summaryrefslogtreecommitdiff
path: root/cpp/src/qpid/acl/AclData.cpp
diff options
context:
space:
mode:
authorCharles E. Rolke <chug@apache.org>2013-02-09 00:56:42 +0000
committerCharles E. Rolke <chug@apache.org>2013-02-09 00:56:42 +0000
commit28c7ca7bb7ec9bb8ef523b2146fc115b2d9547e4 (patch)
tree5bed0e8f9c47d1f6d071e7eb7ed37f2e26afb492 /cpp/src/qpid/acl/AclData.cpp
parent285cbec919347b038c1684894cb483628744bdbf (diff)
downloadqpid-python-28c7ca7bb7ec9bb8ef523b2146fc115b2d9547e4.tar.gz
QPID-4054 C++ Broker connection limits per user
1. Constrain maximum limits to be a few ticks below Uint16_t max to avoid inadvertent wrapping and to allow room for some named constants such as UNLIMITED. 2. Add syntax to Acl rule file quota connections N user|group [user|group] 3. Pseudo user 'all' receives value from command line switch or from Acl rule file. 4. Named constant strings used in comparisons instead of local strings. 5. Connection counts maintained all the time to support reolad of Acl rule file that may change limits. 6. Self tests exercise all the features. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1444302 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/acl/AclData.cpp')
-rw-r--r--cpp/src/qpid/acl/AclData.cpp103
1 files changed, 86 insertions, 17 deletions
diff --git a/cpp/src/qpid/acl/AclData.cpp b/cpp/src/qpid/acl/AclData.cpp
index 997fbdf2eb..ca866ab7d3 100644
--- a/cpp/src/qpid/acl/AclData.cpp
+++ b/cpp/src/qpid/acl/AclData.cpp
@@ -25,11 +25,19 @@ namespace qpid {
namespace acl {
//
- // Instantiate the substitution keyword string
+ // Instantiate the keyword strings
//
- const std::string AclData::USER_SUBSTITUTION_KEYWORD = "${user}";
- const std::string AclData::DOMAIN_SUBSTITUTION_KEYWORD = "${domain}";
- const std::string AclData::USERDOMAIN_SUBSTITUTION_KEYWORD = "${userdomain}";
+ const std::string AclData::ACL_KEYWORD_USER_SUBST = "${user}";
+ const std::string AclData::ACL_KEYWORD_DOMAIN_SUBST = "${domain}";
+ const std::string AclData::ACL_KEYWORD_USERDOMAIN_SUBST = "${userdomain}";
+ const std::string AclData::ACL_KEYWORD_ALL = "all";
+ const std::string AclData::ACL_KEYWORD_ACL = "acl";
+ const std::string AclData::ACL_KEYWORD_GROUP = "group";
+ const std::string AclData::ACL_KEYWORD_QUOTA = "quota";
+ const std::string AclData::ACL_KEYWORD_QUOTA_CONNECTIONS = "connections";
+ const char AclData::ACL_SYMBOL_WILDCARD = '*';
+ const std::string AclData::ACL_KEYWORD_WILDCARD = "*";
+ const char AclData::ACL_SYMBOL_LINE_CONTINUATION = '\\';
//
// constructor
@@ -37,7 +45,9 @@ namespace acl {
AclData::AclData():
decisionMode(qpid::acl::DENY),
transferAcl(false),
- aclSource("UNKNOWN")
+ aclSource("UNKNOWN"),
+ connQuotaRulesExist(false),
+ connQuotaRuleSettings(new quotaRuleSet)
{
for (unsigned int cnt=0; cnt< qpid::acl::ACTIONSIZE; cnt++)
{
@@ -60,6 +70,9 @@ namespace acl {
}
delete[] actionList[cnt];
}
+ transferAcl = false;
+ connQuotaRulesExist = false;
+ connQuotaRuleSettings->clear();
}
@@ -73,7 +86,7 @@ namespace acl {
const std::string& lookupStr)
{
// allow wildcard on the end of rule strings...
- if (ruleStr.data()[ruleStr.size()-1]=='*')
+ if (ruleStr.data()[ruleStr.size()-1]==ACL_SYMBOL_WILDCARD)
{
return ruleStr.compare(0,
ruleStr.size()-1,
@@ -124,7 +137,7 @@ namespace acl {
// If individual actorId not found then find a rule set for '*'.
