Posted to commits@qpid.apache.org by tr...@apache.org on 2013/10/10 21:41:02 UTC
svn commit: r1531084 - in /qpid/trunk/qpid/extras/dispatch: etc/
include/qpid/dispatch/ python/qpid/dispatch/config/ src/ tests/
Author: tross
Date: Thu Oct 10 19:41:01 2013
New Revision: 1531084
URL: http://svn.apache.org/r1531084
Log:
QPID-5221 - Added a configurable role for connections that constrains their use.
Modified:
qpid/trunk/qpid/extras/dispatch/etc/qpid-dispatch.conf
qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/container.h
qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/server.h
qpid/trunk/qpid/extras/dispatch/python/qpid/dispatch/config/schema.py
qpid/trunk/qpid/extras/dispatch/src/container.c
qpid/trunk/qpid/extras/dispatch/src/dispatch.c
qpid/trunk/qpid/extras/dispatch/src/router_node.c
qpid/trunk/qpid/extras/dispatch/src/server.c
qpid/trunk/qpid/extras/dispatch/tests/threerouters-A.conf
qpid/trunk/qpid/extras/dispatch/tests/threerouters-B.conf
qpid/trunk/qpid/extras/dispatch/tests/threerouters-C.conf
qpid/trunk/qpid/extras/dispatch/tests/tworouters-A.conf
qpid/trunk/qpid/extras/dispatch/tests/tworouters-B.conf
Modified: qpid/trunk/qpid/extras/dispatch/etc/qpid-dispatch.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/etc/qpid-dispatch.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/etc/qpid-dispatch.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/etc/qpid-dispatch.conf Thu Oct 10 19:41:01 2013
@@ -102,6 +102,7 @@ listener {
listener {
label: Router Interconnect Access
+ role: inter-router
addr: 0.0.0.0
port: 5671
sasl-mechanisms: EXTERNAL
@@ -112,6 +113,7 @@ listener {
connector {
label: Router Uplink
+ role: inter-router
addr: backbone.enterprise.com
port: amqps
sasl-mechanisms: EXTERNAL
Modified: qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/container.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/container.h?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/container.h (original)
+++ qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/container.h Thu Oct 10 19:41:01 2013
@@ -166,6 +166,7 @@ void *dx_link_get_context(dx_link_t *lin
void dx_link_set_conn_context(dx_link_t *link, void *link_context);
void *dx_link_get_conn_context(dx_link_t *link);
+dx_connection_t *dx_link_connection(dx_link_t *link);
pn_link_t *dx_link_pn(dx_link_t *link);
pn_terminus_t *dx_link_source(dx_link_t *link);
pn_terminus_t *dx_link_target(dx_link_t *link);
Modified: qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/server.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/server.h?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/server.h (original)
+++ qpid/trunk/qpid/extras/dispatch/include/qpid/dispatch/server.h Thu Oct 10 19:41:01 2013
@@ -186,7 +186,7 @@ typedef struct dx_connector_t dx_connect
typedef struct dx_connection_t dx_connection_t;
/**
- * Event type for the connection callback.
+ * \brief Event type for the connection callback.
*/
typedef enum {
/// The connection just opened via a listener (inbound).
@@ -204,6 +204,106 @@ typedef enum {
/**
+ * \brief Configuration block for a connector or a listener.
+ */
+typedef struct dx_server_config_t {
+ /**
+ * Host name or network address to bind to a listener or use in the connector.
+ */
+ const char *host;
+
+ /**
+ * Port name or number to bind to a listener or use in the connector.
+ */
+ const char *port;
+
+ /**
+ * Space-separated list of SASL mechanisms to be accepted for the connection.
+ */
+ const char *sasl_mechanisms;
+
+ /**
+ * If appropriate for the mechanism, the username for authentication
+ * (connector only)
+ */
+ const char *sasl_username;
+
+ /**
+ * If appropriate for the mechanism, the password for authentication
+ * (connector only)
+ */
+ const char *sasl_password;
+
+ /**
+ * If appropriate for the mechanism, the minimum acceptable security strength factor
+ */
+ int sasl_minssf;
+
+ /**
+ * If appropriate for the mechanism, the maximum acceptable security strength factor
+ */
+ int sasl_maxssf;
+
+ /**
+ * SSL is enabled for this connection iff non-zero.
+ */
+ int ssl_enabled;
+
+ /**
+ * Connection will take on the role of SSL server iff non-zero.
+ */
+ int ssl_server;
+
+ /**
+ * Iff non-zero AND ssl_enabled is non-zero, this listener will detect the client's use
+ * of SSL or non-SSL and conform to the client's protocol.
+ * (listener only)
+ */
+ int ssl_allow_unsecured_client;
+
+ /**
+ * Path to the file containing the PEM-formatted public certificate for the local end
+ * of the connection.
+ */
+ const char *ssl_certificate_file;
+
+ /**
+ * Path to the file containing the PEM-formatted private key for the local end of the
+ * connection.
+ */
+ const char *ssl_private_key_file;
+
+ /**
+ * The password used to sign the private key, or NULL if the key is not protected.
+ */
+ const char *ssl_password;
+
+ /**
+ * Path to the file containing the PEM-formatted set of certificates of trusted CAs.
+ */
+ const char *ssl_trusted_certificate_db;
+
+ /**
+ * Iff non-zero, require that the peer's certificate be supplied and that it be authentic
+ * according to the set of trusted CAs.
+ */
+ int ssl_require_peer_authentication;
+
+ /**
+ * Allow the connection to be redirected by the peer (via CLOSE->Redirect). This is
+ * meaningful for outgoing (connector) connections only.
+ */
+ int allow_redirect;
+
+ /**
+ * The specified role of the connection. This can be used to control the behavior and
+ * capabilities of the connections.
+ */
+ const char *role;
+} dx_server_config_t;
+
+
+/**
* \brief Connection Event Handler
*
* Callback invoked when processing is needed on a proton connection. This
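Review bot: The doc comment on the new `role` field does not say which values are recognised or what happens with any other string. Within this commit only `inter-router` is ever compared (router_node.c) and the schema default is `normal`, so a misspelled role would presumably be accepted and silently treated as a non-router connection. I would extend the comment to say that `"inter-router"` permits router links on the connection and that any other value is handled as an ordinary endpoint connection. It should also state whether NULL is allowed, since the router code passes the field straight to `strcmp()`.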
@@ -295,97 +395,12 @@ pn_connection_t *dx_connection_pn(dx_con
/**
- * \brief Configuration block for a connector or a listener.
+ * \brief Get the configuration that was used in the setup of this connection.
+ *
+ * @param conn Connection object supplied in DX_CONN_EVENT_{LISTENER,CONNETOR}_OPEN
+ * @return A pointer to the server configuration used in the establishment of this connection.
*/
-typedef struct dx_server_config_t {
- /**
- * Host name or network address to bind to a listener or use in the connector.
- */
- const char *host;
-
- /**
- * Port name or number to bind to a listener or use in the connector.
- */
- const char *port;
-
- /**
- * Space-separated list of SASL mechanisms to be accepted for the connection.
- */
- const char *sasl_mechanisms;
-
- /**
- * If appropriate for the mechanism, the username for authentication
- * (connector only)
- */
- const char *sasl_username;
-
- /**
- * If appropriate for the mechanism, the password for authentication
- * (connector only)
- */
- const char *sasl_password;
-
- /**
- * If appropriate for the mechanism, the minimum acceptable security strength factor
- */
- int sasl_minssf;
-
- /**
- * If appropriate for the mechanism, the maximum acceptable security strength factor
- */
- int sasl_maxssf;
-
- /**
- * SSL is enabled for this connection iff non-zero.
- */
- int ssl_enabled;
-
- /**
- * Connection will take on the role of SSL server iff non-zero.
- */
- int ssl_server;
-
- /**
- * Iff non-zero AND ssl_enabled is non-zero, this listener will detect the client's use
- * of SSL or non-SSL and conform to the client's protocol.
- * (listener only)
- */
- int ssl_allow_unsecured_client;
-
- /**
- * Path to the file containing the PEM-formatted public certificate for the local end
- * of the connection.
- */
- const char *ssl_certificate_file;
-
- /**
- * Path to the file containing the PEM-formatted private key for the local end of the
- * connection.
- */
- const char *ssl_private_key_file;
-
- /**
- * The password used to sign the private key, or NULL if the key is not protected.
- */
- const char *ssl_password;
-
- /**
- * Path to the file containing the PEM-formatted set of certificates of trusted CAs.
- */
- const char *ssl_trusted_certificate_db;
-
- /**
- * Iff non-zero, require that the peer's certificate be supplied and that it be authentic
- * according to the set of trusted CAs.
- */
- int ssl_require_peer_authentication;
-
- /**
- * Allow the connection to be redirected by the peer (via CLOSE->Redirect). This is
- * meaningful for outgoing (connector) connections only.
- */
- int allow_redirect;
-} dx_server_config_t;
+const dx_server_config_t *dx_connection_config(const dx_connection_t *conn);
/**
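Review bot: The `@param` line of the new doc comment misspells the event name: `DX_CONN_EVENT_{LISTENER,CONNETOR}_OPEN` is presumably meant to be `DX_CONN_EVENT_{LISTENER,CONNECTOR}_OPEN`. The `@return` line should also say whether NULL can be returned. The caller added in router_node.c tests the result for NULL, while the implementation in server.c dereferences `conn` and `conn->connector` unconditionally, so the contract is currently ambiguous for anyone reading only the header.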
Modified: qpid/trunk/qpid/extras/dispatch/python/qpid/dispatch/config/schema.py
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/python/qpid/dispatch/config/schema.py?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/python/qpid/dispatch/config/schema.py (original)
+++ qpid/trunk/qpid/extras/dispatch/python/qpid/dispatch/config/schema.py Thu Oct 10 19:41:01 2013
@@ -57,6 +57,7 @@ config_schema = {
'addr' : (str, 0, "M"),
'port' : (str, 1, "M"),
'label' : (str, None, "", None),
+ 'role' : (str, None, "", 'normal'),
'sasl-mechanisms' : (str, None, "M"),
'ssl-profile' : (str, None, "E", None),
'require-peer-auth' : (bool, None, "", True),
@@ -66,6 +67,7 @@ config_schema = {
'addr' : (str, 0, "M"),
'port' : (str, 1, "M"),
'label' : (str, None, "", None),
+ 'role' : (str, None, "", 'normal'),
'sasl-mechanisms' : (str, None, "M"),
'ssl-profile' : (str, None, "E", None),
'allow-redirect' : (bool, None, "", True)
Modified: qpid/trunk/qpid/extras/dispatch/src/container.c
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/src/container.c?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/src/container.c (original)
+++ qpid/trunk/qpid/extras/dispatch/src/container.c Thu Oct 10 19:41:01 2013
@@ -687,6 +687,27 @@ pn_link_t *dx_link_pn(dx_link_t *link)
}
+dx_connection_t *dx_link_connection(dx_link_t *link)
+{
+ if (!link || !link->pn_link)
+ return 0;
+
+ pn_session_t *sess = pn_link_session(link->pn_link);
+ if (!sess)
+ return 0;
+
+ pn_connection_t *conn = pn_session_connection(sess);
+ if (!conn)
+ return 0;
+
+ dx_connection_t *ctx = pn_connection_get_context(conn);
+ if (!ctx)
+ return 0;
+
+ return ctx;
+}
+
+
pn_terminus_t *dx_link_source(dx_link_t *link)
{
return pn_link_source(link->pn_link);
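Review bot: The last check in `dx_link_connection` is redundant, since `if (!ctx) return 0; return ctx;` yields the same value on both paths; `return pn_connection_get_context(conn);` would do. The function also has no comment, here or on its prototype in container.h, saying that it returns NULL when the link, its session, its connection or the connection context is missing. That contract matters because the router passes the result directly into its inter-router role check, where NULL is treated as "not inter-router". Something like `/* Returns the dx_connection_t that owns this link, or NULL if it cannot be resolved. */` above the definition would cover it.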
Modified: qpid/trunk/qpid/extras/dispatch/src/dispatch.c
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/src/dispatch.c?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/src/dispatch.c (original)
+++ qpid/trunk/qpid/extras/dispatch/src/dispatch.c Thu Oct 10 19:41:01 2013
@@ -137,6 +137,7 @@ static void load_server_config(dx_dispat
{
config->host = dx_config_item_value_string(dx->config, section, i, "addr");
config->port = dx_config_item_value_string(dx->config, section, i, "port");
+ config->role = dx_config_item_value_string(dx->config, section, i, "role");
config->sasl_mechanisms =
dx_config_item_value_string(dx->config, section, i, "sasl-mechanisms");
config->ssl_enabled =
Modified: qpid/trunk/qpid/extras/dispatch/src/router_node.c
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/src/router_node.c?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/src/router_node.c (original)
+++ qpid/trunk/qpid/extras/dispatch/src/router_node.c Thu Oct 10 19:41:01 2013
@@ -28,6 +28,7 @@
static char *module = "ROUTER";
+static char *router_role = "inter-router";
static char *local_prefix = "_local/";
static char *topo_prefix = "_topo/";
static char *direct_prefix;
@@ -122,6 +123,22 @@ static void dx_router_check_addr_LH(dx_r
/**
+ * Determine whether a connection is configured in the inter-router role.
+ */
+static int dx_router_connection_is_inter_router(const dx_connection_t *conn)
+{
+ if (!conn)
+ return 0;
+
+ const dx_server_config_t *cf = dx_connection_config(conn);
+ if (cf && strcmp(cf->role, router_role) == 0)
+ return 1;
+
+ return 0;
+}
+
+
+/**
* Determine whether a terminus has router capability
*/
static int dx_router_terminus_is_router(pn_terminus_t *term)
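Review bot: `strcmp(cf->role, router_role)` dereferences `cf->role` without a null check, although the same line guards `cf` itself. load_server_config fills the field from the configuration, where the schema supplies a default, but `dx_server_config_t` is a public struct passed into `dx_server_listen`, and a caller that builds one without setting `role` would presumably leave it NULL. This helper runs whenever a remote peer attaches a link advertising router capability, so that case would be a remotely triggered null dereference. Suggest `if (cf && cf->role && strcmp(cf->role, router_role) == 0)`.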
@@ -648,11 +665,17 @@ static void router_disp_handler(void* co
*/
static int router_incoming_link_handler(void* context, dx_link_t *link)
{
- dx_router_t *router = (dx_router_t*) context;
- dx_router_link_t *rlink = new_dx_router_link_t();
- pn_link_t *pn_link = dx_link_pn(link);
- int is_router = dx_router_terminus_is_router(dx_link_remote_source(link));
+ dx_router_t *router = (dx_router_t*) context;
+ pn_link_t *pn_link = dx_link_pn(link);
+ int is_router = dx_router_terminus_is_router(dx_link_remote_source(link));
+ if (is_router && !dx_router_connection_is_inter_router(dx_link_connection(link))) {
+ dx_log(module, LOG_WARNING, "Incoming link claims router capability but is not on an inter-router connection");
+ pn_link_close(pn_link);
+ return 0;
+ }
+
+ dx_router_link_t *rlink = new_dx_router_link_t();
DEQ_ITEM_INIT(rlink);
rlink->link_type = is_router ? DX_LINK_ROUTER : DX_LINK_ENDPOINT;
rlink->link_direction = DX_INCOMING;
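Review bot: The warning logged when a link is refused does not identify the connection or peer, so `Incoming link claims router capability but is not on an inter-router connection` cannot be tied to a source when triaging. If `dx_log` accepts format arguments (not visible here), include the listener or connector host and port from `dx_connection_config()`; the same applies to the outgoing-link check in the next hunk. The link is also closed with a bare `pn_link_close(pn_link)`, so the peer is given no reason for the refusal; consider attaching an AMQP error condition before closing. Both handler bodies continue outside their hunks.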
@@ -697,6 +720,12 @@ static int router_outgoing_link_handler(
int is_router = dx_router_terminus_is_router(dx_link_remote_target(link));
dx_field_iterator_t *iter = 0;
+ if (is_router && !dx_router_connection_is_inter_router(dx_link_connection(link))) {
+ dx_log(module, LOG_WARNING, "Outgoing link claims router capability but is not on an inter-router connection");
+ pn_link_close(pn_link);
+ return 0;
+ }
+
//
// If this link is not a router link and it has no source address, we can't
// accept it.
@@ -861,8 +890,14 @@ static void router_inbound_open_handler(
static void router_outbound_open_handler(void *type_context, dx_connection_t *conn)
{
- // TODO - Make sure this connection is annotated as an inter-router transport.
- // Ignore otherwise
+ //
+ // Check the configured role of this connection. If it is not the inter-router
+ // role, ignore it.
+ //
+ if (!dx_router_connection_is_inter_router(conn)) {
+ dx_log(module, LOG_WARNING, "Outbound connection set up without inter-router role");
+ return;
+ }
dx_router_t *router = (dx_router_t*) type_context;
dx_link_t *sender;
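Review bot: The new guard logs at `LOG_WARNING` for every outbound connection whose role is not `inter-router`, yet the schema in this commit gives connectors a default role of `normal`. If this handler is invoked for all connector opens (not visible here), an ordinary connector would emit `Outbound connection set up without inter-router role` each time it connects. Drop the message or lower its level in that case, so the warnings from the link handlers, which do signal a policy violation, are not buried. The function body continues outside the hunk.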
Modified: qpid/trunk/qpid/extras/dispatch/src/server.c
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/src/server.c?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/src/server.c (original)
+++ qpid/trunk/qpid/extras/dispatch/src/server.c Thu Oct 10 19:41:01 2013
@@ -880,6 +880,14 @@ pn_connection_t *dx_connection_pn(dx_con
}
+const dx_server_config_t *dx_connection_config(const dx_connection_t *conn)
+{
+ if (conn->listener)
+ return conn->listener->config;
+ return conn->connector->config;
+}
+
+
dx_listener_t *dx_server_listen(dx_dispatch_t *dx, const dx_server_config_t *config, void *context)
{
dx_server_t *dx_server = dx->server;
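Review bot: `dx_connection_config` dereferences `conn->connector` whenever `conn->listener` is null, with no check that either pointer is set and no check of `conn` itself. Whether a connection can exist with neither is not visible here, but the caller in router_node.c already handles a NULL result, so failing soft costs nothing: `return conn->connector ? conn->connector->config : 0;` for the last line. The body of `dx_server_listen` below continues outside the hunk.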
Modified: qpid/trunk/qpid/extras/dispatch/tests/threerouters-A.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/tests/threerouters-A.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/tests/threerouters-A.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/tests/threerouters-A.conf Thu Oct 10 19:41:01 2013
@@ -54,6 +54,7 @@ listener {
connector {
label: Router Uplink
+ role: inter-router
addr: 0.0.0.0
port: 20002
sasl-mechanisms: ANONYMOUS
Modified: qpid/trunk/qpid/extras/dispatch/tests/threerouters-B.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/tests/threerouters-B.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/tests/threerouters-B.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/tests/threerouters-B.conf Thu Oct 10 19:41:01 2013
@@ -47,6 +47,7 @@ container {
## Listeners and Connectors
##
listener {
+ role: inter-router
addr: 0.0.0.0
port: 20002
sasl-mechanisms: ANONYMOUS
@@ -54,6 +55,7 @@ listener {
connector {
label: Router Uplink
+ role: inter-router
addr: 0.0.0.0
port: 20003
sasl-mechanisms: ANONYMOUS
Modified: qpid/trunk/qpid/extras/dispatch/tests/threerouters-C.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/tests/threerouters-C.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/tests/threerouters-C.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/tests/threerouters-C.conf Thu Oct 10 19:41:01 2013
@@ -47,6 +47,7 @@ container {
## Listeners and Connectors
##
listener {
+ role: inter-router
addr: 0.0.0.0
port: 20003
sasl-mechanisms: ANONYMOUS
Modified: qpid/trunk/qpid/extras/dispatch/tests/tworouters-A.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/tests/tworouters-A.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/tests/tworouters-A.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/tests/tworouters-A.conf Thu Oct 10 19:41:01 2013
@@ -47,6 +47,7 @@ container {
## Listeners and Connectors
##
listener {
+ role: inter-router
addr: 0.0.0.0
port: 20001
sasl-mechanisms: ANONYMOUS
Modified: qpid/trunk/qpid/extras/dispatch/tests/tworouters-B.conf
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/extras/dispatch/tests/tworouters-B.conf?rev=1531084&r1=1531083&r2=1531084&view=diff
==============================================================================
--- qpid/trunk/qpid/extras/dispatch/tests/tworouters-B.conf (original)
+++ qpid/trunk/qpid/extras/dispatch/tests/tworouters-B.conf Thu Oct 10 19:41:01 2013
@@ -47,6 +47,7 @@ container {
## Listeners and Connectors
##
listener {
+ role: inter-router
addr: 0.0.0.0
port: 20002
sasl-mechanisms: ANONYMOUS
@@ -54,6 +55,7 @@ listener {
connector {
label: Router Uplink
+ role: inter-router
addr: 0.0.0.0
port: 20001
sasl-mechanisms: ANONYMOUS