author | Rajith Muditha Attapattu <rajith@apache.org> | 2011-05-27 15:44:23 +0000 |
---|---|---|
committer | Rajith Muditha Attapattu <rajith@apache.org> | 2011-05-27 15:44:23 +0000 |
commit | 66765100f4257159622cefe57bed50125a5ad017 (patch) | |
tree | a88ee23bb194eb91f0ebb2d9b23ff423e3ea8e37 /cpp/src/qpid/acl | |
parent | 1aeaa7b16e5ce54f10c901d75c4d40f9f88b9db6 (diff) | |
parent | 88b98b2f4152ef59a671fad55a0d08338b6b78ca (diff) | |
download | qpid-python-rajith_jms_client.tar.gz |
Creating a branch for experimenting with some ideas for JMS client.rajith_jms_client
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/rajith_jms_client@1128369 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/qpid/acl')
-rw-r--r-- | cpp/src/qpid/acl/Acl.cpp | 191 | ||||
-rw-r--r-- | cpp/src/qpid/acl/Acl.h | 86 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclData.cpp | 261 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclData.h | 84 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclPlugin.cpp | 96 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclReader.cpp | 581 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclReader.h | 118 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclValidator.cpp | 150 | ||||
-rw-r--r-- | cpp/src/qpid/acl/AclValidator.h | 83 | ||||
-rw-r--r-- | cpp/src/qpid/acl/management-schema.xml | 44 |
10 files changed, 0 insertions, 1694 deletions
diff --git a/cpp/src/qpid/acl/Acl.cpp b/cpp/src/qpid/acl/Acl.cpp
deleted file mode 100644
index 4b3dda7962..0000000000
--- a/cpp/src/qpid/acl/Acl.cpp
+++ /dev/null
@@ -1,191 +0,0 @@ -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -#include "qpid/acl/Acl.h" -#include "qpid/acl/AclData.h" -#include "qpid/acl/AclValidator.h" -#include "qpid/sys/Mutex.h" - -#include "qpid/broker/Broker.h" -#include "qpid/Plugin.h" -#include "qpid/Options.h" -#include "qpid/log/Logger.h" -#include "qpid/types/Variant.h" -#include "qmf/org/apache/qpid/acl/Package.h" -#include "qmf/org/apache/qpid/acl/EventAllow.h" -#include "qmf/org/apache/qpid/acl/EventDeny.h" -#include "qmf/org/apache/qpid/acl/EventFileLoaded.h" -#include "qmf/org/apache/qpid/acl/EventFileLoadFailed.h" - -#include <map> - -#include <boost/shared_ptr.hpp> -#include <boost/utility/in_place_factory.hpp> - -using namespace std; -using namespace qpid::acl; -using qpid::broker::Broker; -using namespace qpid::sys; -using qpid::management::ManagementAgent; -using qpid::management::ManagementObject; -using qpid::management::Manageable; -using qpid::management::Args; -namespace _qmf = qmf::org::apache::qpid::acl; - -Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), transferAcl(false), mgmtObject(0) -{ - - agent = broker->getManagementAgent(); - - if (agent != 0){ - _qmf::Package packageInit(agent); - mgmtObject = new _qmf::Acl (agent, this, broker); - agent->addObject (mgmtObject); - } - std::string errorString; - if (!readAclFile(errorString)){ - throw Exception("Could not read ACL file " + 
errorString); - if (mgmtObject!=0) mgmtObject->set_enforcingAcl(0); - } - QPID_LOG(info, "ACL Plugin loaded"); - if (mgmtObject!=0) mgmtObject->set_enforcingAcl(1); -} - - bool Acl::authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params) - { - boost::shared_ptr<AclData> dataLocal; - { - Mutex::ScopedLock locker(dataLock); - dataLocal = data; //rcu copy - } - - // add real ACL check here... - AclResult aclreslt = dataLocal->lookup(id,action,objType,name,params); - - - return result(aclreslt, id, action, objType, name); - } - - bool Acl::authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName, const std::string& RoutingKey) - { - boost::shared_ptr<AclData> dataLocal; - { - Mutex::ScopedLock locker(dataLock); - dataLocal = data; //rcu copy - } - - // only use dataLocal here... - AclResult aclreslt = dataLocal->lookup(id,action,objType,ExchangeName,RoutingKey); - - return result(aclreslt, id, action, objType, ExchangeName); - } - - - bool Acl::result(const AclResult& aclreslt, const std::string& id, const Action& action, const ObjectType& objType, const std::string& name) - { - switch (aclreslt) - { - case ALLOWLOG: - QPID_LOG(info, "ACL Allow id:" << id <<" action:" << AclHelper::getActionStr(action) << - " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name ); - agent->raiseEvent(_qmf::EventAllow(id, AclHelper::getActionStr(action), - AclHelper::getObjectTypeStr(objType), - name, types::Variant::Map())); - case ALLOW: - return true; - case DENY: - if (mgmtObject!=0) mgmtObject->inc_aclDenyCount(); - return false; - case DENYLOG: - if (mgmtObject!=0) mgmtObject->inc_aclDenyCount(); - default: - QPID_LOG(info, "ACL Deny id:" << id << " action:" << AclHelper::getActionStr(action) << " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name); - agent->raiseEvent(_qmf::EventDeny(id, 
AclHelper::getActionStr(action), - AclHelper::getObjectTypeStr(objType), - name, types::Variant::Map())); - return false; - } - return false; - } - - bool Acl::readAclFile(std::string& errorText) - { - // only set transferAcl = true if a rule implies the use of ACL on transfer, else keep false for performance reasons. - return readAclFile(aclValues.aclFile, errorText); - } - - bool Acl::readAclFile(std::string& aclFile, std::string& errorText) { - boost::shared_ptr<AclData> d(new AclData); - AclReader ar; - if (ar.read(aclFile, d)){ - agent->raiseEvent(_qmf::EventFileLoadFailed("", ar.getError())); - errorText = ar.getError(); - QPID_LOG(error,ar.getError()); - return false; - } - - AclValidator validator; - validator.validate(d); - - { - Mutex::ScopedLock locker(dataLock); - data = d; - } - transferAcl = data->transferAcl; // any transfer ACL - - if (data->transferAcl){ - QPID_LOG(debug,"Transfer ACL is Enabled!"); - } - - data->aclSource = aclFile; - if (mgmtObject!=0){ - mgmtObject->set_transferAcl(transferAcl?1:0); - mgmtObject->set_policyFile(aclFile); - sys::AbsTime now = sys::AbsTime::now(); - int64_t ns = sys::Duration(sys::EPOCH, now); - mgmtObject->set_lastAclLoad(ns); - agent->raiseEvent(_qmf::EventFileLoaded("")); - } - return true; - } - - Acl::~Acl(){} - - ManagementObject* Acl::GetManagementObject(void) const - { - return (ManagementObject*) mgmtObject; - } - - Manageable::status_t Acl::ManagementMethod (uint32_t methodId, Args& /*args*/, string& text) - { - Manageable::status_t status = Manageable::STATUS_UNKNOWN_METHOD; - QPID_LOG (debug, "Queue::ManagementMethod [id=" << methodId << "]"); - - switch (methodId) - { - case _qmf::Acl::METHOD_RELOADACLFILE : - readAclFile(text); - if (text.empty()) - status = Manageable::STATUS_OK; - else - status = Manageable::STATUS_USER; - break; - } - - return status; -} diff --git a/cpp/src/qpid/acl/Acl.h b/cpp/src/qpid/acl/Acl.h deleted file mode 100644 index 77f43838de..0000000000 
