From 58d9bbe8617e61e9cd503f18e914472a7ff5c43d Mon Sep 17 00:00:00 2001 From: Keith Wall Date: Fri, 28 Sep 2012 12:46:06 +0000 Subject: QPID-4334: removed the firewall plugin and moved its functionality into the Access Control plugin. Applied patch from Philip Harvey . git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1391430 13f79535-47bb-0310-9956-ffa450edef68 --- .../security/access/FirewallConfigurationTest.java | 322 --------------------- .../server/security/access/FirewallPluginTest.java | 294 ------------------- 2 files changed, 616 deletions(-) delete mode 100644 qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java delete mode 100644 qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java (limited to 'qpid/java/broker-plugins/firewall/src/test') diff --git a/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java b/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java deleted file mode 100644 index 8969363979..0000000000 --- a/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallConfigurationTest.java +++ /dev/null @@ -1,322 +0,0 @@ -/* - * - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.qpid.server.security.access; - -import org.apache.qpid.server.registry.ApplicationRegistry; -import org.apache.qpid.server.registry.ConfigurationFileApplicationRegistry; -import org.apache.qpid.server.virtualhost.VirtualHost; -import org.apache.qpid.server.virtualhost.VirtualHostRegistry; -import org.apache.qpid.test.utils.QpidTestCase; - -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.io.RandomAccessFile; -import java.net.InetSocketAddress; - -public class FirewallConfigurationTest extends QpidTestCase -{ - @Override - protected void tearDown() throws Exception - { - super.tearDown(); - ApplicationRegistry.remove(); - } - - public void testFirewallConfiguration() throws Exception - { - // Write out config - File mainFile = File.createTempFile(getClass().getName(), null); - mainFile.deleteOnExit(); - writeConfigFile(mainFile, false); - - // Load config - ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); - ApplicationRegistry.initialise(reg); - - // Test config - assertFalse(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - assertTrue(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.1.2.3", 65535))); - } - - public void testCombinedConfigurationFirewall() throws Exception - { - // Write out config - File mainFile = File.createTempFile(getClass().getName(), null); - File fileA = File.createTempFile(getClass().getName(), null); - File fileB = File.createTempFile(getClass().getName(), null); - - mainFile.deleteOnExit(); - fileA.deleteOnExit(); - fileB.deleteOnExit(); - - FileWriter out = new FileWriter(mainFile); - out.write(""); - out.write(""); - out.write(""); - out.close(); - - out = new FileWriter(fileA); - out.write("\n"); - out.write("\t${QPID_HOME}/lib/plugins\n"); - out.write("\t${QPID_WORK}/cache\n"); - out.write("\tfalse\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\t\torg.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\t\tpasswordFile\n"); - out.write("\t\t\t\t\t\t/dev/null\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\ttest\n"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\n"); - out.close(); - - out = new FileWriter(fileB); - out.write("\n"); - out.write("\t"); - out.write("\n"); - out.close(); - - // Load config - ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); - ApplicationRegistry.initialise(reg); - - // Test config - assertFalse(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - } - - public void testConfigurationFirewallReload() throws Exception - { - // Write out config - File mainFile = File.createTempFile(getClass().getName(), null); - - mainFile.deleteOnExit(); - writeConfigFile(mainFile, false); - - // Load config - ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); - ApplicationRegistry.initialise(reg); - - // Test config - assertFalse(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - - // Switch to deny the connection - writeConfigFile(mainFile, true); - - reg.getConfiguration().reparseConfigFileSecuritySections(); - - assertTrue(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - } - - public void testCombinedConfigurationFirewallReload() throws Exception - { - // Write out config - File mainFile = File.createTempFile(getClass().getName(), null); - File fileA = File.createTempFile(getClass().getName(), null); - File fileB = File.createTempFile(getClass().getName(), null); - - mainFile.deleteOnExit(); - fileA.deleteOnExit(); - fileB.deleteOnExit(); - - FileWriter out = new FileWriter(mainFile); - out.write(""); - out.write(""); - out.write(""); - out.close(); - - out = new FileWriter(fileA); - out.write("\n"); - out.write("\t${QPID_HOME}/lib/plugins\n"); - out.write("\tfalse\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\t\torg.