activemq-shiro/src/main/java/org/apache/activemq/shiro/authz/AuthorizationFilter.java - activemq - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.activemq.shiro.authz;

 import org.apache.activemq.broker.ConnectionContext;
 import org.apache.activemq.broker.ProducerBrokerExchange;
 import org.apache.activemq.broker.region.Destination;
 import org.apache.activemq.broker.region.Subscription;
 import org.apache.activemq.command.ActiveMQDestination;
 import org.apache.activemq.command.ConsumerInfo;
 import org.apache.activemq.command.DestinationInfo;
 import org.apache.activemq.command.Message;
 import org.apache.activemq.command.ProducerInfo;
 import org.apache.activemq.security.SecurityContext;
 import org.apache.activemq.shiro.env.EnvironmentFilter;
 import org.apache.activemq.shiro.subject.ConnectionSubjectResolver;
 import org.apache.shiro.authz.Permission;
 import org.apache.shiro.authz.UnauthorizedException;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.Subject;

 import java.util.Collection;

 /**
  * The {@code AuthorizationFilter} asserts that actions are allowed to execute first before they are actually
  * executed.  Such actions include creating, removing, reading from and writing to destinations.
  * <p/>
  * This implementation is strictly permission-based, allowing for the finest-grained security policies possible.
  * Whenever a {@link Subject} associated with a connection attempts to perform an {@link org.apache.activemq.shiro.authz.Action} (such as creating a
  * destination, or reading from a queue, etc), one or more {@link Permission}s representing that {@code action} are
  * checked.
  * <p/>
  * If the {@code Subject}{@link Subject#isPermitted(org.apache.shiro.authz.Permission) isPermitted} to perform the
  * {@code action}, the action is allowed to execute and the broker filter chain executes uninterrupted.
  * <p/>
  * However, if the {@code Subject} is not permitted to perform the action, an {@link UnauthorizedException} will be
  * thrown, preventing the filter chain from executing that action.
  * <h2>ActionPermissionResolver</h2>
  * The attempted {@code Action} is guarded by one or more {@link Permission}s as indicated by a configurable
  * {@link #setActionPermissionResolver(org.apache.activemq.shiro.authz.ActionPermissionResolver) actionPermissionResolver}.  The
  * {@code actionPermissionResolver} indicates which permissions must be granted to the connection {@code Subject} in
  * order for the action to execute.
  * <p/>
  * The default {@code actionPermissionResolver} instance is a
  * {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver DestinationActionPermissionResolver}, which indicates which permissions
  * are required to perform any action on a particular destination.  Those familiar with Shiro's
  * {@link org.apache.shiro.authz.permission.WildcardPermission WildcardPermission} syntax will find the
  * {@code DestinationActionPermissionResolver}'s
  * {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver#createPermissionString createPermissionString} method
  * documentation valuable for understanding how destination actions are represented as permissions.
  *
  * @see org.apache.activemq.shiro.authz.ActionPermissionResolver
  * @see org.apache.activemq.shiro.authz.DestinationActionPermissionResolver
  * @since 5.10.0
  */
 public class AuthorizationFilter extends EnvironmentFilter {

     private ActionPermissionResolver actionPermissionResolver;

     public AuthorizationFilter() {
         this.actionPermissionResolver = new DestinationActionPermissionResolver();
     }

     /**
      * Returns the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
      * a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
      * destination, or reading from a queue, etc).  The default instance is a
      * {@link DestinationActionPermissionResolver}.
      *
      * @return the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
      *         a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
      *         destination, or reading from a queue, etc).
      */
     public ActionPermissionResolver getActionPermissionResolver() {
         return actionPermissionResolver;
     }

     /**
      * Sets the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
      * a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
      * destination, or reading from a queue, etc).  Unless overridden by this method, the default instance is a
      * {@link DestinationActionPermissionResolver}.
      *
      * @param actionPermissionResolver the {@code ActionPermissionResolver} used to indicate which permissions are
      *                                 required to be granted to a {@link Subject} to perform a particular destination
      *                                 {@link org.apache.activemq.shiro.authz.Action}, (such as creating a destination, or reading from a queue, etc).
      */
     public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver) {
         this.actionPermissionResolver = actionPermissionResolver;
     }