--- a/cpp/src/qpid/acl/Acl.h
+++ /dev/null
@@ -1,86 +0,0 @@ -#ifndef QPID_ACL_ACL_H -#define QPID_ACL_ACL_H - - -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - - - -#include "qpid/acl/AclReader.h" -#include "qpid/RefCounted.h" -#include "qpid/broker/AclModule.h" -#include "qpid/management/Manageable.h" -#include "qpid/management/ManagementAgent.h" -#include "qmf/org/apache/qpid/acl/Acl.h" -#include "qpid/sys/Mutex.h" - -#include <map> -#include <string> - - -namespace qpid { -namespace broker { -class Broker; -} - -namespace acl { - -struct AclValues { - std::string aclFile; -}; - - -class Acl : public broker::AclModule, public RefCounted, public management::Manageable -{ - -private: - acl::AclValues aclValues; - broker::Broker* broker; - bool transferAcl; - boost::shared_ptr<AclData> data; - qmf::org::apache::qpid::acl::Acl* mgmtObject; // mgnt owns lifecycle - qpid::management::ManagementAgent* agent; - mutable qpid::sys::Mutex dataLock; - -public: - Acl (AclValues& av, broker::Broker& b); - - void initialize(); - - inline virtual bool doTransferAcl() {return transferAcl;}; - - // create specilied authorise methods for cases that need faster matching as needed. 
- virtual bool authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params=0); - virtual bool authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName,const std::string& RoutingKey); - - virtual ~Acl(); -private: - bool result(const AclResult& aclreslt, const std::string& id, const Action& action, const ObjectType& objType, const std::string& name); - bool readAclFile(std::string& errorText); - bool readAclFile(std::string& aclFile, std::string& errorText); - virtual qpid::management::ManagementObject* GetManagementObject(void) const; - virtual management::Manageable::status_t ManagementMethod (uint32_t methodId, management::Args& args, std::string& text); - -}; - - - -}} // namespace qpid::acl - -#endif // QPID_ACL_ACL_H diff --git a/cpp/src/qpid/acl/AclData.cpp b/cpp/src/qpid/acl/AclData.cpp deleted file mode 100644 index 658529b270..0000000000 --- a/cpp/src/qpid/acl/AclData.cpp +++ /dev/null 
@@ -1,261 +0,0 @@ -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -#include "qpid/acl/AclData.h" -#include "qpid/log/Statement.h" -#include "qpid/sys/IntegerTypes.h" -#include <boost/lexical_cast.hpp> - -namespace qpid { -namespace acl { - -AclData::AclData():decisionMode(qpid::acl::DENY),transferAcl(false),aclSource("UNKNOWN") -{ - for (unsigned int cnt=0; cnt< qpid::acl::ACTIONSIZE; cnt++){ - actionList[cnt]=0; - } - -} - -void AclData::clear () -{ - for (unsigned int cnt=0; cnt< qpid::acl::ACTIONSIZE; cnt++){ - if (actionList[cnt]){ - for (unsigned int cnt1=0; cnt1< qpid::acl::OBJECTSIZE; cnt1++) - delete actionList[cnt][cnt1]; - } - delete[] actionList[cnt]; - } - -} - -bool AclData::matchProp(const std::string & src, const std::string& src1) -{ - // allow wildcard on the end of strings... 
- if (src.data()[src.size()-1]=='*') { - return (src.compare(0, src.size()-1, src1, 0,src.size()-1 ) == 0); - } else { - return (src.compare(src1)==0) ; - } -} - -AclResult AclData::lookup(const std::string& id, const Action& action, const ObjectType& objType, - const std::string& name, std::map<Property, std::string>* params) { - - QPID_LOG(debug, "ACL: Lookup for id:" << id << " action:" << AclHelper::getActionStr((Action) action) - << " objectType:" << AclHelper::getObjectTypeStr((ObjectType) objType) << " name:" << name - << " with params " << AclHelper::propertyMapToString(params)); - - AclResult aclresult = decisionMode; - if (actionList[action] && actionList[action][objType]) { - AclData::actObjItr itrRule = actionList[action][objType]->find(id); - if (itrRule == actionList[action][objType]->end()) - itrRule = actionList[action][objType]->find("*"); - - if (itrRule != actionList[action][objType]->end()) { - - QPID_LOG(debug, "ACL: checking the following rules for : " << itrRule->first ); - - //loop the vector - for (ruleSetItr i = itrRule->second.begin(); i < itrRule->second.end(); i++) { - QPID_LOG(debug, "ACL: checking rule " << i->toString()); - // loop the names looking for match - bool match = true; - for (propertyMapItr pMItr = i->props.begin(); (pMItr != i->props.end()) && match; pMItr++) { - //match name is exists first - if (pMItr->first == acl::PROP_NAME) { - if (matchProp(pMItr->second, name)){ - QPID_LOG(debug, "ACL: name '" << name << "' matched with name '" - << pMItr->second << "' given in the rule"); - }else{ - match = false; - QPID_LOG(debug, "ACL: name '" << name << "' didn't match with name '" - << pMItr->second << "' given in the rule"); - } - } else if (params) { //match pMItr against params - propertyMapItr paramItr = params->find(pMItr->first); - if (paramItr == params->end()) { - match = false; - QPID_LOG(debug, "ACL: the given parameter map in lookup doesn't contain the property '" - << AclHelper::getPropertyStr(pMItr->first) << 
"'"); - }else if ( pMItr->first == acl::PROP_MAXQUEUECOUNT || pMItr->first == acl::PROP_MAXQUEUESIZE ) { - if ( pMItr->first == paramItr->first ) { - - uint64_t aclMax = 0; - uint64_t paramMax = 0; - - try{ - aclMax = boost::lexical_cast<uint64_t>(pMItr->second); - }catch(const boost::bad_lexical_cast&){ - match = false; - QPID_LOG(error,"Error evaluating rule. " << - "Illegal value given in ACL source <" << aclSource << - "> for property '" << - AclHelper::getPropertyStr(pMItr->first) << "' : " << - boost::lexical_cast<std::string>(pMItr->second)); - break; - } - - try{ - paramMax = boost::lexical_cast<uint64_t>(paramItr->second); - }catch(const boost::bad_lexical_cast&){ - match = false; - QPID_LOG(error,"Error evaluating rule. " << - "Illegal value given in lookup for property '" << - AclHelper::getPropertyStr(pMItr->first) << "' : " << - boost::lexical_cast<std::string>(paramItr->second)); - break; - } - - QPID_LOG(debug, "ACL: Numeric comparison for property " << - AclHelper::getPropertyStr(paramItr->first) << - " (value given in lookup = " << - boost::lexical_cast<std::string>(paramItr->second) << - ", value give in rule = " << - boost::lexical_cast<std::string>(pMItr->second) << " )"); - - if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax)){ - match = decisionMode == qpid::acl::ALLOW ; - QPID_LOG(debug, "ACL: Limit exceeded and match=" << - (match ? 
