| author | Robert Gemmell <robbie@apache.org> | 2011-07-13 14:53:08 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2011-07-13 14:53:08 +0000 |
| commit | 6f97615e2ed577dd12f6ed677680feb24ce350dc (patch) | |
| tree | 7726db27aa3dd272d0b8c4f94cb9fb6e2268ece1 /java/broker/src/test | |
| parent | 2242564d9827fdf010ddbe98d0f8dd4457bce478 (diff) | |
| download | qpid-python-6f97615e2ed577dd12f6ed677680feb24ce350dc.tar.gz | |
QPID-3310 - Principal/Subject refactoring.
Refactoring to the connection/session objects to pass the Subject from Authentication tier to Access tier, rather than just
the Principal. Change the access-control to be able to make access decisions based on Groups from the Authentication tier
whilst retaining support for groups declared within the ACL file itself. Improve unit tests.
Applied patch by Keith Wall <keith.wall@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1146079 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/broker/src/test')
5 files changed, 159 insertions, 18 deletions
diff --git a/java/broker/src/test/java/org/apache/qpid/server/logging/UnitTestMessageLogger.java b/java/broker/src/test/java/org/apache/qpid/server/logging/UnitTestMessageLogger.java
index 3752dcb37e..e8defd0e58 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/logging/UnitTestMessageLogger.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/logging/UnitTestMessageLogger.java
@@ -28,11 +28,7 @@ import org.apache.qpid.server.logging.AbstractRootMessageLogger;
 public class UnitTestMessageLogger extends AbstractRootMessageLogger
 {
- List<Object> _log;
-
- {
- _log = new LinkedList<Object>();
- }
+ private final List<Object> _log = new LinkedList<Object>();
 public UnitTestMessageLogger()
 {
@@ -69,4 +65,14 @@ public class UnitTestMessageLogger extends AbstractRootMessageLogger
 {
 _log.clear();
 }
+
+ public boolean messageContains(final int index, final String contains)
+ {
+ if (index + 1 > _log.size())
+ {
+ throw new IllegalArgumentException("Message with index " + index + " has not been logged");
+ }
+ final String message = _log.get(index).toString();
+ return message.contains(contains);
+ }
 }
diff --git a/java/broker/src/test/java/org/apache/qpid/server/protocol/InternalTestProtocolSession.java b/java/broker/src/test/java/org/apache/qpid/server/protocol/InternalTestProtocolSession.java
index 2b724af2b1..3af665141c 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/protocol/InternalTestProtocolSession.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/protocol/InternalTestProtocolSession.java
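Review bot: In `UnitTestMessageLogger.messageContains` (the -69,4 hunk), the guard `if (index + 1 > _log.size())` rejects only indexes that are too large, so a negative index falls through to `_log.get(index)` and surfaces as an `IndexOutOfBoundsException` rather than the `IllegalArgumentException` with the descriptive message. Checking both ends keeps the failure mode uniform: `if (index < 0 || index >= _log.size())`. A one-line Javadoc stating that the match is a substring test against `toString()` of the logged object would also help callers writing assertions on logged messages.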
@@ -22,12 +22,15 @@ package org.apache.qpid.server.protocol;
 import java.security.Principal;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicInteger;
+import javax.security.auth.Subject;
+
 import org.apache.qpid.AMQException;
 import org.apache.qpid.framing.AMQShortString;
 import org.apache.qpid.framing.ContentHeaderBody;
@@ -39,6 +42,8 @@ import org.apache.qpid.server.message.MessageContentSource;
 import org.apache.qpid.server.output.ProtocolOutputConverter;
 import org.apache.qpid.server.queue.QueueEntry;
 import org.apache.qpid.server.registry.ApplicationRegistry;
+import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal;
+import org.apache.qpid.server.state.AMQState;
 import org.apache.qpid.server.virtualhost.VirtualHost;
 import org.apache.qpid.transport.TestNetworkConnection;
@@ -55,13 +60,8 @@ public class InternalTestProtocolSession extends AMQProtocolEngine implements Pr
 _channelDelivers = new HashMap<Integer, Map<AMQShortString, LinkedList<DeliveryPair>>>();
 // Need to authenticate session for it to be representative testing.
- setAuthorizedID(new Principal()
- {
- public String getName()
- {
- return "InternalTestProtocolSession";
- }
- });
+ setAuthorizedSubject(new Subject(true, Collections.singleton(new UsernamePrincipal("InternalTestProtocolSession")),
+ Collections.EMPTY_SET, Collections.EMPTY_SET));
 setVirtualHost(virtualHost);
 }
diff --git a/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java b/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
index 888a16053c..4c31092983 100644
--- a/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
+++ b/java/broker/src/test/java/org/apache/qpid/server/queue/MockAMQQueue.java
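Review bot: The Subject built inline in the `InternalTestProtocolSession` constructor (the -55,13 hunk) repeats what `TestPrincipalUtils.createTestSubject`, added in this same commit, already does, so the definition of a test identity now lives in two places. Calling the helper keeps one definition: `setAuthorizedSubject(TestPrincipalUtils.createTestSubject("InternalTestProtocolSession"));`, with the `UsernamePrincipal` import swapped for the helper's. This session carries no group principals, so group-based access decisions are presumably not exercised through it; a comment saying so would save the next reader a search. The import hunk keeps `java.security.Principal` and adds `org.apache.qpid.server.state.AMQState`, and no use of either is visible in these hunks, so both are worth checking against the full file. The constructor begins outside the hunk.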
@@ -29,7 +29,7 @@ import org.apache.qpid.server.subscription.Subscription;
 import org.apache.qpid.server.virtualhost.VirtualHost;
 import org.apache.qpid.server.management.ManagedObject;
 import org.apache.qpid.server.message.ServerMessage;
-import org.apache.qpid.server.security.PrincipalHolder;
+import org.apache.qpid.server.security.AuthorizationHolder;
 import org.apache.qpid.server.AMQChannel;
 import org.apache.qpid.server.protocol.AMQSessionModel;
 import org.apache.qpid.server.binding.Binding;
@@ -48,7 +48,7 @@ public class MockAMQQueue implements AMQQueue
 private AMQShortString _name;
 private VirtualHost _virtualhost;
- private PrincipalHolder _principalHolder;
+ private AuthorizationHolder _authorizationHolder;
 private AMQSessionModel _exclusiveOwner;
 private AMQShortString _owner;
@@ -536,14 +536,14 @@ public class MockAMQQueue implements AMQQueue
 return null; //To change body of implemented methods use File | Settings | File Templates.
 }
- public PrincipalHolder getPrincipalHolder()
+ public AuthorizationHolder getAuthorizationHolder()
 {
- return _principalHolder;
+ return _authorizationHolder;
 }
- public void setPrincipalHolder(PrincipalHolder principalHolder)
+ public void setAuthorizationHolder(final AuthorizationHolder authorizationHolder)
 {
- _principalHolder = principalHolder;
+ _authorizationHolder = authorizationHolder;
 }
 public AMQSessionModel getExclusiveOwningSession()
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/GroupPrincipalTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/GroupPrincipalTest.java
new file mode 100644
index 0000000000..076b7c9248
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/GroupPrincipalTest.java
@@ -0,0 +1,86 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.auth.sasl;
+
+import junit.framework.TestCase;
+
+public class GroupPrincipalTest extends TestCase
+{
+ public void testGetName()
+ {
+ final GroupPrincipal principal = new GroupPrincipal("group");
+ assertEquals("group", principal.getName());
+ }
+
+ public void testAddRejected()
+ {
+ final GroupPrincipal principal = new GroupPrincipal("group");
+ final UsernamePrincipal user = new UsernamePrincipal("name");
+
+ try
+ {
+ principal.addMember(user);
+ fail("Exception not thrown");
+ }
+ catch (UnsupportedOperationException uso)
+ {
+ // PASS
+ }
+ }
+
+ public void testEqualitySameName()
+ {
+ final String string = "string";
+ final GroupPrincipal principal1 = new GroupPrincipal(string);
+ final GroupPrincipal principal2 = new GroupPrincipal(string);
+ assertTrue(principal1.equals(principal2));
+ }
+
+ public void testEqualityEqualName()
+ {
+ final GroupPrincipal principal1 = new GroupPrincipal(new String("string"));
+ final GroupPrincipal principal2 = new GroupPrincipal(new String("string"));
+ assertTrue(principal1.equals(principal2));
+ }
+
+ public void testInequalityDifferentGroupPrincipals()
+ {
+ GroupPrincipal principal1 = new GroupPrincipal("string1");
+ GroupPrincipal principal2 = new GroupPrincipal("string2");
+ assertFalse(principal1.equals(principal2));
+ }
+
+ public void testInequalityNonGroupPrincipal()
+ {
+ GroupPrincipal principal = new GroupPrincipal("string");
+ assertFalse(principal.equals(new UsernamePrincipal("string")));
+ }
+
+ public void testInequalityNull()
+ {
+ GroupPrincipal principal = new GroupPrincipal("string");
+ assertFalse(principal.equals(null));
+ }
+
+
+
+
+}
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalUtils.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalUtils.java
new file mode 100644
index 0000000000..8b9b2df5a3
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalUtils.java
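Review bot: The equality tests in `GroupPrincipalTest` never assert on `hashCode()`, and `testInequalityNonGroupPrincipal` checks the user-versus-group comparison in one direction only. Principals end up in hash-based sets (`TestPrincipalUtils.createTestSubject` in this commit collects them in a `HashSet`), so group-based access decisions presumably depend on equal `GroupPrincipal`s hashing alike and on a `UsernamePrincipal` that shares a group's name never comparing equal to it from either side. Add `assertEquals(principal1.hashCode(), principal2.hashCode());` to `testEqualitySameName` and `testEqualityEqualName`, and `assertFalse(new UsernamePrincipal("string").equals(principal));` to `testInequalityNonGroupPrincipal`. The four blank lines before the closing brace can be dropped.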
@@ -0,0 +1,49 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.qpid.server.security.auth.sasl;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+public class TestPrincipalUtils
+{
+
+ /**
+ * Creates a test subject, with exactly one UsernamePrincipal and zero or more GroupPrincipals.
+ */
+ public static Subject createTestSubject(final String username, final String... groups)
+ {
+ final Set<Principal> principals = new HashSet<Principal>(1 + groups.length);
+ principals.add(new UsernamePrincipal(username));
+ for (String group : groups)
+ {
+ principals.add(new GroupPrincipal(group));
+ }
+
+ final Subject subject = new Subject(true, principals, Collections.EMPTY_SET, Collections.EMPTY_SET);
+ return subject;
+ }
+
+}
|
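Review bot: `TestPrincipalUtils` holds only a static factory but is left instantiable and open to subclassing; declaring it `public final class TestPrincipalUtils` with a `private TestPrincipalUtils() {}` constructor states the intent. The two credential arguments use the raw-typed `Collections.EMPTY_SET` constant, where `Collections.emptySet()` is the typed form; the same applies to the `setAuthorizedSubject(...)` call in `InternalTestProtocolSession`. The Javadoc on `createTestSubject` could also mention that the Subject is created read-only (first constructor argument `true`), so a test cannot add principals or groups to it after creation.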
