summaryrefslogtreecommitdiff
path: root/cpp
diff options
context:
space:
mode:
authorCharles E. Rolke <chug@apache.org>2012-02-23 19:13:12 +0000
committerCharles E. Rolke <chug@apache.org>2012-02-23 19:13:12 +0000
commita5457a45fb688b26ffed654dba98a28f1be002bc (patch)
treea1438ea9f6817f2efed99caaa2813b96be16a5ff /cpp
parentd4c1e8dbd039ff00e10258f97c00f571d21a2169 (diff)
downloadqpid-python-a5457a45fb688b26ffed654dba98a28f1be002bc.tar.gz
QPID-3799 ACL processing
1. Reformat AclData::lookup function. 2. Break int limit comparison code out of lookup(). git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/QPID-3799-acl@1292905 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/qpid/acl/Acl.cpp48
-rw-r--r--cpp/src/qpid/acl/Acl.h23
-rw-r--r--cpp/src/qpid/acl/AclData.cpp278
-rw-r--r--cpp/src/qpid/acl/AclData.h21
-rw-r--r--cpp/src/qpid/acl/AclValidator.cpp4
-rw-r--r--cpp/src/qpid/broker/AclModule.h168
-rw-r--r--cpp/src/qpid/broker/Broker.cpp4
-rw-r--r--cpp/src/qpid/broker/SessionAdapter.cpp4
8 files changed, 408 insertions, 142 deletions
diff --git a/cpp/src/qpid/acl/Acl.cpp b/cpp/src/qpid/acl/Acl.cpp
index c690492795..7e7f8e4d49 100644
--- a/cpp/src/qpid/acl/Acl.cpp
+++ b/cpp/src/qpid/acl/Acl.cpp
@@ -66,7 +66,12 @@ Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), transferAcl(fals
if (mgmtObject!=0) mgmtObject->set_enforcingAcl(1);
}
-bool Acl::authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params)
+bool Acl::authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params)
{
boost::shared_ptr<AclData> dataLocal;
{
@@ -81,7 +86,12 @@ bool Acl::authorise(const std::string& id, const Action& action, const ObjectTyp
return result(aclreslt, id, action, objType, name);
}
-bool Acl::authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName, const std::string& RoutingKey)
+bool Acl::authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey)
{
boost::shared_ptr<AclData> dataLocal;
{
@@ -96,33 +106,47 @@ bool Acl::authorise(const std::string& id, const Action& action, const ObjectTyp
}
-bool Acl::result(const AclResult& aclreslt, const std::string& id, const Action& action, const ObjectType& objType, const std::string& name)
+bool Acl::result(
+ const AclResult& aclreslt,
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name)
{
+ bool result(false);
+
switch (aclreslt)
{
case ALLOWLOG:
QPID_LOG(info, "ACL Allow id:" << id <<" action:" << AclHelper::getActionStr(action) <<
- " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name );
+ " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name );
agent->raiseEvent(_qmf::EventAllow(id, AclHelper::getActionStr(action),
- AclHelper::getObjectTypeStr(objType),
- name, types::Variant::Map()));
+ AclHelper::getObjectTypeStr(objType),
+ name, types::Variant::Map()));
// FALLTHROUGH
case ALLOW:
- return true;
+ result = true;
+ break;
case DENYLOG:
QPID_LOG(info, "ACL Deny id:" << id << " action:" << AclHelper::getActionStr(action) <<
- " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name);
+ " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:" << name);
agent->raiseEvent(_qmf::EventDeny(id, AclHelper::getActionStr(action),
AclHelper::getObjectTypeStr(objType),
name, types::Variant::Map()));
// FALLTHROUGH
case DENY:
- if (mgmtObject!=0) mgmtObject->inc_aclDenyCount();
- return false;
+ if (mgmtObject!=0)
+ mgmtObject->inc_aclDenyCount();
+ result = false;
+ break;
+
+ default:
+ assert (false);
}
- assert(false);
- return false;
+
+ QPID_LOG(debug, "ACL result() returns " << result);
+ return result;
}
bool Acl::readAclFile(std::string& errorText)
diff --git a/cpp/src/qpid/acl/Acl.h b/cpp/src/qpid/acl/Acl.h
index 77f43838de..74b0872f11 100644
--- a/cpp/src/qpid/acl/Acl.h
+++ b/cpp/src/qpid/acl/Acl.h
@@ -66,12 +66,29 @@ public:
inline virtual bool doTransferAcl() {return transferAcl;};
// create specilied authorise methods for cases that need faster matching as needed.
