authorAlex Rudyy <orudyy@apache.org>2013-04-08 11:17:41 +0000
committerAlex Rudyy <orudyy@apache.org>2013-04-08 11:17:41 +0000
commitad56a06e1f1c22a0baccb99c27a64ee9564da83b (patch)
treef6c77961e2f1fcb28e0b65368b8b7cc5a9e3ba6b /qpid/java/systests/src
parentd85edbc941559aa85c5a998bbb8894f13baaf81c (diff)
QPID-4705: Restrict access to web management interfaces to authenticated and authorised users only
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1465590 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/systests/src')
-rw-r--r--qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AnonymousAccessRestTest.java95
-rw-r--r--qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/BasicAuthRestTest.java9
-rw-r--r--qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java10
-rw-r--r--qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java12
-rw-r--r--qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/UserRestTest.java1
5 files changed, 115 insertions, 12 deletions
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AnonymousAccessRestTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AnonymousAccessRestTest.java
new file mode 100644
index 0000000000..907b476bc4
--- /dev/null
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/AnonymousAccessRestTest.java
@@ -0,0 +1,95 @@
+package org.apache.qpid.systest.rest;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.plugin.AuthenticationManagerFactory;
+import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManagerFactory;
+import org.apache.qpid.test.utils.TestBrokerConfiguration;
+
+public class AnonymousAccessRestTest extends QpidRestTestCase
+{
+ @Override
+ public void startBroker()
+ {
+ // prevent broker from starting in setUp
+ }
+
+ public void startBrokerNow() throws Exception
+ {
+ super.startBroker();
+ }
+
+ @Override
+ protected void customizeConfiguration() throws ConfigurationException, IOException
+ {
+ super.customizeConfiguration();
+ TestBrokerConfiguration config = getBrokerConfiguration();
+
+ Map<String, Object> anonymousAuthProviderAttributes = new HashMap<String, Object>();
+ anonymousAuthProviderAttributes.put(AuthenticationManagerFactory.ATTRIBUTE_TYPE, AnonymousAuthenticationManagerFactory.PROVIDER_TYPE);
+ anonymousAuthProviderAttributes.put(AuthenticationProvider.NAME, TestBrokerConfiguration.ENTRY_NAME_ANONYMOUS_PROVIDER);
+ config.addAuthenticationProviderConfiguration(anonymousAuthProviderAttributes);
+
+ // set anonymous authentication provider on http port for the tests
+ config.setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_PORT, Port.AUTHENTICATION_PROVIDER,
+ TestBrokerConfiguration.ENTRY_NAME_ANONYMOUS_PROVIDER);
+ config.setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, "httpBasicAuthenticationEnabled", false);
+
+ // reset credentials
+ getRestTestHelper().setUsernameAndPassword(null, null);
+ }
+
+ public void testGetWithAnonymousProvider() throws Exception
+ {
+ startBrokerNow();
+
+ Map<String, Object> brokerDetails = getRestTestHelper().getJsonAsSingletonList("/rest/broker");
+ assertNotNull("Unexpected broker attributes", brokerDetails);
+ assertNotNull("Unexpected value of attribute " + Broker.ID, brokerDetails.get(Broker.ID));
+ }
+
+ public void testPutAnonymousProvider() throws Exception
+ {
+ startBrokerNow();
+
+ Map<String, Object> brokerAttributes = new HashMap<String, Object>();
+ brokerAttributes.put(Broker.DEFAULT_VIRTUAL_HOST, TEST3_VIRTUALHOST);
+
+ int response = getRestTestHelper().submitRequest("/rest/broker", "PUT", brokerAttributes);
+ assertEquals("Unexpected update response", 200, response);
+
+ Map<String, Object> brokerDetails = getRestTestHelper().getJsonAsSingletonList("/rest/broker");
+ assertNotNull("Unexpected broker attributes", brokerDetails);
+ assertNotNull("Unexpected value of attribute " + Broker.ID, brokerDetails.get(Broker.ID));
+ assertEquals("Unexpected default virtual host", TEST3_VIRTUALHOST, brokerDetails.get(Broker.DEFAULT_VIRTUAL_HOST));
+ }
+
+ public void testGetWithPasswordAuthProvider() throws Exception
+ {
+ getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_PORT, Port.AUTHENTICATION_PROVIDER,
+ TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER);
+ startBrokerNow();
+
+ int response = getRestTestHelper().submitRequest("/rest/broker", "GET", null);
+ assertEquals("Anonymous access should be denied", 401, response);
+ }
+
+ public void testPutWithPasswordAuthProvider() throws Exception
+ {
+ getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_PORT, Port.AUTHENTICATION_PROVIDER,
+ TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER);
+ startBrokerNow();
+
+ Map<String, Object> brokerAttributes = new HashMap<String, Object>();
+ brokerAttributes.put(Broker.DEFAULT_VIRTUAL_HOST, TEST3_VIRTUALHOST);
+
+ int response = getRestTestHelper().submitRequest("/rest/broker", "PUT", brokerAttributes);
+ assertEquals("Anonymous access should be denied", 401, response);
+ }
+}
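Review bot: testPutAnonymousProvider asserts a 200 for a configuration-changing PUT to /rest/broker sent with no credentials, and nothing in the file says why that is the expected outcome. From the hunk alone it appears to rely on the test broker having no access-control rules for the anonymous principal; a comment above the test such as `// anonymous provider on the HTTP port: requests carry no credentials and, with no ACL in the test config, may update the broker` would make that explicit (confirm the ACL assumption). The two denial tests check only for a 401, so the "authorised" half of the commit title (an authenticated but unprivileged user being refused) is not covered in this file. The new file also begins directly at `package`, with no license header.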
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/BasicAuthRestTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/BasicAuthRestTest.java
index 0574b6cc24..22fb70fa68 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/BasicAuthRestTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/BasicAuthRestTest.java
@@ -68,7 +68,7 @@ public class BasicAuthRestTest extends QpidRestTestCase
assertEquals(responseCode, conn.getResponseCode());
}
- public void testDefaultEnabledWithHttps() throws Exception
+ public void testBasicAuthWhenEnabledWithHttps() throws Exception
{
configure(true);
super.setUp();
@@ -81,15 +81,16 @@ public class BasicAuthRestTest extends QpidRestTestCase
verifyGetBrokerAttempt(HttpServletResponse.SC_OK);
}
- public void testDefaultDisabledWithHttp() throws Exception
+ public void testBasicAuthWhenDisabledWithHttp() throws Exception
{
configure(false);
+ getBrokerConfiguration().setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, "httpBasicAuthenticationEnabled", false);
super.setUp();
// Try the attempt with authentication, it should fail because
// BASIC auth is disabled by default on non-secure connections.
getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
- verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_UNAUTHORIZED);
}
public void testEnablingForHttp() throws Exception
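Review bot: The comment kept in testBasicAuthWhenDisabledWithHttp still says BASIC auth is "disabled by default on non-secure connections", but the added line now disables it explicitly, so the test no longer exercises a default. I would reword it to `// BASIC auth is explicitly disabled on the management plugin, so the supplied credentials are not accepted and the request is rejected with 401`. The attribute name `"httpBasicAuthenticationEnabled"` is repeated as a string literal here, in AnonymousAccessRestTest and in QpidRestTestCase; one shared constant in the test base class would keep the three in step.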
@@ -116,6 +117,6 @@ public class BasicAuthRestTest extends QpidRestTestCase
// Try the attempt with authentication, it should fail because
// BASIC auth is now disabled on secure connections.
getRestTestHelper().setUsernameAndPassword(USERNAME, USERNAME);
- verifyGetBrokerAttempt(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ verifyGetBrokerAttempt(HttpServletResponse.SC_UNAUTHORIZED);
}
}
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
index f83eb391e7..9e15840d1c 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/QpidRestTestCase.java
@@ -27,9 +27,7 @@ import java.util.Map;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Port;
-import org.apache.qpid.server.plugin.AuthenticationManagerFactory;
import org.apache.qpid.server.security.auth.manager.AnonymousAuthenticationManagerFactory;
-import org.apache.qpid.server.security.auth.manager.ExternalAuthenticationManagerFactory;
import org.apache.qpid.test.utils.TestBrokerConfiguration;
import org.apache.qpid.test.utils.QpidBrokerTestCase;
@@ -49,6 +47,9 @@ public class QpidRestTestCase extends QpidBrokerTestCase
@Override
public void setUp() throws Exception
{
+ // use webadmin account to perform tests
+ getRestTestHelper().setUsernameAndPassword("webadmin", "webadmin");
+
// Set up virtualhost config with queues and bindings to the amq.direct
for (String virtualhost : EXPECTED_VIRTUALHOSTS)
{
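Review bot: The default credentials are set as bare `"webadmin"` literals at the top of setUp, and two subclasses on this page depend on when this line runs: UserRestTest replaces them after `super.setUp()`, and AnonymousAccessRestTest clears them in `customizeConfiguration()`. That ordering is not visible in this hunk (setUp continues outside it), so a short comment would help: `// default credentials for every REST test; subclasses replace them after super.setUp() or in customizeConfiguration()`. Named constants for the account (for example `WEB_ADMIN_USER`, a name constructed for this note) would also make it clear that the user name doubles as the password.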
@@ -89,6 +90,11 @@ public class QpidRestTestCase extends QpidBrokerTestCase
anonymousProviderAttributes.put(AuthenticationProvider.TYPE, AnonymousAuthenticationManagerFactory.PROVIDER_TYPE);
anonymousProviderAttributes.put(AuthenticationProvider.NAME, ANONYMOUS_AUTHENTICATION_PROVIDER);
config.addAuthenticationProviderConfiguration(anonymousProviderAttributes);
+
+ // set password authentication provider on http port for the tests
+ config.setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_PORT, Port.AUTHENTICATION_PROVIDER,
+ TestBrokerConfiguration.ENTRY_NAME_AUTHENTICATION_PROVIDER);
+ config.setObjectAttribute(TestBrokerConfiguration.ENTRY_NAME_HTTP_MANAGEMENT, "httpBasicAuthenticationEnabled", true);
}
public RestTestHelper getRestTestHelper()
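Review bot: The last added line switches `httpBasicAuthenticationEnabled` on for the plain-HTTP management port in the configuration shared by all REST tests, while the comment in BasicAuthRestTest on this page describes BASIC as disabled by default on non-secure connections. The added comment mentions only the provider; I would extend it to `// test-only: enable BASIC over plain HTTP so RestTestHelper can send the webadmin credentials; the default leaves BASIC off on non-TLS ports` (confirm the default against the management plugin). With this override in the base class, the default-off behaviour is exercised only by tests that reset the attribute themselves. The enclosing method starts outside the hunk.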
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java
index 856fda9419..a5b1c4ff74 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/SaslRestTest.java
@@ -131,7 +131,7 @@ public class SaslRestTest extends QpidRestTestCase
os.flush();
int code = connection.getResponseCode();
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
List<String> cookies = connection.getHeaderFields().get("Set-Cookie");
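Review bot: The expected status is written as the bare number `401` here and in the five other hunks of this file, whereas BasicAuthRestTest in the same commit uses `HttpServletResponse.SC_UNAUTHORIZED`. Using the constant, `assertEquals("Unexpected response code", HttpServletResponse.SC_UNAUTHORIZED, code);`, would keep the two tests consistent; the import is not visible in these hunks and may need adding. The context comments ahead of two of the failed-login cases read "authenticate user with correct credentials" although the password or the user is wrong, and could be corrected in the same pass. Each enclosing test method starts and ends outside its hunk.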
@@ -156,7 +156,7 @@ public class SaslRestTest extends QpidRestTestCase
os.flush();
int code = connection.getResponseCode();
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
List<String> cookies = connection.getHeaderFields().get("Set-Cookie");
@@ -196,7 +196,7 @@ public class SaslRestTest extends QpidRestTestCase
// authenticate user with correct credentials
int code = authenticateUser(connection, "admin", "incorrect", "CRAM-MD5");
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
// request authenticated user details
connection = getRestTestHelper().openManagementConnection("/rest/sasl", "GET");
@@ -215,7 +215,7 @@ public class SaslRestTest extends QpidRestTestCase
// authenticate user with correct credentials
int code = authenticateUser(connection, "nonexisting", "admin", "CRAM-MD5");
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
// request authenticated user details
connection = getRestTestHelper().openManagementConnection("/rest/sasl", "GET");
@@ -254,7 +254,7 @@ public class SaslRestTest extends QpidRestTestCase
// try to authenticate user with incorrect passowrd
int code = authenticateUser(connection, "admin", "incorrect", "CRAM-MD5-HEX");
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
// request authenticated user details
connection = getRestTestHelper().openManagementConnection("/rest/sasl", "GET");
@@ -273,7 +273,7 @@ public class SaslRestTest extends QpidRestTestCase
// try to authenticate non-existing user
int code = authenticateUser(connection, "nonexisting", "admin", "CRAM-MD5-HEX");
- assertEquals("Unexpected response code", 403, code);
+ assertEquals("Unexpected response code", 401, code);
// request authenticated user details
connection = getRestTestHelper().openManagementConnection("/rest/sasl", "GET");
diff --git a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/UserRestTest.java b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/UserRestTest.java
index 017467a8be..e2a6762731 100644
--- a/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/UserRestTest.java
+++ b/qpid/java/systests/src/main/java/org/apache/qpid/systest/rest/UserRestTest.java
@@ -34,6 +34,7 @@ public class UserRestTest extends QpidRestTestCase
getRestTestHelper().configureTemporaryPasswordFile(this, "user1", "user2");
super.setUp(); // do this last because it starts the broker, using the modified config
+ getRestTestHelper().setUsernameAndPassword("user1", "user1");
}
public void testGet() throws Exception
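Review bot: The added call sits after the line commented "do this last because it starts the broker", so that comment no longer describes the order of setUp. I would put `// authenticate as user1 from the temporary password file configured above (the helper appears to use the user name as the password; confirm)` on the new line. The earlier comment could then say that the broker must start only after the password file is configured. setUp starts outside the hunk.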