DISPATCH-446 - Removed all annotations. Turned sslProfile to an entity. Updated documentation and add tests
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/9ec4c43b Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/9ec4c43b Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/9ec4c43b Branch: refs/heads/master Commit: 9ec4c43bc062a2eb468c673c2125bc3f6057b0ff Parents: 90415a4 Author: Ganesh Murthy <[email protected]> Authored: Tue Jul 19 09:09:26 2016 -0400 Committer: Ganesh Murthy <[email protected]> Committed: Fri Jul 29 16:07:59 2016 -0400 ---------------------------------------------------------------------- doc/man/qdrouterd.conf.5.py | 78 --- include/qpid/dispatch/connection_manager.h | 11 +- include/qpid/dispatch/server.h | 10 +- python/qpid_dispatch/management/qdrouter.json | 627 ++++++++++--------- .../management/qdrouter.json.readme.txt | 5 +- .../qdrouter.policyRuleset.settings.txt | 2 +- python/qpid_dispatch_internal/dispatch.py | 2 + .../qpid_dispatch_internal/management/agent.py | 27 +- .../qpid_dispatch_internal/management/config.py | 33 +- .../qpid_dispatch_internal/management/schema.py | 40 +- .../management/schema_doc.py | 2 +- src/connection_manager.c | 240 +++++-- src/server.c | 8 +- tests/management/qdrouter.py | 4 +- tests/management/schema.py | 46 +- tests/system_tests_qdmanage.py | 70 +++ tests/system_tests_sasl_plain.py | 144 ++++- tests/system_tests_two_routers.py | 57 +- 18 files changed, 831 insertions(+), 575 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/doc/man/qdrouterd.conf.5.py ---------------------------------------------------------------------- diff --git a/doc/man/qdrouterd.conf.5.py b/doc/man/qdrouterd.conf.5.py index 4c3877c..e71f7a1 100644 --- a/doc/man/qdrouterd.conf.5.py +++ b/doc/man/qdrouterd.conf.5.py @@ -35,9 +35,6 @@ class ManPageWriter(SchemaWriter): def __init__(self): super(ManPageWriter, self).__init__(sys.stdout, QdSchema()) - self.sslProfileAttributes = [] - self.connectionRoleAddrPortAttrs = [] - self.connectionRoleAddrPortAnnotations = {} def attribute_type(self, attr, holder): # Don't show read-only attributes @@ -47,37 +44,7 @@ class ManPageWriter(SchemaWriter): return super(ManPageWriter, self).attribute_type(attr, holder, show_create=False, show_update=False) - def is_entity_connector_or_listener(self, entity_type): - if CONNECTOR == entity_type.name or LISTENER == entity_type.name: - return True - return False - def add_connector_listener_attributes(self, entity_type): - - attr_type = AttributeType('name', type="string", defined_in=entity_type, create=True, update=True, - description="Unique name optionally assigned by user. Can be changed.") - entity_type.attributes['name'] = attr_type - self.connectionRoleAddrPortAttrs.append('name') - - # We will have to add the connectionRole and addrPort attributes to listener and connector entities - # so that they show up in the man doc page. - for attr in self.connectionRoleAddrPortAnnotations.keys(): - annotation = self.connectionRoleAddrPortAnnotations.get(attr) - - for key in annotation.attributes.keys(): - self.connectionRoleAddrPortAttrs.append(key) - annotation_attr = annotation.attributes.get(key) - if not annotation_attr.deprecated: - attr_type = AttributeType(key, type=annotation_attr.type, - defined_in=entity_type, - create=True, update=True, description=annotation_attr.description) - entity_type.attributes[key] = attr_type - - # Artificially add an sslProfile - ssl_profile_attr = AttributeType("sslProfile", type="string", defined_in=entity_type, - create=True, update=True, description="name of the sslProfile ") - - entity_type.attributes[u'sslProfile'] = ssl_profile_attr def man_page(self): self.writeln(r""" @@ -163,54 +130,9 @@ listener { """) with self.section("Configuration Sections"): - for annotation in self.schema.annotations.itervalues(): - # We are skipping connectionRole and addrPort annotations from the doc because it is - # confusing to the user - if "addrPort" in annotation.name or "connectionRole" in annotation.name: - self.connectionRoleAddrPortAnnotations[annotation.short_name] = annotation - continue - used_by = [e.short_name for e in self.schema.entity_types.itervalues() - if annotation in e.annotations] - with self.section(annotation.short_name): - if annotation.description: - self.para(annotation.description) - if used_by: - self.para('Used by: **%s**.'%('**, **'.join(used_by))) - - if "sslProfile" in annotation.name: - # sslProfileName is an internal attribute and should not show in the doc - del annotation.attributes[u'sslProfileName'] - - for attribute in annotation.attributes.keys(): - self.sslProfileAttributes.append(attribute) - - attrs = annotation.attributes - - annotation.attributes = OrderedDict() - # The name has to appear first in the doc, the other attributes appear after name - name_attr = AttributeType("name", type="string", defined_in=annotation, - create=True, update=True, description="name of the sslProfile ") - annotation.attributes[u'name'] = name_attr - annotation.attributes.update(attrs) - - self.attribute_types(annotation) config = self.schema.entity_type("configurationEntity") for entity_type in self.schema.entity_types.itervalues(): - if self.is_entity_connector_or_listener(entity_type): - for sslProfileAttribute in self.sslProfileAttributes: - del entity_type.attributes[sslProfileAttribute] - current_attrs = entity_type.attributes - - entity_type.attributes = OrderedDict() - # The attributes from the annotations must appear first in the doc - self.add_connector_listener_attributes(entity_type) - - for attr in self.connectionRoleAddrPortAttrs: - if current_attrs.get(attr): - del current_attrs[attr] - entity_type.attributes.update(current_attrs) - if config in entity_type.all_bases: with self.section(entity_type.short_name): if entity_type.description: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/include/qpid/dispatch/connection_manager.h ---------------------------------------------------------------------- diff --git a/include/qpid/dispatch/connection_manager.h b/include/qpid/dispatch/connection_manager.h index 4c2b319..28a944c 100644 --- a/include/qpid/dispatch/connection_manager.h +++ b/include/qpid/dispatch/connection_manager.h @@ -29,6 +29,7 @@ typedef struct qd_connection_manager_t qd_connection_manager_t; typedef struct qd_config_connector_t qd_config_connector_t; typedef struct qd_config_listener_t qd_config_listener_t; +typedef struct qd_config_ssl_profile_t qd_config_ssl_profile_t; typedef void (*qd_connection_manager_handler_t) (void *context, qd_connection_t *conn); @@ -50,13 +51,19 @@ void qd_connection_manager_free(qd_connection_manager_t *cm); /** * Free all the resources associated with a config listener */ -void qd_config_listener_free(qd_config_listener_t *cl); +void qd_config_listener_free(qd_connection_manager_t *cm, qd_config_listener_t *cl); + +/** + * Free the SSL Profile. Only SSL Profiles that are not referenced from other connectors/listeners can be freed. + * @return true if the ssl_profile has been freed, false if it is being referenced and cannot be freed + */ +bool qd_config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_profile_t *ssl_profile); /** * Free all the resources associated with a config connector */ -void qd_config_connector_free(qd_config_connector_t *cl); +void qd_config_connector_free(qd_connection_manager_t *cm, qd_config_connector_t *cl); /** http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/include/qpid/dispatch/server.h ---------------------------------------------------------------------- diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h index 935cb17..03d4e4b 100644 --- a/include/qpid/dispatch/server.h +++ b/include/qpid/dispatch/server.h @@ -286,11 +286,6 @@ typedef struct qd_server_config_t { int sasl_maxssf; /** - * SSL is enabled for this connection iff true. - */ - bool ssl_enabled; - - /** * Iff true, SSL/TLS must be used on the connection. */ bool ssl_required; @@ -365,6 +360,11 @@ typedef struct qd_server_config_t { char *ssl_uid_format; /** + * The name of the related ssl profile. + */ + char *ssl_profile; + + /** * Full path to the file that contains the uid to display name mapping. */ char *ssl_display_name_file; http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch/management/qdrouter.json ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json index 325a954..ae1b901 100644 --- a/python/qpid_dispatch/management/qdrouter.json +++ b/python/qpid_dispatch/management/qdrouter.json @@ -3,116 +3,6 @@ "prefix": "org.apache.qpid.dispatch", - "annotations": { - - "addrPort": { - "description": "Attributes for internet address and port.", - "attributes": { - "addr": { - "description":"(DEPRECATED)IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead", - "deprecated": true, - "type": "string", - "default": "127.0.0.1", - "create": true - }, - "host": { - "description":"IP address: ipv4 or ipv6 literal or a host name", - "type": "string", - "default": "127.0.0.1", - "create": true - }, - "port": { - "description": "Port number or symbolic service name.", - "type": "string", - "default": "amqp", - "create": true - - }, - "protocolFamily": { - "type": ["IPv4", "IPv6"], - "required": false, - "description": "['IPv4', 'IPv6'] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.", - "create": true - } - } - }, - - "connectionRole": { - "description": "Attribute for the role of a connection.", - "attributes": { - "role": { - "type": [ - "normal", - "inter-router", - "route-container", - "on-demand" - ], - "default": "normal", - "description": "The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. on-demand role has been deprecated.", - "create": true - }, - "cost": { - "type": "integer", - "default": "1", - "required": false, - "create": true, - "description": "For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress." - } - } - }, - - "sslProfile": { - "description":"Attributes for setting TLS/SSL configuration for connections.", - "referential": true, - "attributes": { - "certDb": { - "type": "path", - "description": "The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).", - "create": true - }, - "certFile": { - "type": "path", - "description": "The absolute path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.", - "create": true - - }, - "keyFile": { - "type": "path", - "description": "The absolute path to the file containing the PEM-formatted private key for the above certificate.", - "create": true - - }, - "passwordFile": { - "type": "path", - "description": "If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key.", - "create": true - - }, - "password": { - "type": "string", - "description": "An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file. This option can be used by supplying the password in the 'password' option. Don't use both password and passwordFile in the same profile.", - "create": true - - }, - "uidFormat": { - "type": "string", - "description": "A list of x509 client certificate fields that will be used to build a string that will uniquely identify the client certificate owner. For e.g. a value of 'cou' indicates that the uid will consist of c - common name concatenated with o - organization-company name concatenated with u - organization unit; or a value of 'o2' indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate) . Allowed values can be any combination of 'c'( ISO3166 two character country code), 's'(state or province), 'l'(Locality; generally - city), 'o'(Organization - Company Name), 'u'(Organization Unit - typically certificate type or brand), 'n'(CommonName - typically a user name for client certificates) and '1'(sha1 certificate fingerprint, as displayed in the fingerprints section when looking at a certificate with say a web browser is the hash of the entire certificate) and 2 (sha256 certificate finger print) and 5 (sha512 certificate fingerprint). ", - "create": true - }, - "displayNameFile": { - "type": "string", - "description": "The absolute path to the file containing the unique id to dispay name mapping", - "create": true - }, - "sslProfileName": { - "type": "string", - "description": "The name of the ssl profile. This is for internal use only. Use the 'name' attribute to assign a name to an sslProfile section ", - "create": false - } - } - } - }, - "entityTypes": { "entity": { @@ -356,7 +246,7 @@ } }, "GET-ATTRIBUTES": { - "description": "Get the set of entity types and the annotations they implement", + "description": "Get the set of entity types", "request": { "properties": { "identity": { @@ -478,59 +368,11 @@ "attributes": {} }, - "container": { - "description":"(DEPRECATED)Attributes related to the AMQP container. This entity has been deprecated. Use the router entity instead.", - "extends": "configurationEntity", - "deprecated": true, - "singleton": true, - "attributes": { - - "containerName": { - "type": "string", - "description": "The name of the AMQP container. If not specified, the container name will be set to a value of the container's choosing. The automatically assigned container name is not guaranteed to be persistent across restarts of the container.", - "create": true - - }, - "workerThreads": { - "type": "integer", - "default": 4, - "description": "The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.) .", - "create": true - - }, - "debugDump": { - "type": "path", - "description": "A file to dump debugging information that can't be logged normally.", - "create": true - - }, - "saslConfigPath": { - "type": "path", - "description": "Absolute path to the SASL configuration file.", - "required": false, - "create": true - }, - "saslConfigName": { - "type": "string", - "description": "Name of the SASL configuration. This string + '.conf' is the name of the configuration file.", - "required": false, - "create": true - } - } - }, - "router": { "description":"Tracks peer routers and computes routes to destinations.", "extends": "configurationEntity", "singleton": true, "attributes": { - "routerId": { - "description":"(DEPRECATED) Router's unique identity. This attribute has been deprecated. Use id instead", - "type": "string", - "required": false, - "deprecated": true, - "create": true - }, "id": { "description":"Router's unique identity. One of id or routerId is required. The router will fail to start without id or routerId", "type": "string", @@ -581,14 +423,6 @@ "description": "Time in seconds after which link state is declared stale if no RA is received.", "create": true }, - "mobileAddrMaxAge": { - "type": "integer", - "default": 60, - "deprecated": true, - "description": "(DEPRECATED) This value is no longer used in the router.", - "create": true - }, - "addrCount": { "type": "integer", "description":"Number of addresses known to the router.", @@ -629,20 +463,120 @@ "default": "qdrouterd", "required": false, "create": true - } + }, + "routerId": { + "description":"(DEPRECATED) Router's unique identity. This attribute has been deprecated. Use id instead", + "type": "string", + "required": false, + "deprecated": true, + "create": true + }, + "mobileAddrMaxAge": { + "type": "integer", + "default": 60, + "deprecated": true, + "description": "(DEPRECATED) This value is no longer used in the router.", + "create": true + } } }, + + "sslProfile": { + "description":"Attributes for setting TLS/SSL configuration for connections.", + "referential": true, + "extends": "configurationEntity", + "operations": ["CREATE", "DELETE"], + "attributes": { + "certDb": { + "type": "path", + "description": "The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).", + "create": true + }, + "certFile": { + "type": "path", + "description": "The absolute path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.", + "create": true + + }, + "keyFile": { + "type": "path", + "description": "The absolute path to the file containing the PEM-formatted private key for the above certificate.", + "create": true + + }, + "passwordFile": { + "type": "path", + "description": "If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key.", + "create": true + + }, + "password": { + "type": "string", + "description": "An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file. This option can be used by supplying the password in the 'password' option. Don't use both password and passwordFile in the same profile.", + "create": true + }, + "uidFormat": { + "type": "string", + "description": "A list of x509 client certificate fields that will be used to build a string that will uniquely identify the client certificate owner. For e.g. a value of 'cou' indicates that the uid will consist of c - common name concatenated with o - organization-company