Author: chug
Date: Sun Jul 13 13:36:50 2014
New Revision: 1610195

URL: http://svn.apache.org/r1610195
Log:
QPID-5890: Refactor AclModule
Remove AclHelper::loadValidationMap() function from AclLexer and replace it
with new logic in AclValidator.

See https://reviews.apache.org/r/23447/ for a visual diff of the changes.

Modified:
    qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp
    qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.h
    qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp
    qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp
    qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.h

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp?rev=1610195&r1=1610194&r2=1610195&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.cpp Sun Jul 13 13:36:50 2014
@@ -39,7 +39,7 @@ ObjectType AclHelper::getObjectType(cons
         if (str.compare(objectNames[i]) == 0)
             return ObjectType(i);
     }
-    throw qpid::Exception(str);
+    throw qpid::Exception("Acl illegal object name: " + str);
 }
 
 const std::string& AclHelper::getObjectTypeStr(const ObjectType o) {
@@ -57,7 +57,7 @@ Action AclHelper::getAction(const std::s
         if (str.compare(actionNames[i]) == 0)
             return Action(i);
     }
-    throw qpid::Exception(str);
+    throw qpid::Exception("Acl illegal action name: " + str);
 }
 
 const std::string& AclHelper::getActionStr(const Action a) {
@@ -79,7 +79,7 @@ Property AclHelper::getProperty(const st
         if (str.compare(propertyNames[i]) == 0)
             return Property(i);
     }
-    throw qpid::Exception(str);
+    throw qpid::Exception("Acl illegal property name: " + str);
 }
 
 const std::string& AclHelper::getPropertyStr(const Property p) {
@@ -110,7 +110,7 @@ SpecProperty AclHelper::getSpecProperty(
         return SPECPROP_MAXQUEUESIZEUPPERLIMIT;
     if (str.compare("maxqueuecount") == 0)
         return SPECPROP_MAXQUEUECOUNTUPPERLIMIT;
-    throw qpid::Exception(str);
+    throw qpid::Exception("Acl illegal spec property name: " + str);
 }
 
 const std::string& AclHelper::getPropertyStr(const SpecProperty p) {
@@ -126,106 +126,11 @@ AclResult AclHelper::getAclResult(const 
         if (str.compare(resultNames[i]) == 0)
             return AclResult(i);
     }
-    throw qpid::Exception(str);
+    throw qpid::Exception("Acl illegal result name: " + str);
 }
 
 const std::string& AclHelper::getAclResultStr(const AclResult r) {
     return resultNames[r];
 }
 
-// This map contains the legal combinations of object/action/properties
-// found in an ACL file
-void AclHelper::loadValidationMap(objectMapPtr& map) {
-    if (!map.get()) return;
-    map->clear();
-    propSetPtr p0; // empty ptr, used for no properties
-
-    // == Exchanges ==
-
-    propSetPtr p1(new propSet);
-    p1->insert(PROP_TYPE);
-    p1->insert(PROP_ALTERNATE);
-    p1->insert(PROP_DURABLE);
-
-    propSetPtr p2(new propSet);
-    p2->insert(PROP_ROUTINGKEY);
-
-    propSetPtr p3(new propSet);
-    p3->insert(PROP_QUEUENAME);
-    p3->insert(PROP_ROUTINGKEY);
-
-    actionMapPtr a0(new actionMap);
-    a0->insert(actionPair(ACT_CREATE,  p1));
-    a0->insert(actionPair(ACT_DELETE,  p0));
-    a0->insert(actionPair(ACT_ACCESS,  p0));
-    a0->insert(actionPair(ACT_BIND,    p2));
-    a0->insert(actionPair(ACT_UNBIND,  p2));
-    a0->insert(actionPair(ACT_ACCESS,  p3));
-    a0->insert(actionPair(ACT_PUBLISH, p0));
-
-    map->insert(objectPair(OBJ_EXCHANGE, a0));
-
-    // == Queues ==
-
-    propSetPtr p4(new propSet);
-    p4->insert(PROP_ALTERNATE);
-    p4->insert(PROP_DURABLE);
-    p4->insert(PROP_EXCLUSIVE);
-    p4->insert(PROP_AUTODELETE);
-    p4->insert(PROP_POLICYTYPE);
-    p4->insert(PROP_PAGING);
-    p4->insert(PROP_MAXPAGES);
-    p4->insert(PROP_MAXPAGEFACTOR);
-    p4->insert(PROP_MAXQUEUESIZE);
-    p4->insert(PROP_MAXQUEUECOUNT);
-
-    propSetPtr p5(new propSet);
-    p5->insert(PROP_QUEUENAME);
-
-    propSetPtr p6(new propSet);
-    p6->insert(PROP_EXCHANGENAME);
-
-
-    actionMapPtr a1(new actionMap);
-    a1->insert(actionPair(ACT_ACCESS,   p0));
-    a1->insert(actionPair(ACT_CREATE,   p4));
-    a1->insert(actionPair(ACT_PURGE,    p0));
-    a1->insert(actionPair(ACT_DELETE,   p0));
-    a1->insert(actionPair(ACT_CONSUME,  p0));
-    a1->insert(actionPair(ACT_MOVE,     p5));
-    a1->insert(actionPair(ACT_REDIRECT, p5));
-    a1->insert(actionPair(ACT_REROUTE,  p6));
-
-    map->insert(objectPair(OBJ_QUEUE, a1));
-
-    // == Links ==
-
-    actionMapPtr a2(new actionMap);
-    a2->insert(actionPair(ACT_CREATE,  p0));
-
-    map->insert(objectPair(OBJ_LINK, a2));
-
-    // == Method ==
-
-    propSetPtr p7(new propSet);
-    p7->insert(PROP_SCHEMAPACKAGE);
-    p7->insert(PROP_SCHEMACLASS);
-
-    actionMapPtr a4(new actionMap);
-    a4->insert(actionPair(ACT_ACCESS, p7));
-
-    map->insert(objectPair(OBJ_METHOD, a4));
-
-    // == Query ==
-
-    propSetPtr p8(new propSet);
-    p8->insert(PROP_SCHEMACLASS);
-
-    actionMapPtr a5(new actionMap);
-    a5->insert(actionPair(ACT_ACCESS, p8));
-
-    map->insert(objectPair(OBJ_QUERY, a5));
-
-}
-
 }} // namespace qpid::acl

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.h
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.h?rev=1610195&r1=1610194&r2=1610195&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclLexer.h Sun Jul 13 13:36:50 2014
@@ -165,10 +165,6 @@ namespace acl {
         typedef std::map<SpecProperty, std::string> specPropMap;
         typedef specPropMap::const_iterator         specPropMapItr;
 
-        // This map contains the legal combinations of object/action/properties
-        // found in an ACL file
-        static void loadValidationMap(objectMapPtr& map);
-
         //
         // properyMapToString
         //

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp?rev=1610195&r1=1610194&r2=1610195&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclReader.cpp Sun Jul 13 13:36:50 2014
@@ -251,7 +251,6 @@ namespace acl {
         cliMaxQueuesPerUser (theCliMaxQueuesPerUser),
         queueQuotaRulesExist(false),
         queueQuota(new AclData::quotaRuleSet) {
-        AclHelper::loadValidationMap(validationMap);
         names.insert(AclData::ACL_KEYWORD_WILDCARD);
     }
 

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp?rev=1610195&r1=1610194&r2=1610195&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.cpp Sun Jul 13 13:36:50 2014
@@ -21,6 +21,7 @@
 #include "qpid/Exception.h"
 #include "qpid/log/Statement.h"
 #include "qpid/sys/IntegerTypes.h"
+#include "qpid/StringUtils.h"
 #include <boost/lexical_cast.hpp>
 #include <boost/bind.hpp>
 #include <numeric>
@@ -132,6 +133,42 @@ namespace acl {
                           boost::shared_ptr<PropertyType>(
                             new EnumPropertyType(v))));
 
+        // Insert allowed action/object/property sets (generated manually 
20140712)
+#define RP registerProperties
+        RP("Broker::queryQueue",                    ACT_ACCESS,  OBJ_QUEUE);
+        RP("Broker::getTimestampConfig",            ACT_ACCESS,  OBJ_BROKER);
+        RP("Broker::setTimestampConfig",            ACT_UPDATE,  OBJ_BROKER);
+        RP("Broker::queueRedirect",                 ACT_REDIRECT,OBJ_QUEUE);
+        RP("Broker::queueMoveMessages",             ACT_MOVE,    OBJ_QUEUE);
+        RP("Broker::createQueue",                   ACT_CREATE,  OBJ_QUEUE, 
"alternate durable exclusive autodelete policytype paging maxpages 
maxpagefactor maxqueuecount maxqueuesize maxfilecount maxfilesize");
+        RP("Broker::deleteQueue",                   ACT_DELETE,  OBJ_QUEUE, 
"alternate durable exclusive autodelete policytype");
+        RP("Broker::createExchange",                ACT_CREATE,  OBJ_EXCHANGE, 
"type alternate durable autodelete");
+        RP("Broker::deleteExchange",                ACT_DELETE,  OBJ_EXCHANGE, 
"type alternate durable");
+        RP("Broker::bind",                          ACT_BIND,    OBJ_EXCHANGE, 
"queuename routingkey");
+        RP("Broker::unbind",                        ACT_UNBIND,  OBJ_EXCHANGE, 
"queuename routingkey");
+        RP("ConnectionHandler::Handler::open",      ACT_CREATE,  OBJ_LINK);
+        RP("Queue::ManagementMethod",               ACT_PURGE,   OBJ_QUEUE);
+        RP("Queue::ManagementMethod",               ACT_REROUTE, OBJ_QUEUE, 
"exchangename");
+        RP("SemanticState::route",                  ACT_PUBLISH, OBJ_EXCHANGE, 
"routingkey");
+        RP("ExchangeHandlerImpl::declare",          ACT_ACCESS,  OBJ_EXCHANGE, 
"type alternate durable autodelete");
+        RP("ExchangeHandlerImpl::query",            ACT_ACCESS,  OBJ_EXCHANGE);
+        RP("ExchangeHandlerImpl::bound",            ACT_ACCESS,  OBJ_EXCHANGE, 
"queuename routingkey");
+        RP("QueueHandlerImpl::query",               ACT_ACCESS,  OBJ_QUEUE);
+        RP("QueueHandlerImpl::declare",             ACT_ACCESS,  OBJ_QUEUE, 
"alternate durable exclusive autodelete policytype maxqueuecount 
maxqueuesize"); // ?? Why not ACT_CREATE?
+        RP("QueueHandlerImpl::purge",               ACT_PURGE,   OBJ_QUEUE);
+        RP("MessageHandlerImpl::subscribe",         ACT_CONSUME, OBJ_QUEUE);
+        RP("Authorise::access",                     ACT_ACCESS,  OBJ_EXCHANGE, 
"type durable");
+        RP("Authorise::access",                     ACT_ACCESS,  OBJ_QUEUE, 
"alternate durable exclusive autodelete policytype maxqueuecount maxqueuesize");
+        RP("Authorise::incoming",                   ACT_PUBLISH, OBJ_EXCHANGE);
+        RP("Authorise::outgoing",                   ACT_BIND,    OBJ_EXCHANGE, 
"queuename routingkey");
+        RP("Authorise::outgoing",                   ACT_CONSUME, OBJ_QUEUE);
+        RP("Authorise::route",                      ACT_PUBLISH, OBJ_EXCHANGE, 
"routingkey");
+        RP("Authorise::interlink",                  ACT_CREATE,  OBJ_LINK);
+        RP("Authorise::access",                     ACT_ACCESS,  OBJ_EXCHANGE);
+        RP("Authorise::access",                     ACT_ACCESS,  OBJ_QUEUE);
+        RP("ManagementAgent::handleMethodRequest",  ACT_ACCESS,  OBJ_METHOD, 
"schemapackage schemaclass");
+        RP("ManagementAgent::handleGetQuery",       ACT_ACCESS,  OBJ_QUERY, 
"schemaclass");
+        RP("ManagementAgent::authorizeAgentMessage",ACT_ACCESS,  OBJ_METHOD, 
"schemapackage schemaclass");
     }
 
     AclValidator::~AclValidator(){
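Review bot: The `RP` shorthand defined at the top of the registration table is never undefined in this hunk, so the two-letter macro stays live for the rest of AclValidator.cpp. Add `#undef RP` directly after the last `RP(...)` line, before the constructor's closing brace. Because this table is the allow-list of what ACL rule files may specify for each action/object pair, the `// ?? Why not ACT_CREATE?` question on the `QueueHandlerImpl::declare` row should be resolved or tracked in the issue rather than left inline. The constructor begins above the hunk.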
@@ -186,4 +223,61 @@ namespace acl {
         }
     }
 
+    /**
+     * Construct a record of all the calls that the broker will
+     * make to acl::authorize and the properties for each call.
+     * From that create the list of all the spec properties that
+     * users are then allowed to specify in acl rule files.
+     */
+    void AclValidator::registerProperties(
+        const std::string& /* source */,
+        Action action,
+        ObjectType object,
+        const std::string& properties) {
+        if (!allowedProperties[action][object].get()) {
+            boost::shared_ptr<std::set<Property> > t1(new 
std::set<Property>());
+            allowedProperties[action][object] = t1;
+            boost::shared_ptr<std::set<SpecProperty> > t2(new 
std::set<SpecProperty>());
+            allowedSpecProperties[action][object] = t2;
+        }
+        std::vector<std::string> props = split(properties, " ");
+        for (size_t i=0; i<props.size(); i++) {
+            Property prop = AclHelper::getProperty(props[i]);
+            allowedProperties[action][object]->insert(prop);
+            // Given that the broker will be calling with this property,
+            // determine what user rule settings are allowed.
+            switch (prop) {
+                // Cases where broker supplies a property but Acl has 
upper/lower limit for it
+                case PROP_MAXPAGES:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGESLOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGESUPPERLIMIT);
+                    break;
+                case PROP_MAXPAGEFACTOR:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGEFACTORLOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGEFACTORUPPERLIMIT);
+                    break;
+                case PROP_MAXQUEUESIZE:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUESIZELOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUESIZEUPPERLIMIT);
+                    break;
+                case PROP_MAXQUEUECOUNT:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUECOUNTLOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUECOUNTUPPERLIMIT);
+                    break;
+                case PROP_MAXFILESIZE:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILESIZELOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILESIZEUPPERLIMIT);
+                    break;
+                case PROP_MAXFILECOUNT:
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILECOUNTLOWERLIMIT);
+                    
allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILECOUNTUPPERLIMIT);
+                    break;
+                default:
+                    // Cases where broker supplies a property and Acl matches 
it directly
+                    allowedSpecProperties[action][object]->insert( 
SpecProperty(prop) );
+                    break;
+            }
+        }
+    }
+
 }}
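Review bot: The `default:` branch converts with `SpecProperty(prop)`, which is only correct if every directly matched `Property` enumerator has the same numeric value as its `SpecProperty` counterpart, and nothing in this hunk enforces that. If the two enums drift, the allow-list would silently admit or reject the wrong rule property, so state the dependency where the cast happens, e.g. `// Relies on SpecProperty enumerators being defined equal to the matching Property enumerators`. Separately, calls that omit `properties` pass `""` to `split`. Confirm that `split` yields no tokens for an empty string, otherwise `AclHelper::getProperty("")` would throw from the constructor.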

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.h
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.h?rev=1610195&r1=1610194&r2=1610195&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclValidator.h Sun Jul 13 13:36:50 2014
@@ -33,15 +33,15 @@ namespace acl {
 class AclValidator {
 
     /* Base Property */
-   class PropertyType{
+    class PropertyType{
 
         public:
             virtual ~PropertyType(){};
             virtual bool validate(const std::string& val)=0;
             virtual std::string allowedValues()=0;
-   };
+    };
 
-   class IntPropertyType : public PropertyType{
+    class IntPropertyType : public PropertyType{
             int64_t min;
             int64_t max;
 
@@ -50,9 +50,9 @@ class AclValidator {
             virtual ~IntPropertyType (){};
             virtual bool validate(const std::string& val);
             virtual std::string allowedValues();
-   };
+    };
 
-   class EnumPropertyType : public PropertyType{
+    class EnumPropertyType : public PropertyType{
             std::vector<std::string> values;
 
         public:
@@ -60,22 +60,32 @@ class AclValidator {
             virtual ~EnumPropertyType (){};
             virtual bool validate(const std::string& val);
             virtual std::string allowedValues();
-   };
+    };
 
-   typedef std::pair<acl::SpecProperty,boost::shared_ptr<PropertyType> > 
Validator;
-   typedef std::map<acl::SpecProperty,boost::shared_ptr<PropertyType> > 
ValidatorMap;
-   typedef ValidatorMap::iterator ValidatorItr;
-
-   ValidatorMap validators;
+    typedef std::pair<acl::SpecProperty,boost::shared_ptr<PropertyType> > 
Validator;
+    typedef std::map<acl::SpecProperty,boost::shared_ptr<PropertyType> > 
ValidatorMap;
+    typedef ValidatorMap::iterator ValidatorItr;
+    typedef boost::shared_ptr<std::set<Property> >     AllowedProperties    
[ACTIONSIZE][OBJECTSIZE];
+    typedef boost::shared_ptr<std::set<SpecProperty> > 
AllowedSpecProperties[ACTIONSIZE][OBJECTSIZE];
+
+    ValidatorMap validators;
+    AllowedProperties     allowedProperties;
+    AllowedSpecProperties allowedSpecProperties;
 
 public:
 
-   void validateRuleSet(std::pair<const std::string, 
qpid::acl::AclData::ruleSet>& rules);
-   void validateRule(qpid::acl::AclData::Rule& rule);
-   void validateProperty(std::pair<const qpid::acl::SpecProperty, 
std::string>& prop);
-   void validate(boost::shared_ptr<AclData> d);
-   AclValidator();
-   ~AclValidator();
+    void validateRuleSet(std::pair<const std::string, 
qpid::acl::AclData::ruleSet>& rules);
+    void validateRule(qpid::acl::AclData::Rule& rule);
+    void validateProperty(std::pair<const qpid::acl::SpecProperty, 
std::string>& prop);
+    void validate(boost::shared_ptr<AclData> d);
+    AclValidator();
+    ~AclValidator();
+
+private:
+    void registerProperties(const std::string& source,
+                            Action action,
+                            ObjectType object,
+                            const std::string& properties = "");
 };
 
 }} // namespace qpid::acl
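Review bot: `allowedProperties` and `allowedSpecProperties` are arrays of `boost::shared_ptr`, and `registerProperties` fills a slot only for action/object pairs that are registered, so every other slot stays null. The declarations should say so, for example `// Slot is null when the broker never authorizes that action/object pair; test before dereferencing.` No hunk on this page shows the code that reads these tables, so whether readers already check is not visible here. The new typedefs also use `std::set`, so confirm that this header includes `<set>` itself rather than relying on a transitive include.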


