From 45fc3b612fe45ec01db5e6e6e65661b5d8898f1b Mon Sep 17 00:00:00 2001
From: Alex Rudyy <orudyy@apache.org>
Date: Wed, 3 Apr 2013 11:50:36 +0000
Subject: QPID-4695: Add validation of configured object names and IDs

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1463933 13f79535-47bb-0310-9956-ffa450edef68
---
 .../main/java/resources/addAuthenticationProvider.html  |  2 +-
 .../src/main/java/resources/addExchange.html            |  2 +-
 .../src/main/java/resources/addPort.html                |  2 +-
 .../src/main/java/resources/addQueue.html               |  2 +-
 .../src/main/java/resources/addVirtualHost.html         |  2 +-
 .../qpid/server/model/adapter/AbstractAdapter.java      | 11 +++++++++++
 .../systest/rest/AuthenticationProviderRestTest.java    | 17 +++++++++++++++++
 7 files changed, 33 insertions(+), 5 deletions(-)

(limited to 'qpid')

diff --git a/qpid/java/broker-plugins/management-http/src/main/java/resources/addAuthenticationProvider.html b/qpid/java/broker-plugins/management-http/src/main/java/resources/addAuthenticationProvider.html
index f164ece082..90dd1f1090 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/resources/addAuthenticationProvider.html
+++ b/qpid/java/broker-plugins/management-http/src/main/java/resources/addAuthenticationProvider.html
@@ -25,7 +25,7 @@
                 <tr>
                     <td class="tableContainer-labelCell" style="width: 300px;">Name*:</td>
                     <td class="tableContainer-valueCell"><input type="text" required="true" name="name"
-                        id="formAddAuthenticationProvider.name" placeholder="Name"
+                        id="formAddAuthenticationProvider.name" placeholder="Name" regexp="^[\x20-\x2e\x30-\x7F]{1,255}$"
                         dojoType="dijit.form.ValidationTextBox" missingMessage="A name must be supplied" /></div></td>
                 </tr>
                 </table>
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/resources/addExchange.html b/qpid/java/broker-plugins/management-http/src/main/java/resources/addExchange.html
index 10ac5388ff..4a59cd2cbc 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/resources/addExchange.html
+++ b/qpid/java/broker-plugins/management-http/src/main/java/resources/addExchange.html
@@ -26,7 +26,7 @@
                     <td valign="top"><strong>Exchange Name*: </strong></td>
                     <td><input type="text" required="true" name="name" id="formAddExchange.name" placeholder="Exchange Name"
                         dojoType="dijit.form.ValidationTextBox" missingMessage="A name must be supplied"
-                        data-dojo-props="regExp:'^(?!qpid\.|amq\.|\<\<default\>\>).*$', invalidMessage:'Reserved exchange name!'"/></td>
+                        data-dojo-props="regExp:'^(?!qpid\.|amq\.|\<\<default\>\>)[\x20-\x2e\x30-\x7F]{1,255}$', invalidMessage:'Illegal or reserved exchange name!'"/></td>
                 </tr>
                 <tr>
                     <td valign="top"><strong>Durable? </strong></td>
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/resources/addPort.html b/qpid/java/broker-plugins/management-http/src/main/java/resources/addPort.html
index 11acccb2ac..c37b879bd5 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/resources/addPort.html
+++ b/qpid/java/broker-plugins/management-http/src/main/java/resources/addPort.html
@@ -25,7 +25,7 @@
             <div id="formAddPort:fields">
                 <input type="text" required="true" name="name" id="formAddPort.name" placeholder="Name"
                     data-dojo-props="label: 'Name*:'" dojoType="dijit.form.ValidationTextBox"
-                    missingMessage="A name must be supplied" />
+                    missingMessage="A name must be supplied" regexp="^[\x20-\x2e\x30-\x7F]{1,255}$"/>
                 <input data-dojo-type="dijit.form.NumberSpinner" id="formAddPort.port" required="true" data-dojo-props="label: 'Port Number*:'"
                      name="port" smallDelta="1" constraints="{min:1,max:65535,places:0, pattern: '#####'}"
                      missingMessage="A port number must be supplied"  />
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/resources/addQueue.html b/qpid/java/broker-plugins/management-http/src/main/java/resources/addQueue.html
index d396f28877..950809d5fc 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/resources/addQueue.html
+++ b/qpid/java/broker-plugins/management-http/src/main/java/resources/addQueue.html
@@ -25,7 +25,7 @@
                 <tr>
                     <td valign="top"><strong>Queue Name*: </strong></td>
                     <td><input type="text" required="true" name="name" id="formAddQueue.name" placeholder="Queue Name"
-                        dojoType="dijit.form.ValidationTextBox" missingMessage="A name must be supplied" /></td>
+                        dojoType="dijit.form.ValidationTextBox" missingMessage="A name must be supplied" regexp="^[\x20-\x2e\x30-\x7F]{1,255}$"/></td>
                 </tr>
                 <tr>
                     <td valign="top"><strong>Durable? </strong></td>
diff --git a/qpid/java/broker-plugins/management-http/src/main/java/resources/addVirtualHost.html b/qpid/java/broker-plugins/management-http/src/main/java/resources/addVirtualHost.html
index d66e0e1b03..9b492ef26d 100644
--- a/qpid/java/broker-plugins/management-http/src/main/java/resources/addVirtualHost.html
+++ b/qpid/java/broker-plugins/management-http/src/main/java/resources/addVirtualHost.html
@@ -27,7 +27,7 @@
                     <td class="tableContainer-valueCell">
                         <input type="text" required="true" name="name" id="formAddVirtualHost.name"
                             placeholder="Virtual Host Name" dojoType="dijit.form.ValidationTextBox"
-                            missingMessage="A name must be supplied" />
+                            missingMessage="A name must be supplied" regexp="^[\x20-\x2e\x30-\x7F]{1,255}$"/>
                     </td>
                 </tr>
             </table>
diff --git a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java
index e57c8c2d16..05977a22af 100644
--- a/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java
+++ b/qpid/java/broker/src/main/java/org/apache/qpid/server/model/adapter/AbstractAdapter.java
@@ -32,6 +32,7 @@ import org.apache.qpid.server.model.ConfigurationChangeListener;
 import org.apache.qpid.server.model.ConfiguredObject;
 import org.apache.qpid.server.model.IllegalStateTransitionException;
 import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
 import org.apache.qpid.server.configuration.updater.ChangeAttributesTask;
 import org.apache.qpid.server.configuration.updater.ChangeStateTask;
 import org.apache.qpid.server.configuration.updater.CreateChildTask;
@@ -40,6 +41,7 @@ import org.apache.qpid.server.configuration.updater.TaskExecutor;
 