name concatenated with u - organization unit; or a value of 'o2' indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate) . Allowed values can be any combination of 'c'( ISO3166 two character country code), 's'(state or province), 'l'(Locality; generally - city), 'o'(Organization - Company Name), 'u'(Organization Unit - typically certificate type or brand), 'n'(CommonName - typically a user name for client certificates) and '1'(sha1 certificate fingerprint, as displayed in the fingerprints section when looking at a certificate with say a web browser is the hash of the entire certificate) and 2 (sha256 certificate finger print) and 5 (sha512 certificate fingerprint). ", + "create": true + }, + "displayNameFile": { + "type": "string", + "description": "The absolute path to the file containing the unique id to dispay name mapping", + "create": true + } + } + }, + "listener": { "description": "Listens for incoming connections to the router.", "extends": "configurationEntity", "operations": ["CREATE", "DELETE"], - "annotations": [ - "addrPort", - "connectionRole", - "sslProfile" - ], "attributes": { + "host": { + "description":"IP address: ipv4 or ipv6 literal or a host name", + "type": "string", + "default": "127.0.0.1", + "create": true + }, + "port": { + "description": "Port number or symbolic service name.", + "type": "string", + "default": "amqp", + "create": true + + }, + "protocolFamily": { + "type": ["IPv4", "IPv6"], + "required": false, + "description": "['IPv4', 'IPv6'] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.", + "create": true + }, + "role": { + "type": [ + "normal", + "inter-router", + "route-container", + "on-demand" + ], + "default": "normal", + "description": "The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. on-demand role has been deprecated.", + "create": true + }, + "cost": { + "type": "integer", + "default": "1", + "required": false, + "create": true, + "description": "For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress." + }, + "sslProfile": { + "type": "string", + "required": false, + "description": "Name of the sslProfile.", + "create": true + }, "saslMechanisms": { "type": "string", "required": false, @@ -684,49 +618,96 @@ "description": "The idle timeout, in seconds, for connections through this listener. If no frames are received on the connection for this time interval, the connection shall be closed.", "create": true }, - "requirePeerAuth": { + "stripAnnotations": { + "type": ["in", "out", "both", "no"], + "default": "both", + "description": "['in', 'out', 'both', 'no'] in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations", + "create": true + }, + "linkCapacity": { + "type": "integer", + "create": true, + "required": false, + "description": "The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link." + }, + "addr": { + "description":"(DEPRECATED)IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead", + "deprecated": true, + "type": "string", + "default": "127.0.0.1", + "create": true + }, + "allowNoSasl": { "type": "boolean", "create": true, "deprecated": true, "description": "(DEPRECATED) This attribute is now controlled by the authenticatePeer attribute." }, - "allowUnsecured": { + "requirePeerAuth": { "type": "boolean", "create": true, "deprecated": true, - "description": "(DEPRECATED) This attribute is now controlled by the requireEncryption attribute." + "description": "(DEPRECATED) This attribute is now controlled by the authenticatePeer attribute." }, - "allowNoSasl": { + "allowUnsecured": { "type": "boolean", "create": true, "deprecated": true, - "description": "(DEPRECATED) This attribute is now controlled by the authenticatePeer attribute." + "description": "(DEPRECATED) This attribute is now controlled by the requireEncryption attribute." + } + } + }, + + "connector": { + "description": "Establishes an outgoing connection from the router.", + "extends": "configurationEntity", + "operations": ["CREATE", "DELETE"], + "attributes": { + "host": { + "description":"IP address: ipv4 or ipv6 literal or a host name", + "type": "string", + "default": "127.0.0.1", + "create": true }, - "stripAnnotations": { - "type": ["in", "out", "both", "no"], - "default": "both", - "description": "['in', 'out', 'both', 'no'] in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations", + "port": { + "description": "Port number or symbolic service name.", + "type": "string", + "default": "amqp", "create": true + }, - "linkCapacity": { + "protocolFamily": { + "type": ["IPv4", "IPv6"], + "required": false, + "description": "['IPv4', 'IPv6'] IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.", + "create": true + }, + + "role": { + "type": [ + "normal", + "inter-router", + "route-container", + "on-demand" + ], + "default": "normal", + "description": "The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. on-demand role has been deprecated.", + "create": true + }, + "cost": { "type": "integer", + "default": "1", + "required": false, "create": true, + "description": "For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress." + }, + + "sslProfile": { + "type": "string", "required": false, - "description": "The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link." - } - } - }, - - "connector": { - "description": "Establishes an outgoing connection from the router.", - "extends": "configurationEntity", - "operations": ["CREATE", "DELETE"], - "annotations": [ - "addrPort", - "connectionRole", - "sslProfile" - ], - "attributes": { + "description": "Name of the sslProfile.", + "create": true + }, "saslMechanisms": { "type": "string", "required": false, @@ -781,7 +762,14 @@ "description": "The password that the connector is using to connect to a peer.", "create": true, "hidden": true - } + }, + "addr": { + "description":"(DEPRECATED)IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead", + "deprecated": true, + "type": "string", + "default": "127.0.0.1", + "create": true + } } }, @@ -832,106 +820,6 @@ } }, - "fixedAddress": { - "description":"(DEPRECATED) Establishes treatment for addresses starting with a prefix. This entity has been deprecated. Use address instead", - "extends": "configurationEntity", - "deprecated": true, - "operations": ["CREATE"], - "attributes": { - "prefix": { - "type": "string", - "required": true, - "description": "The address prefix (always starting with '/').", - "create": true - }, - "phase": { - "type": "integer", - "description": "The phase of a multi-hop address passing through one or more waypoints.", - "create": true - }, - "fanout": { - "type": [ - "multiple", - "single" - ], - "default": "multiple", - "description": "One of 'multiple' or 'single'. Multiple fanout is a non-competing pattern. If there are multiple consumers using the same address, each consumer will receive its own copy of every message sent to the address. Single fanout is a competing pattern where each message is sent to only one consumer.", - "create": true - }, - "bias": { - "type": [ - "closest", - "spread" - ], - "default": "closest", - "description": "Only if fanout is single. One of 'closest' or 'spread'. Closest bias means that messages to an address will always be delivered to the closest (lowest cost) subscribed consumer. Spread bias will distribute the messages across subscribers in an approximately even manner.", - "create": true - } - } - }, - - "waypoint": { - "description":"(DEPRECATED) A remote node that messages for an address pass through. This entity has been deprecated. Use autoLink instead", - "deprecated": true, - "extends": "configurationEntity", - "operations": ["CREATE", "DELETE"], - "attributes": { - "address": { - "description":"The AMQP address of the waypoint.", - "type": "string", - "required": true, - "create": true - }, - "connector": { - "description":"The name of the on-demand connector used to reach the waypoint's container.", - "type": "string", - "required": true, - "create": true - }, - "inPhase": { - "description":"The phase of the address as it is routed _to_ the waypoint.", - "type": "integer", - "default": -1, - "create": true - }, - "outPhase": { - "description":"The phase of the address as it is routed _from_ the waypoint.", - "type": "integer", - "default": -1, - "create": true - } - } - }, - - "linkRoutePattern": { - "description":"(DEPRECATED) An address pattern to match against link sources and targets to cause the router to link-route the attach across the network to a remote node. This entity has been deprecated. Use linkRoute instead", - "deprecated": true, - "extends": "configurationEntity", - "operations": ["CREATE"], - "attributes": { - "prefix": { - "description":"An address prefix to match against target and source addresses. This pattern must be of the form '<text>.