1 /*
2 * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 5106721
27 * @summary Check the NotificationAccessController methods are properly called.
28 * @author Luis-Miguel Alventosa
29 * @modules java.management/com.sun.jmx.remote.security
30 * @run clean NotificationAccessControllerTest
31 * @run build NotificationAccessControllerTest
32 * @run main NotificationAccessControllerTest
33 */
34
35 import com.sun.jmx.remote.security.NotificationAccessController;
36 import java.util.ArrayList;
37 import java.util.Collections;
38 import java.util.HashMap;
39 import java.util.List;
40 import java.util.Map;
41 import java.util.concurrent.CopyOnWriteArrayList;
42 import java.util.concurrent.Semaphore;
43 import javax.management.MBeanServer;
44 import javax.management.MBeanServerConnection;
45 import javax.management.MBeanServerFactory;
46 import javax.management.Notification;
47 import javax.management.NotificationBroadcasterSupport;
48 import javax.management.NotificationListener;
49 import javax.management.ObjectName;
50 import javax.management.remote.JMXAuthenticator;
51 import javax.management.remote.JMXConnector;
52 import javax.management.remote.JMXConnectorFactory;
53 import javax.management.remote.JMXConnectorServer;
54 import javax.management.remote.JMXConnectorServerFactory;
55 import javax.management.remote.JMXPrincipal;
56 import javax.management.remote.JMXServiceURL;
57 import javax.security.auth.Subject;
58
59 public class NotificationAccessControllerTest {
60
61 public class NAC implements NotificationAccessController {
62 private final boolean throwException;
63 public NAC(boolean throwException) {
64 this.throwException = throwException;
65 }
66
67 @Override
68 public void addNotificationListener(
69 String connectionId,
70 ObjectName name,
71 Subject subject)
72 throws SecurityException {
73 echo("addNotificationListener:");
74 echo("\tconnectionId: " + connectionId);
75 echo("\tname: " + name);
76 echo("\tsubject: " +
77 (subject == null ? null : subject.getPrincipals()));
78 if (throwException)
79 if (name.getCanonicalName().equals("domain:name=1,type=NB")
80 &&
81 subject != null
82 &&
83 subject.getPrincipals().contains(new JMXPrincipal("role")))
84 throw new SecurityException();
85 }
86
87 @Override
88 public void removeNotificationListener(
89 String connectionId,
90 ObjectName name,
91 Subject subject)
92 throws SecurityException {
93 echo("removeNotificationListener:");
94 echo("\tconnectionId: " + connectionId);
95 echo("\tname: " + name);
96 echo("\tsubject: " +
97 (subject == null ? null : subject.getPrincipals()));
98 if (throwException)
99 if (name.getCanonicalName().equals("domain:name=2,type=NB")
100 &&
101 subject != null
102 &&
103 subject.getPrincipals().contains(new JMXPrincipal("role")))
104 throw new SecurityException();
105 }
106
107 @Override
108 public void fetchNotification(
109 String connectionId,
110 ObjectName name,
111 Notification notification,
112 Subject subject)
113 throws SecurityException {
114 echo("fetchNotification:");
115 echo("\tconnectionId: " + connectionId);
116 echo("\tname: " + name);
117 echo("\tnotification: " + notification);
118 echo("\tsubject: " +
119 (subject == null ? null : subject.getPrincipals()));
120 if (!throwException)
121 if (name.getCanonicalName().equals("domain:name=2,type=NB")
122 &&
123 subject != null
124 &&
125 subject.getPrincipals().contains(new JMXPrincipal("role")))
126 throw new SecurityException();
127 }
128 }
129
130 public class CustomJMXAuthenticator implements JMXAuthenticator {
131 @Override
132 public Subject authenticate(Object credentials) {
133 String role = ((String[]) credentials)[0];
134 echo("\nCreate principal with name = " + role);
