PROTON-866: Tell SASL the external ssf and authid when we detect SASL - Add Internal API to set external ssf/authid to SASL
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/1cfeef1c
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/1cfeef1c
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/1cfeef1c
Branch: refs/heads/kgiusti-python3
Commit: 1cfeef1c03d4607844320320ab50054f750f3aa8
Parents: f252261
Author: Andrew Stitcher <astitc...@apache.org>
Authored: Tue May 26 15:11:54 2015 -0400
Committer: Andrew Stitcher <astitc...@apache.org>
Committed: Wed Jun 10 16:41:51 2015 -0400
----------------------------------------------------------------------
proton-c/src/sasl/cyrus_sasl.c | 33 ++++++++++++++++++++++++---------
proton-c/src/sasl/sasl-internal.h | 3 +++
proton-c/src/sasl/sasl.c | 13 +++++++++++++
proton-c/src/transport/transport.c | 1 +
4 files changed, 41 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/cyrus_sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/cyrus_sasl.c b/proton-c/src/sasl/cyrus_sasl.c
index 4bf5f4d..e280324 100644
--- a/proton-c/src/sasl/cyrus_sasl.c
+++ b/proton-c/src/sasl/cyrus_sasl.c
@@ -122,6 +122,23 @@ bool pni_init_client(pn_transport_t* transport) {
 if (result!=SASL_OK) return false;
 sasl->impl_context = cyrus_conn;
+ sasl_security_properties_t secprops = {0};
+ secprops.security_flags =
+ SASL_SEC_NOPLAINTEXT |
+ ( transport->auth_required ? SASL_SEC_NOANONYMOUS : 0 ) ;
+
+ result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
+ if (result!=SASL_OK) return false;
+
+ sasl_ssf_t ssf = sasl->external_ssf;
+ result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+ if (result!=SASL_OK) return false;
+
+ const char *extid = sasl->external_auth;
+ if (extid) {
+ result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+ if (result!=SASL_OK) return false;
+ }
 return true;
 }
@@ -242,17 +259,15 @@ static int pni_wrap_server_new(pn_transport_t *transport)
 result = sasl_setprop(cyrus_conn, SASL_SEC_PROPS, &secprops);
 if (result!=SASL_OK) return result;
- // EXTERNAL not implemented yet
- #if 0
- sasl_ssf_t ssf = 128;
- result = sasl_setprop(sasl->cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
+ sasl_ssf_t ssf = sasl->external_ssf;
+ result = sasl_setprop(cyrus_conn, SASL_SSF_EXTERNAL, &ssf);
 if (result!=SASL_OK) return result;
- const char *extid = "user";
- result = sasl_setprop(sasl->cyrus_conn, SASL_AUTH_EXTERNAL, extid);
- if (result!=SASL_OK) return result;
- #endif
-
+ const char *extid = sasl->external_auth;
+ if (extid) {
+ result = sasl_setprop(cyrus_conn, SASL_AUTH_EXTERNAL, extid);
+ if (result!=SASL_OK) return result;
+ }
 return result;
 }
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl-internal.h
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl-internal.h b/proton-c/src/sasl/sasl-internal.h
index da180e4..40df261 100644
--- a/proton-c/src/sasl/sasl-internal.h
+++ b/proton-c/src/sasl/sasl-internal.h
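Review bot: In pni_init_client, `sasl_ssf_t ssf = sasl->external_ssf;` converts the `int` field to Cyrus's unsigned sasl_ssf_t, so a negative value (if pn_ssl_get_ssf can ever report an error that way, which this diff does not show) would register as an enormous external strength and satisfy any minimum-ssf requirement; clamping costs one line, `sasl_ssf_t ssf = sasl->external_ssf > 0 ? (sasl_ssf_t)sasl->external_ssf : 0;`, and the same applies to the pni_wrap_server_new hunk below. `sasl_security_properties_t secprops = {0};` also leaves min_ssf, max_ssf and maxbufsize at zero, which rules out any SASL security layer on the client side; if that is deliberate, `// max_ssf stays 0: no SASL security layer on the client side` would record it. Both fields are read here at connection setup, while pni_sasl_set_external_security is only called when the peer's SASL header is seen (sasl.c and transport.c hunks), so the ordering between the two deserves a check — if pni_init_client runs first, the client reports ssf 0 and no authid. pni_init_client's body starts outside the hunk.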
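Review bot: The `#if 0` block that pni_wrap_server_new drops carried the only comment about EXTERNAL, and the replacement lines say nothing about where the values now come from or why SASL_AUTH_EXTERNAL is skipped when extid is NULL. A one-line comment above `sasl_ssf_t ssf = sasl->external_ssf;` would close that gap: `// ssf/authid come from the TLS layer via pni_sasl_set_external_security (authid is NULL when none was established)`. pni_wrap_server_new's body starts outside the hunk.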
@@ -29,6 +29,7 @@ void pn_sasl_free(pn_transport_t *transport);
 void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, const char *password);
 void pni_sasl_set_remote_hostname(pn_transport_t *transport, const char* fqdn);
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid);
 // Internal SASL authenticator interface
 void pni_sasl_impl_free(pn_transport_t *transport);
@@ -63,6 +64,8 @@ struct pni_sasl_t {
 const char *config_name;
 char *config_dir;
 const char *remote_fqdn;
+ char *external_auth;
+ int external_ssf;
 pn_sasl_outcome_t outcome;
 pn_bytes_t bytes_out;
 enum pni_sasl_state desired_state;
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/sasl/sasl.c b/proton-c/src/sasl/sasl.c
index e180280..3142832 100644
--- a/proton-c/src/sasl/sasl.c
+++ b/proton-c/src/sasl/sasl.c
@@ -24,6 +24,7 @@
 #include "dispatch_actions.h"
 #include "engine/engine-internal.h"
 #include "protocol.h"
+#include "proton/ssl.h"
 #include "util.h"
 #include "transport/autodetect.h"
@@ -87,6 +88,7 @@ static ssize_t pn_input_read_sasl_header(pn_transport_t* transport, unsigned int
 }
 if (transport->trace & PN_TRACE_FRM) pn_transport_logf(transport, " <- %s", "SASL");
+ pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
 return SASL_HEADER_LEN;
 case PNI_PROTOCOL_INSUFFICIENT:
 if (!eos) return 0;
@@ -367,6 +369,8 @@ pn_sasl_t *pn_sasl(pn_transport_t *transport)
 sasl->config_name = sasl->client ? "proton-client" : "proton-server";
 sasl->config_dir = sasl_config_path ? pn_strdup(sasl_config_path) : NULL;
 sasl->remote_fqdn = NULL;
+ sasl->external_auth = NULL;
+ sasl->external_ssf = 0;
 sasl->outcome = PN_SASL_NONE;
 sasl->impl_context = NULL;
 sasl->bytes_out.size = 0;
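Review bot: The new prototype `pni_sasl_set_external_security` is all a caller gets, and it states neither the ownership of authid nor what ssf measures, although the sasl.c implementation copies authid with pn_strdup and frees the previous value; a comment above it would carry that contract: `// Record the security strength factor and authenticated identity established by an outer layer (TLS); authid is copied, NULL clears it.` The two struct fields in the second hunk want the same treatment, `char *external_auth; // owned copy, freed in pn_sasl_free` and `int external_ssf; // 0 until set`. Declaring ssf as `int` while cyrus_sasl.c stores it into an unsigned sasl_ssf_t invites sign surprises; `unsigned` would match the consumer if pn_ssl_get_ssf's return type permits, which this diff does not show.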
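Review bot: The added call in pn_input_read_sasl_header invokes `pn_ssl_get_ssf((pn_ssl_t*)transport)` and `pn_ssl_get_remote_subject((pn_ssl_t*)transport)` on every SASL header, whether or not an SSL layer is present, so it depends on both returning 0/NULL for a plain TCP transport; nothing in the diff establishes that, so it is worth confirming or gating on the transport actually having an SSL layer. The subject string becomes the SASL_AUTH_EXTERNAL identity, so it must only be non-NULL when the TLS layer verified the peer certificate under the domain's peer-authentication mode — presumably pn_ssl_get_remote_subject already guarantees this, and a comment here would make the dependency visible: `// subject is usable as the EXTERNAL authid only if the TLS layer verified the peer cert`. The same line is duplicated in transport.c's pn_io_layer_input_autodetect hunk; a single wrapper that takes the transport and performs the two lookups would keep them in step. pn_input_read_sasl_header's body starts and ends outside the hunk.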
@@ -417,6 +421,14 @@ void pni_sasl_set_user_password(pn_transport_t *transport, const char *user, con
 sasl->password = password ? pn_strdup(password) : NULL;
 }
+void pni_sasl_set_external_security(pn_transport_t *transport, int ssf, const char *authid)
+{
+ pni_sasl_t *sasl = transport->sasl;
+ sasl->external_ssf = ssf;
+ free(sasl->external_auth);
+ sasl->external_auth = authid ? pn_strdup(authid) : NULL;
+}
+
 const char *pn_sasl_get_user(pn_sasl_t *sasl0)
 {
 pni_sasl_t *sasl = get_sasl_internal(sasl0);
@@ -476,6 +488,7 @@ void pn_sasl_free(pn_transport_t *transport)
 free(sasl->included_mechanisms);
 free(sasl->password);
 free(sasl->config_dir);
+ free(sasl->external_auth);
 // CYRUS_SASL
 if (sasl->impl_context) {
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/1cfeef1c/proton-c/src/transport/transport.c
----------------------------------------------------------------------
diff --git a/proton-c/src/transport/transport.c b/proton-c/src/transport/transport.c
index b5887ef..0e23975 100644
--- a/proton-c/src/transport/transport.c
+++ b/proton-c/src/transport/transport.c
@@ -250,6 +250,7 @@ ssize_t pn_io_layer_input_autodetect(pn_transport_t *transport, unsigned int lay
 transport->io_layers[layer+1] = &pni_autodetect_layer;
 if (transport->trace & PN_TRACE_FRM) pn_transport_logf(transport, " <- %s", "SASL");
+ pni_sasl_set_external_security(transport, pn_ssl_get_ssf((pn_ssl_t*)transport), pn_ssl_get_remote_subject((pn_ssl_t*)transport));
 return 8;
 case PNI_PROTOCOL_AMQP1:
 if (transport->auth_required && !pn_transport_is_authenticated(transport)) {
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org
For additional commands, e-mail: commits-h...@qpid.apache.org
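Review bot: `pni_sasl_t *sasl = transport->sasl;` in pni_sasl_set_external_security is dereferenced without a check, and both callers sit on the protocol-detection path that runs when a SASL header arrives from the peer; if transport->sasl can still be NULL at that point (the transport.c hunk installs the SASL layer on detection but shows no creation of the SASL object), this is a NULL dereference driven by peer input, and `if (!sasl) return;` is a cheap guard. If pn_sasl() is guaranteed to have run earlier on that path, a comment saying so would do instead. Freeing the old external_auth before the pn_strdup is right and makes repeated calls safe, but that contract is unstated; a header comment such as `// Record ssf/authid established by the TLS layer; authid is copied, NULL clears it.` would fix that.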