<text1>.<textN>' or '<text>' or '<text>.' and matches any address that contains that prefix. For example, if the prefix is set to org.apache (or org.apache.), any address that has the prefix 'org.apache' (like org.apache.dev) will match. Note that a prefix must not start with a (.), can end in a (.) and can contain zero or more dots (.). Any characters between the dots are simply treated as part of the address", - "type": "string", - "required": true, - "create": true - }, - "dir": { - "description":"Link direction for match: 'in' matches only links inbound to the client; 'out' matches only links outbound from the client; 'both' matches any link.", - "type": ["in", "out", "both"], - "required": false, - "default": "both", - "create": true - }, - "connector": { - "description":"The name of the on-demand connector used to reach the target node's container. If this value is not provided, it means that the target container is expected to be connected to a different router in the network. This prevents links to a link-routable address from being misinterpreted as message-routing links when there is no route to a valid destination available.", - "type": "string", - "required": false, - "default": "", - "create": true - } - } - }, - "router.config.address": { "description": "Entity type for address configuration. This is used to configure the treatment of message-routed deliveries within a particular address-space. The configuration controls distribution and address phasing.", "extends": "configurationEntity", @@ -1452,6 +1340,147 @@ "receiverDenied": {"type": "integer", "graph": true} } }, + + "container": { + "description":"(DEPRECATED)Attributes related to the AMQP container. This entity has been deprecated. Use the router entity instead.", + "extends": "configurationEntity", + "deprecated": true, + "singleton": true, + "attributes": { + + "containerName": { + "type": "string", + "description": "The name of the AMQP container. If not specified, the container name will be set to a value of the container's choosing. The automatically assigned container name is not guaranteed to be persistent across restarts of the container.", + "create": true + + }, + "workerThreads": { + "type": "integer", + "default": 4, + "description": "The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.) .", + "create": true + + }, + "debugDump": { + "type": "path", + "description": "A file to dump debugging information that can't be logged normally.", + "create": true + + }, + "saslConfigPath": { + "type": "path", + "description": "Absolute path to the SASL configuration file.", + "required": false, + "create": true + }, + "saslConfigName": { + "type": "string", + "description": "Name of the SASL configuration. This string + '.conf' is the name of the configuration file.", + "required": false, + "create": true + } + } + }, + + "waypoint": { + "description":"(DEPRECATED) A remote node that messages for an address pass through. This entity has been deprecated. Use autoLink instead", + "deprecated": true, + "extends": "configurationEntity", + "operations": ["CREATE", "DELETE"], + "attributes": { + "address": { + "description":"The AMQP address of the waypoint.", + "type": "string", + "required": true, + "create": true + }, + "connector": { + "description":"The name of the on-demand connector used to reach the waypoint's container.", + "type": "string", + "required": true, + "create": true + }, + "inPhase": { + "description":"The phase of the address as it is routed _to_ the waypoint.", + "type": "integer", + "default": -1, + "create": true + }, + "outPhase": { + "description":"The phase of the address as it is routed _from_ the waypoint.", + "type": "integer", + "default": -1, + "create": true + } + } + }, + + "fixedAddress": { + "description":"(DEPRECATED) Establishes treatment for addresses starting with a prefix. This entity has been deprecated. Use address instead", + "extends": "configurationEntity", + "deprecated": true, + "operations": ["CREATE"], + "attributes": { + "prefix": { + "type": "string", + "required": true, + "description": "The address prefix (always starting with '/').", + "create": true + }, + "phase": { + "type": "integer", + "description": "The phase of a multi-hop address passing through one or more waypoints.", + "create": true + }, + "fanout": { + "type": [ + "multiple", + "single" + ], + "default": "multiple", + "description": "One of 'multiple' or 'single'. Multiple fanout is a non-competing pattern. If there are multiple consumers using the same address, each consumer will receive its own copy of every message sent to the address. Single fanout is a competing pattern where each message is sent to only one consumer.", + "create": true + }, + "bias": { + "type": [ + "closest", + "spread" + ], + "default": "closest", + "description": "Only if fanout is single. One of 'closest' or 'spread'. Closest bias means that messages to an address will always be delivered to the closest (lowest cost) subscribed consumer. Spread bias will distribute the messages across subscribers in an approximately even manner.", + "create": true + } + } + }, + + "linkRoutePattern": { + "description":"(DEPRECATED) An address pattern to match against link sources and targets to cause the router to link-route the attach across the network to a remote node. This entity has been deprecated. Use linkRoute instead", + "deprecated": true, + "extends": "configurationEntity", + "operations": ["CREATE"], + "attributes": { + "prefix": { + "description":"An address prefix to match against target and source addresses. This pattern must be of the form '<text>.<text1>.<textN>' or '<text>' or '<text>.' and matches any address that contains that prefix. For example, if the prefix is set to org.apache (or org.apache.), any address that has the prefix 'org.apache' (like org.apache.dev) will match. Note that a prefix must not start with a (.), can end in a (.) and can contain zero or more dots (.). Any characters between the dots are simply treated as part of the address", + "type": "string", + "required": true, + "create": true + }, + "dir": { + "description":"Link direction for match: 'in' matches only links inbound to the client; 'out' matches only links outbound from the client; 'both' matches any link.", + "type": ["in", "out", "both"], + "required": false, + "default": "both", + "create": true + }, + "connector": { + "description":"The name of the on-demand connector used to reach the target node's container. If this value is not provided, it means that the target container is expected to be connected to a different router in the network. This prevents links to a link-routable address from being misinterpreted as message-routing links when there is no route to a valid destination available.", + "type": "string", + "required": false, + "default": "", + "create": true + } + } + }, "dummy": { "description": "Dummy entity for test purposes.", http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch/management/qdrouter.json.readme.txt ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch/management/qdrouter.json.readme.txt b/python/qpid_dispatch/management/qdrouter.json.readme.txt index b765955..ea9a139 100644 --- a/python/qpid_dispatch/management/qdrouter.json.readme.txt +++ b/python/qpid_dispatch/management/qdrouter.json.readme.txt @@ -19,7 +19,7 @@ under the License. # The qdrouter management schema -The schema `qdrouterd.json` is a JSON format file that defines annotations and +The schema `qdrouterd.json` is a JSON format file that defines entity types of the Qpid Dispatch Router management model. The model is based on the AMQP management specification. @@ -30,7 +30,7 @@ The schema is a JSON map with the following keys: - "entityTypes": map of entity type names to definitions (see below) -Annotation and entity type definition maps have the following keys: +Entity type definition