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\t\tpasswordFile\n"); - out.write("\t\t\t\t\t\t/dev/null\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\ttest\n"); - out.write("\t\t\n"); - out.write("\t\n"); - out.write("\n"); - out.close(); - - out = new FileWriter(fileB); - out.write("\n"); - out.write("\t"); - out.write("\n"); - out.close(); - - // Load config - ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); - ApplicationRegistry.initialise(reg); - - // Test config - assertFalse(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - - RandomAccessFile fileBRandom = new RandomAccessFile(fileB, "rw"); - fileBRandom.setLength(0); - fileBRandom.seek(0); - fileBRandom.close(); - - out = new FileWriter(fileB); - out.write("\n"); - out.write("\t"); - out.write("\n"); - out.close(); - - reg.getConfiguration().reparseConfigFileSecuritySections(); - - assertTrue(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - - fileBRandom = new RandomAccessFile(fileB, "rw"); - fileBRandom.setLength(0); - fileBRandom.seek(0); - fileBRandom.close(); - - out = new FileWriter(fileB); - out.write("\n"); - out.write("\t"); - out.write("\n"); - out.close(); - - reg.getConfiguration().reparseConfigFileSecuritySections(); - - assertFalse(reg.getSecurityManager().accessVirtualhost("test", new InetSocketAddress("127.0.0.1", 65535))); - } - - private void writeFirewallVhostsFile(File vhostsFile, boolean allow) throws IOException - { - FileWriter out = new FileWriter(vhostsFile); - String ipAddr = "127.0.0.1"; // FIXME: get this from InetAddress.getLocalHost().getAddress() ? - out.write(""); - out.write("test"); - out.write(""); - out.write(""); - out.write(""); - out.write(""); - out.write(""); - out.write(""); - out.close(); - } - - private void writeConfigFile(File mainFile, boolean allow) throws IOException { - writeConfigFile(mainFile, allow, true, null, "test"); - } - - /* - XMLConfiguration config = new XMLConfiguration(mainFile); - PluginManager pluginManager = new MockPluginManager(""); - SecurityManager manager = new SecurityManager(config, pluginManager, Firewall.FACTORY); - - */ - private void writeConfigFile(File mainFile, boolean allow, boolean includeVhosts, File vhostsFile, String name) throws IOException { - FileWriter out = new FileWriter(mainFile); - out.write("\n"); - out.write("\t${QPID_HOME}/lib/plugins\n"); - out.write("\tfalse\n"); - out.write("\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\t\torg.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\t\tpasswordFile\n"); - out.write("\t\t\t\t\t\t/dev/null\n"); - out.write("\t\t\t\t\t\n"); - out.write("\t\t\t\t\n"); - out.write("\t\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\n"); - out.write("\t\t\t"); - out.write("\t\t\n"); - out.write("\t\n"); - if (includeVhosts) - { - out.write("\t\n"); - out.write("\t\ttest\n"); - out.write("\t\t\n"); - out.write(String.format("\t\t\t%s\n", name)); - out.write("\t\t\n"); - out.write("\t\n"); - } - if (vhostsFile != null) - { - out.write("\t"+vhostsFile.getAbsolutePath()+"\n"); - } - out.write("\n"); - out.close(); - } - - /** - * Test that configuration loads correctly when virtual hosts are specified in an external - * configuration file only. - *

- * Test for QPID-2360 - */ - public void testExternalFirewallVirtualhostXMLFile() throws Exception - { - // Write out config - File mainFile = File.createTempFile(getClass().getName(), "config"); - mainFile.deleteOnExit(); - File vhostsFile = File.createTempFile(getClass().getName(), "vhosts"); - vhostsFile.deleteOnExit(); - writeConfigFile(mainFile, false, false, vhostsFile, null); - writeFirewallVhostsFile(vhostsFile, false); - - // Load config - ApplicationRegistry reg = new ConfigurationFileApplicationRegistry(mainFile); - ApplicationRegistry.initialise(reg); - - // Test config - VirtualHostRegistry virtualHostRegistry = reg.getVirtualHostRegistry(); - VirtualHost virtualHost = virtualHostRegistry.getVirtualHost("test"); - - assertEquals("Incorrect virtualhost count", 1, virtualHostRegistry.getVirtualHosts().size()); - assertEquals("Incorrect virtualhost name", "test", virtualHost.getName()); - } -} diff --git a/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java b/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java deleted file mode 100644 index 2004852c48..0000000000 --- a/qpid/java/broker-plugins/firewall/src/test/java/org/apache/qpid/server/security/access/FirewallPluginTest.java +++ /dev/null @@ -1,294 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.qpid.server.security.access; - -import org.apache.commons.configuration.ConfigurationException; -import org.apache.commons.configuration.XMLConfiguration; - -import org.apache.qpid.server.configuration.ServerConfiguration; -import org.apache.qpid.server.registry.ApplicationRegistry; -import org.apache.qpid.server.security.Result; -import org.apache.qpid.server.security.access.plugins.Firewall; -import org.apache.qpid.server.security.access.plugins.FirewallConfiguration; -import org.apache.qpid.server.util.TestApplicationRegistry; -import org.apache.qpid.test.utils.QpidTestCase; - -import java.io.BufferedWriter; -import java.io.File; -import java.io.FileWriter; -import java.io.IOException; -import java.net.InetSocketAddress; -import java.net.SocketAddress; - -public class FirewallPluginTest extends QpidTestCase -{ - public class RuleInfo - { - private