You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by ch...@apache.org on 2013/04/10 21:56:21 UTC
svn commit: r1466652 - in /qpid/trunk/qpid/cpp/src: qpid/acl/AclData.cpp
qpid/acl/AclData.h tests/acl.py tests/run_acl_tests
Author: chug
Date: Wed Apr 10 19:56:21 2013
New Revision: 1466652
URL: http://svn.apache.org/r1466652
Log:
QPID-4735: ACL file size/count upper limit checks incorrect
Merge IntMin and IntMax functions into a single function to contain duplicated code.
Improve log messages so that reading a log file is less painful.
Turn on ACL debug logging for main broker in ACL self test.
Modified:
qpid/trunk/qpid/cpp/src/qpid/acl/AclData.cpp
qpid/trunk/qpid/cpp/src/qpid/acl/AclData.h
qpid/trunk/qpid/cpp/src/tests/acl.py
qpid/trunk/qpid/cpp/src/tests/run_acl_tests
Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclData.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclData.cpp?rev=1466652&r1=1466651&r2=1466652&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclData.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclData.cpp Wed Apr 10 19:56:21 2013
@@ -254,10 +254,11 @@ namespace acl {
case acl::SPECPROP_MAXFILECOUNTUPPERLIMIT:
case acl::SPECPROP_MAXFILESIZEUPPERLIMIT:
limitChecked &=
- compareIntMax(
+ compareInt(
rulePropMapItr->first,
boost::lexical_cast<std::string>(rulePropMapItr->second),
- boost::lexical_cast<std::string>(lookupParamItr->second));
+ boost::lexical_cast<std::string>(lookupParamItr->second),
+ true);
break;
case acl::SPECPROP_MAXQUEUECOUNTLOWERLIMIT:
@@ -265,10 +266,11 @@ namespace acl {
case acl::SPECPROP_MAXFILECOUNTLOWERLIMIT:
case acl::SPECPROP_MAXFILESIZELOWERLIMIT:
limitChecked &=
- compareIntMin(
+ compareInt(
rulePropMapItr->first,
boost::lexical_cast<std::string>(rulePropMapItr->second),
- boost::lexical_cast<std::string>(lookupParamItr->second));
+ boost::lexical_cast<std::string>(lookupParamItr->second),
+ false);
break;
default:
@@ -635,95 +637,56 @@ namespace acl {
//
- // Limit check a MAX int limit
+ // Limit check an int limit
//
- bool AclData::compareIntMax(const qpid::acl::SpecProperty theProperty,
- const std::string theAclValue,
- const std::string theLookupValue)
+ bool AclData::compareInt(const qpid::acl::SpecProperty theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue,
+ bool theMaxFlag)
{
- uint64_t aclMax (0);
- uint64_t paramMax (0);
+ uint64_t aclRuleValue (0);
+ uint64_t lookupValue (0);
- try
- {
- aclMax = boost::lexical_cast<uint64_t>(theAclValue);
- }
- catch(const boost::bad_lexical_cast&)
- {
- assert (false);
- return false;
- }
+ QPID_LOG(debug, "ACL: "
+ << (theMaxFlag ? "Upper" : "Lower") << "-limit comparison for property "
+ << AclHelper::getPropertyStr(theProperty)
+ << ". Success if lookup(" << theLookupValue
+ << ") "
+ << (theMaxFlag ? "<=" : ">=") << " rule(" << theAclValue << ")");
try
{
- paramMax = boost::lexical_cast<uint64_t>(theLookupValue);
+ aclRuleValue = boost::lexical_cast<uint64_t>(theAclValue);
}
catch(const boost::bad_lexical_cast&)
{
- QPID_LOG(error,"ACL: Error evaluating rule. "
- << "Illegal value given in lookup for property '"
- << AclHelper::getPropertyStr(theProperty)
- << "' : " << theLookupValue);
- return false;
- }
-
- QPID_LOG(debug, "ACL: Numeric greater-than comparison for property "
- << AclHelper::getPropertyStr(theProperty)
- << " (value given in lookup = " << theLookupValue
- << ", value give in rule = " << theAclValue << " )");
-
- if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax))
- {
- QPID_LOG(debug, "ACL: Max limit exceeded for property '"
