From 5d253f58d6c7710e719da4eeb1eb72037db15706 Mon Sep 17 00:00:00 2001 From: dongeforever Date: Mon, 3 Dec 2018 22:20:16 +0800 Subject: [PATCH] Add signature and redesign the permission graph --- .gitignore | 4 +- acl/pom.xml | 5 +- .../rocketmq/acl/PlainAccessValidator.java | 74 ------ .../rocketmq/acl/common/AclClientRPCHook.java | 85 +++++++ .../rocketmq/acl/common/AclException.java | 52 ++++ .../apache/rocketmq/acl/common/AclSigner.java | 71 ++++++ .../acl/{plug => common}/AclUtils.java | 40 ++- .../rocketmq/acl/common/Permission.java | 20 ++ .../acl/common/SessionCredentials.java | 150 +++++++++++ .../rocketmq/acl/common/SigningAlgorithm.java | 8 + .../AclPlugRuntimeException.java | 2 +- .../{plug => plain}/AuthenticationInfo.java | 18 +- .../{plug => plain}/AuthenticationResult.java | 12 +- .../{plug => plain}/BrokerAccessControl.java | 4 +- .../{plug => plain}/NetaddressStrategy.java | 4 +- .../NetaddressStrategyFactory.java | 21 +- .../acl/plain/PlainAccessResource.java | 137 +++++++++++ .../acl/plain/PlainAccessValidator.java | 143 +++++++++++ .../{plug => plain}/PlainAclPlugEngine.java | 83 +++---- .../rocketmq/acl/plug/AccessControl.java | 95 ------- .../acl/{plug => plain}/AclUtilsTest.java | 3 +- .../NetaddressStrategyTest.java | 128 +++++----- .../PlainAclPlugEngineTest.java | 232 +++++++++--------- acl/src/test/resources/conf/transport.yml | 46 +++- distribution/conf/transport.yml | 10 +- pom.xml | 5 + 26 files changed, 1015 insertions(+), 437 deletions(-) delete mode 100644 acl/src/main/java/org/apache/rocketmq/acl/PlainAccessValidator.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/AclClientRPCHook.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/AclException.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/AclSigner.java rename acl/src/main/java/org/apache/rocketmq/acl/{plug => common}/AclUtils.java (70%) create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/SessionCredentials.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/common/SigningAlgorithm.java rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/AclPlugRuntimeException.java (96%) rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/AuthenticationInfo.java (78%) rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/AuthenticationResult.java (81%) rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/BrokerAccessControl.java (99%) rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/NetaddressStrategy.java (88%) rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/NetaddressStrategyFactory.java (87%) create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessResource.java create mode 100644 acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java rename acl/src/main/java/org/apache/rocketmq/acl/{plug => plain}/PlainAclPlugEngine.java (79%) delete mode 100644 acl/src/main/java/org/apache/rocketmq/acl/plug/AccessControl.java rename acl/src/test/java/org/apache/rocketmq/acl/{plug => plain}/AclUtilsTest.java (97%) rename acl/src/test/java/org/apache/rocketmq/acl/{plug => plain}/NetaddressStrategyTest.java (59%) rename acl/src/test/java/org/apache/rocketmq/acl/{plug => plain}/PlainAclPlugEngineTest.java (64%) diff --git a/.gitignore b/.gitignore index 80c6f569..8abdfd8f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,6 @@ devenv *.versionsBackup !NOTICE-BIN !LICENSE-BIN -.DS_Store \ No newline at end of file +.DS_Store +localbin +nohup.out diff --git a/acl/pom.xml b/acl/pom.xml index 3d8d4a7d..4ea559f8 100644 --- a/acl/pom.xml +++ b/acl/pom.xml @@ -30,7 +30,6 @@ ${project.groupId} rocketmq-remoting - ${project.groupId} rocketmq-logging @@ -43,6 +42,10 @@ org.yaml snakeyaml + + commons-codec + commons-codec + org.apache.commons commons-lang3 diff --git a/acl/src/main/java/org/apache/rocketmq/acl/PlainAccessValidator.java b/acl/src/main/java/org/apache/rocketmq/acl/PlainAccessValidator.java deleted file mode 100644 index 74e988a7..00000000 --- a/acl/src/main/java/org/apache/rocketmq/acl/PlainAccessValidator.java +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.rocketmq.acl; - -import java.util.HashMap; -import org.apache.commons.lang3.StringUtils; -import org.apache.rocketmq.acl.plug.AccessControl; -import org.apache.rocketmq.acl.plug.AclPlugRuntimeException; -import org.apache.rocketmq.acl.plug.AuthenticationResult; -import org.apache.rocketmq.acl.plug.PlainAclPlugEngine; -import org.apache.rocketmq.remoting.protocol.RemotingCommand; - -public class PlainAccessValidator implements AccessValidator { - - private PlainAclPlugEngine aclPlugEngine; - - public PlainAccessValidator() { - aclPlugEngine = new PlainAclPlugEngine(); - } - - @Override - public AccessResource parse(RemotingCommand request, String remoteAddr) { - HashMap extFields = request.getExtFields(); - int code = request.getCode(); - AccessControl accessControl = new AccessControl(); - accessControl.setCode(request.getCode()); - accessControl.setRecognition(remoteAddr); - accessControl.setNetaddress(StringUtils.split(remoteAddr, ":")[0]); - if (extFields != null) { - accessControl.setAccount(extFields.get("account")); - accessControl.setPassword(extFields.get("password")); - if (code == 310 || code == 320) { - accessControl.setTopic(extFields.get("b")); - } else { - accessControl.setTopic(extFields.get("topic")); - - } - } - return accessControl; - } - - @Override - public void validate(AccessResource accessResource) { - AuthenticationResult authenticationResult = null; - try { - authenticationResult = aclPlugEngine.eachCheckAuthentication((AccessControl) accessResource); - if (authenticationResult.isSucceed()) - return; - } catch (Exception e) { - throw new AclPlugRuntimeException(String.format("validate exception AccessResource data %s", accessResource.toString()), e); - } - if (authenticationResult.getException() != null) { - throw new AclPlugRuntimeException(String.format("eachCheck the inspection appear exception, accessControl data is %s", accessResource.toString()), authenticationResult.getException()); - } - if (authenticationResult.getAccessControl() != null || !authenticationResult.isSucceed()) { - throw new AclPlugRuntimeException(String.format("%s accessControl data is %s", authenticationResult.getResultString(), accessResource.toString())); - } - } - -} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/AclClientRPCHook.java b/acl/src/main/java/org/apache/rocketmq/acl/common/AclClientRPCHook.java new file mode 100644 index 00000000..9b5a5a55 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/AclClientRPCHook.java @@ -0,0 +1,85 @@ +package org.apache.rocketmq.acl.common; + +import org.apache.rocketmq.remoting.CommandCustomHeader; +import org.apache.rocketmq.remoting.RPCHook; +import org.apache.rocketmq.remoting.protocol.RemotingCommand; +import java.lang.reflect.Field; +import java.util.SortedMap; +import java.util.TreeMap; +import java.util.concurrent.ConcurrentHashMap; + +import static org.apache.rocketmq.acl.common.SessionCredentials.AccessKey; +import static org.apache.rocketmq.acl.common.SessionCredentials.SecurityToken; +import static org.apache.rocketmq.acl.common.SessionCredentials.Signature; + +public class AclClientRPCHook implements RPCHook { + protected ConcurrentHashMap, Field[]> fieldCache = + new ConcurrentHashMap, Field[]>(); + + + + private final SessionCredentials sessionCredentials; + + public AclClientRPCHook(SessionCredentials sessionCredentials) { + this.sessionCredentials = sessionCredentials; + } + + @Override + public void doBeforeRequest(String remoteAddr, RemotingCommand request) { + byte[] total = AclUtils.combineRequestContent(request, + parseRequestContent(request, sessionCredentials.getAccessKey(), sessionCredentials.getSecurityToken())); + String signature = AclUtils.calSignature(total, sessionCredentials.getSecretKey()); + request.addExtField(Signature, signature); + request.addExtField(AccessKey, sessionCredentials.getAccessKey()); + + if (sessionCredentials.getSecurityToken() != null) { + request.addExtField(SecurityToken, sessionCredentials.getSecurityToken()); + } + } + + + @Override + public void doAfterResponse(String remoteAddr, RemotingCommand request, RemotingCommand response) { + + } + + protected SortedMap parseRequestContent(RemotingCommand request, String ak, String securityToken) { + CommandCustomHeader header = request.readCustomHeader(); + // sort property + SortedMap map = new TreeMap(); + map.put(AccessKey, ak); + if (securityToken != null) { + map.put(SecurityToken, securityToken); + } + try { + // add header properties + if (null != header) { + Field[] fields = fieldCache.get(header.getClass()); + if (null == fields) { + fields = header.getClass().getDeclaredFields(); + for (Field field : fields) { + field.setAccessible(true); + } + Field[] tmp = fieldCache.putIfAbsent(header.getClass(), fields); + if (null != tmp) { + fields = tmp; + } + } + + for (Field field : fields) { + Object value = field.get(header); + if (null != value && !field.isSynthetic()) { + map.put(field.getName(), value.toString()); + } + } + } + return map; + } catch (Exception e) { + throw new RuntimeException("incompatible exception.", e); + } + } + + public SessionCredentials getSessionCredentials() { + return sessionCredentials; + } +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/AclException.java b/acl/src/main/java/org/apache/rocketmq/acl/common/AclException.java new file mode 100644 index 00000000..cd7aea9f --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/AclException.java @@ -0,0 +1,52 @@ +package org.apache.rocketmq.acl.common; + +public class AclException