135 return new Subject(true,
136 Collections.singleton(new JMXPrincipal(role)),
137 Collections.EMPTY_SET,
138 Collections.EMPTY_SET);
139 }
140 }
141
142 public interface NBMBean {
143 public void emitNotification(int seqnum, ObjectName name);
144 }
145
146 public static class NB
147 extends NotificationBroadcasterSupport
148 implements NBMBean {
149 @Override
150 public void emitNotification(int seqnum, ObjectName name) {
151 if (name == null) {
152 sendNotification(new Notification("nb", this, seqnum));
153 } else {
154 sendNotification(new Notification("nb", name, seqnum));
155 }
156 }
157 }
158
159 public class Listener implements NotificationListener {
160 public final List<Notification> notifs = new CopyOnWriteArrayList<>();
161
162 private final Semaphore s;
163 public Listener(Semaphore s) {
164 this.s = s;
165 }
166 @Override
167 public void handleNotification(Notification n, Object h) {
168 echo("handleNotification:");
169 echo("\tNotification = " + n);
170 echo("\tNotification.SeqNum = " + n.getSequenceNumber());
171 echo("\tHandback = " + h);
172 notifs.add(n);
173 s.release();
174 }
175 }
176
177 /**
178 * Check received notifications
179 */
180 public int checkNotifs(int size,
181 List<Notification> received,
182 List<ObjectName> expected) {
183 if (received.size() != size) {
184 echo("Error: expecting " + size + " notifications, got " +
185 received.size());
186 return 1;
187 } else {
188 for (Notification n : received) {
189 echo("Received notification: " + n);
190 if (!n.getType().equals("nb")) {
191 echo("Notification type must be \"nb\"");
192 return 1;
193 }
194 ObjectName o = (ObjectName) n.getSource();
195 int index = (int) n.getSequenceNumber();
196 ObjectName nb = expected.get(index);
197 if (!o.equals(nb)) {
198 echo("Notification source must be " + nb);
199 return 1;
200 }
201 }
202 }
203 return 0;
204 }
205
206 /**
207 * Run test
208 */
209 public int runTest(boolean enableChecks, boolean throwException)
210 throws Exception {
211
212 echo("\n=-=-= " + (enableChecks ? "Enable" : "Disable") +
213 " notification access control checks " +
214 (!enableChecks ? "" : (throwException ? ": add/remove " :
215 ": fetch ")) + "=-=-=");
216
217 JMXConnectorServer server = null;
218 JMXConnector client = null;
219
220 /*
221 * (!enableChecks)
222 * - List must contain three notifs from sources nb1, nb2 and nb3
223 * (enableChecks && !throwException)
224 * - List must contain one notif from source nb1
225 * (enableChecks && throwException)
226 * - List must contain two notifs from sources nb2 and nb3
227 */
228 final int expected_notifs =
229 (!enableChecks ? 3 : (throwException ? 2 : 1));
230
231 // Create a new MBeanServer
232 //
233 final MBeanServer mbs = MBeanServerFactory.createMBeanServer();
234
235 try {
236 // Create server environment map
237 //
238 final Map<String,Object> env = new HashMap<>();
239 env.put("jmx.remote.authenticator", new CustomJMXAuthenticator());
240 if (enableChecks) {
241 env.put("com.sun.jmx.remote.notification.access.controller",
242 new NAC(throwException));
243 }
244
245 // Create the JMXServiceURL
246 //
247 final JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://");
248
249 // Create a JMXConnectorServer
250 //
251 server = JMXConnectorServerFactory.newJMXConnectorServer(url,
252 env,
253 mbs);
254
255 // Start the JMXConnectorServer
256 //
257 server.start();
258
259 // Create server environment map
260 //
261 final Map<String,Object> cenv = new HashMap<>();
262 String[] credentials = new String[] { "role" , "password" };
263 cenv.put("jmx.remote.credentials", credentials);
264
265 // Create JMXConnector and connect to JMXConnectorServer
266 //
