Example 1 with RuleOutcome
use of org.apache.qpid.server.security.access.plugins.RuleOutcome in project qpid-broker-j by apache.
the class AclFileParser method parseAcl.
private static void parseAcl(Integer number, List<String> args, final RuleSetCreator ruleSetCreator, final int line) {
if (args.size() < 3) {
throw new IllegalConfigurationException(String.format(NOT_ENOUGH_ACL_MSG, line));
}
String text = args.get(0);
RuleOutcome outcome;
try {
outcome = RuleOutcome.valueOf(text.replace('-', '_').toUpperCase());
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException("Not a valid permission: " + text, e);
}
String identity = args.get(1);
LegacyOperation operation = LegacyOperation.valueOf(args.get(2).toUpperCase());
if (number != null && !ruleSetCreator.isValidNumber(number)) {
throw new IllegalConfigurationException(String.format(BAD_ACL_RULE_NUMBER_MSG, line));
}
if (args.size() == 3) {
ruleSetCreator.addRule(number, identity, outcome, operation);
} else {
ObjectType object = ObjectType.valueOf(args.get(3).toUpperCase());
AclRulePredicates predicates = toRulePredicates(args.subList(4, args.size()), line);
ruleSetCreator.addRule(number, identity, outcome, operation, object, predicates);
}
}
Also used :
IllegalConfigurationException(org.apache.qpid.server.configuration.IllegalConfigurationException)
RuleOutcome(org.apache.qpid.server.security.access.plugins.RuleOutcome)
Example 2 with RuleOutcome
use of org.apache.qpid.server.security.access.plugins.RuleOutcome in project qpid-broker-j by apache.
the class RuleSet method check.
/**
* Check the authorisation granted to a particular identity for an operation on an object type with
* specific properties.
*
* Looks up the entire ruleset, which may be cached, for the user and operation and goes through the rules
* in order to find the first one that matches. Either defers if there are no rules, returns the result of
* the first match found, or denies access if there are no matching rules. Normally, it would be expected
* to have a default deny or allow rule at the end of an access configuration however.
*/
public Result check(Subject subject, LegacyOperation operation, ObjectType objectType, ObjectProperties properties, InetAddress addressOfClient) {
ClientAction action = new ClientAction(operation, objectType, properties);
LOGGER.debug("Checking action: {}", action);
// get the list of rules relevant for this request
List<Rule> rules = getRules(subject, operation, objectType);
if (rules == null) {
LOGGER.debug("No rules found, returning default result");
return getDefault();
}
// Iterate through a filtered set of rules dealing with this identity and operation
for (Rule rule : rules) {
LOGGER.debug("Checking against rule: {}", rule);
if (action.matches(rule.getAclAction(), addressOfClient)) {
RuleOutcome ruleOutcome = rule.getRuleOutcome();
LOGGER.debug("Action matches. Result: {}", ruleOutcome);
boolean allowed = ruleOutcome.isAllowed();
if (ruleOutcome.isLogged()) {
if (allowed) {
getEventLogger().message(AccessControlMessages.ALLOWED(action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
} else {
getEventLogger().message(AccessControlMessages.DENIED(action.getOperation().toString(), action.getObjectType().toString(), action.getProperties().toString()));
}
}
return allowed ? Result.ALLOWED : Result.DENIED;
}
}
LOGGER.debug("Deferring result of ACL check");
// Defer to the next plugin of this type, if it exists
return Result.DEFER;
}
Also used :
RuleOutcome(org.apache.qpid.server.security.access.plugins.RuleOutcome)
Example 3 with RuleOutcome
use of org.apache.qpid.server.security.access.plugins.RuleOutcome in project qpid-broker-j by apache.
the class MessagingACLTest method configureACL.
