Posted to commits@qpid.apache.org by ch...@apache.org on 2016/02/03 21:56:48 UTC

qpid-dispatch git commit: Generate and provide accessor for numeric host ip address of connector. Scavenge the authenticated user name from connection/transport.

Repository: qpid-dispatch
Updated Branches:
  refs/heads/crolke-DISPATCH-188-1 d1f764e3f -> 49e64e597


Generate and provide accessor for numeric host ip address of connector.
Scavenge the authenticated user name from connection/transport.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/49e64e59
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/49e64e59
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/49e64e59

Branch: refs/heads/crolke-DISPATCH-188-1
Commit: 49e64e597991197ecf16a90952696f3a9ad60a64
Parents: d1f764e
Author: Chuck Rolke <cr...@redhat.com>
Authored: Wed Feb 3 15:45:40 2016 -0500
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Wed Feb 3 15:45:40 2016 -0500

----------------------------------------------------------------------
 include/qpid/dispatch/driver.h              |  9 ++++-
 src/policy.c                                | 48 ++++++++++++++----------
 src/posix/driver.c                          | 12 +++++-
 tests/policy-1/test-router-with-policy.json | 16 ++++++--
 4 files changed, 59 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/include/qpid/dispatch/driver.h
----------------------------------------------------------------------
diff --git a/include/qpid/dispatch/driver.h b/include/qpid/dispatch/driver.h
index 1a69a27..2235264 100644
--- a/include/qpid/dispatch/driver.h
+++ b/include/qpid/dispatch/driver.h
@@ -308,11 +308,18 @@ void qdpn_connector_set_context(qdpn_connector_t *connector, void *context);
 
 /** Access the name of the connector
  *
- * @param[in] connector the connector which will hole the name
+ * @param[in] connector the connector of interest
  * @return the name of the connector in the form of a null-terminated character string.
  */
 const char *qdpn_connector_name(const qdpn_connector_t *connector);
 
+/** Access the numeric host ip of the connector
+ *
+ * @param[in] connector the connector of interest
+ * @return the numeric host ip address of the connector in the form of a null-terminated character string.
+ */
+const char *qdpn_connector_hostip(const qdpn_connector_t *connector);
+
 /** Access the transport used by this connector.
  *
  * @param[in] connector connector whose transport will be returned
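Review bot: The new @return for qdpn_connector_hostip does not say what a NULL connector yields, although the implementation in src/posix/driver.c returns 0 in that case and qd_policy_amqp_open feeds the result straight into a `%s` log format. Suggest extending the comment to ` * @return the numeric host ip address of the connector as a null-terminated string, or NULL if connector is NULL.` so callers know they must guard it. It would also help to state here that the value is the peer's address as seen by the listening socket, i.e. the trustworthy form to key policy decisions on, as opposed to the reverse-resolved name returned by qdpn_connector_name.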

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 45908bd..2d285fa 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -29,6 +29,7 @@
 #include <proton/message.h>
 #include <proton/condition.h>
 #include <proton/connection.h>
+#include <proton/transport.h>
 #include <proton/error.h>
 #include <proton/event.h>
 #include <qpid/dispatch/ctools.h>
@@ -37,21 +38,6 @@
 #include <qpid/dispatch/iterator.h>
 #include <qpid/dispatch/log.h>
 
-//
-// TODO: get a real policy engine
-//       This engine accepts every other connection
-//
-static bool allow_this = true;
-
-bool policy_engine()
-{
-    return allow_this;
-}
-
-void policy_engine_step()
-{
-    // allow_this = !allow_this;
-}
 
 
 //
@@ -206,6 +192,21 @@ void qd_policy_socket_close(void *context, const char *hostname)
 // allow or deny the Open. Denied Open attempts are
 // effected with a returned Open-Close_with_condition.
 //
+bool qd_policy_open_lookup_user(
+    qd_policy_t *policy,
+    const char *username,
+    const char *hostip,
+    const char *app,
+    const char *conn_name)
+{
+    // Log the name
+    qd_log(policy->log_source, 
+           POLICY_LOG_LEVEL, 
+           "Policy AMQP Open lookup user: %s, hostip: %s, app: %s, connection: %s", 
+           username, hostip, app, conn_name);
+    return true;
+}
+
 void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *cond_name, const char *cond_descr)
 {
     // Set the error condition and close the connection.
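Review bot: qd_policy_open_lookup_user passes username and hostip straight to `%s` without a NULL guard, and at the call site in the next hunk both look like they can be NULL (pn_transport_get_user on an unauthenticated transport, and qdpn_connector_hostip when the connector is NULL, per src/posix/driver.c); passing NULL to `%s` is undefined behaviour even though glibc happens to print "(null)". Suggest substituting before logging, e.g. `username ? username : "<none>"` and the same for hostip, or rejecting NULL inputs up front. The username is peer-supplied text, so the log line reproduces whatever bytes the peer chose; a short comment that consumers of the policy log must treat that field as untrusted would be worth adding. The function also unconditionally returns true, so a header comment such as `// Placeholder: logs the lookup inputs and allows every Open; real user lookup pending` would stop readers from mistaking it for enforcement. Trailing whitespace on the three qd_log argument lines is a minor style nit.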
@@ -220,12 +221,21 @@ void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *c
 void qd_policy_amqp_open(void *context, bool discard)
 {
     qd_connection_t *qd_conn = (qd_connection_t *)context;
-
     if (!discard) {
         pn_connection_t *conn = qd_connection_pn(qd_conn);
+        qd_dispatch_t *qd = qd_conn->server->qd;
+        qd_policy_t *policy = qd->policy;
+
+        // username = pn_connection_get_user(conn) returns blank when
+        // the transport returns 'anonymous'.
+        pn_transport_t *pn_trans = pn_connection_transport(conn);
+        const char *username = pn_transport_get_user(pn_trans);
+
+        const char *hostip = qdpn_connector_hostip(qd_conn->pn_cxtr);
+        const char *app = "fixme";
+        const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
 
-        // Consult policy engine for this connection attempt
-        if ( policy_engine() ) { // TODO: get rid of this phony policy engine
+        if ( qd_policy_open_lookup_user(policy, username, hostip, app, conn_name) ) {
             // This connection is allowed.
             if (pn_connection_state(conn) & PN_LOCAL_UNINIT)
                 pn_connection_open(conn);
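Review bot: `const char *app = "fixme";` ships a placeholder into the policy lookup and its log line with nothing marking it as temporary; suggest `const char *app = "fixme"; // TODO: derive the application/container name from the peer's Open` so the stub is visible to a grep. The comment above the username lookup describes pn_connection_get_user, a call this code does not make; reword it to say why pn_transport_get_user is used instead, e.g. `// Take the user from the transport: pn_connection_get_user() is blank when the transport authenticated as 'anonymous'.` (hedged, as that behaviour is only asserted by the existing comment). qdpn_connector_hostip tolerates a NULL qd_conn->pn_cxtr but qdpn_connector_name on the following line is not shown here and may not; worth confirming pn_cxtr is always set on this path. qd_policy_amqp_open continues past the end of the hunk.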
@@ -234,8 +244,6 @@ void qd_policy_amqp_open(void *context, bool discard)
             // This connection is denied.
             qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
         }
-        // update the phony policy engine
-        policy_engine_step();
     }
     qd_connection_set_event_stall(qd_conn, false);
 }

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/posix/driver.c
----------------------------------------------------------------------
diff --git a/src/posix/driver.c b/src/posix/driver.c
index ca7d48c..99eb6fb 100644
--- a/src/posix/driver.c
+++ b/src/posix/driver.c
@@ -98,6 +98,7 @@ struct qdpn_connector_t {
     DEQ_LINKS(qdpn_connector_t);
     qdpn_driver_t *driver;
     char name[PN_NAME_MAX];
+    char hostip[PN_NAME_MAX];
     pn_timestamp_t wakeup;
     pn_connection_t *connection;
     pn_transport_t *transport;
@@ -352,6 +353,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
     char name[PN_NAME_MAX];
     char host[MAX_HOST];
     char serv[MAX_SERV];
+    char hostip[MAX_HOST];
 
     struct sockaddr_in addr = {0};
     addr.sin_family = AF_UNSPEC;
@@ -363,7 +365,8 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
         return 0;
     } else {
         int code;
-        if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0))) {
+        if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0)) ||
+            (code = getnameinfo((struct sockaddr *) &addr, addrlen, hostip, MAX_HOST, 0, 0, NI_NUMERICHOST))) {
             qd_log(l->driver->log, QD_LOG_ERROR, "getnameinfo: %s\n", gai_strerror(code));
             close(sock);
             return 0;
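Review bot: The chained `||` on the two getnameinfo calls makes it easy to miss that only the second call fills hostip and that it is attempted only after the reverse lookup has succeeded; a comment would help, e.g. `// host/serv: reverse-resolved for display; hostip: numeric form (NI_NUMERICHOST) for policy decisions`. Since the reverse-resolved host comes from DNS records the remote side's operator can influence, the numeric hostip introduced here is the value policy checks should key on rather than the name. The enclosing qdpn_listener_accept starts and ends outside the hunk.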
@@ -383,6 +386,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (*
 
     qdpn_connector_t *c = qdpn_connector_fd(l->driver, sock, NULL);
     snprintf(c->name, PN_NAME_MAX, "%s", name);
+    snprintf(c->hostip, PN_NAME_MAX, "%s", hostip);
     c->listener = l;
     return c;
 }
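Review bot: The new snprintf copies the MAX_HOST-sized local `hostip` into a PN_NAME_MAX-sized struct field; if PN_NAME_MAX is smaller than MAX_HOST the address is silently truncated into a different address string, which matters once policy keys on it. Neither constant is visible in this hunk, so either size the field to match, `char hostip[MAX_HOST];`, or check the truncation result of snprintf and log it, `if (snprintf(c->hostip, PN_NAME_MAX, "%s", hostip) >= PN_NAME_MAX) qd_log(l->driver->log, QD_LOG_ERROR, "hostip truncated");`. The same size question applies to the existing `name` copy on the line above, but that is pre-existing.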
@@ -580,6 +584,12 @@ const char *qdpn_connector_name(const qdpn_connector_t *ctor)
     return ctor->name;
 }
 
+const char *qdpn_connector_hostip(const qdpn_connector_t *ctor)
+{
+    if (!ctor) return 0;
+    return ctor->hostip;
+}
+
 qdpn_listener_t *qdpn_connector_listener(qdpn_connector_t *ctor)
 {
     return ctor ? ctor->listener : NULL;
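Review bot: `return 0;` for a pointer result in qdpn_connector_hostip is inconsistent with the neighbouring qdpn_connector_listener, which uses NULL; suggest `if (!ctor) return NULL;`. Only the qdpn_listener_accept path is shown writing hostip, so a connector created through another path (for example by qdpn_connector_fd alone, if it does not zero the struct) could return uninitialised bytes from the field — worth confirming and, if so, initialising `hostip[0] = '\0'` where the connector is allocated. A one-line comment stating that an empty string means "address not known" would document the contract for policy callers.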

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/tests/policy-1/test-router-with-policy.json
----------------------------------------------------------------------
diff --git a/tests/policy-1/test-router-with-policy.json b/tests/policy-1/test-router-with-policy.json
index dcf2de0..3e92b49 100644
--- a/tests/policy-1/test-router-with-policy.json
+++ b/tests/policy-1/test-router-with-policy.json
@@ -1,7 +1,7 @@
 [
     ["container", {
 	"containerName": "QdstatSslTest",
-	"saslConfigName": "tests-mech-EXTERNAL",
+	"saslConfigName": "tests-mech-PLAIN",
 	"saslConfigPath": "/home/chug/Research/qdr/standaloneSsl/sasl_configs",
 	"debugDump": "qddebug.txt"
     }],
@@ -13,7 +13,7 @@
 	"certDb": "/home/chug/Research/qdr/standaloneSsl/ssl_certs/ca-certificate.pem"
     }],
     ["listener", {
-	"saslMechanisms": "ANONYMOUS",
+	"saslMechanisms": "ANONYMOUS PLAIN",
 	"authenticatePeer": "no",
 	"idleTimeoutSeconds": "120",
 	"port": 21000,
@@ -23,7 +23,7 @@
 	"addr": "0.0.0.0",
 	"requireSsl": "yes",
 	"idleTimeoutSeconds": "120",
-	"saslMechanisms": "ANONYMOUS",
+	"saslMechanisms": "PLAIN",
 	"sslProfile": "server-ssl",
 	"authenticatePeer": "no",
 	"port": 21001
@@ -46,9 +46,17 @@
 	"authenticatePeer": "yes",
 	"port": 21003
     }],
+    ["listener", {
+	"addr": "0.0.0.0",
+	"requireSsl": "no",
+	"idleTimeoutSeconds": "120",
+	"saslMechanisms": "ANONYMOUS",
+	"authenticatePeer": "yes",
+	"port": 21004
+    }],
     ["log", {
 	"source": "true",
-	"enable": "info+",
+	"enable": "trace+",
 	"module": "DEFAULT"
     }],
     ["policy", {