extends RuntimeException { + private static final long serialVersionUID = 1L; + + private String status; + private int code; + + + public AclException(String status, int code) { + super(); + this.status = status; + this.code = code; + } + + + public AclException(String status, int code, String message) { + super(message); + this.status = status; + this.code = code; + } + + + public AclException(String status, int code, Throwable throwable) { + super(throwable); + this.status = status; + this.code = code; + } + + + public AclException(String status, int code, String message, Throwable throwable) { + super(message, throwable); + this.status = status; + this.code = code; + } + + public String getStatus() { + return status; + } + + public void setStatus(String status) { + this.status = status; + } + + public int getCode() { + return code; + } + + public void setCode(int code) { + this.code = code; + } +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/AclSigner.java b/acl/src/main/java/org/apache/rocketmq/acl/common/AclSigner.java new file mode 100644 index 00000000..a6c0c879 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/AclSigner.java @@ -0,0 +1,71 @@ +package org.apache.rocketmq.acl.common; + +import org.apache.rocketmq.common.constant.LoggerName; +import org.apache.rocketmq.logging.InternalLogger; +import org.apache.rocketmq.logging.InternalLoggerFactory; +import java.nio.charset.Charset; +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import org.apache.commons.codec.binary.Base64; + + +public class AclSigner { + public static final Charset defaultCharset = Charset.forName("UTF-8"); + public static final SigningAlgorithm defaultAlgorithm = SigningAlgorithm.HmacSHA1; + private static final InternalLogger log = InternalLoggerFactory.getLogger(LoggerName.ROCKETMQ_AUTHORIZE_LOGGER_NAME); + private static final int CAL_SIGNATURE_FAILED = 10015; + private static final String CAL_SIGNATURE_FAILED_MSG = "[%s:signature-failed] unable to calculate a request signature. error=%s"; + + public static String calSignature(String data, String key) throws AclException { + return calSignature(data, key, defaultAlgorithm, defaultCharset); + } + + public static String calSignature(String data, String key, SigningAlgorithm algorithm, Charset charset) throws AclException { + return signAndBase64Encode(data, key, algorithm, charset); + } + + private static String signAndBase64Encode(String data, String key, SigningAlgorithm algorithm, Charset charset) + throws AclException { + try { + byte[] signature = sign(data.getBytes(charset), key.getBytes(charset), algorithm); + return new String(Base64.encodeBase64(signature), defaultCharset); + } catch (Exception e) { + String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage()); + log.error(message, e); + throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e); + } + } + + private static byte[] sign(byte[] data, byte[] key, SigningAlgorithm algorithm) throws AclException { + try { + Mac mac = Mac.getInstance(algorithm.toString()); + mac.init(new SecretKeySpec(key, algorithm.toString())); + return mac.doFinal(data); + } catch (Exception e) { + String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage()); + log.error(message, e); + throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e); + } + } + + public static String calSignature(byte[] data, String key) throws AclException { + return calSignature(data, key, defaultAlgorithm, defaultCharset); + } + + public static String calSignature(byte[] data, String key, SigningAlgorithm algorithm, Charset charset) throws AclException { + return signAndBase64Encode(data, key, algorithm, charset); + } + + private static String signAndBase64Encode(byte[] data, String key, SigningAlgorithm algorithm, Charset charset) + throws AclException { + try { + byte[] signature = sign(data, key.getBytes(charset), algorithm); + return new String(Base64.encodeBase64(signature), defaultCharset); + } catch (Exception e) { + String message = String.format(CAL_SIGNATURE_FAILED_MSG, CAL_SIGNATURE_FAILED, e.getMessage()); + log.error(message, e); + throw new AclException("CAL_SIGNATURE_FAILED", CAL_SIGNATURE_FAILED, message, e); + } + } + +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/AclUtils.java b/acl/src/main/java/org/apache/rocketmq/acl/common/AclUtils.java similarity index 70% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/AclUtils.java rename to acl/src/main/java/org/apache/rocketmq/acl/common/AclUtils.java index 9ba5b79a..0b1b09c2 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/AclUtils.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/AclUtils.java @@ -14,16 +14,54 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.common; import java.io.File; import java.io.FileInputStream; import java.io.IOException; +import java.util.Map; +import java.util.SortedMap; import org.apache.commons.lang3.StringUtils; +import org.apache.rocketmq.acl.plain.AclPlugRuntimeException; +import org.apache.rocketmq.remoting.protocol.RemotingCommand; import org.yaml.snakeyaml.Yaml; +import static org.apache.rocketmq.acl.common.SessionCredentials.CHARSET; + public class AclUtils { + public static byte[] combineRequestContent(RemotingCommand request, SortedMap fieldsMap) { + try { + StringBuilder sb = new StringBuilder(""); + for (Map.Entry entry : fieldsMap.entrySet()) { + if (!SessionCredentials.Signature.equals(entry.getKey())) { + sb.append(entry.getValue()); + } + } + + return AclUtils.combineBytes(sb.toString().getBytes(CHARSET), request.getBody()); + } catch (Exception e) { + throw new RuntimeException("incompatible exception.", e); + } + } + + + public static byte[] combineBytes(byte[] b1, byte[] b2) { + int size = (null != b1 ? b1.length : 0) + (null != b2 ? b2.length : 0); + byte[] total = new byte[size]; + if (null != b1) + System.arraycopy(b1, 0, total, 0, b1.length); + if (null != b2) + System.arraycopy(b2, 0, total, b1.length, b2.length); + return total; + } + + + public static String calSignature(byte[] data, String secretKey) { + String signature = AclSigner.calSignature(data, secretKey); + return signature; + } + public static void verify(String netaddress, int index) { if (!AclUtils.isScope(netaddress, index)) { throw new AclPlugRuntimeException(String.format("netaddress examine scope Exception netaddress is %s", netaddress)); diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java new file mode 100644 index 00000000..223ad19d --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java @@ -0,0 +1,20 @@ +package org.apache.rocketmq.acl.common; + +public class Permission { + + public static final byte DENY = 1; + public static final byte ANY = 1 << 1; + public static final byte PUB = 1 << 2; + public static final byte SUB = 1 << 3; + + public boolean checkPermission(byte neededPerm, byte ownedPerm) { + if ((ownedPerm & DENY) > 0) { + return false; + } + if ((neededPerm & ANY) > 0) { + return ((ownedPerm & PUB) > 0) || ((ownedPerm & SUB) > 0); + } + return (neededPerm & ownedPerm) > 0; + } + +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/SessionCredentials.java b/acl/src/main/java/org/apache/rocketmq/acl/common/SessionCredentials.java new file mode 100644 index 00000000..650e1116 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/SessionCredentials.java @@ -0,0 +1,150 @@ +package org.apache.rocketmq.acl.common; + +import org.apache.rocketmq.common.MixAll; +import java.io.File; +import java.io.IOException; +import java.nio.charset.Charset; +import java.util.Properties; + +public class SessionCredentials { + public static final Charset CHARSET = Charset.forName("UTF-8"); + public static final String AccessKey = "AccessKey"; + public static final String SecretKey = "SecretKey"; + public static final String Signature = "Signature"; + public static final String SecurityToken = "SecurityToken"; + + public static final String KeyFile = System.getProperty("rocketmq.client.keyFile", + System.getProperty("user.home") + File.separator + "onskey"); + + private String accessKey; + private String secretKey; + private String securityToken; + private String signature; + + public SessionCredentials() { + String keyContent = null; + try { + keyContent = MixAll.file2String(KeyFile); + } catch (IOException ignore) { + } + if (keyContent != null) { + Properties prop = MixAll.string2Properties(keyContent); + if (prop != null) { + this.updateContent(prop); + } + } + } + + public SessionCredentials(String accessKey, String secretKey) { + this.accessKey = accessKey; + this.secretKey = secretKey; + } + + public SessionCredentials(String accessKey, String secretKey, String securityToken) { + this(accessKey, secretKey); + this.securityToken = securityToken; + } + + + public void updateContent(Properties prop) { + { + String value = prop.getProperty(AccessKey); + if (value != null) { + this.accessKey = value.trim(); + } + } + { + String value = prop.getProperty(SecretKey); + if (value != null) { + this.secretKey = value.trim(); + } + } + { + String value = prop.getProperty(SecurityToken); + if (value != null) { + this.securityToken = value.trim(); + } + } + } + + public String getAccessKey() { + return accessKey; + } + + public void setAccessKey(String accessKey) { + this.accessKey = accessKey; + } + + public String getSecretKey() { + return secretKey; + } + + public void setSecretKey(String secretKey) { + this.secretKey = secretKey; + } + + public String getSignature() { + return signature; + } + + public void setSignature(String signature) { + this.signature = signature; + } + + public String getSecurityToken() { + return securityToken; + } + + public void setSecurityToken(final String securityToken) { + this.securityToken = securityToken; + } + + + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((accessKey == null) ? 