String _access; - private String _network; - private String _hostname; - - public void setAccess(String _access) - { - this._access = _access; - } - - public String getAccess() - { - return _access; - } - - public void setNetwork(String _network) - { - this._network = _network; - } - - public String getNetwork() - { - return _network; - } - - public void setHostname(String _hostname) - { - this._hostname = _hostname; - } - - public String getHostname() - { - return _hostname; - } - } - - // IP address - private SocketAddress _address; - private ServerConfiguration _serverConfig; - - @Override - protected void setUp() throws Exception - { - super.setUp(); - _serverConfig = new ServerConfiguration(new XMLConfiguration()); - ApplicationRegistry.initialise(new TestApplicationRegistry(_serverConfig)); - _address = new InetSocketAddress("127.0.0.1", 65535); - } - - @Override - protected void tearDown() throws Exception - { - super.tearDown(); - ApplicationRegistry.remove(); - } - private Firewall initialisePlugin(String defaultAction, RuleInfo[] rules) throws IOException, ConfigurationException - { - // Create sample config file - File confFile = File.createTempFile(getClass().getSimpleName()+"conffile", null); - confFile.deleteOnExit(); - BufferedWriter buf = new BufferedWriter(new FileWriter(confFile)); - buf.write("\n"); - if (rules != null) - { - for (RuleInfo rule : rules) - { - buf.write("\n"); - } - } - buf.write(""); - buf.close(); - - // Configure plugin - FirewallConfiguration config = new FirewallConfiguration(); - config.setConfiguration("", new XMLConfiguration(confFile)); - Firewall plugin = new Firewall(); - plugin.configure(config); - return plugin; - } - - private Firewall initialisePlugin(String string) throws ConfigurationException, IOException - { - return initialisePlugin(string, null); - } - - public void testDefaultAction() throws Exception - { - // Test simple deny - Firewall plugin = initialisePlugin("deny"); - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Test simple allow - plugin = initialisePlugin("allow"); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - - public void testSingleIPRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setNetwork("192.168.23.23"); - - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testSingleNetworkRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setNetwork("192.168.23.0/24"); - - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testSingleHostRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - rule.setHostname(new InetSocketAddress("127.0.0.1", 5672).getHostName()); - - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("127.0.0.1", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testSingleHostWilcardRule() throws Exception - { - RuleInfo rule = new RuleInfo(); - rule.setAccess("allow"); - String hostname = new InetSocketAddress("127.0.0.1", 0).getHostName(); - rule.setHostname(".*"+hostname.subSequence(hostname.length() - 1, hostname.length())+"*"); - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{rule}); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("127.0.0.1", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testSeveralFirstAllowsAccess() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("192.168.23.23"); - - RuleInfo secondRule = new RuleInfo(); - secondRule.setAccess("deny"); - secondRule.setNetwork("192.168.42.42"); - - RuleInfo thirdRule = new RuleInfo(); - thirdRule.setAccess("deny"); - thirdRule.setHostname("localhost"); - - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testSeveralLastAllowsAccess() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("deny"); - firstRule.setHostname("localhost"); - - RuleInfo secondRule = new RuleInfo(); - secondRule.setAccess("deny"); - secondRule.setNetwork("192.168.42.42"); - - RuleInfo thirdRule = new RuleInfo(); - thirdRule.setAccess("allow"); - thirdRule.setNetwork("192.168.23.23"); - - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule, secondRule, thirdRule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testNetmask() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("192.168.23.0/24"); - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testCommaSeperatedNetmask() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setNetwork("10.1.1.1/8, 192.168.23.0/24"); - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("192.168.23.23", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } - - public void testCommaSeperatedHostnames() throws Exception - { - RuleInfo firstRule = new RuleInfo(); - firstRule.setAccess("allow"); - firstRule.setHostname("foo, bar, "+new InetSocketAddress("127.0.0.1", 5672).getHostName()); - Firewall plugin = initialisePlugin("deny", new RuleInfo[]{firstRule}); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("10.0.0.1", 65535); - assertEquals(Result.DENIED, plugin.access(ObjectType.VIRTUALHOST, _address)); - - // Set IP so that we're connected from the right address - _address = new InetSocketAddress("127.0.0.1", 65535); - assertEquals(Result.ALLOWED, plugin.access(ObjectType.VIRTUALHOST, _address)); - } -} -- cgit v1.2.1