maps have the following keys: - "description": documentation string. - "fullName": if true use the type name as-is, do not apply the schema prefix. @@ -41,7 +41,6 @@ Annotation and entity type definition maps have the following keys: Entity type definitions also have these fields: - "extends": Name of base type. The new type includes attributes, operations and operationDefs from the base type. -- "annotations": List of annotation names. The new type includes operations and attributes from all the annotations. Operation definitions are optional, you can call an operation in the operations list without an operation definition. They have the following fields: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch/management/qdrouter.policyRuleset.settings.txt ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch/management/qdrouter.policyRuleset.settings.txt b/python/qpid_dispatch/management/qdrouter.policyRuleset.settings.txt index 2f40fef..c0c4208 100644 --- a/python/qpid_dispatch/management/qdrouter.policyRuleset.settings.txt +++ b/python/qpid_dispatch/management/qdrouter.policyRuleset.settings.txt @@ -17,7 +17,7 @@ under the License. -The schema `qdrouterd.json` is a JSON format file that defines annotations and +The schema `qdrouterd.json` is a JSON format file that defines entity types of the Qpid Dispatch Router management model. The model is based on the AMQP management specification. http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch_internal/dispatch.py ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch_internal/dispatch.py b/python/qpid_dispatch_internal/dispatch.py index 3ad4436..11fe6ed 100644 --- a/python/qpid_dispatch_internal/dispatch.py +++ b/python/qpid_dispatch_internal/dispatch.py @@ -61,9 +61,11 @@ class QdDll(ctypes.PyDLL): self._prototype(self.qd_dispatch_prepare, None, [self.qd_dispatch_p]) self._prototype(self.qd_dispatch_configure_listener, ctypes.c_void_p, [self.qd_dispatch_p, py_object]) self._prototype(self.qd_dispatch_configure_connector, ctypes.c_void_p, [self.qd_dispatch_p, py_object]) + self._prototype(self.qd_dispatch_configure_ssl_profile, ctypes.c_void_p, [self.qd_dispatch_p, py_object]) self._prototype(self.qd_connection_manager_delete_listener, None, [self.qd_dispatch_p, ctypes.c_void_p]) self._prototype(self.qd_connection_manager_delete_connector, None, [self.qd_dispatch_p, ctypes.c_void_p]) + self._prototype(self.qd_connection_manager_delete_ssl_profile, ctypes.c_bool, [self.qd_dispatch_p, ctypes.c_void_p]) self._prototype(self.qd_dispatch_configure_fixed_address, None, [self.qd_dispatch_p, py_object]) self._prototype(self.qd_dispatch_configure_waypoint, None, [self.qd_dispatch_p, py_object]) http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch_internal/management/agent.py ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch_internal/management/agent.py b/python/qpid_dispatch_internal/management/agent.py index c8ebf65..6e4b7fc 100644 --- a/python/qpid_dispatch_internal/management/agent.py +++ b/python/qpid_dispatch_internal/management/agent.py @@ -52,6 +52,7 @@ getting current information from the implementation object. ## Threading: + The agent is locked to be thread safe, called in the following threads: - Reading configuration file in initialization thread (no contention). - Management requests arriving in multiple, concurrent connection threads. @@ -75,7 +76,7 @@ from ctypes import c_void_p, py_object, c_long from subprocess import Popen from ..dispatch import IoAdapter, LogAdapter, LOG_INFO, LOG_WARNING, LOG_DEBUG, LOG_ERROR, TREATMENT_ANYCAST_CLOSEST from qpid_dispatch.management.error import ManagementError, OK, CREATED, NO_CONTENT, STATUS_TEXT, \ - BadRequestStatus, InternalServerErrorStatus, NotImplementedStatus, NotFoundStatus + BadRequestStatus, InternalServerErrorStatus, NotImplementedStatus, NotFoundStatus, ForbiddenStatus from qpid_dispatch.management.entity import camelcase from .schema import ValidationError, SchemaEntity, EntityType from .qdrouter import QdSchema @@ -345,6 +346,23 @@ def _host_port_name_identifier(entity): return "%s:%s" % (entity.attributes['host'], entity.attributes['port']) +class SslProfileEntity(EntityAdapter): + def create(self): + return self._qd.qd_dispatch_configure_ssl_profile(self._dispatch, self) + + def _delete(self): + deleted = self._qd.qd_connection_manager_delete_ssl_profile(self._dispatch, self._implementations[0].key) + # SSL Profiles cannot be deleted if they are referenced by a connector/listener. + if not deleted: + raise ForbiddenStatus("SSL Profile is referenced by other listeners/connectors. Delete the associated " + "listeners/connectors before deleting the SSL Profile") + + def _identifier(self): + return self.name + + def __str__(self): + return super(SslProfileEntity, self).__str__().replace("Entity(", "SslProfileEntity(") + class ListenerEntity(EntityAdapter): def create(self): config_listener = self._qd.qd_dispatch_configure_listener(self._dispatch, self) @@ -653,9 +671,10 @@ class ManagementEntity(EntityAdapter): for t in self._schema.by_type(type))) def get_annotations(self, request): - type = self.requested_type(request) - return (OK, dict((t.name, [a.name for a in t.annotations]) - for t in self._schema.by_type(type))) + """ + We are not supporting any annotations at the moment. + """ + return (OK, {}) def get_operations(self, request): type = self.requested_type(request) http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch_internal/management/config.py ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch_internal/management/config.py b/python/qpid_dispatch_internal/management/config.py index 28ba91b..a7b82c7 100644 --- a/python/qpid_dispatch_internal/management/config.py +++ b/python/qpid_dispatch_internal/management/config.py @@ -83,32 +83,6 @@ class Config(object): sections = json.loads(js_text) return sections - - def _expand(self, content): - """ - Find annotation sections (defined by schema) in the content, - expand references and remove the annotation sections. - @param content: ((sectionName:{name:value...})) - """ - def _expand_section(section, annotations): - """Expand one section""" - attrs = section[1] - - for k in attrs.keys(): # Iterate over keys() because we will modify attr - inc = [i[1] for i in annotations if i[0] == k and i[1]['name'] == attrs[k]] - if inc: - assert len(inc) == 1 - inc = copy(inc[0]) - if k == u'sslProfile': - inc[u'sslProfileName'] = inc[u'name'] - del inc['name'] - attrs.update(inc) - del attrs[k] # Delete the annotation attribute. - return section - annotations = [s for s in content if self.schema.annotation(s[0], error=False)] - return [_expand_section(s, annotations) for s in content - if self.schema.is_configuration(self.schema.entity_type(s[0], False))] - def get_config_types(self): return self.config_types @@ -128,7 +102,6 @@ class Config(object): for et in self.get_config_types(): if et.singleton and not [s for s in sections if s[0] == et.short_name]: sections.append((et.short_name, {})) - sections = self._expand(sections) entities = [dict(type=self.schema.long_name(s[0]), **s[1]) for s in sections] self.schema.validate_all(entities) self.entities = entities @@ -185,15 +158,15 @@ def configure_dispatch(dispatch, lib_handle, filename): policyDir = config.by_type('policy')[0]['policyDir'] policyDefaultVhost = config.by_type('policy')[0]['defaultVhost'] # Remaining configuration - for t in "fixedAddress", "listener", "connector", "waypoint", "linkRoutePattern", \ + for t in "sslProfile", "fixedAddress", "listener", "connector", "waypoint", "linkRoutePattern", \ "router.config.address", "router.config.linkRoute", "router.config.autoLink", \ "policy", "vhost": for a in config.by_type(t): configure(a) - if t == "listener": + if t == "sslProfile": display_file_name = a.get('displayNameFile') if display_file_name: - ssl_profile_name = a.get('sslProfileName') + ssl_profile_name = a.get('name') displayname_service.add(ssl_profile_name, display_file_name) for e in config.entities: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch_internal/management/schema.py ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch_internal/management/schema.py b/python/qpid_dispatch_internal/management/schema.py index 5338f37..7559c73 100644 --- a/python/qpid_dispatch_internal/management/schema.py +++ b/python/qpid_dispatch_internal/management/schema.py @@ -200,8 +200,7 @@ class AttributeType(object): @ivar value: Fixed value for the attribute. Can be a reference. @ivar unique: True if the attribute value is unique. @ivar description: Description of the attribute type. - @ivar annotation: Annotation section or None - @ivar defined_in: Annotation or EntityType in which this attribute is defined. + @ivar defined_in: EntityType in which this attribute is defined. @ivar create: If true the attribute can be set by CREATE. @ivar update: If true the attribute can be modified by UPDATE. @ivar graph: If true the attribute could be graphed by a console. @@ -319,16 +318,14 @@ class EntityType(object): @ivar short_name: Un-prefixed short name. @ivar attributes: Map of L{AttributeType} for entity. @ivar singleton: If true only one entity of this type is allowed. - @ivar referential: True if an entity/annotation can be referred to by name. - @ivar annotations: List of names of sections annotationd by this entity. + @ivar referential: True if an entity can be referred to by name from another entity. """ def __init__(self, name, schema, attributes=None, operations=None, operationDefs=None, description="", - fullName=True, singleton=False, deprecated=False, annotations=None, extends=None, referential=False, **kwargs): + fullName=True, singleton=False, deprecated=False, extends=None, referential=False, **kwargs): """ @param name: name of the entity type. @param schema: schema for this type. @param singleton: True if entity type is a singleton. - @param annotations: List of names of annotation types for this entity. @param attributes: Map of attributes {name: {type:, default:, required:, unique:}} @param description: Human readable description. @param operations: Allowed operations, list of operation names. @@ -347,11 +344,10 @@ class EntityType(object): self.attributes = OrderedDict((k, AttributeType(k, defined_in=self, **v)) for k, v in (attributes or {}).iteritems()) self.operations = operations or [] - # Bases and annotations are resolved in self.init() + # Bases are resolved in self.init() self.base = extends self.all_bases = [] - self.annotations = annotations or [] - # List of annotations that are singletons + self.references = [] self.singleton = singleton self.deprecated = deprecated @@ -365,7 +361,7 @@ class EntityType(object): raise ValidationError, "%s '%s': %s" % (type(self).__name__, name, msg), trace def init(self): - """Find bases and annotations after all types are loaded.""" + """Find bases after all types are loaded.""" if self._init: return self._init = True if self.base: @@ -373,12 +369,6 @@ class EntityType(object): self.base.init() self.all_bases = [self.base] + self.base.all_bases self._extend(self.base, 'extend') - if self.annotations: - self.references = [x for x in self.annotations - if self.schema.annotation(x).referential] - self.annotations = [self.schema.annotation(a) for a in self.annotations] - for a in self.annotations: - self._extend(a, 'be annotated') def _extend(self, other, how): """Add attributes and operations from other""" @@ -407,7 +397,7 @@ class EntityType(object): @property def my_attributes(self): - """Return only attribute types defined in this annotation or entity type""" + """Return only attribute types defined in this entity type""" return [a for a in self.attributes.itervalues() if a.defined_in == self] def validate(self, attributes, check_singleton=None, **kwargs): @@ -483,10 +473,6 @@ class EntityType(object): def name_is(self, name): return self.name == self.schema.long_name(name) -class Annotation(EntityType): - """An annotation defines attributes, operations etc. that can be re-used by multiple EntityTypes.""" - pass - class Schema(object): @@ -496,14 +482,12 @@ class Schema(object): @ivar prefix: Prefix to prepend to short entity type names. @ivar entityTypes: Map of L{EntityType} by name. - @ivar annotations: Map of L{Annotation} by name. @ivar description: Text description of schema. """ - def __init__(self, prefix="", annotations=None, entityTypes=None, description=""): + def __init__(self, prefix="", entityTypes=None, description=""): """ @param prefix: Prefix for entity names. - @param annotations: Map of { annotationName: {attributeName: value, ... }} - @param entity_types: Map of { entityTypeName: { singleton:, annotation:[...], attributes:{...}}} + @param entity_types: Map of { entityTypeName: { singleton:, attributes:{...}}} @param description: Human readable description. """ if prefix: @@ -517,7 +501,6 @@ class Schema(object): return OrderedDict((self.long_name(k), cls(k, self, **v)) for k, v in (defs or {}).iteritems()) - self.annotations = parsedefs(Annotation, annotations) self.entity_types = parsedefs(EntityType, entityTypes) self.all_attributes = set() @@ -544,8 +527,6 @@ class Schema(object): """Return json-friendly representation""" return OrderedDict([ ('prefix', self.prefix), - ('annotations', - OrderedDict((a.short_name, a.dump()) for a in self.annotations.itervalues())), ('entityTypes', OrderedDict((e.short_name, e.dump()) for e in self.entity_types.itervalues())) ]) @@ -559,9 +540,6 @@ class Schema(object): def entity_type(self, name, error=True): return self._lookup(self.entity_types, name, "No such entity type '%s'", error) - def annotation(self, name, error=True): - return self._lookup(self.annotations, name, "No such annotation '%s'", error) - def validate_entity(self, attributes, check_required=True, add_default=True, check_unique=None, check_singleton=None): """ http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/python/qpid_dispatch_internal/management/schema_doc.py ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch_internal/management/schema_doc.py b/python/qpid_dispatch_internal/management/schema_doc.py index 379e04a..ecf2825 100644 --- a/python/qpid_dispatch_internal/management/schema_doc.py +++ b/python/qpid_dispatch_internal/management/schema_doc.py @@ -108,7 +108,7 @@ class SchemaWriter(object): self.warn("Warning no description for %s" % entity_type) if entity_type.operations: self.para("Operations allowed: `%s`\n\n" % "`, `".join(entity_type.operations)) - for a in entity_type.annotations: self.attribute_types(a) + self.attribute_types(entity_type) if entity_type.operation_defs: self.operation_defs(entity_type) http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/src/connection_manager.c ---------------------------------------------------------------------- diff --git a/src/connection_manager.c b/src/connection_manager.c index 0e95067..9a2b415 100644 --- a/src/connection_manager.c +++ b/src/connection_manager.c @@ -31,46 +31,66 @@ static char* HOST_ADDR_DEFAULT = "127.0.0.1"; +struct qd_config_ssl_profile_t { + DEQ_LINKS(qd_config_ssl_profile_t); + uint64_t identity; + char *name; + char *ssl_password; + char *ssl_trusted_certificate_db; + char *ssl_trusted_certificates; + char *ssl_uid_format; + char *ssl_display_name_file; + char *ssl_certificate_file; + char *ssl_private_key_file; + int ref_count; +}; + struct qd_config_listener_t { - bool is_connector; - qd_bind_state_t state; - qd_listener_t *listener; - qd_server_config_t configuration; + bool is_connector; + qd_bind_state_t state; + qd_listener_t *listener; + qd_config_ssl_profile_t *ssl_profile; + qd_server_config_t configuration; DEQ_LINKS(qd_config_listener_t); }; DEQ_DECLARE(qd_config_listener_t, qd_config_listener_list_t); +DEQ_DECLARE(qd_config_ssl_profile_t, qd_config_ssl_profile_list_t); struct qd_config_connector_t { bool is_connector; DEQ_LINKS(qd_config_connector_t); - qd_connector_t *connector; - qd_server_config_t configuration; + qd_connector_t *connector; + qd_server_config_t configuration; + qd_config_ssl_profile_t *ssl_profile; }; DEQ_DECLARE(qd_config_connector_t, qd_config_connector_list_t); - struct qd_connection_manager_t { - qd_log_source_t *log_source; - qd_server_t *server; - qd_config_listener_list_t config_listeners; - qd_config_connector_list_t config_connectors; + qd_log_source_t *log_source; + qd_server_t *server; + qd_config_listener_list_t config_listeners; + qd_config_connector_list_t config_connectors; + qd_config_ssl_profile_list_t config_ssl_profiles; + sys_mutex_t *ssl_profile_lock; }; -// True if entity has any of attributes. -static bool has_attrs(qd_entity_t *entity, const char **attributes, int