Author: chug
Date: Thu Feb 23 19:13:12 2012
New Revision: 1292905
URL: http://svn.apache.org/viewvc?rev=1292905&view=rev
Log:
QPID-3799 ACL processing
1. Reformat AclData::lookup function.
2. Break int limit comparison code out of lookup().
Modified:
qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.cpp
qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.h
qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.cpp
qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.h
qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclValidator.cpp
qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/AclModule.h
qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/Broker.cpp
qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/SessionAdapter.cpp
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.cpp?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.cpp (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.cpp Thu Feb 23 19:13:12
2012
@@ -66,7 +66,12 @@ Acl::Acl (AclValues& av, Broker& b): acl
if (mgmtObject!=0) mgmtObject->set_enforcingAcl(1);
}
-bool Acl::authorise(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& name, std::map<Property, std::string>*
params)
+bool Acl::authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params)
{
boost::shared_ptr<AclData> dataLocal;
{
@@ -81,7 +86,12 @@ bool Acl::authorise(const std::string& i
return result(aclreslt, id, action, objType, name);
}
-bool Acl::authorise(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& ExchangeName, const std::string&
RoutingKey)
+bool Acl::authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey)
{
boost::shared_ptr<AclData> dataLocal;
{
@@ -96,33 +106,47 @@ bool Acl::authorise(const std::string& i
}
-bool Acl::result(const AclResult& aclreslt, const std::string& id, const
Action& action, const ObjectType& objType, const std::string& name)
+bool Acl::result(
+ const AclResult& aclreslt,
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name)
{
+ bool result(false);
+
switch (aclreslt)
{
case ALLOWLOG:
QPID_LOG(info, "ACL Allow id:" << id <<" action:" <<
AclHelper::getActionStr(action) <<
- " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:"
<< name );
+ " ObjectType:" << AclHelper::getObjectTypeStr(objType) << "
Name:" << name );
agent->raiseEvent(_qmf::EventAllow(id,
AclHelper::getActionStr(action),
- AclHelper::getObjectTypeStr(objType),
- name, types::Variant::Map()));
+ AclHelper::getObjectTypeStr(objType),
+ name, types::Variant::Map()));
// FALLTHROUGH
case ALLOW:
- return true;
+ result = true;
+ break;
case DENYLOG:
QPID_LOG(info, "ACL Deny id:" << id << " action:" <<
AclHelper::getActionStr(action) <<
- " ObjectType:" << AclHelper::getObjectTypeStr(objType) << " Name:"
<< name);
+ " ObjectType:" << AclHelper::getObjectTypeStr(objType) << "
Name:" << name);
agent->raiseEvent(_qmf::EventDeny(id, AclHelper::getActionStr(action),
AclHelper::getObjectTypeStr(objType),
name, types::Variant::Map()));
// FALLTHROUGH
case DENY:
- if (mgmtObject!=0) mgmtObject->inc_aclDenyCount();
- return false;
+ if (mgmtObject!=0)
+ mgmtObject->inc_aclDenyCount();
+ result = false;
+ break;
+
+ default:
+ assert (false);
}
- assert(false);
- return false;
+
+ QPID_LOG(debug, "ACL result() returns " << result);
+ return result;
}
bool Acl::readAclFile(std::string& errorText)
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.h
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.h?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.h (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/Acl.h Thu Feb 23 19:13:12 2012
@@ -66,12 +66,29 @@ public:
inline virtual bool doTransferAcl() {return transferAcl;};
// create specilied authorise methods for cases that need faster matching
as needed.
