diff options
Diffstat (limited to 'qpid/cpp/src/qpid/broker/windows')
-rw-r--r-- | qpid/cpp/src/qpid/broker/windows/BrokerDefaults.cpp | 47 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/broker/windows/SaslAuthenticator.cpp | 193 | ||||
-rw-r--r-- | qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp | 297 |
3 files changed, 537 insertions, 0 deletions
diff --git a/qpid/cpp/src/qpid/broker/windows/BrokerDefaults.cpp b/qpid/cpp/src/qpid/broker/windows/BrokerDefaults.cpp new file mode 100644 index 0000000000..b65440b5ad --- /dev/null +++ b/qpid/cpp/src/qpid/broker/windows/BrokerDefaults.cpp @@ -0,0 +1,47 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + +#include "qpid/broker/Broker.h" +#include <stdlib.h> + +namespace qpid { +namespace broker { + +const std::string Broker::Options::DEFAULT_DATA_DIR_LOCATION("\\TEMP"); +const std::string Broker::Options::DEFAULT_DATA_DIR_NAME("\\QPIDD.DATA"); + +std::string +Broker::Options::getHome() { + std::string home; +#ifdef _MSC_VER + char home_c[MAX_PATH+1]; + size_t unused; + if (0 == getenv_s (&unused, home_c, sizeof(home_c), "HOME")) + home += home_c; +#else + char *home_c = getenv("HOME"); + if (home_c) + home += home_c; +#endif + return home; +} + +}} // namespace qpid::broker diff --git a/qpid/cpp/src/qpid/broker/windows/SaslAuthenticator.cpp b/qpid/cpp/src/qpid/broker/windows/SaslAuthenticator.cpp new file mode 100644 index 0000000000..962877a471 --- /dev/null +++ b/qpid/cpp/src/qpid/broker/windows/SaslAuthenticator.cpp @@ -0,0 +1,193 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + +// This source is only used on Windows; SSPI is the Windows mechanism for +// accessing authentication mechanisms, analogous to Cyrus SASL. + +#include "qpid/broker/Connection.h" +#include "qpid/log/Statement.h" +#include "qpid/framing/reply_exceptions.h" + +#include <windows.h> + +using namespace qpid::framing; +using qpid::sys::SecurityLayer; + +namespace qpid { +namespace broker { + +class NullAuthenticator : public SaslAuthenticator +{ + Connection& connection; + framing::AMQP_ClientProxy::Connection client; +public: + NullAuthenticator(Connection& connection); + ~NullAuthenticator(); + void getMechanisms(framing::Array& mechanisms); + void start(const std::string& mechanism, const std::string& response); + void step(const std::string&) {} + std::auto_ptr<SecurityLayer> getSecurityLayer(uint16_t maxFrameSize); +}; + +class SspiAuthenticator : public SaslAuthenticator +{ + HANDLE userToken; + Connection& connection; + framing::AMQP_ClientProxy::Connection client; + +public: + SspiAuthenticator(Connection& connection); + ~SspiAuthenticator(); + void getMechanisms(framing::Array& mechanisms); + void start(const std::string& mechanism, const std::string& response); + void step(const std::string& response); + std::auto_ptr<SecurityLayer> getSecurityLayer(uint16_t maxFrameSize); +}; + +bool SaslAuthenticator::available(void) +{ + return true; +} + +// Initialize the SASL mechanism; throw if it fails. +void SaslAuthenticator::init(const std::string& /*saslName*/, const std::string& /*saslConfig*/) +{ + return; +} + +void SaslAuthenticator::fini(void) +{ + return; +} + +std::auto_ptr<SaslAuthenticator> SaslAuthenticator::createAuthenticator(Connection& c, bool) +{ + if (c.getBroker().getOptions().auth) { + return std::auto_ptr<SaslAuthenticator>(new SspiAuthenticator(c)); + } else { + return std::auto_ptr<SaslAuthenticator>(new NullAuthenticator(c)); + } +} + +NullAuthenticator::NullAuthenticator(Connection& c) : connection(c), client(c.getOutput()) {} +NullAuthenticator::~NullAuthenticator() {} + +void NullAuthenticator::getMechanisms(Array& mechanisms) +{ + mechanisms.add(boost::shared_ptr<FieldValue>(new Str16Value("ANONYMOUS"))); +} + +void NullAuthenticator::start(const string& mechanism, const