author | Gordon Sim <gsim@apache.org> | 2015-11-26 22:48:55 +0000 |
---|---|---|
committer | Gordon Sim <gsim@apache.org> | 2015-11-26 22:48:55 +0000 |
commit | a97fec3b8f6c62c6564212e08dcd36eaa10f9b7b (patch) | |
tree | 16259c91a593fa1e7aff5787b64c844eb5210fec | |
parent | f33df5cc5e536ff6d22a01be971d9746c0ece38d (diff) | |
QPID-6754: ensure anonymous-relay doesn't expose ability to detect whether or not entity exists for those without permissions
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1716781 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | qpid/cpp/src/qpid/broker/amqp/Session.cpp | 1 | ||||
-rw-r--r-- | qpid/cpp/src/tests/acl_1.py | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/qpid/cpp/src/qpid/broker/amqp/Session.cpp b/qpid/cpp/src/qpid/broker/amqp/Session.cpp
index 33d3373bd7..3358d8e6be 100644
--- a/qpid/cpp/src/qpid/broker/amqp/Session.cpp
+++ b/qpid/cpp/src/qpid/broker/amqp/Session.cpp
@@ -968,6 +968,7 @@ void AnonymousRelay::handle(qpid::broker::Message& message, qpid::broker::TxBuff
 {
 // need to retrieve AMQP 1.0 'to' field and resolve it to a queue or exchange
 std::string dest = message.getTo();
+ authorise.access(dest, false, false);
 QPID_LOG(debug, "AnonymousRelay received message for " << dest);
 boost::shared_ptr<qpid::broker::Exchange> exchange;
 boost::shared_ptr<qpid::broker::Queue> queue;
diff --git a/qpid/cpp/src/tests/acl_1.py b/qpid/cpp/src/tests/acl_1.py
index 5419b87372..79d87fdc6e 100644
--- a/qpid/cpp/src/tests/acl_1.py
+++ b/qpid/cpp/src/tests/acl_1.py
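Review bot: The added `authorise.access(dest, false, false);` in AnonymousRelay::handle (Session.cpp) has no comment, although both its position and its arguments are security-relevant. It has to stay ahead of the queue/exchange resolution that follows, so that a sender without permission gets the same rejection whether or not `dest` exists, and the two bare `false` literals do not say which kinds of node are checked. I would put `// ACL check before lookup: unauthorised senders must not learn whether dest exists` above the call and state what `false, false` selects. The accompanying test now grants bob 'access' on both the queue and the exchange object for each destination, which suggests existing relay users need both rules after this change; if so, that deserves a release note. The body of handle() continues beyond the hunk, so the resolution code itself is not visible here.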
@@ -270,23 +270,41 @@ class Acl_AMQP1_Tests (VersionTest):
 def test_publish_to_anonymous_relay(self):
 self.acl.allow('bob', 'access', 'exchange', 'name=ANONYMOUS-RELAY')
 self.acl.allow('bob', 'access', 'queue', 'name=acl_test_queue')
+ self.acl.allow('bob', 'access', 'exchange', 'name=acl_test_queue')
 self.acl.allow('bob', 'publish', 'exchange', 'routingkey=acl_test_queue')
 self.acl.allow('bob', 'access', 'exchange', 'name=amq.topic')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.topic')
 self.acl.allow('bob', 'publish', 'exchange', 'name=amq.topic', 'routingkey=abc')
+ self.acl.allow('bob', 'access', 'exchange', 'name=amq.direct')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.direct')
 self.acl.allow('alice').deny().apply()
 sender = self.bob.sender("<null>")
 sender.send(Message("a message", properties={'x-amqp-to':'acl_test_queue'}), sync=True)
 sender.send(Message("another", subject='abc', properties={'x-amqp-to':'amq.topic'}), sync=True)
 try:
+ # have access permission, but publish not allowed for given key
 sender.send(Message("a third", subject='def', properties={'x-amqp-to':'amq.topic'}), sync=True)
 assert False, "bob should not be allowed to send message to amq.topic with key 'def'"
 except UnauthorizedAccess: pass
 sender = self.bob.sender("<null>")
 try:
+ # have access permission, but no publish
 sender.send(Message("a fourth", subject='abc', properties={'x-amqp-to':'amq.direct'}), sync=True)
 assert False, "bob should not be allowed to send message to amq.direct"
 except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a fiftth", subject='abc', properties={'x-amqp-to':'amq.fanout'}), sync=True)
+ assert False, "bob should not be allowed to send message to amq.fanout"
+ except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a sixth", properties={'x-amqp-to':'somewhereelse'}), sync=True)
+ assert False, "bob should not be allowed to send message to somewhere else"
+ except UnauthorizedAccess: pass
 sender = self.alice.sender("<null>")
 sender.send(Message("alice's message", properties={'x-amqp-to':'abc'}), sync=True)
 sender.send(Message("another from alice", properties={'x-amqp-to':'def'}), sync=True) |
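Review bot: The sixth case (`x-amqp-to` set to 'somewhereelse') looks like the regression test for the existence check, yet its comment `# have no access permission` is identical to the amq.fanout case and never says the target is meant not to exist. Something like `# no access permission and no such node: must be rejected exactly like amq.fanout` would record the intent. Both new cases assert only the exception type, so a difference in the reported error between an existing and a missing destination would go unnoticed. Binding the exception in each block with `except UnauthorizedAccess as e:` and comparing what the two report, apart from the destination name, would pin that down. The method may continue past the last context line of the hunk.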