Posted to commits@qpid.apache.org by gm...@apache.org on 2018/02/16 20:13:24 UTC
[1/3] qpid-dispatch git commit: DISPATCH-920 - Block policy
enforcement on inter-router connections
Repository: qpid-dispatch
Updated Branches:
refs/heads/1.0.x 7b2c07a32 -> 3fabd9629
DISPATCH-920 - Block policy enforcement on inter-router connections
(cherry picked from commit ee044a15f48e046919bc5679f4b2bef7ae1f1f99)
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/6ba4d09a
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/6ba4d09a
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/6ba4d09a
Branch: refs/heads/1.0.x
Commit: 6ba4d09ae361cae0ee2b1b35515129475fd11acb
Parents: 7b2c07a
Author: Ted Ross <tr...@redhat.com>
Authored: Sat Jan 27 15:02:50 2018 -0500
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Fri Feb 16 14:58:11 2018 -0500
----------------------------------------------------------------------
src/policy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/6ba4d09a/src/policy.c
----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 960a3a7..d89fd86 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -663,7 +663,7 @@ bool qd_policy_approve_amqp_receiver_link(pn_link_t *pn_link, qd_connection_t *q
}
} else {
// A receiver with no remote source.
- qd_log(qd_server_dispatch(qd_conn->server)->policy->log_source, QD_LOG_TRACE,
+ qd_log(qd_server_dispatch(qd_conn->server)->policy->log_source, QD_LOG_INFO,
"DENY AMQP Attach receiver link '' for user '%s', rhost '%s', vhost '%s'",
qd_conn->user_id, hostip, vhost);
_qd_policy_deny_amqp_receiver_link(pn_link, qd_conn, QD_AMQP_COND_UNAUTHORIZED_ACCESS);
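Review bot: The DENY message on the no-remote-source branch identifies the link only by a hard-coded empty `''`, so now that it is emitted at INFO an operator reading it still cannot tell which attach was refused. Consider passing the link name, e.g. `"DENY AMQP Attach receiver link '%s' (no source) for user '%s', rhost '%s', vhost '%s'"` with `pn_link_name(pn_link)` as the first argument. `user_id` is formatted with a plain `%s`; if it is derived from the peer's identity and can carry control characters, the log sink should escape it, which is worth confirming since this line will now appear at the default level. The branch sits inside qd_policy_approve_amqp_receiver_link, which starts and ends outside the hunk.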
@@ -680,7 +680,7 @@ void qd_policy_amqp_open(qd_connection_t *qd_conn) {
qd_policy_t *policy = qd->policy;
bool connection_allowed = true;
- if (policy->enableVhostPolicy) {
+ if (policy->enableVhostPolicy && (!qd_conn->role || strcmp(qd_conn->role, "inter-router"))) {
// Open connection or not based on policy.
pn_transport_t *pn_trans = pn_connection_transport(conn);
const char *hostip = qd_connection_remote_ip(qd_conn);
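Review bot: The new condition in qd_policy_amqp_open skips every vhost policy check whenever `qd_conn->role` equals "inter-router", and because `connection_allowed` starts as `true` such a connection is admitted with no user, remote-host or vhost evaluation. That is sound only if the role is taken from the local listener/connector configuration and the inter-router listener authenticates its peers by other means; neither is visible in this hunk. A comment should state the assumption, e.g. `// inter-router connections bypass vhost policy; the listener must authenticate peers itself`. The bare `strcmp(...)` used as a truth value would also read more clearly as `strcmp(qd_conn->role, "inter-router") != 0`. The function body continues past the end of the hunk.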
---------------------------------------------------------------------
[2/3] qpid-dispatch git commit: DISPATCH-920: self test to detect
interrouter links being blocked
Posted by gm...@apache.org.
DISPATCH-920: self test to detect interrouter links being blocked
(cherry picked from commit 1f2e3d929af763300af9d901bbe14336ee72bcd5)
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/4126e19b
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/4126e19b
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/4126e19b
Branch: refs/heads/1.0.x
Commit: 4126e19b0489f15ea76854b180a0475e9035b861
Parents: 6ba4d09
Author: Chuck Rolke <cr...@redhat.com>
Authored: Mon Jan 29 15:48:49 2018 -0500
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Fri Feb 16 15:07:57 2018 -0500
----------------------------------------------------------------------
tests/policy-5/permissive-default.json | 15 +++++++++
tests/system_tests_policy.py | 52 +++++++++++++++++++++++++++++
2 files changed, 67 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/4126e19b/tests/policy-5/permissive-default.json
----------------------------------------------------------------------
diff --git a/tests/policy-5/permissive-default.json b/tests/policy-5/permissive-default.json
new file mode 100644
index 0000000..23f29e9
--- /dev/null
+++ b/tests/policy-5/permissive-default.json
@@ -0,0 +1,15 @@
+[
+ ["vhost", {
+ "id": "$default",
+ "allowUnknownUser": true,
+ "groups" : {
+ "$default": {
+ "remoteHosts": "*",
+ "allowDynamicSource": true,
+ "allowAnonymousSender": true,
+ "sources": "*",
+ "targets": "*"
+ }
+ }
+ }]
+]
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/4126e19b/tests/system_tests_policy.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_policy.py b/tests/system_tests_policy.py
index 120137d..64475e0 100644
--- a/tests/system_tests_policy.py
+++ b/tests/system_tests_policy.py
@@ -301,5 +301,57 @@ class SenderReceiverLimits(TestCase):
bs1.close()
+
+class InterrouterLinksAllowed(TestCase):
+
+ inter_router_port = None
+
+ @classmethod
+ def setUpClass(cls):
+ """Start a router"""
+ super(InterrouterLinksAllowed, cls).setUpClass()
+
+ policy_config_path = os.path.join(DIR, 'policy-5')
+
+ def router(name, connection):
+
+ config = [
+ ('router', {'mode': 'interior', 'id': name}),
+ ('listener', {'port': cls.tester.get_port()}),
+ ('log', {'module': 'DEFAULT', 'enable': 'trace+'}),
+ ('policy', {'enableVhostPolicy': 'yes', 'policyDir': policy_config_path}),
+ connection
+ ]
+
+ config = Qdrouterd.Config(config)
+
+ cls.routers.append(cls.tester.qdrouterd(name, config, wait=True))
+
+ cls.routers = []
+
+ inter_router_port = cls.tester.get_port()
+
+ router('A', ('listener', {'role': 'inter-router', 'port': inter_router_port}))
+ router('B', ('connector', {'name': 'connectorToA', 'role': 'inter-router', 'port': inter_router_port, 'verifyHostName': 'no'}))
+
+ # With these configs before DISPATCH-920 the routers never connect
+ # because the links are disallowed by policy. Before the wait_ready
+ # functions complete the routers should have tried the interrouter
+ # link.
+
+ cls.routers[0].wait_ready()
+ cls.routers[1].wait_ready()
+
+ cls.routers[0].teardown()
+ cls.routers[1].teardown()
+
+ def test_01_dispatch_920(self):
+
+ with open('../setUpClass/A-2.out', 'r') as router_log:
+ log_lines = router_log.read().split("\n")
+ disallow_lines = [s for s in log_lines if "link disallowed" in s]
+ self.assertTrue(len(disallow_lines) == 0, msg='All links should be allowed but some were blocked by policy.')
+
+
if __name__ == '__main__':
unittest.main(main_module())
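Review bot: `test_01_dispatch_920` can pass without proving the fix. It asserts only that no line of `../setUpClass/A-2.out` contains "link disallowed", so it also passes if the denial is logged with different wording or if the routers had not yet attempted the link when `wait_ready()` returned. A positive check that the inter-router connection was established would be stronger, for example `cls.routers[0].wait_router_connected('B')` in `setUpClass` if that helper is available on this branch. The hard-coded relative log path also ties the test to the working directory and the log file naming. Separately, `inter_router_port = cls.tester.get_port()` binds a local and leaves the class attribute at `None`, so it should be `cls.inter_router_port = cls.tester.get_port()`. Because the fixture policy is fully permissive, nothing here checks that connections with a normal role are still subject to policy after the exemption.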
---------------------------------------------------------------------
[3/3] qpid-dispatch git commit: DISPATCH-920: Add Apache license
Posted by gm...@apache.org.
DISPATCH-920: Add Apache license
(cherry picked from commit 67747035a35537d52ba92247b067697079ade5ca)
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/3fabd962
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/3fabd962
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/3fabd962
Branch: refs/heads/1.0.x
Commit: 3fabd962988e2fea0615cb8072f66c493a74322d
Parents: 4126e19
Author: Chuck Rolke <cr...@redhat.com>
Authored: Wed Jan 31 13:30:54 2018 -0500
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Fri Feb 16 15:09:21 2018 -0500
----------------------------------------------------------------------
tests/policy-5/permissive-default.json | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/3fabd962/tests/policy-5/permissive-default.json
----------------------------------------------------------------------
diff --git a/tests/policy-5/permissive-default.json b/tests/policy-5/permissive-default.json
index 23f29e9..9a17289 100644
--- a/tests/policy-5/permissive-default.json
+++ b/tests/policy-5/permissive-default.json
@@ -1,3 +1,21 @@
+##
+## Licensed to the Apache Software Foundation (ASF) under one
+## or more contributor license agreements. See the NOTICE file
+## distributed with this work for additional information
+## regarding copyright ownership. The ASF licenses this file
+## to you under the Apache License, Version 2.0 (the
+## "License"); you may not use this file except in compliance
+## with the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing,
+## software distributed under the License is distributed on an
+## "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+## KIND, either express or implied. See the License for the
+## specific language governing permissions and limitations
+## under the License
+##
[
["vhost", {
"id": "$default",
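Review bot: The added `##` header lines make this file invalid as strict JSON, which has no comment syntax. It will load only if the policy reader strips `#` lines before decoding, and that handling is not visible in this patch. If the reader does not strip them, the `$default` vhost would presumably fail to load and the DISPATCH-920 test would run without the policy it expects. It is worth confirming how the loader treats these lines, for instance by checking that the other policy fixtures carry the same header.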
---------------------------------------------------------------------