コード例 #1
0
 private ManagementResourceRegistration getDummyRegistration() {
   return ManagementResourceRegistration.Factory.create(
       new DescriptionProvider() {
         @Override
         public ModelNode getModelDescription(Locale locale) {
           return new ModelNode();
         }
       });
 }
コード例 #2
0
/** @author Ladislav Thon <*****@*****.**> */
public class DefaultPermissionFactoryTestCase {

  private static final ManagementResourceRegistration ROOT_RR =
      ManagementResourceRegistration.Factory.create(
          new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) {
            @Override
            public List<AccessConstraintDefinition> getAccessConstraints() {
              return Collections.emptyList();
            }
          });

  private static final AuthorizerConfiguration PERMISSIVE;
  private static final AuthorizerConfiguration REJECTING;

  static {
    PERMISSIVE = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION);
    WritableAuthorizerConfiguration rejecting =
        new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION);
    rejecting.setPermissionCombinationPolicy(CombinationPolicy.REJECTING);
    REJECTING = rejecting;
  }

  private Caller caller;
  private Environment environment;

  @Before
  public void setUp() {
    caller = Caller.createCaller(null);
    ControlledProcessState processState = new ControlledProcessState(false);
    processState.setRunning();
    environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
  }

  @Test
  public void testSingleRoleRejectingCombinationPolicy() {
    testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true);
    testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false);

    testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true);
    testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false);
  }

  @Test
  public void testSingleRolePermissiveCombinationPolicy() {
    testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true);
    testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false);

    testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true);
    testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false);
  }

  @Test
  public void testSingleUserRoleMoreAllowedRoles() {
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR},
        new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR},
        true);
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR},
        new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
        false);

    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR},
        new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR},
        true);
    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR},
        new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
        false);
  }

  @Test
  public void testMoreUserRolesSingleAllowedRole() {
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.MONITOR},
        true);
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.OPERATOR},
        true);
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.ADMINISTRATOR},
        false);

    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.MONITOR},
        true);
    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.OPERATOR},
        true);
    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.ADMINISTRATOR},
        false);
  }

  @Test
  public void testMoreUserRolesMoreAllowedRoles() {
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        true);
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
        true);
    testResource(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR},
        false);

    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        true);
    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
        true);
    testAttribute(
        PERMISSIVE,
        new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
        new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR},
        false);
  }

  private void testResourceSingleRole(
      AuthorizerConfiguration authorizerConfiguration,
      StandardRole userRole,
      StandardRole allowedRole,
      boolean accessExpectation) {
    testResource(
        authorizerConfiguration,
        new StandardRole[] {userRole},
        new StandardRole[] {allowedRole},
        accessExpectation);
  }

  private void testAttributeSingleRole(
      AuthorizerConfiguration authorizerConfiguration,
      StandardRole userRole,
      StandardRole allowedRole,
      boolean accessExpectation) {
    testAttribute(
        authorizerConfiguration,
        new StandardRole[] {userRole},
        new StandardRole[] {allowedRole},
        accessExpectation);
  }

  private void testResource(
      AuthorizerConfiguration authorizerConfiguration,
      StandardRole[] userRoles,
      StandardRole[] allowedRoles,
      boolean accessExpectation) {

    ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles);
    TestRoleMapper roleMapper = new TestRoleMapper(userRoles);
    DefaultPermissionFactory permissionFactory =
        new DefaultPermissionFactory(
            roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration);

    Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);

    PermissionCollection userPermissions =
        permissionFactory.getUserPermissions(caller, environment, action, targetResource);
    PermissionCollection requiredPermissions =
        permissionFactory.getRequiredPermissions(action, targetResource);

    for (Permission requiredPermission : toSet(requiredPermissions)) {
      assertEquals(accessExpectation, userPermissions.implies(requiredPermission));
    }
  }

  private void testAttribute(
      AuthorizerConfiguration authorizerConfiguration,
      StandardRole[] userRoles,
      StandardRole[] allowedRoles,
      boolean accessExpectation) {

    ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles);
    TestRoleMapper roleMapper = new TestRoleMapper(userRoles);
    DefaultPermissionFactory permissionFactory =
        new DefaultPermissionFactory(
            roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration);

    Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    TargetAttribute targetAttribute =
        new TargetAttribute("test", null, new ModelNode(), targetResource);

    PermissionCollection userPermissions =
        permissionFactory.getUserPermissions(caller, environment, action, targetAttribute);
    PermissionCollection requiredPermissions =
        permissionFactory.getRequiredPermissions(action, targetAttribute);

    for (Permission requiredPermission : toSet(requiredPermissions)) {
      assertEquals(accessExpectation, userPermissions.implies(requiredPermission));
    }
  }

  @Test
  public void testRoleCombinationRejecting() {
    Action action =
        new Action(
            null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);

