Enable Jolokia Camel restrictor allowed MBean domains to be configurable

Fixes #7051
apache · Feb 25, 2025 · db2e7ac · db2e7ac
1 parent 5419dfe
commit db2e7ac
Show file tree

Hide file tree

Showing 6 changed files with 148 additions and 7 deletions.
diff --git a/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc b/docs/modules/ROOT/pages/reference/extensions/jolokia.adoc
@@ -84,10 +84,20 @@ By default, a Jolokia restrictor is automatically registered that exposes access
 * `java.lang`
 * `java.nio`
 
-If this is too restrictive, then you can either disable the default restrictor, or create your own custom restrictor.
+If this is too restrictive, then you can either specify your own MBean domains, disable the default restrictor, or create a custom restrictor.
 
-[id="extensions-jolokia-usage-disable-the-default-restrictor"]
-==== Disable the default restrictor
+[id="extensions-jolokia-usage-default-restrictor-mbean-domains"]
+==== Default restrictor MBean domains
+
+You can modify the set of MBean domains referenced by the default restrictor by adding configuration like the following to `application.properties`.
+
+[source]
+----
+quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains=org.apache.camel
+----
+
+[id="extensions-jolokia-usage-disabling-the-default-restrictor"]
+==== Disabling the default restrictor
 
 The following configuration added to `application.properties` disables the default restrictor.
 
@@ -182,6 +192,12 @@ have quarkus-vertx-http on the application classpath.
 | `boolean`
 | `true`
 
+|icon:lock[title=Fixed at build time] [[quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains]]`link:#quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains[quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains]`
+
+Comma separated list of allowed MBean domains used by CamelJolokiaRestrictor.
+| List of `string`
+| `org.apache.camel,java.lang,java.nio`
+
 |icon:lock[title=Fixed at build time] [[quarkus.camel.jolokia.kubernetes.expose-container-port]]`link:#quarkus.camel.jolokia.kubernetes.expose-container-port[quarkus.camel.jolokia.kubernetes.expose-container-port]`
 
 When {@code true} and the quarkus-kubernetes extension is present, a container port named jolokia will

diff --git a/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc b/extensions-jvm/jolokia/runtime/src/main/doc/usage.adoc
@@ -44,9 +44,18 @@ By default, a Jolokia restrictor is automatically registered that exposes access
 * `java.lang`
 * `java.nio`
 
-If this is too restrictive, then you can either disable the default restrictor, or create your own custom restrictor.
+If this is too restrictive, then you can either specify your own MBean domains, disable the default restrictor, or create a custom restrictor.
 
-==== Disable the default restrictor
+==== Default restrictor MBean domains
+
+You can modify the set of MBean domains referenced by the default restrictor by adding configuration like the following to `application.properties`.
+
+[source]
+----
+quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains=org.apache.camel
+----
+
+==== Disabling the default restrictor
 
 The following configuration added to `application.properties` disables the default restrictor.
 

diff --git a/...runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java b/...runtime/src/main/java/org/apache/camel/quarkus/jolokia/config/JolokiaBuildTimeConfig.java
@@ -16,6 +16,8 @@
  */
 package org.apache.camel.quarkus.jolokia.config;
 
+import java.util.Set;
+
 import io.quarkus.runtime.annotations.ConfigPhase;
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
@@ -47,6 +49,12 @@ public interface JolokiaBuildTimeConfig {
     @WithDefault("true")
     boolean registerManagementEndpoint();
 
+    /**
+     * Comma separated list of allowed MBean domains used by CamelJolokiaRestrictor.
+     */
+    @WithDefault("org.apache.camel,java.lang,java.nio")
+    Set<String> camelRestrictorAllowedMbeanDomains();
+
     /**
      * Jolokia Kubernetes build time configuration.
      */

diff --git a/...ime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java b/...ime/src/main/java/org/apache/camel/quarkus/jolokia/restrictor/CamelJolokiaRestrictor.java
@@ -16,14 +16,20 @@
  */
 package org.apache.camel.quarkus.jolokia.restrictor;
 