0 : accessKey.hashCode()); + result = prime * result + ((secretKey == null) ? 0 : secretKey.hashCode()); + result = prime * result + ((signature == null) ? 0 : signature.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + + SessionCredentials other = (SessionCredentials) obj; + if (accessKey == null) { + if (other.accessKey != null) + return false; + } else if (!accessKey.equals(other.accessKey)) + return false; + + if (secretKey == null) { + if (other.secretKey != null) + return false; + } else if (!secretKey.equals(other.secretKey)) + return false; + + if (signature == null) { + if (other.signature != null) + return false; + } else if (!signature.equals(other.signature)) + return false; + + return true; + } + + @Override + public String toString() { + return "SessionCredentials [accessKey=" + accessKey + ", secretKey=" + secretKey + ", signature=" + + signature + ", SecurityToken=" + securityToken + "]"; + } +} \ No newline at end of file diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/SigningAlgorithm.java b/acl/src/main/java/org/apache/rocketmq/acl/common/SigningAlgorithm.java new file mode 100644 index 00000000..7a49c214 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/SigningAlgorithm.java @@ -0,0 +1,8 @@ +package org.apache.rocketmq.acl.common;//package com.aliyun.openservices.ons.api.impl.rocketmq.spas; + +public enum SigningAlgorithm { + HmacSHA1, + HmacSHA256, + HmacMD5; + +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/AclPlugRuntimeException.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/AclPlugRuntimeException.java similarity index 96% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/AclPlugRuntimeException.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/AclPlugRuntimeException.java index 8f6af5d3..d13a29f9 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/AclPlugRuntimeException.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/AclPlugRuntimeException.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; public class AclPlugRuntimeException extends RuntimeException { diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationInfo.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationInfo.java similarity index 78% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationInfo.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationInfo.java index 4852dbdb..009ca30f 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationInfo.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationInfo.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.util.Iterator; import java.util.Map; @@ -22,26 +22,26 @@ import java.util.Map.Entry; public class AuthenticationInfo { - private AccessControl accessControl; + private PlainAccessResource plainAccessResource; private NetaddressStrategy netaddressStrategy; private Map authority; - public AuthenticationInfo(Map authority, AccessControl accessControl, + public AuthenticationInfo(Map authority, PlainAccessResource plainAccessResource, NetaddressStrategy netaddressStrategy) { super(); this.authority = authority; - this.accessControl = accessControl; + this.plainAccessResource = plainAccessResource; this.netaddressStrategy = netaddressStrategy; } - public AccessControl getAccessControl() { - return accessControl; + public PlainAccessResource getPlainAccessResource() { + return plainAccessResource; } - public void setAccessControl(AccessControl accessControl) { - this.accessControl = accessControl; + public void setPlainAccessResource(PlainAccessResource plainAccessResource) { + this.plainAccessResource = plainAccessResource; } public NetaddressStrategy getNetaddressStrategy() { @@ -63,7 +63,7 @@ public class AuthenticationInfo { @Override public String toString() { StringBuilder builder = new StringBuilder(); - builder.append("AuthenticationInfo [accessControl=").append(accessControl).append(", netaddressStrategy=") + builder.append("AuthenticationInfo [plainAccessResource=").append(plainAccessResource).append(", netaddressStrategy=") .append(netaddressStrategy).append(", authority={"); Iterator> it = authority.entrySet().iterator(); while (it.hasNext()) { diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationResult.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationResult.java similarity index 81% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationResult.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationResult.java index de268373..18f98447 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/AuthenticationResult.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/AuthenticationResult.java @@ -14,11 +14,11 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; public class AuthenticationResult { - private AccessControl accessControl; + private PlainAccessResource plainAccessResource; private boolean succeed; @@ -26,12 +26,12 @@ public class AuthenticationResult { private String resultString; - public AccessControl getAccessControl() { - return accessControl; + public PlainAccessResource getPlainAccessResource() { + return plainAccessResource; } - public void setAccessControl(AccessControl accessControl) { - this.accessControl = accessControl; + public void setPlainAccessResource(PlainAccessResource plainAccessResource) { + this.plainAccessResource = plainAccessResource; } public boolean isSucceed() { diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/BrokerAccessControl.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/BrokerAccessControl.java similarity index 99% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/BrokerAccessControl.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/BrokerAccessControl.java index beb8539c..a1d5db03 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/BrokerAccessControl.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/BrokerAccessControl.java @@ -14,12 +14,12 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.util.HashSet; import java.util.Set; -public class BrokerAccessControl extends AccessControl { +public class BrokerAccessControl extends PlainAccessResource { private boolean admin; diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategy.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategy.java similarity index 88% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategy.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategy.java index fa28871a..d639c068 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategy.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategy.java @@ -14,9 +14,9 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; public interface NetaddressStrategy { - public boolean match(AccessControl accessControl); + public boolean match(PlainAccessResource plainAccessResource); } diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategyFactory.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategyFactory.java similarity index 87% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategyFactory.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategyFactory.java index 4f6dde5c..3b20ebe4 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/NetaddressStrategyFactory.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/NetaddressStrategyFactory.java @@ -14,18 +14,19 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.util.HashSet; import java.util.Set; import org.apache.commons.lang3.StringUtils; +import org.apache.rocketmq.acl.common.AclUtils; public class NetaddressStrategyFactory { public static final NullNetaddressStrategy NULL_NET_ADDRESS_STRATEGY = new NullNetaddressStrategy(); - public NetaddressStrategy getNetaddressStrategy(AccessControl accessControl) { - String netaddress = accessControl.getNetaddress(); + public NetaddressStrategy getNetaddressStrategy(PlainAccessResource plainAccessResource) { + String netaddress = plainAccessResource.getRemoteAddr(); if (StringUtils.isBlank(netaddress) || "*".equals(netaddress)) { return NULL_NET_ADDRESS_STRATEGY; } @@ -47,7 +48,7 @@ public class NetaddressStrategyFactory { public static class NullNetaddressStrategy implements NetaddressStrategy { @Override - public boolean match(AccessControl accessControl) { + public boolean match(PlainAccessResource plainAccessResource) { return true; } @@ -65,8 +66,8 @@ public class NetaddressStrategyFactory { } @Override - public boolean match(AccessControl accessControl) { - return multipleSet.contains(accessControl.getNetaddress()); + public boolean match(PlainAccessResource plainAccessResource) { + return multipleSet.contains(plainAccessResource.getRemoteAddr()); } } @@ -81,8 +82,8 @@ public class NetaddressStrategyFactory { } @Override - public boolean match(AccessControl accessControl) { - return netaddress.equals(accessControl.getNetaddress()); + public boolean match(PlainAccessResource plainAccessResource) { + return netaddress.equals(plainAccessResource.getRemoteAddr()); } } @@ -135,8 +136,8 @@ public class NetaddressStrategyFactory { } @Override - public boolean match(AccessControl accessControl) { - String netAddress = accessControl.getNetaddress(); + public boolean match(PlainAccessResource plainAccessResource) { + String netAddress = plainAccessResource.getRemoteAddr(); if (netAddress.startsWith(this.head)) { String value; if (index == 3) { diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessResource.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessResource.java new file mode 100644 index 00000000..eeebfff7 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessResource.java @@ -0,0 +1,137 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.rocketmq.acl.plain; + +import java.util.HashMap; +import java.util.Map; +import org.apache.commons.lang3.builder.ToStringBuilder; +import org.apache.rocketmq.acl.AccessResource; +import org.apache.rocketmq.common.MixAll; + +public class PlainAccessResource implements AccessResource { + //identify the user + private String accessKey; + + private String signature; + //the content to calculate the content + private byte[] content; + + private String secretToken; + + private Map resourcePermMap = new HashMap<>(); + + private String remoteAddr; + + private String recognition; + + private int requestCode; + + + @Deprecated + private String topic; + + public PlainAccessResource() { + } + + public void addResourceAndPerm(String resource, byte perm) { + if (resource == null) { + return; + } + resourcePermMap.put(resource, perm); + } + + public String getAccessKey() { + return accessKey; + } + + public void setAccessKey(String accessKey) { + this.accessKey = accessKey; + } + + public String getSignature() { + return signature; + } + + public void setSignature(String signature) { + this.signature = signature; + } + + public String getRemoteAddr() { + return remoteAddr; + } + + public void setRemoteAddr(String remoteAddr) { + this.remoteAddr = remoteAddr; + } + + public String getRecognition() { + return recognition; + } + + public void setRecognition(String recognition) { + this.recognition = recognition; + } + + public int getRequestCode() { + return requestCode; + } + + public void setRequestCode(int requestCode) { + this.requestCode = requestCode; + } + + public String getTopic() { + return topic; + } + + public void setTopic(String topic) { + this.topic = topic; + } + + public String getSecretToken() { + return secretToken; + } + + public void setSecretToken(String secretToken) { + this.secretToken = secretToken; + } + + @Override + public String toString() { + return ToStringBuilder.reflectionToString(this); + } + + + public static boolean isRetryTopic(String topic) { + return (null != topic && topic.startsWith(MixAll.RETRY_GROUP_TOPIC_PREFIX)); + } + + public static String getRetryTopic(String group) { + if (group == null) { + return null; + } + return MixAll.getRetryTopic(group); + } + + public byte[] getContent() { + return content; + } + + public void setContent(byte[] content) { + this.content = content; + } +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java new file mode 100644 index 00000000..b38bcfe7 --- /dev/null +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java @@ -0,0 +1,143 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.rocketmq.acl.plain; + +import java.util.Map; +import java.util.SortedMap; +import java.util.TreeMap; +import org.apache.rocketmq.acl.AccessResource; +import org.apache.rocketmq.acl.AccessValidator; +import org.apache.rocketmq.acl.common.AclUtils; +import org.apache.rocketmq.acl.common.AclException; +import org.apache.rocketmq.acl.common.Permission; +import org.apache.rocketmq.acl.common.SessionCredentials; +import org.apache.rocketmq.common.protocol.RequestCode; +import org.apache.rocketmq.common.protocol.header.GetConsumerListByGroupRequestHeader; +import org.apache.rocketmq.common.protocol.header.UnregisterClientRequestHeader; +import org.apache.rocketmq.common.protocol.header.UpdateConsumerOffsetRequestHeader; +import org.apache.rocketmq.common.protocol.heartbeat.ConsumerData; +import org.apache.rocketmq.common.protocol.heartbeat.HeartbeatData; +import org.apache.rocketmq.common.protocol.heartbeat.SubscriptionData; +import org.apache.rocketmq.remoting.protocol.RemotingCommand; + +import static org.apache.rocketmq.acl.plain.PlainAccessResource.getRetryTopic; + +public class PlainAccessValidator implements AccessValidator { + + private PlainAclPlugEngine aclPlugEngine; + + public PlainAccessValidator() { + aclPlugEngine = new PlainAclPlugEngine(); + } + + @Override + public AccessResource parse(RemotingCommand request, String remoteAddr) { + PlainAccessResource accessResource = new PlainAccessResource(); + accessResource.setRemoteAddr(remoteAddr); + accessResource.setRequestCode(request.getCode()); + accessResource.setAccessKey(request.getExtFields().get(SessionCredentials.AccessKey)); + accessResource.setSignature(request.getExtFields().get(SessionCredentials.Signature)); + accessResource.setSecretToken(request.getExtFields().get(SessionCredentials.SecurityToken)); + + try { + // resource 和 permission 转换 + switch (request.getCode()) { + case RequestCode.SEND_MESSAGE: + accessResource.addResourceAndPerm(request.getExtFields().get("topic"), Permission.PUB); + break; + case RequestCode.SEND_MESSAGE_V2: + accessResource.addResourceAndPerm(request.getExtFields().get("b"), Permission.PUB); + break; + case RequestCode.CONSUMER_SEND_MSG_BACK: + accessResource.addResourceAndPerm(request.getExtFields().get("originTopic"), Permission.PUB); + accessResource.addResourceAndPerm(getRetryTopic(request.getExtFields().get("group")), Permission.SUB); + break; + case RequestCode.PULL_MESSAGE: + accessResource.addResourceAndPerm(request.getExtFields().get("topic"), Permission.SUB); + accessResource.addResourceAndPerm(getRetryTopic(request.getExtFields().get("consumerGroup")), Permission.SUB); + break; + case RequestCode.QUERY_MESSAGE: + accessResource.addResourceAndPerm(request.getExtFields().get("topic"), Permission.SUB); + break; + case RequestCode.HEART_BEAT: + HeartbeatData heartbeatData = HeartbeatData.decode(request.getBody(), HeartbeatData.class); + for (ConsumerData data : heartbeatData.getConsumerDataSet()) { + accessResource.addResourceAndPerm(getRetryTopic(data.getGroupName()), Permission.SUB); + for (SubscriptionData subscriptionData: data.getSubscriptionDataSet()) { + accessResource.addResourceAndPerm(subscriptionData.getTopic(), Permission.SUB); + } + } + break; + case RequestCode.UNREGISTER_CLIENT: + final UnregisterClientRequestHeader unregisterClientRequestHeader = + (UnregisterClientRequestHeader) request + .decodeCommandCustomHeader(UnregisterClientRequestHeader.class); + accessResource.addResourceAndPerm(getRetryTopic(unregisterClientRequestHeader.getConsumerGroup()), Permission.SUB); + break; + case RequestCode.GET_CONSUMER_LIST_BY_GROUP: + final GetConsumerListByGroupRequestHeader getConsumerListByGroupRequestHeader = + (GetConsumerListByGroupRequestHeader) request + .decodeCommandCustomHeader(GetConsumerListByGroupRequestHeader.class); + accessResource.addResourceAndPerm(getRetryTopic(getConsumerListByGroupRequestHeader.getConsumerGroup()), Permission.SUB); + break; + case RequestCode.UPDATE_CONSUMER_OFFSET: + final UpdateConsumerOffsetRequestHeader updateConsumerOffsetRequestHeader = + (UpdateConsumerOffsetRequestHeader) request + .decodeCommandCustomHeader(UpdateConsumerOffsetRequestHeader.class); + accessResource.addResourceAndPerm(getRetryTopic(updateConsumerOffsetRequestHeader.getConsumerGroup()), Permission.SUB); + accessResource.addResourceAndPerm(updateConsumerOffsetRequestHeader.getTopic(), Permission.SUB); + break; + default: + break; + + } + } catch (Throwable t) { + throw new AclException(t.getMessage(), -1, t); + } + + + // content + SortedMap map = new TreeMap(); + for (Map.Entry entry : request.getExtFields().entrySet()) { + if (!SessionCredentials.Signature.equals(entry.getKey())) { + map.put(entry.getKey(), entry.getValue()); + } + } + accessResource.setContent(AclUtils.combineRequestContent(request, map)); + + return accessResource; + } + + @Override + public void validate(AccessResource accessResource) { + AuthenticationResult authenticationResult = null; + try { + authenticationResult = aclPlugEngine.eachCheckAuthentication((PlainAccessResource) accessResource); + if (authenticationResult.isSucceed()) + return; + } catch (Exception e) { + throw new AclPlugRuntimeException(String.format("validate exception AccessResource data %s", accessResource.toString()), e); + } + if (authenticationResult.getException() != null) { + throw new AclPlugRuntimeException(String.format("eachCheck the inspection appear exception, accessControl data is %s", accessResource.toString()), authenticationResult.getException()); + } + if (authenticationResult.getPlainAccessResource() != null || !authenticationResult.isSucceed()) { + throw new AclPlugRuntimeException(String.format("%s accessControl data is %s", authenticationResult.getResultString(), accessResource.toString())); + } + } + +} diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngine.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngine.java similarity index 79% rename from acl/src/main/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngine.java rename to acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngine.java index 50aab379..73b76ccb 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngine.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngine.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.io.IOException; import java.lang.reflect.Field; @@ -32,6 +32,7 @@ import java.util.List; import java.util.Map; import java.util.Map.Entry; import org.apache.commons.lang3.StringUtils; +import org.apache.rocketmq.acl.common.AclUtils; import org.apache.rocketmq.common.MixAll; import org.apache.rocketmq.common.ServiceThread; import org.apache.rocketmq.common.constant.LoggerName; @@ -123,9 +124,9 @@ public class PlainAclPlugEngine { } } - private void handleAccessControl(AccessControl accessControl) { - if (accessControl instanceof BrokerAccessControl) { - BrokerAccessControl brokerAccessControl = (BrokerAccessControl) accessControl; + private void handleAccessControl(PlainAccessResource plainAccessResource) { + if (plainAccessResource instanceof BrokerAccessControl) { + BrokerAccessControl brokerAccessControl = (BrokerAccessControl) plainAccessResource; if (brokerAccessControl.isAdmin()) { brokerAccessControl.setUpdateAndCreateSubscriptiongroup(true); brokerAccessControl.setDeleteSubscriptiongroup(true); @@ -141,55 +142,55 @@ public class PlainAclPlugEngine { authenticationInfo = null; } - public void setAccessControl(AccessControl accessControl) throws AclPlugRuntimeException { - if (accessControl.getAccount() == null || accessControl.getPassword() == null - || accessControl.getAccount().length() <= 6 || accessControl.getPassword().length() <= 6) { + public void setAccessControl(PlainAccessResource plainAccessResource) throws AclPlugRuntimeException { + if (plainAccessResource.getAccessKey() == null || plainAccessResource.getSignature() == null + || plainAccessResource.getAccessKey().length() <= 6 || plainAccessResource.getSignature().length() <= 6) { throw new AclPlugRuntimeException(String.format( "The account password cannot be null and is longer than 6, account is %s password is %s", - accessControl.getAccount(), accessControl.getPassword())); + plainAccessResource.getAccessKey(), plainAccessResource.getSignature())); } try { - handleAccessControl(accessControl); - NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); - List accessControlAddressList = accessControlMap.get(accessControl.getAccount()); + handleAccessControl(plainAccessResource); + NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); + List accessControlAddressList = accessControlMap.get(plainAccessResource.getAccessKey()); if (accessControlAddressList == null) { accessControlAddressList = new ArrayList<>(); - accessControlMap.put(accessControl.getAccount(), accessControlAddressList); + accessControlMap.put(plainAccessResource.getAccessKey(), accessControlAddressList); } AuthenticationInfo authenticationInfo = new AuthenticationInfo( - accessContralAnalysis.analysis(accessControl), accessControl, netaddressStrategy); + accessContralAnalysis.analysis(plainAccessResource), plainAccessResource, netaddressStrategy); accessControlAddressList.add(authenticationInfo); log.info("authenticationInfo is {}", authenticationInfo.toString()); } catch (Exception e) { throw new AclPlugRuntimeException( - String.format("Exception info %s %s", e.getMessage(), accessControl.toString()), e); + String.format("Exception info %s %s", e.getMessage(), plainAccessResource.toString()), e); } } - public void setAccessControlList(List accessControlList) throws AclPlugRuntimeException { - for (AccessControl accessControl : accessControlList) { - setAccessControl(accessControl); + public void setAccessControlList(List plainAccessResourceList) throws AclPlugRuntimeException { + for (PlainAccessResource plainAccessResource : plainAccessResourceList) { + setAccessControl(plainAccessResource); } } - public void setNetaddressAccessControl(AccessControl accessControl) throws AclPlugRuntimeException { + public void setNetaddressAccessControl(PlainAccessResource plainAccessResource) throws AclPlugRuntimeException { try { - authenticationInfo = new AuthenticationInfo(accessContralAnalysis.analysis(accessControl), accessControl, netaddressStrategyFactory.getNetaddressStrategy(accessControl)); + authenticationInfo = new AuthenticationInfo(accessContralAnalysis.analysis(plainAccessResource), plainAccessResource, netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource)); log.info("default authenticationInfo is {}", authenticationInfo.toString()); } catch (Exception e) { - throw new AclPlugRuntimeException(accessControl.toString(), e); + throw new AclPlugRuntimeException(plainAccessResource.toString(), e); } } - public AuthenticationInfo getAccessControl(AccessControl accessControl) { - if (accessControl.getAccount() == null && authenticationInfo != null) { - return authenticationInfo.getNetaddressStrategy().match(accessControl) ? authenticationInfo : null; + public AuthenticationInfo getAccessControl(PlainAccessResource plainAccessResource) { + if (plainAccessResource.getAccessKey() == null && authenticationInfo != null) { + return authenticationInfo.getNetaddressStrategy().match(plainAccessResource) ? authenticationInfo : null; } else { - List accessControlAddressList = accessControlMap.get(accessControl.getAccount()); + List accessControlAddressList = accessControlMap.get(plainAccessResource.getAccessKey()); if (accessControlAddressList != null) { for (AuthenticationInfo ai : accessControlAddressList) { - if (ai.getNetaddressStrategy().match(accessControl) && ai.getAccessControl().getPassword().equals(accessControl.getPassword())) { + if (ai.getNetaddressStrategy().match(plainAccessResource) && ai.getPlainAccessResource().getSignature().equals(plainAccessResource.getSignature())) { return ai; } } @@ -198,15 +199,15 @@ public class PlainAclPlugEngine { return null; } - public AuthenticationResult eachCheckAuthentication(AccessControl accessControl) { + public AuthenticationResult eachCheckAuthentication(PlainAccessResource plainAccessResource) { AuthenticationResult authenticationResult = new AuthenticationResult(); - AuthenticationInfo authenticationInfo = getAccessControl(accessControl); + AuthenticationInfo authenticationInfo = getAccessControl(plainAccessResource); if (authenticationInfo != null) { - boolean boo = authentication(authenticationInfo, accessControl, authenticationResult); + boolean boo = authentication(authenticationInfo, plainAccessResource, authenticationResult); authenticationResult.setSucceed(boo); - authenticationResult.setAccessControl(authenticationInfo.getAccessControl()); + authenticationResult.setPlainAccessResource(authenticationInfo.getPlainAccessResource()); } else { - authenticationResult.setResultString("accessControl is null, Please check login, password, IP\""); + authenticationResult.setResultString("plainAccessResource is null, Please check login, password, IP\""); } return authenticationResult; } @@ -226,18 +227,18 @@ public class PlainAclPlugEngine { } } - public boolean authentication(AuthenticationInfo authenticationInfo, AccessControl accessControl, + public boolean authentication(AuthenticationInfo authenticationInfo, PlainAccessResource plainAccessResource, AuthenticationResult authenticationResult) { - int code = accessControl.getCode(); + int code = plainAccessResource.getRequestCode(); if (!authenticationInfo.getAuthority().get(code)) { authenticationResult.setResultString(String.format("code is %d Authentication failed", code)); return false; } - if (!(authenticationInfo.getAccessControl() instanceof BrokerAccessControl)) { + if (!(authenticationInfo.getPlainAccessResource() instanceof BrokerAccessControl)) { return true; } - BrokerAccessControl borker = (BrokerAccessControl) authenticationInfo.getAccessControl(); - String topicName = accessControl.getTopic(); + BrokerAccessControl borker = (BrokerAccessControl) authenticationInfo.getPlainAccessResource(); + String topicName = plainAccessResource.getTopic(); if (code == 10 || code == 310 || code == 320) { if (borker.getPermitSendTopic().contains(topicName)) { return true; @@ -284,8 +285,8 @@ public class PlainAclPlugEngine { } } - public Map analysis(AccessControl accessControl) { - Class clazz = accessControl.getClass(); + public Map analysis(PlainAccessResource plainAccessResource) { + Class clazz = plainAccessResource.getClass(); Map codeAndField = classTocodeAndMentod.get(clazz); if (codeAndField == null) { codeAndField = new HashMap<>(); @@ -305,8 +306,8 @@ public class PlainAclPlugEngine { } if (codeAndField.isEmpty()) { - throw new AclPlugRuntimeException(String.format("AccessControl nonexistent code , name %s", - accessControl.getClass().getName())); + throw new AclPlugRuntimeException(String.format("PlainAccessResource nonexistent code , name %s", + plainAccessResource.getClass().getName())); } classTocodeAndMentod.put(clazz, codeAndField); } @@ -315,11 +316,11 @@ public class PlainAclPlugEngine { try { while (it.hasNext()) { Entry e = it.next(); - authority.put(e.getKey(), (Boolean) e.getValue().get(accessControl)); + authority.put(e.getKey(), (Boolean) e.getValue().get(plainAccessResource)); } } catch (IllegalArgumentException | IllegalAccessException e) { throw new AclPlugRuntimeException( - String.format("analysis on failure AccessControl is %s", AccessControl.class.getName()), e); + String.format("analysis on failure PlainAccessResource is %s", PlainAccessResource.class.getName()), e); } return authority; } diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plug/AccessControl.java b/acl/src/main/java/org/apache/rocketmq/acl/plug/AccessControl.java deleted file mode 100644 index f487bf47..00000000 --- a/acl/src/main/java/org/apache/rocketmq/acl/plug/AccessControl.java +++ /dev/null @@ -1,95 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.rocketmq.acl.plug; - -import org.apache.rocketmq.acl.AccessResource; - -public class AccessControl implements AccessResource { - - private String account; - - private String password; - - private String netaddress; - - private String recognition; - - private int code; - - private String topic; - - public AccessControl() { - } - - public String getAccount() { - return account; - } - - public void setAccount(String account) { - this.account = account; - } - - public String