Posted to commits@qpid.apache.org by as...@apache.org on 2015/06/10 22:56:30 UTC
qpid-proton git commit: PROTON-866: Tell SASL the external ssf and
authid when we detect SASL - Add Internal API to set external ssf/authid to
SASL
Repository: qpid-proton
Updated Branches:
refs/heads/master f252261b9 -> 1cfeef1c0
PROTON-866: Tell SASL the external ssf and authid when we detect SASL
- Add Internal API to set external ssf/authid to SASL
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/1cfeef1c
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/1cfeef1c
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/1cfeef1c
Branch: refs/heads/master
Commit: 1cfeef1c03d4607844320320ab50054f750f3aa8
Parents: f252261
Author: Andrew Stitcher <as...@apache.org>
Authored: Tue May 26 15:11:54 2015 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Wed Jun 10 16:41:51 2015 -0400
----------------------------------------------------------------------
proton-c/src/sasl/cyrus_sasl.c | 33 ++++++++++++++++++++++++---------
proton-c/src/sasl/sasl-internal.h | 3 +++
proton-c/src/sasl/sasl.c | 13 +++++++++++++
proton-c/src/transport/transport.c | 1 +
4 files changed, 41 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/cyrus_sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/cyrus_sasl.c b/proton-c/src/sasl/cyrus_sasl.c
index 4bf5f4d..e280324 100644
--- a/proton-c/src/sasl/cyrus_sasl.c
+++ b/proton-c/src/sasl/cyrus_sasl.c
@@ -122,6 +122,23 @@ bool pni_init_client(pn_transport_t* transport) {
if (result!=SASL_OK) return false;
sasl->impl_context = cyrus_conn;
+ sasl_security_properties_t secprops = {0};
+ secprops.security_flags =
+ SASL_SEC_NOPLAINTEXT |
+ ( transport->auth_required ? SASL_SEC_NOANONYMOUS : 0 ) ;
+
+ result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
+ if (result!=SASL_OK) return false;
+
+ sasl_ssf_t ssf = sasl->external_ssf;
+ result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+ if (result!=SASL_OK) return false;
+
+ const char *extid = sasl->external_auth;
+ if (extid) {
+ result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+ if (result!=SASL_OK) return false;
+ }
return true;
}
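Review bot: `sasl_ssf_t ssf = sasl->external_ssf;` converts the `int` field declared in sasl-internal.h to the unsigned `sasl_ssf_t` with no range check, so if `pn_ssl_get_ssf` can ever hand back a negative value the implicit conversion wraps to a very large SSF and Cyrus is told the link is strongly protected. Clamping at the point of use, `sasl_ssf_t ssf = sasl->external_ssf > 0 ? (sasl_ssf_t)sasl->external_ssf : 0;`, or declaring `external_ssf` as `unsigned` in the struct, closes that. The same assignment is made in pni_wrap_server_new in the next hunk. pni_init_client's body begins above the hunk.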
@@ -242,17 +259,15 @@ static int pni_wrap_server_new(pn_transport_t *transport)
result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
if (result!=SASL_OK) return result;
- // EXTERNAL not implemented yet
- #if 0
- sasl_ssf_t ssf = 128;
- result = sasl_setprop(sasl->cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+ sasl_ssf_t ssf = sasl->external_ssf;
+ result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
if (result!=SASL_OK) return result;
- const char *extid = "user";
- result = sasl_setprop(sasl->cyrus_conn, SASL_AUTH_EXTERNAL, extid);
- if (result!=SASL_OK) return result;
- #endif
-
+ const char *extid = sasl->external_auth;
+ if (extid) {
+ result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+ if (result!=SASL_OK) return result;
+ }
return result;
}
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl-internal.h
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl-internal.h b/proton-c/src/sasl/sasl-internal.h
index da180e4..40df261 100644
--- a/proton-c/src/sasl/sasl-internal.h
+++ b/proton-c/src/sasl/sasl-internal.h
@@ -29,6 +29,7 @@
void pn_sasl_free(pn_transport_t *transport);
void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, const char *password);
void pni_sasl_set_remote_hostname(pn_transport_t *transport, const char* fqdn);
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid);
// Internal SASL authenticator interface
void pni_sasl_impl_free(pn_transport_t *transport);
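Review bot: The new `pni_sasl_set_external_security` prototype carries no contract, although it is the one entry point through which TLS-derived trust reaches SASL, and neither the ownership of `authid` nor the meaning of `ssf` is recoverable from the signature. I would put above it `// Record the security strength factor and authenticated identity of the layer below SASL (e.g. TLS); authid is copied (NULL clears it).`. The copying behaviour is what the sasl.c definition in this commit does.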
@@ -63,6 +64,8 @@ struct pni_sasl_t {
const char *config_name;
char *config_dir;
const char *remote_fqdn;
+ char *external_auth;
+ int external_ssf;
pn_sasl_outcome_t outcome;
pn_bytes_t bytes_out;
enum pni_sasl_state desired_state;
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl.c b/proton-c/src/sasl/sasl.c
index e180280..3142832 100644
--- a/proton-c/src/sasl/sasl.c
+++ b/proton-c/src/sasl/sasl.c
@@ -24,6 +24,7 @@
#include "dispatch_actions.h"
#include "engine/engine-internal.h"
#include "protocol.h"
+#include "proton/ssl.h"
#include "util.h"
#include "transport/autodetect.h"
@@ -87,6 +88,7 @@ static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int
}
if (transport->trace & PN_TRACE_FRM)
pn_transport_logf(transport, " <- %s", "SASL");
+ pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
return SASL_HEADER_LEN;
case PNI_PROTOCOL_INSUFFICIENT:
if (!eos) return 0;
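Review bot: The identity passed as `authid` here is whatever `pn_ssl_get_remote_subject` returns, and it becomes SASL_AUTH_EXTERNAL in cyrus_sasl.c, i.e. the externally authenticated identity an EXTERNAL mechanism will accept without further proof. That is only sound if the SSL layer reports a subject solely for a peer certificate it verified; if it also reports the subject of an unverified certificate (e.g. under PN_SSL_ANONYMOUS_PEER), the peer chooses the DN it is authenticated as, so either confirm the SSL layer gates on verification or gate the call on it here. When this path runs on the client side the remote subject is the server's certificate DN, which is presumably not the local identity SASL_AUTH_EXTERNAL is meant to carry; worth confirming that is intended. The same call is made in pn_io_layer_input_autodetect in transport.c (last hunk); both lines would read better with the two ssl lookups in named locals. pn_input_read_sasl_header's body extends outside the hunk.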
@@ -367,6 +369,8 @@ pn_sasl_t *pn_sasl(pn_transport_t *transport)
sasl->config_name = sasl->client ? "proton-client" : "proton-server";
sasl->config_dir = sasl_config_path ? pn_strdup(sasl_config_path) : NULL;
sasl->remote_fqdn = NULL;
+ sasl->external_auth = NULL;
+ sasl->external_ssf = 0;
sasl->outcome = PN_SASL_NONE;
sasl->impl_context = NULL;
sasl->bytes_out.size = 0;
@@ -417,6 +421,14 @@ void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, con
sasl->password = password ? pn_strdup(password) : NULL;
}
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid)
+{
+ pni_sasl_t *sasl = transport->sasl;
+ sasl->external_ssf = ssf;
+ free(sasl->external_auth);
+ sasl->external_auth = authid ? pn_strdup(authid) : NULL;
+}
+
const char *pn_sasl_get_user(pn_sasl_t *sasl0)
{
pni_sasl_t *sasl = get_sasl_internal(sasl0);
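Review bot: `pni_sasl_t *sasl = transport->sasl;` in the new pni_sasl_set_external_security is dereferenced unconditionally; if the transport.c caller can reach it on a transport whose SASL layer was never created (transport->sasl still NULL), this is a NULL dereference on the SASL-header path. A guard `if (!sasl) return;` right after the assignment makes it harmless; if pn_sasl() is guaranteed to have run before either caller, a one-line comment stating that would do instead. The unchecked `pn_strdup` result matches the sibling setters in this file.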
@@ -476,6 +488,7 @@ void pn_sasl_free(pn_transport_t *transport)
free(sasl->included_mechanisms);
free(sasl->password);
free(sasl->config_dir);
+ free(sasl->external_auth);
// CYRUS_SASL
if (sasl->impl_context) {
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/transport/transport.c
----------------------------------------------------------------------
diff --git a/proton-c/src/transport/transport.c b/proton-c/src/transport/transport.c
index b5887ef..0e23975 100644
--- a/proton-c/src/transport/transport.c
+++ b/proton-c/src/transport/transport.c
@@ -250,6 +250,7 @@ ssize_t pn_io_layer_input_autodetect(pn_transport_t *transport, unsigned int lay
transport->io_layers[layer+1] = &pni_autodetect_layer;
if (transport->trace & PN_TRACE_FRM)
pn_transport_logf(transport, " <- %s", "SASL");
+ pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
return 8;
case PNI_PROTOCOL_AMQP1:
if (transport->auth_required && !pn_transport_is_authenticated(transport)) {