"true": "false") << - " as decision mode is " << AclHelper::getAclResultStr(decisionMode)); - } - } - }else if (matchProp(pMItr->second, paramItr->second)) { - QPID_LOG(debug, "ACL: the pair(" - << AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second - << ") given in lookup matched the pair(" - << AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in the rule"); - } else { - QPID_LOG(debug, "ACL: the pair(" - << AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second - << ") given in lookup doesn't match the pair(" - << AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in the rule"); - match = false; - } - } - } - if (match) - { - aclresult = getACLResult(i->logOnly, i->log); - QPID_LOG(debug,"Successful match, the decision is:" << AclHelper::getAclResultStr(aclresult)); - return aclresult; - } - } - } - } - - QPID_LOG(debug,"No successful match, defaulting to the decision mode " << AclHelper::getAclResultStr(aclresult)); - return aclresult; -} - -AclResult AclData::lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& /*Exchange*/ name, const std::string& RoutingKey) -{ - - QPID_LOG(debug, "ACL: Lookup for id:" << id << " action:" << AclHelper::getActionStr((Action) action) - << " objectType:" << AclHelper::getObjectTypeStr((ObjectType) objType) << " exchange name:" << name - << " with routing key " << RoutingKey); - - AclResult aclresult = decisionMode; - - if (actionList[action] && actionList[action][objType]){ - AclData::actObjItr itrRule = actionList[action][objType]->find(id); - - if (itrRule == actionList[action][objType]->end()) - itrRule = actionList[action][objType]->find("*"); - - if (itrRule != actionList[action][objType]->end() ) { - - QPID_LOG(debug, "ACL: checking the following rules for : " << itrRule->first ); - - //loop the vector - for (ruleSetItr i=itrRule->second.begin(); i<itrRule->second.end(); i++) { - QPID_LOG(debug, 
"ACL: checking rule " << i->toString()); - - // loop the names looking for match - bool match =true; - for (propertyMapItr pMItr = i->props.begin(); (pMItr != i->props.end()) && match; pMItr++) - { - //match name is exists first - if (pMItr->first == acl::PROP_NAME){ - if (matchProp(pMItr->second, name)){ - QPID_LOG(debug, "ACL: name '" << name << "' matched with name '" - << pMItr->second << "' given in the rule"); - - }else{ - match= false; - QPID_LOG(debug, "ACL: name '" << name << "' didn't match with name '" - << pMItr->second << "' given in the rule"); - } - }else if (pMItr->first == acl::PROP_ROUTINGKEY){ - if (matchProp(pMItr->second, RoutingKey)){ - QPID_LOG(debug, "ACL: name '" << name << "' matched with routing_key '" - << pMItr->second << "' given in the rule"); - }else{ - match= false; - QPID_LOG(debug, "ACL: name '" << name << "' didn't match with routing_key '" - << pMItr->second << "' given in the rule"); - } - } - } - if (match){ - aclresult = getACLResult(i->logOnly, i->log); - QPID_LOG(debug,"Successful match, the decision is:" << AclHelper::getAclResultStr(aclresult)); - return aclresult; - } - } - } - } - QPID_LOG(debug,"No successful match, defaulting to the decision mode " << AclHelper::getAclResultStr(aclresult)); - return aclresult; - -} - - -AclResult AclData::getACLResult(bool logOnly, bool log) -{ - switch (decisionMode) - { - case qpid::acl::ALLOWLOG: - case qpid::acl::ALLOW: - if (logOnly) return qpid::acl::ALLOWLOG; - if (log) - return qpid::acl::DENYLOG; - else - return qpid::acl::DENY; - - - case qpid::acl::DENYLOG: - case qpid::acl::DENY: - if (logOnly) return qpid::acl::DENYLOG; - if (log) - return qpid::acl::ALLOWLOG; - else - return qpid::acl::ALLOW; - } - - QPID_LOG(error, "ACL Decision Failed, setting DENY"); - return qpid::acl::DENY; -} - -AclData::~AclData() -{ - clear(); -} - -}} diff --git a/cpp/src/qpid/acl/AclData.h b/cpp/src/qpid/acl/AclData.h deleted file mode 100644 index efd3b60145..0000000000 
--- a/cpp/src/qpid/acl/AclData.h
+++ /dev/null
@@ -1,84 +0,0 @@ -#ifndef QPID_ACL_ACLDATA_H -#define QPID_ACL_ACLDATA_H - - -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -#include "qpid/broker/AclModule.h" -#include <vector> -#include <sstream> - -namespace qpid { -namespace acl { - -class AclData { - - -public: - - typedef std::map<qpid::acl::Property, std::string> propertyMap; - typedef propertyMap::const_iterator propertyMapItr; - struct rule { - - bool log; - bool logOnly; // this is a rule is to log only - - // key value map - //?? - propertyMap props; - - - rule (propertyMap& p):log(false),logOnly(false),props(p) {}; - - std::string toString () const { - std::ostringstream ruleStr; - ruleStr << "[log=" << log << ", logOnly=" << logOnly << " props{"; - for (propertyMapItr pMItr = props.begin(); pMItr != props.end(); pMItr++) { - ruleStr << " " << AclHelper::getPropertyStr((Property) pMItr-> first) << "=" << pMItr->second; - } - ruleStr << " }]"; - return ruleStr.str(); - } - }; - typedef std::vector<rule> ruleSet; - typedef ruleSet::const_iterator ruleSetItr; - typedef std::map<std::string, ruleSet > actionObject; // user - typedef actionObject::iterator actObjItr; - typedef actionObject* aclAction; - - // Action*[] -> Object*[] -> map<user -> set<Rule> > - aclAction* actionList[qpid::acl::ACTIONSIZE]; - qpid::acl::AclResult decisionMode; // determines if the rule set is a deny or allow mode. 
