Repository: qpid-dispatch Updated Branches: refs/heads/master 16f378e14 -> 194747dcd
DISPATCH-1086: use a pn_ssl_domain_t instance per auth service connection Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/194747dc Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/194747dc Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/194747dc Branch: refs/heads/master Commit: 194747dcd4ddf6973a6f5f85e893f769706fa47d Parents: 16f378e Author: Gordon Sim <g...@redhat.com> Authored: Wed Sep 19 17:18:28 2018 +0100 Committer: Gordon Sim <g...@redhat.com> Committed: Wed Sep 19 17:50:36 2018 +0100 ---------------------------------------------------------------------- include/qpid/dispatch/server.h | 41 +++++++++++++++--------- src/connection_manager.c | 63 +++++++++++++++++-------------------- src/remote_sasl.c | 1 + src/server.c | 38 ++++++++++++++++++++-- 4 files changed, 91 insertions(+), 52 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/194747dc/include/qpid/dispatch/server.h ---------------------------------------------------------------------- diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h index a037a14..e56519f 100644 --- a/include/qpid/dispatch/server.h +++ b/include/qpid/dispatch/server.h 
@@ -153,22 +153,35 @@ typedef struct qd_server_config_t { char *sasl_mechanisms; /** - * Address, i.e. host:port, of remote authentication service to connect to. - * (listener only) - */ - char *auth_service; - /** - * Hostname to set on sasl-init sent to authentication service. - */ - char *sasl_init_hostname; - /** - * Ssl config for connecting to the authentication service. - */ - pn_ssl_domain_t *auth_ssl_conf; - /** - * The name of the related sasl plugin config. + * The name of the sasl plugin config if used. */ char *sasl_plugin; + /** + * The config of the sasl plugin config if used. + */ + struct { + /** + * Address, i.e. host:port, of remote authentication service to connect to. + * (listener only) + */ + char *auth_service; + /** + * Hostname to set on sasl-init sent to authentication service. + */ + char *sasl_init_hostname; + bool use_ssl; + //ssl config for sasl auth plugin: + char *ssl_certificate_file; + char *ssl_private_key_file; + char *ssl_uid_format; + char *ssl_profile; + char *ssl_uid_name_mapping_file; + char *ssl_password; + char *ssl_trusted_certificate_db; + char *ssl_trusted_certificates; + char *ssl_ciphers; + char *ssl_protocols; + } sasl_plugin_config; /** * If appropriate for the mechanism, the username for authentication http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/194747dc/src/connection_manager.c ---------------------------------------------------------------------- diff --git a/src/connection_manager.c b/src/connection_manager.c index 5f984bc..339b572 100644 --- a/src/connection_manager.c +++ b/src/connection_manager.c 
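Review bot: The new `ssl_profile` member of `sasl_plugin_config` is declared here but, as far as the rest of this commit shows, is never populated in load_server_config nor released in qd_server_config_free, and `ssl_uid_format`, `ssl_uid_name_mapping_file` and `ssl_trusted_certificates` are copied into the struct yet not consulted when the client domain is built in on_connection_bound; either drop them or document that they are carried for use elsewhere. The new members also lack the doc comments the surrounding fields have, e.g. above `bool use_ssl;` add `/** True when the plugin named an auth_ssl_profile; the ssl_* members below are then copies of that profile. */`, and if this header does not already pull in `<stdbool.h>` the `bool` needs it. The sentence `The config of the sasl plugin config if used.` reads as a duplicate; `Settings copied from the named sasl plugin config, if one is in use.` is clearer. The struct definition continues outside the hunk.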
@@ -131,9 +131,6 @@ void qd_server_config_free(qd_server_config_t *cf) if (cf->sasl_username) free(cf->sasl_username); if (cf->sasl_password) free(cf->sasl_password); if (cf->sasl_mechanisms) free(cf->sasl_mechanisms); - if (cf->auth_service) free(cf->auth_service); - if (cf->sasl_init_hostname) free(cf->sasl_init_hostname); - if (cf->auth_ssl_conf) pn_ssl_domain_free(cf->auth_ssl_conf); if (cf->ssl_profile) free(cf->ssl_profile); if (cf->failover_list) qd_failover_list_free(cf->failover_list); if (cf->log_message) free(cf->log_message); @@ -147,6 +144,19 @@ void qd_server_config_free(qd_server_config_t *cf) if (cf->ssl_trusted_certificates) free(cf->ssl_trusted_certificates); if (cf->ssl_uid_format) free(cf->ssl_uid_format); if (cf->ssl_uid_name_mapping_file) free(cf->ssl_uid_name_mapping_file); + + if (cf->sasl_plugin_config.auth_service) free(cf->sasl_plugin_config.auth_service); + if (cf->sasl_plugin_config.sasl_init_hostname) free(cf->sasl_plugin_config.sasl_init_hostname); + if (cf->sasl_plugin_config.ssl_certificate_file) free(cf->sasl_plugin_config.ssl_certificate_file); + if (cf->sasl_plugin_config.ssl_private_key_file) free(cf->sasl_plugin_config.ssl_private_key_file); + if (cf->sasl_plugin_config.ssl_ciphers) free(cf->sasl_plugin_config.ssl_ciphers); + if (cf->sasl_plugin_config.ssl_protocols) free(cf->sasl_plugin_config.ssl_protocols); + if (cf->sasl_plugin_config.ssl_password) free(cf->sasl_plugin_config.ssl_password); + if (cf->sasl_plugin_config.ssl_trusted_certificate_db) free(cf->sasl_plugin_config.ssl_trusted_certificate_db); + if (cf->sasl_plugin_config.ssl_trusted_certificates) free(cf->sasl_plugin_config.ssl_trusted_certificates); + if (cf->sasl_plugin_config.ssl_uid_format) free(cf->sasl_plugin_config.ssl_uid_format); + if (cf->sasl_plugin_config.ssl_uid_name_mapping_file) free(cf->sasl_plugin_config.ssl_uid_name_mapping_file); + memset(cf, 0, sizeof(*cf)); } 
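Review bot: `sasl_plugin_config.ssl_profile` is the one new string member not released here (the other ten are), so as soon as anything assigns it the config free leaks it; add `if (cf->sasl_plugin_config.ssl_profile) free(cf->sasl_plugin_config.ssl_profile);` alongside the others. `sasl_plugin_config.ssl_password` is a private-key passphrase that now lives in a second heap copy per listener config; consider wiping it before free (`memset` over `strlen`, or `explicit_bzero` where available) — I can't see from this hunk whether the existing `ssl_password` member gets that treatment, so match whatever it does. The `if (p) free(p)` guards are redundant since `free(NULL)` is a no-op, but they follow the surrounding style.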
@@ -400,43 +410,26 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf qd_config_sasl_plugin_t *sasl_plugin = qd_find_sasl_plugin(qd->connection_manager, config->sasl_plugin); if (sasl_plugin) { - config->auth_service = SSTRDUP(sasl_plugin->auth_service); - config->sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname); - qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->auth_service, config->sasl_plugin); + config->sasl_plugin_config.auth_service = SSTRDUP(sasl_plugin->auth_service); + config->sasl_plugin_config.sasl_init_hostname = SSTRDUP(sasl_plugin->sasl_init_hostname); + qd_log(qd->connection_manager->log_source, QD_LOG_INFO, "Using auth service %s from SASL Plugin %s", config->sasl_plugin_config.auth_service, config->sasl_plugin); if (sasl_plugin->auth_ssl_profile) { + config->sasl_plugin_config.use_ssl = true; qd_config_ssl_profile_t *auth_ssl_profile = qd_find_ssl_profile(qd->connection_manager, sasl_plugin->auth_ssl_profile); - config->auth_ssl_conf = pn_ssl_domain(PN_SSL_MODE_CLIENT); - - if (auth_ssl_profile->ssl_certificate_file) { - if (pn_ssl_domain_set_credentials(config->auth_ssl_conf, - auth_ssl_profile->ssl_certificate_file, - auth_ssl_profile->ssl_private_key_file, - auth_ssl_profile->ssl_password)) { - qd_error(QD_ERROR_RUNTIME, "Cannot set SSL credentials for authentication service"); CHECK(); - } - } - if (auth_ssl_profile->ssl_trusted_certificate_db) { - if (pn_ssl_domain_set_trusted_ca_db(config->auth_ssl_conf, auth_ssl_profile->ssl_trusted_certificate_db)) { - qd_error(QD_ERROR_RUNTIME, "Cannot set trusted SSL certificate db for authentication service" ); CHECK(); - } else { - if (pn_ssl_domain_set_peer_authentication(config->auth_ssl_conf, PN_SSL_VERIFY_PEER, auth_ssl_profile->ssl_trusted_certificate_db)) { - qd_error(QD_ERROR_RUNTIME, "Cannot set SSL peer verification for authentication service"); CHECK(); - } - } - } - if 
(auth_ssl_profile->ssl_ciphers) { - if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ssl_ciphers)) { - return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate"); - } - } - if (auth_ssl_profile->ssl_protocols) { - if (pn_ssl_domain_set_protocols(config->auth_ssl_conf, auth_ssl_profile->ssl_protocols)) { - return qd_error(QD_ERROR_RUNTIME, "Cannot set protocols. The protocols string might be invalid. This list is a space separated string of the allowed TLS protocols (TLSv1 TLSv1.1 TLSv1.2)"); - } - } + config->sasl_plugin_config.ssl_certificate_file = SSTRDUP(auth_ssl_profile->ssl_certificate_file); + config->sasl_plugin_config.ssl_private_key_file = SSTRDUP(auth_ssl_profile->ssl_private_key_file); + config->sasl_plugin_config.ssl_ciphers = SSTRDUP(auth_ssl_profile->ssl_ciphers); + config->sasl_plugin_config.ssl_protocols = SSTRDUP(auth_ssl_profile->ssl_protocols); + config->sasl_plugin_config.ssl_password = SSTRDUP(auth_ssl_profile->ssl_password); + config->sasl_plugin_config.ssl_trusted_certificate_db = SSTRDUP(auth_ssl_profile->ssl_trusted_certificate_db); + config->sasl_plugin_config.ssl_trusted_certificates = SSTRDUP(auth_ssl_profile->ssl_trusted_certificates); + config->sasl_plugin_config.ssl_uid_format = SSTRDUP(auth_ssl_profile->ssl_uid_format); + config->sasl_plugin_config.ssl_uid_name_mapping_file = SSTRDUP(auth_ssl_profile->uid_name_mapping_file); + } else { + config->sasl_plugin_config.use_ssl = false; } } else { qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK(); http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/194747dc/src/remote_sasl.c ---------------------------------------------------------------------- diff --git a/src/remote_sasl.c b/src/remote_sasl.c index 34eb51d..ae32936 100644 --- a/src/remote_sasl.c +++ b/src/remote_sasl.c 
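Review bot: `auth_ssl_profile` returned by `qd_find_ssl_profile` is dereferenced without a NULL check, so a sasl plugin whose `auth_ssl_profile` names a non-existent sslProfile will crash the router at config load instead of reporting an error; this predates the commit, but the new copy lines keep it. Add `if (!auth_ssl_profile) { qd_error(QD_ERROR_RUNTIME, "Cannot find ssl profile %s for sasl plugin %s", sasl_plugin->auth_ssl_profile, config->sasl_plugin); CHECK(); }` before the first `SSTRDUP`. Note also that the previous load-time validation of the profile's ciphers and protocols strings (which returned a config error) is gone from this function and now only happens per connection in server.c, so a typo in `ssl_protocols` is no longer caught at startup; that deserves a comment here or a one-off validation domain at load time. The body of load_server_config continues outside the hunk.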
@@ -138,6 +138,7 @@ static void delete_qdr_sasl_relay_t(qdr_sasl_relay_t* instance) { if (instance->authentication_service_address) free(instance->authentication_service_address); if (instance->sasl_init_hostname) free(instance->sasl_init_hostname); + if (instance->ssl_domain) pn_ssl_domain_free(instance->ssl_domain); if (instance->mechlist) free(instance->mechlist); if (instance->selected_mechanism) free(instance->selected_mechanism); if (instance->response.start) free(instance->response.start); http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/194747dc/src/server.c ---------------------------------------------------------------------- diff --git a/src/server.c b/src/server.c index a2bb8ea..5ad6b50 100644 --- a/src/server.c +++ b/src/server.c 
@@ -649,9 +649,41 @@ static void on_connection_bound(qd_server_t *server, pn_event_t *e) { pn_sasl_config_name(sasl, ctx->server->sasl_config_name); if (config->sasl_mechanisms) pn_sasl_allowed_mechs(sasl, config->sasl_mechanisms); - if (config->auth_service) { - qd_log(server->log_source, QD_LOG_INFO, "enabling remote authentication service %s", config->auth_service); - qdr_use_remote_authentication_service(tport, config->auth_service, config->sasl_init_hostname, config->auth_ssl_conf, server->proactor); + if (config->sasl_plugin_config.auth_service) { + qd_log(server->log_source, QD_LOG_INFO, "enabling remote authentication service %s", config->sasl_plugin_config.auth_service); + pn_ssl_domain_t* plugin_ssl_domain = NULL; + if (config->sasl_plugin_config.use_ssl) { + plugin_ssl_domain = pn_ssl_domain(PN_SSL_MODE_CLIENT); + + if (config->sasl_plugin_config.ssl_certificate_file) { + if (pn_ssl_domain_set_credentials(plugin_ssl_domain, + config->sasl_plugin_config.ssl_certificate_file, + config->sasl_plugin_config.ssl_private_key_file, + config->sasl_plugin_config.ssl_password)) { + qd_log(server->log_source, QD_LOG_ERROR, "Cannot set SSL credentials for authentication service"); + } + } + if (config->sasl_plugin_config.ssl_trusted_certificate_db) { + if (pn_ssl_domain_set_trusted_ca_db(plugin_ssl_domain, config->sasl_plugin_config.ssl_trusted_certificate_db)) { + qd_log(server->log_source, QD_LOG_ERROR, "Cannot set trusted SSL certificate db for authentication service" ); + } else { + if (pn_ssl_domain_set_peer_authentication(plugin_ssl_domain, PN_SSL_VERIFY_PEER, config->sasl_plugin_config.ssl_trusted_certificate_db)) { + qd_log(server->log_source, QD_LOG_ERROR, "Cannot set SSL peer verification for authentication service"); + } + } + } + if (config->sasl_plugin_config.ssl_ciphers) { + if (pn_ssl_domain_set_ciphers(plugin_ssl_domain, config->sasl_plugin_config.ssl_ciphers)) { + qd_log(server->log_source, QD_LOG_ERROR, "Cannot set ciphers for authentication 
service"); + } + } + if (config->sasl_plugin_config.ssl_protocols) { + if (pn_ssl_domain_set_protocols(plugin_ssl_domain, config->sasl_plugin_config.ssl_protocols)) { + qd_log(server->log_source, QD_LOG_ERROR, "Cannot set protocols for authentication service"); + } + } + } + qdr_use_remote_authentication_service(tport, config->sasl_plugin_config.auth_service, config->sasl_plugin_config.sasl_init_hostname, plugin_ssl_domain, server->proactor); } pn_transport_require_auth(tport, config->requireAuthentication); pn_transport_require_encryption(tport, config->requireEncryption); --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
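Review bot: Every failure while building `plugin_ssl_domain` is only logged, and the connection still proceeds to `qdr_use_remote_authentication_service` with a half-configured domain — in particular, if `pn_ssl_domain_set_trusted_ca_db` fails, `pn_ssl_domain_set_peer_authentication` is never reached and the router would relay the client's SASL credentials to the auth service over TLS that does not verify the peer; before this commit those were hard config errors (`CHECK()`/`qd_error`). `pn_ssl_domain()` returning NULL is likewise unchecked before it is passed to the setters. I'd move the setup into a helper that frees the domain and returns NULL on the first failure, and have the caller close the transport the way on_connection_bound presumably handles a failed listener-side SSL init (outside this hunk) rather than continuing. Building a fresh domain per accepted connection also re-reads the certificate, key and CA files from disk for every connection on the listener, which is worth a comment since it is the cost of the per-connection design. on_connection_bound starts and ends outside the hunk.
```c
/* Build the client-side SSL domain for the remote auth service. Returns NULL on
 * any failure so the caller fails closed instead of using a partial domain. */
static pn_ssl_domain_t *sasl_plugin_ssl_domain(qd_server_t *server, const qd_server_config_t *config)
{
    const char *cert  = config->sasl_plugin_config.ssl_certificate_file;
    const char *ca_db = config->sasl_plugin_config.ssl_trusted_certificate_db;
    pn_ssl_domain_t *domain = pn_ssl_domain(PN_SSL_MODE_CLIENT);
    if (!domain) {
        qd_log(server->log_source, QD_LOG_ERROR, "Cannot create SSL domain for authentication service");
        return NULL;
    }
    if (cert && pn_ssl_domain_set_credentials(domain, cert,
                                              config->sasl_plugin_config.ssl_private_key_file,
                                              config->sasl_plugin_config.ssl_password)) {
        qd_log(server->log_source, QD_LOG_ERROR, "Cannot set SSL credentials for authentication service");
        goto fail;
    }
    if (ca_db && (pn_ssl_domain_set_trusted_ca_db(domain, ca_db) ||
                  pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER, ca_db))) {
        qd_log(server->log_source, QD_LOG_ERROR, "Cannot set trusted CA db / peer verification for authentication service");
        goto fail;
    }
    /* … ciphers and protocols: same shape, goto fail on a non-zero return … */
    return domain;
fail:
    pn_ssl_domain_free(domain);
    return NULL;
}

/* … in on_connection_bound, replacing the inline setup … */
    if (config->sasl_plugin_config.use_ssl) {
        plugin_ssl_domain = sasl_plugin_ssl_domain(server, config);
        if (!plugin_ssl_domain) {
            /* fail closed: close tport as done for a failed listener SSL init (outside this hunk) */
            return;
        }
    }
```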