    DefaultPermissionFactory permissionFactory = null;
    try {
      permissionFactory =
          new DefaultPermissionFactory(
              new TestRoleMapper(), Collections.<ConstraintFactory>emptySet(), REJECTING);
      permissionFactory.getUserPermissions(caller, environment, action, targetResource);
    } catch (Exception e) {
      fail();
    }

    try {
      permissionFactory =
          new DefaultPermissionFactory(
              new TestRoleMapper(StandardRole.MONITOR),
              Collections.<ConstraintFactory>emptySet(),
              REJECTING);
      permissionFactory.getUserPermissions(caller, environment, action, targetResource);
    } catch (Exception e) {
      fail();
    }

    permissionFactory =
        new DefaultPermissionFactory(
            new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER), REJECTING);
    try {
      permissionFactory.getUserPermissions(caller, environment, action, targetResource);
      fail();
    } catch (Exception e) {
      /* expected */
    }

    permissionFactory =
        new DefaultPermissionFactory(
            new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER, StandardRole.AUDITOR),
            Collections.<ConstraintFactory>emptySet(),
            REJECTING);
    try {
      permissionFactory.getUserPermissions(caller, environment, action, targetResource);
      fail();
    } catch (Exception e) {
      /* expected */
    }
  }

  // ---

  private static Set<Permission> toSet(PermissionCollection permissionCollection) {
    Set<Permission> result = new HashSet<>();
    Enumeration<Permission> elements = permissionCollection.elements();
    while (elements.hasMoreElements()) {
      result.add(elements.nextElement());
    }
    return Collections.unmodifiableSet(result);
  }

  private static final class TestRoleMapper implements RoleMapper {
    private final Set<String> roles;

    private TestRoleMapper(StandardRole... roles) {
      Set<String> stringRoles = new HashSet<>();
      for (StandardRole role : roles) {
        stringRoles.add(role.name());
      }
      this.roles = Collections.unmodifiableSet(stringRoles);
    }

    @Override
    public Set<String> mapRoles(
        Caller caller, Environment callEnvironment, Action action, TargetAttribute attribute) {
      return roles;
    }

    @Override
    public Set<String> mapRoles(
        Caller caller, Environment callEnvironment, Action action, TargetResource resource) {
      return roles;
    }

    @Override
    public Set<String> mapRoles(
        Caller caller, Environment callEnvironment, Set<String> operationHeaderRoles) {
      return roles;
    }

    @Override
    public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
      return runAsRole != null
          && roles.contains(runAsRole)
          && mappedRoles.contains(StandardRole.SUPERUSER.toString());
    }
  }

  private static final class TestConstraintFactory implements ConstraintFactory {
    private final Set<StandardRole> allowedRoles;

    private TestConstraintFactory(StandardRole... allowedRoles) {
      Set<StandardRole> roles = new HashSet<>();
      for (StandardRole allowedRole : allowedRoles) {
        roles.add(allowedRole);
      }
      this.allowedRoles = Collections.unmodifiableSet(roles);
    }

    @Override
    public Constraint getStandardUserConstraint(
        StandardRole role, Action.ActionEffect actionEffect) {
      boolean allowed = allowedRoles.contains(role);
      return new TestConstraint(allowed);
    }

    @Override
    public Constraint getRequiredConstraint(
        Action.ActionEffect actionEffect, Action action, TargetAttribute target) {
      return new TestConstraint(true);
    }

    @Override
    public Constraint getRequiredConstraint(
        Action.ActionEffect actionEffect, Action action, TargetResource target) {
      return new TestConstraint(true);
    }

    @Override
    public boolean equals(Object obj) {
      return obj instanceof TestConstraintFactory;
    }

    @Override
    public int hashCode() {
      return 0;
    }

    @Override
    public int compareTo(ConstraintFactory o) {
      return this.equals(o) ? 0 : -1;
    }
  }

  private static final class TestConstraint implements Constraint {
    private final boolean allowed;

    private TestConstraint(boolean allowed) {
      this.allowed = allowed;
    }

    @Override
    public boolean violates(Constraint other, Action.ActionEffect actionEffect) {
      if (other instanceof TestConstraint) {
        return this.allowed != ((TestConstraint) other).allowed;
      }
      return false;
    }

    @Override
    public boolean replaces(Constraint other) {
      return false;
    }
  }
}
コード例 #3
0
  public void start(final StartContext context) throws StartException {

    if (configurationPersister == null) {
      throw MESSAGES.persisterNotInjected();
    }
    final ServiceController<?> serviceController = context.getController();
    final ServiceContainer container = serviceController.getServiceContainer();
    final ServiceTarget target = context.getChildTarget();
    final ExecutorService executorService = injectedExecutorService.getOptionalValue();
    ManagementResourceRegistration rootResourceRegistration =
        rootDescriptionProvider != null
            ? ManagementResourceRegistration.Factory.create(rootDescriptionProvider)
            : ManagementResourceRegistration.Factory.create(rootResourceDefinition);
    final ModelControllerImpl controller =
        new ModelControllerImpl(
            container,
            target,
            rootResourceRegistration,
            new ContainerStateMonitor(container),
            configurationPersister,
            processType,
            runningModeControl,
            prepareStep,
            processState,
            executorService,
            expressionResolver,
            authorizer,
            auditLogger);

