(_virtualHost.getCategoryClass()).thenReturn(VirtualHost.class); 
@@ -78,6 +92,7 @@ public class HeadersExchangeTest extends TestCase _factory = new ConfiguredObjectFactoryImpl(BrokerModel.getInstance()); when(_virtualHost.getObjectFactory()).thenReturn(_factory); when(_virtualHost.getModel()).thenReturn(_factory.getModel()); + when(_virtualHost.getParent(VirtualHostNode.class)).thenReturn(virtualHostNode); Map<String,Object> attributes = new HashMap<String, Object>(); attributes.put(Exchange.ID, UUID.randomUUID()); attributes.put(Exchange.NAME, "test"); @@ -149,6 +164,7 @@ public class HeadersExchangeTest extends TestCase AMQQueue q = mock(AMQQueue.class); when(q.toString()).thenReturn(name); when(q.getVirtualHost()).thenReturn(_virtualHost); + when(q.getParent(VirtualHost.class)).thenReturn(_virtualHost); when(q.getCategoryClass()).thenReturn(Queue.class); when(q.getObjectFactory()).thenReturn(_factory); when(q.getModel()).thenReturn(_factory.getModel()); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/VirtualHostTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/VirtualHostTest.java index aa05447851..20f6e31ebe 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/VirtualHostTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/VirtualHostTest.java @@ -64,7 +64,7 @@ public class VirtualHostTest extends QpidTestCase private final SecurityManager _mockSecurityManager = mock(SecurityManager.class); private Broker _broker; private TaskExecutor _taskExecutor; - private VirtualHostNode<?> _virtualHostNode; + private VirtualHostNode _virtualHostNode; private DurableConfigurationStore _configStore; private VirtualHost<?, ?, ?> _virtualHost; private StoreConfigurationChangeListener _storeConfigurationChangeListener; 
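Review bot: Dropping the wildcard in the VirtualHostTest field hunk makes `_virtualHostNode` a raw `VirtualHostNode`, which switches off generic checking for every use of the field in this test class; the same change is made to `Broker<?> _broker` in FileKeyStoreTest and FileTrustStoreTest. It is presumably there so that the new `when(...getCategoryClass()).thenReturn(...)` stubs compile. The field can keep its `VirtualHostNode<?>` type if that stub is written as `doReturn(VirtualHostNode.class).when(_virtualHostNode).getCategoryClass();` (with the matching static import), because `doReturn` does not go through the captured return type.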
@@ -81,6 +81,8 @@ public class VirtualHostTest extends QpidTestCase when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); _virtualHostNode = mock(VirtualHostNode.class); + when(_virtualHostNode.getParent(Broker.class)).thenReturn(_broker); + when(_virtualHostNode.getCategoryClass()).thenReturn(VirtualHostNode.class); when(_virtualHostNode.isDurable()).thenReturn(true); _configStore = mock(DurableConfigurationStore.class); _storeConfigurationChangeListener = new StoreConfigurationChangeListener(_configStore); @@ -328,9 +330,7 @@ public class VirtualHostTest extends QpidTestCase String virtualHostName = getName(); VirtualHost<?,?,?> virtualHost = createVirtualHost(virtualHostName); - doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHost( - virtualHostName, - Operation.UPDATE); + doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseUpdate(virtualHost); assertNull(virtualHost.getDescription()); @@ -354,9 +354,7 @@ public class VirtualHostTest extends QpidTestCase String virtualHostName = getName(); VirtualHost<?,?,?> virtualHost = createVirtualHost(virtualHostName); - doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHost( - virtualHostName, - Operation.UPDATE); + doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseUpdate(virtualHost); try { @@ -378,9 +376,7 @@ public class VirtualHostTest extends QpidTestCase String virtualHostName = getName(); VirtualHost<?,?,?> virtualHost = createVirtualHost(virtualHostName); - doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHost( - virtualHostName, - Operation.DELETE); + doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseDelete(virtualHost); try { 
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestKitCarImpl.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestKitCarImpl.java index 5785071e15..43dcecd6c8 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestKitCarImpl.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestKitCarImpl.java @@ -25,6 +25,7 @@ import org.apache.qpid.server.model.AbstractConfiguredObject; import org.apache.qpid.server.model.ConfiguredObject; import org.apache.qpid.server.model.ManagedObject; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; +import org.apache.qpid.server.security.SecurityManager; @ManagedObject( category = false, type = TestKitCarImpl.TEST_KITCAR_TYPE) @@ -32,11 +33,13 @@ public class TestKitCarImpl extends AbstractConfiguredObject<TestKitCarImpl> implements TestKitCar<TestKitCarImpl> { public static final String TEST_KITCAR_TYPE = "testkitcar"; + private final SecurityManager _securityManager; @ManagedObjectFactoryConstructor public TestKitCarImpl(final Map<String, Object> attributes) { super(parentsMap(), attributes, newTaskExecutor(), TestModel.getInstance()); + _securityManager = new SecurityManager(this, false); } @Override @@ -53,4 +56,10 @@ public class TestKitCarImpl extends AbstractConfiguredObject<TestKitCarImpl> currentThreadTaskExecutor.start(); return currentThreadTaskExecutor; } + + @Override + protected SecurityManager getSecurityManager() + { + return _securityManager; + } } diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestStandardCarImpl.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestStandardCarImpl.java index 83dfd73b8b..7582de2952 100644 
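Review bot: In TestKitCarImpl `_securityManager` is assigned only after `super(...)` returns, so the new `getSecurityManager()` override returns null to any caller that reaches it during superclass construction; the constructor also hands `this` to `SecurityManager` before it has finished. Whether `AbstractConfiguredObject`'s constructor calls `getSecurityManager()` is not visible in this diff, so treat this as something to confirm rather than a known failure. If it can be called that early, making the field non-final and creating the manager on first use inside the override closes the window. TestStandardCarImpl, TestConfiguredObject and both constructors of TestSingletonImpl follow the same pattern.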
--- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestStandardCarImpl.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/hierarchy/TestStandardCarImpl.java @@ -29,6 +29,7 @@ import org.apache.qpid.server.configuration.updater.CurrentThreadTaskExecutor; import org.apache.qpid.server.model.AbstractConfiguredObject; import org.apache.qpid.server.model.ManagedObject; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; +import org.apache.qpid.server.security.SecurityManager; @ManagedObject( category = false, type = TestStandardCarImpl.TEST_STANDARD_CAR_TYPE, @@ -37,11 +38,13 @@ public class TestStandardCarImpl extends AbstractConfiguredObject<TestStandardCa implements TestStandardCar<TestStandardCarImpl> { public static final String TEST_STANDARD_CAR_TYPE = "testpertrolcar"; + private final SecurityManager _securityManager; @ManagedObjectFactoryConstructor public TestStandardCarImpl(final Map<String, Object> attributes) { super(parentsMap(), attributes, newTaskExecutor(), TestModel.getInstance()); + _securityManager = new SecurityManager(this, false); } private static CurrentThreadTaskExecutor newTaskExecutor() @@ -57,4 +60,10 @@ public class TestStandardCarImpl extends AbstractConfiguredObject<TestStandardCa Collection<String> types = Arrays.asList(TestPetrolEngineImpl.TEST_PETROL_ENGINE_TYPE, TestHybridEngineImpl.TEST_HYBRID_ENGINE_TYPE); return Collections.singletonMap(TestEngine.class.getSimpleName(), types); } + + @Override + protected SecurityManager getSecurityManager() + { + return _securityManager; + } } diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/lifecycle/TestConfiguredObject.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/lifecycle/TestConfiguredObject.java index 0b35ba9330..6935230aeb 100644 
--- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/lifecycle/TestConfiguredObject.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/lifecycle/TestConfiguredObject.java @@ -39,10 +39,12 @@ import org.apache.qpid.server.model.Model; import org.apache.qpid.server.model.State; import org.apache.qpid.server.model.StateTransition; import org.apache.qpid.server.plugin.ConfiguredObjectRegistration; +import org.apache.qpid.server.security.SecurityManager; @ManagedObject public class TestConfiguredObject extends AbstractConfiguredObject { + private final SecurityManager _securityManager; private boolean _opened; private boolean _validated; private boolean _resolved; @@ -76,6 +78,13 @@ public class TestConfiguredObject extends AbstractConfiguredObject { super(parents, attributes, taskExecutor, model); _opened = false; + _securityManager = new SecurityManager(this, false); + } + + @Override + protected SecurityManager getSecurityManager() + { + return _securityManager; } @Override diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/singleton/TestSingletonImpl.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/singleton/TestSingletonImpl.java index c4dc0fa39d..5de40042cc 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/singleton/TestSingletonImpl.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/model/testmodels/singleton/TestSingletonImpl.java 
@@ -27,6 +27,7 @@ import org.apache.qpid.server.model.AbstractConfiguredObject; import org.apache.qpid.server.model.ManagedAttributeField; import org.apache.qpid.server.model.ManagedObject; import org.apache.qpid.server.model.ManagedObjectFactoryConstructor; +import org.apache.qpid.server.security.SecurityManager; @ManagedObject( category = false, type = TestSingletonImpl.TEST_SINGLETON_TYPE) public class TestSingletonImpl extends AbstractConfiguredObject<TestSingletonImpl> @@ -35,6 +36,7 @@ public class TestSingletonImpl extends AbstractConfiguredObject<TestSingletonImp public static final String TEST_SINGLETON_TYPE = "testsingleton"; public static final int DERIVED_VALUE = -100; + private final SecurityManager _securityManager; @ManagedAttributeField private String _automatedPersistedValue; @@ -71,6 +73,7 @@ public class TestSingletonImpl extends AbstractConfiguredObject<TestSingletonImp public TestSingletonImpl(final Map<String, Object> attributes) { super(parentsMap(), attributes, newTaskExecutor(), TestModel.getInstance()); + _securityManager = new SecurityManager(this, false); } private static CurrentThreadTaskExecutor newTaskExecutor() @@ -84,6 +87,7 @@ public class TestSingletonImpl extends AbstractConfiguredObject<TestSingletonImp final TaskExecutor taskExecutor) { super(parentsMap(), attributes, taskExecutor); + _securityManager = new SecurityManager(this, false); } @@ -152,4 +156,10 @@ public class TestSingletonImpl extends AbstractConfiguredObject<TestSingletonImp { return _secureValue; } + + @Override + protected SecurityManager getSecurityManager() + { + return _securityManager; + } } diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java index 0a2e122d16..c691c21ce2 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java 
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileKeyStoreTest.java @@ -49,7 +49,7 @@ import org.apache.qpid.util.FileUtils; public class FileKeyStoreTest extends QpidTestCase { - private final Broker<?> _broker = mock(Broker.class); + private final Broker _broker = mock(Broker.class); private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); private final SecurityManager _securityManager = mock(SecurityManager.class); private final Model _model = BrokerModel.getInstance(); @@ -63,6 +63,7 @@ public class FileKeyStoreTest extends QpidTestCase when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); when(_broker.getModel()).thenReturn(_model); when(_broker.getSecurityManager()).thenReturn(_securityManager); + when(_broker.getCategoryClass()).thenReturn(Broker.class); } public void testCreateKeyStoreFromFile_Success() throws Exception @@ -237,9 +238,6 @@ public class FileKeyStoreTest extends QpidTestCase public void testUpdateKeyStore_Success() throws Exception { - - when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); @@ -278,9 +276,6 @@ public class FileKeyStoreTest extends QpidTestCase public void testDeleteKeyStore_Success() throws Exception { - - when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); 
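Review bot: `_securityManager` stays a plain mock in FileKeyStoreTest's setUp, and a Mockito mock does nothing by default, so once the `authoriseConfiguringBroker` stubs are removed in the later hunks the update and delete tests pass whether or not the key store asks for authorisation at all. The test bodies continue outside these hunks, so a check may already exist there. If not, add `verify(_securityManager).authoriseUpdate(...)` and `verify(_securityManager).authoriseDelete(...)` with the key store under test as the argument, plus one case that uses `doThrow(new AccessControlException(...))` the way VirtualHostTest does to confirm that a denied change is rejected. FileTrustStoreTest has the same gap.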
@@ -293,10 +288,6 @@ public class FileKeyStoreTest extends QpidTestCase public void testDeleteKeyStore_KeyManagerInUseByPort() throws Exception { - when(_securityManager.authoriseConfiguringBroker(any(String.class), - any(Class.class), - any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileKeyStore.NAME, "myFileKeyStore"); attributes.put(FileKeyStore.STORE_URL, TestSSLConstants.BROKER_KEYSTORE); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java index 72c8926f85..8e7f004923 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/FileTrustStoreTest.java @@ -53,7 +53,7 @@ import org.apache.qpid.util.FileUtils; public class FileTrustStoreTest extends QpidTestCase { - private final Broker<?> _broker = mock(Broker.class); + private final Broker _broker = mock(Broker.class); private final TaskExecutor _taskExecutor = CurrentThreadTaskExecutor.newStartedInstance(); private final SecurityManager _securityManager = mock(SecurityManager.class); private final Model _model = BrokerModel.getInstance(); @@ -66,7 +66,7 @@ public class FileTrustStoreTest extends QpidTestCase when(_broker.getTaskExecutor()).thenReturn(_taskExecutor); when(_broker.getModel()).thenReturn(_model); when(_broker.getSecurityManager()).thenReturn(_securityManager); - + when(_broker.getCategoryClass()).thenReturn(Broker.class); } public void testCreateTrustStoreFromFile_Success() throws Exception 
@@ -186,9 +186,6 @@ public class FileTrustStoreTest extends QpidTestCase public void testUpdateTrustStore_Success() throws Exception { - - when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE); @@ -228,9 +225,6 @@ public class FileTrustStoreTest extends QpidTestCase public void testDeleteTrustStore_Success() throws Exception { - - when(_securityManager.authoriseConfiguringBroker(any(String.class), (Class<? extends ConfiguredObject>)any(), any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE); @@ -244,10 +238,6 @@ public class FileTrustStoreTest extends QpidTestCase public void testDeleteTrustStore_TrustManagerInUseByAuthProvider() throws Exception { - when(_securityManager.authoriseConfiguringBroker(any(String.class), - any(Class.class), - any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE); @@ -275,10 +265,6 @@ public class FileTrustStoreTest extends QpidTestCase public void testDeleteTrustStore_TrustManagerInUseByPort() throws Exception { - when(_securityManager.authoriseConfiguringBroker(any(String.class), - any(Class.class), - any(Operation.class))).thenReturn(true); - Map<String,Object> attributes = new HashMap<>(); attributes.put(FileTrustStore.NAME, "myFileTrustStore"); attributes.put(FileTrustStore.STORE_URL, TestSSLConstants.TRUSTSTORE); 
diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java index 54bd69120b..4b63577376 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java 
@@ -32,16 +32,31 @@ import static org.mockito.Mockito.when; import java.security.AccessControlException; import java.util.Collections; -import org.apache.qpid.server.binding.BindingImpl; -import org.apache.qpid.server.consumer.ConsumerImpl; -import org.apache.qpid.server.exchange.ExchangeImpl; import org.apache.qpid.server.model.AccessControlProvider; +import org.apache.qpid.server.model.AuthenticationProvider; +import org.apache.qpid.server.model.Binding; import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.BrokerModel; +import org.apache.qpid.server.model.ConfiguredObject; +import org.apache.qpid.server.model.Consumer; +import org.apache.qpid.server.model.Exchange; +import org.apache.qpid.server.model.ExclusivityPolicy; +import org.apache.qpid.server.model.Group; +import org.apache.qpid.server.model.GroupMember; +import org.apache.qpid.server.model.GroupProvider; +import org.apache.qpid.server.model.KeyStore; import org.apache.qpid.server.model.LifetimePolicy; +import org.apache.qpid.server.model.Port; +import org.apache.qpid.server.model.Queue; +import org.apache.qpid.server.model.Session; import org.apache.qpid.server.model.State; +import org.apache.qpid.server.model.TrustStore; +import org.apache.qpid.server.model.User; import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.model.VirtualHostNode; import org.apache.qpid.server.protocol.AMQConnectionModel; import org.apache.qpid.server.queue.AMQQueue; +import org.apache.qpid.server.queue.QueueConsumer; import org.apache.qpid.server.security.access.ObjectProperties; import org.apache.qpid.server.security.access.ObjectProperties.Property; import org.apache.qpid.server.security.access.ObjectType; 
@@ -59,6 +74,8 @@ public class SecurityManagerTest extends QpidTestCase private AccessControl _accessControl; private SecurityManager _securityManager; private VirtualHost<?,?,?> _virtualHost; + private Broker _broker; + private VirtualHostNode<?> _virtualHostNode; @Override public void setUp() throws Exception 
@@ -72,28 +89,38 @@ public class SecurityManagerTest extends QpidTestCase when(aclProvider.getState()).thenReturn(State.ACTIVE); when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST); - - Broker broker = mock(Broker.class); - when(broker.getAccessControlProviders()).thenReturn(Collections.singleton(aclProvider)); - _securityManager = new SecurityManager(broker, false); + when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST); + + _broker = mock(Broker.class); + when(_broker.getAccessControlProviders()).thenReturn(Collections.singleton(aclProvider)); + when(_broker.getChildren(AccessControlProvider.class)).thenReturn(Collections.singleton(aclProvider)); + when(_broker.getCategoryClass()).thenReturn(Broker.class); + when(_broker.getName()).thenReturn("My Broker"); + when(_broker.getAttribute(Broker.NAME)).thenReturn("My Broker"); + when(_broker.getModel()).thenReturn(BrokerModel.getInstance()); + + _virtualHostNode = getMockVirtualHostNode(); + _securityManager = new SecurityManager(_broker, false); } public void testAuthoriseCreateBinding() { - ExchangeImpl exchange = mock(ExchangeImpl.class); + VirtualHost vh = getMockVirtualHost(); + + Exchange exchange = mock(Exchange.class); when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(exchange.getName()).thenReturn(TEST_EXCHANGE); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(vh); + when(exchange.getModel()).thenReturn(BrokerModel.getInstance()); - AMQQueue<?> queue = mock(AMQQueue.class); + Queue queue = mock(Queue.class); when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); - when(queue.isDurable()).thenReturn(true); - when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT); - - BindingImpl binding = mock(BindingImpl.class); - 
when(binding.getExchange()).thenReturn(exchange); - when(binding.getAMQQueue()).thenReturn(queue); - when(binding.getBindingKey()).thenReturn("bindingKey"); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(true); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getCategoryClass()).thenReturn(Queue.class); + when(queue.getParent(VirtualHost.class)).thenReturn(vh); ObjectProperties properties = new ObjectProperties(); properties.put(Property.NAME, TEST_EXCHANGE); @@ -103,22 +130,13 @@ public class SecurityManagerTest extends QpidTestCase properties.put(Property.TEMPORARY, false); properties.put(Property.DURABLE, true); + Binding binding = mock(Binding.class); + when(binding.getParent(Exchange.class)).thenReturn(exchange); + when(binding.getParent(Queue.class)).thenReturn(queue); + when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey"); + when(binding.getCategoryClass()).thenReturn(Binding.class); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseCreateBinding(binding); - verify(_accessControl).authorise(eq(Operation.BIND), eq(ObjectType.EXCHANGE), eq(properties)); - - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseCreateBinding(binding); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.BIND), eq(ObjectType.EXCHANGE), eq(properties)); + assertCreateAuthorization(binding, Operation.BIND, ObjectType.EXCHANGE, properties, exchange, queue); } 
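Review bot: In testAuthoriseCreateBinding the retained lines `when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);` and `when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);` are each overridden a few lines later by the added stubs that return `vh`, so the first stubbing of each pair is dead. Leaving both in place makes it unclear which virtual host the authorisation properties are meant to be derived from. Delete the two `_virtualHost` stubs, or drop the new ones if `_virtualHost` was the intended parent.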
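Review bot: The inline ALLOWED-then-DENIED sequence, including the `times(2)` verification, is replaced here by a single `assertCreateAuthorization(...)` call whose body is outside this hunk, so the denied path is no longer visible at the call site. Assuming the helper still covers both results, a comment above the call such as `// checks Result.ALLOWED and Result.DENIED against the expected ACL operation, object type and properties` would document that. The trailing `exchange, queue` arguments also deserve a word on what they represent.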
@@ -192,14 +210,23 @@ public class SecurityManagerTest extends QpidTestCase public void testAuthoriseCreateConsumer() { - AMQQueue<?> queue = mock(AMQQueue.class); + Queue queue = mock(Queue.class); when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); - when(queue.isDurable()).thenReturn(true); - when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT); - - ConsumerImpl consumer = mock(ConsumerImpl.class); - when(consumer.getMessageSource()).thenReturn(queue); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(true); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE); + when(queue.getCategoryClass()).thenReturn(Queue.class); + + Session session = mock(Session.class); + when(session.getCategoryClass()).thenReturn(Session.class); + when(session.getAttribute(Session.NAME)).thenReturn("1"); + + QueueConsumer consumer = mock(QueueConsumer.class); + when(consumer.getAttribute(QueueConsumer.NAME)).thenReturn("1"); + when(consumer.getParent(Queue.class)).thenReturn(queue); + when(consumer.getParent(Session.class)).thenReturn(session); + when(consumer.getCategoryClass()).thenReturn(Consumer.class); ObjectProperties properties = new ObjectProperties(); properties.put(Property.NAME, TEST_QUEUE); 
@@ -209,284 +236,573 @@ public class SecurityManagerTest extends QpidTestCase properties.put(Property.DURABLE, true); properties.put(Property.EXCLUSIVE, false); + assertAuthorization(Operation.CREATE, consumer, Operation.CONSUME, ObjectType.QUEUE, properties, queue, session); + } + + public void testAuthoriseUserOperation() + { + ObjectProperties properties = new ObjectProperties("testUser"); + configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseCreateConsumer(consumer); - verify(_accessControl).authorise(eq(Operation.CONSUME), eq(ObjectType.QUEUE), eq(properties)); + _securityManager.authoriseUserUpdate("testUser"); + verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties)); - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseCreateConsumer(consumer); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.CONSUME), eq(ObjectType.QUEUE), eq(properties)); + configureAccessPlugin(Result.DENIED); + try + { + _securityManager.authoriseUserUpdate("testUser"); + fail("AccessControlException is expected"); + } + catch(AccessControlException e) + { + // pass + } + verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties)); } public void testAuthoriseCreateExchange() { - ExchangeImpl<?> exchange = mock(ExchangeImpl.class); - when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(exchange.getName()).thenReturn(TEST_EXCHANGE); - when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE); + VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedExchangeObjectProperties(); + + Exchange exchange = mock(Exchange.class); + when(exchange.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_EXCHANGE); + 
when(exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false); + when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(vh); + + assertCreateAuthorization( exchange, Operation.CREATE, ObjectType.EXCHANGE, expectedProperties, vh); + } - ObjectProperties properties = createExpectedExchangeObjectProperties(); + public void testAuthoriseCreateQueue() + { + VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedQueueObjectProperties(); + + Queue queue = mock(Queue.class); + when(queue.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(queue.getAttribute(Queue.OWNER)).thenReturn(null); + when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(false); + when(queue.getAttribute(Queue.ALTERNATE_EXCHANGE)).thenReturn(null); + when(queue.getCategoryClass()).thenReturn(Queue.class); + when(queue.getParent(VirtualHost.class)).thenReturn(vh); + + assertCreateAuthorization(queue, Operation.CREATE, ObjectType.QUEUE, expectedProperties, vh); + } - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseCreateExchange(exchange); - verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.EXCHANGE), eq(properties)); + public void testAuthoriseDeleteQueue() + { + VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedQueueObjectProperties(); + + Queue queueObject = mock(Queue.class); + when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + 
when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null); + when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE); + when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false); + when(queueObject.getParent(VirtualHost.class)).thenReturn(vh); + when(queueObject.getCategoryClass()).thenReturn(Queue.class); + + assertDeleteAuthorization(queueObject, Operation.DELETE, ObjectType.QUEUE, expectedProperties, vh); + } - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseCreateExchange(exchange); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.EXCHANGE), eq(properties)); + public void testAuthoriseUpdateQueue() + { + VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedQueueObjectProperties(); + + Queue queueObject = mock(Queue.class); + when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null); + when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE); + when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false); + when(queueObject.getParent(VirtualHost.class)).thenReturn(vh); + when(queueObject.getCategoryClass()).thenReturn(Queue.class); + + assertUpdateAuthorization(queueObject, Operation.UPDATE, ObjectType.QUEUE, expectedProperties, vh); } - public void testAuthoriseCreateQueue() + public void testAuthoriseUpdateExchange() { - AMQQueue<?> queue = mock(AMQQueue.class); - when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); + 
VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedExchangeObjectProperties(); + + Exchange exchange = mock(Exchange.class); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false); + when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE); + when(exchange.getParent(VirtualHost.class)).thenReturn(vh); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + + assertUpdateAuthorization(exchange, Operation.UPDATE, ObjectType.EXCHANGE, expectedProperties, vh); + } - ObjectProperties properties = createExpectedQueueObjectProperties(); + public void testAuthoriseDeleteExchange() + { + VirtualHost vh = getMockVirtualHost(); + ObjectProperties expectedProperties = createExpectedExchangeObjectProperties(); + + Exchange exchange = mock(Exchange.class); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); + when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false); + when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE); + when(exchange.getParent(VirtualHost.class)).thenReturn(vh); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + + assertDeleteAuthorization(exchange, Operation.DELETE, ObjectType.EXCHANGE, expectedProperties, vh); + } + + public void testAuthorisePublish() + { + String routingKey = "routingKey"; + String exchangeName = "exchangeName"; + boolean immediate = true; + ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate); configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseCreateQueue(queue); - verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.QUEUE), 
eq(properties)); + _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST); + verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties)); configureAccessPlugin(Result.DENIED); try { - _securityManager.authoriseCreateQueue(queue); + _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST); fail("AccessControlException is expected"); } catch(AccessControlException e) { // pass } - verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.QUEUE), eq(properties)); + verify(_accessControl, times(2)).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties)); } - public void testAuthoriseDeleteQueue() + public void testAuthorisePurge() { - AMQQueue<?> queue = mock(AMQQueue.class); + Queue queue = mock(Queue.class); when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getCategoryClass()).thenReturn(Queue.class); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(false); + when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE); ObjectProperties properties = createExpectedQueueObjectProperties(); configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseDelete(queue); - verify(_accessControl).authorise(eq(Operation.DELETE), eq(ObjectType.QUEUE), eq(properties)); + _securityManager.authorisePurge(queue); + verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties)); configureAccessPlugin(Result.DENIED); try { - _securityManager.authoriseDelete(queue); + _securityManager.authorisePurge(queue); fail("AccessControlException is expected"); } catch(AccessControlException e) { // pass } - verify(_accessControl, 
times(2)).authorise(eq(Operation.DELETE), eq(ObjectType.QUEUE), eq(properties)); + verify(_accessControl, times(2)).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties)); } - public void testAuthoriseUpdateQueue() + public void testAuthoriseUnbind() { - AMQQueue<?> queue = mock(AMQQueue.class); + Exchange exchange = mock(Exchange.class); + when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); + + Queue queue = mock(Queue.class); when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(true); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getCategoryClass()).thenReturn(Queue.class); - ObjectProperties properties = createExpectedQueueObjectProperties(); + Binding binding = mock(Binding.class); + when(binding.getParent(Exchange.class)).thenReturn(exchange); + when(binding.getParent(Queue.class)).thenReturn(queue); + when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey"); + when(binding.getCategoryClass()).thenReturn(Binding.class); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseUpdate(queue); - verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.QUEUE), eq(properties)); + ObjectProperties properties = new ObjectProperties(); + properties.put(Property.NAME, TEST_EXCHANGE); + properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST); + properties.put(Property.QUEUE_NAME, TEST_QUEUE); + properties.put(Property.ROUTING_KEY, "bindingKey"); + properties.put(Property.TEMPORARY, false); + properties.put(Property.DURABLE, true); - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseUpdate(queue); - 
fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.QUEUE), eq(properties)); + assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue); } - public void testAuthoriseUpdateExchange() + public void testAuthoriseCreateVirtualHostNode() { - ExchangeImpl<?> exchange = mock(ExchangeImpl.class); - when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(exchange.getName()).thenReturn(TEST_EXCHANGE); - when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE); + VirtualHostNode vhn = getMockVirtualHostNode(); + assertCreateAuthorization(vhn, Operation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"), _broker); + } - ObjectProperties properties = createExpectedExchangeObjectProperties(); + public void testAuthoriseCreatePort() + { + Port port = mock(Port.class); + when(port.getParent(Broker.class)).thenReturn(_broker); + when(port.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(port.getCategoryClass()).thenReturn(Port.class); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseUpdate(exchange); - verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.EXCHANGE), eq(properties)); + assertBrokerChildCreateAuthorization(port); + } - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseUpdate(exchange); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.EXCHANGE), eq(properties)); + public void testAuthoriseCreateAuthenticationProvider() + { + AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class); + when(authenticationProvider.getParent(Broker.class)).thenReturn(_broker); + 
when(authenticationProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class); + + assertBrokerChildCreateAuthorization(authenticationProvider); } - public void testAuthoriseDeleteExchange() + public void testAuthoriseCreateGroupProvider() { - ExchangeImpl<?> exchange = mock(ExchangeImpl.class); - when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(exchange.getName()).thenReturn(TEST_EXCHANGE); - when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE); + GroupProvider groupProvider = mock(GroupProvider.class); + when(groupProvider.getParent(Broker.class)).thenReturn(_broker); + when(groupProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class); - ObjectProperties properties = createExpectedExchangeObjectProperties(); + assertBrokerChildCreateAuthorization(groupProvider); + } - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseDelete(exchange); - verify(_accessControl).authorise(eq(Operation.DELETE), eq(ObjectType.EXCHANGE), eq(properties)); + public void testAuthoriseCreateAccessControlProvider() + { + AccessControlProvider accessControlProvider = mock(AccessControlProvider.class); + when(accessControlProvider.getParent(Broker.class)).thenReturn(_broker); + when(accessControlProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class); - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseDelete(exchange); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.DELETE), eq(ObjectType.EXCHANGE), eq(properties)); + assertBrokerChildCreateAuthorization(accessControlProvider); } - public void testAuthoriseGroupOperation() + public 
void testAuthoriseCreateKeyStore() { - ObjectProperties properties = new ObjectProperties("testGroup"); + KeyStore keyStore = mock(KeyStore.class); + when(keyStore.getParent(Broker.class)).thenReturn(_broker); + when(keyStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(keyStore.getCategoryClass()).thenReturn(KeyStore.class); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseGroupOperation(Operation.CREATE, "testGroup"); - verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.GROUP), eq(properties)); + assertBrokerChildCreateAuthorization(keyStore); + } - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseGroupOperation(Operation.CREATE, "testGroup"); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.GROUP), eq(properties)); + public void testAuthoriseCreateTrustStore() + { + TrustStore trustStore = mock(TrustStore.class); + when(trustStore.getParent(Broker.class)).thenReturn(_broker); + when(trustStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST"); + when(trustStore.getCategoryClass()).thenReturn(TrustStore.class); + + assertBrokerChildCreateAuthorization(trustStore); } - public void testAuthoriseUserOperation() + public void testAuthoriseCreateGroup() { - ObjectProperties properties = new ObjectProperties("testUser"); + GroupProvider groupProvider = mock(GroupProvider.class); + when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class); + when(groupProvider.getAttribute(GroupProvider.NAME)).thenReturn("testGroupProvider"); + when(groupProvider.getModel()).thenReturn(BrokerModel.getInstance()); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseUserOperation(Operation.CREATE, "testUser"); - verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.USER), eq(properties)); + Group group = mock(Group.class); + 
when(group.getCategoryClass()).thenReturn(Group.class); + when(group.getParent(GroupProvider.class)).thenReturn(groupProvider); + when(group.getAttribute(Group.NAME)).thenReturn("test"); - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authoriseUserOperation(Operation.CREATE, "testUser"); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.USER), eq(properties)); + assertCreateAuthorization(group, Operation.CREATE, ObjectType.GROUP, new ObjectProperties("test"), groupProvider); } - public void testAuthorisePublish() + public void testAuthoriseCreateGroupMember() { - String routingKey = "routingKey"; - String exchangeName = "exchangeName"; - boolean immediate = true; - ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate); + Group group = mock(Group.class); + when(group.getCategoryClass()).thenReturn(Group.class); + when(group.getAttribute(Group.NAME)).thenReturn("testGroup"); + when(group.getModel()).thenReturn(BrokerModel.getInstance()); - configureAccessPlugin(Result.ALLOWED); - _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST); - verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties)); + GroupMember groupMember = mock(GroupMember.class); + when(groupMember.getCategoryClass()).thenReturn(GroupMember.class); + when(groupMember.getParent(Group.class)).thenReturn(group); + when(groupMember.getAttribute(Group.NAME)).thenReturn("test"); - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST); - fail("AccessControlException is expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties)); + 
assertCreateAuthorization(groupMember, Operation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"), group); } - public void testAuthorisePurge() + public void testAuthoriseCreateUser() { - AMQQueue<?> queue = mock(AMQQueue.class); - when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); + AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class); + when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class); + when(authenticationProvider.getAttribute(AuthenticationProvider.NAME)).thenReturn("testAuthenticationProvider"); + when(authenticationProvider.getModel()).thenReturn(BrokerModel.getInstance()); + + User user = mock(User.class); + when(user.getCategoryClass()).thenReturn(User.class); + when(user.getAttribute(User.NAME)).thenReturn("test"); + when(user.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider); + when(user.getModel()).thenReturn(BrokerModel.getInstance()); + + assertCreateAuthorization(user, Operation.CREATE, ObjectType.USER, new ObjectProperties("test"), authenticationProvider); + } - ObjectProperties properties = createExpectedQueueObjectProperties(); + public void testAuthoriseCreateVirtualHost() + { + VirtualHost vh = getMockVirtualHost(); + assertCreateAuthorization(vh, Operation.CREATE, ObjectType.VIRTUALHOST, new ObjectProperties(TEST_VIRTUAL_HOST), _virtualHostNode); + } - configureAccessPlugin(Result.ALLOWED); - _securityManager.authorisePurge(queue); - verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties)); + public void testAuthoriseUpdateVirtualHostNode() + { + VirtualHostNode vhn = getMockVirtualHostNode(); + assertUpdateAuthorization(vhn, Operation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn); + } - configureAccessPlugin(Result.DENIED); - try - { - _securityManager.authorisePurge(queue); - fail("AccessControlException is 
expected"); - } - catch(AccessControlException e) - { - // pass - } - verify(_accessControl, times(2)).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties)); + public void testAuthoriseUpdatePort() + { + Port mock = mock(Port.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(Port.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); } + public void testAuthoriseUpdateAuthenticationProvider() + { + AuthenticationProvider mock = mock(AuthenticationProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); + } - public void testAuthoriseUnbind() + public void testAuthoriseUpdateGroupProvider() + { + GroupProvider mock = mock(GroupProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(GroupProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); + } + + public void testAuthoriseUpdateAccessControlProvider() + { + AccessControlProvider mock = mock(AccessControlProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); + } + + public void testAuthoriseUpdateKeyStore() + { + KeyStore mock = mock(KeyStore.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(KeyStore.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); + } + + public void testAuthoriseUpdateTrustStore() { - 
ExchangeImpl exchange = mock(ExchangeImpl.class); + TrustStore mock = mock(TrustStore.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(TrustStore.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildUpdateAuthorization(mock); + } + + public void testAuthoriseUpdateGroup() + { + GroupProvider groupProvider = mock(GroupProvider.class); + when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class); + when(groupProvider.getName()).thenReturn("testGroupProvider"); + Group mock = mock(Group.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(Group.class); + when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, groupProvider); + } + + public void testAuthoriseUpdateGroupMember() + { + Group group = mock(Group.class); + when(group.getCategoryClass()).thenReturn(Group.class); + when(group.getName()).thenReturn("testGroup"); + GroupMember mock = mock(GroupMember.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(GroupMember.class); + when(mock.getParent(Group.class)).thenReturn(group); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group); + } + + public void testAuthoriseUpdateUser() + { + AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class); + when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class); + when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider"); + User mock = mock(User.class); + 
when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(User.class); + when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.USER, properties, authenticationProvider); + } + + public void testAuthoriseUpdateVirtualHost() + { + VirtualHostNode vhn = getMockVirtualHostNode(); + + VirtualHost mock = mock(VirtualHost.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(VirtualHost.class); + when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhn); + } + + public void testAuthoriseDeleteVirtualHostNode() + { + VirtualHostNode vhn = getMockVirtualHostNode(); + assertDeleteAuthorization(vhn, Operation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn); + } + + public void testAuthoriseDeletePort() + { + Port mock = mock(Port.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(Port.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteAuthenticationProvider() + { + AuthenticationProvider mock = mock(AuthenticationProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteGroupProvider() + { + GroupProvider mock = 
mock(GroupProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(GroupProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteAccessControlProvider() + { + AccessControlProvider mock = mock(AccessControlProvider.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteKeyStore() + { + KeyStore mock = mock(KeyStore.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(KeyStore.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteTrustStore() + { + TrustStore mock = mock(TrustStore.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(TrustStore.class); + when(mock.getParent(Broker.class)).thenReturn(_broker); + assertBrokerChildDeleteAuthorization(mock); + } + + public void testAuthoriseDeleteGroup() + { + GroupProvider groupProvider = mock(GroupProvider.class); + when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class); + when(groupProvider.getName()).thenReturn("testGroupProvider"); + Group mock = mock(Group.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(Group.class); + when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.GROUP, properties, groupProvider); + } + + 
public void testAuthoriseDeleteGroupMember() + { + Group group = mock(Group.class); + when(group.getCategoryClass()).thenReturn(Group.class); + when(group.getName()).thenReturn("testGroup"); + GroupMember mock = mock(GroupMember.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(GroupMember.class); + when(mock.getParent(Group.class)).thenReturn(group); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertDeleteAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group); + } + + public void testAuthoriseDeleteUser() + { + AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class); + when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class); + when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider"); + User mock = mock(User.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(User.class); + when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.USER, properties, authenticationProvider); + } + + public void testAuthoriseDeleteVirtualHost() + { + VirtualHostNode vhn = getMockVirtualHostNode(); + + VirtualHost mock = mock(VirtualHost.class); + when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test"); + when(mock.getCategoryClass()).thenReturn(VirtualHost.class); + when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn); + ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME)); + assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhn); + } + + public void testAuthoriseDeleteBinding() + { + Exchange 
exchange = mock(Exchange.class); when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(exchange.getName()).thenReturn(TEST_EXCHANGE); + when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE); + when(exchange.getCategoryClass()).thenReturn(Exchange.class); - AMQQueue<?> queue = mock(AMQQueue.class); + Queue queue = mock(Queue.class); when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost); - when(queue.getName()).thenReturn(TEST_QUEUE); - when(queue.isDurable()).thenReturn(true); - when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE); + when(queue.getAttribute(Queue.DURABLE)).thenReturn(true); + when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT); + when(queue.getCategoryClass()).thenReturn(Queue.class); - BindingImpl binding = mock(BindingImpl.class); - when(binding.getExchange()).thenReturn(exchange); - when(binding.getAMQQueue()).thenReturn(queue); - when(binding.getBindingKey()).thenReturn("bindingKey"); + Binding binding = mock(Binding.class); + when(binding.getParent(Exchange.class)).thenReturn(exchange); + when(binding.getParent(Queue.class)).thenReturn(queue); + when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey"); + when(binding.getCategoryClass()).thenReturn(Binding.class); ObjectProperties properties = new ObjectProperties(); properties.put(Property.NAME, TEST_EXCHANGE); 
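Review bot: The three group-member tests (testAuthoriseCreateGroupMember, testAuthoriseUpdateGroupMember, testAuthoriseDeleteGroupMember) expect the `UPDATE` / `GROUP` check to be made with `new ObjectProperties("test")`, which is the member's name, although the parent group is stubbed as "testGroup". If SecurityManager really keys the check on the member name, an ACL rule written against a group name would presumably be compared with member names, so it is worth confirming that this is the intended contract before the tests pin it. If it is intended, state it next to the expectation, e.g. `// membership changes are authorised as UPDATE on GROUP, keyed by the member name`; if not, the expected value should be `new ObjectProperties("testGroup")`. The create variant also stubs the member's name through `Group.NAME`, where `ConfiguredObject.NAME` as in the update and delete variants would read more clearly.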
@@ -496,35 +812,141 @@ public class SecurityManagerTest extends QpidTestCase properties.put(Property.TEMPORARY, false); properties.put(Property.DURABLE, true); + assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue); + } + + private VirtualHost getMockVirtualHost() + { + VirtualHost vh = mock(VirtualHost.class); + when(vh.getCategoryClass()).thenReturn(VirtualHost.class); + when(vh.getName()).thenReturn(TEST_VIRTUAL_HOST); + when(vh.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST); + when(vh.getParent(VirtualHostNode.class)).thenReturn(_virtualHostNode); + when(vh.getModel()).thenReturn(BrokerModel.getInstance()); + return vh; + } + + private VirtualHostNode getMockVirtualHostNode() + { + VirtualHostNode vhn = mock(VirtualHostNode.class); + when(vhn.getCategoryClass()).thenReturn(VirtualHostNode.class); + when(vhn.getName()).thenReturn("testVHN"); + when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN"); + when(vhn.getParent(Broker.class)).thenReturn(_broker); + when(vhn.getModel()).thenReturn(BrokerModel.getInstance()); + return vhn; + } + + private void assertBrokerChildCreateAuthorization(ConfiguredObject object) + { + String description = String.format("%s %s '%s'", + Operation.CREATE.name().toLowerCase(), + object.getCategoryClass().getSimpleName().toLowerCase(), + "TEST"); + ObjectProperties properties = new OperationLoggingDetails(description); + assertCreateAuthorization(object, Operation.CONFIGURE, ObjectType.BROKER, properties, _broker ); + } + + private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject) + { + String description = String.format("%s %s '%s'", + Operation.UPDATE.name().toLowerCase(), + configuredObject.getCategoryClass().getSimpleName().toLowerCase(), + configuredObject.getAttribute(ConfiguredObject.NAME)); + ObjectProperties properties = new OperationLoggingDetails(description); + + assertUpdateAuthorization(configuredObject, 
Operation.CONFIGURE, ObjectType.BROKER, + properties, _broker ); + } + + private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject) + { + String description = String.format("%s %s '%s'", + Operation.DELETE.name().toLowerCase(), + configuredObject.getCategoryClass().getSimpleName().toLowerCase(), + configuredObject.getAttribute(ConfiguredObject.NAME)); + ObjectProperties properties = new OperationLoggingDetails(description); + + assertDeleteAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER, + properties, _broker ); + } + private void assertAuthorization(Operation operation, ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects) + { configureAccessPlugin(Result.ALLOWED); - _securityManager.authoriseUnbind(binding); - verify(_accessControl).authorise(eq(Operation.UNBIND), eq(ObjectType.EXCHANGE), eq(properties)); + _securityManager.authorise(operation, configuredObject); + verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); configureAccessPlugin(Result.DENIED); try { - _securityManager.authoriseUnbind(binding); + _securityManager.authorise(operation, configuredObject); fail("AccessControlException is expected"); } catch(AccessControlException e) { - // pass + String expectedMessage = "Permission " + aclOperation.name() + " " + + aclObjectType.name() +" is denied for : " + operation.name() + " " + + configuredObject.getCategoryClass().getSimpleName() + " '" + + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on"; + + assertTrue("Unexpected exception message: " + e.getMessage() + " vs " + expectedMessage, + e.getMessage().startsWith(expectedMessage)); + for (ConfiguredObject object: objects) + { + String parentInfo = object.getCategoryClass().getSimpleName() + " '" + + object.getAttribute(ConfiguredObject.NAME) + "'"; + assertTrue("Exception message does not contain 
information about parent object " + + object.getCategoryClass() + " " + object.getAttribute(ConfiguredObject.NAME) + ":" + + e.getMessage(), + e.getMessage().contains(parentInfo)); + } } - verify(_accessControl, times(2)).authorise(eq(Operation.UNBIND), eq(ObjectType.EXCHANGE), eq(properties)); + + verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); } - public void testAuthoriseConfiguringBroker() + private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects) { - OperationLoggingDetails properties = new OperationLoggingDetails("create virtualhost 'test'"); + assertAuthorization(Operation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects); + } + private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects) + { + assertAuthorization(Operation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects); + } + + private void assertCreateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject<?>... 
parents) + { configureAccessPlugin(Result.ALLOWED); - assertTrue(_securityManager.authoriseConfiguringBroker("test", VirtualHost.class, Operation.CREATE)); - verify(_accessControl).authorise(eq(Operation.CONFIGURE), eq(ObjectType.BROKER), eq(properties)); + _securityManager.authorise(Operation.CREATE, configuredObject); + verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); configureAccessPlugin(Result.DENIED); - assertFalse(_securityManager.authoriseConfiguringBroker("test", VirtualHost.class, Operation.CREATE)); - verify(_accessControl, times(2)).authorise(eq(Operation.CONFIGURE), eq(ObjectType.BROKER), eq(properties)); + try + { + _securityManager.authorise(Operation.CREATE, configuredObject); + fail("AccessControlException is expected"); + } + catch(AccessControlException e) + { + String expectedMessage = "Permission " + aclOperation.name() + " " + + aclObjectType.name() +" is denied for : CREATE " + configuredObject.getCategoryClass().getSimpleName() + " '" + + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on"; + + assertTrue("Unexpected exception message", e.getMessage().startsWith(expectedMessage)); + for (ConfiguredObject object: parents) + { + String parentInfo = object.getCategoryClass().getSimpleName() + " '" + + object.getAttribute(ConfiguredObject.NAME) + "'"; + assertTrue("Exception message does not contain information about parent configuredObject " + + parentInfo + ": " + + e.getMessage(), + e.getMessage().contains(parentInfo)); + } + } + + verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties)); } public void testAuthoriseLogsAccess() 
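Review bot: `assertCreateAuthorization` repeats the body of `assertAuthorization` almost line for line, with `Operation.CREATE` hard-coded and a weaker failure message (`"Unexpected exception message"` without the actual text). Since `assertAuthorization` already builds the same expected prefix from `operation.name()`, the create helper could be a one-line delegate like the delete and update helpers: `assertAuthorization(Operation.CREATE, configuredObject, aclOperation, aclObjectType, expectedProperties, parents);`. That keeps the allow and deny checks for all three operations in one place, so a later change to the denial message or to the expected number of `authorise` calls cannot leave the create path checked differently. Separately, `assertBrokerChildCreateAuthorization` builds its description with the literal `"TEST"` while the update and delete variants read `getAttribute(ConfiguredObject.NAME)`; its callers are outside this hunk, so confirm they all use that name or read it from the object.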
@@ -548,7 +970,7 @@ public class SecurityManagerTest extends QpidTestCase ObjectProperties properties = new ObjectProperties(); properties.put(Property.NAME, TEST_EXCHANGE); properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST); - properties.put(Property.AUTO_DELETE, false); + properties.put(Property.AUTO_DELETE, true); properties.put(Property.TEMPORARY, true); properties.put(Property.DURABLE, false); properties.put(Property.TYPE, TEST_EXCHANGE_TYPE); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java index 2f44218cf1..0f256d0999 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/util/BrokerTestHelper.java @@ -196,7 +196,10 @@ public class BrokerTestHelper public static ExchangeImpl<?> createExchange(String hostName, final boolean durable, final EventLogger eventLogger) throws Exception { - SecurityManager securityManager = new SecurityManager(mock(Broker.class), false); + Broker broker = mock(Broker.class); + when(broker.getModel()).thenReturn(BrokerModel.getInstance()); + when(broker.getCategoryClass()).thenReturn(Broker.class); + SecurityManager securityManager = new SecurityManager(broker, false); final VirtualHostImpl<?,?,?> virtualHost = mock(VirtualHostImpl.class); when(virtualHost.getName()).thenReturn(hostName); when(virtualHost.getSecurityManager()).thenReturn(securityManager); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/AbstractVirtualHostTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/AbstractVirtualHostTest.java index 889097f850..1231f5393e 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/AbstractVirtualHostTest.java 
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/AbstractVirtualHostTest.java @@ -50,12 +50,11 @@ import org.apache.qpid.server.security.SecurityManager; import org.apache.qpid.server.store.DurableConfigurationStore; import org.apache.qpid.server.store.MessageStore; import org.apache.qpid.test.utils.QpidTestCase; -import org.mockito.verification.VerificationMode; public class AbstractVirtualHostTest extends QpidTestCase { private TaskExecutor _taskExecutor; - private VirtualHostNode<?> _node; + private VirtualHostNode _node; private MessageStore _failingStore; @Override @@ -78,6 +77,7 @@ public class AbstractVirtualHostTest extends QpidTestCase when(_node.getModel()).thenReturn(BrokerModel.getInstance()); when(_node.getTaskExecutor()).thenReturn(_taskExecutor); when(_node.getConfigurationStore()).thenReturn(mock(DurableConfigurationStore.class)); + when(_node.getCategoryClass()).thenReturn(VirtualHostNode.class); _failingStore = mock(MessageStore.class); doThrow(new RuntimeException("Cannot open store")).when(_failingStore).openMessageStore(any(ConfiguredObject.class)); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/VirtualHostQueueCreationTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/VirtualHostQueueCreationTest.java index 78793726a8..fd6748f500 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/VirtualHostQueueCreationTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhost/VirtualHostQueueCreationTest.java 
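Review bot: The field change from `VirtualHostNode<?> _node` to the raw `VirtualHostNode _node` in AbstractVirtualHostTest turns off generic checking for every use of the field, presumably only so that the new stub `when(_node.getCategoryClass()).thenReturn(VirtualHostNode.class)` in the second hunk compiles. Keeping the wildcard on the field and writing that one stub in Mockito's other form would be narrower: `doReturn(VirtualHostNode.class).when(_node).getCategoryClass();`. The class body continues outside both hunks, so other uses of `_node` that may rely on the raw type are not visible here.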
@@ -68,7 +68,6 @@ public class VirtualHostQueueCreationTest extends QpidTestCase EventLogger eventLogger = mock(EventLogger.class); SecurityManager securityManager = mock(SecurityManager.class); - when(securityManager.authoriseConfiguringBroker(anyString(),any(Class.class),any(Operation.class))).thenReturn(true); ConfiguredObjectFactory objectFactory = new ConfiguredObjectFactoryImpl(BrokerModel.getInstance()); _taskExecutor = new CurrentThreadTaskExecutor(); diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhostnode/AbstractStandardVirtualHostNodeTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhostnode/AbstractStandardVirtualHostNodeTest.java index b17f383217..e799f62d56 100644 --- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhostnode/AbstractStandardVirtualHostNodeTest.java +++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/virtualhostnode/AbstractStandardVirtualHostNodeTest.java @@ -49,7 +49,6 @@ import org.apache.qpid.server.model.SystemConfig; import org.apache.qpid.server.model.VirtualHost; import org.apache.qpid.server.model.VirtualHostNode; import org.apache.qpid.server.security.SecurityManager; -import org.apache.qpid.server.security.access.Operation; import org.apache.qpid.server.store.ConfiguredObjectRecord; import org.apache.qpid.server.store.DurableConfigurationStore; import org.apache.qpid.server.store.NullMessageStore; @@ -275,9 +274,7 @@ public class AbstractStandardVirtualHostNodeTest extends QpidTestCase node.open(); node.start(); - doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseVirtualHostNode( - TEST_VIRTUAL_HOST_NODE_NAME, - Operation.UPDATE); + doThrow(new AccessControlException("mocked ACL exception")).when(_mockSecurityManager).authoriseUpdate(node); assertNull(node.getDescription()); try 
@@ -307,9 +304,7 @@ public class AbstractStandardVirtualHostNodeTest extends QpidTestCase node.open(); node.start(); - doThrow(new AccessControlException("mocked ACL exception")).when(mockSecurityManager).authoriseVirtualHostNode( - TEST_VIRTUAL_HOST_NODE_NAME, - Operation.DELETE); + doThrow(new AccessControlException("mocked ACL exception")).when(mockSecurityManager).authoriseDelete(node); try { @@ -339,9 +334,7 @@ public class AbstractStandardVirtualHostNodeTest extends QpidTestCase node.open(); node.start(); - doThrow(new AccessControlException("mocked ACL exception")).when(mockSecurityManager).authoriseVirtualHostNode( - TEST_VIRTUAL_HOST_NODE_NAME, - Operation.UPDATE); + doThrow(new AccessControlException("mocked ACL exception")).when(mockSecurityManager).authoriseUpdate(node); try { |