- virtual bool authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params=0);
- virtual bool authorise(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName,const std::string& RoutingKey);
+ virtual bool authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property,
+ std::string>* params=0);
+
+ virtual bool authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey);
virtual ~Acl();
private:
- bool result(const AclResult& aclreslt, const std::string& id, const Action& action, const ObjectType& objType, const std::string& name);
+ bool result(
+ const AclResult& aclreslt,
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name);
bool readAclFile(std::string& errorText);
bool readAclFile(std::string& aclFile, std::string& errorText);
virtual qpid::management::ManagementObject* GetManagementObject(void) const;
diff --git a/cpp/src/qpid/acl/AclData.cpp b/cpp/src/qpid/acl/AclData.cpp
index 466271110e..96d9ef9c6e 100644
--- a/cpp/src/qpid/acl/AclData.cpp
+++ b/cpp/src/qpid/acl/AclData.cpp
@@ -52,114 +52,162 @@ namespace acl {
}
}
- AclResult AclData::lookup(const std::string& id, const Action& action, const ObjectType& objType,
- const std::string& name, std::map<Property, std::string>* params) {
-
- QPID_LOG(debug, "ACL: Lookup for id:" << id << " action:" << AclHelper::getActionStr((Action) action)
- << " objectType:" << AclHelper::getObjectTypeStr((ObjectType) objType) << " name:" << name
- << " with params " << AclHelper::propertyMapToString(params));
-
- AclResult aclresult = decisionMode;
- if (actionList[action] && actionList[action][objType]) {
- AclData::actObjItr itrRule = actionList[action][objType]->find(id);
- if (itrRule == actionList[action][objType]->end())
- itrRule = actionList[action][objType]->find("*");
-
- if (itrRule != actionList[action][objType]->end()) {
-
- //loop the vector
- ruleSetItr rsItr = itrRule->second.end();
- for (int cnt = itrRule->second.size(); cnt != 0; cnt--) {
- rsItr--;
- QPID_LOG(debug, "ACL: checking rule " << rsItr->toString());
- // loop the names looking for match
- bool match = true;
- for (propertyMapItr pMItr = rsItr->props.begin(); (pMItr != rsItr->props.end()) && match; pMItr++) {
- //match name is exists first
- if (pMItr->first == acl::PROP_NAME) {
- if (matchProp(pMItr->second, name)){
- QPID_LOG(debug, "ACL: lookup name '" << name << "' matched with rule name '"
- << pMItr->second << "'");
- }else{
- match = false;
- QPID_LOG(debug, "ACL: lookup name '" << name << "' didn't match with rule name '"
- << pMItr->second << "'");
- }
- } else if (params) { //match pMItr against params
- propertyMapItr paramItr = params->find(pMItr->first);
- if (paramItr == params->end()) {
+ AclResult AclData::lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params) {
+
+ QPID_LOG(debug, "ACL: Lookup for id:" << id
+ << " action:" << AclHelper::getActionStr((Action) action)
+ << " objectType:" << AclHelper::getObjectTypeStr((ObjectType) objType)
+ << " name:" << name
+ << " with params " << AclHelper::propertyMapToString(params));
+
+ // A typical log looks like:
+ // ACL: Lookup for id:bob@QPID action:create objectType:queue name:q2 with params { durable=false
+ // passive=false autodelete=false exclusive=false alternate= policytype= maxqueuesize=0 maxqueuecount=0 }
+
+ // Default result is blanket decision mode for the entire ACL list.