 abstract class AbstractAdapter implements ConfiguredObject
 {
+    private static final Object ID = "id";
     private final Map<String,Object> _attributes = new HashMap<String, Object>();
     private final Map<Class<? extends ConfiguredObject>, ConfiguredObject> _parents =
             new HashMap<Class<? extends ConfiguredObject>, ConfiguredObject>();
@@ -347,6 +349,15 @@ abstract class AbstractAdapter implements ConfiguredObject
 
     protected void changeAttributes(final Map<String, Object> attributes)
     {
+        if (attributes.containsKey(ID))
+        {
+            UUID id = getId();
+            Object idAttributeValue = attributes.get(ID);
+            if (idAttributeValue != null && !idAttributeValue.equals(id))
+            {
+                throw new IllegalConfigurationException("Cannot change existing configured object id");
+            }
+        }
         Collection<String> names = getAttributeNames();
         for (String name : names)
         {
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AuthenticationProviderRestTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AuthenticationProviderRestTest.java
index 4ba2069dfd..09408572d7 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AuthenticationProviderRestTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AuthenticationProviderRestTest.java
@@ -24,6 +24,7 @@ import java.io.File;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.UUID;
 
 import org.apache.qpid.server.model.AuthenticationProvider;
 import org.apache.qpid.server.model.LifetimePolicy;
@@ -90,6 +91,22 @@ public class AuthenticationProviderRestTest extends QpidRestTestCase
         assertProvider(false, AnonymousAuthenticationManagerFactory.PROVIDER_TYPE, provider);
     }
 
+    public void testUpdateAuthenticationProviderIdFails() throws Exception
+    {
+        String providerName = "test-provider";
+        Map<String, Object> attributes = new HashMap<String, Object>();
+        attributes.put(AuthenticationProvider.NAME, providerName);
+        attributes.put(AuthenticationProvider.TYPE, AnonymousAuthenticationManagerFactory.PROVIDER_TYPE);
+
+        int responseCode = getRestTestHelper().submitRequest("/rest/authenticationprovider/" + providerName, "PUT", attributes);
+        assertEquals("Unexpected response code", 201, responseCode);
+
+        attributes.put(AuthenticationProvider.ID, UUID.randomUUID());
+
+        responseCode = getRestTestHelper().submitRequest("/rest/authenticationprovider/" + providerName, "PUT", attributes);
+        assertEquals("Update with new ID should fail", 409, responseCode);
+    }
+
     public void testDeleteOfDefaultAuthenticationProviderFails() throws Exception
     {
         String providerName = TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER;
-- 
cgit v1.2.1