private ManagementResourceRegistration getDummyRegistration() { return ManagementResourceRegistration.Factory.create( new DescriptionProvider() { @Override public ModelNode getModelDescription(Locale locale) { return new ModelNode(); } }); }
/** @author Ladislav Thon <*****@*****.**> */ public class DefaultPermissionFactoryTestCase { private static final ManagementResourceRegistration ROOT_RR = ManagementResourceRegistration.Factory.create( new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) { @Override public List<AccessConstraintDefinition> getAccessConstraints() { return Collections.emptyList(); } }); private static final AuthorizerConfiguration PERMISSIVE; private static final AuthorizerConfiguration REJECTING; static { PERMISSIVE = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION); WritableAuthorizerConfiguration rejecting = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION); rejecting.setPermissionCombinationPolicy(CombinationPolicy.REJECTING); REJECTING = rejecting; } private Caller caller; private Environment environment; @Before public void setUp() { caller = Caller.createCaller(null); ControlledProcessState processState = new ControlledProcessState(false); processState.setRunning(); environment = new Environment(processState, ProcessType.EMBEDDED_SERVER); } @Test public void testSingleRoleRejectingCombinationPolicy() { testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true); testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false); testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true); testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false); } @Test public void testSingleRolePermissiveCombinationPolicy() { testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true); testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false); testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true); testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false); } @Test public void testSingleUserRoleMoreAllowedRoles() { testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR}, new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR}, true); testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR}, new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR}, false); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR}, new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR}, true); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR}, new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR}, false); } @Test public void testMoreUserRolesSingleAllowedRole() { testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.MONITOR}, true); testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.OPERATOR}, true); testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.ADMINISTRATOR}, false); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.MONITOR}, true); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.OPERATOR}, true); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.ADMINISTRATOR}, false); } @Test public void testMoreUserRolesMoreAllowedRoles() { testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, true); testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR}, true); testResource( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR}, false); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, true); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR}, true); testAttribute( PERMISSIVE, new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR}, new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR}, false); } private void testResourceSingleRole( AuthorizerConfiguration authorizerConfiguration, StandardRole userRole, StandardRole allowedRole, boolean accessExpectation) { testResource( authorizerConfiguration, new StandardRole[] {userRole}, new StandardRole[] {allowedRole}, accessExpectation); } private void testAttributeSingleRole( AuthorizerConfiguration authorizerConfiguration, StandardRole userRole, StandardRole allowedRole, boolean accessExpectation) { testAttribute( authorizerConfiguration, new StandardRole[] {userRole}, new StandardRole[] {allowedRole}, accessExpectation); } private void testResource( AuthorizerConfiguration authorizerConfiguration, StandardRole[] userRoles, StandardRole[] allowedRoles, boolean accessExpectation) { ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles); TestRoleMapper roleMapper = new TestRoleMapper(userRoles); DefaultPermissionFactory permissionFactory = new DefaultPermissionFactory( roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration); Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); PermissionCollection userPermissions = permissionFactory.getUserPermissions(caller, environment, action, targetResource); PermissionCollection requiredPermissions = permissionFactory.getRequiredPermissions(action, targetResource); for (Permission requiredPermission : toSet(requiredPermissions)) { assertEquals(accessExpectation, userPermissions.implies(requiredPermission)); } } private void testAttribute( AuthorizerConfiguration authorizerConfiguration, StandardRole[] userRoles, StandardRole[] allowedRoles, boolean accessExpectation) { ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles); TestRoleMapper roleMapper = new TestRoleMapper(userRoles); DefaultPermissionFactory permissionFactory = new