authorCharles E. Rolke <chug@apache.org>2014-07-13 13:36:50 +0000
committerCharles E. Rolke <chug@apache.org>2014-07-13 13:36:50 +0000
commit83258e74aedbc812906df5d1d749a9f82984f5d8 (patch)
tree728cd13d0114e528423e8073ad119b070dbb32f2
parent3f7fa50da7d4ab73c1a7c0e5bbb589bec2b876e9 (diff)
QPID-5890: Refactor AclModule
Remove AclHelper::loadValidationMap() function from AclLexer and replace it with new logic in AclValidator. See https://reviews.apache.org/r/23447/ for a visual diff of the changes. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1610195 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--cpp/src/qpid/acl/AclLexer.cpp105
-rw-r--r--cpp/src/qpid/acl/AclLexer.h4
-rw-r--r--cpp/src/qpid/acl/AclReader.cpp1
-rw-r--r--cpp/src/qpid/acl/AclValidator.cpp94
-rw-r--r--cpp/src/qpid/acl/AclValidator.h42
5 files changed, 125 insertions, 121 deletions
diff --git a/cpp/src/qpid/acl/AclLexer.cpp b/cpp/src/qpid/acl/AclLexer.cpp
index 4bc2573cf1..1b24193e7c 100644
--- a/cpp/src/qpid/acl/AclLexer.cpp
+++ b/cpp/src/qpid/acl/AclLexer.cpp
@@ -39,7 +39,7 @@ ObjectType AclHelper::getObjectType(const std::string& str) {
if (str.compare(objectNames[i]) == 0)
return ObjectType(i);
}
- throw qpid::Exception(str);
+ throw qpid::Exception("Acl illegal object name: " + str);
}
const std::string& AclHelper::getObjectTypeStr(const ObjectType o) {
@@ -57,7 +57,7 @@ Action AclHelper::getAction(const std::string& str) {
if (str.compare(actionNames[i]) == 0)
return Action(i);
}
- throw qpid::Exception(str);
+ throw qpid::Exception("Acl illegal action name: " + str);
}
const std::string& AclHelper::getActionStr(const Action a) {
@@ -79,7 +79,7 @@ Property AclHelper::getProperty(const std::string& str) {
if (str.compare(propertyNames[i]) == 0)
return Property(i);
}
- throw qpid::Exception(str);
+ throw qpid::Exception("Acl illegal property name: " + str);
}
const std::string& AclHelper::getPropertyStr(const Property p) {
@@ -110,7 +110,7 @@ SpecProperty AclHelper::getSpecProperty(const std::string& str) {
return SPECPROP_MAXQUEUESIZEUPPERLIMIT;
if (str.compare("maxqueuecount") == 0)
return SPECPROP_MAXQUEUECOUNTUPPERLIMIT;
- throw qpid::Exception(str);
+ throw qpid::Exception("Acl illegal spec property name: " + str);
}
const std::string& AclHelper::getPropertyStr(const SpecProperty p) {
@@ -126,106 +126,11 @@ AclResult AclHelper::getAclResult(const std::string& str) {
if (str.compare(resultNames[i]) == 0)
return AclResult(i);
}
- throw qpid::Exception(str);
+ throw qpid::Exception("Acl illegal result name: " + str);
}
const std::string& AclHelper::getAclResultStr(const AclResult r) {
return resultNames[r];
}
-// This map contains the legal combinations of object/action/properties
-// found in an ACL file
-void AclHelper::loadValidationMap(objectMapPtr& map) {
- if (!map.get()) return;
- map->clear();
- propSetPtr p0; // empty ptr, used for no properties
-
- // == Exchanges ==
-
- propSetPtr p1(new propSet);
- p1->insert(PROP_TYPE);
- p1->insert(PROP_ALTERNATE);
- p1->insert(PROP_DURABLE);
-
- propSetPtr p2(new propSet);
- p2->insert(PROP_ROUTINGKEY);
-
- propSetPtr p3(new propSet);
- p3->insert(PROP_QUEUENAME);
- p3->insert(PROP_ROUTINGKEY);
-
- actionMapPtr a0(new actionMap);
- a0->insert(actionPair(ACT_CREATE, p1));
- a0->insert(actionPair(ACT_DELETE, p0));
- a0->insert(actionPair(ACT_ACCESS, p0));
- a0->insert(actionPair(ACT_BIND, p2));
- a0->insert(actionPair(ACT_UNBIND, p2));
- a0->insert(actionPair(ACT_ACCESS, p3));
- a0->insert(actionPair(ACT_PUBLISH, p0));
-
- map->insert(objectPair(OBJ_EXCHANGE, a0));
-
- // == Queues ==
-
- propSetPtr p4(new propSet);
- p4->insert(PROP_ALTERNATE);
- p4->insert(PROP_DURABLE);
- p4->insert(PROP_EXCLUSIVE);
- p4->insert(PROP_AUTODELETE);
- p4->insert(PROP_POLICYTYPE);
- p4->insert(PROP_PAGING);
- p4->insert(PROP_MAXPAGES);
- p4->insert(PROP_MAXPAGEFACTOR);
- p4->insert(PROP_MAXQUEUESIZE);
- p4->insert(PROP_MAXQUEUECOUNT);
-
- propSetPtr p5(new propSet);
- p5->insert(PROP_QUEUENAME);
-
- propSetPtr p6(new propSet);
- p6->insert(PROP_EXCHANGENAME);
-
-
- actionMapPtr a1(new actionMap);
- a1->insert(actionPair(ACT_ACCESS, p0));
- a1->insert(actionPair(ACT_CREATE, p4));
- a1->insert(actionPair(ACT_PURGE, p0));
- a1->insert(actionPair(ACT_DELETE, p0));
- a1->insert(actionPair(ACT_CONSUME, p0));
- a1->insert(actionPair(ACT_MOVE, p5));
- a1->insert(actionPair(ACT_REDIRECT, p5));
- a1->insert(actionPair(ACT_REROUTE, p6));
-
- map->insert(objectPair(OBJ_QUEUE, a1));
-
- // == Links ==
-
- actionMapPtr a2(new actionMap);
- a2->insert(actionPair(ACT_CREATE, p0));
-
- map->insert(objectPair(OBJ_LINK, a2));
-
- // == Method ==
-
- propSetPtr p7(new propSet);
- p7->insert(PROP_SCHEMAPACKAGE);
- p7->insert(PROP_SCHEMACLASS);
-
- actionMapPtr a4(new actionMap);
- a4->insert(actionPair(ACT_ACCESS, p7));
-
- map->insert(objectPair(OBJ_METHOD, a4));
-
- // == Query ==
-
- propSetPtr p8(new propSet);
- p8->insert(PROP_SCHEMACLASS);
-
- actionMapPtr a5(new actionMap);
- a5->insert(actionPair(ACT_ACCESS, p8));
-
- map->insert(objectPair(OBJ_QUERY, a5));
-
-}
-
}} // namespace qpid::acl
diff --git a/cpp/src/qpid/acl/AclLexer.h b/cpp/src/qpid/acl/AclLexer.h
index 4c2c8048ef..18789c093e 100644
--- a/cpp/src/qpid/acl/AclLexer.h
+++ b/cpp/src/qpid/acl/AclLexer.h
@@ -165,10 +165,6 @@ namespace acl {
typedef std::map<SpecProperty, std::string> specPropMap;
typedef specPropMap::const_iterator specPropMapItr;
- // This map contains the legal combinations of object/action/properties
- // found in an ACL file
- static void loadValidationMap(objectMapPtr& map);
-
//
// properyMapToString
//
diff --git a/cpp/src/qpid/acl/AclReader.cpp b/cpp/src/qpid/acl/AclReader.cpp
index 8f2e6f1fad..496d9b6132 100644
--- a/cpp/src/qpid/acl/AclReader.cpp
+++ b/cpp/src/qpid/acl/AclReader.cpp
@@ -251,7 +251,6 @@ namespace acl {
cliMaxQueuesPerUser (theCliMaxQueuesPerUser),
queueQuotaRulesExist(false),
queueQuota(new AclData::quotaRuleSet) {
- AclHelper::loadValidationMap(validationMap);
names.insert(AclData::ACL_KEYWORD_WILDCARD);
}
diff --git a/cpp/src/qpid/acl/AclValidator.cpp b/cpp/src/qpid/acl/AclValidator.cpp
index 89e072000e..c3b9462c06 100644
--- a/cpp/src/qpid/acl/AclValidator.cpp
+++ b/cpp/src/qpid/acl/AclValidator.cpp
@@ -21,6 +21,7 @@
#include "qpid/Exception.h"
#include "qpid/log/Statement.h"
#include "qpid/sys/IntegerTypes.h"
+#include "qpid/StringUtils.h"
#include <boost/lexical_cast.hpp>
#include <boost/bind.hpp>
#include <numeric>
@@ -132,6 +133,42 @@ namespace acl {
boost::shared_ptr<PropertyType>(
new EnumPropertyType(v))));
+ // Insert allowed action/object/property sets (generated manually 20140712)
+#define RP registerProperties
+ RP("Broker::queryQueue", ACT_ACCESS, OBJ_QUEUE);
+ RP("Broker::getTimestampConfig", ACT_ACCESS, OBJ_BROKER);
+ RP("Broker::setTimestampConfig", ACT_UPDATE, OBJ_BROKER);
+ RP("Broker::queueRedirect", ACT_REDIRECT,OBJ_QUEUE);
+ RP("Broker::queueMoveMessages", ACT_MOVE, OBJ_QUEUE);
+ RP("Broker::createQueue", ACT_CREATE, OBJ_QUEUE, "alternate durable exclusive autodelete policytype paging maxpages maxpagefactor maxqueuecount maxqueuesize maxfilecount maxfilesize");
+ RP("Broker::deleteQueue", ACT_DELETE, OBJ_QUEUE, "alternate durable exclusive autodelete policytype");
+ RP("Broker::createExchange", ACT_CREATE, OBJ_EXCHANGE, "type alternate durable autodelete");
+ RP("Broker::deleteExchange", ACT_DELETE, OBJ_EXCHANGE, "type alternate durable");
+ RP("Broker::bind", ACT_BIND, OBJ_EXCHANGE, "queuename routingkey");
+ RP("Broker::unbind", ACT_UNBIND, OBJ_EXCHANGE, "queuename routingkey");
+ RP("ConnectionHandler::Handler::open", ACT_CREATE, OBJ_LINK);
+ RP("Queue::ManagementMethod", ACT_PURGE, OBJ_QUEUE);
+ RP("Queue::ManagementMethod", ACT_REROUTE, OBJ_QUEUE, "exchangename");
+ RP("SemanticState::route", ACT_PUBLISH, OBJ_EXCHANGE, "routingkey");
+ RP("ExchangeHandlerImpl::declare", ACT_ACCESS, OBJ_EXCHANGE, "type alternate durable autodelete");
+ RP("ExchangeHandlerImpl::query", ACT_ACCESS, OBJ_EXCHANGE);
+ RP("ExchangeHandlerImpl::bound", ACT_ACCESS, OBJ_EXCHANGE, "queuename routingkey");
+ RP("QueueHandlerImpl::query", ACT_ACCESS, OBJ_QUEUE);
+ RP("QueueHandlerImpl::declare", ACT_ACCESS, OBJ_QUEUE, "alternate durable exclusive autodelete policytype maxqueuecount maxqueuesize"); // ?? Why not ACT_CREATE?
+ RP("QueueHandlerImpl::purge", ACT_PURGE, OBJ_QUEUE);
+ RP("MessageHandlerImpl::subscribe", ACT_CONSUME, OBJ_QUEUE);
+ RP("Authorise::access", ACT_ACCESS, OBJ_EXCHANGE, "type durable");
+ RP("Authorise::access", ACT_ACCESS, OBJ_QUEUE, "alternate durable exclusive autodelete policytype maxqueuecount maxqueuesize");
+ RP("Authorise::incoming", ACT_PUBLISH, OBJ_EXCHANGE);
+ RP("Authorise::outgoing", ACT_BIND, OBJ_EXCHANGE, "queuename routingkey");
+ RP("Authorise::outgoing", ACT_CONSUME, OBJ_QUEUE);
+ RP("Authorise::route", ACT_PUBLISH, OBJ_EXCHANGE, "routingkey");
+ RP("Authorise::interlink", ACT_CREATE, OBJ_LINK);
+ RP("Authorise::access", ACT_ACCESS, OBJ_EXCHANGE);
+ RP("Authorise::access", ACT_ACCESS, OBJ_QUEUE);
+ RP("ManagementAgent::handleMethodRequest", ACT_ACCESS, OBJ_METHOD, "schemapackage schemaclass");
+ RP("ManagementAgent::handleGetQuery", ACT_ACCESS, OBJ_QUERY, "schemaclass");
+ RP("ManagementAgent::authorizeAgentMessage",ACT_ACCESS, OBJ_METHOD, "schemapackage schemaclass");
}
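Review bot: The sets registered by this table are not the same as the table removed from AclLexer.cpp in this commit — ACT_CREATE on OBJ_EXCHANGE now also admits `autodelete`, ACT_PUBLISH on OBJ_EXCHANGE now admits `routingkey`, and ACT_DELETE on OBJ_QUEUE and OBJ_EXCHANGE now admits several properties where the old table allowed none — so rule files that the old validator rejected will now load, which is more than the "refactor" in the commit message suggests; the message should list which properties became legal and the ACL tests should cover at least one of them. The `#define RP registerProperties` at the top of the table is never `#undef`'d, so the two-letter macro stays defined for the rest of the translation unit; add `#undef RP` directly after the last `RP(...)` line. The `// ?? Why not ACT_CREATE?` remark on the `QueueHandlerImpl::declare` line is an open question left in production code; either resolve it or turn it into a `// TODO(chug): ...` that states why ACT_ACCESS is used. The constructor this table lives in starts outside the hunk.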
AclValidator::~AclValidator(){
@@ -186,4 +223,61 @@ namespace acl {
}
}
+ /**
+ * Construct a record of all the calls that the broker will
+ * make to acl::authorize and the properties for each call.
+ * From that create the list of all the spec properties that
+ * users are then allowed to specify in acl rule files.
+ */
+ void AclValidator::registerProperties(
+ const std::string& /* source */,
+ Action action,
+ ObjectType object,
+ const std::string& properties) {
+ if (!allowedProperties[action][object].get()) {
+ boost::shared_ptr<std::set<Property> > t1(new std::set<Property>());
+ allowedProperties[action][object] = t1;
+ boost::shared_ptr<std::set<SpecProperty> > t2(new std::set<SpecProperty>());
+ allowedSpecProperties[action][object] = t2;
+ }
+ std::vector<std::string> props = split(properties, " ");
+ for (size_t i=0; i<props.size(); i++) {
+ Property prop = AclHelper::getProperty(props[i]);
+ allowedProperties[action][object]->insert(prop);
+ // Given that the broker will be calling with this property,
+ // determine what user rule settings are allowed.
+ switch (prop) {
+ // Cases where broker supplies a property but Acl has upper/lower limit for it
+ case PROP_MAXPAGES:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGESLOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGESUPPERLIMIT);
+ break;
+ case PROP_MAXPAGEFACTOR:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGEFACTORLOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXPAGEFACTORUPPERLIMIT);
+ break;
+ case PROP_MAXQUEUESIZE:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUESIZELOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUESIZEUPPERLIMIT);
+ break;
+ case PROP_MAXQUEUECOUNT:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUECOUNTLOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXQUEUECOUNTUPPERLIMIT);
+ break;
+ case PROP_MAXFILESIZE:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILESIZELOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILESIZEUPPERLIMIT);
+ break;
+ case PROP_MAXFILECOUNT:
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILECOUNTLOWERLIMIT);
+ allowedSpecProperties[action][object]->insert(SPECPROP_MAXFILECOUNTUPPERLIMIT);
+ break;
+ default:
+ // Cases where broker supplies a property and Acl matches it directly
+ allowedSpecProperties[action][object]->insert( SpecProperty(prop) );
+ break;
+ }
+ }
+ }
+
}}
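Review bot: The `default:` branch at `allowedSpecProperties[action][object]->insert( SpecProperty(prop) );` converts a Property enumerator to SpecProperty by numeric value, so it is only correct while every Property without a LOWER/UPPER limit keeps the same value as its SpecProperty counterpart in AclLexer.h; nothing here checks that, and reordering either enum would silently register the wrong spec property. Add a comment on that line, e.g. `// Relies on SpecProperty sharing Property's numeric values for every property that has no LOWER/UPPER limit (see AclLexer.h)`, and if the project has a compile-time assert facility, pin one such pair with it. `split(properties, " ")` is also reached with the header's default argument of `""`; if that split yields one empty token rather than none, `AclHelper::getProperty("")` throws and the AclValidator constructor aborts — I cannot see split's contract from this hunk, so please confirm. As a style point, the repeated `allowedProperties[action][object]` and `allowedSpecProperties[action][object]` lookups could be bound once to local references above the loop.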
diff --git a/cpp/src/qpid/acl/AclValidator.h b/cpp/src/qpid/acl/AclValidator.h
index 76eb222d2f..03a80c5b09 100644
--- a/cpp/src/qpid/acl/AclValidator.h
+++ b/cpp/src/qpid/acl/AclValidator.h
@@ -33,15 +33,15 @@ namespace acl {
class AclValidator {
/* Base Property */
- class PropertyType{
+ class PropertyType{
public:
virtual ~PropertyType(){};
virtual bool validate(const std::string& val)=0;
virtual std::string allowedValues()=0;
- };
+ };
- class IntPropertyType : public PropertyType{
+ class IntPropertyType : public PropertyType{
int64_t min;
int64_t max;
@@ -50,9 +50,9 @@ class AclValidator {
virtual ~IntPropertyType (){};
virtual bool validate(const std::string& val);
virtual std::string allowedValues();
- };
+ };
- class EnumPropertyType : public PropertyType{
+ class EnumPropertyType : public PropertyType{
std::vector<std::string> values;
public:
@@ -60,22 +60,32 @@ class AclValidator {
virtual ~EnumPropertyType (){};
virtual bool validate(const std::string& val);
virtual std::string allowedValues();
- };
+ };
- typedef std::pair<acl::SpecProperty,boost::shared_ptr<PropertyType> > Validator;
- typedef std::map<acl::SpecProperty,boost::shared_ptr<PropertyType> > ValidatorMap;
- typedef ValidatorMap::iterator ValidatorItr;
+ typedef std::pair<acl::SpecProperty,boost::shared_ptr<PropertyType> > Validator;
+ typedef std::map<acl::SpecProperty,boost::shared_ptr<PropertyType> > ValidatorMap;
+ typedef ValidatorMap::iterator ValidatorItr;
+ typedef boost::shared_ptr<std::set<Property> > AllowedProperties [ACTIONSIZE][OBJECTSIZE];
+ typedef boost::shared_ptr<std::set<SpecProperty> > AllowedSpecProperties[ACTIONSIZE][OBJECTSIZE];
- ValidatorMap validators;
+ ValidatorMap validators;
+ AllowedProperties allowedProperties;
+ AllowedSpecProperties allowedSpecProperties;
public:
- void validateRuleSet(std::pair<const std::string, qpid::acl::AclData::ruleSet>& rules);
- void validateRule(qpid::acl::AclData::Rule& rule);
- void validateProperty(std::pair<const qpid::acl::SpecProperty, std::string>& prop);
- void validate(boost::shared_ptr<AclData> d);
- AclValidator();
- ~AclValidator();
+ void validateRuleSet(std::pair<const std::string, qpid::acl::AclData::ruleSet>& rules);
+ void validateRule(qpid::acl::AclData::Rule& rule);
+ void validateProperty(std::pair<const qpid::acl::SpecProperty, std::string>& prop);
+ void validate(boost::shared_ptr<AclData> d);
+ AclValidator();
+ ~AclValidator();
+
+private:
+ void registerProperties(const std::string& source,
+ Action action,
+ ObjectType object,
+ const std::string& properties = "");
};
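Review bot: `registerProperties` is declared in the new `private:` section without a comment, and its first parameter `source` is ignored by the definition in AclValidator.cpp (the parameter name is commented out there), so a reader of the header cannot tell that it only records which broker call site supplies the properties. Add a short comment above the declaration, e.g. `// Record that broker call site 'source' authorizes 'action' on 'object' with the space-separated 'properties'; 'source' is documentation only.` The `AllowedProperties`/`AllowedSpecProperties` typedefs are raw two-dimensional arrays indexed by Action and ObjectType, so `ACTIONSIZE`/`OBJECTSIZE` must stay in step with those enums in AclLexer.h; a comment saying so next to the typedefs would help the next maintainer. The class body begins before this hunk.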
}} // namespace qpid::acl