- bool transferAcl; - std::string aclSource; - - AclResult lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params=0); - AclResult lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName, const std::string& RoutingKey); - AclResult getACLResult(bool logOnly, bool log); - - bool matchProp(const std::string & src, const std::string& src1); - void clear (); - - AclData(); - virtual ~AclData(); -}; - -}} // namespace qpid::acl - -#endif // QPID_ACL_ACLDATA_H diff --git a/cpp/src/qpid/acl/AclPlugin.cpp b/cpp/src/qpid/acl/AclPlugin.cpp deleted file mode 100644 index e4d721ea44..0000000000 --- a/cpp/src/qpid/acl/AclPlugin.cpp +++ /dev/null 
@@ -1,96 +0,0 @@ -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -#include <sstream> -#include "qpid/acl/Acl.h" -#include "qpid/broker/Broker.h" -#include "qpid/Plugin.h" -#include "qpid/Options.h" -#include "qpid/log/Statement.h" - -#include <boost/shared_ptr.hpp> -#include <boost/utility/in_place_factory.hpp> - -namespace qpid { -namespace acl { - -using namespace std; - -/** Note separating options from values to work around boost version differences. - * Old boost takes a reference to options objects, but new boost makes a copy. - * New boost allows a shared_ptr but that's not compatible with old boost. - */ -struct AclOptions : public Options { - AclValues& values; - - AclOptions(AclValues& v) : Options("ACL Options"), values(v) { - addOptions() - ("acl-file", optValue(values.aclFile, "FILE"), "The policy file to load from, loaded from data dir"); - } -}; - -struct AclPlugin : public Plugin { - - AclValues values; - AclOptions options; - boost::intrusive_ptr<Acl> acl; - - AclPlugin() : options(values) {} - - Options* getOptions() { return &options; } - - void init(broker::Broker& b) { - if (values.aclFile.empty()){ - QPID_LOG(info, "Policy file not specified. 
ACL Disabled, no ACL checking being done!"); - return; - } - - if (acl) throw Exception("ACL plugin cannot be initialized twice in one process."); - - if (values.aclFile.at(0) != '/' && !b.getDataDir().getPath().empty()) { - std::ostringstream oss; - oss << b.getDataDir().getPath() << "/" << values.aclFile; - values.aclFile = oss.str(); - } - - acl = new Acl(values, b); - b.setAcl(acl.get()); - b.addFinalizer(boost::bind(&AclPlugin::shutdown, this)); - } - - template <class T> bool init(Plugin::Target& target) { - T* t = dynamic_cast<T*>(&target); - if (t) init(*t); - return t; - } - - void earlyInitialize(Plugin::Target&) {} - - void initialize(Plugin::Target& target) { - init<broker::Broker>(target); - } - - void shutdown() { acl = 0; } -}; - -static AclPlugin instance; // Static initialization. - -// For test purposes. -boost::intrusive_ptr<Acl> getGlobalAcl() { return instance.acl; } - -}} // namespace qpid::acl diff --git a/cpp/src/qpid/acl/AclReader.cpp b/cpp/src/qpid/acl/AclReader.cpp deleted file mode 100644 index 31c69e69b5..0000000000 --- a/cpp/src/qpid/acl/AclReader.cpp +++ /dev/null 
@@ -1,581 +0,0 @@ -/* - * - * Copyright (c) 2006 The Apache Software Foundation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -#include "qpid/acl/AclReader.h" - -#include <cctype> -#include <cstring> -#include <fstream> -#include <sstream> -#include "qpid/log/Statement.h" -#include "qpid/Exception.h" - -#include <iomanip> // degug -#include <iostream> // debug - -#define ACL_FORMAT_ERR_LOG_PREFIX "ACL format error: " << fileName << ":" << lineNumber << ": " - -namespace qpid { -namespace acl { - -AclReader::aclRule::aclRule(const AclResult r, const std::string n, const groupMap& groups) : res(r), actionAll(true), objStatus(NONE) { - processName(n, groups); -} -AclReader::aclRule::aclRule(const AclResult r, const std::string n, const groupMap& groups, const Action a) : res(r), actionAll(false), action(a), objStatus(NONE) { - processName(n, groups); -} - -void AclReader::aclRule::setObjectType(const ObjectType o) { - objStatus = VALUE; - object = o; -} - -void AclReader::aclRule::setObjectTypeAll() { - objStatus = ALL; -} - -bool AclReader::aclRule::addProperty(const Property p, const std::string v) { - return props.insert(propNvPair(p, v)).second; -} - -bool AclReader::aclRule::validate(const AclHelper::objectMapPtr& /*validationMap*/) { - // TODO - invalid rules won't ever be called in real life... 
