1 /*
2 * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 5106721
27 * @summary Check the NotificationAccessController methods are properly called.
28 * @author Luis-Miguel Alventosa
29 * @run clean NotificationAccessControllerTest
30 * @run build NotificationAccessControllerTest
31 * @run main NotificationAccessControllerTest
32 */
33
34 import com.sun.jmx.remote.security.NotificationAccessController;
35 import java.util.ArrayList;
36 import java.util.Collections;
37 import java.util.HashMap;
38 import java.util.List;
39 import java.util.Map;
40 import java.util.concurrent.CopyOnWriteArrayList;
41 import java.util.concurrent.Semaphore;
42 import javax.management.MBeanServer;
43 import javax.management.MBeanServerConnection;
44 import javax.management.MBeanServerFactory;
45 import javax.management.Notification;
46 import javax.management.NotificationBroadcasterSupport;
47 import javax.management.NotificationListener;
48 import javax.management.ObjectName;
49 import javax.management.remote.JMXAuthenticator;
50 import javax.management.remote.JMXConnector;
51 import javax.management.remote.JMXConnectorFactory;
52 import javax.management.remote.JMXConnectorServer;
53 import javax.management.remote.JMXConnectorServerFactory;
54 import javax.management.remote.JMXPrincipal;
55 import javax.management.remote.JMXServiceURL;
56 import javax.security.auth.Subject;
57
58 public class NotificationAccessControllerTest {
59
60 public class NAC implements NotificationAccessController {
61 private final boolean throwException;
62 public NAC(boolean throwException) {
63 this.throwException = throwException;
64 }
65
66 @Override
67 public void addNotificationListener(
68 String connectionId,
69 ObjectName name,
70 Subject subject)
71 throws SecurityException {
72 echo("addNotificationListener:");
73 echo("\tconnectionId: " + connectionId);
74 echo("\tname: " + name);
75 echo("\tsubject: " +
76 (subject == null ? null : subject.getPrincipals()));
77 if (throwException)
78 if (name.getCanonicalName().equals("domain:name=1,type=NB")
79 &&
80 subject != null
81 &&
82 subject.getPrincipals().contains(new JMXPrincipal("role")))
83 throw new SecurityException();
84 }
85
86 @Override
87 public void removeNotificationListener(
88 String connectionId,
89 ObjectName name,
90 Subject subject)
91 throws SecurityException {
92 echo("removeNotificationListener:");
93 echo("\tconnectionId: " + connectionId);
94 echo("\tname: " + name);
95 echo("\tsubject: " +
96 (subject == null ? null : subject.getPrincipals()));
97 if (throwException)
98 if (name.getCanonicalName().equals("domain:name=2,type=NB")
99 &&
100 subject != null
101 &&
102 subject.getPrincipals().contains(new JMXPrincipal("role")))
103 throw new SecurityException();
104 }
105
106 @Override
107 public void fetchNotification(
108 String connectionId,
109 ObjectName name,
110 Notification notification,
111 Subject subject)
112 throws SecurityException {
113 echo("fetchNotification:");
114 echo("\tconnectionId: " + connectionId);
115 echo("\tname: " + name);
116 echo("\tnotification: " + notification);
117 echo("\tsubject: " +
118 (subject == null ? null : subject.getPrincipals()));
119 if (!throwException)
120 if (name.getCanonicalName().equals("domain:name=2,type=NB")
121 &&
122 subject != null
123 &&
124 subject.getPrincipals().contains(new JMXPrincipal("role")))
125 throw new SecurityException();
126 }
127 }
128
129 public class CustomJMXAuthenticator implements JMXAuthenticator {
130 @Override
131 public Subject authenticate(Object credentials) {
132 String role = ((String[]) credentials)[0];
133 echo("\nCreate principal with name = " + role);
134 return new Subject(true,
