You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by gs...@apache.org on 2013/11/08 15:08:14 UTC
svn commit: r1540041 - in /qpid/trunk/qpid/cpp/src/qpid/broker/amqp:
Authorise.cpp Authorise.h Session.cpp
Author: gsim
Date: Fri Nov 8 14:08:14 2013
New Revision: 1540041
URL: http://svn.apache.org/r1540041
Log:
QPID-5299: check access permissions before resolving node
Modified:
qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp
qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h
qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.cpp Fri Nov 8 14:08:14 2013
@@ -128,4 +128,22 @@ void Authorise::interlink()
}
}
+void Authorise::access(const std::string& node, bool queueRequested, bool exchangeRequested)
+{
+ if (acl) {
+ std::map<acl::Property, std::string> params;
+ bool checkExchange = true;
+ bool checkQueue = true;
+ if (exchangeRequested) checkQueue = false;
+ else if (queueRequested) checkExchange = false;
+
+ bool allowExchange = !checkExchange || acl->authorise(user, acl::ACT_ACCESS, acl::OBJ_EXCHANGE, node, ¶ms);
+ bool allowQueue = !checkQueue || acl->authorise(user, acl::ACT_ACCESS, acl::OBJ_QUEUE, node, ¶ms);
+
+ if (!allowQueue || !allowExchange) {
+ throw Exception(qpid::amqp::error_conditions::UNAUTHORIZED_ACCESS, QPID_MSG("ACL denied access request to " << node << " from " << user));
+ }
+ }
+}
+
}}} // namespace qpid::broker::amqp
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Authorise.h Fri Nov 8 14:08:14 2013
@@ -48,6 +48,13 @@ class Authorise
void outgoing(boost::shared_ptr<Queue>);
void route(boost::shared_ptr<Exchange>, const Message&);
void interlink();
+ /**
+ * Used to determine whether the user has access permission for a
+ * given node name. If a specific type of node was requested, only
+ * acces to that type is checked. Otherwise access to either queue
+ * or exchange is required.
+ */
+ void access(const std::string& name, bool queueRequested, bool exchangeRequested);
private:
const std::string user;
AclModule* const acl;
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp?rev=1540041&r1=1540040&r2=1540041&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp Fri Nov 8 14:08:14 2013
@@ -199,13 +199,25 @@ Session::Session(pn_session_t* s, Connec
Session::ResolvedNode Session::resolve(const std::string name, pn_terminus_t* terminus, bool incoming)
{
- ResolvedNode node;
- node.exchange = connection.getBroker().getExchanges().find(name);
- node.queue = connection.getBroker().getQueues().find(name);
- node.topic = connection.getTopics().get(name);
- bool createOnDemand = is_capability_requested(CREATE_ON_DEMAND, pn_terminus_capabilities(terminus));
bool isQueueRequested = is_capability_requested(QUEUE, pn_terminus_capabilities(terminus));
bool isTopicRequested = is_capability_requested(TOPIC, pn_terminus_capabilities(terminus));
+ if (isTopicRequested && isQueueRequested) {
+ //requesting both renders each request meaningless
+ isQueueRequested = false;
+ isTopicRequested = false;
+ }
+ //check whether user is even allowed access to queues/topics before resolving
+ authorise.access(name, isQueueRequested, isTopicRequested);
+ ResolvedNode node;
+ if (isTopicRequested || !isQueueRequested) {
+ node.topic = connection.getTopics().get(name);
+ if (node.topic) node.exchange = node.topic->getExchange();
+ else node.exchange = connection.getBroker().getExchanges().find(name);
+ }
+ if (isQueueRequested || !isTopicRequested) {
+ node.queue = connection.getBroker().getQueues().find(name);
+ }
+ bool createOnDemand = is_capability_requested(CREATE_ON_DEMAND, pn_terminus_capabilities(terminus));
//Strictly speaking, properties should only be specified when the
//terminus is dynamic. However we will not enforce that here. If
//properties are set on the attach request, we will set them on
@@ -213,7 +225,6 @@ Session::ResolvedNode Session::resolve(c
//qpid messaging API to be implemented over 1.0.
node.properties.read(pn_terminus_properties(terminus));
- if (node.topic) node.exchange = node.topic->getExchange();
if (node.exchange && createOnDemand && isTopicRequested) {
if (!node.properties.getExchangeType().empty() && node.properties.getExchangeType() != node.exchange->getType()) {
//emulate 0-10 exchange-declare behaviour
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org