diff options
Diffstat (limited to 'qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java')
-rw-r--r-- | qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java | 267 |
1 files changed, 267 insertions, 0 deletions
diff --git a/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java b/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java new file mode 100644 index 0000000000..5229146847 --- /dev/null +++ b/qpid/java/broker/src/test/java/org/apache/qpid/server/security/access/plugins/network/FirewallPluginTest.java @@ -0,0 +1,267 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + +package org.apache.qpid.server.security.access.plugins.network; + +import java.io.BufferedWriter; +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.net.Inet4Address; +import java.net.InetAddress; +import java.net.InetSocketAddress; + +import junit.framework.TestCase; + +import org.apache.commons.configuration.ConfigurationException; +import org.apache.commons.configuration.XMLConfiguration; +import org.apache.mina.common.IoSession; +import org.apache.qpid.codec.AMQCodecFactory; +import org.apache.qpid.server.protocol.AMQMinaProtocolSession; +import org.apache.qpid.server.protocol.TestIoSession; +import org.apache.qpid.server.security.access.ACLPlugin.AuthzResult; +import org.apache.qpid.server.store.TestableMemoryMessageStore; +import org.apache.qpid.server.virtualhost.VirtualHost; +import org.apache.qpid.server.virtualhost.VirtualHostRegistry; + +public class FirewallPluginTest extends TestCase +{ + + public class RuleInfo + { + private String _access; + private String _network; + private String _hostname; + + public void setAccess(String _access) + { + this._access = _access; + } + + public String getAccess() + { + return _access; + } + + public void setNetwork(String _network) + { + this._network = _network; + } + + public String getNetwork() + { + return _network; + } + + public void setHostname(String _hostname) + { + this._hostname = _hostname; + } + + public String getHostname() + { + return _hostname; + } + } + + private TestableMemoryMessageStore _store; + private VirtualHost _virtualHost; + private AMQMinaProtocolSession _session; + + @Override + public void setUp() throws Exception + { + _store = new TestableMemoryMessageStore(); + _virtualHost = new VirtualHost("vhost", _store); + TestIoSession iosession = new TestIoSession(); + iosession.setAddress("127.0.0.1"); + VirtualHostRegistry virtualHostRegistry = null; + AMQCodecFactory codecFactory = new AMQCodecFactory(true); + _session = new AMQMinaProtocolSession(iosession, virtualHostRegistry, codecFactory); + } + + private FirewallPlugin initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException + { + // Create sample config file + File confFile = File.createTempFile(getClass().getSimpleName()+"conffile", null); + confFile.deleteOnExit(); + BufferedWriter buf = new BufferedWriter(new FileWriter(confFile)); + buf.write("<firewall default-action=\""+defaultAction+"\">\n"); + if (rules != null) + { + for (RuleInfo rule : rules) + { + buf.write("<rule"); + buf.write(" access=\""+rule.getAccess()+"\""); + if (rule.getHostname() != null) + { + buf.write(" hostname=\""+rule.getHostname()+"\""); + } + if (rule.getNetwork() != null) + { + buf.write(" network=\""+rule.getNetwork()+"\""); + } + buf.write("/>\n"); + } + } + buf.write("</firewall>"); + buf.close(); + + // Configure plugin + FirewallPlugin plugin = new FirewallPlugin(); + plugin.setConfiguration(new XMLConfiguration(confFile)); + return plugin; + } + + private FirewallPlugin initialisePlugin(String string) throws ConfigurationException, IOException + { + return initialisePlugin(string, null); + } + + public void testDefaultAction() throws Exception + { + // Test simple deny + FirewallPlugin plugin = initialisePlugin("deny"); + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Test simple allow + plugin = initialisePlugin("allow"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + + public void testSingleIPRule() throws Exception + { + RuleInfo rule = new RuleInfo(); + rule.setAccess("allow"); + rule.setNetwork("192.168.23.23"); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("192.168.23.23"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testSingleNetworkRule() throws Exception + { + RuleInfo rule = new RuleInfo(); + rule.setAccess("allow"); + rule.setNetwork("192.168.23.0/24"); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("192.168.23.23"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testSingleHostRule() throws Exception + { + RuleInfo rule = new RuleInfo(); + rule.setAccess("allow"); + rule.setHostname(new InetSocketAddress("127.0.0.1", 5672).getHostName()); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("127.0.0.1"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testSingleHostWilcardRule() throws Exception + { + RuleInfo rule = new RuleInfo(); + rule.setAccess("allow"); + rule.setHostname(".*ocal.*"); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{rule}); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("127.0.0.1"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testSeveralFirstAllowsAccess() throws Exception + { + RuleInfo firstRule = new RuleInfo(); + firstRule.setAccess("allow"); + firstRule.setNetwork("192.168.23.23"); + + RuleInfo secondRule = new RuleInfo(); + secondRule.setAccess("deny"); + secondRule.setNetwork("192.168.42.42"); + + RuleInfo thirdRule = new RuleInfo(); + thirdRule.setAccess("deny"); + thirdRule.setHostname("localhost"); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); + + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("192.168.23.23"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testSeveralLastAllowsAccess() throws Exception + { + RuleInfo firstRule = new RuleInfo(); + firstRule.setAccess("deny"); + firstRule.setHostname("localhost"); + + RuleInfo secondRule = new RuleInfo(); + secondRule.setAccess("deny"); + secondRule.setNetwork("192.168.42.42"); + + RuleInfo thirdRule = new RuleInfo(); + thirdRule.setAccess("allow"); + thirdRule.setNetwork("192.168.23.23"); + + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); + + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("192.168.23.23"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + + public void testNetmask() throws Exception + { + RuleInfo firstRule = new RuleInfo(); + firstRule.setAccess("allow"); + firstRule.setNetwork("192.168.23.0/24"); + FirewallPlugin plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); + + assertEquals(AuthzResult.DENIED, plugin.authoriseConnect(_session, _virtualHost)); + + // Set session IP so that we're connected from the right address + ((TestIoSession) _session.getIOSession()).setAddress("192.168.23.23"); + assertEquals(AuthzResult.ALLOWED, plugin.authoriseConnect(_session, _virtualHost)); + } + +} |