Author: mgoulish
Date: Thu Dec 16 21:10:38 2010
New Revision: 1050162
URL: http://svn.apache.org/viewvc?rev=1050162&view=rev
Log:
In broker::ConectionHandler, use the security settings, if any,
provided by the transport layer when starting SASL.
This allows the SASL mechanism EXTERNAL to be satisfied with
SSL transport security.
The test, sasl_fed_ex, uses this SASL/SSL security on a
federated link between two brokers.
Added:
qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex (with props)
Modified:
qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h
qpid/trunk/qpid/cpp/src/tests/sasl.mk
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp?rev=1050162&r1=1050161&r2=1050162&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp Thu Dec 16
21:10:38 2010
@@ -239,9 +239,9 @@ void ConnectionHandler::Handler::start(c
const framing::Array& /*locales*/)
{
string requestedMechanism = connection.getAuthMechanism();
- string response = connection.getAuthCredentials();
std::string username = connection.getUsername();
+
std::string password = connection.getPassword();
std::string host = connection.getHost();
std::string service("qpidd");
@@ -298,19 +298,17 @@ void ConnectionHandler::Handler::start(c
ft.setInt(QPID_FED_LINK,1);
ft.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
+ string response;
if (sasl.get()) {
- string response =
- sasl->start ( requestedMechanism.empty()
- ? supportedMechanismsList
- : requestedMechanism,
- getSecuritySettings
- ? getSecuritySettings()
- : 0
- );
+ const qpid::sys::SecuritySettings& ss =
connection.getExternalSecuritySettings();
+ response = sasl->start ( requestedMechanism.empty()
+ ? supportedMechanismsList
+ : requestedMechanism,
+ & ss );
proxy.startOk ( ft, sasl->getMechanism(), response, en_US );
}
else {
- string response = ((char)0) + username + ((char)0) + password;
+ response = ((char)0) + username + ((char)0) + password;
proxy.startOk ( ft, requestedMechanism, response, en_US );
}
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h?rev=1050162&r1=1050161&r2=1050162&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h Thu Dec 16 21:10:38
2010
@@ -91,7 +91,6 @@ class ConnectionHandler : public framing
std::auto_ptr<Sasl> sasl;
typedef boost::function<const qpid::sys::SecuritySettings*()>
GetSecuritySettings;
- GetSecuritySettings getSecuritySettings; /* query the transport
for its security details */
std::string saslUserId;
uint16_t maxFrameSize;
};
Modified: qpid/trunk/qpid/cpp/src/tests/sasl.mk
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/sasl.mk?rev=1050162&r1=1050161&r2=1050162&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/sasl.mk (original)
+++ qpid/trunk/qpid/cpp/src/tests/sasl.mk Thu Dec 16 21:10:38 2010
@@ -30,7 +30,7 @@ check_PROGRAMS+=sasl_version
sasl_version_SOURCES=sasl_version.cpp
sasl_version_LDADD=$(lib_client)
-TESTS += run_cluster_authentication_test sasl_fed
+TESTS += run_cluster_authentication_test sasl_fed sasl_fed_ex
LONG_TESTS += run_cluster_authentication_soak
EXTRA_DIST += run_cluster_authentication_test sasl_fed
run_cluster_authentication_soak
Added: qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex?rev=1050162&view=auto
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex (added)
+++ qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex Thu Dec 16 21:10:38 2010
@@ -0,0 +1,250 @@
+#! /bin/bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+
+#===============================================================================
+# This test creates a federated link between two brokers using SASL security.
+# The SASL mechanism used is EXTERNAL, which is satisfied by SSL
+# transport-layer security.
+#===============================================================================
+
+source ./test_env.sh
+
+# This minimum value corresponds to sasl version 2.1.22
+minimum_sasl_version=131350
+
+sasl_version=`$QPID_TEST_EXEC_DIR/sasl_version`
+
+# This test is necessary becasue this sasl version is the first one that
permits
+# redirection of the sasl config file path.
