Repository: qpid-dispatch Updated Branches: refs/heads/crolke-DISPATCH-188-1 d1f764e3f -> 49e64e597
Generate and provide accessor for numeric host ip address of connector. Scavenge the authenticated user name from connection/transport. Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/49e64e59 Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/49e64e59 Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/49e64e59 Branch: refs/heads/crolke-DISPATCH-188-1 Commit: 49e64e597991197ecf16a90952696f3a9ad60a64 Parents: d1f764e Author: Chuck Rolke <[email protected]> Authored: Wed Feb 3 15:45:40 2016 -0500 Committer: Chuck Rolke <[email protected]> Committed: Wed Feb 3 15:45:40 2016 -0500 ---------------------------------------------------------------------- include/qpid/dispatch/driver.h | 9 ++++- src/policy.c | 48 ++++++++++++++---------- src/posix/driver.c | 12 +++++- tests/policy-1/test-router-with-policy.json | 16 ++++++-- 4 files changed, 59 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/include/qpid/dispatch/driver.h ---------------------------------------------------------------------- diff --git a/include/qpid/dispatch/driver.h b/include/qpid/dispatch/driver.h index 1a69a27..2235264 100644 --- a/include/qpid/dispatch/driver.h +++ b/include/qpid/dispatch/driver.h 
@@ -308,11 +308,18 @@ void qdpn_connector_set_context(qdpn_connector_t *connector, void *context); /** Access the name of the connector * - * @param[in] connector the connector which will hole the name + * @param[in] connector the connector of interest * @return the name of the connector in the form of a null-terminated character string. */ const char *qdpn_connector_name(const qdpn_connector_t *connector); +/** Access the numeric host ip of the connector + * + * @param[in] connector the connector of interest + * @return the numeric host ip address of the connector in the form of a null-terminated character string. + */ +const char *qdpn_connector_hostip(const qdpn_connector_t *connector); + /** Access the transport used by this connector. * * @param[in] connector connector whose transport will be returned http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/policy.c ---------------------------------------------------------------------- diff --git a/src/policy.c b/src/policy.c index 45908bd..2d285fa 100644 --- a/src/policy.c +++ b/src/policy.c @@ -29,6 +29,7 @@ #include <proton/message.h> #include <proton/condition.h> #include <proton/connection.h> +#include <proton/transport.h> #include <proton/error.h> #include <proton/event.h> #include <qpid/dispatch/ctools.h> @@ -37,21 +38,6 @@ #include <qpid/dispatch/iterator.h> #include <qpid/dispatch/log.h> -// -// TODO: get a real policy engine -// This engine accepts every other connection -// -static bool allow_this = true; - -bool policy_engine() -{ - return allow_this; -} - -void policy_engine_step() -{ - // allow_this = !allow_this; -} // 
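Review bot: The new `@return` for qdpn_connector_hostip promises a null-terminated string, but the matching implementation in src/posix/driver.c returns 0 for a NULL connector, and the field is only written in qdpn_listener_accept, so the header should not imply every connector carries an address. Suggested wording: `* @return the numeric host ip of the accepted connection as a null-terminated string, or NULL if connector is NULL; only populated for connectors created by qdpn_listener_accept`. Since the string lives in a fixed array inside qdpn_connector_t, also state that it is owned by the connector and valid only for the connector's lifetime.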
@@ -206,6 +192,21 @@ void qd_policy_socket_close(void *context, const char *hostname) // allow or deny the Open. Denied Open attempts are // effected with a returned Open-Close_with_condition. // +bool qd_policy_open_lookup_user( + qd_policy_t *policy, + const char *username, + const char *hostip, + const char *app, + const char *conn_name) +{ + // Log the name + qd_log(policy->log_source, + POLICY_LOG_LEVEL, + "Policy AMQP Open lookup user: %s, hostip: %s, app: %s, connection: %s", + username, hostip, app, conn_name); + return true; +} + void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *cond_name, const char *cond_descr) { // Set the error condition and close the connection. @@ -220,12 +221,21 @@ void qd_policy_private_deny_amqp_connection(pn_connection_t *conn, const char *c void qd_policy_amqp_open(void *context, bool discard) { qd_connection_t *qd_conn = (qd_connection_t *)context; - if (!discard) { pn_connection_t *conn = qd_connection_pn(qd_conn); + qd_dispatch_t *qd = qd_conn->server->qd; + qd_policy_t *policy = qd->policy; + + // username = pn_connection_get_user(conn) returns blank when + // the transport returns 'anonymous'. + pn_transport_t *pn_trans = pn_connection_transport(conn); + const char *username = pn_transport_get_user(pn_trans); + + const char *hostip = qdpn_connector_hostip(qd_conn->pn_cxtr); + const char *app = "fixme"; + const char *conn_name = qdpn_connector_name(qd_conn->pn_cxtr); - // Consult policy engine for this connection attempt - if ( policy_engine() ) { // TODO: get rid of this phony policy engine + if ( qd_policy_open_lookup_user(policy, username, hostip, app, conn_name) ) { // This connection is allowed. if (pn_connection_state(conn) & PN_LOCAL_UNINIT) pn_connection_open(conn); 
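Review bot: qd_policy_open_lookup_user returns true unconditionally, so the deny branch in qd_policy_amqp_open is unreachable and this function is logging only, not enforcement; the `// Log the name` comment should make that explicit, e.g. `// TODO: stub - always allows; nothing is enforced until a real lookup replaces this`. Separately, every argument is handed to `%s` unchecked: qdpn_connector_hostip returns NULL for a NULL connector (see the driver.c hunk) and pn_transport_get_user may return NULL, and passing NULL for `%s` is undefined behaviour in C. Guard the log arguments, `username ? username : "", hostip ? hostip : "", app ? app : "", conn_name ? conn_name : ""`, or normalise them in the caller. If `qd->policy` can be NULL when no policy is configured, `policy->log_source` also needs a check before the dereference; that cannot be confirmed from this diff.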
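Review bot: `pn_trans` is passed to pn_transport_get_user without a NULL check right after `pn_connection_transport(conn)`, which can return NULL if no transport is bound to the connection at this point; a defensive form is `const char *username = pn_trans ? pn_transport_get_user(pn_trans) : NULL; if (!username) username = "";`. The placeholder `const char *app = "fixme";` will be fed into the policy lookup as if it were a real application name once the lookup does more than log, so mark it `// TODO: derive app from the Open (hostname/container); placeholder must not drive a decision`. Note that the username here is whatever SASL produced; with ANONYMOUS permitted it identifies nobody, so any future allow/deny keyed on it must also check the mechanism. The body of qd_policy_amqp_open continues past the end of this hunk.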
@@ -234,8 +244,6 @@ void qd_policy_amqp_open(void *context, bool discard) // This connection is denied. qd_policy_private_deny_amqp_connection(conn, RESOURCE_LIMIT_EXCEEDED, CONNECTION_DISALLOWED); } - // update the phony policy engine - policy_engine_step(); } qd_connection_set_event_stall(qd_conn, false); } http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/src/posix/driver.c ---------------------------------------------------------------------- diff --git a/src/posix/driver.c b/src/posix/driver.c index ca7d48c..99eb6fb 100644 --- a/src/posix/driver.c +++ b/src/posix/driver.c @@ -98,6 +98,7 @@ struct qdpn_connector_t { DEQ_LINKS(qdpn_connector_t); qdpn_driver_t *driver; char name[PN_NAME_MAX]; + char hostip[PN_NAME_MAX]; pn_timestamp_t wakeup; pn_connection_t *connection; pn_transport_t *transport; @@ -352,6 +353,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (* char name[PN_NAME_MAX]; char host[MAX_HOST]; char serv[MAX_SERV]; + char hostip[MAX_HOST]; struct sockaddr_in addr = {0}; addr.sin_family = AF_UNSPEC; @@ -363,7 +365,8 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (* return 0; } else { int code; - if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0))) { + if ((code = getnameinfo((struct sockaddr *) &addr, addrlen, host, MAX_HOST, serv, MAX_SERV, 0)) || + (code = getnameinfo((struct sockaddr *) &addr, addrlen, hostip, MAX_HOST, 0, 0, NI_NUMERICHOST))) { qd_log(l->driver->log, QD_LOG_ERROR, "getnameinfo: %s\n", gai_strerror(code)); close(sock); return 0; @@ -383,6 +386,7 @@ qdpn_connector_t *qdpn_listener_accept(qdpn_listener_t *l, void *policy, bool (* qdpn_connector_t *c = qdpn_connector_fd(l->driver, sock, NULL); snprintf(c->name, PN_NAME_MAX, "%s", name); + snprintf(c->hostip, PN_NAME_MAX, "%s", hostip); c->listener = l; return c; } 
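Review bot: In the `getnameinfo` hunk the numeric lookup is chained after the reverse-DNS lookup (flags 0), so a peer whose address has no PTR record, or a slow resolver, makes the whole accept fail with `close(sock); return 0;` before the numeric address is even obtained and cannot be logged; that is a cheap way for an unprivileged client to make the router drop its connection and for a reverse-DNS owner to delay accept. Run the NI_NUMERICHOST call first, since it performs no network I/O and cannot fail for a well-formed sockaddr, and consider falling back to the numeric string for `host` instead of failing when the reverse lookup errors. The surrounding use of `struct sockaddr_in` with `AF_UNSPEC` is pre-existing but worth noting: it is too small to hold an IPv6 peer address, so the new `hostip` value would be wrong for such peers if the listener is ever bound to an IPv6 address. qdpn_listener_accept starts and ends outside the hunks shown here.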
@@ -580,6 +584,12 @@ const char *qdpn_connector_name(const qdpn_connector_t *ctor) return ctor->name; } +const char *qdpn_connector_hostip(const qdpn_connector_t *ctor) +{ + if (!ctor) return 0; + return ctor->hostip; +} + qdpn_listener_t *qdpn_connector_listener(qdpn_connector_t *ctor) { return ctor ? ctor->listener : NULL; http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/49e64e59/tests/policy-1/test-router-with-policy.json ---------------------------------------------------------------------- diff --git a/tests/policy-1/test-router-with-policy.json b/tests/policy-1/test-router-with-policy.json index dcf2de0..3e92b49 100644 --- a/tests/policy-1/test-router-with-policy.json +++ b/tests/policy-1/test-router-with-policy.json @@ -1,7 +1,7 @@ [ ["container", { "containerName": "QdstatSslTest", - "saslConfigName": "tests-mech-EXTERNAL", + "saslConfigName": "tests-mech-PLAIN", "saslConfigPath": "/home/chug/Research/qdr/standaloneSsl/sasl_configs", "debugDump": "qddebug.txt" }], @@ -13,7 +13,7 @@ "certDb": "/home/chug/Research/qdr/standaloneSsl/ssl_certs/ca-certificate.pem" }], ["listener", { - "saslMechanisms": "ANONYMOUS", + "saslMechanisms": "ANONYMOUS PLAIN", "authenticatePeer": "no", "idleTimeoutSeconds": "120", "port": 21000, @@ -23,7 +23,7 @@ "addr": "0.0.0.0", "requireSsl": "yes", "idleTimeoutSeconds": "120", - "saslMechanisms": "ANONYMOUS", + "saslMechanisms": "PLAIN", "sslProfile": "server-ssl", "authenticatePeer": "no", "port": 21001 @@ -46,9 +46,17 @@ "authenticatePeer": "yes", "port": 21003 }], + ["listener", { + "addr": "0.0.0.0", + "requireSsl": "no", + "idleTimeoutSeconds": "120", + "saslMechanisms": "ANONYMOUS", + "authenticatePeer": "yes", + "port": 21004 + }], ["log", { "source": "true", - "enable": "info+", + "enable": "trace+", "module": "DEFAULT" }], ["policy", { --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
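Review bot: qdpn_connector_hostip returns `ctor->hostip` for any non-NULL connector, yet the field is only written in qdpn_listener_accept (earlier hunk); if qdpn_connector_fd does not zero the struct (its body is not in this diff) an outbound connector would hand back an unterminated buffer to a `%s` consumer. Either initialise the field where the connector is created (`c->hostip[0] = '\0';`) or document the contract above the accessor: `/* Numeric peer address set by qdpn_listener_accept; empty for connectors created by other paths. */`. The NULL-connector check here also differs from the visible tail of qdpn_connector_name, which dereferences unconditionally; the two accessors should follow one convention.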
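Review bot: The listener on port 21000 now advertises `"saslMechanisms": "ANONYMOUS PLAIN"` while its `requireSsl` is not set and `authenticatePeer` is `"no"`, so PLAIN credentials would cross the wire in cleartext on that port; if this is intentional for a local test it is harmless, but the fixture should either set `"requireSsl": "yes"` on any listener offering PLAIN or keep PLAIN to the TLS listener on 21001. Raising the default log level to `"trace+"` together with a policy that logs every Open may also record usernames at high volume; confirm the trace output is not kept from test runs. The absolute `/home/chug/...` paths are pre-existing and make the fixture non-portable.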