+ AclResult aclresult = decisionMode;
+
+ // Test for lists of rules at the intersection of the Action and the Object
+ if (actionList[action] && actionList[action][objType])
+ {
+ // Find the list of rules for this actorId
+ AclData::actObjItr itrRule = actionList[action][objType]->find(id);
+
+ // If individual actorId not found then find a rule set for '*'.
+ if (itrRule == actionList[action][objType]->end())
+ itrRule = actionList[action][objType]->find("*");
+
+ if (itrRule != actionList[action][objType]->end())
+ {
+ // A list of rules exists for this actor/action/object tuple.
+ // Iterate the rule set to search for a matching rule.
+ ruleSetItr rsItr = itrRule->second.end();
+ for (int cnt = itrRule->second.size(); cnt != 0; cnt--)
+ {
+ rsItr--;
+
+ QPID_LOG(debug, "ACL: checking rule " << rsItr->toString());
+
+ bool match = true;
+ bool limitChecked = true;
+
+ // Iterate this rule's properties
+ for (propertyMapItr rulePropMapItr = rsItr->props.begin();
+ (rulePropMapItr != rsItr->props.end()) && match;
+ rulePropMapItr++)
+ {
+ // The property map's NAME property is handled specially
+ if (rulePropMapItr->first == acl::PROP_NAME)
+ {
+ if (matchProp(rulePropMapItr->second, name))
+ {
+ QPID_LOG(debug, "ACL: lookup name '" << name
+ << "' matched with rule name '" << rulePropMapItr->second << "'");
+ }
+ else
+ {
+ match = false;
+ QPID_LOG(debug, "ACL: lookup name '" << name
+ << "' didn't match with rule name '" << rulePropMapItr->second << "'");
+ }
+ }
+ else
+ {
+ if (params)
+ {
+ // The rule's property map non-NAME properties are
+ // to be found in the lookup's params list
+ propertyMapItr lookupParamItr = params->find(rulePropMapItr->first);
+ if (lookupParamItr == params->end())
+ {
+ // Now the rule has a specified property that does not exist
+ // in the caller's lookup params list. This rule does not match.
match = false;
QPID_LOG(debug, "ACL: lookup parameter map doesn't contain the rule property '"
- << AclHelper::getPropertyStr(pMItr->first) << "'");
- }else if ( pMItr->first == acl::PROP_MAXQUEUECOUNT || pMItr->first == acl::PROP_MAXQUEUESIZE ) {
- if ( pMItr->first == paramItr->first ) {
-
- uint64_t aclMax = 0;
- uint64_t paramMax = 0;
-
- try{
- aclMax = boost::lexical_cast<uint64_t>(pMItr->second);
- }catch(const boost::bad_lexical_cast&){
- match = false;
- QPID_LOG(error,"ACL: Error evaluating rule. " <<
- "Illegal value given in ACL source <" << aclSource <<
- "> for property '" <<
- AclHelper::getPropertyStr(pMItr->first) << "' : " <<
- boost::lexical_cast<std::string>(pMItr->second));
- break;
- }
-
- try{
- paramMax = boost::lexical_cast<uint64_t>(paramItr->second);
- }catch(const boost::bad_lexical_cast&){
+ << AclHelper::getPropertyStr(rulePropMapItr->first) << "'");
+ }
+ else
+ {
+ if ( rulePropMapItr->first == acl::PROP_QUEUEMAXCOUNT || rulePropMapItr->first == acl::PROP_QUEUEMAXSIZE )
+ {
+ assert ( rulePropMapItr->first == lookupParamItr->first );
+ limitChecked &= compareIntMax(rulePropMapItr->first,
