Posted to commits@qpid.apache.org by ch...@apache.org on 2016/02/03 21:56:48 UTC
qpid-dispatch git commit: Generate and provide accessor for numeric
host ip address of connector. Scavenge the authenticated user name from
connection/transport.
Repository: qpid-dispatch
Updated Branches:
refs/heads/crolke-DISPATCH-188-1 d1f764e3f -> 49e64e597
Generate and provide accessor for numeric host ip address of connector.
Scavenge the authenticated user name from connection/transport.
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/49e64e59
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/49e64e59
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/49e64e59
Branch: refs/heads/crolke-DISPATCH-188-1
Commit: 49e64e597991197ecf16a90952696f3a9ad60a64
Parents: d1f764e
Author: Chuck Rolke <cr...@redhat.com>
Authored: Wed Feb 3 15:45:40 2016 -0500
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Wed Feb 3 15:45:40 2016 -0500
----------------------------------------------------------------------
include/qpid/dispatch/driver.h | 9 ++++-
src/policy.c | 48 ++++++++++++++----------
src/posix/driver.c | 12 +++++-
tests/policy-1/test-router-with-policy.json | 16 ++++++--
4 files changed, 59 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/include/qpid/dispatch/driver.h
----------------------------------------------------------------------
diff --git a/include/qpid/dispatch/driver.h b/include/qpid/dispatch/driver.h
index 1a69a27..2235264 100644
--- a/include/qpid/dispatch/driver.h
+++ b/include/qpid/dispatch/driver.h
@@ -308,11 +308,18 @@ void qdpn_connector_set_context(qdpn_connector_t *connector, void *context);
/** Access the name of the connector
*
- * @param[in] connector the connector which will hole the name
+ * @param[in] connector the connector of interest
* @return the name of the connector in the form of a null-terminated character string.
*/
const char *qdpn_connector_name(const qdpn_connector_t *connector);
+/** Access the numeric host ip of the connector
+ *
+ * @param[in] connector the connector of interest
+ * @return the numeric host ip address of the connector in the form of a null-terminated character string.
+ */
+const char *qdpn_connector_hostip(const qdpn_connector_t *connector);
+
/** Access the transport used by this connector.
*
* @param[in] connector connector whose transport will be returned
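Review bot: The new comment for `qdpn_connector_hostip` does not say what the function returns for a NULL connector, while the implementation added in this same commit (src/posix/driver.c) returns 0 in that case and policy.c feeds the result straight into a log format string. I would extend the return line to ` * @return the numeric host ip address of the connector as a null-terminated string, or NULL if connector is NULL.` so callers know they must check it. The existing `qdpn_connector_name` comment may deserve the same treatment if its body behaves alike; that body is outside this hunk.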
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 45908bd..2d285fa 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -29,6 +29,7 @@
#include <proton/message.h>
#include <proton/condition.h>
#include <proton/connection.h>
+#include <proton/transport.h>
#include <proton/error.h>
#include <proton/event.h>
#include <qpid/dispatch/ctools.h>
@@ -37,21 +38,6 @@
#include <qpid/dispatch/iterator.h>
#include <qpid/dispatch/log.h>
-//
-// TODO: get a real policy engine
-// This engine accepts every other connection
-//
-static bool allow_this = true;
-
-bool policy_engine()
-{
- return allow_this;
-}
-
-void policy_engine_step()
-{
- // allow_this = !allow_this;
-}
//
@@ -206,6 +192,21 @@ void qd_policy_socket_close(void *context, const char *hostname)
// allow or deny the Open. Denied Open attempts are
// effected with a returned Open-Close_with_condition.
//
+bool qd_policy_open_lookup_user(
+ qd_policy_t *policy,
+ const char *username,
+ const char *hostip,
+ const char *app,
+ const char *conn_name)
+{
+ // Log the name
+ qd_log(policy->log_source,
+ POLICY_LOG_LEVEL,
+ "Policy AMQP Open lookup user: %s, hostip: %s, app: %s, connection: %s",
+ username, hostip, app, conn_name);
+ return true;
+}
+
void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *cond_name, const char *cond_descr)
{
// Set the error condition and close the connection.
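Review bot: `username` and `hostip` are passed to `%s` conversions in the qd_log call with no NULL check, yet `qdpn_connector_hostip` returns 0 for a NULL connector in this very commit and pn_transport_get_user can, on the server side, return NULL before authentication has completed, so a NULL reaching printf-style formatting here is undefined behaviour. Guard the arguments before logging, e.g. `username ? username : "(none)"` and likewise for `hostip`, or treat a missing value as a reason to deny the Open rather than as an allowed user. The function also returns true unconditionally, so `// Log the name` undersells what it does; a comment such as `// TODO: consult the policy store; currently every Open is allowed and only logged` would make the stub status explicit to the next reader.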
@@ -220,12 +221,21 @@ void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *c
void qd_policy_amqp_open(void *context, bool discard)
{
qd_connection_t *qd_conn = (qd_connection_t *)context;
-
if (!discard) {
pn_connection_t *conn = qd_connection_pn(qd_conn);
+ qd_dispatch_t *qd = qd_conn->server->qd;
+ qd_policy_t *policy = qd->policy;
+
+ // username = pn_connection_get_user(conn) returns blank when
+ // the transport returns 'anonymous'.
+ pn_transport_t *pn_trans = pn_connection_transport(conn);
+ const char *username = pn_transport_get_user(pn_trans);
+
+ const char *hostip = qdpn_connector_hostip(qd_conn->pn_cxtr);
+ const char *app = "fixme";
+ const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
- // Consult policy engine for this connection attempt
- if ( policy_engine() ) { // TODO: get rid of this phony policy engine
+ if ( qd_policy_open_lookup_user(policy, username, hostip, app, conn_name) ) {
// This connection is allowed.
if (pn_connection_state(conn) & PN_LOCAL_UNINIT)
pn_connection_open(conn);
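Review bot: `const char *app = "fixme";` is a placeholder that is passed into `qd_policy_open_lookup_user` as though it were the peer's application name, so any future rule keyed on `app` would match the literal string `fixme` for every connection. Mark it so it cannot be mistaken for real data, e.g. `const char *app = "fixme"; // TODO: not yet taken from the peer; must not drive policy decisions`. `policy` is dereferenced for its log_source inside the lookup but `qd->policy` is never checked here; if a router can run without a policy section configured (I cannot tell from this hunk), this path needs a NULL guard before the lookup. qd_policy_amqp_open continues past the end of this hunk.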
@@ -234,8 +244,6 @@ void qd_policy_amqp_open(void *context, bool discard)
// This connection is denied.
qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
}
- // update the phony policy engine
- policy_engine_step();
}
qd_connection_set_event_stall(qd_conn, false);
}
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/posix/driver.c
----------------------------------------------------------------------
diff --git a/src/posix/driver.c b/src/posix/driver.c
index ca7d48c..99eb6fb 100644
--- a/src/posix/driver.c
+++ b/src/posix/driver.c
@@ -98,6 +98,7 @@ struct qdpn_connector_t {
DEQ_LINKS(qdpn_connector_t);
qdpn_driver_t *driver;
char name[PN_NAME_MAX];
+ char hostip[PN_NAME_MAX];
pn_timestamp_t wakeup;
pn_connection_t *connection;
pn_transport_t *transport;
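Review bot: The new `hostip` field is sized `PN_NAME_MAX`, while the local buffer it is filled from in `qdpn_listener_accept` is `char hostip[MAX_HOST]`, and the later `snprintf(c->hostip, PN_NAME_MAX, "%s", hostip)` in this file silently truncates the address if MAX_HOST exceeds PN_NAME_MAX (both constants are defined outside this hunk). Because the string is a peer address that policy code will presumably match against, a truncated value is worse than a failed copy; either declare the field `char hostip[MAX_HOST];` so both sides share one bound, or check the snprintf return against `sizeof c->hostip` and log when the address does not fit. The same observation applies to the snprintf hunk further down in this file.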
@@ -352,6 +353,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
char name[PN_NAME_MAX];
char host[MAX_HOST];
char serv[MAX_SERV];
+ char hostip[MAX_HOST];
struct sockaddr_in addr = {0};
addr.sin_family = AF_UNSPEC;
@@ -363,7 +365,8 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
return 0;
} else {
int code;
- if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0))) {
+ if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0)) ||
+ (code = getnameinfo((struct sockaddr *) &addr, addrlen, hostip, MAX_HOST, 0, 0, NI_NUMERICHOST))) {
qd_log(l->driver->log, QD_LOG_ERROR, "getnameinfo: %s\n", gai_strerror(code));
close(sock);
return 0;
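Review bot: The two getnameinfo calls share one error message, so a failure of the added NI_NUMERICHOST lookup is logged exactly like a failed reverse lookup; naming the failing call in the message, for instance `"getnameinfo(numeric host): %s\n"` on a separate branch, would make the log actionable. The reverse-resolved `host` string comes from a PTR record controlled by whoever runs the peer's reverse DNS zone, whereas `hostip` is derived directly from the accepted socket address, so only the numeric form should be treated as the peer's identity in policy; that is also a reason to obtain the numeric address first instead of letting a failed reverse lookup (a pre-existing behaviour here) reject the connection. The enclosing function continues outside this hunk.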
@@ -383,6 +386,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
qdpn_connector_t *c = qdpn_connector_fd(l->driver, sock, NULL);
snprintf(c->name, PN_NAME_MAX, "%s", name);
+ snprintf(c->hostip, PN_NAME_MAX, "%s", hostip);
c->listener = l;
return c;
}
@@ -580,6 +584,12 @@ const char *qdpn_connector_name(const qdpn_connector_t *ctor)
return ctor->name;
}
+const char *qdpn_connector_hostip(const qdpn_connector_t *ctor)
+{
+ if (!ctor) return 0;
+ return ctor->hostip;
+}
+
qdpn_listener_t *qdpn_connector_listener(qdpn_connector_t *ctor)
{
return ctor ? ctor->listener : NULL;
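Review bot: `qdpn_connector_hostip` returns `0` for a missing connector while the adjacent `qdpn_connector_listener` returns `NULL`; for a pointer return `NULL` reads better and keeps the file consistent: `if (!ctor) return NULL;`. A one-line comment above the function, such as `// Numeric peer address captured in qdpn_listener_accept; NULL if ctor is NULL`, would also save a reader a trip to the accept path to learn where the value comes from.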
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/tests/policy-1/test-router-with-policy.json
----------------------------------------------------------------------
diff --git a/tests/policy-1/test-router-with-policy.json b/tests/policy-1/test-router-with-policy.json
index dcf2de0..3e92b49 100644
--- a/tests/policy-1/test-router-with-policy.json
+++ b/tests/policy-1/test-router-with-policy.json
@@ -1,7 +1,7 @@
[
["container", {
"containerName": "QdstatSslTest",
- "saslConfigName": "tests-mech-EXTERNAL",
+ "saslConfigName": "tests-mech-PLAIN",
"saslConfigPath": "/home/chug/Research/qdr/standaloneSsl/sasl_configs",
"debugDump": "qddebug.txt"
}],
@@ -13,7 +13,7 @@
"certDb": "/home/chug/Research/qdr/standaloneSsl/ssl_certs/ca-certificate.pem"
}],
["listener", {
- "saslMechanisms": "ANONYMOUS",
+ "saslMechanisms": "ANONYMOUS PLAIN",
"authenticatePeer": "no",
"idleTimeoutSeconds": "120",
"port": 21000,
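Review bot: Adding PLAIN to the 21000 listener's `saslMechanisms` means credentials travel in cleartext unless that listener requires TLS, and its `requireSsl` setting is outside this hunk; if the fixture is meant to exercise the user-name scavenging rather than transport security, the 21001 listener in the next hunk already pairs PLAIN with `"requireSsl": "yes"` and would be the safer place to point tests. The listeners in this fixture, including the new 21004 one, bind `"addr": "0.0.0.0"`, so the test router listens on all interfaces while it runs.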
@@ -23,7 +23,7 @@
"addr": "0.0.0.0",
"requireSsl": "yes",
"idleTimeoutSeconds": "120",
- "saslMechanisms": "ANONYMOUS",
+ "saslMechanisms": "PLAIN",
"sslProfile": "server-ssl",
"authenticatePeer": "no",
"port": 21001
@@ -46,9 +46,17 @@
"authenticatePeer": "yes",
"port": 21003
}],
+ ["listener", {
+ "addr": "0.0.0.0",
+ "requireSsl": "no",
+ "idleTimeoutSeconds": "120",
+ "saslMechanisms": "ANONYMOUS",
+ "authenticatePeer": "yes",
+ "port": 21004
+ }],
["log", {
"source": "true",
- "enable": "info+",
+ "enable": "trace+",
"module": "DEFAULT"
}],
["policy", {