-import java.util.List;
+import java.util.Set;
 
 import javax.management.ObjectName;
 
+import io.smallrye.config.SmallRyeConfig;
+import org.apache.camel.quarkus.jolokia.config.JolokiaBuildTimeConfig;
+import org.eclipse.microprofile.config.ConfigProvider;
 import org.jolokia.server.core.restrictor.AllowAllRestrictor;
 
 public final class CamelJolokiaRestrictor extends AllowAllRestrictor {
-    private static final List<String> ALLOWED_DOMAINS = List.of("org.apache.camel", "java.lang", "java.nio");
+    private static final Set<String> ALLOWED_DOMAINS = ConfigProvider.getConfig()
+            .unwrap(SmallRyeConfig.class)
+            .getConfigMapping(JolokiaBuildTimeConfig.class)
+            .camelRestrictorAllowedMbeanDomains();
 
     @Override
     public boolean isAttributeReadAllowed(ObjectName objectName, String attribute) {

diff --git a/...ava/org/apache/camel/quarkus/component/jolokia/it/JolokiaCustomRestrictorDomainsTest.java b/...ava/org/apache/camel/quarkus/component/jolokia/it/JolokiaCustomRestrictorDomainsTest.java
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.quarkus.component.jolokia.it;
+
+import java.util.Map;
+
+import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.QuarkusTestProfile;
+import io.quarkus.test.junit.TestProfile;
+import io.restassured.RestAssured;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.Matchers.equalTo;
+
+@TestProfile(JolokiaCustomRestrictorDomainsTest.JolokiaAdditionalPropertiesProfile.class)
+@QuarkusTest
+class JolokiaCustomRestrictorDomainsTest {
+    @BeforeEach
+    public void beforeEach() {
+        RestAssured.port = 8778;
+    }
+
+    @Test
+    void customMBeanAllowDomains() {
+        // Verify org.apache.camel domain allowed
+        RestAssured.given()
+                .get("/jolokia/read/org.apache.camel:context=camel-1,type=context,name=\"camel-1\"/CamelId")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(200),
+                        "value", equalTo("camel-1"));
+
+        // Verify java.lang domain disallowed
+        RestAssured.given()
+                .get("/jolokia/read/java.lang:type=ClassLoading/LoadedClassCount")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(403));
+
+        // Verify java.nio domain disallowed
+        RestAssured.given()
+                .get("/jolokia/read/java.nio:type=BufferPool,name=direct/MemoryUsed")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(403));
+    }
+
+    public static final class JolokiaAdditionalPropertiesProfile implements QuarkusTestProfile {
+        @Override
+        public Map<String, String> getConfigOverrides() {
+            return Map.of("quarkus.camel.jolokia.camel-restrictor-allowed-mbean-domains", "org.apache.camel");
+        }
+    }
+}
diff --git a/...-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java b/...-jvm/jolokia/src/test/java/org/apache/camel/quarkus/component/jolokia/it/JolokiaTest.java
@@ -25,6 +25,7 @@
 import org.junit.jupiter.api.Test;
 
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 
 @QuarkusTest
 class JolokiaTest {
@@ -64,4 +65,33 @@ void sendMessage() {
                 .statusCode(200)
                 .body(equalTo("Hello World"));
     }
+
+    @Test
+    void additionalAllowedDefaultMBeanDomains() {
+        // Verify java.lang domain
+        RestAssured.given()
+                .get("/jolokia/read/java.lang:type=ClassLoading/LoadedClassCount")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(200),
+                        "value", greaterThanOrEqualTo(0));
+
+        // Verify java.nio domain
+        RestAssured.given()
+                .get("/jolokia/read/java.nio:type=BufferPool,name=direct/MemoryUsed")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(200),
+                        "value", greaterThanOrEqualTo(0));
+
+        // Disallowed domain
+        RestAssured.given()
+                .get("/jolokia/read/java.util.logging:type=Logging/LoggerNames")
+                .then()
+                .statusCode(200)
+                .body(
+                        "status", equalTo(403));
+    }
 }