- return true; -} - -// Debug aid -std::string AclReader::aclRule::toString() { - std::ostringstream oss; - oss << AclHelper::getAclResultStr(res) << " ["; - for (nsCitr itr = names.begin(); itr != names.end(); itr++) { - if (itr != names.begin()) oss << ", "; - oss << *itr; - } - oss << "]"; - if (actionAll) { - oss << " *"; - } else { - oss << " " << AclHelper::getActionStr(action); - } - if (objStatus == ALL) { - oss << " *"; - } else if (objStatus == VALUE) { - oss << " " << AclHelper::getObjectTypeStr(object); - } - for (pmCitr i=props.begin(); i!=props.end(); i++) { - oss << " " << AclHelper::getPropertyStr(i->first) << "=" << i->second; - } - return oss.str(); -} - -void AclReader::loadDecisionData(boost::shared_ptr<AclData> d) { - d->clear(); - QPID_LOG(debug, "ACL Load Rules"); - int cnt = rules.size(); - bool foundmode = false; - - for (rlCitr i = rules.end(); cnt; cnt--) { - i--; - QPID_LOG(debug, "ACL Processing " << std::setfill(' ') << std::setw(2) - << cnt << " " << (*i)->toString()); - - if (!foundmode && (*i)->actionAll && (*i)->names.size() == 1 - && (*((*i)->names.begin())).compare("*") == 0) { - d->decisionMode = (*i)->res; - QPID_LOG(debug, "ACL FoundMode " - << AclHelper::getAclResultStr(d->decisionMode)); - foundmode = true; - } else { - AclData::rule rule((*i)->props); - bool addrule = true; - - switch ((*i)->res) { - case qpid::acl::ALLOWLOG: - rule.log = true; - if (d->decisionMode == qpid::acl::ALLOW || - d->decisionMode == qpid::acl::ALLOWLOG) - rule.logOnly = true; - break; - case qpid::acl::ALLOW: - if (d->decisionMode == qpid::acl::ALLOW || - d->decisionMode == qpid::acl::ALLOWLOG) - addrule = false; - break; - case qpid::acl::DENYLOG: - rule.log = true; - if (d->decisionMode == qpid::acl::DENY || - d->decisionMode == qpid::acl::DENYLOG) - rule.logOnly = true; - break; - case qpid::acl::DENY: - if (d->decisionMode == qpid::acl::DENY || - d->decisionMode == qpid::acl::DENYLOG) - addrule = false; - break; - default: - throw 
Exception("Invalid ACL Result loading rules."); - } - - // Action -> Object -> map<user -> set<Rule> > - if (addrule) { - std::ostringstream actionstr; - for (int acnt = ((*i)->actionAll ? 0 : (*i)->action); - acnt < acl::ACTIONSIZE; - (*i)->actionAll ? acnt++ : acnt = acl::ACTIONSIZE) { - - if (acnt == acl::ACT_PUBLISH) - d->transferAcl = true; // we have transfer ACL - - actionstr << AclHelper::getActionStr((Action) acnt) << ","; - - //find the Action, create if not exist - if (d->actionList[acnt] == NULL) { - d->actionList[acnt] = - new AclData::aclAction[qpid::acl::OBJECTSIZE]; - for (int j = 0; j < qpid::acl::OBJECTSIZE; j++) - d->actionList[acnt][j] = NULL; - } - - // optimize this loop to limit to valid options only!! - for (int ocnt = ((*i)->objStatus != aclRule::VALUE ? 0 - : (*i)->object); - ocnt < acl::OBJECTSIZE; - (*i)->objStatus != aclRule::VALUE ? ocnt++ : ocnt = acl::OBJECTSIZE) { - - //find the Object, create if not exist - if (d->actionList[acnt][ocnt] == NULL) - d->actionList[acnt][ocnt] = - new AclData::actionObject; - - // add users and Rule to object set - bool allNames = false; - // check to see if names.begin is '*' - if ((*(*i)->names.begin()).compare("*") == 0) - allNames = true; - - for (nsCitr itr = (allNames ? names.begin() - : (*i)->names.begin()); - itr != (allNames ? names.end() : (*i)->names.end()); - itr++) { - - AclData::actObjItr itrRule = - d->actionList[acnt][ocnt]->find(*itr); - - if (itrRule == d->actionList[acnt][ocnt]->end()) { - AclData::ruleSet rSet; - rSet.push_back(rule); - d->actionList[acnt][ocnt]->insert - (make_pair(std::string(*itr), rSet)); - } else { - // TODO add code to check for dead rules - // allow peter create queue name=tmp <-- dead rule!! - // allow peter create queue - - itrRule->second.push_back(rule); - } - } - - } - } - - std::ostringstream objstr; - for (int ocnt = ((*i)->objStatus != aclRule::VALUE ? 0 : (*i)->object); - ocnt < acl::OBJECTSIZE; - (*i)->objStatus != aclRule::VALUE ? 
ocnt++ : ocnt = acl::OBJECTSIZE) { - objstr << AclHelper::getObjectTypeStr((ObjectType) ocnt) << ","; - } - - bool allNames = ((*(*i)->names.begin()).compare("*") == 0); - std::ostringstream userstr; - for (nsCitr itr = (allNames ? names.begin() : (*i)->names.begin()); - itr != (allNames ? names.end() : (*i)->names.end()); - itr++) { - userstr << *itr << ","; - } - - QPID_LOG(debug, "ACL: Adding actions {" << - actionstr.str().substr(0,actionstr.str().length()-1) - << "} to objects {" << - objstr.str().substr(0,objstr.str().length()-1) - << "} with props " << - AclHelper::propertyMapToString(&rule.props) - << " for users {" << - userstr.str().substr(0,userstr.str().length()-1) - << "}" ); - } else { - QPID_LOG(debug, "ACL Skipping based on Mode:" - << AclHelper::getAclResultStr(d->decisionMode)); - } - } - - } - -} - - -void AclReader::aclRule::processName(const std::string& name, const groupMap& groups) { - if (name.compare("all") == 0) { - names.insert("*"); - } else { - gmCitr itr = groups.find(name); - if (itr == groups.end()) { - names.insert(name); - } else { - names.insert(itr->second->begin(), itr->second->end()); - } - } -} - -AclReader::AclReader() : lineNumber(0), contFlag(false), validationMap(new AclHelper::objectMap) { - AclHelper::loadValidationMap(validationMap); - names.insert("*"); -} - -AclReader::~AclReader() {} - -std::string AclReader::getError() { - return errorStream.str(); -} - -int AclReader::read(const std::string& fn, boost::shared_ptr<AclData> d) { - fileName = fn; - lineNumber = 0; - char buff[1024]; - std::ifstream ifs(fn.c_str(), std::ios_base::in); - if (!ifs.good()) { - errorStream << "Unable to open ACL file \"" << fn << "\": eof=" << (ifs.eof()?"T":"F") << "; fail=" << (ifs.fail()?"T":"F") << "; bad=" << (ifs.bad()?"T":"F"); - return -1; - } - try { - bool err = false; - while (ifs.good()) { - ifs.getline(buff, 1024); - lineNumber++; - if (std::strlen(buff) > 0 && buff[0] != '#') // Ignore blank lines and comments - err |= 
