ActiveMQ Artemis / ARTEMIS-2431

[AMQP] Broker does not send security errors for unauthorized anonymous sasl with pipelined open


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.9.0
    • Fix Version/s: 2.29.0
    • Component/s: AMQP
    • Labels: None

    Description

      If a client sends open, begin and attach frames all at once, then the issue ARTEMIS-2344 still manifests itself. Sending the initial frames all at once is known as the pipelined open (http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-transport-v1.0-os.html#doc-idp157520), and one client that does this is qpid-proton-cpp.

      $ PN_TRACE_FRM=1 ./target/bin/aac3_sender -b "localhost:34949/examples" --log-msgs dict -c 1
      [0x9ea9d0]:  -> SASL
      [0x9ea9d0]:  <- SASL
      [0x9ea9d0]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:PLAIN, :ANONYMOUS]]
      [0x9ea9d0]:0 -> @sasl-init(65) [mechanism=:ANONYMOUS, initial-response=b"anonymous@nixos"]
      [0x9ea9d0]:0 <- @sasl-outcome(68) [code=0]
      [0x9ea9d0]:  -> AMQP
      [0x9ea9d0]:0 -> @open(16) [container-id="204c1d45-9c47-402d-809f-7d17a4d97d6e", hostname="localhost", channel-max=32767]
      [0x9ea9d0]:0 -> @begin(17) [next-outgoing-id=0, incoming-window=2147483647, outgoing-window=2147483647]
      [0x9ea9d0]:0 -> @attach(18) [name="2b46ad5b-834b-454e-a2f7-2e5e0e324e21", handle=0, role=false, snd-settle-mode=2, rcv-settle-mode=0, source=@source(40) [durable=0, timeout=0, dynamic=false], target=@target(41) [address="examples", durable=0, timeout=0, dynamic=false], initial-delivery-count=0, max-message-size=0]
      [0x9ea9d0]:  <- AMQP
      [0x9ea9d0]:0 <- @open(16) [container-id="localhost", max-frame-size=131072, channel-max=65535, idle-time-out=30000, offered-capabilities=@PN_SYMBOL[:"sole-connection-for-container", :"DELAYED_DELIVERY", :"SHARED-SUBS", :"ANONYMOUS-RELAY"], properties={:product="apache-activemq-artemis", :version="2.9.0"}]
      [0x9ea9d0]:0 <- @close(24) [error=@error(29) [condition=:"amqp:internal-error", description="Unrecoverable error: NullPointerException"]]
      [0x9ea9d0]:  <- EOS
      [error]: Failed to connect to localhost:34949
      [0x9ea9d0]:0 -> @close(24) []
      [0x9ea9d0]:  -> EOS
      

      The broker side then looks like this:

      DEBUG - -Dio.netty.recycler.maxCapacityPerThread: 4096
      DEBUG - -Dio.netty.recycler.maxSharedCapacityFactor: 2
      DEBUG - -Dio.netty.recycler.linkCapacity: 16
      DEBUG - -Dio.netty.recycler.ratio: 8
      DEBUG - onSaslInit: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
      DEBUG - saslComplete: SaslImpl [_outcome=PN_SASL_NONE, state=PN_SASL_STEP, done=false, role=SERVER]
      DEBUG - using hardware address 2:42:ffffffbb:ffffffa4:4d:-110
      INFO - AMQ601267: User anonymous is creating a core session on target resource ActiveMQServerImpl::serverUUID=85b3269d-8773-11e9-8808-c0b6f9980288 [with parameters: [dbdce52b-ae0f-11e9-8b93-0242bba44d92, null, ****, 102400, org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection@26c5379b, false, false, false, true, null, org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback@673826ee, true, OperationContextImpl [834445691] [minimalStore=9223372036854775807, storeLineUp=0, stored=0, minimalReplicated=9223372036854775807, replicationLineUp=0, replicated=0, paged=0, minimalPage=9223372036854775807, pageLineUp=0, errorCode=-1, errorMessage=null, executorsPending=0, executor=OrderedExecutor(tasks=[])], {}]]
      DEBUG - Couldn't validate user
      javax.security.auth.login.LoginException: Invalid null input: name
      	at javax.security.auth.login.LoginContext.init(LoginContext.java:238)
      	at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)
      	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190)
      	at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99)
      	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137)
      	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
      	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
      	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
      	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
      	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
      	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
      DEBUG - Couldn't find any bindings for address=activemq.notifications on message=CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860
      DEBUG - Message CoreMessage[messageID=10737418300,durable=true,userID=null,priority=0, timestamp=0,expiration=0, durable=true, address=activemq.notifications,size=411,properties=TypedProperties[_AMQ_User=NULL-value,_AMQ_RemoteAddress=/127.0.0.1:42740,_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_CertSubjectDN=unavailable,_AMQ_NotifTimestamp=1563971874800]]@762983860 is not going anywhere as it didn't have a binding on address:activemq.notifications
      WARN - AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
      WARN - AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable
      ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from /127.0.0.1:42740. Username: null; SSL certificate subject DN: unavailable]
      	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:162)
      	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1519)
      	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.init(AMQPSessionCallback.java:181)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.initialise(AMQPSessionContext.java:72)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:460)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:50)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
      	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
      	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
      	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
      	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
      WARN - null
      java.lang.NullPointerException
      	at org.apache.activemq.artemis.protocol.amqp.broker.AMQPSessionCallback.getAddress(AMQPSessionCallback.java:679)
      	at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.getRoutingType(ProtonServerReceiverContext.java:247)
      	at org.apache.activemq.artemis.protocol.amqp.proton.ProtonServerReceiverContext.initialise(ProtonServerReceiverContext.java:172)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPSessionContext.addReceiver(AMQPSessionContext.java:201)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.remoteLinkOpened(AMQPConnectionContext.java:251)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.onRemoteOpen(AMQPConnectionContext.java:481)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.Events.dispatch(Events.java:68)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.dispatch(ProtonHandler.java:485)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.flush(ProtonHandler.java:285)
      	at org.apache.activemq.artemis.protocol.amqp.proton.handler.ProtonHandler.inputBuffer(ProtonHandler.java:242)
      	at org.apache.activemq.artemis.protocol.amqp.proton.AMQPConnectionContext.inputBuffer(AMQPConnectionContext.java:170)
      	at org.apache.activemq.artemis.protocol.amqp.broker.ActiveMQProtonRemotingConnection.bufferReceived(ActiveMQProtonRemotingConnection.java:149)
      	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:649)
      	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352)
      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374)
      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360)
      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930)
      	at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796)
      	at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:432)
      	at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:333)
      	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:906)
      	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
      	at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
      DEBUG - RemotingServiceImpl::removing connection ID 4d86c1cb
      

      The NullPointerException happens when the broker is acting on the Attach frame. This is wrong, because at this point we know the client has not authenticated, and any subsequent communication should be ignored.

      Furthermore, the broker authenticates the client on the initial SASL exchange, and only throws the auth error on processing the Begin frame. Is that correct? Shouldn't the broker fail the initial SASL exchange? (Assuming the broker is configured as in the test org.apache.activemq.artemis.tests.integration.amqp.JMSConnectionWithSecurityTest#testNoUserOrPasswordWithoutSaslRestrictions.) And should the broker advertise SASL ANONYMOUS?

      Failing test for this is attached in a PR.
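
The failure mode described in this report, as a simplified model added here (not Artemis code and not part of the original issue): a handler that only logs the authentication failure raised while processing begin goes on to dispatch the pipelined attach against a session that was never created, while a fail-closed handler closes the connection and drops the remaining frames. The `Connection` class, the `fail_closed` flag and the user set are hypothetical, and `amqp:unauthorized-access` as the condition a fixed broker returns is an assumption.

```python
"""Simplified model of a broker dispatching a pipelined AMQP open (constructed)."""

UNAUTHORIZED = "amqp:unauthorized-access"   # standard AMQP 1.0 error condition
INTERNAL = "amqp:internal-error"            # what the client in the trace received

# Constructed input: the three frames the client in the trace sends in one write.
PIPELINED = [("open", {}), ("begin", {}), ("attach", {"address": "examples"})]


class Connection:
    def __init__(self, user, known_users, fail_closed):
        self.user = user                  # None models the anonymous client
        self.known_users = known_users
        self.fail_closed = fail_closed    # hardened behaviour when True
        self.session = None               # set only after authentication succeeds
        self.closed_with = None
        self.handled = []

    def _begin(self):
        # Authentication is deferred to session creation, as in the report.
        if self.user not in self.known_users:
            raise PermissionError("unable to validate user")
        self.session = {"links": []}

    def _attach(self, body):
        # With no session this raises TypeError, the model's NullPointerException.
        self.session["links"].append(body["address"])

    def dispatch(self, frames):
        for name, body in frames:
            if self.closed_with:
                break                     # drop everything after a close
            self.handled.append(name)
            try:
                if name == "begin":
                    self._begin()
                elif name == "attach":
                    self._attach(body)
            except PermissionError:
                # Fail-open: the error is only logged and dispatch continues.
                if self.fail_closed:
                    self.closed_with = UNAUTHORIZED
            except TypeError:
                self.closed_with = INTERNAL
        return self.closed_with


def run(fail_closed, user=None):
    conn = Connection(user, known_users={"alice"}, fail_closed=fail_closed)
    return conn.dispatch(PIPELINED), conn.handled
```
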


            People

              Assignee: Timothy A. Bish (tabish)
              Reporter: Jiri Daněk (jdanek)

                Time Tracking

                  Original Estimate: Not Specified
                  Remaining Estimate: 0h
                  Time Spent: 1h