string& response) +{ + QPID_LOG(warning, "SASL: No Authentication Performed"); + if (mechanism == "PLAIN") { // Old behavior + if (response.size() > 0 && response[0] == (char) 0) { + string temp = response.substr(1); + string::size_type i = temp.find((char)0); + string uid = temp.substr(0, i); + string pwd = temp.substr(i + 1); + connection.setUserId(uid); + } + } else { + connection.setUserId("anonymous"); + } + client.tune(framing::CHANNEL_MAX, connection.getFrameMax(), 0, 0); +} + +std::auto_ptr<SecurityLayer> NullAuthenticator::getSecurityLayer(uint16_t) +{ + std::auto_ptr<SecurityLayer> securityLayer; + return securityLayer; +} + + +SspiAuthenticator::SspiAuthenticator(Connection& c) : userToken(INVALID_HANDLE_VALUE), connection(c), client(c.getOutput()) +{ +} + +SspiAuthenticator::~SspiAuthenticator() +{ + if (INVALID_HANDLE_VALUE != userToken) { + CloseHandle(userToken); + userToken = INVALID_HANDLE_VALUE; + } +} + +void SspiAuthenticator::getMechanisms(Array& mechanisms) +{ + mechanisms.add(boost::shared_ptr<FieldValue>(new Str16Value(string("ANONYMOUS")))); + mechanisms.add(boost::shared_ptr<FieldValue>(new Str16Value(string("PLAIN")))); + QPID_LOG(info, "SASL: Mechanism list: ANONYMOUS PLAIN"); +} + +void SspiAuthenticator::start(const string& mechanism, const string& response) +{ + QPID_LOG(info, "SASL: Starting authentication with mechanism: " << mechanism); + if (mechanism == "ANONYMOUS") { + connection.setUserId("anonymous"); + client.tune(framing::CHANNEL_MAX, connection.getFrameMax(), 0, 0); + return; + } + if (mechanism != "PLAIN") + throw ConnectionForcedException("Unsupported mechanism"); + + // PLAIN's response is composed of 3 strings separated by 0 bytes: + // authorization id, authentication id (user), clear-text password. + if (response.size() == 0) + throw ConnectionForcedException("Authentication failed"); + + string::size_type i = response.find((char)0); + string auth = response.substr(0, i); + string::size_type j = response.find((char)0, i+1); + string uid = response.substr(i+1, j-1); + string pwd = response.substr(j+1); + string dot("."); + int error = 0; + if (!LogonUser(const_cast<char*>(uid.c_str()), + const_cast<char*>(dot.c_str()), + const_cast<char*>(pwd.c_str()), + LOGON32_LOGON_NETWORK, + LOGON32_PROVIDER_DEFAULT, + &userToken)) + error = GetLastError(); + pwd.replace(0, string::npos, 1, (char)0); + if (error != 0) { + QPID_LOG(info, + "SASL: Auth failed [" << error << "]: " << qpid::sys::strError(error)); + throw ConnectionForcedException("Authentication failed"); + } + + connection.setUserId(uid); + client.tune(framing::CHANNEL_MAX, connection.getFrameMax(), 0, 0); +} + +void SspiAuthenticator::step(const string& /*response*/) +{ + QPID_LOG(info, "SASL: Need another step!!!"); +} + +std::auto_ptr<SecurityLayer> SspiAuthenticator::getSecurityLayer(uint16_t) +{ + std::auto_ptr<SecurityLayer> securityLayer; + return securityLayer; +} + +}} diff --git a/qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp b/qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp new file mode 100644 index 0000000000..676074a590 --- /dev/null +++ b/qpid/cpp/src/qpid/broker/windows/SslProtocolFactory.cpp @@ -0,0 +1,297 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + +#include "qpid/sys/ProtocolFactory.h" + +#include "qpid/Plugin.h" +#include "qpid/broker/Broker.h" +#include "qpid/log/Statement.h" +#include "qpid/sys/AsynchIOHandler.h" +#include "qpid/sys/ConnectionCodec.h" +#include "qpid/sys/Socket.h" +#include "qpid/sys/SystemInfo.h" +#include "qpid/sys/windows/SslAsynchIO.h" +#include <boost/bind.hpp> +#include <memory> +// security.h needs to see this to distinguish from kernel use. +#define SECURITY_WIN32 +#include <security.h> +#include <Schnlsp.h> +#undef SECURITY_WIN32 + + +namespace qpid { +namespace sys { +namespace windows { + +struct SslServerOptions : qpid::Options +{ + std::string certStore; + std::string certName; + uint16_t port; + bool clientAuth; + + SslServerOptions() : qpid::Options("SSL Options"), + certStore("My"), port(5671), clientAuth(false) + { + qpid::Address me; + if (qpid::sys::SystemInfo::getLocalHostname(me)) + certName = me.host; + else + certName = "localhost"; + + addOptions() + ("ssl-cert-store", optValue(certStore, "NAME"), "Local store name from which to obtain certificate") + ("ssl-cert-name", optValue(certName, "NAME"), "Name of the certificate to use") + ("ssl-port", optValue(port, "PORT"), "Port on which to listen for SSL connections") + ("ssl-require-client-authentication", optValue(clientAuth), + "Forces clients to authenticate in order to establish an SSL connection"); + } +}; + +class SslProtocolFactory : public qpid::sys::ProtocolFactory { + qpid::sys::Socket listener; + const bool tcpNoDelay; + const uint16_t listeningPort; + std::string brokerHost; + const bool clientAuthSelected; + std::auto_ptr<qpid::sys::AsynchAcceptor> acceptor; + ConnectFailedCallback connectFailedCallback; + CredHandle credHandle; + + public: + SslProtocolFactory(const SslServerOptions&, int backlog, bool nodelay); + ~SslProtocolFactory(); + void accept(sys::Poller::shared_ptr, sys::ConnectionCodec::Factory*); + void connect(sys::Poller::shared_ptr, const std::string& host, const std::string& port, + sys::ConnectionCodec::Factory*, + ConnectFailedCallback failed); + + uint16_t getPort() const; + bool supports(const std::string& capability); + + private: + void connectFailed(const qpid::sys::Socket&, + int err, + const std::string& msg); + void established(sys::Poller::shared_ptr, + const qpid::sys::Socket&, + sys::ConnectionCodec::Factory*, + bool isClient); +}; + +// Static instance to initialise plugin +static struct SslPlugin : public Plugin { + SslServerOptions options; + + Options* getOptions() { return &options; } + + void earlyInitialize(Target&) { + } + + void initialize(Target& target) { + broker::Broker* broker = dynamic_cast<broker::Broker*>(&target); + // Only provide to a Broker + if (broker) { + try { + const broker::Broker::Options& opts = broker->getOptions(); + ProtocolFactory::shared_ptr protocol(new SslProtocolFactory(options, + opts.connectionBacklog, + opts.tcpNoDelay)); + QPID_LOG(notice, "Listening for SSL connections on TCP port " << protocol->getPort()); + broker->registerProtocolFactory("ssl", protocol); + } catch (const std::exception& e) { + QPID_LOG(error, "Failed to initialise SSL listener: " << e.what()); + } + } + } +} sslPlugin; + +SslProtocolFactory::SslProtocolFactory(const SslServerOptions& options, + int backlog, + bool nodelay) + : tcpNoDelay(nodelay), + listeningPort(listener.listen("", boost::lexical_cast<std::string>(options.port), backlog)), + clientAuthSelected(options.clientAuth) { + + SecInvalidateHandle(&credHandle); + + // Get the certificate for this server. + HCERTSTORE certStoreHandle; + certStoreHandle = ::CertOpenStore(CERT_STORE_PROV_SYSTEM_A, + X509_ASN_ENCODING, + 0, + CERT_SYSTEM_STORE_LOCAL_MACHINE, + options.certStore.c_str()); + if (!certStoreHandle) + throw qpid::Exception(QPID_MSG("Opening store " << options.certStore << " " << qpid::sys::strError(GetLastError()))); + + PCCERT_CONTEXT certContext; + certContext = ::CertFindCertificateInStore(certStoreHandle, + X509_ASN_ENCODING, + 0, + CERT_FIND_SUBJECT_STR_A, + options.certName.c_str(), + NULL); + if (certContext == NULL) { + int err = ::GetLastError(); + ::CertCloseStore(certStoreHandle, 0); + throw qpid::Exception(QPID_MSG("Locating certificate " << options.certName << " in store " << options.certStore << " " << qpid::sys::strError(GetLastError()))); + throw QPID_WINDOWS_ERROR(err); + } + + SCHANNEL_CRED