academy/mq-container
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Enable only app user to do REST messaging

Browse Source
This commit is contained in:
Arthur Barr
2018-08-07 14:19:46 +01:00
parent 739a01a83d
commit bbbd305654
5 changed files with 40 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
cmd/runmqserver/webserver.go
View File

@@ -21,7 +21,9 @@ import (
"fmt"
"io"
"os"
"os/exec"
"path/filepath"
"syscall"
"github.com/ibm-messaging/mq-container/internal/command"
)
@@ -33,7 +35,22 @@ func startWebServer() error {
return nil
}
log.Println("Starting web server")
out, rc, err := command.RunAsMQM("strmqweb")
cmd := exec.Command("strmqweb")
// Set a default app password for the web server, if one isn't already set
_, set := os.LookupEnv("MQ_APP_PASSWORD")
log.Println(cmd.Env)
if !set {
// Take all current environment variables, and add the app password
cmd.Env = append(os.Environ(), "MQ_APP_PASSWORD=passw0rd")
}
log.Println(cmd.Env)
cmd.SysProcAttr = &syscall.SysProcAttr{}
uid, gid, err := command.LookupMQM()
if err != nil {
return err
}
cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)}
out, rc, err := command.RunCmd(cmd)
if err != nil {
log.Printf("Error %v starting web server: %v", rc, string(out))
return err

4
incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml
View File

@@ -23,13 +23,15 @@
</enterpriseApplication>
<basicRegistry id="basic" realm="defaultRealm">
<user name="admin" password="${env.MQ_ADMIN_PASSWORD}"/>
<!-- The app user will always get a default password of "passw0rd",
even if you don't set the environment variable.
See `webserver.go` -->
<user name="app" password="${env.MQ_APP_PASSWORD}"/>
<group name="MQWebUI">
<member name="admin"/>
</group>
<group name="MQWebMessaging">
<member name="app"/>
<member name="admin"/>
</group>
</basicRegistry>
<variable name="httpHost" value="*"/>

24
test/docker/devconfig_test.go
View File

@@ -50,15 +50,14 @@ func TestDevGoldenPath(t *testing.T) {
waitForWebReady(t, cli, id, insecureTLSConfig)
t.Run("JMS", func(t *testing.T) {
// Run the JMS tests, with no password specified
runJMSTests(t, cli, id, false, "app", "")
runJMSTests(t, cli, id, false, "app", defaultAppPasswordOS)
})
t.Run("REST admin", func(t *testing.T) {
testRESTAdmin(t, cli, id, insecureTLSConfig)
})
t.Run("REST messaging as admin", func(t *testing.T) {
testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "admin", devAdminPassword)
t.Run("REST messaging", func(t *testing.T) {
testRESTMessaging(t, cli, id, insecureTLSConfig, qm, "app", defaultAppPasswordWeb)
})
// Can't run the messaging tests as "app" with the defaults, because you can't have an empty password
// Stop the container cleanly
stopContainer(t, cli, id)
}
@@ -73,11 +72,12 @@ func TestDevSecure(t *testing.T) {
}
const tlsPassPhrase string = "passw0rd"
qm := "qm1"
appPassword := "differentPassw0rd"
containerConfig := container.Config{
Env: []string{
"LICENSE=accept",
"MQ_QMGR_NAME=", qm,
"MQ_APP_PASSWORD=" + devAppPassword,
"MQ_QMGR_NAME=" + qm,
"MQ_APP_PASSWORD=" + appPassword,
"MQ_TLS_KEYSTORE=/var/tls/server.p12",
"MQ_TLS_PASSPHRASE=" + tlsPassPhrase,
"DEBUG=1",
@@ -111,17 +111,13 @@ func TestDevSecure(t *testing.T) {
waitForWebReady(t, cli, ctr.ID, createTLSConfig(t, cert, tlsPassPhrase))
t.Run("JMS", func(t *testing.T) {
// Run the JMS tests, with no password specified
runJMSTests(t, cli, ctr.ID, true, "app", devAppPassword)
runJMSTests(t, cli, ctr.ID, true, "app", appPassword)
})
t.Run("REST admin", func(t *testing.T) {
testRESTAdmin(t, cli, ctr.ID, insecureTLSConfig)
})
t.Run("REST messaging as admin", func(t *testing.T) {
testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "admin", devAdminPassword)
})
t.Run("REST messaging as app", func(t *testing.T) {
testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", devAppPassword)
t.Run("REST messaging", func(t *testing.T) {
testRESTMessaging(t, cli, ctr.ID, insecureTLSConfig, qm, "app", appPassword)
})
// Stop the container cleanly
@@ -152,7 +148,7 @@ func TestDevWebDisabled(t *testing.T) {
})
t.Run("JMS", func(t *testing.T) {
// Run the JMS tests, with no password specified
runJMSTests(t, cli, id, false, "app", "")
runJMSTests(t, cli, id, false, "app", defaultAppPasswordOS)
})
// Stop the container cleanly
stopContainer(t, cli, id)

9
test/docker/devconfig_test_util.go
View File

@@ -36,8 +36,9 @@ import (
"github.com/docker/docker/client"
)
const devAdminPassword string = "passw0rd"
const devAppPassword string = "passw0rd"
const defaultAdminPassword string = "passw0rd"
const defaultAppPasswordOS string = ""
const defaultAppPasswordWeb string = "passw0rd"
// Disable TLS verification (server uses a self-signed certificate by default,
// so verification isn't useful anyway)
@@ -60,7 +61,7 @@ func waitForWebReady(t *testing.T, cli *client.Client, ID string, tlsConfig *tls
select {
case <-time.After(1 * time.Second):
req, err := http.NewRequest("GET", url, nil)
req.SetBasicAuth("admin", devAdminPassword)
req.SetBasicAuth("admin", defaultAdminPassword)
resp, err := httpClient.Do(req.WithContext(ctx))
if err == nil && resp.StatusCode == http.StatusOK {
t.Log("MQ web server is ready")
@@ -151,7 +152,7 @@ func testRESTAdmin(t *testing.T, cli *client.Client, ID string, tlsConfig *tls.C
}
url := fmt.Sprintf("https://localhost:%s/ibmmq/rest/v1/admin/installation", getPort(t, cli, ID, 9443))
req, err := http.NewRequest("GET", url, nil)
req.SetBasicAuth("admin", devAdminPassword)
req.SetBasicAuth("admin", defaultAdminPassword)
resp, err := httpClient.Do(req)
if err != nil {
t.Fatal(err)

4
test/messaging/src/main/java/com/ibm/mqcontainer/test/JMSTests.java
View File

@@ -73,6 +73,10 @@ class JMSTests {
factory.setTransportType(WMQConstants.WMQ_CM_CLIENT);
factory.setChannel(channel);
factory.setConnectionNameList(String.format("%s(1414)", addr));
// If a password is set, make sure it gets sent to the queue manager for authentication
if (password != null) {
factory.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
}
// factory.setClientReconnectOptions(WMQConstants.WMQ_CLIENT_RECONNECT);
if (TRUSTSTORE == null) {
LOGGER.info("Not using TLS");