private void configureACL(String... rules) throws Exception {
EventLoggerProvider eventLoggerProvider = mock(EventLoggerProvider.class);
EventLogger eventLogger = mock(EventLogger.class);
when(eventLoggerProvider.getEventLogger()).thenReturn(eventLogger);
List<AclRule> aclRules = new ArrayList<>();
try (StringReader stringReader = new StringReader(Arrays.stream(rules).collect(Collectors.joining(LINE_SEPARATOR)))) {
RuleSet ruleSet = AclFileParser.parse(stringReader, eventLoggerProvider);
final List<Rule> parsedRules = ruleSet.getAllRules();
for (final Rule rule : parsedRules) {
aclRules.add(new AclRule() {
@Override
public String getIdentity() {
return rule.getIdentity();
}
@Override
public ObjectType getObjectType() {
return rule.getAction().getObjectType();
}
@Override
public LegacyOperation getOperation() {
return rule.getAction().getOperation();
}
@Override
public Map<ObjectProperties.Property, String> getAttributes() {
Map<ObjectProperties.Property, String> attributes = new HashMap<>(rule.getAction().getProperties().asPropertyMap());
FirewallRule firewallRule = rule.getAclAction().getFirewallRule();
if (firewallRule != null) {
if (firewallRule instanceof HostnameFirewallRule) {
attributes.put(ObjectProperties.Property.FROM_HOSTNAME, "127.0.0.1");
} else if (firewallRule instanceof NetworkFirewallRule) {
// tests use only 127.0.0.1 at the moment
attributes.put(ObjectProperties.Property.FROM_NETWORK, "127.0.0.1");
}
}
return attributes;
}
@Override
public RuleOutcome getOutcome() {
return rule.getRuleOutcome();
}
});
}
}
configureACL(aclRules.toArray(new AclRule[aclRules.size()]));
}
Also used :
NetworkFirewallRule(org.apache.qpid.server.security.access.firewall.NetworkFirewallRule)
RuleSet(org.apache.qpid.server.security.access.config.RuleSet)
LegacyOperation(org.apache.qpid.server.security.access.config.LegacyOperation)
EventLoggerProvider(org.apache.qpid.server.logging.EventLoggerProvider)
EventLogger(org.apache.qpid.server.logging.EventLogger)
ArrayList(java.util.ArrayList)
ObjectProperties(org.apache.qpid.server.security.access.config.ObjectProperties)
ObjectType(org.apache.qpid.server.security.access.config.ObjectType)
HostnameFirewallRule(org.apache.qpid.server.security.access.firewall.HostnameFirewallRule)
StringReader(java.io.StringReader)
RuleOutcome(org.apache.qpid.server.security.access.plugins.RuleOutcome)
AclRule(org.apache.qpid.server.security.access.plugins.AclRule)
AclRule(org.apache.qpid.server.security.access.plugins.AclRule)
NetworkFirewallRule(org.apache.qpid.server.security.access.firewall.NetworkFirewallRule)
Rule(org.apache.qpid.server.security.access.config.Rule)
FirewallRule(org.apache.qpid.server.security.access.firewall.FirewallRule)
HostnameFirewallRule(org.apache.qpid.server.security.access.firewall.HostnameFirewallRule)
Map(java.util.Map)
HashMap(java.util.HashMap)
NetworkFirewallRule(org.apache.qpid.server.security.access.firewall.NetworkFirewallRule)
FirewallRule(org.apache.qpid.server.security.access.firewall.FirewallRule)
HostnameFirewallRule(org.apache.qpid.server.security.access.firewall.HostnameFirewallRule)
Example 4 with RuleOutcome
use of org.apache.qpid.server.security.access.plugins.RuleOutcome in project qpid-broker-j by apache.
the class RuleTest method testEqualsAndHashCode.
public void testEqualsAndHashCode() {
AclAction aclAction = mock(AclAction.class);
String identity = "identity";
RuleOutcome allow = RuleOutcome.ALLOW;
Rule rule = new Rule(identity, aclAction, allow);
Rule equalRule = new Rule(identity, aclAction, allow);
assertTrue(rule.equals(rule));
assertTrue(rule.equals(equalRule));
assertTrue(equalRule.equals(rule));
assertTrue(rule.hashCode() == equalRule.hashCode());
assertFalse("Different identity should cause rules to be unequal", rule.equals(new Rule("identity2", aclAction, allow)));
final AclAction differentAclAction = mock(AclAction.class);
Action action = new Action(LegacyOperation.PURGE);
Action differentAction = new Action(LegacyOperation.ACCESS);
when(aclAction.getAction()).thenReturn(action);
when(differentAclAction.getAction()).thenReturn(differentAction);
assertFalse("Different action should cause rules to be unequal", rule.equals(new Rule(identity, differentAclAction, allow)));
assertFalse("Different permission should cause rules to be unequal", rule.equals(new Rule(identity, aclAction, RuleOutcome.DENY)));
}
Also used :
RuleOutcome(org.apache.qpid.server.security.access.plugins.RuleOutcome)
Aggregations
RuleOutcome (org.apache.qpid.server.security.access.plugins.RuleOutcome)4
StringReader (java.io.StringReader)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
Map (java.util.Map)1
IllegalConfigurationException (org.apache.qpid.server.configuration.IllegalConfigurationException)1
EventLogger (org.apache.qpid.server.logging.EventLogger)1
EventLoggerProvider (org.apache.qpid.server.logging.EventLoggerProvider)1
LegacyOperation (org.apache.qpid.server.security.access.config.LegacyOperation)1
ObjectProperties (org.apache.qpid.server.security.access.config.ObjectProperties)1
ObjectType (org.apache.qpid.server.security.access.config.ObjectType)1
Rule (org.apache.qpid.server.security.access.config.Rule)1
RuleSet (org.apache.qpid.server.security.access.config.RuleSet)1
FirewallRule (org.apache.qpid.server.security.access.firewall.FirewallRule)1
HostnameFirewallRule (org.apache.qpid.server.security.access.firewall.HostnameFirewallRule)1
NetworkFirewallRule (org.apache.qpid.server.security.access.firewall.NetworkFirewallRule)1
AclRule (org.apache.qpid.server.security.access.plugins.AclRule)1
