authorGordon Sim <gsim@apache.org>2008-05-09 18:09:43 +0000
committerGordon Sim <gsim@apache.org>2008-05-09 18:09:43 +0000
commit485022ac7cd72b40cb4c99f2e27389d016a31371 (patch)
tree5fc20fa2f28fe3d20b3db6237317580839b3fd6e /qpid/cpp
parent3e41544f9e3a66d4ab8b554ad6e2c864b48b79c6 (diff)
downloadqpid-python-485022ac7cd72b40cb4c99f2e27389d016a31371.tar.gz
QPID-648: Patch from Matt Farrellee
- support for realms - updates to packaging to create a default db and the necessary conf files for plain and anon git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk@654902 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp')
-rw-r--r--qpid/cpp/Makefile.am5
-rw-r--r--qpid/cpp/configure.ac8
-rw-r--r--qpid/cpp/etc/Makefile.am34
-rw-r--r--qpid/cpp/etc/sasl2/qpidd.conf24
-rw-r--r--qpid/cpp/qpidc.spec.in10
-rw-r--r--qpid/cpp/src/qpid/broker/Broker.cpp3
-rw-r--r--qpid/cpp/src/qpid/broker/Broker.h1
-rw-r--r--qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp22
8 files changed, 98 insertions, 9 deletions
diff --git a/qpid/cpp/Makefile.am b/qpid/cpp/Makefile.am
index 7a7c45aeb0..a97020c701 100644
--- a/qpid/cpp/Makefile.am
+++ b/qpid/cpp/Makefile.am
@@ -5,14 +5,11 @@ SPEC=$(PACKAGE).spec
EXTRA_DIST = \
LICENSE NOTICE README RELEASE_NOTES\
- etc/qpidd etc/qpidd.conf \
$(SPEC) $(SPEC).in \
rpm/README.qpidd-devel \
xml/cluster.xml
-sysconf_DATA = etc/qpidd.conf
-
-SUBDIRS = managementgen src docs/api docs/man examples
+SUBDIRS = managementgen etc src docs/api docs/man examples
# Update libtool, if needed.
libtool: $(LIBTOOL_DEPS)
diff --git a/qpid/cpp/configure.ac b/qpid/cpp/configure.ac
index 751ca7ce80..646f39025d 100644
--- a/qpid/cpp/configure.ac
+++ b/qpid/cpp/configure.ac
@@ -177,6 +177,7 @@ AS_IF([test "x$WANT_SASL" != xyes -a \
[AC_MSG_ERROR([Bad value for --with-sasl: $withval])])
# If we weren't explicitly asked /not/ to test, i.e. not given --without-sasl
+have_sasl=no
AS_IF([test "x$WANT_SASL" != xno],
# Perform tests for headers and libraries. Remember, AC_CHECK_LIB
# will give you some useful default behavior, e.g. setup LDFLAGS, if
@@ -189,10 +190,12 @@ AS_IF([test "x$WANT_SASL" != xno],
# And we were given --with, then fail
[AS_IF([test "x$WANT_SASL" = xyes],
[AC_MSG_ERROR([sasl requested but not available])])],
- # Otherwise, no tests failed, setup AC_SUBST/AC_DEFINE/AM_CONDITIONALs
+ # Otherwise, no tests failed, setup AC_SUBST/AC_DEFINE/vars for AM_CONDITIONALs
[AC_DEFINE([BROKER_SASL_NAME], ["qpidd"],
[The SASL app name for the qpid Broker])
- AC_DEFINE([HAVE_SASL], [1], [Enable if libsasl is present])])])
+ AC_DEFINE([HAVE_SASL], [1], [Enable if libsasl is present])
+ have_sasl=yes])])
+AM_CONDITIONAL([HAVE_SASL], [test "x$have_sasl" = xyes])
# Setup --with-xml/--without-xml as arguments to configure
@@ -261,6 +264,7 @@ AC_CONFIG_FILES([
Makefile
examples/Makefile
managementgen/Makefile
+ etc/Makefile
src/Makefile
src/tests/Makefile
docs/man/Makefile
diff --git a/qpid/cpp/etc/Makefile.am b/qpid/cpp/etc/Makefile.am
new file mode 100644
index 0000000000..34a1a0062d
--- /dev/null
+++ b/qpid/cpp/etc/Makefile.am
@@ -0,0 +1,34 @@
+SASL_CONF = sasl2/qpidd.conf
+
+EXTRA_DIST = \
+ $(SASL_CONF) \
+ qpidd qpidd.conf
+
+nobase_sysconf_DATA = \
+ qpidd.conf
+
+if HAVE_SASL
+SASL_DB = sasl2/qpidd.sasldb
+
+nobase_sysconf_DATA += \
+ $(SASL_CONF)
+
+sasldbdir = $(localstatedir)/lib/qpidd
+sasldb_DATA = $(SASL_DB)
+
+# Setup the default sasldb file with a single user, guest, with an
+# obvious password. This user and password are the default for many
+# clients.
+#
+# The realm specified by -u is very important, and QPID is the default
+# for the broker so we use it here. The realm is important because it
+# defaults to the local hostname of the machine running the
+# broker. This may not seem to bad at first glance, but it means that
+# the sasldb has to be tailored to each machine that would be running
+# a broker, and if the machine ever changed its name the
+# authentication would stop working until the sasldb was updated. For
+# these reasons we always want the broker to specify a realm where its
+# users live, and we want the users to exist in that realm as well.
+$(SASL_DB):
+ echo guest | /usr/sbin/saslpasswd2 -c -p -f $(SASL_DB) -u QPID guest
+endif
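Review bot: `sasldb_DATA = $(SASL_DB)` installs the credential database with automake's default data mode (0644), so a plain `make install` leaves qpidd.sasldb world-readable, which contradicts the "readable only by that user" note in the new sasl2/qpidd.conf; only the RPM `%attr(600, ...)` in qpidc.spec.in tightens it, and non-RPM installs get no such protection. An install hook in this Makefile.am would close that gap, e.g. `install-data-hook:` followed by the recipe line `chmod 600 $(DESTDIR)$(sasldbdir)/qpidd.sasldb`. The `$(SASL_DB)` rule also hard-codes `/usr/sbin/saslpasswd2` rather than a configure-detected path, and bakes a guest account with a well-known password into every installed database; the comment block should say that this account exists only as a default and how an administrator removes it (`saslpasswd2 -f <sasldb path> -u QPID -d guest`) once real users are created.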
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf
new file mode 100644
index 0000000000..42466b60cb
--- /dev/null
+++ b/qpid/cpp/etc/sasl2/qpidd.conf
@@ -0,0 +1,24 @@
+#
+# This configuation allows for either SASL PLAIN or ANONYMOUS
+# authentication. The PLAIN authentication is done on a
+# username+password, which is stored in the sasldb_path
+# file. Usernames and passwords can be added to the file using the
+# command:
+#
+# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+#
+# The REALM is important and should be the same as the --auth-realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# Existing user accounts may be listed with:
+#
+# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
+#
+# NOTE: The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+mech_list: plain anonymous
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /var/lib/qpidd/qpidd.sasldb
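Review bot: The comment line "should be the same as the --auth-realm option to the broker" names an option that does not exist; the option this commit adds in Broker.cpp is `realm`, so the line should read `# The REALM is important and should be the same as the --realm`. It would also help to state next to `mech_list: plain anonymous` what each mechanism implies: PLAIN sends the password in clear text unless the connection is otherwise protected, and listing `anonymous` lets any client authenticate without a sasldb entry, so deployments that rely on the sasldb to gate access need to drop `anonymous` from `mech_list`.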
diff --git a/qpid/cpp/qpidc.spec.in b/qpid/cpp/qpidc.spec.in
index 3510a64a9f..02b5ab437a 100644
--- a/qpid/cpp/qpidc.spec.in
+++ b/qpid/cpp/qpidc.spec.in
@@ -7,7 +7,7 @@
Name: @PACKAGE@
Version: @VERSION@
-Release: 31%{?dist}
+Release: 32%{?dist}
Summary: Libraries for Qpid C++ client applications
Group: System Environment/Libraries
License: Apache Software License
@@ -58,6 +58,8 @@ Requires: %name = %version-%release
Requires: openais
Requires: xqilla
Requires: xerces-c
+Requires: cyrus-sasl
+BuildRequires: cyrus-sasl-devel
%description -n %{qpidd}
A message broker daemon that receives stores and routes messages using
@@ -137,8 +139,10 @@ make check
%_libdir/libqpidcluster.so.0
%_libdir/libqpidcluster.so.0.1.0
%_sbindir/%{qpidd}
+%config(noreplace) %_sysconfdir/sasl2/qpidd.conf
%{_initrddir}/%{qpidd}
%attr(755, qpidd, qpidd) %_localstatedir/lib/qpidd
+%attr(600, qpidd, qpidd) %config(noreplace) %_localstatedir/lib/qpidd/qpidd.sasldb
%doc %_mandir/man1/%{qpidd}.*
%files -n %{qpidd}-devel
@@ -172,6 +176,10 @@ fi
/sbin/ldconfig
%changelog
+* Thu May 8 2008 Matthew Farrellee <mfarrellee@redhat> - 0.2-32
+- Added sasl2 config file for qpidd
+- Added cyrus-sasl dependencies
+
* Wed May 7 2008 Matthew Farrellee <mfarrellee@redhat> - 0.2-31
- Added python dependency, needed by managementgen
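Review bot: `Requires: cyrus-sasl` may not be enough for the `mech_list: plain anonymous` shipped in sasl2/qpidd.conf: on Fedora/RHEL the PLAIN and LOGIN plugins are, as far as I know, packaged separately as cyrus-sasl-plain, so a broker installed from this package could have no PLAIN mechanism available at runtime; worth verifying on the target distribution and adding `Requires: cyrus-sasl-plain` if that is the case. The `%attr(600, qpidd, qpidd)` on qpidd.sasldb is the right mode for a credential database; since `%config(noreplace)` keeps an existing database across upgrades, the changelog entry could also mention that the shipped database contains only the default guest account.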
diff --git a/qpid/cpp/src/qpid/broker/Broker.cpp b/qpid/cpp/src/qpid/broker/Broker.cpp
index 4917502fdf..e9b1db0413 100644
--- a/qpid/cpp/src/qpid/broker/Broker.cpp
+++ b/qpid/cpp/src/qpid/broker/Broker.cpp
@@ -85,6 +85,7 @@ Broker::Options::Options(const std::string& name) :
#else
auth(false),
#endif
+ realm("QPID"),
ack(0)
{
int c = sys::SystemInfo::concurrency();
@@ -110,6 +111,8 @@ Broker::Options::Options(const std::string& name) :
"Management Publish Interval")
("auth", optValue(auth, "yes|no"),
"Enable authentication, if disabled all incoming connections will be trusted")
+ ("realm", optValue(realm, "REALM"),
+ "Use the given realm when performing authentication")
("ack", optValue(ack, "N"),
"Send session.ack/solicit-ack at least every N frames. 0 disables voluntary ack/solitict-ack");
}
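Review bot: The help text for the new `realm` option does not say that the value has to match the realm the sasldb users were created under (`saslpasswd2 -u`), which is the whole reason the option exists according to the comments in etc/Makefile.am and sasl2/qpidd.conf; a mismatch silently fails authentication. Suggest `"Use the given realm when performing authentication; must match the realm (saslpasswd2 -u) the sasldb users were created in"`. The `realm("QPID")` default in the first hunk is also only meaningful under HAVE_SASL, which a short comment there could note. Broker::Options::Options begins before the first hunk and its body runs between the two hunks.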
diff --git a/qpid/cpp/src/qpid/broker/Broker.h b/qpid/cpp/src/qpid/broker/Broker.h
index 7297241763..e48f3dc23f 100644
--- a/qpid/cpp/src/qpid/broker/Broker.h
+++ b/qpid/cpp/src/qpid/broker/Broker.h
@@ -80,6 +80,7 @@ class Broker : public sys::Runnable, public Plugin::Target,
bool enableMgmt;
uint16_t mgmtPubInterval;
bool auth;
+ std::string realm;
uint32_t ack;
};
diff --git a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
index 56718502f1..d48b258ba2 100644
--- a/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
+++ b/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
@@ -109,8 +109,26 @@ CyrusAuthenticator::CyrusAuthenticator(Connection& c) : sasl_conn(0), connection
void CyrusAuthenticator::init()
{
- int code = sasl_server_new(BROKER_SASL_NAME,
- NULL, NULL, NULL, NULL, NULL, 0,
+ /* Next to the service name, which specifies the
+ * /etc/sasl2/<service name>.conf file to read, the realm is
+ * currently the most important argument below. When
+ * performing authentication the user that is authenticating
+ * will be looked up in a specific realm. If none is given
+ * then the realm defaults to the hostname, which can cause
+ * confusion when the daemon is run on different hosts that
+ * may be logically sharing a realm (aka a user domain). This
+ * is especially important for SASL PLAIN authentication,
+ * which cannot specify a realm for the user that is
+ * authenticating.
+ */
+ const char *realm = connection.getBroker().getOptions().realm.c_str();
+ int code = sasl_server_new(BROKER_SASL_NAME, /* Service name */
+ NULL, /* Server FQDN, gethostname() */
+ realm, /* Authentication realm */
+ NULL, /* Local IP, needed for some mechanism */
+ NULL, /* Remote IP, needed for some mechanism */
+ NULL, /* Callbacks */
+ 0, /* Connection flags */
&sasl_conn);
if (SASL_OK != code) {
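Review bot: An empty `--realm` value reaches sasl_server_new as `""` rather than NULL, because `realm.c_str()` on the `const char *realm = ...` line never yields a null pointer, so the hostname default that the new comment block describes can no longer be selected from the command line. Mapping empty to NULL keeps the option's documented semantics: `const std::string& r = connection.getBroker().getOptions().realm;` then `const char *realm = r.empty() ? NULL : r.c_str();`. The pointer is only passed for the duration of the call, which is fine provided sasl_server_new copies the realm string rather than retaining the pointer — I believe the Cyrus implementation does, but it is worth confirming against the libsasl version in use. CyrusAuthenticator::init continues past the end of the hunk.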