authorTed Ross <tross@apache.org>2011-02-02 18:16:57 +0000
committerTed Ross <tross@apache.org>2011-02-02 18:16:57 +0000
commit9991fae5ea4415b6ef760a4430658202b90264bc (patch)
tree93399916cd50e0ac10aa761144b4915d9085e217 /cpp/src/qmf/AgentSession.cpp
parent24fb6939e5420ecae9033687c8c6081a62cd42a5 (diff)
QPID-3032 - Modifications to the QMFv2 implementation:
1) Use the topic exchange as the base for direct and reply-to addresses. 2) Add a strict-security option to the Console and Agent APIs that narrows the messaging patterns used such that they can easily be controlled by broker ACL policy. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1066562 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qmf/AgentSession.cpp')
-rw-r--r--cpp/src/qmf/AgentSession.cpp42
1 files changed, 39 insertions, 3 deletions
diff --git a/cpp/src/qmf/AgentSession.cpp b/cpp/src/qmf/AgentSession.cpp
index 24356519d7..fb18f27150 100644
--- a/cpp/src/qmf/AgentSession.cpp
+++ b/cpp/src/qmf/AgentSession.cpp
@@ -116,6 +116,8 @@ namespace qmf {
uint32_t minSubInterval;
uint32_t subLifetime;
bool publicEvents;
+ bool listenOnDirect;
+ bool strictSecurity;
uint64_t schemaUpdateTime;
string directBase;
string topicBase;
@@ -179,6 +181,7 @@ AgentSessionImpl::AgentSessionImpl(Connection& c, const string& options) :
bootSequence(1), interval(60), lastHeartbeat(0), lastVisit(0), forceHeartbeat(false),
externalStorage(false), autoAllowQueries(true), autoAllowMethods(true),
maxSubscriptions(64), minSubInterval(3000), subLifetime(300), publicEvents(true),
+ listenOnDirect(true), strictSecurity(false),
schemaUpdateTime(uint64_t(qpid::sys::Duration(qpid::sys::EPOCH, qpid::sys::now())))
{
//
@@ -231,6 +234,14 @@ AgentSessionImpl::AgentSessionImpl(Connection& c, const string& options) :
iter = optMap.find("public-events");
if (iter != optMap.end())
publicEvents = iter->second.asBool();
+
+ iter = optMap.find("listen-on-direct");
+ if (iter != optMap.end())
+ listenOnDirect = iter->second.asBool();
+
+ iter = optMap.find("strict-security");
+ if (iter != optMap.end())
+ strictSecurity = iter->second.asBool();
}
}
@@ -248,6 +259,8 @@ void AgentSessionImpl::open()
throw QmfException("The session is already open");
const string addrArgs(";{create:never,node:{type:topic}}");
+ const string routableAddr("direct-agent.route." + qpid::types::Uuid(true).str());
+ attributes["_direct_subject"] = routableAddr;
// Establish messaging addresses
setAgentName();
@@ -256,13 +269,20 @@ void AgentSessionImpl::open()
// Create AMQP session, receivers, and senders
session = connection.createSession();
- Receiver directRx = session.createReceiver(directBase + "/" + agentName + addrArgs);
+ Receiver directRx;
+ Receiver routableDirectRx = session.createReceiver(topicBase + "/" + routableAddr + addrArgs);
Receiver topicRx = session.createReceiver(topicBase + "/console.#" + addrArgs);
- directRx.setCapacity(64);
+ if (listenOnDirect && !strictSecurity) {
+ directRx = session.createReceiver(directBase + "/" + agentName + addrArgs);
+ directRx.setCapacity(64);
+ }
+
+ routableDirectRx.setCapacity(64);
topicRx.setCapacity(64);
- directSender = session.createSender(directBase + addrArgs);
+ if (!strictSecurity)
+ directSender = session.createSender(directBase + addrArgs);
topicSender = session.createSender(topicBase + addrArgs);
// Start the receiver thread
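Review bot: In open(), `listen-on-direct` is silently ignored whenever `strict-security` is set, and `directSender` is left default-constructed in that mode; neither is stated in the code. I would add a comment above the `if (listenOnDirect && !strictSecurity)` test such as `// strict-security overrides listen-on-direct: only topicBase addresses are used so broker ACLs can cover all agent traffic`. It is also worth confirming that no path outside send() touches `directSender` when `strictSecurity` is true, since that would act on an unopened handle; the rest of open() is outside this hunk, so I cannot verify it from here.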
@@ -794,6 +814,17 @@ void AgentSessionImpl::dispatch(Message msg)
const Variant::Map& properties(msg.getProperties());
Variant::Map::const_iterator iter;
+ //
+ // If strict-security is enabled, make sure that reply-to address complies with the
+ // strict-security addressing pattern (i.e. start with 'qmf.<domain>.topic/direct-console.').
+ //
+ if (strictSecurity && msg.getReplyTo()) {
+ if (msg.getReplyTo().getName() != topicBase || msg.getReplyTo().getSubject().find("direct-console.") != 0) {
+ QPID_LOG(warning, "Reply-to violates strict-security policy: " << msg.getReplyTo().str());
+ return;
+ }
+ }
+
iter = properties.find(protocol::HEADER_KEY_APP_ID);
if (iter != properties.end() && iter->second.asString() == protocol::HEADER_APP_ID_QMF) {
//
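Review bot: The strict-security check in dispatch() runs before the `HEADER_KEY_APP_ID` filter and logs the peer-supplied reply-to at warning level on every rejection. Any sender able to reach the agent's receivers can therefore fill the log with strings of its choosing, including messages that are not QMF at all. Consider moving the check inside the `HEADER_APP_ID_QMF` branch, or logging at a lower or rate-limited level. The reply-to is also fetched up to four times; binding it once reads better, e.g. `const Address& replyTo(msg.getReplyTo());`, assuming getReplyTo() returns a reference. The body of dispatch() continues outside the hunk.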
@@ -892,6 +923,11 @@ void AgentSessionImpl::send(Message msg, const Address& to)
{
Sender sender;
+ if (strictSecurity && to.getName() != topicBase) {
+ QPID_LOG(warning, "Address violates strict-security policy: " << to);
+ return;
+ }
+
if (to.getName() == directBase) {
msg.setSubject(to.getSubject());
sender = directSender;
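Review bot: The strict-security guard in send() checks only the exchange name, whereas dispatch() also requires the subject to start with `direct-console.`; the outbound check is therefore weaker than the inbound one. If every `to` passed here is a console reply address (not visible in this hunk), the guard could mirror the inbound rule as defence in depth: `if (strictSecurity && (to.getName() != topicBase || to.getSubject().find("direct-console.") != 0)) {`. The early `return` also drops the message with only a log line, so callers cannot tell that nothing was sent; a comment stating that this is intentional would help. The body of send() continues outside the hunk.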