- virtual bool authorise(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& name, std::map<Property, std::string>*
params=0);
- virtual bool authorise(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& ExchangeName,const std::string&
RoutingKey);
+ virtual bool authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property,
+ std::string>* params=0);
+
+ virtual bool authorise(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey);
virtual ~Acl();
private:
- bool result(const AclResult& aclreslt, const std::string& id, const Action&
action, const ObjectType& objType, const std::string& name);
+ bool result(
+ const AclResult& aclreslt,
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name);
bool readAclFile(std::string& errorText);
bool readAclFile(std::string& aclFile, std::string& errorText);
virtual qpid::management::ManagementObject* GetManagementObject(void) const;
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.cpp?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.cpp (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.cpp Thu Feb 23
19:13:12 2012
@@ -52,114 +52,162 @@ namespace acl {
}
}
- AclResult AclData::lookup(const std::string& id, const Action& action,
const ObjectType& objType,
- const std::string& name, std::map<Property, std::string>* params) {
+ AclResult AclData::lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params) {
+
+ QPID_LOG(debug, "ACL: Lookup for id:" << id
+ << " action:" << AclHelper::getActionStr((Action) action)
+ << " objectType:" <<
AclHelper::getObjectTypeStr((ObjectType) objType)
+ << " name:" << name
+ << " with params " <<
AclHelper::propertyMapToString(params));
+
+ // A typical log looks like:
+ // ACL: Lookup for id:bob@QPID action:create objectType:queue name:q2
with params { durable=false
+ // passive=false autodelete=false exclusive=false alternate=
policytype= maxqueuesize=0 maxqueuecount=0 }
+
+ // Default result is blanket decision mode for the entire ACL list.
+ AclResult aclresult = decisionMode;
- QPID_LOG(debug, "ACL: Lookup for id:" << id << " action:" <<
AclHelper::getActionStr((Action) action)
- << " objectType:" <<
AclHelper::getObjectTypeStr((ObjectType) objType) << " name:" << name
- << " with params " <<
AclHelper::propertyMapToString(params));
-
- AclResult aclresult = decisionMode;
- if (actionList[action] && actionList[action][objType]) {
- AclData::actObjItr itrRule =
actionList[action][objType]->find(id);
- if (itrRule == actionList[action][objType]->end())
- itrRule = actionList[action][objType]->find("*");
-
- if (itrRule != actionList[action][objType]->end()) {
-
- //loop the vector
- ruleSetItr rsItr = itrRule->second.end();
- for (int cnt = itrRule->second.size(); cnt != 0; cnt--) {
- rsItr--;
- QPID_LOG(debug, "ACL: checking rule " <<
rsItr->toString());
- // loop the names looking for match
- bool match = true;
- for (propertyMapItr pMItr = rsItr->props.begin();
(pMItr != rsItr->props.end()) && match; pMItr++) {
- //match name is exists first
- if (pMItr->first == acl::PROP_NAME) {
- if (matchProp(pMItr->second, name)){
- QPID_LOG(debug, "ACL: lookup name '" <<
name << "' matched with rule name '"
- << pMItr->second << "'");
- }else{
- match = false;
- QPID_LOG(debug, "ACL: lookup name '" <<
name << "' didn't match with rule name '"
- << pMItr->second << "'");
- }
- } else if (params) { //match pMItr against params
- propertyMapItr paramItr =
params->find(pMItr->first);
- if (paramItr == params->end()) {
+ // Test for lists of rules at the intersection of the Action and the
Object
+ if (actionList[action] && actionList[action][objType])
+ {
+ // Find the list of rules for this actorId
+ AclData::actObjItr itrRule = actionList[action][objType]->find(id);
+
+ // If individual actorId not found then find a rule set for '*'.
+ if (itrRule == actionList[action][objType]->end())
+ itrRule = actionList[action][objType]->find("*");
+
+ if (itrRule != actionList[action][objType]->end())
+ {
+ // A list of rules exists for this actor/action/object tuple.
+ // Iterate the rule set to search for a matching rule.