267 client = JMXConnectorFactory.connect(server.getAddress(), cenv);
268
269 // Get non-secure MBeanServerConnection
270 //
271 final MBeanServerConnection mbsc =
272 client.getMBeanServerConnection();
273
274 // Create NB MBean
275 //
276 ObjectName nb1 = ObjectName.getInstance("domain:type=NB,name=1");
277 ObjectName nb2 = ObjectName.getInstance("domain:type=NB,name=2");
278 ObjectName nb3 = ObjectName.getInstance("domain:type=NB,name=3");
279 mbsc.createMBean(NB.class.getName(), nb1);
280 mbsc.createMBean(NB.class.getName(), nb2);
281 mbsc.createMBean(NB.class.getName(), nb3);
282
283 // Add notification listener
284 //
285 Semaphore s = new Semaphore(0);
286
287 Listener li = new Listener(s);
288 try {
289 mbsc.addNotificationListener(nb1, li, null, null);
290 if (enableChecks && throwException) {
291 echo("Didn't get expected exception");
292 return 1;
293 }
294 } catch (SecurityException e) {
295 if (enableChecks && throwException) {
296 echo("Got expected exception: " + e);
297 } else {
298 echo("Got unexpected exception: " + e);
299 return 1;
300 }
301 }
302 mbsc.addNotificationListener(nb2, li, null, null);
303
304 System.out.println("\n+++ Expecting to receive " + expected_notifs +
305 " notification" + (expected_notifs > 1 ? "s" : "") +
306 " +++");
307 // Invoke the "sendNotification" method
308 //
309 mbsc.invoke(nb1, "emitNotification",
310 new Object[] {0, null},
311 new String[] {"int", "javax.management.ObjectName"});
312 mbsc.invoke(nb2, "emitNotification",
313 new Object[] {1, null},
314 new String[] {"int", "javax.management.ObjectName"});
315 mbsc.invoke(nb2, "emitNotification",
316 new Object[] {2, nb3},
317 new String[] {"int", "javax.management.ObjectName"});
318
319 // Wait for notifications to be emitted
320 //
321 s.acquire(expected_notifs);
322
323 // Remove notification listener
324 //
325 if (!throwException)
326 mbsc.removeNotificationListener(nb1, li);
327 try {
328 mbsc.removeNotificationListener(nb2, li);
329 if (enableChecks && throwException) {
330 echo("Didn't get expected exception");
331 return 1;
332 }
333 } catch (SecurityException e) {
334 if (enableChecks && throwException) {
335 echo("Got expected exception: " + e);
336 } else {
337 echo("Got unexpected exception: " + e);
338 return 1;
339 }
340 }
341
342 int result = 0;
343 List<ObjectName> sources = new ArrayList();
344 sources.add(nb1);
345 sources.add(nb2);
346 sources.add(nb3);
347 result = checkNotifs(expected_notifs, li.notifs, sources);
348 if (result > 0) {
349 return result;
350 }
351 } catch (Exception e) {
352 echo("Failed to perform operation: " + e);
353 e.printStackTrace();
354 return 1;
355 } finally {
356 // Close the connection
357 //
358 if (client != null)
359 client.close();
360
361 // Stop the connector server
362 //
363 if (server != null)
364 server.stop();
365
366 // Release the MBeanServer
367 //
368 if (mbs != null)
369 MBeanServerFactory.releaseMBeanServer(mbs);
370 }
371
372 return 0;
373 }
374
375 /*
376 * Print message
377 */
378 private static void echo(String message) {
379 System.out.println(message);
380 }
381
382 public static void main(String[] args) throws Exception {
383
384 System.out.println("\nTest notification access control.");
385
386 NotificationAccessControllerTest nact =
387 new NotificationAccessControllerTest();
388
389 int error = 0;
390
391 error += nact.runTest(false, false);
392
393 error += nact.runTest(true, false);
394
395 error += nact.runTest(true, true);
396
397 if (error > 0) {
398 final String msg = "\nTest FAILED! Got " + error + " error(s)";
399 System.out.println(msg);
400 throw new IllegalArgumentException(msg);
401 } else {
402 System.out.println("\nTest PASSED!");
403 }
404 }
405 }