!processLine(buff); - } - if (!ifs.eof()) - { - errorStream << "Unable to read ACL file \"" << fn << "\": eof=" << (ifs.eof()?"T":"F") << "; fail=" << (ifs.fail()?"T":"F") << "; bad=" << (ifs.bad()?"T":"F"); - ifs.close(); - return -2; - } - ifs.close(); - if (err) return -3; - QPID_LOG(notice, "Read ACL file \"" << fn << "\""); - } catch (const std::exception& e) { - errorStream << "Unable to read ACL file \"" << fn << "\": " << e.what(); - ifs.close(); - return -4; - } catch (...) { - errorStream << "Unable to read ACL file \"" << fn << "\": Unknown exception"; - ifs.close(); - return -5; - } - printNames(); - printRules(); - loadDecisionData(d); - - return 0; -} - -bool AclReader::processLine(char* line) { - bool ret = false; - std::vector<std::string> toks; - - // Check for continuation - char* contCharPtr = std::strrchr(line, '\\'); - bool cont = contCharPtr != 0; - if (cont) *contCharPtr = 0; - - int numToks = tokenize(line, toks); - - if (cont && numToks == 0){ - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line \"" << lineNumber << "\" contains an illegal extension."; - return false; - } - - if (numToks && (toks[0].compare("group") == 0 || contFlag)) { - ret = processGroupLine(toks, cont); - } else if (numToks && toks[0].compare("acl") == 0) { - ret = processAclLine(toks); - } else { - // Check for whitespace only line, ignore these - bool ws = true; - for (unsigned i=0; i<std::strlen(line) && ws; i++) { - if (!std::isspace(line[i])) ws = false; - } - if (ws) { - ret = true; - } else { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Non-continuation line must start with \"group\" or \"acl\"."; - ret = false; - } - } - contFlag = cont; - return ret; -} - -int AclReader::tokenize(char* line, std::vector<std::string>& toks) { - const char* tokChars = " \t\n\f\v\r"; - int cnt = 0; - char* cp = std::strtok(line, tokChars); - while (cp != 0) { - toks.push_back(std::string(cp)); - cnt++; - cp = std::strtok(0, tokChars); - } - return 
cnt; -} - -// Return true if the line is successfully processed without errors -// If cont is true, then groupName must be set to the continuation group name -bool AclReader::processGroupLine(tokList& toks, const bool cont) { - const unsigned toksSize = toks.size(); - - if (contFlag) { - gmCitr citr = groups.find(groupName); - for (unsigned i = 0; i < toksSize; i++) { - if (!isValidUserName(toks[i])) return false; - addName(toks[i], citr->second); - } - } else { - const unsigned minimumSize = (cont ? 2 : 3); - if (toksSize < minimumSize) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Insufficient tokens for group definition."; - return false; - } - if (!isValidGroupName(toks[1])) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Group name \"" << toks[1] << "\" contains illegal characters."; - return false; - } - gmCitr citr = addGroup(toks[1]); - if (citr == groups.end()) return false; - for (unsigned i = 2; i < toksSize; i++) { - if (!isValidUserName(toks[i])) return false; - addName(toks[i], citr->second); - } - } - return true; -} - -// Return true if sucessfully added group -AclReader::gmCitr AclReader::addGroup(const std::string& newGroupName) { - gmCitr citr = groups.find(newGroupName); - if (citr != groups.end()) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Duplicate group name \"" << newGroupName << "\"."; - return groups.end(); - } - groupPair p(newGroupName, nameSetPtr(new nameSet)); - gmRes res = groups.insert(p); - assert(res.second); - groupName = newGroupName; - return res.first; -} - -void AclReader::addName(const std::string& name, nameSetPtr groupNameSet) { - gmCitr citr = groups.find(name); - if (citr != groups.end() && citr->first != name){ - // This is a previously defined group: add all the names in that group to this group - groupNameSet->insert(citr->second->begin(), citr->second->end()); - } else { - // Not a known group name - 
groupNameSet->insert(name); - addName(name); - } -} - -void AclReader::addName(const std::string& name) { - names.insert(name); -} - -// Debug aid -void AclReader::printNames() const { - QPID_LOG(debug, "Group list: " << groups.size() << " groups found:" ); - std::string tmp; - for (gmCitr i=groups.begin(); i!= groups.end(); i++) { - tmp += " \""; - tmp += i->first; - tmp += "\":"; - for (nsCitr j=i->second->begin(); j!=i->second->end(); j++) { - tmp += " "; - tmp += *j; - } - QPID_LOG(debug, tmp); - tmp.clear(); - } - QPID_LOG(debug, "Name list: " << names.size() << " names found:" ); - tmp.clear(); - for (nsCitr k=names.begin(); k!=names.end(); k++) { - tmp += " "; - tmp += *k; - } - QPID_LOG(debug, tmp); -} - -bool AclReader::processAclLine(tokList& toks) { - const unsigned toksSize = toks.size(); - if (toksSize < 4) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Insufficient tokens for acl definition."; - return false; - } - - AclResult res; - try { - res = AclHelper::getAclResult(toks[1]); - } catch (...) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Unknown ACL permission \"" << toks[1] << "\"."; - return false; - } - - bool actionAllFlag = toks[3].compare("all") == 0; - bool userAllFlag = toks[2].compare("all") == 0; - Action action; - if (actionAllFlag) { - - if (userAllFlag && toksSize > 4) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Tokens found after action \"all\"."; - return false; - } - action = ACT_CONSUME; // dummy; compiler must initialize action for this code path - } else { - try { - action = AclHelper::getAction(toks[3]); - } catch (...) 
{ - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Unknown action \"" << toks[3] << "\"."; - return false; - } - } - - // Create rule obj; then add object (if any) and properties (if any) - aclRulePtr rule; - if (actionAllFlag) { - rule.reset(new aclRule(res, toks[2], groups)); - } else { - rule.reset(new aclRule(res, toks[2], groups, action)); - } - - if (toksSize >= 5) { // object name-value pair - if (toks[4].compare("all") == 0) { - rule->setObjectTypeAll(); - } else { - try { - rule->setObjectType(AclHelper::getObjectType(toks[4])); - } catch (...) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Unknown object \"" << toks[4] << "\"."; - return false; - } - } - } - - if (toksSize >= 6) { // property name-value pair(s) - for (unsigned i=5; i<toksSize; i++) { - nvPair propNvp = splitNameValuePair(toks[i]); - if (propNvp.second.size() == 0) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - <<", Badly formed property name-value pair \"" - << propNvp.first << "\". (Must be name=value)"; - return false; - } - Property prop; - try { - prop = AclHelper::getProperty(propNvp.first); - } catch (...) 
{ - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Unknown property \"" << propNvp.first << "\"."; - return false; - } - rule->addProperty(prop, propNvp.second); - } - } - // Check if name (toks[2]) is group; if not, add as name of individual - if (toks[2].compare("all") != 0) { - if (groups.find(toks[2]) == groups.end()) { - addName(toks[2]); - } - } - - // If rule validates, add to rule list - if (!rule->validate(validationMap)) { - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Invalid object/action/property combination."; - return false; - } - rules.push_back(rule); - - return true; -} - -// Debug aid -void AclReader::printRules() const { - QPID_LOG(debug, "Rule list: " << rules.size() << " ACL rules found:"); - int cnt = 0; - for (rlCitr i=rules.begin(); i<rules.end(); i++,cnt++) { - QPID_LOG(debug, " " << std::setfill(' ') << std::setw(2) << cnt << " " << (*i)->toString()); - } -} - -// Static function -// Return true if the name is well-formed (ie contains legal characters) -bool AclReader::isValidGroupName(const std::string& name) { - for (unsigned i=0; i<name.size(); i++) { - const char ch = name.at(i); - if (!std::isalnum(ch) && ch != '-' && ch != '_') return false; - } - return true; -} - -// Static function -// Split name-value pair around '=' char of the form "name=value" -AclReader::nvPair AclReader::splitNameValuePair(const std::string& nvpString) { - std::size_t pos = nvpString.find("="); - if (pos == std::string::npos || pos == nvpString.size() - 1) { - return nvPair(nvpString, ""); - } - return nvPair(nvpString.substr(0, pos), nvpString.substr(pos+1)); -} - -// Returns true if a username has the name@realm format -bool AclReader::isValidUserName(const std::string& name){ - size_t pos = name.find('@'); - if ( pos == std::string::npos || pos == name.length() -1){ - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Username '" << name << "' must contain a realm"; - 
return false; - } - for (unsigned i=0; i<name.size(); i++) { - const char ch = name.at(i); - if (!std::isalnum(ch) && ch != '-' && ch != '_' && ch != '@' && ch != '.' && ch != '/'){ - errorStream << ACL_FORMAT_ERR_LOG_PREFIX << "Line : " << lineNumber - << ", Username \"" << name << "\" contains illegal characters."; - return false; - } - } - return true; -} - -}} // namespace qpid::acl diff --git a/cpp/src/qpid/acl/AclReader.h b/cpp/src/qpid/acl/AclReader.h deleted file mode 100644 index 62c6f38f37..0000000000 --- a/cpp/src/qpid/acl/AclReader.h +++ /dev/null 
@@ -1,118 +0,0 @@
-#ifndef QPID_ACL_ACLREADER_H
-#define QPID_ACL_ACLREADER_H
-
-
-/*
- *
- * Copyright (c) 2006 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#include <boost/shared_ptr.hpp>
-#include <map>
-#include <set>
-#include <string>
-#include <vector>
-#include <sstream>
-#include "qpid/acl/AclData.h"
-#include "qpid/broker/AclModule.h"
-
-namespace qpid {
-namespace acl {
-
-class AclReader {
- typedef std::set<std::string> nameSet;
- typedef nameSet::const_iterator nsCitr;
- typedef boost::shared_ptr<nameSet> nameSetPtr;
-
- typedef std::pair<std::string, nameSetPtr> groupPair;
- typedef std::map<std::string, nameSetPtr> groupMap;
- typedef groupMap::const_iterator gmCitr;
- typedef std::pair<gmCitr, bool> gmRes;
-
- typedef std::pair<Property, std::string> propNvPair;
- typedef std::map<Property, std::string> propMap;
- typedef propMap::const_iterator pmCitr;
-
- class aclRule {
- public:
- enum objectStatus {NONE, VALUE, ALL};
- AclResult res;
- nameSet names;
- bool actionAll; // True if action is set to keyword "all"
- Action action; // Ignored if action is set to keyword "all"
- objectStatus objStatus;
- ObjectType object; // Ignored for all status values except VALUE
- propMap props;
- public:
- aclRule(const AclResult r, const std::string n, const groupMap& groups); // action = "all"
- aclRule(const AclResult r, const std::string n, const groupMap& groups, const Action a);
- void 
setObjectType(const ObjectType o);
- void setObjectTypeAll();
- bool addProperty(const Property p, const std::string v);
- bool validate(const AclHelper::objectMapPtr& validationMap);
- std::string toString(); // debug aid
- private:
- void processName(const std::string& name, const groupMap& groups);
- };
- typedef boost::shared_ptr<aclRule> aclRulePtr;
- typedef std::vector<aclRulePtr> ruleList;
- typedef ruleList::const_iterator rlCitr;
-
- typedef std::vector<std::string> tokList;
- typedef tokList::const_iterator tlCitr;
-
- typedef std::set<std::string> keywordSet;
- typedef keywordSet::const_iterator ksCitr;
- typedef std::pair<std::string, std::string> nvPair; // Name-Value pair
-
- std::string fileName;
- int lineNumber;
- bool contFlag;
- std::string groupName;
- nameSet names;
- groupMap groups;
- ruleList rules;
- AclHelper::objectMapPtr validationMap;
- std::ostringstream errorStream;
-
- public:
- AclReader();
- virtual ~AclReader();
- int read(const std::string& fn, boost::shared_ptr<AclData> d);
- std::string getError();
-
- private:
- bool processLine(char* line);
- void loadDecisionData( boost::shared_ptr<AclData> d);
- int tokenize(char* line, tokList& toks);
-
- bool processGroupLine(tokList& toks, const bool cont);
- gmCitr addGroup(const std::string& groupName);
- void addName(const std::string& name, nameSetPtr groupNameSet);
- void addName(const std::string& name);
- void printNames() const; // debug aid
-
- bool processAclLine(tokList& toks);
- void printRules() const; // debug aid
- bool isValidUserName(const std::string& name);
-
- static bool isValidGroupName(const std::string& name);
- static nvPair splitNameValuePair(const std::string& nvpString);
-};
-
-}} // namespace qpid::acl
-
-#endif // QPID_ACL_ACLREADER_H
diff --git a/cpp/src/qpid/acl/AclValidator.cpp b/cpp/src/qpid/acl/AclValidator.cpp
deleted file mode 100644
index 57b68e520a..0000000000
--- a/cpp/src/qpid/acl/AclValidator.cpp
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- *
- * Copyright (c) 2006 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#include "qpid/acl/AclValidator.h"
-#include "qpid/acl/AclData.h"
-#include "qpid/Exception.h"
-#include "qpid/log/Statement.h"
-#include "qpid/sys/IntegerTypes.h"
-#include <boost/lexical_cast.hpp>
-#include <boost/bind.hpp>
-#include <numeric>
-#include <sstream>
-
-namespace qpid {
-namespace acl {
-
-AclValidator::IntPropertyType::IntPropertyType(int64_t i,int64_t j) : min(i), max(j){
-}
-
-bool AclValidator::IntPropertyType::validate(const std::string& val) {
- int64_t v;
- try
- {
- v = boost::lexical_cast<int64_t>(val);
- }catch(const boost::bad_lexical_cast&){
- return 0;
- }
-
- if (v < min || v >= max){