+ boost::lexical_cast<std::string>(rulePropMapItr->second),
+ boost::lexical_cast<std::string>(lookupParamItr->second));
+ }
+ else
+ {
+ if (matchProp(rulePropMapItr->second, lookupParamItr->second))
+ {
+ QPID_LOG(debug, "ACL: the pair("
+ << AclHelper::getPropertyStr(lookupParamItr->first) << "," << lookupParamItr->second
+ << ") given in lookup matched the pair("
+ << AclHelper::getPropertyStr(rulePropMapItr->first) << "," << rulePropMapItr->second
+ << ") given in the rule");
+ }
+ else
+ {
match = false;
- QPID_LOG(error,"ACL: Error evaluating rule. " <<
- "Illegal value given in lookup for property '" <<
- AclHelper::getPropertyStr(pMItr->first) << "' : " <<
- boost::lexical_cast<std::string>(paramItr->second));
- break;
- }
-
- QPID_LOG(debug, "ACL: Numeric comparison for property " <<
- AclHelper::getPropertyStr(paramItr->first) <<
- " (value given in lookup = " <<
- boost::lexical_cast<std::string>(paramItr->second) <<
- ", value give in rule = " <<
- boost::lexical_cast<std::string>(pMItr->second) << " )");
-
- if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax)){
- match = decisionMode == qpid::acl::ALLOW ;
- QPID_LOG(debug, "ACL: Limit exceeded and match=" <<
- (match ? "true": "false") <<
- " as decision mode is " << AclHelper::getAclResultStr(decisionMode));
+ QPID_LOG(debug, "ACL: the pair("
+ << AclHelper::getPropertyStr(lookupParamItr->first) << "," << lookupParamItr->second
+ << ") given in lookup doesn't match the pair("
+ << AclHelper::getPropertyStr(rulePropMapItr->first) << "," << rulePropMapItr->second
+ << ") given in the rule");
}
}
- }else if (matchProp(pMItr->second, paramItr->second)) {
- QPID_LOG(debug, "ACL: the pair("
- << AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second
- << ") given in lookup matched the pair("
- << AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in the rule");
- } else {
- QPID_LOG(debug, "ACL: the pair("
- << AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second
- << ") given in lookup doesn't match the pair("
- << AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in the rule");
- match = false;
- }
+ }
+ }
+ else
+ {
+ // params don't exist.
}
}
- if (match)
+ }
+ if (match)
+ {
+ aclresult = rsItr->ruleMode;
+ if (!limitChecked)
{
- aclresult = rsItr->ruleMode;
- QPID_LOG(debug,"ACL: Successful match, the decision is:" << AclHelper::getAclResultStr(aclresult));
- return aclresult;
+ // Now a lookup matched all rule properties but one of the numeric
+ // limits has failed. This has the effect of demoting an allow to a deny.
+ if (aclresult == acl::ALLOW)
+ {
+ aclresult = acl::DENY;
+ }
+ else
+ {
+ if (aclresult == acl::ALLOWLOG)
+ {
+ aclresult = acl::DENYLOG;
+ }
+ }
}
+ QPID_LOG(debug,"ACL: Successful match, the decision is:" << AclHelper::getAclResultStr(aclresult));
+ return aclresult;
+ }
+ else
+ {
+ // this rule did not match the requested lookup
}
}
}
+ else
+ {
+ // The Action-Object list has entries but not for this actorId nor for *.