+if [ "$sasl_version" -lt "$minimum_sasl_version" ]; then
+ echo "sasl_fed: must have sasl version 2.1.22 or greater. ( Integer value:
$minimum_sasl_version ) Version is: $sasl_version"
+ exit 0
+fi
+
+# In a distribution, the python tools will be absent.
+if [ ! -f $QPID_CONFIG_EXEC ] || [ ! -f $QPID_ROUTE_EXEC ] ; then
+ echo "python tools absent - skipping sasl_fed_ex."
+ exit 0
+fi
+
+CERT_DIR=`pwd`/test_cert_db
+CERT_PW_FILE=`pwd`/cert.password
+TEST_HOSTNAME=127.0.0.1
+
+create_certs() {
+ #create certificate and key databases with single, simple, self-signed
certificate in it
+ mkdir ${CERT_DIR}
+ certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
+ certutil -S -d ${CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t
"CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil 2> /dev/null
+}
+
+delete_certs() {
+ if [[ -e ${CERT_DIR} ]] ; then
+ rm -rf ${CERT_DIR}
+ fi
+}
+
+
+CERTUTIL=$(type -p certutil)
+if [[ !(-x $CERTUTIL) ]] ; then
+ echo "No certutil, skipping ssl test";
+ exit 0;
+fi
+
+delete_certs
+create_certs || error "Could not create test certificate"
+
+
+sasl_config_file=$builddir/sasl_config
+
+my_random_number=$RANDOM
+tmp_root=/tmp/sasl_fed/$my_random_number
+mkdir -p $tmp_root
+
+SRC_SSL_PORT=6667
+DST_SSL_PORT=6666
+
+SRC_TCP_PORT=5801
+DST_TCP_PORT=5807
+
+SSL_LIB=../.libs/ssl.so
+
+export QPID_SSL_CERT_NAME=${TEST_HOSTNAME}
+
+export QPID_NO_MODULE_DIR=1
+export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB
+export QPID_SSL_CERT_DB=${CERT_DIR}
+export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}
+export QPID_SSL_CERT_NAME=${TEST_HOSTNAME}
+
+
+
+#######################################
+# Understanding this Plumbing
+#######################################
+# 1. when you establish the route with qpid-route,
+# here is the best termiology to use:
+#
+# qpid-route route add DST SRC
+#
+# 2. DST will connect to SRC through the ssl port of SRC.
+#
+# 3. sender client connects to the tcp port of SRC.
+#
+# 4. sender specifies mechanism ANONYMOUS.
+#
+# 5. DST pulls messages off the temp queue on SRC to itself.
+#
+
+
+
+#echo "-----------------------"
+#echo "Starting SRC broker"
+#echo "-----------------------"
+$QPIDD_EXEC \
+ --port=${SRC_TCP_PORT} \
+ --ssl-port ${SRC_SSL_PORT} \
+ --ssl-sasl-no-dict \
+ --sasl-config=$sasl_config_file \
+ --ssl-require-client-authentication \
+ --auth yes \
+ --ssl-cert-db $CERT_DIR \
+ --ssl-cert-password-file $CERT_PW_FILE \
+ --ssl-cert-name $TEST_HOSTNAME \
+ --no-data-dir \
+ --no-module-dir \
+ --load-module ${SSL_LIB} \
+ --mgmt-enable=yes \
+ --log-enable info+ \
+ --log-source yes \
+ --daemon \
+ --log-to-file $tmp_root/qpidd_src.log 2> /dev/null
+
+
+#echo "-----------------------"
+#echo "Starting DST broker"
+#echo "-----------------------"
+$QPIDD_EXEC \
+ --port=${DST_TCP_PORT} \
+ --ssl-port ${DST_SSL_PORT} \
+ --ssl-cert-db $CERT_DIR \
+ --ssl-cert-password-file $CERT_PW_FILE \
+ --ssl-cert-name $TEST_HOSTNAME \
+ --ssl-sasl-no-dict \
+ --ssl-require-client-authentication \
+ --sasl-config=$sasl_config_file \
+ --config ./config.null \
+ --no-data-dir \
+ --no-module-dir \
+ --load-module ${SSL_LIB} \
+ --mgmt-enable=yes \
+ --log-enable info+ \
+ --log-source yes \
+ --daemon \
+ $COMMON_BROKER_OPTIONS \
+ --log-to-file $tmp_root/qpidd_dst.log 2> /dev/null
+
+sleep 2
+
+# I am not randomizing these names, because this test creates its own brokers.