+ ruleSetItr rsItr = itrRule->second.end();
+ for (int cnt = itrRule->second.size(); cnt != 0; cnt--)
+ {
+ rsItr--;
+
+ QPID_LOG(debug, "ACL: checking rule " <<
rsItr->toString());
+
+ bool match = true;
+ bool limitChecked = true;
+
+ // Iterate this rule's properties
+ for (propertyMapItr rulePropMapItr = rsItr->props.begin();
+ (rulePropMapItr != rsItr->props.end())
&& match;
+ rulePropMapItr++)
+ {
+ // The property map's NAME property is handled
specially
+ if (rulePropMapItr->first == acl::PROP_NAME)
+ {
+ if (matchProp(rulePropMapItr->second, name))
+ {
+ QPID_LOG(debug, "ACL: lookup name '" << name
+ << "' matched with rule name '" <<
rulePropMapItr->second << "'");
+ }
+ else
+ {
+ match = false;
+ QPID_LOG(debug, "ACL: lookup name '" << name
+ << "' didn't match with rule name '"
<< rulePropMapItr->second << "'");
+ }
+ }
+ else
+ {
+ if (params)
+ {
+ // The rule's property map non-NAME properties
are
+ // to be found in the lookup's params list
+ propertyMapItr lookupParamItr =
params->find(rulePropMapItr->first);
+ if (lookupParamItr == params->end())
+ {
+ // Now the rule has a specified property
that does not exist
+ // in the caller's lookup params list.
This rule does not match.
match = false;
QPID_LOG(debug, "ACL: lookup parameter map
doesn't contain the rule property '"
- <<
AclHelper::getPropertyStr(pMItr->first) << "'");
- }else if ( pMItr->first ==
acl::PROP_MAXQUEUECOUNT || pMItr->first == acl::PROP_MAXQUEUESIZE ) {
- if ( pMItr->first == paramItr->first ) {
-
- uint64_t aclMax = 0;
- uint64_t paramMax = 0;
-
- try{
- aclMax =
boost::lexical_cast<uint64_t>(pMItr->second);
- }catch(const boost::bad_lexical_cast&){
- match = false;
- QPID_LOG(error,"ACL: Error
evaluating rule. " <<
- "Illegal value given in ACL
source <" << aclSource <<
- "> for property '" <<
-
AclHelper::getPropertyStr(pMItr->first) << "' : " <<
-
boost::lexical_cast<std::string>(pMItr->second));
- break;
- }
-
- try{
- paramMax =
boost::lexical_cast<uint64_t>(paramItr->second);
- }catch(const boost::bad_lexical_cast&){
+ <<
AclHelper::getPropertyStr(rulePropMapItr->first) << "'");
+ }
+ else
+ {
+ if ( rulePropMapItr->first ==
acl::PROP_QUEUEMAXCOUNT || rulePropMapItr->first == acl::PROP_QUEUEMAXSIZE )
+ {
+ assert ( rulePropMapItr->first ==
lookupParamItr->first );
+ limitChecked &=
compareIntMax(rulePropMapItr->first,
+
boost::lexical_cast<std::string>(rulePropMapItr->second),
+
boost::lexical_cast<std::string>(lookupParamItr->second));
+ }
+ else
+ {
+ if (matchProp(rulePropMapItr->second,
lookupParamItr->second))
+ {
+ QPID_LOG(debug, "ACL: the pair("
+ <<
AclHelper::getPropertyStr(lookupParamItr->first) << "," <<
lookupParamItr->second
+ << ") given in lookup matched
the pair("
+ <<
AclHelper::getPropertyStr(rulePropMapItr->first) << "," <<
rulePropMapItr->second
+ << ") given in the rule");
+ }
+ else
+ {
match = false;
- QPID_LOG(error,"ACL: Error
evaluating rule. " <<
- "Illegal value given in lookup
for property '" <<
-
AclHelper::getPropertyStr(pMItr->first) << "' : " <<
-
boost::lexical_cast<std::string>(paramItr->second));
- break;
- }
-
- QPID_LOG(debug, "ACL: Numeric
comparison for property " <<
-
AclHelper::getPropertyStr(paramItr->first) <<
- " (value given in lookup = " <<
-
boost::lexical_cast<std::string>(paramItr->second) <<
- ", value give in rule = " <<
-
boost::lexical_cast<std::string>(pMItr->second) << " )");
-
