summaryrefslogtreecommitdiff
path: root/qpid/cpp
diff options
context:
space:
mode:
Diffstat (limited to 'qpid/cpp')
-rw-r--r--qpid/cpp/src/qpid/acl/Acl.cpp25
-rw-r--r--qpid/cpp/src/qpid/acl/Acl.h16
-rw-r--r--qpid/cpp/src/qpid/broker/AclModule.h8
-rw-r--r--qpid/cpp/src/qpid/broker/SemanticState.cpp10
-rw-r--r--qpid/cpp/src/qpid/broker/SemanticState.h4
-rw-r--r--qpid/cpp/src/qpid/broker/SessionAdapter.cpp4
6 files changed, 53 insertions, 14 deletions
diff --git a/qpid/cpp/src/qpid/acl/Acl.cpp b/qpid/cpp/src/qpid/acl/Acl.cpp
index 7fceba8b1a..9f6917a006 100644
--- a/qpid/cpp/src/qpid/acl/Acl.cpp
+++ b/qpid/cpp/src/qpid/acl/Acl.cpp
@@ -34,7 +34,7 @@ namespace acl {
using namespace std;
- Acl::Acl (AclValues& av, broker::Broker& b): aclValues(av), broker(&b)
+ Acl::Acl (AclValues& av, broker::Broker& b): aclValues(av), broker(&b), transferAcl(false)
{
if (!readAclFile()) throw Exception("Could not read ACL file");
QPID_LOG(info, "ACL Plugin loaded");
@@ -76,6 +76,24 @@ using namespace std;
// add real ACL check here...
AclResult aclreslt = ALLOWLOG; // hack to test, set based on real decision.
+
+ return result(aclreslt, id, action, objType, name);
+ }
+
+ bool Acl::authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string ExchangeName, std::string /*RoutingKey*/)
+ {
+ if (aclValues.noEnforce) return true;
+
+ // add real ACL check here...
+ AclResult aclreslt = ALLOWLOG; // hack to test, set based on real decision.
+
+
+ return result(aclreslt, id, action, objType, ExchangeName);
+ }
+
+
+ bool Acl::result(AclResult aclreslt, std::string id, acl::Action action, acl::ObjectType objType, std::string name)
+ {
switch (aclreslt)
{
case ALLOWLOG:
@@ -89,12 +107,13 @@ using namespace std;
QPID_LOG(info, "ACL Deny id:" << id << " action:" << printAction(action) << " ObjectType:" << printObjType(objType) << " Name:" << name);
return false;
}
-
return false;
}
-
+
bool Acl::readAclFile()
{
+ // only set transferAcl = true if a rule implies the use of ACL on transfer, else keep false for permormance reasons.
+
return true;
}
diff --git a/qpid/cpp/src/qpid/acl/Acl.h b/qpid/cpp/src/qpid/acl/Acl.h
index 98400eb33d..f460fb0c5e 100644
--- a/qpid/cpp/src/qpid/acl/Acl.h
+++ b/qpid/cpp/src/qpid/acl/Acl.h
@@ -48,22 +48,28 @@ struct AclValues {
class Acl : public broker::AclModule, public RefCounted
{
+private:
+ acl::AclValues aclValues;
+ broker::Broker* broker;
+ bool transferAcl;
+
+
public:
Acl (AclValues& av, broker::Broker& b);
void initialize();
- virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name, std::map<std::string, std::string>* params);
+ inline virtual bool doTransferAcl() {return transferAcl;};
+
// create specilied authorise methods for cases that need faster matching as needed.
+ virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name, std::map<std::string, std::string>* params);
+ virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string ExchangeName, std::string RoutingKey);
virtual ~Acl();
private:
std::string printAction(acl::Action action);
std::string printObjType(acl::ObjectType objType);
-
- acl::AclValues aclValues;
- broker::Broker* broker;
-
+ bool result(AclResult aclreslt, std::string id, acl::Action action, acl::ObjectType objType, std::string name);
bool readAclFile();
};
diff --git a/qpid/cpp/src/qpid/broker/AclModule.h b/qpid/cpp/src/qpid/broker/AclModule.h
index dfb365158d..568e339a22 100644
--- a/qpid/cpp/src/qpid/broker/AclModule.h
+++ b/qpid/cpp/src/qpid/broker/AclModule.h
@@ -44,7 +44,13 @@ class AclModule
public:
- virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name, std::map<std::string, std::string>* params)=0;
+ // effienty turn off ACL on message transfer.