getPassword() { - return password; - } - - public void setPassword(String password) { - this.password = password; - } - - public String getNetaddress() { - return netaddress; - } - - public void setNetaddress(String netaddress) { - this.netaddress = netaddress; - } - - public String getRecognition() { - return recognition; - } - - public void setRecognition(String recognition) { - this.recognition = recognition; - } - - public int getCode() { - return code; - } - - public void setCode(int code) { - this.code = code; - } - - public String getTopic() { - return topic; - } - - public void setTopic(String topic) { - this.topic = topic; - } - - @Override - public String toString() { - StringBuilder builder = new StringBuilder(); - builder.append("AccessControl [account=").append(account).append(", password=").append(password) - .append(", netaddress=").append(netaddress).append(", recognition=").append(recognition) - .append(", code=").append(code).append(", topic=").append(topic).append("]"); - return builder.toString(); - } - -} diff --git a/acl/src/test/java/org/apache/rocketmq/acl/plug/AclUtilsTest.java b/acl/src/test/java/org/apache/rocketmq/acl/plain/AclUtilsTest.java similarity index 97% rename from acl/src/test/java/org/apache/rocketmq/acl/plug/AclUtilsTest.java rename to acl/src/test/java/org/apache/rocketmq/acl/plain/AclUtilsTest.java index db9d9091..bfb4bd5a 100644 --- a/acl/src/test/java/org/apache/rocketmq/acl/plug/AclUtilsTest.java +++ b/acl/src/test/java/org/apache/rocketmq/acl/plain/AclUtilsTest.java @@ -14,11 +14,12 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.util.ArrayList; import java.util.List; import org.apache.commons.lang3.StringUtils; +import org.apache.rocketmq.acl.common.AclUtils; import org.junit.Assert; import org.junit.Test; diff --git a/acl/src/test/java/org/apache/rocketmq/acl/plug/NetaddressStrategyTest.java b/acl/src/test/java/org/apache/rocketmq/acl/plain/NetaddressStrategyTest.java similarity index 59% rename from acl/src/test/java/org/apache/rocketmq/acl/plug/NetaddressStrategyTest.java rename to acl/src/test/java/org/apache/rocketmq/acl/plain/NetaddressStrategyTest.java index 6c76609d..9ea34c9a 100644 --- a/acl/src/test/java/org/apache/rocketmq/acl/plug/NetaddressStrategyTest.java +++ b/acl/src/test/java/org/apache/rocketmq/acl/plain/NetaddressStrategyTest.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import org.junit.Assert; import org.junit.Test; @@ -25,111 +25,111 @@ public class NetaddressStrategyTest { @Test public void NetaddressStrategyFactoryTest() { - AccessControl accessControl = new AccessControl(); - NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy, NetaddressStrategyFactory.NULL_NET_ADDRESS_STRATEGY); - accessControl.setNetaddress("*"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("*"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy, NetaddressStrategyFactory.NULL_NET_ADDRESS_STRATEGY); - accessControl.setNetaddress("127.0.0.1"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.1"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.OneNetaddressStrategy.class); - accessControl.setNetaddress("127.0.0.1,127.0.0.2,127.0.0.3"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.1,127.0.0.2,127.0.0.3"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.MultipleNetaddressStrategy.class); - accessControl.setNetaddress("127.0.0.{1,2,3}"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.{1,2,3}"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.MultipleNetaddressStrategy.class); - accessControl.setNetaddress("127.0.0.1-200"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.1-200"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.RangeNetaddressStrategy.class); - accessControl.setNetaddress("127.0.0.*"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.*"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.RangeNetaddressStrategy.class); - accessControl.setNetaddress("127.0.1-20.*"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.1-20.*"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); Assert.assertEquals(netaddressStrategy.getClass(), NetaddressStrategyFactory.RangeNetaddressStrategy.class); } @Test(expected = AclPlugRuntimeException.class) public void verifyTest() { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1"); - netaddressStrategyFactory.getNetaddressStrategy(accessControl); - accessControl.setNetaddress("256.0.0.1"); - netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1"); + netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); + plainAccessResource.setRemoteAddr("256.0.0.1"); + netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); } @Test public void nullNetaddressStrategyTest() { - boolean isMatch = NetaddressStrategyFactory.NULL_NET_ADDRESS_STRATEGY.match(new AccessControl()); + boolean isMatch = NetaddressStrategyFactory.NULL_NET_ADDRESS_STRATEGY.match(new PlainAccessResource()); Assert.assertTrue(isMatch); } public void oneNetaddressStrategyTest() { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1"); - NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); - accessControl.setNetaddress(""); - boolean match = netaddressStrategy.match(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1"); + NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); + plainAccessResource.setRemoteAddr(""); + boolean match = netaddressStrategy.match(plainAccessResource); Assert.assertFalse(match); - accessControl.setNetaddress("127.0.0.2"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.2"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertFalse(match); - accessControl.setNetaddress("127.0.0.1"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.1"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertTrue(match); } @Test public void multipleNetaddressStrategyTest() { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1,127.0.0.2,127.0.0.3"); - NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1,127.0.0.2,127.0.0.3"); + NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); multipleNetaddressStrategyTest(netaddressStrategy); - accessControl.setNetaddress("127.0.0.{1,2,3}"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.{1,2,3}"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); multipleNetaddressStrategyTest(netaddressStrategy); } @Test(expected = AclPlugRuntimeException.class) public void multipleNetaddressStrategyExceptionTest() { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1,2,3}"); - netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1,2,3}"); + netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); } private void multipleNetaddressStrategyTest(NetaddressStrategy netaddressStrategy) { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1"); - boolean match = netaddressStrategy.match(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1"); + boolean match = netaddressStrategy.match(plainAccessResource); Assert.assertTrue(match); - accessControl.setNetaddress("127.0.0.2"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.2"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertTrue(match); - accessControl.setNetaddress("127.0.0.3"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.3"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertTrue(match); - accessControl.setNetaddress("127.0.0.4"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.4"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertFalse(match); - accessControl.setNetaddress("127.0.0.0"); - match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.0"); + match = netaddressStrategy.match(plainAccessResource); Assert.assertFalse(match); } @@ -137,25 +137,25 @@ public class NetaddressStrategyTest { @Test public void rangeNetaddressStrategyTest() { String head = "127.0.0."; - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress("127.0.0.1-200"); - NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr("127.0.0.1-200"); + NetaddressStrategy netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); rangeNetaddressStrategyTest(netaddressStrategy, head, 1, 200, true); - accessControl.setNetaddress("127.0.0.*"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.*"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); rangeNetaddressStrategyTest(netaddressStrategy, head, 0, 255, true); - accessControl.setNetaddress("127.0.1-200.*"); - netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(accessControl); + plainAccessResource.setRemoteAddr("127.0.1-200.