Author: gsim
Date: Thu Nov 26 22:48:55 2015
New Revision: 1716781
URL: http://svn.apache.org/viewvc?rev=1716781&view=rev
Log:
QPID-6754: ensure anonymous-relay doesn't expose ability to detect whether or
not entity exists for those without permissions
Modified:
qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
qpid/trunk/qpid/cpp/src/tests/acl_1.py
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp Thu Nov 26 22:48:55
2015
@@ -968,6 +968,7 @@ void AnonymousRelay::handle(qpid::broker
{
// need to retrieve AMQP 1.0 'to' field and resolve it to a queue or
exchange
std::string dest = message.getTo();
+ authorise.access(dest, false, false);
QPID_LOG(debug, "AnonymousRelay received message for " << dest);
boost::shared_ptr<qpid::broker::Exchange> exchange;
boost::shared_ptr<qpid::broker::Queue> queue;
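Review bot: The added `authorise.access(dest, false, false);` has to stay ahead of the queue/exchange lookup for the fix to hold, and nothing in the code says so. A later reorder that resolves `dest` first would presumably bring back a different failure for missing nodes than for forbidden ones. I would put `// ACL check must precede resolution: unauthorised senders get the same error whether or not 'dest' exists` above the call. The comment should also say what the two `false` arguments select; the test changes suggest that passing both as false requires access to the name as both a queue and an exchange. The body of AnonymousRelay::handle continues beyond this hunk, so the lookup itself is not visible here.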
Modified: qpid/trunk/qpid/cpp/src/tests/acl_1.py
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/acl_1.py?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/acl_1.py (original)
+++ qpid/trunk/qpid/cpp/src/tests/acl_1.py Thu Nov 26 22:48:55 2015
@@ -270,23 +270,41 @@ class Acl_AMQP1_Tests (VersionTest):
def test_publish_to_anonymous_relay(self):
self.acl.allow('bob', 'access', 'exchange', 'name=ANONYMOUS-RELAY')
self.acl.allow('bob', 'access', 'queue', 'name=acl_test_queue')
+ self.acl.allow('bob', 'access', 'exchange', 'name=acl_test_queue')
self.acl.allow('bob', 'publish', 'exchange',
'routingkey=acl_test_queue')
self.acl.allow('bob', 'access', 'exchange', 'name=amq.topic')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.topic')
self.acl.allow('bob', 'publish', 'exchange', 'name=amq.topic',
'routingkey=abc')
+ self.acl.allow('bob', 'access', 'exchange', 'name=amq.direct')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.direct')
self.acl.allow('alice').deny().apply()
sender = self.bob.sender("<null>")
sender.send(Message("a message",
properties={'x-amqp-to':'acl_test_queue'}), sync=True)
sender.send(Message("another", subject='abc',
properties={'x-amqp-to':'amq.topic'}), sync=True)
try:
+ # have access permission, but publish not allowed for given key
sender.send(Message("a third", subject='def',
properties={'x-amqp-to':'amq.topic'}), sync=True)
assert False, "bob should not be allowed to send message to
amq.topic with key 'def'"
except UnauthorizedAccess: pass
sender = self.bob.sender("<null>")
try:
+ # have access permission, but no publish
sender.send(Message("a fourth", subject='abc',
properties={'x-amqp-to':'amq.direct'}), sync=True)
assert False, "bob should not be allowed to send message to
amq.direct"
except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a fiftth", subject='abc',
properties={'x-amqp-to':'amq.fanout'}), sync=True)
+ assert False, "bob should not be allowed to send message to
amq.fanout"
+ except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a sixth",
properties={'x-amqp-to':'somewhereelse'}), sync=True)
+ assert False, "bob should not be allowed to send message to
somewhere else"
+ except UnauthorizedAccess: pass
sender = self.alice.sender("<null>")
sender.send(Message("alice's message",
properties={'x-amqp-to':'abc'}), sync=True)
sender.send(Message("another from alice",
properties={'x-amqp-to':'def'}), sync=True)
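Review bot: The two new cases for `amq.fanout` (a node that exists) and `somewhereelse` (presumably one that does not) only assert that `UnauthorizedAccess` is raised, not that the two failures look alike to the client. If the error condition or text differed between them, the existence leak this commit closes could come back without the test failing. Consider catching the exception in both blocks and comparing whatever the client can observe apart from the node name, and add `# amq.fanout exists, 'somewhereelse' does not; both must fail identically` above them. The message body `"a fiftth"` is a typo for "a fifth". test_publish_to_anonymous_relay continues outside the hunk.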