Author: rajith
Date: Tue Sep 30 09:50:02 2008
New Revision: 700525

URL: http://svn.apache.org/viewvc?rev=700525&view=rev
Log:
This is for QPID-1297.
This commit adds ACL checks for creation and deletion of federation links.
The AclModule.h was modified to have a default value for params in the authorize 
method.

Modified:
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.cpp
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.h

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?rev=700525&r1=700524&r2=700525&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h Tue Sep 30 
09:50:02 2008
@@ -54,7 +54,7 @@
    virtual bool doTransferAcl()=0;
    
    virtual bool authorise(const std::string& id, const acl::Action& action, 
const acl::ObjectType& objType, const std::string& name, 
-       std::map<acl::Property, std::string>* params)=0;
+       std::map<acl::Property, std::string>* params=0)=0;
    virtual bool authorise(const std::string& id, const acl::Action& action, 
const acl::ObjectType& objType, const std::string& ExchangeName, 
        const std::string& RoutingKey)=0;
    // create specilied authorise methods for cases that need faster matching 
as needed.
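Review bot: The new default `params=0` sits on a pure virtual `authorise`, and default arguments are bound from the static type at the call site, so every override has to repeat the same default or calls made through a derived type will not get it. It also lets callers ask for a decision with no properties at all, and both call sites added in this commit do so with an empty name, so rules that match on properties presumably cannot apply to them. I would state that contract on the declaration, e.g. `// params may be null: the decision is then based on id/action/objType/name only`. The class body starts and ends outside the hunk.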

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp?rev=700525&r1=700524&r2=700525&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp 
(original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.cpp Tue Sep 
30 09:50:02 2008
@@ -28,6 +28,7 @@
 #include "qpid/framing/ServerInvoker.h"
 #include "qpid/framing/enum.h"
 #include "qpid/log/Statement.h"
+#include "AclModule.h"
 
 using namespace qpid;
 using namespace qpid::broker;
@@ -72,9 +73,12 @@
 
 ConnectionHandler::Handler::Handler(Connection& c, bool isClient) :
     client(c.getOutput()), server(c.getOutput()),
-    connection(c), serverMode(!isClient)
+    connection(c), serverMode(!isClient), acl(0)
 {
     if (serverMode) {
+
+       acl =  connection.getBroker().getAcl();
+
         FieldTable properties;
         Array mechanisms(0x95);
 
@@ -100,7 +104,11 @@
     authenticator->start(mechanism, response);
     connection.setFederationLink(clientProperties.get(QPID_FED_LINK));
     if (connection.isFederationLink()){
-               QPID_LOG(info, "Connection is a federation link");
+       if (acl && 
!acl->authorise(connection.getUserId(),acl::CREATE,acl::LINK,"")){
+             
client.close(framing::connection::CLOSE_CODE_CONNECTION_FORCED,"ACL denied 
creating a federation link");
+             return;
+       }
+       QPID_LOG(info, "Connection is a federation link");
     }
 }
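Review bot: The ACL check runs directly after `authenticator->start(mechanism, response)` and uses `connection.getUserId()`, so it relies on the user id already being final at that point. For a mechanism that needs further challenge/response rounds (the handler also has `secureOk`), the id may not be established yet, and the check would then be made against an empty or unauthenticated identity. That cannot be seen from this hunk, so please confirm it or move the check to where authentication has completed. The denied path also leaves nothing in the broker log; `QPID_LOG(warning, "ACL denied federation link for " << connection.getUserId());` before `client.close(...)` would record rejected attempts. `startOk` begins outside the hunk.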
 

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h?rev=700525&r1=700524&r2=700525&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/ConnectionHandler.h Tue Sep 
30 09:50:02 2008
@@ -33,6 +33,7 @@
 #include "qpid/framing/ProtocolInitiation.h"
 #include "qpid/framing/ProtocolVersion.h"
 #include "qpid/Exception.h"
+#include "AclModule.h"
 
 namespace qpid {
 namespace broker {
@@ -49,35 +50,36 @@
         Connection& connection;
         bool serverMode;
         std::auto_ptr<SaslAuthenticator> authenticator;
-    
+        AclModule* acl;
+
         Handler(Connection& connection, bool isClient);
         ~Handler();
         void startOk(const qpid::framing::FieldTable& clientProperties,
                      const std::string& mechanism, const std::string& response,
-                     const std::string& locale); 
-        void secureOk(const std::string& response); 
-        void tuneOk(uint16_t channelMax, uint16_t frameMax, uint16_t 
heartbeat); 
+                     const std::string& locale);
+        void secureOk(const std::string& response);
+        void tuneOk(uint16_t channelMax, uint16_t frameMax, uint16_t 
heartbeat);
         void heartbeat() {}
         void open(const std::string& virtualHost,
-                  const framing::Array& capabilities, bool insist); 
-        void close(uint16_t replyCode, const std::string& replyText); 
-        void closeOk(); 
+                  const framing::Array& capabilities, bool insist);
+        void close(uint16_t replyCode, const std::string& replyText);
+        void closeOk();
 
 
         void start(const qpid::framing::FieldTable& serverProperties,
                    const framing::Array& mechanisms,
                    const framing::Array& locales);
-        
+
         void secure(const std::string& challenge);
-        
+
         void tune(uint16_t channelMax,
                   uint16_t frameMax,
                   uint16_t heartbeatMin,
                   uint16_t heartbeatMax);
-        
+
         void openOk(const framing::Array& knownHosts);
-        
-        void redirect(const std::string& host, const framing::Array& 
knownHosts);        
+
+        void redirect(const std::string& host, const framing::Array& 
knownHosts);
     };
     std::auto_ptr<Handler> handler;
   public:
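Review bot: The new member `AclModule* acl;` has no comment on ownership or nullability, although the constructor leaves it at 0 in client mode and presumably also when the broker has no ACL module loaded. A line such as `// Non-owning; null in client mode or when no ACL module is configured.` above the member would tell readers that every use needs the null check. Since only a pointer is stored, a forward declaration of `AclModule` would probably be enough in this header instead of the new `#include "AclModule.h"`. The other changes in this hunk are trailing-whitespace cleanup, and the class definition starts outside the hunk.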

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.cpp
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.cpp?rev=700525&r1=700524&r2=700525&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.cpp Tue Sep 30 09:50:02 
2008
@@ -26,10 +26,13 @@
 #include "qpid/agent/ManagementAgent.h"
 #include "boost/bind.hpp"
 #include "qpid/log/Statement.h"
+#include "qpid/framing/reply_exceptions.h"
+#include "AclModule.h"
 
 using namespace qpid::broker;
 using qpid::framing::Buffer;
 using qpid::framing::FieldTable;
+using qpid::framing::NotAllowedException;
 using qpid::management::ManagementAgent;
 using qpid::management::ManagementObject;
 using qpid::management::Manageable;
@@ -154,6 +157,12 @@
     Mutex::ScopedLock mutex(lock);
     Bridges toDelete;
 
+    AclModule* acl = getBroker()->getAcl();
+    std::string userID = getUsername() + "@" + getBroker()->getOptions().realm;
+    if (acl && !acl->authorise(userID,acl::DELETE,acl::LINK,"")){
+       throw NotAllowedException("ACL denied delete link request");
+    }
+
     QPID_LOG (info, "Inter-broker link to " << host << ":" << port << " 
removed by management");
     if (connection)
         connection->close(403, "closed by management");
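Review bot: The DELETE check builds `userID` from `getUsername()`, which in Link.h sits next to `getAuthMechanism()` and `getPassword()` and so looks like the credential this link presents to the remote broker, not the identity of whoever issued the management request. If that reading is right, the ACL decision is made for the wrong principal, and any management user could remove a link whose configured username is allowed to delete links. The check should use the caller's identity from the management request; if that is not reachable here, mark the limitation, e.g. `// FIXME: userID is the link's own username, not the management caller`. A denied request is also not logged before the `throw`, so refused deletions leave no trace in the broker log. The enclosing function starts and ends outside the hunk.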

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.h?rev=700525&r1=700524&r2=700525&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Link.h Tue Sep 30 09:50:02 
2008
@@ -110,6 +110,7 @@
             string getAuthMechanism() { return authMechanism; }
             string getUsername()      { return username; }
             string getPassword()      { return password; }
+            Broker* getBroker()       { return broker; }
 
             void notifyConnectionForced(const std::string text);
             