- return 0;
- }else{
- return 1;
- }
-}
-
-std::string AclValidator::IntPropertyType::allowedValues() {
- return "values should be between " +
- boost::lexical_cast<std::string>(min) + " and " +
- boost::lexical_cast<std::string>(max);
-}
-
-AclValidator::EnumPropertyType::EnumPropertyType(std::vector<std::string>& allowed): values(allowed){
-}
-
-bool AclValidator::EnumPropertyType::validate(const std::string& val) {
- for (std::vector<std::string>::iterator itr = values.begin(); itr != values.end(); ++itr ){
- if (val.compare(*itr) == 0){
- return 1;
- }
- }
-
- return 0;
-}
-
-std::string AclValidator::EnumPropertyType::allowedValues() {
- std::ostringstream oss;
- oss << "possible values are one of { ";
- 
for (std::vector<std::string>::iterator itr = values.begin(); itr != values.end(); itr++ ){
- oss << "'" << *itr << "' ";
- }
- oss << "}";
- return oss.str();
-}
-
-AclValidator::AclValidator(){
- validators.insert(Validator(acl::PROP_MAXQUEUESIZE,
- boost::shared_ptr<PropertyType>(
- new IntPropertyType(0,std::numeric_limits<int64_t>::max()))
- )
- );
-
- validators.insert(Validator(acl::PROP_MAXQUEUECOUNT,
- boost::shared_ptr<PropertyType>(
- new IntPropertyType(0,std::numeric_limits<int64_t>::max()))
- )
- );
-
- std::string policyTypes[] = {"ring", "ring_strict", "flow_to_disk", "reject"};
- std::vector<std::string> v(policyTypes, policyTypes + sizeof(policyTypes) / sizeof(std::string));
- validators.insert(Validator(acl::PROP_POLICYTYPE,
- boost::shared_ptr<PropertyType>(new EnumPropertyType(v))
- )
- );
-
-}
-
-AclValidator::~AclValidator(){
-}
-
-/* Iterate through the data model and validate the parameters. */
-void AclValidator::validate(boost::shared_ptr<AclData> d) {
-
- for (unsigned int cnt=0; cnt< qpid::acl::ACTIONSIZE; cnt++){
-
- if (d->actionList[cnt]){
-
- for (unsigned int cnt1=0; cnt1< qpid::acl::OBJECTSIZE; cnt1++){
-
- if (d->actionList[cnt][cnt1]){
-
- std::for_each(d->actionList[cnt][cnt1]->begin(),
- d->actionList[cnt][cnt1]->end(),
- boost::bind(&AclValidator::validateRuleSet, this, _1));
- }//if
- }//for
- }//if
- }//for
-}
-
-void AclValidator::validateRuleSet(std::pair<const std::string, qpid::acl::AclData::ruleSet>& rules){
- std::for_each(rules.second.begin(),
- rules.second.end(),
- boost::bind(&AclValidator::validateRule, this, _1));
-}
-
-void AclValidator::validateRule(qpid::acl::AclData::rule& rule){
- std::for_each(rule.props.begin(),
- rule.props.end(),
- boost::bind(&AclValidator::validateProperty, this, _1));
-}
-
-void AclValidator::validateProperty(std::pair<const qpid::acl::Property, std::string>& prop){
- ValidatorItr itr = validators.find(prop.first);
- if (itr != validators.end()){
- QPID_LOG(debug,"Found validator for 
property " << itr->second->allowedValues());
-
- if (!itr->second->validate(prop.second)){
- throw Exception( prop.second + " is not a valid value for '" +
- AclHelper::getPropertyStr(prop.first) + "', " +
- itr->second->allowedValues());
- }
- }
-}
-
-}}
diff --git a/cpp/src/qpid/acl/AclValidator.h b/cpp/src/qpid/acl/AclValidator.h
deleted file mode 100644
index 966e5d326b..0000000000
--- a/cpp/src/qpid/acl/AclValidator.h
+++ /dev/null
@@ -1,83 +0,0 @@
-#ifndef QPID_ACL_ACLVALIDATOR_H
-#define QPID_ACL_ACLVALIDATOR_H
-
-
-/*
- *
- * Copyright (c) 2006 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#include "qpid/broker/AclModule.h"
-#include "qpid/acl/AclData.h"
-#include "qpid/sys/IntegerTypes.h"
-#include <boost/shared_ptr.hpp>
-#include <vector>
-#include <sstream>
-
-namespace qpid {
-namespace acl {
-
-class AclValidator {
-
- /* Base Property */
- class PropertyType{
-
- public:
- virtual ~PropertyType(){};
- virtual bool validate(const std::string& val)=0;
- virtual std::string allowedValues()=0;
- };
-
- class IntPropertyType : public PropertyType{
- int64_t min;
- int64_t max;
-
- public:
- IntPropertyType(int64_t min,int64_t max);
- virtual ~IntPropertyType (){};
- virtual bool validate(const std::string& val);
- virtual std::string allowedValues();
- };
-
- class EnumPropertyType : public PropertyType{
- std::vector<std::string> values;
-
- public:
- EnumPropertyType(std::vector<std::string>& allowed);
- virtual ~EnumPropertyType (){};
- virtual bool validate(const std::string& val);
- virtual std::string allowedValues();
- };
-
- typedef std::pair<acl::Property,boost::shared_ptr<PropertyType> > Validator;
- typedef std::map<acl::Property,boost::shared_ptr<PropertyType> > ValidatorMap;
- typedef ValidatorMap::iterator ValidatorItr;
-
- ValidatorMap validators;
-
-public:
-
- void validateRuleSet(std::pair<const std::string, 
qpid::acl::AclData::ruleSet>& rules);
- void validateRule(qpid::acl::AclData::rule& rule);
- void validateProperty(std::pair<const qpid::acl::Property, std::string>& prop);
- void validate(boost::shared_ptr<AclData> d);
- AclValidator();
- ~AclValidator();
-};
-
-}} // namespace qpid::acl
-
-#endif // QPID_ACL_ACLVALIDATOR_H
diff --git a/cpp/src/qpid/acl/management-schema.xml b/cpp/src/qpid/acl/management-schema.xml
deleted file mode 100644
index 7f48a9be34..0000000000
--- a/cpp/src/qpid/acl/management-schema.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<schema package="org.apache.qpid.acl">
-
-<!--
- * Copyright (c) 2008 The Apache Software Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
--->
-
- <class name="Acl">
- <property name="brokerRef" type="objId" references="org.apache.qpid.broker:Broker" access="RO" index="y" parentRef="y"/>
- <property name="policyFile" type="lstr" access="RO" desc="Name of the policy file"/>
- <property name="enforcingAcl" type="bool" access="RO" desc="Currently Enforcing ACL"/>
- <property name="transferAcl" type="bool" access="RO" desc="Any transfer ACL rules in force"/>
- <property name="lastAclLoad" type="absTime" access="RO" desc="Timestamp of last successful load of ACL"/>
- <statistic name="aclDenyCount" type="count64" unit="request" desc="Number of ACL requests denied"/>
-
- <method name="reloadACLFile" desc="Reload the ACL file"/>
- </class>
-
- <eventArguments>
- <arg name="action" type="sstr"/>
- <arg name="arguments" type="map"/>
- <arg name="objectName" type="sstr"/>
- <arg name="objectType" type="sstr"/>
- <arg name="reason" type="lstr"/>
- <arg name="userId" type="sstr"/>
- </eventArguments>
-
- <event name="allow" sev="inform" args="userId, action, objectType, objectName, arguments"/>
- <event name="deny" sev="notice" args="userId, action, objectType, objectName, arguments"/>
- <event name="fileLoaded" sev="inform" args="userId"/>
- <event name="fileLoadFailed" sev="error" args="userId, reason"/>
-
-</schema> |