Diffstat (limited to 'qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java')
-rw-r--r-- | qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java | 625 |
1 files changed, 602 insertions, 23 deletions
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java
index 5d23219336..220d2bc574 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/acl/BrokerACLTest.java
@@ -28,22 +28,32 @@ import java.util.List; import java.util.Map; import org.apache.commons.configuration.ConfigurationException; +import org.apache.qpid.server.model.AccessControlProvider; import org.apache.qpid.server.model.AuthenticationProvider; import org.apache.qpid.server.model.Broker; +import org.apache.qpid.server.model.GroupProvider; +import org.apache.qpid.server.model.KeyStore; import org.apache.qpid.server.model.Port; import org.apache.qpid.server.model.Protocol; +import org.apache.qpid.server.model.TrustStore; import org.apache.qpid.server.model.VirtualHost; +import org.apache.qpid.server.security.access.FileAccessControlProviderConstants; import org.apache.qpid.server.security.acl.AbstractACLTestCase; import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManagerFactory; import org.apache.qpid.server.security.auth.manager.PlainPasswordFileAuthenticationManagerFactory; +import org.apache.qpid.server.security.group.FileGroupManagerFactory; import org.apache.qpid.systest.rest.QpidRestTestCase; import org.apache.qpid.test.utils.TestBrokerConfiguration; import org.apache.qpid.test.utils.TestFileUtils; +import org.apache.qpid.test.utils.TestSSLConstants; +import org.codehaus.jackson.JsonGenerationException; +import org.codehaus.jackson.map.JsonMappingException; public class BrokerACLTest extends QpidRestTestCase { private static final String ALLOWED_USER = "user1"; private static final String DENIED_USER = "user2"; + private String _secondaryAclFileContent = ""; @Override protected void customizeConfiguration() throws ConfigurationException, IOException 
@@ -57,10 +67,18 @@ public class BrokerACLTest extends QpidRestTestCase "ACL DENY-LOG " + DENIED_USER + " CONFIGURE BROKER", "ACL DENY-LOG ALL ALL"); + _secondaryAclFileContent = + "ACL ALLOW-LOG ALL ACCESS MANAGEMENT\n" + + "ACL ALLOW-LOG " + ALLOWED_USER + " CONFIGURE BROKER\n" + + "ACL DENY-LOG " + DENIED_USER + " CONFIGURE BROKER\n" + + "ACL DENY-LOG ALL ALL"; + getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, "httpBasicAuthenticationEnabled", true); } + /* === AuthenticationProvider === */ + public void testCreateAuthenticationProviderAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); @@ -168,6 +186,8 @@ public class BrokerACLTest extends QpidRestTestCase provider.get(PlainPasswordFileAuthenticationManagerFactory.ATTRIBUTE_PATH)); } + /* === VirtualHost === */ + public void testCreateVirtualHostAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); @@ -218,6 +238,8 @@ public class BrokerACLTest extends QpidRestTestCase assertVirtualHostExists(TEST2_VIRTUALHOST); } + /* === Port === */ + public void testCreatePortAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); @@ -249,8 +271,6 @@ public class BrokerACLTest extends QpidRestTestCase String portName = TestBrokerConfiguration.ENTRY_NAME_AMQP_PORT; assertPortExists(portName); - restartBrokerInManagementMode(); - getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); int responseCode = getRestTestHelper().submitRequest("/rest/port/" + portName, "DELETE", null); 
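Review bot: Dropping `restartBrokerInManagementMode()` from the denied port-deletion test means the DELETE of the active `TestBrokerConfiguration.ENTRY_NAME_AMQP_PORT` now runs in normal mode, where, according to the TODO on the disabled allowed-test in the next hunk, deleting an active port is rejected regardless of ACL; the 403 asserted afterwards (outside this hunk) therefore proves ACL denial only if the authorization check runs before the active-port check. If that ordering ever changes the test still fails, but for a reason unrelated to access control, so the assumption is worth recording above the DELETE call: `// runs outside management mode: the ACL check must reject DENIED_USER before the active-port check would`. The enclosing test method's signature and its final assertions lie outside the hunk.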
@@ -259,15 +279,14 @@ public class BrokerACLTest extends QpidRestTestCase assertPortExists(portName); } - public void testDeletePortAllowed() throws Exception + // TODO: test disabled until allowing the deletion of active ports outside management mode + public void DISABLED_testDeletePortAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); String portName = TestBrokerConfiguration.ENTRY_NAME_AMQP_PORT; assertPortExists(portName); - restartBrokerInManagementMode(); - getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); int responseCode = getRestTestHelper().submitRequest("/rest/port/" + portName, "DELETE", null); @@ -276,7 +295,8 @@ public class BrokerACLTest extends QpidRestTestCase assertPortDoesNotExist(portName); } - public void testSetPortAttributesAllowed() throws Exception + // TODO: test disabled until allowing the updating of active ports outside management mode + public void DISABLED_testSetPortAttributesAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); @@ -287,7 +307,6 @@ public class BrokerACLTest extends QpidRestTestCase assertPortExists(portName); - restartBrokerInManagementMode(); Map<String, Object> attributes = new HashMap<String, Object>(); attributes.put(Port.NAME, portName); @@ -311,8 +330,6 @@ public class BrokerACLTest extends QpidRestTestCase assertPortExists(portName); - restartBrokerInManagementMode(); - getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); Map<String, Object> attributes = new HashMap<String, Object>(); 
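Review bot: Renaming testDeletePortAllowed and testSetPortAttributesAllowed to `DISABLED_...` leaves no test that ALLOWED_USER is actually granted port deletion or update, so the ACL ALLOW path for ports is now unexercised while the DENY path still is, and nothing will notice if a later change stops honouring the grant. Rather than targeting the active `TestBrokerConfiguration.ENTRY_NAME_AMQP_PORT`, the allowed tests could first create their own port with the existing `createPort(portName)` helper and delete or update that one; whether a freshly created port counts as active outside management mode cannot be verified from this file, but if it does not, that keeps the positive check running. If the tests must remain disabled, the two near-identical TODOs should state the single condition for re-enabling them, e.g. `// TODO: re-enable once active ports can be deleted/updated outside management mode`.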
@@ -327,48 +344,541 @@ public class BrokerACLTest extends QpidRestTestCase TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER, port.get(Port.AUTHENTICATION_PROVIDER)); } + /* === KeyStore === */ + + public void testCreateKeyStoreAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String keyStoreName = getTestName(); + + assertKeyStoreExistence(keyStoreName, false); + + int responseCode = createKeyStore(keyStoreName, "app1"); + assertEquals("keyStore creation should be allowed", 201, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + } + + public void testCreateKeyStoreDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String keyStoreName = getTestName(); + + assertKeyStoreExistence(keyStoreName, false); + + int responseCode = createKeyStore(keyStoreName, "app1"); + assertEquals("keyStore creation should be allowed", 403, responseCode); + + assertKeyStoreExistence(keyStoreName, false); + } + + public void testDeleteKeyStoreDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String keyStoreName = getTestName(); + + assertKeyStoreExistence(keyStoreName, false); + + int responseCode = createKeyStore(keyStoreName, "app1"); + assertEquals("keyStore creation should be allowed", 201, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/keystore/" + keyStoreName, "DELETE", null); + assertEquals("keystore deletion should be denied", 403, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + } + + public void testDeleteKeyStoreAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String keyStoreName = getTestName(); + + assertKeyStoreExistence(keyStoreName, false); + + int 
responseCode = createKeyStore(keyStoreName, "app1"); + assertEquals("keyStore creation should be allowed", 201, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/keystore/" + keyStoreName, "DELETE", null); + assertEquals("keystore deletion should be allowed", 200, responseCode); + + assertKeyStoreExistence(keyStoreName, false); + } + + public void testSetKeyStoreAttributesAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String keyStoreName = getTestName(); + String initialCertAlias = "app1"; + String updatedCertAlias = "app2"; + + assertKeyStoreExistence(keyStoreName, false); + + int responseCode = createKeyStore(keyStoreName, initialCertAlias); + assertEquals("keyStore creation should be allowed", 201, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + Map<String, Object> keyStore = getRestTestHelper().getJsonAsSingletonList("/rest/keystore/" + keyStoreName); + assertEquals("Unexpected certificateAlias attribute value", initialCertAlias, keyStore.get(KeyStore.CERTIFICATE_ALIAS)); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(KeyStore.NAME, keyStoreName); + attributes.put(KeyStore.CERTIFICATE_ALIAS, updatedCertAlias); + responseCode = getRestTestHelper().submitRequest("/rest/keystore/" + keyStoreName, "PUT", attributes); + assertEquals("Setting of keystore attributes should be allowed", 200, responseCode); + + keyStore = getRestTestHelper().getJsonAsSingletonList("/rest/keystore/" + keyStoreName); + assertEquals("Unexpected certificateAlias attribute value", updatedCertAlias, keyStore.get(KeyStore.CERTIFICATE_ALIAS)); + } + + public void testSetKeyStoreAttributesDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String keyStoreName = getTestName(); + 
String initialCertAlias = "app1"; + String updatedCertAlias = "app2"; + + assertKeyStoreExistence(keyStoreName, false); + + int responseCode = createKeyStore(keyStoreName, initialCertAlias); + assertEquals("keyStore creation should be allowed", 201, responseCode); + + assertKeyStoreExistence(keyStoreName, true); + Map<String, Object> keyStore = getRestTestHelper().getJsonAsSingletonList("/rest/keystore/" + keyStoreName); + assertEquals("Unexpected certificateAlias attribute value", initialCertAlias, keyStore.get(KeyStore.CERTIFICATE_ALIAS)); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(KeyStore.NAME, keyStoreName); + attributes.put(KeyStore.CERTIFICATE_ALIAS, updatedCertAlias); + responseCode = getRestTestHelper().submitRequest("/rest/keystore/" + keyStoreName, "PUT", attributes); + assertEquals("Setting of keystore attributes should be denied", 403, responseCode); + + keyStore = getRestTestHelper().getJsonAsSingletonList("/rest/keystore/" + keyStoreName); + assertEquals("Unexpected certificateAlias attribute value", initialCertAlias, keyStore.get(KeyStore.CERTIFICATE_ALIAS)); + } + + /* === TrustStore === */ + + public void testCreateTrustStoreAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String trustStoreName = getTestName(); + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, false); + assertEquals("trustStore creation should be allowed", 201, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + } + + public void testCreateTrustStoreDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String trustStoreName = getTestName(); + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, false); + 
assertEquals("trustStore creation should be allowed", 403, responseCode); + + assertTrustStoreExistence(trustStoreName, false); + } + + public void testDeleteTrustStoreDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String trustStoreName = getTestName(); + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, false); + assertEquals("trustStore creation should be allowed", 201, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/truststore/" + trustStoreName, "DELETE", null); + assertEquals("truststore deletion should be denied", 403, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + } + + public void testDeleteTrustStoreAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String trustStoreName = getTestName(); + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, false); + assertEquals("trustStore creation should be allowed", 201, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/truststore/" + trustStoreName, "DELETE", null); + assertEquals("truststore deletion should be allowed", 200, responseCode); + + assertTrustStoreExistence(trustStoreName, false); + } + + public void testSetTrustStoreAttributesAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String trustStoreName = getTestName(); + boolean initialPeersOnly = false; + boolean updatedPeersOnly = true; + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, 
initialPeersOnly); + assertEquals("trustStore creation should be allowed", 201, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + Map<String, Object> trustStore = getRestTestHelper().getJsonAsSingletonList("/rest/truststore/" + trustStoreName); + assertEquals("Unexpected peersOnly attribute value", initialPeersOnly, trustStore.get(TrustStore.PEERS_ONLY)); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(TrustStore.NAME, trustStoreName); + attributes.put(TrustStore.PEERS_ONLY, updatedPeersOnly); + responseCode = getRestTestHelper().submitRequest("/rest/truststore/" + trustStoreName, "PUT", attributes); + assertEquals("Setting of truststore attributes should be allowed", 200, responseCode); + + trustStore = getRestTestHelper().getJsonAsSingletonList("/rest/truststore/" + trustStoreName); + assertEquals("Unexpected peersOnly attribute value", updatedPeersOnly, trustStore.get(TrustStore.PEERS_ONLY)); + } + + public void testSetTrustStoreAttributesDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String trustStoreName = getTestName(); + boolean initialPeersOnly = false; + boolean updatedPeersOnly = true; + + assertTrustStoreExistence(trustStoreName, false); + + int responseCode = createTrustStore(trustStoreName, initialPeersOnly); + assertEquals("trustStore creation should be allowed", 201, responseCode); + + assertTrustStoreExistence(trustStoreName, true); + Map<String, Object> trustStore = getRestTestHelper().getJsonAsSingletonList("/rest/truststore/" + trustStoreName); + assertEquals("Unexpected peersOnly attribute value", initialPeersOnly, trustStore.get(TrustStore.PEERS_ONLY)); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(TrustStore.NAME, trustStoreName); + attributes.put(TrustStore.PEERS_ONLY, updatedPeersOnly); + responseCode = 
getRestTestHelper().submitRequest("/rest/truststore/" + trustStoreName, "PUT", attributes); + assertEquals("Setting of truststore attributes should be denied", 403, responseCode); + + trustStore = getRestTestHelper().getJsonAsSingletonList("/rest/truststore/" + trustStoreName); + assertEquals("Unexpected peersOnly attribute value", initialPeersOnly, trustStore.get(TrustStore.PEERS_ONLY)); + } + + /* === Broker === */ + public void testSetBrokerAttributesAllowed() throws Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); - String defaultAuthenticationProvider = TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER; + int initialAlertRepeatGap = 30000; + int updatedAlertRepeatGap = 29999; + Map<String, Object> brokerAttributes = getRestTestHelper().getJsonAsSingletonList("/rest/broker"); - assertEquals("Unexpected authentication provider", defaultAuthenticationProvider, - brokerAttributes.get(Broker.DEFAULT_AUTHENTICATION_PROVIDER)); - restartBrokerInManagementMode(); + assertEquals("Unexpected alert repeat gap", initialAlertRepeatGap, + brokerAttributes.get(Broker.QUEUE_ALERT_REPEAT_GAP)); Map<String, Object> newAttributes = new HashMap<String, Object>(); - newAttributes.put(Broker.DEFAULT_AUTHENTICATION_PROVIDER, ANONYMOUS_AUTHENTICATION_PROVIDER); + newAttributes.put(Broker.QUEUE_ALERT_REPEAT_GAP, updatedAlertRepeatGap); + int responseCode = getRestTestHelper().submitRequest("/rest/broker", "PUT", newAttributes); assertEquals("Setting of port attribites should be allowed", 200, responseCode); brokerAttributes = getRestTestHelper().getJsonAsSingletonList("/rest/broker"); - assertEquals("Unexpected default authentication provider attribute value", ANONYMOUS_AUTHENTICATION_PROVIDER, - brokerAttributes.get(Broker.DEFAULT_AUTHENTICATION_PROVIDER)); + assertEquals("Unexpected default alert repeat gap", updatedAlertRepeatGap, + brokerAttributes.get(Broker.QUEUE_ALERT_REPEAT_GAP)); } public void testSetBrokerAttributesDenied() throws 
Exception { getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); - String defaultAuthenticationProvider = TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER; + int initialAlertRepeatGap = 30000; + int updatedAlertRepeatGap = 29999; Map<String, Object> brokerAttributes = getRestTestHelper().getJsonAsSingletonList("/rest/broker"); - assertEquals("Unexpected authentication provider", defaultAuthenticationProvider, - brokerAttributes.get(Broker.DEFAULT_AUTHENTICATION_PROVIDER)); - restartBrokerInManagementMode(); + assertEquals("Unexpected alert repeat gap", initialAlertRepeatGap, + brokerAttributes.get(Broker.QUEUE_ALERT_REPEAT_GAP)); getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); Map<String, Object> newAttributes = new HashMap<String, Object>(); - newAttributes.put(Broker.DEFAULT_AUTHENTICATION_PROVIDER, ANONYMOUS_AUTHENTICATION_PROVIDER); + newAttributes.put(Broker.QUEUE_ALERT_REPEAT_GAP, updatedAlertRepeatGap); + int responseCode = getRestTestHelper().submitRequest("/rest/broker", "PUT", newAttributes); assertEquals("Setting of port attribites should be allowed", 403, responseCode); brokerAttributes = getRestTestHelper().getJsonAsSingletonList("/rest/broker"); - assertEquals("Unexpected default authentication provider attribute value", defaultAuthenticationProvider, - brokerAttributes.get(Broker.DEFAULT_AUTHENTICATION_PROVIDER)); + assertEquals("Unexpected default alert repeat gap", initialAlertRepeatGap, + brokerAttributes.get(Broker.QUEUE_ALERT_REPEAT_GAP)); + } + + /* === GroupProvider === */ + + public void testCreateGroupProviderAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be allowed", 201, responseCode); + + 
assertGroupProviderExistence(groupProviderName, true); } + public void testCreateGroupProviderDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be denied", 403, responseCode); + + assertGroupProviderExistence(groupProviderName, false); + } + + public void testDeleteGroupProviderDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be allowed", 201, responseCode); + + assertGroupProviderExistence(groupProviderName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/groupprovider/" + groupProviderName, "DELETE", null); + assertEquals("Group provider deletion should be denied", 403, responseCode); + + assertGroupProviderExistence(groupProviderName, true); + } + + public void testDeleteGroupProviderAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be allowed", 201, responseCode); + + assertGroupProviderExistence(groupProviderName, true); + + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/groupprovider/" + groupProviderName, "DELETE", null); + assertEquals("Group provider deletion should be allowed", 200, 
responseCode); + + assertGroupProviderExistence(groupProviderName, false); + } + + public void testSetGroupProviderAttributesAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be allowed", 201, responseCode); + + assertGroupProviderExistence(groupProviderName, true); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(GroupProvider.NAME, groupProviderName); + attributes.put(GroupProvider.TYPE, FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE); + attributes.put(FileGroupManagerFactory.PATH, "/path/to/file"); + responseCode = getRestTestHelper().submitRequest("/rest/groupprovider/" + groupProviderName, "PUT", attributes); + assertEquals("Setting of group provider attributes should be allowed but not supported", 409, responseCode); + } + + public void testSetGroupProviderAttributesDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String groupProviderName = getTestName(); + + assertGroupProviderExistence(groupProviderName, false); + + int responseCode = createGroupProvider(groupProviderName); + assertEquals("Group provider creation should be allowed", 201, responseCode); + + assertGroupProviderExistence(groupProviderName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(GroupProvider.NAME, groupProviderName); + attributes.put(GroupProvider.TYPE, FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE); + attributes.put(FileGroupManagerFactory.PATH, "/path/to/file"); + responseCode = getRestTestHelper().submitRequest("/rest/groupprovider/" + groupProviderName, "PUT", attributes); + assertEquals("Setting of 
group provider attributes should be denied", 403, responseCode); + } + + /* === AccessControlProvider === */ + + public void testCreateAccessControlProviderAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be allowed", 201, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, true); + } + + public void testCreateAccessControlProviderDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be denied", 403, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, false); + } + + public void testDeleteAccessControlProviderDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be allowed", 201, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + responseCode = getRestTestHelper().submitRequest("/rest/accesscontrolprovider/" + accessControlProviderName, "DELETE", null); + assertEquals("Access control provider deletion should be denied", 403, responseCode); + + 
assertAccessControlProviderExistence(accessControlProviderName, true); + } + + public void testDeleteAccessControlProviderAllowed() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be allowed", 201, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, true); + + responseCode = getRestTestHelper().submitRequest("/rest/accesscontrolprovider/" + accessControlProviderName, "DELETE", null); + assertEquals("Access control provider deletion should be allowed", 200, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, false); + } + + public void testSetAccessControlProviderAttributesAllowedButUnsupported() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be allowed", 201, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, true); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(GroupProvider.NAME, accessControlProviderName); + attributes.put(GroupProvider.TYPE, FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE); + attributes.put(FileGroupManagerFactory.PATH, "/path/to/file"); + responseCode = getRestTestHelper().submitRequest("/rest/accesscontrolprovider/" + accessControlProviderName, "PUT", attributes); + assertEquals("Setting of access control provider attributes should be allowed but not supported", 409, responseCode); + } + + public 
void testSetAccessControlProviderAttributesDenied() throws Exception + { + getRestTestHelper().setUsernameAndPassword(ALLOWED_USER, ALLOWED_USER); + + String accessControlProviderName = getTestName(); + + assertAccessControlProviderExistence(accessControlProviderName, false); + + int responseCode = createAccessControlProvider(accessControlProviderName); + assertEquals("Access control provider creation should be allowed", 201, responseCode); + + assertAccessControlProviderExistence(accessControlProviderName, true); + + getRestTestHelper().setUsernameAndPassword(DENIED_USER, DENIED_USER); + + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(GroupProvider.NAME, accessControlProviderName); + attributes.put(GroupProvider.TYPE, FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE); + attributes.put(FileGroupManagerFactory.PATH, "/path/to/file"); + responseCode = getRestTestHelper().submitRequest("/rest/accesscontrolprovider/" + accessControlProviderName, "PUT", attributes); + assertEquals("Setting of access control provider attributes should be denied", 403, responseCode); + } + + /* === Utility Methods === */ + private int createPort(String portName) throws Exception { Map<String, Object> attributes = new HashMap<String, Object>(); 
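Review bot: testSetAccessControlProviderAttributesAllowedButUnsupported and its Denied twin PUT group-provider attributes (`GroupProvider.TYPE`, `FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE`, `FileGroupManagerFactory.PATH`) to `/rest/accesscontrolprovider/...`, so the expected 409 may be produced by the type mismatch rather than by updates of an access control provider being unsupported, and a regression that starts accepting ACL-provider rewrites over REST could slip through unnoticed. Use the constants createAccessControlProvider already uses: `attributes.put(AccessControlProvider.NAME, accessControlProviderName);`, `attributes.put(AccessControlProvider.TYPE, FileAccessControlProviderConstants.ACL_FILE_PROVIDER_TYPE);`, `attributes.put(FileAccessControlProviderConstants.PATH, "/path/to/file");` in both methods. Separately, testCreateKeyStoreDenied and testCreateTrustStoreDenied assert 403 under the message "... should be allowed"; change them to `"keyStore creation should be denied"` and `"trustStore creation should be denied"` so a failure reads correctly.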
@@ -395,6 +905,18 @@ public class BrokerACLTest extends QpidRestTestCase assertEquals("Unexpected result", exists, !hosts.isEmpty()); } + private void assertKeyStoreExistence(String keyStoreName, boolean exists) throws Exception + { + List<Map<String, Object>> keyStores = getRestTestHelper().getJsonAsList("/rest/keystore/" + keyStoreName); + assertEquals("Unexpected result", exists, !keyStores.isEmpty()); + } + + private void assertTrustStoreExistence(String trustStoreName, boolean exists) throws Exception + { + List<Map<String, Object>> trustStores = getRestTestHelper().getJsonAsList("/rest/truststore/" + trustStoreName); + assertEquals("Unexpected result", exists, !trustStores.isEmpty()); + } + private int createHost(String hostName) throws Exception { Map<String, Object> hostData = new HashMap<String, Object>(); 
@@ -452,4 +974,61 @@ public class BrokerACLTest extends QpidRestTestCase assertEquals("Unexpected result", exists, !providers.isEmpty()); } + private int createKeyStore(String name, String certAlias) throws IOException, JsonGenerationException, JsonMappingException + { + Map<String, Object> keyStoreAttributes = new HashMap<String, Object>(); + keyStoreAttributes.put(KeyStore.NAME, name); + keyStoreAttributes.put(KeyStore.PATH, TestSSLConstants.KEYSTORE); + keyStoreAttributes.put(KeyStore.PASSWORD, TestSSLConstants.KEYSTORE_PASSWORD); + keyStoreAttributes.put(KeyStore.CERTIFICATE_ALIAS, certAlias); + + return getRestTestHelper().submitRequest("/rest/keystore/" + name, "PUT", keyStoreAttributes); + } + + private int createTrustStore(String name, boolean peersOnly) throws IOException, JsonGenerationException, JsonMappingException + { + Map<String, Object> trustStoreAttributes = new HashMap<String, Object>(); + trustStoreAttributes.put(TrustStore.NAME, name); + trustStoreAttributes.put(TrustStore.PATH, TestSSLConstants.KEYSTORE); + trustStoreAttributes.put(TrustStore.PASSWORD, TestSSLConstants.KEYSTORE_PASSWORD); + trustStoreAttributes.put(TrustStore.PEERS_ONLY, peersOnly); + + return getRestTestHelper().submitRequest("/rest/truststore/" + name, "PUT", trustStoreAttributes); + } + + private void assertGroupProviderExistence(String groupProviderName, boolean exists) throws Exception + { + String path = "/rest/groupprovider/" + groupProviderName; + List<Map<String, Object>> providers = getRestTestHelper().getJsonAsList(path); + assertEquals("Unexpected result", exists, !providers.isEmpty()); + } + + private int createGroupProvider(String groupProviderName) throws Exception + { + File file = TestFileUtils.createTempFile(this, ".groups"); + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(GroupProvider.NAME, groupProviderName); + attributes.put(GroupProvider.TYPE, FileGroupManagerFactory.GROUP_FILE_PROVIDER_TYPE); + 
attributes.put(FileGroupManagerFactory.PATH, file.getAbsoluteFile()); + + return getRestTestHelper().submitRequest("/rest/groupprovider/" + groupProviderName, "PUT", attributes); + } + + private void assertAccessControlProviderExistence(String accessControlProviderName, boolean exists) throws Exception + { + String path = "/rest/accesscontrolprovider/" + accessControlProviderName; + List<Map<String, Object>> providers = getRestTestHelper().getJsonAsList(path); + assertEquals("Unexpected result", exists, !providers.isEmpty()); + } + + private int createAccessControlProvider(String accessControlProviderName) throws Exception + { + File file = TestFileUtils.createTempFile(this, ".acl", _secondaryAclFileContent); + Map<String, Object> attributes = new HashMap<String, Object>(); + attributes.put(AccessControlProvider.NAME, accessControlProviderName); + attributes.put(AccessControlProvider.TYPE, FileAccessControlProviderConstants.ACL_FILE_PROVIDER_TYPE); + attributes.put(FileAccessControlProviderConstants.PATH, file.getAbsoluteFile()); + + return getRestTestHelper().submitRequest("/rest/accesscontrolprovider/" + accessControlProviderName, "PUT", attributes); + } } |
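Review bot: createGroupProvider and createAccessControlProvider put a `java.io.File` (`file.getAbsoluteFile()`) into the attribute map that is then JSON-serialised for the PUT, so the path the broker receives depends on how the JSON mapper renders a File rather than on an explicit string; `attributes.put(FileGroupManagerFactory.PATH, file.getAbsolutePath());` and `attributes.put(FileAccessControlProviderConstants.PATH, file.getAbsolutePath());` make the payload unambiguous and keep it a plain string like the other path attributes presumably are. Separately, createTrustStore points the trust store at `TestSSLConstants.KEYSTORE` with the keystore password; that is enough for an existence/ACL check, but if the test constants offer a dedicated trust store it would be clearer to reference it, since a trust store that also holds the private key is not what the attribute is meant to model.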