- << AclHelper::getPropertyStr(theProperty) << "'");
+ assert (false);
return false;
}
- return true;
- }
-
-
- //
- // limit check a MIN int limit
- //
- bool AclData::compareIntMin(const qpid::acl::SpecProperty theProperty,
- const std::string theAclValue,
- const std::string theLookupValue)
- {
- uint64_t aclMin (0);
- uint64_t paramMin (0);
-
- try
- {
- aclMin = boost::lexical_cast<uint64_t>(theAclValue);
- }
- catch(const boost::bad_lexical_cast&)
+ if (aclRuleValue == 0)
{
- assert (false);
- return false;
+ QPID_LOG(debug, "ACL: Comparison is always true when ACL rule value is zero");
+ return true;
}
try
{
- paramMin = boost::lexical_cast<uint64_t>(theLookupValue);
+ lookupValue = boost::lexical_cast<uint64_t>(theLookupValue);
}
catch(const boost::bad_lexical_cast&)
{
- QPID_LOG(error,"ACL: Error evaluating rule. "
- << "Illegal value given in lookup for property '"
+ QPID_LOG(error,"ACL: Illegal value given in lookup for property '"
<< AclHelper::getPropertyStr(theProperty)
<< "' : " << theLookupValue);
return false;
}
- QPID_LOG(debug, "ACL: Numeric less-than comparison for property "
- << AclHelper::getPropertyStr(theProperty)
- << " (value given in lookup = " << theLookupValue
- << ", value give in rule = " << theAclValue << " )");
-
- if (( aclMin ) && ( paramMin == 0 || paramMin < aclMin))
+ bool result =
+ (theMaxFlag ? lookupValue > aclRuleValue : lookupValue < aclRuleValue);
+ if ( result )
{
- QPID_LOG(debug, "ACL: Min limit exceeded for property '"
+ QPID_LOG(debug, "ACL: Limit exceeded for property '"
<< AclHelper::getPropertyStr(theProperty) << "'");
return false;
}
Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclData.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclData.h?rev=1466652&r1=1466651&r2=1466652&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclData.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclData.h Wed Apr 10 19:56:21 2013
@@ -204,13 +204,11 @@ public:
virtual ~AclData();
private:
- bool compareIntMax(const qpid::acl::SpecProperty theProperty,
- const std::string theAclValue,
- const std::string theLookupValue);
- bool compareIntMin(const qpid::acl::SpecProperty theProperty,
- const std::string theAclValue,
- const std::string theLookupValue);
+ bool compareInt(const qpid::acl::SpecProperty theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue,
+ bool theMaxFlag);
// Per-user connection quota
bool connQuotaRulesExist;
Modified: qpid/trunk/qpid/cpp/src/tests/acl.py
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/acl.py?rev=1466652&r1=1466651&r2=1466652&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/acl.py (original)
+++ qpid/trunk/qpid/cpp/src/tests/acl.py Wed Apr 10 19:56:21 2013
@@ -976,6 +976,7 @@ class ACLTests(TestBase010):
aclf.write('acl deny bob@QPID purge queue name=qf3\n')
aclf.write('acl deny bob@QPID delete queue name=qf4\n')
aclf.write('acl deny bob@QPID create queue name=qf5 filemaxsizeupperlimit=1000 filemaxcountupperlimit=100\n')
+ aclf.write('acl deny bob@QPID create queue name=ABCDE queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n')
aclf.write('acl allow all all')
aclf.close()
@@ -985,6 +986,16 @@ class ACLTests(TestBase010):
session = self.get_session('bob','bob')
+ self.Lookup("bob@QPID", "create", "queue", "ABCDE", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"0",
+ "maxfilecount":"0" }, "deny")
+
try:
queue_options = {}
queue_options["qpid.file_count"] = 200
@@ -1020,6 +1031,9 @@ class ACLTests(TestBase010):
aclf.write('acl allow bob@QPID delete queue name=qfd4\n')