- if (( aclMax ) && ( paramMax == 0 ||
paramMax > aclMax)){
- match = decisionMode ==
qpid::acl::ALLOW ;
- QPID_LOG(debug, "ACL: Limit
exceeded and match=" <<
- (match ? "true": "false") <<
- " as decision mode is " <<
AclHelper::getAclResultStr(decisionMode));
+ QPID_LOG(debug, "ACL: the pair("
+ <<
AclHelper::getPropertyStr(lookupParamItr->first) << "," <<
lookupParamItr->second
+ << ") given in lookup doesn't
match the pair("
+ <<
AclHelper::getPropertyStr(rulePropMapItr->first) << "," <<
rulePropMapItr->second
+ << ") given in the rule");
}
}
- }else if (matchProp(pMItr->second,
paramItr->second)) {
- QPID_LOG(debug, "ACL: the pair("
- <<
AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second
- << ") given in lookup matched the
pair("
- <<
AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in
the rule");
- } else {
- QPID_LOG(debug, "ACL: the pair("
- <<
AclHelper::getPropertyStr(paramItr->first) << "," << paramItr->second
- << ") given in lookup doesn't match
the pair("
- <<
AclHelper::getPropertyStr(pMItr->first) << "," << pMItr->second << ") given in
the rule");
- match = false;
- }
+ }
+ }
+ else
+ {
+ // params don't exist.
}
}
- if (match)
+ }
+ if (match)
+ {
+ aclresult = rsItr->ruleMode;
+ if (!limitChecked)
{
- aclresult = rsItr->ruleMode;
- QPID_LOG(debug,"ACL: Successful match, the
decision is:" << AclHelper::getAclResultStr(aclresult));
- return aclresult;
+ // Now a lookup matched all rule properties but
one of the numeric
+ // limits has failed. This has the effect of
demoting an allow to a deny.
+ if (aclresult == acl::ALLOW)
+ {
+ aclresult = acl::DENY;
+ }
+ else
+ {
+ if (aclresult == acl::ALLOWLOG)
+ {
+ aclresult = acl::DENYLOG;
+ }
+ }
}
+ QPID_LOG(debug,"ACL: Successful match, the decision
is:" << AclHelper::getAclResultStr(aclresult));
+ return aclresult;
+ }
+ else
+ {
+ // this rule did not match the requested lookup
}
}
}
+ else
+ {
+ // The Action-Object list has entries but not for this actorId
nor for *.
+ }
+ }
+ else
+ {
+ // The Action-Object list has no entries
+ }
- QPID_LOG(debug,"ACL: No successful match, defaulting to the
decision mode " << AclHelper::getAclResultStr(aclresult));
- return aclresult;
+ QPID_LOG(debug,"ACL: No successful match, defaulting to the decision
mode " << AclHelper::getAclResultStr(aclresult));
+ return aclresult;
}
AclResult AclData::lookup(const std::string& id, const Action& action,
const ObjectType& objType,
@@ -230,4 +278,42 @@ namespace acl {
clear();
}
-}}
+ bool AclData::compareIntMax(const qpid::acl::Property theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue) {
+ uint64_t aclMax (0);
+ uint64_t paramMax (0);
+
+ try {
+ aclMax = boost::lexical_cast<uint64_t>(theAclValue);
+ } catch(const boost::bad_lexical_cast&) {
+ assert (false);
+ return false;
+ }
+
+ try {
+ paramMax = boost::lexical_cast<uint64_t>(theLookupValue);
+ } catch(const boost::bad_lexical_cast&) {
+ QPID_LOG(error,"ACL: Error evaluating rule. " <<
+ "Illegal value given in lookup for property '" <<
+ AclHelper::getPropertyStr(theProperty) << "' : " <<
+ theLookupValue);
+ return false;
+ }
+
+ QPID_LOG(debug, "ACL: Numeric comparison for property " <<
+ AclHelper::getPropertyStr(theProperty) <<
+ " (value given in lookup = " <<
+ theLookupValue <<
+ ", value give in rule = " <<
+ theAclValue << " )");
+
+ if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax)){
+ QPID_LOG(debug, "ACL: Max limit exceeded for property '"