+QUEUE_NAME=sasl_fed_queue
+ROUTING_KEY=sasl_fed_queue
+EXCHANGE_NAME=sasl_fedex
+
+
+#echo "-----------------------"
+#echo "add exchanges"
+#echo "-----------------------"
+$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} add exchange direct
$EXCHANGE_NAME
+$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} add exchange direct
$EXCHANGE_NAME
+
+
+#echo "-----------------------"
+#echo "add queues"
+#echo "-----------------------"
+$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} add queue $QUEUE_NAME
+$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} add queue $QUEUE_NAME
+
+sleep 5
+
+#echo "-----------------------"
+#echo "create bindings"
+#echo "-----------------------"
+$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} bind $EXCHANGE_NAME $QUEUE_NAME
$ROUTING_KEY
+$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} bind $EXCHANGE_NAME $QUEUE_NAME
$ROUTING_KEY
+
+sleep 5
+
+#echo "-----------------------"
+#echo "qpid-route route add"
+#echo "-----------------------"
+# NOTE: The SRC broker *must* be referred to as $TEST_HOSTNAME, and not as
"localhost".
+# It must be referred to by the exact string given as the Common Name
(CN) in the cert,
+# which was created in the function create_certs, above.
+$QPID_ROUTE_EXEC route add localhost:${DST_TCP_PORT}
$TEST_HOSTNAME:${SRC_SSL_PORT} -t ssl $EXCHANGE_NAME $ROUTING_KEY "" "" EXTERNAL
+
+#echo "-----------------------"
+#echo "view the route :"
+#echo "-----------------------"
+#$PYTHON_COMMANDS/qpid-route route list localhost:${DST_TCP_PORT}
+
+sleep 5
+
+n_messages=100
+
+./datagen --count ${n_messages} | ./sender --broker localhost --port
${SRC_TCP_PORT} --exchange ${EXCHANGE_NAME} --routing-key ${ROUTING_KEY}
--mechanism ANONYMOUS
+
+
+sleep 5
+
+#echo "-----------------------"
+#echo "Examine DST Broker"
+#echo "-----------------------"
+dst_message_count=`qpid-stat -q localhost:${DST_TCP_PORT} | grep
sasl_fed_queue | awk '{print $2}'`
+
+sleep 3
+
+#echo "-----------------------"
+#echo "Asking brokers to quit."
+#echo "-----------------------"
+$QPIDD_EXEC --port ${SRC_TCP_PORT} --quit
+$QPIDD_EXEC --port ${DST_TCP_PORT} --quit
+
+
+#echo "-----------------------"
+#echo "Removing temporary directory $tmp_root"
+#echo "-----------------------"
+rm -rf $tmp_root
+
+if [ "$dst_message_count" -eq "$n_messages" ]; then
+ #echo "good: |$dst_message_count| == |$n_messages|"
+ exit 0
+else
+ #echo "not ideal: |$broker_2_message_count| != |$n_messages|"
+ exit 1
+fi
+
+
+
+
+
+
Propchange: qpid/trunk/qpid/cpp/src/tests/sasl_fed_ex
------------------------------------------------------------------------------
svn:executable = *
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