+ }
+ }
+ else
+ {
+ // The Action-Object list has no entries
+ }
- QPID_LOG(debug,"ACL: No successful match, defaulting to the decision mode " << AclHelper::getAclResultStr(aclresult));
- return aclresult;
+ QPID_LOG(debug,"ACL: No successful match, defaulting to the decision mode " << AclHelper::getAclResultStr(aclresult));
+ return aclresult;
}
AclResult AclData::lookup(const std::string& id, const Action& action, const ObjectType& objType,
@@ -230,4 +278,42 @@ namespace acl {
clear();
}
-}}
+ bool AclData::compareIntMax(const qpid::acl::Property theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue) {
+ uint64_t aclMax (0);
+ uint64_t paramMax (0);
+
+ try {
+ aclMax = boost::lexical_cast<uint64_t>(theAclValue);
+ } catch(const boost::bad_lexical_cast&) {
+ assert (false);
+ return false;
+ }
+
+ try {
+ paramMax = boost::lexical_cast<uint64_t>(theLookupValue);
+ } catch(const boost::bad_lexical_cast&) {
+ QPID_LOG(error,"ACL: Error evaluating rule. " <<
+ "Illegal value given in lookup for property '" <<
+ AclHelper::getPropertyStr(theProperty) << "' : " <<
+ theLookupValue);
+ return false;
+ }
+
+ QPID_LOG(debug, "ACL: Numeric comparison for property " <<
+ AclHelper::getPropertyStr(theProperty) <<
+ " (value given in lookup = " <<
+ theLookupValue <<
+ ", value give in rule = " <<
+ theAclValue << " )");
+
+ if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax)){
+ QPID_LOG(debug, "ACL: Max limit exceeded for property '"
+ << AclHelper::getPropertyStr(theProperty) << "'");
+ return false;
+ }
+
+ return true;
+ }
+}}
diff --git a/cpp/src/qpid/acl/AclData.h b/cpp/src/qpid/acl/AclData.h
index 749b9b6c12..7757fac0db 100644
--- a/cpp/src/qpid/acl/AclData.h
+++ b/cpp/src/qpid/acl/AclData.h
@@ -72,15 +72,30 @@ public:
bool transferAcl;
std::string aclSource;
- AclResult lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params=0);
- AclResult lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& ExchangeName, const std::string& RoutingKey);
- AclResult getACLResult(bool logOnly, bool log);
+ AclResult lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params=0);
+
+ AclResult lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey);
bool matchProp(const std::string & src, const std::string& src1);
void clear ();
AclData();
virtual ~AclData();
+
+private:
+ bool compareIntMax(const qpid::acl::Property theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue);
};
}} // namespace qpid::acl
diff --git a/cpp/src/qpid/acl/AclValidator.cpp b/cpp/src/qpid/acl/AclValidator.cpp
index 540e705bb5..2226623109 100644
--- a/cpp/src/qpid/acl/AclValidator.cpp
+++ b/cpp/src/qpid/acl/AclValidator.cpp
@@ -78,11 +78,11 @@ namespace acl {
}
AclValidator::AclValidator(){
- validators.insert(Validator(acl::PROP_MAXQUEUESIZE,
+ validators.insert(Validator(acl::PROP_QUEUEMAXSIZE,
boost::shared_ptr<PropertyType>(
new IntPropertyType(0,std::numeric_limits<int64_t>::max()))));
- validators.insert(Validator(acl::PROP_MAXQUEUECOUNT,
+ validators.insert(Validator(acl::PROP_QUEUEMAXCOUNT,
boost::shared_ptr<PropertyType>(
new IntPropertyType(0,std::numeric_limits<int64_t>::max()))));
diff --git a/cpp/src/qpid/broker/AclModule.h b/cpp/src/qpid/broker/AclModule.h
index e32ff266b9..ee6acae3d8 100644
--- a/cpp/src/qpid/broker/AclModule.h
+++ b/cpp/src/qpid/broker/AclModule.h
@@ -32,17 +32,77 @@ namespace qpid {
namespace acl {
- enum ObjectType {OBJ_QUEUE, OBJ_EXCHANGE, OBJ_BROKER, OBJ_LINK,
- OBJ_METHOD, OBJECTSIZE}; // OBJECTSIZE must be last in list
- enum Action {ACT_CONSUME, ACT_PUBLISH, ACT_CREATE, ACT_ACCESS, ACT_BIND,
- ACT_UNBIND, ACT_DELETE, ACT_PURGE, ACT_UPDATE,
- ACTIONSIZE}; // ACTIONSIZE must be last in list
- enum Property {PROP_NAME, PROP_DURABLE, PROP_OWNER, PROP_ROUTINGKEY,
- PROP_PASSIVE, PROP_AUTODELETE, PROP_EXCLUSIVE, PROP_TYPE,
- PROP_ALTERNATE, PROP_QUEUENAME, PROP_SCHEMAPACKAGE,
- PROP_SCHEMACLASS, PROP_POLICYTYPE, PROP_MAXQUEUESIZE,
- PROP_MAXQUEUECOUNT};
- enum AclResult {ALLOW, ALLOWLOG, DENY, DENYLOG};
+ // Interface enumerations.
