[WFLY-490][WFLY-488] rbac jmx tests

QStephen · Aug 28, 2013 · a4c6369 · a4c6369
1 parent 671ac72
commit a4c6369
Show file tree

Hide file tree

Showing 13 changed files with 1,047 additions and 35 deletions.
diff --git a/controller/src/main/java/org/jboss/as/controller/access/SimpleConfigurableAuthorizer.java b/controller/src/main/java/org/jboss/as/controller/access/SimpleConfigurableAuthorizer.java
@@ -124,7 +124,7 @@ public AuthorizationResult authorize(Caller caller, Environment callEnvironment,
     @Override
     public AuthorizationResult authorizeJmxOperation(Caller caller, Environment callEnvironment, JmxTarget target) {
         Set<String> roles = roleMapper.mapRoles(caller, null, FAKE_JMX_ACTION, (TargetAttribute) null);
-        if (target.isNonFacadeMBeansSensitive()) {
+        if (target.isNonFacadeMBeansSensitive() || target.isSuperUserOrAdminOnly()) {
             return authorize(roles, StandardRole.SUPERUSER, StandardRole.ADMINISTRATOR);
         } else {
             if (target.isReadOnly()) {

diff --git a/...nt/src/main/java/org/jboss/as/domain/management/access/RoleMappingResourceDefinition.java b/...nt/src/main/java/org/jboss/as/domain/management/access/RoleMappingResourceDefinition.java
@@ -40,10 +40,12 @@
  */
 public class RoleMappingResourceDefinition extends SimpleResourceDefinition {
 
+    public static final String PATH_KEY = ROLE_MAPPING;
+
     private final ConfigurableRoleMapper roleMapper;
 
     private RoleMappingResourceDefinition(final ConfigurableRoleMapper roleMapper) {
-        super(PathElement.pathElement(ROLE_MAPPING), DomainManagementResolver.getResolver("core.access-control.role-mapping"),
+        super(PathElement.pathElement(PATH_KEY), DomainManagementResolver.getResolver("core.access-control.role-mapping"),
                 RoleMappingAdd.create(roleMapper), RoleMappingRemove.create(roleMapper));
         this.roleMapper = roleMapper;
     }

diff --git a/jmx/pom.xml b/jmx/pom.xml
@@ -50,7 +50,6 @@
                     </includes>
                     <enableAssertions>false</enableAssertions>
                     <systemPropertyVariables>
-                        <javax.management.builder.initial>org.jboss.as.jmx.PluggableMBeanServerBuilder</javax.management.builder.initial>
                         <org.jboss.model.test.cache.root>${org.jboss.model.test.cache.root}</org.jboss.model.test.cache.root>
                         <org.jboss.model.test.classpath.cache>${org.jboss.model.test.classpath.cache}</org.jboss.model.test.classpath.cache>
                         <org.jboss.model.test.maven.repository.urls>${org.jboss.model.test.maven.repository.urls}</org.jboss.model.test.maven.repository.urls>

diff --git a/jmx/src/main/java/org/jboss/as/jmx/JMXSubsystemRootResource.java b/jmx/src/main/java/org/jboss/as/jmx/JMXSubsystemRootResource.java
@@ -63,7 +63,7 @@ public class JMXSubsystemRootResource extends SimpleResourceDefinition {
             .build();
 
     public static final SimpleAttributeDefinition CORE_MBEAN_SENSITIVITY = new SimpleAttributeDefinitionBuilder(CommonAttributes.CORE_MBEAN_SENSITIVITY, ModelType.BOOLEAN, true)
-            //.setAllowExpression(true)
+            //.setAllowExpression(true) //I don't think we should support expressions here
             .setXmlName(CommonAttributes.CORE_MBEANS)
             .setDefaultValue(new ModelNode(false)).build();
 

diff --git a/jmx/src/main/java/org/jboss/as/jmx/JmxMessages.java b/jmx/src/main/java/org/jboss/as/jmx/JmxMessages.java
@@ -32,6 +32,7 @@
 import javax.management.MBeanException;
 import javax.management.ObjectName;
 import javax.management.ReflectionException;
+import javax.management.RuntimeMBeanException;
 import javax.management.openmbean.OpenDataException;
 import javax.management.openmbean.OpenType;
 
@@ -384,6 +385,6 @@ public interface JmxMessages {
     IllegalStateException noHandlerCalled(String name);
 
