Posted to commits@qpid.apache.org by ra...@apache.org on 2008/09/25 20:40:32 UTC
svn commit: r699047 - in /incubator/qpid/trunk/qpid/cpp/src/qpid/broker:
Connection.cpp Connection.h ConnectionHandler.cpp ConnectionState.h
SemanticState.cpp SemanticState.h
Author: rajith
Date: Thu Sep 25 11:40:32 2008
New Revision: 699047
URL: http://svn.apache.org/viewvc?rev=699047&view=rev
Log:
This adds the user_id checking described in QPID-943.
If a user_id is supplied in message properties it will be checked against the id used for authentication.
This check is disabled for federation links.
Modified:
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.cpp
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.cpp
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.cpp?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.cpp Thu Sep 25 11:40:32 2008
@@ -157,6 +157,13 @@
mgmtObject->set_authIdentity(userId);
}
+void Connection::setFederationLink(bool b)
+{
+ ConnectionState::setFederationLink(b);
+ if (mgmtObject != 0)
+ mgmtObject->set_federationLink(b);
+}
+
void Connection::close(
ReplyCode code, const string& text, ClassId classId, MethodId methodId)
{
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h Thu Sep 25 11:40:32 2008
@@ -96,6 +96,7 @@
std::string getAuthCredentials();
void notifyConnectionForced(const std::string& text);
void setUserId(const string& uid);
+ void setFederationLink(bool b);
template <class F> void eachSessionHandler(const F& f) {
for (ChannelMap::iterator i = channels.begin(); i != channels.end(); ++i)
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp Thu Sep 25 11:40:32 2008
@@ -34,11 +34,12 @@
using namespace qpid::framing;
-namespace
+namespace
{
const std::string ANONYMOUS = "ANONYMOUS";
const std::string PLAIN = "PLAIN";
const std::string en_US = "en_US";
+const std::string QPID_FED_LINK = "qpid.fed_link";
}
void ConnectionHandler::close(ReplyCode code, const string& text, ClassId, MethodId)
@@ -70,16 +71,16 @@
ConnectionHandler::ConnectionHandler(Connection& connection, bool isClient) : handler(new Handler(connection, isClient)) {}
ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
- client(c.getOutput()), server(c.getOutput()),
+ client(c.getOutput()), server(c.getOutput()),
connection(c), serverMode(!isClient)
{
if (serverMode) {
FieldTable properties;
Array mechanisms(0x95);
-
+
authenticator = SaslAuthenticator::createAuthenticator(c);
authenticator->getMechanisms(mechanisms);
-
+
Array locales(0x95);
boost::shared_ptr<FieldValue> l(new Str16Value(en_US));
locales.add(l);
@@ -91,26 +92,30 @@
ConnectionHandler::Handler::~Handler() {}
-void ConnectionHandler::Handler::startOk(const framing::FieldTable& /*clientProperties*/,
- const string& mechanism,
+void ConnectionHandler::Handler::startOk(const framing::FieldTable& clientProperties,
+ const string& mechanism,
const string& response,
const string& /*locale*/)
{
authenticator->start(mechanism, response);
+ connection.setFederationLink(clientProperties.get(QPID_FED_LINK));
+ if (connection.isFederationLink()){
+ QPID_LOG(info, "Connection is a federation link");
+ }
}
-
+
void ConnectionHandler::Handler::secureOk(const string& response)
{
authenticator->step(response);
}
-
+
void ConnectionHandler::Handler::tuneOk(uint16_t /*channelmax*/,
uint16_t framemax, uint16_t heartbeat)
{
connection.setFrameMax(framemax);
connection.setHeartbeat(heartbeat);
}
-
+
void ConnectionHandler::Handler::open(const string& /*virtualHost*/,
const framing::Array& /*capabilities*/, bool /*insist*/)
{
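Review bot: In `startOk` the federation-link flag is taken from `clientProperties`, which the connecting peer supplies, and that flag is what switches off the new user_id check (`authMsg` in SemanticState.cpp is false whenever `isFederationLink()` is true). The exemption is therefore self-declared rather than granted by the broker; it would be safer to honour the claim only for identities the broker is configured to treat as links, and otherwise call `connection.setFederationLink(false)`. The looked-up value is also passed straight to a `bool` parameter, so if `get()` returns a value pointer, the key's presence rather than its value decides the result; an explicit integer comparison or a comment would make the intent clear. The info log line would be more useful for auditing if it included the authenticated user id.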
@@ -143,8 +148,10 @@
{
string mechanism = connection.getAuthMechanism();
string response = connection.getAuthCredentials();
-
- server.startOk(FieldTable(), mechanism, response, en_US);
+
+ FieldTable ft;
+ ft.setInt(QPID_FED_LINK,1);
+ server.startOk(ft, mechanism, response, en_US);
}
void ConnectionHandler::Handler::secure(const string& /*challenge*/)
@@ -169,5 +176,5 @@
void ConnectionHandler::Handler::redirect(const string& /*host*/, const framing::Array& /*knownHosts*/)
{
-
+
}
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h Thu Sep 25 11:40:32 2008
@@ -40,11 +40,12 @@
public:
ConnectionState(qpid::sys::ConnectionOutputHandler* o, Broker& b) :
out(o),
- broker(b),
+ broker(b),
outputTasks(out),
- framemax(65535),
+ framemax(65535),
heartbeat(0),
- stagingThreshold(broker.getStagingThreshold())
+ stagingThreshold(broker.getStagingThreshold()),
+ federationLink(true)
{}
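Review bot: `federationLink(true)` makes every ConnectionState start out exempt from the user_id check until something calls `setFederationLink`, so any path that creates a session before or without `startOk` would run unchecked. Defaulting to `federationLink(false)` and setting the flag to true only where a link is actually established keeps the check fail-closed. If outgoing link connections rely on the `true` default (nothing visible in this diff sets the flag on them explicitly), that dependency deserves a comment at the initializer.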
@@ -61,12 +62,15 @@
virtual void setUserId(const string& uid) { userId = uid; }
const string& getUserId() const { return userId; }
-
+
+ void setFederationLink(bool b) { federationLink = b; }
+ bool isFederationLink() const { return federationLink; }
+
Broker& getBroker() { return broker; }
Broker& broker;
std::vector<Queue::shared_ptr> exclusiveQueues;
-
+
//contained output tasks
sys::AggregateOutput outputTasks;
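Review bot: `setFederationLink` is declared non-virtual here while `setUserId` just above it is virtual, yet Connection.cpp adds a `Connection::setFederationLink` that also updates `mgmtObject`. A call made through a `ConnectionState` reference or pointer would run only this base version and leave the management object out of date. Declaring it `virtual void setFederationLink(bool b) { federationLink = b; }` follows the `setUserId` pattern.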
@@ -81,6 +85,7 @@
uint16_t heartbeat;
uint64_t stagingThreshold;
string userId;
+ bool federationLink;
};
}}
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp Thu Sep 25 11:40:32 2008
@@ -61,7 +61,9 @@
deliveryAdapter(da),
tagGenerator("sgen"),
dtxSelected(false),
- outputTasks(ss)
+ outputTasks(ss),
+ authMsg(getSession().getBroker().getOptions().auth && !getSession().getConnection().isFederationLink()),
+ userID(getSession().getConnection().getUserId().substr(0,getSession().getConnection().getUserId().find('@')))
{
acl = getSession().getBroker().getAcl();
}
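Review bot: `userID` is built by cutting the authenticated id at the first '@', so the comparison in `route` ignores the realm, whereas the ACL check in the same file passes the full `getUserId()`. Identities that differ only in realm would both satisfy the user_id check for the same message property; if that is intended, say so at the initializer, e.g. `// realm is deliberately ignored when matching the message user_id`. Both members are `const` and captured at construction, so they presumably do not follow a later change of the connection's user id or link flag; it is worth confirming that a SemanticState is only ever created after authentication has completed.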
@@ -348,13 +350,23 @@
// The client library ensures this is always empty for messages from normal clients.
if (msg->isA<MessageTransferBody>()) {
if (!msg->hasProperties<DeliveryProperties>() ||
- msg->getProperties<DeliveryProperties>()->getExchange().empty())
+ msg->getProperties<DeliveryProperties>()->getExchange().empty())
msg->getProperties<DeliveryProperties>()->setExchange(exchangeName);
}
if (!cacheExchange || cacheExchange->getName() != exchangeName){
cacheExchange = session.getBroker().getExchanges().get(exchangeName);
}
+ /* verify the userid if specified: */
+ std::string id =
+ msg->hasProperties<MessageProperties>()? msg->getProperties<MessageProperties>()->getUserId():"";
+
+ if (authMsg && !id.empty() && id != userID )
+ {
+ QPID_LOG(debug, "user id : " << userID << " msgProps.getUserID() " << msg->getProperties<MessageProperties>()->getUserId());
+ throw UnauthorizedAccessException("user id in the message is not the same id used to authenticate the connection");
+ }
+
if (acl && acl->doTransferAcl())
{
if (!acl->authorise(getSession().getConnection().getUserId(),acl::PUBLISH,acl::EXCHANGE,exchangeName, msg->getRoutingKey() ))
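Review bot: A message whose user_id does not match the authenticated id is rejected, but the only record of it is a `debug` log line, so a broker running at its usual log level keeps no trace of the attempt. Logging at a level operators leave enabled, e.g. `QPID_LOG(warning, "user id mismatch: authenticated as " << userID << ", message claims " << id);`, gives detection something to work with and reuses the already-fetched `id` instead of calling `getProperties` again. The message-supplied id reaches the log verbatim, so consider bounding or escaping it before writing. The enclosing function starts and ends outside this hunk.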
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h?rev=699047&r1=699046&r2=699047&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h Thu Sep 25 11:40:32 2008
@@ -135,7 +135,9 @@
boost::shared_ptr<Exchange> cacheExchange;
sys::AggregateOutput outputTasks;
AclModule* acl;
-
+ const bool authMsg;
+ const string userID;
+
void route(boost::intrusive_ptr<Message> msg, Deliverable& strategy);
void record(const DeliveryRecord& delivery);
void checkDtxTimeout();