Posted to commits@qpid.apache.org by kg...@apache.org on 2021/06/25 21:25:43 UTC

[qpid-dispatch] branch 1.16.x updated (27d6554 -> 12abc9f)

This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a change to branch 1.16.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git.


    from 27d6554  DISPATCH-2170: Free the tcp_conn_properties pn_data_t object when freeing the qdr_tcp_connection_t object. This closes #1257
     new 2effba6  DISPATCH-2179: Set SSLDomain.VERIFY_PEER or SSLDomain.VERIFY_PEER_NAME based on the ssl_disable_peer_name_verify flag. Removed --ssl-disable-peer-name-verify from run_qdstat in system_tests_qdstat. This closes #1270.
     new d7dd4f7  NO-JIRA: remove KEYS file.
     new 12abc9f  DISPATCH-1797: Added a retry to qdmanage to make sure we give enough time for addresses to be added to the router address table. This closes #1255

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 KEYS                                           | 116 -------------------------
 python/qpid_dispatch_internal/tools/command.py |  19 ++--
 tests/authservice.py.in                        |  16 +++-
 tests/system_tests_authz_service_plugin.py.in  |  20 +++--
 tests/system_tests_qdmanage.py                 |  36 ++++----
 tests/system_tests_qdstat.py                   |  82 +++++++++++++----
 tests/system_tests_ssl.py                      |   4 +
 tests/system_tests_user_id.py                  |  10 +--
 8 files changed, 129 insertions(+), 174 deletions(-)
 delete mode 100644 KEYS



[qpid-dispatch] 03/03: DISPATCH-1797: Added a retry to qdmanage to make sure we give enough time for addresses to be added to the router address table. This closes #1255

Posted by kg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch 1.16.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git

commit 12abc9f0d546d23b1a6275ebb81c62fccdd16694
Author: Ganesh Murthy <gm...@apache.org>
AuthorDate: Thu Jun 10 10:22:21 2021 -0400

    DISPATCH-1797: Added a retry to qdmanage to make sure we give enough time for addresses to be added to the router address table. This closes #1255
    
    (cherry picked from commit bbed4647dda6b1ce8ed332d5a831c73d79055466)
---
 tests/system_tests_qdmanage.py | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/tests/system_tests_qdmanage.py b/tests/system_tests_qdmanage.py
index 5bc7ac2..81c7aa2 100644
--- a/tests/system_tests_qdmanage.py
+++ b/tests/system_tests_qdmanage.py
@@ -543,30 +543,29 @@ class QdmanageTest(TestCase):
         # This qdmanage query command would fail without the fix
         # for DISPATCH-974
         query_command = 'QUERY --type=org.apache.qpid.dispatch.router.address'
-        outs = json.loads(self.run_qdmanage(query_command))
-
-        sender_addresses = 0
-        receiver_addresses = 0
-
-        for out in outs:
-            if ADDRESS_SENDER in out['name']:
-                sender_addresses += 1
-            if ADDRESS_RECEIVER in out['name']:
-                receiver_addresses += 1
+        for i in range(3):
+            sender_addresses = 0
+            receiver_addresses = 0
+            outs = json.loads(self.run_qdmanage(query_command))
+            for out in outs:
+                if ADDRESS_SENDER in out['name']:
+                    sender_addresses += 1
+                if ADDRESS_RECEIVER in out['name']:
+                    receiver_addresses += 1
+            if sender_addresses < COUNT or receiver_addresses < COUNT:
+                sleep(2)
+            else:
+                break
 
         self.assertEqual(sender_addresses, COUNT)
         self.assertEqual(receiver_addresses, COUNT)
 
         query_command = 'QUERY --type=link'
-        outs = json.loads(self.run_qdmanage(query_command))
-
-        out_links = 0
-        in_links = 0
         success = False
-
-        i = 0
-        while i < 3:
-            i += 1
+        for i in range(3):
+            out_links = 0
+            in_links = 0
+            outs = json.loads(self.run_qdmanage(query_command))
             for out in outs:
                 if out.get('owningAddr'):
                     if ADDRESS_SENDER in out['owningAddr']:
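Review bot: The new address-query retry loop also sleeps after its third failed attempt, so a genuine failure costs an extra two seconds before the `assertEqual` calls run, and unlike the link loop below it logs nothing about the counts it saw. Consider logging in the retry branch, e.g. `self.logger.log("sender_addresses=%s, receiver_addresses=%s" % (sender_addresses, receiver_addresses))`, and naming the unused loop variable `_` in both loops. The enclosing test method starts and ends outside this hunk.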
@@ -581,7 +580,6 @@ class QdmanageTest(TestCase):
             if out_links < COUNT or in_links < COUNT:
                 self.logger.log("out_links=%s, in_links=%s" % (str(out_links), str(in_links)))
                 sleep(2)
-                outs = json.loads(self.run_qdmanage(query_command))
             else:
                 self.logger.log("Test success!")
                 success = True



[qpid-dispatch] 02/03: NO-JIRA: remove KEYS file.

Posted by kg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch 1.16.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git

commit d7dd4f75c513e0e0e214aa694ade00cc42ef190a
Author: Kenneth Giusti <kg...@apache.org>
AuthorDate: Wed May 12 11:20:14 2021 -0400

    NO-JIRA: remove KEYS file.
    
    The proper KEYS file to use for verifying downloaded artifacts
    can be found here: https://downloads.apache.org/qpid/KEYS
    
    This is explained on the Qpid project website.
    
    Do NOT include a KEYS file in the dispatch tarball since an attacker
    can spoof the one in the tarfile itself.
    
    This closes #1215
    
    (cherry picked from commit 8aa4d8d749f5817bf894b316e941cbe438d8581c)
---
 KEYS | 116 -------------------------------------------------------------------
 1 file changed, 116 deletions(-)

diff --git a/KEYS b/KEYS
deleted file mode 100644
index 2a21f84..0000000
--- a/KEYS
+++ /dev/null
@@ -1,116 +0,0 @@
-pub   4096R/40851BBB 2013-10-25
-      Key fingerprint = 02D9 166C 2C79 509E 2968  7C73 B0D1 E368 4085 1BBB
-uid                  Ted Ross (CODE SIGNING KEY) <tr...@apache.org>
-sub   4096R/50FD353D 2013-10-25
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.13 (GNU/Linux)
-
-mQINBFJqaLUBEAC/fM8stbqi6gK5ZEYMKLuuEVtg9rpUkno1/s9l+f09kXaNG2/Y
-kh7zbLbGhHJcNVgdIIDAtIZ4hPmRnxVcC5XFyxXJEemu3qtzMe+C4ad9KWdC8XVZ
-wNBLvqDUrEumjGh3ORasZYe/DbhK3AAxvNf20HRlcfVqfa+fxtvCLwRWThH6KS45
-1fTBHMhsDuZGTt3+HyV5+JGhWxaaY7hjEt+JDNa/HSG0Vge43t8r0g/kXMp/y7DU
-OapKm3Qf0COSNOz56mmrXQ7EDH7SoVR6fEMd5vnv9kwZGfD892XkZwbWmNYuoQog
-3yDfwbFVjLNkmnE3BnSt3L4+duzdM1VUu7ze7R1CYVd8B8ZUeRN/stN8C9hV2jmf
-VFsFTPiZkmoqoYXAGisaMZ2jqJHM/ECwJznXQU7TLIoxyOTANbEDgPGqHEekK//E
-cZZjxbMQq/1vaeDWeIzjVEO7D+9aJRckC/STMw4sNCzTi3hrgVnFJLDvWfhKg4EF
-Fm1cW8+96TsXr9kJscT4K5wY+ErqYDo7IqtcLqgUUfd/2P29I3SyEVu9PsH8VU+j
-uEQPbrf/ntfS0m+CoNpaQylMEII0/4gXbTZTIgD7+PUzCJiQkz8B87qPO82NLxYn
-Uw9V7HGhnhJYW3vPYJBYNWio15D9Ql7kTYYHowMuoALqAq4nZbp6CTNDqwARAQAB
-tC5UZWQgUm9zcyAoQ09ERSBTSUdOSU5HIEtFWSkgPHRyb3NzQGFwYWNoZS5vcmc+
-iQI3BBMBAgAhAhsDAh4BAheABQJSamqmBQsJCAcDBRUKCQgLBRYCAwEAAAoJELDR
-42hAhRu7BjwP/RiuajTKl45EJSsuHH1YOWUf3gb0AgUfO6xrGHxbvNnrrVOcZyEJ
-xuH4eacxtIheH+CQHdnrxzWIO/00++gjteXFxGwp+6U71F/YC52Kk8EbfdhnzFEF
-9FmOMUHqyCjNL7cbfeujOmIOfGJg7FOVT6LF4TdQCNQrSM1DelL2bX2B4yX2oKeq
-4fcTbf9fzcTJg675E8f+hQvGY9CpPw9cYLfXsVQeiGJ8vyDQm0mP1D7mD8lovN72
-e1G2U2L9dwAu+NTqjjBJ05t+8hkOCg2zUp7HHcSyv4y74Kh3neVAm0r7ROI3uE4W
-/80pvV4OFdAFBMINCGrgz2KQhrdNwn7puc4Q1cHMcecnZjOh/uncaxBytUc4xlCO
-6E9C3YvfzE9ysT16gSJO+97/1lz41EWOMwBLTWMyEqNJ2tgQh2bWBPtqG1yOup1s
-bsr2E/tBE5QcOVZrPfhGMrFauGR4rjfyiCI0rl7gXyEkE62ijHezcuCfyMe3+1jD
-9KfbZgtOOqJXac6GXrCnfB5i+UfciXuPiQmgn96FPC4PGV3lEMBOGd//6R3dO1Rr
-4k66zD3lpeiltIE6Ff9yYqdHYQv05lYqf7pNqV724+2hiVjJcBCF6OvlRrg4IPHE
-Fp2mqzLDca4qm/o7GDSr3A/5fL7BGWa6p0l2f+8xchXPl5jbCjDM53DIuQINBFJq
-aLUBEADFEQxN8Tjc3pMP+fTTFI6/MuVcNLhsRWS2QjhqcH8rRqn9rryVIHpHsHli
-jOX16kyczm846KiHr68Hzl5ll3rHHQiMG71Om+2szJjxAd3KZ3x+ozBA3gsXSzfV
-q3RY1XuvBZsEbnERNpppDas8a6nAa6fcueN5//cem6PnaYEa3+eiZx5YviSKoVqM
-JIH83++LFHgV/ifgv1GO8lWv6qf01mDFeUqxM0uobUf7gI8kOt/mf66tI5rSKeX0
-wOvSU77MknxThuCxvXy3eYOkj15G73PXXt0LbVYMJfPQgKI1x1p8SD6svOTqD047
-I4CzZzahbAIZ6cRjCm7zqo6zvWodTSUNgxplp7uCFVlLU2AVOGD1duJHBIyCXNyV
-/XcnfO2q+SInosZgZBsoX0ejAYrNeK73z+HgVL1U9iEZpgCUb51onjDdsXPt8uaz
-w7bJaLOWBhrhDO37WnAPc5ci8qByMGE5DCMu10C8/8HCgmJTK9XBriPp8OZkjIID
-ypm2eUSuOJHNKhJjSwHqBD6MAMH8MrHH+T7QlB3oa7DkrgQFojoVzQHi8GG24vwy
-91FiyESxe9PTEgdPCQsfYIN6/LQTdHp+w+sRp+pWNBIG/QhAs9DhN+dZ7/1fvjEz
-cnXqNVXAdkr9xYGM0HIyGr+8oxFKTqp8O9ZlCfk+VxYo8BjITwARAQABiQIfBBgB
-AgAJBQJSami1AhsMAAoJELDR42hAhRu7aZ4P/2S9V8m6IklQqEuoMAwZ5in8LDGH
-Y6xBNs/3xzwcNGXgxKHbIg3G0bQkkABdc22/z0rH1XLAT2OWPw1UDija6OACAUHF
-+R6JZvKWi+qSoqF3S+psPMyYyAOEbgA1AMwce1yTS/jmPXh/eMfq8+1wVrhwy6gd
-fm5f6qVpJvsrmXG7hKMu6w4JsMmxobgin+7vXMimXowlcnm/DxKWQzVLbTDvHeRk
-YtsYaeYfElSxS803/tqtlnr8qEwOHgK/LtWVg5Aojay2wnNJwPpJWEoRPkgO1UCa
-zeovgFjWrTv/ccvPXQk48e/q3i8EzPM1A9ZjZZbZa5lCcYLIdiH+03yFq8T5nPe/
-WGUjg63tw2Q3oINrbklrDHECV3loXTdGuafhxjnMiHLbm8Zci//WJ+qKT9oASSvn
-JiDeyEwLMJ6ZqfwvcdzW1ISDdcMBKxNkD3BTjadgkD5w1Z1ATHViae1DFciCkm8C
-Bkhqr0lQDZe+tsGeH4sb1Me7bsmJby772MgqKS1f5hPEZs9mQw3jC7ZTIHOUAcR5
-pCyY+HdoCA3Rke3rPXpFe5OqvRwui/BRGrtOSCkSRkghcFFfFGhX/w2SdMOEWFPW
-aNza9296q0uETHSa6v49UkN34Sb5fIC1OSmtjlJxcVCDayawjje0rn0Fq+X7xy2O
-+coC6qGNNiLFEN9R
-=qSGX
------END PGP PUBLIC KEY BLOCK-----
-pub   rsa4096 2018-04-10 [SC]
-      42A18EFF2267BEF0C4F202E291A5A5203FE38330
-uid           [ultimate] Ganesh Murthy (CODE SIGNING KEY) <gm...@apache.org>
-sig 3        91A5A5203FE38330 2018-04-10  Ganesh Murthy (CODE SIGNING KEY) <gm...@apache.org>
-sub   rsa4096 2018-04-10 [E]
-sig          91A5A5203FE38330 2018-04-10  Ganesh Murthy (CODE SIGNING KEY) <gm...@apache.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFrMyjUBEADCgA2KxdJDiNdhR2lQCTexWDB4d/AK+uuiGYneFU7TC3Kp/cs+
-9Ah9A+GLifhXRy8uCODQXYY1iJ71g5Wy27Zifr5TnIXUYeQzWqodKUmlrzfiBDkU
-iOsl4N9uhfugOBYyCm5pqRlzprmItfbcD/lmegLrWkx/+aHld+fRN4NlBR6Q0cCF
-cj6rdP0DK2CgwLDRXNfgZqNHA1IZE9fTpBxmGc+BCTJNTiP9WU0fZ/SUOOKv3BR6
-owLD6lqVsKezmGZ3CJSCbl5umM4iDYr+ToOEj680XRK9lwgM/S0KES0KPpb9EWkR
-HHc5itrak4pdS5DvH9qGm8xr67jeHjn9MOW8e+EPTVs8U0tg96yao6X+AlvMOtDf
-d1lyF0RVcEmgh7fU8MGApphOJiaWF7f2q+7sj86UP0rB0ZuK6EuC3K7sFP75KK8j
-vmVI85H6y9gHuWm5UHwxKYfzGdT0oXaKZvUbpJV8C74my3i3pQM+FezXNHywP/B1
-sHId/JwXp+AC589DvVn7Eb+lqyvEBopOYOLuU7K0KMWDp6ijWTe0VzwfoVO+/b1D
-N5crr2MG4YH0d8kxhBpystxQSq4OfuFpFxNpSpa0G6asSQjiGlS2hp+0zCRkXN/y
-xxU6eTKAqADvvIKoKFsOwREv4ARt8rAycnWB/NoMiQRWN78Yo5z6oAfHOwARAQAB
-tDVHYW5lc2ggTXVydGh5IChDT0RFIFNJR05JTkcgS0VZKSA8Z211cnRoeUBhcGFj
-aGUub3JnPokCTgQTAQoAOBYhBEKhjv8iZ77wxPIC4pGlpSA/44MwBQJazMo1AhsD
-BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEJGlpSA/44MwmnQP/igt5GgI8H5G
-oX5zag/gklS0RDRArvADnsIXkVHmUzCvidW1v5f5Ctkc3MEe8lkoUtRAbGKevfO0
-RwjfC6yZ77424JtRWsC0u53Ebap9WoRqHks7x1Ner8COIWD+Yq/qkOOFr27mSXMf
-U6ZQEVime0mDMiiGG62WC50AzwMYY75jVzyp0VDHKp9z0oVr7OCvQbHOD5c0tT2o
-snStOWwFrOiRVEZISdgV8gyC1VmL3x/OWCfu5VRt3LjJLBa5YxdlPTMDJMwfSG6A
-TURpPxMkq4ohazsF1s5u6gtB2XLe7eGLDGMm+iEcTqxOT+7eeX7t/NL0Te46GGpt
-1pb4p5OHgzk+OFX6nsE9TCOYhciCbr/pvwUoXhDiCZaFbscsCeZRIm5zCxOw9qrt
-coxm1KJSwyI+IoRn9QhOwRU35r1gcqX1GPrkNX7nucv0Kcuim6T4YVa4rNiV+a0k
-4p/iUfOpE9LWlmS5GKkOnNV3b8jt/8tEFsJ+pAXq0/Qv4KbgmfpghLFhEho8fG+P
-CXE4CwectERPB3phQE6zZPxmJ5iVtWwWuE9fKyxV98pI8eOvYZ1EC3u5yRBGliVv
-12ftJR1RY1Y2x9pfiLi4VyjvDUdfA+UPZ5F9ISs5DOyQK1IzqSOTMAsyn6mkHf8G
-lJRWE44TMbCXUxzuwhXQFFGHqpKrKcvzuQINBFrMyjUBEADKthoBbLMZAlOTBf9k
-wb4QJQTM2WlNs9itD8S62rNfMyuThR0yQ4HYHs0DUTB/6bA1tozUIVTqnwcArHYm
-SZvIfSffg0BwV2rhuXtEebEth0bGg+FMycighnXRZSgM54sULBVRJUnA8tEzvScf
-ulCCz1ZdSiRNK9hRaFIeRHjGjVOLiI42lZYEEYLxd/hGtJQ46wLngM3xAnLheawi
-+nyA8B10zuXj4/lKtjXLMy9bZQeRDfVqOHEdIvcShYiCRs6IDN679Dnw63/T6iY6
-0X2qUyIc6PQcnBX+ys1nh82yasMiUewsNLoQpvU5lm+dJq7Nem09/eplsBfjCTfj
-H/F2/gxxDYqz26XN5q09WhVwMKfYW0sHSPq5LGtrQwTI0zfj60rRw+au1kUd6l+N
-R2g2DHLRaQO+zLO5LoDEDZWsAbQzGIRRpMPPmYVHvQzp4ZGbndwEdpLEA6KtX0dm
-JVuthhHxzOvB0sWv3P5ZYkKqDqYeVX3QClUPzpcSxzrtQzVpPP20ipGtzQxt1IFL
-xwBRl/hL+R8OGKFWTzMw+tYEq27gSb2iUu+fEFEsFZj9Z9nYzWevF67k0GIEw2Z3
-0SY3eBe4txOu7kfDnh9aOaIaX1Ch1p74PRxp6eRTHsc67aBy6RrH+7CdvHsgE6lB
-ZRtOGrL/ICIe7pMkLxkPe/qLnwARAQABiQI2BBgBCgAgFiEEQqGO/yJnvvDE8gLi
-kaWlID/jgzAFAlrMyjUCGwwACgkQkaWlID/jgzBcQA//RJS61TIf318RRQH37W0A
-GYeoU8lnaDO6Docz6SSkl8sCRi8AWMqqu2z0xyOTESmvDk3+1VTe1PKNOFfguw44
-gMT9a62bNfaoCnUiIwe8Yq5Q3ej3F63c1J14b/mLiGpcqu17QbI9SS6LjHlp4rol
-UhXpA5dYoQHjm0VF+XJXfK5E6JnHThHO7YH37xX4zydOJ00agM1XuqDaiwrD0b+i
-ZDSXZdrPWrhSVmNh6zRzU3UGEyq0c4j8ZsN8LI1d6KVVf0GpF+w0fgIejCajBzl6
-ZvGodBW/CZEHsr9Vmk5V1O6YD00NOJ7UVY2CXmUVYCVXi87r8R1MfK285C85Jw2Q
-LuHyPJ521gvEo72YoN/iMUml9MLyXBJSqoyGTDkM5lCQzPhGejGlfkSWjx4RhoZR
-eoPGA/sZNdCAZBjOvL8LY6atKINH3MOGwnMG17GWSDYlAOaBVHMpcpnGshy3Mmec
-kK7doInf30Gn1KR5CiqoodNzId1KZ2fFAo7pPeZFDds9jQzS06yqiQKCAGRaoT2p
-CjYtTovv3fS1fi25Fopl+U8Y8X4rV3mqjchFYf5Wy82SbLgcKLVmgUIymmqsZm6m
-JiQ4YKOZd1Do7DAOGF9SEd6LdiWbEOSCc5OLFvZiwSFEU4xOo39kP/pd6200PRYr
-hjxwnQsWG0arATWXmtf1JGU=
-=E2x4
------END PGP PUBLIC KEY BLOCK-----



[qpid-dispatch] 01/03: DISPATCH-2179: Set SSLDomain.VERIFY_PEER or SSLDomain.VERIFY_PEER_NAME based on the ssl_disable_peer_name_verify flag. Removed --ssl-disable-peer-name-verify from run_qdstat in system_tests_qdstat. This closes #1270.

Posted by kg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch 1.16.x
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git

commit 2effba6a3a4c8ff46017c0621ea693b8c40b3961
Author: Ganesh Murthy <gm...@apache.org>
AuthorDate: Sun Jun 20 22:40:24 2021 -0400

    DISPATCH-2179: Set SSLDomain.VERIFY_PEER or SSLDomain.VERIFY_PEER_NAME based on the ssl_disable_peer_name_verify flag. Removed --ssl-disable-peer-name-verify from run_qdstat in system_tests_qdstat. This closes #1270.
    
    (cherry picked from commit e3f27339a7fba6c8f43c4715392d20dafad33bfa)
---
 python/qpid_dispatch_internal/tools/command.py | 19 +++---
 tests/authservice.py.in                        | 16 ++++-
 tests/system_tests_authz_service_plugin.py.in  | 20 ++++---
 tests/system_tests_qdstat.py                   | 82 +++++++++++++++++++++-----
 tests/system_tests_ssl.py                      |  4 ++
 tests/system_tests_user_id.py                  | 10 ++--
 6 files changed, 112 insertions(+), 39 deletions(-)

diff --git a/python/qpid_dispatch_internal/tools/command.py b/python/qpid_dispatch_internal/tools/command.py
index 39137dd..470713a 100644
--- a/python/qpid_dispatch_internal/tools/command.py
+++ b/python/qpid_dispatch_internal/tools/command.py
@@ -261,9 +261,8 @@ def opts_url(opts):
     url = Url(opts.bus)
 
     # If the options indicate SSL, make sure we use the amqps scheme.
-    if opts.ssl_certificate or opts.ssl_trustfile:
+    if opts.ssl_certificate or opts.ssl_trustfile or opts.bus.startswith("amqps:"):
         url.scheme = "amqps"
-
     return url
 
 
@@ -282,6 +281,10 @@ def opts_ssl_domain(opts, mode=SSLDomain.MODE_CLIENT):
     @param opts: Parsed optoins including connection_options()
     """
 
+    url = opts_url(opts)
+    if not url.scheme == "amqps":
+        return None
+
     certificate, key, trustfile, password, password_file, ssl_disable_peer_name_verify = opts.ssl_certificate,\
         opts.ssl_key,\
         opts.ssl_trustfile,\
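Review bot: The early return added at the top of `opts_ssl_domain` is not reflected in the docstring, which still documents only `@param opts`, so a caller cannot tell that `None` now means "the bus URL is not amqps" rather than "no certificate or trust file was given". I would add `@return: an SSLDomain, or None when the bus URL scheme is not amqps` and write the test as `if url.scheme != "amqps":`. Because the decision now rests on the scheme alone, SSL options passed with a plain amqp bus that `opts_url` does not upgrade (only `ssl_certificate` and `ssl_trustfile` upgrade it) appear to be dropped silently; a warning there would help. The function body continues outside this hunk.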
@@ -289,9 +292,6 @@ def opts_ssl_domain(opts, mode=SSLDomain.MODE_CLIENT):
         opts.ssl_password_file, \
         opts.ssl_disable_peer_name_verify
 
-    if not (certificate or trustfile):
-        return None
-
     if password_file:
         password = get_password(password_file)
 
@@ -299,10 +299,11 @@ def opts_ssl_domain(opts, mode=SSLDomain.MODE_CLIENT):
 
     if trustfile:
         domain.set_trusted_ca_db(str(trustfile))
-        if ssl_disable_peer_name_verify:
-            domain.set_peer_authentication(SSLDomain.VERIFY_PEER, str(trustfile))
-        else:
-            domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(trustfile))
+
+    if ssl_disable_peer_name_verify:
+        domain.set_peer_authentication(SSLDomain.VERIFY_PEER)
+    else:
+        domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME)
 
     if certificate:
         domain.set_credentials(str(certificate), str(key), str(password))
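Review bot: Peer authentication is now set on every amqps connection, including when no `--ssl-trustfile` was given and `set_trusted_ca_db` was never called, and nothing here tells the user which trust anchors are then in effect. The qdstat tests changed in this same commit expect an amqps connection without a trust file to fail, so presumably verification fails against the test CA in that case. A comment such as `# Always verify the peer certificate; without --ssl-trustfile this depends on the library's default trust store (confirm)` and a clear error message would make that failure diagnosable. It is also worth stating next to the flag that `ssl_disable_peer_name_verify` only drops the host-name match and still requires a valid certificate chain. The function continues outside this hunk.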
diff --git a/tests/authservice.py.in b/tests/authservice.py.in
index 9c235b8..7219a2f 100755
--- a/tests/authservice.py.in
+++ b/tests/authservice.py.in
@@ -18,18 +18,23 @@
 # under the License.
 #
 
+
 from __future__ import unicode_literals
 from __future__ import division
 from __future__ import absolute_import
 from __future__ import print_function
 
+
 import sys
 import signal
 import optparse
+import os
 from proton.handlers import MessagingHandler
 from proton.reactor import Container
 from proton import Array, Data, symbol, UNDESCRIBED
+from proton import SSLDomain
 from cproton import pn_sasl_config_path
+import system_test
 
 
 class AuthService(MessagingHandler):
@@ -42,6 +47,15 @@ class AuthService(MessagingHandler):
         self.listener = None
         self.tmo = 0.1  # seconds
         self.stop_req = False
+        self.acceptor = None
+        self.ssl_domain = SSLDomain(SSLDomain.MODE_SERVER)
+        self.ssl_domain.set_credentials(self.ssl_file('server-certificate.pem'),
+                                        self.ssl_file('server-private-key.pem'),
+                                        password="server-password")
+        self.ssl_domain.set_trusted_ca_db(self.ssl_file('ca-certificate.pem'))
+
+    def ssl_file(self, name):
+        return os.path.join(system_test.DIR, 'ssl_certs', name)
 
     def allow(self, user, address, permissions):
         if not self.permissions.get(user):
@@ -49,7 +63,7 @@ class AuthService(MessagingHandler):
         self.permissions[user][address] = Array(UNDESCRIBED, Data.STRING, *permissions)
 
     def on_start(self, event):
-        self.listener = event.container.listen(self.address)
+        self.listener = event.container.listen(self.address, ssl_domain=self.ssl_domain)
         event.container.schedule(self.tmo, self)
 
     def stop(self):
diff --git a/tests/system_tests_authz_service_plugin.py.in b/tests/system_tests_authz_service_plugin.py.in
index 85a2fad..ca4a75d 100644
--- a/tests/system_tests_authz_service_plugin.py.in
+++ b/tests/system_tests_authz_service_plugin.py.in
@@ -57,6 +57,10 @@ sasldb_path: users.sasldb
 mech_list: SCRAM-SHA-1 PLAIN
 """)
 
+    @staticmethod
+    def ssl_file(name):
+        return os.path.join(DIR, 'ssl_certs', name)
+
     @classmethod
     def setUpClass(cls):
         """
@@ -71,18 +75,18 @@ mech_list: SCRAM-SHA-1 PLAIN
 
         cls.auth_service_port = cls.tester.get_port()
         cls.tester.popen(['/usr/bin/env', '${PY_STRING}', os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'),
-                          '-a', 'amqps://127.0.0.1:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING)
+                          '-a', 'amqps://localhost:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING)
 
         policy_config_path = os.path.join(DIR, 'policy-authz')
 
         cls.router_port = cls.tester.get_port()
         cls.tester.qdrouterd('router', Qdrouterd.Config([
-            ('sslProfile', {'name': 'myssl'}),
+            ('sslProfile', {'name': 'myssl', 'caCertFile': cls.ssl_file('ca-certificate.pem')}),
             ('policy', {'maxConnections': 2, 'policyDir': policy_config_path, 'enableVhostPolicy': 'true'}),
             # authService attribute has been deprecated. We are using it here to make sure that we are
             # still backward compatible.
-            ('authServicePlugin', {'name': 'myauth', 'sslProfile': 'myssl', 'port': cls.auth_service_port, 'host': '127.0.0.1'}),
-            ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal', 'saslPlugin': 'myauth', 'saslMechanisms': 'SCRAM-SHA-1 PLAIN'}),
+            ('authServicePlugin', {'name': 'myauth', 'sslProfile': 'myssl', 'port': cls.auth_service_port, 'host': 'localhost'}),
+            ('listener', {'host': 'localhost', 'port': cls.router_port, 'role': 'normal', 'saslPlugin': 'myauth', 'saslMechanisms': 'SCRAM-SHA-1 PLAIN'}),
             ('router', {'mode': 'standalone', 'id': 'router',
                         'saslConfigName': 'tests-mech-SCRAM',
                         'saslConfigPath': os.getcwd()})
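Review bot: The switch from `127.0.0.1` and `0.0.0.0` to `localhost` for the auth service address, the `authServicePlugin` host and the listener is unexplained at the call site, and the same edit is repeated in the `AuthServicePluginAuthzDeprecatedTest` hunk below. Presumably the host now has to match a name in the server certificate because the peer is verified against `caCertFile`. If so, a comment like `# host must match the name in server-certificate.pem; the peer name is verified` would stop someone reverting it to an IP literal. `setUpClass` continues outside this hunk.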
@@ -156,15 +160,15 @@ class AuthServicePluginAuthzDeprecatedTest(AuthServicePluginAuthzTest):
 
         cls.auth_service_port = cls.tester.get_port()
         cls.tester.popen(['/usr/bin/env', '${PY_STRING}', os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'),
-                          '-a', 'amqps://127.0.0.1:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING)
+                          '-a', 'amqps://localhost:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING)
 
         cls.router_port = cls.tester.get_port()
         cls.tester.qdrouterd('router', Qdrouterd.Config([
-            ('sslProfile', {'name': 'myssl'}),
+            ('sslProfile', {'name': 'myssl', 'caCertFile': cls.ssl_file('ca-certificate.pem')}),
             # authService and authSslProfile attributea have been deprecated.
             # We are using it here to make sure that we are backward compatible.
-            ('authServicePlugin', {'name': 'myauth', 'authSslProfile': 'myssl', 'authService': '127.0.0.1:%d' % cls.auth_service_port}),
-            ('listener', {'host': '0.0.0.0', 'port': cls.router_port, 'role': 'normal', 'saslPlugin': 'myauth', 'saslMechanisms': 'SCRAM-SHA-1 PLAIN'}),
+            ('authServicePlugin', {'name': 'myauth', 'authSslProfile': 'myssl', 'authService': 'localhost:%d' % cls.auth_service_port}),
+            ('listener', {'host': 'localhost', 'port': cls.router_port, 'role': 'normal', 'saslPlugin': 'myauth', 'saslMechanisms': 'SCRAM-SHA-1 PLAIN'}),
             ('router', {'mode': 'standalone', 'id': 'router',
                         'saslConfigName': 'tests-mech-SCRAM',
                         'saslConfigPath': os.getcwd()})
diff --git a/tests/system_tests_qdstat.py b/tests/system_tests_qdstat.py
index d46e163..896fd35 100644
--- a/tests/system_tests_qdstat.py
+++ b/tests/system_tests_qdstat.py
@@ -648,7 +648,6 @@ class QdstatLinkPriorityTest(system_test.TestCase):
 
     def _test_links_all_routers(self, command):
         out = self.run_qdstat(command)
-        print("_test_links_all_routers out=", out)
         self.assertTrue(out.count('UTC') == 1)
         self.assertTrue(out.count('Router Links') == 2)
         self.assertTrue(out.count('inter-router') == 40)
@@ -728,17 +727,20 @@ try:
                                 'certFile': cls.ssl_file('server-certificate.pem'),
                                 'privateKeyFile': cls.ssl_file('server-private-key.pem'),
                                 'password': 'server-password'}),
-                ('listener', {'port': cls.tester.get_port()}),
-                ('listener', {'port': cls.tester.get_port(), 'sslProfile': 'server-ssl', 'authenticatePeer': 'no', 'requireSsl': 'yes'}),
-                ('listener', {'port': cls.tester.get_port(), 'sslProfile': 'server-ssl', 'authenticatePeer': 'no', 'requireSsl': 'no'}),
-                ('listener', {'port': cls.tester.get_port(), 'sslProfile': 'server-ssl', 'authenticatePeer': 'yes', 'requireSsl': 'yes',
+                ('listener', {'host': 'localhost', 'port': cls.tester.get_port()}),
+                ('listener', {'host': 'localhost', 'port': cls.tester.get_port(), 'sslProfile': 'server-ssl',
+                              'authenticatePeer': 'no', 'requireSsl': 'yes'}),
+                ('listener', {'host': 'localhost', 'port': cls.tester.get_port(), 'sslProfile': 'server-ssl',
+                              'authenticatePeer': 'no', 'requireSsl': 'no'}),
+                ('listener', {'host': 'localhost', 'port': cls.tester.get_port(), 'sslProfile': 'server-ssl',
+                              'authenticatePeer': 'yes', 'requireSsl': 'yes',
                               'saslMechanisms': 'EXTERNAL'})
             ])
             cls.router = cls.tester.qdrouterd('test-router', config)
 
         def run_qdstat(self, args, regexp=None, address=None):
             p = self.popen(
-                ['qdstat', '--bus', str(address or self.router.addresses[0]), '--ssl-disable-peer-name-verify',
+                ['qdstat', '--bus', str(address or self.router.addresses[0]),
                  '--timeout', str(system_test.TIMEOUT)] + args,
                 name='qdstat-' + self.id(), stdout=PIPE, expect=None,
                 universal_newlines=True)
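Review bot: With `--ssl-disable-peer-name-verify` removed from `run_qdstat`, none of the tests visible in this diff passes that flag any more, so the `SSLDomain.VERIFY_PEER` branch that this commit changes in `command.py` looks untested here. Two cases would pin the behaviour: one that connects with a trust file and the flag to a listener whose certificate name does not match the bus host, and one showing that the flag does not rescue a connection made with `bad_trustfile`. `run_qdstat` continues outside this hunk.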
@@ -778,75 +780,123 @@ try:
         def ssl_test_bad(self, url_name, arg_names):
             self.assertRaises(AssertionError, self.ssl_test, url_name, arg_names)
 
-        # Non-SSL enabled listener should fail SSL connections.
+        # qdstat -b amqp://localhost:<port> --general and makes sure
+        # the router sends back a valid response.
         def test_ssl_none(self):
             self.ssl_test('none', [])
 
+        # qdstat -b amqps://localhost:<port> --general
+        # Make sure that the command fails.
         def test_ssl_scheme_to_none(self):
             self.ssl_test_bad('none_s', [])
 
+        # qdstat -b amqp://localhost:<port> --general --ssl-certificate /path/to/client-certificate.pem
+        # Makes sure the command fails.
         def test_ssl_cert_to_none(self):
             self.ssl_test_bad('none', ['client_cert'])
 
-        # Strict SSL listener, SSL only
+        # Tries to run the following command on a listener that requires SSL (requireSsl:yes)
+        # qdstat -b amqp://localhost:<port> --general
+        # Makes sure the command fails.
         def test_ssl_none_to_strict(self):
             self.ssl_test_bad('strict', [])
 
+        # qdstat -b amqps://localhost:<port> --general
         def test_ssl_schema_to_strict(self):
-            self.ssl_test('strict_s', [])
+            self.ssl_test_bad('strict_s', [])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-certificate /path/to/client-certificate.pem
+        # --ssl-key /path/to/client-private-key.pem --ssl-password client-password'
         def test_ssl_cert_to_strict(self):
-            self.ssl_test('strict_s', ['client_cert_all'])
+            self.ssl_test_bad('strict_s', ['client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/ca-certificate.pem
         def test_ssl_trustfile_to_strict(self):
             self.ssl_test('strict_s', ['trustfile'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile
+        # /path/to/ca-certificate.pem --ssl-certificate /path/to/client-certificate.pem
+        # --ssl-key /path/to/client-private-key.pem --ssl-password client-password
         def test_ssl_trustfile_cert_to_strict(self):
             self.ssl_test('strict_s', ['trustfile', 'client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/bad-ca-certificate.pem
+        # Send in a bad ca cert and make sure the test fails.
         def test_ssl_bad_trustfile_to_strict(self):
             self.ssl_test_bad('strict_s', ['bad_trustfile'])
 
         # Require-auth SSL listener
-
+        # qdstat -b amqp://localhost:<port> --general
+        # Send in no certs to a 'authenticatePeer': 'yes', 'requireSsl': 'yes' listener and make sure it fails.
+        # Also protocol is amqp not amqps
         def test_ssl_none_to_auth(self):
             self.ssl_test_bad('auth', [])
 
+        # qdstat -b amqps://localhost:28491 --general
+        # Send in no certs to a 'authenticatePeer': 'yes', 'requireSsl': 'yes' listener and make sure it fails.
         def test_ssl_schema_to_auth(self):
             self.ssl_test_bad('auth_s', [])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/ca-certificate.pem'
+        # Send in just a trustfile to an 'authenticatePeer': 'yes', 'requireSsl': 'yes' listener and make sure it fails.
         def test_ssl_trustfile_to_auth(self):
             self.ssl_test_bad('auth_s', ['trustfile'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-certificate /path/to/client-certificate.pem
+        # --ssl-key /path/to/client-private-key.pem --ssl-password client-password
+        # Without a trustfile, this test fails
         def test_ssl_cert_to_auth(self):
-            self.ssl_test('auth_s', ['client_cert_all'])
+            self.ssl_test_bad('auth_s', ['client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/ca-certificate.pem
+        # --ssl-certificate /path/to/client-certificate.pem
+        # --ssl-key /path/to/client-private-key.pem --ssl-password client-password
+        # This has everything, the test should pass.
         def test_ssl_trustfile_cert_to_auth(self):
             self.ssl_test('auth_s', ['trustfile', 'client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/bad-ca-certificate.pem
+        # --ssl-certificate /path/to/client-certificate.pem --ssl-key /path/to/client-private-key.pem
+        # --ssl-password client-password
+        # Bad trustfile should be rejected.
         def test_ssl_bad_trustfile_to_auth(self):
             self.ssl_test_bad('auth_s', ['bad_trustfile', 'client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --sasl-mechanisms EXTERNAL
+        # --ssl-certificate /path/to/client-certificate.pem --ssl-key /path/to/client-private-key.pem
+        # --ssl-password client-password --ssl-trustfile /path/to/ca-certificate.pem'
         def test_ssl_cert_explicit_external_to_auth(self):
-            self.ssl_test('auth_s', ['sasl_external', 'client_cert_all'])
+            self.ssl_test('auth_s', ['sasl_external', 'client_cert_all', 'trustfile'])
 
         # Unsecured SSL listener, allows non-SSL
-
+        # qdstat -b amqp://localhost:<port> --general
         def test_ssl_none_to_unsecured(self):
             self.ssl_test('unsecured', [])
 
+        # qdstat -b amqps://localhost:<port> --general
         def test_ssl_schema_to_unsecured(self):
-            self.ssl_test('unsecured_s', [])
+            self.ssl_test_bad('unsecured_s', [])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-certificate /path/to/client-certificate.pem --ssl-key
+        # /path/to/client-private-key.pem --ssl-password client-password
+        # A trustfile is required, test will fail
         def test_ssl_cert_to_unsecured(self):
-            self.ssl_test('unsecured_s', ['client_cert_all'])
+            self.ssl_test_bad('unsecured_s', ['client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/ca-certificate.pem'
+        # Just send in the trustfile, should be all good.
         def test_ssl_trustfile_to_unsecured(self):
             self.ssl_test('unsecured_s', ['trustfile'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/ca-certificate.pem
+        # --ssl-certificate /path/to/client-certificate.pem --ssl-key /path/to/client-private-key.pem
+        # --ssl-password client-password
+        # We have everything, this should work.
         def test_ssl_trustfile_cert_to_unsecured(self):
             self.ssl_test('unsecured_s', ['trustfile', 'client_cert_all'])
 
+        # qdstat -b amqps://localhost:<port> --general --ssl-trustfile /path/to/bad-ca-certificate.pem']
+        # Bad trustfile, test will fail.
         def test_ssl_bad_trustfile_to_unsecured(self):
             self.ssl_test_bad('unsecured_s', ['bad_trustfile'])
 
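Review bot: Every case flipped to `ssl_test_bad` in this hunk passes on any `AssertionError` raised by `ssl_test`, so the tests cannot tell "rejected because no trust file was supplied" from an unrelated failure such as a router that never started. If `ssl_test` can expose the qdstat output, assert on the expected error text for the negative cases; its body is outside this hunk, so this needs checking. The new comments also need a tidy-up: several end in a stray `'` or `]`, `test_ssl_schema_to_auth` hard-codes port `28491` where the others write `<port>`, and `test_ssl_schema_to_strict` and `test_ssl_schema_to_unsecured` do not say why the command is expected to fail.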
diff --git a/tests/system_tests_ssl.py b/tests/system_tests_ssl.py
index b101882..ed563d4 100644
--- a/tests/system_tests_ssl.py
+++ b/tests/system_tests_ssl.py
@@ -382,6 +382,8 @@ class RouterTestSslClient(RouterTestSslBase):
         url = Url("amqps://0.0.0.0:%d/$management" % listener_port)
         # Preparing SSLDomain (client cert) and SASL authentication info
         domain = SSLDomain(SSLDomain.MODE_CLIENT)
+        domain.set_trusted_ca_db(self.ssl_file('ca-certificate.pem'))
+        domain.set_peer_authentication(SSLDomain.VERIFY_PEER)
         # Enforcing given TLS protocol
         cproton.pn_ssl_domain_set_protocols(domain._domain, tls_protocol)
 
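Review bot: The client domain here is given `SSLDomain.VERIFY_PEER`, not `VERIFY_PEER_NAME`, so the test validates the certificate chain against `ca-certificate.pem` but never the host name; the same two lines are added in the second hunk of this file. That is presumably deliberate because the URL in this hunk targets `0.0.0.0`, which a certificate name is unlikely to match, but it should be stated, e.g. `# VERIFY_PEER only: the URL uses 0.0.0.0, so the host name cannot be checked`. Both methods start and end outside their hunks.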
@@ -415,6 +417,8 @@ class RouterTestSslClient(RouterTestSslBase):
         domain.set_credentials(self.ssl_file('client-certificate.pem'),
                                self.ssl_file('client-private-key.pem'),
                                'client-password')
+        domain.set_trusted_ca_db(self.ssl_file('ca-certificate.pem'))
+        domain.set_peer_authentication(SSLDomain.VERIFY_PEER)
         # Enforcing given TLS protocol
         cproton.pn_ssl_domain_set_protocols(domain._domain, tls_protocol)
 
diff --git a/tests/system_tests_user_id.py b/tests/system_tests_user_id.py
index 7fe6bba..76289b2 100644
--- a/tests/system_tests_user_id.py
+++ b/tests/system_tests_user_id.py
@@ -208,7 +208,7 @@ class QdSSLUseridTest(TestCase):
             ('listener', {'port': cls.tester.get_port(), 'sslProfile': 'server-ssl11', 'authenticatePeer': 'yes',
                           'requireSsl': 'yes', 'saslMechanisms': 'EXTERNAL'}),
 
-            # peer is not being authenticated here. the user must "anonymous" which is what pn_transport_get_user
+            # peer is not being authenticated here. the user must be "anonymous" which is what pn_transport_get_user
             # returns
             ('listener', {'port': cls.tester.get_port(), 'sslProfile': 'server-ssl12', 'authenticatePeer': 'no',
                           'requireSsl': 'yes', 'saslMechanisms': 'ANONYMOUS'}),
@@ -242,7 +242,7 @@ class QdSSLUseridTest(TestCase):
         domain = SSLDomain(mode)
         if trustfile:
             domain.set_trusted_ca_db(str(trustfile))
-            domain.set_peer_authentication(SSLDomain.VERIFY_PEER, str(trustfile))
+        domain.set_peer_authentication(SSLDomain.VERIFY_PEER, None)
         if certificate:
             domain.set_credentials(str(certificate), str(key), str(password))
 
@@ -314,11 +314,11 @@ class QdSSLUseridTest(TestCase):
         user = node.query(type='org.apache.qpid.dispatch.connection', attribute_names=[u'user']).results[10][0]
         self.assertEqual("C=US,ST=NC,L=Raleigh,OU=Dev,O=Client,CN=127.0.0.1", str(user))
 
-        # authenticatePeer is set to 'no' in this listener, there should be no user on the connection.
+        # authenticatePeer is set to 'no' in this listener, the user should anonymous on the connection.
         addr = self.address(11).replace("amqp", "amqps")
-        node = Node.connect(addr)
+        node = Node.connect(addr, ssl_domain=domain)
         user = node.query(type='org.apache.qpid.dispatch.connection', attribute_names=[u'user']).results[11][0]
-        self.assertEqual(None, user)
+        self.assertEqual("anonymous", user)
 
         addr = self.address(12).replace("amqp", "amqps")
         node = Node.connect(addr, ssl_domain=domain)
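Review bot: The rewritten comment reads "the user should anonymous on the connection", which is missing a verb. Suggested wording: `# authenticatePeer is set to 'no' in this listener, so the user should be "anonymous" on the connection.` The test method continues outside this hunk.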