+ << AclHelper::getPropertyStr(theProperty) << "'");
+ return false;
+ }
+
+ return true;
+ }
+}}
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.h
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.h?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.h (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclData.h Thu Feb 23 19:13:12
2012
@@ -72,15 +72,30 @@ public:
bool transferAcl;
std::string aclSource;
- AclResult lookup(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& name, std::map<Property, std::string>*
params=0);
- AclResult lookup(const std::string& id, const Action& action, const
ObjectType& objType, const std::string& ExchangeName, const std::string&
RoutingKey);
- AclResult getACLResult(bool logOnly, bool log);
+ AclResult lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& name,
+ std::map<Property, std::string>* params=0);
+
+ AclResult lookup(
+ const std::string& id,
+ const Action& action,
+ const ObjectType& objType,
+ const std::string& ExchangeName,
+ const std::string& RoutingKey);
bool matchProp(const std::string & src, const std::string& src1);
void clear ();
AclData();
virtual ~AclData();
+
+private:
+ bool compareIntMax(const qpid::acl::Property theProperty,
+ const std::string theAclValue,
+ const std::string theLookupValue);
};
}} // namespace qpid::acl
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclValidator.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclValidator.cpp?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclValidator.cpp (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/acl/AclValidator.cpp Thu Feb 23
19:13:12 2012
@@ -78,11 +78,11 @@ namespace acl {
}
AclValidator::AclValidator(){
- validators.insert(Validator(acl::PROP_MAXQUEUESIZE,
+ validators.insert(Validator(acl::PROP_QUEUEMAXSIZE,
boost::shared_ptr<PropertyType>(
new
IntPropertyType(0,std::numeric_limits<int64_t>::max()))));
- validators.insert(Validator(acl::PROP_MAXQUEUECOUNT,
+ validators.insert(Validator(acl::PROP_QUEUEMAXCOUNT,
boost::shared_ptr<PropertyType>(
new
IntPropertyType(0,std::numeric_limits<int64_t>::max()))));
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/AclModule.h
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/AclModule.h?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/AclModule.h (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/AclModule.h Thu Feb 23
19:13:12 2012
@@ -32,17 +32,77 @@ namespace qpid {
namespace acl {
- enum ObjectType {OBJ_QUEUE, OBJ_EXCHANGE, OBJ_BROKER, OBJ_LINK,
- OBJ_METHOD, OBJECTSIZE}; // OBJECTSIZE must be last in list
- enum Action {ACT_CONSUME, ACT_PUBLISH, ACT_CREATE, ACT_ACCESS, ACT_BIND,
- ACT_UNBIND, ACT_DELETE, ACT_PURGE, ACT_UPDATE,
- ACTIONSIZE}; // ACTIONSIZE must be last in list
- enum Property {PROP_NAME, PROP_DURABLE, PROP_OWNER, PROP_ROUTINGKEY,
- PROP_PASSIVE, PROP_AUTODELETE, PROP_EXCLUSIVE, PROP_TYPE,
- PROP_ALTERNATE, PROP_QUEUENAME, PROP_SCHEMAPACKAGE,
- PROP_SCHEMACLASS, PROP_POLICYTYPE, PROP_MAXQUEUESIZE,
- PROP_MAXQUEUECOUNT};
- enum AclResult {ALLOW, ALLOWLOG, DENY, DENYLOG};
+ // Interface enumerations.
+ // These enumerations define enum lists and implied text strings
+ // to match. They are used in two places:
+ // 1. In the ACL specifications in the ACL file.
+ // 2. In the authorize interface in the rest of the broker where
+ // code requests the ACL module to authorize an action.