cred; + memset(&cred, 0, sizeof(cred)); + cred.dwVersion = SCHANNEL_CRED_VERSION; + cred.cCreds = 1; + cred.paCred = &certContext; + SECURITY_STATUS status = ::AcquireCredentialsHandle(NULL, + UNISP_NAME, + SECPKG_CRED_INBOUND, + NULL, + &cred, + NULL, + NULL, + &credHandle, + NULL); + if (status != SEC_E_OK) + throw QPID_WINDOWS_ERROR(status); + ::CertFreeCertificateContext(certContext); + ::CertCloseStore(certStoreHandle, 0); +} + +SslProtocolFactory::~SslProtocolFactory() { + ::FreeCredentialsHandle(&credHandle); +} + +void SslProtocolFactory::connectFailed(const qpid::sys::Socket&, + int err, + const std::string& msg) { + if (connectFailedCallback) + connectFailedCallback(err, msg); +} + +void SslProtocolFactory::established(sys::Poller::shared_ptr poller, + const qpid::sys::Socket& s, + sys::ConnectionCodec::Factory* f, + bool isClient) { + sys::AsynchIOHandler* async = new sys::AsynchIOHandler(s.getFullAddress(), f); + + if (tcpNoDelay) { + s.setTcpNoDelay(); + QPID_LOG(info, + "Set TCP_NODELAY on connection to " << s.getPeerAddress()); + } + + SslAsynchIO *aio; + if (isClient) { + async->setClient(); + aio = + new qpid::sys::windows::ClientSslAsynchIO(brokerHost, + s, + credHandle, + boost::bind(&AsynchIOHandler::readbuff, async, _1, _2), + boost::bind(&AsynchIOHandler::eof, async, _1), + boost::bind(&AsynchIOHandler::disconnect, async, _1), + boost::bind(&AsynchIOHandler::closedSocket, async, _1, _2), + boost::bind(&AsynchIOHandler::nobuffs, async, _1), + boost::bind(&AsynchIOHandler::idle, async, _1)); + } + else { + aio = + new qpid::sys::windows::ServerSslAsynchIO(clientAuthSelected, + s, + credHandle, + boost::bind(&AsynchIOHandler::readbuff, async, _1, _2), + boost::bind(&AsynchIOHandler::eof, async, _1), + boost::bind(&AsynchIOHandler::disconnect, async, _1), + boost::bind(&AsynchIOHandler::closedSocket, async, _1, _2), + boost::bind(&AsynchIOHandler::nobuffs, async, _1), + boost::bind(&AsynchIOHandler::idle, async, _1)); + } + + async->init(aio, 4); + aio->start(poller); +} + +uint16_t SslProtocolFactory::getPort() const { + return listeningPort; // Immutable no need for lock. +} + +void SslProtocolFactory::accept(sys::Poller::shared_ptr poller, + sys::ConnectionCodec::Factory* fact) { + acceptor.reset( + AsynchAcceptor::create(listener, + boost::bind(&SslProtocolFactory::established, this, poller, _1, fact, false))); + acceptor->start(poller); +} + +void SslProtocolFactory::connect(sys::Poller::shared_ptr poller, + const std::string& host, + const std::string& port, + sys::ConnectionCodec::Factory* fact, + ConnectFailedCallback failed) +{ + SCHANNEL_CRED cred; + memset(&cred, 0, sizeof(cred)); + cred.dwVersion = SCHANNEL_CRED_VERSION; + SECURITY_STATUS status = ::AcquireCredentialsHandle(NULL, + UNISP_NAME, + SECPKG_CRED_OUTBOUND, + NULL, + &cred, + NULL, + NULL, + &credHandle, + NULL); + if (status != SEC_E_OK) + throw QPID_WINDOWS_ERROR(status); + + brokerHost = host; + // Note that the following logic does not cause a memory leak. + // The allocated Socket is freed either by the AsynchConnector + // upon connection failure or by the AsynchIO upon connection + // shutdown. The allocated AsynchConnector frees itself when it + // is no longer needed. + qpid::sys::Socket* socket = new qpid::sys::Socket(); + connectFailedCallback = failed; + AsynchConnector::create(*socket, + host, + port, + boost::bind(&SslProtocolFactory::established, + this, poller, _1, fact, true), + boost::bind(&SslProtocolFactory::connectFailed, + this, _1, _2, _3)); +} + +namespace +{ +const std::string SSL = "ssl"; +} + +bool SslProtocolFactory::supports(const std::string& capability) +{ + std::string s = capability; + transform(s.begin(), s.end(), s.begin(), tolower); + return s == SSL; +} + +}}} // namespace qpid::sys::windows |