+ // These enumerations define enum lists and implied text strings
+ // to match. They are used in two places:
+ // 1. In the ACL specifications in the ACL file.
+ // 2. In the authorize interface in the rest of the broker where
+ // code requests the ACL module to authorize an action.
+
+ // ObjectType shared between ACL spec and ACL authorise interface
+ enum ObjectType {
+ OBJ_QUEUE,
+ OBJ_EXCHANGE,
+ OBJ_BROKER,
+ OBJ_LINK,
+ OBJ_METHOD,
+ OBJECTSIZE }; // OBJECTSIZE must be last in list
+
+ // Action shared between ACL spec and ACL authorise interface
+ enum Action {
+ ACT_CONSUME,
+ ACT_PUBLISH,
+ ACT_CREATE,
+ ACT_ACCESS,
+ ACT_BIND,
+ ACT_UNBIND,
+ ACT_DELETE,
+ ACT_PURGE,
+ ACT_UPDATE,
+ ACTIONSIZE }; // ACTIONSIZE must be last in list
+
+ // Property used in ACL spec file
+ enum SpecProperty {
+ SPECPROP_NAME,
+ SPECPROP_DURABLE,
+ SPECPROP_OWNER,
+ SPECPROP_ROUTINGKEY,
+ SPECPROP_PASSIVE,
+ SPECPROP_AUTODELETE,
+ SPECPROP_EXCLUSIVE,
+ SPECPROP_TYPE,
+ SPECPROP_ALTERNATE,
+ SPECPROP_QUEUENAME,
+ SPECPROP_SCHEMAPACKAGE,
+ SPECPROP_SCHEMACLASS,
+ SPECPROP_POLICYTYPE,
+ SPECPROP_MAXQUEUESIZE,
+ SPECPROP_MAXQUEUECOUNT };
+
+ // Property used in ACL authroize interface
+ enum Property {
+ PROP_NAME,
+ PROP_DURABLE,
+ PROP_OWNER,
+ PROP_ROUTINGKEY,
+ PROP_PASSIVE,
+ PROP_AUTODELETE,
+ PROP_EXCLUSIVE,
+ PROP_TYPE,
+ PROP_ALTERNATE,
+ PROP_QUEUENAME,
+ PROP_SCHEMAPACKAGE,
+ PROP_SCHEMACLASS,
+ PROP_POLICYTYPE,
+ PROP_QUEUEMAXSIZE,
+ PROP_QUEUEMAXCOUNT };
+
+ // AclResult shared between ACL spec and ACL authorise interface
+ enum AclResult {
+ ALLOW,
+ ALLOWLOG,
+ DENY,
+ DENYLOG };
} // namespace acl
@@ -54,12 +114,21 @@ namespace broker {
public:
- // effienty turn off ACL on message transfer.
+ // efficienty turn off ACL on message transfer.
virtual bool doTransferAcl()=0;
- virtual bool authorise(const std::string& id, const acl::Action& action, const acl::ObjectType& objType, const std::string& name,
+ virtual bool authorise(
+ const std::string& id,
+ const acl::Action& action,
+ const acl::ObjectType& objType,
+ const std::string& name,
std::map<acl::Property, std::string>* params=0)=0;
- virtual bool authorise(const std::string& id, const acl::Action& action, const acl::ObjectType& objType, const std::string& ExchangeName,
+
+ virtual bool authorise(
+ const std::string& id,
+ const acl::Action& action,
+ const acl::ObjectType& objType,
+ const std::string& ExchangeName,
const std::string& RoutingKey)=0;
// create specilied authorise methods for cases that need faster matching as needed.
