Posted to commits@qpid.apache.org by gm...@apache.org on 2018/04/04 17:56:49 UTC

qpid-dispatch git commit: DISPATCH-918 - Deprecated some attributes of the authServicePlugin entity and introduced replacements with clearer names. Also deprecated password of sslProfile attribute

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master f36c90335 -> 7237d6930


DISPATCH-918 - Deprecated some attributes of the authServicePlugin entity and introduced replacements with clearer names. Also deprecated the password attribute of the sslProfile entity.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/7237d693
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/7237d693
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/7237d693

Branch: refs/heads/master
Commit: 7237d693072a366868469f85a96bdce3f47d76a5
Parents: f36c903
Author: Ganesh Murthy <gm...@redhat.com>
Authored: Wed Apr 4 13:56:35 2018 -0400
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Wed Apr 4 13:56:35 2018 -0400

----------------------------------------------------------------------
 python/qpid_dispatch/management/qdrouter.json   | 28 ++++++++++---
 .../qpid_dispatch_internal/management/schema.py | 39 +++++++++++--------
 src/connection_manager.c                        | 33 ++++++++++++++--
 src/dispatch.c                                  |  3 +-
 src/dispatch_private.h                          |  1 -
 tests/system_test.py                            |  2 +-
 tests/system_tests_auth_service_plugin.py       | 41 +++++++++++++++++++-
 tests/system_tests_authz_service_plugin.py      | 31 ++++++++++++++-
 8 files changed, 147 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 9b801c7..82aa806 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -631,13 +631,14 @@
                 },
                 "passwordFile": {
                     "type": "path",
-                    "description": "If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key.",
+                    "description": "If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key. This file should be permission protected to limit access",
                     "create": true
 
                 },
                 "password": {
                     "type": "string",
-                    "description": "An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file.  This takes precedence over the passwordFile if both are specified.",
+                    "description": "(DEPRECATED) An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file.  This takes precedence over the passwordFile if both are specified. This attribute has been deprecated because it is unsafe to store plain text passwords in config files. Use the passwordFile instead",
+                    "deprecated": true,
                     "create": true
 
                 },
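Review bot: Deprecating `password` does not stop the plaintext value from being carried around once it is in the configuration; since the schema already has a `hidden` attribute flag (schema.py passes `hidden=value.hidden` through), consider adding `"hidden": true` on `password` as well, if that flag suppresses the value in management query responses — worth confirming what `hidden` actually controls before relying on it. The new sentence on `passwordFile` ("should be permission protected") is advice only; the router could enforce it at load time by refusing or warning on a world-readable file, the way ssh treats key files, but that belongs in the C reader rather than the schema text. A small wording fix for the `password` description: "Use the passwordFile instead" reads better as `Use passwordFile instead.`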
@@ -663,20 +664,35 @@
             "attributes": {
                 "authService": {
                     "type": "string",
-                    "description": "Address of a service to delegate authentication to.",
-                    "required": true,
+                    "description": "(DEPRECATED) Address of a service to delegate authentication to. This attribute has been deprecated. Use the host and port attributes instead.",
+                    "deprecated": true,
                     "create": true
                 },
-                "saslInitHostname": {
+                "host": {
+                    "description":"A host name, IPV4 or IPV6 literal, of the service to delegate to.",
+                    "type": "string",
+                    "default": "",
+                    "create": true
+                },
+                "port": {
+                    "description": "Port number of the service delegated host.",
+                    "type": "string",
+                    "default": "amqp",
+                    "create": true
+
+                },                
+                "hostname": {
                     "type": "string",
                     "description": "Value to set for hostname field on sasl-init",
                     "required": false,
+                    "deprecationName": "saslInitHostname",
                     "create": true
                 },
-                "authSslProfile": {
+                "sslProfile": {
                     "type": "string",
                     "required": false,
                     "description": "Name of the sslProfile to use for the authentication service.",
+                    "deprecationName": "authSslProfile",
                     "create": true
                 }
             }
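Review bot: With `required: true` dropped from `authService` and `host` defaulting to `""`, the schema no longer guarantees that an `authServicePlugin` names any target at all: an entity with neither `host` nor `authService` now validates, and the C side (connection_manager.c in this commit) then leaves `auth_service` unset. Unless the schema supports a cross-attribute "one of" constraint, the description of `host` should say explicitly that `host` is required when `authService` is not given, e.g. `"Host name, IPv4 or IPv6 literal of the service to delegate to. Required unless the deprecated authService attribute is set."`. The `host` description also promises IPv6 literals, which only holds if the code that joins `host` and `port` brackets them (see the connection_manager.c note). Both deprecated descriptions here already start with "(DEPRECATED) ", while schema.py prepends the same prefix when it builds the deprecated attribute type, so one of the two should drop it.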

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/python/qpid_dispatch_internal/management/schema.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/management/schema.py b/python/qpid_dispatch_internal/management/schema.py
index d1ca2b9..7427851 100644
--- a/python/qpid_dispatch_internal/management/schema.py
+++ b/python/qpid_dispatch_internal/management/schema.py
@@ -324,21 +324,28 @@ class EntityType(object):
 
             self.deprecated_attributes = OrderedDict()
             for key, value in self.attributes.items():
-                if value.deprecation_name:
-                    self.deprecated_attributes[value.deprecation_name] = AttributeType(value.deprecation_name,
-                                                                                       type=value.type, defined_in=self,
-                                                                                       default=value.default,
-                                                                                       required=value.required,
-                                                                                       unique=value.unique,
-                                                                                       hidden=value.hidden,
-                                                                                       deprecated=True,
-                                                                                       deprecationName=None,
-                                                                                       value=value.value,
-                                                                                       description="(DEPRECATED) " + value.description,
-                                                                                       create=value.create,
-                                                                                       update=value.update,
-                                                                                       graph=value.graph)
+                if value.deprecation_name or value.deprecated:
+                    attr_type = AttributeType(value.deprecation_name or key,
+                                              type=value.type,
+                                              defined_in=self,
+                                              default=value.default,
+                                              required=value.required,
+                                              unique=value.unique,
+                                              hidden=value.hidden,
+                                              deprecated=True,
+                                              deprecationName=None,
+                                              value=value.value,
+                                              description="(DEPRECATED) " + value.description,
+                                              create=value.create,
+                                              update=value.update,
+                                              graph=value.graph)
+                    if value.deprecation_name:
+                        self.deprecated_attributes[value.deprecation_name] = attr_type
+                    else:
+                        self.deprecated_attributes[key] = attr_type
+
             self.operations = operations or []
+
             # Bases are resolved in self.init()
             self.base = extends
             self.all_bases = []
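Review bot: For an attribute flagged `deprecated: true` without a `deprecationName` (the new `password` and `authService` cases) the generated description becomes `"(DEPRECATED) (DEPRECATED) ..."`, because the JSON descriptions for both already carry that prefix; guard it with `description=value.description if value.description.startswith("(DEPRECATED)") else "(DEPRECATED) " + value.description`. That branch also registers the same name in both `self.attributes` and `self.deprecated_attributes`, and as far as this diff shows the validation loop in the next hunk only logs a warning when `attr.deprecation_name` is set, so a `deprecated`-only attribute gets no schema-level deprecation warning — the router relies on the C reader logging it instead; if that is intended, a comment saying so here would save the next reader the search. The `if/else` at the end collapses to `self.deprecated_attributes[value.deprecation_name or key] = attr_type`, which is already the expression used for the first argument. The enclosing `__init__` starts before this hunk.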
@@ -418,7 +425,7 @@ class EntityType(object):
                     deprecation_name = attr.deprecation_name
                     if deprecation_name:
                         value = attributes.get(deprecation_name)
-                        if not value is None:
+                        if value is not None:
                             if logger_available:
                                 self.log(LOG_WARNING, "Attribute '%s' of entity '%s' has been deprecated."
                                                       " Use '%s' instead"%(deprecation_name, self.short_name, attr.name))
@@ -447,7 +454,7 @@ class EntityType(object):
                     value = self.schema.long_name(value)
                 attributes[name] = self.attribute(name).validate(value)
         except ValidationError, e:
-            raise  ValidationError, "%s: %s"%(self, e), sys.exc_info()[2]
+            raise ValidationError, "%s: %s"%(self, e), sys.exc_info()[2]
 
         return attributes
 

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/src/connection_manager.c
----------------------------------------------------------------------
diff --git a/src/connection_manager.c b/src/connection_manager.c
index 3aa1913..4ce145d 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -513,6 +513,11 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd
     ssl_profile->ssl_private_key_file       = qd_entity_opt_string(entity, "privateKeyFile", 0); CHECK();
     ssl_profile->ssl_password               = qd_entity_opt_string(entity, "password", 0); CHECK();
 
+    if (ssl_profile->ssl_password) {
+        qd_log(cm->log_source, QD_LOG_WARNING, "Attribute password of entity sslProfile has been deprecated. Use passwordFile instead.");
+    }
+
+
     if (!ssl_profile->ssl_password) {
         // SSL password not provided. Check if passwordFile property is specified.
         char *password_file = qd_entity_opt_string(entity, "passwordFile", 0); CHECK();
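Review bot: The new warning condition is the exact negation of the `if (!ssl_profile->ssl_password)` that follows, so the two read more clearly as one `if/else`, and the warning should mention the precedence the schema documents, since a profile that sets both attributes will silently keep using the plaintext value: `"Attribute password of entity sslProfile has been deprecated and overrides passwordFile; use passwordFile instead."`. The surrounding function starts before and ends after this hunk, so whether the password is also written to any debug output elsewhere is not visible here.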
@@ -573,9 +578,31 @@ qd_config_sasl_plugin_t *qd_dispatch_configure_sasl_plugin(qd_dispatch_t *qd, qd
     DEQ_ITEM_INIT(sasl_plugin);
     DEQ_INSERT_TAIL(cm->config_sasl_plugins, sasl_plugin);
     sasl_plugin->name                       = qd_entity_opt_string(entity, "name", 0); CHECK();
-    sasl_plugin->auth_service               = qd_entity_opt_string(entity, "authService", 0); CHECK();
-    sasl_plugin->sasl_init_hostname         = qd_entity_opt_string(entity, "saslInitHostname", 0); CHECK();
-    sasl_plugin->auth_ssl_profile           = qd_entity_opt_string(entity, "authSslProfile", 0); CHECK();
+
+    char *auth_host = qd_entity_opt_string(entity, "host", 0);
+    char *auth_port = qd_entity_opt_string(entity, "port", 0);
+
+    if (auth_host && auth_port) {
+        int strlen_auth_host = strlen(auth_host);
+        int strlen_auth_port = strlen(auth_port);
+
+        if (strlen_auth_host > 0 && strlen_auth_port > 0) {
+
+            int hplen = strlen(auth_host) + strlen(auth_port) + 2;
+            if (hplen > 2) {
+                sasl_plugin->auth_service = malloc(hplen);
+                snprintf(sasl_plugin->auth_service, hplen, "%s:%s", auth_host, auth_port);
+            }
+        }
+    }
+
+    if (!sasl_plugin->auth_service) {
+        sasl_plugin->auth_service               = qd_entity_opt_string(entity, "authService", 0); CHECK();
+        qd_log(cm->log_source, QD_LOG_WARNING, "Attribute authService of entity authServicePlugin has been deprecated. Use host and port instead.");
+    }
+
+    sasl_plugin->sasl_init_hostname         = qd_entity_opt_string(entity, "hostname", 0); CHECK();
+    sasl_plugin->auth_ssl_profile           = qd_entity_opt_string(entity, "sslProfile", 0); CHECK();
 
     qd_log(cm->log_source, QD_LOG_INFO, "Created SASL plugin config with name %s", sasl_plugin->name);
     return sasl_plugin;
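Review bot: The deprecation warning is logged unconditionally whenever `host`/`port` did not produce an address, so a plugin with neither `host` nor `authService` configured gets a misleading "authService is deprecated" message instead of an error, and `auth_service` is left NULL for the SASL code to trip over later. The two `qd_entity_opt_string` reads for `host` and `port` are also the only ones in this function without `CHECK()`, and their results are never freed even though the caller owns them (dispatch.c frees its `dump_file` from the same call); if `CHECK()` returns early, the frees need to come before it or the strings leak on that path too. Finally, the schema says `host` may be an IPv6 literal, but `"%s:%s"` turns `::1` into `::1:5672`, which is ambiguous to any host:port parser; bracket it, assuming the consumer of `auth_service` accepts `[addr]:port` — if it does not, keeping host and port as separate fields on `sasl_plugin` is the safer fix. The `malloc` result is also used without a NULL check, and `hplen > 2` is always true once both lengths are positive. The enclosing function starts before this hunk.
```c
    char *auth_host = qd_entity_opt_string(entity, "host", 0); CHECK();
    char *auth_port = qd_entity_opt_string(entity, "port", 0); CHECK();

    if (auth_host && auth_port && *auth_host && *auth_port) {
        /* Bracket IPv6 literals so "addr:port" is not read as one more address group. */
        int    is_v6 = strchr(auth_host, ':') != 0;
        size_t hplen = strlen(auth_host) + strlen(auth_port) + (is_v6 ? 4 : 2);
        sasl_plugin->auth_service = malloc(hplen);
        if (sasl_plugin->auth_service)
            snprintf(sasl_plugin->auth_service, hplen, is_v6 ? "[%s]:%s" : "%s:%s", auth_host, auth_port);
    }
    free(auth_host);
    free(auth_port);

    if (!sasl_plugin->auth_service) {
        sasl_plugin->auth_service = qd_entity_opt_string(entity, "authService", 0); CHECK();
        if (sasl_plugin->auth_service)
            qd_log(cm->log_source, QD_LOG_WARNING, "Attribute authService of entity authServicePlugin has been deprecated. Use host and port instead.");
        else
            qd_log(cm->log_source, QD_LOG_ERROR, "authServicePlugin %s: neither host/port nor authService is configured", sasl_plugin->name);
    }
    /* … unchanged: hostname and sslProfile reads, info log, return … */
```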

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/src/dispatch.c
----------------------------------------------------------------------
diff --git a/src/dispatch.c b/src/dispatch.c
index 622bb79..840fd29 100644
--- a/src/dispatch.c
+++ b/src/dispatch.c
@@ -192,9 +192,8 @@ qd_error_t qd_dispatch_configure_router(qd_dispatch_t *qd, qd_entity_t *entity)
     if (! qd->sasl_config_name) {
         qd->sasl_config_name = qd_entity_opt_string(entity, "saslConfigName", "qdrouterd"); QD_ERROR_RET();
     }
-    qd->auth_service = qd_entity_opt_string(entity, "authService", 0); QD_ERROR_RET();
 
-    char *dump_file = qd_entity_opt_string(entity, "debugDump", 0); QD_ERROR_RET();
+    char *dump_file = qd_entity_opt_string(entity, "debugDumpFile", 0); QD_ERROR_RET();
     if (dump_file) {
         qd_alloc_debug_dump(dump_file); QD_ERROR_RET();
         free(dump_file);
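Review bot: The `debugDump` → `debugDumpFile` rename is unrelated to DISPATCH-918 and is not mentioned in the commit message, and this diff shows no corresponding change to the `router` entity in qdrouter.json; if the schema still only knows `debugDump`, this lookup returns NULL and the allocation dump is silently never written, so the schema side should be confirmed or the rename called out in the message. Likewise, dropping `qd->auth_service` removes the reader for a `router`-level `authService` attribute, but no schema removal for it appears here either — if the attribute remains, configurations that set it are now accepted and silently ignored, which deserves at least a deprecation warning like the one added in connection_manager.c. The enclosing function starts before and ends after this hunk.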

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/src/dispatch_private.h
----------------------------------------------------------------------
diff --git a/src/dispatch_private.h b/src/dispatch_private.h
index 094baba..7faa51d 100644
--- a/src/dispatch_private.h
+++ b/src/dispatch_private.h
@@ -53,7 +53,6 @@ struct qd_dispatch_t {
     int    thread_count;
     char  *sasl_config_path;
     char  *sasl_config_name;
-    char  *auth_service;
     char  *router_area;
     char  *router_id;
     qd_router_mode_t  router_mode;

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/tests/system_test.py
----------------------------------------------------------------------
diff --git a/tests/system_test.py b/tests/system_test.py
index 4d5bc64..504b4e3 100755
--- a/tests/system_test.py
+++ b/tests/system_test.py
@@ -283,7 +283,7 @@ class Qdrouterd(Process):
             'listener': {'host':'0.0.0.0', 'saslMechanisms':'ANONYMOUS', 'idleTimeoutSeconds': '120',
                          'authenticatePeer': 'no', 'role': 'normal'},
             'connector': {'host':'127.0.0.1', 'saslMechanisms':'ANONYMOUS', 'idleTimeoutSeconds': '120'},
-            'router': {'mode': 'standalone', 'id': 'QDR', 'debugDump': 'qddebug.txt'}
+            'router': {'mode': 'standalone', 'id': 'QDR', 'debugDumpFile': 'qddebug.txt'}
         }
 
         def sections(self, name):

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/tests/system_tests_auth_service_plugin.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_auth_service_plugin.py b/tests/system_tests_auth_service_plugin.py
index b1a8e32..f005766 100644
--- a/tests/system_tests_auth_service_plugin.py
+++ b/tests/system_tests_auth_service_plugin.py
@@ -77,7 +77,7 @@ sql_select: dummy select
 
         cls.router_port = cls.tester.get_port()
         cls.tester.qdrouterd('router', Qdrouterd.Config([
-                     ('authServicePlugin', {'name':'myauth', 'authService': '127.0.0.1:%d' % auth_service_port}),
+                     ('authServicePlugin', {'name':'myauth', 'host': '127.0.0.1', 'port': auth_service_port}),
                      ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal', 'saslPlugin':'myauth', 'saslMechanisms':'PLAIN'}),
                      ('router', {'mode': 'standalone', 'id': 'router'})
         ])).wait_ready()
@@ -109,6 +109,45 @@ sql_select: dummy select
         self.assertEqual('amqp:unauthorized-access', test.error.name)
         self.assertEqual(test.error.description.startswith('Authentication failed'), True)
 
+
+class AuthServicePluginDeprecatedTest(AuthServicePluginTest):
+    @classmethod
+    def setUpClass(cls):
+        """
+        Tests the delegation of sasl auth to an external auth service.
+
+        Creates two routers, one acts as the authe service, the other configures the auth service plugin
+        to point at this auth service.
+
+        """
+        super(AuthServicePluginTest, cls).setUpClass()
+
+        if not SASL.extended():
+            return
+
+        cls.createSaslFiles()
+
+        print('launching auth service...')
+        auth_service_port = cls.tester.get_port()
+        cls.tester.qdrouterd('auth_service', Qdrouterd.Config([
+                     ('listener', {'host': '0.0.0.0', 'role': 'normal', 'port': auth_service_port,
+                                   'saslMechanisms':'PLAIN', 'authenticatePeer': 'yes'}),
+                     ('router', {'workerThreads': 1,
+                                 'id': 'auth_service',
+                                 'mode': 'standalone',
+                                 'saslConfigName': 'tests-mech-PLAIN',
+                                 'saslConfigPath': os.getcwd()})
+        ])).wait_ready()
+
+        cls.router_port = cls.tester.get_port()
+        cls.tester.qdrouterd('router', Qdrouterd.Config([
+                     ('authServicePlugin', {'name':'myauth', 'authService': '127.0.0.1:%d' % auth_service_port}),
+                     ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal',
+                                   'saslPlugin':'myauth', 'saslMechanisms':'PLAIN'}),
+                     ('router', {'mode': 'standalone', 'id': 'router'})
+        ])).wait_ready()
+
+
 class SimpleConnect(MessagingHandler):
     def __init__(self, url, username, password):
         super(SimpleConnect, self).__init__()
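Review bot: `super(AuthServicePluginTest, cls).setUpClass()` inside `AuthServicePluginDeprecatedTest` deliberately skips the parent's `setUpClass` (it resolves to the class after `AuthServicePluginTest` in the MRO) so the parent's routers are not launched twice, but nothing says so; add `# Skip AuthServicePluginTest.setUpClass: it would launch a second pair of routers. Only the base TestCase setup runs here.` above the call. The test then proves only that the deprecated `authService` form still works, not that the router warns about it; if the tester exposes the router's log output, an assertion that it contains `"Attribute authService of entity authServicePlugin has been deprecated"` would pin the behaviour this commit adds. The docstring also has "authe service" for "auth service", and is a copy of the parent's — it should say this variant uses the deprecated attribute form.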

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/7237d693/tests/system_tests_authz_service_plugin.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_authz_service_plugin.py b/tests/system_tests_authz_service_plugin.py
index 565b6dc..0dc839f 100644
--- a/tests/system_tests_authz_service_plugin.py
+++ b/tests/system_tests_authz_service_plugin.py
@@ -70,7 +70,9 @@ mech_list: SCRAM-SHA-1 PLAIN
         cls.router_port = cls.tester.get_port()
         cls.tester.qdrouterd('router', Qdrouterd.Config([
                      ('sslProfile', {'name':'myssl'}),
-                     ('authServicePlugin', {'name':'myauth', 'authSslProfile':'myssl', 'authService': '127.0.0.1:%d' % cls.auth_service_port}),
+                     # authService attribute has been deprecated. We are using it here to make sure that we are
+                     # still backward compatible.
+                     ('authServicePlugin', {'name':'myauth', 'sslProfile':'myssl', 'port': cls.auth_service_port, 'host': '127.0.0.1'}),
                      ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal', 'saslPlugin':'myauth', 'saslMechanisms':'SCRAM-SHA-1 PLAIN'}),
                      ('router', {'mode': 'standalone', 'id': 'router',
                                  'saslConfigName': 'tests-mech-SCRAM',
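Review bot: The comment added above the `authServicePlugin` entry says the deprecated `authService` attribute is being used for backward compatibility, but the line it annotates now uses the new `host`, `port` and `sslProfile` attributes; the deprecated form is exercised by the new `AuthServicePluginAuthzDeprecatedTest` further down. Replace it with `# Uses the new host/port/sslProfile attributes; the deprecated authService/authSslProfile form is covered by AuthServicePluginAuthzDeprecatedTest.`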
@@ -127,6 +129,33 @@ mech_list: SCRAM-SHA-1 PLAIN
         self.assertEqual(0, len(client.errors))
 
 
+class AuthServicePluginAuthzDeprecatedTest(AuthServicePluginAuthzTest):
+    @classmethod
+    def setUpClass(cls):
+        """
+        Tests the delegation of sasl auth to an external auth service.
+        """
+        super(AuthServicePluginAuthzTest, cls).setUpClass()
+
+        if not SASL.extended():
+            return
+
+        cls.createSaslFiles()
+
+        cls.auth_service_port = cls.tester.get_port()
+        cls.tester.popen(['/usr/bin/env', 'python', os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'), '-a', 'amqps://127.0.0.1:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING)
+
+        cls.router_port = cls.tester.get_port()
+        cls.tester.qdrouterd('router', Qdrouterd.Config([
+                     ('sslProfile', {'name':'myssl'}),
+                     # authService and authSslProfile attributea have been deprecated.
+                     # We are using it here to make sure that we are backward compatible.
+                     ('authServicePlugin', {'name':'myauth', 'authSslProfile':'myssl', 'authService': '127.0.0.1:%d' % cls.auth_service_port}),
+                     ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal', 'saslPlugin':'myauth', 'saslMechanisms':'SCRAM-SHA-1 PLAIN'}),
+                     ('router', {'mode': 'standalone', 'id': 'router',
+                                 'saslConfigName': 'tests-mech-SCRAM',
+                                 'saslConfigPath': os.getcwd()})
+        ])).wait_ready()
 class ConnectionHandler(MessagingHandler):
     def __init__(self, address, count):
         super(ConnectionHandler, self).__init__()
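Review bot: The new class ends directly against `class ConnectionHandler` with no blank line, where the file otherwise keeps two blank lines between top-level definitions; add them after the `]).wait_ready()` line. As in the auth-service test, `super(AuthServicePluginAuthzTest, cls).setUpClass()` intentionally skips the parent's `setUpClass` and deserves a one-line comment saying so, and the test does not check that the router logs the deprecation warnings for `authService`/`authSslProfile`, which is the behaviour worth pinning if the tester exposes the router log. The comment has the typo "attributea" for "attributes", and the docstring should mention that this variant uses the deprecated attribute names.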