     @Message(id = 11360, value = "Unauthorized access")
-    MBeanException unauthorized();
+    RuntimeMBeanException unauthorized();
 }
 
diff --git a/jmx/src/test/java/org/jboss/as/jmx/rbac/Bean.java b/jmx/src/test/java/org/jboss/as/jmx/rbac/Bean.java
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.jmx.rbac;
+
+import java.io.Serializable;
+
+import javax.management.ListenerNotFoundException;
+import javax.management.MBeanNotificationInfo;
+import javax.management.NotificationBroadcaster;
+import javax.management.NotificationFilter;
+import javax.management.NotificationListener;
+
+public class Bean implements BeanMBean, NotificationBroadcaster, Serializable {
+    private static final long serialVersionUID = 1L;
+    volatile int attr = 5;
+
+    @Override
+    public int getAttr() {
+        return attr;
+    }
+
+    @Override
+    public void setAttr(int i) {
+        attr = i;
+    }
+
+    public void method() {
+
+    }
+
+    @Override
+    public void addNotificationListener(NotificationListener listener, NotificationFilter filter, Object handback)
+            throws IllegalArgumentException {
+    }
+
+    @Override
+    public void removeNotificationListener(NotificationListener listener) throws ListenerNotFoundException {
+    }
+
+    @Override
+    public MBeanNotificationInfo[] getNotificationInfo() {
+        return null;
+    }
+}
diff --git a/jmx/src/test/java/org/jboss/as/jmx/rbac/BeanMBean.java b/jmx/src/test/java/org/jboss/as/jmx/rbac/BeanMBean.java
@@ -0,0 +1,28 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.jmx.rbac;
+
+public interface BeanMBean {
+    int getAttr();
+    void setAttr(int i);
+    void method();
+}
diff --git a/jmx/src/test/java/org/jboss/as/jmx/rbac/JmxRbacDisabledTestCase.java b/jmx/src/test/java/org/jboss/as/jmx/rbac/JmxRbacDisabledTestCase.java
@@ -0,0 +1,51 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.jmx.rbac;
+
+import org.jboss.as.controller.access.rbac.StandardRole;
+
+/**
+ *
+ * @author <a href="[email protected]">Kabir Khan</a>
+ */
+public class JmxRbacDisabledTestCase extends JmxRbacTestCase {
+
+    public JmxRbacDisabledTestCase() {
+        super(false);
+    }
+
+    @Override
+    protected boolean canRead(StandardRole standardRole, boolean sensitiveMBeans) {
+        return true;
+    }
+
+    @Override
+    protected boolean canWrite(StandardRole standardRole, boolean sensitiveMBeans) {
+        return true;
+    }
+
+    @Override
+    protected boolean canAccessSpecial(StandardRole standardRole) {
+        return true;
+    }
+
+}
diff --git a/jmx/src/test/java/org/jboss/as/jmx/rbac/JmxRbacEnabledTestCase.java b/jmx/src/test/java/org/jboss/as/jmx/rbac/JmxRbacEnabledTestCase.java
@@ -0,0 +1,76 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.as.jmx.rbac;
+
+import org.jboss.as.controller.access.rbac.StandardRole;
+
+/**
+ *
+ * @author <a href="[email protected]">Kabir Khan</a>
+ */
+public class JmxRbacEnabledTestCase extends JmxRbacTestCase {
+
+    public JmxRbacEnabledTestCase() {
+        super(true);
+    }
+
+    @Override
+    protected boolean canRead(StandardRole standardRole, boolean sensitiveMBeans) {
+        if (!sensitiveMBeans) {
+            return true;
+        }
+        switch (standardRole) {
+        case SUPERUSER:
+        case ADMINISTRATOR:
+            return true;
+        default:
+            return false;
+        }
+    }
+
+    @Override
+    protected boolean canWrite(StandardRole standardRole, boolean sensitiveMBeans) {
+        if (!sensitiveMBeans) {
+            switch (standardRole) {
+            case MONITOR:
+            case DEPLOYER:
+            case AUDITOR:
+                return false;
+            default:
+                return true;
+            }
+        }
+        switch (standardRole) {
+        case SUPERUSER:
+        case ADMINISTRATOR:
+            return true;
+        default:
+            return false;
+        }
+    }
+
+    @Override
+    protected boolean canAccessSpecial(StandardRole standardRole) {
+        return standardRole == StandardRole.ADMINISTRATOR || standardRole == StandardRole.SUPERUSER;
+    }
+
+}