     /**
      * Returns the {@code Subject} associated with the specified connection using a
      * {@link org.apache.activemq.shiro.subject.ConnectionSubjectResolver}.
      *
      * @param ctx the connection context
      * @return the {@code Subject} associated with the specified connection.
      */
     protected Subject getSubject(ConnectionContext ctx) {
         return new ConnectionSubjectResolver(ctx).getSubject();
     }

     protected String toString(Subject subject) {
         PrincipalCollection pc = subject.getPrincipals();
         if (pc != null && !pc.isEmpty()) {
             return "[" + pc.toString() + "] ";
         }
         return "";
     }

     protected void assertAuthorized(DestinationAction action) {
         assertAuthorized(action, action.getVerb());
     }

     //ActiveMQ internals will create a ConnectionContext with a SecurityContext that is not
     //Shiro specific.  We need to allow actions for internal system operations:
     protected boolean isSystemBroker(DestinationAction action) {
         ConnectionContext context = action.getConnectionContext();
         SecurityContext securityContext = context.getSecurityContext();
         return securityContext != null && securityContext.isBrokerContext();
     }

     protected void assertAuthorized(DestinationAction action, String verbText) {
         if (!isEnabled() || isSystemBroker(action)) {
             return;
         }

         final Subject subject = getSubject(action.getConnectionContext());

         Collection<Permission> perms = this.actionPermissionResolver.getPermissions(action);

         if (!subject.isPermittedAll(perms)) {
             String msg = createUnauthorizedMessage(subject, action, verbText);
             throw new UnauthorizedException(msg);
         }
     }

     protected String createUnauthorizedMessage(Subject subject, DestinationAction action, String verbDisplayText) {
         return "Subject " + toString(subject) + "is not authorized to " + verbDisplayText + " destination: " + action.getDestination();
     }

     @Override
     public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception {

         DestinationAction action = new DestinationAction(context, info.getDestination(), "create");
         assertAuthorized(action);

         super.addDestinationInfo(context, info);
     }

     @Override
     public Destination addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) throws Exception {

         DestinationAction action = new DestinationAction(context, destination, "create");
         assertAuthorized(action);

         return super.addDestination(context, destination, create);
     }

     @Override
     public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception {

         DestinationAction action = new DestinationAction(context, destination, "remove");
         assertAuthorized(action);

         super.removeDestination(context, destination, timeout);
     }

     @Override
     public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception {

         DestinationAction action = new DestinationAction(context, info.getDestination(), "remove");
         assertAuthorized(action);

         super.removeDestinationInfo(context, info);
     }

     @Override
     public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception {

         //Unlike when adding a producer, consumers must specify the destination at creation time, so we can rely on
         //a destination being available to perform the authz check:
         DestinationAction action = new DestinationAction(context, info.getDestination(), "read");
         assertAuthorized(action, "read from");

         return super.addConsumer(context, info);
     }

     @Override
     public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception {

         // JMS allows producers to be created without first specifying a destination.  In these cases, every send
         // operation must specify a destination.  Because of this, we only authorize 'addProducer' if a destination is
         // specified. If not specified, the authz check in the 'send' method below will ensure authorization.
         if (info.getDestination() != null) {
             DestinationAction action = new DestinationAction(context, info.getDestination(), "write");
             assertAuthorized(action, "write to");
         }

         super.addProducer(context, info);
     }

     @Override
     public void send(ProducerBrokerExchange exchange, Message message) throws Exception {