*"); + netaddressStrategy = netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); rangeNetaddressStrategyThirdlyTest(netaddressStrategy, head, 1, 200); } private void rangeNetaddressStrategyTest(NetaddressStrategy netaddressStrategy, String head, int start, int end, boolean isFalse) { - AccessControl accessControl = new AccessControl(); + PlainAccessResource plainAccessResource = new PlainAccessResource(); for (int i = -10; i < 300; i++) { - accessControl.setNetaddress(head + i); - boolean match = netaddressStrategy.match(accessControl); + plainAccessResource.setRemoteAddr(head + i); + boolean match = netaddressStrategy.match(plainAccessResource); if (isFalse && i >= start && i <= end) { Assert.assertTrue(match); continue; @@ -192,9 +192,9 @@ public class NetaddressStrategyTest { } private void rangeNetaddressStrategyExceptionTest(String netaddress) { - AccessControl accessControl = new AccessControl(); - accessControl.setNetaddress(netaddress); - netaddressStrategyFactory.getNetaddressStrategy(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + plainAccessResource.setRemoteAddr(netaddress); + netaddressStrategyFactory.getNetaddressStrategy(plainAccessResource); } } diff --git a/acl/src/test/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngineTest.java b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngineTest.java similarity index 64% rename from acl/src/test/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngineTest.java rename to acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngineTest.java index 3d3f254e..0ce308a4 100644 --- a/acl/src/test/java/org/apache/rocketmq/acl/plug/PlainAclPlugEngineTest.java +++ b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainAclPlugEngineTest.java @@ -14,7 +14,7 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -package org.apache.rocketmq.acl.plug; +package org.apache.rocketmq.acl.plain; import java.io.File; import java.io.FileWriter; @@ -26,8 +26,8 @@ import java.util.List; import java.util.Map; import java.util.Map.Entry; import java.util.Set; -import org.apache.rocketmq.acl.plug.PlainAclPlugEngine.AccessContralAnalysis; -import org.apache.rocketmq.acl.plug.PlainAclPlugEngine.BrokerAccessControlTransport; +import org.apache.rocketmq.acl.plain.PlainAclPlugEngine.AccessContralAnalysis; +import org.apache.rocketmq.acl.plain.PlainAclPlugEngine.BrokerAccessControlTransport; import org.apache.rocketmq.common.protocol.RequestCode; import org.junit.Assert; import org.junit.Before; @@ -42,9 +42,9 @@ public class PlainAclPlugEngineTest { AccessContralAnalysis accessContralAnalysis = new AccessContralAnalysis(); - AccessControl accessControl; + PlainAccessResource plainAccessResource; - AccessControl accessControlTwo; + PlainAccessResource plainAccessResourceTwo; AuthenticationInfo authenticationInfo; @@ -96,42 +96,42 @@ public class PlainAclPlugEngineTest { System.setProperty("rocketmq.home.dir", "src/test/resources"); plainAclPlugEngine = new PlainAclPlugEngine(); - accessControl = new BrokerAccessControl(); - accessControl.setAccount("rokcetmq"); - accessControl.setPassword("aliyun11"); - accessControl.setNetaddress("127.0.0.1"); - accessControl.setRecognition("127.0.0.1:1"); + plainAccessResource = new BrokerAccessControl(); + plainAccessResource.setAccessKey("rokcetmq"); + plainAccessResource.setSignature("aliyun11"); + plainAccessResource.setRemoteAddr("127.0.0.1"); + plainAccessResource.setRecognition("127.0.0.1:1"); - accessControlTwo = new BrokerAccessControl(); - accessControlTwo.setAccount("rokcet1"); - accessControlTwo.setPassword("aliyun1"); - accessControlTwo.setNetaddress("127.0.0.1"); - accessControlTwo.setRecognition("127.0.0.1:2"); + plainAccessResourceTwo = new BrokerAccessControl(); + plainAccessResourceTwo.setAccessKey("rokcet1"); + plainAccessResourceTwo.setSignature("aliyun1"); + plainAccessResourceTwo.setRemoteAddr("127.0.0.1"); + plainAccessResourceTwo.setRecognition("127.0.0.1:2"); } @Test(expected = AclPlugRuntimeException.class) public void accountNullTest() { - accessControl.setAccount(null); - plainAclPlugEngine.setAccessControl(accessControl); + plainAccessResource.setAccessKey(null); + plainAclPlugEngine.setAccessControl(plainAccessResource); } @Test(expected = AclPlugRuntimeException.class) public void accountThanTest() { - accessControl.setAccount("123"); - plainAclPlugEngine.setAccessControl(accessControl); + plainAccessResource.setAccessKey("123"); + plainAclPlugEngine.setAccessControl(plainAccessResource); } @Test(expected = AclPlugRuntimeException.class) public void passWordtNullTest() { - accessControl.setAccount(null); - plainAclPlugEngine.setAccessControl(accessControl); + plainAccessResource.setAccessKey(null); + plainAclPlugEngine.setAccessControl(plainAccessResource); } @Test(expected = AclPlugRuntimeException.class) public void passWordThanTest() { - accessControl.setAccount("123"); - plainAclPlugEngine.setAccessControl(accessControl); + plainAccessResource.setAccessKey("123"); + plainAclPlugEngine.setAccessControl(plainAccessResource); } @Test(expected = AclPlugRuntimeException.class) @@ -142,66 +142,66 @@ public class PlainAclPlugEngineTest { @Test public void authenticationInfoOfSetAccessControl() { - plainAclPlugEngine.setAccessControl(accessControl); + plainAclPlugEngine.setAccessControl(plainAccessResource); - AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(accessControl); + AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(plainAccessResource); - AccessControl getAccessControl = authenticationInfo.getAccessControl(); - Assert.assertEquals(accessControl, getAccessControl); + PlainAccessResource getPlainAccessResource = authenticationInfo.getPlainAccessResource(); + Assert.assertEquals(plainAccessResource, getPlainAccessResource); - AccessControl testAccessControl = new AccessControl(); - testAccessControl.setAccount("rokcetmq"); - testAccessControl.setPassword("aliyun11"); - testAccessControl.setNetaddress("127.0.0.1"); - testAccessControl.setRecognition("127.0.0.1:1"); + PlainAccessResource testPlainAccessResource = new PlainAccessResource(); + testPlainAccessResource.setAccessKey("rokcetmq"); + testPlainAccessResource.setSignature("aliyun11"); + testPlainAccessResource.setRemoteAddr("127.0.0.1"); + testPlainAccessResource.setRecognition("127.0.0.1:1"); - testAccessControl.setAccount("rokcetmq1"); - authenticationInfo = plainAclPlugEngine.getAccessControl(testAccessControl); + testPlainAccessResource.setAccessKey("rokcetmq1"); + authenticationInfo = plainAclPlugEngine.getAccessControl(testPlainAccessResource); Assert.assertNull(authenticationInfo); - testAccessControl.setAccount("rokcetmq"); - testAccessControl.setPassword("1234567"); - authenticationInfo = plainAclPlugEngine.getAccessControl(testAccessControl); + testPlainAccessResource.setAccessKey("rokcetmq"); + testPlainAccessResource.setSignature("1234567"); + authenticationInfo = plainAclPlugEngine.getAccessControl(testPlainAccessResource); Assert.assertNull(authenticationInfo); - testAccessControl.setNetaddress("127.0.0.2"); - authenticationInfo = plainAclPlugEngine.getAccessControl(testAccessControl); + testPlainAccessResource.setRemoteAddr("127.0.0.2"); + authenticationInfo = plainAclPlugEngine.getAccessControl(testPlainAccessResource); Assert.assertNull(authenticationInfo); } @Test public void setAccessControlList() { - List accessControlList = new ArrayList<>(); - accessControlList.add(accessControl); + List plainAccessResourceList = new ArrayList<>(); + plainAccessResourceList.add(plainAccessResource); - accessControlList.add(accessControlTwo); + plainAccessResourceList.add(plainAccessResourceTwo); - plainAclPlugEngine.setAccessControlList(accessControlList); + plainAclPlugEngine.setAccessControlList(plainAccessResourceList); - AuthenticationInfo newAccessControl = plainAclPlugEngine.getAccessControl(accessControl); - Assert.assertEquals(accessControl, newAccessControl.getAccessControl()); + AuthenticationInfo newAccessControl = plainAclPlugEngine.getAccessControl(plainAccessResource); + Assert.assertEquals(plainAccessResource, newAccessControl.getPlainAccessResource()); - newAccessControl = plainAclPlugEngine.getAccessControl(accessControlTwo); - Assert.assertEquals(accessControlTwo, newAccessControl.getAccessControl()); + newAccessControl = plainAclPlugEngine.getAccessControl(plainAccessResourceTwo); + Assert.assertEquals(plainAccessResourceTwo, newAccessControl.getPlainAccessResource()); } @Test public void setNetaddressAccessControl() { - AccessControl accessControl = new BrokerAccessControl(); - accessControl.setAccount("RocketMQ"); - accessControl.setPassword("RocketMQ"); - accessControl.setNetaddress("127.0.0.1"); - plainAclPlugEngine.setAccessControl(accessControl); - plainAclPlugEngine.setNetaddressAccessControl(accessControl); + PlainAccessResource plainAccessResource = new BrokerAccessControl(); + plainAccessResource.setAccessKey("RocketMQ"); + plainAccessResource.setSignature("RocketMQ"); + plainAccessResource.setRemoteAddr("127.0.0.1"); + plainAclPlugEngine.setAccessControl(plainAccessResource); + plainAclPlugEngine.setNetaddressAccessControl(plainAccessResource); - AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(accessControl); + AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(plainAccessResource); - AccessControl getAccessControl = authenticationInfo.getAccessControl(); - Assert.assertEquals(accessControl, getAccessControl); + PlainAccessResource getPlainAccessResource = authenticationInfo.getPlainAccessResource(); + Assert.assertEquals(plainAccessResource, getPlainAccessResource); - accessControl.setNetaddress("127.0.0.2"); - authenticationInfo = plainAclPlugEngine.getAccessControl(accessControl); + plainAccessResource.setRemoteAddr("127.0.0.2"); + authenticationInfo = plainAclPlugEngine.getAccessControl(plainAccessResource); Assert.assertNull(authenticationInfo); } @@ -219,68 +219,68 @@ public class PlainAclPlugEngineTest { public void BrokerAccessControlTransportTest() { BrokerAccessControlTransport accessControlTransport = new BrokerAccessControlTransport(); List list = new ArrayList<>(); - list.add((BrokerAccessControl) this.accessControlTwo); - accessControlTransport.setOnlyNetAddress((BrokerAccessControl) this.accessControl); + list.add((BrokerAccessControl) this.plainAccessResourceTwo); + accessControlTransport.setOnlyNetAddress((BrokerAccessControl) this.plainAccessResource); accessControlTransport.setList(list); plainAclPlugEngine.setBrokerAccessControlTransport(accessControlTransport); - AccessControl accessControl = new