DefaultPermissionFactory( roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration); Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); TargetAttribute targetAttribute = new TargetAttribute("test", null, new ModelNode(), targetResource); PermissionCollection userPermissions = permissionFactory.getUserPermissions(caller, environment, action, targetAttribute); PermissionCollection requiredPermissions = permissionFactory.getRequiredPermissions(action, targetAttribute); for (Permission requiredPermission : toSet(requiredPermissions)) { assertEquals(accessExpectation, userPermissions.implies(requiredPermission)); } } @Test public void testRoleCombinationRejecting() { Action action = new Action( null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); DefaultPermissionFactory permissionFactory = null; try { permissionFactory = new DefaultPermissionFactory( new TestRoleMapper(), Collections.<ConstraintFactory>emptySet(), REJECTING); permissionFactory.getUserPermissions(caller, environment, action, targetResource); } catch (Exception e) { fail(); } try { permissionFactory = new DefaultPermissionFactory( new TestRoleMapper(StandardRole.MONITOR), Collections.<ConstraintFactory>emptySet(), REJECTING); permissionFactory.getUserPermissions(caller, environment, action, targetResource); } catch (Exception e) { fail(); } permissionFactory = new DefaultPermissionFactory( new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER), REJECTING); try { permissionFactory.getUserPermissions(caller, environment, action, targetResource); fail(); } catch (Exception e) { /* expected */ } permissionFactory = new DefaultPermissionFactory( new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER, StandardRole.AUDITOR), Collections.<ConstraintFactory>emptySet(), REJECTING); try { permissionFactory.getUserPermissions(caller, environment, action, targetResource); fail(); } catch (Exception e) { /* expected */ } } // --- private static Set<Permission> toSet(PermissionCollection permissionCollection) { Set<Permission> result = new HashSet<>(); Enumeration<Permission> elements = permissionCollection.elements(); while (elements.hasMoreElements()) { result.add(elements.nextElement()); } return Collections.unmodifiableSet(result); } private static final class TestRoleMapper implements RoleMapper { private final Set<String> roles; private TestRoleMapper(StandardRole... roles) { Set<String> stringRoles = new HashSet<>(); for (StandardRole role : roles) { stringRoles.add(role.name()); } this.roles = Collections.unmodifiableSet(stringRoles); } @Override public Set<String> mapRoles( Caller caller, Environment callEnvironment, Action action, TargetAttribute attribute) { return roles; } @Override public Set<String> mapRoles( Caller caller, Environment callEnvironment, Action action, TargetResource resource) { return roles; } @Override public Set<String> mapRoles( Caller caller, Environment callEnvironment, Set<String> operationHeaderRoles) { return roles; } @Override public boolean canRunAs(Set<String> mappedRoles, String runAsRole) { return runAsRole != null && roles.contains(runAsRole) && mappedRoles.contains(StandardRole.SUPERUSER.toString()); } } private static final class TestConstraintFactory implements ConstraintFactory { private final Set<StandardRole> allowedRoles; private TestConstraintFactory(StandardRole... allowedRoles) { Set<StandardRole> roles = new HashSet<>(); for (StandardRole allowedRole : allowedRoles) { roles.add(allowedRole); } this.allowedRoles = Collections.unmodifiableSet(roles); } @Override public Constraint getStandardUserConstraint( StandardRole role, Action.ActionEffect actionEffect) { boolean allowed = allowedRoles.contains(role); return new TestConstraint(allowed); } @Override public Constraint getRequiredConstraint( Action.ActionEffect actionEffect, Action action, TargetAttribute target) { return new TestConstraint(true); } @Override public Constraint getRequiredConstraint( Action.ActionEffect actionEffect, Action action, TargetResource target) { return new TestConstraint(true); } @Override public boolean equals(Object obj) { return obj instanceof TestConstraintFactory; } @Override public int hashCode() { return 0; } @Override public int compareTo(ConstraintFactory o) { return this.equals(o) ? 0 : -1; } } private static final class TestConstraint implements Constraint { private final boolean allowed; private TestConstraint(boolean allowed) { this.allowed = allowed; } @Override public boolean violates(Constraint other, Action.ActionEffect actionEffect) { if (other instanceof TestConstraint) { return this.allowed != ((TestConstraint) other).allowed; } return false; } @Override public boolean replaces(Constraint other) { return false; } } }