         DestinationAction action = new DestinationAction(exchange.getConnectionContext(), message.getDestination(), "write");
         assertAuthorized(action, "write to");

         super.send(exchange, message);
     }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.activemq.shiro.authz;

	import org.apache.activemq.broker.ConnectionContext;
	import org.apache.activemq.broker.ProducerBrokerExchange;
	import org.apache.activemq.broker.region.Destination;
	import org.apache.activemq.broker.region.Subscription;
	import org.apache.activemq.command.ActiveMQDestination;
	import org.apache.activemq.command.ConsumerInfo;
	import org.apache.activemq.command.DestinationInfo;
	import org.apache.activemq.command.Message;
	import org.apache.activemq.command.ProducerInfo;
	import org.apache.activemq.security.SecurityContext;
	import org.apache.activemq.shiro.env.EnvironmentFilter;
	import org.apache.activemq.shiro.subject.ConnectionSubjectResolver;
	import org.apache.shiro.authz.Permission;
	import org.apache.shiro.authz.UnauthorizedException;
	import org.apache.shiro.subject.PrincipalCollection;
	import org.apache.shiro.subject.Subject;

	import java.util.Collection;

	/**
	* The {@code AuthorizationFilter} asserts that actions are allowed to execute first before they are actually
	* executed. Such actions include creating, removing, reading from and writing to destinations.
	* <p/>
	* This implementation is strictly permission-based, allowing for the finest-grained security policies possible.
	* Whenever a {@link Subject} associated with a connection attempts to perform an {@link org.apache.activemq.shiro.authz.Action} (such as creating a
	* destination, or reading from a queue, etc), one or more {@link Permission}s representing that {@code action} are
	* checked.
	* <p/>
	* If the {@code Subject}{@link Subject#isPermitted(org.apache.shiro.authz.Permission) isPermitted} to perform the
	* {@code action}, the action is allowed to execute and the broker filter chain executes uninterrupted.
	* <p/>
	* However, if the {@code Subject} is not permitted to perform the action, an {@link UnauthorizedException} will be
	* thrown, preventing the filter chain from executing that action.
	* <h2>ActionPermissionResolver</h2>
	* The attempted {@code Action} is guarded by one or more {@link Permission}s as indicated by a configurable
	* {@link #setActionPermissionResolver(org.apache.activemq.shiro.authz.ActionPermissionResolver) actionPermissionResolver}. The
	* {@code actionPermissionResolver} indicates which permissions must be granted to the connection {@code Subject} in
	* order for the action to execute.
	* <p/>
	* The default {@code actionPermissionResolver} instance is a
	* {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver DestinationActionPermissionResolver}, which indicates which permissions
	* are required to perform any action on a particular destination. Those familiar with Shiro's
	* {@link org.apache.shiro.authz.permission.WildcardPermission WildcardPermission} syntax will find the
	* {@code DestinationActionPermissionResolver}'s
	* {@link org.apache.activemq.shiro.authz.DestinationActionPermissionResolver#createPermissionString createPermissionString} method
	* documentation valuable for understanding how destination actions are represented as permissions.
	*
	* @see org.apache.activemq.shiro.authz.ActionPermissionResolver
	* @see org.apache.activemq.shiro.authz.DestinationActionPermissionResolver
	* @since 5.10.0
	*/
	public class AuthorizationFilter extends EnvironmentFilter {

	private ActionPermissionResolver actionPermissionResolver;

	public AuthorizationFilter() {
	this.actionPermissionResolver = new DestinationActionPermissionResolver();
	}

	/**
	* Returns the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
	* a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
	* destination, or reading from a queue, etc). The default instance is a
	* {@link DestinationActionPermissionResolver}.
	*
	* @return the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
	* a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
	* destination, or reading from a queue, etc).
	*/
	public ActionPermissionResolver getActionPermissionResolver() {
	return actionPermissionResolver;
	}

	/**
	* Sets the {@code ActionPermissionResolver} used to indicate which permissions are required to be granted to
	* a {@link Subject} to perform a particular destination {@link org.apache.activemq.shiro.authz.Action}, (such as creating a
	* destination, or reading from a queue, etc). Unless overridden by this method, the default instance is a
	* {@link DestinationActionPermissionResolver}.
	*
	* @param actionPermissionResolver the {@code ActionPermissionResolver} used to indicate which permissions are
	* required to be granted to a {@link Subject} to perform a particular destination
	* {@link org.apache.activemq.shiro.authz.Action}, (such as creating a destination, or reading from a queue, etc).
	*/
	public void setActionPermissionResolver(ActionPermissionResolver actionPermissionResolver) {
	this.actionPermissionResolver = actionPermissionResolver;
	}

