/*
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.qpid.server.security.access.plugins;
import java.util.Arrays;
import junit.framework.TestCase;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.qpid.server.configuration.plugins.ConfigurationPlugin;
import org.apache.qpid.server.logging.UnitTestMessageLogger;
import org.apache.qpid.server.logging.actors.CurrentActor;
import org.apache.qpid.server.logging.actors.TestLogActor;
import org.apache.qpid.server.security.Result;
import org.apache.qpid.server.security.SecurityManager;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.access.Permission;
import org.apache.qpid.server.security.access.config.Rule;
import org.apache.qpid.server.security.access.config.RuleSet;
import org.apache.qpid.server.security.auth.sasl.TestPrincipalUtils;
/**
* Unit test for ACL V2 plugin.
*
* This unit test tests the AccessControl class and it collaboration with {@link RuleSet},
* {@link SecurityManager} and {@link CurrentActor}. The ruleset is configured programmatically,
* rather than from an external file.
*
* @see RuleSetTest
*/
public class AccessControlTest extends TestCase
{
private AccessControl _plugin = null; // Class under test
private final UnitTestMessageLogger messageLogger = new UnitTestMessageLogger();
private void setUpGroupAccessControl() throws ConfigurationException
{
configureAccessControl(createGroupRuleSet());
}
private void configureAccessControl(final RuleSet rs) throws ConfigurationException
{
_plugin = (AccessControl) AccessControl.FACTORY.newInstance(createConfiguration(rs));
SecurityManager.setThreadSubject(null);
CurrentActor.set(new TestLogActor(messageLogger));
}
private RuleSet createGroupRuleSet()
{
final RuleSet rs = new RuleSet();
rs.addGroup("aclGroup1", Arrays.asList(new String[] {"member1", "member2"}));
// Rule expressed with username
rs.grant(0, "user1", Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
// Rule expressed with a acl group
rs.grant(1, "aclGroup1", Permission.ALLOW, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
// Rule expressed with an external group
rs.grant(2, "extGroup1", Permission.DENY, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
// Catch all rule
rs.grant(3, Rule.ALL, Permission.DENY_LOG, Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
return rs;
}
protected void tearDown() throws Exception
{
super.tearDown();
SecurityManager.setThreadSubject(null);
}
/**
* ACL plugin must always abstain if there is no subject attached to the thread.
*/
public void testNoSubjectAlwaysAbstains() throws ConfigurationException
{
setUpGroupAccessControl();
SecurityManager.setThreadSubject(null);
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
assertEquals(Result.ABSTAIN, result);
}
/**
* Tests that an allow rule expressed with a username allows an operation performed by a thread running
* with the same username.
*/
public void testUsernameAllowsOperation() throws ConfigurationException
{
setUpGroupAccessControl();
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user1"));
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
assertEquals(Result.ALLOWED, result);
}
/**
* Tests that an allow rule expressed with an <b>ACL groupname</b> allows an operation performed by a thread running
* by a user who belongs to the same group..
*/
public void testAclGroupMembershipAllowsOperation() throws ConfigurationException
{
setUpGroupAccessControl();
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("member1"));
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
assertEquals(Result.ALLOWED, result);
}
/**
* Tests that a deny rule expressed with an <b>External groupname</b> denies an operation performed by a thread running
* by a user who belongs to the same group.
*/
public void testExternalGroupMembershipDeniesOperation() throws ConfigurationException
{
setUpGroupAccessControl();
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user3", "extGroup1"));
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
assertEquals(Result.DENIED, result);
}
/**
* Tests that the catch all deny denies the operation and logs with the logging actor.
