authorKeith Wall <kwall@apache.org>2012-09-28 12:46:06 +0000
committerKeith Wall <kwall@apache.org>2012-09-28 12:46:06 +0000
commit7cd3770948fa5f39d7ba5655051c0fada76a8614 (patch)
tree37e8e3217462ae6cd53b5c37d0e278b6027ff44e /java/systests
parent203d6d4c76fbb7f52c507318ef0e92b8d4dba0bf (diff)
QPID-4334: removed the firewall plugin and moved its functionality into the Access Control plugin.
Applied patch from Philip Harvey <phil@philharveyonline.com>. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1391430 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java/systests')
-rw-r--r--java/systests/etc/config-systests-firewall-2.xml83
-rw-r--r--java/systests/etc/config-systests-firewall-3.xml85
-rw-r--r--java/systests/etc/config-systests-firewall-settings.xml30
-rw-r--r--java/systests/etc/config-systests-firewall.xml30
-rw-r--r--java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java29
-rw-r--r--java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java283
6 files changed, 29 insertions, 511 deletions
diff --git a/java/systests/etc/config-systests-firewall-2.xml b/java/systests/etc/config-systests-firewall-2.xml
deleted file mode 100644
index 5167d88f12..0000000000
--- a/java/systests/etc/config-systests-firewall-2.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
- -->
-<broker>
- <prefix>${QPID_HOME}</prefix>
- <work>${QPID_WORK}</work>
- <conf>${prefix}/etc</conf>
- <plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>
- <cache-directory>${QPID_WORK}/cache</cache-directory>
- <connector>
- <!-- To enable SSL edit the keystorePath and keystorePassword
- and set enabled to true.
- To disasble Non-SSL port set sslOnly to true -->
- <ssl>
- <enabled>false</enabled>
- <port>8672</port>
- <sslOnly>false</sslOnly>
- <keyStorePath>/path/to/keystore.ks</keyStorePath>
- <keyStorePassword>keystorepass</keyStorePassword>
- </ssl>
- <port>5672</port>
- <socketReceiveBuffer>262144</socketReceiveBuffer>
- <socketSendBuffer>262144</socketSendBuffer>
- </connector>
- <management>
- <enabled>false</enabled>
- </management>
- <advanced>
- <framesize>65535</framesize>
- <locale>en_US</locale>
- </advanced>
-
- <security>
- <pd-auth-manager>
- <principal-database>
- <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
- <attributes>
- <attribute>
- <name>passwordFile</name>
- <value>${conf}/passwd</value>
- </attribute>
- </attributes>
- </principal-database>
- </pd-auth-manager>
-
- <msg-auth>false</msg-auth>
-
- <firewall default-action="deny"/>
- </security>
-
- <virtualhosts>${conf}/virtualhosts-systests-firewall-2.xml</virtualhosts>
-
- <heartbeat>
- <delay>0</delay>
- <timeoutFactor>2.0</timeoutFactor>
- </heartbeat>
- <queue>
- <auto_register>true</auto_register>
- </queue>
-
- <status-updates>ON</status-updates>
-
-</broker>
-
-
diff --git a/java/systests/etc/config-systests-firewall-3.xml b/java/systests/etc/config-systests-firewall-3.xml
deleted file mode 100644
index 2bcbf53a39..0000000000
--- a/java/systests/etc/config-systests-firewall-3.xml
+++ /dev/null
@@ -1,85 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
- -->
-<broker>
- <prefix>${QPID_HOME}</prefix>
- <work>${QPID_WORK}</work>
- <conf>${prefix}/etc</conf>
- <plugin-directory>${QPID_HOME}/lib/plugins</plugin-directory>
- <cache-directory>${QPID_WORK}/cache</cache-directory>
- <connector>
- <!-- To enable SSL edit the keystorePath and keystorePassword
- and set enabled to true.
- To disable Non-SSL port set sslOnly to true -->
- <ssl>
- <enabled>false</enabled>
- <port>8672</port>
- <sslOnly>false</sslOnly>
- <keyStorePath>/path/to/keystore.ks</keyStorePath>
- <keyStorePassword>keystorepass</keyStorePassword>
- </ssl>
- <port>5672</port>
- <socketReceiveBuffer>262144</socketReceiveBuffer>
- <socketSendBuffer>262144</socketSendBuffer>
- </connector>
- <management>
- <enabled>false</enabled>
- </management>
- <advanced>
- <framesize>65535</framesize>
- <locale>en_US</locale>
- </advanced>
-
- <security>
- <pd-auth-manager>
- <principal-database>
- <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
- <attributes>
- <attribute>
- <name>passwordFile</name>
- <value>${conf}/passwd</value>
- </attribute>
- </attributes>
- </principal-database>
- </pd-auth-manager>
-
- <msg-auth>false</msg-auth>
-
- <firewall default-action="deny">
- <rule access="allow" network="127.0.0.1"/>
- </firewall>
- </security>
-
- <virtualhosts>${conf}/virtualhosts-systests-firewall-3.xml</virtualhosts>
-
- <heartbeat>
- <delay>0</delay>
- <timeoutFactor>2.0</timeoutFactor>
- </heartbeat>
- <queue>
- <auto_register>true</auto_register>
- </queue>
-
- <status-updates>ON</status-updates>
-
-</broker>
-
-
diff --git a/java/systests/etc/config-systests-firewall-settings.xml b/java/systests/etc/config-systests-firewall-settings.xml
deleted file mode 100644
index aa73be0646..0000000000
--- a/java/systests/etc/config-systests-firewall-settings.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
- -->
-<broker>
- <security>
- <firewall>
- <rule access="allow" network="127.0.0.1"/>
- </firewall>
- </security>
-
- <virtualhosts>${QPID_HOME}/etc/virtualhosts-systests-firewall.xml</virtualhosts>
-</broker>
diff --git a/java/systests/etc/config-systests-firewall.xml b/java/systests/etc/config-systests-firewall.xml
deleted file mode 100644
index a884a39614..0000000000
--- a/java/systests/etc/config-systests-firewall.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
- -->
-<configuration>
- <system/>
- <override>
- <xml fileName="${QPID_HOME}/${test.config}" optional="true"/>
- <xml fileName="${QPID_FIREWALL_CONFIG_SETTINGS}" optional="true"/>
- <xml fileName="${QPID_HOME}/etc/config-systests-firewall-settings.xml"/>
- <xml fileName="${QPID_HOME}/etc/config-systests-settings.xml"/>
- </override>
-</configuration>
diff --git a/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java b/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
index 400464b4eb..8324ac74a5 100644
--- a/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
+++ b/java/systests/src/main/java/org/apache/qpid/server/security/acl/ExternalACLTest.java
@@ -404,4 +404,33 @@ public class ExternalACLTest extends AbstractACLTestCase
sess.rollback();
conn.close();
}
+
+ public void setUpFirewallAllow() throws Exception
+ {
+ writeACLFile("test", "ACL ALLOW client ACCESS VIRTUALHOST from_network=\"127.0.0.1\"");
+ }
+
+ public void testFirewallAllow() throws Exception
+ {
+ getConnection("test", "client", "guest");
+ // test pass because we successfully connected
+ }
+
+ public void setUpFirewallDeny() throws Exception
+ {
+ writeACLFile("test", "ACL DENY client ACCESS VIRTUALHOST from_network=\"127.0.0.1\"");
+ }
+
+ public void testFirewallDeny() throws Exception
+ {
+ try
+ {
+ getConnection("test", "client", "guest");
+ fail("We expected the connection to fail");
+ }
+ catch(JMSException e)
+ {
+ // pass
+ }
+ }
}
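Review bot: Neither `testFirewallAllow` nor `testFirewallDeny` shows that the `from_network` predicate is actually evaluated, because both rules name the address the client connects from; the tests would presumably still pass if the broker applied the rule and ignored that property. `testFirewallDeny` also treats any `JMSException` as a pass, so a connection refused for an unrelated reason (broker not up, bad credentials) would hide a broken network check; inspecting the cause in the catch block instead of `// pass` would tighten it. A non-matching case would close the first gap, e.g. a setup of `writeACLFile("test", "ACL ALLOW client ACCESS VIRTUALHOST from_network=\"192.0.2.1\"");` (illustrative documentation-range address) with the connection expected to fail, assuming the ACL denies when no rule matches, which is not visible here. The removed FirewallConfigTest also checked that a changed rule takes effect after `reloadBrokerSecurityConfig()` and `restartBroker()`, and nothing in this hunk replaces that, so it is worth confirming it is covered elsewhere. The enclosing class and the helpers `writeACLFile` and `getConnection` are defined outside the hunk.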
diff --git a/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java b/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
deleted file mode 100644
index f5adf815aa..0000000000
--- a/java/systests/src/main/java/org/apache/qpid/server/security/firewall/FirewallConfigTest.java
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.qpid.server.security.firewall;
-
-import org.apache.qpid.client.AMQConnectionURL;
-import org.apache.qpid.test.utils.QpidBrokerTestCase;
-
-import javax.jms.Connection;
-import javax.jms.JMSException;
-import java.io.File;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
-public class FirewallConfigTest extends QpidBrokerTestCase
-{
- private File _tmpConfig, _tmpVirtualhosts;
- private String _ipAddressOfBrokerHost;
-
- @Override
- protected void setUp() throws Exception
- {
- // Setup initial config file.
- _configFile = new File("build/etc/config-systests-firewall.xml");
-
- // Setup temporary config file
- _tmpConfig = File.createTempFile("config-systests-firewall", ".xml");
- setSystemProperty("QPID_FIREWALL_CONFIG_SETTINGS", _tmpConfig.getAbsolutePath());
- _tmpConfig.deleteOnExit();
-
- // Setup temporary virtualhosts file
- _tmpVirtualhosts = File.createTempFile("virtualhosts-systests-firewall", ".xml");
- setSystemProperty("QPID_FIREWALL_VIRTUALHOSTS_SETTINGS", _tmpVirtualhosts.getAbsolutePath());
- _tmpVirtualhosts.deleteOnExit();
-
- _ipAddressOfBrokerHost = getIpAddressOfBrokerHost();
- }
-
- private void writeFirewallFile(boolean allow, boolean inVhost) throws IOException
- {
- FileWriter out = new FileWriter(inVhost ? _tmpVirtualhosts : _tmpConfig);
- if (inVhost)
- {
- out.write("<virtualhosts><virtualhost><test>");
- }
- else
- {
- out.write("<broker>");
- }
- out.write("<security><firewall>");
- out.write("<rule access=\""+((allow) ? "allow" : "deny")+"\" network=\"" + _ipAddressOfBrokerHost + "\"/>");
- out.write("</firewall></security>");
- if (inVhost)
- {
- out.write("</test></virtualhost></virtualhosts>");
- }
- else
- {
- out.write("</broker>");
- }
- out.close();
- }
-
- public void testVhostAllowBrokerDeny() throws Exception
- {
-
- _configFile = new File("build/etc/config-systests-firewall-2.xml");
-
- super.setUp();
- try
- {
- //Try to get a connection to the 'test2' vhost
- //This is expected to succeed as it is allowed at the vhost level
- getConnection(new AMQConnectionURL("amqp://guest:guest@clientid/test2?brokerlist='" + getBroker() + "'"));
- }
- catch (JMSException e)
- {
- e.getLinkedException().printStackTrace();
- fail("The connection was expected to succeed: " + e.getMessage());
- }
-
- try
- {
- //Try to get a connection to the 'test' vhost
- //This is expected to fail as it is denied at the broker level
- getConnection();
- fail("We expected the connection to fail");
- }
- catch (JMSException e)
- {
- //ignore
- }
- }
-
- public void testVhostDenyBrokerAllow() throws Exception
- {
- _configFile = new File("build/etc/config-systests-firewall-3.xml");
-
- super.setUp();
- try
- {
- //Try to get a connection to the 'test2' vhost
- //This is expected to fail as it is denied at the vhost level
- getConnection(new AMQConnectionURL("amqp://guest:guest@clientid/test2?brokerlist='" + getBroker() + "'"));
- fail("The connection was expected to fail");
- }
- catch (JMSException e)
- {
- //ignore
- }
-
- try
- {
- //Try to get a connection to the 'test' vhost
- //This is expected to succeed as it is allowed at the broker level
- getConnection();
- }
- catch (JMSException e)
- {
- e.getLinkedException().printStackTrace();
- fail("The connection was expected to succeed: " + e.getMessage());
- }
- }
-
- public void testDenyOnRestart() throws Exception
- {
- testDeny(false, new Runnable() {
-
- public void run()
- {
- try
- {
- restartBroker();
- } catch (Exception e)
- {
- fail(e.getMessage());
- }
- }
- });
- }
-
- public void testDenyOnRestartInVhost() throws Exception
- {
- testDeny(true, new Runnable() {
-
- public void run()
- {
- try
- {
- restartBroker();
- } catch (Exception e)
- {
- fail(e.getMessage());
- }
- }
- });
- }
-
- public void testAllowOnReloadInVhost() throws Exception
- {
- testFirewall(false, true, new Runnable() {
-
- public void run()
- {
- try
- {
- reloadBrokerSecurityConfig();
- } catch (Exception e)
- {
- fail(e.getMessage());
- }
- }
- });
- }
-
- public void testDenyOnReload() throws Exception
- {
- testDeny(false, new Runnable() {
-
- public void run()
- {
- try
- {
- reloadBrokerSecurityConfig();
- } catch (Exception e)
- {
- fail(e.getMessage());
- }
- }
- }
- );
- }
-
- public void testDenyOnReloadInVhost() throws Exception
- {
- testDeny(true, new Runnable() {
-
- public void run()
- {
- try
- {
- reloadBrokerSecurityConfig();
- } catch (Exception e)
- {
- fail(e.getMessage());
- }
- }
- }
- );
-
- }
-
- private void testDeny(boolean inVhost, Runnable restartOrReload) throws Exception
- {
- testFirewall(true, inVhost, restartOrReload);
- }
-
- /*
- * Check we can get a connection
- */
- private boolean checkConnection() throws Exception
- {
- Exception exception = null;
- Connection conn = null;
- try
- {
- conn = getConnection();
- }
- catch (JMSException e)
- {
- exception = e;
- }
-
- return conn != null;
- }
-
- private void testFirewall(boolean initial, boolean inVhost, Runnable restartOrReload) throws Exception
- {
-
- writeFirewallFile(initial, inVhost);
- setConfigurationProperty("management.enabled", String.valueOf(true));
- super.setUp();
-
- assertEquals("Initial connection check failed", initial, checkConnection());
-
- // Reload changed firewall file after restart or reload
- writeFirewallFile(!initial, inVhost);
- restartOrReload.run();
-
- assertEquals("Second connection check failed", !initial, checkConnection());
- }
-
- private String getIpAddressOfBrokerHost()
- {
- String brokerHost = getBroker().getHost();
- try
- {
- return InetAddress.getByName(brokerHost).getHostAddress();
- }
- catch (UnknownHostException e)
- {
- throw new RuntimeException("Could not determine IP address of host : " + brokerHost, e);
- }
-
- }
-}