public void start(final StartContext context) throws StartException { if (configurationPersister == null) { throw MESSAGES.persisterNotInjected(); } final ServiceController<?> serviceController = context.getController(); final ServiceContainer container = serviceController.getServiceContainer(); final ServiceTarget target = context.getChildTarget(); final ExecutorService executorService = injectedExecutorService.getOptionalValue(); ManagementResourceRegistration rootResourceRegistration = rootDescriptionProvider != null ? ManagementResourceRegistration.Factory.create(rootDescriptionProvider) : ManagementResourceRegistration.Factory.create(rootResourceDefinition); final ModelControllerImpl controller = new ModelControllerImpl( container, target, rootResourceRegistration, new ContainerStateMonitor(container), configurationPersister, processType, runningModeControl, prepareStep, processState, executorService, expressionResolver, authorizer, auditLogger); // Initialize the model initModel(controller.getRootResource(), controller.getRootRegistration()); this.controller = controller; final long bootStackSize = getBootStackSize(); final Thread bootThread = new Thread( null, new Runnable() { public void run() { try { try { boot( new BootContext() { public ServiceTarget getServiceTarget() { return target; } }); } finally { processState.setRunning(); } } catch (Throwable t) { container.shutdown(); if (t instanceof StackOverflowError) { ROOT_LOGGER.errorBootingContainer(t, bootStackSize, BOOT_STACK_SIZE_PROPERTY); } else { ROOT_LOGGER.errorBootingContainer(t); } } finally { bootThreadDone(); } } }, "Controller Boot Thread", bootStackSize); bootThread.start(); }
@Before public void setup() { rootRegistration = ManagementResourceRegistration.Factory.create(new TestDescriptionProvider("RootResource")); }
/** @author Ladislav Thon <*****@*****.**> */ public class ManagementPermissionAuthorizerTestCase { private static final ManagementResourceRegistration ROOT_RR = ManagementResourceRegistration.Factory.create( new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) { @Override public List<AccessConstraintDefinition> getAccessConstraints() { return Collections.emptyList(); } }); private Caller caller; private Environment environment; private ManagementPermissionAuthorizer authorizer; @Before public void setUp() { caller = Caller.createCaller(null); ControlledProcessState processState = new ControlledProcessState(false); processState.setRunning(); environment = new Environment(processState, ProcessType.EMBEDDED_SERVER); TestPermissionFactory testPermissionFactory = new TestPermissionFactory(); authorizer = new ManagementPermissionAuthorizer(testPermissionFactory, testPermissionFactory); } @Test public void testAuthorizerResourcePermit() { Action action = new Action( null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource); assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision()); } @Test public void testAuthorizerResourceDeny() { Action action = new Action( null, null, EnumSet.of( Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG, Action.ActionEffect.WRITE_CONFIG)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource); assertEquals(AuthorizationResult.Decision.DENY, result.getDecision()); } @Test public void testAuthorizerAttributePermit() { Action action = new Action( null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); TargetAttribute targetAttribute = new TargetAttribute("test", null, new ModelNode(), targetResource); AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute); assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision()); } @Test public void testAuthorizerAttributeDeny() { Action action = new Action( null, null, EnumSet.of( Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG, Action.ActionEffect.WRITE_CONFIG)); TargetResource targetResource = TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null); TargetAttribute targetAttribute = new TargetAttribute("test", null, new ModelNode(), targetResource); AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute); assertEquals(AuthorizationResult.Decision.DENY, result.getDecision()); } // --- private static final class TestPermissionFactory implements PermissionFactory, JmxPermissionFactory { private PermissionCollection getUserPermissions() { ManagementPermissionCollection mpc = new ManagementPermissionCollection("test", TestManagementPermission.class); mpc.add(new TestManagementPermission(Action.ActionEffect.ADDRESS)); mpc.add(new TestManagementPermission(Action.ActionEffect.READ_CONFIG)); mpc.add(new TestManagementPermission(Action.ActionEffect.READ_RUNTIME)); return mpc; } private PermissionCollection getRequiredPermissions(Action action) { ManagementPermissionCollection mpc = new ManagementPermissionCollection(TestManagementPermission.class); for (Action.ActionEffect actionEffect : action.getActionEffects()) { mpc.add(new TestManagementPermission(actionEffect)); } return mpc; } @Override public PermissionCollection getUserPermissions( Caller caller, Environment callEnvironment, Action action, TargetAttribute target) { return getUserPermissions(); } @Override public PermissionCollection getUserPermissions( Caller caller, Environment callEnvironment, Action action, TargetResource target) { return getUserPermissions(); } @Override public PermissionCollection getRequiredPermissions(Action action, TargetAttribute target) { return getRequiredPermissions(action); } @Override public PermissionCollection getRequiredPermissions(Action action, TargetResource target) { return getRequiredPermissions(action); } @Override public boolean isNonFacadeMBeansSensitive() { return false; } @Override public Set<String> getUserRoles( Caller caller, Environment callEnvironment, Action action, TargetResource target) { return null; } } private static final class TestManagementPermission extends ManagementPermission { private TestManagementPermission(Action.ActionEffect actionEffect) { super("test", actionEffect); } @Override public boolean implies(Permission permission) { return equals(permission); } } }