@@ -133,8 +202,8 @@ namespace acl {
if (str.compare("schemapackage") == 0) return PROP_SCHEMAPACKAGE;
if (str.compare("schemaclass") == 0) return PROP_SCHEMACLASS;
if (str.compare("policytype") == 0) return PROP_POLICYTYPE;
- if (str.compare("maxqueuesize") == 0) return PROP_MAXQUEUESIZE;
- if (str.compare("maxqueuecount") == 0) return PROP_MAXQUEUECOUNT;
+ if (str.compare("maxqueuesize") == 0) return PROP_QUEUEMAXSIZE;
+ if (str.compare("maxqueuecount") == 0) return PROP_QUEUEMAXCOUNT;
throw str;
}
static inline std::string getPropertyStr(const Property p) {
@@ -152,12 +221,51 @@ namespace acl {
case PROP_SCHEMAPACKAGE: return "schemapackage";
case PROP_SCHEMACLASS: return "schemaclass";
case PROP_POLICYTYPE: return "policytype";
- case PROP_MAXQUEUESIZE: return "maxqueuesize";
- case PROP_MAXQUEUECOUNT: return "maxqueuecount";
+ case PROP_QUEUEMAXSIZE: return "maxqueuesize";
+ case PROP_QUEUEMAXCOUNT: return "maxqueuecount";
default: assert(false); // should never get here
}
return "";
}
+ static inline SpecProperty getSpecProperty(const std::string& str) {
+ if (str.compare("name") == 0) return SPECPROP_NAME;
+ if (str.compare("durable") == 0) return SPECPROP_DURABLE;
+ if (str.compare("owner") == 0) return SPECPROP_OWNER;
+ if (str.compare("routingkey") == 0) return SPECPROP_ROUTINGKEY;
+ if (str.compare("passive") == 0) return SPECPROP_PASSIVE;
+ if (str.compare("autodelete") == 0) return SPECPROP_AUTODELETE;
+ if (str.compare("exclusive") == 0) return SPECPROP_EXCLUSIVE;
+ if (str.compare("type") == 0) return SPECPROP_TYPE;
+ if (str.compare("alternate") == 0) return SPECPROP_ALTERNATE;
+ if (str.compare("queuename") == 0) return SPECPROP_QUEUENAME;
+ if (str.compare("schemapackage") == 0) return SPECPROP_SCHEMAPACKAGE;
+ if (str.compare("schemaclass") == 0) return SPECPROP_SCHEMACLASS;
+ if (str.compare("policytype") == 0) return SPECPROP_POLICYTYPE;
+ if (str.compare("queuemaxsize") == 0) return SPECPROP_MAXQUEUESIZE;
+ if (str.compare("queuemaxcount") == 0) return SPECPROP_MAXQUEUECOUNT;
+ throw str;
+ }
+ static inline std::string getSpecPropertyStr(const SpecProperty p) {
+ switch (p) {
+ case SPECPROP_NAME: return "name";
+ case SPECPROP_DURABLE: return "durable";
+ case SPECPROP_OWNER: return "owner";
+ case SPECPROP_ROUTINGKEY: return "routingkey";
+ case SPECPROP_PASSIVE: return "passive";
+ case SPECPROP_AUTODELETE: return "autodelete";
+ case SPECPROP_EXCLUSIVE: return "exclusive";
+ case SPECPROP_TYPE: return "type";
+ case SPECPROP_ALTERNATE: return "alternate";
+ case SPECPROP_QUEUENAME: return "queuename";
+ case SPECPROP_SCHEMAPACKAGE: return "schemapackage";
+ case SPECPROP_SCHEMACLASS: return "schemaclass";
+ case SPECPROP_POLICYTYPE: return "policytype";
+ case SPECPROP_MAXQUEUESIZE: return "queuemaxsize";
+ case SPECPROP_MAXQUEUECOUNT: return "queuemaxcount";
+ default: assert(false); // should never get here
+ }
+ return "";
+ }
static inline AclResult getAclResult(const std::string& str) {
if (str.compare("allow") == 0) return ALLOW;
if (str.compare("allow-log") == 0) return ALLOWLOG;
@@ -187,7 +295,9 @@ namespace acl {
typedef boost::shared_ptr<objectMap> objectMapPtr;
typedef std::map<Property, std::string> propMap;
typedef propMap::const_iterator propMapItr;
-
+ typedef std::map<SpecProperty, std::string> specPropMap;
+ typedef specPropMap::const_iterator specPropMapItr;
+
