author | Ted Ross <tross@apache.org> | 2013-10-10 19:41:01 +0000 |
---|---|---|
committer | Ted Ross <tross@apache.org> | 2013-10-10 19:41:01 +0000 |
commit | db38bebfc16ac15b9ef93d5130e08df2dda97c76 (patch) | |
tree | 03c104739524f068a673c58b06204efbcd787f9d /extras | |
parent | 7ca659b5e12c8113017891e4361603113a3c2c69 (diff) | |
download | qpid-python-db38bebfc16ac15b9ef93d5130e08df2dda97c76.tar.gz |
QPID-5221 - Added a configurable role for connections that constrains their use.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1531084 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'extras')
-rw-r--r-- | extras/dispatch/etc/qpid-dispatch.conf | 2 | ||||
-rw-r--r-- | extras/dispatch/include/qpid/dispatch/container.h | 1 | ||||
-rw-r--r-- | extras/dispatch/include/qpid/dispatch/server.h | 197 | ||||
-rw-r--r-- | extras/dispatch/python/qpid/dispatch/config/schema.py | 2 | ||||
-rw-r--r-- | extras/dispatch/src/container.c | 21 | ||||
-rw-r--r-- | extras/dispatch/src/dispatch.c | 1 | ||||
-rw-r--r-- | extras/dispatch/src/router_node.c | 47 | ||||
-rw-r--r-- | extras/dispatch/src/server.c | 8 | ||||
-rw-r--r-- | extras/dispatch/tests/threerouters-A.conf | 1 | ||||
-rw-r--r-- | extras/dispatch/tests/threerouters-B.conf | 2 | ||||
-rw-r--r-- | extras/dispatch/tests/threerouters-C.conf | 1 | ||||
-rw-r--r-- | extras/dispatch/tests/tworouters-A.conf | 1 | ||||
-rw-r--r-- | extras/dispatch/tests/tworouters-B.conf | 2 |
13 files changed, 189 insertions, 97 deletions
diff --git a/extras/dispatch/etc/qpid-dispatch.conf b/extras/dispatch/etc/qpid-dispatch.conf
index 4e74f1e96b..83fa98af60 100644
--- a/extras/dispatch/etc/qpid-dispatch.conf
+++ b/extras/dispatch/etc/qpid-dispatch.conf
@@ -102,6 +102,7 @@ listener {
 
 listener {
     label: Router Interconnect Access
+    role: inter-router
     addr: 0.0.0.0
     port: 5671
     sasl-mechanisms: EXTERNAL
@@ -112,6 +113,7 @@ listener {
 
 connector {
     label: Router Uplink
+    role: inter-router
     addr: backbone.enterprise.com
     port: amqps
     sasl-mechanisms: EXTERNAL
diff --git a/extras/dispatch/include/qpid/dispatch/container.h b/extras/dispatch/include/qpid/dispatch/container.h
index 62373f7e61..03fdd0c4cc 100644
--- a/extras/dispatch/include/qpid/dispatch/container.h
+++ b/extras/dispatch/include/qpid/dispatch/container.h
@@ -166,6 +166,7 @@ void *dx_link_get_context(dx_link_t *link);
 void dx_link_set_conn_context(dx_link_t *link, void *link_context);
 void *dx_link_get_conn_context(dx_link_t *link);
+dx_connection_t *dx_link_connection(dx_link_t *link);
 pn_link_t *dx_link_pn(dx_link_t *link);
 pn_terminus_t *dx_link_source(dx_link_t *link);
 pn_terminus_t *dx_link_target(dx_link_t *link);
diff --git a/extras/dispatch/include/qpid/dispatch/server.h b/extras/dispatch/include/qpid/dispatch/server.h
index dcdc6ad73f..e50f9ac75b 100644
--- a/extras/dispatch/include/qpid/dispatch/server.h
+++ b/extras/dispatch/include/qpid/dispatch/server.h
@@ -186,7 +186,7 @@ typedef struct dx_connector_t dx_connector_t;
 typedef struct dx_connection_t dx_connection_t;
 
 /**
- * Event type for the connection callback.
+ * \brief Event type for the connection callback.
  */
 typedef enum {
     /// The connection just opened via a listener (inbound).
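Review bot: The sample config now carries `role: inter-router` on the interconnect listener and the uplink connector but nothing in the file explains what the value does or what the alternative is, and this is the file operators copy from. Suggest a comment above the listener's `role:` line: `# role: inter-router marks this endpoint as a router-to-router link; AMQP links that advertise router capability are accepted only on connections with this role. Leave it out (default: normal) for client-facing endpoints.` As far as the router_node.c changes in this commit show, the role is the only thing that lets a peer present router links, so the same comment should say that an inter-router listener must keep peer authentication (here EXTERNAL over TLS on 5671) rather than ANONYMOUS.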
@@ -204,6 +204,106 @@ typedef enum {
 
 
 /**
+ * \brief Configuration block for a connector or a listener.
+ */
+typedef struct dx_server_config_t {
+    /**
+     * Host name or network address to bind to a listener or use in the connector.
+     */
+    const char *host;
+
+    /**
+     * Port name or number to bind to a listener or use in the connector.
+     */
+    const char *port;
+
+    /**
+     * Space-separated list of SASL mechanisms to be accepted for the connection.
+     */
+    const char *sasl_mechanisms;
+
+    /**
+     * If appropriate for the mechanism, the username for authentication
+     * (connector only)
+     */
+    const char *sasl_username;
+
+    /**
+     * If appropriate for the mechanism, the password for authentication
+     * (connector only)
+     */
+    const char *sasl_password;
+
+    /**
+     * If appropriate for the mechanism, the minimum acceptable security strength factor
+     */
+    int sasl_minssf;
+
+    /**
+     * If appropriate for the mechanism, the maximum acceptable security strength factor
+     */
+    int sasl_maxssf;
+
+    /**
+     * SSL is enabled for this connection iff non-zero.
+     */
+    int ssl_enabled;
+
+    /**
+     * Connection will take on the role of SSL server iff non-zero.
+     */
+    int ssl_server;
+
+    /**
+     * Iff non-zero AND ssl_enabled is non-zero, this listener will detect the client's use
+     * of SSL or non-SSL and conform to the client's protocol.
+     * (listener only)
+     */
+    int ssl_allow_unsecured_client;
+
+    /**
+     * Path to the file containing the PEM-formatted public certificate for the local end
+     * of the connection.
+     */
+    const char *ssl_certificate_file;
+
+    /**
+     * Path to the file containing the PEM-formatted private key for the local end of the
+     * connection.
+     */
+    const char *ssl_private_key_file;
+
+    /**
+     * The password used to sign the private key, or NULL if the key is not protected.
+     */
+    const char *ssl_password;
+
+    /**
+     * Path to the file containing the PEM-formatted set of certificates of trusted CAs.
+     */
+    const char *ssl_trusted_certificate_db;
+
+    /**
+     * Iff non-zero, require that the peer's certificate be supplied and that it be authentic
+     * according to the set of trusted CAs.
+     */
+    int ssl_require_peer_authentication;
+
+    /**
+     * Allow the connection to be redirected by the peer (via CLOSE->Redirect). This is
+     * meaningful for outgoing (connector) connections only.
+     */
+    int allow_redirect;
+
+    /**
+     * The specified role of the connection. This can be used to control the behavior and
+     * capabilities of the connections.
+     */
+    const char *role;
+} dx_server_config_t;
+
+
+/**
  * \brief Connection Event Handler
  *
  * Callback invoked when processing is needed on a proton connection. This
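Review bot: The new `role` field is documented only as something that "can be used to control the behavior and capabilities of the connections"; the comment names neither the values the code recognises, nor the default, nor that the pointer must not be NULL (router_node.c in this commit passes it straight to `strcmp`). Suggest replacing the comment with: `Role name given to the listener or connector in configuration. The router treats "inter-router" specially: AMQP links that advertise router capability are accepted only on such connections. Any other value, including the schema default "normal", is an ordinary client-facing connection. Must be a valid string for the lifetime of the listener/connector.` Not new in this commit, but since the block also holds `sasl_password` and `ssl_password` in clear text and is now reachable per connection through `dx_connection_config()`, a line noting that callers receive the live secrets and must not log or copy the block would be a useful caveat.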
@@ -295,97 +395,12 @@ pn_connection_t *dx_connection_pn(dx_connection_t *conn);
 
 
 /**
- * \brief Configuration block for a connector or a listener.
+ * \brief Get the configuration that was used in the setup of this connection.
+ *
+ * @param conn Connection object supplied in DX_CONN_EVENT_{LISTENER,CONNETOR}_OPEN
+ * @return A pointer to the server configuration used in the establishment of this connection.
  */
-typedef struct dx_server_config_t {
-    /**
-     * Host name or network address to bind to a listener or use in the connector.
-     */
-    const char *host;
-
-    /**
-     * Port name or number to bind to a listener or use in the connector.
-     */
-    const char *port;
-
-    /**
-     * Space-separated list of SASL mechanisms to be accepted for the connection.
-     */
-    const char *sasl_mechanisms;
-
-    /**
-     * If appropriate for the mechanism, the username for authentication
-     * (connector only)
-     */
-    const char *sasl_username;
-
-    /**
-     * If appropriate for the mechanism, the password for authentication
-     * (connector only)
-     */
-    const char *sasl_password;
-
-    /**
-     * If appropriate for the mechanism, the minimum acceptable security strength factor
-     */
-    int sasl_minssf;
-
-    /**
-     * If appropriate for the mechanism, the maximum acceptable security strength factor
-     */
-    int sasl_maxssf;
-
-    /**
-     * SSL is enabled for this connection iff non-zero.
-     */
-    int ssl_enabled;
-
-    /**
-     * Connection will take on the role of SSL server iff non-zero.
-     */
-    int ssl_server;
-
-    /**
-     * Iff non-zero AND ssl_enabled is non-zero, this listener will detect the client's use
-     * of SSL or non-SSL and conform to the client's protocol.
-     * (listener only)
-     */
-    int ssl_allow_unsecured_client;
-
-    /**
-     * Path to the file containing the PEM-formatted public certificate for the local end
-     * of the connection.
-     */
-    const char *ssl_certificate_file;
-
-    /**
-     * Path to the file containing the PEM-formatted private key for the local end of the
-     * connection.
-     */
-    const char *ssl_private_key_file;
-
-    /**
-     * The password used to sign the private key, or NULL if the key is not protected.
-     */
-    const char *ssl_password;
-
-    /**
-     * Path to the file containing the PEM-formatted set of certificates of trusted CAs.
-     */
-    const char *ssl_trusted_certificate_db;
-
-    /**
-     * Iff non-zero, require that the peer's certificate be supplied and that it be authentic
-     * according to the set of trusted CAs.
-     */
-    int ssl_require_peer_authentication;
-
-    /**
-     * Allow the connection to be redirected by the peer (via CLOSE->Redirect). This is
-     * meaningful for outgoing (connector) connections only.
-     */
-    int allow_redirect;
-} dx_server_config_t;
+const dx_server_config_t *dx_connection_config(const dx_connection_t *conn);
 
 
 /**
diff --git a/extras/dispatch/python/qpid/dispatch/config/schema.py b/extras/dispatch/python/qpid/dispatch/config/schema.py
index 1b3fe885cb..7b00000c99 100644
--- a/extras/dispatch/python/qpid/dispatch/config/schema.py
+++ b/extras/dispatch/python/qpid/dispatch/config/schema.py
@@ -57,6 +57,7 @@ config_schema = {
         'addr' : (str, 0, "M"),
         'port' : (str, 1, "M"),
         'label' : (str, None, "", None),
+        'role' : (str, None, "", 'normal'),
         'sasl-mechanisms' : (str, None, "M"),
         'ssl-profile' : (str, None, "E", None),
         'require-peer-auth' : (bool, None, "", True),
@@ -66,6 +67,7 @@ config_schema = {
         'addr' : (str, 0, "M"),
         'port' : (str, 1, "M"),
         'label' : (str, None, "", None),
+        'role' : (str, None, "", 'normal'),
         'sasl-mechanisms' : (str, None, "M"),
         'ssl-profile' : (str, None, "E", None),
         'allow-redirect' : (bool, None, "", True)
diff --git a/extras/dispatch/src/container.c b/extras/dispatch/src/container.c
index f206f492a1..3ae24d81b0 100644
--- a/extras/dispatch/src/container.c
+++ b/extras/dispatch/src/container.c
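Review bot: The new `@param` line spells the event `DX_CONN_EVENT_{LISTENER,CONNETOR}_OPEN`; the enum is presumably `CONNECTOR`, so it should read `DX_CONN_EVENT_{LISTENER,CONNECTOR}_OPEN`. The `@return` should also state ownership and lifetime, because the accessor (server.c in this commit) hands out the listener's or connector's own config rather than a copy: `@return Pointer to the configuration owned by the listener or connector that created the connection. Read-only; valid only while that listener/connector exists.` Since the server.c body dereferences `conn->connector` whenever there is no listener, document the precondition too: `@param conn must have been created by a listener or a connector (obtained from the open events above).`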
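Review bot: `'role' : (str, None, "", 'normal')` accepts any string, so a misspelling such as `role: inter_router` or `role: router` silently yields a `normal` connection; on the C side (router_node.c in this commit) that shows up only as a per-open warning for a connector, and for a listener as every router-capable link being refused, with nothing in config validation to point at the cause. If the schema tuple supports an enumeration of permitted values it should be used for both entries; otherwise validate in the loader, e.g. `if role not in ('normal', 'inter-router'): raise ValueError("role must be 'normal' or 'inter-router'")`. I cannot see how the tuple's third element (`""`, `"M"`, `"E"`) is interpreted, so the right mechanism has to be confirmed against the schema reader.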
@@ -687,6 +687,27 @@ pn_link_t *dx_link_pn(dx_link_t *link)
 }
 
 
+dx_connection_t *dx_link_connection(dx_link_t *link)
+{
+    if (!link || !link->pn_link)
+        return 0;
+
+    pn_session_t *sess = pn_link_session(link->pn_link);
+    if (!sess)
+        return 0;
+
+    pn_connection_t *conn = pn_session_connection(sess);
+    if (!conn)
+        return 0;
+
+    dx_connection_t *ctx = pn_connection_get_context(conn);
+    if (!ctx)
+        return 0;
+
+    return ctx;
+}
+
+
 pn_terminus_t *dx_link_source(dx_link_t *link)
 {
     return pn_link_source(link->pn_link);
diff --git a/extras/dispatch/src/dispatch.c b/extras/dispatch/src/dispatch.c
index 6e406de7fb..20ba84afe0 100644
--- a/extras/dispatch/src/dispatch.c
+++ b/extras/dispatch/src/dispatch.c
@@ -137,6 +137,7 @@ static void load_server_config(dx_dispatch_t *dx, dx_server_config_t *config, co
 {
     config->host = dx_config_item_value_string(dx->config, section, i, "addr");
     config->port = dx_config_item_value_string(dx->config, section, i, "port");
+    config->role = dx_config_item_value_string(dx->config, section, i, "role");
     config->sasl_mechanisms = dx_config_item_value_string(dx->config, section, i, "sasl-mechanisms");
     config->ssl_enabled =
diff --git a/extras/dispatch/src/router_node.c b/extras/dispatch/src/router_node.c
index b10e4d2d91..4b13230687 100644
--- a/extras/dispatch/src/router_node.c
+++ b/extras/dispatch/src/router_node.c
@@ -28,6 +28,7 @@
 static char *module = "ROUTER";
+static char *router_role = "inter-router";
 static char *local_prefix = "_local/";
 static char *topo_prefix = "_topo/";
 static char *direct_prefix;
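Review bot: In `dx_link_connection` the closing `if (!ctx) return 0; return ctx;` is redundant, since both branches return `ctx`; the tail can simply be `return pn_connection_get_context(conn);` (the NULL check on `conn` before it still matters). More importantly the function treats whatever is stored as the pn_connection context as a `dx_connection_t *`, which is only safe if the server is the sole writer of that slot — something this hunk cannot show — so a comment stating the assumption would help: `/* The pn_connection context is set to the owning dx_connection_t by server.c when the connection is created; nothing else may overwrite it. */`.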
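Review bot: `config->role` is taken straight from `dx_config_item_value_string(...)` with no fallback, while router_node.c in this commit calls `strcmp(cf->role, router_role)` on it unguarded; whether a NULL can arrive depends on the Python schema default (`'normal'`) always being applied, which the C loader should not rely on. One line after the assignment makes the loader self-sufficient: `if (!config->role) config->role = "normal";`, matching the schema default. load_server_config begins before this hunk and its remaining fields follow it, so the other string items may already have such handling that `role` should mirror.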
@@ -122,6 +123,22 @@ static void dx_router_check_addr_LH(dx_router_t *router, dx_address_t *addr)
 
 
 /**
+ * Determine whether a connection is configured in the inter-router role.
+ */
+static int dx_router_connection_is_inter_router(const dx_connection_t *conn)
+{
+    if (!conn)
+        return 0;
+
+    const dx_server_config_t *cf = dx_connection_config(conn);
+    if (cf && strcmp(cf->role, router_role) == 0)
+        return 1;
+
+    return 0;
+}
+
+
+/**
  * Determine whether a terminus has router capability
  */
 static int dx_router_terminus_is_router(pn_terminus_t *term)
@@ -648,11 +665,17 @@ static void router_disp_handler(void* context, dx_link_t *link, dx_delivery_t *d
  */
 static int router_incoming_link_handler(void* context, dx_link_t *link)
 {
-    dx_router_t      *router = (dx_router_t*) context;
-    dx_router_link_t *rlink  = new_dx_router_link_t();
-    pn_link_t        *pn_link = dx_link_pn(link);
-    int               is_router = dx_router_terminus_is_router(dx_link_remote_source(link));
+    dx_router_t *router = (dx_router_t*) context;
+    pn_link_t   *pn_link = dx_link_pn(link);
+    int          is_router = dx_router_terminus_is_router(dx_link_remote_source(link));
+    if (is_router && !dx_router_connection_is_inter_router(dx_link_connection(link))) {
+        dx_log(module, LOG_WARNING, "Incoming link claims router capability but is not on an inter-router connection");
+        pn_link_close(pn_link);
+        return 0;
+    }
+
+    dx_router_link_t *rlink = new_dx_router_link_t();
 
     DEQ_ITEM_INIT(rlink);
     rlink->link_type      = is_router ? DX_LINK_ROUTER : DX_LINK_ENDPOINT;
     rlink->link_direction = DX_INCOMING;
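Review bot: `dx_router_connection_is_inter_router` guards `cf` but not `cf->role` before `strcmp`, so a config block whose role was never populated (the dispatch.c loader in this commit assigns it with no default) would crash the router on the first link or outbound open; the test should be `if (cf && cf->role && strcmp(cf->role, router_role) == 0)`. Because this predicate is what decides whether a peer may present router-capable links, the header comment should state the policy it enforces rather than just the mechanics: `/* Only connections whose listener/connector was configured with role "inter-router" may carry router links; the default role "normal" is a client connection. */`.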
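Review bot: When an incoming link on a non-inter-router connection claims router capability, the new block closes it with `pn_link_close(pn_link)` but sets no error condition, so the peer sees a bare detach, and the warning names neither the connection nor the remote source that was refused. Before the close, attach a condition — if the proton in use provides it, `pn_condition_set_name(pn_link_condition(pn_link), "amqp:unauthorized-access");` — and put whatever identifies the connection (label, remote container, or the source address; dx_link_t's accessors are not visible here) into the log line so the rejection is actionable. Moving `new_dx_router_link_t()` below the check avoids leaking the rlink on this path, which is good; what `return 0` means to the container after a close is decided outside this hunk and should be confirmed so the link is not processed further. router_incoming_link_handler continues past the hunk.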
@@ -697,6 +720,12 @@ static int router_outgoing_link_handler(void* context, dx_link_t *link)
     int is_router = dx_router_terminus_is_router(dx_link_remote_target(link));
     dx_field_iterator_t *iter = 0;
 
+    if (is_router && !dx_router_connection_is_inter_router(dx_link_connection(link))) {
+        dx_log(module, LOG_WARNING, "Outgoing link claims router capability but is not on an inter-router connection");
+        pn_link_close(pn_link);
+        return 0;
+    }
+
     //
     // If this link is not a router link and it has no source address, we can't
     // accept it.
@@ -861,8 +890,14 @@ static void router_inbound_open_handler(void *type_context, dx_connection_t *con
 
 static void router_outbound_open_handler(void *type_context, dx_connection_t *conn)
 {
-    // TODO - Make sure this connection is annotated as an inter-router transport.
-    // Ignore otherwise
+    //
+    // Check the configured role of this connection. If it is not the inter-router
+    // role, ignore it.
+    //
+    if (!dx_router_connection_is_inter_router(conn)) {
+        dx_log(module, LOG_WARNING, "Outbound connection set up without inter-router role");
+        return;
+    }
 
     dx_router_t *router = (dx_router_t*) type_context;
     dx_link_t   *sender;
diff --git a/extras/dispatch/src/server.c b/extras/dispatch/src/server.c
index e81672dea9..65e181bd2c 100644
--- a/extras/dispatch/src/server.c
+++ b/extras/dispatch/src/server.c
@@ -880,6 +880,14 @@ pn_connection_t *dx_connection_pn(dx_connection_t *conn)
 }
 
 
+const dx_server_config_t *dx_connection_config(const dx_connection_t *conn)
+{
+    if (conn->listener)
+        return conn->listener->config;
+    return conn->connector->config;
+}
+
+
 dx_listener_t *dx_server_listen(dx_dispatch_t *dx, const dx_server_config_t *config, void *context)
 {
     dx_server_t *dx_server = dx->server;
diff --git a/extras/dispatch/tests/threerouters-A.conf b/extras/dispatch/tests/threerouters-A.conf
index c8c74d6eb2..3f18ad668c 100644
--- a/extras/dispatch/tests/threerouters-A.conf
+++ b/extras/dispatch/tests/threerouters-A.conf
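Review bot: This rejection block repeats the incoming-side one line for line (log, `pn_link_close`, `return 0`) with only the word "Outgoing" changed, so any later fix — adding an error condition, naming the connection, changing the return — has to be made twice. A small helper keeps the two in step; it assumes `dx_log` takes a printf-style format, which its call shape suggests but this hunk does not prove, so pass the full message if it does not. router_outgoing_link_handler starts before this hunk.
```c
/* Refuse a link that advertises router capability on a connection not configured as inter-router. */
static int router_refuse_router_link(dx_link_t *link, const char *direction)
{
    dx_log(module, LOG_WARNING, "%s link claims router capability but is not on an inter-router connection", direction);
    pn_link_close(dx_link_pn(link));
    return 0;
}

/* … at the top of both router_incoming_link_handler and router_outgoing_link_handler … */
    if (is_router && !dx_router_connection_is_inter_router(dx_link_connection(link)))
        return router_refuse_router_link(link, "Outgoing");
```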
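Review bot: `router_outbound_open_handler` now logs at LOG_WARNING for every connector that is not inter-router, yet the schema in this commit makes `normal` the default role, so an ordinary outbound connection — a supported configuration — warns on every open. Either lower the level or make the message name the endpoint so it is actionable, e.g. `dx_log(module, LOG_TRACE, "Outbound connection with role '%s' is not inter-router; not joining it to the router topology", cf->role);` with `cf` taken from `dx_connection_config(conn)` and guarded for NULL. The diff does not touch router_inbound_open_handler just above, so inbound connections appear to be gated only per link by the link handlers; if that is the intent, a one-line comment here saying so would save the next reader the search.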
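Review bot: `dx_connection_config` dereferences `conn` and then `conn->connector` unconditionally, so a NULL connection or one with neither a listener nor a connector (whether that state exists is not visible here) would crash instead of returning NULL, even though the only caller added in this commit already tolerates a NULL result (`if (cf && ...)`). Make the accessor total: `if (!conn) return 0; if (conn->listener) return conn->listener->config; return conn->connector ? conn->connector->config : 0;`. Since the returned block holds `sasl_password` and `ssl_password`, a comment that the pointer is read-only, owned by the listener/connector, and must not be copied or logged would be a useful caveat for future callers.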
@@ -54,6 +54,7 @@ listener {
 
 connector {
     label: Router Uplink
+    role: inter-router
     addr: 0.0.0.0
     port: 20002
     sasl-mechanisms: ANONYMOUS
diff --git a/extras/dispatch/tests/threerouters-B.conf b/extras/dispatch/tests/threerouters-B.conf
index 12dfc11c54..10310306d6 100644
--- a/extras/dispatch/tests/threerouters-B.conf
+++ b/extras/dispatch/tests/threerouters-B.conf
@@ -47,6 +47,7 @@ container {
 ## Listeners and Connectors
 ##
 listener {
+    role: inter-router
     addr: 0.0.0.0
     port: 20002
     sasl-mechanisms: ANONYMOUS
@@ -54,6 +55,7 @@ listener {
 
 connector {
     label: Router Uplink
+    role: inter-router
     addr: 0.0.0.0
     port: 20003
     sasl-mechanisms: ANONYMOUS
diff --git a/extras/dispatch/tests/threerouters-C.conf b/extras/dispatch/tests/threerouters-C.conf
index 03ec5296f9..83c0ff603d 100644
--- a/extras/dispatch/tests/threerouters-C.conf
+++ b/extras/dispatch/tests/threerouters-C.conf
@@ -47,6 +47,7 @@ container {
 ## Listeners and Connectors
 ##
 listener {
+    role: inter-router
     addr: 0.0.0.0
     port: 20003
     sasl-mechanisms: ANONYMOUS
diff --git a/extras/dispatch/tests/tworouters-A.conf b/extras/dispatch/tests/tworouters-A.conf
index d46d47787b..0d00efdbd4 100644
--- a/extras/dispatch/tests/tworouters-A.conf
+++ b/extras/dispatch/tests/tworouters-A.conf
@@ -47,6 +47,7 @@ container {
 ## Listeners and Connectors
 ##
 listener {
+    role: inter-router
     addr: 0.0.0.0
     port: 20001
     sasl-mechanisms: ANONYMOUS
diff --git a/extras/dispatch/tests/tworouters-B.conf b/extras/dispatch/tests/tworouters-B.conf
index f0d689755a..8999c9878c 100644
--- a/extras/dispatch/tests/tworouters-B.conf
+++ b/extras/dispatch/tests/tworouters-B.conf
@@ -47,6 +47,7 @@ container {
 ## Listeners and Connectors
 ##
 listener {
+    role: inter-router
     addr: 0.0.0.0
     port: 20002
     sasl-mechanisms: ANONYMOUS
@@ -54,6 +55,7 @@ listener {
 
 connector {
     label: Router Uplink
+    role: inter-router
     addr: 0.0.0.0
     port: 20001
     sasl-mechanisms: ANONYMOUS |