author | Michael Goulish <mgoulish@apache.org> | 2010-12-16 21:10:38 +0000 |
---|---|---|
committer | Michael Goulish <mgoulish@apache.org> | 2010-12-16 21:10:38 +0000 |
commit | 3f6e6e7dd760661b572256f778ff523c3db8ecba (patch) | |
tree | 2efe67efabf2a011b5aeffd011897ef3008ee953 /cpp/src | |
parent | d31ec31c41f54d21afd0c8c0fd0af043eac76216 (diff) | |
download | qpid-python-3f6e6e7dd760661b572256f778ff523c3db8ecba.tar.gz |
In broker::ConnectionHandler, use the security settings, if any,
provided by the transport layer when starting SASL.
This allows the SASL mechanism EXTERNAL to be satisfied with
SSL transport security.
The test, sasl_fed_ex, uses this SASL/SSL security on a
federated link between two brokers.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1050162 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/qpid/broker/ConnectionHandler.cpp | 18 | ||||
-rw-r--r-- | cpp/src/qpid/broker/ConnectionHandler.h | 1 | ||||
-rw-r--r-- | cpp/src/tests/sasl.mk | 2 | ||||
-rwxr-xr-x | cpp/src/tests/sasl_fed_ex | 250 |
4 files changed, 259 insertions, 12 deletions
diff --git a/cpp/src/qpid/broker/ConnectionHandler.cpp b/cpp/src/qpid/broker/ConnectionHandler.cpp
index 9843c16326..3f97e5b9de 100644
--- a/cpp/src/qpid/broker/ConnectionHandler.cpp
+++ b/cpp/src/qpid/broker/ConnectionHandler.cpp
@@ -239,9 +239,9 @@ void ConnectionHandler::Handler::start(const FieldTable& serverProperties,
 const framing::Array& /*locales*/)
 {
 string requestedMechanism = connection.getAuthMechanism();
- string response = connection.getAuthCredentials();
 std::string username = connection.getUsername();
+ std::string password = connection.getPassword();
 std::string host = connection.getHost();
 std::string service("qpidd");
@@ -298,19 +298,17 @@ void ConnectionHandler::Handler::start(const FieldTable& serverProperties,
 ft.setInt(QPID_FED_LINK,1);
 ft.setString(QPID_FED_TAG, connection.getBroker().getFederationTag());
+ string response;
 if (sasl.get()) {
- string response =
- sasl->start ( requestedMechanism.empty()
- ? supportedMechanismsList
- : requestedMechanism,
- getSecuritySettings
- ? getSecuritySettings()
- : 0
- );
+ const qpid::sys::SecuritySettings& ss = connection.getExternalSecuritySettings();
+ response = sasl->start ( requestedMechanism.empty()
+ ? supportedMechanismsList
+ : requestedMechanism,
+ & ss );
 proxy.startOk ( ft, sasl->getMechanism(), response, en_US );
 } else {
- string response = ((char)0) + username + ((char)0) + password;
+ response = ((char)0) + username + ((char)0) + password;
 proxy.startOk ( ft, requestedMechanism, response, en_US );
 }
diff --git a/cpp/src/qpid/broker/ConnectionHandler.h b/cpp/src/qpid/broker/ConnectionHandler.h
index 70882a24e9..b32167669e 100644
--- a/cpp/src/qpid/broker/ConnectionHandler.h
+++ b/cpp/src/qpid/broker/ConnectionHandler.h
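Review bot: `std::string password = connection.getPassword();` is read at the top of Handler::start() although only the non-SASL `else` branch in the second hunk of this file uses it, so the plaintext credential is held in a local for the whole SASL path as well. Declaring it inside that branch, `std::string password = connection.getPassword();` directly above the line that builds the response, keeps its lifetime to the one place that needs it. Handler::start() continues between and beyond both hunks, so check that nothing in the unseen part reads `password`.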
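Review bot: The new call passes `& ss` unconditionally, whereas the removed code passed a null pointer when no transport query was installed, so Sasl::start() no longer receives a "no external security" signal and has to infer it from the settings themselves (presumably an ssf of 0 and an empty authid on a plain TCP link); that implementation is outside this hunk, so confirm it neither offers nor accepts EXTERNAL for such a link. A comment above the call, `// settings are whatever the transport (SSL) layer reports; a non-SSL link reports none and must not satisfy EXTERNAL`, would record that contract next to the code that depends on it. As a point of style, `& ss` should be written `&ss` as elsewhere in the file.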
@@ -91,7 +91,6 @@ class ConnectionHandler : public framing::FrameHandler
 std::auto_ptr<Sasl> sasl;
 typedef boost::function<const qpid::sys::SecuritySettings*()> GetSecuritySettings;
- GetSecuritySettings getSecuritySettings; /* query the transport for its security details */
 std::string saslUserId;
 uint16_t maxFrameSize;
 };
diff --git a/cpp/src/tests/sasl.mk b/cpp/src/tests/sasl.mk
index 334a4b9c81..2d62eb73b6 100644
--- a/cpp/src/tests/sasl.mk
+++ b/cpp/src/tests/sasl.mk
@@ -30,7 +30,7 @@ check_PROGRAMS+=sasl_version
 sasl_version_SOURCES=sasl_version.cpp
 sasl_version_LDADD=$(lib_client)
-TESTS += run_cluster_authentication_test sasl_fed
+TESTS += run_cluster_authentication_test sasl_fed sasl_fed_ex
 LONG_TESTS += run_cluster_authentication_soak
 EXTRA_DIST += run_cluster_authentication_test sasl_fed run_cluster_authentication_soak
diff --git a/cpp/src/tests/sasl_fed_ex b/cpp/src/tests/sasl_fed_ex
new file mode 100755
index 0000000000..bed8385fdc
--- /dev/null
+++ b/cpp/src/tests/sasl_fed_ex
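Review bot: The `typedef boost::function<const qpid::sys::SecuritySettings*()> GetSecuritySettings;` just above the removed member is left behind with nothing in this hunk using it, so the header still advertises a transport-query hook that the .cpp no longer installs. Unless another file refers to ConnectionHandler::GetSecuritySettings, remove the typedef together with the member. The class body begins before this hunk, so the rest of its members are not visible here.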
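Review bot: `sasl_fed_ex` is added to `TESTS` but not to the `EXTRA_DIST` line at the bottom of the hunk, so a distribution tarball would list a test whose script is not shipped and `make check` from that tarball would fail on it. Change the last line to `EXTRA_DIST += run_cluster_authentication_test sasl_fed sasl_fed_ex run_cluster_authentication_soak`.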
@@ -0,0 +1,250 @@ +#! /bin/bash + +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + + +#=============================================================================== +# This test creates a federated link between two brokers using SASL security. +# The SASL mechanism used is EXTERNAL, which is satisfied by SSL +# transport-layer security. +#=============================================================================== + +source ./test_env.sh + +# This minimum value corresponds to sasl version 2.1.22 +minimum_sasl_version=131350 + +sasl_version=`$QPID_TEST_EXEC_DIR/sasl_version` + +# This test is necessary becasue this sasl version is the first one that permits +# redirection of the sasl config file path. +if [ "$sasl_version" -lt "$minimum_sasl_version" ]; then + echo "sasl_fed: must have sasl version 2.1.22 or greater. ( Integer value: $minimum_sasl_version ) Version is: $sasl_version" + exit 0 +fi + +# In a distribution, the python tools will be absent. +if [ ! -f $QPID_CONFIG_EXEC ] || [ ! -f $QPID_ROUTE_EXEC ] ; then + echo "python tools absent - skipping sasl_fed_ex." 
+ exit 0 +fi + +CERT_DIR=`pwd`/test_cert_db +CERT_PW_FILE=`pwd`/cert.password +TEST_HOSTNAME=127.0.0.1 + +create_certs() { + #create certificate and key databases with single, simple, self-signed certificate in it + mkdir ${CERT_DIR} + certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE} + certutil -S -d ${CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil 2> /dev/null +} + +delete_certs() { + if [[ -e ${CERT_DIR} ]] ; then + rm -rf ${CERT_DIR} + fi +} + + +CERTUTIL=$(type -p certutil) +if [[ !(-x $CERTUTIL) ]] ; then + echo "No certutil, skipping ssl test"; + exit 0; +fi + +delete_certs +create_certs || error "Could not create test certificate" + + +sasl_config_file=$builddir/sasl_config + +my_random_number=$RANDOM +tmp_root=/tmp/sasl_fed/$my_random_number +mkdir -p $tmp_root + +SRC_SSL_PORT=6667 +DST_SSL_PORT=6666 + +SRC_TCP_PORT=5801 +DST_TCP_PORT=5807 + +SSL_LIB=../.libs/ssl.so + +export QPID_SSL_CERT_NAME=${TEST_HOSTNAME} + +export QPID_NO_MODULE_DIR=1 +export QPID_LOAD_MODULE=$SSLCONNECTOR_LIB +export QPID_SSL_CERT_DB=${CERT_DIR} +export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE} +export QPID_SSL_CERT_NAME=${TEST_HOSTNAME} + + + +####################################### +# Understanding this Plumbing +####################################### +# 1. when you establish the route with qpid-route, +# here is the best termiology to use: +# +# qpid-route route add DST SRC +# +# 2. DST will connect to SRC through the ssl port of SRC. +# +# 3. sender client connects to the tcp port of SRC. +# +# 4. sender specifies mechanism ANONYMOUS. +# +# 5. DST pulls messages off the temp queue on SRC to itself. 
+# + + + +#echo "-----------------------" +#echo "Starting SRC broker" +#echo "-----------------------" +$QPIDD_EXEC \ + --port=${SRC_TCP_PORT} \ + --ssl-port ${SRC_SSL_PORT} \ + --ssl-sasl-no-dict \ + --sasl-config=$sasl_config_file \ + --ssl-require-client-authentication \ + --auth yes \ + --ssl-cert-db $CERT_DIR \ + --ssl-cert-password-file $CERT_PW_FILE \ + --ssl-cert-name $TEST_HOSTNAME \ + --no-data-dir \ + --no-module-dir \ + --load-module ${SSL_LIB} \ + --mgmt-enable=yes \ + --log-enable info+ \ + --log-source yes \ + --daemon \ + --log-to-file $tmp_root/qpidd_src.log 2> /dev/null + + +#echo "-----------------------" +#echo "Starting DST broker" +#echo "-----------------------" +$QPIDD_EXEC \ + --port=${DST_TCP_PORT} \ + --ssl-port ${DST_SSL_PORT} \ + --ssl-cert-db $CERT_DIR \ + --ssl-cert-password-file $CERT_PW_FILE \ + --ssl-cert-name $TEST_HOSTNAME \ + --ssl-sasl-no-dict \ + --ssl-require-client-authentication \ + --sasl-config=$sasl_config_file \ + --config ./config.null \ + --no-data-dir \ + --no-module-dir \ + --load-module ${SSL_LIB} \ + --mgmt-enable=yes \ + --log-enable info+ \ + --log-source yes \ + --daemon \ + $COMMON_BROKER_OPTIONS \ + --log-to-file $tmp_root/qpidd_dst.log 2> /dev/null + +sleep 2 + +# I am not randomizing these names, because this test creates its own brokers. 
+QUEUE_NAME=sasl_fed_queue +ROUTING_KEY=sasl_fed_queue +EXCHANGE_NAME=sasl_fedex + + +#echo "-----------------------" +#echo "add exchanges" +#echo "-----------------------" +$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} add exchange direct $EXCHANGE_NAME +$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} add exchange direct $EXCHANGE_NAME + + +#echo "-----------------------" +#echo "add queues" +#echo "-----------------------" +$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} add queue $QUEUE_NAME +$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} add queue $QUEUE_NAME + +sleep 5 + +#echo "-----------------------" +#echo "create bindings" +#echo "-----------------------" +$QPID_CONFIG_EXEC -a localhost:${SRC_TCP_PORT} bind $EXCHANGE_NAME $QUEUE_NAME $ROUTING_KEY +$QPID_CONFIG_EXEC -a localhost:${DST_TCP_PORT} bind $EXCHANGE_NAME $QUEUE_NAME $ROUTING_KEY + +sleep 5 + +#echo "-----------------------" +#echo "qpid-route route add" +#echo "-----------------------" +# NOTE: The SRC broker *must* be referred to as $TEST_HOSTNAME, and not as "localhost". +# It must be referred to by the exact string given as the Common Name (CN) in the cert, +# which was created in the function create_certs, above. +$QPID_ROUTE_EXEC route add localhost:${DST_TCP_PORT} $TEST_HOSTNAME:${SRC_SSL_PORT} -t ssl $EXCHANGE_NAME $ROUTING_KEY "" "" EXTERNAL + +#echo "-----------------------" +#echo "view the route :" +#echo "-----------------------" +#$PYTHON_COMMANDS/qpid-route route list localhost:${DST_TCP_PORT} + +sleep 5 + +n_messages=100 + +./datagen --count ${n_messages} | ./sender --broker localhost --port ${SRC_TCP_PORT} --exchange ${EXCHANGE_NAME} --routing-key ${ROUTING_KEY} --mechanism ANONYMOUS + + +sleep 5 + +#echo "-----------------------" +#echo "Examine DST Broker" +#echo "-----------------------" +dst_message_count=`qpid-stat -q localhost:${DST_TCP_PORT} | grep sasl_fed_queue | awk '{print $2}'` + +sleep 3 + +#echo "-----------------------" +#echo "Asking brokers to quit." 
+#echo "-----------------------" +$QPIDD_EXEC --port ${SRC_TCP_PORT} --quit +$QPIDD_EXEC --port ${DST_TCP_PORT} --quit + + +#echo "-----------------------" +#echo "Removing temporary directory $tmp_root" +#echo "-----------------------" +rm -rf $tmp_root + +if [ "$dst_message_count" -eq "$n_messages" ]; then + #echo "good: |$dst_message_count| == |$n_messages|" + exit 0 +else + #echo "not ideal: |$broker_2_message_count| != |$n_messages|" + exit 1 +fi + + + + + + |
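Review bot: `tmp_root=/tmp/sasl_fed/$my_random_number` builds a predictable path under the world-writable /tmp and the script later runs `rm -rf $tmp_root` on it, so a directory or symlink of that name left by another local user would be reused for the broker logs and then deleted; `tmp_root=$(mktemp -d -t sasl_fed_ex.XXXXXX) || exit 1` creates a private directory atomically and makes the `mkdir -p` unnecessary. `create_certs || error "Could not create test certificate"` calls `error`, which this script does not define; if test_env.sh does not provide it either, a certutil failure only prints a command-not-found message and both brokers are still started without a usable certificate database, so an explicit `|| { echo "..."; exit 1; }` would be safer. The version-skip message `sasl_fed: must have sasl version 2.1.22 or greater` names the other test; it should say sasl_fed_ex.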