+
+ // ObjectType shared between ACL spec and ACL authorise interface
+ enum ObjectType {
+ OBJ_QUEUE,
+ OBJ_EXCHANGE,
+ OBJ_BROKER,
+ OBJ_LINK,
+ OBJ_METHOD,
+ OBJECTSIZE }; // OBJECTSIZE must be last in list
+
+ // Action shared between ACL spec and ACL authorise interface
+ enum Action {
+ ACT_CONSUME,
+ ACT_PUBLISH,
+ ACT_CREATE,
+ ACT_ACCESS,
+ ACT_BIND,
+ ACT_UNBIND,
+ ACT_DELETE,
+ ACT_PURGE,
+ ACT_UPDATE,
+ ACTIONSIZE }; // ACTIONSIZE must be last in list
+
+ // Property used in ACL spec file
+ enum SpecProperty {
+ SPECPROP_NAME,
+ SPECPROP_DURABLE,
+ SPECPROP_OWNER,
+ SPECPROP_ROUTINGKEY,
+ SPECPROP_PASSIVE,
+ SPECPROP_AUTODELETE,
+ SPECPROP_EXCLUSIVE,
+ SPECPROP_TYPE,
+ SPECPROP_ALTERNATE,
+ SPECPROP_QUEUENAME,
+ SPECPROP_SCHEMAPACKAGE,
+ SPECPROP_SCHEMACLASS,
+ SPECPROP_POLICYTYPE,
+ SPECPROP_MAXQUEUESIZE,
+ SPECPROP_MAXQUEUECOUNT };
+
+ // Property used in ACL authroize interface
+ enum Property {
+ PROP_NAME,
+ PROP_DURABLE,
+ PROP_OWNER,
+ PROP_ROUTINGKEY,
+ PROP_PASSIVE,
+ PROP_AUTODELETE,
+ PROP_EXCLUSIVE,
+ PROP_TYPE,
+ PROP_ALTERNATE,
+ PROP_QUEUENAME,
+ PROP_SCHEMAPACKAGE,
+ PROP_SCHEMACLASS,
+ PROP_POLICYTYPE,
+ PROP_QUEUEMAXSIZE,
+ PROP_QUEUEMAXCOUNT };
+
+ // AclResult shared between ACL spec and ACL authorise interface
+ enum AclResult {
+ ALLOW,
+ ALLOWLOG,
+ DENY,
+ DENYLOG };
} // namespace acl
@@ -54,12 +114,21 @@ namespace broker {
public:
- // effienty turn off ACL on message transfer.
+ // efficienty turn off ACL on message transfer.
virtual bool doTransferAcl()=0;
- virtual bool authorise(const std::string& id, const acl::Action&
action, const acl::ObjectType& objType, const std::string& name,
+ virtual bool authorise(
+ const std::string& id,
+ const acl::Action& action,
+ const acl::ObjectType& objType,
+ const std::string& name,
std::map<acl::Property, std::string>* params=0)=0;
- virtual bool authorise(const std::string& id, const acl::Action&
action, const acl::ObjectType& objType, const std::string& ExchangeName,
+
+ virtual bool authorise(
+ const std::string& id,
+ const acl::Action& action,
+ const acl::ObjectType& objType,
+ const std::string& ExchangeName,
const std::string& RoutingKey)=0;
// create specilied authorise methods for cases that need faster
matching as needed.
