DISPATCH-1149: allow authz plugin to override conf file policy
Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/2b4d4c96 Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/2b4d4c96 Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/2b4d4c96 Branch: refs/heads/1.4.x Commit: 2b4d4c962600c57c33a83166dbde6d6dd77f3464 Parents: a27ca38 Author: Gordon Sim <g...@redhat.com> Authored: Thu Oct 18 22:35:45 2018 +0100 Committer: Ganesh Murthy <gmur...@redhat.com> Committed: Fri Oct 19 09:32:54 2018 -0400 ---------------------------------------------------------------------- src/policy.c | 16 ++++++++++---- tests/policy-authz/default.json | 29 +++++++++++++++++++++++++ tests/system_tests_authz_service_plugin.py | 3 +++ 3 files changed, 44 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2b4d4c96/src/policy.c ----------------------------------------------------------------------
diff --git a/src/policy.c b/src/policy.c
index 6556d3d..2b03b73 100644
--- a/src/policy.c
+++ b/src/policy.c
@@ -430,11 +430,19 @@ bool qd_policy_open_lookup_user(
 settings->maxSessions = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSessions", 0);
 settings->maxSenders = qd_entity_opt_long((qd_entity_t*)upolicy, "maxSenders", 0);
 settings->maxReceivers = qd_entity_opt_long((qd_entity_t*)upolicy, "maxReceivers", 0);
- settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false);
- settings->allowDynamicSource = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSource", false);
+ if (!settings->allowAnonymousSender) { //don't override if enabled by authz plugin
+ settings->allowAnonymousSender = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowAnonymousSender", false);
+ }
+ if (!settings->allowDynamicSource) { //don't override if enabled by authz plugin
+ settings->allowDynamicSource = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowDynamicSource", false);
+ }
 settings->allowUserIdProxy = qd_entity_opt_bool((qd_entity_t*)upolicy, "allowUserIdProxy", false);
- settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
- settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
+ if (settings->sources == 0) { //don't override if configured by authz plugin
+ settings->sources = qd_entity_get_string((qd_entity_t*)upolicy, "sources");
+ }
+ if (settings->targets == 0) { //don't override if configured by authz plugin
+ settings->targets = qd_entity_get_string((qd_entity_t*)upolicy, "targets");
+ }
 settings->sourcePattern = qd_entity_get_string((qd_entity_t*)upolicy, "sourcePattern");
 settings->targetPattern = qd_entity_get_string((qd_entity_t*)upolicy, "targetPattern");
 settings->sourceParseTree = qd_policy_parse_tree(settings->sourcePattern);
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2b4d4c96/tests/policy-authz/default.json ----------------------------------------------------------------------
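Review bot: The new guards on `allowAnonymousSender`, `allowDynamicSource`, `sources` and `targets` keep the plugin's value only when it is already true or non-null, so a plugin that leaves a flag false or a list unset cannot stop the vhost file from granting it; the effective permission set is the union of both policies, not an override. `sourcePattern` and `targetPattern` (and the parse trees built from them) are still loaded from the file unconditionally, so a connection whose `sources` came from the authz service also receives whatever patterns the file grants, which may be wider than the service intended. The guards also read `settings` fields before this function assigns them, which presumably relies on the caller zero-initialising the struct; that is not visible here, as the function starts and ends outside the hunk. At minimum I would state the rule above the first guard, e.g. `/* grants supplied by the authz plugin are kept; the file policy can only add to them, never revoke */`, and decide whether the pattern fields should be skipped when the plugin supplied `sources`/`targets`.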
diff --git a/tests/policy-authz/default.json b/tests/policy-authz/default.json
new file mode 100644
index 0000000..ca3ec61
--- /dev/null
+++ b/tests/policy-authz/default.json
@@ -0,0 +1,29 @@
+##
+## Licensed to the Apache Software Foundation (ASF) under one
+## or more contributor license agreements. See the NOTICE file
+## distributed with this work for additional information
+## regarding copyright ownership. The ASF licenses this file
+## to you under the Apache License, Version 2.0 (the
+## "License"); you may not use this file except in compliance
+## with the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing,
+## software distributed under the License is distributed on an
+## "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+## KIND, either express or implied. See the License for the
+## specific language governing permissions and limitations
+## under the License
+##
+[
+ ["vhost", {
+ "hostname": "$default",
+ "allowUnknownUser": true,
+ "groups" : {
+ "$default": {
+ "remoteHosts": "*"
+ }
+ }
+ }]
+]
http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/2b4d4c96/tests/system_tests_authz_service_plugin.py ----------------------------------------------------------------------
diff --git a/tests/system_tests_authz_service_plugin.py b/tests/system_tests_authz_service_plugin.py
index fc5e2bf..392e1a8 100644
--- a/tests/system_tests_authz_service_plugin.py
+++ b/tests/system_tests_authz_service_plugin.py
@@ -73,9 +73,12 @@ mech_list: SCRAM-SHA-1 PLAIN cls.auth_service_port = cls.tester.get_port() cls.tester.popen(['/usr/bin/env', 'python', os.path.join(os.path.dirname(os.path.abspath(__file__)), 'authservice.py'), '-a', 'amqps://127.0.0.1:%d' % cls.auth_service_port, '-c', os.getcwd()], expect=Process.RUNNING) + policy_config_path = os.path.join(DIR, 'policy-authz') + cls.router_port = cls.tester.get_port() cls.tester.qdrouterd('router', Qdrouterd.Config([ ('sslProfile', {'name':'myssl'}), + ('policy', {'maxConnections': 2, 'policyDir': policy_config_path, 'enableVhostPolicy': 'true'}), # authService attribute has been deprecated. We are using it here to make sure that we are # still backward compatible. ('authServicePlugin', {'name':'myauth', 'sslProfile':'myssl', 'port': cls.auth_service_port, 'host': '127.0.0.1'}), --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
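Review bot: The added `('policy', ...)` entry only exercises the permissive direction of the new precedence rule: the `policy-authz/default.json` it points at grants the `$default` group no `sources` or `targets`, so the setup can show that plugin-supplied grants survive but not what happens when the file grants something the authz service did not. A second vhost file that does list `sources`/`targets`, with an assertion that a link outside the plugin's grant is refused (or accepted, if union is the intended behaviour), would pin the rule down. A short comment above the entry would also help, e.g. `# vhost file grants no sources/targets; link permissions must come from the authz plugin`. The setup method starts and ends outside this hunk, so existing assertions may already cover part of this.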