	/**
	* Returns the {@code Subject} associated with the specified connection using a
	* {@link org.apache.activemq.shiro.subject.ConnectionSubjectResolver}.
	*
	* @param ctx the connection context
	* @return the {@code Subject} associated with the specified connection.
	*/
	protected Subject getSubject(ConnectionContext ctx) {
	return new ConnectionSubjectResolver(ctx).getSubject();
	}

	protected String toString(Subject subject) {
	PrincipalCollection pc = subject.getPrincipals();
	if (pc != null && !pc.isEmpty()) {
	return "[" + pc.toString() + "] ";
	}
	return "";
	}

	protected void assertAuthorized(DestinationAction action) {
	assertAuthorized(action, action.getVerb());
	}

	//ActiveMQ internals will create a ConnectionContext with a SecurityContext that is not
	//Shiro specific. We need to allow actions for internal system operations:
	protected boolean isSystemBroker(DestinationAction action) {
	ConnectionContext context = action.getConnectionContext();
	SecurityContext securityContext = context.getSecurityContext();
	return securityContext != null && securityContext.isBrokerContext();
	}

	protected void assertAuthorized(DestinationAction action, String verbText) {
	if (!isEnabled() \|\| isSystemBroker(action)) {
	return;
	}

	final Subject subject = getSubject(action.getConnectionContext());

	Collection<Permission> perms = this.actionPermissionResolver.getPermissions(action);

	if (!subject.isPermittedAll(perms)) {
	String msg = createUnauthorizedMessage(subject, action, verbText);
	throw new UnauthorizedException(msg);
	}
	}

	protected String createUnauthorizedMessage(Subject subject, DestinationAction action, String verbDisplayText) {
	return "Subject " + toString(subject) + "is not authorized to " + verbDisplayText + " destination: " + action.getDestination();
	}

	@Override
	public void addDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception {

	DestinationAction action = new DestinationAction(context, info.getDestination(), "create");
	assertAuthorized(action);

	super.addDestinationInfo(context, info);
	}

	@Override
	public Destination addDestination(ConnectionContext context, ActiveMQDestination destination, boolean create) throws Exception {

	DestinationAction action = new DestinationAction(context, destination, "create");
	assertAuthorized(action);

	return super.addDestination(context, destination, create);
	}

	@Override
	public void removeDestination(ConnectionContext context, ActiveMQDestination destination, long timeout) throws Exception {

	DestinationAction action = new DestinationAction(context, destination, "remove");
	assertAuthorized(action);

	super.removeDestination(context, destination, timeout);
	}

	@Override
	public void removeDestinationInfo(ConnectionContext context, DestinationInfo info) throws Exception {

	DestinationAction action = new DestinationAction(context, info.getDestination(), "remove");
	assertAuthorized(action);

	super.removeDestinationInfo(context, info);
	}

	@Override
	public Subscription addConsumer(ConnectionContext context, ConsumerInfo info) throws Exception {

	//Unlike when adding a producer, consumers must specify the destination at creation time, so we can rely on
	//a destination being available to perform the authz check:
	DestinationAction action = new DestinationAction(context, info.getDestination(), "read");
	assertAuthorized(action, "read from");

	return super.addConsumer(context, info);
	}

	@Override
	public void addProducer(ConnectionContext context, ProducerInfo info) throws Exception {

	// JMS allows producers to be created without first specifying a destination. In these cases, every send
	// operation must specify a destination. Because of this, we only authorize 'addProducer' if a destination is
	// specified. If not specified, the authz check in the 'send' method below will ensure authorization.
	if (info.getDestination() != null) {
	DestinationAction action = new DestinationAction(context, info.getDestination(), "write");
	assertAuthorized(action, "write to");
	}

	super.addProducer(context, info);
	}

	@Override
	public void send(ProducerBrokerExchange exchange, Message message) throws Exception {

	DestinationAction action = new DestinationAction(exchange.getConnectionContext(), message.getDestination(), "write");
	assertAuthorized(action, "write to");

	super.send(exchange, message);
	}

	}