You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by gm...@apache.org on 2019/10/04 15:31:09 UTC
[qpid-dispatch] 02/02: Revert "DISPATCH-1434 - Added new attribute
saslPasswordFile to the connector entity. saslPassword entity has been
deprecated. This closes #578."
This is an automated email from the ASF dual-hosted git repository.
gmurthy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
commit 61b9a7a277e957deb25e3319937158817d776840
Author: Ganesh Murthy <gm...@apache.org>
AuthorDate: Wed Oct 2 16:54:58 2019 -0400
Revert "DISPATCH-1434 - Added new attribute saslPasswordFile to the connector entity. saslPassword entity has been deprecated. This closes #578."
This reverts commit a97dea9aace6142d58f70caf66710386dc3e1156.
---
docs/books/user-guide/configuration-reference.adoc | 2 +-
docs/books/user-guide/configuration-security.adoc | 4 +-
...ing-using-username-password-authentication.adoc | 2 +-
include/qpid/dispatch/server.h | 7 --
pom.xml | 1 -
python/qpid_dispatch/management/qdrouter.json | 9 +--
src/connection_manager.c | 75 ++++++++--------------
tests/sasl_password/sasl-password-file.txt | 1 -
tests/system_tests_sasl_plain.py | 11 +---
9 files changed, 35 insertions(+), 77 deletions(-)
diff --git a/docs/books/user-guide/configuration-reference.adoc b/docs/books/user-guide/configuration-reference.adoc
index d3077cb..c25cd2c 100644
--- a/docs/books/user-guide/configuration-reference.adoc
+++ b/docs/books/user-guide/configuration-reference.adoc
@@ -144,7 +144,7 @@ Establishes an outgoing connection from the router.
* *_linkCapacity_* (integer) : The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
* *_verifyHostname_* (boolean, default=True) : yes: Ensures that when initiating a connection (as a client) the hostname in the URL to which this connector connects to matches the hostname in the digital certificate that the peer sends back as part of the SSL/TLS connection; no: Does not perform hostname verification
* *_saslUsername_* (string) : The username that the connector is using to connect to a peer.
-* *_saslPasswordFile_* (string) : The absolute path to the file that contains the password that the connector uses to connect to a peer.
+* *_saslPassword_* (string) : The password that the connector is using to connect to a peer.
* *_sslProfile_* (string) : The name of the _sslProfile_ entity to use in order to have SSL/TLS configuration.
[id='router-configuration-file-log']
diff --git a/docs/books/user-guide/configuration-security.adoc b/docs/books/user-guide/configuration-security.adoc
index b4c97a2..d0e4018 100644
--- a/docs/books/user-guide/configuration-security.adoc
+++ b/docs/books/user-guide/configuration-security.adoc
@@ -370,7 +370,7 @@ connector {
...
saslMechanisms: _MECHANISMS_
saslUsername: _USERNAME_
- saslPasswordFile: _ABSOLUTE PATH_
+ saslPassword: _PASSWORD_
}
----
@@ -378,7 +378,7 @@ connector {
+
For a full list of supported Cyrus SASL authentication mechanisms, see link:https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html[Authentication Mechanisms^].
`saslUsername`:: If any of the SASL mechanisms uses username/password authentication, then provide the username to connect to the external container.
-`saslPasswordFile`:: If any of the SASL mechanisms uses username/password authentication, then provide the absolute path to the file that contains the password to connect to the external container.
+`saslPassword`:: If any of the SASL mechanisms uses username/password authentication, then provide the password to connect to the external container.
--
[id='integrating-with-kerberos']
diff --git a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
index f5b40a7..cf3f254 100644
--- a/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
+++ b/docs/books/user-guide/modules/connecting-using-username-password-authentication.adoc
@@ -52,7 +52,7 @@ connector {
role: route-container
saslMechanisms: PLAIN
saslUsername: user
- saslPasswordFile: /path/to/file/passwd.txt
+ saslPassword: password
}
----
--
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 992ded6..043baa5 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -205,15 +205,8 @@ typedef struct qd_server_config_t {
char *sasl_username;
/**
- * The full path of the file that contains the sasl password. Use this instead of sasl_password.
- */
- char *sasl_password_file;
-
- /**
* If appropriate for the mechanism, the password for authentication
* (connector only)
- *
- * Deprecated - Use sasl_password_file instead.
*/
char *sasl_password;
diff --git a/pom.xml b/pom.xml
index 74d7bf8..3769861 100644
--- a/pom.xml
+++ b/pom.xml
@@ -104,7 +104,6 @@
<exclude>**/VERSION.txt</exclude>
<exclude>**/v3_ca.ext</exclude>
<exclude>**/system_test.dir/**</exclude>
- <exclude>**/sasl-password-file.txt</exclude>
<exclude>**/server-password-file.txt</exclude>
<exclude>**/server-password-file-bad.txt</exclude>
<exclude>**/client-password-file.txt</exclude>
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 5d1f4d9..707ae46 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -1002,17 +1002,10 @@
"saslPassword": {
"type": "string",
"required": false,
- "description": "(DEPRECATED) The password that the connector is using to connect to a peer. This takes precedence over the saslPasswordFile if both are specified. This attribute has been deprecated because it is unsafe to store plain text passwords in config files. Use the saslPasswordFile instead",
+ "description": "The password that the connector is using to connect to a peer.",
"create": true,
- "deprecated": true,
"hidden": true
},
- "saslPasswordFile": {
- "type": "string",
- "required": false,
- "description": "The absolute path to the file that contains the password that the connector uses to connect to a peer. This file should be permission protected to limit access",
- "create": true
- },
"messageLoggingComponents": {
"type": "string",
"default": "none",
diff --git a/src/connection_manager.c b/src/connection_manager.c
index 5df28d8..b571555 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -89,38 +89,6 @@ const char *ALL = "all";
const char *NONE = "none";
/**
- * Reads the password from the password_file and populates the contents of the file in password_field.
