Posted to commits@qpid.apache.org by mg...@apache.org on 2010/11/30 19:39:49 UTC

svn commit: r1040689 - in /qpid/trunk/qpid/cpp/src/qpid: SaslFactory.cpp SaslFactory.h broker/Broker.h broker/ConnectionHandler.cpp

Author: mgoulish
Date: Tue Nov 30 18:39:48 2010
New Revision: 1040689

URL: http://svn.apache.org/viewvc?rev=1040689&view=rev
Log:

    This patch was posted in JIRA QPID-2949.
    It provides a way to tell SaslFactory that console
    interaction is NOT ok, i.e. if the code is running
    as part of a broker, or a daemonized client of some
    kind. Just tell it to never do interaction, and any
    attempt to interact will be treated as an error.



    This script demonstrates that all goes well if you supply enough info :

            rm -rf /tmp/data_1 /tmp/data_2
            mkdir /tmp/data_1 /tmp/data_2

            # in window 1:
            ../qpidd -p 5672 --data-dir /tmp/data_1 --auth=yes --mgmt-enable=yes \
                     --log-enable info+ ./qpidd_1.log --log-source yes           \
                     --sasl-config=/home/mick/trunk/qpid/cpp/src/tests/sasl_config

            # in window 2:
            ../qpidd -p 10000 --data-dir /tmp/data_2 --auth=yes --mgmt-enable=yes \
                     --log-enable info+ ./qpidd_1.log --log-source yes            \
                     --sasl-config=/home/mick/trunk/qpid/cpp/src/tests/sasl_config

            # in window 3 ( from qpid dir )
            ./tools/src/py/qpid-route dynamic add zig/zig@localhost zig/zig@localhost:10000 qmf.default.direct

            # and now view the created route
            ./tools/src/py/qpid-route route list localhost:5672

    If you say auth=no, that works fine also.

    HOWEVER PLEASE NOTE --

    if you say auth=yes, but then do not supply enough into to avoid the need for interaction,
    the attempted interaction will result in the connection being closed. Then the originating broker
    will re-try the connection, and you will get a two-broker infinite loop until you fix it.


Modified:
    qpid/trunk/qpid/cpp/src/qpid/SaslFactory.cpp
    qpid/trunk/qpid/cpp/src/qpid/SaslFactory.h
    qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h
    qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp

Modified: qpid/trunk/qpid/cpp/src/qpid/SaslFactory.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/SaslFactory.cpp?rev=1040689&r1=1040688&r2=1040689&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/SaslFactory.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/SaslFactory.cpp Tue Nov 30 18:39:48 2010
@@ -110,7 +110,7 @@ struct CyrusSaslSettings
 class CyrusSasl : public Sasl
 {
   public:
-    CyrusSasl(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf);
+    CyrusSasl(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf, bool allowInteraction);
     ~CyrusSasl();
     std::string start(const std::string& mechanisms, const SecuritySettings* externalSettings);
     std::string step(const std::string& challenge);
@@ -125,6 +125,10 @@ class CyrusSasl : public Sasl
     std::string mechanism;
     char login[MAX_LOGIN_LENGTH];
 
+    /* In some contexts, like running in the broker or as a daemon, console 
+     * interaction is impossible.  In those cases, we will treat the attempt 
+     * to interact as an error. */
+    bool allowInteraction;
     void interact(sasl_interact_t* client_interact);
 };
 
@@ -159,14 +163,14 @@ SaslFactory& SaslFactory::getInstance()
     return *instance;
 }
 
-std::auto_ptr<Sasl> SaslFactory::create(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf)
+std::auto_ptr<Sasl> SaslFactory::create(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf, bool allowInteraction)
 {
-    std::auto_ptr<Sasl> sasl(new CyrusSasl(username, password, serviceName, hostName, minSsf, maxSsf));
+    std::auto_ptr<Sasl> sasl(new CyrusSasl(username, password, serviceName, hostName, minSsf, maxSsf, allowInteraction));
     return sasl;
 }
 
-CyrusSasl::CyrusSasl(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf)
-    : conn(0), settings(username, password, serviceName, hostName, minSsf, maxSsf) 
+CyrusSasl::CyrusSasl(const std::string & username, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf, bool allowInteraction)
+    : conn(0), settings(username, password, serviceName, hostName, minSsf, maxSsf), allowInteraction(allowInteraction)
 {
     size_t i = 0;
 
@@ -330,6 +334,15 @@ std::string CyrusSasl::getUserId()
 void CyrusSasl::interact(sasl_interact_t* client_interact)
 {
 
+    /*
+      In some context console interaction cannot be allowed, such
+      as when this code run as part of a broker, or as a some other 
+      daemon.   In those cases we will treat the attempt to 
+    */
+    if ( ! allowInteraction ) {
+        throw InternalErrorException("interaction disallowed");
+    }
+
     if (client_interact->id == SASL_CB_PASS) {
         char* password = getpass(client_interact->prompt);
         input = std::string(password);
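Review bot: The comment added at the top of `interact()` stops mid-sentence ("we will treat the attempt to"), and the exception text does not say which SASL callback asked for input, so an operator who hits it cannot tell which credential was missing from the configuration. Finish the comment, e.g. `In those cases we treat any attempt to interact as an error.`, and put the callback id in the message, for example `throw InternalErrorException(QPID_MSG("SASL interaction disallowed, callback id " << client_interact->id));` if `QPID_MSG` is available in this file. The body of `interact()` continues past the end of the hunk.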

Modified: qpid/trunk/qpid/cpp/src/qpid/SaslFactory.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/SaslFactory.h?rev=1040689&r1=1040688&r2=1040689&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/SaslFactory.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/SaslFactory.h Tue Nov 30 18:39:48 2010
@@ -34,7 +34,7 @@ namespace qpid {
 class SaslFactory
 {
   public:
-    QPID_COMMON_EXTERN std::auto_ptr<Sasl> create(const std::string & userName, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf );
+    QPID_COMMON_EXTERN std::auto_ptr<Sasl> create(const std::string & userName, const std::string & password, const std::string & serviceName, const std::string & hostName, int minSsf, int maxSsf, bool allowInteraction=true );
     QPID_COMMON_EXTERN static SaslFactory& getInstance();
     QPID_COMMON_EXTERN ~SaslFactory();
   private:
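Review bot: `allowInteraction=true` on `create()` makes the non-interactive mode opt-in, so any caller that is not updated, including a daemonized client, keeps prompting on the console through `interact()`. Consider dropping the default so each call site has to state its choice, or at least document the parameter above the declaration, e.g. `/** @param allowInteraction false when no console is available; an attempt to prompt is then treated as an error. */`. Because the method is exported with `QPID_COMMON_EXTERN`, the added parameter also changes the exported signature, so binaries built against the old header would presumably need rebuilding. The class declaration continues outside the hunk.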

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h?rev=1040689&r1=1040688&r2=1040689&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h Tue Nov 30 18:39:48 2010
@@ -286,6 +286,7 @@ public:
     boost::function<bool (const std::string& queue,
                           const boost::intrusive_ptr<Message>& msg)> deferDelivery;
 
+    bool isAuthenticating ( ) { return config.auth; }
 };
 
 }}
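Review bot: `isAuthenticating()` only reads `config.auth` and should be declared `const`: `bool isAuthenticating() const { return config.auth; }`. It also needs a one-line comment, such as `/** True when this broker is configured with authentication enabled (config.auth). */`, because the name can equally be read as "an authentication exchange is in progress". The class body starts outside the hunk.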

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp?rev=1040689&r1=1040688&r2=1040689&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp Tue Nov 30 18:39:48 2010
@@ -246,12 +246,15 @@ void ConnectionHandler::Handler::start(c
     std::string host     = connection.getHost();
     std::string service("qpidd");
 
-    sasl = SaslFactory::getInstance().create( username,
-                                              password,
-                                              service,
-                                              host,
-                                              0,   // TODO -- mgoulish Fri Sep 24 06:41:26 EDT 2010
-                                              256  /* TODO -- mgoulish*/ );
+    if ( connection.getBroker().isAuthenticating() ) {
+        sasl = SaslFactory::getInstance().create( username,
+                                                  password,
+                                                  service,
+                                                  host,
+                                                  0,   // TODO -- mgoulish Fri Sep 24 2010
+                                                  256,  
+                                                  false ); // disallow interaction
+    }
     std::string supportedMechanismsList;
     bool requestedMechanismIsSupported = false;
     Array::const_iterator i;
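Review bot: When `isAuthenticating()` is false the new `if` skips `create()` and `sasl` is left unset, so every later use of `sasl` in `Handler::start()` has to be guarded against a null pointer; that code lies outside the hunk and should be checked. The condition also tests this broker's own `auth` setting, while `start()` appears to run on the side that answers a peer's mechanism list, so a broker running with auth off would presumably be unable to authenticate to a peer that requires it; confirm that this is intended. The minimum SSF stays hard-coded at `0` with its TODO, which means no security layer is required on these connections, and the `256` argument lost its TODO marker without the value being made configurable.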