n) { - for (int i = 0; i < n; ++i) - if (qd_entity_has(entity, attributes[i])) return true; - return false; -} - -static const char *ssl_attributes[] = { - "certDb", "certFile", "keyFile", "passwordFile", "password" -}; +/** + * Search the list of config_ssl_profiles for an ssl-profile that matches the passed in name + */ +static qd_config_ssl_profile_t *qd_find_ssl_profile(qd_connection_manager_t *cm, char *name) +{ + qd_config_ssl_profile_t *ssl_profile = DEQ_HEAD(cm->config_ssl_profiles); + while(ssl_profile) { + if(strcmp(ssl_profile->name, name)==0) + return ssl_profile; + ssl_profile = DEQ_NEXT(ssl_profile); + } -static const int ssl_attributes_count = sizeof(ssl_attributes)/sizeof(ssl_attributes[0]); + return 0; +} static void qd_server_config_free(qd_server_config_t *cf) { @@ -80,13 +100,7 @@ static void qd_server_config_free(qd_server_config_t *cf) free(cf->name); free(cf->role); free(cf->sasl_mechanisms); - if (cf->ssl_enabled) { - free(cf->ssl_certificate_file); - free(cf->ssl_private_key_file); - free(cf->ssl_password); - free(cf->ssl_trusted_certificate_db); - free(cf->ssl_trusted_certificates); - } + memset(cf, 0, sizeof(*cf)); } @@ -149,7 +163,7 @@ static void set_config_host(qd_server_config_t *config, qd_entity_t* entity) assert(config->host); } -static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity) +static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *config, qd_entity_t* entity, qd_config_ssl_profile_t **ssl_profile) { qd_error_clear(); @@ -172,8 +186,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf config->sasl_username = qd_entity_opt_string(entity, "saslUsername", 0); CHECK(); config->sasl_password = qd_entity_opt_string(entity, "saslPassword", 0); CHECK(); config->sasl_mechanisms = qd_entity_opt_string(entity, "saslMechanisms", 0); CHECK(); - config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); - config->ssl_enabled = has_attrs(entity, ssl_attributes, ssl_attributes_count); + config->ssl_profile = qd_entity_opt_string(entity, "sslProfile", 0); CHECK(); config->link_capacity = qd_entity_opt_long(entity, "linkCapacity", 0); CHECK(); set_config_host(config, entity); @@ -195,24 +208,25 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf config->requireAuthentication = authenticatePeer || depRequirePeerAuth; config->requireEncryption = requireEncryption || !depAllowUnsecured; - if (config->ssl_enabled) { + + if (config->ssl_profile) { config->ssl_required = requireSsl || !depAllowUnsecured; config->ssl_require_peer_authentication = config->sasl_mechanisms && strstr(config->sasl_mechanisms, "EXTERNAL") != 0; - config->ssl_certificate_file = - qd_entity_opt_string(entity, "certFile", 0); CHECK(); - config->ssl_private_key_file = - qd_entity_opt_string(entity, "keyFile", 0); CHECK(); - config->ssl_password = - qd_entity_opt_string(entity, "password", 0); CHECK(); - config->ssl_trusted_certificate_db = - qd_entity_opt_string(entity, "certDb", 0); CHECK(); - config->ssl_trusted_certificates = - qd_entity_opt_string(entity, "trustedCerts", 0); CHECK(); - config->ssl_uid_format = - qd_entity_opt_string(entity, "uidFormat", 0); CHECK(); - config->ssl_display_name_file = - qd_entity_opt_string(entity, "displayNameFile", 0); CHECK(); + + *ssl_profile = qd_find_ssl_profile(qd->connection_manager, config->ssl_profile); + if(*ssl_profile) { + config->ssl_certificate_file = (*ssl_profile)->ssl_certificate_file; + config->ssl_private_key_file = (*ssl_profile)->ssl_private_key_file; + config->ssl_password = (*ssl_profile)->ssl_password; + config->ssl_trusted_certificate_db = (*ssl_profile)->ssl_trusted_certificate_db; + config->ssl_trusted_certificates = (*ssl_profile)->ssl_trusted_certificates; + config->ssl_uid_format = (*ssl_profile)->ssl_uid_format; + config->ssl_display_name_file = (*ssl_profile)->ssl_display_name_file; + } + sys_mutex_lock(qd->connection_manager->ssl_profile_lock); + (*ssl_profile)->ref_count++; + sys_mutex_unlock(qd->connection_manager->ssl_profile_lock); } free(stripAnnotations); @@ -223,6 +237,36 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf return qd_error_code(); } + +qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd_entity_t *entity) +{ + qd_error_clear(); + qd_connection_manager_t *cm = qd->connection_manager; + + qd_config_ssl_profile_t *ssl_profile = NEW(qd_config_ssl_profile_t); + DEQ_ITEM_INIT(ssl_profile); + DEQ_INSERT_TAIL(cm->config_ssl_profiles, ssl_profile); + ssl_profile->name = qd_entity_opt_string(entity, "name", 0); CHECK(); + ssl_profile->ssl_certificate_file = qd_entity_opt_string(entity, "certFile", 0); CHECK(); + ssl_profile->ssl_private_key_file = qd_entity_opt_string(entity, "keyFile", 0); CHECK(); + ssl_profile->ssl_password = qd_entity_opt_string(entity, "password", 0); CHECK(); + ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0); CHECK(); + ssl_profile->ssl_trusted_certificates = qd_entity_opt_string(entity, "trustedCerts", 0); CHECK(); + ssl_profile->ssl_uid_format = qd_entity_opt_string(entity, "uidFormat", 0); CHECK(); + ssl_profile->ssl_display_name_file = qd_entity_opt_string(entity, "displayNameFile", 0); CHECK(); + sys_mutex_lock(qd->connection_manager->ssl_profile_lock); + ssl_profile->ref_count = 0; + sys_mutex_unlock(qd->connection_manager->ssl_profile_lock); + qd_log(cm->log_source, QD_LOG_INFO, "Created SSL Profile with name %s ", ssl_profile->name); + return ssl_profile; + + error: + qd_log(cm->log_source, QD_LOG_ERROR, "Unable to create ssl profile: %s", qd_error_message()); + free(ssl_profile); + return 0; +} + + qd_config_listener_t *qd_dispatch_configure_listener(qd_dispatch_t *qd, qd_entity_t *entity) { qd_error_clear(); @@ -231,17 +275,22 @@ qd_config_listener_t *qd_dispatch_configure_listener(qd_dispatch_t *qd, qd_entit cl->is_connector = false; cl->state = QD_BIND_NONE; cl->listener = 0; - if (load_server_config(qd, &cl->configuration, entity) != QD_ERROR_NONE) { + qd_config_ssl_profile_t *ssl_profile = 0; + if (load_server_config(qd, &cl->configuration, entity, &ssl_profile) != QD_ERROR_NONE) { qd_log(cm->log_source, QD_LOG_ERROR, "Unable to create config listener: %s", qd_error_message()); - qd_config_listener_free(cl); + qd_config_listener_free(qd->connection_manager, cl); return 0; } + cl->ssl_profile = ssl_profile; DEQ_ITEM_INIT(cl); DEQ_INSERT_TAIL(cm->config_listeners, cl); - qd_log(cm->log_source, QD_LOG_INFO, "Configured Listener: %s:%s proto=%s role=%s", + + qd_log(cm->log_source, QD_LOG_INFO, "Configured Listener: %s:%s proto=%s, role=%s%s%s", cl->configuration.host, cl->configuration.port, cl->configuration.protocol_family ? cl->configuration.protocol_family : "any", - cl->configuration.role); + cl->configuration.role, + cl->ssl_profile ? ", sslProfile=":"", + cl->ssl_profile ? cl->ssl_profile->name:""); return cl; } @@ -267,18 +316,21 @@ qd_config_connector_t *qd_dispatch_configure_connector(qd_dispatch_t *qd, qd_ent ZERO(cc); cc->is_connector = true; - if (load_server_config(qd, &cc->configuration, entity) != QD_ERROR_NONE) { + qd_config_ssl_profile_t *ssl_profile = 0; + if (load_server_config(qd, &cc->configuration, entity, &ssl_profile) != QD_ERROR_NONE) { qd_log(cm->log_source, QD_LOG_ERROR, "Unable to create config connector: %s", qd_error_message()); - qd_config_connector_free(cc); + qd_config_connector_free(qd->connection_manager, cc); return 0; } - + cc->ssl_profile = ssl_profile; DEQ_ITEM_INIT(cc); DEQ_INSERT_TAIL(cm->config_connectors, cc); - qd_log(cm->log_source, QD_LOG_INFO, "Configured Connector: %s:%s proto=%s role=%s", - cc->configuration.host, cc->configuration.port, - cc->configuration.protocol_family ? cc->configuration.protocol_family : "any", - cc->configuration.role); + qd_log(cm->log_source, QD_LOG_INFO, "Configured Connector: %s:%s proto=%s, role=%s %s%s", + cc->configuration.host, cc->configuration.port, + cc->configuration.protocol_family ? cc->configuration.protocol_family : "any", + cc->configuration.role, + cc->ssl_profile ? ", sslProfile=":"", + cc->ssl_profile ? cc->ssl_profile->name:""); return cc; } @@ -291,9 +343,11 @@ qd_connection_manager_t *qd_connection_manager(qd_dispatch_t *qd) return 0; cm->log_source = qd_log_source("CONN_MGR"); + cm->ssl_profile_lock = sys_mutex(); cm->server = qd->server; DEQ_INIT(cm->config_listeners); DEQ_INIT(cm->config_connectors); + DEQ_INIT(cm->config_ssl_profiles); return