Posted to commits@qpid.apache.org by ch...@apache.org on 2018/05/01 20:25:23 UTC

[01/10] qpid-dispatch git commit: DISPATCH-976: Update doc book description of new config attributes

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 51db02b18 -> e91950779


DISPATCH-976: Update doc book description of new config attributes


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/e9195077
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/e9195077
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/e9195077

Branch: refs/heads/master
Commit: e9195077972e4eb9e6cb577cdcace766e9f027b3
Parents: f9e02ec
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 15:39:31 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 doc/book/policy.adoc | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/e9195077/doc/book/policy.adoc
----------------------------------------------------------------------
diff --git a/doc/book/policy.adoc b/doc/book/policy.adoc
index 62cc7a6..c2be257 100644
--- a/doc/book/policy.adoc
+++ b/doc/book/policy.adoc
@@ -163,6 +163,8 @@ This object is the data value contained in entries in the policy/groups map.
 | allowUserIdProxy     | false   | This connection is allowed to send messages with a user_id property that differs from the connection's authenticated user id.
 | sources              | ""      | List of Source addresses allowed when creating receiving links. This list may be expressed as a CSV string or as a list of strings. An empty list denies all access.
 | targets              | ""      | List of Target addresses allowed when creating sending links. This list may be expressed as a CSV string or as a list of strings. An empty list denies all access.
+| sourcePattern        | ""      | List of Source address patterns allowed when creating receiving links. This list must be expressed as a CSV string. An empty string denies all access. 
+| targetPattern        | ""      | List of Target address patterns allowed when creating sending links. This list must be expressed as a CSV string. An empty string denies all access. 
 |====
 
 == Policy Wildcard and User Name Substitution
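
Review bot: the two new rows reuse the wording "An empty string denies all access" with a default of "", exactly like the `sources` and `targets` rows above them, so a reader cannot tell which attribute governs when only one of the pair is configured. Suggest saying in each row that the attribute is an alternative to `sources` / `targets` and what an unset value means when the other attribute is present. The two added lines also end in trailing whitespace.
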
@@ -182,9 +184,10 @@ specify all hosts.
 The asterisk must stand alone and cannot be appended to a host name
 or to an IP address fragment.
 
-=== AMQP Source and Target Wildcard and Name Substitution
+=== AMQP Source and Target User Name Substitution
 
-The rule definitions for `sources` and `targets` may include the username
+The rule definitions for `sources`, `targets`, `sourcePattern`, and
+`targetPattern` may include the username
 substitution token
 
 [options="nowrap"]
@@ -192,14 +195,16 @@ substitution token
     ${user}
 ----
 
-or a trailing asterisk.
-
 The username substitution token is replaced with the authenticated user name for
 the connection. Using this token, an administrator may allow access to
 some resources specific to each user without having to name each user
 individually. This token is substituted once for the leftmost
 occurrence in the link name.
 
+=== AMQP Source and Target Link Name Match Wildcard
+
+The rule definitions for `sources` and `targets` may contain a trailing
+asterisk character.
 The asterisk is recognized only if it is the last character in the
 link name.
 
@@ -208,6 +213,29 @@ link name.
     sources: tmp_${user}, temp*, ${user}-home-*
 ----
 
+The rule definitions for `sourcePattern` and `targetPattern` use the same
+patterns defined for router addresses and link routes. The patterns consist of one or more
+tokens separated by a forward slash /. A token can be one of the following: 
+a * character, a # character, or a sequence of characters that do not 
+include /, *, or #. The * token matches any single token. The # token 
+matches zero or more tokens.
+
+For each rule definition multiple patterns may be specified in a comma
+separated list.
+
+[options="nowrap"]
+----
+    sourcePattern: tmp_${user}, temp/#, ${user}-home/*
+----
+
+[NOTE]
+====
+A rule definition may contain `sources` or `sourcePattern` but not both.
+A rule definition may contain `targets` or `targetPattern` but not both.
+====
+
+
+
 == Composing Policies
 
 This section shows policy examples designed to illustrate some common use cases.
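
Review bot: the new example `sourcePattern: tmp_${user}, temp/#, ${user}-home/*` sits directly under `sources: tmp_${user}, temp*, ${user}-home-*` and reads as its equivalent, but by the token rules given here it is not. `temp*` admits any name beginning with `temp`, while `temp/#` admits only `temp` followed by zero or more `/`-separated tokens, so a name such as `temp-305` is allowed by the first and denied by the second. An administrator migrating rules will change who can open which links; a sentence calling out the difference would help. The NOTE should also say what the router does when both `sources` and `sourcePattern` are present (reject the configuration, or which one wins), and the three blank lines added before `== Composing Policies` can be dropped.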


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


[04/10] qpid-dispatch git commit: DISPATCH-976: add address match patterns to vhostUserGroupSettings

Posted by ch...@apache.org.
DISPATCH-976: add address match patterns to vhostUserGroupSettings

The pattern match settings supersede the existing simple wildcard settings.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/210683db
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/210683db
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/210683db

Branch: refs/heads/master
Commit: 210683db7188875486a1615e2426987e2e1fa057
Parents: 51db02b
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 13:53:58 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 python/qpid_dispatch/management/qdrouter.json | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/210683db/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 71d932d..97e8e09 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -1824,15 +1824,29 @@
                 },
                 "sources": {
                     "type": "string",
-                    "description": "A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
+                    "description": "(DEPRECATED - use sourcePattern instead). A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
                     "required": false,
+                    "deprecated": true,
                     "create": true
                 },
                 "targets": {
                     "type": "string",
-                    "description": "A list of target addresses to which users in this group may send messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
+                    "description": "(DEPRECATED - use targetPattern instead). A list of target addresses to which users in this group may send messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
                     "required": false,
+                    "deprecated": true,
                     "create": true
+                },
+                "sourcePattern": {
+                    "type": "string",
+                    "description": "A wildcarded pattern for matching source addresses from which users in this group may receive messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '{user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses.",
+                    "create": true,
+                    "required": false
+                },
+                "targetPattern": {
+                    "type": "string",
+                    "description": "A wildcarded pattern for matching target addresses to which users in this group may send messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '{user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses.",
+                    "create": true,
+                    "required": false
                 }
             }
         },
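
Review bot: the `sourcePattern` and `targetPattern` descriptions name the substitution token as '{user}', while the `sources` and `targets` descriptions in the same hunk use '${user}'. If the token is the same one, the new text should read '${user}'. The new descriptions also say addresses may be separated by "either a comma or a space", whereas the policy.adoc change in this series says the list must be a CSV string; one of the two needs correcting so administrators do not write space-separated patterns that are then treated as a single pattern.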




[02/10] qpid-dispatch git commit: DISPATCH-976: pass empty strings from python to C

Posted by ch...@apache.org.
DISPATCH-976: pass empty strings from python to C

when the strings are absent then the C code generates a
python 'index not found' exception and a python log trace
entry.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/1b36bc26
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/1b36bc26
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/1b36bc26

Branch: refs/heads/master
Commit: 1b36bc26ecad88490f80a64cc0d5d967431b5b3a
Parents: 9c6f3c1
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 14:18:39 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 python/qpid_dispatch_internal/policy/policy_local.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/1b36bc26/python/qpid_dispatch_internal/policy/policy_local.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/policy/policy_local.py b/python/qpid_dispatch_internal/policy/policy_local.py
index ebbd00e..b482b7f 100644
--- a/python/qpid_dispatch_internal/policy/policy_local.py
+++ b/python/qpid_dispatch_internal/policy/policy_local.py
@@ -228,10 +228,10 @@ class PolicyCompiler(object):
         policy_out[PolicyKeys.KW_ALLOW_DYNAMIC_SRC] = False
         policy_out[PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER] = False
         policy_out[PolicyKeys.KW_ALLOW_USERID_PROXY] = False
-        #policy_out[PolicyKeys.KW_SOURCES] = None
-        #policy_out[PolicyKeys.KW_TARGETS] = None
-        #policy_out[PolicyKeys.KW_SOURCE_PATTERN] = None
-        #policy_out[PolicyKeys.KW_TARGET_PATTERN] = None
+        policy_out[PolicyKeys.KW_SOURCES] = ''
+        policy_out[PolicyKeys.KW_TARGETS] = ''
+        policy_out[PolicyKeys.KW_SOURCE_PATTERN] = ''
+        policy_out[PolicyKeys.KW_TARGET_PATTERN] = ''
 
         cerror = []
         user_sources = False
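
Review bot: the four defaults change from commented-out `None` to `''` with no comment saying why the keys must always be present. A one-line comment above the assignments (the C side reads these keys and raises when they are absent; an empty string means deny all) would stop a later cleanup from removing them again.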




[06/10] qpid-dispatch git commit: DISPATCH-976: add mission code to do tree checks; add unit test

Posted by ch...@apache.org.
DISPATCH-976: add mission code to do tree checks; add unit test


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/17d9977f
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/17d9977f
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/17d9977f

Branch: refs/heads/master
Commit: 17d9977ff1e02ce8190c0881a4825891970fb06b
Parents: 2f35a9f
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 13:59:09 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 src/policy.c          | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 src/policy.h          | 11 +++++++++++
 src/policy_internal.h | 12 ++++++++++++
 tests/policy_test.c   | 27 +++++++++++++++++++++++++-
 4 files changed, 96 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/17d9977f/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 099295f..cddafe4 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -609,6 +609,28 @@ bool _qd_policy_approve_link_name(const char *username, const char *allowed, con
 }
 
 
+bool _qd_policy_approve_link_name_tree(const char *username, qd_parse_tree_t *tree, const char *proposed)
+{
+    // Verify string sizes are usable
+    size_t p_len = strlen(proposed);
+    if (p_len == 0) {
+        // degenerate case of blank name being opened. will never match anything.
+        return false;
+    }
+    void * unused_payload = 0;
+
+    if (qd_parse_tree_retrieve_match_str(tree, proposed, &unused_payload))
+        return true;
+
+    // Do reverse user substitution into proposed
+    char substbuf[QPALN_USERBUFSIZE];
+    char * prop2 = _qd_policy_link_user_name_subst(username, proposed, substbuf, QPALN_USERBUFSIZE);
+    if (prop2 && qd_parse_tree_retrieve_match_str(tree, prop2, &unused_payload))
+        return true;
+    return false;
+}
+
+
 bool qd_policy_approve_amqp_sender_link(pn_link_t *pn_link, qd_connection_t *qd_conn)
 {
     const char *hostip = qd_connection_remote_ip(qd_conn);
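
Review bot: `_qd_policy_approve_link_name_tree` calls `strlen(proposed)` on its first line with no NULL check, and `tree` is dereferenced by `qd_parse_tree_retrieve_match_str` without one either. The comment says "Verify string sizes are usable" but only the empty string is rejected. Since this is an authorization path, suggest returning false up front when `proposed` or `tree` is NULL, and initializing `unused_payload` with `NULL` rather than `0`.
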
@@ -778,3 +800,28 @@ void qd_policy_settings_free(qd_policy_settings_t *settings)
     if (settings->targetParseTree) qd_parse_tree_free(settings->targetParseTree);
     free (settings);
 }
+
+
+bool qd_policy_approve_link_name(const char *username,
+                                 const qd_policy_settings_t *settings,
+                                 const char *proposed,
+                                 bool isReceiver)
+{
+    if (isReceiver) {
+        if (settings->sourceParseTree) {
+            return _qd_policy_approve_link_name_tree(username, settings->sourceParseTree, proposed);
+        } else if (settings->sourcePattern) {
+            return _qd_policy_approve_link_name(username, settings->sources, proposed);
+        } else {
+            return false;
+        }
+    } else {
+        if (settings->targetParseTree) {
+            return _qd_policy_approve_link_name_tree(username, settings->sourceParseTree, proposed);
+        } else if (settings->sourcePattern) {
+            return _qd_policy_approve_link_name(username, settings->sources, proposed);
+        } else {
+            return false;
+        }
+    }
+}
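
Review bot: the sender branch of `qd_policy_approve_link_name` authorizes against the receiver's rules. In the `else` arm, `settings->targetParseTree` is tested but `settings->sourceParseTree` is what gets passed to `_qd_policy_approve_link_name_tree`, and the fallback tests `settings->sourcePattern` and matches against `settings->sources`, so `targets` and `targetPattern` are never consulted for a sending link. The receiver fallback has a related slip: it is taken when `settings->sourcePattern` is set but matches against `settings->sources`, so the condition should test `settings->sources`. Suggest the sender arm use `targetParseTree` and `settings->targets` throughout, and a unit test that calls this function with differing source and target settings.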

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/17d9977f/src/policy.h
----------------------------------------------------------------------
diff --git a/src/policy.h b/src/policy.h
index edf11f6..9bddd28 100644
--- a/src/policy.h
+++ b/src/policy.h
@@ -166,4 +166,15 @@ void qd_policy_amqp_open(qd_connection_t *conn);
  */
 void qd_policy_settings_free(qd_policy_settings_t *settings);
 
+/** Approve link by source/target name.
+ * @param[in] username authenticated user name
+ * @param[in] settings policy settings
+ * @param[in] proposed the link target name to be approved
+ * @param[in] isReceiver indication to check using receiver settings
+ */
+bool qd_policy_approve_link_name(const char *username,
+                                  const qd_policy_settings_t *settings,
+                                  const char *proposed,
+                                  bool isReceiver
+                                );
 #endif
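
Review bot: the doc comment for `qd_policy_approve_link_name` describes `proposed` as "the link target name", but with `isReceiver` true the name is a source. It also lacks an `@return` line stating that true means the link is approved. Suggest "the link source or target name" and an explicit return description.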

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/17d9977f/src/policy_internal.h
----------------------------------------------------------------------
diff --git a/src/policy_internal.h b/src/policy_internal.h
index 374d4ea..100338f 100644
--- a/src/policy_internal.h
+++ b/src/policy_internal.h
@@ -100,4 +100,16 @@ char * _qd_policy_link_user_name_subst(const char *uname, const char *proposed,
  * @param[in] proposed the link target name to be approved
  */
 bool _qd_policy_approve_link_name(const char *username, const char *allowed, const char *proposed);
+
+
+/** Approve link by source/target name.
+ * This match supports a parse_tree match.
+ *    proposed 'temp-305' matches allowed 'temp-*'
+ * This match supports username substitution:
+ *    user 'joe', proposed 'temp-joe' matches allowed 'temp-${user}'
+ * @param[in] username authenticated user name
+ * @param[in] allowed policy settings source/target string in packed CSV form.
+ * @param[in] proposed the link target name to be approved
+ */
+bool _qd_policy_approve_link_name_tree(const char *username, qd_parse_tree_t *tree, const char *proposed);
 #endif
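
Review bot: the doc comment for `_qd_policy_approve_link_name_tree` documents a parameter `allowed` ("packed CSV form") that the function does not have; the second argument is `qd_parse_tree_t *tree`. The examples `temp-*` and `temp-${user}` are also copied from the simple wildcard matcher and do not illustrate token-based matching. Suggest replacing the `allowed` line with a `tree` description and using a tokenized example.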

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/17d9977f/tests/policy_test.c
----------------------------------------------------------------------
diff --git a/tests/policy_test.c b/tests/policy_test.c
index 9409c3d..ca73f32 100644
--- a/tests/policy_test.c
+++ b/tests/policy_test.c
@@ -22,6 +22,7 @@
 #include <string.h>
 #include "policy.h"
 #include "policy_internal.h"
+#include "parse_tree.h"
 
 static char *test_link_name_lookup(void *context)
 {
@@ -74,16 +75,40 @@ static char *test_link_name_lookup(void *context)
     // Combine user name and wildcard
     if (!_qd_policy_approve_link_name("chuck", "ab${user}*", "abchuckzyxw"))
         return "proposed link 'abchuckzyxw' should match allowed links with ${user}* but does not";
-    
+
     return 0;
 }
 
+
+static char *test_link_name_tree_lookup(void *context)
+{
+    qd_parse_tree_t *node = qd_parse_tree_new(QD_PARSE_TREE_ADDRESS);
+    void *payload = (void*)1;
+
+    qd_parse_tree_add_pattern_str(node, "ab${user}xyz", payload);
+
+    if (!_qd_policy_approve_link_name_tree("chuck", node, "abchuckxyz"))
+        return "proposed link 'abchuckxyz' should tree-match allowed links with ${user} but does not";
+
+    qd_parse_tree_add_pattern_str(node, "${user}.#", payload);
+
+    if (!_qd_policy_approve_link_name_tree("motronic", node, "motronic"))
+        return "proposed link 'motronic' should tree-match allowed links with ${user} but does not";
+
+    if (!_qd_policy_approve_link_name_tree("motronic", node, "motronic.stubs.wobbler"))
+        return "proposed link 'motronic.stubs.wobbler' should tree-match allowed links with ${user} but does not";
+
+    return 0;
+}
+
+
 int policy_tests(void)
 {
     int result = 0;
     char *test_group = "policy_tests";
 
     TEST_CASE(test_link_name_lookup, 0);
+    TEST_CASE(test_link_name_tree_lookup, 0);
 
     return result;
 }
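
Review bot: `test_link_name_tree_lookup` asserts only on matches that should succeed. For an access-control check the denials matter at least as much: add cases showing that user "chuck" is refused `motronic.stubs.wobbler` and that a name matching no pattern returns false. The test also never calls `qd_parse_tree_free(node)`, and nothing here exercises the public `qd_policy_approve_link_name` wrapper added in this commit.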




[03/10] qpid-dispatch git commit: DISPATCH-976: instantiate and destroy policy parse trees

Posted by ch...@apache.org.
DISPATCH-976: instantiate and destroy policy parse trees


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/2f35a9f0
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/2f35a9f0
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/2f35a9f0

Branch: refs/heads/master
Commit: 2f35a9f00c2d7c19a702bdeedc2041d55a7781b6
Parents: 05440db
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 13:58:17 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 src/policy.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 src/policy.h |  9 +++++++++
 src/server.c | 11 +----------
 3 files changed, 67 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2f35a9f0/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 4ee1930..099295f 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -21,6 +21,7 @@
 #include "qpid/dispatch/python_embedded.h"
 #include "policy.h"
 #include "policy_internal.h"
+#include "parse_tree.h"
 #include <stdio.h>
 #include <string.h>
 #include "dispatch_private.h"
@@ -240,6 +241,44 @@ void qd_policy_socket_close(qd_policy_t *policy, const qd_connection_t *conn)
 }
 
 
+// C in the CSV string
+static const char* QPALN_COMMA_SEP =",";
+
+//
+// Given a CSV string defining parser tree specs for allowed sender or
+// receiver links, return a parse_tree
+//
+//  @param config_spec CSV string with link name match patterns
+//  @return pointer to parse tree
+//
+qd_parse_tree_t * qd_policy_parse_tree(const char *config_spec)
+{
+    if (!config_spec || strlen(config_spec) == 0)
+        // empty config specs never match so don't even create parse tree
+        return NULL;
+
+    qd_parse_tree_t *tree = qd_parse_tree_new(QD_PARSE_TREE_ADDRESS);
+    if (!tree)
+        return NULL;
+
+    // Add CSV's values to the tree.
+    // Note that tree's pattern is unused. This code uses a dummy '1'.
+    char * dup = strdup(config_spec);
+    char * dupend = dup + strlen(dup);
+    char * pch = dup;
+    while (pch < dupend) {
+        size_t vsize = strcspn(pch, QPALN_COMMA_SEP);
+        if (vsize > 0) {
+            pch[vsize] = '\0';
+            qd_parse_tree_add_pattern_str(tree, pch, (void *)1);
+        }
+        pch += vsize + 1;
+    }
+    free(dup);
+    return tree;
+}
+
+
 //
 // Functions related to authenticated connection denial.
 // An AMQP Open has been received over some connection.
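
Review bot: `qd_policy_parse_tree` splits only on `QPALN_COMMA_SEP` and passes each piece to `qd_parse_tree_add_pattern_str` untrimmed, so a spec written like the book example `tmp_${user}, temp/#, ${user}-home/*` yields patterns with a leading space unless `normalize_pattern` happens to strip it. Suggest skipping leading and trailing whitespace around each value before adding it. The `strdup(config_spec)` result is also used by `strlen(dup)` without a NULL check, and the comment "tree's pattern is unused" presumably means the payload.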
@@ -326,6 +365,8 @@ bool qd_policy_open_lookup_user(
                     settings->targets              = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
                     settings->sourcePattern        = qd_entity_get_string((qd_entity_t*)upolicy, "sourcePattern");
                     settings->targetPattern        = qd_entity_get_string((qd_entity_t*)upolicy, "targetPattern");
+                    settings->sourceParseTree      = qd_policy_parse_tree(settings->sourcePattern);
+                    settings->targetParseTree      = qd_policy_parse_tree(settings->targetPattern);
                     settings->denialCounts         = (qd_policy_denial_counts_t*)
                                                     qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts");
                     Py_XDECREF(result2);
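
Review bot: `qd_policy_parse_tree` returns NULL both for an empty spec and when `qd_parse_tree_new` fails, and the two assignments here store the result without distinguishing them. A configured `sourcePattern` whose tree could not be built then looks the same as "no pattern configured". Suggest treating a NULL tree for a non-empty pattern string as an error at this point, with a log entry.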
@@ -505,8 +546,6 @@ char * _qd_policy_link_user_name_subst(const char *uname, const char *proposed,
 #define QPALN_SIZE 1024
 // Size of user-name-substituted proposed string.
 #define QPALN_USERBUFSIZE 300
-// C in the CSV string
-#define QPALN_COMMA_SEP ","
 // Wildcard character
 #define QPALN_WILDCARD '*'
 
@@ -530,6 +569,9 @@ bool _qd_policy_approve_link_name(const char *username, const char *allowed, con
     if (a_len > QPALN_SIZE) {
         pa = (char *)malloc(a_len + 1); // malloc a buffer for larger allow lists
     }
+    if (!pa)
+        return false;
+
     strncpy(pa, allowed, a_len);
     pa[a_len] = 0;
     // Do reverse user substitution into proposed
@@ -723,3 +765,16 @@ void qd_policy_amqp_open(qd_connection_t *qd_conn) {
         qd_policy_private_deny_amqp_connection(conn, QD_AMQP_COND_RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
     }
 }
+
+
+void qd_policy_settings_free(qd_policy_settings_t *settings)
+{
+    if (!settings) return;
+    if (settings->sources)         free(settings->sources);
+    if (settings->targets)         free(settings->targets);
+    if (settings->sourcePattern)   free(settings->sourcePattern);
+    if (settings->targetPattern)   free(settings->targetPattern);
+    if (settings->sourceParseTree) qd_parse_tree_free(settings->sourceParseTree);
+    if (settings->targetParseTree) qd_parse_tree_free(settings->targetParseTree);
+    free (settings);
+}

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2f35a9f0/src/policy.h
----------------------------------------------------------------------
diff --git a/src/policy.h b/src/policy.h
index 80d50aa..edf11f6 100644
--- a/src/policy.h
+++ b/src/policy.h
@@ -28,6 +28,7 @@
 #include "config.h"
 #include "entity.h"
 #include "entity_cache.h"
+#include "parse_tree.h"
 #include <dlfcn.h>
 
 typedef struct qd_policy_denial_counts_s qd_policy_denial_counts_t;
@@ -54,6 +55,8 @@ struct qd_policy__settings_s {
     char *targets;
     char *sourcePattern;
     char *targetPattern;
+    qd_parse_tree_t *sourceParseTree;
+    qd_parse_tree_t *targetParseTree;
     qd_policy_denial_counts_t *denialCounts;
 };
 
@@ -157,4 +160,10 @@ bool qd_policy_approve_amqp_receiver_link(pn_link_t *pn_link, qd_connection_t *q
  **/
 void qd_policy_amqp_open(qd_connection_t *conn);
 
+/** Dispose of policy settings
+ * 
+ * @param settings the settings to be destroyed
+ */
+void qd_policy_settings_free(qd_policy_settings_t *settings);
+
 #endif

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2f35a9f0/src/server.c
----------------------------------------------------------------------
diff --git a/src/server.c b/src/server.c
index 2e87a15..cb90510 100644
--- a/src/server.c
+++ b/src/server.c
@@ -804,16 +804,7 @@ static void qd_connection_free(qd_connection_t *ctx)
 
     invoke_deferred_calls(ctx, true);  // Discard any pending deferred calls
     sys_mutex_free(ctx->deferred_call_lock);
-
-    if (ctx->policy_settings) {
-        if (ctx->policy_settings->sources)
-            free(ctx->policy_settings->sources);
-        if (ctx->policy_settings->targets)
-            free(ctx->policy_settings->targets);
-        free (ctx->policy_settings);
-        ctx->policy_settings = 0;
-    }
-
+    qd_policy_settings_free(ctx->policy_settings);
     if (ctx->free_user_id) free((char*)ctx->user_id);
     if (ctx->timer) qd_timer_free(ctx->timer);
     free(ctx->name);
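
Review bot: the removed block set `ctx->policy_settings = 0` after freeing, and the replacement call `qd_policy_settings_free(ctx->policy_settings);` leaves the pointer dangling. If anything later in `qd_connection_free` or a deferred path reads it, that is a use after free. Suggest resetting the field to NULL right after the call.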




[07/10] qpid-dispatch git commit: DISPATCH-976: Add string-based parse tree add/match functions

Posted by ch...@apache.org.
DISPATCH-976: Add string-based parse tree add/match functions

Add self test that uses new interfaces.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/05440dbc
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/05440dbc
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/05440dbc

Branch: refs/heads/master
Commit: 05440dbc14829a3b32b4bddaebcc3ad97e74ff0d
Parents: dc981ec
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 13:57:02 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 src/parse_tree.c         | 54 +++++++++++++++++++++++++++++++++++++++++++
 src/parse_tree.h         | 14 +++++++++++
 tests/parse_tree_tests.c | 27 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/05440dbc/src/parse_tree.c
----------------------------------------------------------------------
diff --git a/src/parse_tree.c b/src/parse_tree.c
index 256b838..b3651ac 100644
--- a/src/parse_tree.c
+++ b/src/parse_tree.c
@@ -771,3 +771,57 @@ void qd_parse_tree_free(qd_parse_node_t *node)
 }
 #endif
 
+//
+// parse tree functions using string interface
+//
+
+// returns old payload or NULL if new
+void *qd_parse_tree_add_pattern_str(qd_parse_tree_t *node,
+                                    const char *pattern,
+                                    void *payload)
+{
+    token_iterator_t key;
+    void *rc = NULL;
+    char *str = strdup(pattern);
+
+    normalize_pattern(node->type, str);
+    qd_log(node->log_source, QD_LOG_TRACE,
+           "Parse tree(str) add address pattern '%s'", str);
+
+    token_iterator_init(&key, node->type, str);
+    rc = parse_node_add_pattern(node, &key, str, payload);
+    free(str);
+    return rc;
+}
+
+
+// visit each matching pattern that matches value in the order based on the
+// precedence rules
+void qd_parse_tree_search_str(qd_parse_tree_t *node,
+                              const char *value,
+                              qd_parse_tree_visit_t *callback, void *handle)
+{
+    token_iterator_t t_iter;
+    // @TODO(kgiusti) for now:
+    char *str = strdup(value);
+    qd_log(node->log_source, QD_LOG_TRACE, "Parse tree(str) search for '%s'", str);
+
+    token_iterator_init(&t_iter, node->type, str);
+    parse_node_find(node, &t_iter, callback, handle);
+
+    free(str);
+}
+
+
+// returns true on match and sets *payload
+bool qd_parse_tree_retrieve_match_str(qd_parse_tree_t *tree,
+                                      const char *value,
+                                      void **payload)
+{
+    *payload = NULL;
+    qd_parse_tree_search_str(tree, value, get_first, payload);
+    if (*payload == NULL)
+        qd_log(tree->log_source, QD_LOG_TRACE, "Parse tree(str) match not found");
+    return *payload != NULL;
+}
+
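
Review bot: both strdup() calls in this hunk (in qd_parse_tree_add_pattern_str and qd_parse_tree_search_str) are used without a NULL check, so an allocation failure passes a NULL str into normalize_pattern(), qd_log() and token_iterator_init(). Check the result and return early before touching str. Also, str is freed immediately after parse_node_add_pattern(node, &key, str, payload); a one-line comment confirming that the callee copies the pattern rather than keeping the pointer would make the lifetime explicit.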

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/05440dbc/src/parse_tree.h
----------------------------------------------------------------------
diff --git a/src/parse_tree.h b/src/parse_tree.h
index 1b586ce..34d29f4 100644
--- a/src/parse_tree.h
+++ b/src/parse_tree.h
@@ -111,4 +111,18 @@ void qd_parse_tree_search(qd_parse_tree_t *tree, const qd_iterator_t *value,
 // visit each terminal node on the tree, returns last value returned by callback
 bool qd_parse_tree_walk(qd_parse_tree_t *tree, qd_parse_tree_visit_t *callback, void *handle);
 
+//
+// parse tree functions using string interface
+//
+
+// returns old payload or NULL if new
+void *qd_parse_tree_add_pattern_str(qd_parse_tree_t *node,
+                                    const char *pattern,
+                                    void *payload);
+
+// returns true on match and sets *payload
+bool qd_parse_tree_retrieve_match_str(qd_parse_tree_t *tree,
+                                      const char *value,
+                                      void **payload);
+
 #endif /* parse_tree.h */
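
Review bot: the header declares qd_parse_tree_add_pattern_str and qd_parse_tree_retrieve_match_str but not qd_parse_tree_search_str, which parse_tree.c in this same commit defines with external linkage. Either add its prototype here or make the definition static. The first parameter is also named node in one prototype and tree in the other; use one name for both.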

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/05440dbc/tests/parse_tree_tests.c
----------------------------------------------------------------------
diff --git a/tests/parse_tree_tests.c b/tests/parse_tree_tests.c
index e8bcf3f..d04204d 100644
--- a/tests/parse_tree_tests.c
+++ b/tests/parse_tree_tests.c
@@ -66,6 +66,32 @@ static char *test_add_remove(void *context)
     return NULL;
 }
 
+static char *test_add_and_match_str(void *context)
+{
+    const char *str1 = "I.am.Sam";
+    const char *str2 = "Sam.I.Am";
+    qd_parse_tree_t *node = qd_parse_tree_new(QD_PARSE_TREE_ADDRESS);
+    void *payload;
+
+    if (qd_parse_tree_add_pattern_str(node, str1, "Hi Sam"))
+        return "Add returned existing value (1)";
+
+    if (qd_parse_tree_add_pattern_str(node, str2, "Bye Sam"))
+        return "Add returned existing value (2)";
+
+    if (!qd_parse_tree_retrieve_match_str(node, str1, &payload))
+        return "Failed to get expected match (1)";
+
+    if (!qd_parse_tree_retrieve_match_str(node, str2, &payload))
+        return "Failed to get expected match (2)";
+
+    if (qd_parse_tree_retrieve_match_str(node, "notSoFast", &payload))
+        return "Match pattern should not match but did match";
+
+    qd_parse_tree_free(node);
+    return NULL;
+}
+
 // for pattern match callback
 typedef struct {
     int count;
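
Review bot: test_add_and_match_str checks only the boolean result of qd_parse_tree_retrieve_match_str and never inspects payload, so a lookup that returned the other pattern's payload ("Bye Sam" for str1) would still pass. Compare payload against the string stored for each pattern. Every early return also skips qd_parse_tree_free(node), so a failing run leaks the tree; free it before returning the error string.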
@@ -600,6 +626,7 @@ int parse_tree_tests(void)
     char *test_group = "parse_tree_tests";
 
     TEST_CASE(test_add_remove, 0);
+    TEST_CASE(test_add_and_match_str, 0);
     TEST_CASE(test_normalization, 0);
     TEST_CASE(test_matches, 0);
     TEST_CASE(test_multiple_matches, 0);




[09/10] qpid-dispatch git commit: DISPATCH-976: Permissive default policy using src/tgt patterns

Posted by ch...@apache.org.
DISPATCH-976: Permissive default policy using src/tgt patterns


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/f9e02ec1
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/f9e02ec1
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/f9e02ec1

Branch: refs/heads/master
Commit: f9e02ec197e50fd6c3ea6bca8c6fbf7cb16abc28
Parents: 1b36bc2
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 14:32:56 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 .../permissive-default-link-pattern.json        | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/f9e02ec1/tests/policy-7/permissive-default-link-pattern.json
----------------------------------------------------------------------
diff --git a/tests/policy-7/permissive-default-link-pattern.json b/tests/policy-7/permissive-default-link-pattern.json
new file mode 100644
index 0000000..b6adee8
--- /dev/null
+++ b/tests/policy-7/permissive-default-link-pattern.json
@@ -0,0 +1,33 @@
+##
+## Licensed to the Apache Software Foundation (ASF) under one
+## or more contributor license agreements.  See the NOTICE file
+## distributed with this work for additional information
+## regarding copyright ownership.  The ASF licenses this file
+## to you under the Apache License, Version 2.0 (the
+## "License"); you may not use this file except in compliance
+## with the License.  You may obtain a copy of the License at
+##
+##   http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing,
+## software distributed under the License is distributed on an
+## "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+## KIND, either express or implied.  See the License for the
+## specific language governing permissions and limitations
+## under the License
+##
+[
+    ["vhost", {
+        "hostname": "$default",
+        "allowUnknownUser": true,
+        "groups" : {
+            "$default": {
+                "remoteHosts": "*",
+                "allowDynamicSource": true,
+                "allowAnonymousSender": true,
+                "sourcePattern": "#",
+                "targetPattern": "#"
+            }
+        }
+    }]
+]
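
Review bot: this file opens the $default vhost completely (allowUnknownUser true, remoteHosts "*", sourcePattern "#", targetPattern "#") and nothing in it says it is a test fixture. Add a line to the ## header stating that it exists only for the policy-7 tests and is not a template for deployment, since "#" matches every address. The ## lines also make the file invalid as strict JSON, so confirm that the policy loader strips them before parsing.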




[08/10] qpid-dispatch git commit: DISPATCH-976: Enable src/tgt parse tree processing; add self test

Posted by ch...@apache.org.
DISPATCH-976: Enable src/tgt parse tree processing; add self test


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/f1f4231a
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/f1f4231a
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/f1f4231a

Branch: refs/heads/master
Commit: f1f4231aca1a50006383bd238ec486750eeca012
Parents: 17d9977
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 14:12:31 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 .../policy/policy_local.py                      |   8 +-
 src/policy.c                                    |  12 +-
 tests/system_tests_policy.py                    | 150 +++++++++++++++++++
 3 files changed, 160 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/f1f4231a/python/qpid_dispatch_internal/policy/policy_local.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/policy/policy_local.py b/python/qpid_dispatch_internal/policy/policy_local.py
index 19c81c8..a3e503a 100644
--- a/python/qpid_dispatch_internal/policy/policy_local.py
+++ b/python/qpid_dispatch_internal/policy/policy_local.py
@@ -228,10 +228,10 @@ class PolicyCompiler(object):
         policy_out[PolicyKeys.KW_ALLOW_DYNAMIC_SRC] = False
         policy_out[PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER] = False
         policy_out[PolicyKeys.KW_ALLOW_USERID_PROXY] = False
-        policy_out[PolicyKeys.KW_SOURCES] = None
-        policy_out[PolicyKeys.KW_TARGETS] = None
-        policy_out[PolicyKeys.KW_SOURCE_PATTERN] = None
-        policy_out[PolicyKeys.KW_TARGET_PATTERN] = None
+        #policy_out[PolicyKeys.KW_SOURCES] = None
+        #policy_out[PolicyKeys.KW_TARGETS] = None
+        #policy_out[PolicyKeys.KW_SOURCE_PATTERN] = None
+        #policy_out[PolicyKeys.KW_TARGET_PATTERN] = None
 
         cerror = []
         user_sources = False
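
Review bot: the four default assignments are commented out rather than deleted, which leaves dead code and no explanation of why policy_out no longer carries these keys. Remove the lines, state in a comment or in the commit message that an absent key now means "not configured", and confirm that every reader of policy_out tolerates missing KW_SOURCES, KW_TARGETS, KW_SOURCE_PATTERN and KW_TARGET_PATTERN entries.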

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/f1f4231a/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index cddafe4..235c125 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -655,7 +655,7 @@ bool qd_policy_approve_amqp_sender_link(pn_link_t *pn_link, qd_connection_t *qd_
     bool lookup;
     if (target && *target) {
         // a target is specified
-        lookup = _qd_policy_approve_link_name(qd_conn->user_id, qd_conn->policy_settings->targets, target);
+        lookup = qd_policy_approve_link_name(qd_conn->user_id, qd_conn->policy_settings, target, false);
 
         qd_log(qd_server_dispatch(qd_conn->server)->policy->log_source, (lookup ? QD_LOG_TRACE : QD_LOG_INFO),
             "%s AMQP Attach sender link '%s' for user '%s', rhost '%s', vhost '%s' based on link target name",
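
Review bot: the trailing false in qd_policy_approve_link_name(..., target, false) is an unlabelled isReceiver flag, and a swapped value at either call site would check a sender's target against the source rules or the reverse. Add an inline comment such as /* isReceiver */ or named constants for the two directions so the sender and receiver call sites read unambiguously.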
@@ -717,7 +717,7 @@ bool qd_policy_approve_amqp_receiver_link(pn_link_t *pn_link, qd_connection_t *q
     const char * source = pn_terminus_get_address(pn_link_remote_source(pn_link));
     if (source && *source) {
         // a source is specified
-        bool lookup = _qd_policy_approve_link_name(qd_conn->user_id, qd_conn->policy_settings->sources, source);
+        bool lookup = qd_policy_approve_link_name(qd_conn->user_id, qd_conn->policy_settings, source, true);
 
         qd_log(qd_server_dispatch(qd_conn->server)->policy->log_source, (lookup ? QD_LOG_TRACE : QD_LOG_INFO),
             "%s AMQP Attach receiver link '%s' for user '%s', rhost '%s', vhost '%s' based on link source name",
@@ -810,16 +810,16 @@ bool qd_policy_approve_link_name(const char *username,
     if (isReceiver) {
         if (settings->sourceParseTree) {
             return _qd_policy_approve_link_name_tree(username, settings->sourceParseTree, proposed);
-        } else if (settings->sourcePattern) {
+        } else if (settings->sources) {
             return _qd_policy_approve_link_name(username, settings->sources, proposed);
         } else {
             return false;
         }
     } else {
         if (settings->targetParseTree) {
-            return _qd_policy_approve_link_name_tree(username, settings->sourceParseTree, proposed);
-        } else if (settings->sourcePattern) {
-            return _qd_policy_approve_link_name(username, settings->sources, proposed);
+            return _qd_policy_approve_link_name_tree(username, settings->targetParseTree, proposed);
+        } else if (settings->targets) {
+            return _qd_policy_approve_link_name(username, settings->targets, proposed);
         } else {
             return false;
         }
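
Review bot: there is no regression test for the sender branch corrected here (targetParseTree and targets replacing sourceParseTree and sources): every policy in PolicyLinkNamePatternTest in this commit gives sourcePattern and targetPattern the same value, so approving a target by the source rules would still pass. Add a case where the two differ and assert that a sender to a source-only address is refused. A one-line comment that the parse tree takes priority over the legacy list would also make the fallback order explicit.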

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/f1f4231a/tests/system_tests_policy.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_policy.py b/tests/system_tests_policy.py
index 275ad75..93c7d6a 100644
--- a/tests/system_tests_policy.py
+++ b/tests/system_tests_policy.py
@@ -595,5 +595,155 @@ class PolicyWarnings(TestCase):
             self.assertTrue(len(critical_lines) == 0, msg='Policy manager does not forward policy warnings and shuts down instead.')
 
 
+class PolicyLinkNamePatternTest(TestCase):
+    """
+    Verify that specifying a policy that generates a warning does
+    not cause the router to exit without showing the warning.
+    """
+    @classmethod
+    def setUpClass(cls):
+        """Start the router"""
+        super(PolicyLinkNamePatternTest, cls).setUpClass()
+        listen_port = cls.tester.get_port()
+        policy_config_path = os.path.join(DIR, 'policy-7')
+        config = Qdrouterd.Config([
+            ('router', {'mode': 'standalone', 'id': 'QDR.Policy'}),
+            ('listener', {'port': listen_port}),
+            ('policy', {'maxConnections': 2, 'policyDir': policy_config_path, 'enableVhostPolicy': 'true'})
+        ])
+
+        cls.router = cls.tester.qdrouterd('PolicyLinkNamePatternTest', config, wait=False)
+        try:
+            cls.router.wait_ready(timeout = 5)
+        except Exception,  e:
+            pass
+
+    def address(self):
+        return self.router.addresses[0]
+
+    def run_qdmanage(self, cmd, input=None, expect=Process.EXIT_OK):
+        p = self.popen(
+            ['qdmanage'] + cmd.split(' ') + ['--bus', 'u1:password@' + self.address(), '--indent=-1', '--timeout', str(TIMEOUT)],
+            stdin=PIPE, stdout=PIPE, stderr=STDOUT, expect=expect)
+        out = p.communicate(input)[0]
+        try:
+            p.teardown()
+        except Exception, e:
+            raise Exception("%s\n%s" % (e, out))
+        return out
+
+    def default_patterns(self):
+        return """
+{
+    "hostname": "$default",
+    "maxConnections": 3,
+    "maxConnectionsPerHost": 3,
+    "maxConnectionsPerUser": 3,
+    "allowUnknownUser": true,
+    "groups": {
+        "$default": {
+            "allowAnonymousSender": true,
+            "maxReceivers": 99,
+            "users": "*",
+            "maxSessionWindow": 1000000,
+            "maxFrameSize": 222222,
+            "sourcePattern": "public, private, $management",
+            "maxMessageSize": 222222,
+            "allowDynamicSource": true,
+            "remoteHosts": "*",
+            "maxSessions": 2,
+            "targetPattern": "public, private, $management",
+            "maxSenders": 22
+        }
+    }
+}
+"""
+
+    def disallowed_source(self):
+        return """
+{
+    "hostname": "DISPATCH-1993-2",
+    "maxConnections": 3,
+    "maxConnectionsPerHost": 3,
+    "maxConnectionsPerUser": 3,
+    "allowUnknownUser": true,
+    "groups": {
+        "$default": {
+            "allowAnonymousSender": true,
+            "maxReceivers": 99,
+            "users": "*",
+            "maxSessionWindow": 1000000,
+            "maxFrameSize": 222222,
+            "sources":       "public, private, $management",
+            "sourcePattern": "public, private, $management",
+            "maxMessageSize": 222222,
+            "allowDynamicSource": true,
+            "remoteHosts": "*",
+            "maxSessions": 2,
+            "targetPattern": "public, private, $management",
+            "maxSenders": 22
+        }
+    }
+}
+"""
+
+    def disallowed_target(self):
+        return """
+{
+    "id": "DISPATCH-1993-3",
+    "maxConnections": 3,
+    "maxConnectionsPerHost": 3,
+    "maxConnectionsPerUser": 3,
+    "allowUnknownUser": true,
+    "groups": {
+        "$default": {
+            "allowAnonymousSender": true,
+            "maxReceivers": 99,
+            "users": "*",
+            "maxSessionWindow": 1000000,
+            "maxFrameSize": 222222,
+            "sourcePattern": "public, private, $management",
+            "maxMessageSize": 222222,
+            "allowDynamicSource": true,
+            "remoteHosts": "*",
+            "maxSessions": 2,
+            "targetPattern": "public, private, $management",
+            "targets": "public, private, $management",
+            "maxSenders": 22
+        }
+    }
+}
+"""
+
+    def test_link_name_parse_tree_patterns(self):
+        # update to replace source/target match patterns
+        qdm_out = "<not written>"
+        try:
+            qdm_out = self.run_qdmanage('update --type=vhost --name=vhost/$default --stdin', input=self.default_patterns())
+        except Exception, e:
+            self.assertTrue(False, msg=('Error running qdmanage %s' % e.message))
+        self.assertFalse("PolicyError" in qdm_out)
+
+        # attempt an create that should be rejected
+        qdm_out = "<not written>"
+        exception = False
+        try:
+            qdm_out = self.run_qdmanage('create --type=vhost --name=DISPATCH-1993-2 --stdin', input=self.disallowed_source())
+        except Exception, e:
+            exception = True
+            self.assertTrue("InternalServerErrorStatus: PolicyError: \"Policy 'DISPATCH-1993-2' is invalid:" in e.message)
+        self.assertTrue(exception)
+
+        # attempt another create that should be rejected
+        qdm_out = "<not written>"
+        exception = False
+        try:
+            qdm_out = self.run_qdmanage('create --type=vhost --name=DISPATCH-1993-3 --stdin', input=self.disallowed_target())
+        except Exception, e:
+            exception = True
+            self.assertTrue("InternalServerErrorStatus: PolicyError: \"Policy 'DISPATCH-1993-3' is invalid:" in e.message)
+        self.assertTrue(exception)
+
+
 if __name__ == '__main__':
     unittest.main(main_module())
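
Review bot: test_link_name_parse_tree_patterns only drives qdmanage and never attaches a sender or receiver, so the parse-tree approval path changed in src/policy.c is not exercised; add link attaches to an allowed and a disallowed address and assert on the outcome. The class docstring talks about policy warnings and router exit rather than link name patterns, setUpClass discards a wait_ready failure with a bare pass, and disallowed_target() uses "id" where the other two policies use "hostname"; fix or comment each of these.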




[10/10] qpid-dispatch git commit: DISPATCH-976: undeprecate 'sources' and 'targets' attributes

Posted by ch...@apache.org.
DISPATCH-976: undeprecate 'sources' and 'targets' attributes


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/9c6f3c17
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/9c6f3c17
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/9c6f3c17

Branch: refs/heads/master
Commit: 9c6f3c17373e012d28bbd7b0559e37e2b06e4d9b
Parents: f1f4231
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 14:15:52 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 python/qpid_dispatch/management/qdrouter.json        | 10 ++++------
 python/qpid_dispatch_internal/policy/policy_local.py |  8 ++------
 src/policy.c                                         |  5 +----
 3 files changed, 7 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9c6f3c17/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 97e8e09..7ea0547 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -1824,27 +1824,25 @@
                 },
                 "sources": {
                     "type": "string",
-                    "description": "(DEPRECATED - use sourcePattern instead). A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
+                    "description": "A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name. You may specify attributes 'sources' or 'sourcePattern' but not both at the same time.",
                     "required": false,
-                    "deprecated": true,
                     "create": true
                 },
                 "targets": {
                     "type": "string",
-                    "description": "(DEPRECATED - use targetPattern instead). A list of target addresses to which users in this group may send messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name.",
+                    "description": "A list of target addresses to which users in this group may send messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more characters in an address. However, this wildcard is only recognized if it is the last character in the address name. You may specify attributes 'targets' or 'targetPattern' but not both at the same time.",
                     "required": false,
-                    "deprecated": true,
                     "create": true
                 },
                 "sourcePattern": {
                     "type": "string",
-                    "description": "A wildcarded pattern for matching source addresses from which users in this group may receive messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '{user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses.",
+                    "description": "A wildcarded pattern for matching source addresses from which users in this group may receive messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '${user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You may specify attributes 'sources' or 'sourcePattern' but not both at the same time.",
                     "create": true,
                     "required": false
                 },
                 "targetPattern": {
                     "type": "string",
-                    "description": "A wildcarded pattern for matching target addresses to which users in this group may send messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '{user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses.",
+                    "description": "A wildcarded pattern for matching target addresses to which users in this group may send messages. The pattern consists of one or more tokens separated by a forward slash '/'. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #.  The * token matches any single token.  The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. To specify multiple addresses, separate the addresses with either a comma or a space. You can use the text string '${user}' in a token to specify an address that contains a user's authenticated user name. If you do not specify any addresses, users in this group are not allowed to send messages to any addresses. You may specify attributes 'targets' or 'targetPattern' but not both at the same time.",
                     "create": true,
                     "required": false
                 }
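
Review bot: with 'sources' and 'targets' no longer deprecated, the four descriptions give '*' two different meanings (a trailing wildcard over characters in sources/targets, a single-token match in sourcePattern/targetPattern) without pointing out the difference. Add a sentence to each description naming it, because the same string can authorize different addresses under the two attributes. The "not both at the same time" rule is also stated only as advice; say that a policy specifying both is rejected.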

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9c6f3c17/python/qpid_dispatch_internal/policy/policy_local.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/policy/policy_local.py b/python/qpid_dispatch_internal/policy/policy_local.py
index a3e503a..ebbd00e 100644
--- a/python/qpid_dispatch_internal/policy/policy_local.py
+++ b/python/qpid_dispatch_internal/policy/policy_local.py
@@ -303,15 +303,11 @@ class PolicyCompiler(object):
                 if key == PolicyKeys.KW_TARGET_PATTERN:
                     user_tgt_pattern = True
 
-        if user_sources:
-            warnings.append("Policy vhost '%s' user group '%s' uses deprecated 'sources' attribute. Use 'sourcePattern' instead" % (vhostname, usergroup))
-        if user_targets:
-            warnings.append("Policy vhost '%s' user group '%s' uses deprecated 'targets' attribute. Use 'targetPattern' instead" % (vhostname, usergroup))
         if user_sources and user_src_pattern:
-            errors.append("Policy vhost '%s' user group '%s' specifies conflicting  'sources' and 'sourcePattern' attributes. Use only 'sourcePattern' instead" % (vhostname, usergroup))
+            errors.append("Policy vhost '%s' user group '%s' specifies conflicting 'sources' and 'sourcePattern' attributes. Use only one or the other." % (vhostname, usergroup))
             return False
         if user_targets and user_tgt_pattern:
-            errors.append("Policy vhost '%s' user group '%s' specifies conflicting  'targets' and 'targetPattern' attributes. Use only 'targetPattern' instead" % (vhostname, usergroup))
+            errors.append("Policy vhost '%s' user group '%s' specifies conflicting 'targets' and 'targetPattern' attributes. Use only one or the other." % (vhostname, usergroup))
             return False
 
         return True

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9c6f3c17/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 235c125..a7e31cf 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -812,16 +812,13 @@ bool qd_policy_approve_link_name(const char *username,
             return _qd_policy_approve_link_name_tree(username, settings->sourceParseTree, proposed);
         } else if (settings->sources) {
             return _qd_policy_approve_link_name(username, settings->sources, proposed);
-        } else {
-            return false;
         }
     } else {
         if (settings->targetParseTree) {
             return _qd_policy_approve_link_name_tree(username, settings->targetParseTree, proposed);
         } else if (settings->targets) {
             return _qd_policy_approve_link_name(username, settings->targets, proposed);
-        } else {
-            return false;
         }
     }
+    return false;
 }
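
Review bot: the single trailing return false is now the fail-closed default for both directions, but nothing marks it as such. Add a short comment on that line (for example: no parse tree and no list configured, deny) so a later edit does not turn the fall-through into an allow.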




[05/10] qpid-dispatch git commit: DISPATCH-976: Accept new config settings and store in local policy

Posted by ch...@apache.org.
DISPATCH-976: Accept new config settings and store in local policy


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/dc981ecc
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/dc981ecc
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/dc981ecc

Branch: refs/heads/master
Commit: dc981ecc6cf31d8c605e84703a589553281281c2
Parents: 210683d
Author: Chuck Rolke <cr...@redhat.com>
Authored: Tue May 1 13:55:35 2018 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Tue May 1 15:58:35 2018 -0400

----------------------------------------------------------------------
 .../policy/policy_local.py                      | 42 ++++++++++++++++++--
 src/policy.c                                    |  8 ++--
 src/policy.h                                    |  2 +
 3 files changed, 44 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/dc981ecc/python/qpid_dispatch_internal/policy/policy_local.py
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch_internal/policy/policy_local.py b/python/qpid_dispatch_internal/policy/policy_local.py
index 228d65d..19c81c8 100644
--- a/python/qpid_dispatch_internal/policy/policy_local.py
+++ b/python/qpid_dispatch_internal/policy/policy_local.py
@@ -63,6 +63,8 @@ class PolicyKeys(object):
     KW_ALLOW_USERID_PROXY       = "allowUserIdProxy"
     KW_SOURCES                  = "sources"
     KW_TARGETS                  = "targets"
+    KW_SOURCE_PATTERN           = "sourcePattern"
+    KW_TARGET_PATTERN           = "targetPattern"
 
     # Policy stats key words
     KW_CONNECTIONS_APPROVED     = "connectionsApproved"
@@ -86,6 +88,7 @@ class PolicyKeys(object):
 
     # policy stats controlled by C code but referenced by settings
     KW_CSTATS                   = "denialCounts"
+
 #
 #
 class PolicyCompiler(object):
@@ -122,7 +125,9 @@ class PolicyCompiler(object):
         PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER,
         PolicyKeys.KW_ALLOW_USERID_PROXY,
         PolicyKeys.KW_SOURCES,
-        PolicyKeys.KW_TARGETS
+        PolicyKeys.KW_TARGETS,
+        PolicyKeys.KW_SOURCE_PATTERN,
+        PolicyKeys.KW_TARGET_PATTERN
         ]
 
     def __init__(self):
@@ -223,10 +228,16 @@ class PolicyCompiler(object):
         policy_out[PolicyKeys.KW_ALLOW_DYNAMIC_SRC] = False
         policy_out[PolicyKeys.KW_ALLOW_ANONYMOUS_SENDER] = False
         policy_out[PolicyKeys.KW_ALLOW_USERID_PROXY] = False
-        policy_out[PolicyKeys.KW_SOURCES] = ''
-        policy_out[PolicyKeys.KW_TARGETS] = ''
+        policy_out[PolicyKeys.KW_SOURCES] = None
+        policy_out[PolicyKeys.KW_TARGETS] = None
+        policy_out[PolicyKeys.KW_SOURCE_PATTERN] = None
+        policy_out[PolicyKeys.KW_TARGET_PATTERN] = None
 
         cerror = []
+        user_sources = False
+        user_targets = False
+        user_src_pattern = False
+        user_tgt_pattern = False
         for key, val in policy_in.iteritems():
             if key not in self.allowed_settings_options:
                 warnings.append("Policy vhost '%s' user group '%s' option '%s' is ignored." %
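
Review bot: the defaults for KW_SOURCES and KW_TARGETS change from '' to None with no comment on what None means to the readers of policy_out. State here that None stands for "attribute not supplied" and that link approval must still deny in that case, so the distinction between an empty list and a missing attribute is not left to each consumer to guess.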
@@ -261,7 +272,9 @@ class PolicyCompiler(object):
                 policy_out[key] = val
             elif key in [PolicyKeys.KW_USERS,
                          PolicyKeys.KW_SOURCES,
-                         PolicyKeys.KW_TARGETS
+                         PolicyKeys.KW_TARGETS,
+                         PolicyKeys.KW_SOURCE_PATTERN,
+                         PolicyKeys.KW_TARGET_PATTERN
                          ]:
                 # accept a string or list
                 if type(val) is str:
@@ -280,6 +293,27 @@ class PolicyCompiler(object):
                 val = list(set(val))
                 # output result is CSV string with no white space between values: 'abc,def,mytarget'
                 policy_out[key] = ','.join(val)
+
+                if key == PolicyKeys.KW_SOURCES:
+                    user_sources = True
+                if key == PolicyKeys.KW_TARGETS:
+                    user_targets = True
+                if key == PolicyKeys.KW_SOURCE_PATTERN:
+                    user_src_pattern = True
+                if key == PolicyKeys.KW_TARGET_PATTERN:
+                    user_tgt_pattern = True
+
+        if user_sources:
+            warnings.append("Policy vhost '%s' user group '%s' uses deprecated 'sources' attribute. Use 'sourcePattern' instead" % (vhostname, usergroup))
+        if user_targets:
+            warnings.append("Policy vhost '%s' user group '%s' uses deprecated 'targets' attribute. Use 'targetPattern' instead" % (vhostname, usergroup))
+        if user_sources and user_src_pattern:
+            errors.append("Policy vhost '%s' user group '%s' specifies conflicting  'sources' and 'sourcePattern' attributes. Use only 'sourcePattern' instead" % (vhostname, usergroup))
+            return False
+        if user_targets and user_tgt_pattern:
+            errors.append("Policy vhost '%s' user group '%s' specifies conflicting  'targets' and 'targetPattern' attributes. Use only 'targetPattern' instead" % (vhostname, usergroup))
+            return False
+
         return True
 
 
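Review bot: the early `return False` after the 'sources'/'sourcePattern' conflict check means a user group that also mixes 'targets' and 'targetPattern' only hears about the second conflict on the next load attempt; append both errors first and return once. Two smaller points in the same block: both error strings contain a double space after "conflicting", and the four `if key ==` tests are mutually exclusive, so an `elif` chain would read more clearly.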

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/dc981ecc/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 7fc460a..4ee1930 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -322,10 +322,10 @@ bool qd_policy_open_lookup_user(
                     settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false);
                     settings->allowDynamicSource   = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSource", false);
                     settings->allowUserIdProxy     = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowUserIdProxy", false);
-                    if (settings->sources == 0)
-                        settings->sources          = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
-                    if (settings->targets == 0)
-                        settings->targets          = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
+                    settings->sources              = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
+                    settings->targets              = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
+                    settings->sourcePattern        = qd_entity_get_string((qd_entity_t*)upolicy, "sourcePattern");
+                    settings->targetPattern        = qd_entity_get_string((qd_entity_t*)upolicy, "targetPattern");
                     settings->denialCounts         = (qd_policy_denial_counts_t*)
                                                     qd_entity_get_long((qd_entity_t*)upolicy, "denialCounts");
                     Py_XDECREF(result2);
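Review bot: with the `if (settings->sources == 0)` and `if (settings->targets == 0)` guards removed, all four strings are now assigned unconditionally and none of the `qd_entity_get_string` results is checked. If `settings` can arrive here with `sources` or `targets` already populated, the old pointer is overwritten without being released. Since the Python compiler in this same change now defaults these attributes to None, please also confirm what `qd_entity_get_string` returns for a None attribute and that a 0 result is treated as deny, not allow, when links are authorized.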

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/dc981ecc/src/policy.h
----------------------------------------------------------------------
diff --git a/src/policy.h b/src/policy.h
index 27d209a..80d50aa 100644
--- a/src/policy.h
+++ b/src/policy.h
@@ -52,6 +52,8 @@ struct qd_policy__settings_s {
     bool allowUserIdProxy;
     char *sources;
     char *targets;
+    char *sourcePattern;
+    char *targetPattern;
     qd_policy_denial_counts_t *denialCounts;
 };
 
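Review bot: the new `char *sourcePattern` and `char *targetPattern` members carry no comment on ownership or format. Please document who allocates and frees them and what the string contains, and make sure whatever releases `sources` and `targets` releases these too; the policy.c hunk assigns them but shows no matching release.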

