authorGordon Sim <gsim@apache.org>2008-10-20 15:29:46 +0000
committerGordon Sim <gsim@apache.org>2008-10-20 15:29:46 +0000
commitdb47e4f5012d64126e6f3096bba1daa87b73c9e6 (patch)
treee27352a9abd88222a2a0c20fda8e4be2a05d0968 /qpid/cpp/src
parent875ff415fe9760f1c8c5454ae6657da81af059fe (diff)
Add option to require that only encrypted connections be accepted.
git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk@706321 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src')
-rw-r--r--qpid/cpp/src/qpid/broker/Broker.cpp20
-rw-r--r--qpid/cpp/src/qpid/broker/Broker.h3
-rw-r--r--qpid/cpp/src/qpid/sys/TCPIOPlugin.cpp11
-rw-r--r--qpid/cpp/src/tests/BrokerFixture.h8
-rw-r--r--qpid/cpp/src/tests/exception_test.cpp5
5 files changed, 30 insertions, 17 deletions
diff --git a/qpid/cpp/src/qpid/broker/Broker.cpp b/qpid/cpp/src/qpid/broker/Broker.cpp
index 94c4449178..141961d949 100644
--- a/qpid/cpp/src/qpid/broker/Broker.cpp
+++ b/qpid/cpp/src/qpid/broker/Broker.cpp
@@ -87,7 +87,8 @@ Broker::Options::Options(const std::string& name) :
replayFlushLimit(0),
replayHardLimit(0),
queueLimit(100*1048576/*100M default limit*/),
- tcpNoDelay(false)
+ tcpNoDelay(false),
+ requireEncrypted(false)
{
int c = sys::SystemInfo::concurrency();
workerThreads=c+1;
@@ -114,7 +115,8 @@ Broker::Options::Options(const std::string& name) :
("auth", optValue(auth, "yes|no"), "Enable authentication, if disabled all incoming connections will be trusted")
("realm", optValue(realm, "REALM"), "Use the given realm when performing authentication")
("default-queue-limit", optValue(queueLimit, "BYTES"), "Default maximum size for queues (in bytes)")
- ("tcp-nodelay", optValue(tcpNoDelay), "Set TCP_NODELAY on TCP connections");
+ ("tcp-nodelay", optValue(tcpNoDelay), "Set TCP_NODELAY on TCP connections")
+ ("require-encryption", optValue(requireEncrypted), "Only accept connections that are encrypted");
}
const std::string empty;
@@ -365,18 +367,18 @@ Manageable::status_t Broker::ManagementMethod (uint32_t methodId,
}
boost::shared_ptr<ProtocolFactory> Broker::getProtocolFactory(const std::string& name) const {
- ProtocolFactoryMap::const_iterator i = protocolFactories.find(name);
+ ProtocolFactoryMap::const_iterator i
+ = name.empty() ? protocolFactories.begin() : protocolFactories.find(name);
if (i == protocolFactories.end()) return boost::shared_ptr<ProtocolFactory>();
else return i->second;
}
uint16_t Broker::getPort(const std::string& name) const {
- boost::shared_ptr<ProtocolFactory> factory
- = getProtocolFactory(name.empty() ? TCP_TRANSPORT : name);
+ boost::shared_ptr<ProtocolFactory> factory = getProtocolFactory(name);
if (factory) {
return factory->getPort();
} else {
- throw Exception(QPID_MSG("No such transport: " << name));
+ throw NoSuchTransportException(QPID_MSG("No such transport: '" << name << "'"));
}
}
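Review bot: An empty `name` in getProtocolFactory now resolves to `protocolFactories.begin()`, so the default transport is whichever entry comes first in the map rather than a named one. If ProtocolFactoryMap is an ordered map keyed by transport name (its definition is not in this hunk), the answer changes as transport plugins are added, and a caller passing an empty string cannot tell whether it was handed the encrypted or the plain listener. I would state that contract next to the lookup, e.g. `// empty name: first registered transport in map order; may be encrypted or plain`, and have callers that care name the transport explicitly, as getKnownBrokersImpl now does.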
@@ -432,7 +434,11 @@ std::vector<Url>
Broker::getKnownBrokersImpl()
{
knownBrokers.clear();
- knownBrokers.push_back ( qpid::Url::getIpAddressesUrl ( getPort() ) );
+ try {
+ knownBrokers.push_back ( qpid::Url::getIpAddressesUrl ( getPort(TCP_TRANSPORT) ) );
+ } catch (const NoSuchTransportException& e) {
+ QPID_LOG(error, "Could not send client known broker urls for cluster: " << e.what());
+ }
return knownBrokers;
}
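Review bot: With `require-encryption` set, the TCP plugin registers no "tcp" factory, so `getPort(TCP_TRANSPORT)` in getKnownBrokersImpl throws on every call and the function returns an empty list after logging at error level. That is an expected consequence of the new option rather than a fault, so the level looks too high and the message does not say why the lookup failed. Clients also appear to receive no known-broker URLs in this mode, which presumably affects failover. I would lower it to `QPID_LOG(warning, "No TCP transport registered; known broker list is empty: " << e.what());` and add a comment that advertising the encrypted transport's address is still to be done.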
diff --git a/qpid/cpp/src/qpid/broker/Broker.h b/qpid/cpp/src/qpid/broker/Broker.h
index 213bf63837..3d93823ffa 100644
--- a/qpid/cpp/src/qpid/broker/Broker.h
+++ b/qpid/cpp/src/qpid/broker/Broker.h
@@ -102,6 +102,7 @@ class Broker : public sys::Runnable, public Plugin::Target,
size_t replayHardLimit;
uint queueLimit;
bool tcpNoDelay;
+ bool requireEncrypted;
};
private:
@@ -149,7 +150,7 @@ class Broker : public sys::Runnable, public Plugin::Target,
* port, which will be different if the configured port is
* 0.
*/
- virtual uint16_t getPort(const std::string& name = TCP_TRANSPORT) const;
+ virtual uint16_t getPort(const std::string& name) const;
/**
* Run the broker. Implements Runnable::run() so the broker
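Review bot: The doc comment above `getPort` (it starts outside this hunk) still describes only the port-0 case, while the declaration now requires a transport name and the implementation throws NoSuchTransportException when none matches. Callers need to know both facts, as well as the fact that an empty name selects the first registered transport. I would extend the comment with `@param name transport name; empty selects the first registered transport` and `@throws NoSuchTransportException if no such transport is registered`.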
diff --git a/qpid/cpp/src/qpid/sys/TCPIOPlugin.cpp b/qpid/cpp/src/qpid/sys/TCPIOPlugin.cpp
index 40edfa816f..c4bc99837e 100644
--- a/qpid/cpp/src/qpid/sys/TCPIOPlugin.cpp
+++ b/qpid/cpp/src/qpid/sys/TCPIOPlugin.cpp
@@ -65,9 +65,14 @@ static class TCPIOPlugin : public Plugin {
// Only provide to a Broker
if (broker) {
const broker::Broker::Options& opts = broker->getOptions();
- ProtocolFactory::shared_ptr protocol(new AsynchIOProtocolFactory(opts.port, opts.connectionBacklog, opts.tcpNoDelay));
- QPID_LOG(info, "Listening on TCP port " << protocol->getPort());
- broker->registerProtocolFactory("tcp", protocol);
+ if (opts.requireEncrypted) {
+ QPID_LOG(info, "Not accepting unencrypted connections on TCP");
+ } else {
+ ProtocolFactory::shared_ptr protocol(new AsynchIOProtocolFactory(opts.port, opts.connectionBacklog,
+ opts.tcpNoDelay));
+ QPID_LOG(info, "Listening on TCP port " << protocol->getPort());
+ broker->registerProtocolFactory("tcp", protocol);
+ }
}
}
} tcpPlugin;
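Review bot: The `opts.requireEncrypted` branch here is the only enforcement of the option visible in this commit: the plain TCP plugin declines to register, but nothing shown stops another transport plugin from registering an unencrypted factory, and nothing verifies that an encrypted transport was registered at all. As far as these hunks show, a broker started with `require-encryption` and no SSL plugin loaded would come up with no listener and only an info-level line to say so. I would raise the message to `QPID_LOG(warning, "require-encryption is set: plain TCP listener disabled; an encrypted transport plugin must be loaded");` and extend the option's help text in Broker.cpp to say the same. The enclosing method starts outside the hunk.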
diff --git a/qpid/cpp/src/tests/BrokerFixture.h b/qpid/cpp/src/tests/BrokerFixture.h
index 4e10f82809..b3e68fdc41 100644
--- a/qpid/cpp/src/tests/BrokerFixture.h
+++ b/qpid/cpp/src/tests/BrokerFixture.h
@@ -52,7 +52,7 @@ struct BrokerFixture : private boost::noncopyable {
// TODO aconway 2007-12-05: At one point BrokerFixture
// tests could hang in Connection ctor if the following
// line is removed. This may not be an issue anymore.
- broker->getPort();
+ broker->getPort(qpid::broker::Broker::TCP_TRANSPORT);
brokerThread = qpid::sys::Thread(*broker);
};
@@ -63,10 +63,10 @@ struct BrokerFixture : private boost::noncopyable {
/** Open a connection to the broker. */
void open(qpid::client::Connection& c) {
- c.open("localhost", broker->getPort());
+ c.open("localhost", broker->getPort(qpid::broker::Broker::TCP_TRANSPORT));
}
- uint16_t getPort() { return broker->getPort(); }
+ uint16_t getPort() { return broker->getPort(qpid::broker::Broker::TCP_TRANSPORT); }
};
/** Connection that opens in its constructor */
@@ -108,7 +108,7 @@ struct SessionFixtureT : BrokerFixture, ClientT<ConnectionType,SessionType> {
SessionFixtureT(Broker::Options opts=Broker::Options()) :
BrokerFixture(opts),
- ClientT<ConnectionType,SessionType>(broker->getPort())
+ ClientT<ConnectionType,SessionType>(broker->getPort(qpid::broker::Broker::TCP_TRANSPORT))
{}
};
diff --git a/qpid/cpp/src/tests/exception_test.cpp b/qpid/cpp/src/tests/exception_test.cpp
index 41061173a7..a73ea9e36b 100644
--- a/qpid/cpp/src/tests/exception_test.cpp
+++ b/qpid/cpp/src/tests/exception_test.cpp
@@ -39,6 +39,7 @@ using namespace sys;
using namespace client;
using namespace framing;
+using qpid::broker::Broker;
using boost::bind;
using boost::function;
@@ -88,7 +89,7 @@ QPID_AUTO_TEST_CASE(TestSessionBusy) {
QPID_AUTO_TEST_CASE(DisconnectedPop) {
ProxySessionFixture fix;
- ProxyConnection c(fix.broker->getPort());
+ ProxyConnection c(fix.broker->getPort(Broker::TCP_TRANSPORT));
fix.session.queueDeclare(arg::queue="q");
fix.subs.subscribe(fix.lq, "q");
Catcher<ConnectionException> pop(bind(&LocalQueue::pop, boost::ref(fix.lq)));
@@ -101,7 +102,7 @@ QPID_AUTO_TEST_CASE(DisconnectedListen) {
struct NullListener : public MessageListener {
void received(Message&) { BOOST_FAIL("Unexpected message"); }
} l;
- ProxyConnection c(fix.broker->getPort());
+ ProxyConnection c(fix.broker->getPort(Broker::TCP_TRANSPORT));
fix.session.queueDeclare(arg::queue="q");
fix.subs.subscribe(l, "q");