if (itrRule == actionList[action][objType]->end())
- itrRule = actionList[action][objType]->find("*");
+ itrRule = actionList[action][objType]->find(ACL_KEYWORD_WILDCARD);
if (itrRule != actionList[action][objType]->end())
{
@@ -390,7 +403,7 @@ namespace acl {
AclData::actObjItr itrRule = actionList[action][objType]->find(id);
if (itrRule == actionList[action][objType]->end())
- itrRule = actionList[action][objType]->find("*");
+ itrRule = actionList[action][objType]->find(ACL_KEYWORD_WILDCARD);
if (itrRule != actionList[action][objType]->end() )
{
@@ -436,9 +449,9 @@ namespace acl {
if (match && rsItr->pubRoutingKeyInRule)
{
- if ((routingKey.find(USER_SUBSTITUTION_KEYWORD, 0) != std::string::npos) ||
- (routingKey.find(DOMAIN_SUBSTITUTION_KEYWORD, 0) != std::string::npos) ||
- (routingKey.find(USERDOMAIN_SUBSTITUTION_KEYWORD, 0) != std::string::npos))
+ if ((routingKey.find(ACL_KEYWORD_USER_SUBST, 0) != std::string::npos) ||
+ (routingKey.find(ACL_KEYWORD_DOMAIN_SUBST, 0) != std::string::npos) ||
+ (routingKey.find(ACL_KEYWORD_USERDOMAIN_SUBST, 0) != std::string::npos))
{
// The user is not allowed to present a routing key with the substitution key in it
QPID_LOG(debug, "ACL: Rule: " << rsItr->rawRuleNum <<
@@ -489,6 +502,62 @@ namespace acl {
}
+
+ //
+ //
+ //
+ void AclData::setConnQuotaRuleSettings (
+ bool rulesExist, boost::shared_ptr<quotaRuleSet> quotaPtr)
+ {
+ connQuotaRulesExist = rulesExist;
+ connQuotaRuleSettings = quotaPtr;
+ }
+
+
+ //
+ // getConnQuotaForUser
+ //
+ // Return the true or false value of connQuotaRulesExist,
+ // indicating whether any kind of lookup was done or not.
+ //
+ // When lookups are performed return the result value of
+ // 1. The user's setting else
+ // 2. The 'all' user setting else
+ // 3. Zero
+ // When lookups are not performed then return a result value of Zero.
+ //
+ bool AclData::getConnQuotaForUser(const std::string& theUserName,
+ uint16_t* theResult) const {
+ if (connQuotaRulesExist) {
+ // look for this user explicitly
+ quotaRuleSetItr nameItr = (*connQuotaRuleSettings).find(theUserName);
+ if (nameItr != (*connQuotaRuleSettings).end()) {
+ QPID_LOG(trace, "ACL: Connection quota for user " << theUserName
+ << " explicitly set to : " << (*nameItr).second);
+ *theResult = (*nameItr).second;
+ } else {
+ // Look for the 'all' user
+ nameItr = (*connQuotaRuleSettings).find(ACL_KEYWORD_ALL);
+ if (nameItr != (*connQuotaRuleSettings).end()) {
+ QPID_LOG(trace, "ACL: Connection quota for user " << theUserName
+ << " chosen through value for 'all' : " << (*nameItr).second);
+ *theResult = (*nameItr).second;
+ } else {
+ // Neither userName nor "all" found.
+ QPID_LOG(trace, "ACL: Connection quota for user " << theUserName
+ << " absent in quota settings. Return value : 0");
+ *theResult = 0;
+ }
+ }
+ } else {
+ // Rules do not exist
+ QPID_LOG(trace, "ACL: Connection quota for user " << theUserName
+ << " unavailable; quota settings are not specified. Return value : 0");
+ *theResult = 0;
+ }
+ return connQuotaRulesExist;
+ }
+
//
//
//
@@ -656,9 +725,9 @@ namespace acl {
domain = normalizeUserId(userId.substr(locDomSeparator+1));
}
- substituteString(ruleString, USER_SUBSTITUTION_KEYWORD, user);
- substituteString(ruleString, DOMAIN_SUBSTITUTION_KEYWORD, domain);
- substituteString(ruleString, USERDOMAIN_SUBSTITUTION_KEYWORD, userdomain);
+ substituteString(ruleString, ACL_KEYWORD_USER_SUBST, user);
+ substituteString(ruleString, ACL_KEYWORD_DOMAIN_SUBST, domain);
+ substituteString(ruleString, ACL_KEYWORD_USERDOMAIN_SUBST, userdomain);
}
@@ -689,8 +758,8 @@ namespace acl {
domain = normalizeUserId(userId.substr(locDomSeparator+1));
}
std::string oRule(ruleString);
- substituteString(ruleString, userdomain, USERDOMAIN_SUBSTITUTION_KEYWORD);
- substituteString(ruleString, user, USER_SUBSTITUTION_KEYWORD);
- substituteString(ruleString, domain, DOMAIN_SUBSTITUTION_KEYWORD);
+ substituteString(ruleString, userdomain, ACL_KEYWORD_USERDOMAIN_SUBST);
+ substituteString(ruleString, user, ACL_KEYWORD_USER_SUBST);
+ substituteString(ruleString, domain, ACL_KEYWORD_DOMAIN_SUBST);
}
}}
View Lorry Controller Status