Posted to commits@qpid.apache.org by as...@apache.org on 2015/06/10 22:56:30 UTC

qpid-proton git commit: PROTON-866: Tell SASL the external ssf and authid when we detect SASL - Add Internal API to set external ssf/authid to SASL

Repository: qpid-proton
Updated Branches:
  refs/heads/master f252261b9 -> 1cfeef1c0


PROTON-866: Tell SASL the external ssf and authid when we detect SASL
- Add Internal API to set external ssf/authid to SASL


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/1cfeef1c
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/1cfeef1c
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/1cfeef1c

Branch: refs/heads/master
Commit: 1cfeef1c03d4607844320320ab50054f750f3aa8
Parents: f252261
Author: Andrew Stitcher <as...@apache.org>
Authored: Tue May 26 15:11:54 2015 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Wed Jun 10 16:41:51 2015 -0400

----------------------------------------------------------------------
 proton-c/src/sasl/cyrus_sasl.c     | 33 ++++++++++++++++++++++++---------
 proton-c/src/sasl/sasl-internal.h  |  3 +++
 proton-c/src/sasl/sasl.c           | 13 +++++++++++++
 proton-c/src/transport/transport.c |  1 +
 4 files changed, 41 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/cyrus_sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/cyrus_sasl.c b/proton-c/src/sasl/cyrus_sasl.c
index 4bf5f4d..e280324 100644
--- a/proton-c/src/sasl/cyrus_sasl.c
+++ b/proton-c/src/sasl/cyrus_sasl.c
@@ -122,6 +122,23 @@ bool pni_init_client(pn_transport_t* transport) {
     if (result!=SASL_OK) return false;
     sasl->impl_context = cyrus_conn;
 
+    sasl_security_properties_t secprops = {0};
+    secprops.security_flags =
+    SASL_SEC_NOPLAINTEXT |
+    ( transport->auth_required ? SASL_SEC_NOANONYMOUS : 0 ) ;
+
+    result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
+    if (result!=SASL_OK) return false;
+
+    sasl_ssf_t ssf = sasl->external_ssf;
+    result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+    if (result!=SASL_OK) return false;
+
+    const char *extid = sasl->external_auth;
+    if (extid) {
+      result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+      if (result!=SASL_OK) return false;
+    }
     return true;
 }
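Review bot: The property-setting block on L55-L63 (external SSF, then the optional external authid) is repeated verbatim in pni_wrap_server_new in the next hunk (L75-L88); one static helper called from both keeps the client and server paths from drifting, and gives a single place to comment why the properties are set at all — Cyrus relaxes SASL_SEC_NOPLAINTEXT once the external SSF is above one, so the unconditional NOPLAINTEXT on L49 still permits PLAIN over a TLS connection while blocking it on a bare one, which is the intended policy. The helper should also make the int-to-sasl_ssf_t conversion explicit, since external_ssf is declared `int` and sasl_ssf_t is unsigned, and whoever computes the value (outside this file) must never supply a negative one. pni_init_client starts above the hunk, so the helper would sit before it.
```c
/* Hand the security already established below SASL (external SSF from the
 * TLS layer and, if present, the externally authenticated identity) to a
 * freshly created Cyrus connection.  Shared by client and server setup.
 * Returns a Cyrus result code; SASL_OK on success. */
static int pni_set_external_props(sasl_conn_t *cyrus_conn, const pni_sasl_t *sasl)
{
    /* Cyrus drops the NOPLAINTEXT restriction once this exceeds one,
     * which is what lets PLAIN run over TLS but not in the clear. */
    sasl_ssf_t ssf = (sasl_ssf_t)sasl->external_ssf;
    int result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
    if (result != SASL_OK) return result;

    const char *extid = sasl->external_auth;
    if (extid) {
        result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
    }
    return result;
}

/* … unchanged: pni_init_client up to the SASL_SEC_PROPS call … */
    result = pni_set_external_props(cyrus_conn, sasl);
    if (result != SASL_OK) return false;
    return true;
```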
 
@@ -242,17 +259,15 @@ static int pni_wrap_server_new(pn_transport_t *transport)
     result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
     if (result!=SASL_OK) return result;
 
-    // EXTERNAL not implemented yet
-    #if 0
-    sasl_ssf_t ssf = 128;
-    result = sasl_setprop(sasl->cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+    sasl_ssf_t ssf = sasl->external_ssf;
+    result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
     if (result!=SASL_OK) return result;
 
-    const char *extid = "user";
-    result = sasl_setprop(sasl->cyrus_conn, SASL_AUTH_EXTERNAL, extid);
-    if (result!=SASL_OK) return result;
-    #endif
-
+    const char *extid = sasl->external_auth;
+    if (extid) {
+      result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+      if (result!=SASL_OK) return result;
+    }
     return result;
 }
 

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl-internal.h
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl-internal.h b/proton-c/src/sasl/sasl-internal.h
index da180e4..40df261 100644
--- a/proton-c/src/sasl/sasl-internal.h
+++ b/proton-c/src/sasl/sasl-internal.h
@@ -29,6 +29,7 @@
 void pn_sasl_free(pn_transport_t *transport);
 void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, const char *password);
 void pni_sasl_set_remote_hostname(pn_transport_t *transport, const char* fqdn);
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid);
 
 // Internal SASL authenticator interface
 void pni_sasl_impl_free(pn_transport_t *transport);
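Review bot: The new declaration on L103 carries no comment, and the two struct fields it feeds (`external_auth`, `external_ssf`, added in the next hunk at L111-L112) are equally bare; since this is the internal contract between the transport and the SASL implementation it should say what the values mean and who owns them. Based on the definition in sasl.c, the comment I would add above L103 is: `// Record the security already established by the layer below SASL: ssf is its security strength factor (0 when there is none) and authid the identity it authenticated, or NULL. The string is copied; passing NULL clears any previous value.` A one-line comment on each field (`// copied authid from the external layer, owned here` and `// SSF of the external layer, 0 = none`) would finish the job. Minor: `ssf` is `int` here while Cyrus expects an unsigned `sasl_ssf_t`, so the contract should state that it is never negative.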
@@ -63,6 +64,8 @@ struct pni_sasl_t {
   const char *config_name;
   char *config_dir;
   const char *remote_fqdn;
+  char *external_auth;
+  int external_ssf;
   pn_sasl_outcome_t outcome;
   pn_bytes_t bytes_out;
   enum pni_sasl_state desired_state;

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl.c b/proton-c/src/sasl/sasl.c
index e180280..3142832 100644
--- a/proton-c/src/sasl/sasl.c
+++ b/proton-c/src/sasl/sasl.c
@@ -24,6 +24,7 @@
 #include "dispatch_actions.h"
 #include "engine/engine-internal.h"
 #include "protocol.h"
+#include "proton/ssl.h"
 #include "util.h"
 #include "transport/autodetect.h"
 
@@ -87,6 +88,7 @@ static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int
     }
     if (transport->trace & PN_TRACE_FRM)
         pn_transport_logf(transport, "  <- %s", "SASL");
+    pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
     return SASL_HEADER_LEN;
   case PNI_PROTOCOL_INSUFFICIENT:
     if (!eos) return 0;
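Review bot: The identity handed to SASL EXTERNAL on L135 is whatever pn_ssl_get_remote_subject() returns, and nothing at this call site ties that to whether the peer certificate was actually verified; if that function can return a subject for a certificate that was presented but not checked (for instance under PN_SSL_ANONYMOUS_PEER), the EXTERNAL mechanism would authenticate a name nobody validated. The same call is made in transport.c at L182, so either confirm that pn_ssl_get_remote_subject() only reports verified subjects, or pass NULL as the authid unless the SSL layer verified the peer, and record that dependency at the call: `// authid is trusted only because the SSL layer verified the peer certificate; confirm this holds for PN_SSL_ANONYMOUS_PEER`. Splitting the two pn_ssl_* calls into locals before the call would also make the line readable. pn_input_read_sasl_header starts and ends outside the hunk.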
@@ -367,6 +369,8 @@ pn_sasl_t *pn_sasl(pn_transport_t *transport)
     sasl->config_name = sasl->client ? "proton-client" : "proton-server";
     sasl->config_dir =  sasl_config_path ? pn_strdup(sasl_config_path) : NULL;
     sasl->remote_fqdn = NULL;
+    sasl->external_auth = NULL;
+    sasl->external_ssf = 0;
     sasl->outcome = PN_SASL_NONE;
     sasl->impl_context = NULL;
     sasl->bytes_out.size = 0;
@@ -417,6 +421,14 @@ void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, con
   sasl->password = password ? pn_strdup(password) : NULL;
 }
 
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid)
+{
+  pni_sasl_t *sasl = transport->sasl;
+  sasl->external_ssf = ssf;
+  free(sasl->external_auth);
+  sasl->external_auth = authid ? pn_strdup(authid) : NULL;
+}
+
 const char *pn_sasl_get_user(pn_sasl_t *sasl0)
 {
     pni_sasl_t *sasl = get_sasl_internal(sasl0);
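Review bot: pni_sasl_set_external_security dereferences transport->sasl on L154-L157 without checking it, and both new callers (sasl.c L135 and transport.c L182) invoke it unconditionally at the moment the SASL header is detected; whether the SASL object is guaranteed to exist at those points is not visible here. If it is not, a NULL deref follows on the first SASL connection, so either add `if (!sasl) return;` after L154 (with a comment that the caller must create the SASL layer first, since a silent return would drop the external identity) or make the precondition explicit with an assert. The function also deserves a header comment stating that `authid` is copied and that NULL clears the stored value, which L156-L157 establish.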
@@ -476,6 +488,7 @@ void pn_sasl_free(pn_transport_t *transport)
       free(sasl->included_mechanisms);
       free(sasl->password);
       free(sasl->config_dir);
+      free(sasl->external_auth);
 
       // CYRUS_SASL
       if (sasl->impl_context) {

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/transport/transport.c
----------------------------------------------------------------------
diff --git a/proton-c/src/transport/transport.c b/proton-c/src/transport/transport.c
index b5887ef..0e23975 100644
--- a/proton-c/src/transport/transport.c
+++ b/proton-c/src/transport/transport.c
@@ -250,6 +250,7 @@ ssize_t pn_io_layer_input_autodetect(pn_transport_t *transport, unsigned int lay
     transport->io_layers[layer+1] = &pni_autodetect_layer;
     if (transport->trace & PN_TRACE_FRM)
         pn_transport_logf(transport, "  <- %s", "SASL");
+    pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
     return 8;
   case PNI_PROTOCOL_AMQP1:
     if (transport->auth_required && !pn_transport_is_authenticated(transport)) {