// This map contains the legal combinations of object/action/properties found in an ACL file
static void loadValidationMap(objectMapPtr& map) {
if (!map.get()) return;
@@ -229,8 +339,8 @@ namespace acl {
p4->insert(PROP_EXCLUSIVE);
p4->insert(PROP_AUTODELETE);
p4->insert(PROP_POLICYTYPE);
- p4->insert(PROP_MAXQUEUESIZE);
- p4->insert(PROP_MAXQUEUECOUNT);
+ p4->insert(PROP_QUEUEMAXSIZE);
+ p4->insert(PROP_QUEUEMAXCOUNT);
actionMapPtr a1(new actionMap);
a1->insert(actionPair(ACT_ACCESS, p0));
@@ -266,7 +376,21 @@ namespace acl {
if (params)
{
for (propMapItr pMItr = params->begin(); pMItr != params->end(); pMItr++) {
- ss << " " << getPropertyStr((Property) pMItr-> first) << "=" << pMItr->second;
+ ss << " " << getPropertyStr((Property) pMItr-> first)
+ << "=" << pMItr->second;
+ }
+ }
+ ss << " }";
+ return ss.str();
+ }
+ static std::string specPropertyMapToString(const std::map<SpecProperty, std::string>* params) {
+ std::ostringstream ss;
+ ss << "{";
+ if (params)
+ {
+ for (specPropMapItr pMItr = params->begin(); pMItr != params->end(); pMItr++) {
+ ss << " " << getSpecPropertyStr((SpecProperty) pMItr-> first)
+ << "=" << pMItr->second;
}
}
ss << " }";
diff --git a/cpp/src/qpid/broker/Broker.cpp b/cpp/src/qpid/broker/Broker.cpp
index 221c31583b..effa0f0da9 100644
--- a/cpp/src/qpid/broker/Broker.cpp
+++ b/cpp/src/qpid/broker/Broker.cpp
@@ -885,8 +885,8 @@ std::pair<boost::shared_ptr<Queue>, bool> Broker::createQueue(
params.insert(make_pair(acl::PROP_EXCLUSIVE, owner ? _TRUE : _FALSE));
params.insert(make_pair(acl::PROP_AUTODELETE, autodelete ? _TRUE : _FALSE));
params.insert(make_pair(acl::PROP_POLICYTYPE, arguments.getAsString("qpid.policy_type")));
- params.insert(make_pair(acl::PROP_MAXQUEUECOUNT, boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
- params.insert(make_pair(acl::PROP_MAXQUEUESIZE, boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXCOUNT, boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXSIZE, boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
if (!acl->authorise(userId,acl::ACT_CREATE,acl::OBJ_QUEUE,name,&params) )
throw framing::UnauthorizedAccessException(QPID_MSG("ACL denied queue create request from " << userId));
diff --git a/cpp/src/qpid/broker/SessionAdapter.cpp b/cpp/src/qpid/broker/SessionAdapter.cpp
index 4aad46f782..551d2188c9 100644
--- a/cpp/src/qpid/broker/SessionAdapter.cpp
+++ b/cpp/src/qpid/broker/SessionAdapter.cpp
@@ -286,8 +286,8 @@ void SessionAdapter::QueueHandlerImpl::declare(const string& name, const string&
params.insert(make_pair(acl::PROP_EXCLUSIVE, std::string(exclusive ? _TRUE : _FALSE)));
params.insert(make_pair(acl::PROP_AUTODELETE, std::string(autoDelete ? _TRUE : _FALSE)));
params.insert(make_pair(acl::PROP_POLICYTYPE, arguments.getAsString("qpid.policy_type")));
- params.insert(make_pair(acl::PROP_MAXQUEUECOUNT, boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
- params.insert(make_pair(acl::PROP_MAXQUEUESIZE, boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXCOUNT, boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXSIZE, boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
if (!acl->authorise(getConnection().getUserId(),acl::ACT_CREATE,acl::OBJ_QUEUE,name,&params) )
throw UnauthorizedAccessException(QPID_MSG("ACL denied queue create request from " << getConnection().getUserId()));
}
View Lorry Controller Status