    // Initialize the model
    initModel(controller.getRootResource(), controller.getRootRegistration());
    this.controller = controller;

    final long bootStackSize = getBootStackSize();
    final Thread bootThread =
        new Thread(
            null,
            new Runnable() {
              public void run() {
                try {
                  try {
                    boot(
                        new BootContext() {
                          public ServiceTarget getServiceTarget() {
                            return target;
                          }
                        });
                  } finally {
                    processState.setRunning();
                  }
                } catch (Throwable t) {
                  container.shutdown();
                  if (t instanceof StackOverflowError) {
                    ROOT_LOGGER.errorBootingContainer(t, bootStackSize, BOOT_STACK_SIZE_PROPERTY);
                  } else {
                    ROOT_LOGGER.errorBootingContainer(t);
                  }
                } finally {
                  bootThreadDone();
                }
              }
            },
            "Controller Boot Thread",
            bootStackSize);
    bootThread.start();
  }
 @Before
 public void setup() {
   rootRegistration =
       ManagementResourceRegistration.Factory.create(new TestDescriptionProvider("RootResource"));
 }
コード例 #5
0
/** @author Ladislav Thon <*****@*****.**> */
public class ManagementPermissionAuthorizerTestCase {

  private static final ManagementResourceRegistration ROOT_RR =
      ManagementResourceRegistration.Factory.create(
          new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) {
            @Override
            public List<AccessConstraintDefinition> getAccessConstraints() {
              return Collections.emptyList();
            }
          });

  private Caller caller;
  private Environment environment;
  private ManagementPermissionAuthorizer authorizer;

  @Before
  public void setUp() {
    caller = Caller.createCaller(null);
    ControlledProcessState processState = new ControlledProcessState(false);
    processState.setRunning();
    environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
    TestPermissionFactory testPermissionFactory = new TestPermissionFactory();
    authorizer = new ManagementPermissionAuthorizer(testPermissionFactory, testPermissionFactory);
  }

  @Test
  public void testAuthorizerResourcePermit() {
    Action action =
        new Action(
            null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);

    assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
  }

  @Test
  public void testAuthorizerResourceDeny() {
    Action action =
        new Action(
            null,
            null,
            EnumSet.of(
                Action.ActionEffect.ADDRESS,
                Action.ActionEffect.READ_CONFIG,
                Action.ActionEffect.WRITE_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);

    assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
  }

  @Test
  public void testAuthorizerAttributePermit() {
    Action action =
        new Action(
            null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    TargetAttribute targetAttribute =
        new TargetAttribute("test", null, new ModelNode(), targetResource);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);

    assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
  }

  @Test
  public void testAuthorizerAttributeDeny() {
    Action action =
        new Action(
            null,
            null,
            EnumSet.of(
                Action.ActionEffect.ADDRESS,
                Action.ActionEffect.READ_CONFIG,
                Action.ActionEffect.WRITE_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    TargetAttribute targetAttribute =
        new TargetAttribute("test", null, new ModelNode(), targetResource);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);

    assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
  }

  // ---

  private static final class TestPermissionFactory
      implements PermissionFactory, JmxPermissionFactory {
    private PermissionCollection getUserPermissions() {
      ManagementPermissionCollection mpc =
          new ManagementPermissionCollection("test", TestManagementPermission.class);
      mpc.add(new TestManagementPermission(Action.ActionEffect.ADDRESS));
      mpc.add(new TestManagementPermission(Action.ActionEffect.READ_CONFIG));
      mpc.add(new TestManagementPermission(Action.ActionEffect.READ_RUNTIME));
      return mpc;
    }

    private PermissionCollection getRequiredPermissions(Action action) {
      ManagementPermissionCollection mpc =
          new ManagementPermissionCollection(TestManagementPermission.class);
      for (Action.ActionEffect actionEffect : action.getActionEffects()) {
        mpc.add(new TestManagementPermission(actionEffect));
      }
      return mpc;
    }

    @Override
    public PermissionCollection getUserPermissions(
        Caller caller, Environment callEnvironment, Action action, TargetAttribute target) {
      return getUserPermissions();
    }

    @Override
    public PermissionCollection getUserPermissions(
        Caller caller, Environment callEnvironment, Action action, TargetResource target) {
      return getUserPermissions();
    }

    @Override
    public PermissionCollection getRequiredPermissions(Action action, TargetAttribute target) {
      return getRequiredPermissions(action);
    }

    @Override
    public PermissionCollection getRequiredPermissions(Action action, TargetResource target) {
      return getRequiredPermissions(action);
    }

    @Override
    public boolean isNonFacadeMBeansSensitive() {
      return false;
    }

    @Override
    public Set<String> getUserRoles(
        Caller caller, Environment callEnvironment, Action action, TargetResource target) {
      return null;
    }
  }

  private static final class TestManagementPermission extends ManagementPermission {
    private TestManagementPermission(Action.ActionEffect actionEffect) {
      super("test", actionEffect);
    }

    @Override
    public boolean implies(Permission permission) {
      return equals(permission);
    }
  }
}