@@ -133,8 +202,8 @@ namespace acl {
if (str.compare("schemapackage") == 0) return PROP_SCHEMAPACKAGE;
if (str.compare("schemaclass") == 0) return PROP_SCHEMACLASS;
if (str.compare("policytype") == 0) return PROP_POLICYTYPE;
- if (str.compare("maxqueuesize") == 0) return PROP_MAXQUEUESIZE;
- if (str.compare("maxqueuecount") == 0) return PROP_MAXQUEUECOUNT;
+ if (str.compare("maxqueuesize") == 0) return PROP_QUEUEMAXSIZE;
+ if (str.compare("maxqueuecount") == 0) return PROP_QUEUEMAXCOUNT;
throw str;
}
static inline std::string getPropertyStr(const Property p) {
@@ -152,12 +221,51 @@ namespace acl {
case PROP_SCHEMAPACKAGE: return "schemapackage";
case PROP_SCHEMACLASS: return "schemaclass";
case PROP_POLICYTYPE: return "policytype";
- case PROP_MAXQUEUESIZE: return "maxqueuesize";
- case PROP_MAXQUEUECOUNT: return "maxqueuecount";
+ case PROP_QUEUEMAXSIZE: return "maxqueuesize";
+ case PROP_QUEUEMAXCOUNT: return "maxqueuecount";
default: assert(false); // should never get here
}
return "";
}
+ static inline SpecProperty getSpecProperty(const std::string& str) {
+ if (str.compare("name") == 0) return SPECPROP_NAME;
+ if (str.compare("durable") == 0) return SPECPROP_DURABLE;
+ if (str.compare("owner") == 0) return SPECPROP_OWNER;
+ if (str.compare("routingkey") == 0) return SPECPROP_ROUTINGKEY;
+ if (str.compare("passive") == 0) return SPECPROP_PASSIVE;
+ if (str.compare("autodelete") == 0) return SPECPROP_AUTODELETE;
+ if (str.compare("exclusive") == 0) return SPECPROP_EXCLUSIVE;
+ if (str.compare("type") == 0) return SPECPROP_TYPE;
+ if (str.compare("alternate") == 0) return SPECPROP_ALTERNATE;
+ if (str.compare("queuename") == 0) return SPECPROP_QUEUENAME;
+ if (str.compare("schemapackage") == 0) return
SPECPROP_SCHEMAPACKAGE;
+ if (str.compare("schemaclass") == 0) return SPECPROP_SCHEMACLASS;
+ if (str.compare("policytype") == 0) return SPECPROP_POLICYTYPE;
+ if (str.compare("queuemaxsize") == 0) return
SPECPROP_MAXQUEUESIZE;
+ if (str.compare("queuemaxcount") == 0) return
SPECPROP_MAXQUEUECOUNT;
+ throw str;
+ }
+ static inline std::string getSpecPropertyStr(const SpecProperty p) {
+ switch (p) {
+ case SPECPROP_NAME: return "name";
+ case SPECPROP_DURABLE: return "durable";
+ case SPECPROP_OWNER: return "owner";
+ case SPECPROP_ROUTINGKEY: return "routingkey";
+ case SPECPROP_PASSIVE: return "passive";
+ case SPECPROP_AUTODELETE: return "autodelete";
+ case SPECPROP_EXCLUSIVE: return "exclusive";
+ case SPECPROP_TYPE: return "type";
+ case SPECPROP_ALTERNATE: return "alternate";
+ case SPECPROP_QUEUENAME: return "queuename";
+ case SPECPROP_SCHEMAPACKAGE: return "schemapackage";
+ case SPECPROP_SCHEMACLASS: return "schemaclass";
+ case SPECPROP_POLICYTYPE: return "policytype";
+ case SPECPROP_MAXQUEUESIZE: return "queuemaxsize";
+ case SPECPROP_MAXQUEUECOUNT: return "queuemaxcount";
+ default: assert(false); // should never get here
+ }
+ return "";
+ }
static inline AclResult getAclResult(const std::string& str) {
if (str.compare("allow") == 0) return ALLOW;
if (str.compare("allow-log") == 0) return ALLOWLOG;
@@ -187,7 +295,9 @@ namespace acl {
typedef boost::shared_ptr<objectMap> objectMapPtr;
typedef std::map<Property, std::string> propMap;
typedef propMap::const_iterator propMapItr;
-
+ typedef std::map<SpecProperty, std::string> specPropMap;
+ typedef specPropMap::const_iterator specPropMapItr;
+
// This map contains the legal combinations of
object/action/properties found in an ACL file
static void loadValidationMap(objectMapPtr& map) {
if (!map.get()) return;
@@ -229,8 +339,8 @@ namespace acl {
p4->insert(PROP_EXCLUSIVE);