*/
public void testCatchAllRuleDeniesUnrecognisedUsername() throws ConfigurationException
{
setUpGroupAccessControl();
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("unknown", "unkgroup1", "unkgroup2"));
assertEquals("Expecting zero messages before test", 0, messageLogger.getLogMessages().size());
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.VIRTUALHOST, ObjectProperties.EMPTY);
assertEquals(Result.DENIED, result);
assertEquals("Expecting one message before test", 1, messageLogger.getLogMessages().size());
assertTrue("Logged message does not contain expected string", messageLogger.messageContains(0, "ACL-1002"));
}
/**
* Tests that a grant access method rule allows any access operation to be performed on any component
*/
public void testAuthoriseAccessMethodWhenAllAccessOperationsAllowedOnAllComponents() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user4 access right on any method in any component
rs.grant(1, "user4", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, new ObjectProperties(ObjectProperties.STAR));
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user4"));
ObjectProperties actionProperties = new ObjectProperties("getName");
actionProperties.put(ObjectProperties.Property.COMPONENT, "Test");
final Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, actionProperties);
assertEquals(Result.ALLOWED, result);
}
/**
* Tests that a grant access method rule allows any access operation to be performed on a specified component
*/
public void testAuthoriseAccessMethodWhenAllAccessOperationsAllowedOnSpecifiedComponent() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user5 access right on any methods in "Test" component
ObjectProperties ruleProperties = new ObjectProperties(ObjectProperties.STAR);
ruleProperties.put(ObjectProperties.Property.COMPONENT, "Test");
rs.grant(1, "user5", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, ruleProperties);
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user5"));
ObjectProperties actionProperties = new ObjectProperties("getName");
actionProperties.put(ObjectProperties.Property.COMPONENT, "Test");
Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, actionProperties);
assertEquals(Result.ALLOWED, result);
actionProperties.put(ObjectProperties.Property.COMPONENT, "Test2");
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, actionProperties);
assertEquals(Result.DEFER, result);
}
/**
* Tests that a grant access method rule allows any access operation to be performed on a specified component
*/
public void testAuthoriseAccessMethodWhenSpecifiedAccessOperationsAllowedOnSpecifiedComponent() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user6 access right on "getAttribute" method in "Test" component
ObjectProperties ruleProperties = new ObjectProperties("getAttribute");
ruleProperties.put(ObjectProperties.Property.COMPONENT, "Test");
rs.grant(1, "user6", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, ruleProperties);
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user6"));
ObjectProperties properties = new ObjectProperties("getAttribute");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
properties.put(ObjectProperties.Property.COMPONENT, "Test2");
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.DEFER, result);
properties = new ObjectProperties("getAttribute2");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.DEFER, result);
}
/**
* Tests that granting of all method rights on a method allows a specified operation to be performed on any component
*/
public void testAuthoriseAccessUpdateMethodWhenAllRightsGrantedOnSpecifiedMethodForAllComponents() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user8 all rights on method queryNames in all component
rs.grant(1, "user8", Permission.ALLOW, Operation.ALL, ObjectType.METHOD, new ObjectProperties("queryNames"));
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user8"));
ObjectProperties properties = new ObjectProperties();
properties.put(ObjectProperties.Property.COMPONENT, "Test");
properties.put(ObjectProperties.Property.NAME, "queryNames");
Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
result = _plugin.authorise(Operation.UPDATE, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
properties = new ObjectProperties("getAttribute");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
result = _plugin.authorise(Operation.UPDATE, ObjectType.METHOD, properties);
assertEquals(Result.DEFER, result);
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.DEFER, result);
}
/**
* Tests that granting of all method rights allows any operation to be performed on any component
*/
public void testAuthoriseAccessUpdateMethodWhenAllRightsGrantedOnAllMethodsInAllComponents() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user9 all rights on any method in all component
rs.grant(1, "user9", Permission.ALLOW, Operation.ALL, ObjectType.METHOD, new ObjectProperties());
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user9"));
ObjectProperties properties = new ObjectProperties("queryNames");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
result = _plugin.authorise(Operation.UPDATE, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
properties = new ObjectProperties("getAttribute");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
result = _plugin.authorise(Operation.UPDATE, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
}
/**
* Tests that granting of access method rights with mask allows matching operations to be performed on the specified component
*/
public void testAuthoriseAccessMethodWhenMatchingAcessOperationsAllowedOnSpecifiedComponent() throws ConfigurationException
{
final RuleSet rs = new RuleSet();
// grant user9 all rights on "getAttribute*" methods in Test component
ObjectProperties ruleProperties = new ObjectProperties();
ruleProperties.put(ObjectProperties.Property.COMPONENT, "Test");
ruleProperties.put(ObjectProperties.Property.NAME, "getAttribute*");
rs.grant(1, "user9", Permission.ALLOW, Operation.ACCESS, ObjectType.METHOD, ruleProperties);
configureAccessControl(rs);
SecurityManager.setThreadSubject(TestPrincipalUtils.createTestSubject("user9"));
ObjectProperties properties = new ObjectProperties("getAttributes");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
Result result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
properties = new ObjectProperties("getAttribute");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.ALLOWED, result);
properties = new ObjectProperties("getAttribut");
properties.put(ObjectProperties.Property.COMPONENT, "Test");
result = _plugin.authorise(Operation.ACCESS, ObjectType.METHOD, properties);
assertEquals(Result.DEFER, result);
}
/**
* Creates a configuration plugin for the {@link AccessControl} plugin.
*/
private ConfigurationPlugin createConfiguration(final RuleSet rs)
{
final ConfigurationPlugin cp = new ConfigurationPlugin()
{
@SuppressWarnings("unchecked")
public AccessControlConfiguration getConfiguration(final String plugin)
{
return new AccessControlConfiguration()
{
public RuleSet getRuleSet()
{
return rs;
}
};
}
public String[] getElementsProcessed()
{
throw new UnsupportedOperationException();
}
};
return cp;
}
}