+ virtual bool doTransferAcl()=0;
+
+ virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string name,
+ std::map<std::string, std::string>* params)=0;
+ virtual bool authorise(std::string id, acl::Action action, acl::ObjectType objType, std::string ExchangeName,
+ std::string RoutingKey)=0;
// create specilied authorise methods for cases that need faster matching as needed.
virtual ~AclModule() {};
diff --git a/qpid/cpp/src/qpid/broker/SemanticState.cpp b/qpid/cpp/src/qpid/broker/SemanticState.cpp
index 1cbde08630..484a406c3b 100644
--- a/qpid/cpp/src/qpid/broker/SemanticState.cpp
+++ b/qpid/cpp/src/qpid/broker/SemanticState.cpp
@@ -33,6 +33,7 @@
#include "qpid/framing/MessageTransferBody.h"
#include "qpid/log/Statement.h"
#include "qpid/ptr_map.h"
+#include "AclModule.h"
#include <boost/bind.hpp>
#include <boost/format.hpp>
@@ -65,6 +66,7 @@ SemanticState::SemanticState(DeliveryAdapter& da, SessionContext& ss)
outputTasks(ss)
{
outstanding.reset();
+ acl = getSession().getBroker().getAcl();
}
SemanticState::~SemanticState() {
@@ -258,7 +260,7 @@ SemanticState::ConsumerImpl::ConsumerImpl(SemanticState* _parent,
blocked(true),
windowing(true),
msgCredit(0),
- byteCredit(0) {}
+ byteCredit(0){}
OwnershipToken* SemanticState::ConsumerImpl::getSession()
{
@@ -356,6 +358,12 @@ void SemanticState::route(intrusive_ptr<Message> msg, Deliverable& strategy) {
cacheExchange = session.getBroker().getExchanges().get(exchangeName);
}
+ if (acl && acl->doTransferAcl())
+ {
+ if (!acl->authorise(getSession().getConnection().getUserId(),acl::PUBLISH,acl::EXCHANGE,exchangeName, msg->getRoutingKey() ))
+ throw NotAllowedException("ACL denied exhange publish request");
+ }
+
cacheExchange->route(strategy, msg->getRoutingKey(), msg->getApplicationHeaders());
if (!strategy.delivered) {
diff --git a/qpid/cpp/src/qpid/broker/SemanticState.h b/qpid/cpp/src/qpid/broker/SemanticState.h
index 0c3b715784..a0424bf747 100644
--- a/qpid/cpp/src/qpid/broker/SemanticState.h
+++ b/qpid/cpp/src/qpid/broker/SemanticState.h
@@ -38,6 +38,7 @@
#include "qpid/framing/Uuid.h"
#include "qpid/sys/AggregateOutput.h"
#include "qpid/shared_ptr.h"
+#include "AclModule.h"
#include <list>
#include <map>
@@ -117,7 +118,8 @@ class SemanticState : public sys::OutputTask,
framing::SequenceSet accumulatedAck;
boost::shared_ptr<Exchange> cacheExchange;
sys::AggregateOutput outputTasks;
-
+ AclModule* acl;
+
void route(boost::intrusive_ptr<Message> msg, Deliverable& strategy);
void record(const DeliveryRecord& delivery);
bool checkPrefetch(boost::intrusive_ptr<Message>& msg);
diff --git a/qpid/cpp/src/qpid/broker/SessionAdapter.cpp b/qpid/cpp/src/qpid/broker/SessionAdapter.cpp
index bf4cd39393..1aeced49c1 100644
--- a/qpid/cpp/src/qpid/broker/SessionAdapter.cpp
+++ b/qpid/cpp/src/qpid/broker/SessionAdapter.cpp
@@ -153,9 +153,7 @@ void SessionAdapter::ExchangeHandlerImpl::bind(const string& queueName,
AclModule* acl = getBroker().getAcl();
if (acl)
{
- std::map<std::string, std::string> params;
- params.insert(make_pair("RKEY", routingKey));
- if (!acl->authorise(getConnection().getUserId(),acl::BIND,acl::EXCHANGE,exchangeName,&params) )
+ if (!acl->authorise(getConnection().getUserId(),acl::BIND,acl::EXCHANGE,exchangeName,routingKey) )
throw NotAllowedException("ACL denied exhange bind request");
}
View Lorry Controller Status