BrokerAccessControl(); - accessControl.setAccount("RocketMQ"); - accessControl.setPassword("RocketMQ"); - accessControl.setNetaddress("127.0.0.1"); - plainAclPlugEngine.setAccessControl(accessControl); - AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(accessControl); - Assert.assertNotNull(authenticationInfo.getAccessControl()); + PlainAccessResource plainAccessResource = new BrokerAccessControl(); + plainAccessResource.setAccessKey("RocketMQ"); + plainAccessResource.setSignature("RocketMQ"); + plainAccessResource.setRemoteAddr("127.0.0.1"); + plainAclPlugEngine.setAccessControl(plainAccessResource); + AuthenticationInfo authenticationInfo = plainAclPlugEngine.getAccessControl(plainAccessResource); + Assert.assertNotNull(authenticationInfo.getPlainAccessResource()); - authenticationInfo = plainAclPlugEngine.getAccessControl(accessControlTwo); - Assert.assertEquals(accessControlTwo, authenticationInfo.getAccessControl()); + authenticationInfo = plainAclPlugEngine.getAccessControl(plainAccessResourceTwo); + Assert.assertEquals(plainAccessResourceTwo, authenticationInfo.getPlainAccessResource()); } @Test public void authenticationTest() { AuthenticationResult authenticationResult = new AuthenticationResult(); - accessControl.setCode(317); + plainAccessResource.setRequestCode(317); - boolean isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + boolean isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setCode(321); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(321); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); - accessControl.setCode(10); - accessControl.setTopic("permitSendTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(10); + plainAccessResource.setTopic("permitSendTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setCode(310); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(310); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setCode(320); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(320); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setTopic("noPermitSendTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setTopic("noPermitSendTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); - accessControl.setTopic("nopermitSendTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setTopic("nopermitSendTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); - accessControl.setCode(11); - accessControl.setTopic("permitPullTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(11); + plainAccessResource.setTopic("permitPullTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setTopic("noPermitPullTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setTopic("noPermitPullTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); - accessControl.setTopic("nopermitPullTopic"); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setTopic("nopermitPullTopic"); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); } @@ -288,31 +288,31 @@ public class PlainAclPlugEngineTest { @Test public void isEmptyTest() { AuthenticationResult authenticationResult = new AuthenticationResult(); - accessControl.setCode(10); - accessControl.setTopic("absentTopic"); - boolean isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(10); + plainAccessResource.setTopic("absentTopic"); + boolean isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); Set permitSendTopic = new HashSet<>(); brokerAccessControl.setPermitSendTopic(permitSendTopic); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); - accessControl.setCode(11); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + plainAccessResource.setRequestCode(11); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertFalse(isReturn); brokerAccessControl.setPermitPullTopic(permitSendTopic); - isReturn = plainAclPlugEngine.authentication(authenticationInfo, accessControl, authenticationResult); + isReturn = plainAclPlugEngine.authentication(authenticationInfo, plainAccessResource, authenticationResult); Assert.assertTrue(isReturn); } @Test public void adminBrokerAccessControlTest() { BrokerAccessControl admin = new BrokerAccessControl(); - admin.setAccount("adminTest"); - admin.setPassword("adminTest"); - admin.setNetaddress("127.0.0.1"); + admin.setAccessKey("adminTest"); + admin.setSignature("adminTest"); + admin.setRemoteAddr("127.0.0.1"); plainAclPlugEngine.setAccessControl(admin); Assert.assertFalse(admin.isUpdateAndCreateTopic()); @@ -324,12 +324,12 @@ public class PlainAclPlugEngineTest { @Test public void adminEachCheckAuthentication() { BrokerAccessControl accessControl = new BrokerAccessControl(); - accessControl.setAccount("RocketMQ1"); - accessControl.setPassword("1234567"); - accessControl.setNetaddress("127.0.0.1"); + accessControl.setAccessKey("RocketMQ1"); + accessControl.setSignature("1234567"); + accessControl.setRemoteAddr("127.0.0.1"); plainAclPlugEngine.setAccessControl(accessControl); for (Integer code : adminCode) { - accessControl.setCode(code); + accessControl.setRequestCode(code); AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControl); Assert.assertFalse(authenticationResult.isSucceed()); @@ -338,7 +338,7 @@ public class PlainAclPlugEngineTest { accessControl.setAdmin(true); plainAclPlugEngine.setAccessControl(accessControl); for (Integer code : adminCode) { - accessControl.setCode(code); + accessControl.setRequestCode(code); AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControl); Assert.assertTrue(authenticationResult.isSucceed()); } @@ -346,12 +346,12 @@ public class PlainAclPlugEngineTest { @Test public void cleanAuthenticationInfoTest() { - plainAclPlugEngine.setAccessControl(accessControl); - accessControl.setCode(202); - AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControl); + plainAclPlugEngine.setAccessControl(plainAccessResource); + plainAccessResource.setRequestCode(202); + AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(plainAccessResource); Assert.assertTrue(authenticationResult.isSucceed()); plainAclPlugEngine.cleanAuthenticationInfo(); - authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControl); + authenticationResult = plainAclPlugEngine.eachCheckAuthentication(plainAccessResource); Assert.assertFalse(authenticationResult.isSucceed()); } @@ -380,8 +380,8 @@ public class PlainAclPlugEngineTest { writer.flush(); writer.close(); PlainAclPlugEngine plainAclPlugEngine = new PlainAclPlugEngine(); - accessControl.setCode(203); - AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControl); + plainAccessResource.setRequestCode(203); + AuthenticationResult authenticationResult = plainAclPlugEngine.eachCheckAuthentication(plainAccessResource); Assert.assertTrue(authenticationResult.isSucceed()); writer = new FileWriter(new File("src/test/resources/watch/conf/transport.yml"), true); @@ -396,8 +396,8 @@ public class PlainAclPlugEngineTest { // TODO Auto-generated catch block e.printStackTrace(); } - accessControlTwo.setCode(203); - authenticationResult = plainAclPlugEngine.eachCheckAuthentication(accessControlTwo); + plainAccessResourceTwo.setRequestCode(203); + authenticationResult = plainAclPlugEngine.eachCheckAuthentication(plainAccessResourceTwo); Assert.assertTrue(authenticationResult.isSucceed()); transport.delete(); @@ -430,7 +430,7 @@ public class PlainAclPlugEngineTest { @Test(expected = AclPlugRuntimeException.class) public void analysisExceptionTest() { - AccessControl accessControl = new AccessControl(); - accessContralAnalysis.analysis(accessControl); + PlainAccessResource plainAccessResource = new PlainAccessResource(); + accessContralAnalysis.analysis(plainAccessResource); } } diff --git a/acl/src/test/resources/conf/transport.yml b/acl/src/test/resources/conf/transport.yml index 6b1450ef..384769f1 100644 --- a/acl/src/test/resources/conf/transport.yml +++ b/acl/src/test/resources/conf/transport.yml @@ -14,22 +14,52 @@ # limitations under the License. onlyNetAddress: - netaddress: 10.10.103.* + remoteAddr: 10.10.103.* noPermitPullTopic: - broker-a list: -- account: RocketMQ - password: 1234567 - netaddress: 192.0.0.* +- accessKey: RocketMQ + signature: 1234567 + remoteAddr: 192.0.0.* admin: true permitSendTopic: - test1 - test2 -- account: RocketMQ - password: 1234567 - netaddress: 192.0.2.1 +- accessKey: RocketMQ + signature: 1234567 + remoteAddr: 192.0.2.1 permitSendTopic: - test3 - test4 - \ No newline at end of file + + +## suggested format + +globalWhiteRemoteAddresses: + - 10.10.103.* + - 192.168.0.* + +accounts: +- accessKey: ak1 + secretKey: sk1 + whiteRemoteAddress: 192.168.0.* + admin: false + defaultTopicPerm: DENY + defaultGroupPerm: SUB + topics: + - topicA=DENY + - topicB=PUB|SUB + - topicC=SUB + groups: + # the group should convert to retry topic + - groupA=DENY + - groupB=SUB + - groupC=SUB + +- accessKey: ak2 + secretKey: sk2 + whiteRemoteAddress: 192.168.1.* + # if it is admin, it could access all resources + admin: true + diff --git a/distribution/conf/transport.yml b/distribution/conf/transport.yml index f8180ede..69c86bcd 100644 --- a/distribution/conf/transport.yml +++ b/distribution/conf/transport.yml @@ -14,20 +14,20 @@ # limitations under the License. onlyNetAddress: - netaddress: 192.168.0.* + remoteAddr: 192.168.0.* noPermitPullTopic: - broker-a list: - account: RocketMQ - password: 1234567 - netaddress: 192.168.0.* + signature: 1234567 + remoteAddr: 192.168.0.* permitSendTopic: - TopicTest - test2 - account: RocketMQ - password: 1234567 - netaddress: 192.168.2.1 + signature: 1234567 + remoteAddr: 192.168.2.1 permitSendTopic: - test3 - test4 diff --git a/pom.xml b/pom.xml index 84f45fd8..1f2091a5 100644 --- a/pom.xml +++ b/pom.xml @@ -593,6 +593,11 @@ snakeyaml 1.19 + + commons-codec + commons-codec + 1.9 + org.apache.logging.log4j log4j-core -- GitLab