You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by ch...@apache.org on 2016/04/18 17:24:36 UTC

qpid-dispatch git commit: DISPATCH-279: Detect, log, and deny AMQP Open with no hostname when policy is in effect.

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 30889363a -> 08d69ce0e


DISPATCH-279: Detect, log, and deny AMQP Open with no hostname when policy is in effect.


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/08d69ce0
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/08d69ce0
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/08d69ce0

Branch: refs/heads/master
Commit: 08d69ce0e7eebae2d7516c90ea678eaaa1bc9a28
Parents: 3088936
Author: Chuck Rolke <cr...@redhat.com>
Authored: Mon Apr 18 11:03:15 2016 -0400
Committer: Chuck Rolke <cr...@redhat.com>
Committed: Mon Apr 18 11:14:12 2016 -0400

----------------------------------------------------------------------
 src/policy.c | 47 ++++++++++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/08d69ce0/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index a5e2f57..d75a2db 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -713,30 +713,37 @@ void qd_policy_amqp_open(void *context, bool discard)
             pn_transport_t *pn_trans = pn_connection_transport(conn);
             const char *hostip = qdpn_connector_hostip(qd_conn->pn_cxtr);
             const char *app = pn_connection_remote_hostname(conn);
-            const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
+            if (app && *app) {
+                const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr);
 #define SETTINGS_NAME_SIZE 256
-            char settings_name[SETTINGS_NAME_SIZE];
-            uint32_t conn_id = qd_conn->connection_id;
-            qd_conn->policy_settings = NEW(qd_policy_settings_t); // TODO: memory pool for settings
-            memset(qd_conn->policy_settings, 0, sizeof(qd_policy_settings_t));
-
-            if (qd_policy_open_lookup_user(policy, qd_conn->user_id, hostip, app, conn_name,
-                                           settings_name, SETTINGS_NAME_SIZE, conn_id,
-                                           qd_conn->policy_settings) &&
-                settings_name[0]) {
-                // This connection is allowed by policy.
-                // Apply transport policy settings
-                if (qd_conn->policy_settings->maxFrameSize > 0)
-                    pn_transport_set_max_frame(pn_trans, qd_conn->policy_settings->maxFrameSize);
-                if (qd_conn->policy_settings->maxSessions > 0)
-                    pn_transport_set_channel_max(pn_trans, qd_conn->policy_settings->maxSessions - 1);
+                char settings_name[SETTINGS_NAME_SIZE];
+                uint32_t conn_id = qd_conn->connection_id;
+                qd_conn->policy_settings = NEW(qd_policy_settings_t); // TODO: memory pool for settings
+                memset(qd_conn->policy_settings, 0, sizeof(qd_policy_settings_t));
+
+                if (qd_policy_open_lookup_user(policy, qd_conn->user_id, hostip, app, conn_name,
+                                               settings_name, SETTINGS_NAME_SIZE, conn_id,
+                                               qd_conn->policy_settings) &&
+                    settings_name[0]) {
+                    // This connection is allowed by policy.
+                    // Apply transport policy settings
+                    if (qd_conn->policy_settings->maxFrameSize > 0)
+                        pn_transport_set_max_frame(pn_trans, qd_conn->policy_settings->maxFrameSize);
+                    if (qd_conn->policy_settings->maxSessions > 0)
+                        pn_transport_set_channel_max(pn_trans, qd_conn->policy_settings->maxSessions - 1);
+                } else {
+                    // This connection is denied by policy.
+                    connection_allowed = false;
+                }
             } else {
-                // This connection is denied by policy.
+                // No application name implies automatic policy denial
                 connection_allowed = false;
-                qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
+                qd_log(qd_conn->server->qd->policy->log_source, QD_LOG_INFO,
+                        "DENY AMQP Open for user '%s', host '%s', application '': "
+                        "No application specified", qd_conn->user_id, hostip);
             }
         } else {
-            // This connection not subject to policy and implicitly allowed.
+            // No policy implies automatic policy allow
             // Note that connections not governed by policy have no policy_settings.
         }
         if (connection_allowed) {
@@ -744,6 +751,8 @@ void qd_policy_amqp_open(void *context, bool discard)
                 pn_connection_open(conn);
             qd_connection_manager_connection_opened(qd_conn);
             policy_notify_opened(qd_conn->open_container, qd_conn, qd_conn->context);
+        } else {
+            qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED);
         }
     }
     qd_connection_set_event_stall(qd_conn, false);


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org