Posted to commits@qpid.apache.org by ch...@apache.org on 2016/04/18 17:24:36 UTC
qpid-dispatch git commit: DISPATCH-279: Detect, log,
and deny AMQP Open with no hostname when policy is in effect.
Repository: qpid-dispatch
Updated Branches:
refs/heads/master 30889363a -> 08d69ce0e
DISPATCH-279: Detect, log, and deny AMQP Open with no hostname when policy is in effect.
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/08d69ce0
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/08d69ce0
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/08d69ce0
Branch: refs/heads/master
Commit: 08d69ce0e7eebae2d7516c90ea678eaaa1bc9a28
Parents: 3088936
Author: Chuck Rolke <cr...@redhat.com>
Authored: Mon Apr 18 11:03:15 2016 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Mon Apr 18 11:14:12 2016 -0400
----------------------------------------------------------------------
src/policy.c | 47 ++++++++++++++++++++++++++++-------------------
1 file changed, 28 insertions(+), 19 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/08d69ce0/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index a5e2f57..d75a2db 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -713,30 +713,37 @@ void qd_policy_amqp_open(void *context, bool discard)
pn_transport_t *pn_trans = pn_connection_transport(conn);
const char *hostip = qdpn_connector_hostip(qd_conn->pn_cxtr);
const char *app = pn_connection_remote_hostname(conn);
- const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
+ if (app && *app) {
+ const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
#define SETTINGS_NAME_SIZE 256
- char settings_name[SETTINGS_NAME_SIZE];
- uint32_t conn_id = qd_conn->connection_id;
- qd_conn->policy_settings = NEW(qd_policy_settings_t); // TODO: memory pool for settings
- memset(qd_conn->policy_settings, 0, sizeof(qd_policy_settings_t));
-
- if (qd_policy_open_lookup_user(policy, qd_conn->user_id, hostip, app, conn_name,
- settings_name, SETTINGS_NAME_SIZE, conn_id,
- qd_conn->policy_settings) &&
- settings_name[0]) {
- // This connection is allowed by policy.
- // Apply transport policy settings
- if (qd_conn->policy_settings->maxFrameSize > 0)
- pn_transport_set_max_frame(pn_trans, qd_conn->policy_settings->maxFrameSize);
- if (qd_conn->policy_settings->maxSessions > 0)
- pn_transport_set_channel_max(pn_trans, qd_conn->policy_settings->maxSessions - 1);
+ char settings_name[SETTINGS_NAME_SIZE];
+ uint32_t conn_id = qd_conn->connection_id;
+ qd_conn->policy_settings = NEW(qd_policy_settings_t); // TODO: memory pool for settings
+ memset(qd_conn->policy_settings, 0, sizeof(qd_policy_settings_t));
+
+ if (qd_policy_open_lookup_user(policy, qd_conn->user_id, hostip, app, conn_name,
+ settings_name, SETTINGS_NAME_SIZE, conn_id,
+ qd_conn->policy_settings) &&
+ settings_name[0]) {
+ // This connection is allowed by policy.
+ // Apply transport policy settings
+ if (qd_conn->policy_settings->maxFrameSize > 0)
+ pn_transport_set_max_frame(pn_trans, qd_conn->policy_settings->maxFrameSize);
+ if (qd_conn->policy_settings->maxSessions > 0)
+ pn_transport_set_channel_max(pn_trans, qd_conn->policy_settings->maxSessions - 1);
+ } else {
+ // This connection is denied by policy.
+ connection_allowed = false;
+ }
} else {
- // This connection is denied by policy.
+ // No application name implies automatic policy denial
connection_allowed = false;
- qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
+ qd_log(qd_conn->server->qd->policy->log_source, QD_LOG_INFO,
+ "DENY AMQP Open for user '%s', host '%s', application '': "
+ "No application specified", qd_conn->user_id, hostip);
}
} else {
- // This connection not subject to policy and implicitly allowed.
+ // No policy implies automatic policy allow
// Note that connections not governed by policy have no policy_settings.
}
if (connection_allowed) {
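Review bot: In the new no-hostname branch the `qd_log` call passes `qd_conn->user_id` and `hostip` straight to `%s`, and nothing in the hunk shows that either is non-NULL at this point; if `qd_log` formats printf-style, a NULL argument there is undefined behaviour. If a peer with no user id set can reach this branch, guard the argument, e.g. `qd_conn->user_id ? qd_conn->user_id : ""`. The user id comes from the peer, so it is also worth confirming that the log sink neutralises control characters before this line is used as an audit record. `policy` is already in scope for the lookup call above, so `policy->log_source` would presumably name the same log source more directly than `qd_conn->server->qd->policy->log_source`. The body of qd_policy_amqp_open starts before and ends after this hunk.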
@@ -744,6 +751,8 @@ void qd_policy_amqp_open(void *context, bool discard)
pn_connection_open(conn);
qd_connection_manager_connection_opened(qd_conn);
policy_notify_opened(qd_conn->open_container, qd_conn, qd_conn->context);
+ } else {
+ qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
}
}
qd_connection_set_event_stall(qd_conn, false);
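Review bot: The single deny call in the new `else` reports `RESOURCE_LIMIT_EXCEEDED` / `CONNECTION_DISALLOWED` to the peer for both causes, a failed policy lookup and an Open with no hostname, and the second is not a resource limit. If the coarse condition is deliberate, so that a rejected peer learns nothing about the policy, say so at the call: `// One condition for every policy denial; the specific reason is written to the router log only.` Otherwise a reader will take the mismatch for an oversight. The function begins outside this hunk, so whether other denial paths rely on the same call is not visible here.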