135 Collections.singleton(new JMXPrincipal(role)),
136 Collections.EMPTY_SET,
137 Collections.EMPTY_SET);
138 }
139 }
140
141 public interface NBMBean {
142 public void emitNotification(int seqnum, ObjectName name);
143 }
144
145 public static class NB
146 extends NotificationBroadcasterSupport
147 implements NBMBean {
148 @Override
149 public void emitNotification(int seqnum, ObjectName name) {
150 if (name == null) {
151 sendNotification(new Notification("nb", this, seqnum));
152 } else {
153 sendNotification(new Notification("nb", name, seqnum));
154 }
155 }
156 }
157
158 public class Listener implements NotificationListener {
159 public final List<Notification> notifs = new CopyOnWriteArrayList<>();
160
161 private final Semaphore s;
162 public Listener(Semaphore s) {
163 this.s = s;
164 }
165 @Override
166 public void handleNotification(Notification n, Object h) {
167 echo("handleNotification:");
168 echo("\tNotification = " + n);
169 echo("\tNotification.SeqNum = " + n.getSequenceNumber());
170 echo("\tHandback = " + h);
171 notifs.add(n);
172 s.release();
173 }
174 }
175
176 /**
177 * Check received notifications
178 */
179 public int checkNotifs(int size,
180 List<Notification> received,
181 List<ObjectName> expected) {
182 if (received.size() != size) {
183 echo("Error: expecting " + size + " notifications, got " +
184 received.size());
185 return 1;
186 } else {
187 for (Notification n : received) {
188 echo("Received notification: " + n);
189 if (!n.getType().equals("nb")) {
190 echo("Notification type must be \"nb\"");
191 return 1;
192 }
193 ObjectName o = (ObjectName) n.getSource();
194 int index = (int) n.getSequenceNumber();
195 ObjectName nb = expected.get(index);
196 if (!o.equals(nb)) {
197 echo("Notification source must be " + nb);
198 return 1;
199 }
200 }
201 }
202 return 0;
203 }
204
205 /**
206 * Run test
207 */
208 public int runTest(boolean enableChecks, boolean throwException)
209 throws Exception {
210
211 echo("\n=-=-= " + (enableChecks ? "Enable" : "Disable") +
212 " notification access control checks " +
213 (!enableChecks ? "" : (throwException ? ": add/remove " :
214 ": fetch ")) + "=-=-=");
215
216 JMXConnectorServer server = null;
217 JMXConnector client = null;
218
219 /*
220 * (!enableChecks)
221 * - List must contain three notifs from sources nb1, nb2 and nb3
222 * (enableChecks && !throwException)
223 * - List must contain one notif from source nb1
224 * (enableChecks && throwException)
225 * - List must contain two notifs from sources nb2 and nb3
226 */
227 final int expected_notifs =
228 (!enableChecks ? 3 : (throwException ? 2 : 1));
229
230 // Create a new MBeanServer
231 //
232 final MBeanServer mbs = MBeanServerFactory.createMBeanServer();
233
234 try {
235 // Create server environment map
236 //
237 final Map<String,Object> env = new HashMap<>();
238 env.put("jmx.remote.authenticator", new CustomJMXAuthenticator());
239 if (enableChecks) {
240 env.put("com.sun.jmx.remote.notification.access.controller",
241 new NAC(throwException));
242 }
243
244 // Create the JMXServiceURL
245 //
246 final JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://");
247
248 // Create a JMXConnectorServer
249 //
250 server = JMXConnectorServerFactory.newJMXConnectorServer(url,
251 env,
252 mbs);
253
254 // Start the JMXConnectorServer
255 //
256 server.start();
257
258 // Create server environment map
259 //
260 final Map<String,Object> cenv = new HashMap<>();
261 String[] credentials = new String[] { "role" , "password" };
262 cenv.put("jmx.remote.credentials", credentials);
263
264 // Create JMXConnector and connect to JMXConnectorServer
265 //
266 client = JMXConnectorFactory.connect(server.getAddress(), cenv);
