1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
/*
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
#include "CredentialsExchange.h"
#include "Cluster.h"
#include "qpid/broker/ConnectionState.h"
#include "qpid/framing/reply_exceptions.h"
#include "qpid/sys/Time.h"
namespace qpid {
namespace cluster {
using namespace std;
const string CredentialsExchange::NAME=("qpid.cluster-credentials");
namespace {
const string ANONYMOUS_MECH("ANONYMOUS");
const string ANONYMOUS_USER("anonymous");
string effectiveUserId(const string& username, const string& mechanism) {
if (mechanism == ANONYMOUS_MECH && username.empty())
return ANONYMOUS_USER;
else
return username;
}
}
CredentialsExchange::CredentialsExchange(Cluster& cluster)
: broker::Exchange(NAME, &cluster),
username(effectiveUserId(cluster.getSettings().username,
cluster.getSettings().mechanism)),
timeout(120*sys::TIME_SEC),
authenticate(cluster.getBroker().getOptions().auth)
{}
static const string anonymous("anonymous");
bool CredentialsExchange::check(MemberId member) {
sys::Mutex::ScopedLock l(lock);
Map::iterator i = map.find(member);
if (i == map.end()) return false;
bool valid = (sys::Duration(i->second, sys::AbsTime::now()) < timeout);
map.erase(i);
return valid;
}
void CredentialsExchange::route(broker::Deliverable& msg) {
const framing::FieldTable* args = msg.getMessage().getApplicationHeaders();
sys::Mutex::ScopedLock l(lock);
const broker::ConnectionState* connection =
static_cast<const broker::ConnectionState*>(msg.getMessage().getPublisher());
if (authenticate && !connection->isAuthenticatedUser(username))
throw framing::UnauthorizedAccessException(
QPID_MSG("Unauthorized user " << connection->getUserId() << " for " << NAME
<< ", should be " << username));
if (!args || !args->isSet(NAME))
throw framing::InvalidArgumentException(
QPID_MSG("Invalid message received by " << NAME));
MemberId member(args->getAsUInt64(NAME));
map[member] = sys::AbsTime::now();
}
string CredentialsExchange::getType() const { return NAME; }
namespace {
void throwIllegal() {
throw framing::NotAllowedException(
QPID_MSG("Illegal use of " << CredentialsExchange::NAME+" exchange"));
}
}
bool CredentialsExchange::bind(boost::shared_ptr<broker::Queue> , const string& /*routingKey*/, const framing::FieldTable* ) { throwIllegal(); return false; }
bool CredentialsExchange::unbind(boost::shared_ptr<broker::Queue> , const string& /*routingKey*/, const framing::FieldTable* ) { throwIllegal(); return false; }
bool CredentialsExchange::isBound(boost::shared_ptr<broker::Queue>, const string* const /*routingKey*/, const framing::FieldTable* const ) { throwIllegal(); return false; }
}} // Namespace qpid::cluster
|