p4->insert(PROP_AUTODELETE);
p4->insert(PROP_POLICYTYPE);
- p4->insert(PROP_MAXQUEUESIZE);
- p4->insert(PROP_MAXQUEUECOUNT);
+ p4->insert(PROP_QUEUEMAXSIZE);
+ p4->insert(PROP_QUEUEMAXCOUNT);
actionMapPtr a1(new actionMap);
a1->insert(actionPair(ACT_ACCESS, p0));
@@ -266,7 +376,21 @@ namespace acl {
if (params)
{
for (propMapItr pMItr = params->begin(); pMItr !=
params->end(); pMItr++) {
- ss << " " << getPropertyStr((Property) pMItr-> first) <<
"=" << pMItr->second;
+ ss << " " << getPropertyStr((Property) pMItr-> first)
+ << "=" << pMItr->second;
+ }
+ }
+ ss << " }";
+ return ss.str();
+ }
+ static std::string specPropertyMapToString(const
std::map<SpecProperty, std::string>* params) {
+ std::ostringstream ss;
+ ss << "{";
+ if (params)
+ {
+ for (specPropMapItr pMItr = params->begin(); pMItr !=
params->end(); pMItr++) {
+ ss << " " << getSpecPropertyStr((SpecProperty) pMItr->
first)
+ << "=" << pMItr->second;
}
}
ss << " }";
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/Broker.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/Broker.cpp?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/Broker.cpp (original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/Broker.cpp Thu Feb 23
19:13:12 2012
@@ -885,8 +885,8 @@ std::pair<boost::shared_ptr<Queue>, bool
params.insert(make_pair(acl::PROP_EXCLUSIVE, owner ? _TRUE : _FALSE));
params.insert(make_pair(acl::PROP_AUTODELETE, autodelete ? _TRUE :
_FALSE));
params.insert(make_pair(acl::PROP_POLICYTYPE,
arguments.getAsString("qpid.policy_type")));
- params.insert(make_pair(acl::PROP_MAXQUEUECOUNT,
boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
- params.insert(make_pair(acl::PROP_MAXQUEUESIZE,
boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXCOUNT,
boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXSIZE,
boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
if
(!acl->authorise(userId,acl::ACT_CREATE,acl::OBJ_QUEUE,name,¶ms) )
throw framing::UnauthorizedAccessException(QPID_MSG("ACL denied
queue create request from " << userId));
Modified: qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/SessionAdapter.cpp
URL:
http://svn.apache.org/viewvc/qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/SessionAdapter.cpp?rev=1292905&r1=1292904&r2=1292905&view=diff
==============================================================================
--- qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/SessionAdapter.cpp
(original)
+++ qpid/branches/QPID-3799-acl/cpp/src/qpid/broker/SessionAdapter.cpp Thu Feb
23 19:13:12 2012
@@ -286,8 +286,8 @@ void SessionAdapter::QueueHandlerImpl::d
params.insert(make_pair(acl::PROP_EXCLUSIVE, std::string(exclusive
? _TRUE : _FALSE)));
params.insert(make_pair(acl::PROP_AUTODELETE,
std::string(autoDelete ? _TRUE : _FALSE)));
params.insert(make_pair(acl::PROP_POLICYTYPE,
arguments.getAsString("qpid.policy_type")));
- params.insert(make_pair(acl::PROP_MAXQUEUECOUNT,
boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
- params.insert(make_pair(acl::PROP_MAXQUEUESIZE,
boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXCOUNT,
boost::lexical_cast<string>(arguments.getAsInt("qpid.max_count"))));
+ params.insert(make_pair(acl::PROP_QUEUEMAXSIZE,
boost::lexical_cast<string>(arguments.getAsInt64("qpid.max_size"))));
if
(!acl->authorise(getConnection().getUserId(),acl::ACT_CREATE,acl::OBJ_QUEUE,name,¶ms)
)
throw UnauthorizedAccessException(QPID_MSG("ACL denied queue
create request from " << getConnection().getUserId()));
}
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:commits-subscr...@qpid.apache.org