267
268 // Get non-secure MBeanServerConnection
269 //
270 final MBeanServerConnection mbsc =
271 client.getMBeanServerConnection();
272
273 // Create NB MBean
274 //
275 ObjectName nb1 = ObjectName.getInstance("domain:type=NB,name=1");
276 ObjectName nb2 = ObjectName.getInstance("domain:type=NB,name=2");
277 ObjectName nb3 = ObjectName.getInstance("domain:type=NB,name=3");
278 mbsc.createMBean(NB.class.getName(), nb1);
279 mbsc.createMBean(NB.class.getName(), nb2);
280 mbsc.createMBean(NB.class.getName(), nb3);
281
282 // Add notification listener
283 //
284 Semaphore s = new Semaphore(0);
285
286 Listener li = new Listener(s);
287 try {
288 mbsc.addNotificationListener(nb1, li, null, null);
289 if (enableChecks && throwException) {
290 echo("Didn't get expected exception");
291 return 1;
292 }
293 } catch (SecurityException e) {
294 if (enableChecks && throwException) {
295 echo("Got expected exception: " + e);
296 } else {
297 echo("Got unexpected exception: " + e);
298 return 1;
299 }
300 }
301 mbsc.addNotificationListener(nb2, li, null, null);
302
303 System.out.println("\n+++ Expecting to receive " + expected_notifs +
304 " notification" + (expected_notifs > 1 ? "s" : "") +
305 " +++");
306 // Invoke the "sendNotification" method
307 //
308 mbsc.invoke(nb1, "emitNotification",
309 new Object[] {0, null},
310 new String[] {"int", "javax.management.ObjectName"});
311 mbsc.invoke(nb2, "emitNotification",
312 new Object[] {1, null},
313 new String[] {"int", "javax.management.ObjectName"});
314 mbsc.invoke(nb2, "emitNotification",
315 new Object[] {2, nb3},
316 new String[] {"int", "javax.management.ObjectName"});
317
318 // Wait for notifications to be emitted
319 //
320 s.acquire(expected_notifs);
321
322 // Remove notification listener
323 //
324 if (!throwException)
325 mbsc.removeNotificationListener(nb1, li);
326 try {
327 mbsc.removeNotificationListener(nb2, li);
328 if (enableChecks && throwException) {
329 echo("Didn't get expected exception");
330 return 1;
331 }
332 } catch (SecurityException e) {
333 if (enableChecks && throwException) {
334 echo("Got expected exception: " + e);
335 } else {
336 echo("Got unexpected exception: " + e);
337 return 1;
338 }
339 }
340
341 int result = 0;
342 List<ObjectName> sources = new ArrayList();
343 sources.add(nb1);
344 sources.add(nb2);
345 sources.add(nb3);
346 result = checkNotifs(expected_notifs, li.notifs, sources);
347 if (result > 0) {
348 return result;
349 }
350 } catch (Exception e) {
351 echo("Failed to perform operation: " + e);
352 e.printStackTrace();
353 return 1;
354 } finally {
355 // Close the connection
356 //
357 if (client != null)
358 client.close();
359
360 // Stop the connector server
361 //
362 if (server != null)
363 server.stop();
364
365 // Release the MBeanServer
366 //
367 if (mbs != null)
368 MBeanServerFactory.releaseMBeanServer(mbs);
369 }
370
371 return 0;
372 }
373
374 /*
375 * Print message
376 */
377 private static void echo(String message) {
378 System.out.println(message);
379 }
380
381 public static void main(String[] args) throws Exception {
382
383 System.out.println("\nTest notification access control.");
384
385 NotificationAccessControllerTest nact =
386 new NotificationAccessControllerTest();
387
388 int error = 0;
389
390 error += nact.runTest(false, false);
391
392 error += nact.runTest(true, false);
393
394 error += nact.runTest(true, true);
395
396 if (error > 0) {
397 final String msg = "\nTest FAILED! Got " + error + " error(s)";
398 System.out.println(msg);
399 throw new IllegalArgumentException(msg);
400 } else {
401 System.out.println("\nTest PASSED!");
402 }
403 }
404 }