- */
-static void set_password_from_file(char *password_file, char **password_field)
-{
- if (password_file) {
- FILE *file = fopen(password_file, "r");
-
- if (file) {
- char buffer[200];
-
- int c;
- int i=0;
-
- while (i < 200 - 1) {
- c = fgetc(file);
- if (c == EOF || c == '\n')
- break;
- buffer[i++] = c;
- }
-
- if (i != 0) {
- buffer[i] = '\0';
- free(*password_field);
- *password_field = strdup(buffer);
- }
- fclose(file);
- }
- }
-}
-
-
-/**
* Search the list of config_ssl_profiles for an ssl-profile that matches the passed in name
*/
static qd_config_ssl_profile_t *qd_find_ssl_profile(qd_connection_manager_t *cm, char *name)
@@ -331,8 +299,6 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
{
qd_error_clear();
- qd_connection_manager_t *cm = qd->connection_manager;
-
bool authenticatePeer = qd_entity_opt_bool(entity, "authenticatePeer", false); CHECK();
bool verifyHostName = qd_entity_opt_bool(entity, "verifyHostname", true); CHECK();
bool requireEncryption = qd_entity_opt_bool(entity, "requireEncryption", false); CHECK();
@@ -361,17 +327,6 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
}
config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK();
config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK();
-
- if (config->sasl_password) {
- qd_log(cm->log_source, QD_LOG_WARNING, "Attribute saslPassword of entity connector has been deprecated. Use saslPasswordFile instead.");
- }
- else {
- // saslPassword not provided. Check if saslPasswordFile property is specified.
- char *password_file = qd_entity_opt_string(entity, "saslPasswordFile", 0); CHECK();
- set_password_from_file(password_file, &config->sasl_password);
- free(password_file);
- }
-
config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK();
config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK();
config->sasl_plugin = qd_entity_opt_string(entity, "saslPlugin", 0); CHECK();
@@ -557,10 +512,36 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd
if (ssl_profile->ssl_password) {
qd_log(cm->log_source, QD_LOG_WARNING, "Attribute password of entity sslProfile has been deprecated. Use passwordFile instead.");
}
- else {
+
+
+ if (!ssl_profile->ssl_password) {
// SSL password not provided. Check if passwordFile property is specified.
char *password_file = qd_entity_opt_string(entity, "passwordFile", 0); CHECK();
- set_password_from_file(password_file, &ssl_profile->ssl_password);
+
+ if (password_file) {
+ FILE *file = fopen(password_file, "r");
+
+ if (file) {
+ char buffer[200];
+
+ int c;
+ int i=0;
+
+ while (i < 200 - 1) {
+ c = fgetc(file);
+ if (c == EOF || c == '\n')
+ break;
+ buffer[i++] = c;
+ }
+
+ if (i != 0) {
+ buffer[i] = '\0';
+ free(ssl_profile->ssl_password);
+ ssl_profile->ssl_password = strdup(buffer);
+ }
+ fclose(file);
+ }
+ }
free(password_file);
}
ssl_profile->ssl_ciphers = qd_entity_opt_string(entity, "ciphers", 0); CHECK();
diff --git a/tests/sasl_password/sasl-password-file.txt b/tests/sasl_password/sasl-password-file.txt
deleted file mode 100644
index f3097ab..0000000
--- a/tests/sasl_password/sasl-password-file.txt
+++ /dev/null
@@ -1 +0,0 @@
-password
diff --git a/tests/system_tests_sasl_plain.py b/tests/system_tests_sasl_plain.py
index 6a6749f..95b1ecd 100644
--- a/tests/system_tests_sasl_plain.py
+++ b/tests/system_tests_sasl_plain.py
@@ -58,9 +58,6 @@ sql_select: dummy select
""")
class RouterTestPlainSasl(RouterTestPlainSaslCommon):
- @staticmethod
- def sasl_password_file(name):
- return os.path.join(DIR, 'sasl_password', name)
@classmethod
def setUpClass(cls):
@@ -104,7 +101,7 @@ class RouterTestPlainSasl(RouterTestPlainSaslCommon):
# Provide a sasl user name and password to connect to QDR.X
'saslMechanisms': 'PLAIN',
'saslUsername': 'test@domain.com',
- 'saslPasswordFile': cls.sasl_password_file('sasl-password-file.txt')}),
+ 'saslPassword': 'password'}),
('router', {'workerThreads': 1,
'mode': 'interior',
'id': 'QDR.Y'}),
@@ -197,10 +194,6 @@ class RouterTestPlainSaslOverSsl(RouterTestPlainSaslCommon):
def ssl_file(name):
return os.path.join(DIR, 'ssl_certs', name)
- @staticmethod
- def sasl_password_file(name):
- return os.path.join(DIR, 'sasl_password', name)
-
@classmethod
def setUpClass(cls):
"""
@@ -255,7 +248,7 @@ class RouterTestPlainSaslOverSsl(RouterTestPlainSaslCommon):
# Provide a sasl user name and password to connect to QDR.X
'saslMechanisms': 'PLAIN',
'saslUsername': 'test@domain.com',
- 'saslPasswordFile': cls.sasl_password_file('sasl-password-file.txt')}),
+ 'saslPassword': 'password'}),
('router', {'workerThreads': 1,
'mode': 'interior',
'id': 'QDR.Y'}),
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org