aclf.write('acl allow bob@QPID create queue name=qfd5 filemaxsizeupperlimit=1000 filemaxcountupperlimit=100\n')
aclf.write('acl allow bob@QPID create queue name=qfd6 filemaxsizelowerlimit=50 filemaxsizeupperlimit=100 filemaxcountlowerlimit=50 filemaxcountupperlimit=100\n')
+ aclf.write('acl allow bob@QPID create queue name=ABCDE queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n')
+ aclf.write('acl allow bob@QPID create queue name=FGHIJ queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=2 filemaxsizeupperlimit=32 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n')
+ aclf.write('acl allow bob@QPID create queue name=KLMNO queuemaxsizelowerlimit=900000 queuemaxsizeupperlimit=1024000 queuemaxcountlowerlimit=900 queuemaxcountupperlimit=2000 filemaxsizelowerlimit=0 filemaxsizeupperlimit=0 filemaxcountlowerlimit=0 filemaxcountupperlimit=4 policytype=ring durable=false autodelete=true\n')
aclf.write('acl allow anonymous all all\n')
aclf.write('acl deny all all')
aclf.close()
@@ -1030,6 +1044,86 @@ class ACLTests(TestBase010):
session = self.get_session('bob','bob')
+ self.Lookup("bob@QPID", "create", "queue", "ABCDE", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"0",
+ "maxfilecount":"0" }, "allow")
+
+ self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"1",
+ "maxfilecount":"0" }, "deny")
+
+ self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"2",
+ "maxfilecount":"0" }, "allow")
+
+ self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"32",
+ "maxfilecount":"0" }, "allow")
+
+ self.Lookup("bob@QPID", "create", "queue", "FGHIJ", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"33",
+ "maxfilecount":"0" }, "deny")
+
+ self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"0",
+ "maxfilecount":"0" }, "allow")
+
+ self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"17",
+ "maxfilecount":"0" }, "allow")
+
+ self.Lookup("bob@QPID", "create", "queue", "KLMNO", {"durable":"false",
+ "autodelete":"true",
+ "exclusive":"false",
+ "alternate":"",
+ "policytype":"ring",
+ "maxqueuesize":"1024000",
+ "maxqueuecount":"1000",
+ "maxfilesize":"33",
+ "maxfilecount":"0" }, "allow")
+
try:
session.queue_declare(queue="qfd1", durable=True)
except qpid.session.SessionException, e:
@@ -1778,7 +1872,6 @@ class ACLTests(TestBase010):
for u in g_admins:
self.Lookup(u, "create", "queue", "anything", {"durable":"true"}, "allow-log")
-
uInTest = g_auditors + g_admins
uOutTest = self.AllBut(g_all, uInTest)
Modified: qpid/trunk/qpid/cpp/src/tests/run_acl_tests
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/run_acl_tests?rev=1466652&r1=1466651&r2=1466652&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/run_acl_tests (original)
+++ qpid/trunk/qpid/cpp/src/tests/run_acl_tests Wed Apr 10 19:56:21 2013
@@ -29,7 +29,7 @@ DATA_DIRQ=`pwd`/data_dirq
trap stop_brokers INT TERM QUIT
start_brokers() {
- ../qpidd --daemon --port 0 --no-module-dir --data-dir $DATA_DIR --load-module $ACL_LIB --acl-file policy.acl --auth no --log-to-file local.log > qpidd.port
+ ../qpidd --daemon --port 0 --no-module-dir --data-dir $DATA_DIR --load-module $ACL_LIB --acl-file policy.acl --auth no --log-enable trace+:acl --log-to-file local.log > qpidd.port
LOCAL_PORT=`cat qpidd.port`
../qpidd --daemon --port 0 --no-module-dir --data-dir $DATA_DIRI --load-module $ACL_LIB --acl-file policy.acl --auth no --connection-limit-per-ip 2 --log-to-file locali.log > qpiddi.port
LOCAL_PORTI=`cat qpiddi.port`
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org