cm; } @@ -319,6 +373,15 @@ void qd_connection_manager_free(qd_connection_manager_t *cm) free(cc); cc = DEQ_HEAD(cm->config_connectors); } + + qd_config_ssl_profile_t *sslp = DEQ_HEAD(cm->config_ssl_profiles); + while (sslp) { + DEQ_REMOVE_HEAD(cm->config_ssl_profiles); + qd_config_ssl_profile_free(cm, sslp); + sslp = DEQ_HEAD(cm->config_ssl_profiles); + } + + sys_mutex_free(cm->ssl_profile_lock); } @@ -347,25 +410,62 @@ void qd_connection_manager_start(qd_dispatch_t *qd) } -void qd_config_connector_free(qd_config_connector_t *cc) +void qd_config_connector_free(qd_connection_manager_t *cm, qd_config_connector_t *cc) { if (cc->connector) qd_server_connector_free(cc->connector); + + if (cc->ssl_profile) { + sys_mutex_lock(cm->ssl_profile_lock); + cc->ssl_profile->ref_count--; + sys_mutex_unlock(cm->ssl_profile_lock); + } + free(cc); } -void qd_config_listener_free(qd_config_listener_t *cl) +void qd_config_listener_free(qd_connection_manager_t *cm, qd_config_listener_t *cl) { if (cl->listener) { qd_server_listener_close(cl->listener); qd_server_listener_free(cl->listener); cl->listener = 0; } + + if (cl->ssl_profile) { + sys_mutex_lock(cm->ssl_profile_lock); + cl->ssl_profile->ref_count--; + sys_mutex_unlock(cm->ssl_profile_lock); + } + free(cl); } +bool qd_config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_profile_t *ssl_profile) +{ + sys_mutex_lock(cm->ssl_profile_lock); + if (ssl_profile->ref_count != 0) { + sys_mutex_unlock(cm->ssl_profile_lock); + return false; + } + sys_mutex_unlock(cm->ssl_profile_lock); + + free(ssl_profile->name); + free(ssl_profile->ssl_password); + free(ssl_profile->ssl_trusted_certificate_db); + free(ssl_profile->ssl_trusted_certificates); + free(ssl_profile->ssl_uid_format); + free(ssl_profile->ssl_display_name_file); + free(ssl_profile->ssl_certificate_file); + free(ssl_profile->ssl_private_key_file); + free(ssl_profile); + return true; + +} + + void qd_connection_manager_delete_listener(qd_dispatch_t *qd, void *impl) { qd_config_listener_t *cl = (qd_config_listener_t*) impl; @@ -373,8 +473,24 @@ void qd_connection_manager_delete_listener(qd_dispatch_t *qd, void *impl) if (cl) { qd_server_listener_close(cl->listener); DEQ_REMOVE(qd->connection_manager->config_listeners, cl); - qd_config_listener_free(cl); + qd_config_listener_free(qd->connection_manager, cl); + } +} + + +/** + * Only those SSL Profiles that are not being referenced from other listeners/connectors can be deleted + */ +bool qd_connection_manager_delete_ssl_profile(qd_dispatch_t *qd, void *impl) +{ + qd_config_ssl_profile_t *ssl_profile = (qd_config_ssl_profile_t*) impl; + if(ssl_profile) { + bool freed = qd_config_ssl_profile_free(qd->connection_manager, ssl_profile); + if (freed) + DEQ_REMOVE(qd->connection_manager->config_ssl_profiles, ssl_profile); + return freed; } + return false; } @@ -384,7 +500,7 @@ void qd_connection_manager_delete_connector(qd_dispatch_t *qd, void *impl) if (cc) { DEQ_REMOVE(qd->connection_manager->config_connectors, cc); - qd_config_connector_free(cc); + qd_config_connector_free(qd->connection_manager, cc); } } http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/src/server.c ---------------------------------------------------------------------- diff --git a/src/server.c b/src/server.c index 55e2ea9..0787022 100644 --- a/src/server.c +++ b/src/server.c @@ -400,6 +400,10 @@ static qd_error_t qd_set_connection_properties(qd_entity_t* entity, qd_connectio } +qd_error_t qd_entity_refresh_sslProfile(qd_entity_t* entity, void *impl) +{ + return QD_ERROR_NONE; +} qd_error_t qd_entity_refresh_connection(qd_entity_t* entity, void *impl) @@ -647,7 +651,7 @@ static void thread_process_listeners_LH(qd_server_t *qd_server) } // Set up SSL if configured - if (config->ssl_enabled) { + if (config->ssl_profile) { qd_log(qd_server->log_source, QD_LOG_TRACE, "Configuring SSL on %s", log_incoming(logbuf, sizeof(logbuf), cxtr)); if (listener_setup_ssl(ctx, config, tport) != QD_ERROR_NONE) { @@ -1229,7 +1233,7 @@ static void cxtr_try_open(void *context) // // Set up SSL if appropriate // - if (config->ssl_enabled) { + if (config->ssl_profile) { pn_ssl_domain_t *domain = pn_ssl_domain(PN_SSL_MODE_CLIENT); if (!domain) { http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/tests/management/qdrouter.py ---------------------------------------------------------------------- diff --git a/tests/management/qdrouter.py b/tests/management/qdrouter.py index b6285b4..46455ef 100644 --- a/tests/management/qdrouter.py +++ b/tests/management/qdrouter.py @@ -92,10 +92,10 @@ class QdrouterTest(unittest.TestCase): ] self.assertEqual(content, expect) - content = conf._expand(content) expect = [ [u'router', {u'mode': u'standalone', u'id': u'QDR'}], - [u'listener', {u'password': u'secret', u'name': u'l0', u'sslProfileName': u'test-profile', u'saslMechanisms': u'ANONYMOUS'}], + [u'sslProfile', {u'password': u'secret', u'name': u'test-profile'}], + [u'listener', {u'name': u'l0', u'sslProfile': u'test-profile', u'saslMechanisms': u'ANONYMOUS'}], [u'listener', {u'port': u'1234', u'identity': u'l1', u'saslMechanisms': u'ANONYMOUS'}], [u'listener', {u'port': u'4567', u'saslMechanisms': u'ANONYMOUS'}] ] http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/9ec4c43b/tests/management/schema.py ---------------------------------------------------------------------- diff --git a/tests/management/schema.py b/tests/management/schema.py index 6c32f89..9ab3fcf 100644 --- a/tests/management/schema.py +++ b/tests/management/schema.py @@ -35,22 +35,10 @@ def replace_od(thing): SCHEMA_1 = { "prefix": "org.example", - "annotations": { - "entityId": { - "attributes": { - "name": {"type": "string", - "required": True, - "unique": True}, - "type": {"type":"string", - "required": True} - } - } - }, "entityTypes": { "container": { "deprecated": True, "singleton": True, - "annotations": ["entityId"], "attributes": { "workerThreads": {"type": "integer", "default": 1}, "routerId": { @@ -60,20 +48,28 @@ SCHEMA_1 = { "deprecated": True, "create": True }, + "name": {"type": "string", + "required": True, + "unique": True}, + "type": {"type":"string", + "required": True} } }, "listener": { - "annotations": ["entityId"], "attributes": { - "host": { - "type": "string" - } + "host": {"type": "string"}, + "name": {"type": "string", "required": True, "unique": True}, + "type": {"type":"string", "required": True} } }, "connector": { - "annotations": ["entityId"], "attributes": { - "host": {"type": "string"} + "host": {"type": "string"}, + "name": {"type": "string", + "required": True, + "unique": True}, + "type": {"type":"string", + "required": True} } } } @@ -125,23 +121,17 @@ class SchemaTest(unittest.TestCase): self.assertRaises(ValidationError, a.validate, None) self.assertRaises(ValidationError, a.validate, "xxx") - def test_entity_type(self): - s = Schema(annotations={ - 'i1':{'attributes': { 'foo1': {'type':'string', 'default':'FOO1'}}}, - 'i2':{'attributes': { 'foo2': {'type':'string', 'default':'FOO2'}}}}) + s = Schema() e = EntityType('MyEntity', s, attributes={ 'foo': {'type':'string', 'default':'FOO'}, 'req': {'type':'integer', 'required':True}, 'e': {'type':['x', 'y']}}) + e.init() self.assertRaises(ValidationError, e.validate, {}) # Missing required 'req' self.assertEqual(e.validate({'req':42}), {'foo': 'FOO', 'req': 42}) - # Try with an annotation - e = EntityType('e2', s, attributes={'x':{'type':'integer'}}, annotations=['i1', 'i2']) - e.init() - self.assertEqual(e.validate({'x':1}), {'x':1, 'foo1': 'FOO1', 'foo2': 'FOO2'}) def test_schema_validate(self): s = Schema(**SCHEMA_1) @@ -162,8 +152,8 @@ class SchemaTest(unittest.TestCase): s = Schema(**SCHEMA_1) self.assertRaises(ValidationError, s.entity, {'type': 'nosuch'}) self.assertRaises(ValidationError, s.entity, {'type': 'listener', 'nosuch': 'x'}) - e = s.entity({'type': 'listener', 'name':'x', 'host':'foo'}) - self.assertEqual(e.attributes, {'type': 'org.example.listener', 'name':'x', 'host':'foo'}) + e = s.entity({'host':'foo', 'type': 'listener', 'name': 'listener-1'}) + self.assertEqual(e.attributes, {'host': 'foo', 'name': 'listener-1', 'type': 'org.example.listener'}) self.assertEqual(e['host'], 'foo') self.assertRaises(ValidationError, e.__setitem__, 'nosuch', 'x') --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
